Lesson Plans LabSim for Microsoft s Configuring Windows Server 2008 Active Directory

Lesson Plans LabSim for Microsoft s Configuring Windows Server 2008 Active Directory (Exam 70-640)

Table of Contents Course Overview... 3 Section 0.1: Active Directory Organization... 5 Section 0.2: Active Directory Features... 7 Section 0.3: New 2008 and 2008 R2 Features... 8 Section 1.1: Organizational Units... 10 Section 1.2: User Accounts... 12 Section 1.3: Computer Accounts... 14 Section 1.4: Service Accounts... 16 Section 1.5: Groups... 17 Section 1.6: Group Strategy... 19 Section 1.7: Object Management Tools... 21 Section 2.1: DNS Concepts... 23 Section 2.2: Installation... 24 Section 2.3: Zones... 25 Section 2.4: Resource Records... 27 Section 2.5: Zone Transfers... 29 Section 2.6: Advanced Zone Configuration... 31 Section 2.7: Root Hints... 33 Section 2.8: Round Robin... 35 Section 2.9: Directory Partitions... 36 Section 2.10: DNS Features... 37 Section 3.1: Preparation... 38 Section 3.2: Installation... 40 Section 3.3: Removal... 42 Section 4.1: Functional Levels... 44 Section 4.2: Sites and Subnets... 46 Section 4.3: Global Catalog Servers... 48 Section 4.4: Operations Master Roles... 50 Section 4.5: Trusts... 52 Section 5.1: RODC Concepts... 54 Section 5.2: RODC Installation... 55 Section 5.3: RODC Administration... 57 Section 5.4: RODC Removal... 59 Section 6.1: Group Policy... 60 Section 6.2: GPO Management... 62 Section 6.3: GPO Application... 64 Section 6.4: Software Deployment... 66 Section 6.5: Application Restriction... 68 Section 6.6: Password Policies... 70 Section 6.7: Auditing... 72 Section 7.1: Certificate Services... 74 Section 7.2: AD CS Installation... 76 Section 7.3: Certificate Templates... 77 1

Section 7.4: Certificate Requests... 79 Section 7.5: Certificate Revocation... 81 Section 7.6: CA Management... 83 Section 7.7: Certificate Implementations... 85 Section 8.1: Lightweight Directory Services (AD LDS)... 87 Section 8.2: Federation Services (AD FS)... 89 Section 8.3: Rights Management Services (AD RMS)... 91 Section 9.1: Recovery and Availability... 94 Section 9.2: Windows Server Backup... 95 Section 9.3: Active Directory Backup and Restore... 97 Section 9.4: Maintenance and Monitoring... 99 Practice Exams... 101 Appendix A: Approximate for the Course... 102 2

Course Overview This course prepares students for Microsoft s Configuring Windows Server 2008 Active Directory Exam: 70-640. It focuses on configuring, managing and troubleshooting the computing environment of medium to large companies. Module 0 Active Directory Overview This module provides an overview of the organization and features of Active Directory. Module 1 Objects and Accounts This module discusses the basics of using the following objects and accounts to organize network resources; organizational units (OUs), user accounts, computer accounts, service accounts, and groups. Students will also learn about group strategies for assigning members to groups and tools used to manage Active Directory objects. Module 2 DNS This module examines the following details about DNS; the role and components of DNS, facts about installing DNS, configuration of DNS zones, common resource records, configuration of zone transfers, configuration of advanced zones, root hints, configuration of DNS round robin for load balancing, application directory partitions, and new Windows Server 2008 DNS features. Module 3 Installation In this module students will learn the following facts about installing Windows Server 2008; preparing forest and domain support for Windows Server 2008, requirements and methods for installing Active Directory Domain Services (AD DS), tools and scenarios to remove a domain controller. Module 4 Infrastructure This module teaches the students about configuring the infrastructure by raising forest functional levels and configuring sites and subnets, global catalog servers, operations master roles, and trusts. Module 5 Read-only Domain Controller This module discusses configuring and installing a read-only controller (RODC). Module 6 Group Policy This module examines creating and applying Group Policy objects (GPOs). This includes the following; management and application of GPOs, the software deployment lifecycle, software, Password Policy and Account Lockout Policy settings, and audit policies configurable through Group Policy. 3

Module 7 Certificate Services In this module students will learn facts about installing Active Directory certificate services and services roles and managing certificate templates. Module 8 Active Directory Roles This module teaches the students about the following Active Directory roles; Lightweight Directory Services (AD LDS), Federation Service (AD FS), and Rights Management Services (AD RMS). Module 9 Maintenance This module examines the following maintenance facts; tools for managing disaster recovery and availability, managing backup and recovery for Windows Server 2008 and Windows Server 2008 R2, managing backup and restore of Active Directory, and tools to view and monitor system events and information. Practice Exams In Practice Exams students will have the opportunity to test themselves and verify that they understand the concepts and are ready to take the certification exam. 4

Section 0.1: Active Directory Organization This section discusses the organization of the Active Directory database. The Active Directory structure is a hierarchical framework consisting of the following components: Domain Objects Organizational Unit (OU) Generic Containers Trees and Forests Domain Controller Sites and Subnets The Active Directory database file called NTDS.dit consists of three internal tables: Data table Link table Security descriptor (SD) Students will learn how to: Use management tools to view the Active Directory structure and objects. Lecture Focus Questions: Why is DNS important for Active Directory? What is the purpose of the schema? What are the advantages of using organizational units over generic containers? What is the difference between a tree and a forest? How can you tell when a new domain starts a new tree? How does a site differ from a domain? 5

