
OFFICIAL MICROSOFT LEARNING PRODUCT

6425C
Configuring and Troubleshooting Windows
Server® 2008 Active Directory® Domain
Services
Companion Content
2 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.

© 2011 Microsoft Corporation. All rights reserved.

Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.

All other trademarks are property of their respective owners.

Product Number: 6425C

Part Number: X16-23526

Released: 05/2011

Module 1
Introducing Active Directory® Domain Services
Contents:
Lesson 1: Overview of Active Directory, Identity, and Access 8

Lesson 2: Active Directory Components and Concepts 10


Lesson 3: Install Active Directory Domain Services 14

Module Reviews and Takeaways 16

Lab Review Questions and Answers 18



Lesson 1
Overview of Active Directory, Identity, and Access
Contents:
Additional Reading 9

Additional Reading
Information Protection
• Microsoft Identity and Access Solutions

Authentication and Authorization


• Logon and Authentication Technologies

• Authorization and Access Control Technologies

Authorization
• Logon and Authentication Technologies

• Authorization and Access Control Technologies



Lesson 2
Active Directory Components and Concepts
Contents:
Detailed Demonstration Steps 11

Additional Reading 12

Detailed Demonstration Steps


Demonstration: Active Directory Schema
Detailed demonstration steps
1. Start 6425C-NYC-DC1 and log on as Administrator with the password, Pa$$w0rd.

2. Open D:\AdminTools\ADConsole.msc. Expand Active Directory, and then expand Active Directory
Schema.
3. Review the Attributes container. Attributes are definitions of a property and of its behavior. While
scrolling through attributes, notice a couple of attributes whose purpose (if not name) is familiar.
Open the Properties of each.

• objectSID

• sAMAccountName. Most admins call this the “user name”. Its attribute definition specifies its syntax, that is, the data type of its values (a string in this case).
• unicodePwd
• member. Attributes can be multivalued. When used with a group, it is the list of one or more
members.

• description
4. Open the Classes container. While scrolling through, review the already familiar object classes,
including user, computer, and group. Object classes are created by referring to attributes in the
“pool” of attributes that you just saw.

5. Open the group object class and demonstrate that it refers to the member attribute.
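The same schema inspection can be done from the Active Directory Module for Windows PowerShell. The following is an added example, not part of the course material: it reads the attributeSchema objects for the five attributes reviewed above (syntax, single- or multi-valued, search flags) and then confirms that the group class refers to the member attribute. It assumes the module is installed and that you are logged on to a domain member; the helper function names are this example's own.

```powershell
# Added example (not course code): look up schema definitions with Get-ADObject
# instead of the Active Directory Schema snap-in.
Import-Module ActiveDirectory

# The schema partition, e.g. CN=Schema,CN=Configuration,DC=contoso,DC=com
$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaAttribute {
    param([Parameter(Mandatory=$true, Position=0)][string]$LdapDisplayName)
    # attributeSyntax/oMSyntax encode the data type (2.5.5.12/64 is a Unicode string);
    # isSingleValued distinguishes objectSid (one value) from member (many values).
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, attributeSyntax, oMSyntax, isSingleValued, searchFlags, attributeID |
        Select-Object lDAPDisplayName, attributeSyntax, oMSyntax, isSingleValued, searchFlags, attributeID
}

function Get-SchemaClassAttributes {
    param([Parameter(Mandatory=$true, Position=0)][string]$LdapDisplayName)
    # A class is assembled from the attribute "pool": systemMust/MayContain ship with
    # AD DS, must/mayContain hold attributes added to the class afterwards.
    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties subClassOf, mustContain, mayContain, systemMustContain, systemMayContain
    New-Object PSObject -Property @{
        Class      = $LdapDisplayName
        SubClassOf = $cls.subClassOf
        Mandatory  = @($cls.systemMustContain) + @($cls.mustContain)
        Optional   = @($cls.systemMayContain) + @($cls.mayContain)
    }
}

# The five attributes opened in the demonstration
'objectSid', 'sAMAccountName', 'unicodePwd', 'member', 'description' |
    ForEach-Object { Get-SchemaAttribute $_ } | Format-Table -AutoSize

# Step 5: the group class refers to the member attribute
$group = Get-SchemaClassAttributes group
if ($group.Optional -contains 'member') { "group class may contain 'member'" }
```

Comparing searchFlags across the attributes shows which ones are indexed or flagged as confidential, information the snap-in presents as check boxes on the attribute's Properties page.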

Additional Reading
Active Directory Data Store
• You will learn more about the partitions of Active Directory and about SYSVOL throughout this
course. DNS is a focus of Module 11, and the PAS is examined in detail in Module 13. The contents of
SYSVOL are explored in Module 6 and the objects stored in the Configuration are covered in
Module 13. The objects in the Domain partition are covered in Modules 3-6 and database
maintenance and administration tasks are detailed in Modules 10 and 14.

Domain Controllers
• Domain Controllers are discussed throughout this course, but Modules 11 and 12 are focused
specifically on domain controller administration and placement. Module 10 discusses RODCs.

Demonstration: Active Directory Schema


• What Is the Active Directory Schema?

Organizational Units
• Modules 6 and 8 of this course examine the purpose, management, and design of organizational
units.

Domain
• You will learn more about domains throughout this course, and Module 15 focuses on the design
considerations related to how many domains you should have in your enterprise.

Forest
• The concepts and design of a multidomain forest are discussed in Module 15.

Tree
• The concepts and design of a multidomain forest are discussed in Module 15.

Replication
• Active Directory Replication is detailed in Module 12. SYSVOL replication is discussed in Module 10.

Sites
• Active Directory site and subnet objects are the focus of Module 13.

Global Catalog
• The global catalog is explored in detail in Module 12.

Functional Levels
• Functional levels are detailed in Module 15.

DNS and Application Partitions


• DNS is covered in Module 11.

Trust Relationships
• Trust relationships are discussed in Module 15.

Lesson 3
Install Active Directory Domain Services
Contents:
Additional Reading 15

Additional Reading
Prepare to Create a New Forest with Windows Server 2008 R2
• This list comprises the settings that you will be prompted to configure when creating a domain
controller. There are a number of additional considerations regarding the deployment of AD DS in an
enterprise setting. See the Windows Server 2008 Technical Library at
http://go.microsoft.com/fwlink/?LinkID=214181 for more information.

Module Reviews and Takeaways


Review questions
1. What is the main difference between authentication and authorization?

Answer: Authentication is the process of presenting credentials from a user to an identity store or an
authentication service. Performing authentication grants no right to access any resource; it only
confirms the identity of the user. Authorization, on the other hand, is the process of granting rights to
access a specific resource based on an ACL. Authentication must be performed before authorization
can proceed.
2. Why is global catalog important in a multidomain environment?

Answer: Because the domain controllers in your domain will not contain information about objects in
other domains, you must rely on the global catalog, which has the indexed, partial attribute set for all
objects in other domains.

3. Which tools can you use to install AD DS?


Answer: First, you must use Server Manager to install the AD DS role, and then you run dcpromo
to make the server a domain controller.

Common Issues and Troubleshooting Tips


Issue: The Dcpromo wizard cannot perform the installation of AD DS
Troubleshooting tip: You must be the local administrator to perform the Active Directory installation

Issue: You cannot start dcpromo.exe
Troubleshooting tip: You must first install the AD DS role by using Server Manager

Issue: You cannot raise the forest to the Windows Server 2008 R2 functional level
Troubleshooting tip: Check that all domains in the forest have been raised to the Windows Server 2008 R2 functional level

Best Practices Related to AD DS


• Use a strong password for Directory Service Restore Mode.

• Make all domain controllers into Global Catalog servers.

• Use static IP addresses for domain controllers.



Tools
Tool: Server Manager
Use to: Add the AD DS role
Where to find it: Administrative Tools

Tool: Initial Configuration Tasks
Use to: Perform post-installation tasks on Windows Server 2008 R2
Where to find it: Type Oobe.exe in the Run window

Tool: Dcpromo.exe
Use to: Install Active Directory Domain Services and make the server a domain controller
Where to find it: Type dcpromo.exe in the Run window, or use Server Manager to run the tool

Lab Review Questions and Answers


Question: What can you do with the Initial Configuration Tasks console?

Answer: This console is used to perform some basic administrative tasks, such as changing the time
zone or the computer name.

Question: What must you do before starting the dcpromo wizard?

Answer: You must add the Active Directory Domain Services role.

Question: Which tool is used to raise the domain functional level?

Answer: The Active Directory Domains and Trusts tool is used to raise the domain functional
level.

Module 2
Administering Active Directory Securely and Efficiently
Contents:
Lesson 1: Work with Active Directory Administration Tools 20

Lesson 2: Custom Consoles and Least Privilege 22


Lesson 3: Find Objects in Active Directory 26

Lesson 4: Use Windows PowerShell to Administer Active Directory 30

Module Reviews and Takeaways 33


Lab Review Questions and Answers 34

Lesson 1
Work with Active Directory Administration Tools
Contents:
Additional Reading 21

Additional Reading
Active Directory Administration Snap-ins
• Active Directory Domain Services

• Managing Active Directory from MMC

• Install the Active Directory Schema snap-in

What Is the Active Directory Administrative Center?


• Active Directory Administrative Center: Getting Started

Find Active Directory Administration Tools


• Remote Server Administration Tools Pack

Lesson 2
Custom Consoles and Least Privilege
Contents:
Detailed Demonstration Steps 23

Additional Reading 25

Detailed Demonstration Steps


Demonstration: Create a Custom MMC Console for Administering Active Directory

Detailed demonstration steps


Start 6425C-NYC-DC1.

Log on to NYC-DC1 as Pat.Coleman_Admin, with the password, Pa$$w0rd. Open the Run box and run
the following command with administrative credentials: D:\Labfiles\Lab02a\Lab02a_Setup.bat. This
command unregisters the schema MMC snap-in.
In this demonstration, create a custom MMC console with all four Active Directory management snap-ins.
This demonstration is a preview of an upcoming lab.

1. Click the Start button. In the Search programs and files box, type mmc.exe, and then press ENTER.
Click Yes in the User Account Control dialog box.
An empty MMC console appears. Maximize it.

2. Click File, and then click Add/Remove Snap-in.


3. If snap-ins are missing, install RSAT and turn on the snap-ins.
4. In the Add Or Remove Snap-ins dialog box, click Active Directory Users and Computers from the
Available Snap-ins list, and then click the Add button to add it to the Selected Snap-ins list.

5. Repeat for Active Directory Sites and Services and Active Directory Domains and Trusts.
6. Notice that the Active Directory Schema snap-in is not available to add. Click OK to close the Add or
Remove Snap-ins dialog box.

7. Register the Schema management snap-in: Open a command prompt as administrator, type
regsvr32.exe schmmgmt.dll, and then press Enter. Click OK. Close the command prompt.

8. Return to the MMC console and click File, and then click Add/Remove Snap-in.
9. Add the Active Directory Schema snap-in.
10. Click OK to close the Add Or Remove Snap-ins dialog box.

11. Click File, click Save, and save the console as C:\AdminTools\ADConsole.msc. Be sure to save the
console to a new folder. In the next demo, you will open the console with a different user account
that will not have access to your Desktop or Document folders.

12. Close MMC.

Demonstration: Secure Administration with User Account Control and Run As Administrator
Detailed demonstration steps
1. Log off from NYC-DC1.
2. Log on with user-level credentials: CONTOSO\Pat.Coleman, with the password, Pa$$w0rd.

3. Open the C:\AdminTools folder you created in the previous demonstration.

4. Right-click the ADConsole.msc console and click Run as administrator.



5. Enter the credentials of your administrative account, CONTOSO\Pat.Coleman_Admin, with the
password, Pa$$w0rd.

6. Click Yes.
7. Optionally, open Task Manager and click Show processes from all users. Enter the same
credentials: CONTOSO\Pat.Coleman_Admin; Pa$$w0rd.

The administrator account (Pat.Coleman_Admin) may not have immediate access to the Desktop,
Documents, or other folders that the user account (Pat.Coleman) has access to. If Pat.Coleman (user)
saves the console to a location accessible only to that account, and starts it from there, the moment
the process is elevated to the administrator (Pat.Coleman_Admin) account, it can no longer access the
console.

8. At the end of the demo, log off from NYC-DC1 and log back on as Contoso\Pat.Coleman_Admin,
with the password, Pa$$w0rd.
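The least-privilege pattern shown in both demonstrations (work as a standard user, elevate only the administrative console under a separate admin account) can be scripted. The following is an added example and not course material: it checks whether the current session is already elevated, lists who can read the saved console file (the cause of the access problem noted in step 7), and then launches the console through the same Run as administrator path, which raises the UAC credential prompt for the admin account. The console path is the demonstration's; the Administrators-group check is an assumption about how the admin account obtains access.

```powershell
# Added example (not course code): launch ADConsole.msc elevated from a standard-user
# session, after checking the two things that commonly break this workflow.
$ConsolePath = 'C:\AdminTools\ADConsole.msc'

function Test-IsElevated {
    # True when the current process token already carries the Administrators role
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ConsoleReaders {
    param([string]$Path)
    # Identities with an Allow ACE that includes ReadData on the console file. The elevated
    # Pat.Coleman_Admin process needs one of these to apply to it; a console saved under the
    # standard user's own profile may not grant that.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band [Security.AccessControl.FileSystemRights]::ReadData) } |
        ForEach-Object { $_.IdentityReference.Value }
}

function Start-AdminConsole {
    param([string]$Path = $ConsolePath)
    if (-not (Test-Path -Path $Path)) { throw "Console not found: $Path" }
    if (Test-IsElevated) {
        Write-Warning 'This session is already elevated; for least privilege, start the console from a standard-user logon instead.'
    }
    # Assumption: the admin account gets access through BUILTIN\Administrators, which
    # C:\AdminTools inherits from the system drive.
    $readers = @(Get-ConsoleReaders -Path $Path)
    if ($readers -notcontains 'BUILTIN\Administrators') {
        Write-Warning "$Path grants no read access to BUILTIN\Administrators; readers: $($readers -join ', ')"
    }
    # -Verb RunAs is the scripted form of right-click > Run as administrator: a standard user
    # is prompted by UAC for the administrative account's credentials.
    Start-Process -FilePath 'mmc.exe' -ArgumentList "`"$Path`"" -Verb RunAs
}

Start-AdminConsole
```

Run it from the CONTOSO\Pat.Coleman logon; the elevated mmc.exe then appears in Task Manager under Pat.Coleman_Admin, as step 7 shows.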

Additional Reading
Demonstration: Create a Custom MMC Console for Administering Active Directory
• Add, Remove, and Organize Snap-ins and Extensions in MMC 3.0

Secure Administration with Least Privilege, Run As Administrator, and User Account Control
• Using Run as

Demonstration: Secure Administration with User Account Control and Run As Administrator
• Using Run as

Lesson 3
Find Objects in Active Directory
Contents:
Detailed Demonstration Steps 27

Additional Reading 29

Detailed Demonstration Steps


Demonstration: Use the Select Users, Contacts, Computers, Service Accounts, or Groups Dialog Box

Detailed demonstration steps


If not already started, start 6425C-NYC-DC1 and log on as Pat.Coleman_Admin, with the password,
Pa$$w0rd.

Add users to the Instructors group (in the Groups\Role OU) by using the Members tab of the
group.
1. Open Active Directory Users and Computers and then browse to the Groups\Role OU. Open the
Properties of the Instructors security group and perform the following:

2. On the Members tab, click Add. Type linda;joan and click Check Names. This demonstrates a full
first name and partial first name, and that semicolons delimit multiple users.
Add a user to the Instructors group by using the Add To Group command of the user.

1. Browse to the User Accounts\Employees OU.

2. Right-click Pat Coleman and click Add to a group. Type Instr and click Check Names. This
demonstrates the resolution of a group. Note that Computers are not included by default. Click OK.

3. Set up the scenario: You want to deploy Microsoft Office Visio® to NYC-CL1. It is licensed per
computer, not per user, so the deployment of Visio should be targeted to a computer object (like
most software). You have a group that represents the computers that should have Visio.

4. Open the APP_Visio group from the Groups\Application OU.

5. On the Members tab, try to add NYC-CL1. Point out that it fails.
6. Try again. This time, click the Object Types button and select Computers.

Demonstration: Use Saved Queries

Detailed demonstration steps


Create a saved query called All User Objects that returns all user objects in the domain.
1. In Active Directory Users and Computers, right-click Saved Queries, point to New, and then click
Query.

Note that saved queries can “virtualize” your view of your Active Directory: It doesn't matter where an
object is located (for example, in the Employees, Contractors, or Admin Identities OUs), just that it meets
search criteria.

Create a saved query called Non-Expiring Passwords that returns user objects with passwords that
do not expire.

1. Right-click Saved Queries, point to New, and then click Query

2. In the New Query dialog box, type Non-Expiring Passwords in the Name box.
3. Click Define Query. Select the Non expiring passwords check box. Click OK twice.

Note that all users in the sample domain are set to non-expiring passwords for the purpose of the course
only.

Demonstration: Find Objects by Using Active Directory Administrative Center

Detailed demonstration steps


If not already started, start 6425C-NYC-DC1 and log on to NYC-DC1 as Pat.Coleman_Admin, with the
password, Pa$$w0rd.

Create a saved query called Global Catalog servers that returns all Global Catalog Servers in the
domain.
1. In Active Directory Administrative Center, in the left-hand pane, click Global Search.

2. In the Global Search pane, click Add criteria.

3. Select the check box next to Computers running as a given domain controller type.
4. Click Add.

5. Click the Any domain controllers link and then choose Global catalogs.

6. Click Search.
Note that any domain controller that is configured as a Global Catalog is displayed.

7. Click the Save button.

8. In the text box, type Global Catalog Servers, and then click OK.
9. Click the Queries button to view the saved query.
10. Log off from NYC-DC1 when you have finished the demonstration.
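The three demonstrations in this lesson (the Check Names resolution in the Select dialog, the saved queries, and the Global Search for global catalogs) have direct equivalents in the Active Directory Module for Windows PowerShell. The following is an added example, not course code: it shows the Non-Expiring Passwords query in both its friendly and its raw LDAP form, a Check Names-style lookup that excludes computers by default, and the Visio scenario in which the computer must be resolved explicitly. Object names (Instructors, APP_Visio, NYC-CL1) are the course's sample values and are assumptions.

```powershell
# Added example (not course code): the lesson's searches, run with the AD module.
Import-Module ActiveDirectory

# Saved query "All User Objects": OU placement is irrelevant, only the object class matters
function Get-AllUserObjects {
    Get-ADUser -Filter * | Select-Object Name, SamAccountName, DistinguishedName
}

# Saved query "Non-Expiring Passwords". The check box maps to the DONT_EXPIRE_PASSWORD bit
# (0x10000 = 65536) of userAccountControl; the LDAP form tests that bit with the
# bitwise-AND matching rule, the module form uses the friendly PasswordNeverExpires property.
function Get-NonExpiringPasswordUsers {
    param([switch]$UseLdapFilter)
    if ($UseLdapFilter) {
        Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
    } else {
        Get-ADUser -Filter { PasswordNeverExpires -eq $true } -Properties PasswordNeverExpires
    }
}

# Global Search > "Computers running as a given domain controller type" > Global catalogs
function Get-GlobalCatalogServers {
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } | Select-Object HostName, Site, IPv4Address
}

# Check Names: resolve a partial name such as "Instr" against the object types the Select
# dialog searches. Computers are left out unless asked for, like the dialog's default
# Object Types. objectCategory is used so that computer objects, which are a subclass of
# user, do not match the user clause.
function Resolve-CheckName {
    param([Parameter(Mandatory=$true)][string]$Partial, [switch]$IncludeComputers)
    $clauses = @(
        '(&(objectCategory=person)(objectClass=user))',
        '(&(objectCategory=person)(objectClass=contact))',
        '(objectCategory=group)'
    )
    if ($IncludeComputers) { $clauses += '(objectCategory=computer)' }
    $filter = "(&(|$($clauses -join ''))(|(name=$Partial*)(sAMAccountName=$Partial*)))"
    Get-ADObject -LDAPFilter $filter | Select-Object Name, ObjectClass, DistinguishedName
}

# The Visio scenario: the member must be resolved as a computer object before it can be added
function Add-ComputerToAppGroup {
    param([string]$Group = 'APP_Visio', [string]$Computer = 'NYC-CL1')
    $c = Get-ADComputer -Identity $Computer            # fails clearly if the name is not a computer
    Add-ADGroupMember -Identity $Group -Members $c
    Get-ADGroupMember -Identity $Group | Select-Object Name, objectClass
}

Resolve-CheckName -Partial 'Instr'                       # resolves the Instructors group
Resolve-CheckName -Partial 'NYC-CL1'                     # no result: computers are not searched
Resolve-CheckName -Partial 'NYC-CL1' -IncludeComputers   # found
Get-NonExpiringPasswordUsers | Select-Object Name | Format-Table -AutoSize
Get-GlobalCatalogServers
```

Comparing the output of Get-NonExpiringPasswordUsers with and without -UseLdapFilter shows that the saved query's check box is nothing more than a bit test on userAccountControl, which is useful to know when the same query has to be expressed in a tool that only accepts LDAP syntax.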

Additional Reading
Options for Locating Objects
• Search Active Directory

Lesson 4
Use Windows PowerShell to Administer Active Directory
Contents:
Detailed Demonstration Steps 31

Additional Reading 32

Detailed Demonstration Steps


Demonstration: Manage Users and Groups by Using Windows PowerShell
Detailed demonstration steps

Note You require the 6425C-NYC-DC1 virtual machine to complete this demonstration.
Log on to the virtual machine as Contoso\Administrator with the password of Pa$$w0rd.

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Module
for Windows PowerShell.

2. To create a new OU, type the following command.

new-adorganizationalunit Test1
new-adorganizationalunit Test2

3. To create a new user, type the following. (Note: by default, the user will be created in the Users
container if no other option is specified. For this demo, the account is created in the New Users OU.)

new-aduser -name TestUser1 -department IT -city "New York" -organization "Contoso"

4. To move the user to another OU, type the following command.

get-aduser -filter 'Name -eq "TestUser1"' | move-adobject -targetpath "ou=Test2,dc=contoso,dc=com"

5. To get a group and view its members, type the following command.

get-adgroup -filter "Name -eq 'Domain Admins'"


get-adgroup -filter "Name -eq 'Domain Admins'" | get-adgroupmember

6. To add a new user to a group, type the following command.

add-adgroupmember "Marketing" testuser1

7. To set the password and enable a user account, type the following command.

Set-ADAccountPassword testuser1 -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd1' -Force)
get-aduser -filter 'Name -eq "TestUser1"' | enable-adaccount

Additional Reading
Windows PowerShell Cmdlets for Active Directory
• Active Directory Administration with Windows PowerShell

Module Reviews and Takeaways


Review questions
1. What are the four main snap-ins used for Active Directory administration?

Answer: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory
Domains and Trusts, and Active Directory Schema.
2. Is the Active Directory Administrative Center based upon an MMC?

Answer: No, it is based upon Windows PowerShell.

3. List some of the tasks that can be performed with Windows PowerShell.
Answer:

• User, Computer, and Group Management

• Organizational Unit Management


• Password Policy Management

• Object Search and Modification


• Forest and Domain Management

• Domain Controller and Operations Master Management

• Managed Service Account Management

Tools
Tool: Active Directory Users and Computers
Use to: Manage an Active Directory domain
Where to find it: Administrative Tools

Tool: Active Directory Administrative Center
Use to: Manage an Active Directory domain
Where to find it: Administrative Tools

Tool: Windows PowerShell
Use to: Manage an Active Directory domain
Where to find it: Administrative Tools

Windows Server 2008 R2 Features Introduced in this Module

Feature: Active Directory Administrative Center
Description: Used to manage Active Directory Domain Services

Feature: Active Directory Module for Windows PowerShell
Description: Used to manage Active Directory Domain Services by using Windows PowerShell

Lab Review Questions and Answers


Question: Which snap-in are you most likely to use on a day-to-day basis to administer
Active Directory?

Answer: Answers will vary. Most students will use Active Directory Users and Computers
regularly, to administer users, computers, and groups.
Question: When you build a custom MMC console for administration in your enterprise,
what snap-ins will you add?

Answer: Answers will vary. The answer will depend on students' job responsibilities and
experience level.

Question: In your work, what scenarios require you to search Active Directory?

Answer: The correct answer will be based on your own experience and situation.

Question: What types of saved queries can you create to help you perform your
administrative tasks more efficiently?

Answer: The correct answer will be based on your own experience and situation.

Module 3
Managing Users and Service Accounts
Contents:
Lesson 1: Create and Administer User Accounts 36

Lesson 2: Configure User Object Attributes 39


Lesson 3: Automate User Account Creation 43

Lesson 4: Create and Configure Managed Service Accounts 45

Module Reviews and Takeaways 47


Lab Review Questions and Answers 48

Lesson 1
Create and Administer User Accounts
Contents:
Detailed Demonstration Steps 37

Additional Reading 38

Detailed Demonstration Steps


Demonstration: Create a User Object
Detailed demonstration steps
Before performing this demonstration open Windows Explorer and browse to D:\Labfiles\Lab03a. Run the
Lab03a_Setup command with administrative credentials.

Create a user account:


1. Expand contoso.com and then expand the User Accounts OU.

2. Right-click the Employees OU, point to New, and then click User.

3. In First name, type the user’s first name: Chris.


4. In Last name, type the user’s last name: Mayo.

5. In User logon name, type the user’s logon name: Chris.Mayo.

6. In the User logon name (pre-Windows 2000) text box, enter the pre-Windows 2000 logon name:
Chris.Mayo.
7. Click Next.

8. Type Pa$$w0rd in the Password and Confirm password boxes.

• The default password policy for an Active Directory domain requires a password of seven or more
characters. Additionally, the password must contain three of four character types: uppercase (A-Z),
lowercase (a-z), numeric (0-9), and non-alphanumeric (for example, !@#$%). The password cannot
contain any of the user’s name or logon name attributes.
• Optionally, attempt to create the user account with a password that does not meet the policy, so
that students can see the error that appears.
• In a production environment, you should use a unique, strong password for each user account
that you create.

9. Ensure that User must change password at next logon is selected, and then click Next.
10. Review the summary and click Finish.
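The same account can be created with New-ADUser, and the policy bullets above can be checked before the domain controller rejects the password. The following is an added example, not course code: it prompts for the password as a SecureString instead of embedding it, runs a local check that follows the rules as the text states them (Test-PasswordMeetsPolicy is a hypothetical helper written for this example and is not Windows' own complexity algorithm), and only then creates the enabled account with the must-change-at-next-logon flag. The OU path and UPN suffix are the course's contoso.com values and are assumptions.

```powershell
# Added example (not course code): create Chris.Mayo with a prompted, pre-checked password.
Import-Module ActiveDirectory

function Test-PasswordMeetsPolicy {
    param(
        [Parameter(Mandatory=$true)][string]$Password,
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [string]$FirstName,
        [string]$LastName,
        [int]$MinLength = 7
    )
    $problems = @()
    if ($Password.Length -lt $MinLength) { $problems += "fewer than $MinLength characters" }

    # Three of the four character types are required
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $problems += "only $classes of 4 character types" }

    # Must not contain the user's name or logon name attributes (case-insensitive)
    $names = @($SamAccountName, $FirstName, $LastName) | Where-Object { $_ -and $_.Length -ge 3 }
    foreach ($n in $names) {
        if ($Password -imatch [regex]::Escape($n)) { $problems += "contains '$n'" }
    }
    return ,$problems    # an empty array means the password passes these checks
}

function New-EmployeeUser {
    param(
        [Parameter(Mandatory=$true)][string]$FirstName,
        [Parameter(Mandatory=$true)][string]$LastName,
        [string]$Path = 'OU=Employees,OU=User Accounts,DC=contoso,DC=com',
        [string]$UpnSuffix = 'contoso.com'
    )
    $sam    = "$FirstName.$LastName"
    $secure = Read-Host -AsSecureString "Password for $sam"

    # Expose the plain text only long enough for the local check, then discard it
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $minLen   = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
    $problems = Test-PasswordMeetsPolicy -Password $plain -SamAccountName $sam `
                    -FirstName $FirstName -LastName $LastName -MinLength $minLen
    $plain = $null
    if ($problems) { throw "Password for $sam rejected: $($problems -join '; ')" }

    # Without the pre-check, a password the domain rejects leaves the account created but disabled
    New-ADUser -Name "$FirstName $LastName" -GivenName $FirstName -Surname $LastName `
        -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" -Path $Path `
        -AccountPassword $secure -ChangePasswordAtLogon $true -Enabled $true -PassThru
}

New-EmployeeUser -FirstName Chris -LastName Mayo
```

Reading the minimum length from Get-ADDefaultDomainPasswordPolicy rather than hard-coding seven keeps the check aligned with the domain, and the complexity and name-substring tests are the three bullets above written out; a fine-grained password policy that applies to the target OU would still be enforced by the domain controller, not by this helper.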

Additional Reading
Create Users with Windows PowerShell
• Creating a user with Windows PowerShell

Demonstration: Create a User Object


• Active Directory Users and Computers Help: Managing Users

• Create a New User Account

Name Attributes
• Object Names

Account Attributes
• User Properties - Account Tab
• http://go.microsoft.com/fwlink/?LinkID=214193

Lesson 2
Configure User Object Attributes
Contents:
Detailed Demonstration Steps 40

Additional Reading 42

Detailed Demonstration Steps


Demonstration: Create a User Template
Detailed demonstration steps
1. Right-click the Employees OU, point to New, and then click User.

2. Leave the First name and Last name boxes empty.

3. In the Full name box, type _Sales User.

4. Note that the underscore prefix will put the template at the top of the user list in the OU, making it
easier to find.

5. In the User Logon name box, type: Template.Sales.


6. In the User logon name (pre-Windows 2000) text box, enter the pre-Windows 2000 logon name:
Template.Sales.

7. Click Next.

8. Type Pa$$w0rd in the Password and Confirm password boxes.


9. Ensure that User must change password at next logon is selected.

10. Select Account is disabled.

11. Click Next.


12. Review the summary and click Finish.

13. Right-click _Sales User, and then click Properties.


14. Click the Member Of tab.
15. Click Add.

16. Type Sales and click OK.

17. The Multiple Names Found dialog box appears. Select Sales and click OK.
18. Click the Organization tab.

19. In Department, type Sales.

20. In Company, type Contoso, Ltd.

21. Click the Change button in the Manager section.

22. Type Anibal Sousa and click OK.

23. Click the Account tab.

24. In the Account Expires section, click End Of, and then select the last day of the current year.

25. Click OK.

Creating a user from the template


1. Right-click _Sales User, and then click Copy.

2. In First name, type Amy.

3. In Last name, type Strande.



4. In User logon name, type Amy.Strande.

5. Confirm that the User logon name (pre-Windows 2000) is also Amy.Strande, and click Next.

6. In Password and Confirm password, type Pa$$w0rd.

7. Clear Account is disabled.

8. Click Next, review the summary, then click Finish.



Additional Reading
Modify User Attributes by Using Windows PowerShell
• Setting a User’s Profile Attributes

• Modifying an Attribute for Several Users at Once

Demonstration: Create a User Template


• Copy a User Account

Lesson 3
Automate User Account Creation
Contents:
Additional Reading 44

Additional Reading
Export Users with CSVDE
• CSVDE

• LDAP QuerySyntax

Import Users with CSVDE


• CSVDE

Import Users with LDIFDE


• LDIFDE

Import Users with Windows PowerShell


• Creating a Large Quantity of Users

Lesson 4
Create and Configure Managed Service Accounts
Contents:
Additional Reading 46

Additional Reading
Challenges of Using Standard User Accounts for Services
• What’s New in Service Accounts in Windows Server 2008 and Windows 7

What Is a Managed Service Account?


• Managed Service Accounts

Configure and Administer Managed Service Accounts


• PowerShell Commands for Managed Service Accounts

Module Reviews and Takeaways


Review questions
1. Which administration tool should you use to create and manage user accounts within your
organization?

Answer: Answers will vary; however, options include Active Directory Users and Computers, Active
Directory Administrative Center, or the Active Directory Module for Windows PowerShell.

2. Which user account attributes will be important to use within your network environment?

Answer: Answers will vary, but possible answers should be based upon attributes listed in the user
account properties.

Windows Server 2008 R2 Features Introduced in this Module

Feature: Active Directory Module for Windows PowerShell
Description: Used to run Active Directory cmdlets for administering various AD DS tasks

Feature: Managed Service Accounts
Description: Used to automate password and SPN management for service accounts used by applications and services

Lab Review Questions and Answers


Question: In this lab, which attribute can be modified to prompt for the password when you
are creating a user account with Windows PowerShell?

Answer: AccountPassword (Read-Host -AsSecureString "AccountPassword")

Question: What happens when you create a user account that has a password that does not
meet the requirements of the domain?

Answer: The account is created, but it is disabled. It cannot be enabled until a password
that meets the requirements of the domain is configured.
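
The following is an added example and is not part of the course's lab or its code. It creates a user with a prompted password and then handles the case described in the second question: the password fails the domain policy, the object is left disabled, and the account is repaired in place instead of being deleted and re-created. The OU path and the user name Dan.Park are assumptions.

```powershell
# Added example, not from the course. Assumed: the OU path and the user Dan.Park.
Import-Module ActiveDirectory

$ou       = 'OU=User Accounts,DC=contoso,DC=com'
$sam      = 'Dan.Park'
$password = Read-Host -AsSecureString 'AccountPassword'   # prompt; never hard-code the value in the script

try {
    New-ADUser -Name 'Dan Park' -SamAccountName $sam -UserPrincipalName "$sam@contoso.com" `
        -Path $ou -AccountPassword $password -Enabled $true -ErrorAction Stop
}
catch {
    # Typical text: "The password does not meet the length, complexity, or history requirement
    # of the domain." At this point the object exists but is disabled.
    Write-Warning "New-ADUser reported: $($_.Exception.Message)"
}

$user = Get-ADUser -Identity $sam -Properties Enabled, PasswordLastSet
if (-not $user.Enabled) {
    # Repair the half-created account: set a compliant password, then enable it.
    $newPassword = Read-Host -AsSecureString 'Password that meets the domain policy'
    Set-ADAccountPassword -Identity $sam -Reset -NewPassword $newPassword
    Enable-ADAccount -Identity $sam
}

Get-ADUser -Identity $sam -Properties Enabled, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet
```

Because the secure string is built by Read-Host, the password never appears in the command history or in a script file; the same pattern applies to Set-ADAccountPassword.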

Question: What methods have you learned for modifying the attributes of new and existing
users?

Answer: Multiselecting users and opening the Properties dialog box, using the DSMod
command, and creating a user account based on a user account template.
Question: What scenarios lend themselves to importing users with CSVDE and LDIFDE?

Answer: If you are importing a large number of users, CSVDE and LDIFDE add significant
value. Also, CSVDE and LDIFDE give you the ability to configure most user attributes, unlike
templates, which support a very limited number of attributes.

Question: You need to obtain a list of all the managed service accounts in the domain.
Which command would you use?

Answer: The Get-ADServiceAccount cmdlet would be used to obtain a list of managed
service accounts in the domain.

Question: Which cmdlet can be used to reset the password of a managed service account?

Answer: The Reset-ADServiceAccountPassword cmdlet would be used to reset the password
of a specific managed service account.
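
The following is an added example, not code from the course, showing the Windows Server 2008 R2 managed service account lifecycle around the two cmdlets named above: create the account, bind it to its single host, install it on that host, inventory the accounts, and force a password reset. The names svc_web and NYC-SVR1 are assumptions.

```powershell
# Added example, not from the course. Assumed names: MSA svc_web and host computer NYC-SVR1.
Import-Module ActiveDirectory

$msa = 'svc_web'
$srv = 'NYC-SVR1'

# 1. Create the MSA (default container: CN=Managed Service Accounts). The directory generates
#    the password; no administrator ever sees, types or stores it.
New-ADServiceAccount -Name $msa -Enabled $true -Description "IIS application pool identity on $srv"

# 2. Authorise exactly one computer to retrieve that password. On Windows Server 2008 R2 an MSA
#    can be installed on a single host only.
Add-ADComputerServiceAccount -Identity $srv -ServiceAccount $msa

# 3. On NYC-SVR1 itself (elevated, with the Active Directory module available):
#    Install-ADServiceAccount -Identity svc_web
#    Test-ADServiceAccount -Identity svc_web       # True once the LSA can use the account
#    then configure the service to log on as CONTOSO\svc_web$ with an empty password.

# 4. Inventory: which MSAs exist, whether they are enabled, when the password last rotated,
#    and which host each one is bound to.
Get-ADServiceAccount -Filter * -Properties HostComputers, PasswordLastSet |
    Select-Object Name, Enabled, PasswordLastSet, HostComputers

# 5. Out-of-cycle rotation (for example after the host is suspected of being compromised).
#    This must run on the host where the MSA is installed:
#    Reset-ADServiceAccountPassword -Identity svc_web
#    Otherwise the password rotates automatically, like a computer account password, every 30 days.
```

The inventory in step 4 is the check to run periodically: an MSA with no HostComputers value is an account nobody can use, and one bound to a decommissioned server should be removed with Remove-ADServiceAccount.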

Module 4
Managing Groups
Contents:
Lesson 1: Overview of Groups 50

Lesson 2: Administer Groups 52


Lesson 3: Best Practices for Group Management 57

Module Reviews and Takeaways 59

Lab Review Questions and Answers 61



Lesson 1
Overview of Groups
Contents:
Additional Reading 51

Additional Reading
Role-Based Management: Role Groups and Rule Groups
• For more information about role-based management, see Windows Administration Resource Kit:
Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).

Define Group Naming Conventions


• For more information about managing groups effectively, see Windows Administration Resource Kit:
Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).

Default Groups
For more information about protected accounts, see:

• Knowledge Base article 817433 at

• Knowledge Base article 840001 at


• If you want to search the Internet for resources, use the keyword, adminSDHolder.

• Microsoft TechNet provides an exhaustive reference to the default groups in a domain and to the
default local groups.
• For reference information about local and domain groups, go to
• For reference information about default local groups, go to

• Default groups
• Windows Server 2008 Future Resources

Lesson 2
Administer Groups
Contents:
Detailed Demonstration Steps 53

Additional Reading 56

Detailed Demonstration Steps


Demonstration: Create a Group Object
Detailed demonstration steps
Note You require the 6425C-NYC-DC1 virtual machine to complete this demonstration. Log on to
the virtual machine as Contoso\Administrator with the password of Pa$$w0rd.

Create a group by using Active Directory Users and Computers

1. Open the Active Directory Users and Computers snap-in.


2. In the console tree, expand the node that represents your domain such as contoso.com, and navigate
to the OU or container (such as Users) in which you want to create the group. For the purpose of this
demo, use the Groups\Role OU.

3. Right-click the Role OU, point to New, and then click Group.

The New Object - Group dialog box appears.

4. Type the name of the new group in the Group name box. For the purpose of this demonstration,
type ITConsultants for the name of group.

Most organizations have naming conventions that specify how group names should be created. Be
sure to follow the guidelines of your organization.

By default, the name you type is also entered as the Group name (pre-Windows® 2000). It is strongly
recommended that you keep the two names the same.

5. Do not change the name in the Group name (pre-Windows 2000) box.

6. Choose the Group type.

• A Security group is a group that can be given permissions to resources. It can also be configured
as an e-mail distribution list.

• A Distribution group is an e-mail–enabled group that cannot be given permissions to resources
and is therefore used only when a group is an e-mail distribution list that has no possible
requirement for access to resources.

For this demo, click Security.

7. Select the Group scope.

• A Global group is typically used to identify users based on criteria such as job function, location,
etc.

• A Domain local group is used to collect users and groups who share similar resource access
needs, such as all users who need to be able to modify a project report.

• A Universal group is typically used to collect users and groups from multiple domains.
For this demo, click Global.

8. Click OK.

Group objects have a number of properties that are useful to configure. These can be specified after the
object has been created.

Configure Group Properties:


1. Right-click the ITConsultants group, and then click Properties.

2. Enter the properties for the group.

• Be sure to follow the naming conventions and other standards of your organization.
• The group’s Members and Member Of tabs specify who belongs to the group and what groups
the group itself belongs to.

• The group’s Description field, because it is easily visible in the details pane of the Active
Directory Users and Computers snap-in, is a good place to summarize the purpose of the group
and the contact information for the individual(s) responsible for deciding who is and is not a
member of the group.

• The group’s Notes field can be used to provide more detail about the group.
• The Managed By tab can be used to link to the user or group that is responsible for the group.
The contact information on the Managed By tab is populated from the account specified in the
Name box. The Managed By tab is typically used for contact information so that if a user wants
to join the group, you can decide who in the business should be contacted to authorize the new
member. However, if you select the Manager can update membershipList option, the account
specified in the Name box will be given permission to add and remove members of the group.
This is one method to delegate administrative control over the group.

To change the user or group that is referred to on the Managed By tab, click the Change button
underneath the Name box. By default, the Select User, Contact, or Group dialog box that
appears does not, despite its name, search for groups. To search for groups, you must first click
the Object Types button and select Groups.

3. Click OK.

Change Group Scope using Windows PowerShell with Active Directory Module:

1. Open Active Directory Module for Windows PowerShell from Administrative Tools on the Start menu. Be
sure to run it as administrator.

2. At the prompt, type the following command, and then press ENTER.
Set-ADGroup -Identity ITConsultants -GroupScope Universal

3. Open the Active Directory Users and Computers console and check that the group scope has changed from
Global to Universal.
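
The following is an added example, not part of the course's demonstration, that wraps Set-ADGroup in a function handling the conversion rules a practitioner runs into: Global and Domain local cannot be converted into each other directly, so the function stops at Universal on the way, and it reports the membership conflicts that make a conversion fail. It assumes the ITConsultants group created in the demonstration exists.

```powershell
# Added example, not from the course. Assumed: the group ITConsultants exists (created in the demo).
Import-Module ActiveDirectory

function Convert-ADGroupScope {
    param(
        [Parameter(Mandatory=$true)] [string] $Identity,
        [Parameter(Mandatory=$true)] [ValidateSet('Global','DomainLocal','Universal')] [string] $TargetScope
    )
    $group = Get-ADGroup -Identity $Identity
    $from  = $group.GroupScope.ToString()
    if ($from -eq $TargetScope) { return $from }

    # AD DS has no direct Global <-> DomainLocal conversion; it has to pass through Universal.
    $viaUniversal = ($from -eq 'Global' -and $TargetScope -eq 'DomainLocal') -or
                    ($from -eq 'DomainLocal' -and $TargetScope -eq 'Global')
    try {
        if ($viaUniversal) { Set-ADGroup -Identity $group -GroupScope Universal -ErrorAction Stop }
        Set-ADGroup -Identity $group -GroupScope $TargetScope -ErrorAction Stop
    }
    catch {
        # Membership rules are enforced at conversion time, for example:
        #   Global -> Universal fails while the group is a member of another global group;
        #   Universal -> Global fails while the group contains universal groups;
        #   DomainLocal -> Universal fails while the group contains other domain local groups.
        throw "Cannot convert $Identity from $from to ${TargetScope}: $($_.Exception.Message)"
    }
    (Get-ADGroup -Identity $Identity).GroupScope.ToString()
}

Convert-ADGroupScope -Identity 'ITConsultants' -TargetScope Universal     # the demo's conversion
Convert-ADGroupScope -Identity 'ITConsultants' -TargetScope DomainLocal   # Universal -> DomainLocal
Convert-ADGroupScope -Identity 'ITConsultants' -TargetScope Global        # goes via Universal
```

The function returns the scope read back from the directory after the change, so a script can assert on it rather than trusting that Set-ADGroup did not silently fail.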

Additional Reading
Demonstration: Create a Group Object
• Create a New Group

Lesson 3
Best Practices for Group Management
Contents:
Additional Reading 58

Additional Reading
Protect Groups from Accidental Deletion
• For more information about recovering deleted groups and their memberships, go to:
Knowledge Base article 840001

Module Reviews and Takeaways


Review questions
1. Members of a Sales department in a company that has branches in multiple cities travel frequently
between domains. How will you provide these members with access to printers on various domains
that are managed by using domain local groups?

Answer: In this situation, you can create a group with domain local scope and assign it permission to
access the printer. Put the Sales user accounts in a group with global scope, and then add this group to
the group having domain local scope. When you want to give the Sales users access to a new printer,
assign the group with domain local scope permission to access the new printer. All members of the group
with global scope automatically receive access to the new printer.
2. You are responsible for managing accounts and access to resources for your group members. A user
in your group transfers into another department within the company. What should you do with the
user’s account?

Answer: Although your company may have an HR representative with AD DS permissions to move user
accounts, the best solution involves having the user account moved into the appropriate OU of the new
department. In this manner, the Group Policies associated with the new department will be enforced. If
applying the correct Group Policies is important, the user’s account should be disabled until somebody
with appropriate security permissions can move it into the new OU.

3. Which group scope can be assigned permissions in any domain or forest?

Answer: Universal groups can be assigned permissions in any domain in the forest, and in any trusting
domain or forest.

Common Issues Related to Group Management


Issue                                Troubleshooting tip
Cannot convert group scope           Check whether the conversion scenario is supported.
Cannot add group to another group    Check whether the desired nesting scenario is supported.
Cannot create group in AD DS         Check whether you have the necessary permissions to create group objects.

Real-World Issues and Scenarios


• A project manager in your department is starting a group project that will continue for the next year.
Several users from your department and other departments will be dedicated to the project during
this time. The project team must have access to the same shared resources. The project manager must
be able to manage the user accounts and group accounts in AD DS. However, you do not want to
give the project manager permission to manage anything else in AD DS. What is the best way to do
this?

Answer: Create a new global security group and add the project members to it. Create a new OU outside
your department's OU and delegate full control of that OU to the project manager. Move the global group
into the new OU, and publish the project's resources, such as shared folders and printers, in the OU. Keep
track of the project, and delete the global group when the work finishes. You can keep the OU if another
project requires it; otherwise, delete it when there is no immediate need for it.

Best Practices for Group Management


• When managing access to resources, try to use both rule and role groups.

• Use universal groups only when necessary, because their membership is replicated to every global catalog server in the forest.
• Use Windows PowerShell with Active Directory Module for batch jobs on groups.

• Avoid adding users to Built-in and Default Groups.

Tools
Tool                                              Use              Where to find it
Active Directory Users and Computers              Manage groups    Administrative Tools
Windows PowerShell with Active Directory Module   Manage groups    Installed as a Windows feature
DS utilities (DSAdd, DSMod, DSGet)                Manage groups    Command line

Windows Server 2008 R2 Features Introduced in this Module


Feature                                           Description
Windows PowerShell with Active Directory Module   New administration utility for Active Directory, based on Windows PowerShell

Lab Review Questions and Answers


Question: Describe the purpose of global groups in terms of role-based management.

Answer: Global groups are generally used to define roles.


Question: What types of objects can be members of global groups?

Answer: Global groups can include as members users and other roles (global groups) from
the same domain.

Question: Describe the purpose of domain local groups in terms of role-based management
of resource access.
Answer: Domain local groups are generally used to define a scope of management, such as
managing a level of access to a resource.

Question: What types of objects can be members of domain local groups?

Answer: Domain local groups can contain roles (global groups) and individual users from
any trusted domain in the same forest or an external forest, as well as other domain local
groups in the same domain. Finally, domain local groups can contain universal groups from
anywhere in the forest.
Question: If you have implemented role-based management and are asked to report who
can read the Sales folders, what command would you use to do so?

Answer: You would use the DSGet command (dsget group with the -members and -expand options, which
enumerates nested membership).
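
The following is an added example, not code from the course, that builds the AGDLP chain the review question on printers describes (accounts into a global role group, the role into a domain local rule group, the permission granted to the rule group) and then answers "who can read the Sales folder?" by expanding the nesting with the Active Directory module. The group names, OU paths, share path and user names are assumptions; the dsget equivalent is shown in a comment.

```powershell
# Added example, not from the course. Assumed names: role group Sales, rule group ACL_Sales_Read,
# the share D:\Shares\Sales on file server NYC-SVR1, the OU paths, and the two users.
Import-Module ActiveDirectory

$roleOu = 'OU=Role,OU=Groups,DC=contoso,DC=com'             # Groups\Role, as in the demonstration
$ruleOu = 'OU=Resource Access,OU=Groups,DC=contoso,DC=com'  # assumed
$folder = 'D:\Shares\Sales'                                  # assumed; run the ACL part on the file server

# A -> G: accounts go into a global role group that says who someone is.
New-ADGroup -Name 'Sales' -GroupScope Global -GroupCategory Security -Path $roleOu `
    -Description 'Role: Sales department. Owner: Sales manager'
Add-ADGroupMember -Identity 'Sales' -Members 'Dan.Park', 'Tony.Krijnen'

# G -> DL: the role is nested into a domain local rule group that says what may be done.
New-ADGroup -Name 'ACL_Sales_Read' -GroupScope DomainLocal -GroupCategory Security -Path $ruleOu `
    -Description 'Rule: Read on \\NYC-SVR1\Sales. Owner: Sales manager'
Add-ADGroupMember -Identity 'ACL_Sales_Read' -Members 'Sales'

# DL -> P: the permission is granted once, to the rule group only, never to users or roles.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\ACL_Sales_Read', 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# "Who can read Sales?" Expand the nesting and flag users placed directly in the rule group,
# which bypasses the role layer. DS-utility equivalent:
#   dsget group "CN=ACL_Sales_Read,OU=Resource Access,OU=Groups,DC=contoso,DC=com" -members -expand
function Get-RuleGroupReport {
    param([Parameter(Mandatory=$true)][string] $RuleGroup)
    $directSids = @(Get-ADGroupMember -Identity $RuleGroup |
        Where-Object { $_.objectClass -eq 'user' } | ForEach-Object { $_.SID.Value })
    Get-ADGroupMember -Identity $RuleGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                User         = $_.SamAccountName
                ViaRoleGroup = -not ($directSids -contains $_.SID.Value)
            }
        } | Sort-Object User
}

Get-RuleGroupReport -RuleGroup 'ACL_Sales_Read' | Format-Table -AutoSize
```

A row with ViaRoleGroup set to False is a user who was added straight to the rule group; that is the exception to hunt for, because such a user keeps the access after leaving the Sales role.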


Question: What are some benefits of using the Description and Notes fields of a group?

Answer: Better documented groups are easier to find and understand and are less likely to
be misused for purposes other than their intended purpose.
Question: What are the advantages and disadvantages of delegating group membership?

Answer: Delegating group membership allows IT to get "out of the middle." In most
organizations, when a user needs access to a resource, he or she contacts IT, IT contacts the
business owner to get approval, and then IT adds the user to the groups. Delegating allows
the request to go straight to the business owner, who can then make the change to the
group.

Module 5
Managing Computer Accounts
Contents:
Lesson 1: Create Computers and Join the Domain 63

Lesson 3: Offline Domain Join 65


Module Reviews and Takeaways 68

Lab Review Questions and Answers 70



Lesson 1
Create Computers and Join the Domain
Contents:
Question and Answers 64

Question and Answers


Secure Computer Creation and Joins
Question: What two factors determine whether you can join a computer account to the domain?

Answer: To join a computer to a prestaged account, you must be given permission on the account to join
it to the domain. If the account is not prestaged, the ms-DS-MachineAccountQuota attribute will
determine the number of computers you can join to the domain in the default computer container
without explicit permission.
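
The following is an added example, not code from the course, that turns the two factors in the answer into checks and actions: read and tighten ms-DS-MachineAccountQuota, prestage a computer account in the OU where it belongs, and audit which existing computers were joined under the quota rather than through a prestaged account. The OU path is an assumption; NYC-CL2 is the client name used elsewhere in this module.

```powershell
# Added example, not from the course. Assumed: the OU "New Computers" and the client name NYC-CL2.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Factor 2: the domain-wide quota. Out of the box it is 10, which lets any authenticated user create
# up to ten computer objects in the default Computers container without any delegation.
$domainObj = Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $($domainObj.'ms-DS-MachineAccountQuota')"

# Hardening: set it to 0, so every join must go through a prestaged account or a delegated OU.
Set-ADObject -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# Factor 1: prestage the account in the OU whose GPOs it should receive. The right to join it is then
# granted on this one object (for example with "User or group can join this computer" in ADUC).
New-ADComputer -Name 'NYC-CL2' -Path 'OU=New Computers,DC=contoso,DC=com' `
    -Description 'Prestaged for the desktop deployment team'

# Audit: a computer created under the quota records its creator in mS-DS-CreatorSID; objects created
# by a principal holding Create Child rights on the container do not. Anything listed here was joined
# without a prestaged account.
function Get-QuotaJoinedComputer {
    Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' |
        Where-Object { $_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            $raw = $_.'mS-DS-CreatorSID'
            # The module may surface the attribute as a SecurityIdentifier or as raw SID bytes.
            if ($raw -is [byte[]]) { $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
            else                   { $sid = [System.Security.Principal.SecurityIdentifier]$raw }
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }   # creator since deleted; keep the SID
            New-Object PSObject -Property @{ Computer = $_.Name; CreatedBy = $creator }
        }
}

Get-QuotaJoinedComputer | Sort-Object CreatedBy | Format-Table -AutoSize
```

Setting the quota to 0 does not affect computers already joined; the audit function is what tells you which of them to move into a proper OU and which creators to follow up with.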

Lesson 3
Offline Domain Join
Contents:
Question and Answers 66

Detailed Demonstration Steps 67



Question and Answers


Process for Performing an Offline Domain Join
Question: What is the content of the text file that is created during a djoin provisioning
process?

Answer: This file contains sensitive data that is needed to establish a relationship between a
computer and a domain. The data includes the machine account password and other
information about the domain, including the domain name, the name of a domain
controller, and the SID of the domain.

Detailed Demonstration Steps


Demonstration: Perform an Offline Domain Join
Detailed demonstration steps

Note You require the 6425C-NYC-DC1 virtual machine to complete this demonstration.

1. Log on to NYC-DC1 as Contoso\Administrator, with the password, Pa$$w0rd.

2. Open a Command Prompt with administrative privileges.


3. Type the following command and press Enter.

djoin /provision /domain contoso.com /machine NYC-CL2 /savefile NYC-CL2.txt

4. Ensure that the command is completed successfully.


5. Open the Active Directory Users and Computers console, navigate to the New Computers OU, and
ensure that the NYC-CL2 account has been created there. The next step would be to run djoin
/requestodj /loadfile on the workstation, or against the drive, that is being provisioned. You will
perform this step in the lab.

Module Reviews and Takeaways


Review questions
1. What is the main difference between the Computers container and an OU?

Answer: You cannot create an OU within the Computers container, so you cannot subdivide it. Also, you
cannot link a Group Policy object to a container. For these reasons, we recommend that you move newly
created computer accounts from the Computers container to an OU.

2. When should you reset a computer account? Why is it better to reset the computer account than to
disjoin and rejoin it to the domain?

Answer: You should reset a computer account when the computer can no longer authenticate to the domain.
That happens, for example, when the operating system is reinstalled, the computer is restored from a
backup, or the machine account password has fallen out of sync with the domain. If you disjoin the computer
from the domain and rejoin it instead of resetting the account, you risk losing the computer account
altogether, which means losing the computer's SID and, more importantly, its group memberships. When you
rejoin the domain, even though the computer has the same name, the account has a new SID, and all the group
memberships of the previous computer object must be re-created.
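
The following is an added example, not code from the course, of the reset path the answer recommends, run on the affected client: test the secure channel, repair it (which resets the machine account password on both sides and keeps the existing computer object, SID and group memberships), and confirm the result. The domain controller name NYC-DC1 and the administrative account are assumptions.

```powershell
# Added example, not from the course. Run on the client that can no longer authenticate.
# Assumed: DC name NYC-DC1 and an account that may reset this computer's account.
$dc = 'NYC-DC1'

if (Test-ComputerSecureChannel -Server $dc) {
    'Secure channel to the domain is healthy; no reset needed.'
}
else {
    # -Repair resets the machine account password in AD DS and locally. Unlike disjoin/rejoin,
    # the computer object, its SID and its group memberships are untouched.
    $cred = Get-Credential 'CONTOSO\Pat.Coleman_Admin'
    Test-ComputerSecureChannel -Repair -Server $dc -Credential $cred

    # Verify before handing the machine back; a False here usually means the account was
    # deleted rather than broken, and then a rejoin really is required.
    Test-ComputerSecureChannel -Server $dc
}
```

The server-side equivalent is Reset Account on the computer object in Active Directory Users and Computers, or dsmod computer <DN> -reset; after either, the client still has to re-establish the channel, which the -Repair step above does in one go.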

3. In an Offline Domain Join, what should you do after you provision a new computer account to the
domain by using the djoin.exe utility?
Answer: After a new computer account is provisioned, transfer the blob text file, which contains the
domain and computer account information, to the destination computer that is to be joined to the domain.
Then run djoin.exe with the /requestodj switch. Because the file contains the machine account password,
protect it in transit and delete it once it has been consumed.
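
The following is an added example, not code from the course, that covers the whole offline join described in the demonstration and in this answer: provision the account, lock down the blob file because it carries the machine account password, apply the blob on a running installation or on an offline image, and verify the result. The OU path, the blob location and the deployment path C:\Deploy are assumptions; contoso.com and NYC-CL2 are the names the module uses.

```powershell
# Added example, not from the course. Assumed: the target OU, the blob location and C:\Deploy.
$domain   = 'contoso.com'
$machine  = 'NYC-CL2'
$ou       = 'OU=New Computers,DC=contoso,DC=com'
$blobFile = Join-Path $env:TEMP "$machine.txt"

# 1. Provision from a domain-joined machine, as an account allowed to create the computer object.
#    /machineou puts the object where its GPOs live; add /reuse to overwrite an existing account.
& djoin.exe /provision /domain $domain /machine $machine /machineou $ou /savefile $blobFile
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# 2. The blob embeds the machine account password. Drop inherited ACEs and leave access to the
#    provisioning user and SYSTEM only, before the file is copied anywhere.
$acl = Get-Acl -Path $blobFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($who in @("$env:USERDOMAIN\$env:USERNAME", 'NT AUTHORITY\SYSTEM')) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($who, 'FullControl', 'Allow')))
}
Set-Acl -Path $blobFile -AclObject $acl

# 3. On the target. On a running Windows 7 / Windows Server 2008 R2 installation:
#      djoin.exe /requestodj /loadfile C:\Deploy\NYC-CL2.txt /windowspath %SystemRoot% /localos
#    Against an offline image whose Windows directory is mounted at D:\Windows (no /localos):
#      djoin.exe /requestodj /loadfile C:\Deploy\NYC-CL2.txt /windowspath D:\Windows
#    The join takes effect at the next start of that installation. For unattended setups the same
#    base64 blob is supplied through the Microsoft-Windows-UnattendedJoin component of Unattend.xml.

# 4. Confirm the account landed in the intended OU, then dispose of the blob once it has been consumed.
Import-Module ActiveDirectory
Get-ADComputer -Identity $machine | Select-Object Name, DistinguishedName, Enabled
# Remove-Item $blobFile
```

Treat the blob exactly like a password file: one copy, transferred over a channel you trust, and removed from both ends after the /requestodj step succeeds.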

Common Issues Related to Computer Account Management


Issue                                   Troubleshooting tip
The computer cannot be joined           • Check that a domain controller is available.
to the domain.                          • Check the IP address and DNS settings on the client computer.
                                        • Check that the account used to join the computer to the domain
                                          has the necessary permissions to do so.

Group Policy is not applied to the      Check whether the computer account is still in the Computers
computer after it is joined to the      container. You cannot link GPOs to this container.
domain.

The Offline Domain Join is not          • Check that the name of the provisioned computer account is the
working as expected.                      same as the name of the computer being joined to the domain.
                                        • Do not use the /localos switch when you are targeting an offline
                                          image mounted from the destination computer's drive; point
                                          /windowspath at the Windows directory inside that image instead.

Real-World Issues and Scenarios


1. You are working as an IT technician in Contoso, Ltd. You are managing the Windows Server based
infrastructure. You have to find a method for joining new Windows 7 based computers to a domain
during the installation process without intervention of a user or an administrator.

Answer: The best way to do this is to first provision the computer accounts in AD DS by using the
djoin utility with the /provision switch, and then to use an unattended setup to perform the
installation. By using a utility such as Windows System Image Manager, you can perform an unattended
domain join during the operating system installation by providing the information that is relevant to
the domain join in an Unattend.xml file.

Best Practices for Computer Account Management


• Always provision a computer account before joining computers to a domain and place them in
appropriate OUs.

• Redirect the default Computer container to another location.


• Reset the computer account, instead of just doing a disjoin and rejoin.

• Integrate the Offline Domain Join functionality with unattended installations.

Tools
Tool                                              Use                                    Where to find it
Windows PowerShell with Active Directory Module   Computer account management            Administrative Tools
CSVDE, LDIFDE                                     Importing computer accounts in AD DS   Windows Server 2008 command prompt
Djoin.exe                                         Offline domain join                    Windows Server 2008 command prompt

Windows Server 2008 R2 Features Introduced in this Module


Windows Server 2008 R2 feature                    Description
Windows PowerShell with Active Directory Module   New administration utility for Active Directory, based on Windows PowerShell
Offline Domain Join                               New feature in Windows Server 2008 R2 and Windows 7 that allows you to join
                                                  machines to a domain even when they have no network connection to a domain
                                                  controller

Lab Review Questions and Answers


Question: What did you learn about the pros and cons of various approaches to creating
computer accounts in an AD DS domain?

Answer: Answers may vary depending on your own experience and situation.

Question: What are the two credentials that are necessary for any computer to join a
domain?

Answer: The necessary credentials are local credentials that are a member of the local
Administrators group on the computer, and domain credentials that have permission to join the
computer to the domain (or to the prestaged computer account).

Question: What insights did you gain into the issues and procedures regarding computer
accounts and administering computer accounts through their life cycle?
Answer: Answers will vary based on your own experience and situation.

Module 6
Implementing a Group Policy Infrastructure
Contents:
Lesson 1: Understand Group Policy 72

Lesson 2: Implement GPOs 75


Lesson 3: Manage Group Policy Scope 79

Lesson 4: Group Policy Processing 81

Module Reviews and Takeaways 83


Lab Review Questions and Answers 85

Lesson 1
Understand Group Policy
Contents:
Detailed Demonstration Steps 73

Additional Reading 74

Detailed Demonstration Steps


Demonstration: Exploring Group Policy Settings
Detailed demonstration steps
1. Switch to NYC-DC1.

2. In the GPMC, right-click the CONTOSO Standards GPO, and then click Edit.

3. Spend time exploring the settings that are available in a GPO. Do not make any changes.

4. Review the division between Computer Configuration and User Configuration.

5. Notice the timing with which computer and user settings are applied.

6. Examine the various policy categories and policy settings.



Additional Reading
Review the Components of Group Policy
TechNet contains detailed technical and operational guides to Group Policy, including the following:

• Windows Server Group Policy

• How Core Group Policy Works

• Deploying Group Policy Using Windows Vista

• Summary of New or Expanded Group Policy Settings

• What's New in Group Policy in Windows Vista



Lesson 2
Implement GPOs
Contents:
Detailed Demonstration Steps 76

Additional Reading 78

Detailed Demonstration Steps


Demonstration: Create, Link, and Edit GPOs
Detailed demonstration steps
Create a GPO

1. Start 6425C-NYC-DC1.

2. Log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.

3. Run Group Policy Management with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.

4. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the
Group Policy Objects container.
5. In the console tree, right-click the Group Policy Objects container, and then click New.

6. In Name, type CONTOSO Standards, and then click OK.

Open a GPO for editing


1. In the details pane of the Group Policy Management console (GPMC), right-click the CONTOSO
Standards GPO, and then click Edit.
The Group Policy Management Editor (GPME) appears.

2. Close the GPME.

Link a GPO
1. In the GPMC console tree, right-click the contoso.com domain, and then click Link an Existing GPO.

2. Select CONTOSO Standards and click OK.

Delegate the management of GPOs


1. In the GPMC console tree, click the contoso.com domain.
2. In the details pane, click the Delegation tab.

3. Review the default delegation.

4. In the GPMC console tree, expand the Group Policy Objects container, and then click the CONTOSO
Standards GPO.

5. In the details pane, click the Delegation tab.

6. Review the default delegation.


7. Run Active Directory Users and Computers with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.

8. In the console tree, click the Users container.

9. In the details pane, double-click the Group Policy Creator Owners group, and then click the
Members tab.

10. Review the default membership.

Delete a GPO

1. In the GPMC console tree, in the Group Policy Objects container, right-click the CONTOSO
Standards GPO, and then click Delete.

2. Click No.
Discuss the default connection to the PDC Emulator

1. In the GPMC console tree, right-click the contoso.com domain, and then click Change Domain
Controller.

2. Review the default settings.



Additional Reading
Local GPOs
• Multiple Local Group Policy objects

• Step-by-Step Guide to Managing Multiple Local Group Policy Objects

Manage GPOs and Their Settings


• GPO Operations

• Backing up, Restoring, Migrating, and Copying GPOs



Lesson 3
Manage Group Policy Scope
Contents:
Additional Reading 80

Additional Reading
WMI Filters
For more information on WMI and for examples of WMI filters, go to:

• WMI filtering using GPMC

• Windows Management Instrumentation (WMI) software development kit (SDK)



Lesson 4
Group Policy Processing
Contents:
Additional Reading 82

Additional Reading
Slow Links and Disconnected Systems
• How Core Group Policy Works

Module Reviews and Takeaways


Review questions
1. You have assigned a logon script to an OU via Group Policy. The script is located in a shared network
folder named Scripts. Some users in the OU receive the script, whereas others do not. What might be
the possible causes?

Answer: Security permissions might be the problem. If some users do not have Read access to the shared
network folder where the scripts are stored, the script cannot run for them. Security filtering on the
GPO might also be the cause.
2. What GPO settings are applied across slow links by default?

Answer: Registry-based (Administrative Templates) policy and Security Settings policy are always applied,
even when a slow link is detected. This behavior cannot be changed.

3. You need to ensure that a domain level policy is enforced, but the Managers global group needs to
be exempt from the policy. How would you accomplish this?
Answer: Set the link to be enforced at the domain level, and use security group filtering to deny the
Managers group the Apply Group Policy permission on the GPO.

Common Issues Related to Group Policy Management


Issue                                       Troubleshooting tip
Group Policy settings are not applied to    • Check security filtering on the GPO.
all users or computers in the OU where      • Check WMI filters on the GPO.
the GPO is linked.

Group Policy settings sometimes need two    • Enable the "Always wait for the network at computer
restarts to apply.                            startup and logon" policy setting.

Best Practices Related to Group Policy Management


• Name Group Policy objects, so you can easily identify them by name

• Apply Group Policy Object as high as possible in AD DS hierarchy

• Use Block Inheritance and Enforced options only when really necessary

• Make comments on GPO settings

Tools
Tool                            Use for                                                      Where to find it
Group Policy reporting (RSoP)   Reporting information about the current policies being       Group Policy Management Console
                                delivered to clients.

GPResult                        A command-line utility that displays RSoP information.       Command-line utility

GPUpdate                        Refreshing local and AD DS-based Group Policy settings.      Command-line utility

Dcgpofix                        Restoring the default Group Policy objects to their          Command-line utility
                                original state after initial installation.

GPOLogView                      Exporting Group Policy-related events from the system and    Command-line utility
                                operational logs into text, HTML, or XML files. For use
                                with Windows Vista, Windows 7, and later versions.

Group Policy Management         Sample scripts that perform a number of different
scripts                         troubleshooting and maintenance tasks.

Lab Review Questions and Answers


Question: Which policy settings are already being deployed by using Group Policy in your
organization?

Answer: Answers will vary.

Question: Which policy settings did you discover that you might want to implement in your
organization?

Answer: Answers will vary.

Question: Many organizations rely heavily on security group filtering to scope GPOs, rather
than linking GPOs to specific OUs. In these organizations, GPOs are typically linked very high
in the Active Directory logical structure—to the domain itself or to a first-level OU. What
advantages are gained by using security group filtering rather than GPO links to manage the
scope of the GPO?
Answer: The fundamental problem of relying on OUs to scope the application of GPOs is
that an OU is a fixed, inflexible structure within Active Directory, and that a single user or
computer can only exist within one OU. As organizations get larger and more complex,
configuration requirements are difficult to match in a one-to-one relationship with any
container structure. With security groups, a user or computer can exist in as many groups as
necessary, and can be added and removed easily without impacting the security or
management of the user or computer account.

Question: Why might it be useful to create an exemption group—a group that is denied the
Apply Group Policy permission—for every GPO you create?
Answer: There are very few scenarios in which you can be guaranteed that all of the settings
in a GPO will always need to apply to all users and computers within its scope. By having an
exemption group, you will always be able to respond to situations in which a user or
computer must be excluded. This can also help in troubleshooting compatibility and
functionality problems. Sometimes, specific GPO settings can interfere with the functionality
of an application. In order to test whether the application works on a "pure" installation of
Windows, you might need to exclude the user or computer from the scope of GPOs, at least
temporarily for testing.

Question: Do you use loopback policy processing in your organization? In which scenarios
and for which policy settings can loopback policy processing add value?

Answer: Answers will vary. Scenarios including conference rooms, kiosks, virtual desktop
infrastructures, and other "standard" environments should certainly be mentioned.

Question: In which situations have you used RSoP reports to troubleshoot Group Policy
application in your organization?

Answer: The correct answer will be based on your own experience and situation.
Question: In which situations have you used, or could you anticipate using, Group Policy
modeling?

Answer: The correct answer will be based on your own experience and situation.

Question: Have you ever diagnosed a Group Policy application problem based on events in
one of the event logs?
Answer: The correct answer will be based on your own experience and situation.

Module 7
Managing User Desktop with Group Policy
Contents:
Lesson 1: Implement Administrative Templates 87

Lesson 2: Configure Group Policy Preferences 91


Lesson 3: Manage Software with GPSI 94

Module Reviews and Takeaways 98

Lab Review Questions and Answers 100



Lesson 1
Implement Administrative Templates
Contents:
Detailed Demonstration Steps 88

Detailed Demonstration Steps


Demonstration: Work with Settings and GPOs
Detailed demonstration steps
Use Filter Options to locate policies in Administrative Templates

1. Switch to NYC-DC1.

2. Run Group Policy Management with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.

3. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the
Group Policy Objects container.

4. In the details pane, right-click the 6425C GPO, and then click Edit.
The Group Policy Management Editor appears.

5. In the console tree, expand User Configuration, expand Policies, and then click Administrative
Templates.

6. Right-click Administrative Templates, and then click Filter Options.

7. Select the Enable Keyword Filters check box.

8. In the Filter for word(s) text box, type screen saver.


9. In the drop-down list next to the text box, select Exact, and click OK.

Administrative Templates policy settings are filtered to show only those that contain the words screen
saver.
10. Spend a few moments examining the settings that you have found.

11. In the console tree, right-click Administrative Templates under User Configuration, and then click
Filter Options.
12. Clear the Enable Keyword Filters check box.

13. In the Configured drop-down list, select Yes, and then click OK.
Administrative Template policy settings are filtered to show only those that have been configured
(enabled or disabled).

14. Spend a few moments examining those settings.


15. In the console tree, right-click Administrative Templates under User Configuration and clear the
Filter On option.

Add comments to a policy setting

1. In the console tree, expand User Configuration, Policies, Administrative Templates, and Control
Panel, and then click Personalization.

2. Double-click the Enable screen saver policy setting.


3. In the Comment section, type Corporate IT Security Policy implemented with this policy in
combination with Password Protect the Screen Saver, and click OK.

4. Double-click the Password protect the screen saver policy setting.



5. In the Comment section, type Corporate IT Security Policy implemented with this policy in
combination with Enable screen saver, and click OK.

Add comments to a GPO


1. In the console tree of the Group Policy Management Editor, right-click the root node, 6425C [NYC-DC1.CONTOSO.COM], and then click Properties.

2. Click the Comment tab.

3. Type Contoso corporate standard policies. Settings are scoped to all users and computers in
the domain. Person responsible for this GPO: your name.

This comment appears on the Details tab of the GPO in the GPMC.

4. Click OK and then close the Group Policy Management Editor.

Create a new GPO from a starter GPO

1. In the console tree of the GPMC, click the Starter GPOs container.

2. In the details pane, click the Create Starter GPOs Folder button.


3. In the console tree, right-click the Starter GPOs container, and then click New.

4. In Name: type CONTOSO Starter GPO, and then click OK.


5. In the details pane, right-click CONTOSO Starter GPO, and then click Edit.

The Group Policy Management Editor appears. Review and edit the settings as desired.

6. Close the Group Policy Starter GPO Editor.


7. In the details pane, right-click CONTOSO Starter GPO, and then click New GPO From Starter GPO.
8. In Name: type CONTOSO Desktop, and then click OK.

Create a new GPO by copying an existing GPO

1. In the GPMC console tree, expand the Group Policy Objects container, right-click the CONTOSO
Desktop GPO, and then click Copy.

2. Right-click the Group Policy Objects container, click Paste, and then click OK.
3. Click OK.

Create a new GPO by importing settings that were exported from another GPO

1. In the GPMC console tree, expand the Group Policy Objects container, right-click the
CONTOSO Desktop GPO, and then click Back Up.

2. In Location: type D:\Labfiles\Lab07c, and then click Back Up.

3. When the backup finishes, click OK.

4. In the GPMC console tree, right-click the Group Policy Objects container, and then click New.

5. In Name: type CONTOSO Import, and then click OK.

6. In the GPMC console tree, right-click the CONTOSO Import GPO, and then click Import Settings.

The Import Settings Wizard appears.


7. Click Next three times.

8. Select CONTOSO Desktop, and then click Next two times.



9. Click Finish, and then click OK.
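The starter, comment, copy, back up and import sequence above, scripted with the GroupPolicy module that ships with Windows Server 2008 R2, as an added example that is not part of the course material. It assumes the GPO names and the D:\Labfiles\Lab07c backup path used in the demonstration; the summary function is mine.

```powershell
# Added example, not part of the course. Runs the demonstration's GPO lifecycle
# (starter GPO, new GPO, comment, copy, back up, import) with the GroupPolicy
# module, then summarises the result so the import can be checked.
Import-Module GroupPolicy

$backupPath = 'D:\Labfiles\Lab07c'   # backup location used by the demonstration

# Starter GPO, and a GPO created from it.
New-GPStarterGPO -Name 'CONTOSO Starter GPO' | Out-Null
$desktop = New-GPO -Name 'CONTOSO Desktop' -StarterGPOName 'CONTOSO Starter GPO'

# The Comment tab of a GPO is the Description property of the GPO object;
# assigning it writes the comment back to the directory.
$desktop.Description = 'Contoso corporate standard policies. Settings are scoped to all users and computers in the domain. Person responsible for this GPO: <your name>.'

# Copy the GPO, then back it up and import the backup into a new GPO.
Copy-GPO -SourceName 'CONTOSO Desktop' -TargetName 'CONTOSO Desktop (copy)' | Out-Null
$backup = Backup-GPO -Name 'CONTOSO Desktop' -Path $backupPath -Comment 'Lab07c baseline'
Import-GPO -BackupId $backup.Id -Path $backupPath -TargetName 'CONTOSO Import' -CreateIfNeeded | Out-Null

function Get-GpoSummary([string[]]$Names) {
    # Confirms each GPO exists and shows its comment plus the AD version counters,
    # which move off zero once settings have been imported or edited.
    foreach ($name in $Names) {
        Get-GPO -Name $name | Select-Object DisplayName, Description,
            @{ Name = 'ComputerVersion'; Expression = { $_.Computer.DSVersion } },
            @{ Name = 'UserVersion';     Expression = { $_.User.DSVersion } }
    }
}

Get-GpoSummary 'CONTOSO Desktop', 'CONTOSO Desktop (copy)', 'CONTOSO Import' |
    Format-Table -AutoSize

# Same report the GPMC shows on the Settings tab, saved next to the backup.
Get-GPOReport -Name 'CONTOSO Import' -ReportType Html -Path "$backupPath\CONTOSO Import.html"
```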



Lesson 2
Configure Group Policy Preferences
Contents:
Detailed Demonstration Steps 92

Additional Reading 93

Detailed Demonstration Steps


Demonstration: Configure Group Policy Preferences
Detailed demonstration steps
1. On 6425C-NYC-DC1, in GPMC, click the Group Policy Objects folder, in the details pane, right-click
the Default Domain Policy, and then click Edit.

2. Expand Computer Configuration, expand Preferences, expand Windows Settings, right-click
Shortcuts, point to New, and then click Shortcut.
3. In the New Shortcut Properties dialog box, select Create from the Action list.

4. In the Name box, type Notepad.

5. In the Location box, click the arrow, and then select All Users Desktop.
6. In the Target path box, type C:\Windows\System32\Notepad.exe.

7. On the Common tab, select the Item-level targeting check box, and then click Targeting.
8. In the Targeting Editor dialog box, click New Item, and then click Computer Name.
9. In the Computer name box, type NYC-CL1, and then click OK twice.

10. Under Windows Settings, right-click Folders, point to New, and then click Folder.

11. In the New Folder dialog box, select Create from the Action list.
12. In the Path field, type C:\Reports.

13. On the Common tab, select the Item-level targeting check box, and then click Targeting.
14. In the Targeting Editor dialog box, click New Item, and then click Operating System.
15. In the Product list, click Windows Server 2008 R2, and then click OK twice.

Additional Reading
Differences Between Group Policy Preferences and Settings
• For an overview of Group Policy preferences, see

Lesson 3
Manage Software with GPSI
Contents:
Detailed Demonstration Steps 95

Additional Reading 97

Detailed Demonstration Steps


Demonstration: Create a Software Distribution Point
Detailed demonstration steps
1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password, Pa$$w0rd.

2. Start 6425C-NYC-SVR1, but do not log on.

3. Switch to NYC-DC1.

4. Run Active Directory Users and Computers with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.

5. In the console tree, expand the contoso.com domain and the Groups OU, and then click the
Application OU.
6. Right-click the Application OU, point to New, and then click Group.

7. Type APP_XML Notepad, and then press Enter.

8. In the console tree, expand the contoso.com domain and the Servers OU, and then click the File
OU.

9. In the details pane, right-click NYC-SVR1, and then click Manage.


The Computer Management console opens, focused on NYC-SVR1.
10. In the console tree, expand System Tools and Shared Folders, and then click Shares.

11. Right-click Shares, and then click New Share. The Create a Shared Folder Wizard appears.
12. Click Next.

13. In the Folder Path box, type C:\Software, and then click Next.

A message appears asking if you want to create the folder.


14. Click Yes.
15. Accept the default Share name, Software, and then click Next.

16. Click Customize permissions, and then click Custom.

17. Click Security.

18. Click Advanced.

The Advanced Security Settings dialog box appears.

19. Click Change Permissions.

20. Clear the Include inheritable permissions from this object's parent option.

A dialog box appears asking if you want to Add or Remove inherited permissions.

21. Click Add.


22. Select the first permission assigned to the Users group, and then click Remove.

23. Select the remaining permission assigned to the Users group, and then click Remove.
24. Select the permission assigned to Creator Owner, and then click Remove.

25. Click OK two times to close the Advanced Security Settings dialog boxes.

26. In the Customize Permissions dialog box, click the Share Permissions tab.

27. Select the Full Control check box.

The security management best practice is to configure least privilege permissions in the NTFS ACL of the
resource, because those permissions apply regardless of how users connect to the resource; the SMB
shared folder can then be given the Full Control share permission. The resultant access level is the
more restrictive of the two, that is, the permissions defined in the ACL of the folder.

28. Click OK.

29. Click Finish.

30. Click Finish to close the wizard.

31. Click Start, click Run, type \\NYC-SVR1\c$, and then press Enter.

The Connect to NYC-SVR1 dialog box appears.

32. In the User name box, type CONTOSO\Pat.Coleman_Admin.


33. In the Password box, type Pa$$w0rd, and then press Enter.

A Windows Explorer window opens, focused on the root of the drive C on NYC-SVR1.
34. Open the Software folder.

35. Click New folder.

A new folder is created and is in "rename mode."


36. Type XML Notepad, and then press Enter.
37. Right-click the XML Notepad folder, and then click Properties.

38. Click Security.

39. Click Edit.


40. Click Add. The Select Users, Computers, Service Accounts, or Groups dialog box appears.

41. Type APP_XML Notepad, and then press Enter.


The group is given the default, Read & Execute permission.

42. Click OK twice to close all open dialog boxes.

43. Open the XML Notepad folder.

44. Open the D:\Labfiles\Lab07c folder in a new window.

45. Right-click XMLNotepad.msi, and then click Copy.

46. Switch to the Windows Explorer window, displaying \\NYC-SVR1\c$\Software\XML Notepad.

47. Right-click in the empty details pane, and then click Paste.
XML Notepad is copied into the folder on NYC-SVR1.

48. Close all open Windows Explorer windows.

49. Close the Computer Management console.



Additional Reading
Software Deployment Options
• Group Policy Software Installation overview

Module Reviews and Takeaways


Review questions
1. What is the benefit of having a Central Store?

Answer: The Central Store is a single folder in SYSVOL that holds all the .ADMX and .ADML files that are
required. After you have set up the Central Store, the GPME recognizes it and loads all administrative
templates from the Central Store instead of from the local machine.

2. What is the main difference between Group Policy Settings and Group Policy Preferences?

Answer: Group Policy settings enforce a setting on the client side and disable the client interface for
modifying it; Group Policy preferences provide settings but still allow the client to modify them.

3. What is the difference between publishing and assigning software through GPSI?
Answer: If you assign software to a user or computer, it is installed without asking the user whether
they want it. Publishing software lets the user decide whether or not the software is installed.

Common Issues Related to Group Policy Management


Issue: Group Policy Preferences are not being applied.
Troubleshooting tip: Check the preference settings for item-level targeting or incorrect configuration.

Issue: Group Policy Software Installation does not work for some users.
Troubleshooting tip: Check the security settings on the network share where the software installation
package resides. Check the scoping of the Group Policy Object.

Real-World Issues and Scenarios


Question: You have a number of logon scripts that map network drives for users. Not all users need these
drive mappings, so you must ensure that only the right users get the mappings. You want to move away
from using these scripts.
Answer: You can achieve this by using Group Policy preferences. There is an option to configure drive
mappings, and you can use preference item-level targeting to deliver the right mappings to the appropriate users.

Best Practices Related to Group Policy Management


• Make comments on GPO settings

• Use the Central Store for administrative templates when you have clients running Windows Vista and
Windows 7

• Use Group Policy preferences to configure settings not available in Group Policy set of settings

• Use Group Policy Software Installation to deploy packages in .msi format to a large number of users
or computers.

Tools
Tool: Group Policy reporting (RSoP)
Use for: Reporting information about the current policies being delivered to clients.
Where to find it: Group Policy Management Console

Tool: GPResult
Use for: A command-line utility that displays RSoP information.
Where to find it: Command-line utility

Tool: GPUpdate
Use for: Refreshing local and AD DS-based Group Policy settings.
Where to find it: Command-line utility

Tool: Dcgpofix
Use for: Restoring the default Group Policy objects to their original state after initial installation.
Where to find it: Command-line utility

Tool: GPOLogView
Use for: Exporting Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista and later versions.
Where to find it: Command-line utility

Lab Review Questions and Answers


Question: Describe the relationship between administrative template files (both .ADMX and
.ADML files) and the GPME.

Answer: .ADMX files create the user interface for the GPME and determine the registry
values that are applied when a policy setting is defined. .ADML files provide language-
specific elements (the text) in the user interface.

Question: When does an enterprise get a central store? What benefits does it provide?

Answer: A central store is manually created by adding a PolicyDefinitions folder to
\\domain\sysvol\domain\Policies. A central store provides a single point of management for
administrative templates and reduces the size of Group Policy templates (GPTs).

Question: What are the advantages of managing Group Policy from a client running the
latest version of Windows? Do the settings you manage apply to the previous versions of
Windows?

Answer: If you manage Group Policy with a client running the latest version of Windows,
you will be able to use the latest administrative templates, and you will be able to view
settings that apply to this and all previous versions of Windows. The policy settings you
configure will apply not based on the version of Windows from which you manage Group
Policy, but rather on the versions of Windows to which the policy setting can apply.
Question: What is the alternate method of providing drive mapping to users, instead of
using Preferences?

Answer: You can use the logon script configured in ordinary Group Policy settings.
Question: If you apply a Group Policy preferences setting, can you change this setting on
the client side?
Answer: Yes, because Group Policy preferences do not enforce settings and do not block the
user interface.

Question: Consider the NTFS permissions you applied to the Software and XML Notepad
folders on NYC-SVR1. Explain why these least privilege permissions are preferred to the
default permissions.

Answer: The default permissions on a new NTFS folder include inherited permissions that are
not least privilege. First, the USERS group is given the ability to add files and folders. In a
software distribution folder, only administrators who need to add new applications should
have the ability to add files and folders. Second, CREATOR OWNER special identity is given
full control. This means that whoever adds a file or folder gets an explicit permission that
allows full control, which may or may not be appropriate for each file and folder added to a
software deployment point. Third, the USERS group is also given the ability to read all files
and folders, which will allow them to install any software in the software distribution folder.
Because most software is licensed per computer or per user, you can improve your
compliance by allowing only a specified group to read the installation files for each
application. The SOFTWARE folder (the root) gives access (full control) only to Administrators
and System. The application subfolder, for example, XML Notepad, gives read access to a
group that is allowed to install the application, such as APP_XML Notepad. Those users can
get to the subfolder even though they do not have access to the SOFTWARE folder. Windows
allows all authenticated users the "traverse folders" privilege by default, which allows users to

navigate to a specific subfolder to which they have access even if they do not have
permission to a parent folder. The least privilege ACLs used in this Lab are a perfect example
of the value of this user right.
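The least privilege layout this answer describes, and the Lesson 3 demonstration builds by hand, scripted and then audited, as an added example that is not part of the course material. It assumes the C:\Software path, the Software share and the CONTOSO\APP_XML Notepad group from the lab; the helper function names are mine.

```powershell
# Added example, not part of the course. The NTFS ACL does the restricting and the
# share grants Full Control, as the demonstration explains; the last function
# reports the inherited Users and CREATOR OWNER ACEs that should no longer exist.
$root     = 'C:\Software'
$appDir   = Join-Path $root 'XML Notepad'
$appGroup = 'CONTOSO\APP_XML Notepad'

function New-FolderAce([string]$Identity, [string]$Rights) {
    # Allow ACE that applies to this folder, its subfolders and its files.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
}

# Root folder: stop inheriting from C:\ and discard the inherited ACEs (what
# clearing "Include inheritable permissions" and removing the Users and
# CREATOR OWNER entries achieved in the wizard), then grant only
# Administrators and SYSTEM.
New-Item -ItemType Directory -Path $root -Force | Out-Null
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-FolderAce 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-FolderAce 'NT AUTHORITY\SYSTEM' 'FullControl'))
Set-Acl -Path $root -AclObject $acl

# Application subfolder: inherits Administrators and SYSTEM from the root and
# adds Read & Execute for the one group allowed to install this application.
New-Item -ItemType Directory -Path $appDir -Force | Out-Null
$appAcl = Get-Acl -Path $appDir
$appAcl.AddAccessRule((New-FolderAce $appGroup 'ReadAndExecute'))
Set-Acl -Path $appDir -AclObject $appAcl

# Share it with Full Control; the more restrictive NTFS ACL is what users get.
net share "Software=$root" '/GRANT:Everyone,FULL' | Out-Null

function Test-DistributionPointAcl([string]$Path) {
    # Returns any ACE for Users or CREATOR OWNER; a clean folder returns nothing.
    (Get-Acl -Path $Path).Access |
        Where-Object { 'BUILTIN\Users', 'CREATOR OWNER' -contains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

Test-DistributionPointAcl -Path $root     # expected: no output
Test-DistributionPointAcl -Path $appDir   # expected: no output
```

Run Test-DistributionPointAcl against any other folder under the share to catch a subfolder that was created before inheritance was cut and still carries the default ACEs.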

Question: Consider the methods used to scope the deployment of XML Notepad: Assigning
the application to computers, filtering the GPO to apply to the APP_XML Notepad group
that contains only computers, and linking the GPO to the Client Computers OU. Why is this
approach advantageous for deploying most software? What would be the disadvantage of
scoping software deployment to users rather than to computers?

Answer: Most software is licensed per computer, so it is important to deploy such
applications scoped to computers, rather than to users. The result is the same—the
application is deployed to the computers of the users who require the application. If you
were to deploy an application to users, it would "follow" the users to whichever computers
they logged on to. For example, if a user is logged on to a conference room computer or to
a colleague's computer, the application would be installed on those computers as well. By
scoping to a group of computers, and linking the GPO to a high-level OU (or even to the
domain), it gives you maximum flexibility to deploy the application to whichever computers
require it.

Module 8
Managing Enterprise Security and Configuration with Group
Policy Settings
Contents:
Lesson 1: Manage Group Membership by Using Group Policy Settings 103

Lesson 2: Manage Security Settings 107


Lesson 4: Software Restriction Policy and AppLocker 110

Module Reviews and Takeaways 113

Lab Review Questions and Answers 114



Lesson 1
Manage Group Membership by Using Group Policy
Settings
Contents:
Detailed Demonstration Steps 104

Additional Reading 106



Detailed Demonstration Steps


Demonstration: Delegate Administration by Using Restricted Groups
Policies

Detailed demonstration steps


1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.

2. On NYC-DC1 click Start, point to Administrative Tools and run Group Policy Management with
administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

3. In the console tree, expand Forest:contoso.com, Domains and contoso.com, and then click the
Group Policy Objects container.

4. Right-click the Group Policy Objects container, and then click New.

5. In the Name box, type Corporate Help Desk, and then click OK.
6. In the details pane, right-click Corporate Help Desk, and then click Edit.

The Group Policy Management Editor appears.

7. In Group Policy Management Editor, go to Computer Configuration\Policies\Windows
Settings\Security Settings\Restricted Groups.
8. Right-click Restricted Groups and click Add Group.

9. Click Browse and, in the Select Groups dialog box, type the name of the group you want to add to
the Administrators group—for example, CONTOSO\Help Desk—and click OK.
10. Click OK to close the Add Group dialog box.

A Properties dialog box appears.


11. Click Add next to the This group is a member of section.
12. Type Administrators, and click OK.

The Properties group policy setting should look similar to the dialog box on the left of the side-by-
side dialog boxes shown earlier.

13. Click OK again to close the Properties dialog box.

Delegating the membership of the local Administrators group in this manner adds the group specified in
step 9 to that group. It does not remove any existing members of the Administrators group. The Group
Policy setting simply tells the client, “Make sure this group is a member of the local Administrators group.”
This allows for the possibility that individual systems could have other users or groups in their local
Administrators group. This group policy setting is also cumulative. If multiple GPOs configure different
security principals as members of the local Administrators group, all will be added to the group.

To take complete control of the local Administrators group, follow these steps:

Demonstration Steps
1. In Group Policy Management Editor, go to Computer Configuration\Policies\Windows
Settings\Security Settings\Restricted Groups.

2. Right-click Restricted Groups, and click Add Group.


3. Type Administrators, and click OK.

A Properties dialog box appears.

4. Click Add next to the Members of this group section.

5. Click Browse and enter the name of the group you want to make the sole member of the
Administrators group—for example, CONTOSO\Help Desk—and click OK.

6. Click OK again to close the Add Member dialog box.

The group policy setting Properties should look similar to the dialog box on the left of the side-by-
side dialog boxes shown earlier.
7. Click OK again to close the Properties dialog box.

When you use the Members setting of a restricted groups policy, the Members list defines the final
membership of the specified group. The steps just listed result in a GPO that authoritatively manages
the Administrators group. When a computer applies this GPO, it adds all members specified by the
GPO and removes all members not specified by the GPO, including Domain Admins. Only the local
Administrator account will not be removed from the Administrators group because Administrator is a
permanent and irremovable member of Administrators.
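A read-only preview of what the two restricted groups settings described above do to a real computer, as an added example that is not part of the course material: it lists the current local Administrators membership over ADSI and marks which members an authoritative Members list would keep, remove or add. It assumes NYC-CL1 and CONTOSO\Help Desk from the demonstration; the function names are mine, and nothing is changed on the target.

```powershell
# Added example, not part of the course. Works on Windows Server 2008 R2 /
# PowerShell 2.0 (no Get-LocalGroupMember there), using the WinNT ADSI provider.
function Get-LocalGroupMembership {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$GroupName = 'Administrators'
    )
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $type     = $member.GetType()
        $path     = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $sidBytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidBytes, 0
        # ADsPath is WinNT://CONTOSO/Domain Admins for domain principals and
        # WinNT://CONTOSO/NYC-CL1/Administrator for local ones; the last two
        # components give DOMAIN\Name or COMPUTER\Name.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        New-Object PSObject -Property @{
            Name = ($parts[-2..-1] -join '\')
            Sid  = $sid.Value
            # The built-in Administrator is the local account with RID 500; the
            # policy never removes it, so it is always marked "keep" below.
            IsBuiltinAdministrator = ($parts[-2] -eq $ComputerName) -and ($sid.Value -like '*-500')
        }
    }
}

function Test-RestrictedGroupMembers {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$GroupName = 'Administrators',
        [string[]]$Members          # the authoritative "Members of this group" list
    )
    $current = @(Get-LocalGroupMembership -ComputerName $ComputerName -GroupName $GroupName)
    # What the Members setting would do to each existing member (Domain Admins
    # included): string -contains and -eq are case-insensitive in PowerShell.
    foreach ($m in $current) {
        $keep = $m.IsBuiltinAdministrator -or ($Members -contains $m.Name)
        New-Object PSObject -Property @{
            Member = $m.Name
            Action = $(if ($keep) { 'keep' } else { 'remove' })
        }
    }
    # Listed principals that are not members yet would be added.
    foreach ($wanted in $Members) {
        if (-not ($current | Where-Object { $_.Name -eq $wanted })) {
            New-Object PSObject -Property @{ Member = $wanted; Action = 'add' }
        }
    }
}

# For the "This group is a member of" variant, only the 'add' rows apply; the
# 'remove' rows show the extra effect of the authoritative Members setting.
Test-RestrictedGroupMembers -ComputerName 'NYC-CL1' -Members 'CONTOSO\Help Desk' |
    Format-Table Member, Action -AutoSize
```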

Additional Reading
Define Group Membership with Group Policy Preferences
• Group Policy Management Console Help, "Local Users and Groups Extension"

Lesson 2
Manage Security Settings
Contents:
Detailed Demonstration Steps 108

Additional Reading 109



Detailed Demonstration Steps


Demonstration: Create and Deploy Security Templates
Detailed demonstration steps
1. Start 6425C-NYC-DC1.

2. Log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.

3. Click Start and, in the search box, type mmc.exe and press Enter. When prompted, supply
administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

4. Click File, and then click Add/Remove Snap-in.

5. In the Available snap-ins list, select Security Templates, then click Add.
6. Click OK.

7. Click File, and then click Save.

The Save As dialog box appears.


8. Type C:\Security Management, and then press Enter.

9. In the console tree, expand Security Templates.

10. Right-click C:\Users\Pat.Coleman_Admin\Documents\Security\Templates, and then click New Template.
11. Type DC Remote Desktop, and then click OK.

12. Click Start, point to Administrative Tools, and run Group Policy Management with administrative
credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
13. In the console tree, expand Forest:contoso.com, Domains, and contoso.com, and then click the
Group Policy Objects container.
14. In the details pane, right-click the Corporate Help Desk, and then click Edit.

The Group Policy Management Editor appears.

15. In the console tree, expand Computer Configuration, Policies, Windows Settings, and then click
Security Settings.

16. Right-click Security Settings, and then click Import Policy.

17. Select the DC Remote Desktop template, and then click Open.
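Once the template is in the Corporate Help Desk GPO and the DC has refreshed policy, the check a practitioner wants is whether each template setting is actually in effect. This added example, not part of the course material, exports the effective security policy with Secedit.exe and diffs it against the template; it assumes the template path from step 10, an output path under C:\Security Management, and the parsing functions are mine.

```powershell
# Added example, not part of the course. Security templates and secedit exports
# are INI-style files, so a small parser is enough to compare them setting by setting.
$template  = 'C:\Users\Pat.Coleman_Admin\Documents\Security\Templates\DC Remote Desktop.inf'
$effective = 'C:\Security Management\effective.inf'   # assumed output path

function Read-SecurityInf([string]$Path) {
    # Returns a hashtable of [Section] names, each holding a hashtable of key = value settings.
    $sections = @{}
    $section  = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $sections[$section] = @{}
            continue
        }
        if ($section -eq '' -or $line -notmatch '=') { continue }
        $key, $value = $line -split '=', 2
        $sections[$section][$key.Trim()] = $value.Trim()
    }
    $sections
}

function Compare-SecurityTemplate([string]$TemplatePath, [string]$EffectivePath) {
    # Emits one object per template setting whose effective value differs or is absent.
    $want = Read-SecurityInf -Path $TemplatePath
    $have = Read-SecurityInf -Path $EffectivePath
    foreach ($section in $want.Keys) {
        if ('Unicode', 'Version' -contains $section) { continue }   # file metadata, not settings
        foreach ($key in $want[$section].Keys) {
            $expected = $want[$section][$key]
            $actual   = $null
            if ($have.ContainsKey($section)) { $actual = $have[$section][$key] }
            if ($actual -ne $expected) {
                New-Object PSObject -Property @{
                    Section = $section; Setting = $key; Expected = $expected; Actual = $actual
                }
            }
        }
    }
}

# /mergedpolicy exports the local security policy merged with the domain policy
# applied to this computer, which is what the imported template should now match.
secedit /export /mergedpolicy /cfg "$effective" /quiet | Out-Null
Compare-SecurityTemplate -TemplatePath $template -EffectivePath $effective |
    Format-Table Section, Setting, Expected, Actual -AutoSize   # empty table = all in effect
```

A row whose Actual value is blank means the section or setting is missing from the effective policy entirely, typically because the GPO is not yet linked to the DC or policy has not refreshed.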

Additional Reading
Configure the Local Security Policy
• Server Security Policy Settings

Manage Security Configuration with Security Templates


• For full details regarding Secedit.exe and its switches, see

Security Configuration Wizard


• Security Configuration Wizard

Lesson 4
Software Restriction Policy and AppLocker
Contents:
Detailed Demonstration Steps 111

Additional Reading 112



Detailed Demonstration Steps


Demonstration: How to Configure Application Control Policies
Detailed demonstration steps
Note You require the 6425C-NYC-DC1 and 6425C-NYC-CL1 virtual machines to complete this
demonstration. Log on to the 6425C-NYC-DC1 as Contoso\Administrator, with the password,
Pa$$w0rd. Do not start NYC-CL1 until directed to do so.

Create a GPO to enforce the default AppLocker Executable rules.

1. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.

2. Apply the GPO to the Contoso.com domain.

3. In the Group Policy Management window, expand Forest: Contoso.com.

4. Expand Domains.

5. Expand Contoso.com.

6. Expand Group Policy Objects.

7. Drag the WordPad Restriction Policy GPO on top of the Contoso.com domain container.

8. Click OK to link the GPO to the domain.

9. Close the Group Policy Management console.

10. Click Start, in the Search programs and files box, type cmd, and then press Enter.
11. In the Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to
be updated.

Test the AppLocker rule.

1. Start and then log on to the NYC-CL1 as Contoso\Alan.Brewer, with the password, Pa$$w0rd.

2. Click Start, in the Search programs and files box, type cmd, and then press Enter.

3. In the Command Prompt window, type gpupdate /force, and press Enter. Wait for the policy to be
updated.

4. Click Start, click All programs, click Accessories, and then click WordPad.

5. Click OK when prompted with a message.
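Rather than launching WordPad to see the message, the same result can be checked from the AppLocker module and the AppLocker event log, as an added example that is not part of the course material. It runs on NYC-CL1 after step 3, assumes WordPad's default installation path and an XML export under %TEMP%, and the function names are mine.

```powershell
# Added example, not part of the course. Evaluates a file against the effective
# AppLocker policy for a given user, then lists the EXE and DLL events that
# enforcement (or audit-only mode) writes, so a block can be confirmed remotely.
Import-Module AppLocker

$wordpad   = 'C:\Program Files\Windows NT\Accessories\wordpad.exe'
$policyXml = "$env:TEMP\effective-applocker.xml"    # assumed export path

function Get-AppLockerDecision([string]$Path, [string]$User) {
    # -Effective merges the local policy with every applied GPO, which is exactly
    # what the client enforces after gpupdate. PolicyDecision comes back as
    # Allowed, Denied, AllowedByDefault or DeniedByDefault.
    Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyXml
    Test-AppLockerPolicy -XmlPolicy $policyXml -Path $Path -User $User
}

function Get-AppLockerEnforcementEvents([int]$Newest = 25) {
    # 8004 = executable blocked (enforce rules); 8003 = would have been blocked (audit only).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003, 8004
    } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, UserId,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
}

# Expected after the WordPad Restriction Policy GPO applies: Denied for Alan.Brewer.
Get-AppLockerDecision -Path $wordpad -User 'CONTOSO\Alan.Brewer' |
    Format-List FilePath, PolicyDecision, MatchingRule

# After step 4 a fresh 8004 event for wordpad.exe should be at the top.
Get-AppLockerEnforcementEvents | Format-Table -AutoSize
```

If the decision is Denied but no 8004 event appears, check that the Application Identity service is running on the client, since AppLocker does not enforce without it.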



Additional Reading
What Is a Software Restriction Policy?
• Using Software Restriction Policies to Protect Against Unauthorized Software

Overview of Application Control Policies


• AppLocker Overview

• AppLocker Walkthrough

Module Reviews and Takeaways


Review questions
1. Describe the procedure used to apply a security template to a computer.

Answer: Use the Security Configuration And Analysis snap-in to create a database. Import the template
into the database, and then apply the database settings to the computer by using the Configure
Computer Now command.

2. Why must AppLocker rules be defined in a GPO separate from SRP rules?

Answer: AppLocker rules are completely separate from SRP rules and cannot be used to manage pre-
Windows 7 computers. The two policies are also separate. If AppLocker rules have been defined in a GPO,
only those rules are applied. Therefore, define AppLocker rules in a separate GPO to ensure
interoperability between SRP and AppLocker policies.

Windows Server 2008 R2 Features Introduced in This Module


Windows Server 2008 R2 feature: AppLocker
Description: Used to control how users can access and use applications.

Lab Review Questions and Answers


Question: Using only restricted groups policies, what should you do to ensure that the only
members of the local Administrators group on a client computer are the Help Desk in the
site-specific Support group and to remove any other members from the local Administrators
group?

Answer: This is a tricky question and requires some creative thinking. You can configure a
Members policy setting for the Administrators group that adds the Administrator account.
This would have the effect of cleaning out all other group members, and of course the
Administrator account is already a member of the Administrator forest and cannot be
removed. Then, you can configure restricted group policy settings for the Help Desk and the
site-specific Support groups, as you did in the Lab. Alternately, you could use a Local Group
preference configured to delete all member users and groups.

Question: Describe a situation where you would use both security templates and the
Security Configuration Wizard to secure a server.
Answer: Security templates contain some settings that are not available in the Security
Configuration Wizard, such as restricted groups. If you need to incorporate these additional
settings, you can import a configured security template into the Security Configuration
Wizard, and convert it to a GPO.

Question: What are the three major steps required to configure auditing of file system and
other object access?

Answer: The three major steps are:


1. Configure auditing settings on the file/folder SACL.
2. Enable audit policy for object access in a GPO scoped to the server.
3. Examine event log audit entries.

Question: What systems should have auditing configured? Is there a reason not to audit all
systems in your enterprise? What types of access should be audited, and by whom should
they be audited? Is there a reason not to audit all access by all users?

Answer: Auditing should reflect IT security and usage policies. Auditing not only puts a
(small) burden on the performance of a system, but also generates excessive “noise” that can
make finding the “important” events even harder. What, who, and when auditing is
performed should be aligned with why auditing is being performed—as driven by your
business requirements.
Question: How can you permit access to only a specific set of applications for a set of
computers in your environment?

Answer: Place the computers in an OU, create a GPO, and link it to the OU. In the GPO,
configure the default AppLocker rules to block applications. Then, allow the applications you
want the computers to have access to.

Module 9
Securing Administration
Contents:
Lesson 1: Delegate Administrative Permissions 116

Lesson 2: Audit Active Directory Administration 120


Module Reviews and Takeaways 123

Lab Review Questions and Answers 125



Lesson 1
Delegate Administrative Permissions
Contents:
Detailed Demonstration Steps 117

Additional Reading 119



Detailed Demonstration Steps


Demonstration: Assign a Permission by Using the Advanced Security
Settings Dialog Box

Detailed Demonstration Steps


1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.

2. Click Start, point to Administrative Tools, and run Active Directory Users and Computers with
administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

3. Click the View menu and select Advanced Features.

4. Right-click an object such as a user account, and then choose Properties. For this example use Jeff
Ford located in the User Accounts\Employees OU.

5. Click the Security tab.


6. Click the Advanced button.

7. Click the Add button.

If you have User Account Control enabled, you may need to click Edit, and perhaps enter
administrative credentials, before the Add button appears.
8. In the Select dialog box, select the security principal to which permissions will be assigned.

It is an important best practice to assign permissions to groups, not to individual users.


In this example, select your Help Desk group, and then press ENTER. The Permission Entry dialog
box appears.

9. Configure the permissions you want to assign.


For this example, on the Object tab, scroll down the list of Permissions, and then click Allow: Reset
password.

10. Click OK to close each dialog box.

Demonstration: Delegate Administrative Tasks with the Delegation of


Control Wizard
Detailed Demonstration Steps
1. On NYC-DC1, click Start, point to Administrative Tools, and run Active Directory Users and
Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password
Pa$$w0rd.

2. Right-click the node (domain or OU) for which you want to delegate administrative tasks or control,
and choose Delegate Control.

In this example, select the Employees OU.

The Delegation of Control Wizard appears, to guide you through the required steps.
3. Click Next.

You will first select the administrative group to which you are granting privileges.

4. In the Users or Groups page, click the Add button.

a. Use the Select dialog box to select the group, and then click OK. For this example use the Help
Desk group.
5. Click Next.

You will next specify the task you wish to assign to that group.

6. On the Tasks to Delegate page, select the task.


In this example, select Reset User Passwords and Force Password Change at Next Logon.

7. Click Next.

8. Review the summary of the actions that have been performed, and click Finish.
The Delegation of Control Wizard applies the ACEs that are required to enable the selected group to
perform the specified task.
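
The same delegation can be written without the wizard. The following PowerShell script is an added example for this companion content, not part of the course or of the wizard's own code. It grants the Help Desk group the Reset Password control access right and read/write on pwdLastSet for user objects under the Employees OU, which is what the task selected in step 6 amounts to. It assumes the ActiveDirectory module of Windows Server 2008 R2, that the group's sAMAccountName is Help Desk, and the OU path OU=Employees,OU=User Accounts,DC=contoso,DC=com used in the previous demonstration; the three GUIDs are the identifiers the AD schema publishes for the right, the attribute and the class.

```powershell
# Added example (not part of the course): delegate "Reset user passwords and force
# password change at next logon" on the Employees OU to the Help Desk group with the
# ActiveDirectory module instead of the Delegation of Control Wizard.
# Assumptions: run as Pat.Coleman_Admin on NYC-DC1; the group's sAMAccountName is
# "Help Desk"; the OU path is the one used in the previous demonstration.
Import-Module ActiveDirectory

$ouDn  = "OU=Employees,OU=User Accounts,DC=contoso,DC=com"
$group = Get-ADGroup -Identity "Help Desk"

# Identifiers published in the AD schema (rightsGuid / schemaIDGUID), not invented here
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # control access right "Reset Password"
$pwdLastSetAttr     = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # attribute "pwdLastSet"
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # object class "user"

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rights      = [System.DirectoryServices.ActiveDirectoryRights]

$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: the Reset Password control access right, inherited only by user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $group.SID, $rights::ExtendedRight, $allow, $resetPasswordRight, $descendants, $userClass))

# ACE 2: read/write pwdLastSet, so the delegate can set "User must change password at next logon"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $group.SID, ($rights::ReadProperty -bor $rights::WriteProperty), $allow, $pwdLastSetAttr, $descendants, $userClass))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify what was written: only the ACEs for the Help Desk group, as the Security tab would show them
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\Help Desk" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Because the ACEs are scoped to descendant user objects, they do not appear as effective permissions on the OU itself, which is the point made in the lab review for this module.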

Additional Reading
Understand Effective Permissions
• The best way to manage delegation in Active Directory is through role-based access control.
Although this approach will not be covered on the certification exam, it is well worth understanding
for real-world implementation of delegation. See the Windows® Administration Resource Kit:
Productivity Solutions for IT Professionals by Dan Holme (Microsoft® Press, 2008) for more
information.

Design an OU Structure to Support Delegation


• See the Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan
Holme (Microsoft Press, 2008) for much more detail regarding OU design.

Lesson 2
Audit Active Directory Administration
Contents:
Detailed Demonstration Steps 121

Additional Reading 122



Detailed Demonstration Steps


Demonstration: Advanced Audit Policies
Detailed Demonstration Steps
To configure an advanced domain logon audit policy setting

1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.

2. Click Start, point to Administrative Tools, and then click Group Policy Management. Use the
account Pat.Coleman_Admin with the password Pa$$w0rd.

3. In the console tree, double-click Forest: contoso.com, double-click Domains, and then double-click
contoso.com.

4. Right-click Default Domain Policy, and then click Edit.


5. Double-click Computer Configuration, double-click Policies, and then double-click Windows
Settings.

6. Double-click Security Settings, double-click Advanced Audit Policy Configuration, and then
double-click Audit Policies.

7. Browse through the subcategories and show how to configure them. For example, open the Account
Logon subnode and show the four types of auditing that can be configured for Account Logon events.
Open each setting and show the Explain tab, which describes the setting.

8. Click Global Object Access Auditing.


9. Double-click File System, and then select the Define this policy setting check box. Click the
Configure button.

10. Click the Add button, add a user account of your choice, and then click OK.

11. In the Auditing Entry for Global File SACL dialog box, select the Successful and Failed check boxes
for the List folder/read data and Create files/write data options.

Note When you use Advanced Audit Policy Configuration settings, you need to confirm that these
settings are not overwritten by basic audit policy settings. The following procedure shows how to
prevent conflicts by blocking the application of any basic audit policy settings.

To ensure that Advanced Audit Policy Configuration settings are not overwritten:

1. Double-click Security Settings, open Local Policies, and then click Security Options.

2. Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override
audit policy category settings, and then click Define this policy setting.

3. Click Enabled, and then click OK.
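
The settings configured through the Group Policy Management Editor above can be inspected and set from the command line with Auditpol, the tool listed under Tools for this module. The script below is an added example for this companion content, not part of the course; it assumes an elevated PowerShell prompt on NYC-DC1. The registry value it reads, SCENoApplyLegacyAuditPolicy, is where the "Audit: Force audit policy subcategory settings" security option from the procedure above is stored.

```powershell
# Added example (not part of the course): inspect and set advanced audit policy
# subcategories with Auditpol.exe and confirm the "force subcategory settings" option
# that the procedure above enables. Run from an elevated PowerShell prompt on NYC-DC1.

# 1. Effective settings for the categories the demonstration walks through
auditpol /get /category:"Account Logon"
auditpol /get /category:"DS Access"

# 2. Enable both DS Access subcategories; Directory Service Changes is the one that
#    records the attribute and value of a change (see the lab review for this module)
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 3. Display the Global Object Access Auditing SACL for the file system set in step 11
auditpol /resourceSACL /view /type:File

# 4. The security option "Audit: Force audit policy subcategory settings (Windows
#    Vista or later) to override audit policy category settings" is stored as the
#    LSA registry value SCENoApplyLegacyAuditPolicy; 1 means subcategory settings win.
$lsaKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$force  = (Get-ItemProperty -Path $lsaKey -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($force -eq 1) {
    Write-Output "OK: advanced (subcategory) settings override basic category settings."
} else {
    Write-Output "WARNING: basic audit policy can still overwrite the advanced settings; enable the security option in the GPO."
}

# 5. Save the effective policy so it can be compared after the next Group Policy refresh
auditpol /backup /file:"$env:TEMP\auditpol-baseline.csv"
```

Settings made with auditpol /set are local and will be replaced at the next Group Policy refresh by whatever the GPO defines, so the backup in step 5 is useful for spotting drift between what was intended and what the domain actually applies.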



Additional Reading
Enable Audit Policy
• AD DS Auditing Step-by-Step Guide

Advanced Audit Policies


• Advanced Security Audit Policy Settings

Module Reviews and Takeaways


Review questions
Question: How does the Active Directory Users and Computers console indicate that you do
not have permissions to perform a particular administrative task?

Answer: The console has different ways of indicating that you do not have permissions to
perform a certain task. In some cases, the command that you cannot perform is trimmed
(hidden) by the Active Directory Users and Computers snap-in. For example, when you tested
whether Aaron Painter could create a new user in the Employees OU, the New menu was not
available. In other cases, the command appears but you receive an error message if you
attempt to perform it. For example, when Aaron Painter tried to disable Jeff Ford's account
or reset Pat Coleman's administrative account password, the command was executed but
returned an error message because Aaron's access was denied.

Question: What is the benefit of a two-tiered, role-based management group structure
when assigning permissions in Active Directory?

Note Role-based management is a detailed topic. There are other aspects of role-based
management such as discipline and auditing that are required to ensure that the members of
a group such as AD_UserAccounts_Support have the permissions they are supposed to have.
You also need to ensure that the members of this group have no other permissions, and that
no other users or groups have been delegated the same permissions.

Answer: There are several benefits. First, it allows you to change "who can do what" without
changing a single ACL in Active Directory. If another group or user needs to be able to reset
Employee passwords, simply add that group (or user) to the AD_UserAccounts_Support
group. Second, it makes it easier to report delegation. If you list the members (including
nested users) of AD_UserAccounts_Support, you instantly know who has permission to reset
passwords for users in the User Accounts OU. In other words, role-based management helps
overcome some of the difficulties that were identified with reporting.

Question: What is the main benefit of using new Advanced Audit Policies?

Answer: New Audit policies provide much more detailed control over auditing and
reporting, which enables administrators to narrow their search for specific information in
Security Logs. Also, new policies provide some additional possibilities for auditing such as
Global Object Access auditing, and also provide some additional information like in Reason
for Access auditing.

Common Issues related to Secure Administration


Issue: There is no un-delegate command or wizard after you finish delegation of control.
Troubleshooting tip: Use the DACL of the OU where you delegated administrative control to remove
the identities that you want to un-delegate.

Issue: Reason for Access auditing is not working.
Troubleshooting tip: Check whether you have enabled the Audit Handle Manipulation setting and that
you are running Windows 7 or Windows Server 2008 R2.

Best Practices Related to Secure Administration


• Use Delegation of Control Wizard to delegate administrative control instead of placing users in
built-in administrative groups.

• Use Advanced Audit Policies for better and more granular audit control.
• Avoid using the block inheritance option when configuring permissions.

Tools

Tool: Group Policy Management Console
Used for: Editing security policy
Where to find it: Administrative Tools

Tool: Delegation of Control Wizard
Used for: Delegating administrative control over an OU
Where to find it: Active Directory Users and Computers

Tool: Auditpol
Used for: Configuring auditing
Where to find it: Command-line utility

Windows Server 2008 R2 Features Introduced in this Module


Windows Server 2008 R2 feature: Advanced Audit Policies
Description: New settings in Group Policy objects for more detailed auditing of various system events

Windows Server 2008 R2 feature: Global Object Access Auditing
Description: Method to audit at the server level instead of at the object level

Windows Server 2008 R2 feature: Reason for access reporting
Description: New feature that allows administrators to see why someone was able to access a
resource that is being audited.

Lab Review Questions and Answers


Question: When you evaluated the effective permissions for April Meyer on the User
Accounts OU, why didn't you see permissions such as Reset Password in this list? Why did the
permission appear when you evaluated effective permissions for Aaron Painter on Aaron
Lee's user account?

Answer: The Effective Permissions list is showing the permissions that apply to the selected
object, which in the first case is an organizational unit. One cannot reset the password of an
organizational unit, so that permission is not available to be evaluated.
When you assign permissions to reset passwords on the OU, the permission does not actually
apply to the OU itself; rather it applies to descendent user objects within the OU. The OU is a
container, so permissions are available that specify what types of objects can be created in
the OU.

When you examined permissions on Aaron Lee's user account, the Reset permission
appeared because it is available for user accounts.

Question: Does Windows make it easy to answer the following questions:


• Who can reset user passwords?

• What can XXX do as an administrator?

Answer: Lead a discussion that addresses the difficulty of reporting delegation. The user
interfaces and command-line tools are neither detailed nor "administrator-friendly" enough
to be useful reporting tools.
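
One way to answer the first of those questions anyway is to walk the DACLs yourself. The following PowerShell script is an added example for this companion content, not part of the course or of any Windows tool; it lists every identity that holds the Reset Password control access right on the domain root or on any OU, whether granted directly or through a GenericAll / "all extended rights" ACE, and whether explicit or inherited. It assumes the ActiveDirectory module and the contoso.com domain used in the course, and it filters out the principals that hold the right by default so that only delegations remain.

```powershell
# Added example (not part of the course): answer "who can reset user passwords?"
# by walking the DACL of the domain root and every OU and listing the identities
# that hold the Reset Password control access right (directly or via a
# GenericAll / "all extended rights" ACE). Assumes the ActiveDirectory module and
# the contoso.com domain from the course; run as a user who can read the ACLs.
Import-Module ActiveDirectory

$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # schema rightsGuid "Reset Password"
$allObjects         = [Guid]::Empty                                   # ObjectType = all (GenericAll etc.)
$extendedRight      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Principals that hold the right by default; drop them to see delegations only
$defaultHolders = @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators", "BUILTIN\Account Operators")

$domainDn   = (Get-ADDomain).DistinguishedName
$containers = @($domainDn) + (Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn |
              ForEach-Object { $_.DistinguishedName })

$report = foreach ($dn in $containers) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }
        if ($ace.ObjectType -ne $resetPasswordRight -and $ace.ObjectType -ne $allObjects) { continue }
        if ($defaultHolders -contains $ace.IdentityReference.Value) { continue }

        New-Object PSObject -Property @{
            Container = $dn
            Identity  = $ace.IdentityReference.Value
            Right     = $(if ($ace.ObjectType -eq $resetPasswordRight) { 'Reset Password' } else { 'All extended rights' })
            Inherited = $ace.IsInherited
        }
    }
}

$report | Select-Object Container, Identity, Right, Inherited |
    Sort-Object Container, Identity | Format-Table -AutoSize
```

Rows marked "All extended rights" usually belong to Domain Admins and Enterprise Admins through their Full Control on the domain; anything else in that column, or any unexpected group under "Reset Password", is what a delegation review should follow up on.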
Question: What is the impact of resetting the ACL of an OU back to its schema-defined
default?

Answer: You don't necessarily know what permissions are applied to the OU unless you find
some way to do detail reporting. Moreover, you don't necessarily know why those
permissions were assigned to the OU or by whom. There may be good reasons for some
custom and explicit permissions, and removing them may cause something in your
environment to break. For example, when you install Microsoft Exchange Server, explicit
permissions are applied to certain Active Directory objects.

Question: What details are captured by Directory Services Changes auditing that are not
captured by Directory Service Access auditing?

Answer: Directory Services Changes auditing captures important details, including the
specific attribute that is changed and the change that was made.

Question: Which type of administrative activities would you want to audit by using Directory
Services Changes auditing?

Answer: Lead a discussion to elicit suggestions from students. Pose the question: Why not
audit all changes in Active Directory? Answer: The volume of event log entries would make
finding particularly important changes difficult. Guide students to an understanding that the
configuration of Directory Services auditing should be driven by the requirements of an
organization's IT Security policies and procedures.

Module 10
Improving the Security of Authentication in an AD DS
Domain
Contents:
Lesson 1: Configure Password and Lockout Policies 127

Lesson 3: Configure Read-Only Domain Controllers 132


Module Reviews and Takeaways 136

Lab Review Questions and Answers 138



Lesson 1
Configure Password and Lockout Policies
Contents:
Detailed Demonstration Steps 128

Additional Reading 131



Detailed Demonstration Steps


Demonstration: Configure Domain Account Policies
Detailed Demonstration Steps
1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.

2. Run Group Policy Management with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, expand Forest:contoso.com, Domains, and contoso.com.

4. Right-click Default Domain Policy underneath the domain, contoso.com and click Edit.

• You may be prompted with a reminder that you are changing the settings of a GPO. If so, click
OK.
• Group Policy Management Editor opens.

5. In the console tree, expand Computer Configuration, Policies, Windows Settings, Security Settings,
and Account Policies, and then click Password Policy.

6. Double-click the following policy settings in the console details pane and configure the settings as
indicated:
• Enforce password history: 20 passwords remembered

• Maximum password age: 90 Days

• Minimum password age: 7 days


• Minimum password length: 8 characters
• Password must meet complexity requirements: Enabled

7. Close the Group Policy Management Editor window.


8. Close the Group Policy Management window.

Demonstration: Configure Fine-Grained Password Policy

Detailed Demonstration Steps


1. Run Active Directory Users and Computers with administrative credentials, using the user name
Pat.Coleman_Admin and the password Pa$$w0rd, and verify that the current domain functional level is
Windows Server 2008.

2. Run ADSI Edit with administrative credentials, using the user name Pat.Coleman_Admin and the
password Pa$$w0rd.

3. Right-click ADSI Edit, and then click Connect To.

4. Accept all defaults. Click OK.

5. In the console tree, click Default Naming Context.


6. In the console tree, expand Default Naming Context, and then expand DC=contoso,DC=com, and
then click CN=System.

7. In the console tree, expand CN=System, and then click CN=Password Settings Container.

All PSOs are created and stored in the Password Settings Container (PSC).

8. Right-click CN=Password Settings Container, point to New, and then click Object.

The Create Object dialog box appears. It prompts you to select the type of object to create. There is
only one choice: msDS-PasswordSettings—the technical name for the object class referred to as a
PSO.

9. Click Next.

You are then prompted for the value for each attribute of a PSO. The attributes are similar to those
found in the domain account policies.

10. Configure each attribute as indicated below. Click Next after each attribute.

• cn: My Domain Admins PSO. This is the common name of the PSO.

• msDS-PasswordSettingsPrecedence: 1. This PSO has the highest possible precedence.

• msDS-PasswordReversibleEncryptionEnabled: False. The password is not stored using
reversible encryption.

• msDS-PasswordHistoryLength: 30. The user cannot reuse any of the last 30 passwords.

• msDS-PasswordComplexityEnabled: True. Password complexity rules are enforced.

• msDS-MinimumPasswordLength: 15. Passwords must be at least 15 characters long.

• msDS-MinimumPasswordAge: 1:00:00:00. A user cannot change his or her password within
one day of a previous change. The format is d:hh:mm:ss (days, hours, minutes, seconds).

• msDS-MaximumPasswordAge: 45:00:00:00. The password must be changed every 45 days.

• msDS-LockoutThreshold: 5. Five invalid logons within the time frame specified by XXX (the next
attribute) will result in account lockout.

• msDS-LockoutObservationWindow: 0:01:00:00. Five invalid logons (specified by the previous
attribute) within one hour will result in account lockout.

• msDS-LockoutDuration: 1:00:00:00. An account, if locked out, will remain locked for one day, or
until it is unlocked manually. A value of zero will result in the account remaining locked out until
an administrator unlocks it.

11. Click Finish and close ADSI Edit.

12. Run Active Directory Users and Computers as before, and in the console tree, expand the System
container.

If you do not see the System container, then click the View menu of the MMC console, and ensure
that Advanced Features is selected.

13. In the console tree, click the Password Settings Container.

14. Right-click My Domain Admins PSO, click Properties and then click the Attribute Editor tab.

15. In the Attributes list, select msDS-PSOAppliesTo, and then click Edit.
The Multi-valued Distinguished Name With Security Principal Editor dialog box appears.

16. Click Add Windows Account.

The Select Users, Computers, or Groups dialog box appears.



17. Type Domain Admins, and then press Enter.

18. Click OK twice to close the open dialog boxes.

19. In the console tree, expand the contoso.com domain and the Admins OU, and then click the Admin
Identities OU.

20. Right-click Pat Coleman (Administrator) and click Properties.

21. Click the Attribute Editor tab.


22. Click the Filter button, and click the Constructed option, so that it is selected.

23. Open the value of the msDS-ResultantPSO attribute.
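
The same PSO can be created and linked with the ActiveDirectory module rather than with ADSI Edit. The script below is an added example for this companion content, not part of the course; it uses the names and values from the steps above and assumes Windows Server 2008 R2's ActiveDirectory module with the domain functional level at Windows Server 2008 or higher. Note that the module takes TimeSpan values in d.hh:mm:ss form, whereas ADSI Edit expects d:hh:mm:ss.

```powershell
# Added example (not part of the course): create the demonstration's PSO with the
# ActiveDirectory module instead of ADSI Edit, link it to Domain Admins, and check the
# resultant PSO for an account. Values and names are the ones used in the steps
# above; the domain functional level must be Windows Server 2008 or higher.
# Note the TimeSpan format here is d.hh:mm:ss, whereas ADSI Edit expects d:hh:mm:ss.
Import-Module ActiveDirectory

New-ADFineGrainedPasswordPolicy -Name "My Domain Admins PSO" `
    -Precedence 1 `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 30 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -MinPasswordAge "1.00:00:00" `
    -MaxPasswordAge "45.00:00:00" `
    -LockoutThreshold 5 `
    -LockoutObservationWindow "0.01:00:00" `
    -LockoutDuration "1.00:00:00"

# Populate msDS-PSOAppliesTo (steps 15 to 17): PSOs apply only to users and global groups
Add-ADFineGrainedPasswordPolicySubject -Identity "My Domain Admins PSO" -Subjects "Domain Admins"

# Read the object back from CN=Password Settings Container
Get-ADFineGrainedPasswordPolicy -Identity "My Domain Admins PSO" -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount, LockoutThreshold, AppliesTo

# Which PSO wins for a given user (step 23, msDS-ResultantPSO)? Group nesting and
# precedence are resolved by the DC; no output means the Default Domain Policy applies.
Get-ADUserResultantPasswordPolicy -Identity Pat.Coleman_Admin
```

Get-ADUserResultantPasswordPolicy is the scripted equivalent of reading the constructed msDS-ResultantPSO attribute in step 23 and is the quickest way to confirm that a member of a nested group actually receives the PSO you intended.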



Additional Reading
Configure the Domain Password and Lockout Policy
• Windows Server 2003 Security Guide Chapter 3: The Domain Policy:

Fine-Grained Password and Lockout Policy


• AD DS: Fine-Grained Password Policies:

Demonstration: Configure Fine-Grained Password Policy


• AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide:

Lesson 3
Configure Read-Only Domain Controllers
Contents:
Detailed Demonstration Steps 133

Additional Reading 135



Detailed Demonstration Steps


Demonstration: Configure a Password Replication Policy
Detailed Demonstration Steps
Provision a Read-Only Domain Controller Account and delegate permissions

Note Before performing this demonstration, if the Domain Controller object for BRANCHDC01 does
not yet exist, pre-create it on NYC-DC1 using these steps:

1. Run Active Directory Users and Computers with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.

2. In the console tree, expand the contoso.com domain, and then click the Domain Controllers OU.

3. Right-click Domain Controllers and click Pre-create Read-only Domain Controller Account. The
Active Directory Domain Services Installation Wizard appears.
4. Click Next.

5. On the Operating System Compatibility page, click Next.


6. On the Network Credentials page, click Next.
7. On the Specify the Computer Name page, type BRANCHDC01, and then click Next.

8. On the Select a Site page, click Next.


9. On the Additional Domain Controller Options page, click Next.
Note that the Read-only domain controller option is selected and cannot be cleared. That is
because, of course, you launched the wizard by choosing to pre-create a read-only domain controller
account.
10. On the Delegation of RODC Installation and Administration page, click the Set button.
The Select User or Computer dialog box appears.
11. Type Aaron.Painter_Admin, and then press Enter.

12. Click Next.

13. Review your selections on the Summary page, and then click Next.

14. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
Configure a password replication policy

1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.

2. Run Active Directory Users and Computers with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.

3. In the console tree, click the Domain Controllers OU.

4. Right-click BRANCHDC01 and click Properties.

5. Click the Password Replication Policy tab and view the default policy.

6. Click Cancel to close the BRANCHDC01 properties.

7. In the Active Directory Users and Computers console tree, click the Users container.

8. Double-click Allowed RODC Password Replication Group.

9. Click the Members tab.

10. Examine the default membership of Allowed RODC Password Replication Group.

11. Click OK.

12. Double-click Denied RODC Password Replication Group.

13. Click the Members tab.

14. Click Cancel to close the Denied RODC Password Replication Group properties.

Demonstration: Administer RODC Credentials Caching

Detailed Demonstration Steps


1. In the Active Directory Users and Computers console tree, click the Domain Controllers OU.
2. In the details pane, right-click BRANCHDC01, and then click Properties.

3. Click the Password Replication Policy tab.

4. Click Advanced. The Advanced Password Replication Policy for BRANCHDC01 dialog box
appears. The Policy Usage tab displays Accounts whose passwords are stored on this Read-Only
Domain Controller.

5. From the drop-down list, select Accounts Whose Passwords Are Stored On This Read-Only
Domain Controller.
6. From the drop-down list, select Accounts that have been authenticated to this Read-only
Domain Controller.

7. Click the Resultant Policy tab, and then click Add. The Select Users or Computers dialog box
appears.

8. Type Chris.Gallagher, and then press Enter.


9. Click the Policy Usage tab.

10. Click Prepopulate Passwords. The Select Users or Computers dialog box appears.

11. Type the name of the account you want to prepopulate (for example, type Chris.Gallagher), and then
click OK.

12. Click Yes to confirm that you want to send the credentials to the RODC. The following message
typically appears: Passwords for all accounts were successfully prepopulated. Note that in this
demonstration BRANCHDC01 is not running, so an error is observed instead. Click OK.

13. Click Close.
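
The password replication policy and credential caching shown in the two demonstrations above can also be administered from NYC-DC1 with the ActiveDirectory module. The script below is an added example for this companion content, not part of the course; the server and account names are the ones used in the demonstrations, and the "Branch Office Computers" global group suggested in this module's lab review is assumed to exist already.

```powershell
# Added example (not part of the course): administer BRANCHDC01's password
# replication policy from NYC-DC1 with the ActiveDirectory module. Server and
# account names are from the course; the "Branch Office Computers" global group
# from the lab review is assumed to exist already.
Import-Module ActiveDirectory

$rodc = "BRANCHDC01"

# 1. Default policy: the Allowed RODC Password Replication Group on the Allow list; on
#    the Deny list, built-in groups such as Administrators plus the Denied RODC Password
#    Replication Group (which contains Domain Admins, krbtgt and other sensitive accounts)
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# 2. Add the branch computers' group to the Allow list, so branch workstations can
#    authenticate against the RODC when the WAN link is down
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList "Branch Office Computers"

# 3. Prepopulate one account's secrets, as the Prepopulate Passwords button does.
#    This replicates password data from the writable DC to the RODC and fails if
#    BRANCHDC01 is offline, which is the error observed in the demonstration.
Sync-ADObject -Object (Get-ADUser -Identity Chris.Gallagher) -Source "NYC-DC1" -Destination $rodc -PasswordOnly

# 4. Accounts whose secrets are now stored on the RODC: this is the exposure list
#    if the branch server is physically compromised
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# 5. Accounts that have authenticated through this RODC, for tuning the Allow list
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

Step 4 is the list to review when deciding how much to prepopulate: every account it shows is one whose secret would be at risk if the RODC were stolen, which is the trade-off discussed in the Module Reviews and Takeaways for this module.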



Additional Reading
Installing an RODC
• For details regarding other options for installing an RODC, including delegated installation see

Administrative Role Separation


• RODCs are a valuable new feature for improving authentication and security in branch offices. Be sure
to read the detailed documentation on the Microsoft Web site at

Module Reviews and Takeaways


Review Questions
Question: In your organization, a number of users deal with confidential files on a regular
basis. You need to ensure that all these users have strict account policies enforced. The user
accounts are scattered across multiple OUs. How would you accomplish this with the least
administrative effort?

Answer: Create a shadow global group and place all the appropriate users into that group.
Then create and assign a PSO to the group.
Question: Where should you define the default password and account lockout policies for
user accounts in the domain?

Answer: Configure the baseline password and account lockout policies in the Default
Domain Policy GPO.

Question: What would be the disadvantage of auditing all successful and failed logons on all
machines in your domain?
Answer: Such an audit policy would generate a tremendous amount of audit entries across
every machine in your domain. Managing the security event logs and locating the events
that indicate potential problems would be very difficult. It is best to align your audit policy
with specific, narrowly-targeted auditing goals and requirements of your organization.

Question: What are the advantages and disadvantages of prepopulating the credentials for
all users and computers in a branch office to that branch's RODC?
Answer: There is no clear-cut answer to this question. Use it to review the strategic role of an
RODC. By prepopulating the credentials of users and computers in the branch RODC cache,
you ensure that authentication performance is maximized (on the first logon—after that, the
credential would have been cached because the users are on the Allow list anyway); and you
ensure that, if the WAN link is unavailable on the first logon, users can authenticate. The
disadvantage is that, should there be a breach of physical security on the RODC, those
credentials are exposed even if the users have not yet logged on in the branch.

Common Issues Related to Authentication in Active Directory


Issue: The user is not forced to change the password even if that setting is configured in the
Default Domain Policy.
Troubleshooting tip: Check the user account properties in Active Directory Users and Computers.
The Password never expires option might be enabled for that specific user.

Issue: A user or group does not have the right PSO applied.
Troubleshooting tip: Check if you have created multiple PSOs and linked them to the same user or
group. If that is the case, check the Precedence value.

Issue: You cannot deploy an RODC.
Troubleshooting tip: Check if you have at least one Windows Server 2008 or Windows Server 2008 R2
domain controller. Check if the domain functional level is Windows Server 2003.

Real World Issues and Scenarios


Question: You must ensure that all users change their password every 30 days. Company
procedures specify that if a user's password will expire while the user is out of the office, the user
may change the password prior to departure. You must account for a user who is out of the
office for up to two weeks. Additionally, you must ensure that a user cannot reuse a password
within a one-year time period. How would you configure account policies to accomplish this?

Answer: One possible solution is to define minimum password age to the value of two weeks,
enforce password change every 30 days, and to set password history to remember 24 last
passwords.

• Max password age: 30 days

• Min password age: 16 days (answers between 14 and 17 are acceptable) to account for a user who
leaves the office exactly two weeks before the password expires, and wants to change the password

• Enforce password history: 22 (answers between 21 and 27 are acceptable) to account for the
possibility that a user might change the password every Min password age (14-17 days) for the entire
year. Password history must be (365 days per year/Min password age)

Best Practices Related to Authentication in an AD DS Domain


• Use Default Domain Policy GPO to specify general password and account lockout policies that will
apply for most users.

• Use fine-grained password policy to specify password and account lockout policies for specific users
and groups with administrative privileges.

• Do not enable all options for auditing because you will have many security logs, which will be hard to
search. Use advanced audit logging to have more granular control.
• Deploy RODCs in sites where physical security is an issue.

Tools
Tool: Group Policy Management console
Used for: Editing and managing Group Policy objects
Where to find it: Administrative Tools

Tool: ADSI Edit
Used for: Creating Password Settings Objects
Where to find it: Administrative Tools

Tool: Dcpromo
Used for: Creating and managing domain controllers
Where to find it: Command-line utility

Windows Server 2008 R2 Features Introduced in this Module


Feature: Advanced Audit Policies
Description: New settings in Group Policy objects for more detailed auditing of various system events

Lab Review Questions and Answers


Question: What are the best practices for managing PSOs in a domain?

Answer: Each PSO must fully define the appropriate password and account lockout policies,
because PSOs do not "merge." Link PSOs to global groups, and not to individual user
accounts. Ensure that each PSO has a unique precedence value.
Question: How can you define a unique password policy for all the service accounts in the
Service Accounts OU?

Answer: PSOs cannot be linked to an OU. You must create a global group that contains the
accounts that are in the Service Accounts OU. You can then link a PSO to that group.

Question: You have been asked to audit attempts to log on to desktops and laptops in the
Finance division by using local accounts such as Administrator. What type of audit policy do
you set, and in what GPO(s)?
Answer: You will need to enable auditing for successful and failed account logon events.
However, the accounts you are interested in are local accounts, which are authenticated by
the local security authority on each desktop and laptop. Therefore, you will need to enable
auditing in a GPO that is scoped to apply to the desktops and laptops in the Finance division.
The settings do not need to be scoped to domain controllers.

Question: Why should you ensure that the password replication policy for a branch office
RODC has, in its Allow list, the accounts for the computers in the branch office as well as the
users?
Answer: Computers must authenticate to the domain as well as users, so the logic is the
same as with users: you want to improve authentication performance over the WAN and
ensure that authentication can continue even if the WAN link is unavailable.

Question: What would be the most manageable way to ensure that computers in a branch
are in the Allow list of the RODC's password replication policy?

Answer: Create a group for computers, for example Branch Office Computers.

Module 11
Configuring Domain Name System
Contents:
Lesson 2: Integration of AD DS, DNS, and Windows 140
Lesson 3: Advanced DNS Configuration and Administration 143
Module Review and Takeaways 145
Lab Review Questions and Answers 147

Lesson 2
Integration of AD DS, DNS, and Windows
Contents:
Detailed Demonstration Steps 141

Detailed Demonstration Steps

Demonstration: SRV Resource Records Registered by AD DS Domain Controllers

Detailed Demonstration Steps

If the virtual machines are not already started, perform these steps.

1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.

2. Open D:\Labfiles\Lab11b.

3. Run Lab11b_Setup.bat with administrative credentials. Use the account Pat.Coleman_Admin with
the password Pa$$w0rd. The lab setup script runs. When it is complete, press any key to continue.

4. Close the Windows Explorer window, Lab11b.

5. Start 6425C-NYC-DC2.

6. Log on to NYC-DC2 as Pat.Coleman with the password Pa$$w0rd.

7. Start 6425C-BRANCHDC02. Do not log on. Wait for BRANCHDC02 to complete startup before
continuing.
When all the virtual machines are ready, perform the following steps.

1. On 6425C-NYC-DC1, run DNS Manager with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.

2. In the console tree, expand NYC-DC1, Forward Lookup Zones, and contoso.com, and then click the
_tcp node. Examine the SRV records.

3. In the console tree, expand NYC-DC1, Forward Lookup Zones, contoso.com, _sites, and
Default-First-Site-Name, and then click the _tcp node. Examine the SRV records.

4. Run Command Prompt with administrative credentials. Use the account Pat.Coleman_Admin with
the password Pa$$w0rd.

5. Type nslookup, and then press Enter.

6. Type set type=srv, and then press Enter.

7. Type _ldap._tcp.contoso.com, and then press Enter. Type exit, and then press Enter.

8. Switch to DNS Manager.

9. In the console tree, expand NYC-DC1, Forward Lookup Zones, and contoso.com, and then click the
_tcp node.

10. Right-click the SRV records for NYC-DC1.contoso.com, and then click Delete.

11. Switch to Command Prompt.

12. Type net stop netlogon, and then press Enter.

13. Type net start netlogon, and then press Enter.

14. Switch to DNS Manager.

15. In the console tree, right-click the _tcp node, and then click Refresh. Examine the SRV records for
NYC-DC1.contoso.com.

16. Click Start, and in the Start Search box, type notepad.exe.

Note: Run Notepad with administrative credentials so that you can open the netlogon.dns file in the
next step.

17. Click File, click Open, type %systemroot%\system32\config\netlogon.dns in the File Name box,
and then press Enter.

18. Examine the default SRV records.
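An added example, not part of the course, that ties the netlogon.dns file from step 17 to the nslookup check from steps 5 to 7: it parses the SRV records the domain controller registers and reports any that DNS does not actually return, which is what a client would see after the records were deleted in step 10 and before Netlogon re-registered them. The sample lines are constructed in the netlogon.dns format; the live check assumes it runs on the DC and that the DC hosts the zone (DNS server 127.0.0.1).

```powershell
# Added example (not from the course): parse the SRV records a domain controller
# writes to %systemroot%\system32\config\netlogon.dns and verify with nslookup
# that each one is registered in DNS. A missing record means the DC locator
# will not hand this DC out for that service or site.

function Get-NetlogonSrvRecord {
    param([string[]]$Lines)
    # netlogon.dns lines look like:
    # _ldap._tcp.contoso.com. 600 IN SRV 0 100 389 NYC-DC1.contoso.com.
    $pattern = '^(?<name>\S+)\.\s+(?<ttl>\d+)\s+IN\s+SRV\s+(?<pri>\d+)\s+(?<weight>\d+)\s+(?<port>\d+)\s+(?<target>\S+?)\.?\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Name     = $matches['name']
                Priority = [int]$matches['pri']
                Weight   = [int]$matches['weight']
                Port     = [int]$matches['port']
                Target   = $matches['target']
            }
        }
    }
}

function Test-NetlogonSrvRecord {
    param($Record, [string]$DnsServer = '127.0.0.1')
    # Windows nslookup prints one "svr hostname = <target>" line per SRV answer.
    $out = & nslookup -type=srv $Record.Name $DnsServer 2>$null | Out-String
    $targets = [regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') |
        ForEach-Object { $_.Groups[1].Value.TrimEnd('.').ToLower() }
    $registered = $targets -contains $Record.Target.TrimEnd('.').ToLower()
    New-Object PSObject -Property @{
        Name = $Record.Name; Port = $Record.Port; Target = $Record.Target; Registered = $registered
    }
}

# Constructed sample in the netlogon.dns format (two of the records NYC-DC1 would register).
$sample = @(
    '_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 NYC-DC1.contoso.com.',
    '_kerberos._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 88 NYC-DC1.contoso.com.'
)
Get-NetlogonSrvRecord -Lines $sample | Format-Table Name, Port, Target -AutoSize

# On the DC itself: read the live file and list the records the local DNS server does not return.
$path = Join-Path $env:SystemRoot 'system32\config\netlogon.dns'
if (Test-Path $path) {
    Get-NetlogonSrvRecord -Lines (Get-Content $path) |
        ForEach-Object { Test-NetlogonSrvRecord -Record $_ } |
        Where-Object { -not $_.Registered } |
        Format-Table Name, Port, Target -AutoSize
}
```

Running the live check between steps 10 and 13 shows the deleted NYC-DC1 records as unregistered; after net start netlogon and a short wait the list is empty again.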



Lesson 3
Advanced DNS Configuration and Administration
Contents:
Additional Reading 144

Additional Reading
Resolving Single-Label Names
• Providing Single-Label DNS Name Resolution

• Deploying the GlobalNames Zone



Module Review and Takeaways

Review Questions

Question: You are conducting a presentation for a potential client about the advantages of
using Windows Server 2008 R2. What are the new features that you would point out when
discussing the Windows Server 2008 R2 DNS server role?

Answer: You would point out DNS Security Extensions, DNS Devolution, DNS Cache Locking,
and DNS Socket Pool.

Question: You are deploying DNS servers into an Active Directory domain, and your
customer requires that the infrastructure is resistant to single points of failure. What must
you consider while planning the DNS configuration?

Question: You must automate a DNS server configuration process so that you can automate
the deployment of Windows Server 2008. Which DNS tool can you use to do this?

Answer: You can use dnscmd.exe.

Common Issues Related to DNS

Issue: Client can sometimes cache invalid DNS records
Troubleshooting tip: Clear the DNS cache.

Issue: Zone transfer is not working
Troubleshooting tip: Ensure that the server trying to transfer the zone is permitted in the primary zone
configuration. Ensure that a firewall or other port-management device that resides between the two DNS
servers is not blocking port 53 UDP.

Issue: DNS server performs slowly
Troubleshooting tip: Use Performance Monitor to identify the load on the server that DNS requests
generate. It may be necessary to split the load or create additional subzones.

Real-World Issues and Scenarios

• DNS and Active Directory trusts

When you create trusts between two Active Directory domains, the ability of domain A to look up
records in domain B (and vice versa) depends on the configuration of the DNS infrastructure. Active
Directory domains are rarely accessible from the Internet, so you need conditional forwarders,
stub zones, or secondary zones to make each domain's or forest's DNS namespace resolvable from the
other.

• Secure zones against zone dumping

By default, zone transfers are disabled in Windows Server 2008. When you configure zone transfers, it is
a best practice to specify the IP addresses of the servers to which you want to transfer zone data. Do
not select Allow zone transfers to any server, especially if the server is reachable from the Internet. With
this option enabled, anyone can dump the entire zone, which gives a potential attacker a significant
amount of information about the network.

Best Practices Related to DNS

• If you are using Active Directory, use directory-integrated storage for your DNS zones. This offers
increased security, fault tolerance, and simplified deployment and management.

• Disable recursion on servers that do not answer client queries or communicate by using forwarders.
Because DNS servers communicate among themselves by using iterative queries, this ensures that the
server responds only to queries that are intended for it.

• Consider using secondary zones to off-load DNS query traffic wherever appropriate.

• Enter the correct email address of the responsible person for each zone you add to, or manage on, a
DNS server. Applications use this field to notify DNS administrators for a variety of reasons; query
errors, incorrect data returned in a query, and security problems are a few examples. Although most
Internet email addresses contain the "@" symbol to represent the word "at", this symbol must be
replaced with a period (.) when you enter an email address in this field. For example, instead of
"administrator@microsoft.com" you would use "administrator.microsoft.com."
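The zone transfer and recursion points above ("Secure zones against zone dumping" and the first two best practices), as an added PowerShell example for a Windows Server 2008 R2 DNS server; it is not part of the course. It reads the current settings through the MicrosoftDNS WMI provider and applies the hardened values with dnscmd. The server name NYC-DC1, the zone contoso.com and the secondary address 10.0.0.12 are assumed lab values.

```powershell
# Added example (not from the course): audit the zone transfer and recursion
# settings described above, then apply the hardened values with dnscmd.
# Run on the DNS server with administrative rights.
# Assumed lab values: server NYC-DC1, zone contoso.com, secondary 10.0.0.12.

function Get-DnsZoneTransferExposure {
    param([string]$ComputerName = '.')
    # SecureSecondaries in the MicrosoftDNS WMI provider:
    # 0 = any server may transfer (the "Allow zone transfers to any server" option),
    # 1 = only servers in the zone's NS records, 2 = only the SecondaryServers list,
    # 3 = zone transfers disabled.
    $meaning = @{ 0 = 'ANY SERVER (zone can be dumped)'; 1 = 'NS records only';
                  2 = 'Listed secondaries only';         3 = 'Transfers disabled' }
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftDNS' `
                  -Class MicrosoftDNS_Zone |
        ForEach-Object {
            New-Object PSObject -Property @{
                Zone         = $_.Name
                DsIntegrated = $_.DsIntegrated
                Transfers    = $meaning[[int]$_.SecureSecondaries]
                Secondaries  = ($_.SecondaryServers -join ', ')
            }
        }
}

function Get-DnsRecursionState {
    param([string]$ComputerName = '.')
    # NoRecursion = True means the server answers only for the zones it hosts.
    $srv = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftDNS' `
                         -Class MicrosoftDNS_Server
    New-Object PSObject -Property @{ Server = $srv.Name; NoRecursion = $srv.NoRecursion }
}

$server = 'NYC-DC1'
$zone   = 'contoso.com'

# Before: any zone reported as "ANY SERVER" can be dumped by whoever can reach port 53.
Get-DnsZoneTransferExposure -ComputerName $server |
    Format-Table Zone, DsIntegrated, Transfers, Secondaries -AutoSize

# Weak setting, shown only for contrast (equivalent to "Allow zone transfers: To any server"):
#   dnscmd $server /ZoneResetSecondaries $zone /NonSecure

# Hardened: only the named secondary may pull the zone, and only it is notified of changes.
dnscmd $server /ZoneResetSecondaries $zone /SecureList 10.0.0.12 /NotifyList 10.0.0.12

# An AD-integrated zone with no secondaries can refuse transfers altogether:
#   dnscmd $server /ZoneResetSecondaries $zone /NoXfr

# A server that neither serves clients nor forwards should not recurse for anyone.
dnscmd $server /Config /NoRecursion 1

# After: confirm the change took effect.
Get-DnsZoneTransferExposure -ComputerName $server | Where-Object { $_.Zone -eq $zone }
Get-DnsRecursionState -ComputerName $server
```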

Tools

Tool: DNS Management Console
Used for: DNS administration and management
Where to find it: Administrative Tools

Tool: Nslookup
Used for: Query testing of the DNS domain namespace
Where to find it: Command-line utility

Tool: Dnscmd
Used for: Managing DNS servers from the command line. This utility is useful in scripting batch files to
help automate routine DNS management tasks or to perform simple unattended setup and configuration
of new DNS servers on your network.
Where to find it: Command-line utility

Tool: Ipconfig
Used for: Viewing and modifying the IP configuration details that the computer uses. This utility includes
additional command-line options to help in troubleshooting and supporting DNS clients.
Where to find it: Command-line utility

Tool: DNSLint
Used for: Running several automated tests to verify that DNS servers and resource records are
configured properly and point to valid services.
Where to find it: Command-line utility; you can download it from Microsoft at
http://go.microsoft.com/fwlink/?LinkID=214201

Windows Server 2008 R2 Features Introduced in This Module

Feature: DNS Enhancements in Windows Server 2008 R2
Description: New features in DNS that allow administrators to configure digital signing of DNS
responses, cache locking, devolution, and socket pooling.

Lab Review Questions and Answers

Question: If you did not configure forwarders on NYC-DC2, what would be the result for
clients that use NYC-DC2 as their primary DNS server?

Answer: They cannot resolve names other than those in the contoso.com domain (zone).

Question: What would happen to clients' ability to resolve names in the
development.contoso.com domain if you had chosen a stand-alone DNS zone, rather than
an Active Directory–integrated zone? Why would this happen? What should you do to solve
this problem?

Answer: Clients that query the other DNS server would be unable to resolve names in the
zone, because that server would not receive a replica of the zone. This could be solved by
making the zone Active Directory–integrated, by hosting a secondary zone on the other DNS
server, or by creating a stub zone that refers queries to the server hosting the
development.contoso.com zone.

Question: In this lab, you used a stub zone and a conditional forwarder to provide name
resolution between two distinct domains. What other options could you have used?

Answer: You could create a secondary zone in each domain that hosts a copy of the zone
from the other. If the domains have delegations in the top-level .com domain, you could use
root hints and standard DNS recursive queries to get them to resolve names in each other's
domains.

Module 12
Administering AD DS Domain Controllers
Contents:
Lesson 1: Domain Controller Installation Options 149
Lesson 2: Install a Server Core Domain Controller 151
Module Review and Takeaways 153
Lab Review Questions and Answers 155


Lesson 1
Domain Controller Installation Options
Contents:
Additional Reading 150

Additional Reading

Unattended Installation Options and Answer Files
• For a complete reference of dcpromo parameters and unattended installation options, see

Prepare an Existing Domain for Windows Server 2008 Domain Controllers
• Running Adprep.exe

• ADPrep

• Windows Server 2008: Appendix of Changes to Adprep.exe to Support AD DS

Remove a Domain Controller
• For detailed steps for removing a domain controller, see

• See article 216498 in the Microsoft Knowledge Base for information about performing metadata
cleanup. The article is located at

Lesson 2
Install a Server Core Domain Controller
Contents:
Additional Reading 152

Additional Reading

Understand Server Core
• Server Core Installation Option

• What's New in the Server Core Installation Option

Server Core Configuration Commands
• Appendix of Unattended Installation Parameters

Module Review and Takeaways

Review Questions

Question: In which scenario will you have the option to choose the domain and forest functional
level during the dcpromo wizard?

Answer: This option is available only during the installation of the first domain controller in a
domain or forest.

Question: How can you easily prepare an unattended file for domain controller installation?

Answer: Run dcpromo.exe on a full installation of Windows Server 2008 or Windows Server 2008 R2,
and export the configured settings at the end of the wizard.

Question: How can you tell that the RID master is not working?

Answer: If the RID master fails, you will eventually be prevented from creating new security
principals. For example, you will not be able to create new user objects. However, this might
not happen immediately: domain controllers contact the RID master only after they have used
up all the SIDs from their last allocation.

Question: If you seize an operations master role, can you bring the original operations master
back online?

Answer: Only if the failed domain controller was the PDC emulator or infrastructure master.
Schema, domain naming, and RID master role holders cannot be brought back online if the
role was seized while the domain controller was offline. Instead, the failed domain controller
must be demoted or, preferably, reinstalled entirely while offline. After the server is back
online, it can be re-promoted to a domain controller and, at that time, the operations master
role can be transferred gracefully to it.

Common Issues Related to Administering AD DS Domain Controllers

Issue: Cannot raise the domain or forest functional level
Troubleshooting tip: Check that all domain controllers are running a version of the operating system
that matches the desired domain functional level. For the forest functional level, check that all domains
are running the functional level that the desired forest functional level requires.

Issue: You cannot transfer one or more operations master roles
Troubleshooting tip: Check whether the current role master is online. If it is not, you must seize the
role instead of transferring it.

Issue: You cannot install a role or feature on Server Core
Troubleshooting tip: Check whether the role that you want to install is supported on Server Core,
which supports only a limited number of roles and features.

Issue: You cannot add an additional domain controller to the current AD DS infrastructure
Troubleshooting tip:
• Check whether at least one domain controller is available
• Check DNS functionality
• Check IP settings

Best Practices Related to Administering AD DS Domain Controllers

• Always install at least two domain controllers per domain to achieve high availability.

• Use Server Core domain controllers for role-centric servers, to maintain higher security and easier
management.

• Distribute the operations master roles across several servers. Be sure to co-locate compatible roles.

• Use DFS-R for SYSVOL replication.

Tools

Tool: Active Directory Users and Computers
Used for:
• Managing operations masters
• Managing the domain functional level
• Creating and managing AD objects
Where to find it: Administrative Tools

Tool: Active Directory Domains and Trusts
Used for:
• Managing the domain and forest functional levels
• Trust management
Where to find it: Administrative Tools

Tool: Dcpromo.exe
Used for: Installation and configuration of Active Directory Domain Services
Where to find it: You can run it manually

Tool: Server Manager
Used for: AD DS role installation
Where to find it: Administrative Tools

Tool: Active Directory Schema Management
Used for: Managing the schema master role
Where to find it: Must be added as a separate snap-in

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature: New Server Core roles and features
Description: In Windows Server 2008 R2, new roles and features are provided for the Server Core
installation

Lab Review Questions and Answers

Question: Why would you choose to use an answer file or a dcpromo.exe command line to
install a domain controller rather than the Active Directory Domain Services Installation
Wizard?

Answer: Automation of installation; consistency (always using the same options in a script,
rather than hoping that an administrator chooses the correct options); documentation (the
script "documents" how the domain controller was installed); and Server Core installation.

Question: In which situations does it make sense to create a domain controller by using
installation media?

Answer: When replication of Active Directory to the new domain controller would be
problematic from a performance or network-impact perspective.

Question: Did you find the configuration of Server Core to be particularly difficult?

Answer: Answers will vary; some administrators may find it difficult to perform the initial
configuration by using only command-line utilities.

Question: What are the advantages of using Server Core for domain controllers?

Answer: Reduced system requirements and a reduced attack surface (less exposure to
vulnerabilities), and therefore increased security.

Question: If you transfer all roles before taking a domain controller offline, is it okay to bring
the domain controller back online?

Answer: Yes.

Question: When you enable the global catalog, what actually happens on that domain
controller?

Answer: The domain controller that is designated as a global catalog, in addition to its full,
writable replica of its own domain directory partition, also starts to store a partial, read-only
replica of all other domain directory partitions in the forest.

Question: At which level would you enable Universal Group Membership Caching?

Answer: It is enabled at the site level.

Question: What would you expect to be different between two enterprises, one which
created its domain initially with Windows Server 2008 domain controllers, and one that
migrated to Windows Server 2008 from Windows Server 2003?

Answer: In a domain that was created with Windows Server 2008 in the first place, the
SYSVOL share will refer to a folder named SYSVOL that is replicated with DFS-R. In a domain
that was created with domain controllers prior to Windows Server 2008, SYSVOL will be
replicated with FRS until it has been migrated. After that point, the SYSVOL share will refer to
a folder named SYSVOL_DFSR.

Question: What must you be aware of while migrating from the Prepared to the Redirected
state?

Answer: While migrating from the Prepared to the Redirected state, any changes made to
SYSVOL must be manually duplicated in SYSVOL_DFSR.

Module 13
Managing Sites and Active Directory® Replication
Contents:
Lesson 1: Configure Sites and Subnets 157
Lesson 2: Configure Replication 159
Module Review and Takeaways 161
Lab Review Questions and Answers 163

Lesson 1
Configure Sites and Subnets
Contents:
Additional Reading 158

Additional Reading
How Client Locates Domain Controller
• For more information about domain controller location, see

Lesson 2
Configure Replication
Contents:
Additional Reading 160

Additional Reading
Bridgehead Servers
• Bridge Server Selection

Module Review and Takeaways

Review Questions

Question: Why is it important that all subnets are identified and associated with a site in a
multisite enterprise?

Answer: The process of locating domain controllers and other services can be made more
efficient by referring clients to the correct site, based on the client's IP address and the
definition of subnets. If a client has an IP address that does not belong to a site, the client will
query for all DCs in the domain, which is not at all efficient. In fact, a single client can be
performing actions against domain controllers in different sites, which (if those changes have
not replicated yet) can lead to very strange results. It is very important that each client
knows what site it is in, and that is achieved by ensuring that DCs can identify what site a
client is in.

Question: What are the advantages and disadvantages of reducing the intersite replication
interval?

Answer: Convergence is improved: changes made in one site are replicated more quickly to
other sites. There are actually few, if any, disadvantages. If you consider that the same
changes must replicate whether they wait 15 minutes or 3 hours to replicate, it is really a
matter of the timing of replication rather than the quantity of replication. However, in some
extreme situations, it is possible that allowing a smaller number of changes to happen more
frequently might be less preferable than allowing a large number of changes to replicate less
frequently.

Question: What is the purpose of a bridgehead server?

Answer: The bridgehead server is responsible for all replication into and out of the site for a
partition. Instead of replicating every domain controller in one site with every domain
controller in another site, bridgehead servers are used to handle intersite replication.

Question: Which protocol can be used as an alternative for Active Directory replication?
What is the disadvantage of using it?

Answer: SMTP can be used. The disadvantage is the inability to replicate the domain partition.

Common Issues Related to Managing Sites and Replication

Issue: Client cannot locate a domain controller in its site.
Troubleshooting tip:
• Check whether all SRV records for the domain controller are present in DNS.
• Check whether the domain controller has an IP address from a subnet that is associated with that site.

Issue: Replication between sites does not work.
Troubleshooting tip:
• Check whether the site links are configured correctly.
• Check the replication schedule.
• Check whether the firewall between the sites permits traffic for AD replication.

Issue: Replication between two domain controllers in the same site does not work.
Troubleshooting tip:
• Check whether both domain controllers appear in the same site.
• Check whether Active Directory on the domain controllers is operational.

Best Practices Related to Managing Active Directory Sites and Replication

You should implement the following best practices when you manage Active Directory sites and
replication in your environment:

• Always provide at least one global catalog per site.

• Be sure that all sites have the appropriate subnets associated with them.

• Do not set up long intervals without replication when you configure replication schedules for intersite
replication.

• Avoid using SMTP as a protocol for replication.

• Do not use universal groups unless necessary, because they create additional replication traffic.

Tools

Tool: Active Directory Sites and Services
Used for:
• Managing site objects
• Managing site links
• Managing replication
Where to find it: Administrative Tools

Tool: ADSI Edit
Used for: Viewing and managing Active Directory partitions
Where to find it: Administrative Tools

Tool: Repadmin
Used for: Monitoring and managing replication
Where to find it: Command-line utility

Tool: Dcdiag
Used for: Reporting on the overall health of replication and security for Active Directory Domain Services
Where to find it: Command-line utility

Lab Review Questions and Answers

Question: You have a site with 50 subnets, each with a subnet address of 10.0.x.0/24, and
you have no other 10.0.x.0 subnets. What should you do to make it easier to identify the 50
subnets and associate them with a site?

Answer: Define a single subnet, 10.0.0.0/16.

Question: Is the procedure you performed in Exercise 2 enough to create a "hub and spoke"
replication topology, which ensures that all changes from branches are replicated to the
headquarters before being replicated to other branches? If not, what should be done?

Answer: You must disable “Bridge all site links.”

Module 14
Managing Sites and Active Directory® Replication
Contents:
Lesson 1: Monitor Active Directory 165
Lesson 2: Manage the Active Directory Database 168
Lesson 3: Active Directory Recycle Bin 172
Lesson 4: Back Up and Restore AD DS and Domain Controllers 176
Module Review and Takeaways 179
Lab Review Questions and Answers 181

Lesson 1
Monitor Active Directory
Contents:
Detailed Demonstration Steps 166
Additional Reading 167

Detailed Demonstration Steps

Demonstration: Monitor AD DS

Detailed Demonstration Steps:

Create a new Data Collector Set named Custom Active Directory.

1. If it is not already started, start the virtual machine 6425C-NYC-DC1 and log on as
Contoso\Pat.Coleman_Admin with the password Pa$$w0rd.

2. Open Performance Monitor, and then add the server baseline counters.

3. Add some of the Active Directory counters, and then start the Data Collector Set.

4. Perform some activity to generate statistics.

5. Stop the Data Collector Set, and then look at the user-defined report.

6. In the System container, start the Active Directory Diagnostics Data Collector Set.

7. Perform some activity to generate statistics.

8. Stop the Data Collector Set, and then look at the system-defined report.

Demonstration: Using the Active Directory Best Practices Analyzer

Detailed Demonstration Steps:

1. Log on to 6425C-NYC-DC1 as Contoso\Pat.Coleman_Admin with the password Pa$$w0rd.

2. Open the Server Manager console.

3. In the left console pane, expand Roles, and then click the Active Directory Domain Services role.

4. In the central pane, scroll down to the Best Practices Analyzer section.

5. Click Scan This Role, and wait until the scan is complete.

6. Review the events that appear on the Noncompliant tab. Emphasize that some events have the
severity Error and some Warning.

7. Right-click any event, and then click Properties.

8. Show the detailed description of the event. Click Close.

9. Right-click any event, and then click Exclude Result. Show that the event now appears on the
Excluded tab.

10. Click the Compliant tab, and show the events that appear there.

11. Close Server Manager.

Additional Reading

Performance Monitor
• Using Performance Monitor

Data Collector Sets
• Creating Data Collector Sets

Lesson 2
Manage the Active Directory Database
Contents:
Questions and Answers 169

Detailed Demonstration Steps 170

Additional Reading 171



Questions and Answers

Active Directory Database Files

Question: What other Microsoft services use a transactional model for making database
changes? How does the AD DS model compare to these other services?

Answer: Both Microsoft Exchange Server and Microsoft SQL Server® use the transaction
model. The AD DS model is very similar in all cases, although some details, such as the size of
the transaction logs, vary. For example, in Exchange Server 2007, the transaction logs are
only 1 MB in size.

Perform Database Maintenance

Question: How often will you need to perform an offline defragmentation of your AD DS
databases in your environment?

Answer: Most organizations will have to perform an offline defragmentation only when they
need to optimize database usage. In general, you will do this only when the amount of data
that you are storing in the AD DS database on a domain controller decreases significantly.

Demonstration: AD DS Database Maintenance

Question: Why is it necessary to stop AD DS before defragmenting?

Answer: The database needs to be closed completely before it can be overwritten. An online
database may have locked records that are being written to, thus preventing file
modification.

Question: Why is it necessary to compact the database to a temporary directory first?

Answer: Compacting the database actually creates a contiguous copy, which will be used to
overwrite the fragmented original.

Detailed Demonstration Steps

Demonstration: AD DS Database Maintenance

Detailed Demonstration Steps:

To stop or start the AD DS service:

1. If it is not already started, start the virtual machine 6425C-NYC-DC1 and log on as
Contoso\Pat.Coleman_Admin with the password Pa$$w0rd.

2. Click Start, click Administrative Tools, and then click Services.

3. Right-click Active Directory Domain Services, and then click Stop.

4. In the Stop Other Services dialog box, click Yes.

To perform an offline defragmentation of the Active Directory database while AD DS is stopped:

1. Click Start, click Run, type CMD, and then press Enter.

2. In the command window, type ntdsutil, and then press Enter. Click Yes.

3. At the ntdsutil: prompt, type Activate Instance NTDS, and then press Enter.

4. At the ntdsutil: prompt, type files, and then press Enter.

5. At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath (where
drive:\LocalDirectoryPath is the path to a location on the local computer), and then press Ctrl+C to
break the process, because it takes too long to demonstrate.

6. Next, you would copy NTDS.dit to a "backup" location, along with the logs (*.log), and then you
would delete the logs (*.log).

7. Next, check the integrity of the newly compacted database. Type integrity to check the integrity of
the newly compacted database, but press Ctrl+C to break the process.

To move the AD DS database:

8. At the file maintenance: prompt, type move db to pathname, and then press Ctrl+C to break the
process. Explain that the NTDS.dit file would be moved to the new location and that permissions
would be set accordingly.

To restart AD DS:

9. In the Services console, right-click Active Directory Domain Services, and then click Start.
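The offline defragmentation the demonstration walks through (stop AD DS, compact to a local folder, keep the original and logs, swap in the compacted file, check integrity, restart), as an added PowerShell script that is not part of the course. It reads the database and log paths from the NTDS service registry key; the working and backup folder names are assumed values, and it must run on the domain controller itself with administrative rights.

```powershell
# Added example (not from the course): the demonstration's offline
# defragmentation scripted end to end on the DC. Database paths come from the
# registry; $work and $backup are assumed local folders.

function Invoke-Ntdsutil {
    # Runs ntdsutil non-interactively: every argument is one ntdsutil command,
    # so this is "activate instance ntds", "files", <commands>, "quit", "quit".
    param([string[]]$Commands)
    $argList = @('activate instance ntds', 'files') + $Commands + @('quit', 'quit')
    $out = & ntdsutil.exe $argList 2>&1 | Out-String
    Write-Host $out
    return $out
}

$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $params.'DSA Database file'           # usually C:\Windows\NTDS\ntds.dit
$logPath = $params.'Database log files path'     # usually C:\Windows\NTDS
$dbName  = Split-Path $dbFile -Leaf
$work    = 'C:\NTDS_Compact'                                           # assumed local folder
$backup  = 'C:\NTDS_Backup_' + (Get-Date -Format 'yyyyMMdd_HHmmss')   # assumed local folder
New-Item -ItemType Directory -Path $work, $backup -Force | Out-Null

# Remember which dependent services (KDC, DNS, DFSR, ...) are running, because
# Start-Service NTDS alone does not bring them back afterwards.
$deps = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }

# 1. Stop AD DS; -Force also stops the dependents, like the Stop Other Services dialog.
Stop-Service -Name NTDS -Force

# 2. Compact into the working folder. ntdsutil prints "Compaction is successful" on success.
$result = Invoke-Ntdsutil -Commands @("compact to $work")
if ($result -notmatch 'Compaction is successful') {
    Start-Service -Name NTDS
    $deps | Start-Service
    throw 'Compaction failed; AD DS restarted on the original database.'
}

# 3. Keep the original database and logs (step 6 of the demonstration).
Copy-Item -Path $dbFile -Destination $backup
Copy-Item -Path (Join-Path $logPath '*.log') -Destination $backup

# 4. Replace the original with the compacted copy and delete the old logs.
Copy-Item -Path (Join-Path $work $dbName) -Destination $dbFile -Force
Remove-Item -Path (Join-Path $logPath '*.log') -Force

# 5. Check the integrity of the new file before bringing the directory back (step 7).
$result = Invoke-Ntdsutil -Commands @('integrity')
if ($result -notmatch 'Integrity check successful') {
    # Roll back to the saved copy rather than start AD DS on a bad database.
    Copy-Item -Path (Join-Path $backup $dbName) -Destination $dbFile -Force
    Copy-Item -Path (Join-Path $backup '*.log') -Destination $logPath -Force
    throw 'Integrity check failed; original database and logs restored, AD DS left stopped.'
}

# 6. Restart AD DS and the services that were running on top of it.
Start-Service -Name NTDS
$deps | Start-Service
```

Take a system state backup before running this on a production domain controller; the script's own copy in $backup only covers a failed integrity check.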

Additional Reading

Active Directory Database Files
• How the Data Store Works

NTDSUtil
• Data Store Tools and Settings

• How to remove data in Active Directory after an unsuccessful domain controller demotion

Demonstration: AD DS Database Maintenance
• Compact the Directory Database File (Offline Defragmentation)

Active Directory Snapshots
• Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser)
Step-by-Step Guide

Restore Deleted Objects
• End-to-End Scenario That Uses the Active Directory Database Mounting Tool

Lesson 3
Active Directory Recycle Bin
Contents:
Detailed Demonstration Steps 173

Additional Reading 175



Detailed Demonstration Steps


Demonstration: Restore Deleted Objects with Active Directory Recycle Bin
Detailed Demonstration Steps:
Before performing this demonstration, run the script located at D:\Labfiles\Lab14a\Lab14a_Setup.bat.

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory
Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.

3. Check the value of Current forest functional level. If it is not set to Windows Server 2008 R2,
proceed to the next step. If it is, click OK and close the Active Directory Domains and Trusts
console.

4. In the Select an available forest functional level drop-down list, select Windows Server 2008 R2.

5. Click Raise.

6. In the Warning window, click OK.

7. In the confirmation window, click OK.

8. Close the Active Directory Domains and Trusts console.

Enable the Active Directory Recycle Bin Feature


1. Click Start, click Administrative Tools, and then right-click Active Directory Module for Windows
PowerShell. Click Run as administrator, and then click Yes.
2. Type the following command, and then press Enter.

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'

3. Type y, and then press Enter.

4. After the command prompt is returned to you, close the PowerShell window.

Delete an object
1. Open the Active Directory Users and Computers console from Administrative Tools.

2. Expand Contoso.com, expand User Accounts, and then click the Employees organizational unit.
3. In the central pane, right-click Aaron Lee and select Delete.

4. In the confirmation window, click Yes.

5. Close Active Directory Users and Computers.

Restore Deleted Object by using LDP.exe


1. To open Ldp.exe, click Start, and in the search box type ldp.exe. Under Programs, right-click
ldp.exe and then click Run as administrator. Click Yes.

2. On the Options menu, click Controls.



3. In the Controls dialog box, expand the Load Predefined menu, click Return deleted objects, and
then click OK.

4. To verify that the Deleted Objects container is displayed:


• To connect and bind to the server that hosts the forest root domain of your AD DS environment,
under Connection, click Connect, click OK, and then under Connection, click Bind, and then
click OK.

• Click View, click Tree, and in BaseDN, type DC=contoso,DC=com, and then click OK.

• In the console tree, double-click the root distinguished name (also known as DN) and locate the
CN=Deleted Objects,DC=contoso,DC=com container. Expand that object and ensure that the
Aaron Lee object appears below it.
5. Right-click the CN=Aaron Lee,... object, and then click Modify.

6. In the Edit Entry Attribute box, type isDeleted.

7. Under Operation, click Delete, and then click Enter.


8. In the Edit Entry Attribute box, type distinguishedName.

9. In the Values box, type the original distinguished name, which is CN=Aaron Lee,OU=Employees,
OU=User Accounts,DC=contoso,DC=com.
10. Under Operation, click Replace.

11. Ensure that the Extended check box is selected, click Enter, and then click Run.
12. Click Close.
13. From Administrative Tools, open the Active Directory Users and Computers console.

14. Expand Contoso.com, expand User Accounts, and then click the Employees organizational unit.

15. Ensure that the Aaron Lee user object exists and that all attributes like group membership are
retained.
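The same prerequisite check, feature enablement and object restore as a Windows PowerShell script using the Active Directory module. This is an added example, not a course lab file. It covers the Enable-ADOptionalFeature step above and the Windows PowerShell restore path that the lab review questions at the end of this module contrast with Ldp.exe, including the pipelined restore of several objects in one command. The domain contoso.com, the user Aaron Lee and the Employees OU come from the demonstration; the function names are the example's own.

```powershell
# Enable the Active Directory Recycle Bin and restore a deleted user with the
# Active Directory module for Windows PowerShell. Added example, not course
# lab code. Values below come from the demonstration. Enabling the Recycle
# Bin is a one-way operation, so the script checks before calling it.
Import-Module ActiveDirectory

$Domain      = 'contoso.com'
$DeletedName = 'Aaron Lee'
$EmployeesOU = 'OU=Employees,OU=User Accounts,DC=contoso,DC=com'

function Test-RecycleBinReady {
    # The feature requires forest functional level Windows Server 2008 R2.
    $forest = Get-ADForest -Identity $Domain
    $needed = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt $needed) {
        throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 R2 first."
    }
    $rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    return ($rb.EnabledScopes.Count -gt 0)
}

function Enable-RecycleBin {
    if (Test-RecycleBinReady) { Write-Host 'Recycle Bin is already enabled.'; return }
    # Same call as in the demonstration; -Confirm:$false replaces typing "y".
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $Domain -Confirm:$false
}

function Restore-DeletedUser {
    param([string]$Name)
    # Deleted objects are hidden from normal searches; -IncludeDeletedObjects
    # returns them. Their RDN is rewritten to "<name>\0ADEL:<guid>", so match
    # on the preserved last-known RDN instead of the current name.
    $candidates = @(Get-ADObject -Filter { isDeleted -eq $true } -IncludeDeletedObjects `
        -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged |
        Where-Object { $_.'msDS-LastKnownRDN' -eq $Name })
    if ($candidates.Count -ne 1) {
        throw "Expected one deleted object named '$Name', found $($candidates.Count)."
    }
    # Restore-ADObject uses lastKnownParent, so the original distinguished name
    # does not have to be retyped as it does in the Ldp.exe procedure.
    Restore-ADObject -Identity $candidates[0].ObjectGUID
    # Step 15 of the demonstration: verify the object and its group memberships.
    $user = Get-ADUser -Identity $candidates[0].ObjectGUID -Properties memberOf
    Write-Host "Restored $($user.DistinguishedName) with $($user.memberOf.Count) group membership(s)."
    return $user
}

function Restore-DeletedUsersFromOU {
    param([string]$ParentDN)
    # The pipelined form: every deleted object whose last known parent was the
    # given OU is restored with one command.
    Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $ParentDN } `
        -IncludeDeletedObjects | Restore-ADObject
}

Enable-RecycleBin
Restore-DeletedUser -Name $DeletedName
# For a whole OU that was emptied by mistake:
# Restore-DeletedUsersFromOU -ParentDN $EmployeesOU
```

Matching on msDS-LastKnownRDN rather than on name is the detail that makes the script reliable: once an object is deleted its name carries the DEL:GUID suffix, and if the same user has been deleted and recreated more than once there can be several candidates, which is why the function refuses to guess.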

Additional Reading
What Is Active Directory Recycle Bin?
• Active Directory Recycle Bin Step-by-Step Guide

Lesson 4
Back Up and Restore AD DS and Domain Controllers
Contents:
Detailed Demonstration Steps 177

Additional Reading 178



Detailed Demonstration Steps


Demonstration: Backing Up AD DS
Detailed Demonstration Steps:
Before performing this demonstration, you will need to open Server Manager and install the Windows
Server Backup Features on NYC-DC1.

1. On NYC-DC1, open the Windows Server Backup snap-in.


2. Click the Backup Once link. The Backup Once Wizard appears.

3. On the Backup Options page, ensure that Different options is selected, and then click Next.

4. On the Select Backup Configuration page, click Custom, and then click Next.
5. On the Select Items for Backup page, click Add Items.

6. On the Select Items dialog box, click System state, and then click OK. Click Next.

7. On the Specify Destination Type page, click Next.


8. On the Select Backup Destination page, click Next.

9. On the Confirmation page, click Backup.
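The same system state backup, driven from Windows PowerShell with wbadmin so that it can be scheduled rather than clicked through. This is an added example, not course lab code. It assumes Windows Server 2008 R2 and an elevated session; the target volume E: is a hypothetical value, and the function names are the example's own.

```powershell
# System state backup of a domain controller from Windows PowerShell.
# Added example, not course lab code. Assumes Windows Server 2008 R2 and an
# elevated session; the target volume letter E: is a hypothetical value.
$BackupTarget = 'E:'

function Install-WindowsServerBackup {
    # The demonstration's prerequisite: the Windows Server Backup feature.
    Import-Module ServerManager
    $feature = Get-WindowsFeature -Name Windows-Server-Backup
    if (-not $feature.Installed) {
        Add-WindowsFeature -Name Windows-Server-Backup | Out-Null
    }
}

function Start-SystemStateBackup {
    param([string]$Target)
    # Steps 2-9 of the demonstration as a single wbadmin command. On a domain
    # controller, system state includes ntds.dit and its log files, SYSVOL,
    # the registry and the boot files, so the target must be a different
    # volume from the one that holds them.
    if ($Target.TrimEnd('\') -eq $env:SystemDrive) {
        throw "Backup target $Target is the system volume; choose another volume."
    }
    & wbadmin.exe start systemstatebackup "-backupTarget:$Target" -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin failed with exit code $LASTEXITCODE; check the Windows Server Backup event log."
    }
}

function Get-BackupVersions {
    param([string]$Target)
    # Lists the backups on the target so the new one can be confirmed.
    & wbadmin.exe get versions "-backupTarget:$Target"
}

Install-WindowsServerBackup
Start-SystemStateBackup -Target $BackupTarget
Get-BackupVersions -Target $BackupTarget
```

Checking $LASTEXITCODE and listing the versions afterwards is what turns a scheduled task into a backup you can rely on; a job that silently fails leaves nothing to restore from.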



Additional Reading
Backup and Recovery Tools
• Backup and Recovery Overview for Windows Server 2008

• Windows Server Backup

• Windows Server Backup Step-by-Step Guide for Windows Server 2008


• Backing Up Your Server

Overview of AD DS and Domain Controller Backup


• AD DS Backup and Recovery Step-by-Step Guide

Additional Backup and Recovery Tools


For more information about WinRE and the other tools on this slide, go to:

• Backup and Recovery Overview for Windows Server 2008



Module Review and Takeaways


Review Questions
Question: Why is it necessary to stop AD DS before defragmenting?

Answer: The database needs to be closed completely before it can be overwritten. An online
database may have locked records that are being written to, thus preventing file
modification.

Question: Why is it necessary to compact the database to a temporary directory first?

Answer: Compacting the database actually creates a contiguous copy, which will be used to
overwrite the fragmented original.

Question: Which tool should be used to clean up metadata from an offline domain controller?
Answer: You should use ntdsutil for this purpose.

Question: What should you do before starting to use Active Directory Recycle Bin?

Answer: You should check whether your forest functional level is set to Windows Server 2008 R2,
and you must enable the Active Directory Recycle Bin feature by using Windows PowerShell or by
using ldp.exe.

Question: What kind of restore can you perform with Active Directory?

Answer: You can perform authoritative restore, nonauthoritative restore, and restore of
single objects with Active Directory Recycle Bin.

Common Issues Related to Directory Service Continuity


Issue: Active Directory is responding slowly to client requests
Troubleshooting tip: Enable performance monitoring on AD DS-related counters

Issue: You suspect that Active Directory is not configured according to best practices
Troubleshooting tip: Run the Active Directory Best Practices Analyzer

Issue: You want to be able to quickly restore accidentally deleted objects
Troubleshooting tip: Enable the Active Directory Recycle Bin feature

Best Practices Related to Directory Service Continuity


• Use Performance Monitoring tools to monitor Active Directory counters.

• Always establish a baseline before starting to make decisions based on monitoring results.

• Use the ability to stop and start AD DS when Domain Controller is online instead of restarting to the
Directory Service Restore Mode.

• Perform a backup of Active Directory database as often as possible.
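The first two best practices above (monitor the Active Directory counters, and establish a baseline before acting on the numbers) as a small Windows PowerShell script. This is an added example, not Microsoft code. The counter names are from the NTDS performance object on a Windows Server 2008 R2 domain controller; the baseline file path, the sample count and the "twice the baseline" threshold are assumptions chosen for the example.

```powershell
# Baseline and compare AD DS performance counters, as the best practices above
# recommend. Added example, not Microsoft code. Counter names are from the NTDS
# performance object on a Windows Server 2008 R2 domain controller; the
# baseline file path and the 2x deviation factor are assumptions.
$Counters = @(
    '\NTDS\LDAP Client Sessions',
    '\NTDS\LDAP Searches/sec',
    '\NTDS\LDAP Bind Time',
    '\NTDS\DS Threads in Use'
)
$BaselineFile = 'C:\Baselines\ntds-baseline.csv'

function Get-NtdsAverages {
    param([int]$Samples = 12, [int]$IntervalSeconds = 5)
    # Collect a short series and average each counter. On Windows PowerShell 2.0
    # the sample sets must be enumerated explicitly (no member enumeration on arrays).
    $sets = Get-Counter -Counter $Counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $sets | ForEach-Object { $_.CounterSamples } | Group-Object Path | ForEach-Object {
        New-Object PSObject -Property @{
            Counter = $_.Name
            Average = ($_.Group | Measure-Object CookedValue -Average).Average
        }
    }
}

function New-NtdsBaseline {
    # Run this during a normal, healthy period; later comparisons are only
    # meaningful against that reference.
    New-Item -ItemType Directory -Path (Split-Path $BaselineFile -Parent) -Force | Out-Null
    Get-NtdsAverages | Export-Csv -Path $BaselineFile -NoTypeInformation
}

function Compare-NtdsToBaseline {
    param([double]$Factor = 2.0)
    $baseline = Import-Csv $BaselineFile
    foreach ($now in Get-NtdsAverages) {
        $ref = $baseline | Where-Object { $_.Counter -eq $now.Counter }
        if (-not $ref) { continue }
        $refAvg = [double]$ref.Average
        $status = 'ok'
        if ($refAvg -gt 0 -and $now.Average -gt $refAvg * $Factor) { $status = 'ABOVE BASELINE' }
        New-Object PSObject -Property @{
            Counter  = $now.Counter
            Baseline = [math]::Round($refAvg, 2)
            Current  = [math]::Round($now.Average, 2)
            Status   = $status
        }
    }
}

if (-not (Test-Path $BaselineFile)) { New-NtdsBaseline }
Compare-NtdsToBaseline | Format-Table Counter, Baseline, Current, Status -AutoSize
```

A sustained jump in LDAP Searches/sec or LDAP Bind Time relative to the baseline is the kind of signal the "Active Directory is responding slowly" row in the table above is asking you to look for; without the baseline, the raw numbers say little.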



Tools

Tool: Performance Monitor
Used for: Monitoring system objects from a performance perspective
Where to find it: Administrative Tools

Tool: Reliability Monitor
Used for: Monitoring events that affect system stability and reliability
Where to find it: Administrative Tools

Tool: Event Viewer
Used for: Reviewing logged events on a server or workstation
Where to find it: Administrative Tools

Tool: Active Directory Module for Windows PowerShell
Used for: Active Directory administration
Where to find it: Administrative Tools

Tool: Ldp.exe
Used for: Management of Active Directory objects
Where to find it: Can be started from the Run window

Tool: Ntdsutil
Used for: Management of the Active Directory database
Where to find it: Command-line utility

Tool: Active Directory Domains and Trusts
Used for: Management of forest and domain functional levels and trusts
Where to find it: Administrative Tools

Tool: Windows Server Backup
Used for: Backup and restore of files and Active Directory
Where to find it: Administrative Tools

Windows Server 2008 R2 Features Introduced in this Module


Windows Server 2008 R2 feature: Active Directory Best Practices Analyzer
Description: Windows Server 2008 R2 provides a new tool to analyze Active Directory configuration

Windows Server 2008 R2 feature: Active Directory Recycle Bin
Description: Windows Server 2008 R2 Active Directory provides a feature that enables object restoration after accidental deletion

Lab Review Questions and Answers


Question: In which situations do you currently use, or plan to use event subscriptions as a
monitoring tool?

Answer: Answers will vary.

Question: To which events or performance counters would you consider attaching email
notifications or actions? Do you use notifications or actions currently in your enterprise
monitoring?

Answer: Answers will vary.

Question: In which other situations should you mount a snapshot of Active Directory?

Answer: If you discover a problem with Active Directory that will require restoring a backup,
you might want to look at snapshots to determine just how far back you need to go to
restore. After you’ve found the snapshot in which the correct data resides, you can restore
the backup taken on the same date.

Question: What are the disadvantages of restoring a deleted object with a tool such as LDP?

Answer: You must repopulate all attributes.

Question: Will it be possible to restore these deleted objects if they were deleted before
Active Directory Recycle Bin has been enabled?

Answer: Yes, but only as tombstone objects, without most of their attributes, or by using an
authoritative restore of AD DS.

Question: In which scenarios is Windows PowerShell a more appropriate method for object
restoration?

Answer: If we were restoring multiple objects, Windows PowerShell is a much more convenient
method because commands can be pipelined, so we can restore multiple objects with just one
command.
Question: What type of domain controller and directory service backup plan do you have in
place? What do you expect to put in place after having completed this lesson and this Lab?

Answer: Answers will vary.

Question: When you restore a deleted user (or an OU with user objects) by using
authoritative restore, will the objects be exactly the same as before? Which attributes might
not be the same?

Answer: Answers may vary somewhat, but the question is designed to frame a discussion of
group membership. A user’s group membership is not an attribute of the user object but
rather of the group object. When you authoritatively restore a user, you are not restoring
users’ membership in groups. The user was removed from the member attribute of groups
when it was deleted. So the restored user will not be a member of any groups other than its
primary group. In order to restore group memberships, you would have to consider
authoritatively restoring groups as well. This may or may not always be desirable, because
when you authoritatively restore the groups you return their membership to the day on
which the backup was made.

Module 15
Managing Multiple Domains and Forests
Contents:
Lesson 2 : Manage Multiple Domains and Trust Relationships 183

Module Reviews and Takeaways 187


Lab Review Questions and Answers 188

Lesson 2
Manage Multiple Domains and Trust Relationships
Contents:
Detailed Demonstration Steps 184

Additional Reading 186



Detailed Demonstration Steps


Demonstration: Create a Trust
The steps for creating trusts are similar across categories of trusts. You must be a member of the Domain
Admins or Enterprise Admins group to create a trust successfully.

To create a trust relationship:


1. Open the Active Directory Domains and Trusts snap-in.

2. Right-click the domain that will participate in one side of the trust relationship, and click Properties.

You must be running Active Directory Domains and Trusts with credentials that have permissions to
create trusts in this domain.

3. Click the Trusts tab.

4. Click the New Trust button.

The New Trust Wizard guides you through the creation of the trust.

5. On the Trust Name page, type the DNS name of the other domain in the trust relationship, and then
click Next.
6. If the domain you entered is not within the same forest, you will be prompted to select the type of
trust, which will be one of the following:

• Forest
• External

• Realm
If the domain is in the same forest, the wizard knows it is a shortcut trust.
7. If you are creating a realm trust, you will be prompted to indicate whether the trust is transitive or
nontransitive. (Realm trusts are discussed later in this lesson.)
8. On the Direction Of Trust page, select one of the following:
• Two-Way. This establishes a two-way trust between the domains.

• One-Way: Incoming. This establishes a one-way trust in which the domain you selected in step
2 is the trusted domain, and the domain you entered in step 5 is the trusting domain.
• One-Way: Outgoing. This establishes a one-way trust in which the domain you selected in step
2 is the trusting domain, and the domain you entered in step 5 is the trusted domain.
9. Click Next.

10. On the Sides Of Trust page, select one of the following:

• Both this domain and the specified domain. This establishes both sides of the trust. This
requires that you have permission to create trusts in both domains.
• This domain Only. This creates the trust relationship in the domain you selected in step 2. An
administrator with permission to create trusts in the other domain must repeat this process to
complete the trust relationship.

The next steps will depend on the options you selected in steps 8 and 10. The steps will involve
one of the following:

• If you selected Both this domain and the specified domain, you must enter a user name and
password with permissions to create the trust in the domain specified in step 5.

• If you selected This Domain Only, you must enter a trust password. A trust password is entered
by administrators on each side of a trust to establish the trust. The passwords should not be the
administrators’ user account passwords. Instead, each should be a unique password used only for
creating this trust. The passwords are used to establish the trust, and then the domains change
them immediately.
11. If the trust is an outgoing trust, you are prompted to choose one of the following:

• Selective Authentication

• Domain-Wide Authentication or Forest-Wide Authentication, depending on whether the trust


type is an external trust or a forest trust, respectively.

12. The New Trust Wizard summarizes your selections on the Trust Selections Complete page. Click
Next.

The wizard creates the trust.

13. The Trust Creation Complete page appears. Verify the settings, and then click Next.
You will then have the opportunity to confirm the trust. This option is useful if you have created both
sides of the trust or if you are completing the second side of a trust.

If you selected Both this domain and the specified domain in step 10, the process is complete. If
you selected This domain only in step 10, the trust relationship will not be complete until an
administrator in the other domain completes the process:

• If the trust relationship you established is a one-way outgoing trust, an administrator in the other
domain must create a one-way incoming trust.

• If the trust relationship you established is a one-way incoming trust, an administrator in the other
domain must create a one-way outgoing trust.
• If the trust relationship you established is a two-way trust, an administrator in the other domain
must create a two-way trust.
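Once a trust exists, the choices made in the wizard above (direction, trust type, transitivity, Selective Authentication versus domain- or forest-wide authentication) are stored on a trustedDomain object under CN=System in the domain. The following Windows PowerShell script reads those objects back and reports each trust in the wizard's own terms, which is the check an administrator runs to confirm what was created and to review trusts that predate them. It is an added example, not Microsoft code; it uses the Active Directory module on Windows Server 2008 R2 (which has no Get-ADTrust cmdlet), the flag values are those defined for the trustAttributes attribute in the MS-ADTS specification, and the function name is the example's own.

```powershell
# Inventory of the trust relationships a domain holds, decoded from the
# trustedDomain objects in CN=System. Added example, not Microsoft code.
# Flag values are from the trustAttributes attribute definition (MS-ADTS).
Import-Module ActiveDirectory

$TRUST_NON_TRANSITIVE     = 0x01
$TRUST_QUARANTINED_DOMAIN = 0x04   # SID filtering on (the default for external trusts)
$TRUST_FOREST_TRANSITIVE  = 0x08   # forest trust
$TRUST_CROSS_ORGANIZATION = 0x10   # Selective Authentication was chosen in the wizard
$TRUST_WITHIN_FOREST      = 0x20   # parent-child, tree-root or shortcut trust

function Get-TrustReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom = Get-ADDomain -Identity $Domain
    $trusts = Get-ADObject -SearchBase "CN=System,$($dom.DistinguishedName)" `
        -Filter { objectClass -eq 'trustedDomain' } `
        -Properties trustPartner, trustDirection, trustType, trustAttributes, whenCreated
    foreach ($t in $trusts) {
        $attr = [int]$t.trustAttributes
        # Direction, named as the New Trust Wizard names it.
        switch ([int]$t.trustDirection) {
            1       { $direction = 'One-Way: Incoming' }
            2       { $direction = 'One-Way: Outgoing' }
            3       { $direction = 'Two-Way' }
            default { $direction = 'Disabled' }
        }
        # Category, matching the wizard's Forest / External / Realm / shortcut choice.
        if ($attr -band $TRUST_WITHIN_FOREST)         { $kind = 'Within forest' }
        elseif ($attr -band $TRUST_FOREST_TRANSITIVE) { $kind = 'Forest' }
        elseif ([int]$t.trustType -eq 3)              { $kind = 'Realm' }
        else                                          { $kind = 'External' }
        # Forest and intra-forest trusts are transitive, external trusts are not,
        # and a realm trust is whichever the wizard was told.
        $transitive = ($kind -eq 'Forest' -or $kind -eq 'Within forest') -or
                      ($kind -eq 'Realm' -and -not ($attr -band $TRUST_NON_TRANSITIVE))
        New-Object PSObject -Property @{
            Partner       = $t.trustPartner
            Direction     = $direction
            Kind          = $kind
            Transitive    = $transitive
            SelectiveAuth = [bool]($attr -band $TRUST_CROSS_ORGANIZATION)
            SidFiltering  = [bool]($attr -band $TRUST_QUARANTINED_DOMAIN)
            Created       = $t.whenCreated
        }
    }
}

$report = Get-TrustReport
$report | Format-Table Partner, Kind, Direction, Transitive, SelectiveAuth, SidFiltering -AutoSize

# Trusts that reach outside the forest without Selective Authentication grant
# domain- or forest-wide authentication, so every account in the partner can
# be authenticated here; resource permissions are then the only control.
$report | Where-Object { $_.Kind -ne 'Within forest' -and -not $_.SelectiveAuth } |
    ForEach-Object { Write-Warning "Trust with $($_.Partner) uses domain- or forest-wide authentication." }
```

Running the report from both domains is the quickest way to confirm the "This domain only" case above: until the administrator on the other side has created the matching trust, only one of the two reports will list the partner.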

Additional Reading
Define Your Forest and Domain Structure
• For more information about the security considerations related to domain and forest design, see “Best
Practices for Delegating Active Directory Administration” at

• For more information about planning the architecture of an AD DS enterprise see

Demonstration: Create a Trust


• Detailed procedures for creating each type of trust are available at

Forest Trusts
• You can learn about the DNS requirements for a forest trust at

Module Reviews and Takeaways


Review questions
Question: If there is a trust within a forest, and the resource is not in the user’s domain,
how does the domain controller use the trust relationship to access the resource?

Answer: The domain controller uses the trust relationship with its parent and refers the
user’s computer to a domain controller in its parent domain. This attempt to locate a
resource continues up the trust hierarchy, possibly to the forest root domain, and down the
trust hierarchy, until contact occurs with a domain controller in the domain where the
resource exists.

Question: Your organization has a Windows Server 2008 forest environment, but it has just
acquired another organization with a Windows 2000 forest environment that contains a
single domain. Users in both organizations must be able to access resources in each other’s
forest. What type of trust do you create between the forest root domain of each forest?

Answer: You will need to implement an external trust, because Windows 2000 does not
support forest trusts. Only Windows Server 2003 or later supports forest trusts.

Question: A user from Contoso attempts to access a shared folder in the Tailspin Toys
domain and receives an Access Denied error. What must be done to provide access to the
user?

Answer: A trust relationship must be established in which Tailspin Toys trusts Contoso, and
then the user (or a group to which the user belongs) must be given permission to the shared
folder in the Tailspin Toys domain.

Question: Can you raise the domain functional level of a domain to Windows Server 2008
when other domains contain domain controllers running Windows Server 2003?
Answer: Yes. Domain functional levels within a forest can be different.

Windows Server 2008 R2 Features Introduced in this Module


Windows Server 2008 R2 feature: Windows Server 2008 R2 domain and forest functional levels
Description: Used to enable Windows Server 2008 R2-specific features

Lab Review Questions and Answers


Question: How would you configure a forest trust with another organization if the
organization does not provide you with their administrator credentials?

Answer: You would be able to configure and verify one side of the trust only. Administrators
in the other organization must configure the trust in their domain.
Question: What is the main benefit of Selective Authentication?

Answer: The ability to restrict which resources are available over the trust.

Send Us Your Feedback


You can search the Microsoft Knowledge Base for known issues at Microsoft Help and Support before
submitting feedback. Search using either the course number and revision, or the course title.

Note: Not all training products will have a Knowledge Base article. If that is the case, please ask your
instructor whether or not there are existing error log entries.

Courseware Feedback
Send all courseware feedback to support@mscourseware.com. We truly appreciate your time and effort.
We review every e-mail received and forward the information on to the appropriate team. Unfortunately,
because of volume, we are unable to provide a response but we may use your feedback to improve your
future experience with Microsoft Learning products.

Reporting Errors
When providing feedback, include the training product name and number in the subject line of your e-
mail. When you provide comments or report bugs, please include the following:
1. Document or CD part number

2. Page number or location


3. Complete description of the error or suggested change
Please provide any details that are necessary to help us verify the issue.

Important: All errors and suggestions are evaluated, but only those that are validated are added to the
product Knowledge Base article.
