IT ACADEMY LESSON PLAN. Microsoft Windows Server Active Directory


2008 IT ACADEMY LESSON PLAN Microsoft Windows Server Active Directory

Microsoft Windows Server 2008 Active Directory: Lesson Plans

Introduction

Preparing to teach a course on Microsoft Windows Server 2008 Active Directory Configuration, based on Exam : TS: Active Directory Configuration, for the first time can be a challenge requiring careful planning and organization. The Microsoft IT Academy provides these lesson plans to help you save time, skillfully manage the teaching environment, and successfully communicate the intended lesson. The lesson plans are flexible and have been created in a concise format of small teachable units to allow you to use them with any textbook. To support a textbook-independent teaching style, each lesson plan contains suggested demonstrations and explanations.

These lesson plans have been developed to be independent of a predefined lesson schedule. Whether the course is taught in a one-semester or one-quarter term format, we suggest the following class format: a 60-minute lesson lecture followed by a 120-minute lab (hands-on performance) session. This model is recommended in order to increase student performance and enhance the knowledge and skills gained through active participation in the course.

Each lesson plan includes:
- Learning Goals for each lesson.
- Learning Objectives that may be observed throughout the lesson.
- Lecture Outline that details what to present in each class.
- Quick Quiz of multiple choice and true/false type questions.
- Lesson Exercises and Lesson Projects, provided at the end of each Lesson Plan to directly connect the student with the materials that have just been covered in class. The projects can be used independent of a textbook or as an assessment to determine skill mastery. To simplify the scoring process, an annotated answer key for each exercise and project is included to adequately determine if the learning objective was accomplished through the process of lecture and activity.
- Microsoft Video Resources at the end of each unit provide links to video resources available for classroom use at no charge through your IT Academy membership. They can be used in class or by students as self-paced instruction or as lesson reinforcement outside of class.

Lesson 1: An Introduction to Active Directory Domain Services

Learning Goals

The goal of this lesson is to introduce students to the Windows Server 2008 Active Directory Domain Services (AD DS) and to point out the benefits of AD DS. The student will learn about the features of AD DS.

Learning Objectives

Upon completion of this lesson, students will be able to understand:
- Active Directory domain service
- Active Directory security
- Components of Active Directory
- Active Directory naming standards
- Working with functional levels in Active Directory

Lesson Introduction

Explain that Microsoft Windows Server 2008 includes Active Directory Services that assist the administrator in managing and securing the network. Students will learn what Active Directory is, its components, and its functional levels.

What is Active Directory Domain Services?

Instructors should do the following:
- Explain that directory services allow network administrators to define, manage, access, and secure network resources.
- Point out that the two components of Windows Server 2008 that provide directory services are Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
- Explain that AD DS provides full directory services and is commonly referred to as Active Directory.
- Explain that AD LDS is a flexible platform that offers Active Directory functionality without the full overhead.
- Point out that any computer configured to use the Active Directory DS role is considered to be a domain controller.
- Explain that the ability of Active Directory to keep all network domain controllers apprised of changes to the system is called replication.
- Point out that the process of a domain controller transmitting replication information to another domain controller is called outbound replication.

- Point out that the process of a domain controller receiving updates from Active Directory via another domain controller is called inbound replication.
- Explain that Active Directory is used to simplify the security management of network resources and to extend interoperability with applications and devices.

What is Active Directory Security?

Instructors should do the following:
- Point out that interoperability with prior versions of Microsoft Windows Active Directory Service is available in Windows Server 2008 through domain functional levels.
- Explain that Windows Server 2008 no longer supports the use of Windows NT domain controllers.
- Explain that Windows Server 2008 provides single sign-on access to any server on the domain.
- Explain that Active Directory offers a redundant solution and creates a fault-tolerant system in the event of server failure or network connectivity failure.
- Point out that the Active Directory database file (ntds.dit) is the common database file that is replicated to other domain controllers when changes occur.
- Explain that Windows Server 2008 includes a Read-Only Domain Controller (RODC) option, which maintains a copy of the ntds.dit file that cannot be modified. This file increases security for branch-office deployments.
- Explain that Publishing is a way to make an object available to the network as a resource listed in the Active Directory.

What Are the Components of Active Directory?

Instructors should do the following:
- Explain that components in Active Directory provide flexibility through design, scalability, administration, and security.
- Point out that objects in Active Directory are categorized as container objects or leaf objects.
- Explain that a container object is an object that houses other objects.
- Explain that a leaf object cannot contain other objects and typically refers to a printer, folder, user, or group.
- Point out that the largest container object in Active Directory is called a forest.
- Explain that a forest enables a user to access resources across an entire Active Directory forest using a single logon.

- Point out that for efficiency, partitions are used to divide information into naming contexts (NC).
- Explain that the two NCs that are replicated forest-wide and stored in the ntds.dit file are the Schema NC and Configuration NC.
- Point out that the Schema NC contains rules and definitions for creating and modifying object classes within Active Directory.
- Point out that the Configuration NC contains information regarding the physical topology of the network.
- Explain that each domain controller stores a copy of the Domain NC that consists of user, computer, and other information for a particular Active Directory domain.
- Explain that within a forest, Active Directory further divides to create administrative boundaries.
- Point out that a domain tree is a logical grouping of network resources and devices that contain one or more domains.
- Explain that the Active Directory global catalog is not considered a formal partition but should be replicated throughout the forest.
- Point out that the Active Directory can contain one or more organizational units (OUs) that can further subdivide users and resources.
- Explain that an OU is a container that represents a logical grouping of resources that have similar security guidelines.
- Point out that OUs are nested in hierarchical fashion, allowing a parent OU to contain one or more child OUs.
- Explain that the administration of an OU can be delegated to a department supervisor or manager to allow that person to manage daily resource access tasks.
- Explain that the Application Partition allows administrators to fine-tune administration by designating where information will be replicated to in the domain or forest.
- Explain that each resource in Active Directory is represented as an object and each object has a set of attributes.
- Explain that objects in Active Directory are defined in the Active Directory schema.
- Point out that a schema is a master database containing definitions of all objects in the Active Directory.
- Explain that a schema is created from two components: the object and its attributes.
- Explain that common attributes for all objects include a unique name, a globally unique identifier (GUID), required object attributes, and optional object attributes.

- Point out that a site in Active Directory is defined as one or more IP subnets that are connected.
- Explain that replication within a site takes place at regularly scheduled intervals that are defined by the administrator.
- Explain that the Knowledge Consistency Checker (KCC) au-

What Are the Active Directory Naming Standards?

Instructors should do the following:
- Explain that the Lightweight Directory Access Protocol (LDAP) has become the industry standard, since it enables data exchange between directory services and applications.
- Point out that LDAP defines the naming of all objects in the Active Directory database.
- Explain that a Distinguished Name (DN) defines an object in the Active Directory structure through its hierarchical path.
- Point out that the LDAP Naming Attributes include the Common Name, Organizational Unit Name, and Domain Components.
- Explain that the Domain Name System (DNS) is Active Directory's default name resolution method.
- Point out that the configuration of DNS is critical for proper functioning of Active Directory.
- Explain that DNS is a distributed name resolution service that provides name resolution for Active Directory domain and computer host name to IP address mappings on the network.
- Point out that computers are assigned an IP address and a DNS host name at installation.
- Explain that Active Directory relies on DNS to be a locator service for clients on the network.
- Explain that SRV records are the locator records within DNS that allow the client to locate an Active Directory domain controller.
- Explain that without SRV records, clients will be unable to authenticate against Active Directory.
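The naming points above tie an object's distinguished name to the DNS domain whose SRV records clients use to find a domain controller. The Python sketch below is an added example, not part of the lesson plan: it derives the DNS domain from a DN and audits a zone listing for the locator SRV records a domain controller registers. The domain corp.example.com, the zone lines, the function names, and the single-domain forest (so that _gc._tcp sits under the same name) are assumptions constructed for illustration.

```python
import re

# Standard ports for the services a domain controller advertises through SRV records.
SERVICE_PORTS = {"_ldap": 389, "_kerberos": 88, "_gc": 3268}

# Zone-file form of an SRV record: owner TTL IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def dn_to_dns_domain(dn):
    """Build the DNS domain name from the DC= components of a distinguished name."""
    # Split on commas that are not escaped with a backslash (e.g. "CN=Smith\, Jane").
    rdns = [part.strip() for part in re.split(r"(?<!\\),", dn)]
    labels = [rdn.split("=", 1)[1] for rdn in rdns if rdn.upper().startswith("DC=")]
    if not labels:
        raise ValueError("no DC components in DN: %r" % dn)
    return ".".join(labels).lower()


def expected_locator_names(domain):
    """Owner names of the locator SRV records for a single-domain forest (assumption)."""
    return [
        "_ldap._tcp." + domain,
        "_kerberos._tcp." + domain,
        "_ldap._tcp.dc._msdcs." + domain,
        "_kerberos._tcp.dc._msdcs." + domain,
        "_ldap._tcp.pdc._msdcs." + domain,
        "_gc._tcp." + domain,
    ]


def parse_srv(line):
    """Return the fields of one SRV record as a dict, or None if the line is not one."""
    m = SRV_LINE.match(line.strip())
    if not m:
        return None
    name = m.group("name").rstrip(".").lower()
    labels = name.split(".", 2)
    # An SRV owner name starts with _service._protocol followed by the domain part.
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        return None
    return {
        "name": name,
        "service": labels[0],
        "protocol": labels[1],
        "domain": labels[2],
        "ttl": int(m.group("ttl")),
        "priority": int(m.group("priority")),
        "weight": int(m.group("weight")),
        "port": int(m.group("port")),
        "target": m.group("target").rstrip(".").lower(),
    }


def audit_locator_records(dn, zone_text):
    """Report locator records that are missing or registered on an unexpected port."""
    domain = dn_to_dns_domain(dn)
    records = [r for r in map(parse_srv, zone_text.splitlines()) if r]
    present = {r["name"] for r in records}
    missing = [n for n in expected_locator_names(domain) if n not in present]
    wrong_port = [r["name"] for r in records
                  if SERVICE_PORTS.get(r["service"]) not in (None, r["port"])]
    return {"domain": domain, "missing": missing, "wrong_port": wrong_port}


# Constructed sample input: a user DN with an escaped comma and a zone listing that
# lacks the Kerberos dc._msdcs record and registers the global catalog on port 389.
SAMPLE_DN = "CN=Smith\\, Jane,OU=Sales,DC=corp,DC=example,DC=com"
SAMPLE_ZONE = """
_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_kerberos._tcp.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.pdc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_gc._tcp.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
"""

if __name__ == "__main__":
    report = audit_locator_records(SAMPLE_DN, SAMPLE_ZONE)
    print("DNS domain:", report["domain"])
    print("Missing SRV records:", report["missing"])
    print("Unexpected port:", report["wrong_port"])
```

A missing or mis-registered locator record found this way is the condition the last point describes: clients cannot locate a domain controller for that service.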

Working with Functional Levels in Active Directory

Instructors should do the following:
- Point out that functional levels may be changed in Active Directory for a single domain within a multi-domain environment, allowing for rolling upgrades.
- Explain that changing functional levels is an irreversible action that can be undone only through a systemwide restore.
- Explain that the following are functional levels available in Windows Server 2008: Windows 2000 Native, Windows Server 2003, and Windows Server
- Point out that the following functionality is available for the Windows 2000 Native level: Install from Media, Application partitions, Drag-and-drop user interface, Global Group nesting and Universal Security groups, and SIDHistory.
- Point out that with the Windows Server 2003 functional level, the Windows 2000 Native level function is available as well as the following additional functions: lastlogontimestamp attributes, Passwords and inetorgperson objects, and Domain rename.
- Point out that the Windows 2000 functional level is the default forest functional level for Windows Server 2008 and includes the following features: Install from Media, Universal group caching, and Application Directory Partitions.
- Point out that the Windows Server 2003 functional level includes all Windows Server 2000 features as well as the following: Improved replication of group objects, Dynamic auxiliary class objects, User objects can be converted to inetOrgPerson objects, Schema deactivations, Domain rename, Cross-forest trusts permitted, and Improved Intersite Topology Generator (ISTG).
- Discuss the guidelines that are important for raising a forest level in Windows Server
- Explain that trust relationships are used in Windows Server 2008 to allow access to multiple domains across enterprise networks.
- Point out that in a trust relationship, administrators from one domain grant access to resources for administrators from another domain.
- Explain that a shortcut trust or direct path between two domains may be created to expedite the process of creating a trust relationship.
- Explain that although an external trust can be created, allowing users in the trusting domain to have access to a trusted domain, it is a one-way trust. Users in the trusted domain may not access the trusting domain.

- Explain that a cross-forest trust can be created, allowing users in domains running at least Windows Server 2003 functional levels to establish either one-way or two-way relationships.

Lesson Quiz

True/False
1. Active Directory utilizes a single-master database, with all updates and changes made on the primary domain controller.
2. A domain is the largest container object in Active Directory.
3. By default, security settings applied to an organizational unit will be inherited by all child organizational units.
4. Active Directory uses SRV records in DNS to locate domain controllers and global catalog servers.
5. Each domain within a single Active Directory forest will have its own individual Schema.

Multiple Choice
1. Which of the following are valid container objects in Active Directory? Choose three.
  a) Organizational units
  b) Forests
  c) Domains
  d) Security groups
2. The Schema database contains what two types of information?
  a) Object attributes
  b) User names
  c) Object classes
  d) Active Directory containers
3. Active Directory uses what protocol for the basis of its naming format?
  a) NetBios
  b) DNS
  c) Answer Choice
  d) LDAP

4. What is the default forest functional level in Windows Server 2008 Active Directory?
  a) Windows Server 2003
  b) Windows Server 2000
  c) Windows Server 2000 Mixed
  d) Windows Server
5. What type of trust can be created to improve performance between two Active Directory domains within the same forest that may be separated by a slow WAN link?
  a) External trust
  b) Two-way transitive trust
  c) Shortcut trust
  d) Direct domain trust

Quiz Answers

True/False
1. False. Active Directory utilizes a multi-master database.
2. False. A forest is the largest container object in Active Directory.
3. True.
4. True.
5. False. The Schema is defined at the forest level for all domains in a forest.

Multiple Choice
1. A, B, C
2. A, C
3. D
4. B
5. C

Class Projects

Lesson 1 Exercise 1

List and explain the three partitions or naming contexts that are present on each domain controller. Explain how each is replicated. Explain what an application partition is used for. List eight types of objects that can be contained in an organizational unit.

Lesson 1 Project 1

List and explain the three domain functional levels supported in Windows Server 2008 Active Directory. What features are supported with each functional level? Give an example of when each functional level would be appropriate. What are the three forest functional levels supported in Windows Server 2008 Active Directory? How do forest functional levels differ from domain functional levels?

Microsoft Video Resources

Windows Server 2008 R2 Quick Look Active Directory Administrative Center
This video provides a quick look at Active Directory Administrative Center, the new administrative tool in Windows Server 2008 R2. Length: 6:25

Windows Server 2008 R2 Quick Look System Health Report
A quick look at System Health Report, a tool in Windows Server 2008 R2 that helps you analyze your servers and provides you with prescriptive system diagnosis. Length: 4:36

Lesson 2: Implementation of Active Directory

Learning Goals

The goal of this lesson is to guide students through the implementation of Windows Server 2008 Active Directory Domain Services (AD DS). Point out that students will use the components of AD DS that were discussed previously.

Learning Objectives

Upon completion of this lesson, students will be able to understand:
- Active Directory requirements
- Installing Active Directory
- Raising functional levels
- Additional Active Directory installation tasks

Lesson Introduction

Explain that Microsoft Windows Server 2008 implementation requires students to understand the system prerequisites that must be in place. Students will learn how to create a new Active Directory forest, domain tree, and domain.

Understanding Active Directory Requirements

Instructors should do the following:
- Explain the importance of being familiar with the Windows Server 2008 Central Administrative Interface.
- Demonstrate and describe the Central Administrative Interface to students.
- Point out that Active Directory is installed by configuring one or more domain controllers.
- Explain that the Active Directory Installation Wizard (dcpromo) is used to guide the installation scenarios of:
  - Adding a domain controller to an existing environment.
  - Creating an entirely new forest structure.
  - Adding a child domain to an existing domain.
  - Adding a new domain tree to an existing forest.
  - Demoting domain controllers and eventually removing a domain or forest.

- Point out that Active Directory may be installed on a full version of Windows Server 2008, Server Core, or a new installation option in Windows Server
- Explain the following requirements for installing Active Directory:
  - The user must have an administrator account and password on the local machine.
  - An NT File System (NTFS) partition for the SYSVOL folder structure must be set up.
  - The NTFS partition must contain a minimum of 200 MB of free space.
  - A minimum of 50 MB of file space is necessary to store the transaction log files.
  - TCP/IP (Transmission Control Protocol/Internet Protocol) must be installed and configured.
  - An Authoritative DNS Server for the DNS domain must be established.
  - The user must know the potential size of the Active Directory database.
- Explain that it is advisable to gather all data needed for the Active Directory installation prior to beginning. The following are needed:
  - Local administrator password
  - Domain controller type
  - Domain name
  - Location for the AD database and log files
  - Location for the SYSVOL folder structure
  - Where DNS will be installed
  - Directory Services Restore Mode (DSRM) password
  - Installation CD or network location of the installation files
  - Installation of the most up-to-date service packs and

Installing Active Directory

Instructors should do the following:
- Point out that the forest root domain is the first Active Directory Domain.
- Explain that child and additional domain trees may be added to the forest root domain.
- Explain that the dcpromo.exe command will launch the AD Installation Wizard.
- Point out that the first domain controller installed will house the Flexible Single Master Operations (FSMO) roles, which are server roles that work together to ensure multimaster functionality.

- Demonstrate how to install a new Active Directory forest using the Server Manager.
- Point out that when installation is complete, the computer must be rebooted to configure the new domain controller.
- Explain the significance of verifying the correct installation and configuration of DNS.
- Explain that the administrator must verify that the following DNS items were created during installation:
  - Application directory partition
  - Aging and scavenging for zones
  - Forward lookup zones and SRV records
  - Reverse lookup zones
- Explain that it is important to know that:
  - DNS Application directory partitions were created.
  - It is necessary to be a member of the Enterprise Admin group to create or modify an application directory partition.
  - An application directory partition can be created manually if it was not created through the installation wizard.
- Point out that aging and scavenging are processes for cleaning up the DNS database after DNS records become out of date.
- Demonstrate how to configure aging and scavenging through the DNS Tool found in the Administrative Tools Folder.
- Explain that the administrator must verify that appropriate DNS records were created during the installation wizard.
- Point out that Forward Lookup Zones are used for name resolution in computer host name to IP address mappings.
- Demonstrate how to verify the creation of a Forward Lookup Zone through the Administrative Tools Folder.
- Point out that each SRV record created in Active Directory contains the following:
  - Protocol
  - Domain name
  - Time-to-live
  - Priority
  - Weight
  - Port
- Demonstrate how to verify zone and record creation using the Administrative Tools Folder.
- Explain that Dynamic Updates must be selected in order for domain controllers to register their records with DNS.

- Demonstrate how to verify that dynamic updates are selected through Active Directory Properties.
- Explain that Reverse Lookup Zones answer queries in which a client provides an IP address and DNS resolves the IP address to a host name.
- Demonstrate how to create a reverse lookup zone through the Administrative Tools Folder.

Raising Functional Levels

Instructors should do the following:
- Explain that the purpose of raising functional levels in Active Directory is to enable administrators to take advantage of more advanced features.
- Explain that domain and forest functional levels provide backward compatibility with previous versions of Windows Server.
- Point out that the key requirements for raising functional levels include knowing:
  - This is a one-way operation.
  - Each domain is handled independently.
  - The forest functional level cannot be raised until all domains in the forest are raised to a minimum of the domain functional level.
  - The administrator must be logged in as a member of the Domain Admins group to raise a domain.
  - The administrator must be logged in as a member of the Enterprise Admins group to raise the forest.
- Demonstrate how to raise the domain functional level using tools in the Administrative Tools Folder.
- Demonstrate how to raise the forest functional level using tools in the Administrative Tools Folder.
- Explain that to provide fault tolerance, a second domain controller should be added to each domain.
- Demonstrate how to add a second domain controller to the forest root domain using administrative credentials on the existing Active Directory domain.

Additional Active Directory Installation Tasks

Instructors should do the following:
- Explain that the Windows Server 2008 Server Core is an environment for running only specific services and roles.
- Point out that Server Core runs without the use of a graphical user interface (GUI).
- Demonstrate how to install Active Directory on Server Core using administrative credentials on the existing Active Directory domain.
- Explain that removing Active Directory from an Active Directory domain is done for troubleshooting purposes or to decommission older hardware.
- Demonstrate how to remove Active Directory using the administrative credentials on the existing Active Directory domain.
- Explain that a read-only domain controller (RODC) is a high-security domain controller suitable for deployment in a branch office.
- Demonstrate how to configure a read-only domain controller using administrative credentials on the domain where the RODC is to be added.
- Point out that it is possible to run a staged installation of an RODC at a central location and then permit the administrator to complete the installation.
- Demonstrate how to set up a staged installation of an RODC using the tools available in the Administrative Tools Folder.
- Demonstrate how to complete a staged installation of an RODC as the remote administrator.
- Explain that if a writable domain controller is ever compromised, it is necessary to decommission an RODC to minimize damage.
- Demonstrate how to decommission an RODC using the options available in Active Directory.
- Point out that it may be necessary to modify the Active Directory Schema to support in-house applications.
- Discuss how students should plan for changes to the Active Directory Schema by understanding that:
  - Schema extensions are replicated to all domain controllers.
  - Default system classes cannot be modified.
  - Classes and attributes added to the Schema cannot be removed.
  - Triggers will replicate the modification throughout the forest.

  - Latency should be anticipated before all domain controllers contain consistent Schema information.
- Explain that the Active Directory Schema may be extended for commercial applications manually using a snap-in.
- Demonstrate how to install the Schema management snap-in by logging in as a member of the Schema Admins group.
- Explain that Active Directory Lightweight Directory Services (AD LDS) allows directory-enabled applications to store data in the Active Directory Schema.
- Demonstrate how to configure AD LDS by logging in as a member of the local Administrators group.
- Point out that trust relationships are necessary to enable resource accessibility between domains and forests.
- Discuss the four types of trusts that can be established:
  - Shortcut trusts
  - Cross-forest trusts
  - External trusts
  - Realm trusts
- Demonstrate how to create a trust relationship by logging in as a member of the Domain Admins group on the local domain.
- Demonstrate how to verify a trust relationship using Active Directory by logging in as a member of the Domain Admins group.
- Demonstrate how to verify a trust relationship using NETDOM by logging in as a member of the Domain Admins group.
- Demonstrate how to revoke a trust relationship using Active Directory Domains and Trusts by logging in as a member of the Domain Admins group.
- Demonstrate how to revoke a trust relationship using NETDOM by logging in as a member of the Domain Admins group.
- Explain that a User Principal Name (UPN) is stored in the global catalog and is available forest-wide.
- Demonstrate how to change the default suffix for user principal names by logging in as a member of the Enterprise Admins group.

Lesson Quiz

True/False
1. The Active Directory Installation Wizard can be launched by issuing the dcpromo.exe command.
2. After installing Active Directory and DNS, one of the post-installation tasks requires creating the DNS Application Directory Partition.
3. When installing Microsoft DNS, Forward Lookup and Reverse Lookup Zones are configured by default.
4. The Server Core version of Windows Server 2008 does not utilize a GUI interface and must be administered through the Command Line.
5. Active Directory Lightweight Directory Services is designed for small branch offices that don't need the entire suite of Active Directory Services.

Multiple Choice
1. To configure DNS to automatically clean up old DNS records, you should configure:
  a) Stale Resource Record Cleanup
  b) Forward Lookup Zone Cleanup
  c) Aging/Scavenging
  d) DNS Record age limits
2. Which of the following are valid zone types that can be selected when configuring Microsoft DNS? Choose three.
  a) Stub Zone
  b) Active Directory Zone
  c) Secondary Zone
  d) Primary Zone
3. Which level of Active Directory credential is required to raise the forest functional level?
  a) Domain Administrator
  b) Forest Administrator
  c) Enterprise Administrator
  d) Any of the above
4. Which two of the choices below are unique to a Windows Server 2008 Read Only Domain Controller?
  a) Outbound only replication
  b) Locally stored password replication policy
  c) Inbound replication only
  d) Must contain all FSMO roles

5. Which of the following are types of manual trusts that can be created in a Windows Server 2008 environment? Choose all that apply.
  a) Realm trust
  b) Shortcut trust
  c) Cross-forest trust
  d) External trust

Quiz Answers

True/False
1. True.
2. False. The DNS Application Directory Partition is created automatically during the AD and DNS installation process.
3. False. Only Forward Lookup zones are configured by default.
4. True.
5. False. The AD LDS role is used primarily by developers.

Multiple Choice
1. C
2. A, C, D
3. C
4. B, C
5. A, B, C, D

Class Projects

Lesson 2 Exercise 1

Explain the items that should be verified in DNS to ensure that the Active Directory installation process has correctly configured the DNS Services. Explain what a DNS SRV record is used for. List and explain the six pieces of information stored with most SRV records.

Lesson 2 Project 1

You are a network administrator for ABC Corp. Your environment consists of three locations, one of which does not have highly skilled IT engineers and is not as secure as you would like it. There are 1,000 users spread throughout the three locations. You have been asked to set up an Active Directory environment using Windows Server
Explain how you would recommend setting up the environment. How many and what types of domain controllers would you put in each location? How would you configure DNS?

Microsoft Video Links

Windows Server 2008 R2 Quick Look Server Core
This video provides a quick overview to help you as an administrator in Windows Server 2008 R2, particularly a couple of enhancements inside Windows Server Core. Length: 5:07

Windows Server 2008 R2 Quick Look Active Directory Administrative Center
This video provides a quick look at Active Directory Administrative Center, the new administrative tool in Windows Server 2008 R2. Length: 6:25

Lesson 3: Using Active Directory Sites

Learning Goals

The goal of this lesson is to guide students through Active Directory Sites. Point out that students will learn about replication and site management.

Learning Objectives

Upon completion of this lesson, students will be able to:
- Understand Active Directory Sites
- Understand Active Directory Site replication
- Understand Active Directory Site management

Lesson Introduction

Explain that working with Microsoft Windows Server 2008 Active Directory Sites requires that students understand the purpose of sites and site replication. Students will learn the differences in replication types, how to implement a plan for management of a site, and monitoring site replication to prevent errors. Students will also learn that site replication is the tool used to sustain an efficient and consistent Active Directory environment.

Understanding Active Directory Sites

Instructors should do the following:
- Explain that replication is the process of duplicating Active Directory information between domain controllers for fault tolerance and redundancy.
- Explain that Active Directory Sites allow administrators to control replication traffic.
- Point out that Active Directory replicates through intrasite and intersite replication.
- Explain that intrasite replication is the replication of domain controllers that reside on the same Active Directory site.
- Explain that intersite replication is the replication of domain controllers that reside on different Active Directory sites.
- Explain that intersite replication is compressed to reduce bandwidth usage.

- Point out that Active Directory sites have the following characteristics:
  - Defined by IP Subnets.
  - Multiple sites are joined by site links.
  - Replication is organized by defined groups of servers.
  - Clients query the site information within DNS, at logon, to determine the domain controller to access.
  - Sites are independent of logical structure.

Understanding Replication

Instructors should do the following:
- Explain that Active Directory creates a replication topology so that all writeable domain controllers can communicate AD information with each other.
- Point out that one of the following conditions must be met for replication to occur:
  - An object is added to or removed from Active Directory.
  - The value of an attribute has changed.
  - The name of an object has changed.
- Explain that an Update Sequence Number (USN) is maintained to keep track of any changes to the domain controller.
- Point out that in addition to the USN, a Version ID with each Active Directory attribute keeps track of how many times the attribute has been changed.
- Explain that Active Directory uses the Version ID and USN as tie-breakers to determine which attributes to keep and which to discard.
- Explain that the final tie-breaker is the time stamp.
- Point out that Active Directory will designate a bridgehead server to act as a gatekeeper to supervise site-to-site replication.
- Explain that convergence describes the amount of time required for replication to occur.
- Explain that prior to Intrasite Replication, the Knowledge Consistency Checker (KCC) maps the logical network topology between domain controllers.
- Point out that the KCC will select replication partners for a domain controller and create connection objects between domain controllers and the new partner.
- Explain that linked-value replication (LVR) triggers group member replication due to changes in functional levels.

- Point out that the primary principle for KCCs is the Rule of Three, which states that no single domain controller should be more than three hops away from any domain controller that can originate a change to the Active Directory database.
- Point out that the KCC runs every 15 minutes and analyzes the best path and placement for connection objects.
- Point out that intrasite replication minimizes latency to allow for quick changes.
- Explain that the KCC creates a dual counter-rotating ring that reroutes traffic if a domain controller in the ring fails.
- Explain that domain controllers use change notification to inform one another of changes that need to be replicated.
- Point out that some operations will generate an urgent rep-

Understanding Site Management
Instructors should do the following:
- Point out that the administrator may create and manage additional sites to better control the replication traffic.
- Demonstrate how to rename the default first-site name using the Active Directory Sites and Services MMC Snap-in.
- Demonstrate how to create a new site using Active Directory Sites and Services.
- Demonstrate how to create a new subnet to correspond with any new physical segment on the network.
- Point out that Active Directory Sites must use intersite replication to enable global network communication.
- Explain that a site link is a logical, transitive connection between two sites that mirrors the routed connections between networks and allows for replication.
- Point out that one site within the Active Directory environment must run the intersite topology generator (ISTG), which enables bridgehead server selection and mapping of the topology.
- Explain that cost, schedule, and frequency control the behavior of replication traffic over a site link.
- Demonstrate how to create a new site link object through Active Directory Sites and Services.
- Explain that appropriate protocols must be selected when configuring replication.
- Point out that Remote Procedure Calls over Internet Protocol (RPC over IP) and Simple Mail Transport Protocol (SMTP) are the two possible protocols for replication.

- Explain that RPC over IP is the default protocol for all replication traffic and is commonly used to communicate with network services.
- Explain that SMTP should be used when a direct or reliable IP connection is not available and is the standard messaging protocol.
- Explain that a bridgehead server is designated to minimize the bandwidth required for intersite replications, since this is a bandwidth-intensive process.
- Explain that the administrator may select to override the default bridgehead server and create a preferred bridgehead server list.
- Demonstrate how to designate preferred bridgehead servers through Active Directory Sites and Services.
- Point out that domain controllers from different sites can communicate through the site link bridge.
- Explain that the site link bridge is enabled by default.
- Demonstrate how to disable automatic site link bridging through Active Directory Sites and Services.
- Demonstrate how to create a manual site link bridge through Active Directory Sites and Services.
- Point out that administrators may have to force or manage replication due to an Active Directory problem.
- Demonstrate how to refresh the intrasite replication topology through Active Directory Sites and Services.
- Demonstrate how to determine which server holds the ISTG (Intersite Topology Generator) role through Active Directory Sites and Services.
- Demonstrate how to force manual replication between two domain controllers, to correct errors or inconsistencies, through Active Directory Sites and Services.
- Point out that many issues can be prevented by monitoring the replication activity.
- Explain that two tools for monitoring replication are Dcdiag and Repadmin.
- Explain that the following can be accomplished with Dcdiag:
  - Perform connectivity and replication tests
  - Report DNS registration problems
  - Analyze the permissions required for replication
  - Analyze the state of domain controllers within the forest
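For the replication monitoring point above, the following added example (not part of the lesson plan) turns the CSV form of Repadmin's replication report into a list of links that need attention. The sample rows, host names and the Get-ReplicationProblem function are constructed for illustration; the 180-minute staleness threshold is taken from the intersite interval quoted in the lesson quiz, and PowerShell 2.0 or later is assumed.

```powershell
# Added example. Constructed sample rows in the column layout of
# "repadmin /showrepl * /csv". On a domain controller, use the live output:
#   $lines = repadmin /showrepl * /csv
$lines = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",HQ,DC02,RPC,0,0,2024-05-01 10:15:02,0
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",Branch,DC03,RPC,7,2024-05-01 10:00:41,2024-04-30 22:00:13,1722
showrepl_INFO,Branch,DC03,"CN=Configuration,DC=corp,DC=example",HQ,DC01,RPC,0,0,2024-05-01 10:01:10,0
'@ -split "\r?\n"

# Hypothetical helper: returns one object per replication link that has
# recorded failures or has not replicated within $MaxAgeMinutes.
function Get-ReplicationProblem {
    param(
        [Parameter(Mandatory = $true)][string[]]$CsvLines,
        [datetime]$Now = (Get-Date),
        [int]$MaxAgeMinutes = 180   # intersite default quoted in the lesson quiz
    )
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $reasons = @()

        # Rows that are not plain data rows are always surfaced.
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            $reasons += "row type $($row.showrepl_COLUMNS)"
        }

        # Any recorded failure on the link is a finding.
        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)
        if ($failures -gt 0) {
            $reasons += "$failures failed attempts, last status $($row.'Last Failure Status')"
        }

        # A link can show zero failures and still be stale, so check age too.
        $lastOk = [datetime]::MinValue
        if ([datetime]::TryParse($row.'Last Success Time', [ref]$lastOk)) {
            $age = [math]::Floor(($Now - $lastOk).TotalMinutes)
            if ($age -gt $MaxAgeMinutes) {
                $reasons += "last success $age minutes ago"
            }
        } else {
            $reasons += 'no successful replication recorded'
        }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Intersite     = ($row.'Destination DSA Site' -ne $row.'Source DSA Site')
                Problem       = ($reasons -join '; ')
            }
        }
    }
}

# Fixed clock so the constructed sample gives the same result every run.
Get-ReplicationProblem -CsvLines $lines -Now ([datetime]'2024-05-01 10:20:00') |
    Select-Object Destination, Source, Intersite, NamingContext, Problem |
    Format-List
```

Alongside this, `dcdiag /test:replications` and `repadmin /replsummary` give the per-controller test and the summary view of the same data.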

- Explain that the following can be accomplished with Repadmin:
  - View the replication topology from each domain controller
  - Manually create a replication topology
  - Force replication between domain controllers
  - View the replication metadata

Lesson Quiz

True/False
1. While intrasite replication occurs almost immediately, intersite replication occurs at a configured interval, which by default is every 180 minutes.
2. Active Directory sites replicate the logical structure of the environment and can contain only one Active Directory domain.
3. The bridgehead server in an Active Directory site receives replication updates from all domain controllers in remote sites.
4. Intrasite replication uses the Knowledge Consistency Checker (KCC) to determine replication paths.
5. In a multi-site environment, each domain controller runs the Intersite Topology Generator to determine site replication paths.

Multiple Choice
1. Active Directory sites are based on which of the following?
   a) Domain structure
   b) Forest structure
   c) IP subnets
   d) DNS naming
2. Active Directory replication occurs when all of the following occur except:
   a) The name of an object changes
   b) A client PC logs on to the domain
   c) An object is added or removed from Active Directory
   d) The value of an attribute has changed

3. What is the connection called that connects two sites and enables replication to occur?
   a) Site Bridge
   b) Transitive trust
   c) Route Path
   d) Site Link
4. Which two of the following protocols can be used for intersite replication?
   a) DNS
   b) IP
   c) SNMP
   d) IPX/SPX
5. Which two of the following tools can be used to monitor and manage Active Directory sites?
   a) Dcdiag
   b) Netdiag
   c) Nslookup
   d) Repadmin

Quiz Answers

True/False
1. True.
2. False. AD sites represent the physical structure of the environment and may contain multiple domains.
3. False. Bridgehead servers communicate only with the bridgehead server in the remote sites for replication information.
4. True.
5. False. One domain controller within each site runs the ISTG process.

Multiple Choice
1. C
2. B
3. D
4. B
5. A, D

Class Projects

Lesson 3 Exercise 1
- Explain how Active Directory keeps track of changes to the ntds.dit file and handles changes that are replicated. What three factors can be used to determine if a replicated change should be added by the receiving domain controller?
- List and explain the three attributes that should be configured when creating a site link in a multiple site environment.

Lesson 3 Project 1
Explain in detail the intrasite and intersite replication process. Include in your definition the replication protocols used, factors used to determine which replication protocol is appropriate, replication interval, how replication partners are determined, how compression is used or not used, etc.

Microsoft Video Resources

Windows Server 2008 R2 Quick Look Active Directory Administrative Center
This video provides a quick look at Active Directory Administrative Center, the new administrative tool in Windows Server 2008 R2. Length: 6:25

Windows Server 2008 R2 Quick Look System Health Report
A quick look at System Health Report, a tool in Windows Server 2008 R2 that helps you analyze your servers and provides you with prescriptive system diagnosis. Length: 4:36

Lesson 4: Using Global Catalog and Flexible Single Master Operations (FSMO) Roles
Microsoft Windows Server 2008 Active Directory Lesson Plans

Learning Goals
The goal of this lesson is to explain the important role of the global catalog server in Active Directory. Point out that students will also learn about the Flexible Single Master Operations role in Active Directory domains and forest.

Learning Objectives
Upon completion of this lesson, students will be able to:
- Understand the global catalog
- Understand Flexible Single Master Operations (FSMO) roles
- Understand site management

Lesson Introduction
Explain that Microsoft Windows Server 2008 Active Directory's global catalog and Flexible Single Master Operation (FSMO) roles are important roles in the accurate functionality of Active Directory. Students will learn about the placement of the global catalog, and how to add or remove a global catalog. Students will also learn the function of Relative Identifier, Infrastructure Master, Primary Domain Controller Emulator, Domain Naming, and Schema Master FSMO roles in the Active Directory domain and forest.

Understanding the Global Catalog
Instructors should do the following:
- Explain that the global catalog houses a subset of forestwide Active Directory objects and is a central repository of object copies.
- Point out that complete object copies and partial copies of objects from other domains within the same forest are referred to as partial attribute sets (PAS).
- Explain that by default the first domain controller installed on a forest houses the global catalog server.
- Point out that the four main functions of the global catalog are:
  - Facilitating searches for objects in the forest.
  - Resolving User Principal Names (UPN).

  - Maintaining universal group membership information.
  - Maintaining a copy of all objects in the domain.
- Explain that a universal group contains users, groups, and computers from any domain in the forest.
- Explain that when an attribute is indexed, it is stored in the PAS and replicated to all global catalogs.
- Explain that if a global catalog server is not available, then universal group memberships are stored on the local domain controller. This is called universal group membership caching.
- Point out the following benefits of universal caching:
  - Eliminates the need for a global catalog in remote locations
  - Provides better logon performance for users with cached information
  - Minimizes WAN usage for replication traffic
- Demonstrate how to enable universal group membership caching using Active Directory Sites and Services.
- Point out that the following guidelines will help the administrator determine if an additional global catalog server is needed:
  - Each site should contain a global catalog server to facilitate user logons.
  - The amount of bandwidth necessary to replicate the global catalog information should be considered.
  - The domain controller must have ample hard drive space to house the global catalog.
  - The site containing port 3268, the port used for Active Directory object searches, must also be the site containing the global catalog server.
- Demonstrate how to configure an additional global catalog server using Active Directory Sites and Services.

Understanding Flexible Single Master Operations (FSMO) Roles
Instructors should do the following:
- Explain that FSMO includes specialized roles such as schema management or adding and removing additional domains from an Active Directory forest.
- Explain that Active Directory supports a total of five FSMO roles, and their functionality is distributed among domain-wide and forest-wide FSMOs.

- Point out that the three domain-specific FSMO roles are:
  - Relative Identifier (RID) Master
  - Infrastructure Master
  - Primary Domain Controller (PDC) Master
- Explain that the Relative Identifier (RID) Master is related to the domain that it was created for and is assigned to an object at creation.
- Point out that RIDs are a part of the object's security identifier (SID).
- Explain that the Infrastructure Master is responsible for replicating changes to an object's SID or distinguished name (DN).
- Point out that the Infrastructure Master replicates changes to all domains that have a trust relationship with the source domain.
- Explain that the Primary Domain Controller (PDC) emulator is responsible for the following tasks:
  - Time management synchronization within an Active Directory Domain
  - Managing edits to Group Policy Objects
  - Managing replication of security-sensitive account replication events
- Explain that the following Active Directory time synchronization processes are used to assist in conflict resolution:
  - Client and member services within a domain will synchronize their clocks against the domain controller that authenticated them.
  - Domain controllers in each domain will synchronize their time against the PDC Emulator of their domain.
  - The PDC Emulator of each domain in the forest will synchronize its time against the PDC Emulator of the forest root domain.
  - The PDC Emulator of the forest root domain can obtain its time from the internal clock.
- Point out that the two roles in Active Directory that have forest-wide authority are:
  - Domain Naming Master
  - Schema Master
- Explain that the Domain Naming Master role is held by only one domain controller in the forest, and this role verifies the uniqueness of the name to the forest.
- Explain that the Schema Master role is the manager for all schema modifications that take place in the Active Directory.

- Point out that the following should be considered when determining the locations for the FSMO role:
  - Number of domains that will be part of the domain
  - Physical structure of the network
  - Number of domain controllers that will be available on each domain
- Point out that the two attributes used to describe a domain controller are:
  - Highly available
  - High capacity
- Explain that highly available domain controllers are centrally located and contain additional hardware to keep the controller functioning properly.
- Explain that high-capacity domain controllers have great processing ability and more memory, and are available through faster network access.
- Point out that the two techniques used to manage FSMO role outages are:
  - Role transfer
  - Role seizure
- Explain that role transfer occurs when the FSMO is moved from one domain controller to another.
- Explain that role seizure occurs when a forced transfer of FSMO from one domain controller to another occurs due to failure.
- Demonstrate how to view the RID Master, PDC Emulator, or Infrastructure Master FSMO Role holders using the Active Directory Users and Computers MMC Snap-in.
- Demonstrate how to view the Domain Naming Master FSMO Role holder through Active Directory Domains and Trusts.
- Demonstrate how to view the Schema Master FSMO Role holder through the Active Directory Schema Snap-in.
- Demonstrate how to transfer the RID Master, PDC Emulator, or Infrastructure Master FSMO Role through the Active Directory Users and Computers MMC Snap-in.
- Demonstrate how to transfer the Domain Naming Master FSMO Role through the Active Directory Domains and Trusts snap-in.
- Demonstrate how to transfer the Schema Master FSMO Role through the Active Directory Schema Snap-in.
- Demonstrate how to seize an FSMO Role through the command prompt.
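As a command-line counterpart to the snap-in demonstrations above, this added example (not part of the lesson plan) reads the five role holders from `netdom query fsmo` output, labels each with the domain-wide or forest-wide scope taught in this lesson, and checks the placement the lesson quiz treats as best practice (PDC Emulator and RID Master on the same domain controller). The sample output, host names and function names are constructed for illustration; PowerShell 2.0 or later is assumed.

```powershell
# Added example. Constructed sample in the layout printed by "netdom query fsmo".
# On a domain-joined machine, use the live output:  $lines = netdom query fsmo
$lines = @'
Schema master               DC01.corp.example
Domain naming master        DC01.corp.example
PDC                         DC02.corp.example
RID pool manager            DC03.corp.example
Infrastructure master       DC02.corp.example
The command completed successfully.
'@ -split "\r?\n"

# netdom's labels mapped to the role names and scopes used in the lesson.
$roleInfo = @{
    'Schema master'         = @{ Role = 'Schema Master';         Scope = 'Forest' }
    'Domain naming master'  = @{ Role = 'Domain Naming Master';  Scope = 'Forest' }
    'PDC'                   = @{ Role = 'PDC Emulator';          Scope = 'Domain' }
    'RID pool manager'      = @{ Role = 'RID Master';            Scope = 'Domain' }
    'Infrastructure master' = @{ Role = 'Infrastructure Master'; Scope = 'Domain' }
}

# Hypothetical helper: one object per role line found in the netdom output.
function Get-FsmoHolder {
    param([Parameter(Mandatory = $true)][string[]]$NetdomLines)
    foreach ($line in $NetdomLines) {
        foreach ($label in $roleInfo.Keys) {
            $pattern = '^' + [regex]::Escape($label) + '\s+(\S+)\s*$'
            if ($line -match $pattern) {
                New-Object PSObject -Property @{
                    Role   = $roleInfo[$label].Role
                    Scope  = $roleInfo[$label].Scope
                    Holder = $Matches[1].ToLower()
                }
            }
        }
    }
}

# Hypothetical helper: returns findings as strings, nothing when all checks pass.
function Test-FsmoPlacement {
    param([object[]]$Holders)
    $findings = @()

    # Every role must have exactly one holder in its domain or forest.
    foreach ($label in $roleInfo.Keys) {
        $name  = $roleInfo[$label].Role
        $count = @($Holders | Where-Object { $_.Role -eq $name }).Count
        if ($count -ne 1) {
            $findings += ('{0}: expected one holder, found {1}' -f $name, $count)
        }
    }

    # Placement check from the lesson quiz: PDC Emulator and RID Master together.
    $pdc = $Holders | Where-Object { $_.Role -eq 'PDC Emulator' }
    $rid = $Holders | Where-Object { $_.Role -eq 'RID Master' }
    if ($pdc -and $rid -and ($pdc.Holder -ne $rid.Holder)) {
        $findings += "PDC Emulator ($($pdc.Holder)) and RID Master ($($rid.Holder)) are on different domain controllers"
    }
    $findings
}

$holders = Get-FsmoHolder -NetdomLines $lines
$holders | Sort-Object Scope, Role | Format-Table Scope, Role, Holder -AutoSize
Test-FsmoPlacement -Holders $holders

# Seizure is done interactively in ntdsutil at the command prompt, for example:
#   ntdsutil, roles, connections, connect to server <surviving DC>, quit,
#   seize RID master
# Record the holders with the report above before and after any transfer or seizure.
```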

Lesson Quiz

True/False
1. A global catalog server will contain a complete copy of its Domain NC, but not information about other domains in the forest.
2. For redundancy, it is recommended that each domain have at least two RID Masters.
3. If a user object, John Doe, is deleted and then re-created later exactly as it was before being deleted, it will receive the same GUID as the original John Doe.
4. The Domain Naming Master is a domain-specific FSMO role that has responsibility for ensuring that all names within a domain are unique.
5. If the RID Master fails, the failure will not be visible until the domain controller runs out of RIDs that were previously assigned by the RID Master.

Multiple Choice
1. What feature of Windows Server 2008 can allow remote members of Universal groups to log on to the domain when a local global catalog server is not available?
   a) Two-way transitive trusts between domains
   b) Local cached credentials
   c) Universal Group Caching
   d) RID Master
2. Which three of the following FSMO roles are domain specific?
   a) Relative Identifier (RID) Master
   b) Schema Master
   c) Primary Domain Controller (PDC) Emulator
   d) Infrastructure Master
3. Which two of the following five FSMO roles have forestwide authority?
   a) Domain Naming Master
   b) RID Master
   c) Schema Master
   d) Infrastructure Master

4. It's considered a best practice to run which two of the following FSMO roles on the same domain controller?
   a) Schema Master
   b) PDC Emulator
   c) Domain Name Master
   d) RID Master
5. Which of the following procedures would be used to recover from a domain controller failure when the domain controller was running one or more of the FSMO roles?
   a) Role Seizure
   b) Role Transfer
   c) Role Migration
   d) Role Failover

Quiz Answers

True/False
1. False. A global catalog server contains a complete copy of its domain NC and a partial attribute set for all other domains in the forest.
2. False. There can only be one RID Master per domain.
3. False. When an object is deleted, the GUID will never be used again.
4. False. The Domain Naming Master is a forest-wide FSMO role that is responsible for the creation of domains, domain trees, and application data partitions.
5. True.

Multiple Choice
1. C
2. A, C, D
3. A, C
4. B, D
5. A

Class Projects

Lesson 4 Exercise 1
- List and explain the four primary functions of a global catalog server.

- List and explain the five FSMO roles in a Windows Server 2008 forest. Explain which FSMO roles are domain specific and which are forest wide.

Lesson 4 Project 1
You are the Active Directory administrator for a multi-domain Active Directory forest with five locations. What factors should you consider when determining the placement and number of global catalog servers? What factors should you consider when determining where to place the FSMO roles?

Microsoft Video Resources

Active Directory Domain Services in Microsoft Windows Server 2008
Demonstrates new features and enhancements that are focused around the fundamentals: improved security, reliability, performance, reduced operational complexity, and increased deployment flexibility. This session presents the Windows Server 2008 features in Active Directory. Length: 48:06

Lesson 5: Administration of Active Directory
Microsoft Windows Server 2008 Active Directory Lesson Plans

Learning Goals
The goal of this lesson is to explain the management of users and groups in Active Directory. Point out that students will also learn how to configure and manage these accounts.

Learning Objectives
Upon completion of this lesson, students will be able to:
- Understand user accounts
- Understand group accounts
- Understand special identity groups and local groups
- Develop a group implementation plan

Lesson Introduction
Explain that Microsoft Windows Server 2008 Active Directory Domain Services tasks include the administration of users and groups to enable network access. Students will learn the details of users and group accounts. Students will also learn about special identity groups and local groups. The task of creating a group implementation plan will be discussed and demonstrated during this lesson.

Understanding User Accounts
Instructors should do the following:
- Explain that the user account in Active Directory is used to provide access to resources.
- Point out that authentication verifies a user's identity through Active Directory.
- Explain that there are three types of user accounts in Windows Server 2008:
  - Local accounts
  - Domain accounts
  - Built-in user accounts
- Point out that a local account can access the local computer only and is stored in the Security Account Manager database on the local computer.
- Point out that domain accounts are used to access Active Directory resources or other network resources. This account information is stored in Active Directory.
- Point out that built-in user accounts are automatically created at the installation of Microsoft Windows Server 2008.

- Explain that a built-in administrator account has full control of files and management on the local computer.
- Point out the following built-in administrator account guidelines that should be considered:
  - Rename the administrator account.
  - Set a strong password.
  - Limit knowledge of administrator passwords to only a few individuals.
  - Do not use the administrator account for daily nonadministrative tasks.
- Explain that Windows Server 2008 provides a built-in guest account that may be used for temporary network access.
- Point out the following built-in guest account guidelines that should be considered:
  - Rename the guest account after enabling it for use.
  - Set a strong password.

Understanding Group Accounts
Instructors should do the following:
- Explain that groups are used in Windows Server 2008 to make network permissions more manageable.
- Point out that groups enable the administrator to apply a set of permissions to multiple users.
- Explain that an access token is created at logon for each user. These tokens identify users and their appropriate permissions.
- Point out that a user may be a member of more than one group, which is called group nesting.
- Point out that when users are a member of one group and that group becomes a member of another group, they are automatically given the new group's permissions. This is called nested membership.
- Explain that two characteristics that define a group are group type and group scope.
- Point out that group type determines how a group is used in Active Directory, and the two group types that are stored in an Active Directory database are:
  - Distribution groups
  - Security groups
- Explain that distribution groups are used for the distribution of information.
- Explain that security groups are used for granting access permissions for resources.

- Explain that group scope controls the objects that can be contained in a group.
- Point out that group scopes for Active Directory are:
  - Domain local groups
  - Global groups
  - Universal groups
- Explain that domain local groups include user accounts, computer accounts, global groups, and universal groups for the same domain.
- Explain that global groups include user accounts, computer accounts, global groups, and universal groups for the same domain as a global group.
- Explain that universal groups include user accounts, computer accounts, global groups, and universal groups for anywhere in the forest.
- Point out that group nesting refers to groups that are added as members of other groups.
- Explain that built-in security groups are created when Windows Server 2008 Active Directory is installed with a set of predefined network related tasks.
- Demonstrate how to view groups using the Active Directory Users and Computers Snap-in.

Understanding Special Identity Groups and Local Groups
Instructors should do the following:
- Explain that administrators cannot modify the memberships of, or view the membership list of, users in special identity groups.
- Explain that a local group is a group of users who are specific to one local machine.
- Point out that the Everyone group is a special identity group that contains all authenticated users.

Developing a Group Implementation Plan
Instructors should do the following:
- Explain that a group implementation plan should be developed to accommodate changes within the organization.
- Point out that group implementation plans should include the following:
  - Who has the ability and responsibility to create, delete, and manage groups
  - How domain local and universal groups are to be used
  - A policy that states guidelines for creating new groups and deleting old groups
  - Naming standards document to keep group names consistent
  - Standards for group nesting
- Point out that the creation of Active Directory objects is a common task for administrators.
- Explain that the following are the commonly used methods for creating multiple users and groups:
  - Batch files
  - Comma-Separated Value Directory Exchange (CSVDE)
  - LDAP Data Interchange Format Directory Exchange (LDIFDE)
  - Windows Script Host (WSH)
- Demonstrate how to create users, computers, and groups using Windows Server 2008 local administrator credentials.
- Demonstrate how to create users, computers, and groups using Windows Server 2008 domain administrator credentials.
- Point out that batch files can be created using a text editor.
- Explain that batch files may be created, deleted, viewed, or modified using the Dsadd command at the Windows Server 2008 command line.
- Explain that Comma-Separated Value (CSV) files may be used to import and export information from Microsoft Excel or Exchange to the Active Directory Database.
- Explain that the LDIFDE utility provides the ability to modify existing records in Active Directory.
- Explain that the Windows Scripting Host (WSH) offers the flexibility to run scripts from a Windows interface or a command prompt.
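For the bulk-creation methods listed above, this added example (not part of the lesson plan) builds an LDIFDE import file from a roster, with the input checks that keep a roster field from altering the distinguished name or adding lines to the LDIF. The roster, OU and domain names, and the function names are constructed for illustration; ASCII-only names and PowerShell 2.0 or later are assumed.

```powershell
# Added example. Constructed roster; OU and domain names are placeholders.
$roster = @'
GivenName,Surname,SamAccountName,OU
Ana,Ruiz,aruiz,"OU=Sales,DC=corp,DC=example"
"Lee, Jr.",Wong,lwong,"OU=IT,DC=corp,DC=example"
'@ -split "\r?\n" | ConvertFrom-Csv

# Hypothetical helper: escape characters that are special inside a DN value,
# so "Lee, Jr. Wong" stays one CN instead of splitting the DN at the comma.
function ConvertTo-DnValue {
    param([string]$Value)
    $v = $Value -replace '([,+"\\<>;=])', '\$1'
    $v = $v -replace '^([# ])', '\$1'
    $v -replace ' $', '\ '
}

# Hypothetical helper: reject values that would need base64 LDIF encoding or
# that carry control characters (a line break would add extra LDIF lines).
function Assert-LdifSafe {
    param([string]$Name, [string]$Value)
    if ($Value -match '[^\x20-\x7e]') {
        throw "$Name contains control or non-ASCII characters"
    }
    if ($Value -match '^[ :<]' -or $Value -eq '') {
        throw "$Name is empty or starts with a character LDIF treats specially"
    }
}

# Hypothetical helper: one LDIF "add" record per roster row.
function ConvertTo-LdifUser {
    param($Row, [string]$UpnSuffix)
    foreach ($field in 'GivenName', 'Surname', 'SamAccountName', 'OU') {
        Assert-LdifSafe -Name $field -Value $Row.$field
    }
    # sAMAccountName for users: at most 20 characters, none of "/\[]:;|=,+*?<>
    if ($Row.SamAccountName -notmatch '^[^"/\\\[\]:;|=,+*?<>]{1,20}$') {
        throw "Invalid SamAccountName: $($Row.SamAccountName)"
    }
    $cn = "$($Row.GivenName) $($Row.Surname)"
    @(
        "dn: CN=$(ConvertTo-DnValue $cn),$($Row.OU)"
        'changetype: add'
        'objectClass: user'
        "sAMAccountName: $($Row.SamAccountName)"
        "userPrincipalName: $($Row.SamAccountName)@$UpnSuffix"
        "displayName: $cn"
        # 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2): the account is
        # imported disabled and is enabled only after a password has been set.
        'userAccountControl: 514'
        ''
    ) -join "`r`n"
}

$ldif = ($roster | ForEach-Object { ConvertTo-LdifUser -Row $_ -UpnSuffix 'corp.example' }) -join "`r`n"
$ldif

# To import on a domain controller, save and load the file:
#   $ldif | Set-Content -Encoding ASCII users.ldf
#   ldifde -i -f users.ldf
```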

Lesson Quiz

True/False
1. Microsoft Best Practice recommends deleting the guest account for security reasons.
2. Distribution groups are used to assign permissions.
3. The Dsadd command can be used in a batch file to create bulk user accounts.
4. Group nesting refers to adding users to multiple security groups.
5. Domain Local Groups can be used to grant permissions to resources on any computer that is joined to the Active Directory Domain.

Multiple Choice
1. What are the three types of user accounts in Active Directory?
   a) Built-in user accounts
   b) Special Identity user accounts
   c) Local user accounts
   d) Domain user accounts
2. Windows Server 2008 utilizes which two of the following group types?
   a) Distribution group
   b) Global group
   c) Security group
   d) Local group
3. Active Directory in Windows Server 2008 supports which three of the following group scopes?
   a) Domain Local group
   b) Distribution group
   c) Global group
   d) Universal groups
4. Windows Server 2008 offers several tools for managing or creating bulk objects in Active Directory. Which of the tools listed below provides the ability to add, modify, and delete Active Directory Objects?
   a) LDIFDE
   b) Batch files
   c) CSVDE
   d) WSH

5. Which of the following groups is disabled by default?
   a) Anonymous users
   b) Guest
   c) Administrators
   d) Everyone

Quiz Answers

True/False
1. False. The Guest account, like the Administrator account, cannot be deleted. It's considered a best practice to rename the Guest account.
2. False. Security groups are used to assign permissions.
3. True.
4. False.
5. True.

Multiple Choice
1. A, C, D
2. A, C
3. A, C, D
4. A
5. B

Class Projects

Lesson 5 Exercise 1
- List and explain four best practices for securing a local or domain security account.
- Explain what is meant by group nesting. What is meant by the acronym AGUDLP?

Lesson 5 Project 1
- Explain how Active Directory uses default groups. Explain when each of the following groups is created and how users become members.
  - Account Operators
  - Administrators
  - Guest
  - DHCP Administrators
  - Domain Users
- Explain how special identity groups are used in Windows Server. How do users become members of a special identity group? How do you view the members of a special identity group?

Microsoft Video Resources

Provide users with seamless corporate network access from anywhere with Windows 7, Windows Server 2008 R2, and DirectAccess
Remote users? Mobile users? People working from home, from the coffee shop, from the airport? How do you provide them with secure connections that are easy to use and deploy while still maintaining the integrity of your network? Windows 7 and Windows Server 2008 R2 provide the answer with DirectAccess. This video presents a walk-through of the configuration of DirectAccess and discusses the requirements for deploying it in your network. Length: 30:30

Allowing External Users to Manage IIS7 Web Applications
Web servers often need remote administration by an external consultant. Many companies outsource web development activities and as a result, they need to grant external users access to manage both content and configuration on their web servers. IIS 7 includes a new management service which addresses this need, and TS RemoteApp provides a secure way to make management tools available outside the firewall. This demo shows how you can configure the management service, work with feature delegation, and connect to IIS Manager from outside the firewall using TS RemoteApp. Length: 10:16

Use Group Policy in Windows Vista and Windows Server 2008
An examination of the improvements and changes in Group Policy management in Windows Vista and Windows Server. Includes a look at the new format of Group Policy templates, the central store, and multiple local group policies, then drills down into device management using Group Policy. Length: 18:06

Using Group Policy with Windows and Windows Server 2008
A scenario-based walk-through using a series of demonstrations to offer an in-depth understanding of new and enhanced Group Policy functions in Windows Vista, as well as plans for the Windows Server 2008 timeframe. This session showcases Windows Vista as a Windows Vista Group Policy administrative workstation. Learn about new Group Policy features in Windows Vista, including the new format and functionality of Administrative Template (ADMX) files (and interop with legacy ADM files), the ADMX central store, improved awareness of changing network conditions, using multiple local Group Policy Objects (MLGPOs), and Group Policy Management Console (GPMC) integration into the operating system. Demos include using the new event viewer ("Crimson"), along with showcasing a selection of the hundreds of new policy settings delivered with Windows Vista. Finally, we provide an introduction to the products acquired from DesktopStandard and discuss their future availability and roadmap. Length: 60:03

Lesson 6: Security Planning and Administrative Delegation of Active Directory
Microsoft Windows Server 2008 Active Directory Lesson Plans

Learning Goals
The goal of this lesson is to explain that creating a secure Active Directory environment is a critical responsibility of the administrator. Point out that students will also learn the tasks of creating and working with organizational units as well as delegating administrative control of resources.

Learning Objectives
Upon completion of this lesson, students will be able to:
- Implement Account Security
- Plan an organizational unit strategy

Lesson Introduction
Explain that Microsoft Windows Server 2008 Active Directory requires that all accounts access the network through a secure password. Discuss with students the importance of having an organizational policy for user name and password creation. Explain to students that securing the administrative side of Active Directory is necessary to prevent hackers from gaining unauthorized access to the network. Describe how organizational units are used to secure administrative resources.

Implementing Account Security
Instructors should do the following:
- Explain that user account security is an important aspect of a secure network.
- Point out that the network administrator will create guidelines for the user name scheme, and it is extremely important that the organization strictly follow the guidelines.
- Explain that Windows Server 2008 requires that all user accounts be accompanied with a secure password.
- Explain that a password is an alphanumeric sequence of characters that must accompany the user name to gain access to network resources.
- Point out the following best practices for protecting your password:
  - Keep documented password in a secure location.
  - Do not share your password with anyone.

  - Do not save passwords to your computer to enable easy access.
  - Always use suggested standards for strong, secure passwords.
- Explain that a strong password is a password that is created with a secure combination of characters and length to make it difficult for a hacker to discover.
- Point out that password-cracking is any attempt to discover another user's password.
- Explain that dictionary attacks are automated password cracking tools used to attempt every combination of a set of characters to crack a password.
- Explain that strong passwords include the following characteristics:
  - Minimum of eight characters in length
  - Contains at least one uppercase and one lowercase letter, one numeral, and one non-alphabetic character
  - Differs significantly from previous passwords
- Explain that securing the administrator password is critical, since a hacker with access to the administrator password can do extensive damage.
- Point out that using the Run as Administrator option through a standard user account is the preferred method for performing administrative tasks and reducing risk.
- Demonstrate how to use Run as from the GUI while logged in as a Windows Server 2008 member.
- Demonstrate how to use Run as from the command line while logged in as a domain administrator.

Planning an Organizational Unit Strategy
Instructors should do the following:
- Explain that organizational units (OUs) can include the Active Directory objects.
- Explain that OUs can be created to represent the company's functional foundation.
- Point out that organizational units are created for the following reasons:
  - They represent the functional and geographical model of the company and its resources.
  - They delegate administrative control over a container's resources to lower-level or branch office administrators.
  - They apply consistent configurations across the organization for group policy.

45 Explain that OUs can be nested to create a solid structure, but nesting should be done with careful planning and caution. Point out that delegating authority at the OU level will allow access only to the OU and its hierarchy. Explain that the Delegation of Control Wizard is a simple interface to delegate permissions. Demonstrate how to delegate administrative control of an OU through Active Directory Users and Computers. Demonstrate how to verify and remove delegated permissions using Active Directory Users and Computers. Explain that objects may be moved between OUs for administrative or business purposes. Point out that the Drag-and-Drop method or move menu options may be used in the Active Directory Users and Computers window. Demonstrate how to move an object between OUs using Drag-and-Drop in the Active Directory Users and Computers window. Demonstrate how to move an object between OUs using the move option in the Active Directory Users and Computers window. Lesson Quiz True/False 1. A default configuration of Active Directory in Windows Server 2008 allows for user accounts with no password to log on to the domain. 2. A dictionary attack is an attempt to hack a computer by trying all combinations of characters. 3. Organizational units are units in Active Directory that cannot be nested. 4. Organizational units are most often used in a decentralized administration model. 5. When an object is moved from one OU to another, OU permissions that were assigned directly to the object will remain the same.

46 Multiple Choice 1. Which of the following should be included when configuring a strong password policy? Choose all that apply. a) Enforce minimum password length b) Set a minimum password age c) Set password history d) Require multiple types of characters 2. Microsoft best practices require strong passwords to have which three of the following characteristics? a) At least six characters in length b) Contain at least three of the following: uppercase letters, lowercase letters, numbers, and non-alphabetic characters c) Differ from previously used passwords d) Not contain your username 3. Which two of the following commands allow a user logged on with a standard user account to perform administrative functions? a) Run As Administrator (Command Line) b) Run as (GUI) c) Run as Administrator (GUI) d) Run as (Command Line) 4. Which two of the following can be used to move objects between organizational units in Active Directory? a) Copy and paste b) Drag and drop c) Move d) Delete and recreate 5. Which Windows Server 2008 services must be started in order for the Run as or Run as Administrator service to function? a) Logon service b) Run as service c) Authentication service d) Secondary Logon service

47 Quiz Answers True/False 1. False. Windows Server 2008 requires that user accounts have passwords. 2. True. 3. False. OUs can be nested. 4. True. 5. True. Multiple Choice 1. A, B, C, D 2. B, C, D 3. C, D 4. B, C 5. D Class Projects Lesson 6 Exercise 1 Describe the components of strong password policy that meets Microsoft best practices. Lesson 6 Project 1 Explain why an administrator would need to create and use organizational units in Active Directory. What advantages do organizational units offer that security groups do not? Microsoft Video Resources Windows Server 2008 Read-Only Domain Controllers Password Replication Policies Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). This video provides a look at the password replication policies that are used to control credentials stored on RODCs. Length: 4:58

48 Securing Branch Office User Accounts In this demo you will see several ways that user accounts in a branch office can be secured. Branch offices traditionally are places of high risk for domain controllers. Placing domain controllers in branch offices is good for functionality and productivity, but bad for security. This demo shows how you can place a domain controller in a branch office and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal. Length: 12:08

49 Lesson 7: An Introduction to Group Policy Learning Goals: The goal of this lesson is to explain the basics of Group Policy Objects. Point out that students will also learn to use the Group Policy Management Console to configure Group Policy settings. Learning Objectives Upon completion of this lesson, students will be able to understand: The basics of Group Policy. Group Policy architecture. Configuring Group Policy. Lesson Introduction Explain that Microsoft Windows Server 2008 Active Directory uses Group Policy to control settings across the network. Students will learn to describe the Group Policy Container and Group Policy Templates. Students will also learn to use the Group Policy Management Console to configure Group Policy settings. The Basics of Group Policy Instructors should do the following: Explain that Group Policy is used to control settings across the network. Point out that the following can be managed using Group Policy: Registration-based policies Software installation policies Folder redirection Offline file storage Scripts Windows Deployment Services (WDS) Explain that Group Policies can be linked to sites, domains, or OUs and apply the settings to all users and computers within these Active Directory containers. Point out that Security Group filtering allows for Group Policy Objects to be applied to one or more groups within a container.

50 Explain that the benefits of Group Policy can be measured in return on investment and total cost of ownership. Explain that user benefits include: Users can access files, even when the network is not available. User environments can be created to look consistent throughout the network. User files can be redirected to server locations for backup purposes. Applications can be maintained automatically. Explain that administrative benefits include: Administrators have control over centralized configuration. Automatic application repairs are available. Centralized administration of user files. Rapid deployment of new settings for group policy. Group Policy Architecture Instructors should do the following: Explain that Group Policy Objects (GPO) contain all of the Group Policy settings within a site, domain, or OU. Point out that the GPO must be associated with the container to which it is applied. Explain that there are three types of GPOs: Local GPOs Domain GPOs Starter GPOs Explain that the following are characteristics of a local GPO: They contain fewer options. Fewer security settings are available. When local and nonlocal GPOs have a conflict, the local GPO is overwritten by the nonlocal GPO. Point out that the container for the nonlocal GPO is stored in the following two locations: Group Policy Container (GPC) Group Policy Template (GPT) Explain that the Group Policy Container (GPC) is an Active Directory object that stores the properties of the GPO. Explain that the GPT is stored in the Policies subfolder and stores policy settings, security settings, and script files. Point out that the Group Policy Container (GPC) includes sub-containers that hold the GPC policy information.

51 Demonstrate how to view the Group Policy Container using Active Directory Users and Computers. Explain that the Group Policy Templates folder is created and contains all of the policy's settings and information. Point out that the Group Policy Management Console is a snap-in used to create and modify Group Policies and their settings. Demonstrate how to create and link a GPO to an OU using the command prompt. Explain that GPO inheritance is when the group policy is applied to all domains on a site that contains multiple domains. Configuring Group Policy Instructors should do the following: Explain that configuring Group Policy enables you to customize the configuration of a user's desktop, environment, and security settings. Point out that the Group Policy settings are divided into two categories: Computer configuration User configuration Explain that the computer and user configuration contain three sub-nodes or extensions, in order to further organize the group. Point out that the three sub-nodes are: Software settings Windows settings Administrative templates Explain that Group Policy processing depends upon the order in which the policies are applied. Point out that policies affect the containers that they are linked to in the following ways: Site-linked policies affect all domains within a site. Domain-linked policies affect all users and computers within a domain. OU-linked policies affect all objects within the OU. Explain that policies are processed in the following order: Local policies Site policies Domain policies OU policies Point out that domains, sites, and OUs can have multiple group policies linked to them.

52 Explain that policies can be applied to containers and the user and computer objects that reside in them. Discuss the steps necessary to implement settings for an assigned GPO to a computer. Point out that the exceptions to Group Policy are to allow greater control and flexibility over the final settings. Point out that exceptions in Group Policy include: Enforcement Block Policy Inheritance Loopback Processing Lesson Quiz True/False 1. Security group filtering allows administrators to apply Group Policy settings to one or more security groups within a container. 2. By default, settings in a local GPO will override settings from nonlocal GPOs. 3. The Group Policy Management Console divides Group Policy settings into two subcategories: Computer Configuration and User Configuration. 4. Group Policy Objects that are linked at the domain level must also be linked at the OU level if you would like the GP setting to affect objects contained in the OU. 5. Group policy settings are applied to a computer on startup in an asynchronous manner. Multiple Choice 1. Group Policy settings can be linked to which three of the following? a) Site b) Group c) Organizational Unit d) Domain 2. Which three of the following are valid types of Group Policy Objects? a) Starter GPO b) Local GPO c) Universal GPO d) Domain GPO

53 3. Which two of the following default Group Policy objects are created when Active Directory is installed? a) Default Computer Policy b) Default User Policy c) Default Domain Policy d) Default Domain Controller Policy 4. Which of the following are valid exception configuration settings for Group Policy processing? a) Apply all b) Block Policy Inheritance c) Loopback Processing d) Enforce 5. Which Windows Server 2008 Group Policy feature allows administrators to automatically install an operating system to a workstation? a) Software Installation Services b) Windows Deployment Services c) RIS d) GHOST Quiz Answers True/False 1. True. 2. False. Nonlocal GPO settings are domain settings, and override local GPO settings. 3. True. 4. False. Group settings linked at the domain level will affect all objects within the domain, including objects located in an OU. 5. False. Group policy settings are applied to a computer synchronously at startup. Multiple Choice 1. A, C, D 2. A, B, D 3. C, D 4. B, C, D 5. B

54 Class Projects Lesson 7 Exercise 1 List and explain eight managed settings that can be defined using Group Policy. List and explain the three sub-nodes that are available for configuration under the user configuration and computer configuration areas of the Group Policy Management Console. Lesson 7 Project 1 Explain in what order GPOs are applied. How are conflicting settings handled? Microsoft Video Resources Windows Server 2008 Read-Only Domain Controllers Password Replication Policies Show the class the information in this video and explain that the video takes a look at the password replication policies that are used to control credentials stored on RODCs. Securing Branch Office User Accounts Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal.
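The processing order from Lesson 7 (local, site, domain, OU) and two of its exceptions, Enforcement and Block Policy Inheritance, can be modelled in a few lines. The following Python sketch is an added example, not part of the lesson plan or any Microsoft tool; the GPO names, container names and setting names are constructed, and each container's links are assumed to be listed in processing order (last one wins). Loopback processing is not modelled.

```python
"""Model of Group Policy precedence: local, site, domain, OU, plus the
Enforcement and Block Policy Inheritance exceptions. All names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Link:
    gpo: str                # GPO display name (constructed)
    settings: dict          # setting name -> configured value
    enforced: bool = False  # the link has Enforced set


@dataclass
class Container:
    name: str                                  # site, domain or OU
    links: list = field(default_factory=list)  # processing order: last one wins
    block_inheritance: bool = False


def resultant_set(local_settings, path):
    """Return {setting: (value, winning GPO)} for an object whose containers,
    from the site down to its own OU, are listed in `path`."""
    # Block Policy Inheritance stops non-enforced links from every container
    # above the blocking one; the blocker closest to the object decides.
    first_inherited = 0
    for i, container in enumerate(path):
        if container.block_inheritance:
            first_inherited = i

    # The local GPO is processed first, so any nonlocal GPO can overwrite it.
    result = {k: (v, "Local GPO") for k, v in local_settings.items()}

    # Pass 1: normal links, top-down, so the container closest to the object wins.
    for i, container in enumerate(path):
        for link in container.links:
            if link.enforced or i < first_inherited:
                continue
            for key, value in link.settings.items():
                result[key] = (value, link.gpo)

    # Pass 2: enforced links, bottom-up, so the highest enforced link is written
    # last and nothing linked lower down can override it.
    for container in reversed(path):
        for link in container.links:
            if link.enforced:
                for key, value in link.settings.items():
                    result[key] = (value, link.gpo)
    return result


LOCAL = {"wallpaper": "default.bmp", "proxy": "none"}  # constructed local GPO


def sample_path(block_kiosks):
    """Constructed hierarchy: site -> domain -> OU=Branch -> OU=Kiosks."""
    return [
        Container("Site-HQ", [Link("Site Proxy", {"proxy": "hq-proxy"})]),
        Container("corp.example", [
            Link("Default Domain Policy",
                 {"control_panel": "hidden", "screensaver_lock": 900}),
            Link("Security Baseline",
                 {"screensaver_lock": 600, "usb_storage": "deny"}, enforced=True),
        ]),
        Container("OU=Branch", [
            Link("Branch Desktop",
                 {"wallpaper": "branch.bmp", "screensaver_lock": 1800}),
        ]),
        Container("OU=Kiosks", [
            Link("Kiosk Lockdown",
                 {"wallpaper": "kiosk.bmp", "usb_storage": "allow"}),
        ], block_inheritance=block_kiosks),
    ]


if __name__ == "__main__":
    for block in (False, True):
        print(f"Block Policy Inheritance on OU=Kiosks: {block}")
        rsop = resultant_set(LOCAL, sample_path(block))
        for key, (value, gpo) in sorted(rsop.items()):
            print(f"  {key:18} = {value!s:12} (from {gpo})")
```

In both runs the enforced Security Baseline keeps its two settings, which is the point of Enforcement: blocking inheritance on the kiosk OU removes the site and domain defaults but not the enforced link.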

55 Lesson 8: Configuring Users and Groups using Group Policy Learning Goals: The goal of this lesson is to explain how configuring Group Policy Objects is necessary for maintaining and securing the user and computer environments. Point out that students will learn more about using group policies to manage the use of computers and control users. Learning Objectives Upon completion of this lesson, students will be able to understand: Configuring security policies with Group Policy. Planning and configuring other policies. Lesson Introduction Explain that Microsoft Windows Server 2008 Active Directory uses Group Policy to control settings across the network as well as controlling users and computers on the network. Students will learn to control environments using account policies and audit policies. Configuring Security Policies Using Group Policy Instructors should do the following: Explain that Group Policy is used for centralized management of security settings. Point out that security settings govern: How users and computers are authenticated to the network How resources are allocated Group membership policies How user and group activities are recorded in event logs Point out that the security settings applied in the policies node include public key policies and software restriction policies. Explain that account policies dictate how a user interacts with a computer or a domain. Explain that fine-grained password policies (FGPP) can be used to override the domain-wide policy and can be applied to multiple users and computers or groups.

56 Point out that the three subcategories found within account policies for security settings are: Password policies Account lockout policies Kerberos policies Demonstrate how to define a domain-wide account policy using Group Policy Management Console. Demonstrate how to configure a domain-wide account lockout policy using Group Policy Management Console. Point out that in order to enable FGPP, the Password Settings Object (PSO) must be configured. Explain that one or more PSOs may be created within a domain. Explain that in domain accounts, the Kerberos policy allows settings to be configured for Active Directory authentication functions. Point out that Kerberos is a default mechanism for authenticating domain users in Windows Server Demonstrate how to configure the Kerberos policy using Group Policy Management Console. Planning and Configuring Other Policies Instructors should do the following: Explain that local policies allow administrators to set user privileges on the local computer that govern what users can do on that computer. Explain that auditing allows administrators to track events that take place on a local computer and are important parts of monitoring and managing activities. Point out that local policy settings in GPOs have three subcategories: User rights assignment Security options Audit policy Explain that user rights assignment is extensive and includes settings for items that pertain to rights needed by users to perform system-related tasks. Explain that the security options category includes security settings related to interactive logon, digital signing of data, restrictions of access to some storage devices, unsigned driver installation behavior, and logon dialog box behavior. Discuss that an audit policy allows administrators to log both successful and failed security events.

57 Explain that auditing is used to track user activities and system activities. Point out the following guidelines to help in planning an audit policy: Audit only pertinent items Archive security logs to provide a documented history Configure the size of your security logs carefully Explain that security logs can be configured to monitor the following: System errors Policy change events Account management events Logon events Account logon events Point out that configuring objects for auditing is necessary when either Audit Directory Service Access or Audit Object Access has been configured. Demonstrate how to configure an audit policy using Group Policy Management Console. Demonstrate how to configure an active directory object for auditing using the Active Directory Users and Computers Snap-in. Demonstrate how to configure files and folders for auditing using Windows Explorer properties. Point out that customizing event log policies allows administrators to configure settings that control each log. Demonstrate how to customize event log policies using the Administrative Tools Event Viewer window. Explain that restricted group settings allow the administrator to specify the group membership list. Explain that the system services category is used to configure the startup and security settings for services running on a computer. Explain that folder redirection is applied to a group policy folder that is located within the User Configuration node of a Group Policy. Demonstrate how to configure folder restrictions by creating a Group Policy Object. Explain that configuring offline files is a separate Group Policy category that can allow files to be available to users even when not connected to the Internet. Explain that disk quotas are set to limit the amount of space available on a server for user data.

58 Demonstrate how to configure disk quotas through the local disk properties. Demonstrate how to configure disk quotas using Group Policy. Point out that the following are types of refresh policies : Computer configuration Group Policy refresh interval Domain controllers Group Policy refresh interval User configuration Group Policy refresh interval Explain that manually refreshing Group Policy is used when modified settings need to be applied immediately. Demonstrate how to optimize Group Policy processing using the Group Policy Management Console. Lesson Quiz True/False 1. In Windows Server 2008, only a single password policy can be set at the domain level. 2. Audit policies can be configured under local policies to control settings for the Event Log on a computer. 3. Restricted groups can be used to remove users from groups to which they were added using Active Directory Users and Computers. 4. Group Policy can be configured to make user files stored on a network share available when the network connection is down by configuring the File Caching Group Policy option. 5. Windows Server 2008 supports Disk Quota configuration on the NTFS and FAT file systems. Multiple Choice 1. Which of the following are the three Account Policy subcategory configuration options? a) Password policies b) Account lockout policies c) Kerberos policies d) Account security policies 2. To monitor successful logon attempts to a domain controller, you should configure Group Policy to manage which type of events? a) System events b) Domain logon events c) Account logon events d) Logon events

59 3. System Services can be configured with all of the following startup options except: a) Enabled b) Automatic c) Manual d) Disabled 4. Folder redirection can be used to redirect the contents of a folder to a network location using group policy. What are the three configuration options for folder redirections? a) Basic - Redirect Everyone's folder to the same location b) Advanced - Specify location for various users c) Advanced - Specify location for various user groups d) Not Configured 5. Domain Controller Group Policy settings will refresh by default every ____ minutes. a) 90 b) 5 c) 2 d) 15 Quiz Answers True/False 1. False. Windows Server 2008 supports fine-grained password policies, allowing multiple password policies in a single domain. 2. True. 3. True. 4. False. You would need to configure the Offline Files Group Policy settings. 5. False. Disk Quota configuration supports the NTFS file system only. Multiple Choice 1. A, B, C 2. D 3. D 4. B, C, D 5. C

60 Class Projects Lesson 8 Exercise 1 List and explain the options available for configuring disk quotas using Group Policy. Lesson 8 Project 1 Explain what settings can be configured under the Account Policy Settings area. How do these options differ from the settings that were available in Windows Server 2003? Microsoft Video Resources Windows Server 2008 Read-Only Domain Controllers Password Replication Policies Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). This video takes a look at the password replication policies that are used to control credentials stored on RODCs. Length: 4:58 Securing Branch Office User Accounts Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal. Length: 12:08

61 Lesson 9: Software Installation with Group Policy Learning Goals: The goal of this lesson is to explain the process of installing software using Group Policy. Learning Objectives Upon completion of this lesson, students will be able to: Manage software with Group Policy. Customize software installation using Group Policy. Lesson Introduction Explain that Microsoft Windows Server 2008 Active Directory can use Group Policy to perform software installations. This procedure includes the ability to create software restriction policies and run application installations from a user computer. Managing Software with Group Policy Instructors should do the following: Explain that Group Policy can be used to install, upgrade, patch, or remove software applications at computer startup. Point out that software that is deemed out of date is a part of the software life cycle. Explain that there are four phases of the software life cycle: Planning Implementation Maintenance Removal Point out that the Windows Installer uses Group Policy to install and manage software that is packaged as an .msi file. Explain that patch files are used to apply service packs and hotfixes to installed software through Group Policy. Explain that repackaging some software packages is necessary if the software does not provide .msi support. This enables the administrator to take advantage of the Windows Installer Technology.

62 Point out that a third-party package-creation application may be used to repackage software for use with Windows Installer. Explain that a .zap file may be created when a repackaging option is not available and a Windows Installer file is not available. Point out that .zap files are created in a text editor and function similarly to an .ini file. Explain that prior to deploying software using Group Policy, a distribution share must be created. Point out that the distribution share creates a shared folder location where users can download the software from a network location. Explain that a GPO must be created to include software installation and then determine if the Assign or Publish option will be used. Point out that when an application is designated for a specific user, it is advertised on the user's Start Menu. Explain that publishing an application is available only under the User Configuration\Policies\Software Settings\Software Installation extension. Demonstrate how to configure software installation defaults using the Group Policy Management Editor window. Demonstrate how to create a new software installation package using the Group Policy Management Editor window. Customizing Software Installation Instructors should do the following: Explain that using the Windows Installer Package properties window enables the administrator to customize the settings associated with the installation package. Point out that the General tab of the Properties window allows the administrator to change the default name of the package. Point out that the Deployment tab of the Properties window allows the administrator to change the deployment type, deployment options, and installation user interface options. Demonstrate how to access the Properties window of the Windows Installer Package. Explain that allowing users to choose applications that they prefer provides a level of control over their working environment.

63 Explain that configuring software restriction policies prevents potentially harmful applications from running. Point out that the basic strategies for enforcing restrictions are: Unrestricted Disallowed Basic User Demonstrate how to modify the default security level using the Group Policy Management Editor window. Explain that configuring software restriction rules enables conditions to be specified by which application programs can be executed or denied. Point out that the four types of software restriction rules are: Hash rule Certificate rule Path rule Network zone rule Demonstrate how to access the window to configure enforcement properties. Demonstrate how to access the window to configure designated file types properties. Demonstrate how to access the window to configure trusted publishers properties. Lesson Quiz True/False 1. Windows Server 2008 Software Installation Policies can be used to install only application packages with an .msi file extension. 2. The distribution point for a Software Installation Policy must be located in the same domain as the users or computers that the policy will apply to. 3. Choosing to publish an application will allow users to install an application if needed. 4. Software Installation Policies can be used to uninstall applications as well as install applications. 5. The default setting for Software Restriction Policies is Disallow.

64 Multiple Choice 1. When configuring Software Installation Policies to automatically install an application at startup, the administrator should choose to ____ the application to the computer. a) Assign b) Enforce c) Publish d) Automate 2. When an application is published to a user, the user can install the application by (choose two). a) No interaction is required; the application will be installed at logon b) No interaction is required; the application will be installed at startup c) Selecting the application from the Start Menu d) Clicking on a file with an extension that requires a published application 3. Which three of the following are security levels available when using a Software Restriction Policy? a) Basic User b) Unrestricted c) Disallowed d) Answer Choice 4. Software Restriction Policy rules can be configured to use which of the following when determining what applications are allowed to run on the network? Choose all that apply. a) Hash Rule b) Path Rule c) Certificate Rule d) Network Zone Rule 5. You are attempting to create a Software Installation policy, but an .msi installer package is not available. What other type of install file can be used? a) .xls b) .txt c) .zap d) .exe

65 Quiz Answers True/False 1. True. 2. False. The distribution point can be located in the same domain or forest, but can also be located in another forest as long as a two-way forest trust exists. 3. True. 4. True. 5. False. The default setting is unrestricted. Multiple Choice 1. A 2. C, D 3. A, B, C 4. A, B, C, D 5. C Class Projects Lesson 9 Exercise 1 Explain the four phases of the software life cycle. Lesson 9 Project 1 Explain how software installation policies and software restriction policies should be used in a Windows Server 2008 environment. Explain the four types of rules that can be established when using software restriction policies.

66 Microsoft Video Resources Windows Server 2008 Read-Only Domain Controllers Password Replication Policies Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). This video takes a look at the password replication policies that are used to control credentials stored on RODCs. Length: 4:58. Securing Branch Office User Accounts Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal. Length: 12:08
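The four software restriction rule types and three security levels from Lesson 9 interact through a fixed precedence: a hash rule is consulted before a certificate rule, then a path rule, then a network zone rule, and the default security level applies only when nothing matches. The following Python model is an added example, not part of the lesson plan or of Windows itself; the file paths, publisher name and file contents are constructed, and SHA-256 stands in for whatever hash algorithm the policy actually records.

```python
"""Model of software restriction rule precedence (hash, certificate, path,
network zone, then the default security level). All sample data is constructed."""
import hashlib
from dataclasses import dataclass

PRECEDENCE = ["hash", "certificate", "path", "zone"]  # most specific first
RESTRICTIVENESS = {"Disallowed": 0, "Basic User": 1, "Unrestricted": 2}


@dataclass
class Rule:
    kind: str   # one of PRECEDENCE
    value: str  # hash digest, publisher name, path prefix or zone name
    level: str  # "Unrestricted", "Disallowed" or "Basic User"


@dataclass
class Program:
    path: str
    content: bytes
    publisher: str = ""  # signer of the file, empty if unsigned
    zone: str = ""       # origin zone, empty if not applicable


def _matches(rule, prog):
    if rule.kind == "hash":
        return hashlib.sha256(prog.content).hexdigest() == rule.value
    if rule.kind == "certificate":
        return bool(prog.publisher) and prog.publisher == rule.value
    if rule.kind == "path":
        base = rule.value.lower().rstrip("\\")
        path = prog.path.lower()
        return path == base or path.startswith(base + "\\")
    if rule.kind == "zone":
        return bool(prog.zone) and prog.zone == rule.value
    return False


def evaluate(prog, rules, default_level="Unrestricted"):
    """Return (security level, kind of rule that decided)."""
    for kind in PRECEDENCE:
        hits = [r for r in rules if r.kind == kind and _matches(r, prog)]
        if not hits:
            continue
        if kind == "path":
            # The most specific (longest) matching path wins.
            longest = max(len(r.value.rstrip("\\")) for r in hits)
            hits = [r for r in hits if len(r.value.rstrip("\\")) == longest]
        # Rules of equal rank that conflict: the more restrictive one wins.
        winner = min(hits, key=lambda r: RESTRICTIVENESS[r.level])
        return winner.level, kind
    return default_level, "default"


BANNED = b"constructed sample: unapproved tool"  # stands in for a real binary
OTHER = b"constructed sample: ordinary program"

RULES = [
    Rule("hash", hashlib.sha256(BANNED).hexdigest(), "Disallowed"),
    Rule("certificate", "Example Publisher (constructed)", "Unrestricted"),
    Rule("path", "C:\\Program Files", "Unrestricted"),
    Rule("path", "C:\\Program Files\\Legacy", "Disallowed"),
    Rule("zone", "Internet", "Disallowed"),
]

if __name__ == "__main__":
    samples = [
        Program("C:\\Program Files\\Tools\\tool.exe", BANNED),
        Program("C:\\Temp\\renamed.exe", BANNED),
        Program("C:\\Program Files\\Legacy\\old.exe", OTHER),
        Program("C:\\Program Files\\Legacy\\signed.exe", OTHER,
                publisher="Example Publisher (constructed)"),
        Program("C:\\Users\\Public\\unknown.exe", OTHER),
    ]
    for prog in samples:
        print(prog.path, evaluate(prog, RULES),
              evaluate(prog, RULES, default_level="Disallowed"))
```

The last sample shows why the default security level matters: with the default of Unrestricted an unlisted program is allowed, while a default of Disallowed turns the same rule set into an allow list.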

67 Lesson 10: Planning a Group Policy Management and Implementation Policy Learning Goals: The goal of this lesson is to explain the process of planning and implementing Group Policy management within Active Directory. Learning Objectives Upon completion of this lesson, students will be able to understand: Management of Group Policy. Customizing other Group Policy settings. Lesson Introduction Explain that Microsoft Windows Server 2008 Active Directory manages Group Policy through a Group Policy Management Console. The console allows for unified management across the organization and what-if scenarios for planning potential environment changes. Management of Group Policy Instructors should do the following: Explain that the Group Policy Management Snap-in is a tool for managing Windows Server 2008 and offers a single point of administration for Group Policy. Point out that Group Policy Management includes the following functionality: Importing and copying GPO settings to and from the file system Backup and restoration of GPOs, available in Group Policy Management Resultant Set of Policy Hypertext Markup Language Search for GPOs Search for individual settings GPMC is natively installed with Windows Server 2008

68 Demonstrate how to view the Group Policy Management MMC Snap-in. Point out that GPM allows administrators to create and modify policies from the container on which they are linked. Point out that the following features are available on each tab of the GPO: Scope Details Settings Delegation Demonstrate how to view the scope of a Group Policy Object. Demonstrate how to configure a starter GPO using Group Policy Management MMC console. Customizing Other Group Policy Settings Instructors should do the following: Explain that Group Policy settings will be applied to child objects within the domain. Point out that Blocking Group Policy Inheritance can be used to prevent policy settings from applying to child objects. Explain that Group Policy Filtering refines the GPO to include or exclude certain users, groups, and computers. Explain that the two options for preventing restrictive policies from applying to administrators are: Remove the ACE entry for the Authenticated Users group that grants the Read and Apply Group Policy permissions. Set the Apply Group Policy ACE to Deny for the specific groups that you want to exclude from Group Policy. Demonstrate how to configure security group filtering using the Group Policy Management MMC Snap-in. Explain that Windows Management Instrumentation (WMI) is a component of the Microsoft Windows operating system that provides management information to the enterprise environment. Demonstrate how to configure WMI filtering using the Group Policy Management MMC Snap-in. Explain that Resultant Set of Policy (RSoP) is the sum of policies applied to a user and computer after all files, security group permissions, and inheritance settings have finished processing.

- Point out that the RSoP wizard assists administrators in determining the effects of policies on users and computers.
- Explain that the planning mode of RSoP allows administrators to simulate the effect of policy settings prior to implementation.
- Explain that the logging mode of RSoP allows administrators to query existing policies in the hierarchy that are linked to sites, domains, domain controllers, and OUs.
- Demonstrate the use of the Resultant Set of Policy wizard.
- Explain that Group Policy Modeling is used to simulate the effect of policy on the user environment.
- Demonstrate how to create a Group Policy Modeling query using Administrative Tools.
- Point out that Group Policy Results is equivalent to the Logging mode within the RSoP MMC Snap-in.
- Demonstrate how to create a Group Policy Results query in Administrative Tools.
- Explain that GPResult is a command-line tool that allows you to create and display an RSoP query from the command line.

Lesson Quiz

True/False
1. As with Windows Server 2003, the Group Policy Management Console is an add-on snap-in that must be downloaded and installed from the Microsoft website.
2. WMI Filtering can be used to control the application of GPOs based on criteria such as disk space or processor capabilities.
3. The Resultant Set of Policies provides administrators with the tools to simulate the effect of GPO settings before actually applying the settings in production.
4. The Group Policy Modeling feature in the Group Policy Management Console produces results similar to running the RSoP Snap-in in planning mode.
5. A WMI filter can be linked to only one GPO.

Multiple Choice
1. When viewing an individual GPO using the Group Policy Management Console, which tab would display the status, such as Enabled?
   a) Details
   b) Scope
   c) Settings
   d) Delegation
2. Which two filtering options allow administrators to control the application of GPOs?
   a) Organizational unit filtering
   b) Computer and user filtering
   c) Security group filtering
   d) WMI filtering
3. Which two tools can be used to display the net effect of all group policies assigned to a user or computer?
   a) Resultant Set of Policy Wizard
   b) Net Effect Wizard
   c) Group Policy Wizard
   d) GP Result
4. Which Resultant Set of Policies mode is useful for understanding the effect of combined policies on users and computers?
   a) Planning Mode
   b) Results Mode
   c) GPResults Mode
   d) Logging Mode
5. Which command line tool provides the ability to create a Resultant Set of Policy query?
   a) GPResult.exe
   b) GPupdate.exe
   c) GPdisplay.exe
   d) RSoP.exe

Quiz Answers

True/False
1. False. GPMC is natively installed in Windows Server 2008.
2. True.
3. True.
4. True.
5. False. WMI filters can be linked to multiple GPOs.

Multiple Choice
1. B
2. C, D
3. A, D
4. D
5. A

Class Projects

Lesson 10 Exercise 1
Explain the functions that can be performed using the Group Policy Management Console.

Lesson 10 Project 1
As an Active Directory administrator, one of your jobs is to simplify the application of internal IT policies to users and computers. Explain how this can be accomplished using the following: Group Policy, inheritance of GPO settings, blocking of inheritance of GPO

Microsoft Video Resources

Windows Server 2008 Read-Only Domain Controllers Password Replication Policies
Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). In this video Mark Wilson takes a look at the password replication policies that are used to control credentials stored on RODCs. Length: 4:58.

Securing Branch Office User Accounts
Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal. Length: 12:08

Lesson 11: Active Directory Maintenance, Troubleshooting, and Disaster Recovery

Learning Goals
The goal of this lesson is to explain the processes and tools used to monitor, troubleshoot, and maintain Active Directory.

Learning Objectives
Upon completion of this lesson, students will understand:
- Management of Group Policy
- Restoring Active Directory
- Monitoring Active Directory
- Troubleshooting Active Directory

Lesson Introduction
Explain that Microsoft Windows Server 2008 Active Directory requires that the network administrator be able to monitor, troubleshoot, back up, and restore Active Directory Domain Services. Students will learn the vital importance of monitoring and troubleshooting Active Directory to ensure reliability.

Maintaining Active Directory
Instructors should do the following:
- Explain that maintenance and monitoring procedures for Active Directory ensure that the system runs smoothly.
- Point out that the Active Directory database is based on the Extensible Storage Engine (ESE) format.
- Point out that the ESE format is responsible for managing changes to the Active Directory Database.
- Point out that requests for creation or modification of database objects are made through the following process:
  1. Active Directory writes a transaction to the transaction buffer.
  2. Active Directory writes the transaction to the transaction log.
  3. Active Directory writes the transaction from the transaction buffer to the ntds.dit database.
  4. Active Directory compares the database with the change to the edbx.log file.
  5. Active Directory updates the edb.chk checkpoint file.

- Point out that modifications and changes can affect database performance and data integrity.
- Explain that fragmentation may occur to the data, which causes data to be divided into pieces in various locations on the disk.
- Explain that defragmentation is the process of rearranging fragmented data and placing it in a more efficient location on the disk.
- Point out that online defragmentation is an automatic process that occurs during the garbage collection process, which removes all tombstones from the database.
- Explain that offline defragmentation is a manual process of defragmenting the Active Directory database in addition to reducing its size.
- Demonstrate how to perform an offline defragmentation using your Directory Services Restore Mode password.
- Demonstrate how to move the Active Directory Database and Log Files using your Directory Services Restore Mode password.
- Explain that backing up Active Directory is essential to ensure that data and operating system information is backed up in the event of failure.
- Point out that in order to back up Active Directory, the Windows Server Backup must be installed from the Server Manager Console.
- Point out that a backup may also be performed from the command line using Windows PowerShell.
- Explain that Windows Server 2008 permits manual backups or scheduled backups to be performed.
- Point out that the critical volumes in Active Directory should be backed up rather than only backing up system state data.
- Demonstrate how to perform a manual Active Directory Backup by logging in to the Domain Controller.
- Demonstrate how to configure scheduled Active Directory Backups by logging in to the Domain Controller.
- Point out that Windows Server 2008 provides the ability to restore the Active Directory database.

Restoring Active Directory
Instructors should do the following:
- Point out that Windows Server 2008 provides the ability to restore the Active Directory database.
- Explain that Active Directory replication provides fault tolerance in the event of a hardware or software failure.
- Explain that Windows Server 2008 provides several restorative methods for Active Directory.
- Point out that wbadmin is a command line component to perform a non-authoritative restore in Active Directory.
- Point out that the Ntdsutil command line utility performs an authoritative restore.
- Explain that an authoritative restore will be necessary if an object or container within Active Directory is inadvertently deleted and needs to be restored.
- Demonstrate how to perform an authoritative restore at the command prompt window.

Monitoring Active Directory
Instructors should do the following:
- Explain that monitoring Active Directory is an essential task in network administration.
- Point out that adequate monitoring of Active Directory provides the following benefits:
  - Early alerts to potential problems
  - Improved system reliability
  - Fewer support calls to the helpdesk
  - Improved system performance
- Explain that the Windows Event Viewer records all system events for security, application, and directory service logs.
- Demonstrate how to view the Directory Services Event Log.
- Explain that the Reliability and Performance Monitor tool allows the administrator to collect real-time information for which permissions are granted.
- Point out that performance objects contain performance counters associated with the category that the administrator monitors.
- Demonstrate how to use the Reliability and Performance Monitor found in Administrative Tools.
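The Directory Services event log review described above can also be done from PowerShell instead of Event Viewer. The following is an added example, not part of the original lesson plan; it assumes it is run in an elevated session on a domain controller with PowerShell 2.0 or later, and the function name and the 24-hour default window are choices made for this example.

```powershell
# Added example: summarize recent Critical/Error/Warning events from the
# "Directory Service" log so recurring problems stand out.
function Get-DirectoryServiceEventSummary {
    param(
        [ValidateRange(1, 720)]
        [int]$Hours = 24    # look-back window in hours (example default)
    )

    $filter = @{
        LogName   = 'Directory Service'           # the AD DS log on a domain controller
        Level     = 1, 2, 3                       # 1 = Critical, 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    try {
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
    }
    catch {
        # Get-WinEvent reports "no matching events" as an error; treat it as an empty result.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    # One output row per (source, event ID) pair, most frequent first.
    $events |
        Group-Object -Property ProviderName, Id |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $newest = $_.Group | Sort-Object -Property TimeCreated -Descending |
                      Select-Object -First 1
            $sample = ''
            if ($newest.Message) {
                # Keep only the first line of the message for a compact table.
                $sample = ($newest.Message -split "`r?`n")[0]
            }
            New-Object PSObject -Property @{
                Count    = $_.Count
                Source   = $newest.ProviderName
                EventId  = $newest.Id
                Level    = $newest.LevelDisplayName
                LastSeen = $newest.TimeCreated
                Sample   = $sample
            } | Select-Object Count, Source, EventId, Level, LastSeen, Sample
        }
}

Get-DirectoryServiceEventSummary -Hours 24 | Format-Table -AutoSize -Wrap
```

An empty result means no Warning, Error, or Critical events were logged in the window, not that the log could not be read; read failures are re-thrown.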

Troubleshooting Active Directory
Instructors should do the following:
- Explain that monitoring Active Directory is an essential task in network administration.
- Point out that configuring Active Directory diagnostic event logging requires that the administrator be able to edit the registry.
- Point out that the following values indicate the level of logging that will occur for Active Directory:
  - 0 (None): Critical Events and Error Events.
  - 1 (Minimal): Very high level events.
  - 2 (Basic): Slightly more detailed information than the lowest level.
  - 3 (Extensive): More detailed information than the lowest level, like steps performed to complete a task.
  - 4 (Verbose): More detailed than the previous reports and is narrowed to the problem or a specific service.
  - 5 (Internal): Logs all events, including debug strings and configuration changes.

Lesson Quiz

True/False
1. Online defragmentation runs every 12 hours by default on all domain controllers as a part of the garbage collection process.
2. Performing an offline defragmentation of a domain controller running Windows Server 2008 requires that you restart the server and boot to the Directory Services Restore mode.
3. Windows Server supports two types of backups: Manual Backups and Scheduled Backups.
4. A non-authoritative restore can be used to recover a deleted item after replication has deleted the item from all other domain controllers.
5. Dcdiag is a command line tool that can be used to examine the state of domain controllers as well as troubleshooting Domain Controller issues.

Multiple Choice
1. What two features must be installed to enable the ability to perform Active Directory backups from the command line?
   a) Windows PowerShell
   b) Backup Exec
   c) ADBackup
   d) Windows Server Backup
2. What should you do on a Windows Server 2008 Domain Controller to ensure that you are backing up system state data?
   a) Choose System State on the backup options
   b) Choose Backup AD System State on the backup options
   c) Choose critical volumes on the backup options
   d) Nothing, system state data is backed up by default
3. Which command line tool can be used to perform an authoritative restore of Active Directory?
   a) Wbadmin
   b) Ntdsutil
   c) Windows Backup
   d) Windows PowerShell
4. Which two of the following Windows Server 2008 tools can be used to monitor the health of Active Directory?
   a) Event Viewer
   b) Reliability and Performance Monitor
   c) Memory Diagnostic Tools
   d) Component Services
5. Which command line tool can be used to verify replication consistency between replication partners?
   a) Dcdiag
   b) Netdom
   c) Repadmin
   d) Dsacls

Quiz Answers

True/False
1. True.
2. False. Windows Server 2008 offers the feature of Restartable Active Directory Domain Services that can be used to stop the Active Directory Service. DSRM can also be used, but it is no longer a requirement.
3. True.
4. False. Recovering a deleted item after replication would require an Authoritative Restore.
5. True.

Multiple Choice
1. A, D
2. C
3. B
4. A, B
5. C

Class Projects

Lesson 11 Exercise 1
Explain what is backed up when you choose to back up critical volumes using Windows Backup. Why is it important to back up the critical volumes on Domain Controllers?

Lesson 11 Project 1
Explain the differences between an Authoritative Restore and a Non Authoritative Restore. Give examples of when each would be appropriately used. Explain what tools can be used from a command line to perform an authoritative and non-authoritative restore of Active Directory.
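The diagnostic logging levels 0 to 5 listed under Troubleshooting Active Directory are stored as registry values, one per logging category. The following is an added example, not part of the original lesson plan, that audits and changes those levels; it assumes an elevated session on a domain controller and the standard NTDS Diagnostics registry key, and the function names are hypothetical.

```powershell
# Added example: audit and set Active Directory diagnostic logging levels.
# Assumption: the levels live under the standard NTDS Diagnostics key on a DC.
$NtdsDiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Level names as given in the lesson outline.
$LevelNames = @{
    0 = 'None'; 1 = 'Minimal'; 2 = 'Basic'
    3 = 'Extensive'; 4 = 'Verbose'; 5 = 'Internal'
}

function Get-NtdsDiagnosticLevel {
    # Returns one object per logging category (registry value) with its level.
    $key = Get-Item -Path $NtdsDiagKey -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $raw = $key.GetValue($name)
        $label = 'Out of range'
        if ($raw -is [int] -and $LevelNames.ContainsKey($raw)) {
            $label = $LevelNames[$raw]
        }
        New-Object PSObject -Property @{
            Category  = $name
            Level     = $raw
            LevelName = $label
        } | Select-Object Category, Level, LevelName
    }
}

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Category,          # must match an existing value name under the key

        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 5)]       # only the six levels from the lesson are accepted
        [int]$Level
    )
    $key = Get-Item -Path $NtdsDiagKey -ErrorAction Stop
    if ($key.GetValueNames() -notcontains $Category) {
        throw "No diagnostic category named '$Category' under $NtdsDiagKey"
    }
    # An [int] is written to the registry as a DWORD.
    Set-ItemProperty -Path $NtdsDiagKey -Name $Category -Value $Level
}

# Audit: list every category that is not at the default level 0, for example
# one left raised after a troubleshooting session.
Get-NtdsDiagnosticLevel | Where-Object { $_.Level -ne 0 } | Format-Table -AutoSize

# Typical troubleshooting cycle (category name must exist on the DC):
#   Set-NtdsDiagnosticLevel -Category '5 Replication Events' -Level 2
#   ... reproduce the problem and review the Directory Service log ...
#   Set-NtdsDiagnosticLevel -Category '5 Replication Events' -Level 0
```

Higher levels write many more events to the Directory Service log, so the audit at the end is worth running after any troubleshooting session.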

Microsoft Video Resources

Windows Server 2008 Read-Only Domain Controllers Password Replication Policies
Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). This video takes a look at the password replication policies that are used to control credentials stored on RODCs. Length: 4:58

Securing Branch Office User Accounts
Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal. Length: 12:08

Lesson 12: Configuring Name Resolution and Additional Services

Learning Goals
The goal of this lesson is to provide students with in-depth knowledge of Domain Name Server (DNS) name resolution.

Learning Objectives
Upon completion of this lesson, students will understand:
- DNS name resolution
- Configuring additional services

Lesson Introduction
Explain that Microsoft Windows Server 2008 Active Directory uses DNS for name resolution and that this tool is used for deployment and administration of a functional Active Directory infrastructure. Students will learn about DNS Zones and deploy additional services within the Active Directory environment.

DNS Name Resolution
Instructors should do the following:
- Explain that name resolution is an essential function on all Transmission Control Protocol/Internet Protocol (TCP/IP) networks.
- Point out that the network administrator will determine computer names at the time that the network is set up.
- Explain that DNS is the name resolution mechanism computers use for all Internet communication and is primarily used in Active Directory.
- Point out that one method of resolving names is to use a host file.
- Explain that the host table in the host files consists of the IP address, host name, and comments.
- Discuss how DNS maintains an extensive list of IP addresses and hosts through a distributed database.
- Point out that DNS consists of the following three elements:
  - DNS namespace
  - Name servers
  - Resolvers

- Explain that the DNS name resolution process consists of a resolver submitting a name resolution request to its designated DNS server.
- Explain that a DNS domain is an administrative entity that consists of a group of hosts, usually a combination of computers, routers, printers, and other TCP/IP-enabled devices.
- Point out that the following are DNS configuration items:
  - Resource records
  - Start of Authority (SOA)
  - Name Server (NS)
  - Host (A)
  - Host (AAAA)
  - Canonical Name (CNAME)
  - Host Information (HINFO)
  - Mail Exchanger (MX)
  - Pointer (PTR)
  - Service Record (SRV)
- Explain that the hierarchy levels of the DNS domain namespace make it possible to locate an authoritative source for any domain name.
- Point out that root name servers are at the top of the domain hierarchy.
- Explain that other top-level domains include:
  - Com
  - Net
  - Org
  - Edu
  - Mil
  - Gov
  - Int
  - Biz
- Explain that to create authoritative sources for your Internet domain, the administrator can deploy the organization's own DNS servers.
- Discuss the process of DNS name resolution on the Internet.
- Point out that caching is a process that can speed up the DNS name resolution process.
- Explain that a referral is the process where one DNS server sends a name resolution request to another DNS server.
- Explain that the two types of name resolution requests are recursive query and iterative query.
- Discuss the process of name resolution.
- Explain that reverse name resolution is the process of converting an IP address into a DNS name.

- Explain that since most organizations provide an internal network and external Internet presence, resources must be carefully managed to provide seamless access to resources.
- Explain that the following strategies will help in managing internal and external domains:
  - Use the same domain name internally and externally (highly discouraged)
  - Create separate and unrelated internal and external domains
  - Make the internal domain a subdomain of the external domain
- Explain that as the server performs client name resolutions, it builds up a cache of DNS information.
- Point out that a DNS server that contains no zones and hosts no domains is a caching-only server.
- Point out that a forwarder is a DNS server that receives queries from other DNS servers and is configured to forward them.
- Explain that conditional forwarding is available in Windows Server 2008 to enable administrators to forward queries based upon the domain specified in the name resolution request.
- Explain that a DNS zone is an administrative entity on the DNS server that represents a discrete portion of the DNS namespace.
- Point out that zone types specify the servers that store the zone database and the information it contains:
  - Primary zone
  - Secondary zone
  - Stub zone
- Point out that the administrator can configure standard DNS zones for the transfer from primary zones to secondary zones.
- Demonstrate how to configure a standard DNS zone using Administrative Tools.
- Explain that a full zone transfer is performed when a new DNS server is created on the network to obtain a full copy of all resource records for the zone.
- Point out that Windows Server 2008 also supports incremental zone transfer (IXFR), which is a revised DNS zone transfer process for intermediate changes.
- Explain that if Active Directory is run on the network, you must have at least one DNS server on the network that supports the SRV resource record.

- Point out that Active Directory conserves bandwidth by replicating only the DNS data that has changed since the last replication.
- Explain that Windows Server 2008 replicates the database for a zone stored in Active Directory to all the other domain controllers running the DNS service in the Active Directory domain where the primary zone is located.
- Demonstrate how to configure a custom application directory partition at the Windows Command Prompt.
- Explain that after DNS servers are configured, the client computers must be configured.
- Demonstrate how to configure DNS client settings manually using the Server Manager.
- Demonstrate how to configure DNS/WINS Integration using Administrative Tools.

Configuring Additional Services
Instructors should do the following:
- Explain that Windows Server 2008 offers additional services that increase security and functionality of the Active Directory Network.
- Explain that Active Directory Rights Management Service (AD RMS) is a Windows Server 2008 service that you can use to protect sensitive data on a Windows network.
- Explain that Active Directory Federation Services (AD FS) allows administrators to configure single sign-on for a web-based application across multiple organizations.
- Point out that AD FS configuration consists of the following two organizations:
  - Resource organizations
  - Account organizations
- Point out that the following components are available when installing AD FS:
  - AD FS Federation Service
  - AD FS Federation Services Proxy
  - Claims-aware agent
  - Windows token-based agent
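The DNS Name Resolution outline above states that Active Directory needs a DNS server that supports SRV records, and lists Host (A) and Host (AAAA) records alongside them. The following is an added example, not part of the original lesson plan, that follows that chain from the domain controller SRV records to their host records. It assumes a management workstation with the Resolve-DnsName cmdlet (Windows 8 / Windows Server 2012 or later); the function name and the domain in the usage comment are placeholders.

```powershell
# Added example: list the domain controllers a domain advertises through SRV
# records and confirm that each advertised target has a Host (A/AAAA) record.
function Get-DomainControllerSrvRecord {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DomainName      # DNS name of the AD domain, e.g. corp.example.com
    )

    # Well-known name under which domain controllers register their LDAP service.
    $queryName = "_ldap._tcp.dc._msdcs.$DomainName"

    # The response can carry extra records, so keep only the SRV answers.
    $srvRecords = @(Resolve-DnsName -Name $queryName -Type SRV -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'SRV' })

    # Clients prefer the lowest priority; weight balances load within a priority.
    $ordered = $srvRecords |
        Sort-Object -Property Priority, @{ Expression = 'Weight'; Descending = $true }

    foreach ($record in $ordered) {
        # Resolve the SRV target to its host records (default query returns A and AAAA).
        $addresses = @(Resolve-DnsName -Name $record.NameTarget -ErrorAction SilentlyContinue |
                       Where-Object { $_.Type -eq 'A' -or $_.Type -eq 'AAAA' } |
                       ForEach-Object { $_.IPAddress })

        [pscustomobject]@{
            Target    = $record.NameTarget
            Port      = $record.Port
            Priority  = $record.Priority
            Weight    = $record.Weight
            Addresses = $addresses -join ', '
            Resolves  = ($addresses.Count -gt 0)   # False = SRV record without a host record
        }
    }
}

# Usage (placeholder domain name):
#   Get-DomainControllerSrvRecord -DomainName 'corp.example.com' | Format-Table -AutoSize
```

A row with Resolves set to False points at a stale or incomplete registration: the SRV record still advertises a domain controller whose host record is missing.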

Lesson Quiz

True/False
1. Windows Server 2008 supports the Windows Internet Naming Service (WINS) for NetBIOS to IP address resolutions.
2. The .com domain is an example of a root domain.
3. DNS zone transfers are always initiated by the secondary master DNS server.
4. Active Directory Rights Management is an Active Directory service that can provide owners of data with the ability to control who can access the data.
5. Active Directory Federation Services relies on the existence of Active Directory trusts between domains to function properly.

Multiple Choice
1. Which type of DNS record provides IP addresses to DNS name mapping?
   a) Host record
   b) Pointer record
   c) SRV record
   d) Name server record
2. What are the two types of queries DNS can perform?
   a) Primary
   b) Secondary
   c) Recursive
   d) Iterative
3. A ____ DNS server does not host any DNS zones but can be used to resolve queries.
   a) Primary
   b) Caching-only
   c) Forwarder
   d) Secondary
4. Which of the following are valid DNS zone types in Windows Server 2008 DNS?
   a) Stub zone
   b) Secondary
   c) SRV zone
   d) Primary

5. What type of DNS record does an Active Directory client use to locate a domain controller?
   a) Host
   b) PTR
   c) SRV
   d) MX

Quiz Answers

True/False
1. True.
2. False. The .com domain is a top-level domain, not a root domain.
3. True.
4. True.
5. False. Trusts are not required with Active Directory Federation Services.

Multiple Choice
1. B
2. C, D
3. B
4. A, B, D
5. C

Class Projects

Lesson 12 Exercise 1
Explain the three elements of a Domain Name System. List at least five different types of DNS records that could be used in an Active Directory environment.

Lesson 12 Project 1
DNS can be configured to perform two types of queries: recursive and iterative. Explain what is meant by each and when each would be used.

Explain the following terms:
- Caching-only DNS server
- DNS Forwarder
- Conditional Forwarding
Give an example of when each might be used.

Microsoft Video Resources

Windows Server 2008 Read-Only Domain Controllers Password Replication Policies
Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). This video takes a look at the password replication policies that are used to control credentials stored on RODCs. Length: 4:58

Securing Branch Office User Accounts
Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal. Length: 12:08

Lesson 13: Configuring Active Directory Certificate Services

Learning Goals
The goal of this lesson is to provide students with knowledge about the technology used in private key infrastructure.

Learning Objectives
Upon completion of this lesson, students will understand:
- The basics of Active Directory Certificate Services
- Configuring Certificate Services

Lesson Introduction
Explain that Microsoft Windows Server 2008 Active Directory Certificate Services offers features that enable parties to communicate securely through private key infrastructure. Students will learn to design and deploy private key infrastructure within Windows Server 2008.

Introduction Active Directory Certificate Services
Instructors should do the following:
- Explain that Active Directory Certificate Services (AD CS) provides a user account or modifies access rights as a user's role changes within an organization and de-provisions a user account when the user's relationship with an organization ends.
- Point out that a public key infrastructure (PKI) includes features that allow two parties to communicate securely through the use of a mathematical algorithm called public key cryptography (PKC).
- Explain that public key cryptography stores a piece of information called the public key for each user and computer participating in a PKI.
- Point out that each user account and computer also contains private key information, which is known only to the individual computer or user account.
- Discuss the terminology that is associated with public key infrastructure.

- Point out that the Windows Server 2008 Active Directory Certificate Services includes the following features:
  - Certification Authority (CA)
  - Web enrollment
  - Online responder
  - Network Device Enrollment Service (NDES)
- Point out that a standalone CA and an enterprise CA are deployed with public key infrastructure.
- Demonstrate installing Active Directory Certificate Services after logging on to the CA Member Service.

Configuring Certificate Services
Instructors should do the following:
- Explain that one or more online responders can be configured to make revocation information available for one or more CAs.
- Demonstrate how to configure certificate revocation by logging in to the CA as the default administrator.
- Demonstrate how to configure certificate templates by logging into the CA as an administrator.
- Point out that certificate enrollment may be configured in a number of ways, depending on the setup of the organization.
- Point out that PKI certificates enable the following to be set up as automatic distributions:
  - Certificate templates
  - Group Policy
  - Certificate request wizard
  - Certification Authority Web Enrollment
- Point out that certificate templates may be configured as:
  - Full control
  - Read
  - Write
  - Enroll
  - Autoenroll
- Demonstrate how to manage certificate enrollment by logging in to the domain controller.
- Explain that Windows Server 2008 provides the ability to create a wireless network policy to address the security aspects of implementing wireless clients on a network.
- Point out that using public key policies for wireless networks provides the administrator with more control in establishing rules and guidelines governing the issuance and maintenance of wireless access to the network.

- Point out that the following settings are available in the public key policies category:
  - Encrypting file system (EFS)
  - Automatic certificate request
  - Trusted root certification authorities
  - Enterprise Trust
  - Certificate services client-auto-enrollment
- Explain that CA server settings are used for key archival and recovery, assigning administrative roles, and backing up and restoring the CA database.
- Explain that one risk is that users will lose the private keys associated with their certificates.
- Explain that key recovery agents are used to restore escrow copies of a private key.
- Demonstrate how to configure key archival and recovery by logging in to the domain controller.
- Explain that multiple predefined certificate roles can each perform a specific set of tasks.
- Point out that the predefined roles are:
  - CA Administrator
  - Certificate managers
  - Backup operators
  - Auditors

Lesson Quiz

True/False
1. A stand-alone Certificate Authority in Windows Server 2008 does not integrate with Active Directory.
2. The Encrypted File System (EFS) does not require the use of a Recovery Agent to recover lost encryption keys.
3. An online responder can be used to provide certificate revocation information when a traditional CRL is not available.
4. In a Windows Server 2008 PKI environment, the domain administrator is the single Active Directory user account that can have Key Recovery Agent capabilities.
5. The Online Responder Service can be installed only on a Windows Server 2008 server running the Enterprise or Data Center versions.

Multiple Choice
1. Which of the following is a type of CA that integrates with Active Directory and can allow automatic enrollment of computer and user certificates?
   a) Enterprise CA
   b) Active Directory CA
   c) Standalone CA
   d) Private CA
2. Certificate enrollment in a Windows Server 2008 environment can be used to automate PKI certificate distributions using which of the following methods? Choose all that apply.
   a) Certificate Authority Web Enrollment
   b) Certificate Templates
   c) Certificate Request Wizard
   d) Group Policy
3. Which of the following allows an administrator to define and distribute a list of trusted external CAs, known as a Certificate Trust List (CTL)?
   a) Root CA
   b) Certificate Services
   c) Key Distribution Agent
   d) Enterprise Trust
4. Windows Server 2008 supports two-factor authentication through the use of?
   a) Certificate services
   b) Digital signatures
   c) Smart cards
   d) Auto enrollment
5. Which protocol is used to allow network devices to enroll for PKI certificates?
   a) TCP/IP
   b) SCEP
   c) DNS
   d) HTTP

Quiz Answers

True/False
1. True.
2. False. A Recovery Agent is required to recover a lost EFS encryption key.
3. True.
4. False. Multiple user accounts can be set up as Key Recovery Agents.
5. True.

Multiple Choice
1. A
2. A, B, C, D
3. D
4. C
5. B

Class Projects

Lesson 13 Exercise 1
Explain the difference between a stand-alone CA and an Enterprise CA. Discuss the role each of the following plays in a PKI environment: Root CA, Subordinate CA, and Intermediate CA.

Lesson 13 Project 1
List and explain the four predefined security roles in a Windows Server 2008 Certificate Services environment.

Microsoft Video Resources

Windows Server 2008 Read-Only Domain Controllers Password Replication Policies
Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). This video takes a look at the password replication policies that are used to control credentials stored on RODCs. Length: 4:58.

Securing Branch Office User Accounts
Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal. Length: 12:08


More information

Introduction to Active Directory Services

Introduction to Active Directory Services Introduction to Active Directory Services Tom Brett A DIRECTORY SERVICE A directory service allow businesses to define manage, access and secure network resources including files, printers, people and

More information

Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services About this Course This five-day instructor-led course provides to teach Active Directory Technology Specialists

More information

Windows Server 2003 Active Directory: Perspective

Windows Server 2003 Active Directory: Perspective Mary I. Hubley, MaryAnn Richardson Technology Overview 25 September 2003 Windows Server 2003 Active Directory: Perspective Summary The Windows Server 2003 Active Directory lies at the core of the Windows

More information

Module 1: Introduction to Active Directory Infrastructure

Module 1: Introduction to Active Directory Infrastructure Module 1: Introduction to Active Directory Infrastructure Contents Overview 1 Lesson: The Architecture of Active Directory 2 Lesson: How Active Directory Works 10 Lesson: Examining Active Directory 19

More information

Windows Server 2003 Active Directory MST 887. Course Outline

Windows Server 2003 Active Directory MST 887. Course Outline Content and/or textbook subject to change without notice. Pennsylvania College of Technology Workforce Development & Continuing Education Windows Server 2003 Active Directory MST 887 Course Outline Course

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course Number: 6425C Course Length: 5 Days Course Overview This five-day course provides in-depth training on implementing,

More information

Managing an Active Directory Infrastructure O BJECTIVES

Managing an Active Directory Infrastructure O BJECTIVES O BJECTIVES This chapter covers the following Microsoft-specified objectives for the Planning and Implementing an Active Directory Infrastructure and Managing and Maintaining an Active Directory Infrastructure

More information

Designing Windows Server 2008 Active Directory Infrastructure and Services Course 6436B; 5 Days, Instructor-led

Designing Windows Server 2008 Active Directory Infrastructure and Services Course 6436B; 5 Days, Instructor-led Designing Windows Server 2008 Active Directory Infrastructure and Services Course 6436B; 5 Days, Instructor-led Course Description During this five-day course, students will learn how to design an Active

More information

Windows Server 2008 Active Directory Resource Kit

Windows Server 2008 Active Directory Resource Kit Windows Server 2008 Active Directory Resource Kit Stan Reimer, Mike Mulcare, Conan Kezema, Byron Wright w MS AD Team PREVIEW CONTENT This excerpt contains uncorrected manuscript from an upcoming Microsoft

More information

Understanding. Active Directory Replication

Understanding. Active Directory Replication PH010-Simmons14 2/17/00 6:56 AM Page 171 F O U R T E E N Understanding Active Directory Replication In previous chapters, you have been introduced to Active Directory replication. Replication is the process

More information

ITCertMaster. http://www.itcertmaster.com. Safe, simple and fast. 100% Pass guarantee! IT Certification Guaranteed, The Easy Way!

ITCertMaster. http://www.itcertmaster.com. Safe, simple and fast. 100% Pass guarantee! IT Certification Guaranteed, The Easy Way! ITCertMaster Safe, simple and fast. 100% Pass guarantee! http://www.itcertmaster.com IT Certification Guaranteed, The Easy Way! Exam : 070-640 Title : Windows Server 2008 Active Directory. Configuring

More information

How the Active Directory Installation Wizard Works

How the Active Directory Installation Wizard Works How the Active Directory Installation Wizard Works - Directory Services: Windows Serv... Page 1 of 18 How the Active Directory Installation Wizard Works In this section Active Directory Installation Wizard

More information

70-640 R4: Configuring Windows Server 2008 Active Directory

70-640 R4: Configuring Windows Server 2008 Active Directory 70-640 R4: Configuring Windows Server 2008 Active Directory Course Introduction Course Introduction Chapter 01 - Installing the Active Directory Role Lesson: What is IDA? What is Active Directory Identity

More information

MOC 6436A: Designing Active Directory Infrastructure and Services in Windows Server 2008

MOC 6436A: Designing Active Directory Infrastructure and Services in Windows Server 2008 MOC 6436A: Designing Active Directory Infrastructure and Services in Windows Server 2008 Course Number: 6436A Course Length: 5 Days Course Overview At the end of this five-day course, students will learn

More information

Windows.NET Beta 3 Active Directory New Features

Windows.NET Beta 3 Active Directory New Features Windows.NET Beta 3 Active Directory New Features Wolfgang Werner Compaq Decus Bonn 2002 Agenda Install Replica from Media Domain Controller Rename Domain Rename Universal Group Membership Caching Linked

More information

Designing a Windows Server 2008 Active Directory Infrastructure and Services

Designing a Windows Server 2008 Active Directory Infrastructure and Services Course Code: M6436 Vendor: Microsoft Course Overview Duration: 5 RRP: 2,025 Designing a Windows Server 2008 Active Directory Infrastructure and Services Overview During this five-day course, delegates

More information

Active Directory Restructuring Recommendations

Active Directory Restructuring Recommendations Active Directory Restructuring Recommendations Version 2.0 - Final September 7, 2004 Authored By: Jenn Goth Microsoft Services [email protected] Contributors: Brian Redmond Microsoft Services [email protected]

More information

Lesson Plans LabSim for Microsoft s Configuring Windows Server 2008 Active Directory

Lesson Plans LabSim for Microsoft s Configuring Windows Server 2008 Active Directory Lesson Plans LabSim for Microsoft s Configuring Windows Server 2008 Active Directory (Exam 70-640) Table of Contents Course Overview... 3 Section 0.1: Active Directory Organization... 5 Section 0.2: Active

More information

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Length: 5 Days Published: June 02, 2011 Language(s): English Audience(s): IT Professionals Level: 200

More information

Module 2: Implementing an Active Directory Forest and Domain Structure

Module 2: Implementing an Active Directory Forest and Domain Structure Contents Overview 1 Lesson: Creating a Forest and Domain Structure 2 Lesson: Examining Active Directory Integrated DNS 22 Lesson: Raising Forest and Domain Functional Levels 36 Lesson: Creating Trust Relationships

More information

Configuring Windows Server 2008 Active Directory

Configuring Windows Server 2008 Active Directory Configuring Windows Server 2008 Active Directory Course Number: 70-640 Certification Exam This course is preparation for the Microsoft Technical Specialist (TS) exam, Exam 70-640: TS: Windows Server 2008

More information

Introduction to Auditing Active Directory

Introduction to Auditing Active Directory Introduction to Auditing Active Directory Prepared and presented by: Tanya Baccam CPA, CITP, CISSP, CISA, CISM, GPPA, GCIH, GSEC, OCP DBA Baccam Consulting LLC [email protected] Objectives Understand

More information

MS-6425C - Configuring Windows Server 2008 Active Directory Domain Services

MS-6425C - Configuring Windows Server 2008 Active Directory Domain Services MS-6425C - Configuring Windows Server 2008 Active Directory Domain Services Table of Contents Introduction Audience At Clinic Completion Prerequisites Microsoft Certified Professional Exams Student Materials

More information

6425C - Windows Server 2008 R2 Active Directory Domain Services

6425C - Windows Server 2008 R2 Active Directory Domain Services Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Introduction This five-day instructor-led course provides in-depth training on configuring Active Directory Domain Services

More information

Microsoft. Official Course. Introduction to Active Directory Domain Services. Module 2

Microsoft. Official Course. Introduction to Active Directory Domain Services. Module 2 Microsoft Official Course Module 2 Introduction to Active Directory Domain Services Module Overview Overview of AD DS Overview of Domain Controllers Installing a Domain Controller Lesson 1: Overview of

More information

Active Directory. By: Kishor Datar 10/25/2007

Active Directory. By: Kishor Datar 10/25/2007 Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory Collection of related objects Files, Printers, Fax servers etc. Directory Service Information needed to use and manage

More information

70-413: Designing and Implementing a Server Infrastructure

70-413: Designing and Implementing a Server Infrastructure 70-413: Designing and Implementing a Server Infrastructure Course Overview This course covers everything you need to know about designing and implementing a server infrastructure. Students will learn about

More information

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services www.etidaho.com (208) 327-0768 Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services 5 Days About this Course This five-day instructor-led course provides in-depth

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course Code: M6425 Vendor: Microsoft Course Overview Duration: 5 RRP: 2,025 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Overview This five-day instructor-led course

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course Details Course Outline Module 1: Introducing Active Directory Domain Services This module provides

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Active Directory About this Course This five-day instructor-led course provides in-depth training on implementing, configuring, managing and troubleshooting (AD DS) in and R2 environments. It covers core

More information

Active Directory Objectives

Active Directory Objectives Exam Objectives Active Directory Objectives Exam 70 640: TS: Windows Server 2008 Active Directory, Configuring This certification exam measures your ability to manage Windows Server 2008 Active Directory

More information

6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course Details Course Code: Duration: Notes: 6425C 5 days This course syllabus should be used to determine whether

More information

ACTIVE DIRECTORY REPLICATION: HOW IT WORKS

ACTIVE DIRECTORY REPLICATION: HOW IT WORKS ACTIVE DIRECTORY REPLICATION: HOW IT WORKS Active Directory is a great tool. And Now a days it hard to imagine a windows network without active directory. In this part we will see what active directory

More information

Managing and Maintaining Windows Server 2008 Active Directory Servers

Managing and Maintaining Windows Server 2008 Active Directory Servers Managing and Maintaining Windows Server 2008 Active Directory Servers Course Number: 6432A Course Length: 2 Days Course Overview This two-day instructor-led course provides students with the knowledge

More information

WINDOWS 2000 Training Division, NIC

WINDOWS 2000 Training Division, NIC WINDOWS 2000 Active TE Directory Services WINDOWS 2000 Training Division, NIC Active Directory Stores information about objects on the network and makes this information easy for administrators and users

More information

Microsoft. Jump Start. M11: Implementing Active Directory Domain Services

Microsoft. Jump Start. M11: Implementing Active Directory Domain Services Microsoft Jump Start M11: Implementing Active Directory Domain Services Rick Claus Technical Evangelist Microsoft Ed Liberman Technical Trainer Train Signal Jump Start Target Agenda Day One Day 1 Day 2

More information

NE-6425C Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

NE-6425C Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services NE-6425C Configuring and Troubleshooting Windows Server 2008 Active Domain Services Summary Duration Vendor Audience 5 Days Microsoft IT Professionals Published Level Technology 02 June 2011 200 Windows

More information

How to install Small Business Server 2003 in an existing Active

How to install Small Business Server 2003 in an existing Active Page 1 of 6 How to install Small Business Server 2003 in an existing Active Directory domain INTRODUCTION This article describes how to install a Microsoft Windows Small Business Server (SBS) 2003-based

More information

Introduction. Versions Used Windows Server 2003

Introduction. Versions Used Windows Server 2003 Training Installing Active Directory Introduction As SonicWALL s products and firmware keeps getting more features that are based on integration with Active Directory, e.g., Active Directory Connector

More information

Designing the Active Directory Structure

Designing the Active Directory Structure 253 CHAPTER 9 Designing the Active Directory Structure Microsoft Windows 2000 Server includes a directory service called Active Directory. The Active Directory concepts, architectural elements, and features

More information

SETTING UP ACTIVE DIRECTORY (AD) ON WINDOWS 2008 FOR DOCUMENTUM @ EROOM

SETTING UP ACTIVE DIRECTORY (AD) ON WINDOWS 2008 FOR DOCUMENTUM @ EROOM SETTING UP ACTIVE DIRECTORY (AD) ON WINDOWS 2008 FOR DOCUMENTUM @ EROOM Abstract This paper explains how to setup Active directory service on windows server 2008.This guide also explains about how to install

More information

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Five Days, Instructor-Led About this course This five-day instructor-led course provides in-depth training

More information

MCSE Objectives. Exam 70-236: TS:Exchange Server 2007, Configuring

MCSE Objectives. Exam 70-236: TS:Exchange Server 2007, Configuring MCSE Objectives Exam 70-236: TS:Exchange Server 2007, Configuring Installing and Configuring Microsoft Exchange Servers Prepare the infrastructure for Exchange installation. Prepare the servers for Exchange

More information

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment (Exam 70-290) Table of Contents Table of Contents... 1 Course Overview... 2 Section 0-1: Introduction... 4

More information

1. Name of Course: Windows Server 2008 Active Directory, Configuring

1. Name of Course: Windows Server 2008 Active Directory, Configuring ITMC 2076 Course Syllabus 1. Name of Course: Windows Server 2008 Active Directory, Configuring 2. Number of Clock Hours: 48 3. Course Description: This course focuses on Active Directory in Windows Server

More information

Network System Management. Creating an Active Directory Domain

Network System Management. Creating an Active Directory Domain Network System Management Creating an Active Directory Domain Objectives Identify the procedures involved in the promotion of a stand-alone Windows Server to an active directory services (ADS) domain controller

More information

Configuring and Troubleshooting Windows 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows 2008 Active Directory Domain Services About this Course Configuring and Troubleshooting Windows This five-day instructor-led course provides in-depth training on implementing, configuring, managing and troubleshooting Active Directory Domain

More information

Active Directory basics. Explaining Active Directory to IT professionals

Active Directory basics. Explaining Active Directory to IT professionals 1 Contents Introduction.........................................................................3 Active Directory and its components................................................ 4 Domain Controllers..............................................................

More information

The Windows Server 2003 Environment. Introduction. Computer Roles. Introduction to Administering Accounts and Resources. Lab 2

The Windows Server 2003 Environment. Introduction. Computer Roles. Introduction to Administering Accounts and Resources. Lab 2 Islamic University of Gaza College of Engineering Computer Department Computer Networks Lab Introduction to Administering Accounts and Resources Prepared By: Eng.Ola M. Abd El-Latif Mar. /2010 0 :D Objectives

More information

ILTA 2013 - HAND 6B. Upgrading and Deploying. Windows Server 2012. In the Legal Environment

ILTA 2013 - HAND 6B. Upgrading and Deploying. Windows Server 2012. In the Legal Environment ILTA 2013 - HAND 6B Upgrading and Deploying Windows Server 2012 In the Legal Environment Table of Contents Purpose of This Lab... 3 Lab Environment... 3 Presenter... 3 Exercise 1 Add Roles and Features...

More information

Creating the Conceptual Design by Gathering and Analyzing Business and Technical Requirements

Creating the Conceptual Design by Gathering and Analyzing Business and Technical Requirements Creating the Conceptual Design by Gathering and Analyzing Business and Technical Requirements Analyze the impact of Active Directory on the existing technical environment. Analyze hardware and software

More information

TestOut Course Outline for: Windows Server 2008 Active Directory

TestOut Course Outline for: Windows Server 2008 Active Directory TestOut Course Outline for: Windows Server 2008 Active Directory CONTENTS: Videos: 61 (5:06) Demonstrations: 72 (6:38) Simulations: 61 Fact Sheets: 105 Exams: 47 0.0 Active Directory Overview 0.1 Active

More information

Implementing Domain Name Service (DNS)

Implementing Domain Name Service (DNS) Implementing Domain Name Service (DNS) H C A 1 P T E R ITINERARY Objective 1.01 Objective 1.02 Objective 1.03 Install and Configure DNS for Active Directory Integrate Active Directory DNS Zones with Existing

More information

EXAM - 70-413. Designing and Implementing a Server Infrastructure. Buy Full Product. http://www.examskey.com/70-413.html

EXAM - 70-413. Designing and Implementing a Server Infrastructure. Buy Full Product. http://www.examskey.com/70-413.html Microsoft EXAM - 70-413 Designing and Implementing a Server Infrastructure Buy Full Product http://www.examskey.com/70-413.html Examskey Microsoft 70-413 exam demo product is here for you to test the quality

More information

Designing a Windows Server 2008 Active Directory Infrastructure and Services

Designing a Windows Server 2008 Active Directory Infrastructure and Services Designing a Windows Server 2008 Active Directory Infrastructure and Services Course M6436B 5 Day(s) 30:00 Hours Introduction During this five-day course, students will learn how to design an Active Directory

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain MOC 6425

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain MOC 6425 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain MOC 6425 Course Outline Module 1: Introducing Active Directory Domain Services This module provides an overview of Active Directory

More information

Study Guide Preview Cert-83-640 MSCert Microsoft Cert-1Z0-050 DBCert Oracle Cert-220-601 CompCert CompTIA

Study Guide Preview Cert-83-640 MSCert Microsoft Cert-1Z0-050 DBCert Oracle Cert-220-601 CompCert CompTIA Study Guide Preview Cert-83-640 MSCert Microsoft Cert-1Z0-050 DBCert Oracle Cert-220-601 CompCert CompTIA Study Guide Preview Cert-83-640 MSCert Microsoft Cert-1Z0-050 DBCert Oracle Cert-220-601 CompCert

More information

Course 6425C: Five days

Course 6425C: Five days CÔNG TY CỔ PHẦN TRƯỜNG CNTT TÂN ĐỨC TAN DUC INFORMATION TECHNOLOGY SCHOOL JSC LEARN MORE WITH LESS! Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course 6425C: Five

More information

Module 4: Implementing User, Group, and Computer Accounts

Module 4: Implementing User, Group, and Computer Accounts Module 4: Implementing User, Group, and Computer Accounts Contents Overview 1 Lesson: Introduction to Accounts 2 Lesson: Creating and Managing Multiple Accounts 8 Lesson: Implementing User Principal Name

More information

MOC 20413C: Designing and Implementing a Server Infrastructure

MOC 20413C: Designing and Implementing a Server Infrastructure MOC 20413C: Designing and Implementing a Server Infrastructure Course Overview This course provides students with the knowledge and skills to provide an enterprise solution that supports manual and automated

More information

PassTest. Bessere Qualität, bessere Dienstleistungen!

PassTest. Bessere Qualität, bessere Dienstleistungen! PassTest Bessere Qualität, bessere Dienstleistungen! Q&A Exam : 70-640 Title : Windows Server 2008 Active Directory. Configuring Version : Demo 1 / 28 1.You have a single Active Directory domain. All domain

More information

SKV PROPOSAL TO CLT FOR ACTIVE DIRECTORY AND DNS IMPLEMENTATION

SKV PROPOSAL TO CLT FOR ACTIVE DIRECTORY AND DNS IMPLEMENTATION SKV PROPOSAL TO CLT FOR ACTIVE DIRECTORY AND DNS IMPLEMENTATION Date: April 22,2013 Prepared by: Sainath K.E.V Microsoft Most Valuable Professional Introduction: SKV Consulting is a Premier Consulting

More information

Partie Serveur 2008. Lab : Implement Group Policy. Create, Edit and Link GPOs. Lab : Explore Group Policy Settings and Features

Partie Serveur 2008. Lab : Implement Group Policy. Create, Edit and Link GPOs. Lab : Explore Group Policy Settings and Features Partie Serveur 2008 Implement a Group Policy Infrastructure This module explains what Group Policy is, how it works, and how best to implement Group Policy in your organization. Understand Group Policy

More information

MCTS Guide to Microsoft Windows 7. Chapter 13 Enterprise Computing

MCTS Guide to Microsoft Windows 7. Chapter 13 Enterprise Computing MCTS Guide to Microsoft Windows 7 Chapter 13 Enterprise Computing Objectives Understand Active Directory Use Group Policy to control Windows 7 Control device installation with Group Policy settings Plan

More information

Module 2. Configuring and Troubleshooting DNS. Contents:

Module 2. Configuring and Troubleshooting DNS. Contents: Configuring and Troubleshooting DNS 2-1 Module 2 Configuring and Troubleshooting DNS Contents: Lesson 1: Installing the DNS Server Role 2-3 Lesson 2: Configuring the DNS Server Role 2-9 Lesson 3: Configuring

More information

70-413: Version: Designing and Implementing. a Server Infrastructure. Demo

70-413: Version: Designing and Implementing. a Server Infrastructure. Demo 70-413: Version: Designing and Implementing a Server Infrastructure Demo 1. - (Topic 1) After the planned upgrade to Windows Server 2012, you restore a user account from the Active Directory Recycle Bin.

More information

Active Directory Infrastructure Design Document

Active Directory Infrastructure Design Document Active Directory Infrastructure Design Document Written By Sainath KEV Microsoft MVP Directory Services Microsoft Author TechNet Magazine, Microsoft Operations Framework Microsoft Speaker - Singapore Document

More information

5 Configuring a DNS Infrastructure

5 Configuring a DNS Infrastructure 5 Configuring a DNS Infrastructure Exam Objectives in this Chapter: Configure a DNS server. Configure DNS zone options. Configure DNS forwarding. Manage DNS zone settings. Manage DNS server options. Why

More information

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks

More information

70-412: Configuring Advanced Windows Server 2012 Services

70-412: Configuring Advanced Windows Server 2012 Services 70-412: Configuring Advanced Windows Server 2012 Services Course Overview This course provides students with the knowledge and skills to utilize Network Services, High Availability, Hyper-V and High Availability,

More information

ChangeAuditor 5.8 For Active Directory

ChangeAuditor 5.8 For Active Directory ChangeAuditor 5.8 For Active Directory Event Reference Guide 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in

More information

Presenter s name here Date of presentation (optional) Windows Security and Domains for Experion

Presenter s name here Date of presentation (optional) Windows Security and Domains for Experion Presenter s name here Date of presentation (optional) Windows Security and Domains for Experion Today s Webinar Agenda Overview of Domains Common Setup of a Domain in an Experion Environment Best Practices

More information

Microsoft Virtual Labs. Active Directory New User Interface

Microsoft Virtual Labs. Active Directory New User Interface Microsoft Virtual Labs Active Directory New User Interface 2 Active Directory New User Interface Table of Contents Active Directory New User Interface... 3 Exercise 1 User Management and Saved Queries...4

More information

MCSE SYLLABUS. Exam 70-290 : Managing and Maintaining a Microsoft Windows Server 2003:

MCSE SYLLABUS. Exam 70-290 : Managing and Maintaining a Microsoft Windows Server 2003: MCSE SYLLABUS Course Contents : Exam 70-290 : Managing and Maintaining a Microsoft Windows Server 2003: Managing Users, Computers and Groups. Configure access to shared folders. Managing and Maintaining

More information

MCSA/MCITP: Enterprise Windows Server 2008 Course 9952; 14 Days, Instructor-led

MCSA/MCITP: Enterprise Windows Server 2008 Course 9952; 14 Days, Instructor-led MCSA/MCITP: Enterprise Windows Server 2008 Course 9952; 14 Days, Instructor-led Course Description Whether you are looking to learn new technology, gain Server 2008 certification, or simply improve your

More information

Core Active Directory Administration

Core Active Directory Administration Chapter 7 Core Active Directory Administration In this chapter: Tools for Managing Active Directory............................157 Using the Active Directory Users And Computers Tool............162 Managing

More information

Agency Pre Migration Tasks

Agency Pre Migration Tasks Agency Pre Migration Tasks This document is to be provided to the agency and will be reviewed during the Migration Technical Kickoff meeting between the ICS Technical Team and the agency. Network: Required

More information

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course OutlineModule 1: Introducing Active Directory Domain Services This module provides an overview

More information