Video/Demo 0.1.1 Active Directory 7:26 0.1.2 Active Directory Structure 5:00 0.1.3 Active Directory Schema 3:34 0.1.4 Viewing Active Directory 2:40 Total 18:40 Total About 25 minutes 6

Section 0.2: Active Directory Features This section teaches the students about the following features of Active Directory: Global Catalog Operations Master Roles Service Functional Level Group Policy Lecture Focus Questions: What is the purpose of a global catalog server? Which operation master roles are forest-wide roles? Why is the domain or forest functional level important? How does the functional level relate to the operating system versions you run on domain controllers in the domain? How does Group Policy simplify network administration? Video/Demo 0.2.1 Global Catalog 2:50 0.2.2 Operations Master Roles 4:28 0.2.3 Service 5:20 Total 12:38 Total About 15 minutes 7

Section 0.3: New 2008 and 2008 R2 Features This section discusses features available in Windows 2008 and 2008 R2. Concepts presented include: The function of: An Active Directory server role A role Role services A feature The following Active Directory server roles are described: Active Directory Domain Services (AD DS) Active Directory Lightweight Directory Service (AD LDS) Active Directory Federation Services (AD FS) Active Directory Rights Management Service (AD RMS) Active Directory certificate Services (AD CS) Server core, a minimal server installation, provides a low-maintenance version of Windows 2008 and Windows Server 2008 R2. Details include: Limitations of using the server core interface Limited set of server roles Features currently available in Windows Server 2008 R2 server Managing a server core system Students will learn how to: Use Server Manager to add and mange roles and features. Lecture Focus Questions: What is the difference between a role, a role service, and a feature? Which Active Directory role helps you control access to digital documents? Which role do you use to create a custom directory service? What are the advantages of using a Server Core installation over a regular installation? How does management of a Server Core system differ from managing a regular version of Windows? Which server roles cannot run on a Server Core system? 8

Video/Demo 0.3.1 New 2008 Features 7:24 0.3.2 New 2008 R2 Features 3:45 0.3.3 Using Server Manager 2:03 0.3.4 Using PowerShell Cmdlets 7:12 0.3.5 New 2008 Features Tour 3:30 0.3.6 Using Best Practice Analyzer 3:56 Total 27:50 Total About 35 minutes 9

Section 1.1: Organizational Units This section provides the basics of using organizational units (OUs) to organize network resources within a domain. Details include: An OU can contain other OUs OUs can be nested OUs are typically organized by: o Physical location o Organizational structure o Object type o Hybrid of location, organizational structure, and object type Considerations for managing OUs: o Group Policy o Preventing accidental deletion o Delegating authority Default containers and OUs automatically created when Active Directory is installed: o Builtin o Computers o Domain Controllers o ForeignSecurityPrincipals o LostAndFound o NTDS Quotas o Program Data o System o Users Managing default containers Students will learn how to: Create organizational units using Active Directory Users and Computers or Server Manager. Use the Delegation of Control wizard to allow administrators to manage objects and object properties. Configuring Windows Server 2008 Active Directory Objectives 402. Maintain Active Directory accounts. Lecture Focus Questions: What objects can an organizational unit contain? 10

How is an organizational unit different than a generic container? How does inheritance affect child organizational units? How does object-based delegation differ from task-based delegation? Video/Demo 1.1.1 Organizational Units (OUs) 5:40 1.1.2 Managing OUs 3:58 1.1.3 Delegating Authority 2:12 Total 11:50 Lab/Activity Create OUs Number of Exam Questions 5 questions Total About 25 minutes 11

Section 1.2: User Accounts This section discusses how to create and manage user accounts. Details include: Types of Windows user accounts: o Local o Domain Name types used by Active Directory to recognize each objects: o User or Logon Name o User Principal Name (UPN) o LDAP Distinguished Name (DN) o Relative Distinguished Name (RDN) Recommendations for managing user accounts. Students will learn how to: Create domain user accounts. Modify user account properties, including changing logon and password settings in the user account. Rename a user account. Reset a user account password and unlock the account. Enable and disable an account. Configuring Windows Server 2008 Active Directory Objectives 401. Automate creation of Active Directory accounts. 402. Maintain Active Directory accounts. Lecture Focus Questions: How is a domain user account different from a local user account? What is the purpose of a contact object? How is it similar and different from a user account? What is the difference between a disabled, locked out, or expired user account? What is the best way to handle a user s account when an employee quits the company and will be replaced by a new employee in the near future? What are the recommendations for using a template user account? What properties of a user account do not get duplicated when you copy the user? 12

Video/Demo 1.2.1 User Accounts 7:37 1.2.3 Creating User Accounts 3:14 1.2.4 Managing User Account Properties 13:20 1.2.5 Managing User Accounts with PowerShell 7:55 Total 32:06 Lab/Activity Create User Accounts Manage User Accounts Number of Exam Questions 13 questions Total About 60 minutes 13

