
OFFICIAL MICROSOFT LEARNING PRODUCT

6425A
Configuring Windows Server® 2008

Active Directory® Domain Services

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.

BETA COURSEWARE. EXPIRES 4/11/2008


ii Configuring Windows Server® 2008 Active Directory® Domain Services®

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2007 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, Excel, Internet Explorer, Jscript, MSDN, NetMeeting, PowerPoint,
SharePoint, SQL Server, Visual Basic, Visual Studio, Win32, Windows, Windows Media, Windows NT,
Windows PowerShell, Windows Server and Windows Vista are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Technical Reviewer: John Policelli

Product Number: 6425A

Part Number: N/A

Released: 10/2007



MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS COURSEWARE –
BLENDED LEARNING COURSE - STUDENT EDITION
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the licensed content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this licensed content, unless other terms accompany those items. If so, those terms apply.
By using the licensed content, you accept these terms. If you do not accept them, do not use
the licensed content.

If you comply with these license terms, you have the rights below.
1. OVERVIEW.
Licensed Content. The licensed content includes software, printed materials, academic materials
(online and electronic), and associated media.
License Model. The licensed content is licensed on a per copy per device basis.
2. INSTALLATION AND USE RIGHTS.
a. Licensed Device. The licensed device is the device on which you use the licensed content. You
may install and use one copy of the licensed content on the licensed device.
b. Portable Device. You may install another copy on a portable device for use by the single
primary user of the licensed device.
c. Separation of Components. The components of the licensed content are licensed as a single
unit. You may not separate the components and install them on different devices.
d. Third Party Programs. The licensed content may contain third party programs. These license
terms will apply to your use of those third party programs, unless other terms accompany those
programs.
3. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Media Elements and Templates. You may use images, clip art, animations, sounds, music,
shapes, video clips and templates provided with the licensed content solely for your personal
training use. If you wish to use these media elements or templates for any other purpose, go to
www.microsoft.com/permission to learn whether that use is allowed.
b. Academic Materials. If the licensed content contains academic materials (such as white papers,
labs, tests, datasheets and FAQs), you may copy and use the academic materials. You may not
make any modifications to the academic materials and you may not print any book (either
electronic or print version) in its entirety. If you reproduce any academic materials, you agree
that:
that:
• The use of the academic materials will be only for your personal reference or training use
• You will not republish or post the academic materials on any network computer or broadcast in
any media;
• You will include the academic material’s original copyright notice, or a copyright notice to
Microsoft’s benefit in the format provided below:
Form of Notice:
© 2007 Reprinted for personal reference use only with permission by
Microsoft Corporation. All rights reserved.
Microsoft and Windows are either registered trademarks or trademarks of
Microsoft Corporation in the US and/or other countries. Other product and
company names mentioned herein may be the trademarks of their respective
owners.
c. Distributable Code. The licensed content may contain code that you are permitted to distribute
in programs you develop if you comply with the terms below.
i. Right to Use and Distribute. The code and text files listed below are “Distributable Code.”
• REDIST.TXT Files. You may copy and distribute the object code form of code listed in
REDIST.TXT files.
• Sample Code. You may modify, copy, and distribute the source and object code form of
code marked as “sample.”
• Third Party Distribution. You may permit distributors of your programs to copy and
distribute the Distributable Code as part of those programs.
ii. Distribution Requirements. For any Distributable Code you distribute, you must
• add significant primary functionality to it in your programs;
• require distributors and external end users to agree to terms that protect it at least as
much as this agreement;
• display your valid copyright notice on your programs; and
• indemnify, defend, and hold harmless Microsoft from any claims, including attorneys’ fees,
related to the distribution or use of your programs.



iii. Distribution Restrictions. You may not
• alter any copyright, trademark or patent notice in the Distributable Code;
• use Microsoft’s trademarks in your programs’ names or in a way that suggests your
programs come from or are endorsed by Microsoft;
• distribute Distributable Code to run on a platform other than the Windows platform;
• include Distributable Code in malicious, deceptive or unlawful programs; or
• modify or distribute the source code of any Distributable Code so that any part of it
becomes subject to an Excluded License. An Excluded License is one that requires, as a
condition of use, modification or distribution, that
• the code be disclosed or distributed in source code form; or
• others have the right to modify it.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the licensed
content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else’s use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The licensed content is licensed, not sold. This agreement only gives you some
rights to use the licensed content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the licensed content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the licensed content that
only allow you to use it in certain ways. You may not
• disclose the results of any benchmark tests of the licensed content to any third party without
Microsoft’s prior written approval;
• work around any technical limitations in the licensed content;
• reverse engineer, decompile or disassemble the licensed content, except and only to the extent
that applicable law expressly permits, despite this limitation;
• make more copies of the licensed content than specified in this agreement or allowed by
applicable law, despite this limitation;
• publish the licensed content for others to copy;
• rent, lease or lend the licensed content; or
• use the licensed content for commercial licensed content hosting services.
• Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
6. BACKUP COPY. You may make one backup copy of the licensed content. You may use it only to
reinstall the licensed content.
7. TRANSFER TO ANOTHER DEVICE. You may uninstall the licensed content and install it on another
device for your use. You may not do so to share this license between devices.
8. TRANSFER TO A THIRD PARTY. The first user of the licensed content may transfer it and this
agreement directly to a third party. Before the transfer, that party must agree that this agreement
applies to the transfer and use of the licensed content. The first user must uninstall the licensed
content before transferring it separately from the device. The first user may not retain any copies.
9. EXPORT RESTRICTIONS. The licensed content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that
apply to the licensed content. These laws include restrictions on destinations, end users and end use.
For additional information, see www.microsoft.com/exporting.
10. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or licensed
content marked as “NFR” or “Not for Resale.”
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if
you fail to comply with the terms and conditions of these license terms. Upon any termination of this
agreement, you must destroy all copies of the licensed content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based
services and support services that you use, are the entire agreement for the licensed content and
support services.
13. APPLICABLE LAW.
a. United States. If you acquired the licensed content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the licensed content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
licensed content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED “AS-IS.” YOU BEAR
THE RISK OF USING IT. MICROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES OR
CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL
LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER
YOUR LOCAL LAWS, MICROSOFT EXCLUDES THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.



16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER
FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU
CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS,
SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the licensed content, software, services, content (including code) on third party
Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability,
negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion
or limitation of incidental, consequential or other damages.
Please note: As this licensed content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.

DISCLAIMER OF WARRANTY. The licensed content covered by a license is provided "as is". Any
use of this licensed content is at your sole risk. Microsoft grants no other express warranty. You
may have additional rights under local consumer protection law, which this agreement cannot
modify. Where permitted by local law, the implied warranties of merchantability, fitness for a
particular purpose and non-infringement are excluded.
LIMITATION ON DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover
from Microsoft and its suppliers compensation for direct damages only, up to US $5.00. You cannot
claim any compensation for other damages, including special, indirect or incidental damages and
loss of profits.
This limitation applies to:
• anything related to the licensed content, services or content (including code) on third-party
Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other
damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. This agreement does not change your rights under the laws of your country if
those laws do not permit it to do so.


Contents
Module 1: Implementing Active Directory® Domain Services
Lesson 1: Installing Active Directory Domain Services 1-3
Lesson 2: Deploying Read-Only Domain Controllers 1-14
Lesson 3: Configuring AD DS Domain Controller Roles 1-22
Lab: Implementing Read-Only Domain Controllers and Managing
Domain Controller Roles 1-29

Module 2: Configuring Domain Name Service for Active Directory Domain Services
Lesson 1: Overview of Active Directory Domain Services and
DNS Integration 2-3
Lesson 2: Configuring Active Directory Integrated Zones 2-11
Lesson 3: Configuring Read-Only DNS Zones 2-19
Lab: Configuring AD DS and DNS Integration 2-23

Module 3: Configuring Active Directory® Objects and Trusts


Lesson 1: Configuring Active Directory Objects 3-3
Lesson 2: Strategies for Using Groups 3-14
Lesson 3: Automating AD DS Object Management 3-20
Lab A: Configuring Active Directory Objects 3-28
Lesson 4: Delegating Administrative Access to AD DS Objects 3-42
Lesson 5: Configuring AD DS Trusts 3-50
Lab B: Configuring Active Directory Delegation 3-59

Module 4: Configuring Active Directory® Sites and Replication


Lesson 1: Overview of Active Directory Domain Services Replication 4-3
Lesson 2: Overview of AD DS Sites and Replication 4-13
Lesson 3: Configuring and Monitoring AD DS Replication 4-22
Lab: Configuring Active Directory Sites and Replication 4-31


Module 5: Creating and Configuring Group Policies


Lesson 1: Overview of Group Policies 5-3
Lesson 2: Configuring the Scope of Group Policy Objects 5-15
Lesson 3: Evaluating the Application of Group Policy Objects 5-26
Lesson 4: Managing Group Policy Objects 5-31
Lesson 5: Delegating Administrative Control of Group Policies 5-38
Lab: Creating and Configuring GPOs 5-42

Module 6: Configuring User Environments Using Group Policies


Lesson 1: Configuring Group Policy Settings 6-3
Lesson 2: Configuring Scripts and Folder Redirection Using Group Policies 6-7
Lesson 3: Configuring Administrative Templates 6-15
Lesson 4: Deploying Software Using Group Policy 6-22
Lab: Configuring User Environments Using Group Policies 6-32

Module 7: Implementing Security Using Group Policies


Lesson 1: Configuring Security Policies 7-3
Lesson 2: Implementing Fine-Grained Password Policies 7-13
Lesson 3: Restricting Group Membership and Access to Software 7-19
Lesson 4: Managing Security by Using Security Templates 7-26
Lab: Implementing Security Using Group Policies 7-33

Module 8: Implementing an Active Directory Domain Services Monitoring Plan
Lesson 1: Monitoring Active Directory Domain Services Using
Event Viewer 8-3
Lesson 2: Monitoring Active Directory Domain Servers Using
Reliability and Performance Monitor 8-10
Lesson 3: Configuring Active Directory Domain Services Auditing 8-20
Lab: Configuring Active Directory Sites and Replication 8-25


Module 9: Implementing an Active Directory Domain Services Maintenance Plan
Lesson 1: Maintaining the AD DS Domain Controllers 9-3
Lesson 2: Backing Up Active Directory Domain Services 9-14
Lesson 3: Restoring Active Directory Domain Services 9-18
Lab: Implementing an Active Directory Domain Services
Maintenance Plan 9-29

Module 10: Troubleshooting Active Directory, DNS, and Replication Issues


Lesson 1: Troubleshooting Active Directory Domain Services 10-3
Lesson 2: Troubleshooting DNS Integration with Active Directory
Domain Services 10-9
Lesson 3: Troubleshooting Active Directory Replication 10-15
Lab: Troubleshooting Active Directory, DNS and Replication Issues 10-22

Module 11: Troubleshooting Group Policy Issues


Lesson 1: Introduction to Group Policy Troubleshooting 11-3
Lesson 2: Troubleshooting Group Policy Applications 11-10
Lesson 3: Troubleshooting Group Policy Settings 11-17
Lab: Troubleshooting Group Policy Issues 11-25

Module 12: Implementing an Active Directory® Domain Services Infrastructure
Lesson 1: Overview of the AD DS Domain 12-3
Lesson 2: Planning a Group Policy Strategy 12-7
Lab A: Deploying Active Directory Domain Services 12-9
Lab B: Configuring Forest Trusts 12-23
Lab C: Designing a Group Policy Strategy 12-31


About This Course


This section provides you with a brief description of the course, audience,
suggested prerequisites, and course objectives.

Course Description
The purpose of this 5-day course is to teach Active Directory Technology
Specialists how to configure Active Directory Domain Services in a distributed
environment, implement Group Policies, perform backup and restore, and monitor
and troubleshoot Active Directory related issues. After completing this course,
students will be able to implement and configure Active Directory domain services
in their enterprise environment.

Audience
The primary audience for this course is Active Directory Technology Specialists,
Server Administrators, and Enterprise Administrators who want to learn how to
implement Active Directory in a distributed environment, secure domains using
Group Policies, perform backup and restore, and monitor and troubleshoot Active
Directory configuration to ensure trouble-free operation.

Student Prerequisites
This course requires that you meet the following prerequisites:
• Basic understanding of networking. For example, how TCP/IP functions,
addressing, name resolution (Domain Name System [DNS]/Windows Internet
Name Service [WINS]), and connection methods (wired, wireless, virtual
private network [VPN]), NET+ or equivalent knowledge.
• Intermediate understanding of network operating systems. For example,
Windows® 2000, Windows® XP, Windows Server® 2003, etc., and the Windows
Vista® operating system client (nice to have).
• An awareness of security best practices. For example, file system permissions,
authentication methods, workstation and server hardening methods etc.
• Basic knowledge of server hardware. A+ or equivalent knowledge.
• Some experience creating objects in Active Directory.
• Foundation course (6424A: Fundamentals of Windows Server® 2008 Active
Directory®) or equivalent knowledge.
• Basic concepts of backup and recovery in a Windows Server Environment. For
example, backup types, backup methods, backup topologies etc. (information
covered in 6420A: Fundamentals of Windows Server® 2008 Network
Infrastructure and Application Platform).

Course Objectives
After completing this course, students will be able to:
• Implement Active Directory® Domain Services (AD DS).
• Configure DNS for AD DS.
• Configure Active Directory® objects and trusts.
• Configure Active Directory sites and replication.
• Create and configure Group Policies.
• Configure user environments using Group Policies.
• Implement security using Group Policies.
• Implement an AD DS monitoring plan.
• Implement an AD DS maintenance plan.
• Troubleshoot Active Directory, DNS, and replication issues.
• Troubleshoot Group Policy issues.
• Implement an AD DS infrastructure.

Course Outline
This section provides an outline of the course:
Module 1: This module discusses the prerequisite hardware and software required
for implementing Active Directory Domain Services, as well as the process for
installing it. It also defines what a read-only domain controller (RODC) is and how
to install it.
Module 2: This module covers DNS configuration specific to Active Directory.
Module 3: This module discusses how to implement and configure AD DS objects
and trusts.
Module 4: This module covers how to create and configure sites to manage
replication.
Module 5: This module covers how Group Policy objects (GPOs) work and how to
create and apply GPOs.
Module 6: This module discusses how to configure user desktop settings by using
Group Policies.
Module 7: This module describes how to configure security settings and apply
them using GPOs.
Module 8: This module describes how to monitor AD DS infrastructure and
services.
Module 9: This module discusses how to perform maintenance, backup, and
recovery of Active Directory servers and objects.
Module 10: This module covers how to troubleshoot and resolve issues related to
Active Directory, DNS, and replication.
Module 11: This module describes how to troubleshoot and resolve issues related
to Group Policy.
Module 12: This module is a day-long lab. You are given scenarios that will help
you learn how to create a solution from start to end.

Course Materials
The following materials are included with your kit:
• Course handbook. The Course handbook contains the material covered in class.
It is meant to be used in conjunction with the Course Companion CD.
• Course Companion CD. The Course Companion CD contains the full course
content, including expanded content for each topic pages, full lab exercises
and answer keys, topical and categorized resources and Web links. It is meant
to be used both inside and outside the class.

Note To access the full course content, insert the Course Companion CD into the CD-ROM
drive, and then in the root directory of the CD, double-click StartCD.exe.

• Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification
Program, send e-mail to mcphelp@microsoft.com.

Virtual Machine Environment


This section provides the information for setting up the classroom environment to
support the business scenario of the course.

Virtual Machine Configuration


In this course, you will use Microsoft Virtual Server 2005 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not
save any changes. To close a virtual machine without saving the changes, perform
the following steps:
1. On the host computer, click Start, point to All Programs, point to Microsoft
Virtual Server, and then click Virtual Server Administration Website.
2. Under Navigation, click Master Status. For each virtual machine that is
running, point to the virtual machine name, and, in the context menu, click Turn off
Virtual Machine and Discard Undo Disks. Click OK.

The following table shows the role of each virtual machine that this course uses:

Virtual machine     Role
6425A-SEA-DC1       Domain controller in the WoodgroveBank.com domain
6425A-SEA-DC2       Domain controller in the WoodgroveBank.com domain
6425A-SEA-SVR1      Member server
6425A-NYC-CL1       Windows Vista computer in the WoodgroveBank.com domain
6425A-MIA-RODC      6425A-MIA-RODC
6425A-NYC-SVR2      Windows Server 2008 Server Core computer



Software Configuration
The following software is installed on each virtual machine:
• Windows Server 2008 Enterprise; Windows Vista

Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a
minimum equipment configuration for trainer and student computers in all
Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which
Official Microsoft Learning Product courseware is taught. This course requires a
computer that meets or exceeds hardware level 5, which specifies a 2.4-gigahertz
(minimum) Pentium 4 or equivalent CPU, at least 2 gigabytes (GB) of RAM, 16
megabytes (MB) of video RAM, and a 7200 RPM 40-GB hard disk.

Module 1
Implementing Active Directory® Domain
Services
Contents:
Lesson 1: Installing Active Directory Domain Services 1-3
Lesson 2: Deploying Read-Only Domain Controllers 1-14
Lesson 3: Configuring AD DS Domain Controller Roles 1-22
Lab: Implementing Read-Only Domain Controllers and Managing
Domain Controller Roles 1-29


Module Overview

Active Directory® Domain Services (AD DS) is installed as a server role in
Windows Server® 2008. You have several choices to make when you install AD DS
and run the Active Directory Installation Wizard. You must choose whether to
create a new domain or add a domain controller to an existing domain. You also
have the option of installing AD DS on a server running Windows Server 2008
Server Core or installing read-only domain controllers. After deploying the domain
controllers, you also must manage special domain controller roles, such as the
global catalog and operations masters.


Lesson 1:
Installing Active Directory Domain Services

Windows Server 2008 provides several ways to install and configure Active
Directory Domain Services. This lesson describes the standard AD DS installation,
and then also describes some of the other options that are available when
performing the installation.


Requirements for Installing AD DS

Key Points
To install Active Directory Domain Services, the server must meet the following
requirements:
The Windows Server 2008 operating system must be installed. AD DS can only be
installed on the following editions:
• Windows Server 2008, Standard Edition
• Windows Server 2008, Enterprise Edition
• Windows Server 2008, Datacenter Edition

Additional Reading
• Active Directory Domain Services Help: Installing Active Directory Domain
Services
• Microsoft TechNet article: Requirements for Installing AD DS


What Are Domain and Forest Functional Levels?

Key Points
In Windows Server 2008, forest and domain functionality provides a way to enable
forest-wide or domain-wide Active Directory features in your network environment.
Different levels of forest and domain functionality are available, depending on
domain and forest functional level.
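As an added example (not part of the courseware), the following PowerShell script reports the current forest and domain functional levels and the operating system of every domain controller, which is the inventory to take before raising a level. It assumes a domain-joined computer with PowerShell and an account that can read the directory; the pattern used to recognise qualifying operating systems is an assumption of this example.

```powershell
# Added example (not from the courseware): report the forest and domain functional
# levels and the operating system of each domain controller. Raising a functional
# level is irreversible, and it is only allowed once every DC in scope runs an
# operating system that supports the target level, so inventory the DCs first.
# Assumption: run on a domain-joined computer as a user who can read the directory.

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

"Forest {0}: forest functional level {1}" -f $forest.Name, $forest.ForestMode
"Domain {0}: domain functional level {1}" -f $domain.Name, $domain.DomainMode
""
"{0,-28} {1,-40} {2}" -f "Domain controller", "Operating system", "Site"
foreach ($dc in $domain.DomainControllers) {
    "{0,-28} {1,-40} {2}" -f $dc.Name, $dc.OSVersion, $dc.SiteName
}

# The Windows Server 2008 domain functional level requires every DC in the domain
# to run Windows Server 2008 or later. The pattern below, which accepts 2008 and
# any later Windows Server release, is an assumption of this example.
$qualifying = "Windows Server (2008|201\d|202\d)"
$blocking = @($domain.DomainControllers | Where-Object { $_.OSVersion -notmatch $qualifying })

""
if ($blocking.Count -eq 0) {
    "Every domain controller qualifies: the domain functional level can be raised to Windows Server 2008."
} else {
    "Upgrade or demote these domain controllers before raising the domain functional level to Windows Server 2008:"
    $blocking | ForEach-Object { "  " + $_.Name + "  (" + $_.OSVersion + ")" }
}
```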

Additional Reading
• Active Directory Domain Services Help: Set the domain or forest functional
level
• Microsoft TechNet article: Appendix of Functional Level Features


AD DS Installation Process

Key Points
To configure a Windows Server 2008 domain controller, you must install the AD
DS server role and run the Active Directory Domain Services Installation Wizard.
Do this using one of the following processes:
• Install the server role by using Server Manager, and then run the installation
wizard by running DCPromo or by starting the installation wizard from Server
Manager.
• Run DCPromo from the Run command or a command prompt. This installs
the AD DS server role and then starts the installation wizard.
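The second process can also be run unattended, which is how a domain controller is promoted without clicking through the wizard. The following PowerShell script is an added example, not courseware or Microsoft code; it assumes a full installation of Windows Server 2008 with PowerShell, an elevated prompt, a static IP address, and the placeholder names corp.example.test and CORP. On Server Core, which has no PowerShell in Windows Server 2008, the same [DCInstall] answer file is passed to dcpromo from the command prompt.

```powershell
# Added example (not courseware or Microsoft code): unattended promotion of a
# Windows Server 2008 computer to the first domain controller of a new forest,
# using the [DCInstall] answer-file parameters that DCPromo /unattend reads.
# DCPromo installs the AD DS server role itself when it is not yet present.
# Assumptions: full installation with PowerShell, elevated prompt, static IP
# address; the domain names and paths are placeholders for this example.

$dnsName    = "corp.example.test"   # placeholder forest root DNS name
$netbios    = "CORP"                # placeholder NetBIOS domain name
$answerFile = Join-Path $env:TEMP "dcpromo-unattend.txt"

# The Directory Services Restore Mode (DSRM) password is prompted for rather than
# embedded in the script. DCPromo only accepts it in clear text inside the answer
# file, so the file is deleted again as soon as DCPromo has finished (see finally).
$secure = Read-Host "Directory Services Restore Mode password" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# ForestLevel/DomainLevel 3 = Windows Server 2008 functional level; InstallDNS=Yes
# lets the wizard install and configure the DNS Server role for the new zone.
$unattend = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$dnsName
DomainNetbiosName=$netbios
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@

Set-Content -Path $answerFile -Value $unattend -Encoding ASCII
try {
    & dcpromo.exe "/unattend:$answerFile"
    $exitCode = $LASTEXITCODE
}
finally {
    # Never leave the DSRM password on disk, whatever the outcome of the promotion.
    Remove-Item $answerFile -Force -ErrorAction SilentlyContinue
    $dsrm = $null
}

"DCPromo finished with exit code $exitCode; details are in %SystemRoot%\debug\dcpromo.log."
"Restart the server to complete the promotion (RebootOnCompletion=No lets you review the log first)."
```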

Additional Reading
• Active Directory Domain Services Help: Installing Active Directory Domain
Services
• Microsoft TechNet article: Installing a New Windows Server 2008 Forest and
Scenarios for Installing AD DS


Advanced Options for Installing AD DS

Key Points
Some of the Active Directory Domain Services Installation Wizard pages appear
only if you select the Use advanced mode installation check box on the Welcome
page of the wizard or run DCPromo with the /adv switch. If you do not run the
installation wizard in advanced mode, the wizard uses default options that apply
to most configurations.

Question: When would you use the advanced options mode in your organization?

Additional Reading
• Active Directory Domain Services Help: Use advanced mode installation
• Microsoft Technet article: What's New in AD DS Installation and Removal


Installing AD DS from Media

Key Points

Before you can use backup media as the source for installing a domain controller,
use Ntdsutil.exe to create the installation media.

Question: Which types of installation media will you use in your organization?

Additional Reading
• Microsoft Technet article: Installing AD DS from Media


Demonstration: Verifying the AD DS installation

Question: What steps would you take if you noticed that the domain controller
installation failed?

Additional Reading
• Microsoft Technet article: Verifying an AD DS Installation
• Microsoft Technet article: Verifying Active Directory Installation


Upgrading to Windows Server 2008 AD DS

Key Points
To install a new Windows Server 2008 domain controller in an existing Windows
2000 Server or Windows Server 2003 domain, complete the following steps:
• If the domain controller is the first Windows Server 2008 domain controller in
the forest, you must prepare the forest for Windows Server 2008 by extending
the schema on the schema operations master. To extend the schema, run
adprep /forestprep. The adprep tool is located on the Windows Server 2008
installation media.
• If the domain controller is the first Windows Server 2008 domain controller in
a Windows 2000 Server domain, you must first prepare the domain by
running adprep /domainprep /gpprep on the infrastructure master. The
gpprep switch adds inheritable access control entries (ACEs) to the Group
Policy Objects (GPOs) that are located in the SYSVOL shared folder and
synchronizes the SYSVOL shared folder among the domain controllers in the domain.
• If the domain controller is the first Windows Server 2008 domain controller in
a Windows Server 2003 domain, you must prepare the domain by running
adprep /domainprep on the infrastructure master.
• After you install a writeable domain controller, you can install an RODC in the
Windows Server 2003 forest. Before doing this, you must prepare the forest by
running adprep /rodcprep. You can run adprep /rodcprep on any computer in
the forest. If the RODC will be a global catalog server, then you must run
adprep /domainprep in all domains in the forest, regardless of whether the
domain runs a Windows Server 2008 domain controller. By running adprep
/domainprep in all domains, the RODC can replicate global catalog data from
all domains in the forest and then advertise as a global catalog server.

Additional Reading
• Active Directory Domain Services Help: Installing Active Directory Domain
Services
• Microsoft Technet article: Installing a New Windows Server 2008 Forest
• Microsoft Technet article: Scenarios for Installing AD DS


Installing AD DS on a Server Core Computer

Key Points
To install AD DS on a Windows Server 2008 computer running Server Core, you
must use an unattended setup. Windows Server 2008 Server Core does not
provide a graphical user interface (GUI) so you cannot run the Active Directory
Domain Services installation wizard.
To perform an unattended install of AD DS, use an answer file and the following
syntax with the Dcpromo command:
Dcpromo /answer[:filename]
where filename is the name of your answer file.
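An unattended RODC promotion laid out as a PowerShell script, added here as an example (not from the courseware or from Microsoft). Windows Server 2008 Server Core does not include PowerShell, so the script is meant to run on a management computer: it writes the answer file with restricted permissions and prints the Dcpromo command to type on the Server Core console after the file is copied there. Assumptions: the domain, site, source domain controller and account names are the lab's (WoodgroveBank.com, Default-First-Site-Name, NYC-DC1, Axel), and the [DCInstall] keys are taken to match the Appendix of Unattended Installation Parameters listed under Additional Reading; verify them against it before use.

```powershell
# Added example, not part of the 6425A courseware. Builds a Dcpromo answer file for an
# unattended RODC promotion and prints the command to run on the Server Core console.
# Assumptions: WoodgroveBank.com / Default-First-Site-Name / NYC-DC1 / Axel are the lab
# names; the [DCInstall] keys follow Microsoft's unattended installation appendix.

function ConvertFrom-SecureToPlain {
    # Dcpromo needs the passwords in clear text inside the file, so convert only at the
    # moment of writing and free the unmanaged copy immediately afterwards.
    param([Security.SecureString] $Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function New-RodcAnswerFile {
    param(
        [string] $Path,
        [string] $DomainDnsName,          # domain the RODC joins, e.g. WoodgroveBank.com
        [string] $SourceDc,               # writeable Windows Server 2008 DC to replicate from
        [string] $SiteName,
        [string] $UserDomain,
        [string] $UserName,               # account permitted to add the RODC
        [Security.SecureString] $UserPassword,
        [Security.SecureString] $DsrmPassword
    )
    $lines = @(
        '[DCInstall]',
        'ReplicaOrNewDomain=ReadOnlyReplica',     # RODC rather than a writeable replica
        "ReplicaDomainDNSName=$DomainDnsName",
        "ReplicationSourceDC=$SourceDc",
        "SiteName=$SiteName",
        'InstallDNS=Yes',                        # the RODC also hosts DNS, as in the lab
        'ConfirmGc=Yes',
        'CreateDNSDelegation=No',
        "UserDomain=$UserDomain",
        "UserName=$UserName",
        "Password=$(ConvertFrom-SecureToPlain $UserPassword)",
        'DatabasePath="C:\Windows\NTDS"',
        'LogPath="C:\Windows\NTDS"',
        'SYSVOLPath="C:\Windows\SYSVOL"',
        "SafeModeAdminPassword=$(ConvertFrom-SecureToPlain $DsrmPassword)",
        'RebootOnCompletion=Yes'
    )
    # The file carries two clear-text passwords: write it, then drop inherited ACEs so
    # that only the current account can read it. Dcpromo blanks the password values
    # after reading them; delete the file anyway once the promotion has finished.
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    & icacls $Path /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null
    return $Path
}

# --- usage --------------------------------------------------------------------------
$cred = Get-Credential 'WoodgroveBank\Axel'      # prompts for Axel's password
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$file = New-RodcAnswerFile -Path 'C:\Staging\rodc-answer.txt' `
            -DomainDnsName 'WoodgroveBank.com' -SourceDc 'NYC-DC1.WoodgroveBank.com' `
            -SiteName 'Default-First-Site-Name' -UserDomain 'WoodgroveBank' -UserName 'Axel' `
            -UserPassword $cred.Password -DsrmPassword $dsrm

# Copy $file to the Server Core computer, then on its console (cmd.exe) run:
Write-Host 'dcpromo /answer:C:\rodc-answer.txt'
```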

Additional Reading
• Microsoft Technet article: Appendix of Unattended Installation Parameters


Discussion: Common Configuration for AD DS

Key Points
After installing a domain controller, you may need to perform additional tasks in
your environment. You can access checklists for the following common
configurations for AD DS in Server Manager, under Resources and Support.

Additional Reading
• AD DS Help: Common Configurations for Active Directory Domain Services


Lesson 2:
Deploying Read-Only Domain
Controllers

One of the important new features in Windows Server 2008 is the option to use
read-only domain controllers (RODCs). RODCs provide all of the functionality that
clients require while providing additional security for domain controllers deployed
in branch offices. When configuring RODCs, you can specify which user account
passwords will be cached on the server and configure delegated administrative
permissions for the domain controller. This lesson describes how to install and
configure RODCs.


What Is a Read-Only Domain Controller?

Key Points
An RODC is a new type of domain controller that Windows Server 2008 supports.
An RODC hosts read-only partitions of the AD DS database. This means that no
changes can ever be made to the database copy that the RODC stores, and all AD
DS replication uses a one-way connection from a domain controller that has a
writeable database copy to the RODC.

Additional Reading
• Microsoft Technet article: AD DS: Read-Only Domain Controllers


Read-Only Domain Controller Features

Key Points
See the list on the slide.

Additional Reading
• Microsoft Technet article: AD DS: Read-Only Domain Controllers
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3


Preparing to Install the RODC

Key Points
Before you can install an RODC, you must prepare the AD DS environment by
completing the following steps:
• Configure the domain and forest functional level
• Plan for Windows Server 2008 domain controller availability
• Prepare the forest and domain

Additional Reading
• AD DS Help: Delegate read-only domain controller installation and
administration
• Microsoft Technet article: AD DS: Read-Only Domain Controllers
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3


Installing the RODC

Key Points
The RODC installation is almost identical to the installation of AD DS on a domain
controller with a writeable copy of the database. However, there are a few extra
steps.

Additional Reading
• AD DS Help: Delegate read-only domain controller installation and
administration
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3


Delegating the RODC Installation

Key Points
You can delegate the installation of an RODC by performing a two-stage
installation.

Question: What are the benefits of delegating an RODC installation?

Additional Reading
• AD DS Help: Delegate read-only domain controller installation and
administration
• Microsoft Technet article: AD DS: Read-Only Domain Controllers
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3


What Are Password Replication Policies?

Key Points
When you deploy an RODC, you can configure a Password Replication Policy for the
RODC.
The Password Replication Policy acts as an access control list (ACL) that
determines whether the RODC is permitted to cache a password.
The Password Replication Policy lists the accounts that you explicitly allow to be
cached and those that you do not. The password for an account is not actually
cached on the RODC until after the first time the user or computer account is
authenticated through the RODC.
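The policy described above can be read and changed on the RODC's computer object, where it is stored in two attributes; the following PowerShell is an added example (not the courseware's own code) that audits the Allowed and Denied lists of the lab's TOR-DC1, lists the accounts that have authenticated through it, and adds a group to the Allowed list only when the addition would actually take effect. The RODC DN and the Toronto group DN are assumed lab values (the group name is a placeholder).

```powershell
# Added example, not part of the 6425A courseware. Audits and extends the Password
# Replication Policy of an RODC through ADSI. Assumptions: the RODC is the lab's TOR-DC1
# in WoodgroveBank.com, and the script runs on a writeable domain controller or a
# management computer with permission to modify the RODC's computer object.

$RodcDn = 'CN=TOR-DC1,OU=Domain Controllers,DC=WoodgroveBank,DC=com'

function Get-RodcPasswordPolicy {
    param([string] $ComputerDn)
    $rodc = [ADSI] "LDAP://$ComputerDn"
    # The PRP lives on the RODC's computer object as two DN-valued attributes:
    # msDS-RevealOnDemandGroup (Allowed) and msDS-NeverRevealGroup (Denied).
    $allowed = @($rodc.psbase.Properties['msDS-RevealOnDemandGroup'])
    $denied  = @($rodc.psbase.Properties['msDS-NeverRevealGroup'])
    # Back-link maintained by the RODC: accounts that have authenticated through it.
    # (Accounts whose secrets were actually replicated are listed in msDS-RevealedList;
    # an account appears there only after its first authentication through the RODC.)
    $authenticated = @($rodc.psbase.Properties['msDS-AuthenticatedToAccountlist'])
    New-Object PSObject -Property @{
        Rodc = $ComputerDn; Allowed = $allowed; Denied = $denied
        AuthenticatedThrough = $authenticated
    }
}

function Add-RodcAllowedGroup {
    # Adds a group to the Allowed list. An entry in the Denied list overrides any
    # Allowed entry, so the function refuses a change that could never take effect.
    param([string] $ComputerDn, [string] $GroupDn)
    $rodc    = [ADSI] "LDAP://$ComputerDn"
    $denied  = @($rodc.psbase.Properties['msDS-NeverRevealGroup'])
    $allowed = @($rodc.psbase.Properties['msDS-RevealOnDemandGroup'])
    if ($denied -contains $GroupDn) {
        throw "$GroupDn is in the Denied list, which wins over Allowed; remove it there first."
    }
    if ($allowed -contains $GroupDn) { return $false }    # already allowed, nothing to do
    $rodc.psbase.Properties['msDS-RevealOnDemandGroup'].Add($GroupDn) | Out-Null
    $rodc.psbase.CommitChanges()
    return $true
}

# --- usage --------------------------------------------------------------------------
$policy = Get-RodcPasswordPolicy -ComputerDn $RodcDn
'Allowed:';  $policy.Allowed
'Denied:';   $policy.Denied
'Authenticated through TOR-DC1:'; $policy.AuthenticatedThrough

# Lab exercise 2, task 5: allow caching for a Toronto group (placeholder group DN).
Add-RodcAllowedGroup -ComputerDn $RodcDn -GroupDn 'CN=Toronto Users,OU=Toronto,DC=WoodgroveBank,DC=com'
```

The Denied list is where accounts such as the administrators and executives from the demonstration question belong, because a Denied entry overrides any Allowed entry that also covers the account.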

Additional Reading
• AD DS Online Help: Specify Password Replication Policy


Demonstration: Configuring Administrator Role Separation and Password Replication Policies

Questions: What is an alternative way to configure administrator role separation
and password replication policies?
Your organization has deployed two RODCs. How would you configure the
password replication policy if you wanted the credentials for all user accounts and
computer accounts except for administrators and executives to be cached on both
RODCs?

Additional Reading
• AD DS Help: Specify Password Replication Policy


Lesson 3:
Configuring AD DS Domain Controller
Roles

All domain controllers in a domain are essentially equal, meaning they all contain
the same data and provide the same services. However, you also can assign special
roles to domain controllers to provide additional services or address scenarios in
which only one domain controller should provide services at any given time. This
lesson describes how to configure and manage global catalog servers and
operations masters.


What Are Global Catalog Servers?

Key Points
The global catalog is a partial, read-only replica of all domain directory partitions in
a forest. The global catalog is a partial replica because it includes only a limited set
of attributes for each of the forest’s objects. By including only the attributes that are
used the most for searching, the database of a single global catalog server can
represent every object in every domain in the forest.
The global catalog server hosts the global catalog and its domain information.
Active Directory automatically configures the first domain controller in the forest as
a global catalog server. You can add global catalog functionality to other domain
controllers or change the default location of the global catalog to another domain
controller.

Additional Reading
• Microsoft Technet article: Domain Controller Roles


Modifying the Global Catalog

Key Points
Sometimes you may want to customize the global catalog server to include
additional attributes. By default, for every object in the forest, the global catalog
server contains an object’s most common attributes. Applications and users can
query these attributes. For example, you can find a user by first name, last name,
e-mail address, or other common properties.

Additional Reading
• Microsoft Technet article: Domain Controller Roles (Global Catalog Partial
Attribute Set section)


Demonstration: Configuring Global Catalog Servers

Questions: What types of errors or user experiences would lead you to investigate
whether you needed to configure another server as a global catalog server?

What are reasons why you would choose to replicate an attribute to the global
catalog?

Additional Reading
• Microsoft Technet article: To add an attribute to the global catalog


What Are Operations Master Roles?

Key Points
Active Directory is designed as a multimaster replication system. However, for
certain directory operations, only a single authoritative server is required. The
domain controllers that perform specific roles are known as operations masters.
The domain controllers that hold operations master roles are designated to
perform specific tasks to ensure consistency and to eliminate the potential for
conflicting entries in the Active Directory database.

Additional Reading
• Microsoft Technet article: To add an attribute to the global catalog


Demonstration: Managing Operation Master Roles

Questions: Under what circumstances might you need to seize an operations
master role immediately rather than wait a few hours for a domain controller
currently holding the role to be repaired?

You are deploying the first domain controller in a new domain that will be a new
domain tree in the WoodgroveBank.com forest. What operations master roles will
this server hold by default?

Additional Reading
• Microsoft Technet article: Manage Operations Master Roles


How Windows Time Service Works

Key Points
The Windows Time service, also known as W32Time, synchronizes the date and
time for all computers running on a Windows Server 2008 network. The Windows
Time service uses the Network Time Protocol (NTP) to ensure highly accurate time
settings throughout your network. You also can integrate the Windows Time
service with external time sources.
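As an added example (not part of the courseware), the PowerShell below serves two earlier topics at once: it locates the five operations masters through ADSI, which is where the upgrade steps adprep /forestprep and adprep /domainprep have to run, and it configures the external time source only when run on the PDC emulator of the forest root domain, the one domain controller that should take time from outside the forest. The NTP peer name is an example value, and the forest root is assumed to be the lab's WoodgroveBank.com.

```powershell
# Added example, not part of the 6425A courseware. Locates the five operations masters
# through ADSI and uses the result for the role-bound actions in this module:
# adprep /forestprep (schema master) and adprep /domainprep (infrastructure master)
# from the upgrade topic, and the forest time source, which is configured on the
# PDC emulator of the forest root domain. Assumptions: run inside the forest root
# domain (WoodgroveBank.com in the lab); the NTP peer below is an example value.

function Get-OperationsMasters {
    $root = [ADSI] 'LDAP://RootDSE'
    $dom  = [string] $root.defaultNamingContext
    $cfg  = [string] $root.configurationNamingContext
    $sch  = [string] $root.schemaNamingContext
    # Each role is the fSMORoleOwner attribute of one well-known object; its value is
    # the DN of the holder's NTDS Settings object, whose parent is the server object.
    $roleObjects = @{
        'PDC emulator'          = "LDAP://$dom"
        'RID master'            = "LDAP://CN=RID Manager`$,CN=System,$dom"
        'Infrastructure master' = "LDAP://CN=Infrastructure,$dom"
        'Domain naming master'  = "LDAP://CN=Partitions,$cfg"
        'Schema master'         = "LDAP://$sch"
    }
    $masters = @{}
    foreach ($role in $roleObjects.Keys) {
        $owner  = [string] ([ADSI] $roleObjects[$role]).fSMORoleOwner
        $server = ([ADSI] "LDAP://$owner").psbase.Parent
        $masters[$role] = [string] $server.psbase.Properties['dNSHostName'].Value
    }
    return $masters
}

function Get-LocalFqdn {
    return [Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
}

function Set-ForestTimeSource {
    # Only the forest root PDC emulator syncs from external NTP servers; every other
    # domain controller follows the domain hierarchy automatically. ",0x8" tells w32tm
    # to use client mode for the peer; /reliable:yes advertises this DC as a good source.
    param([string] $PeerList = 'time.windows.com,0x8')
    $pdc = (Get-OperationsMasters)['PDC emulator']
    $me  = Get-LocalFqdn
    if ($pdc -ne $me) { throw "Run this on the PDC emulator ($pdc); this computer is $me." }
    & w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:manual /reliable:yes /update
    & w32tm /resync
    & w32tm /query /status
}

# --- usage --------------------------------------------------------------------------
$masters = Get-OperationsMasters
$masters
'adprep /forestprep must run on the schema master:         ' + $masters['Schema master']
'adprep /domainprep must run on the infrastructure master: ' + $masters['Infrastructure master']
'The forest time source is configured on the PDC emulator: ' + $masters['PDC emulator']
# Set-ForestTimeSource        # run on the PDC emulator once the peer list is decided
```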

Additional Reading
• Microsoft Technet article: Windows Time Service Technical Reference
• Microsoft Technet article: Configuring a time source for the forest


Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles

Scenario:
Woodgrove Bank has begun their deployment of Windows Server 2008. The
organization has deployed several domain controllers at the corporate
headquarters and is preparing to deploy domain controllers in several branch
offices. The Enterprise Administrator created a design that requires read-only
domain controllers to be deployed on servers running Windows Server 2008 in all
branch offices. Your task is to deploy a domain controller in a branch office that
meets these requirements.


Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC
Woodgrove Bank has begun its deployment of Windows Server 2008. The
organization has deployed several domain controllers at the corporate
headquarters and is now preparing to deploy domain controllers in several of the
branch offices. The Enterprise Administrator has created a design that requires
read-only domain controllers to be deployed on servers running Windows Server
2008 in all branch offices.
Your task is to deploy a domain controller in a branch office that meets these
requirements.

Note: Due to the limitations of the virtual lab environment, you will be installing the
RODC in the same site as the existing domain controllers. In a production
environment, you would complete the same steps even if the RODC was in a
different site.

The main tasks are as follows:
1. Start 6425A-NYC-DC1 and log on as Administrator.
2. Start 6425A-NYC-DC2 and log on as Administrator.
3. Start 6425A-NYC-SVR1 and log on as Administrator.
4. Verify that the forest and domain functional levels are compatible with an RODC
deployment.
5. Verify the availability of a writeable domain controller running Windows
Server 2008.
6. Configure the computer account settings for the RODC.

Task 1: Start 6425A-NYC-DC1 and log on as Administrator
• Start 6425A-NYC-DC1 and log on as Administrator using the password
Pa$$w0rd.


Task 2: Start 6425A-NYC-DC2 and log on as Administrator
• Start 6425A-NYC-DC2 and log on as Administrator using the password
Pa$$w0rd.

Task 3: Start 6425A-NYC-SVR1 and log on as Administrator
• Start 6425A-NYC-SVR1 and log on as Administrator using the password
Pa$$w0rd.

Task 4: Verify that the forest and domain functional levels are compatible
with an RODC deployment
1. On NYC-DC1, open Active Directory Users and Computers.
2. Right-click WoodgroveBank.com and verify that the domain functional level
and the forest functional level are set to Windows Server 2003.

Task 5: Verify the availability of a writeable domain controller running
Windows Server 2008
1. In Active Directory Users and Computers, check the properties for NYC-DC1.
2. Verify that the operating system name is Windows Server 2008 Enterprise.

Task 6: Configure the computer account settings for the RODC
1. On NYC-SVR1, open Server Manager.
2. Click Change System Properties, and on the Computer Name tab, change the
computer name to TOR-DC1.
3. Restart the computer.

Result: At the end of this exercise, you will have verified that the domain and the
computer are ready to install an RODC.


Exercise 2: Installing and Configuring an RODC
You will install the RODC server role on the Windows Server 2008 computer. To
do this, you will prestage the computer account that the RODC will use. As part of
the prestaging, you will configure an administrative group with permissions to
install the domain controller.
After the installation is complete, you will verify that the installation completed
successfully. You also will configure password-replication policies for users that log
on to the domain controller.
The main tasks are as follows:
1. Pre-stage the computer account for the RODC.
2. Log on to TOR-DC1 as Administrator.
3. Install the RODC using the existing account. Use WoodgroveBank\Axel as the
account with credentials to perform the installation.
4. Verify the successful installation of the domain controller.
5. Configure a password replication policy that enables credential caching for all
user accounts in Toronto.

Task 1: Pre-stage the computer account for the RODC
1. On NYC-DC1, open Active Directory Users and Computers.
2. Right-click the Domain Controllers organizational unit and click Pre-create
Read-only Domain Controller account.
3. Complete the Active Directory Domain Services Installation Wizard using the
following selections:
a. Use advanced mode installation
b. Use the current credentials.
c. Computer name: TOR-DC1
d. Default site
e. Install only the DNS and RODC options
f. Delegate permission to install the RODC to Axel Delgado


Task 2: Log on to TOR-DC1 as Administrator
• Log on as Administrator using the password Pa$$w0rd.

Task 3: Install the RODC using the existing account. Use
WoodgroveBank\Axel as the account with credentials to perform the
installation
1. On TOR-DC1, open a command prompt, type dcpromo
/UseExistingAccount:Attach, and then press ENTER.
2. Complete the Active Directory Domain Services Installation Wizard using the
following selections:
a. Use advanced mode installation
b. Provide Axel as the alternative credential
c. Use TOR-DC1 as the computer name
d. Use NYC-DC1.WoodgroveBank.com as the source domain controller
e. Accept the default location for the Database, Log Files, and SYSVOL files.
f. Use Pa$$w0rd as the Directory Services Restore Mode Administrator
Password
3. Reboot the computer when the installation finishes.

Task 4: Verify the successful installation of the domain controller
1. After TOR-DC1 (the renamed NYC-SVR1) restarts, log on as Axel with a password
of Pa$$w0rd.
2. In Server Manager, verify that Active Directory Domain Services server role is
installed.
3. Verify that all required services are running.
4. In Active Directory Users and Computers, verify that TOR-DC1 is listed in
the Domain Controllers organizational unit.
5. Verify that you do not have permission to add or remove domain objects.
6. In Active Directory Sites and Services, verify that TOR-DC1 is listed in the
Servers list for the Default-First-Site-Name.
7. Check the NTDS Settings for TOR-DC1. Confirm that connection objects have
been created.
8. Check the NTDS Settings for NYC-DC1. Confirm that no connection objects
have been created for replication with TOR-DC1.
9. Open Event Viewer. In the Directory Service log, locate and view a message
with an event ID of 1128. This event ID verifies that a replication connection
object has been created between NYC-DC1 and TOR-DC1.

Task 5: Configure a password replication policy that enables credential
caching for all user accounts in Toronto
1. On NYC-DC1, in Active Directory Users and Computers, access the TOR-
DC1 Properties dialog box.
2. Add all of the Toronto groups to the Password replication policy.

Result: At the end of this exercise, you will have installed an RODC and configured
its password replication policy.


Exercise 3: Configuring AD DS Domain Controller Roles
You will configure the RODC installed in the previous exercise as a global catalog
server. You also will assign operation master roles to an additional domain
controller in the domain.
The main tasks are as follows:
1. Use Active Directory Sites and Services to configure TOR-DC1 as a global
catalog server.
2. Configure NYC-DC2 as the infrastructure master and domain naming master
for the WoodgroveBank.com domain.
3. Add the Department attribute to the global catalog.
4. Shut down all virtual machines.

Task 1: Use Active Directory Sites and Services to configure TOR-DC1
as a global catalog server
1. On NYC-DC1, in Active Directory Sites and Services, locate the TOR-DC1
computer account.
2. Access the NTDS Settings, and select the Global Catalog check box.

Task 2: Configure NYC-DC2 as the infrastructure master and domain
naming master for the WoodgroveBank.com domain
1. On NYC-DC1, in Active Directory Users and Computers, change the
console’s focus to NYC-DC1.WoodgroveBank.com and then click OK.
2. Right-click WoodgroveBank.com, and then click Operations Masters.
Transfer the infrastructure master role to NYC-DC2.WoodgroveBank.com.
3. On NYC-DC2, open Active Directory Domains and Trusts. Access the
Operations Master settings and transfer the domain naming operations
master role to NYC-DC2.


Task 3: Add the Department attribute to the global catalog
1. On NYC-DC1, run regsvr32 schmmgmt.dll to register the Active Directory
Schema snap-in.
2. Create a new MMC and add the Active Directory Schema snap-in.
3. In the Active Directory Schema, access the Department attribute and
configure the attribute to replicate to the Global Catalog.

Task 4: Shut down all virtual machines and discard any changes

Result: At the end of this exercise, you will have configured a global catalog server and
configured AD DS domain controller roles.


Module Review and Takeaways

Review Questions
1. You are deploying a domain controller in a branch office. The branch office
does not have a highly secure server room so you are concerned about the
security of the server. What two Windows Server 2008 features can you take
advantage of to enhance the security of the domain controller deployment?
2. You must create a new domain by installing a domain controller in your Active
Directory infrastructure. You are reviewing the inventory list of available
servers for this purpose. Which of the following computers could be used as a
domain controller?
A. Windows Server 2008 Web Edition, NTFS file system, 1 gigabyte (GB)
free hard disk space, TCP/IP.
B. Windows Server 2008 Enterprise Edition, NTFS file system, 500
megabytes (MB) free hard disk space, TCP/IP.
C. Windows Server 2008 Server Core Enterprise Edition, NTFS file system,
1 GB free hard disk space, TCP/IP.
D. Windows Server 2008 Standard Edition, NTFS file system, 500 MB free
hard disk space, TCP/IP.
3. You are deploying an RODC in a branch office. You need to ensure that all users
in the branch office can authenticate even if the WAN connection from the
branch office is not available. Only the users who normally log on in the
branch office should be able to do this. How would you configure the
password replication policy?
4. You need to install a domain controller by using the install from media option.
What steps do you need to take to complete this process?
5. Will you be deploying RODCs in your AD DS environment? Describe the
deployment scenario.
6. You are deploying a domain controller in a branch office. The office has a
WAN connection to the main office that has very little available bandwidth and
is not very reliable. Should you configure the branch office domain controller
as a global catalog server?

Considerations
Keep the following considerations in mind when you are implementing RODCs
and managing domain controller roles:
• You can install the AD DS Server role on all Windows Server 2008 editions
except Windows Server 2008 Web Server Edition.
• Consider installing an RODC on a Windows Server 2008 Server Core computer
to provide additional security for your domain environment.
• To install AD DS on a Server Core computer, you must use an unattended
installation.
• Plan the password replication policies carefully in your organization. If you
enable credential caching for most of the accounts in your domain, you will
increase the impact to your organization if the RODC is compromised. If you
do not enable any credential caching, you increase the impact to the branch
office location if the WAN link to the main office is not available.
• In most cases, deploying a global catalog server in a site will improve the logon
experience for users. However, deploying a global catalog in a remote office
also increases the network bandwidth that replication uses.
• Operation master roles provide important services on a network but the
services are not usually time critical. Most of the time, if a domain controller
holding an operation master role fails, you do not immediately need to seize
the role to another domain controller if the failed server can be repaired within
a few hours.


Module 2
Configuring Domain Name Service for
Active Directory® Domain Services
Contents:
Lesson 1: Overview of Active Directory Domain Services and
DNS Integration 2-3
Lesson 2: Configuring Active Directory Integrated Zones 2-11
Lesson 3: Configuring Read-Only DNS Zones 2-19
Lab: Configuring AD DS and DNS Integration 2-23


Module Overview

Domain Name System (DNS) is an integral part of Active Directory® for Windows
Server® 2008. By understanding the relationship between these applications, you
can troubleshoot Active Directory® and increase security, while providing clients
with the full functionality of DNS.


Lesson 1:
Overview of Active Directory Domain Services
and DNS Integration

Windows Server 2008 requires that a DNS infrastructure is in place before you
install Active Directory. Understanding how DNS and Active Directory are
integrated, and how client computers use DNS during logon, will help you resolve
problems related to DNS, such as client logon issues.


Active Directory Domain Services and DNS Namespace Integration

Key Points
Domains and computers are represented by resource records in the DNS
namespace and by Active Directory objects in the Active Directory namespace. All
Active Directory domains must have corresponding DNS domains with identical
domain names. Clients rely on DNS to resolve computer host names to IP
addresses in order to locate domain controllers and other computers that provide
Active Directory and other network services.
Active Directory requires DNS, but not any particular type of DNS server.
Therefore, there may be multiple DNS servers of different types.

Question: What is the relationship between Active Directory domain names and
DNS zone names?


Additional Reading
• Active Directory integration
• DNS integration


What Are Service Resource Locator Records?

Key Points
For Active Directory to function properly, client computers must be able to locate
servers that provide specific services, such as authenticating logon requests and
providing Telnet or Session Initiation Protocol (SIP) services. Active Directory
clients and domain controllers use Service (SRV) resource records to determine the
IP addresses of computers that provide those services. Also, Active Directory site-
aware applications, such as Microsoft® Exchange, use SRV resource records.

Question: Given the following two SRV resource records, which record will a
client querying for a SIP service use?

• _sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.
• _sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.
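To show how a client decides between such records, here is an added PowerShell implementation of the RFC 2782 selection rule (it is not code from the courseware): lower priority values are tried first, and among records with the same priority the target is chosen at random in proportion to its weight. The third record in the sample input is constructed so that the two priority-50 targets compete on weight.

```powershell
# Added example, not part of the 6425A courseware. RFC 2782 target selection for SRV
# records, as a DNS client applies it: lowest priority first; equal priorities are
# resolved by a weighted random choice. Input lines use the zone-file form shown above.

function ConvertFrom-SrvRecord {
    param([string] $Line)
    # Example: "_sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com."
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -ne 8 -or $f[3] -ne 'SRV') { throw "Not an SRV record: $Line" }
    New-Object PSObject -Property @{
        Name = $f[0]; Ttl = [int] $f[1]; Priority = [int] $f[4]
        Weight = [int] $f[5]; Port = [int] $f[6]; Target = $f[7].TrimEnd('.')
    }
}

function Select-SrvTargets {
    # Returns the records in the order a client should try them.
    param([object[]] $Records, [System.Random] $Rng = (New-Object System.Random))
    $ordered = @()
    foreach ($group in ($Records | Group-Object Priority | Sort-Object { [int] $_.Name })) {
        $pool = @($group.Group)
        while ($pool.Count -gt 0) {
            # RFC 2782: put weight-0 records first, draw a number in [0, sum of weights],
            # and take the first record whose running sum reaches it. Weight-0 records
            # therefore win only when no record with a positive weight remains.
            $pool  = @($pool | Sort-Object { if ($_.Weight -eq 0) { 0 } else { 1 } })
            $total = [int] ($pool | Measure-Object -Property Weight -Sum).Sum
            $pick  = $Rng.Next(0, $total + 1)
            $run = 0; $chosen = $null
            foreach ($r in $pool) {
                $run += $r.Weight
                if ($run -ge $pick) { $chosen = $r; break }
            }
            $ordered += $chosen
            # A record is identified by target and port; drop the one just ordered.
            $pool = @($pool | Where-Object { $_.Target -ne $chosen.Target -or $_.Port -ne $chosen.Port })
        }
    }
    return $ordered
}

# --- usage: the two records from the question plus one constructed priority-50 record ----
$lines = @(
    '_sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.',
    '_sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.',
    '_sip._tcp.example.com. 86400 IN SRV 50 80 5060 Lcs3.contoso.com.'
)
$records = $lines | ForEach-Object { ConvertFrom-SrvRecord $_ }
(Select-SrvTargets $records | ForEach-Object { $_.Target }) -join ' -> '
# Lcs1 is always first (priority 10 beats 50). Among the priority-50 pair, Lcs3 comes
# before Lcs2 about four times in five (weight 80 against 20).
```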


Additional Reading
• Managing resource records
• RFC 2782 - A DNS RR for specifying the location of services (DNS SRV)


Demonstration: SRV Resource Records Registered by AD DS Domain Controllers

Questions: What is the benefit of replicating the _msdcs zone to the entire forest?

How could one SRV resource record be given preference over another?


How Service Resource Locator Records Are Used

Key Points
Domain client computers use the locator application programming interface (API)
to locate a domain controller by querying DNS. If SRV resource records are not
available to identify domain controllers, logons may fail. All computers, including
both workstations such as the Windows® XP Professional operating system and
Windows Vista® operating system, and servers such as the Windows Server® 2003
operating systems and the Windows Server 2008 operating systems, use the same
process to locate domain controllers.

Additional Reading
• How Domain Controllers Are Located in Windows XP
• Domain Controller Location Process


Integration of Service Locator Records and Active Directory Sites

Key Points
During a search for a domain controller, the Locator attempts to find a domain
controller in the site closest to the client. The domain controller uses the
information stored in Active Directory to determine the closest site. In most cases,
the domain controller that first responds to the client will be in the same site as the
client. But in cases where a computer has physically moved to a different site, or
the domain controller in the local site is unavailable, there is a process to find a
different domain controller.
During Net Logon startup, the Net Logon service on each domain controller
enumerates the site objects in the Configuration container. Net Logon uses the site
information to build an in-memory structure that is used to map IP addresses to
site names.
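The in-memory structure Net Logon builds is, in effect, a longest-prefix match from the subnet objects in the Configuration container to site names. The Python below is an added example that is not part of the course; it uses a constructed set of subnet-to-site assignments (hypothetical values for Woodgrove Bank) and then shows the site-specific and domain-wide locator SRV names a client would query, in that order. A client whose address falls in no defined subnet gets no site and falls through to the domain-wide record, so it may authenticate against a domain controller anywhere in the domain; keeping subnet objects complete is therefore both a performance and a hygiene item.

```python
"""Mapping client IP addresses to Active Directory sites (added example)."""
import ipaddress
from typing import Dict, List, Optional

# Constructed subnet objects, as an administrator would define them under
# Active Directory Sites and Services. Hypothetical values, not from the course.
SUBNET_OBJECTS: Dict[str, str] = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.10.0.0/16": "NYC",
    "10.10.5.0/24": "NYC-Floor5",
    "10.20.0.0/16": "MIA",
    "2001:db8:10::/48": "NYC",
}


class SiteMap:
    """Longest-prefix lookup from IP address to site name."""

    def __init__(self, subnet_objects: Dict[str, str]) -> None:
        parsed = [(ipaddress.ip_network(prefix, strict=True), site)
                  for prefix, site in subnet_objects.items()]
        # Most specific prefix first, so the first hit is the best hit.
        self._entries = sorted(parsed, key=lambda entry: entry[0].prefixlen,
                               reverse=True)

    def site_for(self, ip: str) -> Optional[str]:
        """Site name for an address, or None when no subnet object covers it."""
        addr = ipaddress.ip_address(ip)
        for network, site in self._entries:
            if addr.version == network.version and addr in network:
                return site
        return None


def locator_query_names(domain: str, site: Optional[str]) -> List[str]:
    """SRV names the DC locator queries for an LDAP-capable domain controller.

    The site-specific name under _sites is tried first when the client's
    site is known; the domain-wide name is the fallback and lists every DC.
    """
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def locate(ip: str, domain: str, site_map: SiteMap) -> List[str]:
    """Query names, in order, for a client at the given address."""
    return locator_query_names(domain, site_map.site_for(ip))


if __name__ == "__main__":
    site_map = SiteMap(SUBNET_OBJECTS)
    for client in ("10.10.5.20", "10.10.9.1", "10.99.1.1",
                   "192.168.1.1", "2001:db8:10::5"):
        print(f"{client:>16} -> site {site_map.site_for(client)!s:24} "
              f"first query {locate(client, 'woodgrovebank.com', site_map)[0]}")
```

The sort by prefix length is what makes 10.10.5.20 land in NYC-Floor5 rather than NYC or the /8 catch-all; a real deployment that has a broad catch-all subnet should expect every unplanned address range to be silently absorbed by it.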

Additional Reading
• Finding a Domain Controller in the Closest Site

Lesson 2:
Configuring Active Directory Integrated Zones

Integrating Active Directory and DNS zones can simplify DNS administration by
replicating DNS zone information as part of the Active Directory replication. It also
provides benefits like secure dynamic updates, and aging and scavenging of stale
resource records.

What Are Active Directory Integrated Zones?

Key Points
One benefit of integrating DNS and Active Directory is the ability to integrate DNS
zones into an Active Directory database. A zone is a portion of the domain
namespace that has a logical grouping of resource records, which allows zone
transfers of these records to operate as one unit.

Additional Reading
• Active Directory integration

What Are Application Partitions in AD DS?

Key Points

Three major partitions contain Active Directory information:


• The schema partition, which replicates schema information to the entire forest
• The configuration partition, which replicates information about the physical
structure to the entire forest
• The domain partition, which replicates domain information to all domain
controllers in a given domain

Additional Reading
• DNS zone replication in Active Directory

Options for Configuring Application Partitions for DNS

Key Points

You can change the scope of DNS replication anytime by using the DNS Microsoft
Management Console (MMC) or the DNSCMD command-line tool. You have the
following replication choices when using the DNS MMC:
• To all DNS servers in this forest
• To all DNS servers in this domain (this is the default storage location)
• To all domain controllers in this domain (this is the domain information
partition)
• To all domain controllers hosting a particular application partition

Additional Reading
• DNS zone replication in Active Directory

How Dynamic Updates Work

Key Points
Dynamic updates enable DNS client computers to register and dynamically update
their resource records with a DNS server whenever changes occur. This reduces
the need to administer zone records manually, especially for clients that frequently
move or change locations and that use Dynamic Host Configuration Protocol
(DHCP) to obtain an IP address.

Additional Reading
• Dynamic update

How Secure Dynamic DNS Updates Work

Key Points
Secure dynamic updates work like dynamic updates, with the following exception:
the authoritative name server accepts updates only from clients and servers that are
authenticated and joined to the Active Directory domain in which the DNS server
is located.
As the slide shows, the client first attempts a non-secure update. If that attempt
fails, the client then attempts to negotiate a secure update. If the client has been
authenticated to Active Directory, the update will succeed.

Question: What are the benefits of using Active Directory integrated DNS zones?

Demonstration: Configuring AD DS Integrated Zones

Questions: How could you prevent a computer from registering in the DNS
database?

What would be the implications of not allowing dynamic updates?

When using secure dynamic updates, how can you control which clients are
allowed to update DNS records?

How Background Zone Loading Works

Key Points
A DNS server running Windows Server 2008 loads zone data from Active Directory
in the background while it restarts so that it can respond to data requests from
other zones.

Additional Reading
• DNS Server Role

Lesson 3:
Configuring Read-Only DNS Zones

You can provide additional security by configuring read-only DNS zones -- while
clients still have the full functionality of the Active Directory name resolution --
because only an administrator can change read-only DNS zones. Unauthorized
personnel will not be able to alter records on the read-only domain controller
(RODC).

What Are Read-Only DNS Zones?

Key Points
When installing a Windows Server 2008 RODC you are prompted with DNS
Server installation options. The default option is to install a primary read-only form
of DNS Server locally on the RODC, which replicates the existing AD-integrated
zone for the domain specified and adds the local IP address as the preferred DNS
server in the local TCP/IP settings. This ensures that the DNS server running on
the RODC has a full read-only copy of any DNS zones.

Additional Reading
• DNS Server Role

How Read-Only DNS Works

Key Points
When a computer becomes an RODC, it replicates a full read-only copy of all
application directory partitions that DNS uses, including the domain partition,
ForestDNSZones, and DomainDNSZones. This ensures that the DNS server
running on the RODC has a full read-only copy of any DNS zones stored on a
centrally located domain controller in those directory partitions. The administrator
of an RODC can view the contents of a primary read-only zone. However, the
administrator can change the contents only by changing the zone on a DNS server
with a writable copy of the DNS database.
Question: How does RODC increase security?

Additional Reading
• DNS Server Role

Discussion: Comparing DNS Options for Branch Offices

Key Points
Answer the questions in a classroom discussion.

Additional Reading
• How DNS Works

Lab: Configuring AD DS and DNS Integration

Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has business relationships with two other
entities, Fabrikam Inc. and Contoso Inc. Woodgrove Bank has acquired copies of
the DNS zone files for these entities. All employees in the Woodgrove Bank forest
need access to the DNS records for Contoso Inc. Only employees in the
Woodgrove Bank domain need access to the DNS files for Fabrikam Inc. The
branch office of Woodgrove Bank has a read-only domain controller. This domain
controller will be configured to support the DNS server service and all forest-wide
and domain-wide DNS zones. The enterprise administrator has created a design
document for the DNS configuration. The design includes configuring AD DS
integrated zones, configuring DNS dynamic updates, and configuring read-only
DNS zones.

Exercise 1: Configuring Active Directory Integrated Zones


In this exercise, you will configure the DNS zones for the Woodgrove Bank
environment to meet the design requirements. You will verify the SRV resource
records that each domain controller has registered and create a new SRV resource
record to support the Telnet protocol. You also will modify DNS zones to examine
the difference between Active Directory integrated zones and standard zones, and
will configure dynamic updates and the scope of replication. You then will use the
ADSI Edit management console to view the DNS records stored in the domain
partition.
The main tasks are as follows:
1. Start the domain controller and log on as Administrator.
2. Examine the SRV resource records.
3. Create a new SRV resource record to support the Telnet protocol on NYC-
SRV2.
4. Create two new zones based on the zone files for Fabrikam and Contoso.
5. Configure the two new zones to be Active Directory integrated, and ensure that
no dynamic updates are allowed.
6. Configure the scope of replication for the Contoso zone to be forest wide and
the Fabrikam zone to be domain wide.
7. Use ADSI Edit.exe to view the Active Directory integrated DNS zones.

Task 1: Start NYC-DC1 and log on as Administrator

• Start NYC-DC1 and log on as Administrator with a password of Pa$$w0rd.

Task 2: Examine the SRV resource records

1. Open the DNS management console, expand the Forward Lookup Zones
and then click on _msdcs.woodgrovebank.com.
2. Expand the GC>_TCP folder.
3. Expand the DC>_TCP folder.
4. Open the Properties of the _msdcs.woodgrovebank.com.
5. Close the Properties page.

Task 3: Create a new SRV resource record to support the Telnet protocol on NYC-SRV2
1. Right click the _msdcs.woodgrovebank.com zone and then click Other New
Records.
2. Select the Service Location (SRV) record type and then click Create Record.
3. In the Service field, select _telnet from the drop-down list.
4. In the Host offering this service field, type NYC-SRV2.woodgrovebank.com
and then click OK.
5. Click Done.

Task 4: Create two new zones based on the zone files for Fabrikam and Contoso
1. Use Windows Explorer to copy the Contoso.com.dns and the
Fabrikam.com.dns files from D:\6425\Mod02\Labfiles to
C:\Windows\System32\DNS. Leave Windows Explorer open.
2. Use the DNS management console to create a new primary standard zone
named Contoso.com using the existing file Contoso.com.dns.
3. Create a new primary standard zone named Fabrikam.com using the existing
file Fabrikam.com.dns.

Task 5: Configure the Contoso and Fabrikam zones to be Active Directory integrated and ensure that no dynamic updates are allowed
1. Open the property page for Contoso.com.
2. Change the zone type to be stored in Active Directory.
3. Return to Windows Explorer. Notice the Contoso.com.dns zone file is no
longer in the DNS folder. It is now stored in Active Directory.
4. Return to the property page for the Woodgrovebank.com zone. Set Dynamic
updates to be None.
5. Repeat steps 1-4 for the Fabrikam.com zone.

Task 6: Configure the scope of replication for the Contoso zone to be forest wide and the Fabrikam zone to be domain wide
1. Open the property page for Contoso.com.
2. Change the replication scope to be To all DNS servers in this forest.
3. Open the property page for Fabrikam.com.
4. Ensure the scope of replication for the Fabrikam zone is To all DNS servers in
this domain.

Task 7: Use ADSI Edit.exe to view the Active Directory integrated DNS zones
1. From the Run command, launch adsiedit.msc.
2. Right click ADSI Edit and click Connect to…
3. In the Connection Point section, choose Select or type a Distinguished
Name or Naming Context.
4. Type DC=DomainDNSZones,DC=WoodgroveBank,DC=Com and then click
OK.
5. Expand the naming context and then expand CN=MicrosoftDNS and then
click DC=Woodgrovebank.com and examine the records.
6. Double click the record for NYC-DC1.
When was the record created?
7. Close all property pages and close the ADSI management console.

Result: At the end of this exercise, you will have created Active Directory integrated
DNS zones.

Exercise 2: Configuring Read-Only DNS Zones


In this lab, you will configure a read-only DNS zone on an RODC, and you will test
dynamic updates and administrative updates.
The main tasks are to configure a read-only DNS zone on the RODC to support
Fabrikam.
The main tasks are as follows:
1. Start and log on to MIA-RODC as Administrator.
2. Install the DNS Server service.
3. Configure the DNS server to support all domain-wide and forest-wide zones.
4. Shut down all virtual machines, and discard any changes.

Task 1: Start and log on to the MIA-RODC


• Start and log on to the read-only domain controller as Administrator with a
password of Pa$$w0rd.

Task 2: Install the DNS Server service

• Use the Start /w Ocsetup DNS-Server-Core-Role command to install the DNS server
role.

Task 3: Configure the DNS server to support all domain-wide and forest-wide zones
1. From the Command Prompt, type the following command:
Dnscmd /enlistdirectorypartition DomainDnsZones.woodgrovebank.com
2. Then type the following command.
Dnscmd /enlistdirectorypartition ForestDnsZones.woodgrovebank.com
3. Switch to NYC-DC1 and open the DNS management console.
4. Add the MIA-RODC computer to the DNS console and ensure that all DNS
zones appear.

Task 4: Shut down all virtual machines, and discard changes

Result: At the end of this exercise, you will have configured the DNS server to
support all domain-wide and forest-wide zones.

Module Review and Takeaways

Review Questions
1. How does a client computer determine what site it is in?
2. List at least three benefits of Active Directory integrated zones.
3. In the following example of two SRV resource records, which record will be
used by a client querying for a SIP service?
• _sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.
• _sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.
4. What permissions are required to create DNS application directory partitions?
5. What utilities are available to create application partitions?
6. What is the default state of dynamic updates for an Active Directory integrated
zone?
7. What is the default state of dynamic updates for a standard primary zone?
8. What groups have permission to perform secure dynamic updates?

Considerations
When configuring AD DS and DNS integration, keep the following considerations
in mind:
• Because of the dependency Windows Server 2008 and Active Directory clients
have on DNS, the first step in troubleshooting Active Directory issues often is
to troubleshoot DNS.
• Service locator records are critical to Active Directory functioning properly.
• Service locator records need to be highly available.
• Windows Server 2008 can operate with any compatible DNS server, but Active
Directory integrated zones provide additional features and security.
• Active Directory integrated zones can be replicated to domain wide or forest
wide, or to specific domain controllers via custom application partitions.
• Internal DNS records should be kept separate from public DNS records.
• Dynamic updates lighten the administrative overhead of maintaining the DNS
zone database.
• Dynamic updates can be limited to Authenticated Users.
• Background zone loading will reduce the time for DNS servers to become
available after a restart.
• You can use read-only DNS in conjunction with read-only domain controllers
to provide security while still providing required client functionality.

Configuring Active Directory® Objects and Trusts 3-1

Module 3
Configuring Active Directory® Objects and Trusts
Contents:
Lesson 1: Configuring Active Directory Objects 3-3
Lesson 2: Strategies for Using Groups 3-14
Lesson 3: Automating AD DS Object Management 3-20
Lab A: Configuring Active Directory Objects 3-28
Lesson 4: Delegating Administrative Access to AD DS Objects 3-42
Lesson 5: Configuring AD DS Trusts 3-50
Lab B: Configuring Active Directory Delegation 3-59

Module Overview

After the initial deployment of Active Directory® Domain Services (AD DS), the
most common tasks for an AD DS administrator are configuring and managing AD
DS objects. In most organizations, each employee is issued a user account, which is
added to one or more groups in Active Directory. The user and group accounts
enable access to Windows Server-based network resources such as Web sites,
mailboxes, and shared folders. This module describes how to perform many of
these administrative tasks and the options for delegating or automating these tasks.
This module also describes how to configure and manage Active Directory trusts.

Lesson 1:
Configuring Active Directory Objects

One of your primary tasks as a Windows Server® 2008 administrator is to manage
AD DS objects. In most organizations, the AD DS administrators are the only
people with appropriate permissions to create and modify these objects. This
lesson provides an overview of the objects that you can create in AD DS, and
describes how to create and configure these objects.

Types of AD DS Objects

Key Points
You can create several different types of objects in Active Directory.

Additional Reading
• Active Directory Users and Computers Help

Demonstration: Configuring AD DS User Accounts

Questions: How would you create several user objects with the same settings for
attributes such as department and office location?

Under what circumstances would you disable a user account rather than delete the
user account?

AD DS Group Types

Key Points
AD DS supports two group types.

Additional Reading
• Active Directory Users and Computers Help

AD DS Group Scopes

Key Points
Windows Server 2003 supports the group scopes shown on the slide.

Additional Reading
• Active Directory Users and Computers Help: Managing Groups

Default AD DS Groups

Key Points
Windows Server 2008 provides many built-in groups, which are created
automatically when you install an Active Directory domain. You can use built-in
groups to manage access to shared resources and to delegate specific Active
Directory administrative roles. For example, you could put the user account of an
AD DS administrator into the Account Operators group to allow the administrator
to create user accounts and groups.

Additional Reading
• Microsoft Technet Default Groups
• Active Directory Domain Services Technical Reference

AD DS Special Identities

Key Points
Servers running Windows Server 2008 include several special identities in addition
to the groups in the Users and Built-in containers. These identities generally are
referred to as special groups or special identities.

Additional Reading
• Microsoft Technet article: Special identities of ADM (Administrative Template)
Files in Windows

Discussion: Using Default Groups and Special Identities

Scenario
Woodgrove Bank has more than 100 servers worldwide. You must determine
whether you can use default groups or whether you must create groups, and then
assign specific user rights or permissions to the groups to perform the following
Administrative tasks.
You must assign default groups, special identities, or create new groups for the
following tasks. List the name of the default group that has the most restrictive
user rights for performing the following actions, or determine whether you must
create a new group:
1. Backing up and restoring domain controllers
2. Backing up, but not restoring, files on member servers
3. Creating groups in the Sales organizational unit
4. Granting access to a shared folder to which all Woodgrove Employees need
access

5. Granting administrative permissions to the user currently logged on to a client
computer without granting access to any other computers
6. Granting help-desk employees access to control the desktop remotely
7. Providing administrative access to all computers in the entire domain
8. Providing access to a shared folder named Data on a server named Den-SRV1
9. Managing the print queue of a specific print server’s printer
10. Configuring network settings on a member server

Demonstration: Configuring AD DS Group Accounts

Questions: What options are available for changing an AD DS group’s scope and
type?

What are the benefits of assigning group managers? Is this a setting that you would
configure in your organization?

Additional Reading
• Active Directory Users and Computers Help: Managing Groups

Demonstration: Configuring Additional AD DS Objects

Questions: What are the reasons why you would create organizational units?

What are the benefits and limitations of using printer objects and shared folder
objects in AD DS?

Additional Reading
• Active Directory Users and Computers Help

Lesson 2:
Strategies for Using Groups

AD DS groups are used to simplify AD DS management when assigning access to
resources. Rather than assigning access to resources by using user accounts, it is
much more efficient to add the users to groups and then assign access to the
groups. However, because of the variety of group options and AD DS deployment
options, you can use several different strategies when configuring groups.

Options for Assigning Access to Resources

Key Points
One of the primary reasons for creating users and groups in AD DS is so that users
can gain access to shared resources, such as shared folders, printers, Windows
SharePoint® Services sites, or applications.

Additional Reading
• Microsoft Technet article: Selecting a Resource Authorization Method

Using Account Groups to Assign Access to Resources

Key Points
When you use just account groups to assign access to resources, you add all user
accounts to the groups, and then assign the group a set of access permissions. For
example, an administrator can put all accounting user accounts into a global group
called GG-All Accountants and assign this group with permissions to a shared
resource. In a single domain environment, you can use domain local groups, global
groups, or universal groups to assign access to resources.

Additional Reading
• Microsoft Technet article: AG/ACL Method

Using Account Groups and Resource Groups

Key Points
When you use account groups and resource groups, you add users with similar
access requirements into account groups, and then add the account groups as
members to a resource group to which you granted specific resource-access
permissions.
This strategy provides the most flexibility while reducing the complexity of
assigning access permissions to the network. This method is used most commonly
by large organizations for controlling access to resources.

Additional Reading
• Microsoft Technet article: AG/RG Method

Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment

Read the scenarios, and create a plan for configuring groups and assigning access
to resources in each scenario.

Example 1
Contoso, Ltd., has a single domain that is located in Paris, France. Contoso, Ltd.,
managers need access to the Inventory database to perform their jobs.

Question: What do you do to ensure that the managers have access to the
Inventory database?

Example 2
Contoso, Ltd. has determined that all Accounting division personnel must have full
access to the accounting data. Also, Contoso, Ltd., executives must be able to view
the data. Contoso, Ltd. wants to create the group structure for the entire
Accounting division, which also includes the Accounts Payable and Accounts
Receivable departments.

Question: What do you do to ensure that the managers have the required access and that
there is a minimum of administration?

Example 3
Contoso, Ltd., has expanded to include operations in South America and Asia, and
now contains three domains: the Contoso.com domain, the Asia.contoso.com
domain, and the SA.contoso.com domain. You need to grant all IT managers,
across all domains, access to the Admin_tools shared folder in the Contoso
domain. You also need to grant the IT managers access to other resources in the
future.

Question: How can you achieve the desired result with the least amount of
administrative effort?

Lesson 3:
Automating AD DS Object Management

In most cases, you are likely to create and configure AD DS objects on an
individual basis. However, in some cases, you may need to create or modify the
configuration for many objects simultaneously. For example, if your organization
hires a large group of new employees, you may want to automate the new-accounts
configuration process. If your organization moves to a new location, you may want
to automate the task of assigning new addresses and phone numbers to all users.
This lesson describes how to manage multiple AD DS objects.

Tools for Automating AD DS Object Management

Key Points
Windows Server 2008 provides a number of tools that you can use to create or
modify multiple user accounts automatically in Active Directory. Some of these
tools require that you use a text file that contains information about the user
accounts that you want to create. You also can create Windows PowerShell scripts
to add objects or make changes to objects in Active Directory.

Configuring AD DS Objects Using Command-Line Tools

Key Points
Use these command-line tools to configure AD DS objects.

Managing User Objects with LDIFDE

Key Points
You can use the Ldifde command-line tool to create and make changes to multiple
accounts. When you use the Ldifde tool, you will use a line-separated text file to
provide the command’s input information.

Additional Reading
• Microsoft Technet article: LDIFDE

Managing User Objects with CSVDE

Key Points
You can use the Csvde command-line tool to create multiple accounts in Active
Directory. You only can use the Csvde tool to create accounts, not to change them.
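The input files that Ldifde and Csvde consume are the part that needs care, and the course pages do not show one. The Python below is an added example, not course material or Microsoft's code: it builds an LDIFDE file that adds the two accounts named in the Lab A scenario (Kerim Hanif and Jun Cao, placed in a constructed OU=ITAdmins container), an LDIF modify record for an existing account (the operation Csvde cannot do), and the equivalent CSVDE input. Accounts are written with userAccountControl 514, a disabled normal account: a default import over plain LDAP cannot set a password, so creating the accounts disabled and enabling each one only after a password has been set avoids leaving enabled, passwordless accounts in the directory.

```python
"""Generating LDIFDE and CSVDE input for bulk account management (added example)."""
import base64
import csv
import io
from typing import Dict, List

# Constructed sample using the Lab A scenario names; the OU and UPN suffix are hypothetical.
TARGET_OU = "OU=ITAdmins,DC=woodgrovebank,DC=com"
UPN_SUFFIX = "woodgrovebank.com"
NEW_USERS: List[Dict[str, str]] = [
    {"given": "Kerim", "sn": "Hanif", "sam": "Kerim"},
    {"given": "Jun", "sn": "Cao", "sam": "Jun"},
]
# 0x200 NORMAL_ACCOUNT | 0x2 ACCOUNTDISABLE: import disabled, enable once a password is set.
DISABLED_NORMAL_ACCOUNT = 514


def ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line. RFC 2849 requires base64 ('attr:: value') for
    values that are not SAFE-STRING: non-ASCII, control characters, or a
    leading space, colon or '<'."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def ldif_value(line: str) -> str:
    """Inverse of ldif_line: recover the value from an LDIF attribute line."""
    _attr, _, rest = line.partition(":")
    if rest.startswith(": "):            # 'attr:: base64'
        return base64.b64decode(rest[2:]).decode("utf-8")
    return rest[1:]                       # 'attr: value'


def user_dn(user: Dict[str, str], ou_dn: str) -> str:
    return f"CN={user['given']} {user['sn']},{ou_dn}"


def build_ldif_add(users: List[Dict[str, str]], ou_dn: str) -> str:
    """LDIF 'add' records, one blank-line-separated block per object."""
    blocks = []
    for user in users:
        lines = [
            ldif_line("dn", user_dn(user, ou_dn)),
            "changetype: add",
            "objectClass: user",
            ldif_line("sAMAccountName", user["sam"]),
            ldif_line("userPrincipalName", f"{user['sam']}@{UPN_SUFFIX}"),
            ldif_line("givenName", user["given"]),
            ldif_line("sn", user["sn"]),
            ldif_line("displayName", f"{user['given']} {user['sn']}"),
            f"userAccountControl: {DISABLED_NORMAL_ACCOUNT}",
        ]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def build_ldif_modify(dn: str, attr: str, value: str) -> str:
    """LDIF 'modify' record replacing one attribute; the '-' closes the change."""
    return "\n".join([ldif_line("dn", dn), "changetype: modify",
                      f"replace: {attr}", ldif_line(attr, value), "-"]) + "\n"


CSV_COLUMNS = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
               "givenName", "sn", "displayName", "userAccountControl"]


def build_csv_add(users: List[Dict[str, str]], ou_dn: str) -> str:
    """CSVDE input: a header row of attribute names, then one row per object.
    DNs contain commas, so the csv module's quoting keeps each DN in one field."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(CSV_COLUMNS)
    for user in users:
        writer.writerow([user_dn(user, ou_dn), "user", user["sam"],
                         f"{user['sam']}@{UPN_SUFFIX}", user["given"], user["sn"],
                         f"{user['given']} {user['sn']}", DISABLED_NORMAL_ACCOUNT])
    return buf.getvalue()


if __name__ == "__main__":
    print(build_ldif_add(NEW_USERS, TARGET_OU))
    print(build_ldif_modify(f"CN=Dana Birkby,{TARGET_OU}", "department", "IT"))
    print(build_csv_add(NEW_USERS, TARGET_OU))
```

The base64 rule is the detail most often skipped in hand-written LDIF: a surname with an accented character written as a plain `sn:` line is rejected or stored corrupted, so the encoder here applies RFC 2849's safe-string test to every value rather than relying on the author to remember which names need it.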

Additional Reading
• Microsoft Technet article: CSVDE

What Is Windows PowerShell?

Key Points
Windows® PowerShell is an extensible scripting and command-line technology
that developers and administrators can use to automate tasks in a Windows
environment. Windows PowerShell uses a set of small commands that each
perform a specific task, but you also can combine multiple commands to perform
complex administrative tasks.

Additional Reading
• Microsoft Support: Windows PowerShell 1.0 Documentation Pack

Windows PowerShell Cmdlets

Key Points
Windows PowerShell is easy to learn because of its use of cmdlets. Pipelining is
consistent across all cmdlets.

Additional Reading
• Windows PowerShell 1.0 Documentation Pack

Demonstration: Configuring Active Directory Objects Using Windows PowerShell

Questions: What are the advantages and disadvantages of modifying Active
Directory objects by using Windows PowerShell scripts? How can you address the
disadvantages?

Additional Reading
• Windows PowerShell Blog
• Microsoft Technet article: Scripting with Windows PowerShell

Lab A: Configuring Active Directory Objects

Scenario:
Woodgrove Bank has several requirements for managing AD DS objects. The
organization frequently hires interns who must have limited permissions and
whose accounts must be set to expire automatically when the internship is
complete. User accounts also must be configured with a standard configuration
that includes settings such as user profile settings and mapped drives for home
folders. The organization also requires AD DS groups that will be used to assign
permissions to a variety of network resources. As much as possible, the
organization would like to automate the user and group management tasks.

Exercise 1: Configuring AD DS User Accounts


In this exercise, you will install the AD DS management tools on a Windows Vista
computer. Then you will use these tools to configure several AD DS objects based
on information that the HR department provides. These tasks include creating
new user accounts and modifying existing user accounts.
The HR department has requested the following changes in AD DS:
• Create new user accounts for Kerim Hanif and Jun Cao. Both user accounts
should be created in the ITAdmins OU.
• Modify the user account for Dana Birkby.

The main tasks are as follows:


1. Start the 6425A-NYC-DC1 virtual machine and log on as Administrator.
2. Start the 6425A-NYC-CL1 virtual machine and log on as Administrator.
3. Install the Windows Server 2008 management tools on the NYC-CL1
computer.
4. Create new user accounts.
5. Modify existing user accounts.

Task 1: Start the 6425A-NYC-DC1 virtual machine and log on as Administrator
• Start 6425A-NYC-DC1 and then log on as Administrator using the password
Pa$$w0rd.

Task 2: Start the 6425A-NYC-CL1 virtual machine and then log on as Administrator
• Start 6425A-NYC-CL1 and then log on as Administrator using the password
Pa$$w0rd.


Task 3: Install the Windows Server 2008 management tools on the NYC-CL1 computer
• Follow the steps in the Windows Server 2008 management tools installation
guide.

Task 4: Create new user accounts


1. On NYC-DC1, open Active Directory Users and Computers.
2. In the ITAdmins OU, create a new user with the following parameters:
• First name: Kerim
• Last name: Hanif
• Full name: Kerim Hanif
• User logon name: Kerim
• Password: Pa$$w0rd
• Clear the User must change password at next logon check box
3. On NYC-DC1, use the Dsadd command-line tool to create a new user account
for Jun Cao. The syntax for the Dsadd command is:

dsadd user "cn=username,ou=ouname,dc=domainname,dc=com" -samid logonname -pwd password -desc description


Task 5: Modify existing user accounts


1. On NYC-DC1, create a new folder on the D drive named HomeDirs. Share the
folder and configure Domain Users with Contributor permissions.
2. In the HomeDirs folder, create a new folder named Marketing.
3. In Active Directory Users and Computers, locate Dana Birkby’s account and
modify the user properties as follows:
a. On the General tab, set:
• Telephone number: 555-555-0100
• Office: Head Office
• E-mail: Dana@WoodgroveBank.com
b. On the Dial-in tab, set:
• Network Access Permission: Allow access
c. On the Account tab, set:
• Logon Hours: Configure logon hours to be permitted between 8:00
A.M. and 5:00 P.M., and then click OK.
d. On the Profile tab, set:
• Home folder: Map H drive to:
\\NYC-DC1\HomeDirs\Marketing\%username%
4. In Windows Explorer, browse to D:\HomeDirs\Marketing. Ensure that a
folder named Dana was created in the folder. When you set a home folder path
on the Profile tab, Active Directory Users and Computers expands %username%
to the user logon name, creates the folder, and grants the user Full Control of it.
5. On NYC-CL1, log off and then log on as Dana using a password of Pa$$w0rd.
Confirm that the H: drive has been mapped correctly and that Dana has
permission to create files in her home folder.

Result: At the end of this exercise, you will have created new user accounts and
modified an existing user account.


Exercise 2: Implementing an AD DS Group Strategy


In this exercise, you will review the requirements for creating groups at
Woodgrove Bank. You then will create the required groups and configure group
nesting.
The main tasks are as follows:
1. Start the 6425A-LON-DC1 virtual machine and log on as Administrator.
2. Review the group requirements documentation and create a group
implementation strategy.
3. Discuss the group implementation strategy.
4. Create groups required by the group implementation strategy.
5. Nest groups required by the group implementation strategy.
6. Shut down 6425A-LON-DC1 and delete all changes.

Task 1: Start the 6425A-LON-DC1 virtual machine and log on as Administrator
• Start 6425A-LON-DC1 and log on as Administrator using the password
Pa$$w0rd.


Task 2: Review the group requirements documentation and create a group implementation strategy
Woodgrove Bank needs to configure access to shared folders for the organization’s
executives. The organization has implemented a shared folder on NYC-DC1 named
ExecData. The following table lists the folders in the ExecData folder and their
purposes:
Folder                        Contents
ExecData                      The top-level shared folder. Contains the
                              HeadOfficeReports, BranchReports, and Corp
                              subfolders.
ExecData\HeadOfficeReports    Contains confidential information related to head
                              office operations and personnel. Executives in the
                              head office and the NYC branch offices should be
                              able to read and write information in this folder.
ExecData\BranchReports        Contains confidential information related to branch
                              office operations and personnel. A separate folder
                              has been created for each branch office. Executives
                              from the head office should have read access to all
                              of the branch office folders. Branch office
                              managers should have full access only to their
                              branch’s folder.
ExecData\Corp                 Contains information that relates to Woodgrove
                              Bank operations. All executives and branch office
                              managers should have full control of this folder’s
                              files.

The Woodgrove Bank executive team is distributed as follows:


• Executives may be based in any location. Executives are based in North
America, Europe, and Asia.
• Each branch has one or more branch managers. Branches are located in
Miami, New York, Toronto, London, and Tokyo.


The AD DS planning group has established the following naming scheme for AD
DS groups:
• Three-character location code: NYC, TOR, MIA, LON, and TOK
• For groups that contain accounts from multiple domains, use the location
code WGB
• For groups that do not have a specific location, include the domain name in
the group name
• For account groups, use the department name: BranchManagers, Executives
This is followed by the group type: GG, UG
• For resource groups, use the resource name: EX_HOReports,
EX_LON_BranchReports, EX_Corp. This is followed by the level of access –
FC, RO.

1. Determine which global groups you need to create:


• Determine the logical groupings of the organization’s users. Do not be
concerned with the permissions that users require, just the groups of
users.
• Document a group name for each group of users. Record your decisions in
the Global Group Planning table below.
2. Determine which domain local groups you need to create:
• Determine which permissions are required on each resource. Do not be
concerned with who requires the permission, just the permission itself.
• Document a group name for each type of permission. Record your
decisions in the Local Group Planning table below.
3. Determine which groups you need to nest. Document the group nesting
configuration in the Group Nesting Planning table below.
4. Determine how you would configure share-level permissions for the ExecData
folder.


Global Group Planning Table


Organizational Group                      Group Name

Local Group Planning Table


Resource                                  Access Requirement        Group Names
ExecData\HeadOfficeReports
ExecData\BranchReports\NYC
ExecData\BranchReports\Toronto
ExecData\BranchReports\Miami
ExecData\BranchReports\London
ExecData\BranchReports\Tokyo
ExecData\Corp


Group Nesting Planning Table


Domain local group name                   Nested groups

Task 3: Discuss the group implementation strategy

Task 4: Create groups required by the group implementation strategy

Note: To simplify the implementation process, some of the required groups may
already have been created. In addition, you configure the required groups for only
the WoodgroveBank.com and EMEA.WoodgroveBank.com domains.

1. On NYC-DC1, in Active Directory Users and Computers, verify that all of the
global groups required to assign permission have been created.
2. On LON-DC1, in Active Directory Users and Computers, verify that all of the
global groups required to assign permission have been created.
3. On NYC-DC1, create the required universal groups based on the group
implementation strategy. Create the universal groups in the Executives OU.
4. Create the required domain local groups based on the group implementation
strategy.


Task 5: Nest groups required by the group implementation strategy
• On NYC-DC1, nest the groups required to meet the group implementation
strategy.
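The group strategy that Tasks 4 and 5 implement in the console follows the AGDLP pattern: accounts in global groups, global groups nested in domain local groups, and only the domain local groups placed on the folder ACL. The following PowerShell script is an added example, not one of the course lab files, that builds that structure for the Toronto branch folder with ADSI, which is available on Windows Server 2008 without additional modules. The Executives OU, the group names (which follow the lab naming scheme), the D:\ExecData folder paths, and the use of $env:USERDOMAIN for the NetBIOS domain name are assumptions.

```powershell
# Added example (not one of the course lab files): implement AGDLP for the
# ExecData folders with ADSI on Windows Server 2008 / PowerShell 1.0.
# Assumptions: groups live in the Executives OU, the folders are under
# D:\ExecData on this server, and $env:USERDOMAIN is the NetBIOS domain name.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.psbase.Properties['defaultNamingContext'].Value
$ou       = [ADSI]"LDAP://OU=Executives,$domainDn"

# groupType is a bit mask stored as a signed Int32:
# 0x80000000 = security-enabled; 0x2 = global, 0x4 = domain local, 0x8 = universal
$GROUP_GLOBAL_SECURITY      = -2147483646   # 0x80000002
$GROUP_DOMAINLOCAL_SECURITY = -2147483644   # 0x80000004
$GROUP_UNIVERSAL_SECURITY   = -2147483640   # 0x80000008

function Get-Dn($entry) { [string]$entry.psbase.Properties['distinguishedName'].Value }

function New-AdsiGroup($container, [string]$name, [int]$groupType) {
    # Idempotent: return the existing group if it is already present.
    $dn = "CN=$name,$(Get-Dn $container)"
    if ([ADSI]::Exists("LDAP://$dn")) { return [ADSI]"LDAP://$dn" }
    $group = $container.Create('group', "CN=$name")
    $group.Put('sAMAccountName', $name)
    $group.Put('groupType', $groupType)
    $group.SetInfo()
    return $group
}

function Add-GroupMember($group, $member) {
    # IADsGroup::Add and IsMember take the member's ADsPath (LDAP://CN=...).
    $path = $member.psbase.Path
    if (-not $group.psbase.Invoke('IsMember', $path)) { $group.psbase.Invoke('Add', $path) }
}

function Get-GroupMemberNames($group) {
    # IADsGroup::Members returns the direct members as COM objects.
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
}

# A: accounts are collected in global groups, one per logical set of users.
$nycExecs    = New-AdsiGroup $ou 'NYC_ExecutivesGG'     $GROUP_GLOBAL_SECURITY
$torManagers = New-AdsiGroup $ou 'TOR_BranchManagersGG' $GROUP_GLOBAL_SECURITY

# U: executives from every domain roll up into one universal group; the EMEA
# global group is added the same way once its domain controller is reachable.
$wgbExecs    = New-AdsiGroup $ou 'WGB_ExecutivesUG'     $GROUP_UNIVERSAL_SECURITY
Add-GroupMember $wgbExecs $nycExecs

# DL: one domain local group per resource and access level.
$hoReportsFC = New-AdsiGroup $ou 'EX_HOReports_FC'          $GROUP_DOMAINLOCAL_SECURITY
$torBranchFC = New-AdsiGroup $ou 'EX_TOR_BranchReports_FC' $GROUP_DOMAINLOCAL_SECURITY
$torBranchRO = New-AdsiGroup $ou 'EX_TOR_BranchReports_RO' $GROUP_DOMAINLOCAL_SECURITY
$corpFC      = New-AdsiGroup $ou 'EX_Corp_FC'               $GROUP_DOMAINLOCAL_SECURITY

# Nesting: G (or U) -> DL, following the access requirements table.
Add-GroupMember $hoReportsFC $nycExecs      # head office executives write HO reports
Add-GroupMember $torBranchRO $nycExecs      # head office executives read branch folders
Add-GroupMember $torBranchFC $torManagers   # only Toronto managers get full control
Add-GroupMember $corpFC      $wgbExecs      # all executives ...
Add-GroupMember $corpFC      $torManagers   # ... and every branch's managers

# P: only the domain local groups appear on the folder ACLs.
function Grant-FolderAccess([string]$path, [string]$account, [string]$rights) {
    $acl  = Get-Acl $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $account, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl $path $acl
}

Grant-FolderAccess 'D:\ExecData\HeadOfficeReports'     "$env:USERDOMAIN\EX_HOReports_FC"          'FullControl'
Grant-FolderAccess 'D:\ExecData\BranchReports\Toronto' "$env:USERDOMAIN\EX_TOR_BranchReports_RO" 'ReadAndExecute'
Grant-FolderAccess 'D:\ExecData\BranchReports\Toronto' "$env:USERDOMAIN\EX_TOR_BranchReports_FC" 'FullControl'
Grant-FolderAccess 'D:\ExecData\Corp'                  "$env:USERDOMAIN\EX_Corp_FC"               'FullControl'

# Check the nesting, as Task 5 asks you to do in the console.
Write-Host 'Direct members of EX_TOR_BranchReports_FC:'
Get-GroupMemberNames $torBranchFC | ForEach-Object { Write-Host "  $_" }
```

Run it on NYC-DC1 as a domain administrator. Domain local groups can contain global and universal groups from any domain in the forest, which is why the resource side of the pattern is domain local even when the account side spans WoodgroveBank.com and EMEA.WoodgroveBank.com. The share-level permission on ExecData (step 4 of Task 2) can then be left open to Authenticated Users, with the NTFS ACLs set above doing the actual restriction, or granted to the same domain local groups.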

Task 6: Shut down 6425A-LON-DC1 and delete all changes


• In the Virtual Server Administration Web site, shut down 6425A-LON-DC1
and discard the undo disk.

Result: At the end of this exercise, you will have implemented a group
implementation strategy.


Exercise 3: Automating the Management of AD DS Objects


In this exercise, you will use the Windows Server 2008 tools to automate the AD
DS object management tasks. These tools include CSVDE to create new user
accounts, LDIFDE to modify existing user accounts, and Windows PowerShell to
create and configure user accounts. You will modify files or scripts that the
enterprise administrator provides to perform the bulk administration tasks.
Woodgrove Bank is opening a new Houston branch. The HR department has
provided you with a file that includes all of the new users that are being hired for
the Houston location. You need to import the user accounts into Active Directory.
You also need to activate and assign passwords to all of the accounts.
You also need to modify the user properties for the Houston users by updating the
city information.
Woodgrove Bank also is planning on starting a Research and Development
department in the NYC location. You need to create a new OU for the research and
development (R&D) department in the Woodgrove Bank domain, and import and
configure new user accounts into AD DS.
The main tasks are as follows:
1. Modify and use the Importusers.csv file to import a group of users into AD DS.
2. Modify and run the ActivateUser.vbs script to enable the imported user
accounts and assign a password to each account.
3. Modify and use the Modifyusers.ldf file to prepare for modifying the properties
for a group of users into AD DS.
4. Modify and run the CreateUsers.ps1 script to add new users to AD DS.


Task 1: Modify and use the Importusers.csv file to import a group of users into AD DS
1. On NYC-DC1, browse to D:\Mod03\6425\Labfiles and open
ImportUsers.csv with Notepad. Examine the header information required to
create OUs and user accounts.
2. Copy and paste the contents of the Users.txt file into the ImportUsers.csv file,
starting with the second line. Save the file as C:\import.csv.
3. At the command prompt, type csvde -i -f C:\import.csv and then press
ENTER. CSVDE cannot set passwords, so the imported user accounts are
created disabled; you enable them and assign passwords in the next task.
4. In Active Directory Users and Computers, verify that the Houston OU and
five child OUs were created, and that several user accounts were created in
each OU.

Task 2: Modify and run the ActivateUser.vbs script to enable the imported user accounts and assign a password to each account
1. On NYC-DC1, in D:\Mod03\6425\Labfiles, edit Activateusers.vbs.
2. Modify the container value in the second line to:
OU=BranchManagers,OU=Houston,DC=WoodgroveBank,DC=com.
3. Modify the container values in the additional lines at the end of the script to
include the following OUs, and then save the file:
• OU=CustomerService,OU=Houston,DC=WoodgroveBank,DC=com
• OU=Executives,OU=Houston,DC=WoodgroveBank,DC=com
• OU=Investments,OU=Houston,DC=WoodgroveBank,DC=com
• OU=ITAdmins,OU=Houston,DC=WoodgroveBank,DC=com

4. Double-click Activateusers.vbs.
5. In Active Directory Users and Computers, browse to the Houston OU.
Confirm that user accounts in all child OUs are activated.


Task 3: Modify and use the Modifyusers.ldf file to prepare to modify the properties for a group of users in AD DS
1. On NYC-DC1, export all of the user accounts in the Houston child OUs by
using the following command:

ldifde -f C:\Modifyusers.ldf -d "OU=Houston,DC=WoodgroveBank,DC=com" -r "(objectClass=user)" -l physicalDeliveryOfficeName

2. Edit the C:\Modifyusers.ldf file.
3. On the Edit menu, use the Replace option to replace all instances of
changetype: add with changetype: modify.
4. After each changetype line, add the following lines:
replace: physicalDeliveryOfficeName
physicalDeliveryOfficeName: Houston
5. At the end of the entry for each user, add a dash (-) followed by a blank line.
6. Save the file as C:\ldifimport.ldf.
7. At the command prompt, type ldifde -i -f C:\ldifimport.ldf and then press
ENTER.
8. In Active Directory Users and Computers, verify that the Office attribute for
the user accounts in Houston has been updated with the Houston location.
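Steps 3 to 5 above edit the exported LDIF by hand. The following PowerShell script is an added example, not one of the course lab files, that performs the same conversion for any number of records: it keeps each dn line, rewrites the record as a changetype: modify that replaces one attribute, and appends the dash that terminates every modify record. The sample records are constructed here to show the two cases the manual edit gets wrong most often: a user that already has an old value in the exported attribute, and a long DN that ldifde has folded onto a continuation line.

```powershell
# Added example (not one of the course lab files): convert the "changetype: add"
# records that ldifde -d/-r/-l exports into "changetype: modify" records that
# replace a single attribute, as steps 3 to 5 of Task 3 do by hand.

function Convert-LdifAddToModify([string[]]$lines, [string]$attribute, [string]$value) {
    $output = @()
    $record = @()
    # LDIF records are separated by a blank line; the extra '' appended to the
    # input flushes the last record even when the file has no trailing blank.
    foreach ($line in ($lines + '')) {
        if ($line -ne '') { $record += $line; continue }
        if ($record.Count -gt 0 -and $record[0] -match '^dn::? ') {
            # Keep the dn line plus any folded continuation lines (leading
            # space). Drop the exported attribute values: leaving the old
            # "physicalDeliveryOfficeName: X" line inside a replace would give a
            # single-valued attribute two values and make ldifde reject the entry.
            $i = 0
            do { $output += $record[$i]; $i++ } while ($i -lt $record.Count -and $record[$i].StartsWith(' '))
            $output += 'changetype: modify'
            $output += "replace: $attribute"
            $output += "${attribute}: $value"
            $output += '-'      # terminates the change list; required by ldifde
            $output += ''
        }
        $record = @()
    }
    return $output
}

# Constructed sample of what step 1 exports: one user with an old office value
# and one whose DN ldifde folded onto a second line.
$exported = @(
    'dn: CN=Alice Ciccu,OU=Executives,OU=Houston,DC=WoodgroveBank,DC=com',
    'changetype: add',
    'physicalDeliveryOfficeName: Temporary',
    '',
    'dn: CN=Bob Kelly,OU=CustomerService,OU=Houston,DC=WoodgroveBan',
    ' k,DC=com',
    'changetype: add',
    ''
)

$modify = Convert-LdifAddToModify $exported 'physicalDeliveryOfficeName' 'Houston'
$modify | ForEach-Object { Write-Host $_ }

# For the real lab file, feed in the export and write the import file:
#   Convert-LdifAddToModify (Get-Content C:\Modifyusers.ldf) 'physicalDeliveryOfficeName' 'Houston' |
#       Set-Content C:\ldifimport.ldf -Encoding ASCII
#   ldifde -i -f C:\ldifimport.ldf
```

One caveat on the export filter in step 1: in the AD DS schema the computer class is a subclass of user, so "(objectClass=user)" also returns computer objects. The Houston OUs contain only the users you just imported, so it is harmless here, but for an OU that holds workstations use "(&(objectCategory=person)(objectClass=user))" instead.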


Task 4: Modify and run the CreateMultipleUsers.ps1 script to add new users to AD DS
1. On NYC-DC1, in D:\6425\Labfiles\Mod03, edit CreateMultipleUsers.ps1.
2. In two places, change ADOUName to R&D.
3. Change Path to CSV file to C:\6425\Mod03\Labfiles\Createusers.csv.
Save the changes to the file.
4. Start Windows PowerShell, and at the PS prompt, type
C:\6425\Labfiles\Mod03\Createusers.ps1 and press ENTER.
5. In Active Directory Users and Computers, verify that the R&D OU was
created and that the OU has been populated with user accounts that have the
correct attributes.
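The lab script you just ran is provided by the course; the script below is an added example of the same kind of automation, written here rather than taken from the lab files. It creates the OU if it is missing, creates one user per CSV row with ADSI, sets the password, clears the disabled flag that every newly created account starts with (the work that Task 2's ActivateUser.vbs did for the CSVDE import), and sets an account expiry date where the row has one, which covers the interns in the lab scenario. The CSV column names, the R&D OU name, the initial password and the constructed sample rows are assumptions for this example.

```powershell
# Added example (not the course's CreateMultipleUsers.ps1): create an OU and
# populate it with users from a CSV file using ADSI, then set each password,
# enable the account and, where the row has an expiry date, set it.
# Assumptions: the column names below, the R&D OU and the initial password.

$rootDse    = [ADSI]"LDAP://RootDSE"
$domainDn   = [string]$rootDse.psbase.Properties['defaultNamingContext'].Value
$parts      = $domainDn.Split(',') | ForEach-Object { $_ -replace '^DC=', '' }
$domainFqdn = [string]::Join('.', $parts)      # DC=WoodgroveBank,DC=com -> WoodgroveBank.com

$ouName      = 'R&D'
$initialPass = 'Pa$$w0rd'
$ADS_UF_ACCOUNTDISABLE = 0x2                   # userAccountControl flag

# Constructed sample input in the shape this script expects; the lab's
# Createusers.csv holds the real data. 'expires' is blank for permanent staff.
$csvPath = Join-Path $env:TEMP 'createusers-sample.csv'
@'
sAMAccountName,givenName,sn,displayName,department,expires
mrivera,Maria,Rivera,Maria Rivera,R&D,
tnilsson,Tomas,Nilsson,Tomas Nilsson,R&D,2008-08-31
'@ | Set-Content $csvPath

function New-OuIfMissing([string]$domainDn, [string]$name) {
    $dn = "OU=$name,$domainDn"
    if ([ADSI]::Exists("LDAP://$dn")) { return [ADSI]"LDAP://$dn" }
    $domain = [ADSI]"LDAP://$domainDn"
    $ou = $domain.Create('organizationalUnit', "OU=$name")
    $ou.SetInfo()
    return $ou
}

function New-AdsiUser($ou, $row, [string]$domainFqdn, [string]$password) {
    $user = $ou.Create('user', "CN=$($row.displayName)")
    $user.Put('sAMAccountName',    $row.sAMAccountName)
    $user.Put('userPrincipalName', "$($row.sAMAccountName)@$domainFqdn")
    $user.Put('givenName',         $row.givenName)
    $user.Put('sn',                $row.sn)
    $user.Put('displayName',       $row.displayName)
    $user.Put('department',        $row.department)
    $user.SetInfo()       # the object must exist before a password can be set

    # IADsUser::SetPassword needs a signed/sealed or SSL LDAP session, which a
    # domain controller talking to itself has.
    $user.psbase.Invoke('SetPassword', $password)

    # New accounts are created disabled; clear ACCOUNTDISABLE to activate.
    $user.psbase.RefreshCache()
    $uac = [int]$user.psbase.Properties['userAccountControl'].Value
    $user.Put('userAccountControl', $uac -band (-bnot $ADS_UF_ACCOUNTDISABLE))
    $user.Put('pwdLastSet', 0)    # 0 = must change password at next logon; -1 clears it

    if ($row.expires) {
        # accountExpires is a FILETIME; AccountExpirationDate does the conversion.
        $user.psbase.InvokeSet('AccountExpirationDate', [datetime]$row.expires)
    }
    $user.SetInfo()
    return $user
}

$ou = New-OuIfMissing $domainDn $ouName
foreach ($row in (Import-Csv $csvPath)) {
    $u = New-AdsiUser $ou $row $domainFqdn $initialPass
    Write-Host "Created $([string]$u.psbase.Properties['distinguishedName'].Value)"
}
```

Two things the console does for you that a script does not: ADSI does not create a home folder when you set homeDirectory and homeDrive, so a script that sets them (as Lab A, Exercise 1, Task 5 does in the console) must also create the folder and grant the user access to it; and an account expiry set this way applies at the start of the given date, so check the Account tab of one created user before importing hundreds.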

Result: At the end of this exercise, you will have examined several options for
automating the management of user objects.


Lesson 4:
Delegating Administrative Access to AD DS
Objects

Many of the AD DS administration tasks are quite easy to perform, but can be quite
repetitive. One of the options available in Windows Server 2008 AD DS is to
delegate some of those administrative tasks to other administrators or users. By
delegating control, you can enable these users to perform specific AD DS
management tasks without granting them more permissions than they need.


Active Directory Object Permissions

Key Points
Active Directory object permissions secure resources by enabling you to control
which administrators or users can access individual objects or object attributes,
and the type of access they have. You use permissions to assign administrative
privileges for an organizational unit or a hierarchy of organizational units to
manage Active Directory objects.

Questions: What are the risks of using special permissions to assign AD DS
permissions?

What permissions would a user have on an object if you granted the user Full
Control permission and also denied the user Write access?


Additional Reading
• Microsoft Technet article: Access control in Active Directory
• Microsoft Technet article: Assign, change, or remove permissions on Active
Directory objects or attributes


Demonstration: Active Directory Domain Services Object


Permission Inheritance

Questions: What would happen to an object’s permissions if you moved the object
from one OU to another if the OUs had different permissions applied?

What would happen if you removed all permissions from an OU when you
blocked inheritance and did not assign any new permissions?

Additional Reading
• Microsoft Technet article: Assign, change, or remove permissions on Active
Directory objects or attributes


What Are Effective Permissions?

Key Points
You can use the Effective Permissions tool to determine the permissions for an
Active Directory object. This tool calculates the permissions that are granted to the
specified user or group, and takes into account the permissions that are in effect
from group memberships and any permissions inherited from parent objects.

Additional Reading
• Microsoft Technet article: Effective Permissions tool


What Is Delegation of Control?

Key Points
Delegation of control is the ability to assign management responsibility for Active
Directory objects to another user or group.
Delegated administration helps to ease the administrative burden of managing
your network by distributing routine administrative tasks to multiple users. With
delegated administration, you can assign basic administrative tasks to regular users
or groups. For example, you could give supervisors the right to modify group
memberships in their department.
By delegating administration, you give groups in your organization more control of
their local network resources. You also help secure your network from accidental
or malicious damage by limiting the membership of administrator groups.


Discussion: Scenarios for Delegating Control

Answer the questions on the slide as a class.


Demonstration: Configuring Delegation of Control


Lesson 5:
Configuring AD DS Trusts

Many organizations that deploy AD DS will deploy only one domain. However,
larger organizations, or organizations that need to enable access to resources in
other organizations or business units, may deploy several domains, in the same AD
DS forest or a separate forest. For users to access resources between the domains,
you must configure the domains or forests with trusts. This lesson describes how
to configure and manage trusts in an AD DS environment.


What Are AD DS Trusts?

Key Points
Trusts allow authentication requests to be passed from one domain to another,
and are necessary to allow resource access between domains. When you
configure a trust between domains, a user is authenticated in his or her own
domain, and the resulting security credentials can then be used to access
resources in the other domain.


AD DS Trust Options

Key Points
The table on the slide describes the trusts options supported by Windows
Server 2008.

Questions: If you were going to configure a trust between a Windows Server 2008
domain and a Windows NT 4.0 domain, what type of trust would you need to
configure?

If you need to share resources between domains, but do not want to configure a
trust, how could you provide access to the shared resources?

A user located in a different domain in your forest needs permission to create
GPOs in your domain. What is the best way to accomplish this?

Additional Reading
• Active Directory Domains and Trusts Help: Managing Trusts


How Trusts Work Within a Forest

Key Points
When you set up trusts between domains within the same forest, across forests, or
with an external realm, information about these trusts is stored in Active Directory
so you can retrieve it when necessary. A trusted domain object (TDO) stores this
information. The TDO stores information about the trust, such as the trust
transitivity and type. Whenever you create a trust, a new TDO is created and stored
in the System container in the trust’s domain.

Additional Reading
• Active Directory Domains and Trusts Help: Managing Trusts


How Trusts Work Between Forests

Key Points
Windows Server 2008 supports cross-forest trusts, which allow users in one forest
to access resources in another forest. When a user attempts to access a resource in
a trusted forest, Active Directory must first locate the resource. After the resource is
located, the user can be authenticated and allowed to access the resource.

Additional Reading
• Microsoft Technet article: How Domains and Forests Work


Demonstration: Configuring Trusts

Questions: What is the difference between a shortcut trust and an external trust?
When you set up a forest trust, what information will need to be available in DNS
in order for the forest trust to work?

Additional Reading
• Active Directory Domains and Trusts Help: Create a shortcut trust, Create an
external trust, Create a forest trust


What Are User Principal Names?

Key Points
A user principal name (UPN) is an Internet-style logon name that a user can use to
log on to a Windows domain. There are two parts to a user principal name,
which are separated by the @ sign—for example, suzan@WoodgroveBank.com:
• The user principal name prefix, which in this example is suzan.
• The user principal name suffix, which in this example is WoodgroveBank.com.
By default, the suffix is the name of the domain in which the user account was
created. You can use the names of the other domains in the forest, or additional
suffixes that you define in Active Directory Domains and Trusts, as the suffix for
a user. For example, you may want to configure a suffix to create user logon
names that match users’ e-mail addresses.

Additional Reading
• Microsoft Technet article: Active Directory naming


What Are the Selective Authentication Settings?

Key Points
Another option for restricting authentication across trusts in a Windows
Server 2008 forest is selective authentication. With selective authentication, users
from the trusted forest can authenticate only to those computers in your forest on
which they have been granted the Allowed to Authenticate permission.

Additional Reading
• Microsoft Technet article: Enable selective authentication over a forest trust
• Microsoft Technet article: Grant the Allowed to Authenticate permission on
computers in the trusting domain or forest


Demonstration: Configuring Advanced Trust Settings

Key Points
Another option for restricting authentication across trusts in a Windows
Server 2008 forest is selective authentication. With selective authentication, users
from the trusted forest can authenticate only to those computers in your forest on
which they have been granted the Allowed to Authenticate permission.

Questions: What would happen if you configured a new UPN suffix in a forest
after a trust had been configured with another forest that had the same UPN
suffix?

In what situations would you implement selective authentication?

Additional Reading
• Microsoft Technet article: Enable selective authentication over a forest trust
• Microsoft Technet article: Grant the Allowed to Authenticate permission on
computers in the trusting domain or forest


Lab B: Configuring Active Directory Delegation

Scenario:
To optimize the use of AD DS administrator time, Woodgrove Bank would like to
delegate some administrative tasks to junior administrators. These administrators
will be granted access to manage user and group accounts in different OUs.

Woodgrove Bank also has established a partner relationship with Fabrikam Ltd.
Some users in each organization must be able to access resources in the other
organization. However, the access between organizations must be limited to as few
users and as few servers as possible.


Exercise 1: Delegating Control of AD DS Objects


In this exercise, you will delegate control of AD DS objects to other
administrators. You also will test the delegated permissions to ensure that
administrators can perform the required actions, but cannot perform other actions.
Woodgrove Bank has decided to delegate administrative tasks for the Toronto
office. In this office, the branch managers must be able to create and manage user
and group accounts. The customer service personnel must be able to reset user
passwords and configure some user information, such as phone numbers and
addresses.
The main tasks are as follows:
1. Assign full control of users and groups in the Toronto OU.
2. Assign rights to reset passwords and configure private user information in the
Toronto OU.
3. Verify the effective permissions assigned for the Toronto OU.
4. Enable Domain Users to log on to domain controllers.
5. Test the delegated permissions for the Toronto OU.

Task 1: Assign full control of users and groups in the Toronto OU
1. On NYC-DC1, run the Delegation of Control Wizard on the Toronto OU.
2. Assign the Create, delete, and manage user accounts task and the Create,
delete, and manage groups task to the Tor_BranchManagersGG group.

Task 2: Assign rights to reset passwords and configure private user information in the Toronto OU
1. On NYC-DC1, run the Delegation of Control Wizard on the Toronto OU.
2. Assign the Reset user passwords and force password change at next logon
task to the Tor_CustomerServiceGG group.
3. Run the Delegation of Control Wizard again. Choose the option to create a
custom task.
4. Assign the Tor_CustomerServiceGG group permission to change personal
information only for user accounts.


Task 3: Verify the effective permissions assigned for the Toronto OU
1. In Active Directory Users and Computers, enable viewing of Advanced
Features.
2. Access the Advanced Security Settings for the Toronto OU.
3. Check the effective permissions for Shay Bashay. Shay is a member of the
Tor_BranchManagersGG group. Verify that Shay has permissions to create and
delete user and group accounts.
4. Access the advanced security settings for Berend Otten, located in the
CustomerService OU in the Toronto OU. Verify that Berend has permissions
to create and delete user and group accounts.
5. Check the effective permissions for Helge Hoening. Helge is a member of the
Tor_CustomerServiceGG group. Verify that Helge has permissions to reset
passwords and permission to write personal attributes.

Task 4: Enable Domain Users to log on to domain controllers

Note: This step is included in the lab to enable you to test the delegated
permissions. As a best practice, you should install the administration tools on a
Windows workstation rather than enable Domain Users to log on to domain
controllers.

1. On NYC-DC1, start Group Policy Management and edit the Default Domain
Controllers Policy.
2. In the Group Policy Management Editor window, access the User Rights
Assignment folder.
3. Double-click Allow log on locally. In the Allow log on locally Properties
dialog box, click Add User or Group.
4. Grant the Domain Users group the Allow log on locally right.
5. Open a command prompt, and type GPUpdate /force and press ENTER.


Task 5: Test the delegated permissions for the Toronto OU


1. Log on to NYC-DC1 as Shay with the password of Pa$$w0rd.
2. Start Active Directory Users and Computers, and verify that Shay can create a
new user in the Toronto organizational unit.
3. Verify that Shay can create a new group in the Toronto OU.
4. Verify that Shay cannot create a user in the ITAdmins OU.
5. Log off NYC-DC1 and log on as Helge with a password of Pa$$w0rd.
6. In Active Directory Users and Computers, verify that Helge does not have
permissions to create any new objects in the Toronto OU.
7. Verify that Helge can reset user passwords and configure user properties, such
as the office and telephone number.

Result: At the end of this exercise, you will have delegated the administrative tasks
for the Toronto office.


Exercise 2: Configuring AD DS Trusts


In this exercise, you will configure trusts based on the trust-configuration design
that the enterprise administrator provides. You also will test the trust configuration
to ensure that the trusts are configured correctly.
Woodgrove Bank has initiated a strategic partnership with Fabrikam. Users at
Woodgrove Bank will need to have access to several file shares and applications
running on several servers at Fabrikam. Users from Fabrikam should be able to
access shares only on the Woodgrove Bank computers that are explicitly
configured to allow them to authenticate.
The main tasks are as follows:
1. Start the 6425A-VAN-DC1 virtual machine and log on as Administrator.
2. Start the 6425A-NYC-SVR1 virtual machine and log on as Administrator.
3. Configure the network and DNS settings to enable the forest trust.
4. Configure a forest trust between WoodgroveBank.com and Fabrikam.com.
5. Configure selective authentication for the forest trust to enable access to only
NYC-DC2 and NYC-CL1.
6. Test the selective authentication.

Task 1: Start the 6425A-VAN-DC1 virtual machine and log on as Administrator
• Start 6425A-VAN-DC1 and log on as Administrator using the password
Pa$$w0rd.


Task 2: Configure the network and DNS settings to enable the forest trust
1. On VAN-DC1, modify the Local Area Network properties to change the IP
address to 10.10.0.110, the Default gateway to 10.10.0.1, and the Preferred
DNS server to 10.10.0.110. Click OK, and close the open dialog boxes.
2. In DNS Manager, add a conditional forwarder to forward all queries for
WoodgroveBank.com to 10.10.0.10.
3. In Active Directory Domains and Trusts, raise the domain and forest
functional levels to Windows Server 2003. A forest trust requires both forests
to be at the Windows Server 2003 forest functional level or higher.
4. On NYC-DC1, in the DNS Manager console, add a conditional forwarder to
forward all queries for Fabrikam.com to 10.10.0.110.
5. Close the DNS Manager console.

Task 3: Configure a forest trust between WoodgroveBank.com and Fabrikam.com
1. On NYC-DC1, start Active Directory Domains and Trusts from the
Administrative Tools folder.
2. Right-click WoodgroveBank.com and then click Properties.
3. Start the New Trust Wizard and configure a forest trust with Fabrikam.com.
4. Configure both sides of the trust. Use Administrator@Fabrikam.com to verify
the trust.
5. Accept the default setting of forest-wide authentication for both forests.
6. Confirm both trusts.


Task 4: Configure selective authentication for the forest trust to enable access to only NYC-DC2 and NYC-CL1
1. In Active Directory Domains and Trusts, modify the incoming trust from
Fabrikam.com to use selective authentication.
2. In Active Directory Users and Computers, access NYC-DC2’s properties. On
the Security tab, grant the MarketingGG group from Fabrikam.com permission
to authenticate to this server.
3. Access NYC-CL1’s properties. On the Security tab, grant the MarketingGG
group from Fabrikam.com permission to authenticate to this server.

Task 5: Test the selective authentication
1. Log on to the NYC-CL1 virtual machine as Adam@fabrikam.com using a
password of Pa$$w0rd. Adam is a member of the MarketingGG group at
Fabrikam. He is able to log on to a computer in the WoodgroveBank.com
domain because of the trust between the two forests and because he has been
allowed to authenticate to NYC-CL1.
2. Try to access the \\NYC-DC2\Netlogon folder. Josh should be able to access
the folder.
3. Try to access the \\NYC-DC1\Netlogon folder. Josh should not be able to
access the folder because the server is not configured for selective
authentication.

Shut down all virtual machines and discard any changes

Result: At the end of this exercise, you will have configured trusts based on a trust
configuration design.


Module Review and Takeaways

Review Questions
1. You are responsible for managing accounts and access to resources for your
group’s members. A user in your group leaves the company, and you expect a
replacement for that employee in a few days. What should you do with the
previous user’s account?
2. You need to create several hundred computer accounts in AD DS so that the
accounts can be pre-configured for an unattended installation. What is the best
way to do this?
3. A user reports that she cannot log on to her computer. The error message
indicates that the trust between the computer and the domain is broken. How
will you fix the problem?
4. You have created a global group called Helpdesk, which contains all the help
desk accounts. You want the help desk personnel to be able to perform any
operation on local desktop computers, including taking ownership of files.
Which is the best built-in group to use?


5. The BranchOffice_Admins group has been granted full control of all user
accounts in the BranchOffice_OU. What permissions would the
BranchOffice_Admins have to a user account that was moved from the
BranchOffice_OU to the HeadOffice_OU?
6. Your organization has a Windows Server 2008 forest environment, but it has
just acquired another organization with a Windows 2000 forest environment
that contains a single domain. Users in both organizations must be able to
access resources in each other’s forest. What type of trust do you create
between the forest root domain of each forest?

Considerations for Configuring Active Directory Objects


Supplement or modify the following best practices for your own work situations:
• Create a naming scheme for AD DS objects before starting the AD DS
deployment. For example, you need to plan how you will create user logon
names and devise your group-naming strategy. It is much easier to plan the
naming strategies early in the AD DS deployment rather than change the
names after deployment.
• Plan your AD DS group strategy before deploying AD DS. When planning the
group strategy, consider the organization’s plans for future growth. Even if the
organization only has a small number of users in a single domain, you may
want to implement an account group/resource group strategy if the
organization has an aggressive growth strategy or is likely to establish key
partnerships that may require forest trusts.
• Look for opportunities to automate AD DS management tasks. It can take
considerable time to create csvde and ldifde files, or to write VBScript or
Windows Powershell scripts. However, once these tools are in place, they can
save a great deal of time.
• Another option for decreasing workload for AD DS administrators is to
delegate tasks. One strategy for determining what tasks to delegate is to
analyze what tasks take the most time for AD DS administrators. If mundane
tasks, such as creating user accounts, resetting passwords, or updating user
information, take a significant amount of time, consider delegating those
specific tasks to other users.


Tools
Use the following tools when configuring AD DS objects and trusts:

Tool | Use for | Where to find it
Server Manager | Accessing the AD DS management tools in a single console. | Click Start, and then point to Administrative Tools. Click Server Manager.
Active Directory Users and Computers | Creating and configuring all AD DS objects. | Click Start, and then point to Administrative Tools. Click Active Directory Users and Computers.
Active Directory Domains and Trusts | Creating and configuring trusts. | Click Start, and then point to Administrative Tools. Click Active Directory Domains and Trusts.
Command line tools (including Csvde and Ldifde) | Creating and configuring AD DS objects. | These are installed by default and are accessible at a command prompt.
Windows PowerShell | Writing scripts that can automate AD DS object management. | Windows PowerShell is available as a download from Microsoft. After installing Windows PowerShell, all cmdlets are accessible through the command shell.


Module 4
Configuring Active Directory® Sites and
Replication
Contents:
Lesson 1: Overview of Active Directory Domain Services Replication 4-3
Lesson 2: Overview of AD DS Sites and Replication 4-13
Lesson 3: Configuring and Monitoring AD DS Replication 4-22
Lab: Configuring Active Directory Sites and Replication 4-31


Module Overview

In a Windows Server® 2008 Active Directory® Domain Services (AD DS)
environment, you can deploy multiple domain controllers in the same domain or
in other domains in the same forest. The AD DS information replicates
automatically between all of the domain controllers. Understanding how AD DS
replication works enables you to manage replication network traffic and ensure the
consistency of AD DS data across your network.


Lesson 1:
Overview of Active Directory Domain Services
Replication

When a user or an administrator performs an update to AD DS, the AD DS
database on one domain controller is updated. That update then replicates to all
other domain controllers in the domain, and in some cases, to all other domain
controllers in the forest. AD DS uses a multimaster replication model, which means
that you can make most changes on any domain controller and the changes will
replicate to all other domain controllers. This lesson describes how AD DS
replication works in Windows Server 2008.


How AD DS Replication Works

Key Points
The slide describes how the different components in AD DS replication work.

Additional Reading
• Active Directory Sites and Services Help: Understanding Sites, Subnets, and
Site Links
• Microsoft Technet article: Replication Model Components
• Microsoft Technet article: How the Active Directory Replication Model Works


How AD DS Replication Works Within a Site

Key Points
Within a single site, a notification from the sending domain controller initiates the
replication process. When a database change is made, the sending computer
notifies a replication partner that changes are available. The replication partner
pulls the changes from the sending domain controller using a remote procedure
call (RPC) connection. After replication is complete, the sending domain controller
waits three seconds and then notifies another replication partner, which also pulls
the changes. By default, a domain controller will wait for 15 seconds after a change
is made and then begin replicating the changes to other domain controllers in the
same site.

Additional Reading
• Active Directory Sites and Services Help: Understanding Sites, Subnets, and
Site Links
• Microsoft Technet article: How the Active Directory Replication Model Works


Resolving Replication Conflicts


Key Points
There are three conflict types:
• Attribute value. This conflict occurs when the same attribute on an object is
modified on two domain controllers at the same time.
• Adding an object or modifying an object on one domain controller at the same
time that the container object for the object is deleted on another domain
controller.
• Adding objects with the same relative distinguished name into the same
container.
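The following is an added example, not code from the course: it models the replication stamp AD DS stores with each attribute and the documented comparison order used to resolve an attribute-value conflict (higher version, then later originating time, then higher originating DSA GUID), and applies the same comparison to the third conflict type, renaming the losing object with a CNF: suffix. The invocation IDs, object GUIDs and timestamps are constructed values.

```python
"""Attribute-value and RDN conflict resolution in AD DS replication.

Added example; not code from the course. Stamp.beats() implements the
documented tie-break order for attribute-value conflicts. place_object()
applies that decision to two objects created with the same RDN in the same
container: the loser is renamed "<rdn>\nCNF:<objectGUID>". All GUIDs and
timestamps are constructed sample values.
"""
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Stamp:
    """Replication metadata stored with every attribute value."""
    version: int                # incremented on every originating write
    originating_time: int       # time of the originating write (constructed, seconds)
    originating_dsa: uuid.UUID  # invocation ID of the DC that made the write

    def beats(self, other: "Stamp") -> bool:
        """True if this stamp wins a conflict against `other`.

        The GUID is compared as an integer in the last step, so every DC
        reaches the same decision without talking to any other DC.
        """
        return ((self.version, self.originating_time, self.originating_dsa.int)
                > (other.version, other.originating_time, other.originating_dsa.int))


def resolve_attribute(local: Stamp, incoming: Stamp) -> str:
    """Decide whether a replicated value replaces the locally stored value."""
    return "apply-incoming" if incoming.beats(local) else "keep-local"


def conflict_rdn(rdn: str, object_guid: uuid.UUID) -> str:
    """Mangled RDN given to the object that loses an RDN conflict.

    The 0x0A (newline) character before CNF: cannot occur in a normal RDN,
    so the renamed object can never collide again.
    """
    return f"{rdn}\nCNF:{object_guid}"


def place_object(container: dict, rdn: str, object_guid: uuid.UUID,
                 stamp: Stamp) -> dict:
    """Apply a replicated object add to `container`, handling an RDN clash.

    `container` maps RDN -> (objectGUID, Stamp of the RDN attribute). A new
    dict is returned; the input is left unchanged.
    """
    result = dict(container)
    if rdn not in result:
        result[rdn] = (object_guid, stamp)
        return result
    local_guid, local_stamp = result[rdn]
    if stamp.beats(local_stamp):
        # The local object loses: it keeps its GUID but gets the CNF name.
        result[conflict_rdn(rdn, local_guid)] = (local_guid, local_stamp)
        result[rdn] = (object_guid, stamp)
    else:
        result[conflict_rdn(rdn, object_guid)] = (object_guid, stamp)
    return result


# Constructed invocation IDs for two domain controllers.
DSA_NYC = uuid.UUID(int=0x1111)
DSA_LON = uuid.UUID(int=0x2222)


def demo() -> dict:
    """Walk through the three tie-break levels and one RDN conflict."""
    results = {}
    # The attribute was written twice on NYC (version 2) but once on LON (version 1).
    results["version"] = resolve_attribute(Stamp(2, 100, DSA_NYC), Stamp(1, 200, DSA_LON))
    # Equal versions: the later originating write wins.
    results["time"] = resolve_attribute(Stamp(2, 100, DSA_NYC), Stamp(2, 150, DSA_LON))
    # Equal versions and times: the higher invocation ID wins.
    results["guid"] = resolve_attribute(Stamp(2, 100, DSA_NYC), Stamp(2, 100, DSA_LON))
    # Two objects named CN=Sales created in the same OU on different DCs.
    nyc_obj, lon_obj = uuid.UUID(int=10), uuid.UUID(int=20)
    container = place_object({}, "CN=Sales", nyc_obj, Stamp(1, 100, DSA_NYC))
    results["rdn"] = place_object(container, "CN=Sales", lon_obj, Stamp(1, 150, DSA_LON))
    return results
```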

Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works


Optimizing Replication

Key Points
During replication, domain controllers use multiple paths for sending and
receiving updates. Although using multiple paths provides both fault tolerance and
improved performance, it can result in updates being replicated to the same
domain controller more than once along different replication paths. To prevent
these repeated replications, AD DS replication uses propagation dampening.
Propagation dampening is the process of reducing the amount of unnecessary data
from traveling from one domain controller to another.
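The following is an added simulation, not code from the course, of the mechanism behind propagation dampening: each domain controller keeps an up-to-dateness (UTD) vector of the highest originating USN it has already received from every DSA, and a source skips any change the destination's vector already covers. DC names, USNs and the three-DC topology are constructed.

```python
"""Propagation dampening with the up-to-dateness (UTD) vector.

Added example; not code from the course. Each simulated domain controller
stamps a change with the originating DSA and originating USN, keeps a
high-watermark per replication partner, and keeps a UTD vector: the highest
originating USN it has already received from every DSA, by any path. When a
change could reach a DC over two paths, the UTD vector lets the second source
skip it. DC names and USNs are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Change:
    originating_dsa: str   # DC where the write originated
    originating_usn: int   # USN that DC assigned to the write
    local_usn: int         # USN assigned by the DC holding this copy
    payload: str


@dataclass
class DomainController:
    name: str
    usn: int = 0
    changes: list = field(default_factory=list)
    utd: dict = field(default_factory=dict)             # dsa -> highest originating USN seen
    high_watermark: dict = field(default_factory=dict)  # partner -> last local USN pulled

    def write(self, payload: str) -> Change:
        """Originating write: this DC is the originator and assigns the USN."""
        self.usn += 1
        change = Change(self.name, self.usn, self.usn, payload)
        self.changes.append(change)
        self.utd[self.name] = self.usn
        return change

    def pull_from(self, source: "DomainController", dampening: bool = True) -> int:
        """Pull changes from `source`; return how many it actually had to send."""
        watermark = self.high_watermark.get(source.name, 0)
        sent = 0
        for change in source.changes:
            if change.local_usn <= watermark:
                continue  # high-watermark filter: already pulled from this partner
            if dampening and self.utd.get(change.originating_dsa, 0) >= change.originating_usn:
                continue  # propagation dampening: already received over another path
            self.usn += 1
            self.changes.append(Change(change.originating_dsa, change.originating_usn,
                                       self.usn, change.payload))
            self.utd[change.originating_dsa] = max(
                self.utd.get(change.originating_dsa, 0), change.originating_usn)
            sent += 1
        self.high_watermark[source.name] = source.usn
        # The destination is now at least as current as the source for every DSA.
        for dsa, highest in source.utd.items():
            self.utd[dsa] = max(self.utd.get(dsa, 0), highest)
        return sent


def simulate(dampening: bool = True) -> dict:
    """One write on A reaches C over two paths: A->C directly and A->B->C."""
    a, b, c = DomainController("A"), DomainController("B"), DomainController("C")
    a.write("description on CN=Alice")
    sent = {
        "A->B": b.pull_from(a, dampening),
        "A->C": c.pull_from(a, dampening),
        "B->C": c.pull_from(b, dampening),  # 0 with dampening, 1 (a duplicate) without
    }
    # A genuinely new write on B still flows to C over the same connection.
    b.write("description on CN=Bob")
    sent["B->C again"] = c.pull_from(b, dampening)
    sent["changes_on_C"] = len(c.changes)
    return sent
```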

Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works


What Are Directory Partitions?

Key Points
The AD DS database is separated logically into directory partitions: a schema
partition, a configuration partition, domain partitions, and application partitions.
Each partition is a unit of replication, and each partition has its own replication
topology.

Additional Reading
• Microsoft Technet article: How the Data Store Works (Directory Partition
section)
• Microsoft Technet article: How the Active Directory Replication Model Works


What Is Replication Topology?

Key Points
The replication topology is the route by which replication data travels throughout a
network. To create a replication topology, AD DS must determine which domain
controllers replicate data with other domain controllers.

Question: Which application partitions are created by default in AD DS?

Additional Reading
• Microsoft Technet article: What Is Active Directory Replication Topology?


How Directory Partitions and the Global Catalog Are Replicated

Key Points
Replication of the schema and configuration partitions follows the same process as
all other directory partitions. However, because these partitions are forest-wide
rather than domain-wide, you can create the connection objects for these partitions
between any two domain controllers, regardless of the domain controller’s domain.
All domain controllers in the forest are included in the replication topology for
these partitions.

Additional Reading
• Microsoft Technet article: What Is Active Directory Replication Topology?


How the Replication Topology Is Generated

Key Points
When you add domain controllers to a site, AD DS uses the Knowledge
Consistency Checker (KCC) to establish a replication path between domain
controllers.

Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works


Demonstration: Creating and Configuring Connection Objects

Question: When would you configure connection objects manually?


Lesson 2:
Overview of AD DS Sites and Replication

Within a single site, AD DS replication happens rapidly and automatically, without
regard for network utilization. However, some organizations have multiple
locations that are connected by slow network connections. You can use AD DS
sites to control replication and other types of AD DS traffic across these network
links.


What Are AD DS Sites and Site Links?

Key Points
You use sites to control replication traffic, logon traffic, and client computer
requests to the global catalog server.

Additional Reading
• Active Directory Sites and Services Help: Understanding Sites, Subnets, and
Site Links


Discussion: Why Implement Additional Sites?

Additional Reading
• Active Directory Sites and Services Help: Understanding Sites, Subnets, and
Site Links


Demonstration: Configuring AD DS Sites

Questions:
• What would happen to the replication topology if you moved a domain
controller from one site to another site?
• You move a domain controller to a new site by using Active Directory Sites and
Services. Six hours later you determine that the domain controller is not
replicating with any other domain controller. What should you check?

Additional Reading
• Active Directory Sites and Services Help: Create a Site, Create a Subnet


How Replication Works Between Sites

Key Points
Within a site, you have very little control over the AD DS replication process. When
you implement multiple sites in an AD DS forest, you also can configure AD DS
replication to ensure optimal network utilization.


Comparing Replication Within Sites and Between Sites

Key Points
See the slide for comparisons.

Additional Reading
• Active Directory Sites and Services Help: Understanding Replication Between
Sites
• Microsoft Technet article: What Is Active Directory Replication Topology?


Demonstration: Configuring AD DS Site Links

Questions:
• If all of the locations in your organization are connected by a wide area
network that has the same available bandwidth, do you need to create
additional site links?
• Your organization has two sites and a single domain. Can you use SMTP as the
replication protocol between the two sites?

Additional Reading
• Active Directory Sites and Services Help: Create a Site Link


What Is the Inter-site Topology Generator?

Key Points
The KCC on one domain controller in the site is designated as the site’s Inter-Site
Topology Generator (ISTG). There is only one ISTG per site regardless of how
many domains or other directory partitions the site has. ISTG is responsible for
calculating the site’s ideal replication topology.

Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works


How Unidirectional Replication Works

Key Points
Because no changes are written directly to the read-only domain controller
(RODC), no changes originate at the RODC. Accordingly, writable domain
controllers that are replication partners do not have to pull changes from the
RODC. This means that any changes or corruption that a malicious user might
make at branch locations cannot replicate from the RODC to the forest. This also
reduces the workload of the hub’s bridgehead servers and the effort required to
monitor replication.

Additional Reading
• Microsoft Technet article: AD DS: Read-Only Domain Controllers


Lesson 3:
Configuring and Monitoring AD DS Replication

Once you have configured the sites and site links for your AD DS environment, you
can configure AD DS replication. AD DS in Windows Server 2008 provides several
options that you can use to manage how replication will flow between sites.
Because AD DS replication is so critical to your environment, you also need to
know how to monitor AD DS replication.


What Is a Bridgehead Server?

Key Points
The bridgehead server in an AD DS replication topology is the single domain
controller in each site that is responsible for sending and receiving replicated data
with other sites. The bridgehead server from the originating site collects all of the
replication changes in its site and then sends them to the receiving site’s
bridgehead server, which replicates the changes to all of the site’s domain
controllers.
By default, the ISTG identifies one domain controller in each site as the bridgehead
server for each site link. If that bridgehead server becomes unavailable, the ISTG
identifies another domain controller as the bridgehead server.

Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works


Demonstration: Configuring Bridgehead Servers

Question:
Your organization has two sites and two domains in the same forest with domain
controllers for both domains in both sites. You configure one domain controller in
each site as the preferred bridgehead server. Some time later you notice that the
domain controllers for one of the domains are not replicating across the site link.
What do you need to do to fix this?

Additional Reading
• Microsoft Technet article: Managing Intersite Replication


Demonstration: Configuring Replication Availability and Frequency

Questions:
• You configure site links between the New York site and the Toronto site, and
between the New York site and the London site. The New York-Toronto site link is
available from 2 am to 5 am EST. The New York-London site link is available from
8 pm to 11 pm EST. You create a new user in Toronto. When will the new user
appear in AD DS on a domain controller in London?
• Your organization has 4 sites. All of your sites are included in the
DefaultIPSiteLink. You would like to modify the replication schedule for all of the
sites so that replication between sites happens every 15 minutes. What should you
do?

Additional Reading
• Active Directory Sites and Services Help: Configure Intersite Replication


What Is Site Link Bridging?

Key Points
By default, all AD DS site links are transitive, or bridged. That means that if site A
shares a site link with site B, site B shares a site link with site C, and the two site
links are bridged, domain controllers in site A can replicate directly with domain
controllers in site C, even though there is no site link between sites A and C.
You can modify the default site link bridging configuration by disabling site-link
bridging and then configuring site link bridging only for those site links that
should be transitive.

Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works


Demonstration: Modifying Site Link Bridges

Question: Your organization has five sites. Four of the sites are connected by wide
area network (WAN) links with surplus network bandwidth, while one of the sites
is connected to the other sites by a WAN link with very little available bandwidth.
You disable site link bridging in your organization, and then realize that it is taking
much longer than usual to replicate AD DS changes between sites. What should
you do to optimize replication between the four sites with available bandwidth
while minimizing the network utilization to the site with less available bandwidth?

Additional Reading
• Microsoft Technet article: Managing Intersite Replication


What Is Universal Group Membership Caching?

Key Points
One of the issues that you may need to address when configuring AD DS
replication is whether to deploy global catalog servers in each site. Because global
catalog servers are required when users log on to the domain, deploying a global
catalog server in each site optimizes the user experience. However, deploying a
global catalog server in a site results in additional replication traffic, which may be
an issue if the network connection between AD DS sites has limited bandwidth. In
these scenarios, you can deploy domain controllers running Windows Server 2008
and then enable universal group membership caching for the site.

Additional Reading
• Microsoft Technet article: Planning Global Catalog Server Placement


Demonstration: Configuring Universal Group Membership Caching

Additional Reading
• Microsoft Technet article: Cache universal group memberships


Demonstration: Tools for Monitoring and Managing Replication

Questions:

• Under what circumstance might you want to know which domain controller is
the ISTG in a site?
• What information is available in the command line tools that is not available
through the GUI tools?


Lab: Configuring Active Directory Sites and Replication

Scenario:
Woodgrove Bank has multiple offices throughout the world. To optimize client
logon traffic and manage AD DS replication, the enterprise administrator has
created a new design for configuring AD DS sites and for configuring replication
between sites. You need to create AD DS sites and configure replication based on
the enterprise administrator's design, and monitor site replication to ensure that
all components required for replication are functional.
The current site design at Woodgrove Bank has not been modified from the
default. Other than the default site, no AD DS sites or site links are configured.


The enterprise administrator has created the following site design:


• New York has a 1.544 Mbps wide area network (WAN) connection to London
that has 50% available bandwidth. New York and Tokyo also are connected by
a 1.544 Mbps WAN connection that has 50% available bandwidth. Any
changes made to AD DS in any of these three locations should be replicated to
the other locations within one hour.
• Miami is connected to New York through a 256 kbps WAN connection that
has less than 20% available bandwidth during regular business hours.
Changes made to AD DS in any site in the organization should not be
replicated to Miami during regular business hours.
• The domain controller in Miami should receive updates only from a New York
domain controller. Domain controllers in New York, Tokyo, and London can
receive updates from any domain controller in one of these three sites.
• The domain controller in Miami is not configured as a global catalog server
because of concerns with global catalog replication. To minimize the network
traffic required for authentication, you should enable universal group-
membership caching for the Miami site.
• You should configure each company location as a separate site, with a site
name of CityName-Site.
• You should name site links using the following format: CityName-CityName-
Site-Link.
• The network-address configurations for each company location are as follows:
• New York – 10.10.0.0/16
• London – 10.20.0.0/16
• Miami – 10.30.0.0/16
• Tokyo – 10.40.0.0/16

Note: Due to the virtual lab limitations, you will be configuring the sites only for the
New York, London, and Miami locations.


Exercise 1: Configuring AD DS Sites and Subnets


In this exercise, you will modify the existing site configuration based on the
enterprise administrator’s design. The tasks include creating new subnets and
sites, creating site links, and moving servers into the appropriate sites.
The main tasks are as follows:
1. Start the 6425A-NYC-DC1 virtual machine and log on as Administrator.
2. Start the 6425A-LON-DC1 virtual machine and log on as Administrator.
3. Start the 6425A-MIA-RODC virtual machine and log on as Administrator.
4. Start the 6425A-NYC-RAS virtual machine and log on as Administrator.
5. Verify the current site configuration and replication topology.
6. Create the AD DS sites.

Task 1: Start the 6425A-NYC-DC1 virtual machine and log on as Administrator
• Start 6425A-NYC-DC1 and log on as Administrator using the password
Pa$$w0rd.

Task 2: Start the 6425A-LON-DC1 virtual machine and log on as Administrator
• Start 6425A-LON-DC1 and log on as Administrator using the password
Pa$$w0rd.

Task 3: Start the 6425A-MIA-RODC virtual machine and log on as Administrator
• Start 6425A-MIA-RODC and log on as Administrator with a password of
Pa$$w0rd.

Task 4: Start the 6425A-NYC-RAS virtual machine and log on as Administrator
• Start 6425A-NYC-RAS and log on as Administrator with a password of
Pa$$w0rd.


Task 5: Verify the current site configuration and replication topology
1. On NYC-DC1, open Active Directory Sites and Services and access the NTDS
Settings properties for NYC-DC1.
2. Verify the connection objects configured on NYC-DC1. Confirm that the
connection objects are used to replicate all relevant directory partitions.
3. Verify that the connections are configured to always replicate and check for
updates every hour.
4. Examine the connection objects configured on MIA-RODC. Verify that the
RODC only has inbound replication partners and no outbound replication
partners.

Task 6: Create the AD DS sites
1. In Active Directory Sites and Services, rename the Default-First-Site-Name to
NewYork-Site.
2. Create new sites named Miami-Site, London-Site, and Tokyo-Site.
3. Create new subnet objects with the following properties:
• Prefix: 10.10.0.0/16, Site: NewYork-Site
• Prefix: 10.20.0.0/16, Site: London-Site
• Prefix: 10.30.0.0/16, Site: Miami-Site
• Prefix: 10.40.0.0/16, Site: Tokyo-Site
4. Verify that the correct subnets are associated with each site.

Result: At the end of this exercise, you will have configured AD DS sites and subnets
and linked the subnets to the appropriate sites.


Exercise 2: Configuring AD DS Replication


In this exercise, you will configure AD DS replication between sites. The tasks
include creating new site links, configuring site-link bridging, and moving the
domain controllers to the appropriate sites.
The main tasks are as follows:
1. Create the site links.
2. Configure site link bridging.
3. Modify the domain controller IP address configuration.
4. Move the domain controllers into the appropriate sites.
5. Configure global catalog caching for the Miami site.

Task 1: Create the site links
1. In Active Directory Sites and Services, rename the DefaultIPSiteLink to
NewYork-London-Site-Link. Configure the site link to include only the
NewYork-Site and London-Site, and to replicate every 30 minutes.
2. Right-click NewYork-London-Site-Link and click Properties.
3. Create a new site link named NewYork-Tokyo-Site-Link that includes the
NewYork-Site and Tokyo-Site, and that replicates every 30 minutes.
4. Create another new site link named NewYork-Miami-Site-Link that includes
the NewYork-Site and Miami-Site. Modify the schedule for the site link to not
allow replication between 7 a.m. and 7 p.m., Monday to Friday.

Task 2: Configure site link bridging
1. In Active Directory Sites and Services, turn off site-link bridging for the IP site
links.
2. Create a new site-link bridge named NewYork-London-Tokyo-Site-Link-
Bridge that includes all sites except the Miami-Site.


Task 3: Modify the domain controller IP address configuration
1. On LON-DC1, access the Local Area Connection properties. Change the IP
address configuration to use an IP address of 10.20.0.110 and a default
gateway of 10.11.0.1.
2. Ensure that you can ping 10.10.0.10 from LON-DC1, and force the server to
register its IP address in DNS.
3. On MIA-RODC, in the command prompt window, use the netsh interface
ipv4 show interfaces command to identify the Idx value assigned to the Local
Area Connection.
4. Use the netsh interface ipv4 set address name="ID" source=static
address=10.30.0.15 mask=255.255.0.0 gateway=10.30.0.1 command to
change the IP address for MIA-RODC.
5. Ensure that you can ping 10.10.0.10 from MIA-RODC, and force the server to
register its IP address in DNS.
6. On NYC-DC1, verify that the IP addresses for LON-DC1 and MIA-RODC have
been updated in DNS.

Task 4: Move the domain controllers into the appropriate sites
1. On NYC-DC1, in Active Directory Sites and Services, move LON-DC1 from
the NewYork-Site to the London-Site.
2. Move MIA-RODC from the NewYork-Site to the Miami-Site.

Task 5: Configure global catalog caching for the Miami site
1. On NYC-DC1, in Active Directory Sites and Services, access the NTDS Site
Settings properties for the Miami-Site.
2. Enable Universal Group Membership Caching and configure the cache to be
refreshed from the NewYork-Site.

Result: At the end of this exercise, you will have configured AD DS replication.


Exercise 3: Monitoring AD DS Replication


In this exercise, you will monitor AD DS replication between sites. You will use
DCDiag and NLTest to check for server availability, use Repadmin to configure AD
DS objects, and use Replmon to monitor the replication between sites.
The main tasks are as follows:
1. Verify that the replication topology has been updated.
2. Verify that replication is working between sites.
3. Use DCDiag to verify the replication topology.
4. Use Repadmin to verify successful replication.
5. Shut down all virtual machines and delete all changes.

f Task 1: Verify that the replication topology has been updated


1. On NYC-DC1, in Active Directory Sites and Services, access the NTDS
Settings for NYC-DC1 and force the server to check the replication topology.
2. Access the NTDS Settings for LON-DC1 in the London-Site and force it to
check the replication topology. This will take a few moments to complete.
3. Access the NTDS Settings for MIA-RODC in the Miami-Site and force it to
check the replication topology. This will take a few moments to complete.
4. Access the NTDS Site Settings properties for the NewYork-Site and verify that
NYC-DC1 is configured as the Inter-Site Topology Generator (ISTG).
5. Verify that LON-DC1 is the ISTG for the London-Site.
6. Access the NTDS Site Settings for the Miami-Site and verify that MIA-RODC is
not listed as the ISTG. Because MIA-RODC is an RODC, it cannot operate as a
bridgehead server or an ISTG.

4-38 Course 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services

f Task 2: Verify that replication is working between sites


1. On NYC-DC1, in Active Directory Sites and Services, access the NTDS
Settings for NYC-DC1.
2. In the details pane, verify that a connection object has been created between
NYC-DC1 and LON-DC1. Force replication on the connection object.
3. Access the connection object configured on LON-DC1 between LON-DC1 and
NYC-DC1. Force replication on the connection object.
4. On NYC-DC1, in Active Directory Users and Computers, in the Users
container, create a new user with a first name and logon name of TestUser and
a password of Pa$$w0rd.
5. In Active Directory Sites and Services, access the connection object
configured on MIA-RODC between NYC-DC1 and MIA-RODC. Force
replication on the connection object.
6. In Active Directory Users and Computers, change the focus to MIA-
RODC.WoodgroveBank.com.
7. In the Change Domain Controller dialog box, click MIA-
RODC.WoodgroveBank.com and click OK. Verify that the TestUser account
has been replicated to MIA-RODC.

f Task 3: Use DCDiag to verify the replication topology


1. On NYC-DC1, at a command prompt, type DCDiag /test:replications to
verify that NYC-DC1 passes all replication tests.

Note: Replication errors will be listed for NYC-DC2 and TOK-DC1, because those
servers are not running and replication with them has been attempted.

2. Use DCDiag with the /s:servername option (for example, DCDiag
/test:replications /s:LON-DC1) to verify that LON-DC1 passes all tests related
to replication.

Hint: Look for the Starting test: Replications section in the screen output.


f Task 4: Use Repadmin to verify successful replication


1. On NYC-DC1, at the command prompt, type repadmin /showrepl and verify
that all directory partitions were updated successfully during the last
replication update.
2. At the command prompt, type repadmin /showrepl MIA-
RODC.WoodgroveBank.com and verify that all directory partitions were
updated successfully during the last replication update.
3. At the command prompt, type repadmin /bridgeheads and verify that NYC-
DC1 and LON-DC1 are listed as the bridgehead servers for their respective sites.
4. At the command prompt, type repadmin /replsummary and examine the
replication summary, and then close the command prompt.
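Tasks 3 and 4 as a single script that parses the tool output rather than reading it by eye, added here as an example; it is not part of the course lab. It assumes a PowerShell 2.0 or later prompt on NYC-DC1 run as a Domain Admin, the lab server names, and the column headings that repadmin /showrepl /csv prints; the tombstone-lifetime threshold is a value you set for your forest.

```powershell
# Added example, not part of the course lab. Verify replication with dcdiag and
# repadmin, then surface the partners that are failing or have gone stale.
# Assumes PowerShell 2.0+ (for ConvertFrom-Csv) and the lab DC names.

# Task 3: dcdiag for the local DC and for a remote one (/s:<name>). The
# 'passed test' / 'failed test' summary lines are what to key on.
foreach ($dc in 'NYC-DC1', 'LON-DC1') {
    $out = dcdiag /test:replications "/s:$dc"
    $verdict = $out | Select-String -Pattern '(passed|failed) test Replications'
    "{0}: {1}" -f $dc, ($verdict -join '; ')
}

# Task 4: repadmin /showrepl for every DC ('*') as CSV, parsed into objects.
# The heading names below are repadmin's own.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

# Partners with at least one consecutive failure. In this lab NYC-DC2 and
# TOK-DC1 are powered off, so they are expected to show up here.
$failing = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
$failing |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Status', 'Last Success Time' |
    Format-Table -AutoSize

# A partner whose last success is older than the tombstone lifetime can
# reintroduce deleted (lingering) objects and needs cleanup, not just a retry.
# Set this to your forest's value: 60 days for forests created before
# Windows Server 2003 SP1, 180 days for forests created on SP1 or later.
$tombstoneDays = 180
$cutoff = (Get-Date).AddDays(-$tombstoneDays)
$stale = $rows | Where-Object {
    $last = $_.'Last Success Time' -as [datetime]   # $null if repadmin printed no usable time
    $last -and ($last -lt $cutoff)
}
if ($stale) {
    $list = $stale | ForEach-Object { "$($_.'Destination DSA') <- $($_.'Source DSA') [$($_.'Naming Context')]" }
    Write-Warning ("Partners past the tombstone lifetime: " + ($list -join '; '))
}

# Bridgeheads and the overall summary, as in the lab steps.
repadmin /bridgeheads
repadmin /replsummary
```

Parsing the CSV rather than the human-readable output is what makes this safe to run on a schedule: the same filter that prints the failing partners can raise an alert, and the Number of Failures column increments on every consecutive failure, so a partner that has been failing for days stands out from one that missed a single cycle.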

f Task 5: Shut down all virtual machines and delete all changes
• Connect to the Virtual Server Administration site and shut down all virtual
machines without saving changes.

Result: At the end of this exercise, you will have verified that AD DS replication is
working.


Module Review and Takeaways

Review Questions
1. How can you minimize the chances of creating a replication conflict in your
organization?
2. You have deployed nine domain controllers in the same domain. Five of these
domain controllers are in one site, and four are in a different site. You have
not modified the default replication frequency for intra-site or inter-site
replication. You create a user account on one domain controller. What is the
maximum amount of time it will take for that user account to be replicated to
all of the domain controllers in the domain?
3. You add a new domain controller to an existing domain in your forest. Which
AD DS partitions will be modified as a result?


4. Your organization has one domain with three sites: a head-office site and two
branch-office sites. Domain controllers in the branch-office sites can
communicate with domain controllers at the head office, but cannot
communicate directly with domain controllers in the other branch office
because of firewall restrictions. How can you configure the site-link
architecture in AD DS to reflect the firewall restrictions and ensure that the
KCC will not automatically create a connection between the branch-office sites?
5. Your organization has a head office and 20 branch offices. Each office is
configured as a separate site. You have three domain controllers deployed at
the head office. One of the domain controllers at the head office has a faster
processor and more memory than the other two. You want to ensure that the
AD DS replication workload is assigned to the more powerful computer. What
should you do?

Considerations for Configuring AD DS Sites and Replication


Supplement or modify the following best practices for your own work situations:
• In an organization with a single site, you can almost always just accept the
default replication configuration. Although you can modify the default
notification times for AD DS replication, there is rarely any reason to do so.
• In an organization with multiple sites, you must plan the site design to
optimize WAN utilization by minimizing Active Directory replication and client
logon traffic across the WAN links.
• Use preferred bridgehead servers only if you want to exclude some domain
controllers in the site from being bridgehead servers. Some domain controllers
may not be powerful enough to replicate reliably between sites. Otherwise,
allow the intersite topology generator to automatically select bridgehead
servers.
• The site configuration and domain controller locations within sites can be
modified after deployment. If you discover that your AD DS replication is
inefficient, or your organization expands, it is easy to modify the AD DS
replication process by adding or removing sites, or modifying the site link
configuration.
• AD DS replication traffic between sites is compressed. This means that in all
but the largest organizations, replication traffic will not consume a great deal
of network bandwidth between sites.


Tools
Use the following tools when configuring AD DS sites and replication:

Server Manager
  Use for: Accessing the AD DS management tools in a single console.
  Where to find it: Click Start, point to Administrative Tools, and then click
  Server Manager.

Active Directory Sites and Services
  Use for: Creating and configuring sites and subnets, moving domain controllers
  between sites, and forcing replication.
  Where to find it: Click Start, point to Administrative Tools, and then click
  Active Directory Sites and Services.

Repadmin
  Use for: Gathering data about the current replication topology and status, and
  creating new replication objects.
  Where to find it: Installed by default; run it from a command prompt.

DCDiag
  Use for: Gathering data about domain controllers, including replication
  partners and status.
  Where to find it: Installed by default; run it from a command prompt.

Creating and Configuring Group Policies 5-1

Module 5
Creating and Configuring Group Policies
Contents:
Lesson 1: Overview of Group Policies 5-3
Lesson 2: Configuring the Scope of Group Policy Objects 5-15
Lesson 3: Evaluating the Application of Group Policy Objects 5-26
Lesson 4: Managing Group Policy Objects 5-31
Lesson 5: Delegating Administrative Control of Group Policies 5-38
Lab: Creating and Configuring GPOs 5-42


Module Overview

Administrators face increasingly complex challenges in managing the Information
Technology (IT) infrastructure. You must deliver and maintain customized
desktop configurations for more types of workers, such as mobile users,
information workers, or others assigned to strictly defined tasks, such as data
entry. Group Policy and the Active Directory® services infrastructure in Windows
Server® 2008 enable IT administrators to automate management of users and
computers, which simplifies administrative tasks and reduces IT costs.
Administrators can efficiently implement security settings, enforce IT policies, and
distribute software consistently across a given site, domain, or range of
organizational units (OUs). In this module, you will learn how to use Group
Policies to manage your IT infrastructure.


Lesson 1:
Overview of Group Policies

This lesson introduces you to how you can use Group Policies to simplify
managing computers and users in an Active Directory environment. You will learn
how Group Policies are structured and applied, and about some of the exceptions
to using Group Policies.
This lesson also discusses Group Policy features that are included with Windows
Server 2008, which also will help simplify computer and user management.


What Are Group Policies?

Key Points
Group Policy is a Microsoft technology that supports one-to-many management of
computers and users in an Active Directory environment. By editing the policy
settings in a Group Policy object (GPO) and targeting the GPO at the intended
computers or users, you can manage specific configuration parameters centrally.
In this way, you can manage potentially thousands of computers or users by
changing a single GPO. Group Policy can control many aspects of a target object's
environment, including the registry, NTFS file system security, audit and security
policy, software installation and restriction, the desktop environment, and
logon/logoff scripts.
One policy may be associated with multiple containers in Active Directory through
linking. Conversely, multiple policies may link to one container.

Question: When would local Group Policies be useful in a domain environment?

Additional Reading
• Microsoft Technet article: Windows Server Group Policy


Group Policy Settings

Key Points
Group Policy has thousands of configurable settings (approximately 2,400). These
settings can affect nearly every area of the computing environment. Not all of
the settings apply to all versions of the Windows operating system. For example,
the Windows Firewall settings introduced with Windows® XP Service Pack (SP) 2
apply only to that operating system and later versions, and many of the hundreds
of settings introduced with Windows® Vista™ and Windows Server 2008 apply only
to those operating systems. If a computer receives a setting that it cannot
process, it simply ignores the setting.

Question: Which of the new features will you find the most useful in your
environment?


Additional Reading
• Microsoft Technet article: Summary of New or Expanded Group Policy
Settings
• Microsoft Technet article: What's New in Group Policy in Windows Vista and
Windows Server 2008?


How Group Policies Are Applied

Key Points
Clients initiate Group Policy application by requesting Group Policy settings from
Active Directory. When Group Policy is applied to a user or computer, the client
component interprets the policy and makes the appropriate environment changes.
These components are known as Group Policy client-side extensions. As Group
Policy is processed, the Winlogon process passes the list of GPOs that must be
processed to each Group Policy client-side extension. The extension uses the list to
process the appropriate policy, when applicable.

Question: What would be some advantages and disadvantages to lowering the
refresh interval?

Additional Reading
• Microsoft Technet article: Windows Server Group Policy


Exceptions to Group Policy Processing

Key Points
Different factors can change the normal Group Policy processing behavior, such as
logging on using a slow connection. Also, different types of connections or
operating systems handle Group Policy processing differently.

Question: How is Network Location Awareness (NLA) better than Internet
Control Message Protocol (ICMP) in the proper application of group policy?

Additional Reading
• Controlling Client-Side Extensions by Using Group Policy


Group Policy Components

Key Points
A GPO is stored in two places. The Group Policy container (GPC) is an object in
Active Directory, under the System\Policies container of the domain, that holds
the GPO's GUID, version number, and status attributes. The Group Policy template
(GPT) is a folder, named after the same GUID, under the Policies folder of the
SYSVOL share on every domain controller; it holds the settings files, scripts, and
Administrative Template data. Active Directory replication carries the GPC and
SYSVOL replication carries the GPT, so both must have replicated to a domain
controller before clients that use it receive the new version of the GPO.
One policy may be associated with multiple Active Directory containers through
linking. Conversely, multiple policies may link to one container.
Group Policy has three major components:
• Group Policy templates
• Group Policy container
• Group Policy objects


What Are ADM and ADMX Files?

Key Points

ADM Files
Traditionally, ADM files have been used to define the settings the administrator
can configure through Group Policy. Each successive Windows operating system
and service pack has included a newer version of these files. ADM files use their
own markup language. Because of this, it is difficult to customize ADM files. The
ADM templates are located in the %SystemRoot%\Inf folder.

ADMX Files
Windows Vista and Windows Server 2008 introduce a new format for displaying
registry-based policy settings. Registry-based policy settings are defined using a
standards-based XML file format known as ADMX files. These new files replace
ADM files. Group Policy tools on Windows Vista™ and Windows Server 2008 will
continue to recognize custom ADM files you have in your existing environment,
but will ignore any ADM file that ADMX files have superseded.


Question: How could you tell if a GPO was created or edited using ADM or ADMX
files?

Additional Reading
• Microsoft Technet article: Managing Group Policy ADMX Files Step-by-Step
Guide
• Microsoft Support: Location of ADM (Administrative Template) Files in
Windows


What Is the Central Store?

Key Points
For domain-based enterprises, administrators can create a central store of
ADMX files that is accessible by anyone with permission to create or edit GPOs.
The Group Policy Object Editor on Windows Vista and Windows Server 2008
automatically reads and displays Administrative Template policy settings from
the ADMX files in the central store and ignores the copies stored locally. If a
domain controller is not available, the local store is used instead.
You must create the central store manually, under the Policies folder of the
SYSVOL share, and you must update it manually when newer ADMX files become
available. Whether ADMX files are used depends on the operating system of the
computer where you create or edit the GPO, not on the domain controller, so the
domain controllers can run Windows 2000 Server, Windows Server 2003, or Windows
Server 2008. SYSVOL replication, by the File Replication Service (FRS) or by DFS
Replication where SYSVOL has been migrated to it, copies the store to the
domain's other domain controllers.
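Creating the central store and checking that it replicated, as an added example that is not part of the course text. It assumes a PowerShell prompt run as a Domain Admin on a Windows Vista or Windows Server 2008 computer whose local PolicyDefinitions folder is the version you want to publish, the lab domain WoodgroveBank.com, and LON-DC1 as the second domain controller to check.

```powershell
# Added example, not part of the course text. Build the ADMX central store in
# SYSVOL from this computer's PolicyDefinitions folder, check that each ADMX
# has its ADML, and confirm that SYSVOL replication carried the store to a
# second domain controller. Domain and DC names are lab assumptions.
$Domain  = 'WoodgroveBank.com'
$OtherDc = 'LON-DC1'
$Source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$Store   = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"   # the domain name path lands on whichever DC this client picked

if (-not (Test-Path $Source)) {
    throw "$Source not found: the source computer must run Windows Vista or Windows Server 2008 (or later), which ship ADMX files"
}

# Copy the ADMX files and every language subfolder (en-US, ...) holding the matching ADML files.
if (-not (Test-Path $Store)) { New-Item -ItemType Directory -Path $Store | Out-Null }
Copy-Item -Path (Join-Path $Source '*') -Destination $Store -Recurse -Force

# Every ADMX needs an ADML for the editor's language; otherwise GPMC reports an
# error for that template and its settings are not displayed.
$lang   = (Get-Culture).Name   # for example en-US
$noAdml = Get-ChildItem -Path $Store -Filter *.admx |
    Where-Object { -not (Test-Path (Join-Path $Store "$lang\$($_.BaseName).adml")) }
if ($noAdml) {
    Write-Warning ("No $lang ADML for: " + (($noAdml | ForEach-Object { $_.Name }) -join ', '))
}

# Confirm SYSVOL replication (FRS or DFS Replication) has converged on another DC.
$remoteStore = "\\$OtherDc\SYSVOL\$Domain\Policies\PolicyDefinitions"
$localCount  = @(Get-ChildItem -Path $Store -Filter *.admx).Count
$remoteCount = @(Get-ChildItem -Path $remoteStore -Filter *.admx -ErrorAction SilentlyContinue).Count
"$Store : $localCount ADMX files; $remoteStore : $remoteCount ADMX files"
if ($localCount -ne $remoteCount) {
    Write-Warning "$OtherDc has not converged yet; wait for SYSVOL replication before editing GPOs from that site"
}
```

Keep the store at the newest ADMX version in use anywhere in the domain: once the store exists, every Windows Vista or Windows Server 2008 editor ignores its local files, so an out-of-date store hides newer settings from all administrators at once.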


Question: What would be the advantage of creating the central store on the PDC
emulator?

Additional Reading
• Microsoft Support: How to create a Central Store for Group Policy
Administrative Templates in Window Vista


Demonstration: Configuring Group Policy Objects

Question: When you open the GPMC on your Windows XP computer, you do not
see the new Windows Vista settings in the Group Policy Editor. Why not?


Lesson 2:
Configuring the Scope of Group Policy
Objects

There are many techniques in Group Policy that allow administrators to
manipulate how Group Policy is applied. You can control the default processing
order of policies through enforcement, blocking inheritance, security filtering, and
Windows Management Instrumentation (WMI) filters, or by using the loopback
feature. In this lesson, you will learn about these techniques.


Group Policy Processing Order

Key Points
The GPOs that apply to a user or computer do not all have the same precedence.
Group Policies are applied in a fixed order: local GPOs first, then the GPOs
linked to the site, the domain, and finally each OU from the top of the OU tree
down to the OU that contains the object. Settings that are processed later
override settings that were processed earlier. For example, a policy that
restricts access to Control Panel applied at the domain level could be reversed
by a policy applied at the OU level for that particular OU.

Question: Your organization has multiple domains spread over multiple sites. You
want to apply a Group Policy to all users in two different domains. What is the best
way to accomplish this?

Additional Reading
• Microsoft Technet article: Group Policy processing and precedence


What Are Multiple Local Group Policies?

Key Points
In Microsoft operating systems prior to Windows Vista, there was only one user
configuration available in the local Group Policy, and it applied to all users
who logged on to the local computer. Windows Vista and Windows Server 2008 add
multiple local Group Policy objects: it is now possible to have different user
settings for different local users, or for administrators and non-administrators,
although there remains only one computer configuration, which affects all users.

Question: When would multiple local group policies be useful in a domain
environment?

Additional Reading
• Microsoft Technet article: Step-by-Step Guide to Managing Multiple Local
Group Policy Objects


Options for Modifying Group Policy Processing

Key Points
There may be occasions when the normal behavior of Group Policy is not
desirable. For example, certain users or groups may need to be exempt from
restrictive Group Policies or a Group Policy should be applied only to computers
with certain hardware or software characteristics. By default, all Group Policies
apply to the Authenticated Users group in a given container, but you can modify
that behavior through various methods.

Question: You have created a restrictive desktop policy and linked it to the
Finance OU. The Finance OU has several child OUs that have separate GPOs that
reverse some of your desktop restrictions. How would you ensure that all users in
the Finance department receive your desktop policy?

Additional Reading
• Microsoft Technet article: Controlling the Scope of Group Policy Objects using
GPMC


Demonstration: Configuring Group Policy Object Links

Question: True or false – if a GPO is linked to multiple containers, altering the
settings for one of those links will only affect that container.


Demonstration: Configuring Group Policy Inheritance

Question: Your domain has two domain-level policies, GPO1 and GPO2. You need
to ensure that all OUs receive GPO1, but GPO2 should not affect two of the OUs.
How could you accomplish this?


Demonstration: Filtering Group Policy Objects Using Security Groups

Question: You want to ensure that a specific policy linked to an OU will only affect
the members of the Managers global group. How would you accomplish this?


Demonstration: Filtering Group Policy Objects Using WMI Filters

Question: You need to deploy a software application that requires computers to
have more than 1 GB of RAM. What is the best way to accomplish this?


How Does Loopback Processing Work?

Key Points
Normally, user policy settings are derived entirely from the GPOs associated with
the user account, based on its location in Active Directory. Loopback
processing directs the system to apply the user settings from the GPOs that
apply to the computer to any user who logs on to that computer. This policy
is intended for special-use computers where you must modify the user policy based
on the computer that is being used, for example, computers in public areas or
classrooms. When loopback is applied, it affects all users except local users.
Loopback operates using the following two modes:
• Merge mode
• Replace mode

Additional Reading
• Microsoft Technet article: Loopback processing with merge or replace
• Microsoft Technet article: Loopback processing of Group Policy


Discussion: Configuring the Scope of Group Policy Processing

Scenario
Use the following scenario information for your discussion.
• All domain computers that have Windows XP Professional installed will have a
software application distributed through group policy.
• All domain users will have the Run menu removed from the Start menu. The
Admin OU will be exempt from this restriction. The Managers security group
will also be exempt from this restriction.
• The Mortgages OU will have further desktop restrictions applied.


Question: What are the advantages to using security group filtering over blocking
inheritance to prevent group policies from being applied?


Lesson 3:
Evaluating the Application of Group Policy
Objects

System administrators need to know how policy settings affect computers and
users in a managed environment. This information is essential when planning
policy for a network and when debugging existing policy. Obtaining the
information can be a complex task when you consider the many combinations of
sites, domains, and organizational units that are possible, and the many types of
Group Policy settings that can exist. Further complicating the task are security-
group filtering and the inheritance, blocking, and enforcement of Group Policies.
The GPResult command-line tool and the Group Policy Management Console
(GPMC) provide reporting features to simplify these tasks.


What Is Group Policy Reporting?

Key Points
Group Policy Reporting is a feature of Group Policy that makes implementation
and troubleshooting easier. Two main troubleshooting tools are the GPResult.exe
command-line tool and the Group Policy Results wizard in the GPMC. The Group
Policy Results feature allows administrators to determine the resultant policy set
that was applied to a given computer and/or user that logged on to that computer.
Although these tools are similar, they each provide different information.

Question: You want to know which domain controller delivered Group Policy to a
client. Which utility would you use to find that out?

Additional Reading
• Microsoft resources: Gpresult
• Microsoft Technet article: Group Policy Results (Administering Group Policy
with Group Policy Management Console)


What Is Group Policy Modeling?

Key Points
Another method for testing Group Policy is to use the Group Policy Modeling
Wizard in the GPMC to model environment changes before you actually make
them. The Group Policy Modeling Wizard calculates the simulated net effect of
GPOs. Group Policy Modeling also simulates such things as security group
membership, WMI filter evaluation, and the effects of moving user or computer
objects to a different OU or site. You also can specify slow-link detection, loopback
processing, or both when using the Group Policy Modeling Wizard.
The Group Policy Modeling process actually runs on a domain controller in your
Active Directory domain. Because the wizard never queries the client computer, it
cannot take local policies into account.


Question: What simulations can be performed with the Group Policy Modeling
Wizard? Choose all that apply.

A. Loopback processing
B. Moving a user to a different domain in the same forest.
C. Security group filtering
D. Slow link detection
E. WMI filtering
F. All of the above

Additional Reading
• Microsoft Technet article: Using Group Policy Modeling and Group Policy
Results to Evaluate Group Policy Settings


Demonstration: How to Evaluate the Application of Group Policies

Question: A user reports that they are unable to access Control Panel. Other users
in the department can access Control Panel. What tools might you use to
troubleshoot the problem?


Lesson 4:
Managing Group Policy Objects

GPMC provides mechanisms for backing up, restoring, migrating, and copying
existing GPOs. This is very important for maintaining your Group Policy
deployments in the event of error or disaster. It helps you avoid manually
recreating lost or damaged GPOs and having to again go through the planning,
testing, and deployment phases. Part of your ongoing Group Policy operations
plan should include regular backups of all GPOs. GPMC also provides for copying
and importing GPOs, both from the same domain and across domains.


GPO Management Tasks

Key Points
Like critical data and Active Directory related resources, you must back up Group
Policy to protect the integrity of Active Directory and GPOs. The GPMC provides
the basic backup and restore options, but also provides additional control over
GPOs for administrative purposes.

Question: You perform regular backups of GPOs. An administrator has
inadvertently changed a number of settings on the wrong GPO. What is the
quickest way to fix the problem?

Additional Reading
• Windows Server Library: Backing up, Restoring, Migrating, and Copying GPOs
• Microsoft Technet article: Import using GPMC


What Is a Starter GPO?

Key Points
Starter GPOs store a collection of Administrative Template policy settings in a
single object. Starter GPOs only contain Administrative Templates. You can import
and export Starter GPOs to distribute them to other areas of your enterprise.

Additional Reading
• Help Topics: Working with Starter GPOs


Demonstration: How to Copy a GPO

Question: What is the advantage of copying a GPO and linking it to an OU over
linking the original GPO to multiple OUs?


Demonstration: Backing up and Restoring GPOs

Question: What permissions are required to back-up a GPO?


Demonstration: Importing a GPO

Question: What is the purpose of a migration table?


Migrating Group Policy Objects

Key Points
The ADMX Migrator converts custom ADM templates into ADMX templates and
generates the matching ADML language file. By default, the converted files are
saved in the user's Documents folder. After conversion, copy the ADMX file into
the local PolicyDefinitions folder or into the central store, and copy the ADML
file into the matching language subfolder (for example, en-US). The new
Administrative Templates then appear in the GPMC.

Additional Reading
• Microsoft Web site: ADMX Migrator


Lesson 5:
Delegating Administrative Control of Group
Policies

In a distributed environment, it is common to have different groups delegated to
perform different administrative tasks. Group Policy management is one of the
administrative tasks that you can delegate.


Options for Delegating Control of GPOs

Key Points
Delegation allows the administrative workload to be distributed across the
enterprise. One group could be tasked with creating and editing GPOs, while
another group performs reporting and analysis duties. A separate group might be
in charge of WMI filters.
The following Group Policy tasks can be independently delegated:
• Creating Group Policy objects
• Editing Group Policy objects
• Managing Group Policy links for a site, domain, or OU
• Perform Group Policy Modeling analyses on a given domain or OU
• Read Group Policy Results data for objects in a given domain or OU
• Create WMI filters in a domain


Additional Reading
• Microsoft Technet article: Delegating Group Policy


Demonstration: How to Delegate Administrative Control of GPOs

Question: A user located in a different domain in your forest needs permission to
create GPOs in your domain. What is the best way to accomplish this?


Lab: Creating and Configuring GPOs

Scenario:
The Woodgrove Bank has decided to implement group policies to manage user
desktops and to configure computer security. The organization has already
implemented an OU configuration that includes top-level OUs grouped by location
with additional OUs within each location OU for different departments. User
accounts are located in the same container as their workstation computer accounts.
Server computer accounts are spread throughout various OUs.
The enterprise administrator has created a GPO deployment plan. You have been
asked to create Group Policy objects so that certain policies can be applied to all
domain objects. Some policies are considered mandatory. You also want to create
policy settings that will apply only to subsets of the domain’s objects, and you
want to have separate policies for computer settings and user settings. You must
delegate GPO administration to administrators within each company location.

Note: Some of the tasks in this lab are designed to illustrate GPO management
techniques and settings and may not always follow best practices.


Group Policy Requirements


• Domain users will not have access to the Run Menu. The policy will apply to
all users except users in the IT Admin OU.
• Executives will not have access to the desktop display settings.
• The NYC, Miami and Toronto branch users will not have access to the Control
Panel. All branch managers will be exempt from this restriction.
• All domain computers will have a mandatory baseline security policy applied
that does not display the name of the last logged on user.
• Computers running Windows Vista or Windows XP will have additional
settings applied to wait for the network at startup.
• Users in the administrators group will have the URL for Microsoft support
added to their Favorites.
• Kiosk computers in the branch offices will have loopback processing enabled.


Exercise 1: Creating and Configuring Group Policy Objects


You will create and link the GPOs specified by the enterprise administrator’s
design. Tasks include modifying the default domain policy, creating policies linked
to specific OUs and sites.
The main tasks are as follows:
1. Start and log on to NYC-DC1.
2. Create the group policies.
3. Configure the policies.
4. Link the GPOs.

Task 1: Start and log on to NYC-DC1

• Start and log on to NYC-DC1 as Administrator with a password of Pa$$w0rd.

Task 2: Create the group policies

• Use the GPMC to perform the following:
• Create a group policy named Restrict Control Panel.
• Create a group policy named Restrict Desktop Display.
• Create a group policy named Restrict Run Command.
• Create a group policy named Baseline Security.
• Create a group policy named Vista and XP Security.
• Create a group policy named Admin Favorites.
• Create a group policy named Kiosk Computer Security.


Task 3: Configure the policies

1. Edit the Restrict Run Command GPO to prevent access to the Run Menu.
2. Edit the Baseline Security GPO so that the name of the last logged on user is
not displayed.
3. Edit the Server Security GPO to exempt Administrators from User Account
Control prompts on computers running Windows Server 2008.
4. Edit the Admin Favorites GPO to include the URL for Microsoft tech support
http://support.microsoft.com in the Internet Favorites.
5. Edit the Restrict Control Panel GPO to prevent user access to Control Panel.
6. Edit the Restrict Desktop Display GPO to prevent access to the desktop
display settings.
7. Edit the Kiosk Computer Security GPO to use loopback processing, and to
hide and disable all items on the desktop for the logged on user.

Task 4: Link the GPOs

• Use the GPMC to perform the following:
• Link the Restrict Run Command GPO to the domain container.
• Link the Baseline Security GPO to the domain container.
• Link the Vista and XP Security GPO to the domain container.
• Link the Kiosk Computer Security GPO to the domain container.
• Link the Admin Favorites GPO to the Admin OU.
• Link the Restrict Control Panel GPO to the NYC, Miami and Toronto OUs.
• Link the Restrict Desktop Display GPO to the Executive OU.

Result: At the end of this exercise, you will have created and configured GPOs.


Exercise 2: Managing the Scope of GPO Application


In this exercise, you will configure the scope of GPO settings based on the
enterprise administrator’s design. Tasks include disabling portions of GPOs,
blocking and enforcing inheritance, applying filtering based on security groups
and WMI filters.
The main tasks are as follows:
1. Configure group policy management for the domain container.
2. Configure group policy management for the IT Admin OU.
3. Configure group policy management for the branch OUs.
4. Create and apply a WMI filter for the Server Security GPO.
5. Verify the successful installation of the domain controller.
6. Configure a password replication policy that enables credential caching for all
user accounts in Toronto.
7. Verify that the password replication policy has enabled credential caching.

Task 1: Configure group policy management for the domain container

1. Configure the Baseline Security link to be Enforced. Disable the User side of
the policy.
2. Configure the Vista and XP Security link to be Enforced.
3. Use security group membership filtering to configure the Kiosk Computer
Security GPO to apply only to the Kiosk Computers global group.


Task 2: Configure group policy management for the IT Admin OU

• Block inheritance at the IT Admin OU to exempt the executive users from the
Restrict Run Command GPO.

Task 3: Configure group policy management for the branch OUs

• Use security group membership filtering to configure the Restrict Control
Panel GPO to deny the Apply group policy permission to the following groups:
• Miami_BranchManagersGG
• NYC_BranchManagersGG
• Toronto_BranchManagersGG

Result: At the end of this exercise, you will have configured the scope of GPO
settings.


Exercise 3: Verifying GPO Application


In this exercise, you will test the application of GPOs to ensure that the GPOs are
being applied as specified in the design. Students will log in as specific users, and
also use Group Policy Modeling and RSOP to verify that GPOs are being applied
correctly.
The main tasks are as follows:
1. Start NYC-CL1.
2. Verify that a Miami branch user is receiving the correct policy.
3. Verify that a Miami Branch Manager is receiving the correct policy.
4. Verify that a user in the IT Admin OU is receiving the correct policy.
5. Verify that a user in the Executive OU is receiving the correct policy.
6. Verify that the username does not appear.
7. Use group policy modeling to test kiosk computer settings.

Task 1: Start NYC-CL1

Task 2: Verify that a Miami branch user is receiving the correct policy
1. Log on to NYC-CL1 as Anton with a password of Pa$$w0rd.
2. Ensure that there is no link to the Run menu in the Accessories folder on the
Start Menu.
3. Ensure that there is no link to Control Panel on the Start Menu.
4. Ensure that you can access the desktop display settings.
5. Log off.


Task 3: Verify that a Miami Branch Manager is receiving the correct policy
1. Log on to NYC-CL1 as Roya with a password of Pa$$w0rd.
2. Ensure that there is no link to the Run menu in the Accessories folder on the
Start Menu.
3. Ensure that a link to Control Panel appears on the Start Menu.
4. Log off.

Task 4: Verify that a user in the IT Admin OU is receiving the correct policy
1. Log on to NYC-CL1 as Betsy with a password of Pa$$w0rd.
2. Ensure that a link to the Run menu appears in the Accessories folder on the
Start Menu.
3. Ensure that a link to Control Panel appears on the Start Menu.
4. Launch Internet Explorer and open the Favorites. Ensure that the link to Tech
Support appears.
5. Log off.

Task 5: Verify that a user in the Executive OU is receiving the correct policy
1. Log on to NYC-CL1 as Chase with a password of Pa$$w0rd.
2. Ensure that there is no link to the Run menu in the Accessories folder on the
Start Menu.
3. Ensure that a link to Control Panel appears on the Start Menu.
4. Ensure that there is no access to the desktop display settings.

Hint: When you attempt to access display settings you will receive a message
informing you that this has been disabled.

5. Log off.


Task 6: Verify that the username does not appear

• Verify that the last logged on username does not appear.

Task 7: Use group policy modeling to test kiosk computer settings

1. Log on to NYC-DC1 as Administrator with a password of Pa$$w0rd.
2. Launch the GPMC and right click the Group Policy Modeling folder, click
Group Policy Modeling Wizard and then click Next twice.
3. On the User and Computer Selection screen, click Computer, enter NYC-CL1,
and then click Next three times.
4. In the Computer Security Groups screen click Add.
5. In the Select Groups dialog box, type Kiosk Computers and then click Next.
6. In the WMI Filters for Computers screen, click Next twice and then click
Finish and view the report.

Result: At the end of this exercise, you will have tested and verified GPO application.
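Logging on as each user and looking for menu entries is the visible side of this check. The same result can be verified from the registry values the Administrative Template and security settings actually write, which is what the user's shell reads. The script below is an added example, not part of course 6425A: run on the client in the session of the user being tested, it compares the registry values behind the lab's GPOs with what that user should receive and reports each mismatch. The registry locations are the ones Windows uses for these settings; which settings a particular user should or should not receive is an assumption taken from the lab's Group Policy Requirements, and the loopback value for the kiosk GPO accepts either Merge (1) or Replace (2) because the lab does not say which mode is used. It assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not part of course 6425A. Run on the client (NYC-CL1 in the
# lab) in the session of the user being checked. Requires PowerShell 3.0+.
# Each entry is the registry value a lab GPO writes and the value a user who
# receives every restriction should see.
$LabChecks = @(
    [pscustomobject]@{ Setting='Restrict Run Command';     Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoRun';                   Expected=1 }
    [pscustomobject]@{ Setting='Restrict Control Panel';   Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoControlPanel';          Expected=1 }
    [pscustomobject]@{ Setting='Restrict Desktop Display'; Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='NoDispCPL';               Expected=1 }
    [pscustomobject]@{ Setting='Baseline Security';        Path='HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DontDisplayLastUserName'; Expected=1 }
    # Loopback mode: 1 = Merge, 2 = Replace. The lab does not say which, so either passes.
    [pscustomobject]@{ Setting='Kiosk loopback';           Path='HKLM:\Software\Policies\Microsoft\Windows\System';                 Name='UserPolicyMode';          Expected=@(1, 2) }
)

function Test-PolicyRegistryState {
    param([Parameter(Mandatory)][object[]]$Checks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($c.Name) }
        }
        # Expected = $null means "this user must NOT receive the setting": the value must be absent.
        if ($null -eq $c.Expected) {
            $ok       = ($null -eq $actual)
            $expected = '<absent>'
        } else {
            $ok       = @($c.Expected) -contains $actual
            $expected = @($c.Expected) -join ' or '
        }
        $shown = if ($null -eq $actual) { '<absent>' } else { $actual }
        [pscustomobject]@{
            Setting   = $c.Setting
            Value     = "$($c.Path)\$($c.Name)"
            Expected  = $expected
            Actual    = $shown
            Compliant = $ok
        }
    }
}

# Derive the expectation set for a user who is exempt from some restrictions,
# e.g. a branch manager (Control Panel allowed) or an IT Admin OU user
# (inheritance blocked, so Run and Control Panel are both allowed).
function Get-ExemptChecks {
    param([Parameter(Mandatory)][object[]]$Checks, [string[]]$ExemptFrom)
    foreach ($c in $Checks) {
        $copy = $c.PSObject.Copy()
        if ($ExemptFrom -contains $c.Setting) { $copy.Expected = $null }
        $copy
    }
}

# Full restrictions: a Miami branch user such as Anton
Test-PolicyRegistryState -Checks $LabChecks | Format-Table -AutoSize

# Branch manager such as Roya: everything except Control Panel
$manager = Get-ExemptChecks -Checks $LabChecks -ExemptFrom 'Restrict Control Panel'
Test-PolicyRegistryState -Checks $manager | Format-Table -AutoSize

# IT Admin OU user such as Betsy: Run and Control Panel both available
$itAdmin = Get-ExemptChecks -Checks $LabChecks -ExemptFrom 'Restrict Run Command', 'Restrict Control Panel'
Test-PolicyRegistryState -Checks $itAdmin | Format-Table -AutoSize
```

A row that is expected `<absent>` but shows a value is the interesting one: either the exemption (deny on Apply group policy, or Block Inheritance) has not taken effect yet, or the user is not in the group the filter expects. `gpresult /r` in the same session lists which GPOs were applied and which were filtered out, which tells you which of the two it is.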


Exercise 4: Managing GPOs


In this exercise, you will use the GPMC to back up, restore, and import GPOs.
The main tasks are as follows:
1. Back up an individual policy.
2. Back up all GPOs.
3. Delete and restore an individual GPO.
4. Import a GPO.

Task 1: Back up an individual policy

1. In the GPMC, open the Group Policy Objects folder.
2. Right click the Restrict Control Panel policy and then click Backup.
3. Browse to D:\6425\GPOackup.
4. Click Backup and then click OK after the backup succeeds.

Task 2: Back up all GPOs

1. Right click the Group Policy Objects folder and then click Back Up All.
2. Ensure that D:\6425\GPOackup is the location. Confirm the deletion.

Task 3: Delete and restore an individual GPO

1. Right click the Admin Favorites policy and then click Delete. Click Yes and
then click OK when the deletion succeeds.
2. Right click the Group Policy Objects folder and then click Manage Backups.
3. Restore the Admin Favorites GPO.
4. Confirm that the Admin Favorites policy appears in the Group Policy Objects
folder.


Task 4: Import a GPO

1. Create a new GPO named Import in the Group Policy Objects folder.
2. Right click the Import GPO and then click Import Settings.
3. In the Import Settings Wizard, click Next.
4. On the Backup GPO screen, click Next.
5. Ensure the Backup folder location is D:\6425\GPOackup and then click
Next.
6. On the Source GPO screen click Restrict Control Panel and then click Next.
7. Finish the wizard.
8. Click OK when the import succeeds.
9. Click the Import GPO, click the Settings tab and then ensure that the Control
Panel setting is Enabled.

Result: At the end of this exercise, you will have backed up, restored, and imported
GPOs.
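The GPMC steps above back up, restore and import one GPO at a time through the wizard. The same operations can be scripted so that a full backup runs on a schedule and a changed or deleted GPO can be spotted and put back without first comparing settings by hand, which is the quickest fix for the "settings changed on the wrong GPO" situation raised earlier in this lesson. The script below is an added example and is not part of course 6425A. It assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT for Windows 7 and later) and Windows PowerShell 3.0 or later; `D:\6425\GPOackup` is the backup root used in the lab, and the function names and the `manifest.csv` file are this example's own.

```powershell
# Added example, not part of course 6425A. Requires the GroupPolicy module
# (Windows Server 2008 R2 / RSAT for Windows 7 and later) and PowerShell 3.0+.
# D:\6425\GPOackup is the lab's backup root; manifest.csv is this example's own.
Import-Module GroupPolicy

function Backup-AllGpoWithManifest {
    param([Parameter(Mandatory)][string]$Root)
    # One time-stamped folder per run, so an earlier backup is never overwritten
    $target = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    $manifest = foreach ($gpo in Get-GPO -All) {
        $backup = Backup-GPO -Guid $gpo.Id -Path $target -Comment 'Scripted full backup'
        # A readable settings report beside each backup, so a suspected change
        # can be diffed against what was backed up before anything is restored
        Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $target "$($backup.Id).html")
        [pscustomobject]@{
            DisplayName      = $gpo.DisplayName
            GpoId            = $gpo.Id
            BackupId         = $backup.Id
            ModificationTime = $gpo.ModificationTime
            ComputerVersion  = $gpo.Computer.DSVersion
            UserVersion      = $gpo.User.DSVersion
        }
    }
    $manifest | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
    $target
}

# Lists GPOs changed or deleted since the backup in $BackupFolder was taken.
# The version counters increase on every edit, so an unexpected edit shows up
# here without opening the GPO.
function Compare-GpoToManifest {
    param([Parameter(Mandatory)][string]$BackupFolder)
    $manifest = Import-Csv (Join-Path $BackupFolder 'manifest.csv')
    $live = @{}
    Get-GPO -All | ForEach-Object { $live[$_.Id.ToString()] = $_ }

    foreach ($entry in $manifest) {
        $current = $live[$entry.GpoId]
        if (-not $current) {
            $state = 'Deleted since backup'
        } elseif ($current.Computer.DSVersion -ne [int]$entry.ComputerVersion -or
                  $current.User.DSVersion -ne [int]$entry.UserVersion) {
            $state = 'Changed since backup'
        } else {
            $state = 'Unchanged'
        }
        [pscustomobject]@{ DisplayName = $entry.DisplayName; GpoId = $entry.GpoId; State = $state }
    }
}

# Restores one GPO (settings and its ACL) from the manifest. Links from sites,
# domains and OUs are not part of a GPO backup, so re-create them afterwards.
function Restore-GpoFromManifest {
    param([Parameter(Mandatory)][string]$BackupFolder,
          [Parameter(Mandatory)][string]$DisplayName)
    $entry = Import-Csv (Join-Path $BackupFolder 'manifest.csv') |
             Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $entry) { throw "No backup of '$DisplayName' in $BackupFolder" }
    Restore-GPO -BackupId $entry.BackupId -Path $BackupFolder
}

$folder = Backup-AllGpoWithManifest -Root 'D:\6425\GPOackup'
Compare-GpoToManifest -BackupFolder $folder | Format-Table -AutoSize
# Restore-GpoFromManifest -BackupFolder $folder -DisplayName 'Admin Favorites'
```

Keep the backup folder on a volume that the people being delegated GPO edit rights cannot write to; a backup that a delegated editor can alter or delete does not protect against that editor's mistakes.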


Exercise 5: Delegating Administrative Control of GPOs


In this exercise, you will delegate administrative control of GPOs based on the
enterprise administrator's design. Tasks include configuring permissions to create,
edit and link GPOs. You will then test the permissions configuration.
The main tasks are as follows:
1. Grant Betsy the right to create GPOs in the domain.
2. Delegate the right to edit the Import GPO to Betsy.
3. Delegate the right to link GPOs to the Executives OU to Betsy.
4. Enable Domain Users to log on to domain controllers.
5. Test the delegation.

Task 1: Grant Betsy the right to create GPOs in the domain

1. Select the Group Policy Objects folder and then click the Delegation tab and
then click Add.
2. In the Select Users dialog box type Betsy in the Object name field and then
click OK.

Task 2: Delegate the right to edit the Import GPO to Betsy

1. In the Group Policy Objects folder, select the Import GPO, click the
Delegation tab and then click Add.
2. In the Select Users dialog box, type Betsy in the Object name field and then
click OK.
3. In the Add Group or User dialog box, select Edit Settings from the drop-
down list and then click OK.

Task 3: Delegate the right to link GPOs to the Executives OU to Betsy

1. Select the Executives OU, click the Delegation tab and then click Add.
2. In the Select Users dialog box type Betsy in the Object name field and then
click OK.
3. In the Add Group or User dialog box select This container only and then
click OK.


Task 4: Enable Domain Users to log on to domain controllers

Note: This step is included in the lab to enable you to test the delegated
permissions. As a best practice, you should install the administration tools on a
Windows workstation rather than enable Domain Users to log on to domain
controllers.

1. On NYC-DC1, start Group Policy Management and edit the Default Domain
Controllers Policy.
2. In the Group Policy Management Editor window, access the User Rights
Assignment folder.
3. Double-click Allow log on locally. In the Allow log on locally Properties
dialog box, click Add User or Group.
4. Grant the Domain Users group the log on locally right.
5. Open a command prompt, and type GPUpdate /force and press ENTER.

Task 5: Test the delegation

1. Log on to NYC-CL1 as Betsy.
2. Create a Group Policy Management Console.
3. Right click the Group Policy Objects folder and then click New.
4. Create a new policy named Test. This operation will succeed.
5. Right click the Import GPO and then click Edit. This operation will succeed.
6. Right click the Executives OU and link the Test GPO to it. This operation will
succeed.
7. Close the GPMC.

Result: At the end of this exercise, you will have backed up, restored, and imported
GPOs.


Module Review and Takeaways

Considerations
Keep the following considerations in mind when creating and configuring Group
Policies:
• Multiple local group policies
• ADMX and ADML files replace ADM files
• Methods to control group policy, inheritance, filtering, enforcement
• Group policy tools and reporting


Review Questions
1. You want to force the application of certain group policy settings across a slow
link. What can you do?
2. You need to ensure that a domain level policy is enforced, but the Managers
global group needs to be exempt from the policy. How would you accomplish
this?
3. You want all GPOs that contain user settings to have certain administrative
templates enabled. You need to be able to send those policies to other
administrators in the enterprise. What is the best approach?
4. You want to control access to removable storage devices on all client
workstations through group policy. Can you use group policy to do this?

Configuring User Environments Using Group Policies 6-1

Module 6
Configuring User Environments Using Group
Policies
Contents:
Lesson 1: Configuring Group Policy Settings 6-3
Lesson 2: Configuring Scripts and Folder Redirection Using Group Policies 6-7
Lesson 3: Configuring Administrative Templates 6-15
Lesson 4: Deploying Software Using Group Policy 6-22
Lab: Configuring User Environments Using Group Policies 6-32


Module Overview

This module introduces the job function of configuring the user environment
using Group Policy. Specifically, this module provides the skills and knowledge
that you need to use Group Policy to configure Folder Redirection, as well as how
to use scripts. You also will learn how Administrative Templates affect Windows
Vista® and Windows Server® 2008, and how to deploy software using Group
Policy.


Lesson 1:
Configuring Group Policy Settings

Group Policy can deliver many different types of settings. Some settings are simply a
matter of "turning them on" while others are more complex to configure. This
lesson will describe how to configure the various Group Policy settings.


Options for Configuring Group Policy Settings

Key Points
For a Group Policy setting to have an effect, you must configure it. Most Group
Policy settings have three states. They are:
• Enabled
• Disabled
• Not Configured

You also must configure values for some Group Policy settings. For example, the
Restricted Groups setting needs values for the groups and users it controls.


Question: A domain level policy restricts access to the Control Panel. You want the
users in the Admin organizational unit (OU) to have access to the Control Panel,
but you do not want to block inheritance. How could you accomplish this?

Additional Reading
• Microsoft Technet article: How Core Group Policy Works


Demonstration: Configuring Group Policy Settings Using the Group Policy Editor

Question: How could you prevent a lower-level policy from reversing the setting of
a higher-level policy?


Lesson 2:
Configuring Scripts and Folder Redirection
Using Group Policies

Windows Server 2008 enables you to use Group Policy to deploy scripts to users
and computers. You also can redirect folders that the user’s profile includes from
the user’s local hard disks to a central server.


What Are Group Policy Scripts?

Key Points
You can use scripts to perform any number of tasks. There may be actions that you
need performed every time a computer starts or shuts down, or when users log off
or on. For example, you can use scripts to clean up desktops when users log off
and shut down computers, or delete the contents of temporary directories or clear
the pagefile to make the environment more secure.

Question: You keep logon scripts in a shared folder on the network. How could
you ensure that the scripts will always be available to users from all locations?


Additional Reading
• Microsoft Technet article: The Two Sides of Group Policy Script Extension
Processing
• Microsoft Technet article: The Two Sides of Group Policy Script Extension
Processing (Part 2)
• Microsoft Support: Overview of Logon, Logoff, Startup, and Shutdown Scripts
in Windows 2000


Demonstration: Configuring Scripts with Group Policies

Question: What other method could you use to assign logon scripts to users?


What Is Folder Redirection?

Key Points
When you redirect folders, you change the folder’s storage location from the local
hard disk on the user’s computer to a shared folder on a network file server. After
you redirect a folder to a file server, it still appears to the user as if it is stored on
the local hard disk. Folder Redirection makes it easier for you to manage and back
up data. By redirecting folders, you can ensure user access to data regardless of the
computers to which they log on.

Question: List some disadvantages of folder redirection.

Additional Reading
• Microsoft Technet article: What Is Folder Redirection Extension?
• MSDN: IE7 in Vista: Folder Redirection for Favorites on the Same Machine
• Microsoft Download: Managing Roaming User Data Deployment Guide


Folder Redirection Configuration Options

Key Points
There are three available settings for Folder Redirection: none, basic, and
advanced. Basic folder redirection is for users who must redirect their folders to a
common area or users who need their data to be private. Advanced redirection
allows you to specify different network locations for different Active Directory
security groups.

Question: Users in the same department often log on to different computers. They
need access to their My Documents folder. They also need the data to be private.
What folder redirection setting would you choose?

Additional Reading
• Microsoft Technet article: Recommendations for Folder Redirection


Options for Securing Redirected Folders

Key Points
You must create a shared network folder manually to store the redirected folders.
Folder Redirection can create the user’s redirected folders for you. When you use
this option, the correct permissions are set automatically. If you manually create
folders, you must know the correct permissions.
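The root folder that holds the redirected folders is the part you create by hand, and its permissions decide whether users can browse each other's redirected data. The script below is an added example and is not part of course 6425A. It creates and shares that root with the NTFS and share permissions that Microsoft's folder redirection security guidance recommends for the root, as this example reads it: SYSTEM gets full control, CREATOR OWNER gets full control on subfolders and files only (so each user owns exactly what Folder Redirection creates for them), the redirected users' group can only list the root and create a folder in it, and nothing else is granted; Folder Redirection then creates and secures each user's own folder. The path, share name and group name are example values, `net share /GRANT` is assumed to be available (Windows Vista / Windows Server 2008 and later), and the script has to run as a local administrator on the file server.

```powershell
# Added example, not part of course 6425A. Creates the root folder for
# redirected folders with the root permissions Microsoft's folder redirection
# security guidance recommends, then shares it. Path, share and group names are
# example values; run elevated on the file server. Requires PowerShell 3.0+.
function New-RedirectionRoot {
    param(
        [Parameter(Mandatory)][string]$Path,        # e.g. D:\Redirected
        [Parameter(Mandatory)][string]$ShareName,   # e.g. Redirected$ (hidden share)
        [Parameter(Mandatory)][string]$UsersGroup   # e.g. WOODGROVE\Executives
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    $acl = Get-Acl -Path $Path
    # Cut inheritance from the volume so BUILTIN\Users or Everyone entries from
    # the parent do not reach the redirection root, and drop any explicit ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($existing) | Out-Null
    }

    $rules = @(
        # SYSTEM: Full control on this folder, subfolders and files
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        # CREATOR OWNER: Full control on subfolders and files only, so each user
        # has full rights over the folder Folder Redirection creates for them
        New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER', 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')
        # Redirected users: List Folder + Create Folders on this folder only; they
        # can create their own subfolder but cannot read anyone else's
        New-Object System.Security.AccessControl.FileSystemAccessRule($UsersGroup, 'ListDirectory, CreateDirectories', 'None', 'None', 'Allow')
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl

    # Share-level permission limited to the same group; NTFS does the fine-grained work.
    & net share "$ShareName=$Path" "/GRANT:$UsersGroup,FULL" | Out-Null
}

# Reports every ACE on the root and flags the broad groups that would let users
# browse each other's redirected data if they appeared there.
function Test-RedirectionRootAcl {
    param([Parameter(Mandatory)][string]$Path)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            Inherited = $ace.IsInherited
            TooBroad  = $broad -contains $ace.IdentityReference.Value
        }
    }
}

New-RedirectionRoot -Path 'D:\Redirected' -ShareName 'Redirected$' -UsersGroup 'WOODGROVE\Executives'
Test-RedirectionRootAcl -Path 'D:\Redirected' | Format-Table -AutoSize
```

Point the Folder Redirection policy at `\\<server>\Redirected$\%USERNAME%\Documents` (a placeholder path) and leave "Grant the user exclusive rights" selected so that the per-user folders keep the tight permissions the lesson describes. Administrators are deliberately not granted access on the root; they can take ownership when a support case requires it, which leaves an audit trail instead of standing read access to everyone's documents.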

Question: What steps could you take to protect the data while it is in transit
between the client and the server?

Additional Reading
• Microsoft Support: Folder Redirection feature in Windows
• Windows Server Library: Security Considerations when Configuring Folder
Redirection


Demonstration: Configuring Folder Redirection

Question: Users in the same department want to have each other's Internet
favorites available to everyone in the department. What folder redirection options
would you choose?


Lesson 3:
Configuring Administrative Templates

The Administrative Template files provide the majority of available policy settings,
which are designed to modify specific registry keys. This is known as registry-based
policy. For many applications, the use of registry-based policy that the
Administrative Template files deliver is the simplest and best way to support
centralized management of policy settings. In this lesson, you will learn how to
configure Administrative Templates.


What Are Administrative Templates?

Key Points
Administrative Templates allow you to control the environment of the operating
system and user experience. There are two sets of Administrative Templates: one
for users and one for computers. Administrative Templates are the primary means
of configuring the client computer’s registry settings through Group Policy.
Administrative Templates are a repository of registry-based changes. By using the
Administrative Template sections of the GPO, you can deploy hundreds of
modifications to the computer (the HKEY_LOCAL_MACHINE hive in the registry)
and user (the HKEY_CURRENT_USER hive in the registry) portions of the
Registry.


Question: What sections of the Administrative Templates will you find most useful
in your environment?

Additional Reading
• Microsoft Technet article: Using Administrative Template Files with Registry-Based Group Policy
• Microsoft Technet article: Administrative Templates Extension Technical
Reference


Demonstration: Configuring Administrative Templates

Question: You need to ensure that Windows Messenger is never allowed to run on
a particular computer. How could you use Administrative Templates to implement
this?


Modifying Administrative Templates

Key Points
Because ADMX files are XML based, you can use any text editor to edit or create
new ADMX files, but there also are programs that are XML-aware, like Microsoft
Visual Studio, that administrators or developers can use to create or modify ADMX
files.
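Because an ADMX file is XML, the mapping from each setting to the registry key and value it controls can be read straight out of the file, and so can what Enabled and Disabled write (the `enabledValue` and `disabledValue` elements, while Not Configured from Lesson 1 leaves the key untouched). That makes a custom ADMX dropped into the Central Store reviewable before anyone sets a policy from it. The script below is an added example and is not part of course 6425A: it walks the `policy` elements of an ADMX file and reports the hive, key, value name and on/off values for each. The inline template is a constructed, minimal ADMX written for this example; its three settings reuse the real registry values behind "Remove Run menu from Start Menu", "Prohibit access to Control Panel" and "Always wait for the network at computer startup and logon", but the file itself, its namespace name and its string ids are made up. It assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not part of course 6425A. Requires PowerShell 3.0+.
# The ADMX below is a constructed minimal template written for this example.
$SampleAdmx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="sample" namespace="Example.Policies.Sample" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="SampleCategory" displayName="$(string.SampleCategory)" />
  </categories>
  <policies>
    <policy name="NoRun" class="User" displayName="$(string.NoRun)" explainText="$(string.NoRun_Help)"
            key="Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" valueName="NoRun">
      <parentCategory ref="SampleCategory" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="NoControlPanel" class="User" displayName="$(string.NoControlPanel)" explainText="$(string.NoControlPanel_Help)"
            key="Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" valueName="NoControlPanel">
      <parentCategory ref="SampleCategory" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="SyncForegroundPolicy" class="Machine" displayName="$(string.SyncForegroundPolicy)" explainText="$(string.SyncForegroundPolicy_Help)"
            key="Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" valueName="SyncForegroundPolicy">
      <parentCategory ref="SampleCategory" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

# ADMX content lives in a default namespace; matching on local-name() avoids
# having to set up an XmlNamespaceManager for every lookup.
function Get-AdmxChild([System.Xml.XmlNode]$Node, [string]$Name) {
    $Node.SelectSingleNode("*[local-name()='$Name']")
}

# enabledValue / disabledValue carry either <decimal value="..."/> or <string>...</string>
function Get-AdmxStateValue([System.Xml.XmlNode]$Policy, [string]$State) {
    $node = Get-AdmxChild $Policy $State
    if (-not $node) { return '<none>' }
    $dec = Get-AdmxChild $node 'decimal'
    if ($dec) { return [int]$dec.GetAttribute('value') }
    $str = Get-AdmxChild $node 'string'
    if ($str) { return $str.InnerText }
    return '<other>'
}

function Get-AdmxRegistryMap {
    param([Parameter(Mandatory)][xml]$Admx, [string]$Source = '<inline>')
    foreach ($p in $Admx.SelectNodes("//*[local-name()='policy']")) {
        $hive = switch ($p.GetAttribute('class')) {
            'User'    { 'HKCU' }
            'Machine' { 'HKLM' }
            'Both'    { 'HKCU and HKLM' }
            default   { '?' }
        }
        # <elements> lists the additional values a setting writes when it takes input
        $extra = @($p.SelectNodes("*[local-name()='elements']/*") | ForEach-Object { $_.GetAttribute('valueName') }) -join ', '
        [pscustomobject]@{
            Source    = $Source
            Policy    = $p.GetAttribute('name')
            Class     = $p.GetAttribute('class')
            Key       = "$hive\$($p.GetAttribute('key'))"
            ValueName = $p.GetAttribute('valueName')
            Enabled   = Get-AdmxStateValue $p 'enabledValue'
            Disabled  = Get-AdmxStateValue $p 'disabledValue'
            Elements  = $extra
        }
    }
}

Get-AdmxRegistryMap -Admx $SampleAdmx | Format-Table -AutoSize

# The same function over a real template store, local or the Central Store
# (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions, placeholder path):
# Get-ChildItem "$env:SystemRoot\PolicyDefinitions" -Filter *.admx |
#     ForEach-Object { Get-AdmxRegistryMap -Admx ([xml](Get-Content $_.FullName)) -Source $_.Name }
```

Run over the Central Store, the output is a list of every registry location Group Policy can write from the templates you have published. Keys outside `Software\Policies` and `Software\Microsoft\Windows\CurrentVersion\Policies` deserve a second look, because values written there are not removed when the policy is set back to Not Configured.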

Additional Reading
• Microsoft Technet article: Creating a Custom Base ADMX File
• Microsoft Downloads: Group Policy Sample ADMX Files


Demonstration: Adding Administrative Templates for Office Applications

Question: Can you still use custom ADM files to deliver Group Policy settings in
Windows Server 2008?


Discussion: Options for Using Administrative Templates


Lesson 4:
Deploying Software Using Group Policy

Windows Server 2008 includes a feature called Software Installation and
Maintenance that uses Active Directory® Domain Services (AD DS) and Group
Policy and the Microsoft® Windows® Installer service to install, maintain, and
remove software on your organization's computers.


Options for Deploying and Managing Software by Using Group Policies

Key Points
The software life cycle consists of four phases: preparation, deployment,
maintenance, and removal. You can apply Group Policy settings to users or
computers in a site, domain, or an organizational unit to install, upgrade, or
remove software automatically. By applying Group Policy settings to software, you
can manage the various phases of software deployment without deploying software
on each computer individually.

Question: What types of applications would you deploy via Group Policy in your
environment?


Additional Reading
• Microsoft Support: How to use Group Policy to install software remotely in
Windows 2000
• Microsoft Technet article: Use Group Policy Software Installation to deploy the
2007 Office system


How Software Distribution Works

Key Points
To enable Group Policy to deploy and manage software, Windows Server 2008
uses the Windows Installer service. This component automates the installation and
removal of applications by applying a set of centrally defined setup rules during
the installation process.

Question: What are some disadvantages of deploying software through Group
Policy?

Additional Reading
• Microsoft Support: How to use Group Policy to install software remotely in
Windows 2000


Options for Installing Software

Key Points
There are two deployment types available for delivering software to clients.
Administrators can either install software for users or computers in advance or give
users the option to install the software when they require it. Users do not share
deployed applications, meaning an application you install for one user through
Group Policy will not be available to that computer’s other users. Each user needs
his or her own instance of the application.

Question: What is an advantage of publishing an application over assigning it?

Additional Reading
• Microsoft Technet article: Group Policy Software Installation overview


Demonstration: Configuring Software Distribution

Question: What types of applications would be useful to assign to the computer
rather than the user?


Options for Modifying the Software Distribution

Key Points
Software Installation in Group Policy includes options for configuring deployed
software. You can categorize programs that are published in Control Panel and
associate file name extensions with applications. You also can add modifications to
deployed software.

Additional Reading
• Microsoft Technet article: Specify categories for applications to be managed
• Microsoft Technet article: Best practices for Group Policy Software Installation,
Specify automatic installation options based on file name extension section
• Microsoft Technet article: Add or remove modifications for an application
package


Demonstration: Modifying Software Distribution

Question: You want to deploy an administrative utility to members of the Domain
Admins security group. These utilities should be available from any computer that
an administrator logs onto, but only installed when necessary. What is the best
approach to accomplish this?

Additional Reading
• Microsoft Technet article: Upgrade or remove an application
• Microsoft Technet article: Set Group Policy Software Installation defaults


Maintaining Software Using Group Policies

Key Points
Occasionally a software package will need to be upgraded to a newer version. The
Upgrades tab allows you to upgrade a package using the GPO. You also may
redeploy a package if the original Microsoft® Windows® Installer file has been
modified. You can remove software packages if they were delivered originally using
Group Policy. Removal also can be mandatory or optional.

Question: Your organization is upgrading to a newer version of a software
package. Some users in the organization require the old version. How would you
deploy the upgrade?

Additional Reading
• Microsoft Technet article: Upgrade or remove an application
• Microsoft Technet article: Set Group Policy Software Installation defaults


Discussion: Evaluating the Use of Group Policies to Deploy Software



Lab: Configuring User Environments Using Group Policies

Scenario
Woodgrove Bank has decided to implement group policies to manage user
desktops. The organization already has implemented an organizational unit (OU)
configuration that includes top-level OUs grouped by location, with additional
OUs within each location for different departments. User accounts are located in
the same container as their workstation computer accounts. Server computer
accounts are spread throughout various OUs. The enterprise administrator has
created a GPO design that will be used to manage the user desktop environment.
You have been asked to configure Group Policy objects so that specific settings are
applied to user desktops and computers.

Some of the tasks in this lab are designed to illustrate GPO management techniques
and settings, but may not always follow best practices.


Exercise 1: Configuring Scripts and Folder Redirection
Scenario
You have been tasked to create a script that will map a network drive to the shared
folder named Data on NYC-DC1. Then you will use Group Policy to assign the
script to all users in Toronto, Miami, and NYC OUs. The script needs to be stored
in a highly available location. You also will set permissions to share and secure a
folder on NYC-DC1. The Documents folder for all members of the Executive OU
will be redirected there.
The main tasks for this exercise are:
1. Start the 6425A-NYC-DC1 virtual machine and log on as Administrator.
2. Create a logon script to map to the Data shared folder.
3. Use Group Policy to copy the script to the NetLogon share and assign the
script to the appropriate OUs.
4. Share and secure a folder for the Executives group.
5. Redirect the Documents folder for the Executives group.

Task 1: Start 6425A-NYC-DC1 and log on as Administrator
1. Open the Virtual Server Remote Control Client and double-click 6425A-
NYC-DC1.
2. Log on to NYC-DC1 as Administrator using the password Pa$$w0rd.

Task 2: Create a logon script to map to the Data shared folder
1. Launch Notepad.exe.
2. In Notepad, type Net Use J: \\NYC-DC1\Data.
3. Close and save the file as C:\Map.bat. Ensure the Save as type field is All
Files.


Task 3: Use Group Policy to copy the script to the NetLogon share and assign the
script to the appropriate OUs
1. Open Windows Explorer, copy C:\map.bat to the clipboard and then close
Windows Explorer.
2. Launch the GPMC and then create a new Group Policy named Logon Script.
3. Edit the policy by expanding User Configuration, expanding Windows
Settings and then clicking Scripts (Logon/Logoff).
4. Open the Properties of the Logon Script GPO, click Show Files, right-click,
click Paste to copy the script from the clipboard to the scripts folder, and then
close Explorer.
5. In the Logon Properties, click Add.
6. In the Add a Script dialog box, click Browse.
7. In the Browse dialog box, select the Map.bat file.
8. Close the Group Policy Management editor.
9. Link the Logon Script policy to the Miami, NYC, and Toronto OUs.

Task 4: Share and secure a folder for the Executives group
1. In Windows Explorer, open the Properties of the Execs folder.
2. Click the Sharing tab and then click Advanced Sharing.
3. Check the Share this folder checkbox and then click Permissions.
4. Remove the Everyone group.
5. Add the Executives_WoodgroveGG group and then grant it Full Control.
6. Click the Security tab and then click Advanced.
7. On the Permissions tab, click Edit, clear the checkbox beside Include
inheritable permissions from this object’s parent, and then copy the
permissions.
8. Remove all users and groups except Creator Owner and System.
9. Add the Executives_WoodgroveGG group and then assign List folder/Read data
and Create Folders/Append data permissions to This folder only.
10. Close the Properties dialog box and then close Windows Explorer.


Task 5: Redirect the Documents folder for the Executives group
1. Create a new GPO named Executive Redirection.
2. Edit the policy: expand User Configuration, expand Windows Settings,
expand Folder Redirection, right-click Documents and then click Properties.
3. On the Target tab, configure the Setting to be Basic-Redirect everyone’s
folder to the same location.
4. Leave the target folder location at the default settings and then type \\NYC-
DC1\Execs in the Root Path field.
5. Link the policy to the Executives OU.
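The share and NTFS permissions in Task 4 are the part of this exercise that decides who can read other people's redirected documents, so it is worth seeing them expressed as exact access-control entries rather than as dialog-box clicks. The following Windows PowerShell script is an added example, not part of the course or its lab files: it writes the Task 2 logon script and then reproduces the Task 4 share and NTFS configuration with the built-in net share and icacls commands. It assumes the folder C:\Execs already exists on NYC-DC1, that the domain's NetBIOS name is WOODGROVEBANK, that the group is named Executives_WoodgroveGG as in the lab steps, and that Windows PowerShell and the Windows Server 2008 version of icacls (which has the /inheritance switch) are present.

```powershell
# Added example (not part of course 6425A): script the Task 2 logon script and
# the Task 4 share/NTFS permissions with built-in command-line tools.
# Assumed values: domain NetBIOS name, group name and folder path.
$Domain     = 'WOODGROVEBANK'
$Group      = "$Domain\Executives_WoodgroveGG"
$FolderPath = 'C:\Execs'
$ShareName  = 'Execs'

# Task 2: the logon script. ASCII output keeps cmd.exe from tripping over a BOM.
Set-Content -Path 'C:\Map.bat' -Value 'Net Use J: \\NYC-DC1\Data' -Encoding Ascii

# Task 4, share level: grant only the Executives group. When /GRANT is given,
# net share does not add the default Everyone/Read entry, which is what the lab
# removes by hand in the Permissions dialog.
& net share "$ShareName=$FolderPath" "/GRANT:$Group,FULL"

# Task 4, NTFS level: remove the inherited ACEs, then grant the minimal ACL a
# folder-redirection root needs:
#   SYSTEM           full control, this folder, subfolders and files
#   CREATOR OWNER    full control on subfolders and files only, so each user
#                    owns the folder the client creates and nobody else can
#                    read it
#   Executives group List folder/Read data (RD) and Create folders/Append data
#                    (AD) on this folder only: enough to create their own
#                    subfolder, not enough to browse into anyone else's
& icacls $FolderPath /inheritance:r
& icacls $FolderPath /grant 'SYSTEM:(OI)(CI)F'
& icacls $FolderPath /grant 'CREATOR OWNER:(OI)(CI)(IO)F'
& icacls $FolderPath /grant "${Group}:(RD,AD)"

# Print the resulting ACL so it can be compared with the lab's Security tab.
& icacls $FolderPath
```

The point to check afterwards is that the group has no entry that inherits to subfolders: if it did, every executive could read every other executive's redirected Documents folder, and the Creator Owner entry would no longer be what protects them.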

Result: At the end of this exercise, you will have configured scripts and folders
redirection.


Exercise 2: Configuring Administrative Templates
You have been asked to create and assign Group Policy Administrative Templates
to control the computer and user environment. All computers will have the
following settings applied:
• Allow remote inbound administration
• Slow link detection set to 800 Kbps

Computers in the Miami, Toronto, and NYC OUs will prevent the installation of
removable devices.
Computers in the Executive OU will have offline files encrypted.
All domain users will have the following settings applied:
• The registry editing tools will be prohibited
• The clock will be removed from the taskbar

Additionally, users in the Miami, Toronto, and NYC OUs will have the following
settings applied:
• Profiles will be limited to 1GB
• Windows Sidebar will be turned off

The main tasks in this exercise are:


1. Modify the Default Domain Policy to contain the settings for all computers.
2. Create and assign a policy to prevent the installation of removable devices for
branch computers.
3. Create and assign a policy to encrypt offline files for executive computers
4. Create and assign a domain-level policy for all domain users.
5. Create and assign a policy to limit profile size and turn off Windows Sidebar
for branch users.


Task 1: Modify the Default Domain Policy to contain the settings for all
computers
1. In the GPMC, edit the Default Domain Policy.
2. Expand Computer Configuration, expand Administrative Templates,
expand Network, expand Network Connections, expand Windows Firewall,
and then expand Domain Profile. In the details pane, double-click Windows
Firewall: Allow inbound remote administration exception.
3. Enable the policy and type localsubnet in the Allow unsolicited incoming
messages from these IP addresses box.
4. Expand Computer Configuration, expand Administrative Templates,
expand System, and then expand Group Policy.
5. Enable Group Policy slow link detection and set the connection speed to 800 Kbps.

Task 2: Create and assign a policy to prevent the installation of removable
devices for branch computers
1. Create a new Group Policy named Prevent Removable Devices.
2. Edit the policy by expanding Computer Configuration, expanding
Administrative Templates, expanding System, expanding Device Installation,
and then expanding Device Installation Restrictions.
3. Enable the Prevent installation of removable devices setting.
4. Link the Prevent Removable Devices policy to the Miami, NYC, and Toronto
OUs.

Task 3: Create and assign a policy to encrypt offline files for executive
computers
1. Create a new Group Policy named Encrypt Offline Files.
2. Edit the policy by expanding Computer Configuration, expanding
Administrative Templates, expanding Network, and expanding Offline Files.
3. Enable the Encrypt the Offline Files cache.
4. Link the policy to the Executives OU.


Task 4: Create and assign a domain-level policy for all domain users
1. Create a new Group Policy named All Users Policy.
2. Expand User Configuration, expand Administrative Templates, and then
expand System.
3. Enable the Prevent access to registry editing tools setting.
4. Expand User Configuration, expand Administrative Templates, and then
expand Start Menu and Taskbar.
5. Enable the Remove Clock from the system notification area.
6. Link the policy to the Woodgrovebank.com domain.

Task 5: Create and assign a policy to limit profile size and turn off
Windows Sidebar for branch users
1. Create a new Group Policy named Branch Users Policy.
2. Edit the policy by expanding User Configuration, expanding Administrative
Templates, expanding System and then expanding User Profiles.
3. Enable the Limit profile size setting with a maximum profile size of 1000000 (KB).
4. Expand User Configuration, expand Administrative Templates, expand
Windows Components, and then expand Windows Sidebar.
5. Enable the Turn off Windows Sidebar setting.
6. Link the Branch Users Policy policy to the Miami, NYC, and Toronto OUs.

Result: At the end of this exercise, you will have configured Administrative
Templates.


Exercise 3: Verifying GPO Application
Scenario:
You will log on as various domain users to test the application of Group Policy.
You will also use Group Policy Resultant Set of Policy (RSoP) to verify that GPOs
are being applied correctly.
The main tasks in this exercise are:
1. Start the 6425A-SEA-CL1 virtual machine, log on as
Woodgrovebank\Administrator, and then observe the applied settings.
2. Log on as a user in the Executives OU and observe the applied settings.
3. Log on as a user in a Branch Office and observe the applied settings.
4. Use the GPMC on NYC-DC1 to use Group Policy results to observe the
applied settings.

Task 1: Start the 6425A-SEA-CL1 virtual machine, log on as
Woodgrovebank\Administrator and observe the applied settings
1. Open the Virtual Server Remote Control Client and then double-click
6425A-SEA-CL1.
2. Log on to SEA-CL1 as Administrator using the password Pa$$w0rd.
3. Ensure that the Clock is not displayed in the Notification area.
4. Log off SEA-CL1.

Task 2: Log on as a user in the Executives OU and observe the applied
settings
1. Log on to SEA-CL1 as Tony using the password Pa$$w0rd. Ensure that the
Clock is not displayed in the Notification area.
2. Click Start, right-click the Documents folder and then click Properties.
Ensure the location is \\nyc-dc1\execs.
3. Click Start, type Regedt32 in the search box and then press ENTER. Ensure
that Registry editing has been disabled.
4. Ensure that the Windows Sidebar is displayed.
5. Log off SEA-CL1.


Task 3: Log on as a user in a Branch Office and observe the applied
settings
1. Log on to SEA-CL1 as Roya using the password Pa$$w0rd. Ensure that the
Clock is not displayed in the Notification area.
2. Click Start, right-click the Documents folder and then click Properties.
Ensure the location is C:\Users\Roya.
3. Click Start, type Regedt32 in the search box and then press Enter. Ensure that
Registry editing has been disabled.
4. Ensure that the Windows Sidebar is not displayed.
5. Click Start, and then open Computer. Ensure that the Data share is mapped
to the J: drive letter.
6. Log off SEA-CL1.

Task 4: Use the GPMC on NYC-DC1 to use Group Policy results to
observe the applied settings
1. On NYC-DC1, restore the GPMC.
2. Right-click Group Policy Results and then click Group Policy Results
Wizard.
3. Select the SEA-CL1 computer.
4. Select Woodgrovebank\Tony as the user.
5. On the Summary screen, click Next and then click Finish.
6. In the Group Policy Results report summary, expand the Group Policy
Objects section.
7. Click the Settings tab. Expand Administrative Templates.
8. Close the GPMC.
9. Delete the changes on all virtual machines and then shut them down.

Result: At the end of this exercise, you will have verified GPO application.
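Exercise 3 verifies the Exercise 2 settings by looking for their visible effects (no clock, no Sidebar, Regedt32 refusing to start). Administrative Template settings are ultimately registry values written under the Policies keys, so the same verification can be done directly and repeatably. The following Windows PowerShell script is an added example, not part of the course: run on SEA-CL1 as each of the three lab users, it reports which of the Exercise 2 settings are present for that user and computer, prints the effective Documents location and whether the J: drive is mapped, and finishes with gpresult /r, the authoritative list of which GPOs applied and which were filtered. It assumes Windows PowerShell is installed on the client and that the registry locations listed are the ones the corresponding Administrative Template settings write to (the course does not list them, so treat them as assumptions to be confirmed against the ADMX files).

```powershell
# Added example (not part of course 6425A): report, on SEA-CL1, which of the
# Exercise 2 settings reached the logged-on user and the computer.
# Assumption: the registry paths below are the ones the named Administrative
# Template settings write to.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Policies keys do not exist until a GPO creates them, so a missing key or
    # value means "not configured", not an error.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-LabPolicies {
    # Setting, the scope the lab links it to, and where it lands in the registry.
    $checks = @(
        @{ Setting='Prevent access to registry editing tools'; Scope='All users';
           Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableRegistryTools' },
        @{ Setting='Remove Clock from the system notification area'; Scope='All users';
           Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='HideClock' },
        @{ Setting='Turn off Windows Sidebar'; Scope='Branch users only';
           Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'; Name='TurnOffSidebar' },
        @{ Setting='Prevent installation of removable devices'; Scope='Branch computers only';
           Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'; Name='DenyRemovableDevices' },
        @{ Setting='Encrypt the Offline Files cache'; Scope='Executive computers only';
           Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'; Name='EncryptCache' }
    )
    foreach ($c in $checks) {
        $value = Get-PolicyValue -Path $c.Path -Name $c.Name
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Setting  $c.Setting
        $row | Add-Member NoteProperty Scope    $c.Scope
        $row | Add-Member NoteProperty Applied  ($value -ne $null -and [int]$value -ne 0)
        $row | Add-Member NoteProperty RawValue $value
        $row
    }
}

# Per-user checks from Exercise 3 that are not registry-backed.
$documents = [Environment]::GetFolderPath('MyDocuments')   # \\NYC-DC1\Execs for Executives, C:\Users\<name> otherwise
$jMapped   = Test-Path 'J:\'                               # mapped by Map.bat for branch users only

Test-LabPolicies | Format-Table -AutoSize
"Documents folder : $documents"
"J: drive mapped  : $jMapped"

# Which GPOs applied, and why the others did not (security filtering, link
# scope, slow link): this is the same data the GPMC's Group Policy Results shows.
& gpresult /r
```

Because the SEA-CL1 computer account is in one OU while Tony and Roya are in different OUs, the Scope column is what makes the report readable: Sidebar off and the J: mapping should be Applied only for Roya, the registry and clock settings for everyone, and the two HKLM settings depend solely on which OU holds the computer account.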


Module Review and Takeaways

Considerations
When configuring user environments using Group Policies, keep the following in
mind:
• Policy settings that are Enabled enforce a setting.
• Policy settings that are Disabled reverse a setting.
• Policy settings that are Not Configured are not affected by Group Policy.
• Scripts can be applied to the user or computer via Group Policy.
• Scripts can be written in multiple languages.
• Storing scripts in the NetLogon share makes them highly available.
• Certain folders can be redirected from the users profile to a shared folder on
the network.


• Different security groups can be redirected to different network locations.
• Administrative Templates apply settings by modifying the registry for the user
and computer.
• ADMX files can be customized.
• Software can be distributed via Group Policy through .MSI files.
• Software can be published to users or assigned to users or computers.
• Software assigned to users is specific to that user.
• Software assigned to computers is available to all users on that computer.
• Software can be modified and maintained through Group Policy.
• Software can be removed through Group Policy.

Review Questions
1. You have assigned a logon script to an OU via Group Policy. The script is
located in a shared network folder named Scripts. Some OU users receive the
script while others do not. What might be causing this?
2. What steps could you take to prevent these types of problems from
reoccurring?
3. You have two logon scripts assigned to users -- script1 and script2. Script2
depends on script1 completing successfully. Your users report that script2
never runs. What is the problem and how would you correct it?


Module 7
Implementing Security Using Group Policies
Contents:
Lesson 1: Configuring Security Policies 7-3
Lesson 2: Implementing Fine-Grained Password Policies 7-13
Lesson 3: Restricting Group Membership and Access to Software 7-19
Lesson 4: Managing Security by Using Security Templates 7-26
Lab: Implementing Security Using Group Policies 7-33


Module Overview

Failure to have adequate security policies can lead to many risks for an
organization. A well designed security policy helps to protect an organization’s
investment in business information and internal resources, like hardware and
software. Having a security policy in itself is not enough, however. You must
implement the policy for it to be effective. You can leverage Group Policy to
standardize security to control the environment.


Lesson 1:
Configuring Security Policies

Group Policy provides settings you can use to implement security in your
organization. For example, you can use these settings to secure passwords, startup,
and permissions for system services. In this lesson, you will learn the knowledge
and skills you need to configure security policies.


What Are Security Policies?

Key Points
Security policies are rules that protect resources on computers and networks.
Group Policy allows you to configure many of these rules as Group Policy settings.
For example, you can configure password policies as part of Group Policy. Group
Policy has a large security section to configure security for both users and
computers. This way, you can apply security consistently across organizational
units (OUs) in Active Directory® by defining security settings in a Group Policy
object that is associated with a site, domain, or OU.

Additional Reading
• Microsoft Technet article: Security Settings
• Microsoft Technet article: Group Policy Security Settings


What Is the Default Domain Security Policy?

Key Points
The default domain policy is linked to the domain and therefore affects all objects
in the domain unless a Group Policy object (GPO) that you applied at a lower level
blocks or overrides these settings. This policy has very few settings configured by
default.
Although the Default Domain Policy has all the settings and capabilities of any
GPO, it is recommended that you use this policy only to deliver Account Policies.
You should create other GPOs to deliver other settings.

Additional Reading
• Microsoft Technet article: Windows Server 2003 Security Guide Chapter 3:
The Domain Policy


What Are the Account Policies?

Key Points
Account policies protect your organization’s accounts and data by mitigating the
threat of brute force guessing of account passwords. In Windows operating
systems, and many other operating systems, the most common method for
authenticating a user’s identity is to use a secret password. Securing your network
environment requires that all users utilize strong passwords. Password policy
settings control the complexity and lifetime of passwords. You can configure
password policy settings through Group Policy.

Additional Reading
• Microsoft Technet article: Account Passwords and Policies


What Are Local Policies?

Key Points
Every Windows® 2000 or later computer has exactly one Local Group Policy
Object (LGPO). In this object, Group Policy settings are stored on individual
computers, regardless of whether they are part of an Active Directory environment.
The LGPO is stored in a hidden folder named %windir%\system32\Group Policy.
This folder does not exist until you configure an LGPO.

Additional Reading
• Microsoft Resources: Local Group Policy


What Are Network Security Policies?

Key Points
Automating client computer-configuration settings is an essential step to reduce
the cost of deploying networking security and minimize support issues that result
from incorrectly configured settings.
Starting with the Windows Server® 2003 operating system, you could automate
client wireless configuration using the Wireless Network Policies settings in
Group Policy. Windows Server® 2008 and Windows Vista® include new features for
network policies and Group Policy support for 802.1X authentication settings for
wired and wireless connections.


Additional Reading
• Microsoft Technet article: Joining a Windows Vista Wired Client to a Domain
• Microsoft Technet article: Chapter 6: Designing the Wireless LAN Security
Using 802.1X
• Microsoft Technet article: Wireless Group Policy Settings for Windows Vista
• Microsoft Technet article: Define Active Directory-based Wireless Network
Policies


Windows Firewall with Advanced Security

Key Points
Windows Vista and Windows Server 2008 include a new and enhanced version of
Windows Firewall. The new Windows Firewall is a stateful host-based firewall that
allows or blocks network traffic according to its configuration.

Additional Reading
• Microsoft Technet article: The New Windows Firewall in Windows Vista and
Windows Server 2008


Demonstration: Overview of Additional Security Settings

Question: You need to ensure that a particular service is not allowed to run on any
of your network servers. How would you accomplish this?


Demonstration: What Is the Default Domain Controller Security Policy?

Question: What is the default Group Policy refresh interval for domain controllers?


Lesson 2:
Implementing Fine-Grained Password Policies

In Windows Server 2008, you can allow different password requirements and
account lockout policies for different Active Directory users or groups, using fine-
grained policies. In this lesson, you will learn the knowledge and skills to
implement fine-grained password policies.


What Are Fine-Grained Password Policies?

Key Points
In previous Active Directory domains, you could apply only one password and
account lockout policy to all users in the domain. Fine-grained password policies
allow you to have different password requirements and account lockout policies
for different Active Directory users or groups. This is desirable when you want
different sets of users to have different password requirements, but do not want
separate domains. For example, the Domain Admins group may need strict
password requirements to which you do not want to subject ordinary users. If you
do not implement fine-grained password policies, the default domain account
policies apply to all users.

Question: How would you use fine-grained passwords in your environment?

Additional Reading
• Microsoft Technet article: AD DS: Fine-Grained Password Policies


How Fine-Grained Password Policies Are Implemented

Key Points
To store fine-grained password policies, Windows Server 2008 includes two new
object classes in the Active Directory schema. They are:
• Password Settings Container (PSC)
• Password Settings Object (PSO)

The PSC object class is created by default under the System container in the
domain. It stores that domain’s PSOs. You cannot rename, move, or delete this
container.

Question: How could you view the Password Settings Container in Active
Directory Users and Computers?

Additional Reading
• Microsoft Technet article: AD DS: Fine-Grained Password Policies


Implementing Fine-Grained Password Policies

Key Points
There are three major steps involved in implementing fine-grained passwords:
• Create necessary groups, and add the appropriate users.
• Create PSOs for all defined password policies.
• Apply PSOs to the appropriate users or global security groups.

Question: In your organization, a number of users deal with confidential files on a
regular basis. You need to ensure that all these users have strict account policies
enforced. The user accounts are scattered across multiple OUs. How would you
accomplish this with the least administrative effort?
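The three steps above become concrete when the PSO is written out as the LDAP object it actually is. The following Windows PowerShell script is an added example, not from the course: it builds an LDIF file for one PSO, imports it with ldifde (the Windows Server 2008 way of doing this; the later Active Directory PowerShell cmdlets are not part of this release), applies it to a global security group, and then reads the resultant PSO for one member. It assumes the lab domain woodgrovebank.com; the group Confidential_Users, its OU, and the user DN used in the final check are hypothetical names chosen for the example.

```powershell
# Added example (not part of course 6425A): create and apply a fine-grained
# password policy with ldifde. Assumed names: the group and user DNs below.
$DomainDN = 'DC=woodgrovebank,DC=com'
$PsoName  = 'PSO-Confidential'
$GroupDN  = "CN=Confidential_Users,OU=Groups,$DomainDN"     # hypothetical global security group
$UserDN   = "CN=Tony,OU=Executives,$DomainDN"               # hypothetical member used for the check

# Time-valued PSO attributes are stored as negative intervals in 100-ns units.
function ConvertTo-PsoInterval {
    param([double]$Seconds)
    return -1 * [int64]($Seconds * 10000000)
}

# Every attribute below except msDS-PSOAppliesTo is mandatory on the
# msDS-PasswordSettings class; ldifde rejects the object if one is missing.
# Lower precedence wins when a user is covered by several PSOs.
$ldif = @"
dn: CN=$PsoName,CN=Password Settings Container,CN=System,$DomainDN
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 12
msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval (1 * 86400))
msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval (42 * 86400))
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval 1800)
msDS-LockoutDuration: $(ConvertTo-PsoInterval 1800)
msDS-PSOAppliesTo: $GroupDN
"@

Set-Content -Path 'C:\pso.ldf' -Value $ldif -Encoding Ascii
& ldifde -i -f C:\pso.ldf

# msDS-ResultantPSO is computed by the DC and shows which PSO (if any) actually
# governs the user after precedence is resolved; empty means the Default Domain
# Policy account settings apply.
& dsquery * $UserDN -scope base -attr msDS-ResultantPSO
```

Applying the PSO to a group rather than to individual users is what answers the "least administrative effort" question: the accounts can stay scattered across OUs, because PSOs follow group membership, not OU placement, and adding a user to Confidential_Users is the whole change.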


Additional Reading
• Microsoft Technet article: Fine-Grained Password and Account Lockout Policy
Review


Demonstration: Implementing Fine-Grained Password Policies

Question: What utilities can be used to manage PSOs? Choose all that apply.

a. ADSI edit
b. GPMC
c. CSVDE
d. LDIFDE
e. NTDSUtil
f. Active Directory Users and Computers


Lesson 3:
Restricting Group Membership and Access to
Software

In a large network environment, one of the challenges of network security is
controlling the membership of built-in groups in the directory and on
workstations. Another concern is preventing access to unauthorized software on
workstations.


What Is Restricted Group Membership?

Key Points
In some cases, you may want to control the membership of certain groups in a
domain to prevent addition of other user accounts to those groups, such as the
local administrators group.
You can use the Restricted Groups policy to control group membership. Use the
policy to specify what members are placed in a group. If you define a Restricted
Groups policy and refresh Group Policy, any current member of a group that is not
on the Restricted Groups policy members list is removed. This can include default
members, such as domain administrators. Although you can control domain
groups by assigning Restricted Groups policies to domain controllers, you should
use this setting primarily to configure membership of critical groups like Enterprise
Admins and Schema Admins. You also can use this setting to control the
membership of built-in local groups on workstations and member servers. For
example, you can place the Helpdesk group into the local Administrators group on
all workstations.


Question: Your company has five Web servers physically located across North
America. The Web servers' computer accounts are all located in a single OU. You
want to grant all the users in the global group named Web_Backup the right to
back up and restore the Web servers. How could you use Group Policy to
accomplish this?

Additional Reading
• Microsoft Technet article: Restricted Groups
• Microsoft Technet article: Group Policy Security Settings


Demonstration: Configuring Restricted Group Membership

Question: You created a Group Policy that adds the Helpdesk group to the local
Administrators group and you linked the policy to an OU. Now the Domain
Administrators no longer have any administrative authority on the computers in
that OU. What is the most likely problem and how would you solve it?


What Is a Software Restriction Policy?

Key Points
You may want to restrict access to software to prevent users from running
particular applications or types of applications, like VBscripts. Software restriction
policy provides administrators with a policy-driven mechanism for identifying
software and controlling its ability to run on a client computer.

Question: You have a number of computers in a workgroup. You need to restrict
access to a certain application so that only members of the Administrators group
are allowed to launch the application. How would you accomplish this?

Additional Reading
• Microsoft Technet article: Microsoft Windows XP: Using Software Restriction
Policies to Protect Against Unauthorized Software


Options for Configuring Software Restriction Policies

Key Points
Software Restriction policies use rules to determine whether an application is
allowed to run. When you create a rule, you first identify the application. Then you
identify it as an exception to the default policy setting of Unrestricted or
Disallowed. The enforcement engine queries the rules in the software restriction
policy before allowing a program to run.

Question: You need to restrict access to a certain application no matter into what
directory location the application is installed. What type of rule should you use?

Additional Reading
• Microsoft Technet article: Microsoft Windows XP: Using Software Restriction
Policies to Protect Against Unauthorized Software


Demonstration: Configuring Software Restriction Policies

Question: You want to ensure that only digitally signed Visual Basic scripts are
allowed to run. What type of rule should you use?


Lesson 4:
Managing Security Using Security Templates

A security policy is a group of security settings that affect a computer’s security.
You can use a security policy to establish account and local policies on your local
computer and in Active Directory. You can create security templates to assist in
creating security policies to meet your company’s security needs. You then can use
these templates to configure the security settings assigned to computers either
manually or through Group Policy.


What Are Security Templates?

Key Points
A security template is a collection of configured security settings. You can use
predefined security templates as a base to create security policies that you
customize to meet your needs, or you can create new templates. You use the
Security Templates snap-in to create or customize templates. After you create a new
template or customize a predefined security template, you can use it to configure
security on an individual computer or thousands of computers. Security templates
contain security settings for all security areas.
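The Restricted Groups setting from Lesson 3 and the security templates described here are the same thing on disk: a template is an .inf file, and a GPO stores its security settings in exactly that format in SYSVOL. The following Windows PowerShell script is an added example, not from the course: it writes a template whose only content is a Restricted Groups entry for the local Administrators group, then runs secedit /analyze so the difference between the template and the computer's current membership is visible in a log before anything is changed. It assumes the domain NetBIOS name WOODGROVEBANK and a global group named Helpdesk, as in the Lesson 3 scenario, and a C:\Temp working folder.

```powershell
# Added example (not part of course 6425A): a Restricted Groups entry as stored
# in a security template (.inf), analyzed with secedit before being applied.
# Assumed names: domain NetBIOS name and the Helpdesk group.
$Domain = 'WOODGROVEBANK'
$Inf    = 'C:\Temp\RestrictedAdmins.inf'
$Db     = 'C:\Temp\RestrictedAdmins.sdb'
$Log    = 'C:\Temp\RestrictedAdmins.log'
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null

# *S-1-5-32-544 is the well-known SID of the local Administrators group, so the
# template is valid on every computer regardless of language or a renamed group.
# "Members" is authoritative: at the next refresh anyone not on the list is
# removed, which is why any default member that must keep access, such as
# Domain Admins, has to be listed explicitly next to Helpdesk.
# "Memberof" left empty means "do not add Administrators to any other group".
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = $Domain\Domain Admins,$Domain\Helpdesk
"@

# Security templates are UTF-16 files, as the [Unicode] header declares.
Set-Content -Path $Inf -Value $template -Encoding Unicode

# /analyze imports the template into a fresh database and compares it with the
# computer, writing the differences to the log; nothing is changed.
& secedit /analyze /db $Db /cfg $Inf /log $Log
Get-Content $Log

# To apply the same template locally (the Lesson 4 "manually" path), run:
# & secedit /configure /db $Db /cfg $Inf /log $Log
# When the template is imported into a GPO instead, the [Group Membership]
# section ends up in SYSVOL under the GPO's
# Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
```

Reading the analysis log before importing the template into a GPO is the cheap way to catch the mistake the Lesson 3 demonstration question describes: if the log shows Domain Admins as a member that the template would remove, the Members line is incomplete.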

Additional Reading
• Microsoft Technet article: Security Templates Concepts


Demonstration: Applying Security Templates

Question: You have multiple database servers that are located in different OUs.
What is the easiest way to apply consistent security settings to all of the database
servers?


What Is the Security Configuration Wizard?

Key Points
The Security Configuration Wizard (SCW) is an attack-surface reduction tool that
Windows Server 2003 with Service Pack 1 (SP1) introduced. SCW assists
administrators in creating security policies, and determines the minimum
functionality that is required for a server’s role or roles and disables functionality
that is not required. SCW guides you through the process of creating, editing,
applying, or rolling back a security policy based on the server’s selected roles. The
security policies that you create with SCW are XML files that, when applied,
configure services, network security, specific registry values, audit policy, and if
applicable, Internet Information Services (IIS).

Question: What types of server roles exist in your organization?

Additional Reading
• Security Configuration Wizard Documentation
• Security Configuration Wizard for Windows Server 2003


Demonstration: Configuring Server Security Using the Security Configuration Wizard

Question: What is the main advantage of the SCW?


Options for Integrating the Security Configuration Wizard and Security Templates

Key Points
Security policies that you create with the SCW also can include custom security
templates. Some of the settings that you can configure using the SCW partially
overlap the settings that you can configure using security templates alone. Neither
set of configuration changes totally includes the other. For example, the SCW
includes IIS settings that are not included in any security template. Conversely,
security templates can include such items as Software Restriction policies, which
you cannot configure through SCW.

Additional Reading
• Microsoft Technet article: Security Configuration Wizard How To
• Microsoft Technet article: The Security Configuration Wizard

Demonstration: Importing Security Configuration Policies into Security Templates

Question: You need to open a port on your Windows Vista client computers for a custom
application. Should you use the SCW or create a security template and use a GPO?

Lab: Implementing Security Using Group Policies

Scenario:
Woodgrove Bank has decided to implement group policies to configure security
for users and computers in the organization. The company recently upgraded
all of the workstations to Vista and all of the servers to Windows Server
2008. The organization wants to utilize Group Policy to implement security
settings for the workstations, servers, and users. The enterprise administrator
created a design that includes modifications to the default domain security policy
and additional GPOs for configuring security. The company wants to have the
flexibility to assign different password policies for specific users. The
company also wants to automate the configuration of security settings as
much as possible.

Note: Some of the tasks in this lab are designed to illustrate GPO management
techniques and settings, and may not always follow best practices.

Exercise 1: Configuring Account and Security Policy Settings
You have been tasked to implement a domain account policy with the following
criteria:
• Domain passwords will be eight characters
• Strong passwords will be enforced
• Passwords will be changed every 20 days exactly
• Accounts will be locked out for 30 minutes after five invalid logon attempts

You also will configure a local policy on the Windows Vista client that enables the
local Administrator account and prohibits access to the Run menu for Non-
Administrators.
Then you will create a wireless network policy for Windows Vista that creates a
profile for the Corp wireless network. This profile will define 802.1x as the
authentication method. This policy also will deny access to a wireless network
named Research.
Finally, you will configure a policy to prevent the Remote Registry service from
running on any domain controller.
The main tasks in this exercise are:
1. Start the 6425A-NYC-DC1 virtual machine and log on as Administrator.
2. Create an account policy for the domain.
3. Configure local policy settings for a Windows Vista client.
4. Create a wireless network policy for Windows Vista clients.
5. Configure a policy that prohibits a service on all domain controllers.

Task 1: Start the 6425A-NYC-DC1 virtual machine and log on as Administrator
• Start 6425A-NYC-DC1 and then log on as Administrator using the password
Pa$$w0rd.

Task 2: Create an account policy for the domain
1. Launch the Group Policy Management Console.
2. Edit the Account Policy in the Default Domain Policy with the following
values:
• Password Policy will be:
• Domain passwords will be 8 characters in length
• Strong passwords will be enforced
• Minimum password age will be 19 days
• Maximum password age will be 20 days
• Account lockout policy will be:
• Account Lockout Threshold will be 5 invalid logon attempts
• Account lockout duration will be 30 minutes
• Lockout counter will be reset after 30 minutes

Task 3: Configure local policy settings for a Windows Vista client
1. Start NYC-CL1 and log on as WoodgroveBank\Administrator using the
password Pa$$w0rd.
2. Create a new MMC and add the snap-in for the Group Policy Object Editor
for the Local Computer.
3. Open Computer Configuration’s Windows Settings, open Security Settings,
Local Policies, Security Options, and then enable the Accounts:
Administrator Account Status setting.
4. Add the Group Policy Object Editor snap-in to the MMC again and then click
Browse.
5. Click the Users tab, select the Non-Administrators group, click OK and then
Finish.
6. Open User Configuration, Administrative Templates, and the Start Menu
and Taskbar folder, and then enable the Remove Run from Start Menu
setting.
7. Close the MMC without saving the changes.

Task 4: Create a wireless network policy for Windows Vista clients
1. In the GPMC, create a new policy named Vista Wireless.
2. Edit the policy by right-clicking Wireless Network (IEEE 802.11) Policies
and then clicking Create a New Windows Vista Policy.
3. In the New Vista Wireless Network Policy dialog box, click Add and then
click Infrastructure.
4. Create a new profile named Corporate and then type Corp in the Network
Name (SSID) field.
5. Click the Security tab, change the Authentication method to Open with
802.1X and then click OK.
6. Click the Network Permissions tab and then click Add.
7. Type Research in the Network Name (SSID): field, set the Permission to
Deny and then click OK twice.
8. Close the Group Policy Management Editor and then leave the GPMC open.

Task 5: Configure a policy that prohibits a service on all domain controllers
1. Edit the Default Domain Controller Policy, Windows Settings, Security
Settings, System Services to disable the Remote Registry service.
2. Close the Group Policy Management Editor and leave the GPMC open.

Result: At the end of this exercise, you will have configured account and security
policy settings.

Exercise 2: Implementing Fine-Grained Password Policies
Your corporate security policy dictates that members of the IT Administrative
group will have strict password policies. The passwords must meet the following
criteria:
• 30 passwords will be remembered in password history
• Domain passwords will be 10 characters
• Strong passwords will be enforced
• Passwords will not be stored with reversible encryption
• Passwords will be changed every seven days exactly
• Accounts will be locked out for 30 minutes after three invalid logon attempts

You will create a fine-grained password policy to enforce these policies for the IT
Admins global group.
The main tasks are as follows:
1. Create a PSO using ADSI Edit.
2. Assign the ITAdmin PSO to the IT Admins global group.

Task 1: Create a PSO using ADSI Edit
1. In the Run menu, type adsiedit.msc and then press ENTER.
2. Right-click ADSI Edit, click Connect to and then click OK to accept the
defaults.
3. Navigate to DC=woodgrovebank, DC=com, CN=System, CN=Password
Settings Container. Right-click CN=Password Settings Container and then
create a new object.
4. In the Create Object dialog box click msDS-PasswordSettings, and then click
Next.
5. In Value type ITAdmin.
6. In the msDS-PasswordSettingsPrecedence value, type 10.
7. In the msDS-PasswordReversibleEncryptionEnabled value, type FALSE.
8. In the msDS-PasswordHistoryLength value, type 30.

9. In the msDS-PasswordComplexityEnabled value, type TRUE.
10. In the msDS-MinimumPasswordLength value, type 10.
11. In the msDS-MinimumPasswordAge value, type -5184000000000.
12. In the msDS-MaximumPasswordAge value, type -6040000000000.
13. In the msDS-LockoutThreshold value, type 3.
14. In the msDS-LockoutObservationWindow value, type -18000000000.
15. In the msDS-LockoutDuration value, type -18000000000 and then click
Finish.
16. Close the ADSI Edit MMC without saving changes.

Task 2: Assign the ITAdmin PSO to the IT Admins global group
1. Open Active Directory Users and Computers.
2. Click View and then click Advanced Features.
3. Expand Woodgrovebank.com, expand System and then click Password
Settings Container. In the details pane, right-click the ITAdmin PSO and then
click Properties.
4. Click the Attribute Editor tab. Scroll down, select the msDS-PSOAppliesTo
attribute and then click Edit.
5. Add the ITAdmins_WoodgroveGG group.
6. Close Active Directory Users and Computers.

Result: At the end of this exercise, you will have implemented fine-grained
password policies.
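As an added example (not part of the course), the same ITAdmin PSO written as an LDIF file from readable day and minute values and imported with LDIFDE, the alternative to ADSI Edit named in the module takeaways. The script assumes the lab domain DC=woodgrovebank,DC=com and an elevated session on a domain controller; the OU of the ITAdmins_WoodgroveGG group is a placeholder because the lab does not state it, and the intervals are computed from whole days and minutes (6 days gives -5184000000000, 7 days gives -6048000000000, 30 minutes gives -18000000000).

```powershell
# Added example, not course material: build a PSO as LDIF and import it with ldifde.
# Assumed: domain DN DC=woodgrovebank,DC=com (from the lab); the group DN below is a
# placeholder, since the lab does not state which OU holds ITAdmins_WoodgroveGG.

function ConvertTo-AdInterval {
    # PSO ages and lockout windows are stored as negative Int64 counts of 100-ns ticks.
    param([int]$Days = 0, [int]$Minutes = 0)
    $seconds = ([int64]$Days * 86400) + ([int64]$Minutes * 60)
    return -($seconds * 10000000)
}

function Format-AdBool([bool]$Value) {
    # Boolean attributes are written as TRUE/FALSE in LDIF, as in the ADSI Edit steps.
    if ($Value) { 'TRUE' } else { 'FALSE' }
}

function New-PsoLdif {
    param(
        [string]$Name,
        [string]$DomainDn,
        [int]$Precedence,
        [int]$HistoryLength,
        [int]$MinLength,
        [int]$MinAgeDays,
        [int]$MaxAgeDays,
        [int]$LockoutThreshold,
        [int]$LockoutMinutes,
        [int]$ObservationMinutes,
        [bool]$Complexity = $true,
        [bool]$ReversibleEncryption = $false,
        [string[]]$AppliesToDn = @()
    )
    # AD rejects a PSO whose maximum age is not greater than its minimum age, or whose
    # lockout observation window exceeds the lockout duration; fail early with a clear message.
    if ($MaxAgeDays -le $MinAgeDays) {
        throw "MaxAgeDays ($MaxAgeDays) must be greater than MinAgeDays ($MinAgeDays)."
    }
    if ($ObservationMinutes -gt $LockoutMinutes) {
        throw "ObservationMinutes ($ObservationMinutes) must not exceed LockoutMinutes ($LockoutMinutes)."
    }
    $lines = @(
        "dn: CN=$Name,CN=Password Settings Container,CN=System,$DomainDn",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        "msDS-PasswordSettingsPrecedence: $Precedence",
        "msDS-PasswordReversibleEncryptionEnabled: $(Format-AdBool $ReversibleEncryption)",
        "msDS-PasswordHistoryLength: $HistoryLength",
        "msDS-PasswordComplexityEnabled: $(Format-AdBool $Complexity)",
        "msDS-MinimumPasswordLength: $MinLength",
        "msDS-MinimumPasswordAge: $(ConvertTo-AdInterval -Days $MinAgeDays)",
        "msDS-MaximumPasswordAge: $(ConvertTo-AdInterval -Days $MaxAgeDays)",
        "msDS-LockoutThreshold: $LockoutThreshold",
        "msDS-LockoutObservationWindow: $(ConvertTo-AdInterval -Minutes $ObservationMinutes)",
        "msDS-LockoutDuration: $(ConvertTo-AdInterval -Minutes $LockoutMinutes)"
    )
    # One msDS-PSOAppliesTo value per group or user the PSO should apply to.
    foreach ($dn in $AppliesToDn) { $lines += "msDS-PSOAppliesTo: $dn" }
    return ($lines -join "`r`n") + "`r`n"
}

# Values from Exercise 2; the group DN is a placeholder to be replaced with the real one.
$ldif = New-PsoLdif -Name 'ITAdmin' -DomainDn 'DC=woodgrovebank,DC=com' -Precedence 10 `
    -HistoryLength 30 -MinLength 10 -MinAgeDays 6 -MaxAgeDays 7 `
    -LockoutThreshold 3 -LockoutMinutes 30 -ObservationMinutes 30 `
    -AppliesToDn 'CN=ITAdmins_WoodgroveGG,OU=<placeholder-OU>,DC=woodgrovebank,DC=com'

# ldifde expects ASCII/ANSI input unless -u is given, so do not use the default Unicode encoding.
$path = Join-Path $env:TEMP 'ITAdmin-pso.ldf'
$ldif | Out-File -FilePath $path -Encoding ASCII

# Import on the domain controller (-i = import, -f = input file); ldifde is present on DCs.
# ldifde -i -f $path
```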

Exercise 3: Configuring Restricted Groups and Software Restriction Policies
You need to ensure that the ITAdmins global group is included in the local
Administrators group for all of the organization’s computers. Domain controllers
are considered high security, and Internet Explorer will not be allowed to run on
domain controllers. You also will prevent any Visual Basic scripts (VBS) from
running on the C: drive of domain controllers.
The main tasks for this exercise are as follows:
1. Configure restricted groups for the local administrators group.
2. Create a GPO that prohibits Internet Explorer and VBS scripts from running
on domain controllers.

Task 1: Configure restricted groups for the local administrators group
1. If required, open the GPMC, open the Group Policy Objects folder and then
edit the Default Domain Policy.
2. Navigate to Windows Settings, Security Settings, right-click Restricted
Groups and then click Add Group.
3. Add the Administrators group and then click OK.
4. In the Administrators Properties dialog box, add the following groups:
• Woodgrovebank\ITAdmins_WoodgroveGG
• Woodgrovebank\Domain Admins
5. Close the Group Policy Management Editor.

Task 2: Prohibit Internet Explorer and VBS scripts from running on domain controllers
1. Edit the Default Domain Controllers Policy.
2. Navigate to Windows Settings, Security Settings, right-click Software
Restriction Policies and then click New Software Restriction Policy.
3. Right-click Additional Rules and then click New Hash Rule.
4. Browse and navigate to C:\Program Files\Internet Explorer\iexplore.exe,
and then click Open. Ensure that the Security level is Disallowed.
5. Right-click Additional Rules and then click New Path Rule.
6. In the Path field, type *.vbs and then click OK.
7. Close the Group Policy Management Editor.

Result: At the end of this exercise, you will have configured restricted groups and
software restriction policies.

Exercise 4: Configuring Security Templates
You will create a security template for file and print servers that will rename the
Administrator account and does not display the last user name that logged on. You
then will use the Security Configuration Wizard to create a security policy that
hardens the file and print server and includes the security template. You will use
the SCW interface to apply the policy to the file and print server, NYC-SRV1.
Finally, you will transform the policy into a GPO named FPSecurity.
The main tasks for this exercise are:
1. Create a security template for the file and print servers.
2. Start NYC-SRV1 and disable the Windows Firewall.
3. Run the Security Configuration Wizard and import the FPSecurity template.
4. Transform the FPPolicy into a GPO.

Task 1: Create a security template for the file and print servers
1. Create a new MMC and add the snap-in for Security Templates.
2. Expand Security Templates, right-click
C:\Users\Administrators\Documents\Security\Templates and then click
New Template.
3. Name the template FPSecurity.
4. Navigate to Local Polices, Security Options. Define the Accounts: Rename
administrator account with the value FPAdmin.
5. Define the Interactive Logon: Do not display last user name to be Enabled.
6. In the folder pane, right-click FPSecurity and then click Save.
7. Close the MMC without saving the changes.

Task 2: Start NYC-SRV1, join the domain, and disable the Windows Firewall
1. Start NYC-SRV1 and log on as Administrator with a password of Pa$$w0rd.
2. Join NYC-SRV1 to the WoodgroveBank.com domain.
3. Restart the computer and log on as Administrator.
4. Disable the Windows Firewall.

Note: This step is performed to simplify the lab and is not a recommended practice.

Task 3: Run the Security Configuration Wizard and import the FPSecurity template
1. On NYC-DC1, launch the Security Configuration Wizard.
2. On the Welcome screen, click Next.
3. On the Configuration Action screen, click Next.
4. On the Select Server screen type NYC-SRV1.woodgrovebank.com and then
click Next.
5. After the configuration database has been processed, click Next.
6. On the Role-Based service Configuration screen, click Next.
7. On the Select server Roles screen, clear the checkbox beside DNS Server.
8. Check the checkbox beside File Server.
9. Check the checkbox beside Print Server and then click Next.
10. On the Select Client Features screen, click Next.
11. On the Select Administration and Other Options screen, click Next.
12. On the Select Additional Services screen, click Next.
13. On the Handling Unspecified Services screen, click Next until you reach the
Security Policy File Name screen.

14. On the Security Policy File Name screen, type FPPolicy at the end of the
C:\Windows\security\msscw\policies\ path.
15. Click Include Security Templates and then click Add.
16. Add the Documents\Security\Templates\FPSecurity policy.
17. On the Apply Security Policy screen, click Apply Now and then click Next.
18. On the Applying Security Policy screen, click Next and then click Finish.

Task 4: Transform the FPPolicy into a GPO
1. On NYC-DC1, launch the Command Prompt and type scwcmd transform
/p:"C:\Windows\security\msscw\Policies\FPPolicy.xml"
/g:FileServerSecurity.
2. Open the GPMC if necessary and then open the Group Policy Objects folder.
Double-click the FileServerSecurity GPO and then examine the settings.
3. Close the GPMC and log off NYC-DC1.

Result: At the end of this exercise, you will have configured security templates.

Exercise 5: Verifying the Security Configuration
You will log on as various users to test the results of group policy.
The main tasks for this exercise are:
1. Log on as the Local Administrator of the Windows Vista computer and check
the membership of the local administrators group.
2. Log on to the Windows Vista computer as an ordinary user and test the
account policy.
3. Log on to the domain controller as the domain administrator and test software
restrictions and services.
4. Use group policy modeling to test the settings on the file and print server.
5. Log on to NYC-SRV1 and check that group policy has been applied.

Task 1: Log on as the Local Administrator of the Windows Vista computer and check the
membership of the local administrators group
1. Log on to NYC-CL1 as NYC-CL1\administrator with a password of
Pa$$w0rd.
2. Launch a Command Prompt and run the GPupdate /force command.
3. Ensure that the Run menu appears in the Accessories folder on the Start
Menu.
4. Open Control Panel, click User Accounts, click User Accounts, click Manage
User Accounts, click the Advanced tab, click Advanced, click Groups, open
the Administrators group, and then ensure that the Domain Admins and the
ITAdmins global groups are present.
5. Restart NYC-CL1.

Task 2: Log on to the Windows Vista computer as an ordinary user and test the policy
1. Log on to NYC-CL1 as NYC-CL1\administrator with a password of
Pa$$w0rd.
2. Launch a Command Prompt and run the GPupdate /force command.
3. Ensure that the Run menu appears in the Accessories folder on the Start
Menu.
4. Open Control Panel, click User Accounts, click User Accounts, click Manage
User Accounts, click the Advanced tab, click Advanced, click Groups, open
the Administrators group, and then ensure that the Domain Admins and the
ITAdmins global groups are present.
5. Log off NYC-CL1.

Task 3: Log on to the domain controller as the domain administrator and test software
restrictions and services
1. Log on to NYC-CLI as SEA-CL1\administrator with a password of
Pa$$w0rd.
2. Launch a Command Prompt and run the GPupdate /force command.
3. Attempt to launch Internet Explorer and read the error message and then
click OK.
4. Navigate to D:\6425\mod07\labfiles and then double-click Hello.vbs. Read
the error message and then click OK.
5. Open the Services MMC in Administrative Tools. Scroll down to the Remote
Registry service and ensure that it is Disabled.

Task 4: Use group policy modeling to test the settings on the file and print server
1. Open the GPMC and then launch the Group Policy Modeling Wizard.
2. Accept all the defaults except on the User and Computer Selection screen.
3. Click Computer and then type Woodgrovebank\NYC-SRV1.
4. After completing the Wizard, observe the policy settings.

Task 5: Log on to NYC-SRV1 and check that group policy has been applied
1. Log on to NYC-SRV1 as Woodgrovebank\Administrator.
2. Open Control Panel, double-click User Accounts, click Manage User
Accounts, click the Advanced tab, click Advanced, and then click the Users
folder. Ensure that the Administrator account has been renamed to FPAdmin.
3. Click the Groups folder and then open the Administrators group. Ensure that
the Woodgrovebank Domain Admins and ITAdmins global groups are
present.
4. Shut down all virtual machines and do not save any changes.

Result: At the end of this exercise, you will have verified the security configuration.
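As an added example (not part of the course), a script that performs the checks this exercise does by hand and reports pass/fail per setting. It assumes an elevated PowerShell session on the computer being verified (NYC-CL1, NYC-DC1 or NYC-SRV1) after gpupdate /force; the expected names FPAdmin, Domain Admins and ITAdmins_WoodgroveGG come from the lab, and which checks apply to which computer is up to the caller.

```powershell
# Added example, not course material: verify locally that the lab's Group Policy
# security settings took effect. Run elevated on the computer under test.

function Get-LocalAdministratorsMembers {
    # Enumerate the local Administrators group through the WinNT provider.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Each member is a COM object; read its ADsPath, e.g. WinNT://WOODGROVEBANK/Domain Admins
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function Test-RestrictedGroupApplied {
    # Exercise 3 Task 1 / Exercise 5 Tasks 1 and 5: expected groups present in local Administrators.
    param([string[]]$ExpectedMembers)
    $names = Get-LocalAdministratorsMembers | ForEach-Object { ($_ -split '/')[-1] }
    $missing = @($ExpectedMembers | Where-Object { $names -notcontains $_ })
    New-Object PSObject -Property @{
        Check   = 'Restricted Groups: local Administrators'
        Passed  = ($missing.Count -eq 0)
        Details = $(if ($missing.Count) { "Missing: $($missing -join ', ')" } else { $names -join ', ' })
    }
}

function Test-ServiceDisabled {
    # Exercise 1 Task 5 / Exercise 5 Task 3: the service's start mode must be Disabled.
    # Win32_Service exposes StartMode, which Get-Service lacks on Windows Server 2008.
    param([string]$ServiceName)
    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    New-Object PSObject -Property @{
        Check   = "Service $ServiceName disabled"
        Passed  = ($svc -ne $null -and $svc.StartMode -eq 'Disabled')
        Details = $(if ($svc) { "StartMode=$($svc.StartMode) State=$($svc.State)" } else { 'service not found' })
    }
}

function Test-BuiltinAdminRenamed {
    # Exercise 4 Task 1 / Exercise 5 Task 5: the built-in Administrator keeps RID 500
    # whatever it is renamed to, so locate it by SID rather than by name.
    param([string]$ExpectedName)
    $admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like '*-500' }
    New-Object PSObject -Property @{
        Check   = 'Built-in Administrator renamed'
        Passed  = ($admin -ne $null -and $admin.Name -eq $ExpectedName)
        Details = $(if ($admin) { "Name=$($admin.Name) Disabled=$($admin.Disabled)" } else { 'RID-500 account not found' })
    }
}

# Checks for NYC-SRV1 (Task 5). On a domain controller (Task 3) add:
#   Test-ServiceDisabled -ServiceName 'RemoteRegistry'
$results = @(
    Test-RestrictedGroupApplied -ExpectedMembers 'Domain Admins', 'ITAdmins_WoodgroveGG'
    Test-BuiltinAdminRenamed -ExpectedName 'FPAdmin'
)
$results | Format-Table Check, Passed, Details -AutoSize
```

A service that was already running when the policy arrived shows StartMode=Disabled but State=Running until it is stopped or the computer restarts, so the State field is reported for information only.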

Module Review and Takeaways

Considerations for Implementing Security Using Group Policies

Keep the following points in mind when implementing security using Group
Policies.
• Security policies are rules that protect resources on computers and
networks and can be enforced using Group Policy.
• The Default Domain Policy and the Default Domain Controllers Policy are
created by default.
• Account policies must be implemented at the domain level.
• Any domain level policy is capable of delivering account policies.
• Clients receive account policies from domain controllers.
• Local policies generally affect all users, including domain users, of the
local computer.
• Network security policies can control wireless configuration for Windows
XP and later.
• Network security policies can control wired configuration for Windows
Vista and later.
• Windows Firewall supports outbound rules.
• Network awareness can automatically determine your firewall profile.
• Firewall settings and IPsec settings are now integrated.
• Fine-grained passwords allow different users or global groups to have
different account policies.
• Fine-grained policies are not delivered through Group Policy.
• Fine-grained policies must be created using ADSIedit or LDIFDE.
• Both domain and local group membership can be controlled through
Group Policy.
• Access to software can be controlled through Group Policy.
• Local administrators can be exempted from software restrictions.
• There are four types of rules to control access to software.
• Security templates can be used to provide a consistent set of security
settings.
• The Security Configuration Wizard can be used to assist in creating
security policies.

Review Questions
1. You want to place a software restriction policy on a new type of executable file.
What must you do before you can create a rule for this executable code?
2. What setting must you configure to ensure that users are only allowed 3
invalid logon attempts?
3. You want to provide consistent security settings for all client computers in the
organization. The computer accounts are scattered across multiple OUs. What
is the best way to provide this?
4. An administrator in your organization has accidentally modified the Default
Domain Controller Policy. You need to restore the policy to its original default
settings. How would you accomplish this?

Module 8
Implementing an Active Directory Domain
Services Monitoring Plan
Contents:
Lesson 1: Monitoring Active Directory Domain Services Using
Event Viewer 8-3
Lesson 2: Monitoring Active Directory Domain Servers Using
Reliability and Performance Monitor 8-10
Lesson 3: Configuring Active Directory Domain Services Auditing 8-20
Lab: Configuring Active Directory Sites and Replication 8-25

Module Overview

To manage and administer an organization’s operating system, it is important to
understand the tools that you can use to monitor the system’s health. By using
tools like Event Viewer, Reliability and Performance Monitor, and audit policies,
you will be better able to anticipate issues and manage everyday events.

Lesson 1:
Monitoring Active Directory Domain Services
Using Event Viewer

Monitoring server performance is an important part of maintaining and
administering an operating system. The Event Viewer is an application that enables
you to browse, manage, and monitor events recorded in event logs.

Event Viewer Features

Key Points
One of the first places you should turn when troubleshooting problems in
Microsoft Windows is the Event Viewer. A number of new features are built into
the Event Viewer for Windows Vista® and Windows Server® 2008.
Event Viewer is rewritten completely with a new user interface that makes it easier
to filter and sort events and control which events are logged. Additionally, you now
can perform some basic diagnostic tasks from within Event Viewer. Event Viewer
also provides many new log files.

Additional Reading
• Microsoft Technet article: Event Viewer Overview
• Microsoft Technet article: How the Active Directory Replication Model Works

Demonstration: Overview of the Event Viewer

Question: You have an issue with Group Policy. What log should you view for
detailed Group Policy events?

Active Directory Domain Services Logs

Key Points
The System and Application logs still provide general information and log events
from many areas, but the Event Viewer now provides a wide range of application
and service logs. These logs can provide granular information about Active
Directory® and other services, such as Group Policy, offline files, the Windows Update
client and many others.

What Are Custom Views?

Key Points
Custom views are filters that are named and saved. After creating and saving a
custom view, you are able to reuse it without re-creating its underlying filter. To
reuse a custom view, navigate to the Custom Views category in the console tree
and select the custom view’s name. By selecting the custom view, you apply the
underlying filter and the results are displayed. You can import and export custom
views, enabling you to share them between users and computers.

Additional Reading
• Microsoft Technet article: Create and Manage Custom Views

What Are Subscriptions?

Key Points
Event Viewer enables you to view events on a single remote computer. However,
troubleshooting an issue might require you to examine a set of events stored in
multiple logs on multiple computers. Event Viewer provides the ability to collect
copies of events from multiple remote computers and store them locally. To
specify which events to collect, you create an event subscription. Once a
subscription is active and events are being collected, you can view and manipulate
these forwarded events as you would any other locally stored events.

Question: Where would subscriptions be most useful in your organization?

Additional Reading
• Microsoft Technet article: Event Subscriptions
• Microsoft Technet article: Configure Computers to Forward and Collect Events

Demonstration: Configuring Custom Views and Subscriptions

Question: You want to monitor a particular group of events across multiple Web
servers. What is the best way to accomplish this?

Lesson 2:
Monitoring Active Directory Domain Servers
Using Reliability and Performance Monitor

In general, performance is the measure of how quickly a computer completes
application and system tasks. Use performance monitoring to track a range of
processes and display the results. You can use performance monitoring to assist
you with upgrade planning, tracking processes that need to be optimized, and
understanding a workload and its effect on resource usage to identify bottlenecks.
Overall system performance might be limited by the access speed of the physical
hard disks, the amount of available memory, the speed of the processor, or the
throughput of the network interfaces.

Reliability and Performance Monitor Features

Key Points
Windows Reliability and Performance Monitor enables you to track the
performance impact of applications and services, and to generate alerts or take
action when user-defined thresholds for optimum performance are exceeded.
Windows Reliability and Performance Monitor provides the features outlined
below.
• Resource view
• Reliability Monitor
• Data Collector Sets
• Track performance of applications and services
• Wizards and templates for creating logs
• Generate alerts and take action when thresholds are reached
• Generate reports

Additional Reading
• Microsoft Technet article: Windows Reliability and Performance Monitor

Demonstration: Overview of the Reliability and Performance Monitor

Question: Where can you find real-time information about network activity?

Monitoring AD DS Using Performance Monitor

Key Points
Monitoring the distributed Active Directory® service and the services that it relies
upon helps maintain consistent directory data and the necessary level of service
throughout the forest. You can monitor important indicators to discover and
resolve minor problems before they develop into potentially lengthy service
outages.
In addition to the normal baseline counters that you monitor for all servers, there
are objects and dozens of counters that are specific to Active Directory.

Additional Reading
• Microsoft Technet article: Active Directory Operations Guide

What Is an Active Directory Baseline?

Key Points
A computer’s baseline is a measure of specified resource behavior during normal
activity that indicates how the resource, or a collection of system resources,
performs. This information is then compared to later activity to monitor system
usage and system response to changing conditions.

Additional Reading
• Microsoft Technet article: Deploying Active Directory for Branch Office
Environments, Chapter 9 - Post Deployment Monitoring of Domain
Controllers

Monitoring Service Availability with Reliability Monitor

Key Points
A system’s reliability is the measure of how often it deviates from configured,
expected behavior. The Reliability Monitor calculates a System Stability Index that
reflects whether unexpected problems reduced the system’s reliability. A graph of
the Stability Index over time quickly identifies dates when problems began to
occur. The accompanying System Stability Report provides details to help
troubleshoot the root cause of reduced reliability. By viewing changes to the system
(installation or removal of applications, updates to the operating system, or
addition or modification of drivers) side by side with failures (application failures,
operating system crashes, or hardware failures), you can develop a strategy for
addressing the issues quickly. The Reliability Monitor begins to collect data at the
time of system installation and must run for at least 24 hours before the data is
displayed in the System Stability Chart.

Question: You want to see a historical record of software that has been added or
removed from the computer. Where would you find that information?

Additional Reading
• Microsoft Technet article: Windows Vista Performance and Reliability
Monitoring Step-by-Step Guide

Monitoring Active Directory Domain Services Using Data Collector Sets

Key Points
A new feature in Windows Reliability and Performance Monitor is the Data
Collector Set, which groups data collectors into reusable elements for use with
different performance monitoring scenarios.

Question: You want to create an alert to notify you when free disk space is low.
How would you create one?

Additional Reading
• Microsoft Technet article: Create Data Collector Sets

Demonstration: Monitoring AD DS

Question: What is the easiest way to log the same set of data across multiple
computers?

Lesson 3:
Configuring Active Directory Domain Services Auditing

In any secure environment, you should actively monitor Active Directory. As part
of your overall security strategy, you should determine the level of auditing
appropriate for your environment. Auditing should identify actions, whether
successful or not, that have modified or attempted to modify Active Directory
objects.

What Is Active Directory Domain Services Auditing?

Key Points
An audit log records an entry whenever users perform certain specified actions. For
example, the modification of an object or a policy can trigger an audit entry that
shows the action that was performed, the associated user account, and the date
and time of the action. You can audit both successful and failed attempts at actions.

Additional Reading
• Microsoft Technet article: Windows Server "Longhorn" Beta 3 Auditing AD DS
Changes Step-by-Step Guide
• Microsoft Support: How to use Group Policy to configure detailed security
auditing settings for Windows Vista client computers in a Windows Server
2003 domain or in a Windows 2000 domain
• Microsoft Technet article: Auditpol

Demonstration: Configuring an Audit Policy

Question: What log shows you the results of auditing?

Additional Reading
• Microsoft Technet article: Managing Intersite Replication

Types of Events to Audit

The Directory Service Access category still provides information about all the
events that occur in the directory, and is enabled by default. More detailed
information can be delivered from the subcategories.

Question: You want to track details about any modifications made to Active
Directory objects for a particular organizational unit (OU) and any child OUs.
Which ACE should you set to capture that information?

Additional Reading
• Microsoft Technet article: Windows Server "Longhorn" Beta 3 Auditing AD DS
Changes Step-by-Step Guide

Demonstration: Configuring AD DS Auditing

Question: How would you enable the tracking of failure events for the directory
service changes subcategory?

Lab: Configuring Active Directory Sites and Replication

Scenario:
Woodgrove Bank has completed their deployment of AD DS. As the AD DS
administrator, you must monitor AD DS availability and performance. The server
administrator has provided a monitoring plan that includes service availability,
performance, and Event log monitoring components. Using Performance and
Reliability Monitoring, Event Viewer, and other tools, you will monitor AD DS
domain controllers.

Exercise 1: Monitor AD DS Using Event Viewer

As the network administrator, you want to collect Event Viewer information from
all domain controllers’ directory service. You will create a custom view to capture
the Critical, Error and Warning events for Active Directory and DNS Server. Then
you will export the view to a shared network folder and import the custom view to
NYC-DC2. You also want to monitor when services stop and start on NYC-DC2.
You will create a subscription to forward event 7036 from NYC-DC2 to NYC-DC1
and test the result. Finally, you will attach a task to the Windows Setup log to
notify you whenever an event is generated in the setup log on NYC-DC1, so that
you can track application installations, and you will attach a task to the 7036 event
to inform you of problems with services.
The main tasks for this exercise are:
1. Create a custom view to capture the relevant events.
2. Export a custom view.
3. Import a custom view.
4. Configure computers to forward and collect events.
5. Create a subscription to forward events from NYC-DC2 to NYC-DC1.
6. Attach a task to an event log and attach a task to an event.

Task 1: Create a custom view to capture the relevant events

1. On NYC-DC1, log on as Administrator with a password of Pa$$w0rd.
2. Launch Event Viewer from the Administrative Tools folder.
3. Right-click Custom Views, and then click Create Custom View.
4. Check the checkboxes beside Critical, Warning and Error.
5. Click the drop-down arrow beside Event Logs, expand Application and
Services Logs, select Directory Service and DNS Server, and then click OK.
6. Name the custom view Directory Service.

Task 2: Export a custom view

1. Right-click the Directory Service custom view and then click Export Custom
View.
2. Save the exported view as C:\Data\Active Directory.

Task 3: Import a custom view
1. Log on to NYC-DC2 as Administrator with a password of Pa$$w0rd.
2. Launch Event Viewer from the Administrative Tools folder.
3. Right-click Custom Views and then click Import Custom View.
4. Import the custom view from \\NYC-DC1\Data\Active Directory.xml.

Task 4: Configure computers to forward and collect events

1. On NYC-DC1 (the collector computer), open a Command Prompt, type
wecutil qc and Y, and then press ENTER to make the changes.
2. Close the command prompt.
3. Switch to NYC-DC2 (the source computer).
4. Open the Command Prompt, type winrm quickconfig and Y, and then press
ENTER to make the changes.
5. Close the command prompt.

Task 5: Create a subscription to forward events from NYC-DC2 to NYC-DC1
1. On NYC-DC1, in Event Viewer, right-click Subscriptions and then click
Create Subscription.
2. Name the subscription Service Events, click Collector Initiated and then click
Select Computers.
3. Click Add Domain Computers and then add NYC-DC2.
4. Click Select Events and then select Information events.
5. Click the drop-down arrow beside Event Logs, expand Windows Logs, and
then select the System log.
6. In the Event ID field, type 7036 and then click OK.
7. Click Advanced, click Specific User and then click User and Password.
8. Ensure the user name is Woodgrovebank\Administrator and then enter a
password of Pa$$w0rd.
9. Click Minimize Latency and then click OK twice. Click Yes to the Event
Viewer messages if they appear.
10. In the folder pane, click the Subscriptions folder and ensure that the System
Events subscription status is Active.
11. On NYC-DC2, open the Command Prompt.
12. In the Command Prompt, type Net Stop DNS and then press ENTER.
13. Type Net Start DNS and then press ENTER.
14. On NYC-DC1, click the Forwarded Events log. Examine the information
events.

Note: Actual events may take a few minutes to show up in the Forwarded Events
log. Start and stop the DNS service again if required.

Task 6: Attach a task to an event log and to an event

1. On NYC-DC1, expand Windows Logs, right-click the Setup log, and then click
Attach a Task to this Log.
2. In the Create a Basic Task wizard, click Next.
3. On the When a Specific Event is Logged screen, click Next.
4. On the Action screen, click Send an e-mail and then click Next.
5. On the Send an E-mail screen, type Event Viewer in the From field.
6. Type Administrator@woodgrovebank.com in the To field.
7. Type Application Installation in the Subject field.
8. Type Mail.Woodgrovebank.com in the SMTP Server field, and then click
Next and Finish.
9. Click the Forwarded Events log to open it.
10. Right-click one of the 7036 events and then click Attach Task To This Event.
11. On the Create a Basic Task screen, click Next.
12. On the When a Specific Event is Logged screen, click Next.
13. On the Action screen, click Display a Message.
14. On the Display a Message screen, type Service Event in the Title field and
type A service stopped or started in the Message field, click Next and then
click Finish. Click OK to acknowledge the Event Viewer message.
15. Switch to NYC-DC2 and repeat the steps to stop and start the DNS service.
The message box will appear displaying your message. Click OK to
acknowledge the message.

Note: The message box may be hidden behind the Event Viewer window. Look for it
on the Task Bar.

16. Close all open windows.

Result: At the end of this exercise, you will have monitored AD DS using Event
Viewer.
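
The filters this exercise builds in the Event Viewer user interface, expressed as the XML that both custom views and Get-WinEvent consume, as an added example that is not part of the course. It assumes Windows PowerShell 2.0 or later run elevated on a domain controller; the log names, level numbers (1 = Critical, 2 = Error, 3 = Warning, 4 = Information) and event 7036 are standard Windows values, and the computer names are the lab's NYC-DC1 and NYC-DC2.

```powershell
# Filter behind the "Directory Service" custom view from Task 1: Critical, Error
# and Warning events from the two Application and Services logs.
$DirectoryServiceView = @'
<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="DNS Server">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
'@

# Filter behind the "Service Events" subscription from Task 5: Information-level
# Service Control Manager event 7036 (a service entered the running/stopped state).
# {0} is replaced with the log to read: System on the source computer,
# ForwardedEvents on the collector.
$ServiceEventsQuery = @'
<QueryList>
  <Query Id="0" Path="{0}">
    <Select Path="{0}">*[System[Provider[@Name='Service Control Manager'] and (Level=4 or Level=0) and (EventID=7036)]]</Select>
  </Query>
</QueryList>
'@

function Get-DirectoryServiceProblem {
    # Returns the newest entries the custom view would display, one line each.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 50)
    Get-WinEvent -ComputerName $ComputerName -FilterXml ([xml]$DirectoryServiceView) `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, LevelDisplayName, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Get-ServiceStateChange {
    # Parses 7036 into service name and state. Read ForwardedEvents on NYC-DC1 to
    # see what the subscription delivered from NYC-DC2; read System locally.
    param([string]$LogName = 'System', [int]$MaxEvents = 100)
    $xml = [xml]($ServiceEventsQuery -f $LogName)
    Get-WinEvent -FilterXml $xml -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 7036 message text: "The <service> service entered the <state> state."
            if ($_.Message -match 'The (?<svc>.+) service entered the (?<state>\w+) state') {
                New-Object PSObject -Property @{
                    Time     = $_.TimeCreated
                    Computer = $_.MachineName   # the source DC for forwarded events
                    Service  = $Matches.svc
                    State    = $Matches.state
                }
            }
        }
}

# Usage matching the lab: problems on the local DC, then the DNS Server stop and
# start that Task 5 triggered on NYC-DC2, as received on NYC-DC1.
Get-DirectoryServiceProblem | Format-Table -AutoSize
Get-ServiceStateChange -LogName ForwardedEvents |
    Where-Object { $_.Service -eq 'DNS Server' } |
    Sort-Object Time | Format-Table Time, Computer, Service, State -AutoSize
```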

Exercise 2: Monitor AD DS Using Performance and Reliability Monitor
As the network administrator, you will configure Performance and Reliability
Monitor to monitor some of the directory service counters. You also will create
Data Collector Sets, monitor server performance using Performance Monitor, and
configure an alert to be triggered when free disk space is low.
The main tasks for this exercise are:
1. Configure Performance and Reliability Monitor to monitor AD DS.
2. Create a data collector set.
3. Configure an alert to be triggered when free disk space is low.

Task 1: Configure Performance and Reliability Monitor to monitor AD DS
1. On NYC-DC1, open the Reliability and Performance Monitor in the
Administrative Tools, and then click Performance Monitor.
2. Click the green Plus sign on the toolbar to add objects and counters.
3. In the Add Counters dialog box, expand the Directory Services object and
then add the DRA Inbound Bytes Total/sec counter.
4. Repeat the previous step to add the following counters:
• DRA Outbound Bytes Total/sec
• DS Threads In Use
• DS Directory Reads/sec
• DS Directory Writes/sec
5. Expand Security System-Wide Statistics and then add the Kerberos
Authentications counter.
6. Expand DNS and then add the UDP Query Received counter.

Task 2: Create a data collector set

1. In the folder pane, right-click Performance Monitor, click New, and then click
Data Collector Set.
2. Name the data collector set Active Directory.
3. Leave the Root directory as the default path and then click Finish.
4. Expand Data Collector Sets, expand User Defined, right-click the Active
Directory data collector set, and then click Start.
5. Expand Reports, expand User Defined, expand Active Directory, and then
click System Monitor Log.blg. The Report Status shows that the log is
collecting data.
6. Right-click the Active Directory data collector set and then click Stop.
7. Click the System Monitor Log.blg. The chart of the log is displayed in the
details pane.

Task 3: Configure an alert to be triggered when free disk space is low

1. Click Start, click Administrative Tools, and then click Reliability and
Performance Monitor.
2. Expand Data Collector Sets, right-click User Defined, click New, and then
click Data Collector Set.
3. Name the alert Low Disk Space Alert, click Create manually (Advanced),
and then click Next.
4. Click Performance Counter Alert and then click Next.
5. Add the %Free Space counter from the Logical Disk object and then click OK.
6. In the Alert when field, select Below, in the Limit field type 90 and then click
Next.

Note: You are setting the threshold extremely high to ensure that you will trigger an
alert.

7. Click Save and Close, and then click Finish.
8. Click the Low Disk Space Alert data collector set in the folder pane and then
double-click the DataCollector01 in the details pane to open the Property
page.
9. Click the Alert Action tab, check the checkbox to Log an entry in the
application event log, and then click OK.
10. In the folders pane, right-click the Low Disk Space Alert data collector set and
then click Start. Let the alert run for about one minute.
11. Open the Application Log and view the entries.
12. Right-click the Low Disk Space Alert data collector set and then click Stop.
13. Close all open windows.

Result: At the end of this exercise, you will monitor AD DS using Performance and
Reliability Monitor.

Exercise 3: Configure AD DS Auditing

As the network administrator, you have been tasked with implementing an audit
policy to track specific events occurring in Active Directory. First, you will examine
the audit policy’s current state. Then you will configure auditing as required to
track successful and unsuccessful modifications made to Active Directory objects,
including the old and new values of attributes. Finally, you will test the policy.
The main tasks for this exercise are:
1. Examine the current state of the audit policy.
2. Enable Audit Directory Service Access on domain controllers.
3. Set the SACL for the domain.
4. Test the policy.

Task 1: Examine the current state of the audit policy

1. On NYC-DC1, open the Command Prompt.
2. In the command-prompt window, type Auditpol.exe /get /category:* and
press ENTER. Then examine the default audit-policy settings.
3. Minimize the command prompt.

Task 2: Enable Audit Directory Service Access on domain controllers

1. On NYC-DC1, open Group Policy Management.
2. Open the Group Policy Objects folder and edit the Default Domain
Controllers policy.
3. Expand Computer Configuration, expand Windows Settings, expand
Security Settings, expand Local Policies, and then click Audit Policy. Notice
that all policy settings are set to Not Defined.
4. Double-click Audit Directory Service Access, define the policy settings for
both Success and Failure, and then click OK.
5. Close the Group Policy Management Editor and then close the Group Policy
Management console.
6. Restore the Command Prompt and then type Gpupdate.

7. When the update completes, run the Auditpol.exe /get /category:* command
again and then examine the default audit-policy settings.
8. Close the command prompt.

Task 3: Set the SACL for the domain

1. Open Active Directory Users and Computers.
2. Click the View menu and then click Advanced Features.
3. Right-click the woodgrovebank.com domain object and then click Properties.
4. In the Properties dialog box, click the Security tab, click Advanced, click the
Auditing tab and then click Add.
5. In the Select Users dialog box, type Everyone and then click OK.
6. In the Auditing Entry for Woodgrovebank dialog box, check the checkbox to
audit both Successful and Failed for Write all Properties, and then click OK
twice.

Task 4: Test the policy

1. Rename the Toronto OU to GTA.
2. Open Event Viewer, expand Windows Logs, and then click Security. Open
event 4662 and examine the event.
3. Return to Active Directory Users and Computers and edit any user account
to change the phone number.
4. Return to Event Viewer and examine the resulting directory service changes
events.
5. Close all open windows.
6. Shut down all virtual machines without saving any changes.

Result: At the end of this exercise, you will have configured AD DS Auditing.
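
The audit-policy check from Task 1, the subcategory setting the lesson's question asks about, and a reader for the directory service changes events that the SACL from Task 3 produces, as an added example that is not from the course. It assumes Windows PowerShell 2.0 or later run elevated on a Windows Server 2008 domain controller; event 5136's field names (ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType, OpCorrelationID) are its documented schema, auditpol's /r switch is its CSV report mode, and the domain DN is the lab's.

```powershell
function Get-AuditSubcategorySetting {
    # Machine-readable form of "Auditpol.exe /get /category:*" from Task 1:
    # /r makes auditpol emit CSV, which ConvertFrom-Csv turns into objects.
    param([string]$Subcategory = 'Directory Service Changes')
    auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match '\S' } |      # drop the blank line auditpol prints first
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Enable-DirectoryServiceChangeAuditing {
    # Subcategories can only be set with Auditpol.exe. Caveat: the category-level
    # "Audit directory service access" setting that Task 2 defines in Group Policy
    # is reapplied at every refresh and resets the subcategories unless the
    # security option "Audit: Force audit policy subcategory settings (Windows
    # Vista or later) to override audit policy category settings" is enabled.
    auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
    Get-AuditSubcategorySetting
}

function Get-DirectoryChange {
    # Reads 5136 (attribute modified). One modification yields two events with
    # the same OpCorrelationID: Value Deleted (old value) and Value Added (new).
    param([string]$ObjectDN = '*', [int]$MaxEvents = 500)
    $opNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }
    $rows = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.ObjectDN -like $ObjectDN) {
                $op = $opNames[$data.OperationType]
                if (-not $op) { $op = $data.OperationType }
                New-Object PSObject -Property @{
                    Time        = $_.TimeCreated
                    Subject     = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                    ObjectDN    = $data.ObjectDN
                    Attribute   = $data.AttributeLDAPDisplayName
                    Operation   = $op
                    Value       = $data.AttributeValue
                    Correlation = $data.OpCorrelationID
                }
            }
        }
    # Collapse each correlated pair into one row showing old and new value.
    $rows | Group-Object Correlation | ForEach-Object {
        $old = $_.Group | Where-Object { $_.Operation -eq 'Value Deleted' } | Select-Object -First 1
        $new = $_.Group | Where-Object { $_.Operation -eq 'Value Added' }   | Select-Object -First 1
        $any = $_.Group | Select-Object -First 1
        New-Object PSObject -Property @{
            Time      = $any.Time
            Subject   = $any.Subject
            ObjectDN  = $any.ObjectDN
            Attribute = $any.Attribute
            OldValue  = $(if ($old) { $old.Value })
            NewValue  = $(if ($new) { $new.Value })
        }
    }
}

# Usage: confirm the subcategory, then show the OU rename and the phone-number
# edit from Task 4 with their before and after values.
Get-AuditSubcategorySetting | Format-Table -AutoSize
Get-DirectoryChange -ObjectDN '*DC=woodgrovebank,DC=com' |
    Sort-Object Time | Format-Table Time, Subject, ObjectDN, Attribute, OldValue, NewValue -AutoSize
```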

Module Review and Takeaways

Review Questions
1. What kinds of events are logged in the Setup log?
2. For what event ID would you filter to see deleted user accounts?
3. What service must you enable on computers collecting subscription events
from remote computers?
4. Where can you get up to date information about event IDs?
5. Where can you get historical information about application failures?
6. The NTDS\DRA Pending Replication Synchronizations counter is now
consistently higher than the established baseline value for that counter. What
might this indicate?
7. You want to view all the occurrences of a particular event ID across multiple
logs. What is the best way to accomplish this?

Considerations for Implementing an Active Directory Domain Services Monitoring Plan
Consider the following when implementing an Active Directory Domain Services
monitoring plan:
• Event viewer enables you to save filters as reusable custom views.
• Cross-log queries allow you to display data from multiple logs in a single view.
• Subscriptions allow you to gather events from remote computers.
• Application and Services Logs provide more detailed logs that pertain to
specific Windows services.
• Event logs online provide up-to-date information about events.
• Application and service logs include admin, operational, analytic, and debug
logs.
• A log will be created for each server role you install.
• You can import and export custom views.
• Subscriptions require configuration on both the collecting and source
computers.
• Windows Reliability and Performance Monitor provides real-time information
in the resource view.
• The Reliability Monitor provides a graphical display of system stability over
time.
• You can generate user-friendly reports.
• Performance monitor provides a wide range of Active Directory objects and
counters.
• You should establish baselines to determine a computer’s performance under
a normal workload.
• The System Stability Report tracks multiple categories of events and keeps a
historical record.
• Data Collector Sets allow you to group data collectors into reusable elements.

• There are a number of built-in Data Collector Sets or you can define your own.
• Active Directory auditing can track all events that happen in the Active
Directory.
• Audit directory service access is divided into four subcategories.
• Directory service changes subcategory provides old and new values when you
modify attributes.
• You must use Auditpol.exe to configure subcategories.
• SACLs must be set on objects to allow auditing before you can collect any
results.

Module 9
Implementing an Active Directory® Domain
Services Maintenance Plan
Contents:
Lesson 1: Maintaining the AD DS Domain Controllers 9-3
Lesson 2: Backing Up Active Directory Domain Services 9-14
Lesson 3: Restoring Active Directory Domain Services 9-18
Lab: Implementing an Active Directory Domain Services
Maintenance Plan 9-29

Module Overview

As a Windows Server® 2008 administrator, one of your tasks will be to maintain
your organization’s Active Directory® Domain Services (AD DS) domain
controllers. An important component in maintaining the domain controllers is
managing, backing up, and restoring the AD DS data store.

Lesson 1:
Maintaining the AD DS Domain Controllers

Maintaining the AD DS database is an important administrative task that you must
schedule regularly to ensure that, in the case of disaster, you can recover lost or
corrupted data and repair the Active Directory database.
Active Directory has its own database engine, the Extensible Storage Engine (ESE),
which manages the storage of all Active Directory objects in an Active Directory
database. By understanding how changes to attributes in Active Directory are
written to the database, you will understand how data modification affects
database performance and fragmentation, and data integrity.

The Active Directory Domain Services Database and Log Files

Key Points
The Active Directory database engine, ESE, stores all of the Active Directory
objects. The ESE uses transactions and log files to ensure the Active Directory
database’s integrity.

Additional Reading
• How the Data Store Works

How the AD DS Database Is Modified

Key Points
The key points of the Active Directory data-modification process are:
• A transaction is a set of changes made to the AD DS database and the
associated metadata.
• The basic data modification process consists of six steps:
1. The write request initiates a transaction.
2. Active Directory writes the transaction to the transaction buffer in
memory.
3. Active Directory writes the transaction in the transaction log.
4. Active Directory writes the transaction from the memory buffer to the
database.

5. Active Directory compares the database and log files to ensure that the
transaction was committed to the database.
6. Active Directory updates the checkpoint file.

Caching and logging improve database performance by enabling Active Directory
to process additional transactions before writing them to the database.

Question: What other Microsoft services use a transactional model for making
database changes? How does the AD DS model compare to these other services?

Additional Reading
• How the Data Store Works

Managing the Active Directory Database Using NTDSUtil Tool

Key Points
Ntdsutil.exe is a command-line tool that you can use to manage AD DS. You can
perform many maintenance tasks that cannot be done in the graphical user
interface (GUI), including offline database defragmentation, moving the database
and its transaction log, removing and restoring deleted objects from Active
Directory, seizing operations master (also known as flexible single master
operations or FSMO) roles, and managing snapshots of the database. You also can
include these commands in a batch file.

Question: You have forgotten the directory services restore-mode password for
your domain controller. How can you recover the password?

Additional Reading
• NTDSUtil Help
• Data Store Tools and Settings

What Is an AD DS Database Defragmentation?

Key Points
Over time, fragmentation occurs as records in the Active Directory database are
deleted and new records are added or expanded. When records become
fragmented, the computer must search the disk to find and reassemble all pieces
each time the database is opened. If many changes are made to the Active
Directory database, fragmentation could slow its performance.

Question: How often will you need to perform an offline defragmentation of your
AD DS databases in your environment?

Additional Reading
• Performing offline defragmentation of the Active Directory database
• Data Store Tools and Settings

What Are Restartable Active Directory Domain Services?

Key Points
Active Directory Domain Services in Windows Server 2008 can be stopped and
restarted while the machine is booted up. In previous versions, if an administrator
wanted to start a domain controller without loading Active Directory, the server
had to be rebooted into Active Directory Restore Mode. This would start the server
as a member server, without Active Directory. You then could perform offline
maintenance tasks, such as an offline defragmentation or moving the database and
log files. With Windows Server 2008, the directory service can be taken offline
while the machine is running, with minimal disruption to other services.

Additional Reading
• AD DS: Restartable Active Directory Domain Services
• Windows Server 2008 Technical Library

Demonstration: Performing AD DS Database Maintenance Tasks

Demonstration steps
To perform these steps, you must be a member of the built-in Administrators
group on the domain controller.
1. Stop Active Directory Domain Services.
2. Open a command prompt.
3. Start ntdsutil.
4. At the ntdsutil: prompt, type Activate Instance NTDS and then press ENTER.
5. At the ntdsutil: prompt, type files and then press ENTER.
6. Compact the database, using a temporary directory for the new ntds.dit.

7. Overwrite the old ntds.dit with the new compacted version, and then delete
any log files (*.log) in the %systemroot%\NTDS\ folder.
8. In the ntdsutil File Maintenance command window, type integrity to check
the integrity of the new compacted database.
9. In the File Maintenance command window, type move db to pathname and
then press ENTER. The ntds.dit file is moved to the new location and
permissions are set accordingly.
10. Start Active Directory Domain Services.
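
The demonstration steps above as one script, using the batch form of ntdsutil that the NTDSUtil topic mentions, as an added example that is not part of the course. It assumes Windows PowerShell 2.0 or later run elevated on a Windows Server 2008 domain controller; $TempFolder is a constructed path on a local volume with at least as much free space as the current ntds.dit and without spaces (ntdsutil quoting), and step 9 (moving the database) is left out.

```powershell
function Invoke-NtdsOfflineCompact {
    param(
        [string]$NtdsFolder = (Join-Path $env:SystemRoot 'NTDS'),
        [string]$TempFolder = 'C:\NtdsCompact'   # constructed; any local path
    )
    $ErrorActionPreference = 'Stop'
    $dit    = Join-Path $NtdsFolder 'ntds.dit'
    $newDit = Join-Path $TempFolder 'ntds.dit'
    $backup = Join-Path $TempFolder ('ntds.dit.pre-compact.' + (Get-Date -Format 'yyyyMMdd-HHmm'))
    New-Item -ItemType Directory -Path $TempFolder -Force | Out-Null

    # Step 1: stop AD DS (restartable AD DS). Record which dependent services
    # (DNS Server, KDC, Netlogon and so on) were running so step 10 can restart
    # them; Stop-Service -Force stops them along with NTDS.
    $ntds = Get-Service NTDS
    $dependents = @($ntds.DependentServices | Where-Object { $_.Status -eq 'Running' })
    Stop-Service NTDS -Force
    $ntds.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

    try {
        # Steps 3-6: compact into the temporary directory. The original file is
        # not touched until the compacted copy is confirmed to exist.
        & ntdsutil "activate instance ntds" files "compact to $TempFolder" quit quit
        if (-not (Test-Path $newDit)) {
            throw "ntdsutil produced no $newDit; original database left untouched."
        }

        # Step 7: keep a copy of the old file, overwrite it with the compacted
        # version, and delete the transaction logs.
        Copy-Item $dit $backup
        Copy-Item $newDit $dit -Force
        Remove-Item (Join-Path $NtdsFolder '*.log')

        # Step 8: integrity check. ntdsutil reports "Integrity check successful."
        # when the check passes; anything else rolls the old file back.
        $report = & ntdsutil "activate instance ntds" files integrity quit quit
        $report
        if (-not ($report -match 'Integrity check successful')) {
            Copy-Item $backup $dit -Force
            throw 'Integrity check failed; the pre-compaction ntds.dit was put back.'
        }
    }
    finally {
        # Step 10: start AD DS again, then the dependents that were running before.
        Start-Service NTDS
        $dependents | ForEach-Object { Start-Service $_.Name -ErrorAction Continue }
    }
}

Invoke-NtdsOfflineCompact
```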

Questions: Why is it necessary to stop the AD DS before defragmenting?

Why is it necessary to compact the database to a temporary directory first?

Additional Reading
• Compact the directory database file (offline defragmentation)

Locking Down Services on AD DS Domain Controllers

Key Points
As part of a comprehensive security plan, you can increase a domain controller’s
security by removing all unnecessary services and features. This both reduces the
attack surface and improves performance.

Additional Reading
• Security Configuration Wizard Overview

Lesson 2
Backing Up Active Directory Domain Services

Because of the importance of AD DS for most organizations, it is critical that you
can restore AD DS functionality in the event of database corruption, server failure,
or a more serious disaster, such as the failure of a data center that contains
multiple servers. To prepare for disaster recovery, you must implement a
consistent policy of backing up the AD DS information on domain controllers.

Introduction to Backing Up AD DS

Key Points
You can use Windows Server Backup to back up Active Directory. Windows Server
Backup is not installed by default. You must install it using Add Features in Server
Manager before you can use the Wbadmin.exe command-line tool or Backup tool
in Administrative Tools.

Question: What other process could you use to back up the system state data on a
domain controller?

Additional Reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery

Windows Server Backup Features

Key Points
Windows Server Backup is the new backup utility that Windows Server 2008
provides. To use Windows Server Backup, you must install it as a feature. If you
want to use the Windows Server Backup command-line tools, you also must install
the Windows PowerShell feature.

Additional Reading
• Windows Server 2008 Technical Library

Demonstration: Backing Up AD DS

Questions: Why should backups be scheduled?

How often should a full backup be performed? How often should an incremental
or differential backup be performed?

Additional Reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery

Lesson 3
Restoring Active Directory Domain Services

After implementing an AD DS backup system, you can move to planning and
implementing AD DS restores. In Windows Server 2008, you have several options
available for restoring AD DS information. This lesson describes when and how to
use each option.

Overview of Restoring AD DS

Key Points
In Windows Server 2008, you have several options available for restoring AD DS.
The option that you choose depends on the disaster-recovery scenario that you
need to address.

Additional Reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery

What Is a Nonauthoritative AD DS Restore?

Key Points
You can use a backup to perform a nonauthoritative restore of a domain controller.
A nonauthoritative restore returns the directory service to its state at the time that
the backup was created. After the restore operation completes, AD DS replication
updates the domain controller with changes that have occurred since the time that
the backup was created. In this way, the domain controller is recovered to a
current state.

Question: What would happen if you did not enter the second bcdedit command
after restoring the AD DS database?

Additional reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery

What Is an Authoritative AD DS Restore?

Key Points
An authoritative restore provides a method to recover objects and containers that
have been deleted from AD DS. When an object is marked for authoritative restore,
its version number is changed so that it is higher than the existing version number
of the (deleted) object in the Active Directory replication system. This change
ensures that any data that you restore authoritatively is replicated from the
restored domain controller to the forest’s other domain controllers.

Question: What would happen if you did not enter the second bcdedit command
after restoring the AD DS database?

Additional Reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery
• Performing an Authoritative Restore of Active Directory Objects

What Is the Database Mounting Tool?

Key Points
The Database Mounting Tool (Dsamain.exe) allows administrators to view and
compare data in database snapshots (backups) without having to restore those
backups, which saves on downtime and speeds the domain-recovery process.

Additional Reading
• AD DS: Database Mounting Tool
• Step-by-Step Guide for Using the Active Directory Database Mounting Tool in
Windows Server 2008 Beta 3

Demonstration: Using the Database Mounting Tool

Demonstration Steps
To perform this procedure, you must be logged on to a domain controller as a
member of either the Enterprise Admins group or the Domain Admins group.
1. Start a command prompt in administrative privilege.
2. At the command prompt, type ntdsutil and then press ENTER.
3. At the ntdsutil prompt, type snapshot and then press ENTER.
4. At the snapshot prompt, type activate instance ntds and then press ENTER.
5. At the snapshot prompt, type create and then press ENTER. The command
returns the following output: Snapshot set {GUID} generated successfully.
6. At the snapshot prompt, type mount {GUID}. The mounted snapshot will
appear in the file system.

Note: Be sure to include the curly braces around the GUID.

7. The mounted snapshot will appear in the file system.


8. Type quit twice to return to the command prompt.
9. At the command prompt, type the following (on one line) and then press
ENTER:
Dsamain -dbpath:C:\$SNAP_200708311630_VOLUMEC$\WINDOWS\NTDS\ntds.dit -ldapport:51389 -sslport:51390 -gcport:51391 -gcsslport:51392

Note: Your snapshot path will probably be different.

10. A message indicates that Active Directory Domain Services startup is complete.
LEAVE Dsamain.exe running. Do not close the command prompt.
11. At the run line, type LDP, and then click OK.
12. Click Connection, and then click Connect.
13. In Server, type localhost, and in Port type 51389, and then click OK.
14. Click Connection and then click Bind.
15. In Bind type, click Bind as currently logged on user. Click OK.
16. Click View, and then click Tree.
17. In BaseDN, type dc=woodgrovebank,dc=com.
18. Browse the containers for a user object. Double-click the user to view its
properties.
19. Close LDP.exe
20. Stop Dsamain.exe by pressing CTRL+C.

Questions: When would it be useful to mount multiple snapshots at the same
time?

Why is it necessary to specify different LDAP, SSL and GC ports for each mounted
instance of the database?

Additional Reading
• Step-by-Step Guide for Using the Active Directory Database Mounting Tool in
Windows Server 2008 Beta 3

Reanimating Tombstoned AD DS Objects

Key Points
A tombstoned object is one that is marked as deleted in Active Directory. When an
administrator deletes an object, it is converted into a tombstone. The tombstone
remains in the Active Directory database in a deactivated state for 180 days (the
default tombstone lifetime). The tombstone is replicated to the domain's other
domain controllers and then deleted on each domain controller at the end of the
tombstone lifetime.
When an object is marked as a tombstone, the isDeleted attribute on the object is
set to True and most of the other attributes are deleted. Only a few critical
attributes (SID, ObjectGUID, LastKnownParent, and SAMAccountName) are
retained. This means that even if the administrator reanimates the object, it no
longer has all the information it once had. You must recreate the missing attribute
values manually.

Note: The Database Mounting Tool can be used to view the attributes for the
deleted object in a snapshot that was made before the object was deleted. This
makes it easier to recover the deleted item.

Additional Reading
• How to restore deleted user accounts and their group memberships in Active
Directory

Lab: Implementing an Active Directory Domain Services Maintenance Plan

Scenario:
Woodgrove Bank has completed its AD DS deployment. To ensure high availability
and performance for the AD DS servers, the organization is implementing a
maintenance plan that includes ongoing AD DS database maintenance and
implementation of a disaster-recovery plan. The server administrator has prepared
a backup plan that includes daily backups of the system volume of a domain
controller in each domain. The server administrator also has prepared plans for
recovering AD DS data in several scenarios. You need to implement these plans.

Exercise 1: Maintaining AD DS domain controllers


In this exercise, you will implement a plan for maintaining AD DS domain
controllers. Tasks include running the SCW to disable all services that are not
required on the domain controllers, moving the AD DS databases to an alternate
hard disk, and performing an offline defragmentation of the AD DS database.
The main tasks in this exercise are as follows:
1. Start the 6425A-NYC-DC1 virtual machine and log on as Administrator, with
a password of Pa$$w0rd.
2. Use the Security Configuration Wizard to lock down services and configure
the firewall on NYC-DC1.
3. Perform an offline defragmentation of the AD DS database.
4. Move the AD DS database.

Task 1: Start the 6425A-NYC-DC1 virtual machine and log on as Administrator
• Start 6425A-NYC-DC1 and log on as Administrator using the password
Pa$$w0rd.

Task 2: Use the Security Configuration Wizard to lock down services and configure the firewall on NYC-DC1
1. Start the Security Configuration Wizard from Server Manager.
2. Choose the option to create a new security policy for NYC-DC1.
3. Run the Security Configuration Wizard with the following options:
• Select the Domain Controller (Active Directory) server role.
• Enable the DHCP Client and the DNS Registration Client.
• Enable the Active Directory – Global Catalog and the Active Directory –
RsoP Planning Mode services.
4. Accept the defaults for the Windows Firewall configuration.

5. Configure the Registry settings as follows.
• Require SMB Security Signatures.
• Enable only Windows 2000 Service Pack 3 or later client computers.
• Allow only Windows NT 4.0 Service Pack 6a or later operating systems
and Clocks that are synchronized with the selected server’s clock.
• Do not allow Computers that require LAN Manager authentication and
Computers that have not been configured to use NTLMv2
authentication to connect.
6. Configure the Audit Policy to Audit successful and unsuccessful activities.
7. Save the security policy using a file name of c:\windows\security\msscw\
policies\NYC-DC1.xml.
8. Choose the option to apply the policy later.

Task 3: Perform an offline defragmentation of the AD DS database
1. On 6425A-NYC-DC1, stop the Active Directory Domain Services.
2. Open a command prompt and start the ntdsutil tool.
3. Activate the NTDS instance.
4. Use the files command to compact the AD DS database to C:\temp.
5. Check the integrity of the defragmented database.
6. Copy the c:\temp\ntds.dit file to c:\Windows\NTDS\ntds.dit.
7. Delete all the log files in the C:\Windows\NTDS folder.
8. Start the Active Directory Domain Services.

Task 4: Move the AD DS database
1. On 6425A-NYC-DC1, stop the Active Directory Domain Services.
2. Open a command prompt and start the ntdsutil tool.
3. Activate the NTDS instance.
4. Use the file-maintenance command to move the AD DS database to
C:\DSData.
5. Start the Active Directory Domain Services.

Result: At the end of this exercise, you will have run the SCW to lock down
services on an AD DS domain controller and performed AD DS database-
maintenance tasks.

Exercise 2: Backing Up AD DS
In this exercise, you will install the Windows Server Backup feature and then use it
to schedule a backup of the AD DS information. You also will perform an on-
demand backup of the system volume.
The main tasks for this exercise are as follows:
1. Install all of the Windows Server Backup Features.
2. Create a Scheduled Backup.
3. Complete an On-Demand Backup.

Task 1: Install the Windows Server Backup Feature
• In Server Manager, install all of the Windows Server Backup features.

Task 2: Create a Scheduled Backup
1. Start Windows Server Backup and create a scheduled backup with the
following settings:
• Backup type: Custom
• Backup items: C: drive only
• Backup time: 12:00 am every day
• Destination disk: Disk 1
2. Open the Task Scheduler and review the scheduled backup task you just
created.

Task 3: Complete a System Backup
1. At a command prompt, use the wbadmin start systemstatebackup
-backupTarget:D: command to create a system state backup.
2. The backup will take about 5-7 minutes to complete.

Result: At the end of this exercise, you will have installed the Windows Server Backup
feature and then used it to schedule a backup of the AD DS information and to perform
an on-demand backup.

Exercise 3: Performing a Nonauthoritative Restore of the AD DS Database
In this exercise, you will test the functionality of a nonauthoritative restore. First
you will delete an organizational unit (OU) in AD DS and then ensure that the OU
deletion has been replicated to another domain controller. Then you will restore
the OU using a nonauthoritative restore and verify that the OU is again deleted
through replication.
The main tasks for this exercise are as follows:
1. Start the 6425A-NYC-DC2 virtual machine and log on as Administrator.
2. Delete the Toronto OU.
3. Verify replication to NYC-DC2 and disable the network card.
4. Restart NYC-DC1 in Directory Services Restore Mode.
5. Perform a Non-Authoritative Restore of the AD DS Database.
6. Verify that the Toronto OU has been restored.
7. Enable the network connection for NYC-DC2 and verify that replication
deletes the Toronto OU.

Task 1: Start the 6425A-NYC-DC2 virtual machine and log on as Administrator
• Start 6425A-NYC-DC1 and log on as Administrator using the password
Pa$$w0rd.

Task 2: Delete the Toronto OU
• On NYC-DC1, delete the Toronto OU.

Task 3: Verify replication to NYC-DC2 and disable the network card
1. On NYC-DC2, in Active Directory Users and Computers, verify that the
deletion of the Toronto OU has been replicated to NYC-DC2.
2. Disable the Local Area Connection on NYC-DC2.

Task 4: Restart NYC-DC1 in Directory Services Restore Mode
1. On NYC-DC1, restart the server in Directory Services Restore Mode.
2. Log on as the local Administrator using a password of Pa$$w0rd.

Task 5: Perform a Non-Authoritative Restore of the AD DS Database
1. Start a command prompt with administrator permissions.
2. Use the wbadmin get versions -backuptarget:D: -machine:NYC-DC1
command to get the version information for the backup you created.
3. Restore the system state information by using the wbadmin start
systemstaterecovery -version:version -machine:NYC-DC1 command.
4. When the restore finishes, restart the computer.

Task 6: Verify that the Toronto OU has been restored
• On NYC-DC1, verify that the Toronto OU has been restored.

Task 7: Enable the network connection for NYC-DC2 and verify that replication deletes the Toronto OU
1. On NYC-DC2, enable the Local Area Network connection.
2. On NYC-DC1, in Active Directory Sites and Services, force replication with
NYC-DC2.
3. In Active Directory Users and Computers, verify that the Toronto OU has
been deleted through replication.

Result: At the end of this exercise, you will have performed a non-authoritative
restore of AD DS information and verified that the OU is again deleted through
replication.

Exercise 4: Performing an Authoritative Restore of the AD DS Database
In this exercise, you will perform an authoritative restore of the AD DS database.
You will then verify that the restored data is not overwritten by replication.
The main tasks are as follows:
1. Restart NYC-DC1 in Directory Services Restore Mode.
2. Restore the system state data.
3. Mark the restored information as authoritative and restart the server.
4. Verify that the deleted data has been restored.

Task 1: Restart NYC-DC1 in Directory Services Restore Mode
1. Start a command prompt with administrator permissions.
2. Use the bcdedit /set safeboot dsrepair command to configure the server to
start in Directory Services Restore Mode. Restart the server.

Task 2: Restore the system state data
1. Log on as Administrator using a password of Pa$$w0rd.
2. Start a command prompt with administrator permissions.
3. Use the wbadmin get versions -backuptarget:D: -machine:NYC-DC1
command to get the version information for the backup you created.
4. Restore the system state information by using the wbadmin start
systemstaterecovery -version:version -machine:NYC-DC1 command.

Task 3: Mark the restored information as authoritative and restart the server
1. At the command prompt, use NTDS to perform an authoritative restore on
“OU=Toronto,DC=Woodgrovebank,DC=com”
2. To restart the server normally after you perform the restore operation, type
bcdedit /deletevalue safeboot, and then press ENTER.
3. Restart the server.

Task 4: Verify that the deleted data has been restored
1. After the server restarts, log on as administrator
2. Open Active Directory Users and Computers, and verify that the Toronto
OU was restored.
3. On NYC-DC2, open Active Directory Users and Computers. Verify that the
Toronto OU has also been restored on this server.

Result: At the end of this exercise, you will have performed an authoritative restore
of AD DS information.

Exercise 5: Restoring Data Using the AD DS Database Mounting Tool
In this exercise, you will use the AD DS Database Mounting Tool to assist in
restoring data from a deleted AD DS object. Tasks include using NTDSUtil to
create a snapshot of the AD DS volume, deleting a user account from AD DS, and
using NTDSUtil to mount the snapshot. Then you will restore the account using
LDP, and view the details for the account from the snapshot.
The main tasks in this exercise are as follows:
1. Create and mount a snapshot of the AD DS information.
2. Modify and then delete a user account in AD DS.
3. Use LDP to restore the deleted user account.
4. View the information for the deleted user account in the mounted snapshot.

Task 1: Create and mount a snapshot of the AD DS information
1. On NYC-DC1, in Active Directory Users and Computers, in the ITAdmins
OU, right-click Axel Delgado and click Properties. Add the following
information to the user-account properties and then click OK:
• Description: IT Administrator
• Office: Head Office
• Telephone Number: 555-5555
2. Start a command prompt, with administrative permissions.
3. At the command prompt, type ntdsutil then press ENTER.
4. At the ntdsutil prompt, type snapshot then press ENTER.
5. At the snapshot prompt, type activate instance ntds then press ENTER.
6. At the snapshot prompt, type create then press ENTER. The command returns
the following output: Snapshot set {GUID} generated successfully. Leave this
window open.
7. At the snapshot prompt, type mount {GUID} and then press ENTER. The
GUID is the GUID displayed in the previous command. The mounted
snapshot will appear in the file system.

8. At the snapshot prompt, type list all and press ENTER. Identify the number
assigned to the snapshot you just created.
9. At the snapshot prompt, type mount number and press ENTER. The number is
the number displayed in the previous command. The mounted snapshot will
appear in the file system.
10. Exit NTDSUtil, but keep the command prompt open.

Task 2: Delete a user account
• Delete Axel Delgado’s account.

Task 3: Use LDP to restore the deleted user account
1. At the command prompt, type the following and press ENTER:
Dsamain -dbpath <path to snapshot ntds.dit> -ldapport 51389
2. Do not close the command prompt.
3. Start LDP, and connect and bind to the local server.
4. On the Options menu, add the Return Deleted Objects control.
5. On the View menu, click Tree. Click OK.
6. Expand DC=Woodgrove Bank,DC=com and then click CN=Deleted
Items,DC=Woodgrove Bank,DC=com.
7. Right-click CN=Axel Delgado and then click Modify.
8. In the Attribute box, type isDeleted. Under Operation, click Delete and then
click ENTER.
9. In the Attribute box, type distinguishedName.
10. In the Values box, type CN=Axel
Delgado,ou=ITAdmins,dc=woodgrovebank,dc=com.
11. Under Operation, click Replace and then click ENTER.
12. Select the Extended check box.
13. Click Run.
14. Open Active Directory Users and Computers, and verify that Axel Delgado's
account has been restored to the ITAdmins OU and that the account is
disabled.

Task 4: View the information for the deleted user account in the mounted snapshot
1. Click Start, click Run, type LDP, and then click OK.
2. Connect and bind to the localhost, using port 51389.
3. In BaseDN, type dc=woodgrovebank,dc=com.
4. Browse to the ITAdmins OU and double-click CN=Axel Delgado. View the
Description, physicalDeliveryOfficeName, and Telephone Number Attributes.
You now can add the information in these attributes to the user object in
Active Directory Users and Computers. Close LDP.exe.

Task 5: Shut down all virtual machines and discard any changes

Result: At the end of this exercise, you will have restored a deleted user account and
viewed the restored user properties using the AD DS data-mining tool.
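The following Python model is an added illustration of the tombstone and reanimation steps described in the "Reanimating Tombstoned AD DS Objects" topic and carried out with LDP in Exercise 5; it is not course material or Microsoft code. It keeps only the attributes a tombstone retains, applies the same modify operation LDP performs (remove isDeleted, replace distinguishedName), and then fills the attributes that were lost from a copy read out of a snapshot. The user values, GUID and SID are constructed; in AD DS the container that holds tombstones is named CN=Deleted Objects.

```python
"""Model of AD DS tombstoning and reanimation. Constructed example data; not
course material, not Microsoft code. Object names and DNs are hypothetical."""
import copy
from typing import Optional

# Attributes kept on a tombstone. The course names objectSid, objectGUID,
# lastKnownParent and sAMAccountName; the others are the bookkeeping
# attributes the reanimation step itself needs.
RETAINED_ON_DELETE = {
    "objectSid", "objectGUID", "lastKnownParent", "sAMAccountName",
    "objectClass", "distinguishedName", "isDeleted",
}
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200


def split_dn(dn: str):
    """Return (rdn, parent) for a DN without escaped commas (assumed here)."""
    rdn, _, parent = dn.partition(",")
    return rdn, parent


def delete_object(obj: dict, domain_dn: str) -> dict:
    """Turn a live object into a tombstone under CN=Deleted Objects."""
    rdn, parent = split_dn(obj["distinguishedName"])
    tomb = {k: v for k, v in obj.items() if k in RETAINED_ON_DELETE}
    tomb["isDeleted"] = True
    tomb["lastKnownParent"] = parent
    # The tombstone RDN is the old RDN plus a delete marker and the objectGUID.
    tomb["distinguishedName"] = (
        f"{rdn}\\0ADEL:{obj['objectGUID']},CN=Deleted Objects,{domain_dn}"
    )
    return tomb


def reanimate(tomb: dict, target_dn: Optional[str] = None) -> dict:
    """The modify LDP performs (with the Return Deleted Objects control on):
    remove isDeleted and replace distinguishedName in one operation."""
    if not tomb.get("isDeleted"):
        raise ValueError("object is not a tombstone")
    live = copy.deepcopy(tomb)
    del live["isDeleted"]
    rdn, _ = split_dn(tomb["distinguishedName"])
    rdn = rdn.split("\\0ADEL:")[0]
    live["distinguishedName"] = target_dn or f"{rdn},{tomb['lastKnownParent']}"
    del live["lastKnownParent"]
    # A reanimated user account comes back disabled, as the lab observes.
    live["userAccountControl"] = UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE
    return live


def lost_attributes(original: dict, reanimated: dict) -> set:
    """Attributes the tombstone stripped; the administrator must restore these."""
    return set(original) - set(reanimated)


def fill_from_snapshot(reanimated: dict, snapshot_obj: dict, attrs: set) -> dict:
    """Copy attribute values read from a mounted snapshot into the live object."""
    for attr in attrs:
        if attr in snapshot_obj:
            reanimated[attr] = snapshot_obj[attr]
    return reanimated


def recover_user() -> dict:
    """Delete, reanimate and re-populate a constructed user; returns the result."""
    domain_dn = "DC=woodgrovebank,DC=com"
    original = {
        "distinguishedName": f"CN=Axel Delgado,OU=ITAdmins,{domain_dn}",
        "objectClass": "user",
        "objectGUID": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0",  # constructed
        "objectSid": "S-1-5-21-1-2-3-1105",                    # constructed
        "sAMAccountName": "Axel",
        "userAccountControl": UF_NORMAL_ACCOUNT,
        "description": "IT Administrator",
        "physicalDeliveryOfficeName": "Head Office",
        "telephoneNumber": "555-5555",
    }
    snapshot = copy.deepcopy(original)      # what a pre-deletion snapshot holds
    tomb = delete_object(original, domain_dn)
    live = reanimate(tomb)
    lost = lost_attributes(original, live)
    fill_from_snapshot(live, snapshot, lost)
    return {"tombstone_dn": tomb["distinguishedName"], "lost": lost, "user": live}


if __name__ == "__main__":
    print(recover_user())
```

The set returned under "lost" is exactly the information the lab tells you to read back from the mounted snapshot in Task 4; the model shows why no other attribute needs attention.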

Module Review and Takeaways

Review Questions
1. One of your domain controllers is running out of hard-drive space. You modify
the domain controller so that it is no longer a global catalog server, but notice
that the size of the AD DS database does not decrease. What should you do to
reclaim hard-drive space on the server?
2. You are concerned about the amount of disk space that the Active Directory
database and log files are using. How do you determine the size of the
database and log files?
3. You install Windows Server Backup on your domain controller. You only have
two drives on the computer and both are being used for data or system files.
What types of backup should you use to back up your AD DS environment?
4. All of the domain controllers in your domain have failed. You are trying to
rebuild the domain from the Active Directory backup on one domain
controller. Which type of restore must you use to rebuild the domain?
5. You accidentally deleted a user account in AD DS. What options do you have
to make the account available again?

Considerations for Maintaining AD DS


Supplement or modify the following best practices for your own work situations:
• An essential component to maintaining an AD DS environment is monitoring.
An effective monitoring program can alert you to situations where you need to
perform maintenance tasks before the situation becomes critical.
• Compare the effort involved in restoring AD DS objects with the effort
involved in recreating the objects or reanimating deleted objects. If a single user
account has been deleted, it often is much easier just to recreate the account
rather than restore the account. If an entire OU has been deleted, performing
an authoritative restore is usually much faster than recreating all of the OU's
accounts.
• The most important step in preparing for a domain controller’s failure is to
deploy more than one domain controller in a domain. If you have a second
domain controller available, AD DS services will continue to be available, and
you can install an additional domain controller easily to replace the failed
server. If you have only one domain controller in the domain, and that domain
controller fails, you must restore AD DS from backup.
• If you anticipate needing to use Database Mounting Tool snapshots on a
consistent basis, consider creating a scheduled task that will create a snapshot
regularly.

Tools
Use the following tools when configuring AD DS sites and replication:

Tool: Windows Server Backup
  Use for: Backing up and restoring AD DS information or other data on a Windows Server 2008 computer
  Where to find it: Must be installed as a Windows Server 2008 feature. Click Start, and then point to Administrative Tools. Click Windows Server Backup.

Tool: LDP.exe
  Use for: Viewing and modifying information about AD DS objects and for reanimating deleted objects
  Where to find it: Installed by default and accessible at a command prompt.

Tool: NTDSUtil
  Use for: Managing the AD DS data store and managing AD DS operation master roles
  Where to find it: Installed by default and accessible at a command prompt.

Tool: Database Mounting Tool
  Use for: Creating and mounting snapshots of the AD DS data store
  Where to find it: Can be accessed through NTDSUtil.

Module 10
Troubleshooting Active Directory, DNS, and
Replication Issues
Contents:
Lesson 1: Troubleshooting Active Directory Domain Services 10-3
Lesson 2: Troubleshooting DNS Integration with Active Directory
Domain Services 10-9
Lesson 3: Troubleshooting Active Directory Replication 10-15
Lab: Troubleshooting Active Directory, DNS and Replication Issues 10-22

Module Overview

As a Windows Server® 2008 administrator, you are likely to be called upon to
troubleshoot issues related to Active Directory® Domain Services (AD DS). When
AD DS is well designed and implemented, it provides a very stable directory
services infrastructure. However, even in the most stable environments you will
occasionally need to troubleshoot AD DS issues related to authentication,
authorization, replication or the Domain Name System (DNS) configuration.

Lesson 1:
Troubleshooting Active Directory Domain
Services

Whenever users cannot authenticate to the network, or cannot gain access to
network resources, you must determine whether the cause of the problem is an AD
DS issue. The cause of the problem may be network connectivity, or a network
services error, or an AD DS issue. This lesson describes how to identify and
troubleshoot AD DS issues.

Introduction to AD DS Troubleshooting

Key Points
Active Directory Domain Services is a distributed system that comprises many
different services and depends on all of them to function properly. When
troubleshooting AD DS issues, you need to identify the source of the problem and
resolve the specific issue.

Additional Reading
• Overview of Active Directory Troubleshooting
• Active Directory Operations Guide

Discussion: How to Troubleshoot Active Directory Domain Services Issues

Questions

What steps would you take to troubleshoot an Active Directory issue?
What tools would you use?
How would you verify your solution worked?

Troubleshooting User Access Errors

Key Points
There are many possible reasons why a user cannot access network resources.
These can be divided up into three basic categories.

Demonstration: Tools for Troubleshooting User Access Errors

Questions

From your experience, what is the most common reason for user access error in
your organization?
What steps can you take to reduce the number of user access errors while still
maintaining network security?

Troubleshooting Domain Controller Performance Issues

Key Points
As a distributed service, AD DS depends on many interdependent services that are
distributed across many devices and in many remote locations. As you increase the
size of your network to take advantage of the scalability of AD DS, domain
controller performance could become an issue.

Additional Reading
• Windows Server 2003 Active Directory Branch Office Guide
• Analyzing performance data

Lesson 2
Troubleshooting DNS Integration with Active
Directory Domain Services

AD DS cannot function without DNS. Clients and application servers such as
Exchange Server use DNS to find domain controllers and services. Domain
controllers and global catalog servers use DNS to locate each other to replicate to
each other. Because of this tight integration of AD DS and DNS, you will often
begin your AD DS troubleshooting by troubleshooting DNS.

Overview of DNS and AD DS Troubleshooting

Key Points
One of the most common reasons for AD DS issues is problems with the DNS
infrastructure. In particular, you should begin DNS troubleshooting when you see
the issues listed in the slide.

Troubleshooting DNS Name Resolution

Key Points
To verify that clients can resolve names and records, perform the following steps:
• Verify network connectivity on all computers.
• Use ipconfig to make sure all computers, including clients, member servers,
domain controllers, and DNS servers are using a DNS server that is
authoritative for the Active Directory domain. Sometimes computers are
manually misconfigured to use the wrong DNS server, such as an Internet
caching server or an ISP’s DNS server.
• Use netdiag to test DNS connectivity.
• Ensure that the DNS server is working correctly. You can perform the Simple
self-test in the DNS server's properties to verify that the server is responding.
Also clear the DNS server's cache to ensure that the cache is not polluted and
that it has the latest zone information.

• Use ipconfig /flushdns to clear the client's DNS resolver cache.
• If the zone seems to be corrupt, restore from backup. If necessary, clear any
dynamic registrations from the DNS zone and rebuild the database.
• Check the DNS Server log in Event Viewer for errors.
• Use nslookup to see what results are returned by the DNS server. The
following DNS records are required for proper Active Directory functionality.

Question: What are the most common DNS related issues in your organization?

Additional Reading
• Diagnosing Name Resolution Problems

Troubleshooting DNS Name Registration

Key Points
All servers must have at least A (host) and possibly PTR (reverse lookup) records
in DNS. In addition, all domain controllers must have their SRV (Resource
Locator) records updated in DNS. The following lists which service is responsible
for dynamically updating DNS:
• A records are updated by the computer’s DNS client service.
• PTR records are manually configured.
• SRV records are updated by the DC’s netlogon service.
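As an added check for this topic (not course material or Microsoft code), the following Python functions build the set of SRV owner names that the Net Logon service registers for one domain controller and compare them with a zone dump, reporting the names for which that domain controller has no record. It goes slightly beyond the text by covering the site-specific, global catalog and PDC names as well as the domain-wide LDAP and Kerberos ones. The zone dump, the site name NewYork and the server names are constructed.

```python
"""Expected domain controller SRV records and a check of a zone dump against
them. Added example; the zone dump and names below are constructed."""


def expected_dc_srv_names(domain: str, forest: str, site: str,
                          is_gc: bool = True, is_pdc: bool = False) -> set:
    """SRV owner names Net Logon registers for one domain controller."""
    names = set()
    for base in (domain, f"dc._msdcs.{domain}"):
        names.add(f"_ldap._tcp.{base}")
        names.add(f"_kerberos._tcp.{base}")
        names.add(f"_ldap._tcp.{site}._sites.{base}")
        names.add(f"_kerberos._tcp.{site}._sites.{base}")
    names.update({
        f"_kerberos._udp.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_kpasswd._udp.{domain}",
    })
    if is_gc:
        # Global catalog names are registered in the forest root zone.
        names.add(f"_gc._tcp.{forest}")
        names.add(f"_gc._tcp.{site}._sites.{forest}")
        names.add(f"_ldap._tcp.gc._msdcs.{forest}")
        names.add(f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}")
    if is_pdc:
        names.add(f"_ldap._tcp.pdc._msdcs.{domain}")
    return names


def parse_srv_records(zone_text: str) -> dict:
    """Parse 'owner SRV priority weight port target' lines into
    {owner (lowercase): {target (lowercase)}}; other lines are ignored."""
    records = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[1].upper() != "SRV":
            continue
        owner = parts[0].lower().rstrip(".")
        target = parts[5].lower().rstrip(".")
        records.setdefault(owner, set()).add(target)
    return records


def missing_srv_records(zone_text: str, dc_fqdn: str, domain: str, forest: str,
                        site: str, is_gc: bool = True, is_pdc: bool = False) -> set:
    """Expected SRV names that carry no record pointing at dc_fqdn."""
    have = parse_srv_records(zone_text)
    dc = dc_fqdn.lower().rstrip(".")
    return {
        name for name in expected_dc_srv_names(domain, forest, site, is_gc, is_pdc)
        if dc not in have.get(name.lower(), set())
    }


# Constructed zone dump for a single-domain forest: the GC records for
# nyc-dc1 are absent, and the only _gc record points at nyc-dc2.
SAMPLE_ZONE = """
_ldap._tcp.woodgrovebank.com SRV 0 100 389 nyc-dc1.woodgrovebank.com
_ldap._tcp.dc._msdcs.woodgrovebank.com SRV 0 100 389 nyc-dc1.woodgrovebank.com
_kerberos._tcp.woodgrovebank.com SRV 0 100 88 nyc-dc1.woodgrovebank.com
_kerberos._tcp.dc._msdcs.woodgrovebank.com SRV 0 100 88 nyc-dc1.woodgrovebank.com
_ldap._tcp.NewYork._sites.woodgrovebank.com SRV 0 100 389 nyc-dc1.woodgrovebank.com
_ldap._tcp.NewYork._sites.dc._msdcs.woodgrovebank.com SRV 0 100 389 nyc-dc1.woodgrovebank.com
_kerberos._tcp.NewYork._sites.woodgrovebank.com SRV 0 100 88 nyc-dc1.woodgrovebank.com
_kerberos._tcp.NewYork._sites.dc._msdcs.woodgrovebank.com SRV 0 100 88 nyc-dc1.woodgrovebank.com
_kerberos._udp.woodgrovebank.com SRV 0 100 88 nyc-dc1.woodgrovebank.com
_kpasswd._tcp.woodgrovebank.com SRV 0 100 464 nyc-dc1.woodgrovebank.com
_kpasswd._udp.woodgrovebank.com SRV 0 100 464 nyc-dc1.woodgrovebank.com
_gc._tcp.woodgrovebank.com SRV 0 100 3268 nyc-dc2.woodgrovebank.com
"""

if __name__ == "__main__":
    for name in sorted(missing_srv_records(SAMPLE_ZONE, "nyc-dc1.woodgrovebank.com",
                                           "woodgrovebank.com", "woodgrovebank.com",
                                           "NewYork")):
        print("missing:", name)
```

Running it against a real zone means feeding it the SRV lines exported from the DNS console or from nslookup; an empty result for a domain controller that is expected to be a global catalog confirms its Net Logon registration is complete.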

Question: What are PTR records used for? What errors will you see if you do not
have the PTR records registered for domain controllers?

Troubleshooting DNS Zone Replication

Key Points
Whenever a DNS record is updated, either in a traditional Primary (Master) zone
or an Active-Directory Integrated zone, that update must be replicated in a zone
transfer to all DNS servers that are authoritative for that zone. An administrator
may choose to favor conserving bandwidth during heavy network usage hours by
delaying replication to less busy times. Even so, the record will have to be
replicated at some point for the DNS database to be consistent.

Additional Reading
• Troubleshooting Zone Problems

Lesson 3:
Troubleshooting Active Directory Replication

AD DS uses a multi-master replication topology that depends on all domain
controllers being available on the network. Replication is important to ensure that
all users experience a consistent response from the domain controllers regardless
of which domain controller the user is connecting to.

AD DS Replication Requirements

Key Points
Refer to the requirements listed on the slide for AD DS replication to occur
successfully.

Common Replication Issues

Key Points
When you encounter replication problems in Active Directory, your first step is to
identify the symptoms and possible causes.

Question: What is the most common reason for replication error in your
organization?

Additional Reading
• Troubleshooting Active Directory Replication Problems

What Is the Repadmin Tool?

Key Points
You use the Repadmin.exe command-line tool to view the replication topology
from the perspective of each domain controller. You can also use Repadmin.exe to
manually create the replication topology, force replication events between domain
controllers, and view the replication metadata, which is information about the data,
and up-to-date state of vectors.
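The following Python parser is an added example (not course material or Microsoft code) of reading the output of repadmin /showrepl and reporting the inbound replication links that are failing, which is the first thing to look for when a change is not arriving on a domain controller. The sample output is constructed to mirror the tool's layout; the GUIDs, timestamps and the RPC error are sample values.

```python
"""Parse repadmin /showrepl output and list failing inbound links.
Added example; the sample output below is constructed."""
import re

NEIGHBOR_RE = re.compile(r"^ {4}(\S+)\s+via\s+(\w+)")
ATTEMPT_RE = re.compile(
    r"Last attempt @ (\S+ \S+) (?:was successful|failed, result (\d+) \(0x[0-9a-fA-F]+\))"
)
FAILCOUNT_RE = re.compile(r"(\d+) consecutive failure")


def parse_showrepl(text: str) -> list:
    """Return one dict per inbound neighbor: naming context, source DSA,
    transport, last attempt time, error code (0 if none), failure count."""
    links = []
    context = None
    current = None
    for line in text.splitlines():
        # Naming contexts are printed at column 0 as a DN.
        if line and not line[0].isspace() and line[:3] in ("DC=", "CN="):
            context = line.strip()
            continue
        m = NEIGHBOR_RE.match(line)
        if m and context:
            current = {
                "naming_context": context,
                "source": m.group(1),
                "transport": m.group(2),
                "last_attempt": None,
                "ok": None,
                "error": 0,
                "consecutive_failures": 0,
            }
            links.append(current)
            continue
        if current is None:
            continue
        m = ATTEMPT_RE.search(line)
        if m:
            current["last_attempt"] = m.group(1)
            current["ok"] = m.group(2) is None
            current["error"] = int(m.group(2)) if m.group(2) else 0
            continue
        m = FAILCOUNT_RE.search(line)
        if m:
            current["consecutive_failures"] = int(m.group(1))
    return links


def failing_links(text: str) -> list:
    """Only the inbound links whose last attempt failed."""
    return [link for link in parse_showrepl(text) if link["ok"] is False]


# Constructed sample in the layout of repadmin /showrepl.
SAMPLE_SHOWREPL = r"""
Default-First-Site-Name\NYC-DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 11111111-2222-3333-4444-555555555555
DSA invocationID: 66666666-7777-8888-9999-000000000000

==== INBOUND NEIGHBORS ======================================

DC=woodgrovebank,DC=com
    Default-First-Site-Name\NYC-DC2 via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ 2008-03-01 10:15:02 was successful.

CN=Configuration,DC=woodgrovebank,DC=com
    Default-First-Site-Name\NYC-DC2 via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ 2008-03-01 10:15:02 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2008-02-28 22:03:41.
"""

if __name__ == "__main__":
    for link in failing_links(SAMPLE_SHOWREPL):
        print(f"{link['naming_context']} from {link['source']}: "
              f"error {link['error']}, {link['consecutive_failures']} failures")
```

On a real domain controller the text comes from running the command and saving its output; the error code (here 1722, the RPC server is unavailable) and the time of the last success are what narrow the cause to connectivity, DNS or the replication partner itself.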

Additional Reading
• Troubleshooting Active Directory Replication Problems


What Is the DCDiag Tool?

Key Points
The Dcdiag.exe tool performs a series of tests to verify different aspects of the
system. These tests include connectivity, replication, topology integrity, and
intersite health.
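The two tools described above are easiest to use together: Repadmin reports the state of every replication link, and DCDiag confirms that the domain controller itself is reachable and replicating. The following script is an added example written for this page, not part of the 6425A courseware; it runs `repadmin /showrepl * /csv` and `dcdiag` and summarizes the results. It assumes the AD DS command-line tools are installed and that the domain controller name `NYC-DC1` is replaced with one of your own.

```powershell
# Added example (not part of the 6425A courseware): summarize AD DS replication
# health from repadmin and dcdiag output. Run as a domain administrator on a
# domain controller or on a workstation with the AD DS tools installed.
# Assumptions: repadmin.exe and dcdiag.exe are on the path; "NYC-DC1" is a
# placeholder for one of your own domain controllers.

param(
    [string]$DomainController = "NYC-DC1"   # placeholder DC name
)

# 1. Pull the replication status for every DC in the forest as CSV.
#    /showrepl * /csv emits one row per (destination DC, naming context, source DC).
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

# Keep only partner links that have recorded at least one failure.
$failing = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })

if ($failing.Count -eq 0) {
    Write-Host "repadmin: no replication links with failures."
} else {
    Write-Host "repadmin: replication links with failures:"
    $failing |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
        Format-Table -AutoSize
}

# 2. Run the dcdiag connectivity and replication tests against one DC.
#    dcdiag prints "... <DC> failed test <Name>" for each test that fails.
$dcdiagOutput = dcdiag /s:$DomainController /test:Connectivity /test:Replications
$failedTests  = $dcdiagOutput | Select-String -Pattern 'failed test (\w+)'

if ($failedTests) {
    foreach ($m in $failedTests) {
        Write-Host ("dcdiag: {0} failed test {1}" -f $DomainController, $m.Matches[0].Groups[1].Value)
    }
} else {
    Write-Host "dcdiag: Connectivity and Replications tests passed on $DomainController."
}
```

Save the script as a .ps1 file and run it from an elevated PowerShell prompt. The CSV column names (`Number of Failures`, `Last Failure Status`, and so on) are the headers that `repadmin /showrepl /csv` itself produces, so the report can be filtered further, for example by `Naming Context`, without any further parsing.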


Discussion: Troubleshooting Inter-Site AD DS Replication Issues

As a class, discuss the questions on the slide.


Troubleshooting Distributed File Replication Issues

The contents of the SYSVOL folder are replicated to every domain controller in a
domain. If the domain is at the Windows Server® 2003 or lower functional level, the
File Replication Service (FRS) is responsible for replicating the contents of the
SYSVOL folder between domain controllers. When you upgrade the functional
level to Windows Server 2008, Distributed File System Replication (DFSR) is used
to replicate the contents of the SYSVOL folder. In both cases, the connection object
topology and schedule that the Knowledge Consistency Checker (KCC) creates for
Active Directory replication is used to manage replication between domain
controllers.
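Whichever engine replicates SYSVOL, the practical check is the same: every domain controller must share SYSVOL and NETLOGON and hold the same copy of each file. The script below is an added example for this page (it is not courseware code); it enumerates the domain controllers of the current domain with the .NET `System.DirectoryServices.ActiveDirectory` classes, tests the two shares on each, and hashes one logon script so that a stale copy, not just a missing one, stands out. The script name `MapDataDir.bat` is a placeholder.

```powershell
# Added example (not part of the 6425A courseware): verify that every domain
# controller shares SYSVOL and NETLOGON and holds the same copy of a logon
# script. A script that is missing or stale on one DC is what users who
# authenticate against that DC will get, regardless of whether FRS or DFSR
# replicates SYSVOL.
# Assumption: the script name below is a placeholder for one of your own.

param(
    [string]$ScriptName = "MapDataDir.bat"   # placeholder logon script name
)

# Enumerate the DCs of the current domain via .NET (no extra modules needed).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs = $domain.DomainControllers | ForEach-Object { $_.Name }

$report = foreach ($dc in $dcs) {
    $netlogon   = "\\$dc\NETLOGON"
    $sysvol     = "\\$dc\SYSVOL"
    $scriptPath = Join-Path $netlogon $ScriptName

    $hash = $null
    if (Test-Path $scriptPath) {
        # Hash the file so that differing copies (not just missing ones) stand out.
        $bytes  = [System.IO.File]::ReadAllBytes($scriptPath)
        $sha256 = [System.Security.Cryptography.SHA256]::Create()
        $hash   = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString("x2") }) -join ""
    }

    New-Object PSObject -Property @{
        DomainController = $dc
        SysvolShared     = Test-Path $sysvol
        NetlogonShared   = Test-Path $netlogon
        ScriptPresent    = [bool]$hash
        ScriptSha256     = $hash
    }
}

$report | Format-Table DomainController, SysvolShared, NetlogonShared, ScriptPresent, ScriptSha256 -AutoSize

# Flag the domain as inconsistent if any DC lacks the script or holds a different copy.
$distinctCopies = @($report | Where-Object { $_.ScriptSha256 } | Group-Object ScriptSha256)
$missing        = @($report | Where-Object { -not $_.ScriptPresent })
if ($distinctCopies.Count -gt 1 -or $missing.Count -gt 0) {
    Write-Warning "SYSVOL content is not consistent across domain controllers; check FRS/DFSR replication."
}
```

Because the check reads the shares over the network from a single machine, it also catches the case where SYSVOL replication is healthy but a DC is not sharing NETLOGON at all (for example, a DC that has not completed initial SYSVOL synchronization).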


Lab: Troubleshooting Active Directory, DNS and Replication Issues

Scenario
Woodgrove Bank has completed its deployment of Windows Server 2008. As the
AD DS administrator, one of your primary tasks now is troubleshooting AD DS
issues that have been escalated to you from the company Help Desk. You are
responsible for resolving issues related to user access to resources, the integration
of DNS and AD DS, and AD DS replication.


Exercise 1: Troubleshooting Authentication and Authorization Errors
Scenario
Lab Preparation: Make sure both NYC-DC1 and NYC-CL1 are started and running.
Shut down any other VPCs.
In this exercise, you will troubleshoot authentication and authorization errors. You
will review trouble tickets and resolve the issues related to the trouble tickets.
The main tasks in this exercise are:
1. Start the 6425A-NYC-DC1 virtual machine and log on as Administrator.
2. Start the 6425A-NYC-DC2 virtual machine and log on as Administrator.
3. Start 6425A-NYC-CL1.
4. Resolve Trouble Tickets.

Task 1: Start the 6425A-NYC-DC1 virtual machine and log on as Administrator
• Start 6425A-NYC-DC1 and log on as Administrator using the password
Pa$$w0rd.

Task 2: Start the 6425A-NYC-DC2 virtual machine and log on as Administrator
• Start 6425A-NYC-DC2 and log on as Administrator using the password
Pa$$w0rd.

Task 3: Start the 6425A-NYC-CL1 virtual machine
• Start 6425A-NYC-CL1. Do not log on at this time.

Task 4: Run the Lab10_Prep.bat file
1. On NYC-DC1, open Windows Explorer and browse to
d:\6425\Mod10\Labfiles.
2. Double-click Lab10_Prep.bat.


Task 5: Resolve Trouble Tickets
Trouble Ticket #1 – A user named Chris McGurk is having trouble logging on at
her Windows Vista computer. She has been away on a research assignment for
several months. She now needs to get on the network to prepare her report for
senior management. Her desktop computer has been turned off during the time
she was away. The matter has been escalated to you.
1. Attempt to log on to NYC-CL1 as Chris with the password of Pa$$w0rd.
2. Was the logon successful? Note the error message below:
_______________________________________________________________
3. Verify that the NYC-CL1 computer account still exists in the domain.
4. What do you think is the issue? How will you resolve the issue?
_______________________________________________________________
5. Log on to NYC-CL1 as NYC-CL1\LocalAdmin with the password of
Pa$$w0rd.
6. Complete your troubleshooting steps.
7. Log off NYC-CL1 as LocalAdmin, and log on as Chris.
8. Were you successful? ______________________________________________
9. Log off NYC-CL1.


Trouble Ticket #2 – A Help Desk staff member named Markus Breyer has been
given the task of adding new hires to the BranchManagers OU in the NYC OU in
the Woodgrovebank.com domain. Markus is a member of the HelpDesk global
group. All members of the HelpDesk group need to be able to manage users
accounts from client workstations by using Remote Desktop. When Markus
attempts to accomplish this task, he is unsuccessful. The matter has been escalated
to you.
1. Log on to NYC-CL1 as Markus, with the password of Pa$$w0rd. Try to
connect to NYC-DC1 by using Remote Desktop.
2. Were you successful? What, if any, error messages did you receive?
_______________________________________________________________
3. What do you think is the problem?
_______________________________________________________________
4. Take the required steps to resolve the error message.
5. Try connecting to Remote Desktop again. Were you successful this time? If
not, take the next steps for troubleshooting the issue.
6. After you successfully connect to Remote Desktop, try opening Active
Directory Users and Computers. If you are not successful, complete steps to
troubleshoot the issue.
7. In Active Directory Users and Computers, try to create a test user account in
the Branch Managers OU.
8. Were you successful? What, if any, error messages did you receive?
__________________________________________________________________
9. What additional step(s), if any, do you think you will need to take?
__________________________________________________________________
10. Log off of NYC-CL1.

Result: At the end of this exercise, you will have resolved two trouble tickets with
authentication and authorization issues.


Exercise 2: Troubleshooting the Integration of DNS and AD DS
Scenario
In this exercise, you will resolve issues identified in the troubleshooting tickets
escalated to the server team regarding DNS integration and AD DS. You will
identify the issue in each ticket, resolve the problem, and verify that the resolution
was successful.
The main task in this exercise is to resolve the trouble ticket.

Task 1: Resolve the trouble ticket
Trouble Ticket #3 - Some users at Woodgrovebank.com are complaining that
they are having trouble accessing network resources. The help desk has already
established that all of the client computers that are exhibiting the problem are
using NYC-DC2 as the preferred DNS server. You will use NYC-CL1 to test all
solutions, to ensure that users can log on to the domain using NYC-DC1 and
NYC-DC2 as the primary DNS servers.
1. What do you think may be the problem(s)?
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
2. What steps will you take to test and resolve the problem(s)?
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
3. Use NSLookup to verify the DNS records for the WoodgroveBank.com zone
on both NYC-DC1 and NYC-DC2.
4. Use DNS Manager to examine the configuration for the WoodgroveBank.com
and the _msdcs.WoodgroveBank.com zones on both DNS servers.
5. Take the required steps to troubleshoot the issue.
6. What was the actual problem(s), and how did you resolve it?
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
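Steps 3 and 4 above rely on NSLookup to compare what each DNS server returns for the domain controller locator records in `_msdcs`. The script below is an added example written for this page, not part of the lab files; it queries the SRV records a client uses to find a domain controller and a global catalog from each DNS server in turn and warns where the servers disagree. The domain name and the server names `NYC-DC1` and `NYC-DC2` are placeholders to replace with your own.

```powershell
# Added example (not part of the 6425A courseware): query the domain controller
# locator SRV records from each DNS server and compare the answers. A client can
# only find a DC through a DNS server that actually holds these records, so a
# server that returns nothing (or a different set) explains logon failures for
# the clients that use it as their preferred DNS server.
# Assumptions: the domain name and DNS server names below are placeholders.

param(
    [string]$Domain = "WoodgroveBank.com",
    [string[]]$DnsServers = @("NYC-DC1", "NYC-DC2")   # placeholder server names
)

# The records a client queries to locate a DC (LDAP, Kerberos) and a global catalog.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain"
)

$results = foreach ($server in $DnsServers) {
    foreach ($name in $srvNames) {
        # nslookup prints one "svr hostname = <target>" line per SRV record returned.
        $output  = nslookup -type=SRV $name $server
        $targets = $output |
            Select-String -Pattern 'svr hostname\s*=\s*(\S+)' |
            ForEach-Object { $_.Matches[0].Groups[1].Value } |
            Sort-Object -Unique

        New-Object PSObject -Property @{
            DnsServer = $server
            Record    = $name
            Targets   = ($targets -join ", ")
        }
    }
}

$results | Format-Table DnsServer, Record, Targets -AutoSize

# Warn about any record for which the DNS servers return different target sets.
$results | Group-Object Record | ForEach-Object {
    $answers = @($_.Group | Select-Object -ExpandProperty Targets | Sort-Object -Unique)
    if ($answers.Count -gt 1) {
        Write-Warning ("DNS servers disagree on {0}: {1}" -f $_.Name, ($answers -join " | "))
    }
}
```

An empty `Targets` column for one server and a populated one for the other is the signature of a zone that is not replicated to, or not hosted on, that server; identical answers from both servers move the investigation on to client-side DNS settings or to the domain controller itself.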

Result: At the end of this exercise, you will have resolved a trouble ticket with DNS
integration and AD DS issues.


Exercise 3: Troubleshooting AD DS Replication
Scenario
In this exercise, you will resolve issues identified in the troubleshooting tickets
escalated to the server team. Potential issues include user accounts that are not
replicated to other domain controllers, replication failures, and AD DS file
replication failures. You will identify the issue in each ticket, resolve the problem,
and verify that the resolution was successful.
The main task in this exercise is to resolve the trouble tickets.

Task 1: Resolve the trouble tickets
Trouble Ticket #4 – The help desk has been tasked with creating user accounts
for some new hires. Because the new employees will be traveling between the
branch offices, it is critical that they can log on at any location. The help desk has
noticed that replication between NYC-DC1 and NYC-DC2 is not working. The
matter has been escalated to you. When a member of the team creates a user
account on the NYC-DC1 domain controller, the user account is not displayed on
the NYC-DC2 domain controller.
1. Verify that AD DS replication is not working.
2. What do you think might be the problem(s)?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
3. What troubleshooting step(s) will you take to resolve the problem(s)?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
4. Implement your troubleshooting steps. You are successful when you are able
to create a test user on either domain controller and replicate the account to
the other domain controller.


Trouble Ticket #5 – The Help Desk has noticed that when some users in the New
York branch of Woodgrovebank.com log on, they are not getting the expected
automatic drive mappings. All users should get a drive mapping that maps the H:
drive to \\NYC-DC1\data. The Help Desk has confirmed that the Group Policy
Object is configured correctly. The logon script is called MapDataDir.bat and is
supposed to be located in the Netlogon share.
1. What do you think might be the problem(s)?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
2. What troubleshooting step(s) will you take to resolve the problem(s)?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
3. How will you verify that the problem(s) has been resolved?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
4. Implement your troubleshooting steps. What was the actual problem(s), and
how did you resolve it?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
5. Shut down all the Virtual PCs.

Result: At the end of this exercise, you will have resolved a trouble ticket with AD DS
replication issues.


Module Review and Takeaways

Considerations for Maintaining AD DS
Supplement or modify the following best practices for your own work situations:
• When troubleshooting AD DS issues, always start at the network layer. In most
cases, it is very easy and fast to verify network connectivity.
• Use the Event Viewer when troubleshooting AD DS issues. Many AD DS errors
will be logged in the Event Viewer logs, and the error details often provide very
valuable information for resolving the issues.
• In a large organization, consider deploying Microsoft System Center
Operations Manager with the Active Directory Management Pack. The
Operations Manager can monitor all of the domain controllers in the
environment and provide detailed guidance on how to resolve AD DS issues.
Microsoft System Center Operations Manager is an upgrade of Microsoft
Operations Manager.


Tools
Use the following tools when troubleshooting AD DS issues:

Tool | Used for | Where to find it
Server Manager | Accessing the AD DS management tools in a single console. | Click Start, and then point to Administrative Tools. Click Server Manager.
Active Directory Sites and Services | Creating and configuring sites and subnets, moving domain controllers between sites, and forcing replication. | Click Start, and then point to Administrative Tools. Click Active Directory Users and Computers.
DNS | Configuring and viewing DNS zones. | Click Start, and then point to Administrative Tools. Click DNS.
Repadmin | Gathering data about the current replication topology and status, and creating new replication objects. | Installed by default and accessible at a command prompt.
DCDiag | Gathering data about domain controllers, including replication partners and status. | Installed by default and accessible at a command prompt.
NSLookup | Reviewing information stored in DNS zone files. | Installed by default and accessible at a command prompt.
Ntfrsutl | Displays detailed information about the active FRS replicas on the domain controller and can be used to force replication. | Installed by default and accessible at a command prompt.
FRSDiag | Provides a graphical user interface for gathering detailed information about FRS performance and issues, and analyzes the results to identify common FRS and Active Directory problems. | Can be downloaded from the Microsoft download center.
Dfsradmin | Provides detailed information about the current state of DFSR replication in the domain. Can also be used to configure DFSR replication. | Installed on Windows Server 2008 computers when you install the file management features.


Review Questions
1. A user is able to log on to her computer, but whenever she tries to access a
network resource, she is prompted for a user name and password. How would
you ensure that she can access network resources without being prompted for
the user name and password after logon?
2. You need to verify that all of the domain controller SRV records are registered
in DNS. All DNS servers in your organization are using a third-party DNS
product rather than using Windows Server 2008 DNS. How can you view the
records in DNS?
3. Users in a branch office in your organization are experiencing very slow logon
times. You create a domain controller in your main office, and then ship the
domain controller to the branch office. You configure the branch office as a
second site in your forest. You modified the domain controller’s IP address
configuration and have confirmed network connectivity and confirmed that
the domain controller’s IP address has been updated in DNS. However, some
of the users in the branch office are still experiencing very slow logon times.
What else should you do?
4. Your organization has five office locations with each location configured as a
separate site in AD DS. At least one domain controller has been deployed in
each office. All user account management is performed in the main office. You
notice that when you create a new user account in the main office, it can take
up to 3 hours before the user can log on using that account in the branch
office. What should you do to make sure the user can log on right after the
account has been created?

Troubleshooting Group Policy Issues 11-1

Module 11
Troubleshooting Group Policy Issues
Contents:
Lesson 1: Introduction to Group Policy Troubleshooting 11-3
Lesson 2: Troubleshooting Group Policy Applications 11-10
Lesson 3: Troubleshooting Group Policy Settings 11-17
Lab: Troubleshooting Group Policy Issues 11-25


Module Overview

This module describes troubleshooting procedures for Group Policy processing on
clients and computers. The problems you will troubleshoot include incorrect or
incomplete policy settings, or a lack of policy application to the computer or user.
In this module, you will learn the knowledge and skills necessary for
troubleshooting these issues.


Lesson 1:
Introduction to Group Policy Troubleshooting

Group Policy can be complex to deploy and manage, and sometimes a setting can
cause unintended consequences for users or computers. This lesson provides
details about Group Policy processing and common problem areas, and describes
some of the troubleshooting tools available.


Scenarios for Group Policy Troubleshooting

Additional Reading
• Microsoft Technet article: Group Policy Troubleshooting


Preparing to Troubleshoot Group Policies

Key Points
The first step in troubleshooting Group Policy is to determine the problem’s
source. Group Policy problems may be a symptom of other, unrelated issues, such
as network connectivity, authentication problems, domain controller availability,
or Domain Name Service (DNS) configuration errors. For example, the failure of a
router or DNS server could prevent clients from contacting a domain controller.

Question: What diagnostic tool could you use to determine lease expiration of a
Dynamic Host Configuration Protocol (DHCP) address issued to a client
computer?


Additional Reading
• Troubleshooting Your Systems with Network Diagnostics
• Using NSlookup.exe
• Microsoft Technet article: Unable to access domain controller
• Kerbtray.exe: Kerberos Tray


Tools for Troubleshooting Group Policies

Key Points
There are a number of diagnostic tools and logs that you can use to verify whether
you can trace a problem to core Group Policy.

Group Policy Logging
If other tools do not provide the information you need to identify the problems
affecting Group Policy application, you can enable verbose logging and examine
the resulting log files. Log files can be generated on both the client and the server
to provide detailed information.

Question: What diagnostic tool will quickly display the current Group Policy slow
link threshold?


Additional Reading
• Group Policy Modeling and Results
• How to manually create Default Domain GPOs
• GPOTool (from Win2K Server Resource Kit)
• Microsoft Technet article: Refresh Group Policy settings with GPUpdate.exe
• Fixing Group Policy problems by using log files


Demonstration: Using Group Policy Diagnostic Tools

Question: What steps must you take prior to running a Group Policy Results
(RSoP) report on a remote computer?


Lesson 2:
Troubleshooting Group Policy Applications

When troubleshooting Group Policy issues, you need a firm understanding of the
interactions between Group Policy and its supporting technologies, and the ways
in which you manage, deploy, and apply Group Policy objects.


Troubleshooting Group Policy Inheritance

Key Points
Blocking inheritance will prevent all higher-level settings from affecting the
organizational units (OUs) and their child OUs where inheritance has been
blocked. You can block inheritance only for entire OUs, not for individual objects,
and it can complicate troubleshooting because it counteracts the usual inheritance
rules.

Question: Are there scenarios in your organization that would benefit from
blocking inheritance?

Additional Reading
• Microsoft Technet article: Fixing Core Group Policy problems


Troubleshooting Group Policy Filtering

Key Points
Group Policy filtering determines which users and computers will receive the
GPO’s settings. Filtering of a Group Policy object (GPO) is based on two factors:
• The security filtering on the GPO
• Any Windows Management Instrumentation (WMI) filters on the GPO

Question: You have applied security filtering to limit the GPO to apply only to the
Managers group. You did this by setting the following GPO permissions:
• Authenticated Users are denied the Apply Group Policy permission.
• The Managers group has been granted Read and Apply Group Policy
permission.

None of the managers are receiving the GPO settings. What is the problem?


Additional Reading
• Microsoft Technet article: Fixing Group Policy scoping issues


Troubleshooting Group Policy Replication

Key Points
In a domain that contains more than one domain controller, Group Policy
information takes time to propagate, or replicate, from one domain controller to
another. A GPO consists of two parts; the Group Policy template (GPT) and the
Group Policy container (GPC). Changes to GPOs are tracked using version
numbers. Every change increments the version number of the GPT and the GPC.
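Because the GPC replicates with Active Directory and the GPT replicates with SYSVOL, the two version numbers of a GPO can disagree on a given domain controller until both replication mechanisms have caught up. The script below is an added example for this page (not courseware code); it reads the `versionNumber` attribute of every groupPolicyContainer object with `System.DirectoryServices` and compares it with the `Version=` line of the matching `GPT.ini` on SYSVOL. It assumes it runs as a domain user who can read SYSVOL, and it uses no modules beyond what ships with Windows.

```powershell
# Added example (not part of the 6425A courseware): compare the GPO version
# stored in AD (the Group Policy container, GPC) with the version in GPT.ini on
# SYSVOL (the Group Policy template, GPT) for every GPO in the domain. A GPO
# whose two numbers differ has not finished replicating, because AD replication
# and SYSVOL replication are separate, and clients will skip or misapply it.
# Assumption: run as a domain user with read access to SYSVOL.

$root       = [ADSI]"LDAP://RootDSE"
$dnsDomain  = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
$policiesDn = "CN=Policies,CN=System," + [string]$root.defaultNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$policiesDn"
$searcher.Filter     = "(objectClass=groupPolicyContainer)"
$null = $searcher.PropertiesToLoad.AddRange([string[]]@("displayName", "cn", "versionNumber"))

$report = foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties
    $guid  = [string]$props["cn"][0]                           # e.g. {31B2F340-...}

    # versionNumber is one 32-bit value: high 16 bits = user part, low 16 bits = computer part.
    # Mask to a positive 64-bit value so the split works even if LDAP returns it as a negative int.
    $gpcVersion = [int64]$props["versionnumber"][0] -band 0xFFFFFFFF

    # GPT.ini lives under \\<domain>\SYSVOL\<domain>\Policies\<GUID>\GPT.ini
    $gptIni     = "\\$dnsDomain\SYSVOL\$dnsDomain\Policies\$guid\GPT.ini"
    $gptVersion = $null
    if (Test-Path $gptIni) {
        $line = Get-Content $gptIni | Where-Object { $_ -like "Version=*" } | Select-Object -First 1
        if ($line -and ($line -match '^Version=(\d+)')) { $gptVersion = [int64]$Matches[1] }
    }

    New-Object PSObject -Property @{
        Name        = [string]$props["displayname"][0]
        Guid        = $guid
        GpcVersion  = $gpcVersion
        GptVersion  = $gptVersion
        UserVer     = [math]::Floor($gpcVersion / 65536)
        ComputerVer = $gpcVersion % 65536
        InSync      = ($gptVersion -ne $null) -and ($gpcVersion -eq $gptVersion)
    }
}

$report | Sort-Object Name | Format-Table Name, GpcVersion, GptVersion, UserVer, ComputerVer, InSync -AutoSize
```

Run the script against each domain controller in turn (for example by binding `LDAP://<dc>/...` and `\\<dc>\SYSVOL\...` instead of the domain name) to see which DC is behind; a GPO that shows `InSync` false on every DC for longer than the replication interval points at a SYSVOL replication problem rather than simple latency.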

Question: What tool can be used to force replication across all domain controllers
in the domain?

Additional Reading
• Troubleshooting File Replication Service
• Microsoft Technet article: Replication of Group Policy settings between
domain controllers fails


Troubleshooting Group Policy Refresh

Key Points
Group Policy refresh refers to a client’s periodic retrieval of GPOs. During Group
Policy refresh, the client contacts an available domain controller. If any GPOs
changed, the domain controller provides a list of all the appropriate GPOs. By
default, GPOs are processed at the computer only if the version number of at least
one GPO has changed on the domain controller that the computer is accessing.

Question: You have implemented folder redirection for a particular OU. Some
users report that their folders are not redirecting to the network share. What is the
first step you should take to resolve the problem?

Additional Reading
• Group Policy does not refresh


Discussion: Troubleshooting Group Policy Configuration

Question: One user is getting settings applied that no one else is receiving. What
might be the issue and how would you start troubleshooting?


Lesson 3:
Troubleshooting Group Policy Settings

Group Policy settings issues usually are due to slow-link detection or incorrect
configuration. Understanding how the client-side extensions (CSEs) work and
how slow links are determined assists in troubleshooting these issues.


How Client Side Extension Processing Works

Key Points
CSEs are dynamic-link libraries (DLLs) that perform the actual processing of
Group Policy settings. Policy settings are grouped into different categories, such as
Administrative Templates, Security Settings, Folder Redirection, Disk Quota, and
Software Installation. Each category’s settings require a specific CSE to process
them, and each CSE has its own rules for processing settings. The core Group
Policy process calls the appropriate CSEs to process those settings. Some CSEs
behave differently under different circumstances. For example, a number of CSEs
do not process if a slow link is detected. Security settings and Administrative
Templates always are applied and you cannot turn them off. You can control the
behavior of other CSEs across slow links.
As Group Policy is processed, the Winlogon process passes the list of GPOs that
must be processed to each Group Policy client-side extension. The extension uses
the list to process the appropriate policy when applicable.


Question: Users in a branch office log on across a slow modem connection. You
want folder redirection to be applied to them even across the slow link. How
would you accomplish this?

Additional Reading
• Identifying Group Policy Client-Side Extensions
• Computer Policy for Client-side Extensions
• Group Policy and Network Bandwidth


Troubleshooting Administrative Template Policy Settings

Key Points
Some Administrative Template settings are preferences rather than policies, and
preferences cannot be removed easily. Older operating systems might not accept
other Administrative Template settings.

Question: Your network has a mixture of Windows XP and Windows Vista
computers. You have configured the Administrative Template to remove the games
link from the Start Menu, but only the Windows Vista computers are enforcing the
setting. What is the problem?

Additional Reading
• Microsoft Technet article: Fixing Administrative Template policy setting
problems


Troubleshooting Security Policy Settings

Key Points
Security policies protect the computing environment’s integrity by controlling
many aspects of it, like password policies, security options, restricted groups,
network policies, services, public key policies, and so on.

Characteristics of Security Policies
• Security policies are refreshed every 16 hours even if they have not changed.
• Security policies are always processed, even across slow connections.


Question: You have configured a password policy in a GPO and linked that policy
to the Research OU. The policy is not affecting domain users in the OU. What is
the problem?

Additional Reading
• Troubleshooting security settings


Troubleshooting Script Policy Settings

Key Points
The Scripts CSE updates the registry with the location of script files so that the
UserInit process can find those values during its normal processing. When a CSE
reports success, it might mean only that the script’s location is placed in the
registry. Even though the setting is in the registry, there could be problems
preventing the setting from being applied to the client. For example, if a script
specified in a Script setting has an error that prevents it from completing, the CSE
does not detect an error.
Group Policy processes a GPO and stores the script information in the registry, in
these locations:
• HKCU\Software\Policies\Microsoft\Windows\System\Scripts (User Scripts)
• HKLM\Software\Policies\Microsoft\Windows\System\Scripts (Machine
Scripts)
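Reading those two registry locations is the quickest way to see which scripts the Scripts CSE actually delivered to a computer or user, independently of whether the scripts then ran. The script below is an added example for this page, not courseware code; it walks the `Logon`, `Logoff`, `Startup` and `Shutdown` subkeys under both locations, lists the script and GPO recorded for each entry, and tests whether any UNC-pathed script is reachable by the current user. It assumes the value names `Script`, `Parameters`, `DisplayName`, `GPOName` and `FileSysPath`, which are the names the Scripts CSE writes under those keys.

```powershell
# Added example (not part of the 6425A courseware): list the scripts that Group
# Policy has registered on this computer by reading the two registry locations
# named in the text. An entry here means the Scripts CSE delivered the script;
# whether it then ran without error is a separate question (check the script
# itself and the user's event logs).
# Assumption: value names follow what the Scripts CSE writes (Script, Parameters,
# DisplayName, GPOName, FileSysPath).

$locations = @{
    "User"    = "HKCU:\Software\Policies\Microsoft\Windows\System\Scripts"
    "Machine" = "HKLM:\Software\Policies\Microsoft\Windows\System\Scripts"
}

$entries = foreach ($scope in $locations.Keys) {
    $base = $locations[$scope]
    if (-not (Test-Path $base)) { continue }

    # Layout: <base>\<Logon|Logoff|Startup|Shutdown>\<GPO index>\<script index>
    foreach ($phase in Get-ChildItem $base) {
        foreach ($gpoKey in Get-ChildItem $phase.PSPath) {
            $gpo = Get-ItemProperty $gpoKey.PSPath
            foreach ($scriptKey in Get-ChildItem $gpoKey.PSPath) {
                $s = Get-ItemProperty $scriptKey.PSPath
                New-Object PSObject -Property @{
                    Scope       = $scope
                    Phase       = $phase.PSChildName
                    GpoName     = $gpo.DisplayName
                    GpoId       = $gpo.GPOName
                    FileSysPath = $gpo.FileSysPath
                    Script      = $s.Script
                    Parameters  = $s.Parameters
                }
            }
        }
    }
}

$entries | Format-Table Scope, Phase, GpoName, Script, Parameters, FileSysPath -AutoSize

# Scripts referenced by a UNC path (usually into SYSVOL or NETLOGON) must be
# readable by the account that runs them; an unreachable path is the usual
# reason a script that the CSE reported as delivered never took effect.
foreach ($e in $entries) {
    if ($e.Script -and ($e.Script -like "\\*") -and -not (Test-Path $e.Script)) {
        Write-Warning ("{0} {1} script not reachable: {2}" -f $e.Scope, $e.Phase, $e.Script)
    }
}
```

A script listed with only a bare file name lives under the GPO's `FileSysPath` in SYSVOL (in the `Scripts\<phase>` subfolder); resolving it there and testing the path the same way extends the reachability check to those entries.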


Question: A logon script is assigned to an OU. The script executes properly for all
users, but some users report that they get an access-denied message when they try
to access the mapped drive. What is the problem?

Additional Reading
• Microsoft Technet article: Fixing Scripts policy settings problems


Lab: Troubleshooting Group Policy Issues

Scenario
Woodgrove Bank has completed its Windows Server 2008 deployment. As the
Active Directory Domain Services (AD DS) administrator, one of your primary
tasks is troubleshooting AD DS issues that the company help desk escalates to you,
and you are responsible for resolving issues related to Group Policy application
and configuration.

Note: Some of the tasks in this lab are designed to illustrate GPO troubleshooting
techniques and may not always follow best practices.


Exercise 1: Troubleshooting Group Policy Scripts
You will create a GPO, linked so that it applies to all domain users and computers,
which performs the following:
• Set the homepage in Internet Explorer® to be http://WoodgroveBank.com
• Force the classic Start Menu
• Force the client to wait for the network to initialize at startup and logon
• Configure the Windows Firewall to allow inbound remote administration

Then you will apply a preconfigured GPO to all domain users that maps a drive to
the Data shared folder, and observe and troubleshoot the results.
All domain users will have a drive mapping to a shared folder named Data. The
GPO is created already and is backed up. You will restore and apply the GPO that
delivers that policy to the domain, and troubleshoot any issues with the policy.
A user in the Miami OU has submitted the following help-desk ticket:
• User Name: Roya Asbari
• Computer Name: NYC-CL1
• Description of Problem: There is no drive mapping to the Data folder.

This ticket has been escalated to the server team for resolution.
The main tasks are:
1. Create and link a domain Desktop policy.
• Set the Internet Explorer homepage to http://WoodgroveBank.com.
• Force the classic Start Menu for all domain users.
• Force the client computer to wait for the network to initialize at startup
and logon.
• Configure the Windows Firewall to allow inbound remote administration.
2. Restore the Lab11A GPO.
3. Link the Lab11A GPO to the domain.
4. Test the GPO as various users.
5. Troubleshoot the GPO using RSoP.
6. Resolve and test the issue.


Task 1: Create and link a domain Desktop policy
1. Log on to NYC-DC1 as Administrator with a password of Pa$$w0rd.
2. Open Group Policy Management.
3. Create and link a GPO named Desktop to the WoodgroveBank domain.
4. Edit the policy as follows:
• Navigate to Computer Configuration, then Administrative Templates,
then System, and then Logon. Enable the Always wait for the network at
computer startup and logon policy.
• Navigate to Network, then Network Connections, then Windows
Firewall, and then Domain Profile. Enable the Windows Firewall: Allow
inbound remote administration exceptions policy, then type
localsubnet in the field and then click OK.
• Navigate to User Configuration, then Windows Settings, then Internet
Explorer Maintenance, then URLs, and then Important URLs.
• In the Important URLs dialog box, customize the home page URL to be
http://WoodgroveBank.com.
• Navigate to Administrative Templates, then Start Menu and Taskbar
and then enable the Force classic Start Menu setting.
5. Close the Group Policy Management Editor.

Task 2: Restore the Lab11A GPO

1. In the GPMC, right-click the Group Policy Objects folder and then click
Manage Backups.
2. In the Manage Backups dialog box, type D:\6425 in the Backup location field.
3. Select the Lab 11A GPO, click Restore and then click OK twice.
4. Close the Manage Backups dialog box.

Task 3: Link the Lab11A GPO to the domain

1. In the GPMC, right-click the WoodgroveBank.com domain and then click
Link an existing GPO.
2. In the Select GPO dialog box, select the Lab 11A GPO and then click OK.


Task 4: Test the GPO

1. Log on to NYC-CL1 as WoodgroveBank\Administrator with a password of
Pa$$w0rd.
2. Close the Welcome Center.
3. Click the Start Menu and ensure you see the classic Start menu.
4. Double-click Internet Explorer and then click the red X to stop the
connection attempt to the default startup page. Click the Home icon on the
toolbar and ensure that http://WoodgroveBank.com is the homepage.
5. Close Internet Explorer.
6. Double-click Computer on the desktop and ensure that you have a mapped
drive to the shared folder named Data.
7. Log off.
8. Log on to NYC-CL1 as Roya with a password of Pa$$w0rd.
9. Close the Welcome Center.
10. Click the Start Menu and ensure Roya gets the classic Start menu.
11. On the desktop, double-click Internet Explorer, and then click the Home icon
on the toolbar and ensure that http://WoodgroveBank.com is the homepage.
12. Close Internet Explorer.
13. On the desktop, double-click Computer and check for the mapped drive to
the shared folder named Data.

Task 5: Troubleshoot the GPO

1. Switch back to NYC-DC1.
2. In the GPMC, right-click Group Policy Results and then click Group Policy
Results Wizard.
3. On the Computer Selection screen, click Another Computer and type NYC-
CL1 in the field.
4. On the User Selection screen, select WoodgroveBank\Roya and then click
Finish.
5. In the User Configuration Summary section, click Group Policy Objects and
then click Applied GPOs.


6. Click the Settings tab.


7. Expand Windows Settings, expand Scripts and then expand Logon.
8. Switch back to NYC-CL1 as Roya.
9. Test Roya’s permission to the scripts location by opening a Run command,
typing \\nyc-dc1\scripts, and then pressing ENTER.
10. Click OK to dismiss the error dialog box.

Note: If time permits, view the Group Policy operational log as Administrator on
NYC-CL1. If you filter the view to show only the events that Roya generates, you
will see that the log reports no errors or warnings for this user. This is because
the GPO only sets a registry value that defines the scripts folder's location;
Group Policy does not check whether the user can access that location. The
registry write succeeded, so the Group Policy log records no error. To find the
access problem, you would have to audit Object Access on the scripts folder.
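The note above makes a point worth checking for yourself: the Group Policy log reports success because the scripts CSE only writes a registry value, so the real diagnostic is whether the user can reach the script location at all. The following PowerShell is an added example for this page, not part of the Microsoft courseware; the function names are my own, it assumes PowerShell 2.0 (for Get-WinEvent) on NYC-CL1, and the user name and share path are the lab's.

```powershell
# Added example (not from the course): confirm that the Group Policy operational
# log shows nothing for the user, then test the script share directly.

# Return the critical/error/warning events the Group Policy engine logged for one
# user. The log is filtered by SID (the UserID key), so the name is translated first.
function Get-GpErrorsForUser {
    param([string]$UserName)   # e.g. 'WoodgroveBank\Roya'
    $sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'
        Level   = 1, 2, 3          # critical, error, warning
        UserID  = $sid
    } -ErrorAction SilentlyContinue
}

# Test whether the script location the GPO points at is reachable by the caller.
# Run this in the affected user's own session (as Roya), not as Administrator:
# the result depends on the caller's share and NTFS permissions, which is exactly
# what the Group Policy log does not tell you.
function Test-ScriptShareAccess {
    param([string]$Path)       # e.g. '\\nyc-dc1\scripts' from Task 5, step 9
    $result = New-Object PSObject -Property @{
        User      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Path      = $Path
        Reachable = (Test-Path -Path $Path)   # False on access denied as well as on "not found"
    }
    if ($result.Reachable) {
        # The logon scripts this user would actually be able to read.
        $result | Add-Member NoteProperty Scripts (Get-ChildItem -Path $Path |
            Select-Object -ExpandProperty Name)
    }
    return $result
}

# Usage with the lab's values: an empty event list plus Reachable = False is the
# combination the note describes, and it points at share/NTFS permissions rather
# than at Group Policy processing.
Get-GpErrorsForUser -UserName 'WoodgroveBank\Roya' |
    Format-Table TimeCreated, Id, Message -AutoSize
Test-ScriptShareAccess -Path '\\nyc-dc1\scripts'
```

Once Object Access auditing is enabled on the scripts folder, the failed attempts appear in the Security log of the file server, which is where Task 6's permission fix can be verified after the fact.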

Task 6: Resolve and test the issue

1. Switch back to NYC-DC1 and open Windows Explorer.
2. Navigate to the D:\6425\scripts folder.
3. Add Authenticated Users to the Share permission list and grant them Read
permission.
4. Switch to NYC-CL1 as Roya, log off and then log on.
5. On the desktop, double-click Computer.

Note: Another way to resolve the issue would be to move the script to the Netlogon
share.

6. Log off.

Result: At the end of this exercise, you will have resolved a Group Policy scripts issue.


Exercise 2: Troubleshooting GPO-11B

Domain users in the Miami OU and all sub OUs should not have access to Control
Panel. You will restore and apply the GPO that delivers that policy to the Miami
OU.
The local onsite technician has submitted a help-desk ticket and escalated the
following issue to the server team:
• User Name: Local Onsite Technician
• Computer Name: NYC-CL1
• Description of Problem: No users should be able to access the Control Panel.
However, some users do have access to Control Panel, while others do not.
Particularly, Roya, a Miami branch manager, has access to Control Panel.

This ticket has been escalated to the server team for resolution.
The main tasks in this exercise are:
1. Restore the Lab11B GPO.
2. Link the Lab11B GPO to the Miami OU.
3. Test the GPO as various users.
4. Troubleshoot the GPO using RSoP.
5. Resolve and test the issue.

Task 1: Restore the Lab11B GPO

1. On NYC-DC1, in the GPMC, right-click the Group Policy Objects folder and
then click Manage Backups.
2. In the Manage Backups dialog box, type D:\6425\ in the Backup location
field.
3. Restore the Lab 11B GPO.


Task 2: Link the Lab11B GPO to the Miami OU

1. In the GPMC, right-click the Miami OU and then click Link an existing GPO.
2. In the Select GPO dialog box, select the Lab 11B GPO and then click OK.

Task 3: Test the GPO

1. Log on to NYC-CL1 as Rich with a password of Pa$$w0rd.
2. Ensure that the settings from the Desktop GPO are applied.
3. Ensure that the Control Panel icon does not appear on the desktop or Start
Menu.
4. Log off.
5. Log on to NYC-CL1 as Roya.
6. Log off.

Task 4: Troubleshoot the GPO

1. Switch back to NYC-DC1.
2. In the GPMC, right-click Group Policy Results and then click Group Policy
Results Wizard.
3. On the Computer Selection screen, click Another Computer and then type
NYC-CL1 in the field.
4. On the User Selection screen, select WoodgroveBank\Rich and then click
Finish.
5. In the User Configuration Summary section, click Group Policy Objects and
then click Applied GPOs.
6. Click the Settings tab.
7. Expand Windows Settings and then expand Control Panel.
8. Right-click the Group Policy Results query Roya on NYC-CL1 in the left pane
and then click Rerun Query.
9. In the User Configuration Summary section, click Group Policy Objects and
then click Applied GPOs.
10. Click Denied GPOs.


Task 5: Resolve the issue

1. In the GPMC, expand the Group Policy Objects folder, click the Lab 11B
GPO, click the Delegation tab and then click Advanced.
2. On the Security tab, click Miami_BranchManagersGG.
3. Remove the Miami_BranchManagersGG from the permission list and then
click OK.
4. Switch to NYC-CL1 and log on again as Roya.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.


Exercise 3: Troubleshooting GPO Lab-11C

Users in the Miami OU should not have access to the Run command on the Start
Menu. You will restore and link the Lab 11C GPO to apply this setting.
The local desktop technician has escalated the following issue to the server team:
• User Name: Local Onsite Technician
• Computer Name: NYC-CL1
• Description of Problem: No users should be able to access the Run command
on the Start Menu, but all users in the Miami OU have access to the Run
command.

This ticket has been escalated to the server team for resolution.
The main tasks in this exercise are:
1. Restore the Lab11C GPO.
2. Link the Lab11C GPO to the Miami OU.
3. Test the GPO as various users.
4. Troubleshoot the GPO using RSoP.
5. Resolve and test the issue.

Task 1: Restore the Lab11C GPO

1. On NYC-DC1, in the GPMC, right-click the Group Policy Objects folder and
then click Manage Backups.
2. In the Manage Backups dialog box type D:\6425\ in the Backup location
field.
3. Restore the Lab 11C GPO.

Task 2: Link the Lab11C GPO to the Miami OU

1. In the GPMC, right-click the Miami OU and then click Link an existing GPO.
2. Select the Lab 11C GPO and then click OK.


Task 3: Test the GPO

1. Log on to NYC-CL1 as Roya.
2. Log off.

Task 4: Troubleshoot the GPO

1. Switch to NYC-DC1.
2. In the GPMC, rerun the query Roya on NYC-CL1.
3. In the User Configuration Summary section, click Group Policy Objects and
then click Applied GPOs.
4. Click the Settings tab.
5. In the User Configuration section, expand Administrative Templates and
then click Start Menu and Taskbar.

Task 5: Resolve and test the issue

1. Expand the Group Policy Objects folder, right-click the Lab 11C GPO and
then click Edit.
2. Navigate to User Configuration, then Administrative Templates, and then
Start Menu and Taskbar.
3. Double-click the Add the Run command to the Start Menu setting, click Not
Configured and then click OK.
4. Locate the Remove Run menu from the Start Menu and enable the setting.
5. Close the Group Policy Object Editor.
6. Log on to NYC-CL1 as Roya.
7. Do not log off.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.


Exercise 4: Troubleshooting Lab GPO-11D

You will restore the Lab 11D GPO and link it to the Admins OU. This GPO is
designed to enhance security.
A user in the Admins OU has submitted the following helpdesk ticket:
• User Name: Betsy Stadick
• Computer Name: NYC-CL1
• Description of Problem: Since the application of the GPO, I no longer have the
classic Start Menu or drive mapping, and no longer can run Internet Explorer.

This ticket has been escalated to the server team for resolution.
The main tasks in this exercise are:
1. Restore the Lab11D GPO.
2. Link the Lab11D GPO to the Admins OU.
3. Move NYC-CL1 to the Admins OU and restart the computer.
4. Test the GPO as various users.
5. Troubleshoot the GPO using RSoP.
6. Resolve and test the issue.

Task 1: Restore the Lab11D GPO

1. On NYC-DC1, in the GPMC, right-click the Group Policy Objects folder and
then click Manage Backups.
2. In the Manage Backups dialog box type D:\6425\ in the Backup location
field.
3. Restore the Lab 11D GPO.

Task 2: Link the Lab11D GPO to the Admins OU

1. In the GPMC, right-click the ITAdmins OU and then click Link an existing
GPO.
2. In the Select GPO dialog box, select the Lab 11D GPO and then click OK.


Task 3: Move NYC-CL1 to the Admins OU and restart the computer

1. Click Start, click Administrative Tools and then click Active Directory Users
and Computers.
2. Expand the WoodgroveBank.com domain and then click the Computers
container.
3. Right-click the NYC-CL1 computer account and then click Move.
4. Select the ITAdmins OU and then click OK.

Task 4: Test the GPO

1. Switch to NYC-CL1 and restart the computer.
2. Log on as WoodgroveBank\Betsy with a password of Pa$$w0rd.
3. Close the Welcome Center.
4. Click Start.
5. Double-click Internet Explorer.
6. Double-click Computer.

Task 5: Troubleshoot the GPO

1. Switch back to NYC-DC1.
2. In the GPMC, run the Group Policy Results Wizard.
3. On the Computer Selection screen, click Another Computer, type NYC-CL1
in the field and then click Next.
4. On the User Selection screen, select WoodgroveBank\Betsy and then click
Finish.
5. In the Computer Configuration Summary section, click Group Policy
Objects and then click Applied GPOs.
6. In the Computer Configuration section, click Administrative Templates and
then click System/Group Policy.


Task 6: Resolve and test the issue

1. In the GPMC, right-click the Admins OU and disable the link to the Lab 11D
GPO.
2. Restart the NYC-CL1 computer.
3. Log on as Betsy.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.


Module Review and Takeaways

Considerations
Keep the following points in mind when troubleshooting Group Policy:
• Client-side extensions handle application of Group Policy at regular,
configurable intervals.
• GPO version numbers determine if a Group Policy has changed.
• Not all CSEs process across a slow link.
• Security settings refresh every 16 hours.
• Windows XP and earlier versions log to the Userenv log for most Group-Policy
issues. You can modify the registry to enable other CSE logs.
• Windows Vista logs to operational logs in Event Viewer.


• Blocking inheritance will block all higher-level policies from being applied
unless those policies are enforced.
• You can filter Group Policy to apply only to certain security principals by using
security settings or Windows Management Instrumentation (WMI) filters.
• Group Policies are made up of two parts, Group Policy templates and Group
Policy containers. Group Policy replicates these objects on separate schedules
using different mechanisms.
• Windows XP and later versions log users on with cached credentials by
default. Many user settings will require two logons because of this.
• Windows XP and earlier use the Internet Control Message Protocol (ICMP) to
determine link speed. Windows Vista and later versions use network
awareness to determine link speed.
• Security principals need permission to access script locations so that they can
execute scripts.
• Computer startup scripts run synchronously by default.
• User logon scripts run asynchronously by default.


Tools
Use the following tools when troubleshooting Group Policy issues:
Tool: Used for
• Ping: Testing network connectivity.
• NSlookup: Testing DNS lookups.
• DCdiag: Testing domain controllers.
• Set: Displaying, setting, or removing environment variables.
• Kerbtray: Displaying Kerberos ticket information.
• Group Policy reporting (RSoP): Reporting information about the current
policies being delivered to clients.
• GPResult: A command-line utility that displays RSoP information.
• GPOTool: A command-line tool that checks Group Policy object stability and
monitors policy replication.
• GPResult: Refreshing local and Active Directory-based Group Policy settings.
• Dcgpofix: Restoring the default Group Policy objects to their original state
after initial installation.
• GPOLogView: Exporting Group Policy-related events from the system and
operational logs into text, HTML, or XML files. For use with Windows Vista and
later versions.
• Group Policy Management Scripts: Sample scripts that perform a number of
different troubleshooting and maintenance tasks.


Review Questions
1. What tool can test DNS name resolution?
a. NSlookup
b. DCdiag
c. GPResult
d. Ping
2. What log will give details of folder redirection?
3. What visual indicator in the GPMC designates that inheritance has been
blocked?
4. What GPO settings are applied across slow links by default? Choose all that
apply:
a. Scripts policies
b. Security settings
c. Administrative settings
d. Internet Explorer Maintenance
e. EFS Recovery Policy
f. IPSec Policy

Implementing an Active Directory® Domain Services Infrastructure 12-1

Module 12
Implementing an Active Directory® Domain
Services Infrastructure
Contents:
Lesson 1: Overview of the AD DS Domain 12-3
Lesson 2: Planning a Group Policy Strategy 12-7
Lab A: Deploying Active Directory Domain Services 12-9
Lab B: Configuring Forest Trusts 12-23
Lab C: Designing a Group Policy Strategy 12-31


Module Overview

This module consists of five exercises that make up three labs. These exercises
give you the opportunity to reinforce concepts from the course and perform
operations that were not performed in the prior labs. Each exercise is
independent.


Lesson 1:
Overview of the AD DS Domain

In this lesson, you will see the components of the Active Directory® Domain
Services (AD DS) domain you will work with in the lab.


Overview of the Current AD DS Domain Design

Key Points
The graphic on the slide depicts the current domain configuration at Woodgrove
Bank.


Overview of the AD DS Site Design

Key Points
The graphic on the slide depicts the required domain configuration at Woodgrove
Bank. The Contoso domain will join the Woodgrove Bank forest as a separate tree
in the same forest.


Overview of the AD DS Site Design

Key Points
This graphic shows the current site configuration at Woodgrove Bank. A new
branch office has been created in New York and a new site will be created to
control logon traffic.
The following two new sites will be created:
• The Contoso.com site will contain the 192.168.0.0 subnet
• The NYC-Branch-Office site will contain the 10.30.0.0 subnet


Lesson 2:
Planning a Group Policy Strategy

In this lesson, you will plan Group Policies and implement them in the labs.


Overview of Domain Controller Deployment

Key Points
The graphic depicts the new domain controller deployment at Woodgrove Bank.
• The NYC-SRV2 server core computer will be renamed to NYC-DC3 to
reflect the new role and the read-only domain controller (RODC) role will
be installed on NYC-DC3.
• The NYC-SRV1 computer will be renamed to ContosoDC to reflect the
new role and then promoted to become the Contoso domain controller.


Lab A: Deploying Active Directory Domain Services

Scenario
Woodgrove Bank is deploying Windows Server® 2008 AD DS. The enterprise
administrator has created a design for the deployment. As the AD DS
administrator, you will be implementing this design and verifying that all
components in the design work correctly.

Site Info
There will be two new sites: NYC-Branch-Office and Contoso. The existing and
new sites are as follows:
• Site Name – NYC-Head-Office
• Subnet – 10.10.0.0
• Gateway – 10.10.0.1
• Domain Controller – NYC-DC1 10.10.0.10


• Site Name – NYC-Branch-Office
• Subnet – 10.30.0.0
• Gateway – 10.30.0.1
• Domain Controller – NYC-DC3 (RODC) (change the name of NYC-SRV2)
10.30.0.10
• Site Name – Contoso
• Subnet – 192.168.0.0
• Gateway – 192.168.0.1
• Domain Controller – ContosoDC (change the name of NYC-SRV1)
192.168.0.10

Domain Info
There will be two domains: WoodgroveBank.com and Contoso.com.
WoodgroveBank and Contoso belong to the same forest. WoodgroveBank is the
root domain of the forest and Contoso is a separate tree in the forest.

WoodgroveBank.com
Domain Controllers – NYC-DC1, NYC-DC2, NYC-DC3 (RODC) (change the name
of NYC-SRV2)

Contoso.com
Domain Controller - ContosoDC (change the name of NYC-SRV1)


Exercise 1: Implementing Group Policies

Scenario
Woodgrove Bank has opened a new branch office in New York City. The branch
office employee user accounts will be located in a separate OU. In order to control
logon traffic, it has been decided to create a separate site for the new branch office
and to create a RODC on a server core installation in the site.
You have been tasked to create and configure the domain controller for the new
branch office in New York City. You will use an existing server, NYC-SRV2, which
is a server core installation. You will perform the following tasks in Active
Directory:
• Pre-configure the account for the RODC of the branch office.
• Create an OU named Branch Office Employees that will contain user accounts.
• Create user accounts for the branch office manager and branch office user.
• Create a global group named BranchUsersGG and add the branch office users
to it.

Only the branch office employees will have their passwords cached on the RODC.
You will also create the site for the branch office and create the subnet object,
10.30.0.0, for the branch office. Then you will change the name of NYC-SRV2 to
NYC-DC3 to reflect its new role. You will configure the IP address to reflect the
subnet of the branch site. Then you will install the RODC on the server. Finally,
you will configure replication with the head office site to occur every 30 minutes.
The main tasks for this exercise are as follows:
1. Copy the unattended file and change the name of NYC-SRV2 to NYC-DC3.
2. Change the IP address of SRV2 to 10.30.0.10.
3. Create the NYC-Branch-Office site and rename the Default site.
4. Create subnet objects for the NYC head office and branch office sites.
5. Configure the replication schedule.
6. Create an OU for branch office.
7. Create users and groups for the branch.
8. Configure the DNS service on NYC-DC1 to allow zone transfers.


9. Pre-stage the RODC account in Active Directory® Users and Computers.
10. Install the DNS role on NYC-RODC.
11. Install the RODC on NYC-RODC.

Start the following servers, using the logon information below:

• NYC-DC1
• NYC-DC2
• NYC-SRV2
• Router

Logon information:
• Virtual Machine: NYC-DC1, NYC-DC2, NYC-SRV2
• User Name: Administrator
• Password: Pa$$w0rd

Task 1: Copy the unattended file and change the name of NYC-SRV2 to NYC-DC3

1. Log on to NYC-SRV2 as Administrator with a password of Pa$$w0rd.
2. At the command prompt, type copy
\\10.10.0.10\D$\6425\Mod12\Labfiles\NYC-RODC.txt C:\ and then press ENTER.
3. At the command prompt, type Netdom renamecomputer %computername%
/newname:NYC-DC3 /force /reboot:5, and then press ENTER. The computer
will reboot automatically after 5 seconds.


Task 2: Change the IP address of SRV2 to 10.30.0.10

1. Log on to NYC-DC3 as Administrator.
2. At the command prompt, type netsh interface ipv4 show interfaces. Note the
Idx number of the Local Area Connection interface.
3. Type netsh interface ipv4 set address name=<Idx number of the LAN
interface> source=static address=10.30.0.10 mask=255.255.0.0
gateway=10.30.0.1, and then press ENTER.
4. Type IPconfig /all and ensure the IP address information is correct. Also
ensure that the DNS Server is 10.10.0.10.

Task 3: Create the NYC-Branch-Office site and rename the Default site
1. On NYC-DC1, open Active Directory Sites and Services.
2. Right-click Sites, click New Site, and name the site NYC-Branch-Office. Select
the DEFAULTIPSITELINK and then click OK.
3. Rename the Default-First-Site-Name to NYC-Head-Office.

Task 4: Create subnet objects for the NYC head office and branch office sites
1. Create a new subnet object for the 10.10.0.0/16 subnet. Select the NYC-Head-
Office site and then click OK.
2. Create a new subnet object for the 10.30.0.0/16 subnet. Select the NYC-Branch-
Office site, and then click OK.

Task 5: Configure the replication schedule

1. Open the properties of the DEFAULTIPSITELINK.
2. Type 30 in the Replicate every field, and then click OK.
3. Close Active Directory Sites and Services.


Task 6: Create an OU for the branch office users

1. Open Active Directory Users and Computers.
2. Create a new Organizational Unit named NYC Branch Office.

Task 7: Create users and groups for the branch

1. Create a new user with the following parameters:
• Name – Branch Manager
• Logon Name – branchmanager
• Password – Pa$$w0rd
• Password never expires
2. Create a second user with the following parameters:
• Name – Branch User
• Logon Name – branchuser
• Password – Pa$$w0rd
• Password never expires
3. Create a new global group named BranchUsersGG.
4. Add the Branch Manager and the Branch User accounts to the
BranchUsersGG global group.

Task 8: Configure the DNS service on NYC-DC1 to allow zone transfers

1. On NYC-DC1, open the DNS management console.
2. Configure the Woodgrovebank.com zone to Allow Zone Transfers.
3. Close the DNS Manager.


Task 9: Pre-stage the computer account for the RODC

1. Return to Active Directory Users and Computers, right-click the Domain
Controllers organizational unit and then click Pre-create Read-only Domain
Controller account.
2. On the Welcome to the Active Directory Domain Services Installation
Wizard page, select Use advanced mode installation.
3. On the Network Credentials page, click Next.
4. On the Specify the Computer Name page, type NYC-DC3.
5. On the Select a Site page, click NYC-Branch-Office.
6. On the Additional Domain Controller Options page, click Next.
7. On the Specify the Password Replication Policy page, click Add and then
select Allow passwords for the account to replicate to the RODC.
8. Add the BranchUsersGG and the Domain Admins.
9. On the Delegation of RODC Installation and Administration page, click Set.
Add the BranchManager account.
10. Finish the wizard to create the RODC account. Notice that NYC-DC3
computer account is listed in Active Directory, but the DC type is Unoccupied
DC Account.

Task 10: Install the DNS role on NYC-RODC

1. On NYC-DC3, type Oclist to view the currently installed roles. Notice that no
roles are currently installed.
2. Type start /w ocsetup DNS-Server-Core-Role and then press ENTER to install
the DNS server. The server core role name is case sensitive.


Task 11: Install the RODC on NYC-DC3 and verify the results

1. Type dcpromo.exe /UseExistingAccount:Attach /unattend:c:\nyc-rodc.txt.
The promotion will take several minutes to perform and will automatically
reboot to complete the installation.
2. Log on to NYC-DC3 as Administrator.
3. Switch to NYC-DC1 and refresh the view of the Domain Controllers OU and
notice the DC Type for NYC-DC3 is now set to Read-only, DC.
4. Open Active Directory Sites and Services and examine the NYC-Branch-
Office site. Notice that NYC-DC3 is now listed in the Servers container.
5. Open the DNS Manager and connect to the NYC-DC3 DNS server. Notice that
NYC-DC3 hosts a copy of the WoodgroveBank.com zone.

Note: If the server is unavailable, wait a few minutes and try again.

6. Close the DNS console.

Task 12: Shut down NYC-DC3

• Shut down NYC-DC3 and delete the changes.

Result: At the end of this exercise, you will have created a new RODC, and a new
branch office site.


Exercise 2: Creating a Domain in a Separate Tree and Separate Site

Scenario
Woodgrove Bank has acquired a small company named Contoso Ltd. For legal
reasons, this company will have a separate domain in a new tree in the same forest
so that they can maintain the Contoso.com namespace. The Contoso domain will
also be in a separate site.
You have been tasked with creating the domain for Contoso Ltd. The domain will
be named Contoso.Com and will have a separate tree in the WoodgroveBank
forest. You will use an existing server, NYC-SRV1 to become the new domain
controller. You will rename the computer to be ContosoDC. You will also create a
separate site for the Contoso domain that uses the 192.168.0.0 subnet and you will
configure the ContosoDC computer with the IP address of 192.168.0.10. You will
configure replication between the New York site and the Contoso site to occur
every 4 hours between the hours of 6 PM and 6 AM. You will install and configure
the DNS service on ContosoDC to hold a secondary zone of Woodgrovebank.Com.
Finally, you will promote ContosoDC to become the domain controller for
Contoso.com.
The main tasks for this exercise are as follows:
1. Create and configure a new site link for replication.
2. Create the Contoso site.
3. Create the subnet for the Contoso site.
4. Rename the NYC-SRV1 server to ContosoDC.
5. Change the IP address of ContosoDC.
6. Configure the DNS service on NYC-DC1 to allow zone transfers.
7. Install DNS on ContosoDC.
8. Configure the DNS Service on ContosoDC.
9. Promote the server to be the Contoso domain controller.


Start NYC-SRV1 using the following logon information:


Logon Information:
• Virtual Machine: NYC-SRV1
• User Name: Administrator
• Password: Pa$$w0rd

Task 1: Create and configure a new site link for replication

1. Create a new site link named Contoso-NYC-HO.
2. Add the Contoso and NYC-Head-Office sites to the site link.
3. Open the properties of the Contoso-NYC-HO site link and type 240 in the
Replicate every field and then click Change Schedule.
4. In the Schedule for Contoso-NYC-HO dialog box, click and drag to select the
hours of 6 AM to 6 PM, Monday to Friday, click Replication Not Available
and then click OK twice.
5. Remove the Contoso site from the DefaultIPSiteLink.

Task 2: Create the Contoso site

1. On NYC-DC1, open Active Directory Sites and Services.
2. Create a new site named Contoso. Select the DefaultIPSiteLink and then click
OK. Click OK to acknowledge the message.

Task 3: Create the subnet for the Contoso site

1. Create a new subnet object for the 192.168.0.0/24 subnet. Select the Contoso
site and then click OK.
2. Close Active Directory Sites and Services.

Task 4: Rename the NYC-SRV1 server to ContosoDC

1. Log on to NYC-SRV1 as Administrator with a password of Pa$$w0rd.
2. Change the computer name to ContosoDC and then restart the computer.


Task 5: Change the IP address of ContosoDC

1. Log on to ContosoDC as Administrator with a password of Pa$$w0rd.
2. Configure the IPv4 address as follows:
• IP address – 192.168.0.10
• Subnet mask – 255.255.255.0
• Default Gateway – 192.168.0.1
• DNS – 10.10.0.10

Task 6: Configure the DNS service on NYC-DC1 to allow zone transfers

(If you completed Exercise 1, this step has already been performed.)
1. Switch to NYC-DC1.
2. Open the DNS management console.
3. Configure the Woodgrovebank.com zone to Allow Zone Transfers.
4. Close the DNS Manager.

Task 7: Install the DNS Server Role on ContosoDC

1. Switch to ContosoDC.
2. Install the DNS server role.
3. Leave Server Manager open.


Task 8: Configure the DNS Service on ContosoDC

1. Open the DNS management console.
2. Create a secondary forward zone named WoodgroveBank.com.
3. Configure the Master DNS server as 10.10.0.10.
It will take a few moments for the zone transfer to occur. You will have to
refresh the console to see the changes.
4. Expand the Global Logs and then click DNS Events. Examine the events that
describe the zone transfer.
5. Close the DNS Manager.

Task 9: Promote the server to be the Contoso domain controller

1. Use Server Manager to add the Active Directory Domain Services role.
2. Launch DCPromo.exe.
3. In the Active Directory Domain Services Installation Wizard, select Use
advanced mode installation.
4. On the Choose a Deployment Configuration screen, click Existing Forest,
click Create a new domain in an existing forest and select Create a new
domain tree root instead of a new child domain.
5. On the Network Credentials screen, type Woodgrovebank.com, click Set and
then use the following credentials:
• User name: Woodgrovebank\Administrator
• Password: Pa$$w0rd
6. Name the new domain tree root Contoso.com.
7. On the Domain NetBIOS Name screen, click Next.
8. Set the domain functional level to Windows Server 2008.
9. On the Select a Site screen, click Next.
10. On the Additional Domain Controller Options screen, check the checkbox
for Global Catalog and then click Next.


11. On the Static IP Assignment message box, click Yes, the computer will use a
dynamically assigned IP address and then click Yes to continue.

Note: This message refers to the IPv6 interface, which is set to use DHCP.

12. On the Source Domain Controller screen, click Next.
13. On the Location for Database, Log Files and SYSVOL screen, click Next.
14. Set the directory services restore mode administrator password to Pa$$w0rd.
15. On the Summary screen, click Next and then select Reboot on completion.
16. Log on to the ContosoDC computer as Contoso\Administrator.
17. Open the DNS management console and examine the forward lookup zones.
Notice the Contoso.com zone.
18. Use the ipconfig /all command to examine the IP configuration. Notice that
ContosoDC is using 127.0.0.1 as the preferred DNS server.

Task 10: Shut down ContosoDC

• Shut down ContosoDC and delete the changes.

Result: At the end of this exercise, you will have created a domain in a separate tree
and separate site.


Overview of the Forest Trust Relationship

Key Points
This topic introduces the information you need for the next lab.
The Fabrikam forest will be upgraded to the Windows Server 2008 level and a
Windows Server 2008 server will be promoted to become an additional domain
controller in the domain. The Fabrikam.com forest will have a forest trust
relationship with the WoodgroveBank forest. The trust will use selective
authentication so that only the WoodgroveBank Domain Admins group will be
allowed to authenticate to resources in the Fabrikam domain.


Lab B: Configuring Forest Trusts

Scenario:
Woodgrove Bank has recently purchased a new subsidiary named Fabrikam, Inc.
Fabrikam is currently running Windows Server® 2003 domain controllers. One of
the first tasks for Woodgrove Bank administrators will be to upgrade the domain
to Windows Server 2008. Fabrikam, Inc. will remain in a separate forest and will
trust the Woodgrove Bank forest.


Exercise: Upgrading the Fabrikam Domain and Creating a Forest Trust with Woodgrove Bank

Scenario
You have been tasked to prepare the Fabrikam 2003 forest and domain to accept
Windows Server 2008 domain controllers. You will also configure DNS zone
transfers between the Fabrikam forest and the Woodgrovebank forest. Then you
will promote a Windows Server 2008 server to become a domain controller in the
Fabrikam domain. Finally, you will configure a forest trust between
WoodgroveBank.com and Fabrikam.com. The trust will use selective
authentication such that only the WoodgroveBank Domain Admins group will be
allowed to authenticate to resources in the Fabrikam domain.
Use the following information in this exercise:
• Site Name – Fabrikam
• Subnet – 10.20.0.0
• Gateway – 10.20.0.1
• Domain Controller – FabrikamDC 10.20.0.10

The main tasks in this exercise are:


1. Prepare the forest and domain to allow the Fabrikam.Com forest to accept
Windows Server 2008 domain controllers.
2. Configure reciprocating DNS zone transfers using stub zones between
Woodgrovebank.com and Fabrikam.com.
3. Rename NYC-SRV1 to VAN-DC2.
4. Promote the Windows Server 2008 server to a domain controller in the
Fabrikam domain.
5. Configure a forest trust between WoodgroveBank.com and Fabrikam.com for
selective authentication.
6. Configure selective authentication for the WoodgroveBank Domain Admins
group.


Start the following virtual servers, using the logon information below:
• NYC-DC1
• VAN-DC1
• NYC-SRV1
• NYC-DC2
• NYC-RAS

Logon information:
• Virtual Machine: VAN-DC1, NYC-SRV1
• User Name: Administrator
• Password: Pa$$w0rd

Task 1: Prepare the forest and domain to allow the Fabrikam.Com forest to accept Windows Server 2008 domain controllers

1. Log on to VAN-DC1 as Administrator with a password of Pa$$w0rd.
2. Open Active Directory Users and Computers.
3. Right-click Fabrikam.com, and then click Raise Domain Functional Level.
4. Raise the domain functional level to Windows Server 2003.
5. Open Active Directory Domains and Trusts.
6. Right-click Active Directory Domains and Trusts and then click Raise Forest
Functional Level.
7. Raise the forest functional level to Windows Server 2003.
8. Capture the Windows Server 2008 ISO file in C:\Program Files\Microsoft
Learning\6425\Drives on the host computer.
9. From a command prompt, enter the following command:
D:\Sources\Adprep\adprep /forestprep. Read the warning message and
then type C to continue. Forestprep will take a few moments to complete.
10. In the command prompt window, type E:\Sources\Adprep\adprep
/domainprep


Task 2: Configure reciprocating DNS zone transfers using stub zones between Woodgrovebank.com and Fabrikam.com

1. On VAN-DC1 launch the DNS management console.
2. Configure the Fabrikam.com zone to allow zone transfers.
3. Switch to NYC-DC1.
4. Configure the WoodgroveBank.com zone to allow zone transfers.
5. Launch the New Zone Wizard.
6. On the Zone Type screen, click Stub Zone.
7. On the Active Directory Zone Replication Scope screen, click Next.
8. On the Zone Name screen type Fabrikam.com.
9. On the Master DNS Servers screen, type 10.20.0.10, and then finish the
wizard. It will take a few moments for the zone transfer to occur. You must
refresh the console to see the changes.
10. Close the DNS Manager.
11. Switch to VAN-DC1.
12. Launch the New Zone Wizard.
13. On the Zone Type screen, click Stub Zone.
14. On the Active Directory Zone Replication Scope screen, click Next.
15. On the Zone Name screen, type WoodgroveBank.com.
16. On the Master DNS Servers screen, type 10.10.0.10 and then finish the
wizard. It will take a few moments for the zone transfer to occur. You will have
to refresh the console to see the changes.
17. Close the DNS Manager.
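Both this task and Lab A Tasks 6 to 8 turn on zone transfers and then pull a copy of the zone to another server. The console steps leave open which hosts may request a transfer; a zone that transfers to any server hands its complete host inventory to whoever asks. The following commands are an added example, not part of the courseware, showing the same configuration with dnscmd (installed with the DNS Server role on Windows Server 2008) and with each zone's transfer list limited to the servers the lab actually points at it. Server names and addresses are the lab's; the event filter at the end assumes the DNS Server log is readable from the machine running the script.

```powershell
# Added example (not part of the course). dnscmd ships with the DNS Server role on
# Windows Server 2008; the server names and addresses are the lab's.

# Run on NYC-DC1: allow transfers of WoodgroveBank.com only to the servers that
# hold a copy of it (ContosoDC secondary, VAN-DC1 stub) rather than to any server.
dnscmd NYC-DC1 /ZoneResetSecondaries WoodgroveBank.com /SecureList 192.168.0.10 10.20.0.10

# Run on ContosoDC (Lab A, Task 8): standard secondary zone pulled from the master.
dnscmd ContosoDC /ZoneAdd WoodgroveBank.com /Secondary 10.10.0.10

# Run on VAN-DC1 (Lab B, Task 2): AD-integrated stub zone for the partner forest,
# and the matching transfer restriction on the Fabrikam.com zone (NYC-DC1 only).
dnscmd VAN-DC1 /ZoneAdd WoodgroveBank.com /DsStub 10.10.0.10
dnscmd VAN-DC1 /ZoneResetSecondaries Fabrikam.com /SecureList 10.10.0.10

# Run on NYC-DC1: the reciprocal stub zone for Fabrikam.com.
dnscmd NYC-DC1 /ZoneAdd Fabrikam.com /DsStub 10.20.0.10

# Review the zone settings (the secure-secondaries list is part of the output) and
# force the secondary to refresh instead of waiting for the SOA refresh interval.
dnscmd NYC-DC1 /ZoneInfo WoodgroveBank.com
dnscmd ContosoDC /ZoneRefresh WoodgroveBank.com

# The transfer events the lab asks you to examine under Global Logs / DNS Events
Get-EventLog -LogName 'DNS Server' -ComputerName NYC-DC1 -Newest 50 |
    Where-Object { $_.Message -match 'transfer' } |
    Format-List TimeGenerated, EventID, Message
```

The /SecureList form replaces the "To any server" choice; a transfer request from an address outside the list is refused and logged, which is also what you want to see when testing from an unlisted host.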

Task 3: Rename NYC-SRV1 to VAN-DC2

1. Log on to NYC-SRV1 as Administrator with a password of Pa$$w0rd.
2. In Server Manager, click Change System Properties.
3. Change the name of the computer to VAN-DC2, and then restart the
computer.


Task 4: Promote the Windows Server 2008 server to a domain controller in the Fabrikam domain

1. Log on to VAN-DC2 as Administrator with a password of Pa$$w0rd.
2. Add the Active Directory Domain Services role.
3. Launch DCPromo.exe.
4. On the Choose a Deployment Configuration screen, click Existing forest and
keep the default choice of Add a domain controller to an existing domain.
5. On the Network Credentials screen, type Fabrikam.com in the domain name
field, and then click Set and use the following credentials:
• User name: Fabrikam\Administrator
• Password: Pa$$w0rd
6. On the Select a Domain screen, click Fabrikam.com. Click Yes to
acknowledge the message about RODCs.
7. On the Select a Site screen, click Next.
8. On the Additional Domain Controller options, clear the DNS Server and
Global Catalog checkboxes.
9. On the Infrastructure Master Configuration Conflict screen, click Transfer
the infrastructure master role to this domain controller.
10. On the Location for Database, Log Files and Sysvol screen, click Next.
11. On the Directory Services Restore Mode Administrator Password, type
Pa$$w0rd in the fields.
12. On the Summary page click Next and then Reboot on completion.
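The wizard choices in this task and in Lab A Task 9 map one-to-one onto dcpromo answer-file keys, which is how the same promotion is done repeatably or on a Server Core installation. The script below is an added example, not part of the courseware: it writes the [DCInstall] section for either case and runs dcpromo unattended. It assumes Windows Server 2008 dcpromo and PowerShell 2.0; the file path C:\promote.txt is an assumption. Password=* makes dcpromo prompt for the account password rather than read it from disk, but the DSRM password still has to be in the file, so delete the file once the promotion has started.

```powershell
# Added example (not part of the course). Writes a dcpromo answer file and runs the
# promotion unattended; equivalent to the wizard choices in Lab A Task 9 (new tree
# root) or Lab B Task 4 (additional DC). Assumes Windows Server 2008 dcpromo.
function New-DcPromoAnswerFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string[]]$Settings
    )
    # Password=* makes dcpromo prompt for the account password instead of reading it
    # from the file; the DSRM password must be in the file, so treat it as a secret.
    $common = @(
        'UserName=Administrator',
        'Password=*',
        'SafeModeAdminPassword=Pa$$w0rd',
        'RebootOnCompletion=Yes'
    )
    @('[DCInstall]') + $Settings + $common | Set-Content -Path $Path
}

# Lab A, Task 9: new domain tree Contoso.com in the existing Woodgrovebank.com forest
$treeRoot = @(
    'ReplicaOrNewDomain=Domain',
    'NewDomain=Tree',
    'NewDomainDNSName=Contoso.com',
    'DomainNetbiosName=CONTOSO',
    'DomainLevel=3',              # 3 = Windows Server 2008 domain functional level
    'InstallDNS=Yes',
    'ConfirmGc=Yes',
    'UserDomain=Woodgrovebank.com'
)

# Lab B, Task 4: additional DC for Fabrikam.com with neither DNS nor GC, taking the
# infrastructure master role if it currently sits on a GC (the wizard's conflict prompt)
$replica = @(
    'ReplicaOrNewDomain=Replica',
    'ReplicaDomainDNSName=Fabrikam.com',
    'InstallDNS=No',
    'ConfirmGc=No',
    'TransferIMRoleIfNecessary=Yes',
    'UserDomain=Fabrikam.com'
)

# Pick the settings for the machine being promoted, then run dcpromo against the file
New-DcPromoAnswerFile -Path 'C:\promote.txt' -Settings $replica   # or $treeRoot on ContosoDC
dcpromo /unattend:C:\promote.txt
```

The DSRM password protects an offline copy of the whole directory database, so it should not be the same value as the domain Administrator password outside a lab; the shared Pa$$w0rd here is the course's own convention.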


Task 5: Configure a forest trust between WoodgroveBank.com and Fabrikam.com for selective authentication

1. Switch to NYC-DC1.
2. Open Active Directory Domains and Trusts.
3. On the Properties of WoodgroveBank.com, click the Trusts tab and then click
New Trust.
4. In the New Trust Wizard, click Next.
5. Name the trust Fabrikam.com.
6. Create a Forest Trust.
7. Configure the trust to be One-way: incoming.
8. On the Sides of Trust screen select Both this domain and the specified
domain.
9. Use the following credentials:
• User name: Administrator
• Password: Pa$$w0rd
10. On the Outgoing Trust Authentication Level-Specified Forest screen, click
Selective Authentication.
11. On the Trust Selections Complete screens, click Next.
12. On the Confirm Incoming Trust screen, click Next and finish the wizard.


Task 6: Configure selective authentication for the WoodgroveBank Domain Admins group

1. Switch to VAN-DC1.
2. Open Active Directory Users and Computers.
3. Enable the advanced view feature.
4. In the Domain Controllers OU, open the properties of VAN-DC1.
5. On the VAN-DC1 Properties click the Security tab and then click Add.
6. Grant the WoodgroveBank\Domain Admins group the Allowed to
Authenticate permission.
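Selective authentication only does its job if both halves are in place: the cross-organization bit on the trust (Task 5) and an explicit Allowed to Authenticate grant on each resource computer (Task 6); without the grant, even Domain Admins from WoodgroveBank are refused, and with the bit missing, every WoodgroveBank user is accepted. The script below is an added example, not part of the courseware, that verifies both from the Fabrikam side. It assumes PowerShell 2.0 on VAN-DC2 (the Windows Server 2008 domain controller from Task 4); the computer and group names are the lab's, and the command-line equivalents in the header comment are the netdom and dsacls forms of the two tasks.

```powershell
# Added example (not part of the course). Checks the trust from Task 5 and the
# permission from Task 6 on the Fabrikam (trusting) side. Assumes PowerShell 2.0 on
# VAN-DC2; names are the lab's.
#
# Command-line equivalents of the two tasks, run in the Fabrikam domain:
#   netdom trust Fabrikam.com /domain:WoodgroveBank.com /SelectiveAuth:yes
#   dsacls "CN=VAN-DC1,OU=Domain Controllers,DC=Fabrikam,DC=com" /G "WOODGROVEBANK\Domain Admins:CA;Allowed to Authenticate"
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = $rootDse.Properties['defaultNamingContext'].Value        # DC=Fabrikam,DC=com
$configNc = $rootDse.Properties['configurationNamingContext'].Value

# trustAttributes bits defined for the trustedDomain class
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # set when selective authentication is on

function Get-TrustStatus {
    param([string]$PartnerDns)
    # The trusted-domain object under CN=System is named after the partner's DNS name
    $tdo  = [ADSI]"LDAP://CN=$PartnerDns,CN=System,$domainNc"
    $attr = [int]$tdo.Properties['trustAttributes'].Value
    $dir  = [int]$tdo.Properties['trustDirection'].Value   # 1 inbound, 2 outbound, 3 both
    New-Object PSObject -Property @{
        Partner       = $PartnerDns
        # Outbound here: Fabrikam trusts the partner, so partner users can authenticate to
        # Fabrikam resources. That is the 'One-way: incoming' choice seen from Woodgrove.
        Outbound      = (($dir  -band 2) -ne 0)
        ForestTrust   = (($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE)  -ne 0)
        SelectiveAuth = (($attr -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -ne 0)
    }
}

function Get-AllowedToAuthenticate {
    param([string]$ComputerDn)
    # Resolve the rightsGuid of the control access right instead of hard-coding it
    $searcher = New-Object DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Extended-Rights,$configNc",
        '(&(objectClass=controlAccessRight)(displayName=Allowed to Authenticate))')
    $rightGuid = [guid]($searcher.FindOne().Properties['rightsguid'][0])
    $entry = [ADSI]"LDAP://$ComputerDn"
    $entry.ObjectSecurity.GetAccessRules($true, $true, [Security.Principal.NTAccount]) |
        Where-Object { $_.ObjectType -eq $rightGuid } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

$trust = Get-TrustStatus 'WoodgroveBank.com'
$trust | Format-List Partner, Outbound, ForestTrust, SelectiveAuth
if (-not $trust.SelectiveAuth) { Write-Warning 'Selective authentication is not enabled; every WoodgroveBank user can authenticate here' }

$dcDn    = "CN=VAN-DC1,OU=Domain Controllers,$domainNc"
$allowed = @(Get-AllowedToAuthenticate $dcDn)
$allowed | Format-Table -AutoSize
$adminsOk = $allowed | Where-Object { $_.IdentityReference -like '*\Domain Admins' -and $_.AccessControlType -eq 'Allow' }
if (-not $adminsOk) { Write-Warning "No Allowed to Authenticate grant for Domain Admins on $dcDn" }
```

Grants appearing in the second table that you did not add are the ones to investigate: each one widens the set of foreign principals the trust admits to that computer.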

Task 7: Shut down servers

• Shut down VAN-DC1 and VAN-DC2 and delete the changes.

Result: At the end of this exercise, you will have created a forest trust.


Overview of the AD DS Group Policy Object Design

Key Points
The graphic depicts the current organizational unit configuration at Woodgrove
Bank.


Lab C: Designing a Group Policy Strategy

Scenario:
As the network administrator for WoodgroveBank.Com, you are responsible for
developing a desktop and security policy that can be centrally managed through
group policies.


Exercise 1: Planning Group Policies


Scenario
You have been tasked to create a computer security policy that can be delivered
through group policy. You will create any required OUs and create and link the
appropriate policies to them. The corporate policy dictates that servers will be
located in a separate OU tree structure based on their role. There are file and
print servers, SQL servers, and Web servers to consider.
Use the domain diagram to help you plan the group policy and OU structure.
Fill in the table to describe the GPOs that must be created, what settings each will
contain, and where the GPOs will be linked.
The main tasks for this exercise are:
1. Create a global security policy to be enforced on all computers in the domain
as follows:
• All computers will have the built-in Administrator account renamed to
Admin.
• The IT Admins global group will be added to the local Administrators
group.
• Windows Updates will come from an internal Web server named
http://updates.
2. Create a security policy to be enforced on all servers with further security
settings based on the server role as follows:
• All member servers will have the built-in Administrator account renamed
to SRVAdmin.
• Account logon events will be audited on all servers.
• Internet Explorer will not be allowed to run on any server.
• SQL servers will prevent the installation of any removable devices.


3. Configure a corporate desktop policy as follows:
• Access to screen saver settings will be blocked for all domain users.
• Users in Toronto and Miami will not be allowed to run Windows
Messenger.
• Domain users will not be allowed to add new printers. Users in the Admin
OU will be exempt from this setting.
• Encryption of offline files will be enforced for the Executives OU.
• Access to Control Panel will be prohibited for all users except domain
administrators.
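The server requirements in tasks 1 and 2 split into two kinds of setting: the renamed Administrator account, the audit policy and the local group membership live under Security Settings and can be expressed as a security template, while the update server and the removable-device block are Administrative Template settings that end up as registry values under the Policies hive. The script below is an added example, not part of the courseware: it writes the server baseline as a template, runs secedit in analyze mode (which compares without changing anything) against a member server, and checks the registry values the Administrative Template settings write. It assumes PowerShell 2.0 on a domain-joined Windows Server 2008 member server; the group, server and URL names are the lab's, and the C:\Temp paths are assumptions.

```powershell
# Added example (not part of the course). Expresses the server part of the security
# policy as a security template and compares a member server against it.
# Assumes PowerShell 2.0 on a domain-joined Windows Server 2008 member server;
# the group, server and URL names are the lab's, the file paths are assumed.
$inf = 'C:\Temp\ServerBaseline.inf'
$db  = 'C:\Temp\ServerBaseline.sdb'
$log = 'C:\Temp\ServerBaseline.log'
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null

# Settings carried by Security Settings: renamed built-in Administrator, account
# logon auditing (3 = success and failure) and IT Admins in local Administrators.
# '__Memberof' adds the group without touching other members; a '__Members' line on
# Administrators would replace the whole membership, the classic Restricted Groups mistake.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
NewAdministratorName = "SRVAdmin"
[Event Audit]
AuditAccountLogon = 3
[Group Membership]
WOODGROVEBANK\IT Admins__Memberof = Administrators
'@ | Set-Content -Path $inf -Encoding Unicode

# Analyze only (no /configure): differences between template and live machine go to the log
& secedit /analyze /db $db /cfg $inf /log $log /overwrite /quiet
Get-Content $log | Select-String -Pattern 'Mismatch'

# The remaining requirements are Administrative Template settings; check the
# registry values those templates write under the Policies hive.
function Test-PolicyValue {
    param([string]$Path, [string]$Name, $Expected)
    $item   = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.$Name } else { $null }
    New-Object PSObject -Property @{
        Setting  = "$Path\$Name"
        Expected = $Expected
        Actual   = $actual
        Ok       = ($actual -eq $Expected)
    }
}
$checks = @(
    (Test-PolicyValue 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' 'WUServer' 'http://updates'),
    (Test-PolicyValue 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' 'UseWUServer' 1),
    # Expected only on machines in the SQL servers OU (Prevent installation of removable devices)
    (Test-PolicyValue 'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions' 'DenyRemovableDevices' 1)
)
$checks | Format-Table Setting, Expected, Actual, Ok -AutoSize
```

Running the analysis on a server from each role OU, after a gpupdate, shows whether the planned link points and precedence (the domain-wide Admin rename overridden by SRVAdmin on member servers) produce the intended result.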


GPO Name Settings Linked to …


Exercise 2: Implementing the Corporate Desktop Policy

Scenario
You have been tasked to implement the Corporate Desktop Policy for the
Woodgrove Bank domain. You will create and link the appropriate GPOs.
The main tasks for this exercise are:
1. Create and link the Domain Desktop Policy.
2. Create and link the Prohibit Control Panel GPO.
3. Create and link the Force Offline File Encryption GPO.
4. Create and link the Block Windows Messenger GPO.
5. Create and link the Allow Adding Printers GPO.

Task 1: Create and link the Domain Desktop Policy

1. Start NYC-DC1.
2. Log on as Administrator with a password of Pa$$w0rd.
3. Open the Group Policy Management console.
4. Create and link a GPO named Domain Desktop Policy to the
Woodgrovebank.com domain.
5. Edit the Domain Desktop Policy as follows:
• Expand User Configuration, Administrative Templates, Control Panel,
and then Printers. Enable the Prevent additions of printers setting.
6. Under Control Panel, Display, enable the Hide Screen Saver tab setting.
7. Close the Group Policy Management Editor.


Task 2: Create and link the Prohibit Control Panel GPO

1. Create and link a GPO named Prohibit Control Panel to the
Woodgrovebank.com domain. Edit the Prohibit Control Panel GPO as follows.
2. Expand User Configuration, Administrative Templates, and then Control
Panel.
• Enable the Prohibit access to the Control Panel setting.
3. Close the Group Policy Management Editor.
4. Double-click the Prohibit Control Panel GPO, click the Delegation tab in the
details pane, and then click Advanced.
5. In the Prohibit Control Panel Security Settings dialog box, select Domain
Admins, check the checkbox to Deny the Apply group policy permission and
then click OK.
6. Click Yes to acknowledge the message. This will exempt the Domain Admins
group from the policy.

Task 3: Create and link the Force Offline File Encryption GPO

1. Right-click the Executives OU, and then click Create a GPO in this domain,
and link it here.
2. In the New GPO dialog box, type Force Offline File Encryption in the Name
field and then click OK.
3. Right-click the Force Offline File Encryption and then click Edit.
4. Expand Computer Configuration, expand Administrative Templates,
expand Network, and then click Offline Files.
5. In the detail pane, double-click Encrypt the Offline Files cache.
6. In the Encrypt the Offline Files cache Properties dialog box, click Enabled,
and then click OK.
7. Close the Group Policy Management Editor.


Task 4: Create and link the Block Windows Messenger GPO

1. Right-click the Miami OU and then click Create a GPO in this domain, and link
it here.
2. In the New GPO dialog box, type Block Windows Messenger in the Name
field, and then click OK.
3. Right-click Block Windows Messenger, and then click Edit.
4. Expand User Configuration, expand Administrative Templates, expand
Windows Components, and then double-click Windows Messenger.
5. In the details pane, double-click Do not allow Windows Messenger to be run.
6. In the Do not allow Windows Messenger to be run Properties dialog box,
click Enabled, and then click OK.
7. Close the Group Policy Management Editor.
8. Right-click the Toronto OU and then click Link an Existing GPO.
9. In the Select GPO dialog box, click Block Windows Messenger and then click
OK.


Task 5: Create and link the Allow Adding Printers GPO

1. Right-click the IT Admins OU, and then click Create a GPO in this domain,
and link it here.
2. In the New GPO dialog box, type Allow Adding Printers in the Name field,
and then click OK.
3. Right-click Allow Adding Printers, and then click Edit.
4. Expand User Configuration, expand Administrative Templates, expand
Control Panel and then click Printers. In the details pane, double-click
Prevent additions of printers.
5. In the Prevent additions of printers Properties dialog box, click Disabled and
then click OK.
6. Close the Group Policy Management Editor.
7. Close the GPMC.
8. Shut down all virtual machines and delete any changes.
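After Tasks 1 to 5 the two things worth confirming are where each GPO is linked and who has been exempted from it: a GPO linked one level too high, or a Deny on Apply group policy given to the wrong trustee, changes which users the desktop restrictions reach. The script below is an added example, not part of the courseware: it uses the GPMC COM interfaces (installed with the Group Policy Management feature on Windows Server 2008, which is what the GPMC console itself uses) to look up each GPO by name, list the domain and OU paths that link it, and list the trustees denied Apply group policy on Prohibit Control Panel. It assumes PowerShell 2.0 on NYC-DC1; the OU names come from the lab, but their placement directly under the domain is an assumption to be adjusted to the domain diagram.

```powershell
# Added example (not part of the course). Uses the GPMC COM interfaces that come with
# the Group Policy Management feature on Windows Server 2008; run on NYC-DC1.
$gpm    = New-Object -ComObject GPMgmt.GPM
$const  = $gpm.GetConstants()
$domain = $gpm.GetDomain('Woodgrovebank.com', '', $const.UseAnyDC)

function Get-GpoByName {
    param([string]$DisplayName)
    $crit = $gpm.CreateSearchCriteria()
    $crit.Add($const.SearchPropertyGPODisplayName, $const.SearchOpEquals, $DisplayName)
    $result = $domain.SearchGPOs($crit)
    if ($result.Count -ne 1) { throw "Expected exactly one GPO named '$DisplayName', found $($result.Count)" }
    $result.Item(1)    # GPMC collections are 1-based
}

function Get-GpoLinkPaths {
    param($Gpo)
    # Every scope of management (domain or OU) that has a link to this GPO
    $crit = $gpm.CreateSearchCriteria()
    $crit.Add($const.SearchPropertySOMLinks, $const.SearchOpContains, $Gpo)
    foreach ($som in $domain.SearchSOMs($crit)) { $som.Path }
}

function Get-ApplyDenials {
    param($Gpo)
    # Trustees explicitly denied 'Apply group policy' (the Task 2 exemption)
    foreach ($perm in $Gpo.GetSecurityInfo()) {
        if ($perm.Denied -and $perm.Permission -eq $const.PermGPOApply) { $perm.Trustee.TrusteeName }
    }
}

# Where each GPO from Tasks 1-5 is expected to be linked (OU placement is assumed)
$expected = @{
    'Domain Desktop Policy'         = 'DC=Woodgrovebank,DC=com'
    'Prohibit Control Panel'        = 'DC=Woodgrovebank,DC=com'
    'Force Offline File Encryption' = 'OU=Executives,DC=Woodgrovebank,DC=com'
    'Block Windows Messenger'       = 'OU=Miami,DC=Woodgrovebank,DC=com'
    'Allow Adding Printers'         = 'OU=IT Admins,DC=Woodgrovebank,DC=com'
}
foreach ($name in $expected.Keys) {
    $gpo   = Get-GpoByName $name
    $links = @(Get-GpoLinkPaths $gpo)
    $state = if ($links -contains $expected[$name]) { 'OK' } else { 'MISSING' }
    '{0,-30} linked at: {1}  [{2}]' -f $name, ($links -join '; '), $state
}
$denied = @(Get-ApplyDenials (Get-GpoByName 'Prohibit Control Panel'))
"Denied 'Apply group policy' on Prohibit Control Panel: " + ($denied -join ', ')
```

Block Windows Messenger should show two link paths (Miami and Toronto); any trustee other than Domain Admins in the final line has been exempted from the Control Panel restriction.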

Result: At the end of this exercise, you will have implemented a Group Policy
strategy.


Module Review and Takeaways

Considerations
Keep the following in mind when implementing an Active Directory Domain
Services infrastructure:
• Sites can be used to control the scope of logon traffic.
• Separate trees in the forest allow multiple DNS namespaces to exist.


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your
learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential, and will
use your responses to improve your future learning experience. Your open and
honest feedback is valuable and appreciated.
