6425C ENU Companion PDF
6425C
Configuring and Troubleshooting Windows
Server® 2008 Active Directory® Domain
Services
Companion Content
2 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Released: 05/2011
Module 1
Introducing Active Directory® Domain Services
Contents:
Lesson 1: Overview of Active Directory, Identity, and Access 8
Lesson 1
Overview of Active Directory, Identity, and Access
Contents:
Additional Reading 9
Additional Reading
Information Protection
• Microsoft Identity and Access Solutions
Authorization
• Logon and Authentication Technologies
Lesson 2
Active Directory Components and Concepts
Contents:
Detailed Demonstration Steps 11
Additional Reading 12
2. Open D:\AdminTools\ADConsole.msc. Expand Active Directory, and then expand Active Directory
Schema.
3. Review the Attributes container. Attributes are definitions of a property and of its behavior. While
scrolling through attributes, notice a couple of attributes whose purpose (if not name) is familiar.
Open the Properties of each.
• objectSID
• sAMAccountName. Most admins call this the "user name". Its Properties show the syntax, that is, the
data type of the attribute (a string, in this case).
• unicodePwd
• member. Attributes can be multivalued. When used with a group, it is the list of one or more
members.
• description
4. Open the Classes container. While scrolling through, review the already familiar object classes,
including user, computer, and group. Object classes are created by referring to attributes in the
“pool” of attributes that you just saw.
5. Open the group object class and demonstrate that it refers to the member attribute.
Additional Reading
Active Directory Data Store
• You will learn more about the partitions of Active Directory and about SYSVOL throughout this
course. DNS is a focus of Module 11, and the PAS is examined in detail in Module 13. The contents of
SYSVOL are explored in Module 6 and the objects stored in the Configuration are covered in
Module 13. The objects in the Domain partition are covered in Modules 3-6 and database
maintenance and administration tasks are detailed in Modules 10 and 14.
Domain Controllers
• Domain Controllers are discussed throughout this course, but Modules 11 and 12 are focused
specifically on domain controller administration and placement. Module 10 discusses RODCs.
Organizational Units
• Modules 6 and 8 of this course examine the purpose, management, and design of organizational
units.
Domain
• You will learn more about domains throughout this course, and Module 15 focuses on the design
considerations related to how many domains you should have in your enterprise.
Forest
• The concepts and design of a multidomain forest are discussed in Module 15.
Tree
• The concepts and design of a multidomain forest are discussed in Module 15.
Replication
• Active Directory Replication is detailed in Module 12. SYSVOL replication is discussed in Module 10.
Sites
• Active Directory site and subnet objects are the focus of Module 13.
Global Catalog
• The global catalog is explored in detail in Module 12.
Functional Levels
• Functional levels are detailed in Module 15.
Trust Relationships
• Trust relationships are discussed in Module 15.
Lesson 3
Install Active Directory Domain Services
Contents:
Additional Reading 15
Additional Reading
Prepare to Create a New Forest with Windows Server 2008 R2
• This list comprises the settings that you will be prompted to configure when creating a domain
controller. There are a number of additional considerations regarding the deployment of AD DS in an
enterprise setting. See the Windows Server 2008 Technical Library at
http://go.microsoft.com/fwlink/?LinkID=214181 for more information.
Answer: Authentication is the process of presenting credentials from a user to an identity store or an
authentication service. Performing authentication by itself grants no right to access a resource;
authentication only confirms the identity of a user. Authorization, on the other hand, is the process of
granting rights to access a specific resource based on an ACL. Authorization can only proceed after
authentication has been performed.
2. Why is the global catalog important in a multidomain environment?
Answer: Because the domain controllers in your domain will not contain information about objects in
other domains, you must rely on the global catalog, which has the indexed, partial attribute set for all
objects in other domains.
Issue: You cannot start dcpromo.exe.
Resolution: You must first install the AD DS role by using Server Manager.

Issue: You cannot raise the forest to the Windows Server 2008 R2 functional level.
Resolution: Check that all domains in the forest are raised to the Windows Server 2008 R2 functional level.

Tools
Tool: Server Manager
Use to: Add the AD DS role
Where to find it: Administrative Tools
Answer: This console is used to perform some basic administrative tasks, such as changing the time
zone or the computer name.
Answer: You must add the Active Directory Domain Services role.
Answer: The Active Directory Domains and Trusts tool is used to raise the domain functional
level.
Module 2
Administering Active Directory Securely and Efficiently
Contents:
Lesson 1: Work with Active Directory Administration Tools 20
Lesson 1
Work with Active Directory Administration Tools
Contents:
Additional Reading 21
Additional Reading
Active Directory Administration Snap-ins
• Active Directory Domain Services
Lesson 2
Custom Consoles and Least Privilege
Contents:
Detailed Demonstration Steps 23
Additional Reading 25
Log on to NYC-DC1 as Pat.Coleman_Admin, with the password Pa$$w0rd. Open the Run box and run
the following command with administrative credentials: D:\Labfiles\Lab02a\Lab02a_Setup.bat. This
command unregisters the Schema MMC snap-in.
In this demonstration, create a custom MMC console with all four Active Directory management snap-ins.
This demonstration is a preview of an upcoming lab.
1. Click the Start button. In the Search programs and files box, type mmc.exe, and then press ENTER.
Click Yes in the User Account Control dialog box.
An empty MMC console appears. Maximize it.
5. Repeat for Active Directory Sites and Services and Active Directory Domains and Trusts.
6. Notice that the Active Directory Schema snap-in is not available to add. Click OK to close the Add or
Remove Snap-ins dialog box.
7. Register the Schema management snap-in: Open a command prompt as administrator, type
regsvr32.exe schmmgmt.dll, and then press Enter. Click OK. Close the command prompt.
8. Return to the MMC console and click File, and then click Add/Remove Snap-in.
9. Add the Active Directory Schema snap-in.
10. Click OK to close the Add Or Remove Snap-ins dialog box.
11. Click File, click Save, and save the console as C:\AdminTools\ADConsole.msc. Be sure to save the
console to a new folder. In the next demo, you will open the console with a different user account
that will not have access to your Desktop or Document folders.
6. Click Yes.
7. Optionally, open Task Manager and click Show processes from all users. Enter the same
credentials: CONTOSO\Pat.Coleman_Admin; Pa$$w0rd.
The administrator account (Pat.Coleman_Admin) may not have immediate access to the Desktop,
Documents, or other folders that the user account (Pat.Coleman) has access to. If Pat.Coleman (user)
saves the console to a location accessible only to that account, and starts it from there, the moment
the process is elevated to the administrator (Pat.Coleman_Admin) account, it can no longer access the
console.
8. At the end of the demo, log off from NYC-DC1 and log back on as Contoso\Pat.Coleman_Admin,
with the password, Pa$$w0rd.
Additional Reading
Demonstration: Create a Custom MMC Console for Administering Active
Directory
• Add, Remove, and Organize Snap-ins and Extensions in MMC 3.0
Lesson 3
Find Objects in Active Directory
Contents:
Detailed Demonstration Steps 27
Additional Reading 29
Add users to the Instructors group (in the Groups\Role OU) by using the Members tab of the
group.
1. Open Active Directory Users and Computers and then browse to the Groups\Role OU. Open the
Properties of the Instructors security group and perform the following:
2. On the Members tab, click Add. Type linda;joan and click Check Names. This demonstrates a full
first name and partial first name, and that semicolons delimit multiple users.
Add a user to the Instructors group by using the Add To Group command of the user.
2. Right-click Pat Coleman and click Add to a group. Type Instr and click Check Names. This
demonstrates the resolution of a group name. Note that Computers are not included by default. Click OK.
3. Set up the scenario: You want to deploy Microsoft Office Visio® to NYC-CL1. It is licensed per
computer, not per user, so the deployment of Visio should be targeted to a computer object (like
most software). You have a group that represents the computers that should have Visio.
5. On the Members tab, try to add NYC-CL1. Point out that it fails.
6. Try again. This time, click the Object Types button and select Computers.
Note that saved queries can “virtualize” your view of your Active Directory: It doesn't matter where an
object is located (for example, in the Employees, Contractors, or Admin Identities OUs), just that it meets
search criteria.
Create a saved query called Non-Expiring Passwords that returns user objects with passwords that
do not expire.
2. In the New Query dialog box, type Non-Expiring Passwords in the Name box.
3. Click Define Query. Select the Non expiring passwords check box. Click OK twice.
Note that all users in the sample domain are set to non-expiring passwords for the purpose of the course
only.
Create a saved query called Global Catalog servers that returns all Global Catalog Servers in the
domain.
1. In Active Directory Administrative Center, in the left-hand pane, click Global Search.
3. Select the check box next to Computers running as a given domain controller type.
4. Click Add.
5. Click the Any domain controllers link and then choose Global catalogs.
6. Click Search.
Note that any domain controller that is configured as a Global Catalog is displayed.
8. In the text box, type Global Catalog Servers, and then click OK.
9. Click the Queries button to view the saved query.
10. Log off from NYC-DC1 when you are finished the demonstration.
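The same two searches run from the Active Directory module for Windows PowerShell, as an added example that is not part of the course materials. It assumes the module is installed on NYC-DC1 and that you run it as a domain administrator.

```powershell
Import-Module ActiveDirectory

# Equivalent of the "Non-Expiring Passwords" saved query: every user object whose
# password is set not to expire. PasswordLastSet is added so an auditor can see
# how old each of those passwords is.
function Get-NonExpiringPasswordUsers {
    Get-ADUser -Filter { PasswordNeverExpires -eq $true } `
               -Properties PasswordNeverExpires, PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet, DistinguishedName
}

# Equivalent of the "Global Catalog Servers" query from Active Directory
# Administrative Center: every domain controller that hosts a global catalog.
function Get-GlobalCatalogServers {
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
        Select-Object HostName, Site, IPv4Address, IsReadOnly
}

# Like a saved query, both searches are location-independent: a user in the
# Employees, Contractors or Admin Identities OU is returned as long as it matches.
Get-NonExpiringPasswordUsers | Format-Table -AutoSize
Get-GlobalCatalogServers     | Format-Table -AutoSize
```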
Additional Reading
Options for Locating Objects
• Search Active Directory
Lesson 4
Use Windows PowerShell to Administer Active Directory
Contents:
Detailed Demonstration Steps 31
Additional Reading 32
Note: You require the 6425C-NYC-DC1 virtual machine to complete this demonstration.
Log on to the virtual machine as Contoso\Administrator with the password Pa$$w0rd.
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Module
for Windows PowerShell.
new-adorganizationalunit Test1
new-adorganizationalunit Test2
3. To create a new user, type the following (Note: by default, the user is created in the Users
container if no other location is specified. For this demo, the account is created in the New Users OU.):
5. To get a group and view its members, type the following command.
7. To set the password and enable a user account, type the following command.
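A complete run of the demonstration above in the Active Directory module, as an added example rather than the course's own commands. It assumes a New Users OU already exists, reuses the Chris.Mayo account from Module 3 and the ITConsultants group from Module 4, and runs on NYC-DC1 as Contoso\Administrator.

```powershell
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Create the two test organizational units from the demonstration.
New-ADOrganizationalUnit -Name 'Test1' -Path $domainDN
New-ADOrganizationalUnit -Name 'Test2' -Path $domainDN

# Create the user in the New Users OU (assumed to exist) instead of the default
# Users container. No password is supplied yet, so the account is created disabled.
$newUsersOU = "OU=New Users,$domainDN"
New-ADUser -Name 'Chris Mayo' -GivenName 'Chris' -Surname 'Mayo' `
           -SamAccountName 'Chris.Mayo' `
           -UserPrincipalName "Chris.Mayo@$($domain.DNSRoot)" `
           -Path $newUsersOU

# Get a group and view its members. -Recursive expands nested groups, which is
# what you want when checking who effectively holds the group's access.
Get-ADGroup -Identity 'ITConsultants'
Get-ADGroupMember -Identity 'ITConsultants' -Recursive |
    Select-Object Name, SamAccountName, objectClass

# Set an initial password and enable the account. Read-Host -AsSecureString keeps
# the password out of the console history; -Reset sets it without the old value.
$initial = Read-Host -AsSecureString -Prompt 'Initial password for Chris.Mayo'
Set-ADAccountPassword -Identity 'Chris.Mayo' -Reset -NewPassword $initial
Set-ADUser -Identity 'Chris.Mayo' -ChangePasswordAtLogon $true
Enable-ADAccount -Identity 'Chris.Mayo'

# Confirm the result: the account is enabled, has a fresh password, and sits in
# the intended OU.
Get-ADUser -Identity 'Chris.Mayo' -Properties Enabled, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet, DistinguishedName
```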
Additional Reading
Windows PowerShell Cmdlets for Active Directory
• Active Directory Administration with Windows PowerShell
Answer: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory
Domains and Trusts, and Active Directory Schema.
2. Is the Active Directory Administrative Center based upon an MMC?
3. List some of the tasks that can be performed with Windows PowerShell.
Answer:
Tools
Tool: Active Directory Users and Computers
Use to: Manage an Active Directory domain
Where to find it: Administrative Tools

Tool: Active Directory Module for Windows PowerShell
Use to: Manage Active Directory Domain Services by using Windows PowerShell
Answer: Answers will vary. Most students will use Active Directory Users and Computers
regularly, to administer users, computers, and groups.
Question: When you build a custom MMC console for administration in your enterprise,
what snap-ins will you add?
Answer: Answers will vary. The answer will depend on students' job responsibilities and
experience level.
Question: In your work, what scenarios require you to search Active Directory?
Answer: The correct answer will be based on your own experience and situation.
Question: What types of saved queries can you create to help you perform your
administrative tasks more efficiently?
Answer: The correct answer will be based on your own experience and situation.
Module 3
Managing Users and Service Accounts
Contents:
Lesson 1: Create and Administer User Accounts 36
Lesson 1
Create and Administer User Accounts
Contents:
Detailed Demonstration Steps 37
Additional Reading 38
2. Right-click the Employees OU, point to New, and then click User.
6. In the User logon name (pre-Windows 2000) text box, enter the pre-Windows 2000 logon name:
Chris.Mayo.
7. Click Next.
• The default password policy for an Active Directory domain requires a password of seven or more
characters. Additionally, the password must contain three of four character types: uppercase (A-Z),
lowercase (a-z), numeric (0-9), and non-alphanumeric (for example, !@#$%). The password cannot
contain any of the user’s name or logon name attributes.
• Optionally, attempt to create the user account with a password that does not meet the policy, so
that students can see the error that appears.
• In a production environment, you should use a unique, strong password for each user account
that you create.
9. Ensure that User must change password at next logon is selected, and then click Next.
10. Review the summary and click Finish.
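An added help-desk pre-check, not course code, that models the policy exactly as this lesson states it (seven or more characters, three of four character types, no name or logon-name component in the password) so a bad value is caught before the wizard fails. The name-splitting rule approximates the Windows complexity filter, and the sample inputs are constructed.

```powershell
# Pre-check a candidate password against the default domain password policy as
# described in this lesson. Returns an object rather than a bare $true/$false so
# the caller can tell the user which rule was broken.
function Test-CandidatePassword {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $DisplayName
    )
    $problems = @()

    if ($Password.Length -lt 7) {
        $problems += "shorter than 7 characters"
    }

    # Count the character categories present (-cmatch is case-sensitive).
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) {
        $problems += "only $categories of 4 character categories"
    }

    # Name check: the logon name and each part of the display name must not
    # appear in the password, case-insensitively. Parts shorter than three
    # characters are ignored, as the Windows complexity rule does.
    $parts = @($SamAccountName) + @($DisplayName -split '[ ,.\-_#\t]+')
    foreach ($part in $parts) {
        if ($part.Length -ge 3 -and $Password.ToLower().Contains($part.ToLower())) {
            $problems += "contains name component '$part'"
        }
    }

    [pscustomobject]@{
        Password  = ('*' * $Password.Length)   # never echo the candidate itself
        Compliant = ($problems.Count -eq 0)
        Problems  = ($problems -join '; ')
    }
}

# Constructed checks for the account created in this demonstration:
# compliant; fails on name components and category count; fails on length.
Test-CandidatePassword -Password 'Pa$$w0rd'   -SamAccountName 'Chris.Mayo' -DisplayName 'Chris Mayo'
Test-CandidatePassword -Password 'chrismayo1' -SamAccountName 'Chris.Mayo' -DisplayName 'Chris Mayo'
Test-CandidatePassword -Password 'Ab1!'       -SamAccountName 'Chris.Mayo' -DisplayName 'Chris Mayo'
```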
Additional Reading
Create Users with Windows PowerShell
• Creating a user with Windows PowerShell
Name Attributes
• Object Names
Account Attributes
• User Properties - Account Tab
• http://go.microsoft.com/fwlink/?LinkID=214193
Lesson 2
Configure User Object Attributes
Contents:
Detailed Demonstration Steps 40
Additional Reading 42
4. Note that the underscore prefix will put the template at the top of the user list in the OU, making it
easier to find.
7. Click Next.
17. The Multiple Names Found dialog box appears. Select Sales and click OK.
18. Click the Organization tab.
24. In the Account Expires section, click End Of, and then select the last day of the current year.
5. Confirm that the User logon name (pre-Windows 2000) is also Amy.Strande, and click Next.
Additional Reading
Modify User Attributes by Using Windows PowerShell
• Setting a User’s Profile Attributes
Lesson 3
Automate User Account Creation
Contents:
Additional Reading 44
Additional Reading
Export Users with CSVDE
• CSVDE
• LDAP Query Syntax
Lesson 4
Create and Configure Managed Service Accounts
Contents:
Additional Reading 46
Additional Reading
Challenges of Using Standard User Accounts for Services
• What’s New in Service Accounts in Windows Server 2008 and Windows 7
Answer: Answers will vary; however, options include Active Directory Users and Computers, Active
Directory Administrative Center, or the Active Directory Module for Windows PowerShell.
2. Which user account attributes will be important to use within your network environment?
Answer: Answers will vary, but possible answers should be based upon attributes listed in the user
account properties.
Tool: Managed Service Accounts
Use to: Automate password and SPN management for service accounts used by applications and services
Question: What happens when you create a user account that has a password that does not
meet the requirements of the domain?
Answer: The account is created, but it is disabled. It cannot be enabled until a password
that meets the requirements of the domain is configured.
Question: What are the options for modifying the attributes of new and existing users?
Answer: Multiselecting users and opening the Properties dialog box, using the DSMod
command, and creating a user account based on a user account template.
Question: What methods have you learned for modifying attributes of new and existing
users?
Answer: Multiselecting users and opening the Properties dialog box, by using the DSMod
command, and then creating a user account based on a user account template.
Question: What scenarios lend themselves to importing users with CSVDE and LDIFDE?
Answer: If you are importing a large number of users, CSVDE and LDIFDE add significant
value. Also, CSVDE and LDIFDE give you the ability to configure most user attributes, unlike
templates, which support a very limited number of attributes.
Question: You need to obtain a list of all the managed service accounts in the domain.
Which command would you use?
Module 4
Managing Groups
Contents:
Lesson 1: Overview of Groups 50
Lesson 1
Overview of Groups
Contents:
Additional Reading 51
Additional Reading
Role-Based Management: Role Groups and Rule Groups
• For more information about role-based management, see Windows Administration Resource Kit:
Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).
Default Groups
For more information about protected accounts, see:
• Microsoft TechNet provides an exhaustive reference to the default groups in a domain and to the
default local groups.
• For reference information about local and domain groups, go to
• For reference information about default local groups, go to
• Default groups
• Windows Server 2008 Future Resources
Lesson 2
Administer Groups
Contents:
Detailed Demonstration Steps 53
Additional Reading 56
3. Right-click the Role OU, point to New, and then click Group.
4. Type the name of the new group in the Group name box. For the purpose of this demonstration,
type ITConsultants as the name of the group.
Most organizations have naming conventions that specify how group names should be created. Be
sure to follow the guidelines of your organization.
By default, the name you type is also entered as the Group name (pre-Windows® 2000). It is strongly
recommended that you keep the two names the same.
5. Do not change the name in the Group name (pre-Windows 2000) box.
• A Security group is a group that can be given permissions to resources. It can also be configured
as an e-mail distribution list.
• A Global group is typically used to identify users based on criteria such as job function, location,
etc.
• A Domain local group is used to collect users and groups who share similar resource access
needs, such as all users who need to be able to modify a project report.
• A Universal group is typically used to collect users and groups from multiple domains.
For this demo, click Global.
8. Click OK.
Group objects have a number of properties that are useful to configure. These can be specified after the
object has been created.
• Be sure to follow the naming conventions and other standards of your organization.
• The group’s Members and Member Of tabs specify who belongs to the group and what groups
the group itself belongs to.
• The group’s Description field, because it is easily visible in the details pane of the Active
Directory Users and Computers snap-in, is a good place to summarize the purpose of the group
and the contact information for the individual(s) responsible for deciding who is and is not a
member of the group.
• The group’s Notes field can be used to provide more detail about the group.
• The Managed By tab can be used to link to the user or group that is responsible for the group.
The contact information on the Managed By tab is populated from the account specified in the
Name box. The Managed By tab is typically used for contact information so that if a user wants
to join the group, you can decide who in the business should be contacted to authorize the new
member. However, if you select the Manager can update membershipList option, the account
specified in the Name box will be given permission to add and remove members of the group.
This is one method to delegate administrative control over the group.
To change the user or group that is referred to on the Managed By tab, click the Change button
underneath the Name box. By default, the Select User, Contact, or Group dialog box that
appears does not, despite its name, search for groups. To search for groups, you must first click
the Object Types button and select Groups.
3. Click OK.
Change the group scope by using Windows PowerShell with the Active Directory module:
1. Open Windows PowerShell with the Active Directory module from Administrative Tools on the Start
menu. Be sure to open it as administrator.
2. When the command-line environment opens, type the following command, and then press ENTER.
Set-ADGroup -Identity ITConsultants -GroupScope Universal
3. Open the Active Directory Users and Computers console and verify that the group scope has changed
from Global to Universal.
Additional Reading
Demonstration: Create a Group Object
• Create a New Group
Lesson 3
Best Practices for Group Management
Contents:
Additional Reading 58
Additional Reading
Protect Groups from Accidental Deletion
• For more information about recovering deleted groups and their memberships, go to:
Knowledge Base article 840001
Answer: In this situation, you can create a group with domain local scope and assign it permission to
access the printer. Put the Sales user accounts in a group with global scope, and then add this group to
the group having domain local scope. When you want to give the Sales users access to a new printer,
assign the group with domain local scope permission to access the new printer. All members of the group
with global scope automatically receive access to the new printer.
2. You are responsible for managing accounts and access to resources for your group members. A user
in your group transfers into another department within the company. What should you do with the
user’s account?
Answer: Although your company may have an HR representative with AD DS permissions to move user
accounts, the best solution involves having the user account moved into the appropriate OU of the new
department. In this manner, the Group Policies associated with the new department will be enforced. If
applying the correct Group Policies is important, the user’s account should be disabled until somebody
with appropriate security permissions can move it into the new OU.
Issue: Cannot create a group in AD DS.
Resolution: Check that you have the necessary permissions to create group objects.
Answer: Create a new global security group. Add the project members to the group. Create a new OU
outside your department’s OU. Assign full control of the OU to the project manager. Add the global
group to the new OU. Add resources to the OU, such as shared files and printers. Keep track of the
project, and delete the global group when the work finishes. You can keep the OU if another project
requires it. However, you should delete it if there is no immediate need for it.
• Use Universal groups only when necessary because they add weight to replication traffic.
• Use Windows PowerShell with Active Directory Module for batch jobs on groups.
Tools
Tool: Active Directory Users and Computers
Use: Manage groups
Where to find it: Administrative Tools
Answer: Global groups can include as members users and other roles (global groups) from
the same domain.
Question: Describe the purpose of domain local groups in terms of role-based management
of resource access.
Answer: Domain local groups are generally used to define a scope of management, such as
managing a level of access to a resource.
Answer: Domain local groups can contain roles (global groups) and individual users from
any trusted domain in the same forest or an external forest, as well as other domain local
groups in the same domain. Finally, domain local groups can contain universal groups from
anywhere in the forest.
Question: If you have implemented role-based management and are asked to report who
can read the Sales folders, what command would you use to do so?
Answer: Better documented groups are easier to find and understand and are less likely to
be misused for purposes other than their intended purpose.
Question: What are the advantages and disadvantages of delegating group membership?
Answer: Delegating group membership allows IT to get "out of the middle." In most
organizations, when a user needs access to a resource, he or she contacts IT, IT contacts the
business owner to get approval, and then IT adds the user to the groups. Delegating allows
the request to go straight to the business owner, who can then make the change to the
group.
Module 5
Managing Computer Accounts
Contents:
Lesson 1: Create Computers and Join the Domain 63
Lesson 1
Create Computers and Join the Domain
Contents:
Question and Answers 64
Answer: To join a computer to a prestaged account, you must be given permission on the account to join
it to the domain. If the account is not prestaged, the ms-DS-MachineAccountQuota attribute will
determine the number of computers you can join to the domain in the default computer container
without explicit permission.
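An added audit script (not course code) for the quota the answer above describes: it reads ms-DS-MachineAccountQuota from the domain naming context and lists the computer accounts that were joined under that quota rather than to a prestaged account. It assumes the Active Directory module on NYC-DC1 and relies on the mS-DS-CreatorSID attribute, which AD DS populates only on quota-based joins.

```powershell
Import-Module ActiveDirectory

# Read ms-DS-MachineAccountQuota from the domain naming context. It is how many
# computer accounts a user without explicit permission may join to the domain
# (10 by default); setting it to 0 forces every join through a prestaged account.
function Get-MachineAccountQuota {
    $domainDN = (Get-ADDomain).DistinguishedName
    $nc = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
    [int]$nc.'ms-DS-MachineAccountQuota'
}

# Computer accounts joined under the quota, rather than to a prestaged account,
# carry the joining user's SID in mS-DS-CreatorSID. Listing them shows which
# machines entered the domain outside the prestaging process, by whom, and
# whether they are still sitting in the default Computers container.
function Get-QuotaJoinedComputers {
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
        ForEach-Object {
            # The attribute is stored as a binary SID; convert it for display.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }   # creator since deleted: show the raw SID
            [pscustomobject]@{
                Computer    = $_.Name
                Container   = ($_.DistinguishedName -replace '^CN=[^,]+,', '')
                CreatedBy   = $creator
                WhenCreated = $_.whenCreated
            }
        }
}

"ms-DS-MachineAccountQuota = $(Get-MachineAccountQuota)"
Get-QuotaJoinedComputers | Sort-Object WhenCreated | Format-Table -AutoSize
```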
Lesson 3
Offline Domain Join
Contents:
Question and Answers 66
Answer: This file contains sensitive data that is needed to establish a relationship between a
computer and a domain. The data includes the machine account password and other
information about the domain, including the domain name, the name of a domain
controller, and the SID of the domain.
Note: You require the 6425C-NYC-DC1 virtual machine to complete this demonstration.
Answer: You cannot create an OU within a Computers container, so you cannot subdivide the Computers
OU. Also, you cannot link a Group Policy object to a container. Because of this, we recommend that you
move the newly created computer account from the Computers container to an OU.
2. When should you reset a computer account? Why is it better to reset the computer account than to
disjoin and rejoin it to the domain?
Answer: You should reset a computer account when the computer can no longer authenticate to the
domain. That can happen if the operating system is reinstalled, the computer is restored from a backup, or
the machine account password has fallen out of sync with the password stored in the domain. If you
disjoin the computer from the domain and rejoin it instead of resetting the computer account, you risk
losing the computer account altogether: the original object is deleted, the computer's SID is lost, and,
more importantly, so are its group memberships. When you rejoin the domain, the computer keeps its
name, but its new account has a new SID, and all the group memberships of the previous computer
object must be re-created.
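As an added example (not part of the course content), the following PowerShell repairs a broken secure channel in place from the affected client, which keeps the existing computer object, and then verifies that the account in AD is the same object rather than a new one. The DC name and the client name are assumptions for this example.

```powershell
# Added example (not course content): reset the machine account password in place.
# Run elevated on the affected Windows 7 / Server 2008 R2 computer.
$dc = 'NYC-DC1.contoso.com'   # assumption: a reachable domain controller

# 1. Diagnose. The test fails when the machine account password held locally no longer
#    matches the one stored in AD (OS reinstall, restore from backup, account reset, ...).
if (Test-ComputerSecureChannel -Server $dc -Verbose) {
    'Secure channel is healthy; no reset needed.'
}
else {
    # 2. Repair with an account that is allowed to reset the password on this computer
    #    object. -Repair re-establishes the channel and sets a new machine password; the
    #    existing account in AD is reused, not re-created, so its SID and group
    #    memberships survive.
    $cred = Get-Credential -Message 'Account permitted to reset this computer account'
    Test-ComputerSecureChannel -Repair -Server $dc -Credential $cred -Verbose

    # Equivalent without the health check, e.g. in a scheduled remediation:
    # Reset-ComputerMachinePassword -Server $dc -Credential $cred
}

# 3. Verify from the client ...
nltest.exe /sc_verify:contoso.com

# ... and, from an administrative computer with the AD module, confirm it is still the
# same object: whenCreated unchanged, SID unchanged, only PasswordLastSet has moved.
# Get-ADComputer -Identity NYC-CL1 -Properties SID, MemberOf, whenCreated, PasswordLastSet |
#     Select-Object Name, SID, whenCreated, PasswordLastSet,
#                   @{ n = 'Groups'; e = { $_.MemberOf -join '; ' } }
```

Compare this with the disjoin-and-rejoin path: after a rejoin, whenCreated is new, the SID differs, and MemberOf is empty until someone re-adds the account to its groups.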
3. In an Offline Domain Join, what should you do after you provision a new computer account to the
domain by using the djoin.exe utility?
Answer: After the new computer account is provisioned, transfer the blob file, which contains the
domain and computer account information, to the destination computer that will be joined to the
domain. Then run djoin.exe with the /requestODJ switch on that computer and restart it.
Problem: Group Policy is not applied to the computer after it is joined to the domain.
Troubleshooting tip: Check whether the computer account is still in the Computers container. You
cannot link GPOs to this container.
Problem: The Offline Domain Join is not working as expected.
Troubleshooting tips:
• Check that the name of the provisioned computer account is the same as the name of the computer
being joined to the domain.
• Make sure that you do not use the /localos switch if you are mounting a drive from the destination
computer (use /windowspath to point at the offline Windows directory instead).
Answer: The best way to do this is to first provision the computer accounts in AD DS by using the djoin
utility with the /provision switch, and then to use an unattended setup to perform the installation. With a
utility such as Windows System Image Manager, you can perform an unattended domain join during the
operating system installation by providing the information that is relevant to the domain join (the
provisioning blob) in an Unattend.xml file.
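The following PowerShell is an added example, not part of the course content, covering the three offline-join paths discussed in this lesson: provisioning the account and protecting the blob, consuming the blob on a running computer or an offline image, and embedding it in an Unattend.xml component for unattended setup. The computer name, OU, paths and DC are assumptions; the account running step 1 must be allowed to create the computer object.

```powershell
# Added example (not course content): offline domain join end to end.
# Requires Windows Server 2008 R2 / Windows 7 (djoin.exe). Names are assumptions.

# --- Step 1, on a domain-joined administrative computer: provision the account ---
$name = 'NYC-CL2'
$blob = "C:\ODJ\$name.txt"
New-Item -ItemType Directory -Path (Split-Path -Parent $blob) -Force | Out-Null

# The blob holds the machine account password, the domain name and SID, and a DC name.
# Treat the file as a credential from the moment it is written.
djoin.exe /provision /domain contoso.com /machine $name `
          /machineou 'OU=Client Computers,DC=contoso,DC=com' /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed (exit code $LASTEXITCODE)" }

# Drop inherited ACEs (Users: Read, and so on) and keep only the provisioning admin
# and the local Administrators group.
icacls.exe $blob /inheritance:r `
    /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" 'BUILTIN\Administrators:(F)' | Out-Null

# --- Step 2a, on the running destination computer (elevated), then restart ---
# djoin.exe /requestODJ /loadfile C:\ODJ\NYC-CL2.txt /windowspath $env:SystemRoot /localos

# --- Step 2b, against an offline image mounted as D:\ : note, no /localos here ---
# djoin.exe /requestODJ /loadfile C:\ODJ\NYC-CL2.txt /windowspath D:\Windows

# --- Step 2c, unattended setup: embed the blob in Unattend.xml (offlineServicing pass) ---
# The file written by /savefile is the base64 blob as text; the Unattend schema expects
# exactly that text in AccountData.
$accountData = [IO.File]::ReadAllText($blob).Trim()
$component = @"
<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64"
           publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
  <Identification>
    <Provisioning>
      <AccountData>$accountData</AccountData>
    </Provisioning>
  </Identification>
</component>
"@
$component | Out-File -FilePath "C:\ODJ\$name-UnattendedJoin.xml" -Encoding utf8

# Paste the component into the <settings pass="offlineServicing"> section of Unattend.xml
# (Windows System Image Manager can place it for you). The Unattend.xml now carries the
# machine account secret as well: protect it like the blob, and delete both once the
# computer has joined successfully.
# Remove-Item $blob
```

The second troubleshooting tip above is visible in the two /requestODJ forms: /localos tells djoin that the Windows directory it is given is the running operating system, so it must not be used when /windowspath points at a mounted offline image.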
Tools
Tool Use Where to find it
Windows PowerShell with Active Directory Module | Computer account management | Administrative Tools
Offline Domain Join (djoin.exe) | New feature in Windows Server 2008 R2 and Windows 7 that allows you to join computers to the domain even when they have no network connection to a domain controller | Command prompt (%SystemRoot%\System32\djoin.exe)
Answer: Answers may vary depending on your own experience and situation.
Question: What are the two credentials that are necessary for any computer to join a
domain?
Answer: Two credentials are needed: local credentials that are a member of the computer's local
Administrators group (to change the computer's own domain membership), and domain credentials
that have permission to create the computer account in the domain, or to join the computer to an
existing (prestaged) computer account.
Question: What insights did you gain into the issues and procedures regarding computer
accounts and administering computer accounts through their life cycle?
Answer: Answers will vary based on your own experience and situation.
Module 6
Implementing a Group Policy Infrastructure
Contents:
Lesson 1: Understand Group Policy 72
Lesson 1
Understand Group Policy
Contents:
Detailed Demonstration Steps 73
Additional Reading 74
2. In the GPMC, right-click the CONTOSO Standards GPO, and then click Edit.
3. Spend time exploring the settings that are available in a GPO. Do not make any changes.
5. Notice the timing with which computer and user settings are applied.
Additional Reading
Review the Components of Group Policy
TechNet contains detailed technical and operational guides to Group Policy, including the following:
Lesson 2
Implement GPOs
Contents:
Detailed Demonstration Steps 76
Additional Reading 78
1. Start 6425C-NYC-DC1.
3. Run Group Policy Management with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.
4. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the
Group Policy Objects container.
5. In the console tree, right-click the Group Policy Objects container, and then click New.
Link a GPO
1. In the GPMC console tree, right-click the contoso.com domain, and then click Link an Existing GPO.
4. In the GPMC console tree, expand the Group Policy Objects container, and then click the CONTOSO
Standards GPO.
9. In the details pane, double-click the Group Policy Creator Owners group, and then click the
Members tab.
Delete a GPO
1. In the GPMC console tree, in the Group Policy Objects container, right-click the CONTOSO
Standards GPO, and then click Delete.
2. Click No.
Discuss the default connection to the PDC Emulator
1. In the GPMC console tree, right-click the contoso.com domain, and then click Change Domain
Controller.
Additional Reading
Local GPOs
• Multiple Local Group Policy objects
Lesson 3
Manage Group Policy Scope
Contents:
Additional Reading 80
Additional Reading
WMI Filters
For more information on WMI and for examples of WMI filters, go to:
Lesson 4
Group Policy Processing
Contents:
Additional Reading 82
Additional Reading
Slow Links and Disconnected Systems
• How Core Group Policy Works
Answer: Security permissions might be the problem. If some users do not have Read permission on the
shared network folder where the scripts are stored, the scripts cannot run for them. Security filtering on
the GPO might also be the cause.
2. What GPO settings are applied across slow links by default?
Answer: Registry policy and Security policy are always applied even when a slow link is detected. This
setting cannot be changed.
3. You need to ensure that a domain level policy is enforced, but the Managers global group needs to
be exempt from the policy. How would you accomplish this?
Answer: Set the link to be enforced at the domain level, and use security group filtering to deny the Apply
Group Policy permission to the Managers group.
Problem: Group Policy settings sometimes need two restarts to apply.
Troubleshooting tip: Enable the Always wait for the network at computer startup and logon policy
setting.
• Use the Block Inheritance and Enforced options only when really necessary.
Tools
Tool | Use for | Where to find it
Group Policy reporting (RSoP) | Reporting information about the current policies being delivered to clients | Group Policy Management Console
Question: Which policy settings did you discover that you might want to implement in your
organization?
Question: Many organizations rely heavily on security group filtering to scope GPOs, rather
than linking GPOs to specific OUs. In these organizations, GPOs are typically linked very high
in the Active Directory logical structure—to the domain itself or to a first-level OU. What
advantages are gained by using security group filtering rather than GPO links to manage the
scope of the GPO?
Answer: The fundamental problem of relying on OUs to scope the application of GPOs is
that an OU is a fixed, inflexible structure within Active Directory, and that a single user or
computer can only exist within one OU. As organizations get larger and more complex,
configuration requirements are difficult to match in a one-to-one relationship with any
container structure. With security groups, a user or computer can exist in as many groups as
necessary, and can be added and removed easily without impacting the security or
management of the user or computer account.
Question: Why might it be useful to create an exemption group—a group that is denied the
Apply Group Policy permission—for every GPO you create?
Answer: There are very few scenarios in which you can be guaranteed that all of the settings
in a GPO will always need to apply to all users and computers within its scope. By having an
exemption group, you will always be able to respond to situations in which a user or
computer must be excluded. This can also help in troubleshooting compatibility and
functionality problems. Sometimes, specific GPO settings can interfere with the functionality
of an application. In order to test whether the application works on a "pure" installation of
Windows, you might need to exclude the user or computer from the scope of GPOs, at least
temporarily for testing.
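The following PowerShell is an added example, not part of the course content, and serves both the Managers exemption in the review questions above and the per-GPO exemption group just discussed: it creates an exemption group, denies it the Apply Group Policy right on the GPO's Active Directory object, and reports the resulting filtering. It assumes RSAT (the GroupPolicy and ActiveDirectory modules), rights to edit the GPO's permissions, and the GPO, OU and group names shown, which are assumptions.

```powershell
# Added example (not course content): deny a group the Apply Group Policy right on a GPO.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'CONTOSO Standards'                 # assumption
$groupName = 'GPO_CONTOSO Standards_Exempt'      # assumption: one exemption group per GPO
$groupsOu  = 'OU=Groups,DC=contoso,DC=com'       # assumption

$gpo = Get-GPO -Name $gpoName
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupsOu `
                -Description "Members are denied Apply Group Policy on GPO '$gpoName'"
}
$group = Get-ADGroup -Identity $groupName

# "Apply Group Policy" is an extended right on the groupPolicyContainer object in AD.
# This is its fixed rightsGuid (CN=Apply-Group-Policy,CN=Extended-Rights,...).
$applyGroupPolicy = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# Get-GPO exposes the distinguished name of the GPC object in .Path; the AD: drive that
# the ActiveDirectory module creates lets Get-Acl/Set-Acl work on it.
$gpcPath = "AD:\$($gpo.Path)"
$acl  = Get-Acl -Path $gpcPath
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $group.SID,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $applyGroupPolicy)
$acl.AddAccessRule($deny)
Set-Acl -Path $gpcPath -AclObject $acl

# Only Apply Group Policy is denied; Read is deliberately left alone. The client still
# needs Read to evaluate the GPO, and on domain controllers with MS16-072 installed
# computer accounts must be able to read every GPO that applies to users.
# Afterwards, open the GPO's Delegation tab in GPMC; if it reports that the SYSVOL
# permissions are out of sync with AD, let it repair them.

# Report who may apply this GPO and who is explicitly denied.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission, Denied |
    Format-Table -AutoSize

# Exempting a user or computer is now a group-membership change, not a GPO edit:
# Add-ADGroupMember -Identity $groupName -Members 'Managers'      # the review question
# Add-ADGroupMember -Identity $groupName -Members 'NYC-CL1$'      # a single test computer
```

A deny ACE wins over the Allow that Authenticated Users holds by default, so the group works whether the GPO is linked at the domain or at an OU, and whether the link is enforced or not; that is what makes the combination of an enforced domain link and an exemption group work.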
Question: Do you use loopback policy processing in your organization? In which scenarios
and for which policy settings can loopback policy processing add value?
Answer: Answers will vary. Scenarios including conference rooms, kiosks, virtual desktop
infrastructures, and other "standard" environments should certainly be mentioned.
Question: In which situations have you used RSoP reports to troubleshoot Group Policy
application in your organization?
Answer: The correct answer will be based on your own experience and situation.
Question: In which situations have you used, or could you anticipate using, Group Policy
modeling?
Answer: The correct answer will be based on your own experience and situation.
Question: Have you ever diagnosed a Group Policy application problem based on events in
one of the event logs?
Answer: The correct answer will be based on your own experience and situation.
Module 7
Managing User Desktop with Group Policy
Contents:
Lesson 1: Implement Administrative Templates 87
Lesson 1
Implement Administrative Templates
Contents:
Detailed Demonstration Steps 88
1. Switch to NYC-DC1.
2. Run Group Policy Management with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the
Group Policy Objects container.
4. In the details pane, right-click the 6425C GPO, and then click Edit.
The Group Policy Management Editor appears.
5. In the console tree, expand User Configuration, expand Policies, and then click Administrative
Templates.
Administrative Templates policy settings are filtered to show only those that contain the words screen
saver.
10. Spend a few moments examining the settings that you have found.
11. In the console tree, right-click Administrative Templates under User Configuration, and then click
Filter Options.
12. Clear the Enable Keyword Filters check box.
13. In the Configured drop-down list, select Yes, and then click OK.
Administrative Template policy settings are filtered to show only those that have been configured
(enabled or disabled).
1. In the console tree, expand User Configuration, Policies, Administrative Templates, and Control
Panel, and then click Personalization.
5. In the Comment section, type Corporate IT Security Policy implemented with this policy in
combination with Enable screen saver, and click OK.
3. Type Contoso corporate standard policies. Settings are scoped to all users and computers in
the domain. Person responsible for this GPO: your name.
This comment appears on the Details tab of the GPO in the GPMC.
1. In the console tree of the GPMC, click the Starter GPOs container.
The Group Policy Management Editor appears. Review and edit the settings as desired.
1. In the GPMC console tree, expand the Group Policy Objects container, right-click the CONTOSO
Desktop GPO, and then click Copy.
2. Right-click the Group Policy Objects container, click Paste, and then click OK.
3. Click OK.
Create a new GPO by importing settings that were exported from another GPO
1. In the GPMC console tree, expand the Group Policy Objects container, right-click the
CONTOSO Desktop GPO, and then click Back Up.
4. In the GPMC console tree, right-click the Group Policy Objects container, and then click New.
6. In the GPMC console tree, right-click the CONTOSO Import GPO, and then click Import Settings.
Lesson 2
Configure Group Policy Preferences
Contents:
Detailed Demonstration Steps 92
Additional Reading 93
5. In the Location box, click the arrow, and then select All Users Desktop.
6. In the Target path box, type C:\Windows\System32\Notepad.exe.
7. On the Common tab, select the Item-level targeting check box, and then click Targeting.
8. In the Targeting Editor dialog box, click New Item, and then click Computer Name.
9. In the Computer name box, type NYC-CL1, and then click OK twice.
10. Under Windows Settings, right click Folders, point to New, and then click Folder.
11. In the New Folder dialog box, select Create from the Action list.
12. In the Path field, type C:\Reports.
13. On the Common tab, select the Item-level targeting check box, and then click Targeting.
14. In the Targeting Editor dialog box, click New Item, and then click Operating System.
15. In the Product list, click Windows Server 2008 R2, and then click OK twice.
Additional Reading
Differences Between Group Policy Preferences and Settings
• For an overview of Group Policy preferences, see
Lesson 3
Manage Software with GPSI
Contents:
Detailed Demonstration Steps 95
Additional Reading 97
3. Switch to NYC-DC1.
4. Run Active Directory Users and Computers with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.
5. In the console tree, expand the contoso.com domain and the Groups OU, and then click the
Application OU.
6. Right-click the Application OU, point to New, and then click Group.
8. In the console tree, expand the contoso.com domain and the Servers OU, and then click the File
OU.
11. Right-click Shares, and then click New Share. The Create a Shared Folder Wizard appears.
12. Click Next.
13. In the Folder Path box, type C:\Software, and then click Next.
20. Clear the Include inheritable permissions from this object's parent option.
A dialog box appears asking if you want to Add or Remove inherited permissions.
23. Select the remaining permission assigned to the Users group, and then click Remove.
24. Select the permission assigned to Creator Owner, and then click Remove.
25. Click OK two times to close the Advanced Security Settings dialog boxes.
26. In the Customize Permissions dialog box, click the Share Permissions tab.
The security management best practice is to configure least-privilege permissions in the ACL of the
resource, which apply to users regardless of how they connect to the resource (locally or over the
network); you can then grant the Full Control permission on the SMB shared folder. The effective access
level is the more restrictive of the share permissions and the permissions defined in the ACL of the folder.
31. Click Start, click Run, type \\NYC-SVR1\c$, and then press Enter.
A Windows Explorer window opens, focused on the root of the drive C on NYC-SVR1.
34. Open the Software folder.
47. Right-click in the empty details pane, and then click Paste.
XML Notepad is copied into the folder on NYC-SVR1.
Additional Reading
Software Deployment Options
• Group Policy Software Installation overview
Answer: The Central Store is a single folder in SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions,
with one subfolder per language for the .ADML files) that holds all the .ADMX and .ADML files that are
required. After you set up the Central Store, the Group Policy Management Editor (GPME) recognizes it and
loads all administrative templates from the Central Store instead of from the local machine.
2. What is the main difference between Group Policy Settings and Group Policy Preferences?
Answer: Group Policy settings enforce a setting on the client and disable the corresponding user
interface so that the user cannot change it. Group Policy preferences configure a setting but leave the
user free to change it afterward (by default, the preference is simply reapplied at the next Group Policy
refresh).
3. What is the difference between publishing and assigning software through GPSI?
Answer: If you assign software to a user or computer, it is installed without asking the user whether he or
she wants it (for a computer, at startup; for a user, it is advertised at logon and installed on first use).
Publishing software, which is possible only for users, lets the user decide whether to install it from
Programs and Features (Add or Remove Programs).
Problem: Group Policy Software Installation does not work for some users.
Troubleshooting tips:
• Check the security settings on the network share where the software installation package resides.
• Check the scoping of the Group Policy Object.
• Use Central Store for Administrative templates when having clients with Windows Vista and
Windows 7
• Use Group Policy preferences to configure settings not available in Group Policy set of settings
• Use Group Policy Software Installation to deploy packages in .msi format to a large number of users
or computers.
Tools
Tool | Use for | Where to find it
Group Policy reporting (RSoP) | Reporting information about the current policies being delivered to clients | Group Policy Management Console
Answer: .ADMX files create the user interface for the GPME and determine the registry
values that are applied when a policy setting is defined. .ADML files provide language-
specific elements (the text) in the user interface.
Question: When does an enterprise get a central store? What benefits does it provide?
Question: What are the advantages of managing Group Policy from a client running the
latest version of Windows? Do the settings you manage apply to the previous versions of
Windows?
Answer: If you manage Group Policy with a client running the latest version of Windows,
you will be able to use the latest administrative templates, and you will be able to view
settings that apply to this and all previous versions of Windows. The policy settings you
configure will apply not based on the version of Windows from which you manage Group
Policy, but rather on the versions of Windows to which the policy setting can apply.
Question: What is the alternate method of providing drive mapping to users, instead of
using Preferences?
Answer: You can use the logon script configured in ordinary Group Policy settings.
Question: If you apply a Group Policy preferences setting, can you change this setting on
the client side?
Answer: Yes. Group Policy preferences do not enforce the setting and do not disable the user interface,
so the user can change it; unless the preference item is configured to apply once, the value is reapplied
at the next Group Policy refresh.
Question: Consider the NTFS permissions you applied to the Software and XML Notepad
folders on NYC-SVR1. Explain why these least privilege permissions are preferred to the
default permissions.
Answer: The default permissions on a new NTFS folder include inherited permissions that are
not least privilege. First, the USERS group is given the ability to add files and folders. In a
software distribution folder, only administrators who need to add new applications should
have the ability to add files and folders. Second, CREATOR OWNER special identity is given
full control. This means that whoever adds a file or folder gets an explicit permission that
allows full control, which may or may not be appropriate for each file and folder added to a
software deployment point. Third, the USERS group is also given the ability to read all files
and folders, which will allow them to install any software in the software distribution folder.
Because most software is licensed per computer or per user, you can improve your
compliance by allowing only a specified group to read the installation files for each
application. The SOFTWARE folder (the root) gives access (full control) only to Administrators
and System. The application subfolder, for example, XML Notepad, gives read access to a
group that is allowed to install the application, such as APP_XML Notepad. Those users can
get to the subfolder even though they have no permissions on the SOFTWARE folder itself, because
Windows grants the Bypass traverse checking user right to Everyone by default. This right lets a user
navigate to a specific subfolder to which they have access even if they do not have permission to a
parent folder. The least-privilege ACLs used in this lab are a good example of the value of this user right.
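The following PowerShell is an added example, not part of the course content: it builds the least-privilege distribution point described above (and in the share-permission note in the demonstration steps) on the file server and then prints the resulting ACLs so the result can be checked against the answer. Folder and group names follow the lab; the share name and the use of icacls and net share are choices made for this example.

```powershell
# Added example (not course content): least-privilege software distribution point.
# Run elevated on the file server (NYC-SVR1 in the lab).
$root          = 'C:\Software'
$app           = Join-Path $root 'XML Notepad'
$appInstallers = 'CONTOSO\APP_XML Notepad'   # contains the computers (or users) allowed
                                             # to install this one application

New-Item -ItemType Directory -Path $app -Force | Out-Null

# Root folder: strip the inherited ACEs that are not least privilege (Users: read plus
# add files/folders, CREATOR OWNER: Full Control) and grant only Administrators and SYSTEM.
# /inheritance:r removes inherited entries; /grant:r replaces any existing explicit grant
# for the named principal. (OI)(CI) makes the ACE inherit to files and subfolders.
icacls.exe $root /inheritance:r `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)(F)' 'NT AUTHORITY\SYSTEM:(OI)(CI)(F)' | Out-Null

# Per-application subfolder: the install group gets Read & Execute only. Its members
# reach the subfolder through the Bypass traverse checking right, without any access
# to C:\Software itself.
icacls.exe $app /grant:r "$($appInstallers):(OI)(CI)(RX)" | Out-Null

# Share: Full Control on the share, because the NTFS ACL already carries the real
# restriction and the effective access is the more restrictive of the two.
net.exe share "Software=$root" "/GRANT:Authenticated Users,FULL" | Out-Null

# Verify: every ACE on the root and on the application folder.
foreach ($p in $root, $app) {
    Write-Host "`n$p"
    (Get-Acl -Path $p).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

Expected shape of the output: the root shows only two explicit Full Control entries; the application folder shows those two inherited plus one explicit ReadAndExecute entry for the install group, and no entry for Users or CREATOR OWNER anywhere. If software is assigned to computers, remember that it is the computer account (running as SYSTEM) that reads the package at startup, so the install group must contain computer accounts, as the lab's APP_XML Notepad group does.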
Question: Consider the methods used to scope the deployment of XML Notepad: Assigning
the application to computers, filtering the GPO to apply to the APP_XML Notepad group
that contains only computers, and linking the GPO to the Client Computers OU. Why is this
approach advantageous for deploying most software? What would be the disadvantage of
scoping software deployment to users rather than to computers?
Module 8
Managing Enterprise Security and Configuration with Group
Policy Settings
Contents:
Lesson 1: Manage Group Membership by Using Group Policy Settings 103
Lesson 1
Manage Group Membership by Using Group Policy
Settings
Contents:
Detailed Demonstration Steps 104
2. On NYC-DC1 click Start, point to Administrative Tools and run Group Policy Management with
administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, expand Forest:contoso.com, Domains and contoso.com, and then click the
Group Policy Objects container.
4. Right-click the Group Policy Objects container, and then click New.
5. In the Name box, type Corporate Help Desk, and then click OK.
6. In the details pane, right-click Corporate Help Desk, and then click Edit.
9. Click Browse and, in the Select Groups dialog box, type the name of the group you want to add to
the Administrators group—for example, CONTOSO\Help Desk—and click OK.
10. Click OK to close the Add Group dialog box.
The Properties group policy setting should look similar to the dialog box on the left of the side-by-
side dialog boxes shown earlier.
Delegating the membership of the local Administrators group in this manner adds the group specified in
step 9 to that group. It does not remove any existing members of the Administrators group. The Group
Policy setting simply tells the client, “Make sure this group is a member of the local Administrators group.”
This allows for the possibility that individual systems could have other users or groups in their local
Administrators group. This group policy setting is also cumulative. If multiple GPOs configure different
security principals as members of the local Administrators group, all will be added to the group.
To take complete control of the local Administrators group, follow these steps:
Demonstration Steps
1. In Group Policy Management Editor, go to Computer Configuration\Windows
Settings\Security Settings\Restricted Groups.
5. Click Browse and enter the name of the group you want to make the sole member of the
Administrators group—for example, CONTOSO\Help Desk—and click OK.
The group policy setting Properties should look similar to the dialog box on the left of the side-by-
side dialog boxes shown earlier.
7. Click OK again to close the Properties dialog box.
When you use the Members setting of a restricted groups policy, the Members list defines the final
membership of the specified group. The steps just listed result in a GPO that authoritatively manages
the Administrators group. When a computer applies this GPO, it adds all members specified by the
GPO and removes all members not specified by the GPO, including Domain Admins. Only the local
Administrator account will not be removed from the Administrators group because Administrator is a
permanent and irremovable member of Administrators.
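Because the Members form silently replaces the whole membership of the target group, it is worth knowing which GPOs in the domain use it before one of them is linked somewhere new. The following PowerShell is an added example, not part of the course content: it reads every GPO's XML report and lists each Restricted Groups entry with its Member and Member Of lists. It assumes the GroupPolicy module; the element names (RestrictedGroups, GroupName, Member, MemberOf, Name) are those of the GPO report schema as assumed here and are matched by local name so the namespace prefixes in the report do not matter.

```powershell
# Added example (not course content): inventory Restricted Groups settings in all GPOs.
Import-Module GroupPolicy

$results = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # Where the GPO is linked (empty for an unlinked GPO).
    $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; '

    foreach ($rg in $report.SelectNodes("//*[local-name()='RestrictedGroups']")) {
        $groupName = $rg.SelectSingleNode(
            "*[local-name()='GroupName']/*[local-name()='Name']").InnerText
        $members   = @($rg.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
                       ForEach-Object { $_.InnerText })
        $memberOf  = @($rg.SelectNodes("*[local-name()='MemberOf']/*[local-name()='Name']") |
                       ForEach-Object { $_.InnerText })

        [pscustomobject]@{
            GPO           = $gpo.DisplayName
            LinkedTo      = $links
            Group         = $groupName
            Members       = $members  -join ', '
            MemberOf      = $memberOf -join ', '
            # A populated Members list is authoritative: at every refresh the client adds
            # what is listed and removes everyone else (except the built-in Administrator).
            Authoritative = ($members.Count -gt 0)
        }
    }
}

$results | Sort-Object Authoritative -Descending | Format-Table -AutoSize

# The entries that deserve a second look before linking: authoritative control of
# BUILTIN\Administrators that does not list Domain Admins.
$results | Where-Object {
    $_.Authoritative -and $_.Group -like '*Administrators' -and $_.Members -notlike '*Domain Admins*'
}
```

An entry that shows neither Members nor Member Of is a Members list that was left empty, which also clears the group; open that GPO in the editor and confirm it is intended.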
Additional Reading
Define Group Membership with Group Policy Preferences
• Group Policy Management Console Help, "Local Users and Groups Extension"
Lesson 2
Manage Security Settings
Contents:
Detailed Demonstration Steps 108
3. Click Start and, in the search box, type mmc.exe, and then press Enter. When prompted, supply
administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
5. In the Available snap-ins list, select Security Templates, then click Add.
6. Click OK.
12. Click Start, point to Administrative Tools, and run Group Policy Management with administrative
credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
13. In the console tree, expand Forest:contoso.com, Domains, and contoso.com, and then click the
Group Policy Objects container.
14. In the details pane, right-click the Corporate Help Desk, and then click Edit.
15. In the console tree, expand Computer Configuration, Policies, Windows Settings, and then click
Security Settings.
17. Select the DC Remote Desktop template, and then click Open.
Additional Reading
Configure the Local Security Policy
• Server Security Policy Settings
Lesson 4
Software Restriction Policy and AppLocker
Contents:
Detailed Demonstration Steps 111
1. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.
4. Expand Domains.
5. Expand Contoso.com.
7. Drag the WordPad Restriction Policy GPO on top of the Contoso.com domain container.
10. Click Start, in the Search programs and files box, type cmd, and then press Enter.
11. In the Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to
be updated.
1. Start and then log on to the NYC-CL1 as Contoso\Alan.Brewer, with the password, Pa$$w0rd.
2. Click Start, in the Search programs and files box, type cmd, and then press Enter.
3. In the Command Prompt window, type gpupdate /force, and press Enter. Wait for the policy to be
updated.
4. Click Start, click All programs, click Accessories, and then click WordPad.
Additional Reading
What Is a Software Restriction Policy?
• Using Software Restriction Policies to Protect Against Unauthorized Software
• AppLocker Walkthrough
Answer: Use the Security Configuration And Analysis snap-in to create a database. Import the template
into the database, and then apply the database settings to the computer by using the Configure
Computer Now command.
2. Why must AppLocker rules be defined in a GPO separate from SRP rules?
Answer: AppLocker rules are completely separate from SRP rules, and computers running versions of
Windows earlier than Windows 7 and Windows Server 2008 R2 ignore them and apply only SRP. On
Windows 7 and Windows Server 2008 R2, if a GPO contains AppLocker rules, only those rules are applied
and any SRP rules in the same GPO are ignored. Therefore, define AppLocker rules in a separate GPO to
ensure that SRP and AppLocker policies interoperate as you expect.
Answer: This is a tricky question and requires some creative thinking. You can configure a
Members policy setting for the Administrators group that adds only the Administrator account.
This has the effect of cleaning out all other group members, and of course the Administrator
account is already a member of the Administrators group and cannot be removed. Then, you can
configure restricted group policy settings for the Help Desk and the site-specific Support groups, as
you did in the lab. Alternatively, you could use a Local Group preference item configured to delete all
member users and groups.
Question: Describe a situation where you would use both security templates and the
Security Configuration Wizard to secure a server.
Answer: Security templates contain some settings that are not available in the Security
Configuration Wizard, such as restricted groups. If you need to incorporate these additional
settings, you can include a configured security template in the Security Configuration Wizard policy
and then convert the policy to a GPO (with scwcmd transform).
Question: What are the three major steps required to configure auditing of file system and
other object access?
Question: What systems should have auditing configured? Is there a reason not to audit all
systems in your enterprise? What types of access should be audited, and by whom should
they be audited? Is there a reason not to audit all access by all users?
Answer: Auditing should reflect IT security and usage policies. Auditing not only puts a
(small) burden on the performance of a system, but also generates excessive “noise” that can
make finding the “important” events even harder. What, who, and when auditing is
performed should be aligned with why auditing is being performed—as driven by your
business requirements.
Question: How can you permit access to only a specific set of applications for a set of
computers in your environment?
Answer: Place the computers in an OU, create a GPO, and link it to the OU. In the GPO, create the
AppLocker default rules and add allow rules for the applications you want the computers to have
access to, and then set rule enforcement to Enforce rules. AppLocker blocks every application that
no rule explicitly allows.
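The following PowerShell is an added example, not part of the course content: it builds an AppLocker allow-list for a set of computers from what is installed on a reference machine, switches the policy to audit mode, tests it against a user and a few sample paths, and writes it to its own GPO (separate from any SRP GPO, as the review question above requires). It needs Windows 7 Enterprise/Ultimate or Windows Server 2008 R2 with the AppLocker and GroupPolicy modules; the GPO, OU, user and file paths are assumptions.

```powershell
# Added example (not course content): AppLocker allow-list in a dedicated GPO.
Import-Module AppLocker
Import-Module GroupPolicy

$gpoName   = 'AppLocker - Kiosk Computers'                          # assumption
$ou        = 'OU=Kiosks,OU=Client Computers,DC=contoso,DC=com'       # assumption
$policyXml = 'C:\Temp\AppLocker-Kiosk.xml'

# 1. Generate allow rules from a reference installation: publisher rules for signed
#    files, hash rules for unsigned ones. -Optimize merges rules that share a publisher.
#    Scan the Windows folder too; with no rule for it, explorer.exe itself would be blocked.
$files = Get-AppLockerFileInformation -Directory 'C:\Windows', 'C:\Program Files' `
             -Recurse -FileType Exe
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 2. Start in audit mode. A rule collection whose mode is NotConfigured is enforced as
#    soon as it contains rules, so set AuditOnly explicitly and read the 8003 events in
#    Applications and Services Logs\Microsoft\Windows\AppLocker before enforcing.
[xml]$policy = Get-Content -Path $policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyXml)

# 3. Dry run against the XML: would these files run for a standard user?
Test-AppLockerPolicy -XmlPolicy $policyXml -User 'CONTOSO\Alan.Brewer' `
    -Path 'C:\Program Files\Windows NT\Accessories\wordpad.exe',
          'C:\Users\Public\Downloads\setup.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Write the policy to its own GPO and link it to the kiosk OU. AppLocker is evaluated
#    only if the Application Identity service (AppIDSvc) is running on the client, so set
#    that service to Automatic in the same GPO (System Services) or with:
#    Set-Service AppIDSvc -StartupType Automatic; Start-Service AppIDSvc
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ou -ErrorAction SilentlyContinue | Out-Null
Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap "LDAP://contoso.com/$($gpo.Path)"
```

The generated policy contains only what was found on the reference machine; it does not include the default rules the editor creates (Windows and Program Files for Everyone, everything for Administrators). Add those in the editor, or accept that administrators are locked down too, before changing EnforcementMode to Enabled.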
Module 9
Securing Administration
Contents:
Lesson 1: Delegate Administrative Permissions 116
Lesson 1
Delegate Administrative Permissions
Contents:
Detailed Demonstration Steps 117
2. Click Start, point to Administrative Tools, and run Active Directory Users and Computers with
administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
4. Right-click an object such as a user account, and then choose Properties. For this example use Jeff
Ford located in the User Accounts\Employees OU.
If User Account Control is enabled, you might need to click Edit, and perhaps enter the
administrative credentials, before the Add button appears.
8. In the Select dialog box, select the security principal to which permissions will be assigned.
2. Right-click the node (domain or OU) for which you want to delegate administrative tasks or control,
and choose Delegate Control.
The Delegation of Control Wizard appears, to guide you through the required steps.
3. Click Next.
You will first select the administrative group to which you are granting privileges.
a. Use the Select dialog box to select the group, and then click OK. For this example use the Help
Desk group.
5. Click Next.
You will next specify the task you wish to assign to that group.
7. Click Next.
8. Review the summary of the actions that have been performed, and click Finish.
The Delegation of Control Wizard applies the ACEs that are required to enable the selected group to
perform the specified task.
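The wizard writes object-specific ACEs whose meaning is hidden behind GUIDs, so checking what a group has actually been delegated is harder than granting it. The following PowerShell is an added example, not part of the course content: it resolves the schema and extended-right GUIDs to names and lists every ACE on an OU that applies to a given group. It assumes the Active Directory module; the OU and group are the lab's, and the output columns are choices made for this example.

```powershell
# Added example (not course content): decode the delegation on an OU for one group.
Import-Module ActiveDirectory

$ouDn  = 'OU=Employees,OU=User Accounts,DC=contoso,DC=com'
$group = 'CONTOSO\Help Desk'

# Build a GUID -> name map from the schema (attributes and classes) and from the
# Extended-Rights container (control access rights such as Reset Password).
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([Guid]$_.schemaIDGUID).Guid] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[([Guid]$_.rightsGuid).Guid] = $_.displayName }

$empty = [Guid]::Empty.Guid

(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    ForEach-Object {
        # ObjectType narrows the ACE to one attribute, property set or extended right;
        # an empty GUID means it covers all of them.
        $appliesTo = if ($_.ObjectType.Guid -eq $empty) { '<all properties/rights>' }
                     else { $guidMap[$_.ObjectType.Guid] }
        # InheritedObjectType narrows the ACE to one object class (e.g. user objects only).
        $objClass  = if ($_.InheritedObjectType.Guid -eq $empty) { '<any class>' }
                     else { $guidMap[$_.InheritedObjectType.Guid] }
        [pscustomobject]@{
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            AppliesTo   = $appliesTo
            ObjectClass = $objClass
            Inheritance = $_.InheritanceType
            Inherited   = $_.IsInherited
        }
    } | Format-Table -AutoSize
```

For the lab's "Reset user passwords and force password change at next logon" task you should see an ExtendedRight ACE whose AppliesTo resolves to Reset Password and whose ObjectClass is user, plus WriteProperty ACEs for pwdLastSet; anything broader (GenericAll, or an ACE with no object type) is a delegation that grants more than the task needed.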
Additional Reading
Understand Effective Permissions
• The best way to manage delegation in Active Directory is through role-based access control.
Although this approach will not be covered on the certification exam, it is well worth understanding
for real-world implementation of delegation. See the Windows® Administration Resource Kit:
Productivity Solutions for IT Professionals by Dan Holme (Microsoft® Press, 2008) for more
information.
Lesson 2
Audit Active Directory Administration
Contents:
Detailed Demonstration Steps 121
2. Click Start, point to Administrative Tools, and then click Group Policy Management. Use the
account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, double-click Forest: contoso.com, double-click Domains, and then double-click
contoso.com.
6. Double-click Security Settings, double-click Advanced Audit Policy Configuration, and then
double-click Audit Policies.
7. Browse through the subcategories and show how they are configured. For example, open the Account
Logon node and show how each of its four subcategories (Credential Validation, Kerberos Authentication
Service, Kerberos Service Ticket Operations, and Other Account Logon Events) can be set to audit
Success, Failure, both, or neither. Open each setting and show the Explain tab, which describes the setting.
10. Click the Add button and add a user account of your choice. Click OK.
11. In Auditing Entry for Global File SACL, place a check mark in Successful and Failed column for List
folder/read data and Create files /write data options.
Note When you use Advanced Audit Policy Configuration settings, you need to confirm that these
settings are not overwritten by basic audit policy settings. The following procedure shows how to
prevent conflicts by blocking the application of any basic audit policy settings.
To ensure that Advanced Audit Policy Configuration settings are not overwritten:
1. Double-click Security Settings, open Local Policies, and then click Security Options.
2. Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override
audit policy category settings, and then click Define this policy setting.
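To confirm from the machine itself that the advanced settings are the ones actually in force, the following added PowerShell check (not part of the course material) reads the registry value behind the Audit: Force audit policy subcategory settings policy and then lists the effective settings for the four Account Logon subcategories and for Handle Manipulation, which Reason for Access reporting depends on. The subcategory names are the ones auditpol.exe uses; nothing else is assumed.

```powershell
# Added example: verify that advanced (subcategory) audit policy is in force.
# Run in an elevated PowerShell session on a machine that is in scope of the GPO.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$override = (Get-ItemProperty -Path $lsaKey -Name SCENoApplyLegacyAuditPolicy `
                -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy

if ($override -eq 1) {
    Write-Host 'Subcategory settings override legacy category settings: OK'
}
else {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: basic (category) audit policy can overwrite the advanced settings.'
    Write-Warning 'Enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" and run gpupdate /force.'
}

# Effective settings as the Local Security Authority applies them. auditpol shows
# what is actually in force; the GPO editor only shows what is configured.
$subcategories = @(
    'Credential Validation',               # the four Account Logon subcategories
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations',
    'Other Account Logon Events',
    'Directory Service Changes',
    'Handle Manipulation'                  # must be enabled for Reason for Access reporting
)

foreach ($sub in $subcategories) {
    # /r returns CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
    '{0,-38} {1}' -f $sub, $row.'Inclusion Setting'
}
```

If the override value is missing or 0 on a machine that has both basic and advanced settings applied, the Inclusion Setting column shows the result of the last policy refresh to win, which is why the registry check comes first.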
Additional Reading
Enable Audit Policy
• AD DS Auditing Step-by-Step Guide
Answer: The console has different ways of indicating that you do not have permissions to
perform a certain task. In some cases, the command that you cannot perform is trimmed
(hidden) by the Active Directory Users and Computers snap-in. For example, when you tested
whether Aaron Painter could create a new user in the Employees OU, the New menu was not
available. In other cases, the command appears but you receive an error message if you
attempt to perform it. For example, when Aaron Painter tried to disable Jeff Ford's account
or reset Pat Coleman's administrative account password, the command was executed but
returned an error message because Aaron's access was denied.
Note Role-based management is a detailed topic. There are other aspects of role-based
management such as discipline and auditing that are required to ensure that the members of
a group such as AD_UserAccounts_Support have the permissions they are supposed to have.
You also need to ensure that the members of this group have no other permissions, and that
no other users or groups have been delegated the same permissions.
Answer: There are several benefits. First, it allows you to change "who can do what" without
changing a single ACL in Active Directory. If another group or user needs to be able to reset
Employee passwords, simply add that group (or user) to the AD_UserAccounts_Support
group. Second, it makes it easier to report delegation. If you list the members (including
nested users) of AD_UserAccounts_Support, you instantly know who has permission to reset
passwords for users in the User Accounts OU. In other words, role-based management helps
overcome some of the difficulties that were identified with reporting.
Question: What is the main benefit of using new Advanced Audit Policies?
Answer: Advanced Audit Policy Configuration gives much finer control over what is audited
(subcategories rather than the nine legacy categories), which keeps the Security log smaller and
makes it easier for administrators to find specific events. It also adds capabilities that the basic
policy does not have, such as Global Object Access Auditing, and extra information in the events
themselves, such as Reason for Access auditing.
Problem: Reason for Access auditing is not working.
Resolution: Check that the Audit Handle Manipulation subcategory is enabled and that you are running
Windows 7 or Windows Server 2008 R2.
• Use Advanced Audit Policies for better and more granular audit control.
• Avoid using the block inheritance option when configuring permissions.
Tools
Global Object Access Auditing: Lets you define an audit policy (SACL) once for the whole computer's file
system or registry rather than on each individual object.
Reason for Access reporting: A new feature that records, in the audit event, which permission was used to
grant or deny access to an audited resource.
Answer: The Effective Permissions list is showing the permissions that apply to the selected
object, which in the first case is an organizational unit. One cannot reset the password of an
organizational unit, so that permission is not available to be evaluated.
When you assign permissions to reset passwords on the OU, the permission does not actually
apply to the OU itself; rather it applies to descendent user objects within the OU. The OU is a
container, so permissions are available that specify what types of objects can be created in
the OU.
When you examined permissions on Aaron Lee's user account, the Reset permission
appeared because it is available for user accounts.
Answer: Lead a discussion that addresses the difficulty of reporting delegation. The user
interfaces and command-line tools are neither detailed nor "administrator-friendly" enough
to be useful reporting tools.
Question: What is the impact of resetting the ACL of an OU back to its schema-defined
default?
Answer: You don't necessarily know what permissions are applied to the OU unless you find
some way to do detail reporting. Moreover, you don't necessarily know why those
permissions were assigned to the OU or by whom. There may be good reasons for some
custom and explicit permissions, and removing them may cause something in your
environment to break. For example, when you install Microsoft Exchange Server, explicit
permissions are applied to certain Active Directory objects.
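The two reporting problems raised above (knowing who holds a delegated role, and knowing what explicit permissions sit on an OU before anyone resets it) can be answered with a short script. The following is an added PowerShell report, not course material; the OU path and group name follow the lab's naming (User Accounts\Employees, AD_UserAccounts_Support) and are assumptions. Right and attribute names are resolved from the schema and the Extended-Rights container rather than hard-coded.

```powershell
# Added example: report delegation on an OU. Requires the Active Directory module
# (Windows Server 2008 R2 or RSAT) and read access to the OU's security descriptor.
Import-Module ActiveDirectory

$ouDN = 'OU=Employees,OU=User Accounts,DC=contoso,DC=com'   # assumption: lab OU
$role = 'AD_UserAccounts_Support'                            # assumption: lab role group

# 1. Who holds the role, including members of nested groups.
Write-Host "Members of $role (recursive):"
Get-ADGroupMember -Identity $role -Recursive |
    Select-Object objectClass, SamAccountName, distinguishedName |
    Format-Table -AutoSize

# 2. GUID -> name map so ObjectType/InheritedObjectType become readable.
$rootDse = Get-ADRootDSE
$names = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
    ForEach-Object { $names[[guid]$_.rightsGuid] = $_.displayName }
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(schemaIDGUID=*)' -Properties schemaIDGUID, lDAPDisplayName |
    ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Resolve-AceGuid([guid]$g) {
    if ($g -eq [guid]::Empty) { 'All' }
    elseif ($names.ContainsKey($g)) { $names[$g] }
    else { $g.ToString() }
}

# 3. Explicit (non-inherited) ACEs on the OU: exactly what a reset to the
#    schema default would remove.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
    [pscustomobject]@{
        Identity  = $_.IdentityReference
        Type      = $_.AccessControlType
        Rights    = $_.ActiveDirectoryRights
        AppliesTo = Resolve-AceGuid $_.ObjectType            # attribute, right or class
        Inherits  = Resolve-AceGuid $_.InheritedObjectType   # object class the ACE inherits to
        Scope     = $_.InheritanceType
    }
} | Format-Table -AutoSize

# 4. Check: nobody other than the role group has been granted Reset Password here.
$acl.Access | Where-Object {
    -not $_.IsInherited -and
    (Resolve-AceGuid $_.ObjectType) -eq 'Reset Password' -and
    $_.IdentityReference -notlike "*\$role"
} | ForEach-Object { Write-Warning "Reset Password also granted to $($_.IdentityReference)" }
```

Run the same report on the parent OUs as well: an ACE inherited from above is not shown by the IsInherited filter on this OU, but it still grants the right.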
Question: What details are captured by Directory Services Changes auditing that are not
captured by Directory Service Access auditing?
Answer: Directory Services Changes auditing captures important details, including the
specific attribute that is changed and the change that was made.
Question: Which type of administrative activities would you want to audit by using Directory
Services Changes auditing?
Answer: Lead a discussion to elicit suggestions from students. Pose the question: Why not
audit all changes in Active Directory? Answer: The volume of event log entries would make
finding particularly important changes difficult. Guide students to an understanding that the
configuration of Directory Services auditing should be driven by the requirements of an
organization's IT Security policies and procedures.
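The narrowing that the discussion above argues for can be done per OU rather than for the whole directory. The following added example (not from the course) configures Directory Service Changes auditing for one OU and then reads the resulting events; the OU path is an assumption. Two things have to be true for an event to be written: the subcategory must be enabled by policy, and the object must carry a SACL entry that matches the operation.

```powershell
# Added example: audit attribute changes on one OU and read the events back.
Import-Module ActiveDirectory

$ouDN     = 'OU=Employees,OU=User Accounts,DC=contoso,DC=com'   # assumption: lab OU
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# SACL: record successful writes of any property on every descendant object.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)

$acl = Get-Acl -Path "AD:\$ouDN" -Audit      # -Audit is needed to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Policy: the SACL alone produces nothing until the subcategory is enabled.
# In production set this in the GPO; auditpol here makes the effect immediate.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# Events: 5136 modify, 5137 create, 5139 move, 5141 delete. 5136 carries the
# attribute name, the value, and whether it was added (%%14674) or deleted (%%14675).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5139, 5141 } `
             -MaxEvents 25 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Who       = $d['SubjectUserName']
            Object    = $d['ObjectDN']
            Attribute = $d['AttributeLDAPDisplayName']
            Value     = $d['AttributeValue']
            Operation = $d['OperationType']
        }
    } | Format-Table -AutoSize
```

Because the SACL is scoped to one OU, changes elsewhere in the directory produce no events even though the subcategory is enabled domain-wide; that is the trade-off the question asks about.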
Module 10
Improving the Security of Authentication in an AD DS
Domain
Contents:
Lesson 1: Configure Password and Lockout Policies 127
Lesson 1
Configure Password and Lockout Policies
Contents:
Detailed Demonstration Steps 128
2. Run Group Policy Management with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, expand Forest:contoso.com, Domains, and contoso.com.
4. Right-click Default Domain Policy underneath the domain, contoso.com and click Edit.
• You may be prompted with a reminder that you are changing the settings of a GPO. If so, click
OK.
• Group Policy Management Editor opens.
5. In the console tree, expand Computer Configuration, Policies, Windows Settings, Security Settings,
and Account Policies, and then click Password Policy.
6. Double-click the following policy settings in the console details pane and configure the settings as
indicated:
• Enforce password history: 20 passwords remembered
2. Run ADSI Edit with administrative credentials. Use the user name Pat.Coleman_Admin and the password
Pa$$w0rd.
3. Right-click ADSI Edit, and then click Connect To.
7. In the console tree, expand CN=System, and then click CN=Password Settings Container.
All PSOs are created and stored in the Password Settings Container (PSC).
8. Right-click CN=Password Settings Container, point to New, and then click Object.
The Create Object dialog box appears. It prompts you to select the type of object to create. There is
only one choice: msDS-PasswordSettings—the technical name for the object class referred to as a
PSO.
9. Click Next.
You are then prompted for the value for each attribute of a PSO. The attributes are similar to those
found in the domain account policies.
10. Configure each attribute as indicated below. Click Next after each attribute.
• cn: My Domain Admins PSO. This is the common name of the PSO.
• msDS-LockoutDuration: 1:00:00:00. An account, if locked out, will remain locked for one day, or
until it is unlocked manually. A value of zero will result in the account remaining locked out until
an administrator unlocks it.
12. Run Active Directory Users and Computers as before and in the console tree, expand the System
container.
If you do not see the System container, then click the View menu of the MMC console, and ensure
that Advanced Features is selected.
14. Right-click My Domain Admins PSO, click Properties and then click the Attribute Editor tab.
15. In the Attributes list, select msDS-PSOAppliesTo, and then click Edit.
The Multi-valued Distinguished Name With Security Principal Editor dialog box appears.
19. In the console tree, expand the contoso.com domain and the Admins OU, and then click the Admin
Identities OU.
Additional Reading
Configure the Domain Password and Lockout Policy
• Windows Server 2003 Security Guide Chapter 3: The Domain Policy:
Lesson 3
Configure Read-Only Domain Controllers
Contents:
Detailed Demonstration Steps 133
Note Before performing this demonstration, if the Domain Controller object for BRANCHDC01 does
not yet exist, pre-create it on NYC-DC1 using these steps:
1. Run Active Directory Users and Computers with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.
2. In the console tree, expand the contoso.com domain, and then click the Domain Controllers OU.
3. Right-click Domain Controllers and click Pre-create Read-only Domain Controller Account. The
Active Directory Domain Services Installation Wizard appears.
4. Click Next.
13. Review your selections on the Summary page, and then click Next.
14. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
Configure a password replication policy
2. Run Active Directory Users and Computers with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.
5. Click the Password Replication Policy tab and view the default policy.
7. In the Active Directory Users and Computers console tree, click the Users container.
10. Examine the default membership of Allowed RODC Password Replication Group.
14. Click Cancel to close the Denied RODC Password Replication Group properties.
4. Click Advanced. The Advanced Password Replication Policy for BRANCHDC01 dialog box
appears. The Policy Usage tab displays Accounts whose passwords are stored on this Read-Only
Domain Controller.
5. From the drop-down list, select Accounts Whose Passwords Are Stored On This Read-Only
Domain Controller.
6. From the drop-down list, select Accounts that have been authenticated to this Read-only
Domain Controller.
7. Click the Resultant Policy tab, and then click Add. The Select Users or Computers dialog box
appears.
10. Click Prepopulate Passwords.The Select Users or Computers dialog box appears.
11. Type the name of the account you want to prepopulate (for example, type Chris.Gallagher), and then
click OK.
12. Click Yes to confirm that you want to send the credentials to the RODC. The following message
typically appears: Passwords for all accounts were successfully prepopulated. Note that for this
demonstration the BRANCHDC01 is not running as so an error is observed. Click OK.
Additional Reading
Installing an RODC
• For details regarding other options for installing an RODC, including delegated installation see
Answer: Create a shadow global group and place all the appropriate users into that group.
Then create and assign a PSO to the group.
Question: Where should you define the default password and account lockout policies for
user accounts in the domain?
Answer: Configure the baseline password and account lockout policies in the Default
Domain Policy GPO.
Question: What would be the disadvantage of auditing all successful and failed logons on all
machines in your domain?
Answer: Such an audit policy would generate a tremendous amount of audit entries across
every machine in your domain. Managing the security event logs and locating the events
that indicate potential problems would be very difficult. It is best to align your audit policy
with specific, narrowly-targeted auditing goals and requirements of your organization.
Question: What are the advantages and disadvantages of prepopulating the credentials for
all users and computers in a branch office to that branch's RODC?
Answer: There is no clear-cut answer to this question. Use it to review the strategic role of an
RODC. By prepopulating the credentials of users and computers in the branch RODC cache,
you ensure that authentication performance is maximized (on the first logon—after that, the
credential would have been cached because the users are on the Allow list anyway); and you
ensure that, if the WAN link is unavailable on the first logon, users can authenticate. The
disadvantage is that, should there be a breach of physical security on the RODC, those
credentials are exposed even if the users have not yet logged on in the branch.
Problem: A user or group does not have the expected PSO applied.
Resolution: Check whether you have created multiple PSOs and linked them to the same user or group. If
so, check the Precedence value: the PSO with the lowest value wins, and a PSO linked directly to the
user takes precedence over any PSO linked to a group.
Problem: You cannot deploy an RODC.
Resolution: Check that the domain has at least one writable Windows Server 2008 or Windows Server 2008 R2
domain controller, and that the forest and domain functional levels are at least Windows Server 2003
(in an existing forest, adprep /rodcprep must also have been run).
Answer: One possible solution is to set the minimum password age to two weeks, force a password change
every 30 days, and set the password history to remember the last 24 passwords.
• Minimum password age: 16 days (answers between 14 and 17 are acceptable), to account for a user who
leaves the office exactly two weeks before the password expires and wants to change the password first.
• Enforce password history: 22 (answers between 21 and 27 are acceptable), to account for the
possibility that a user changes the password every minimum password age (14 to 17 days) for the entire
year. The password history must be at least 365 days per year divided by the minimum password age.
• Use fine-grained password policy to specify password and account lockout policies for specific users
and groups with administrative privileges.
• Do not enable all options for auditing because you will have many security logs, which will be hard to
search. Use advanced audit logging to have more granular control.
• Deploy RODCs in sites where physical security is an issue.
Tools
Tool: Group Policy Management console. Used for: editing and managing Group Policy objects. Where to
find it: Administrative Tools.
Answer: Each PSO must fully define the appropriate password and account lockout policies,
because PSOs do not "merge." Link PSOs to global groups, and not to individual user
accounts. Ensure that each PSO has a unique precedence value.
Question: How can you define a unique password policy for all the service accounts in the
Service Accounts OU?
Answer: PSOs cannot be linked to an OU. You must create a global group that contains the
accounts that are in the Service Accounts OU. You can then link a PSO to that group.
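As an added example (not from the course), the following PowerShell does what the demonstration steps and the two answers above describe: a global group that shadows the Service Accounts OU, a PSO that fully defines every setting, a link from the PSO to the group rather than to users, and a precedence that is unique among existing PSOs. It needs the Active Directory module (Windows Server 2008 R2) and a domain at the Windows Server 2008 functional level; the OU paths, group name and policy values are assumptions.

```powershell
# Added example: fine-grained password policy for the Service Accounts OU.
Import-Module ActiveDirectory

$ou      = 'OU=Service Accounts,DC=contoso,DC=com'    # assumption: lab OU
$groupOu = 'OU=Groups,DC=contoso,DC=com'              # assumption
$group   = 'PSO_ServiceAccounts'                      # shadow group for the OU
$psoName = 'Service Accounts PSO'

# 1. Shadow group: PSOs link to users and global groups, never to OUs.
if (-not (Get-ADGroup -Filter { Name -eq $group })) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $groupOu
}
$members = Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter *
Add-ADGroupMember -Identity $group -Members $members

# 2. Precedence must be unique; otherwise the lowest value still wins but not
#    necessarily the PSO anyone intended. Pick the next free value.
$used = Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object { $_.Precedence }
$precedence = 10
while ($used -contains $precedence) { $precedence += 10 }

# 3. Every setting is defined: a PSO does not merge with the domain policy.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence $precedence `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 25 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 10 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
    -ProtectedFromAccidentalDeletion $true

# 4. Link the PSO to the group, not to the individual accounts.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# 5. Verify what actually applies to one account. No output means no PSO
#    applies and the Default Domain Policy settings are in force.
$sample = $members | Select-Object -First 1
Get-ADUserResultantPasswordPolicy -Identity $sample
```

The shadow group is not maintained automatically: an account created in the OU later is not covered until step 1 is rerun, so schedule it or make it part of the account-provisioning procedure.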
Question: You have been asked to audit attempts to log on to desktops and laptops in the
Finance division by using local accounts such as Administrator. What type of audit policy do
you set, and in what GPO(s)?
Answer: You will need to enable auditing for successful and failed account logon events.
However, the accounts you are interested in are local accounts, which are authenticated by
the local security authority on each desktop and laptop. Therefore, you will need to enable
auditing in a GPO that is scoped to apply to the desktops and laptops in the Finance division.
The settings do not need to be scoped to domain controllers.
Question: Why should you ensure that the password replication policy for a branch office
RODC has, in its Allow list, the accounts for the computers in the branch office as well as the
users?
Answer: Computers must authenticate to the domain as well as users, so the logic is the
same as with users: you want to improve authentication performance over the WAN and
ensure that authentication can continue even if the WAN link is unavailable.
Question: What would be the most manageable way to ensure that computers in a branch
are in the Allow list of the RODC's password replication policy?
Answer: Create a group for computers, for example Branch Office Computers.
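An added PowerShell example (not course material) for the password replication policy demonstration and the last two questions: it puts the branch computers into a group, adds that group to the Allow list, shows what the RODC has cached and authenticated, computes the resultant policy for one account the way the Resultant Policy tab does (membership is evaluated through nested groups, and Deny beats Allow), and prepopulates a password. BRANCHDC01, NYC-DC1 and Chris.Gallagher are the course's names; the OU paths and group names are assumptions, and the RODC must be online for the Sync-ADObject step.

```powershell
# Added example: manage and check an RODC password replication policy.
Import-Module ActiveDirectory

$rodc     = 'BRANCHDC01'
$hub      = 'NYC-DC1'
$branchOu = 'OU=Branch,DC=contoso,DC=com'          # assumption
$pcGroup  = 'Branch Office Computers'              # assumption
$groupOu  = 'OU=Groups,DC=contoso,DC=com'          # assumption

# 1. Computers authenticate too: group them and allow the group.
if (-not (Get-ADGroup -Filter { Name -eq $pcGroup })) {
    New-ADGroup -Name $pcGroup -GroupScope Global -GroupCategory Security -Path $groupOu
}
Add-ADGroupMember -Identity $pcGroup -Members (Get-ADComputer -SearchBase $branchOu -Filter *)
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $pcGroup

# 2. What the policy says, and what the RODC has actually done with it.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts      | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts | Select-Object Name

# 3. Resultant policy for one principal: explicit entries plus nested group
#    membership (LDAP_MATCHING_RULE_IN_CHAIN); any Deny match wins.
function Get-ResultantPrp([string]$Rodc, [string]$AccountDN) {
    $chain = @($AccountDN) + @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$AccountDN)" |
                                ForEach-Object { $_.DistinguishedName })
    $deny  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | ForEach-Object { $_.DistinguishedName }
    $allow = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | ForEach-Object { $_.DistinguishedName }
    if     ($chain | Where-Object { $deny  -contains $_ }) { 'Deny (explicit)' }
    elseif ($chain | Where-Object { $allow -contains $_ }) { 'Allow' }
    else                                                   { 'Deny (implicit: not in any list)' }
}
$user = Get-ADUser -Identity 'Chris.Gallagher'
Get-ResultantPrp -Rodc $rodc -AccountDN $user.DistinguishedName

# 4. Prepopulate: push only the secret from a writable DC to the RODC.
Sync-ADObject -Object $user.DistinguishedName -Source $hub -Destination $rodc -PasswordOnly
```

The RevealedAccounts list is the one to review after any physical-security incident at the branch: it is the set of secrets an attacker with the RODC's disk could have obtained.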
Module 11
Configuring Domain Name System
Contents:
Lesson 2 : Integration of AD DS, DNS, and Windows 140
Lesson 2
Integration of AD DS, DNS, and Windows
Contents:
Detailed Demonstration Steps 141
3. Run Lab11b_Setup.bat with administrative credentials. Use the account Pat.Coleman_Admin with
the password Pa$$w0rd. The lab setup script runs. When it is complete, press any key to continue.
5. Start 6425C-NYC-DC2.
1. On 6425C-NYC-DC1, run DNS Management with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.
2. In the console tree, expand NYC-DC1, Forward Lookup Zones, and contoso.com, and then click the
_tcp node. Examine the SRV records.
3. In the console tree, expand NYC-DC1, Forward Lookup Zones, contoso.com, _sites, Default-First-
Site-Name, and then click the _tcp node. Examine the SRV records.
4. Run Command Prompt with administrative credentials. Use the account Pat.Coleman_Admin with
the password Pa$$w0rd.
5. Type nslookup, and then press Enter.
7. Type _ldap._tcp.contoso.com, and then press Enter. Type Exit and then press Enter.
15. In the console tree, right-click the _tcp node, and then click Refresh. Examine the SRV records for
NYC-DC1.contoso.com.
16. Click Start, and in the Start Search box, type notepad.exe.
Note You should run this with administrative credentials to open the netlogon file in the next
step.
17. Click File, click Open, type %systemroot%\system32\config\netlogon.dns in the File Name box,
and then press Enter
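As an added check (not part of the demonstration), the PowerShell below runs the same SRV queries non-interactively and compares them with the records Netlogon wrote to netlogon.dns, which is what the domain controller expects to have registered. It uses nslookup and nltest because Resolve-DnsName does not exist on Windows Server 2008 R2; the domain, site and server names are the course's.

```powershell
# Added example: check the SRV records a client needs to find a domain controller.
$domain = 'contoso.com'
$site   = 'Default-First-Site-Name'

function Get-SrvTargets([string]$Name) {
    # nslookup prints one "svr hostname = <host>" line per SRV record
    $targets = @()
    foreach ($line in (nslookup -type=SRV $Name 2>&1)) {
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $targets += $Matches[1].TrimEnd('.') }
    }
    $targets
}

$queries = @(
    "_ldap._tcp.$domain",                 # any DC in the domain
    "_ldap._tcp.dc._msdcs.$domain",       # DCs only; the _msdcs form clients actually use
    "_kerberos._tcp.$domain",             # KDCs
    "_gc._tcp.$domain",                   # global catalogs (forest root zone)
    "_ldap._tcp.$site._sites.$domain"     # DCs in this site
)
foreach ($q in $queries) {
    '{0,-55} {1}' -f $q, ((Get-SrvTargets $q) -join ', ')
}

# Records this DC's Netlogon service believes it must register for its site.
Get-Content "$env:SystemRoot\System32\config\netlogon.dns" |
    Where-Object { $_ -match "^_ldap\._tcp\.$site\._sites" }

# The locator's own view: which DC a client in this site would be handed.
nltest /dsgetdc:$domain /force
```

A site-specific query that returns nothing while the generic one succeeds is the usual sign of a missing subnet-to-site mapping or of a DC whose netlogon.dns records were never accepted by the zone.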
Lesson 3
Advanced DNS Configuration and Administration
Contents:
Additional Reading 144
Additional Reading
Resolving Single-Label Names
• Providing Single-Label DNS Name Resolution
Answer: You would point out DNS Security Extensions, DNS Devolution, DNS Cache Locking
and DNS Socket Pool.
Question: You are deploying DNS servers into an Active Directory domain, and your
customer requires that the infrastructure is resistant to single points of failure. What must
you consider while planning the DNS configuration?
Question: You must automate a DNS server configuration process so that you can automate
the deployment of Windows Server 2008. Which DNS tool can you use to do this?
Problem: Zone transfer is not working.
Resolution: Ensure that the server trying to transfer the zone is permitted in the primary zone's Zone
Transfers configuration. Ensure that a firewall or other port-filtering device between the two DNS
servers is not blocking TCP port 53: zone transfers (AXFR and IXFR) run over TCP, while UDP port 53
carries only ordinary queries.
Problem: The DNS server performs slowly.
Resolution: Use Performance Monitor to identify the load that DNS requests place on the server. It may
be necessary to split the load across additional servers or to delegate subzones.
When you create a trust between two Active Directory domains, the ability of domain A to look up
records in domain B (and vice versa) depends on the DNS configuration. Active Directory domain zones
are rarely resolvable from the Internet, so you need conditional forwarders, stub zones, or secondary
zones so that each side can resolve the other's namespace across domains and forests.
By default, zone transfers are disabled in Windows Server 2008. When configuring zone transfers, it is
a best practice to specify the IP address of the servers to which you want to transfer zone data. Do
not select the Allow zone transfer to Any Server, especially if the server is on the Internet. With this
option enabled, it is possible to dump the entire zone, which can provide a significant amount of
information about the network to possible attackers.
• Disable recursion on servers that do not answer client queries and do not use forwarders. DNS servers
resolve names amongst themselves by using iterative queries, so disabling recursion ensures that the
server answers only for the zones it hosts; it also prevents the server from being used as an open
resolver, for example in reflection attacks against third parties.
• Consider the use of secondary zones to assist in off-loading DNS query traffic wherever appropriate.
• Enter the correct email address of the responsible person for each zone you add to, or manage on, a
DNS server. Applications use this field to notify DNS administrators for a variety of reasons. For
example, query errors, incorrect data returned in a query, and security problems are a few ways in
which this field can be used. Although most Internet email addresses contain the “@”symbol to
represent the word “at” in email, this symbol must be replaced with a period (.) when entering an
email address for this field. For example, instead of “administrator@microsoft.com,” you would use
“administrator.microsoft.com.”
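The settings in the bullets above can be applied and verified from the command line with dnscmd.exe, which ships with the DNS Server role; the following is an added example, not text from the course. The zone is the course's contoso.com; the secondary server's address is an assumption.

```powershell
# Added example: restrict zone transfers and recursion with dnscmd, then verify.
$zone      = 'contoso.com'
$secondary = '10.0.0.20'      # assumption: the only server allowed to pull this zone

# Before. "secure secs": 0 = any server, 1 = servers in NS records, 2 = listed IPs, 3 = no transfers
dnscmd /ZoneInfo $zone | Select-String 'secure secs', 'Zone Secondaries'

# Restrict transfers to an explicit list; /NoXfr would disable them entirely.
dnscmd /ZoneResetSecondaries $zone /SecureList $secondary

# A server that hosts only authoritative zones and serves no clients should not
# recurse; otherwise it can be used as an open resolver.
dnscmd /Config /NoRecursion 1

# Responsible person in the SOA: the first '.' in that field stands for '@'.
dnscmd /EnumRecords $zone '@' /Type SOA

# After: "secure secs" should now read 2 and the listed address should appear.
dnscmd /ZoneInfo $zone | Select-String 'secure secs', 'Zone Secondaries'

# Negative test from any other host: in interactive nslookup, "server <this-dns-server>"
# followed by "ls -d contoso.com" must now be answered with "Query refused".
```

The negative test is worth keeping in a change checklist: the GUI setting and the dnscmd value can both look right while a second DNS server, still configured to allow transfers to any server, hosts a copy of the same zone.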
Tools
Tool: DNS Management Console. Used for: DNS administration and management. Where to find it:
Administrative Tools.
Answer: They cannot resolve names other than those in the contoso.com domain (zone).
Question: In this lab, you used a stub zone and a conditional forwarder to provide name
resolution between two distinct domains. What other options could you have used?
Answer: You could create a secondary zone in each domain that hosts a copy of the zone
from the other. If the domains have delegations in the top-level .com domain, you could use
root hints and standard DNS recursive queries to get them to resolve names in each other’s
domains.
Module 12
Administering AD DS Domain Controllers
Contents:
Lesson 1: Domain Controller Installation Options 149
Lesson 1
Domain Controller Installation Options
Contents:
Additional Reading 150
Additional Reading
Unattended Installation Options and Answer Files
• For a complete reference of dcpromo parameters and unattended installation options, see
• ADPrep
• See article 216498 in the Microsoft Knowledge Base for information about performing metadata
cleanup. The article is located at
Lesson 2
Install a Server Core Domain Controller
Contents:
Additional Reading 152
Additional Reading
Understand Server Core
• Server Core Installation Option
Answer: This option is available only during installation of the first domain controller in a
domain or forest.
Question: How can you easily prepare an unattended file for domain controller installation?
Answer: Run dcpromo.exe on a full installation of Windows Server 2008 or 2008 R2, configure the
settings in the wizard, and export them as an answer file from the Summary page.
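An added example of such an answer file and of how to use it on Server Core, where no wizard is available (this is not text from the course). It promotes a replica domain controller into contoso.com with the course's administrative account; the paths, site name and file location are assumptions. Password=* makes dcpromo prompt for the domain credentials; the DSRM password is read at run time and the file is deleted afterwards so that it does not persist on disk.

```powershell
# Added example: unattended replica DC promotion. Assumes Server Core 2008 R2 with the
# PowerShell feature enabled; on Server Core 2008 write the same file with notepad or echo.
$file = 'C:\Unattend\dcpromo-replica.txt'      # assumption
New-Item -ItemType Directory -Path (Split-Path $file) -Force | Out-Null

$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password'

$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
UserDomain=contoso.com
UserName=Pat.Coleman_Admin
Password=*
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@
Set-Content -Path $file -Value $answer -Encoding ASCII

# dcpromo validates every option before it changes anything.
dcpromo /unattend:$file
$exit = $LASTEXITCODE

# The file holds the DSRM password: remove it before anything else.
Remove-Item $file -Force
Write-Host "dcpromo exit code $exit; review C:\Windows\debug\dcpromo.log, then restart the server."
```

Keeping RebootOnCompletion=No is what makes the clean-up line reachable; with Yes the server restarts while the answer file, DSRM password included, is still on disk.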
Question: How can you tell that the RID master is not working?
Answer: If the RID master fails, you will eventually be prevented from creating new security
principals; for example, you will not be able to create new user objects. This does not happen
immediately, because domain controllers contact the RID master only when their current RID pool
runs low and they need a new allocation.
Question: If you seize the operations master role, can you bring online the original
operation master?
Answer: Only if the failed domain controller was the PDC emulator or infrastructure master.
Schema, domain naming, and RID master role holders cannot be brought back online if the
role was seized while the domain controller was offline. Instead, the failed domain controller
must be demoted or, preferably, reinstalled entirely while offline. After the server is back
online, it can be re-promoted to a domain controller and, at that time, the operations master
role can be transferred gracefully to it.
Problem: You cannot transfer one or more operations master roles.
Resolution: Check whether the current role holder is online. If it is not, you must seize the role
instead of transferring it.
Problem: You cannot install a role or feature on Server Core.
Resolution: Check whether the role you want to install is supported on Server Core, which supports only
a limited number of roles and features.
Problem: You cannot add an additional domain controller to the current AD DS infrastructure.
Resolution: Check whether at least one domain controller is available, check DNS functionality, and
check the IP settings.
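The following added PowerShell (not course material) puts the transfer-or-seize decision above into code: it lists the current holders, binds directly to the holder of a role to decide whether a graceful transfer is possible, and seizes only when it is not. NYC-DC2 as the target is an assumption. The RID check at the end uses dcdiag's RidManager test, which reports the RID master and the local pool.

```powershell
# Added example: operations master inventory, transfer-or-seize, and RID pool check.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$forest  = Get-ADForest
$holders = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$holders.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

function Move-OperationsMaster([string]$Role, [string]$Target) {
    $holder = $holders[$Role]
    # Bind to the holder itself, not to any DC, to decide whether it can hand the role over.
    $alive = $false
    try { $null = Get-ADRootDSE -Server $holder -ErrorAction Stop; $alive = $true } catch { }

    if ($alive) {
        Write-Host "$Role holder $holder is reachable: transferring to $Target"
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Confirm:$false
    }
    else {
        Write-Warning "$holder does not answer LDAP: seizing $Role on $Target"
        if ('SchemaMaster', 'DomainNamingMaster', 'RIDMaster' -contains $Role) {
            Write-Warning "After seizing $Role, $holder must never return as a DC: clean up its metadata and rebuild it."
        }
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force -Confirm:$false
    }
}

Move-OperationsMaster -Role RIDMaster -Target 'NYC-DC2'    # assumption: NYC-DC2 is a healthy writable DC

# Is the RID master doing its job? The test reports the master and this DC's pool.
dcdiag /test:RidManager /v
```

A transient network fault can make a healthy holder look dead for the few seconds the bind takes, so treat the seize branch as a manual decision in production: confirm the holder really is gone before letting the script take it.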
• Distribute operations masters roles on several servers. Be sure to co-locate compatible roles.
Tools
Tool: Active Directory Users and Computers. Used for: managing operations masters, managing the domain
functional level, and trust management. Where to find it: Administrative Tools.
Answer: Automation of installation; consistency (always using the same options in a script
rather than hoping that an administrator chooses the correct options); documentation (the script
"documents" how the domain controller was installed); and Server Core installation.
Question: In which situations does it make sense to create a domain controller using
installation media?
Answer: When the replication of Active Directory to the new domain controller will be
problematic from a performance or network impact perspective.
Question: Did you find the configuration of Server Core to be particularly difficult?
Answer: Answers will vary; some administrators may find it difficult to perform the initial
configuration by using only command-line utilities.
Question: What are the advantages of using Server Core for domain controllers?
Answer: Reduced system requirements and a reduced attack surface (fewer installed components, so
fewer vulnerabilities to patch), and therefore better security.
Question: If you transfer all roles before taking a domain controller offline, is it okay to bring
the domain controller back online?
Answer: Yes
Question: When you enable global catalog, what actually happens on that domain
controller?
Answer: The domain controller that is designated as global catalog, in addition to its full,
writable domain directory partition replica, also starts to store a partial, read-only replica of
all other domain directory partitions in the forest.
Question: On which level would you enable Universal Group Membership Caching?
Answer: It is enabled on site level.
Question: What would you expect to be different between two enterprises, one which
created its domain initially with Windows 2008 domain controllers, and one that migrated to
Windows Server 2008 from Windows Server 2003?
Answer: In a domain created at the Windows Server 2008 domain functional level, the SYSVOL
share refers to a folder named SYSVOL that is replicated by DFS-R. In a domain that was
created with domain controllers prior to Windows Server 2008, SYSVOL is replicated by FRS
until it has been migrated. After the migration, the SYSVOL share refers to a folder named
SYSVOL_DFSR.
Question: What must you be aware of while migrating from the Prepared to the Redirected
state?
Answer: While migrating from the Prepared to the Redirected state, any changes made to
SYSVOL must be manually duplicated in SYSVOL_DFSR.
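The state transitions referred to above are driven by dfsrmig.exe. Here is an added example (not from the course) of checking where a domain is in the migration and what the SYSVOL share currently points at before moving on. It runs on a domain controller; the robocopy line only lists differences (/L) so that you can see what would have to be copied from SYSVOL to SYSVOL_DFSR before the Redirected step.

```powershell
# Added example: inspect SYSVOL replication state during an FRS to DFS-R migration.
# Global states: 0 Start, 1 Prepared, 2 Redirected, 3 Eliminated.
dfsrmig /getglobalstate       # state set by the administrator
dfsrmig /getmigrationstate    # whether every DC has reached it; wait until all have

# Where the share points: under SYSVOL (FRS) or SYSVOL_DFSR (DFS-R)
Get-WmiObject -Class Win32_Share -Filter "Name='SYSVOL'" | Select-Object Name, Path

# Between Prepared and Redirected the FRS copy is still the live one. List what
# differs so that changes made to SYSVOL meanwhile are not lost; /L lists only.
$frs  = "$env:SystemRoot\SYSVOL\domain"
$dfsr = "$env:SystemRoot\SYSVOL_DFSR\domain"
robocopy $frs $dfsr /E /L /XD DfsrPrivate DO_NOT_REMOVE_NtFrs_PreInstall_Directory /NJH /NJS

# Only after the listing is empty and every DC reports Prepared:
# dfsrmig /setglobalstate 2
```

Run the listing on more than one domain controller: FRS replicates the change you are looking for to every DC, and the migration state is global, so a difference that exists on any one of them will be lost on all of them.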
Module 13
Managing Sites and Active Directory® Replication
Contents:
Lesson 1: Configure Sites and Subnets 157
Lesson 1
Configure Sites and Subnets
Contents:
Additional Reading 158
Additional Reading
How Client Locates Domain Controller
• For more information about domain controller location, see
Lesson 2
Configure Replication
Contents:
Additional Reading 160
Additional Reading
Bridgehead Servers
• Bridge Server Selection
Answer: The process of locating domain controllers and other services can be made more
efficient by referring clients to the correct site, based on the client’s IP address and the
definition of subnets. If a client has an IP address that does not belong to a site, the client will
query for all DCs in the domain, and that is not at all efficient. In fact, a single client can be
performing actions against domain controllers in different sites, which (if those changes have
not replicated yet) can lead to very strange results. It is very important that each client
knows what site it is in, and that’s achieved by ensuring that DCs can identify what site a
client is in.
Question: What are the advantages and disadvantages of reducing the intersite replication
interval?
Answer: Convergence is improved. Changes made in one site are replicated more quickly to
other sites. There are actually few, if any, disadvantages. If you consider that the same
changes must replicate whether they wait 15 minutes or 3 hours to replicate, it’s really a
matter of timing of replication rather than the quantity of replication. However, in some
extreme situations, it’s possible that allowing a smaller number of changes to happen more
frequently might be less preferable than allowing a large number of changes to replicate less
frequently.
Answer: SMTP can be used for intersite replication. Its disadvantage is that it cannot replicate the
domain partition; only the schema, configuration, and application directory partitions can be
replicated over SMTP.
Problem: Replication between two domain controllers in the same site does not work.
Resolution: Check whether both domain controllers appear in the same site. Check whether Active
Directory on both domain controllers is operational.
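An added PowerShell example (not part of the course) for the troubleshooting row above: it confirms which site each domain controller and each subnet belongs to, summarises replication health forest-wide, shows the inbound partners and last error for one DC, and forces a synchronisation. NYC-DC1 is the course's server name; Get-ADReplicationSubnet does not exist on Windows Server 2008 R2, so the subnet list is read from the configuration partition directly.

```powershell
# Added example: check site placement and replication health.
Import-Module ActiveDirectory
$dc = 'NYC-DC1'

# Are the DCs really where you think they are, and which subnets map to which site?
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address | Format-Table -AutoSize
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Subnets,CN=Sites,$cfg" -LDAPFilter '(objectClass=subnet)' -Properties siteObject |
    Select-Object Name, siteObject | Format-Table -AutoSize

# Which site does this machine resolve itself to (client-side view of the same mapping)?
nltest /dsgetsite

# Forest-wide summary: largest delta and fails/total per DC
repadmin /replsummary

# Inbound partners of one DC with the last failure status (0 = OK)
repadmin /showrepl $dc /csv | ConvertFrom-Csv |
    Select-Object 'Source DSA', 'Naming Context', 'Last Success Time', 'Number of Failures', 'Last Failure Status' |
    Format-Table -AutoSize

# Is the directory service itself answering on that DC?
dcdiag /s:$dc /test:Connectivity /test:Replications

# Force inbound replication of all partitions from all partners, then rerun /showrepl
repadmin /syncall $dc /AdeP
```

If /showrepl lists a partner in the same site with a non-zero Last Failure Status but dcdiag's Connectivity test passes, the problem is usually on the source side (its NTDS service or its own replication state), which is the second check the troubleshooting row asks for.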
• Do not setup long intervals without replication when you configure replication schedules for intersite
replication.
• Do not use universal groups unless necessary because they create additional replication traffic.
Tools
Tool: Active Directory Sites and Services. Used for: managing site objects, site links, and
replication. Where to find it: Administrative Tools.
Module 14
Managing Sites and Active Directory® Replication
Contents:
Lesson 1: Monitor Active Directory 165
Lesson 1
Monitor Active Directory
Contents:
Detailed Demonstration Steps 166
1. If it is not already started, start the virtual machine 6425C-NYC-DC1 and log on as
Contoso\Pat.Coleman_Admin with the password Pa$$w0rd.
2. Open Performance Monitor and then add the server baseline counters.
3. Add some of the Active Directory counters, and then start the Data Collector Set.
6. In the system container, start the Active Directory Diagnostics Data Collector Set.
3. In the left console pane, expand Roles and click the Active Directory Domain Services role.
6. Review the events that appear on the Noncompliant tab. Emphasize that some events have severity
Error and some Warning.
7. Right-click any event and select Properties.
9. Right-click any event and select Exclude Result. Show that the event now appears on the Excluded tab.
10. Click the Compliant tab and show the events that appear there.
11. Close Server Manager.
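The baseline counters and the Best Practices Analyzer results from the demonstration, collected from PowerShell instead of the consoles. This is an added example, not part of the courseware; the function names are constructed, and the BPA model id is assumed (confirm it with Get-BpaModel).

```powershell
# Added example, not part of the courseware: sample the NTDS counters from
# Performance Monitor and pull the AD DS Best Practices Analyzer findings.
# Requires an elevated session on a Windows Server 2008 R2 domain controller.
Import-Module BestPractices

# Server baseline counters plus a few from the NTDS object.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\NTDS\LDAP Searches/sec',
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec'
)

function Get-AdBaseline {
    param([int]$Samples = 5, [int]$IntervalSeconds = 2)
    # Average each counter over the window so one spike does not become
    # the baseline that later monitoring results are compared against.
    $sets = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $sets | ForEach-Object { $_.CounterSamples } |
        Group-Object -Property Path |
        ForEach-Object {
            $avg = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            New-Object PSObject -Property @{
                Counter = $_.Name
                Average = [math]::Round($avg, 2)
            }
        }
}

function Get-AdBpaFindings {
    # Model id assumed for the AD DS BPA model; confirm with Get-BpaModel.
    $modelId = 'Microsoft/Windows/DirectoryServices'
    Invoke-BpaModel $modelId | Out-Null
    # Same view as the Noncompliant tab in Server Manager: Error and Warning
    # results that nobody has excluded yet.
    Get-BpaResult $modelId |
        Where-Object { ('Error','Warning') -contains $_.Severity -and -not $_.Excluded } |
        Select-Object Severity, Title, Problem, Resolution
}

Get-AdBaseline | Format-Table Counter, Average -AutoSize
Get-AdBpaFindings | Format-List
```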
Additional Reading
Performance Monitor
• Using Performance Monitor
Lesson 2
Manage the Active Directory Database
Contents:
Questions and Answers 169
Answer: Both Microsoft Exchange Server and Microsoft SQL Server® use the transaction
model. The AD DS model is very similar in all cases, although some details, such as the size of
the transaction logs, vary. For example, in Exchange Server 2007, the transaction logs are
only 1 MB in size.
Answer: Most organizations will have to perform an offline defragmentation only when they
need to optimize database usage. In general, you will do this only when the amount of data
that you are storing in the AD DS database on a domain controller decreases significantly.
Answer: The database needs to be closed completely before it can be overwritten. An online
database may have locked records that are being written to, thus preventing file
modification.
Answer: Compacting the database actually creates a contiguous copy, which will be used to
overwrite the fragmented original.
1. If it is not already started, start the virtual machine 6425C-NYC-DC1 and log on as
Contoso\Pat.Coleman_Admin with the password Pa$$w0rd.
2. Click Start, click Administrative Tools, and then click Services.
3. Right-click Active Directory Domain Services, and then select Stop from the context menu.
1. Click Start, click Run, type CMD, and then press Enter.
2. In the command window, type ntdsutil, and then press Enter. Click Yes.
3. At the ntdsutil: prompt, type Activate Instance NTDS, and then press Enter.
5. At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath (where
drive:\LocalDirectoryPath is the path to a location on the local computer), and then press Ctrl+C to break
the process. It takes too long to demonstrate.
6. Next, you would copy NTDS.dit to a “backup” location, along with the logs (*.log), and then you
would delete the logs (*.log).
7. Next, check the integrity of the newly compacted database. Type integrity, and then press Ctrl+C to
break the process.
9. In the Services MMC, right-click Active Directory Domain Services, and then click Start.
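The same offline defragmentation, scripted end to end, including the copy and integrity steps the demonstration only describes. This is an added example, not part of the courseware; C:\AdCompact and C:\AdBackup are assumed paths, and the script assumes ntdsutil sets a nonzero exit code on failure.

```powershell
# Added example, not part of the courseware: the offline defragmentation the
# demonstration performs with ntdsutil, scripted end to end. C:\AdCompact and
# C:\AdBackup are assumed paths; stopping NTDS takes the DC offline for users.
$compactDir = 'C:\AdCompact'
$backupDir  = 'C:\AdBackup'

# Locate ntds.dit and its log folder from the NTDS service parameters.
$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = $params.'DSA Database file'
$logDir  = $params.'Database log files path'
New-Item -ItemType Directory -Force -Path $compactDir, $backupDir | Out-Null

# 1. Stop AD DS while the server stays online (no DSRM restart). Remember the
#    dependent services (DNS, KDC, ...) that -Force stops so they come back.
$dependents = Get-Service NTDS -DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service NTDS -Force

# 2. Write a contiguous copy of the database. ntdsutil takes its interactive
#    commands as arguments; the two quits leave "file maintenance:" and "ntdsutil:".
& ntdsutil.exe 'activate instance ntds' files "compact to $compactDir" quit quit
if ($LASTEXITCODE -ne 0) { throw "compact failed (exit code $LASTEXITCODE)" }  # nonzero on error assumed

# 3. Keep the original database and logs until the new file is verified.
Copy-Item $ditPath $backupDir
Copy-Item (Join-Path $logDir '*.log') $backupDir

# 4. Overwrite the fragmented original with the compacted copy; delete old logs.
Copy-Item (Join-Path $compactDir 'ntds.dit') $ditPath -Force
Remove-Item (Join-Path $logDir '*.log')

# 5. Check the integrity of the new file; on failure put the original back.
& ntdsutil.exe 'activate instance ntds' files integrity quit quit
if ($LASTEXITCODE -ne 0) {
    Copy-Item (Join-Path $backupDir 'ntds.dit') $ditPath -Force
    Copy-Item (Join-Path $backupDir '*.log') $logDir
    throw 'integrity check failed; original database and logs restored'
}

# 6. Start AD DS and the services that were stopped with it.
Start-Service NTDS
$dependents | Start-Service
```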
Additional Reading
Active Directory Database Files
• How the Data Store Works
NTDSUtil
• Data Store Tools and Settings
• How to remove data in Active Directory after an unsuccessful domain controller demotion
Lesson 3
Active Directory Recycle Bin
Contents:
Detailed Demonstration Steps 173
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory
Domains and Trusts.
2. Right-click Active Directory Domains and Trusts and click Raise Forest Functional Level.
3. Check the value of Current forest functional level. If it is not set to Windows Server 2008 R2,
proceed to the next step. If it is, click OK and close the Active Directory Domains and Trusts
console.
4. In the Select an available forest functional level drop-down list, select Windows Server 2008 R2.
5. Click Raise.
Delete an object
1. Open the Active Directory Users and Computers console from Administrative Tools.
2. Expand Contoso.com and expand User Accounts and then click the Employees organizational unit.
3. In the central pane, right-click Aaron Lee and select Delete.
3. In the Controls dialog box, expand the Load Predefined menu, click Return deleted objects, and
then click OK.
• Click View, click Tree, and in BaseDN, type DC=contoso,DC=com, and then click OK.
• In the console tree, double-click the root distinguished name (also known as DN) and locate the
CN=Deleted Objects,DC=contoso,DC=com container. Expand that object and ensure that the
Aaron Lee object appears below it.
5. Right-click the CN=Aaron Lee,... object, and click Modify.
9. In the Values box, type the original distinguished name, which is CN=Aaron Lee,OU=Employees,
OU=User Accounts,DC=contoso,DC=com.
10. Under Operation, click Replace.
11. Ensure that the Extended check box is selected, click Enter, and then click Run.
12. Click Close.
13. From Administrative Tools, open the Active Directory Users and Computers console
14. Expand Contoso.com and expand User Accounts and then click the Employees organizational unit.
15. Ensure that the Aaron Lee user object exists and that all attributes like group membership are
retained.
Additional Reading
What Is Active Directory Recycle Bin?
• Active Directory Recycle Bin Step-by-Step Guide
Lesson 4
Back Up and Restore AD DS and Domain Controllers
Contents:
Detailed Demonstration Steps 177
3. On the Backup Options page, ensure that Different options is selected, and then click Next.
4. On the Select Backup Configuration page, click Custom, and then click Next.
5. On the Select Items for Backup page, click Add Items.
6. On the Select Items dialog box, click System state, and then click OK. Click Next.
Additional Reading
Backup and Recovery Tools
• Backup and Recovery Overview for Windows Server 2008
Question: Which tool should be used to clean up metadata from an offline domain controller?
Answer: You should use ntdsutil for this purpose.
Question: What should you do before starting to use Active Directory Recycle Bin?
Answer: You should check that your forest functional level is Windows Server 2008 R2, and
you must enable the Active Directory Recycle Bin feature by using Windows PowerShell or by
using ldp.exe.
Question: What kind of restore can you perform with Active Directory?
Answer: You can perform an authoritative restore, a nonauthoritative restore, and a restore of
single objects with Active Directory Recycle Bin.
You suspect that Active Directory is not configured according to best practices: Run the Active Directory Best Practices Analyzer.
You want to be able to quickly restore accidentally deleted objects: Enable the Active Directory Recycle Bin feature.
• Always establish a baseline before starting to make decisions based on monitoring results.
• Use the ability to stop and start AD DS while the domain controller is online instead of restarting into
Directory Services Restore Mode.
Tools
Tool: Performance Monitor
Used for: Monitoring system objects from a performance aspect
Where to find it: Administrative Tools
Tool: Active Directory Recycle Bin
Used for: Windows Server 2008 R2 Active Directory provides a feature that enables object restoration after accidental deletion
Question: To which events or performance counters would you consider attaching email
notifications or actions? Do you use notifications or actions currently in your enterprise
monitoring?
Question: In which other situations should you mount a snapshot of Active Directory?
Answer: If you discover a problem with Active Directory that will require restoring a backup,
you might want to look at snapshots to determine just how far back you need to go to
restore. After you’ve found the snapshot in which the correct data resides, you can restore
the backup taken on the same date.
Question: What are the disadvantages of restoring a deleted object with a tool such as LDP?
Question: Will it be possible to restore these deleted objects if they were deleted before
Active Directory Recycle Bin has been enabled?
Answer: Yes, but only as tombstone objects, without most of their attributes, or by using an
authoritative restore of AD DS.
Question: In which scenarios is Windows PowerShell a more appropriate method for object
restoration?
Answer: If you are restoring multiple objects, Windows PowerShell is a much more convenient method
because you can pipeline commands and restore multiple objects with a single
command.
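The PowerShell route to the Lesson 3 demonstration (enable the Recycle Bin, then restore deleted users from the Employees OU in one pipeline), as an added example that is not part of the courseware. The forest name and OU come from the courseware; the function name and the 24-hour window are constructed for this example.

```powershell
# Added example, not part of the courseware: enable Active Directory Recycle
# Bin and restore deleted objects with the ActiveDirectory module, the
# pipelined alternative to the LDP steps in the Lesson 3 demonstration.
Import-Module ActiveDirectory

# Prerequisite from the lesson: forest functional level Windows Server 2008 R2.
$forest = Get-ADForest
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest functional level is $($forest.ForestMode); raise it first."
}

# Enabling is one-way: the feature cannot be disabled afterwards.
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

function Restore-RecentlyDeletedUsers {
    param(
        [string]$OriginalOu = 'OU=Employees,OU=User Accounts,DC=contoso,DC=com',
        [int]$Hours = 24   # constructed window for this example
    )
    $since = (Get-Date).AddHours(-$Hours)
    # Deleted objects carry isDeleted=TRUE and lastKnownParent; they are only
    # returned when -IncludeDeletedObjects is set. If the parent OU was deleted
    # too, restore the OU first or the user restore fails.
    Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'user' } `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Where-Object { $_.lastKnownParent -eq $OriginalOu -and $_.whenChanged -ge $since } |
        Restore-ADObject -PassThru
}

# Restores every user deleted from the Employees OU in the last day, with
# attributes such as group membership intact, in one pipeline.
Restore-RecentlyDeletedUsers | Select-Object Name, DistinguishedName
```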
Question: What type of domain controller and directory service backup plan do you have in
place? What do you expect to put in place after having completed this lesson and this Lab?
Question: When you restore a deleted user (or an OU with user objects) by using
authoritative restore, will the objects be exactly the same as before? Which attributes might
not be the same?
Answer: Answers may vary somewhat, but the question is designed to frame a discussion of
group membership. A user’s group membership is not an attribute of the user object but
rather of the group object. When you authoritatively restore a user, you are not restoring
users’ membership in groups. The user was removed from the member attribute of groups
when it was deleted. So the restored user will not be a member of any groups other than its
primary group. In order to restore group memberships, you would have to consider
authoritatively restoring groups as well. This may or may not always be desirable, because
when you authoritatively restore the groups you return their membership to the day on
which the backup was made.
Module 15
Managing Multiple Domains and Forests
Contents:
Lesson 2: Manage Multiple Domains and Trust Relationships 183
Lesson 2
Manage Multiple Domains and Trust Relationships
Contents:
Detailed Demonstration Steps 184
2. Right-click the domain that will participate in one side of the trust relationship, and click Properties.
You must be running Active Directory Domains and Trusts with credentials that have permissions to
create trusts in this domain.
The New Trust Wizard guides you through the creation of the trust.
5. On the Trust Name page, type the DNS name of the other domain in the trust relationship, and then
click Next.
6. If the domain you entered is not within the same forest, you will be prompted to select the type of
trust, which will be one of the following:
• Forest
• External
• Realm
If the domain is in the same forest, the wizard knows it is a shortcut trust.
7. If you are creating a realm trust, you will be prompted to indicate whether the trust is transitive or
nontransitive. (Realm trusts are discussed later in this lesson.)
8. On the Direction Of Trust page, select one of the following:
• Two-Way. This establishes a two-way trust between the domains.
• One-Way: Incoming. This establishes a one-way trust in which the domain you selected in step
2 is the trusted domain, and the domain you entered in step 5 is the trusting domain.
• One-Way: Outgoing. This establishes a one-way trust in which the domain you selected in step
2 is the trusting domain, and the domain you entered in step 5 is the trusted domain.
9. Click Next.
• Both this domain and the specified domain. This establishes both sides of the trust. This
requires that you have permission to create trusts in both domains.
• This domain Only. This creates the trust relationship in the domain you selected in step 2. An
administrator with permission to create trusts in the other domain must repeat this process to
complete the trust relationship.
The next steps will depend on the options you selected in steps 8 and 10. The steps will involve
one of the following:
• If you selected Both this domain and the specified domain, you must enter a user name and
password with permissions to create the trust in the domain specified in step 5.
• If you selected This Domain Only, you must enter a trust password. A trust password is entered
by administrators on each side of a trust to establish the trust. The passwords should not be the
administrators’ user account passwords. Instead, each should be a unique password used only for
creating this trust. The passwords are used to establish the trust, and then the domains change
them immediately.
11. If the trust is an outgoing trust, you are prompted to choose one of the following:
• Selective Authentication
12. The New Trust Wizard summarizes your selections on the Trust Selections Complete page. Click
Next.
13. The Trust Creation Complete page appears. Verify the settings, and then click Next.
You will then have the opportunity to confirm the trust. This option is useful if you have created both
sides of the trust or if you are completing the second side of a trust.
If you selected Both this domain and the specified domain in step 8, the process is complete. If
you selected This domain only in step 8, the trust relationship will not be complete until an
administrator in the other domain completes the process:
• If the trust relationship you established is a one-way outgoing trust, an administrator in the other
domain must create a one-way incoming trust.
• If the trust relationship you established is a one-way incoming trust, an administrator in the other
domain must create a one-way outgoing trust.
• If the trust relationship you established is a two-way trust, an administrator in the other domain
must create a two-way trust.
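The wizard's direction choices from step 8 mapped onto netdom, creating both sides of the trust and then confirming it. This is an added example, not part of the courseware; netdom is the built-in tool, while the function name and the tailspintoys.com domain name are constructed for the example.

```powershell
# Added example, not part of the courseware: create a trust with netdom using
# the same "this domain" / "specified domain" vocabulary as the New Trust Wizard.
function New-DomainTrust {
    param(
        [Parameter(Mandatory=$true)][string]$ThisDomain,       # domain chosen in step 2
        [Parameter(Mandatory=$true)][string]$SpecifiedDomain,  # domain typed in step 5
        [ValidateSet('TwoWay','OneWayIncoming','OneWayOutgoing')]
        [string]$Direction = 'TwoWay',
        [Parameter(Mandatory=$true)][string]$ThisDomainAdmin,       # may create trusts here
        [Parameter(Mandatory=$true)][string]$SpecifiedDomainAdmin   # may create trusts there
    )
    # netdom trust <trusting> /d:<trusted> /add creates a trust in which the
    # first domain trusts the domain named after /d.
    switch ($Direction) {
        'OneWayIncoming' { $trusting = $SpecifiedDomain; $trusted = $ThisDomain }
        default          { $trusting = $ThisDomain;      $trusted = $SpecifiedDomain }
    }
    # Which admin account belongs to which side follows from the direction.
    if ($trusting -eq $ThisDomain) { $userO = $ThisDomainAdmin;      $userD = $SpecifiedDomainAdmin }
    else                           { $userO = $SpecifiedDomainAdmin; $userD = $ThisDomainAdmin }

    # "Both this domain and the specified domain": credentials for both sides.
    # A trailing * makes netdom prompt rather than take the password as text.
    $netdomArgs = @('trust', $trusting, "/d:$trusted", '/add',
                    "/userO:$userO", '/passwordO:*',   # trusting (object) domain
                    "/userD:$userD", '/passwordD:*')   # trusted domain
    if ($Direction -eq 'TwoWay') { $netdomArgs += '/twoway' }
    & netdom.exe @netdomArgs
    if ($LASTEXITCODE -ne 0) { throw "netdom failed with exit code $LASTEXITCODE" }

    # Confirm the trust, as the wizard offers after Trust Creation Complete.
    & netdom.exe trust $trusting /d:$trusted /verify
}

# contoso.com (this domain) trusts tailspintoys.com (constructed name), so
# Tailspin Toys users can be granted access to Contoso resources.
New-DomainTrust -ThisDomain contoso.com -SpecifiedDomain tailspintoys.com `
    -Direction OneWayOutgoing -ThisDomainAdmin 'CONTOSO\Pat.Coleman_Admin' `
    -SpecifiedDomainAdmin 'TAILSPINTOYS\administrator'
```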
Additional Reading
Define Your Forest and Domain Structure
• For more information about the security considerations related to domain and forest design, see “Best
Practices for Delegating Active Directory Administration” at
Forest Trusts
• You can learn about the DNS requirements for a forest trust at
Answer: The domain controller uses the trust relationship with its parent and refers the
user’s computer to a domain controller in its parent domain. This attempt to locate a
resource continues up the trust hierarchy, possibly to the forest root domain, and down the
trust hierarchy, until contact occurs with a domain controller in the domain where the
resource exists.
Question: Your organization has a Windows Server 2008 forest environment, but it has just
acquired another organization with a Windows 2000 forest environment that contains a
single domain. Users in both organizations must be able to access resources in each other’s
forest. What type of trust do you create between the forest root domain of each forest?
Answer: You will need to implement an external trust, because Windows 2000 does not
support forest trusts. Only Windows Server 2003 or later supports forest trusts.
Question: A user from Contoso attempts to access a shared folder in the Tailspin Toys
domain and receives an Access Denied error. What must be done to provide access to the
user?
Answer: A trust relationship must be established in which Tailspin Toys trusts Contoso, and
then the user (or a group to which the user belongs) must be given permission to the shared
folder in the Tailspin Toys domain.
Question: Can you raise the domain functional level of a domain to Windows Server 2008
when other domains contain domain controllers running Windows Server 2003?
Answer: Yes. Domain functional levels within a forest can be different.
Answer: You would be able to configure and verify one side of the trust only. Administrators
in the other organization must configure the trust in their domain.
Question: What is the main benefit of Selective Authentication?
Answer: The ability to restrict which resources are available over the trust.
Note Not all training products will have a Knowledge Base article – if that is the case, please ask your
instructor whether or not there are existing error log entries.
Courseware Feedback
Send all courseware feedback to support@mscourseware.com. We truly appreciate your time and effort.
We review every e-mail received and forward the information on to the appropriate team. Unfortunately,
because of volume, we are unable to provide a response but we may use your feedback to improve your
future experience with Microsoft Learning products.
Reporting Errors
When providing feedback, include the training product name and number in the subject line of your e-mail.
When you provide comments or report bugs, please include the following:
1. Document or CD part number
Important All errors and suggestions are evaluated, but only those that are validated are added to the
product Knowledge Base article.