Section 1.3: Computer Accounts This section explores using computer accounts to identify network computers. Details include: Methods to perform the processes that are required to identify a specific computer: o Manual join o Prestage accounts o Offline domain join Facts about computer accounts and joining a domain. Facts about computer passwords that are automatically-generated when a computer joins the domain. Students will learn how to: Create computer accounts and manage computer account properties. Configuring Windows Server 2008 Active Directory Objectives 402. Maintain Active Directory accounts. Lecture Focus Questions: What can the administrator do to allow a user to join a computer to a domain during installation? How can you control where a computer account is placed when it joins a domain? What are the things to consider if a computer account has been created on a domain but doesn t seem to be able to join the domain? What must you do after resetting a computer account? Video/Demo 1.3.1 Creating Computer Accounts 3:05 1.3.2 Offline Domain Join 4:07 1.3.3 Using Offline Domain Join 4:40 Total 11:52 14

Lab/Activity Create Computer Accounts Number of Exam Questions 8 questions Total About 30 minutes 15

Section 1.4: Service Accounts This section discusses how service accounts are used to interact with operating systems. Categories of service accounts include: o Built-in local user account o Domain user account o Managed service account o Virtual account Configuring Windows Server 2008 Active Directory Objectives 402. Maintain Active Directory accounts. Lecture Focus Questions: What are the differences between a managed service account and a virtual service account? Which operating system is required to manage a service with a managed service account? Which Windows PowerShell cmdlet will create a new managed service account? If you have a domain controller running Windows Server 2003, how can you still use a virtual account? Video/Demo 1.4.1 Service Accounts 3:55 1.4.2 Creating Service Accounts 4:39 Total 8:34 Number of Exam Questions 2 questions Total About 15 minutes 16

Section 1.5: Groups In this section students will learn about using groups to organize user accounts, computer accounts, and other group accounts into manageable units to simplify network maintenance and administration. Details include Security group scopes o Global o Domain Local o Universal Types of groups: o Security o Distribution Facts about managing groups: o Best practices for user and group security o Converting the group s security and or type o Methods to add or remove members of a group o Deleting and recovering a group Default local groups: o Administrators o Backup Operators o Users o Power Users o Guests Default domain groups that are created in the Builtin folder: o Administrators o Server Operators o Backup Operators o Account Operators o Guests o Network Configuration Operators o Print Operators o Users Domain groups created in the User folder in Active Directory: o Domain Admins o Domain Computers o Domain Controllers o Domain Guests o Domain Users o Enterprise Admins o Schema Admins o Read-only Domain Controllers o DHCP Administrators o Cert Publishers 17

Students will learn how to: Create security and distribution groups. Add members to groups. Change the group type or scope. Configuring Windows Server 2008 Active Directory Objectives 401. Automate creation of Active Directory accounts. 402. Maintain Active Directory accounts. Lecture Focus Questions: What are the advantages of using groups when setting permissions? What is the difference between a security group and a distribution group? What type of objects can be made members of a universal group? A domain local group? What happens to user accounts when a group is deleted? Video/Demo 1.5.1 Groups 13:35 1.5.2 Managing Groups 4:20 Total 17:55 Lab/Activity Create Global Groups Create a Distribution Group Change the Group Scope Number of Exam Questions 4 questions Total About 45 minutes 18

Section 1.6: Group Strategy This section discusses strategies for assigning members to groups. Details include: Approaches to managing user, groups, and permissions: o AGDLP o AGUDLP o ALP When and how to use universal groups Students will learn how to: Implement a group strategy following Microsoft's recommendations for group membership and nesting. Configuring Windows Server 2008 Active Directory Objectives 402. Maintain Active Directory accounts. Lecture Focus Questions: Based on Microsoft's recommendations, which group scope is added to the ACL for an object and assigned the permissions? Based on Microsoft's recommendations, which group scope type would you use to add user accounts as members? When is it appropriate to use universal groups? In which scenarios are they unnecessary? Video/Demo 1.6.1 Group Strategy 2:47 1.6.2 Implementing AGDLP 2:29 Total 5:16 Lab/Activity Implement a Group Strategy 1 Implement a Group Strategy 2 19

Number of Exam Questions 6 questions Total About 25 minutes 20

Section 1.7: Object Management Tools This section examines using the following tools to manage Active Directory objects: Active Directory Users and Computers ADSI Edit Command Prompt Csvde command Ldifde command PowerShell Visual Basic scripts (VBscripts) Ldp utility Active Directory Migration Tool (ADMT) Active Directory Administrative Center Active Directory Web Services (ADWS) Active Directory Management Gateway Configuring Windows Server 2008 Active Directory Objectives 401. Automate creation of Active Directory accounts. Lecture Focus Questions: What tools are available when managing Active Directory objects on a Server Core installation? When would you use ADSI Edit to manage objects instead of Active Directory Users and Computers? When would you choose Csvde over Ldifde when managing objects? What are cmdlets and how can they manage Active Directory objects? How can you provide the same functionality as Active Directory Web Services (ADWS) on a Windows Server 2003 domain controller? 21

Video/Demo 1.7.1 Object Management Tools 3:52 1.7.2 Using Administrative Center 6:58 1.7.3 Using PowerShell 5:31 1.7.4 Web Service and Management Gateway 5:44 Total 22:05 Number of Exam Questions 9 questions Total About 35 minutes 22

Section 2.1: DNS Concepts This section examines using the DNS database to map logical host names to IP addresses. Concepts discussed include the: The role of the DNS server Components of the DNS hierarchy Fully qualified domain name (FQDN) DNS is a distributed database The role of a forward lookup and a reverse lookup Record types in the zone database: o A record o PTR record o CNAME record o SRV record The role of Dynamic DNS (DDNS) The process for a client computer to find the IP address for a host name The process when a DNS server receives a name resolution request from a client The role of a caching-only DNS server Configuring Windows Server 2008 Active Directory Objectives 101. Configure zones. Lecture Focus Questions: What is the purpose of DNS? How does an FQDN identify a host? What is the difference between a forward lookup zone and a reverse lookup zone? What is the purpose of PTR records? How does DDNS simplify DNS management? What is the difference between forwarding and recursion? Video/Demo 2.1.1 DNS Concepts 9:41 Total About 15 minutes 23

Section 2.2: Installation This section provides fundamental facts about installing DNS in Windows Server 2008. Concepts include: To install DNS you must be a member of the Domain Admins group Install DNS on all Windows Server 2008 versions except for the Windows Server 2008 Web Server edition. Tools to install DNS on a server: o Use Server Manager and add the DNS roll o At a command prompt use start /w ocsetup DNS-Server-Core- Role to add the DNS role o Use the oclist command to view a list of services installed on a server Manage DNS using DNS snap-in or the dnscmd command Students will learn how to: Add the DNS server role to a server. Lecture Focus Questions: Which Windows Server 2008 versions do not support the DNS server role? How should the DNS server get its IP address? How do you install DNS on a Server Core system? Video/Demo 2.2.1 DNS Installation 1:42 2.2.2 Installing DNS 2:08 Total 3:50 Total About 5 minutes 24

Section 2.3: Zones This section discusses the roles of DNS zones and configuring different types of zones. Concepts discussed include the: Types of DNS zones: o Primary o Secondary o Active Directory-integrated o Stub o GlobalNames Classifications of zones: o Forward lookup zone o Reverse lookup zone Details about Active Directory-integrated zones Replication scopes: o All domain controllers in this domain o All DNS servers in this domain o All DNS servers in this forest o Application partition IP versions: o IPv4 o IPv6 Students will learn how to: Create primary, secondary, and reverse lookup zones. Create an Active Directory-integrated zone and configure the replication scope. Configuring Windows Server 2008 Active Directory Objectives 101. Configure zones. 103. Configure zone transfers and replication. Lecture Focus Questions: How is an Active Directory-integrated zone different from a primary zone? What type of zone would you create if you wanted to use secure dynamic updates? What is the impact on network traffic of the All domain controllers in this domain versus the All DNS servers in this forest replication scope? What type of name resolution is performed by reverse lookup zones? 25

What is the zone name format for the reverse lookup network of 1375:2614:DDAB:EE21? Video/Demo 2.3.1 Zones 6:04 2.3.3 Configuring Zones 6:44 Total 12:48 Lab/Activity Create a Primary Zone Create a Secondary Zone Create an Active Directory-integrated Zone Create a Reverse Lookup Zone Number of Exam Questions 9 questions Total About 50 minutes 26

Section 2.4: Resource Records This section presents information about resource records. Details include: Common resource records: o SOA (Start of Authority) o NS (name server) o A (host address) o AAAA (quad-a) o MX (Mail Exchanger) o CNAME (canonial name) o DNAME (Domain Alias) o SRV (service locator) o PTR (pointer) o WINS and WINS-R resource records The role of Dynamic DNS (DDNS) The default configuration for Dynamic DNS Students will learn how to: Create common resource records. Configuring Windows Server 2008 Active Directory Objectives 101. Configure zones. 103. Configure zone transfers and replication. Lecture Focus Questions: What information does an SOA record contain? What is the difference between an A and a quad-a record? How is the DNAME record similar to a CNAME record? How does Windows Server 2008 handle the creation of SRV records? How does the use of DDNS facilitate record management? What is the difference in the default state of dynamic updates between primary and Active Directory-integrated zones? 27

Video/Demo 2.4.1 DNS Records 3:22 2.4.4 Creating DNS Records 4:47 Total 8:09 Lab/Activity Create a Zone and Add Records Create A and CNAME Records Number of Exam Questions 3 questions Total About 25 minutes 28

Section 2.5: Zone Transfers This section examines the function of zone transfers in the replication of zone data between primary and secondary zones. Details include: The role of a: o Master server o Zone serial number o Full zone transfer (AXFR) o Partial (or incremental) zone transfer (IXFR) o DNS Notify DNS console actions to refresh zone data manually o Reload o Transfer from Master o Reload from Master Students will learn how to: Add authoritative name servers. Restrict zone transfers to name servers or specific servers only. Modify zone properties and enable or disable zone transfers. Configuring Windows Server 2008 Active Directory Objectives 103. Configure zone transfers and replication. Lecture Focus Questions: How is secondary zone data changed? What is the significance of the serial number during zone transfers? What is the difference between AXFR and IXFR zone transfers? What are the methods for restricting zone transfers? What happens if the serial number is greater on the secondary server? How can you use multiple DNS servers to improve DNS performance? What is the difference between a reload and a reload from master operation? 29

Video/Demo 2.5.1 Zone Transfers 2:11 2.5.2 Configuring Zone Transfers 4:15 Total 6:25 Lab/Activity Allow Zone Transfers to Name Servers Allow Zone Transfers to Listed Servers Disable Zone Transfers Number of Exam Questions 11 questions Total About 35 minutes 30

Section 2.6: Advanced Zone Configuration In this section students will explore information about configuration of advanced zones. This includes information about a: The role of a forwarder Methods to control the server s use of forwarders: o Secondary zone o Stub zone o Conditional forwarder o Disable recursion The role of zone delegation The role of a GlobalNames zone Students will learn how to: Create a stub zone. Configure forwarders and conditional forwarding. Create delegated zones. Configuring Windows Server 2008 Active Directory Objectives 101. Configure zones. 102. Configure DNS server settings. Lecture Focus Questions: How does a stub zone differ from a secondary zone? How does conditional forwarding differ from standard forwarding? How is a stub zone dynamic? What records are copied to the zone when you create a stub zone? Why isn't a stub zone authoritative for the zone? Why might you decide to implement zone delegation? What records does the delegation contain? When can you use the GlobalNames zone to replace WINS servers on your network? When should you continue to use a WINS server? Video/Demo 2.6.4 Delegating Zones 4:13 31

Lab/Activity Configure a Stub Zone Configure Conditional Forwarding Delegate Zones Create a Delegated Zone Number of Exam Questions 15 questions Total About 45 minutes 32

Section 2.7: Root Hints This section discusses how root hints are used to point to top level DNS servers on the Internet. This includes facts about: The function of the Cache.dns file The location of the Cache.dns file Configuring the root hints The role of a root zone server Students will learn how to: Configure or delete a root zone. Configure other DNS servers to point to your server via root hints. Configuring Windows Server 2008 Active Directory Objectives 102. Configure DNS server settings. Lecture Focus Questions: Why would you want to create a zone named. (dot)? What is the purpose of the root hints file? Why would you delete the root hints? What is the name and location(s) of the root hints file on a Windows 2008 server? Video/Demo 2.7.1 Root Hints 1:47 2.7.2 Configuring Root Hints 1:23 Total 3:10 Lab/Activity Configure Root Hints 33

Number of Exam Questions 3 questions Total About 10 minutes 34

Section 2.8: Round Robin This section examines facts about using DNS round robin for load balancing to share and distribute network resource loads. Students will learn how to: Configure DNS round robin. Configuring Windows Server 2008 Active Directory Objectives 102. Configure DNS server settings. Lecture Focus Questions: Why do round robin servers use different IP addresses? What type of resource record do you create in the DNS database when using round robin? Why does round robin provide load balancing but not fault tolerance? Video/Demo 2.8.1 DNS Round Robin 1:07 2.8.2 Configuring Round Robin 1:07 Total 2:14 Lab/Activity Configure DNS Round Robin Number of Exam Questions 1 question Total About 10 minutes 35

Section 2.9: Directory Partitions This section discusses the role and use of application directory partitions. Configuring Windows Server 2008 Active Directory Objectives 103. Configure zone transfers and replication. Lecture Focus Questions: How do application directory partitions control the scope of replication? Which group memberships allow users to create application directory partitions manually? What tool would you use to create an application directory partition? Video/Demo 2.9.1 Directory Partitions 1:32 Number of Exam Questions 3 questions Total About 5 minutes 36

Section 2.10: DNS Features This section examines the following new Windows Server 2008 DNS features: Background zone loading Read-only Domain Controller (RODC) IPv6 DNS Support Domain controller search (DC Locator) Link-Local Multicast Name Resolution (LLMNR) GlobalNames Zone Global Query Block List Conditional Forwarding DNSSEC Support Controlling aging and scavenging Configuring debug logging Configuring Windows Server 2008 Active Directory Objectives 101. Configure zones. Lecture Focus Questions: How does background loading have a positive effect on name resolution? How do stale records affect DNS server performance? When is a DNS record considered stale? How does the no-refresh interval affect scavenging? When should you activate debug logging? For what period of time? Number of Exam Questions 5 questions Total About 10 minutes 37

Section 3.1: Preparation In this section students will learn facts about preparing to install Windows Server 2008 and Windows Server 2008 R2. Details will include: Tools to prepare forest and domain support for Windows Server 2008: o Adprep /forestprep o Adprep /domainprep o Adprep /rodcprep Installation scenarios when installing Active Directory Domain Services (AD DS) for Windows Server 2008 or Windows Server 2008 R2: o Installing a new Windows Server 2008 or Windows Server 2008 R2 Forest o Installing a new Windows Server 2008 or Windows Server 2008R2 domain controller to create a new domain in existing Windows 2000 Server or Windows Server 2003 forest o Installing a new Windows Server 2008 or Windows Server 2008 R2 domain controller in an existing Windows 2000 Server or Windows Server 2003 domain Students will learn how to: Prepare an existing forest and domain for installation of a Windows Server 2008 domain controller. Configuring Windows Server 2008 Active Directory Objectives 201. Configure a forest or a domain. 303. Configure the read-only domain controller (RODC). Lecture Focus Questions: Which forest and domain functional levels are required before installing a Windows Server 2008 domain controller? When do you use the adprep /domainprep /gpprep command instead of the adprep /domainprep command? On which domain controller should you run the adprep /domainprep command? What command would you run to prepare for installing a read-only domain controller (RODC)? 38

Video/Demo 3.1.1 Installation Requirements 1:54 3.1.2 Schema Preparation 3:53 3.1.3 Extending the Schema 8:55 Total 14:42 Number of Exam Questions 3 questions Total About 25 minutes 39

Section 3.2: Installation This section discusses installing Active Directory Domain Services. The following concepts are covered: Requirements for installing Active Directory Domain Services (AD DS) Methods to install Active Directory Domain Services: o Active Directory Domain Services Installation Wizard o Command line dcpromo command o Answer file o AD DS installation from media Basics about installing a RODC Details about using an answer file: o Parameters o Key answer file settings Methods to verify an AD DS installation o Determine whether a Server object has child objects o Check the status of the shared SYSVOL o Verify domain membership for a new domain controller o Verify communication with other domain controllers o Verify replication with other domain controllers Students will learn how to: Install a new domain controller using GUI and command-line tools. Configuring Windows Server 2008 Active Directory Objectives 201. Configure a forest or a domain. Lecture Focus Questions: What is the difference between a forest and a tree? How does an installation from media reduce network traffic? What tools can you use to create the installation media for installing a domain controller? How can you easily create an answer file for use with Dcpromo? When using an answer file for domain controller installation, what is the difference between a new domain and a replica? How can you verify that Active Directory is installed? 40

Video/Demo 3.2.1 AD DS Installation 5:40 3.2.2 Installing AD DS 8:30 3.2.3 Creating an Answer File 4:14 Total 18:24 Number of Exam Questions 3 questions Total About 35 minutes 41

Section 3.3: Removal This section provides information about removing a domain controller. Concepts covered include: Tools to remove a domain controller Actions to take for specific uninstall scenarios: o Removing a domain controller from a domain o Removing the last domain controller from a domain o Removing the last domain controller from a forest o Forcing a removal of a domain controller Actions to uninstall binary files Students will learn how to: Uninstall a domain controller and remove Active Directory binaries. Force removal of Active Directory from a domain controller. Configuring Windows Server 2008 Active Directory Objectives 201. Configure a forest or a domain. Lecture Focus Questions: What does the IsLastDCInDomain parameter in an answer file do? When should you forcefully remove a domain controller? What should you try before doing so? What are the results of removing the last domain controller from a domain? How do you remove the Active Directory binaries from a system? Video/Demo 3.3.1 AD DS Removal 3:46 3.3.2 Removing AD DS 2:11 Total 5:57 42

Number of Exam Questions 4 questions Total About 15 minutes 43

Section 4.1: Functional Levels In this section students will learn about domain and forest functional levels. Facts that are discussed include: The role of functional levels Features that are available for each of the different domain functional levels Features that are available for each of the different forest functional levels Guidelines to management of functional levels o Set the domain and forest functional levels to the highest value the environment can support o In most cases, you cannot reverse the operation of raising the functional level, two exceptions are presented. Guidelines to raising the domain and forest functional levels Circumstances that might prevent you from raising the functional level to Windows Server 2008 or Windows Server 2008 R2 Students will learn how to: Identify the current domain and forest functional levels. Raise the functional levels of domains and forests. Configuring Windows Server 2008 Active Directory Objectives 201. Configure a forest or a domain. Lecture Focus Questions: Which functional level is required to enable selective authentication? What forest functional level(s) let you rename domains? What features do you get by enabling a Windows Server 2008 functional level? When would you raise the domain functional level? What are the domain controller operating system requirements for raising a domain functional level to Windows Server 2008? 44

Video/Demo 4.1.1 Functional Levels 2:50 4.1.3 Configuring Functional Levels 3:41 Total 6:31 Lab/Activity Raise Functional Levels Raise the Domain and/or Forest Levels Number of Exam Questions 3 questions Total About 25 minutes 45

Section 4.2: Sites and Subnets This section covers how Active Directory uses sites and subnets to optimize and customize replication traffic. The following concepts are covered: Objects that Active Directory uses to represent the physical structure of the network and control replication traffic: o Subnet o Site o Site link o Site link bridge o Bridgehead server o Connection Sites and Services distinguishes between two types of replication: o Intrasite o Intersite Replication uses the following types of transport protocols: o Directory Services Remote Procedure Call (DS-RPC) o Inter-Site Messaging Simple Mail Transfer Protocol (ISM-SMTP) Intrasite replication occurs between domain controllers within a site Intersite replication occurs between bridgehead servers between sites. Steps you can take when managing intersite replication include: o Preferred bridgehead server o Replication schedule o Replication frequency o Site link cost o Bridged site replication o Forced replication Using the Distributed File System (DFS) engine to replicate the contents of the SYSVOL folder Students will learn how to: Create sites and subnets. Move servers into sites. Create site links and configure site link properties to customize replication. Customize intersite and intrasite replication frequencies and schedules. Designate preferred bridgehead servers. Configuring Windows Server 2008 Active Directory Objectives 203. Configure sites. 204. Configure Active Directory replication. 46

Lecture Focus Questions: What is the purpose of a site link? What is the purpose of a site link bridge? Why would you typically not create a connection object? What are the differences between intrasite and intersite replication? What does a site link cost do? When would you use the SMTP protocol for replication? What is the function of the bridgehead server? How is a preferred bridgehead server determined? Video/Demo 4.2.1 Sites and Subnets 9:04 4.2.2 Replication 2:08 4.2.4 Configuring Sites and Subnets 8:01 Total 19:13 Lab/Activity Manage Sites and Subnets Configure Intersite Replication Configure Intrasite Replication Number of Exam Questions 18 questions Total About 65 minutes 47

Section 4.3: Global Catalog Servers This section discusses using global catalog servers. The following concepts are discussed: The role of the Global Catalog (GC) The role of the Universal Group Membership Caching (UGMC) When to select a Global Catalog server or Universal Group Membership Caching Details about Lightweight Directory Access Protocol (LDAP) Students will learn how to: Add or remove the global catalog from a domain controller. Enable Universal Group Membership Caching for a site. Configuring Windows Server 2008 Active Directory Objectives 205. Configure the global catalog. Lecture Focus Questions: What are the advantages of having more than one Global Catalog server? Why does a single domain network not need a Global Catalog server? What is the function of Universal Group Membership caching? When should Universal Group Membership caching be implemented? When would you use global catalog servers instead? Video/Demo 4.3.1 Global Catalog Servers 3:56 4.3.2 Managing Global Catalog Servers 1:39 Total 5:35 Lab/Activity Configure Global Catalog Servers Enable Universal Group Membership Caching 48

Number of Exam Questions 10 questions Total About 30 minutes 49

Section 4.4: Operations Master Roles In this section students will learn the functions of operations master roles. Students will learn about the following: Operation master roles at the forest levels: o Schema Master o Domain Naming Master Operation master roles at the domain levels: o Relative ID (RID) Master o Primary Domain Controller (PDC) Emulator o Infrastructure Master Students will learn how to: Transfer operation master roles among domain controllers. Troubleshoot operation master roles to diagnose network problems. Seize an operation master role in the case of a failed role operations master. Configuring Windows Server 2008 Active Directory Objectives 206. Configure operations masters. Lecture Focus Questions: What is the purpose of an operation master role server? What is the function of a PDC emulator? What does the infrastructure master do? Which operations master roles are located at the forest level? How many of these roles are there in a forest? How many domain operations masters are in a forest? You are installing a new domain controller in a new domain in an existing forest. How many operation master roles will that server hold? What might happen if the RID master becomes unavailable? Which role(s) should be placed on a global catalog server? Which roles should not? What is the difference between transferring a role and seizing a role? 50

Video/Demo 4.4.1 Operations Master Roles 10:12 4.4.3 Configuring Operations Master Roles 10:48 Total 21:00 Lab/Activity Transfer RID and PDC Masters Transfer the Infrastructure Master Troubleshoot Operations Masters Number of Exam Questions 9 questions Total About 55 minutes 51

Section 4.5: Trusts This section provides the basics of using trusts to establish mutual authentication, communication, and access to resources between domains. Students will learn: Properties of a trust: o Direction of trust o Direction of resource access o Transitivity Types of trusts: o Parent/child o Tree root o External o Realm o Forest o Shortcut Facts about configuring trusts Authentication security settings that can be applied to trust: o Selective authentication o Domain-wide authentication o Forest-wide authentication The role of the Security Identifier (SID) o SID filter quarantining o Configuring SID filters Students will learn how to: Create external, shortcut, and forest root trusts. Configuring Windows Server 2008 Active Directory Objectives 202. Configure trusts. Lecture Focus Questions: What is the difference between a one-way trust and a two-way trust? Domain A trusts domain B. Users in which domain will be able to access resources in which domain? What is the relationship between the direction of trust and the direction of access? What is a transitive trust? Which trust types are transitive by default? When are trusts created automatically? What are the properties of those trusts? 52

When should you use a shortcut trust? What are the domain and forest functional level requirements for creating a forest root trust? What type of trust would you use if you couldn't create a forest root trust? Video/Demo 4.5.1 Trusts 4:00 4.5.4 Configuring Trusts 6:32 Total 10:32 Lab/Activity Create a Shortcut Trust Create External Trusts Create a Forest Root Trust Design Trusts Number of Exam Questions 12 questions Total About 50 minutes 53

Section 5.1: RODC Concepts This section discusses using a read-only domain controller (RODC) for a domain that hosts read-only partitions of the Active Directory database. The following RODC s features are discussed: Administrator role separation Unidirectional replication Read-only data Password replication DNS Server service Configuring Windows Server 2008 Active Directory Objectives 303. Configure the read-only domain controller (RODC). Lecture Focus Questions: What is the purpose of administrator role separation? How does unidirectional replication protect your network? How does using an RODC allow for domain logon in the event of a WAN link failure? How do DNS zones work differently on an RODC? Video/Demo 5.1.1 RODC Concepts 5:05 Number of Exam Questions 2 questions About 10 minutes 54

Section 5.2: RODC Installation This section explores the following details about RODC installation: Requirements to install RODCs in a domain Details about deploying an RODC General steps to install a RODC Additional facts about an RODC installation Performing a staged installation of an RODC o First stage o Second stage Students will learn how to: Pre-create RODC accounts in Active Directory. Install an RODC. Configuring Windows Server 2008 Active Directory Objectives 303. Configure the read-only domain controller (RODC). Lecture Focus Questions: What are the domain and forest functional level requirements for installing an RODC? What operating system versions must run on the PDC emulator? What permissions do you need to install an RODC? What are two ways to replicate the installation source files to the RODC? How does BitLocker increase the security of an RODC? Video/Demo 5.2.1 RODC Installation 3:03 5.2.2 Installing RODC 5:51 Total 8:54 Lab/Activity Create RODC Accounts 55

Number of Exam Questions 3 questions Total About 20 minutes 56

Section 5.3: RODC Administration This section examines the following facts about the administration of RODCs: The role of a password replication policy New built-in groups for Windows Server 2008 AD to support password replication: o Allowed RODC Password Replication Group o Denied RODC Password Replication Group Details about password replication policies Administrative models to manage password replication policies: No accounts cached Most accounts cached Few accounts cached Managing RODC password replication with Windows Power Shell Considerations to implement to increase the security of a RODC: o Administrator role separation o BitLocker o Read-only SYSVOL Students will learn how to: Configure password caching and replication for an RODC. Configuring Windows Server 2008 Active Directory Objectives 303. Configure the read-only domain controller (RODC). Lecture Focus Questions: How does password replication make user logons more efficient? What advantages are there to allowing password caching? When would you want to prevent password caching? Why does the Denied RODC Password Replication group contain default members? What are two ways you can allow a user password to be cached on an RODC? Which security feature would encrypt operating system files, swap files, hibernation files, and all user files on an RODC? 57

Video/Demo 5.3.1 Administering Password Caching 3:10 5.3.4 BitLocker 4:54 Total 8:04 Lab/Activity Edit the Password Replication Policy Number of Exam Questions 6 questions Total About 25 minutes 58

Section 5.4: RODC Removal This section provides information about removing the RODC account in the event of a security breach. Three possible choices are presented on how to handle the passwords under these circumstances. Students will learn how to: Delete an RODC from your site. Generate a list of passwords cached on an RODC. Configuring Windows Server 2008 Active Directory Objectives 303. Configure the read-only domain controller (RODC). Lecture Focus Questions: What is the effect of resetting computer account passwords cached on the RODC? Why would you want a list of the accounts cached on the RODC? Why is it necessary to reset the user account passwords on a stolen RODC? Video/Demo 5.4.1 RODC Removal 1:25 5.4.2 Removing RODC 2:46 Total 4:11 Number of Exam Questions 1 question Total About 5 minutes 59

Section 6.1: Group Policy This section provides an overview of Group Policy. Details include: GPO categories: o Computer configuration o User configuration Windows Server 2008 Group Policy enhancements: o ADMX and ADML files o Network Location Awareness o Group Policy preferences The role of Administrative Templates The role of starter GPOs The role of Group Policy preferences A comparison of Group Policy preferences vs. Group Policy settings Group Policy preferences described: o Drive maps o Environment o Files Folders o Ini Files o Network share o Registry o Shortcuts o Devices o Folder options o Internet settings o Local users and groups o Network connections o Power options o Printers o Regional opt ions o Scheduled tasks o Services o Start menu Students will learn how to: Enable the central Administrative Templates store and create a starter GPO. Configuring Windows Server 2008 Active Directory Objectives 403. Create and apply Group Policy objects (GPOs). 60

Lecture Focus Questions: What is the difference between policies set in computer configuration and policies set in user configuration? How does network location awareness enhance Group Policy? How does inheritance affect Group Policy settings? To which Active Directory objects can GPOs be linked? What are the advantages of the.admx file format? What is the Administrative Template central store? What advantages do you gain by enabling the central store? Video/Demo 6.1.1 Group Policy 5:04 6.1.3 Group Policy Settings 6:16 6.1.4 Configuring Starter GPOs 4:30 6.1.7 Configuring Preferences 11:39 Total 27:29 Lab/Activity Create a Starter GPO Number of Exam Questions 6 questions Total About 50 minutes 61

Section 6.2: GPO Management In this section students will learn concepts about management of GPOs. Details about managing Group Policy objects Details about configuring specific GPO settings Using Gpupdate to manually refresh group policy settings Methods to create a GPO with the same settings as an existing GPO: o Copy o Backup and import o Starter GPO The role of Group Policy cmdlets: o New-GPO o Copy-GPO o Get-GPO o Backup-GPO o Remove-GPO o Restore-GPO o Import-GPO o New-GPLink o Set-GPLink o Remove-GPLink o New-GPStarterGPO Common GPO setting categories: o Account Policies o Local Policies/Audit Policy o Local Policies/User Rights Assignment o Local Policies/Security Options o Event Log o Restricted Groups o System Services o Registry o File System o Wireless Network o Public Key Policies o Software Restriction Policies Students will learn how to: Create and link GPOs. Edit GPOs settings. Enable or disable computer or user portions in a GPO. 62

Configuring Windows Server 2008 Active Directory Objectives 403. Create and apply Group Policy objects (GPOs). Lecture Focus Questions: What is the difference between a user right and a security option? What is the difference between using a starter GPO and copying an existing GPO? What is the difference between deleting a GPO and deleting a GPO link? What is an undefined GPO setting? How does this affect the effective settings for a user or computer? When are computer configuration settings applied? When are user configuration settings applied? How can you copy a GPO from one domain to another? How can you copy starter GPOs? What is the difference between restore and import when working with GPO backups? Video/Demo 6.2.1 Managing GPOs 12:44 6.2.2 Managing GPOs with PowerShell 8:44 6.2.3 Linking and Enforcing GPOs 5:35 Total 27:03 Lab/Activity Configure User Rights Configure Security Options Configure Restricted Groups Modify GPO Links Number of Exam Questions 10 questions Total About 65 minutes 63

Section 6.3: GPO Application This section discusses the order in which GPOs are applied. The following concepts are presented: GPO inheritance Methods to customize how GPO settings are applied: o Block inheritance o GPO permissions o WMI filtering o Loopback processing Students will learn how to: Link GPOs to appropriate objects to take advantage of inheritance. Customize Group Policy application using block inheritance and no override. Use GPO permissions to limit the application of GPOs. Configure WMI filters and loopback processing. Configuring Windows Server 2008 Active Directory Objectives 403. Create and apply Group Policy objects (GPOs). Lecture Focus Questions: If a setting is configured in a GPO linked to the domain and a GPO linked to an OU, which setting will be in effect? If there is more than one group policy linked to a domain, what controls the order of application? How is the Block Inheritance setting affected by the No Override setting? How can you apply Group Policy settings to specific users or groups? How can you apply Group Policy settings to specific computers? How does loopback processing affect computer settings? 64