Technical Editor: Tony Piltzecker
Technical Reviewer: Robert J. Shimonski
Contributing Authors: Naomi Alpern, Tariq Azad, Laura Hunter, John Karnay, Jeffery Martin, Gene Whitley
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media® and Syngress® are registered trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  HJIRTCV764
002  PO9873D5FG
003  829KM8NJH2
004  BPOQ48722D
005  CVPLQ6WQ23
006  VBP965T5T5
007  HJJJ863WD3E
008  2987GVTWMK
009  629MP5SDJT
010  IMWQ295T6T
PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

The Real MCTS/MCITP Exam 70-640 Prep Kit

Copyright © 2008 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1 2 3 4 5 6 7 8 9 0

ISBN 13: 978-1-59749-235-5

Publisher: Andrew Williams
Acquisitions Editor: David George
Technical Editor: Tony Piltzecker
Project Manager: Gary Byrne
Page Layout and Art: SPI
Copy Editors: Audrey Doyle, Mike McGee
Indexer: Ed Rush
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing.
Technical Editor

Tony Piltzecker (CISSP, MCSE, CCNA, CCVP, Check Point CCSA, Citrix CCA), author and technical editor of Syngress Publishing's MCSE Exam 70-296 Study Guide and DVD Training System and How to Cheat at Managing Microsoft Operations Manager 2005, is an independent consultant based in Boston, MA. Tony's specialties include network security design, Microsoft operating system and applications architecture, and Cisco IP Telephony implementations. Tony's background includes positions as systems practice manager for Presidio Networked Solutions, IT manager for SynQor Inc, network architect for Planning Systems, Inc., and senior networking consultant with Integrated Information Systems. Along with his various certifications, Tony holds a bachelor's degree in business administration. Tony currently resides in Leominster, MA, with his wife, Melanie, and his daughters, Kaitlyn and Noelle.

Technical Reviewer

Robert J. Shimonski (MCSE, etc.) is an entrepreneur, a technology consultant, and a published author with more than 20 years of experience in business and technology. Robert's specialties include designing, deploying, and managing networks, systems, virtualization, storage-based technologies, and security analysis. Robert also has many years of diverse experience deploying and engineering mainframes and Linux- and UNIX-based systems such as Red Hat and Sun Solaris. Robert has in-depth work-related experience with and deep practical knowledge of globally deployed Microsoft- and Cisco-based systems and stays current on the latest industry trends. Robert consults with business clients to help forge their designs, as well as to optimize their networks and keep them highly available, secure, and disaster free. Robert is the author of many information technology-related articles and published books, including the best-selling Sniffer Network Optimization and Troubleshooting Handbook, Syngress (ISBN: 1931836574). Robert is also the author of other best-selling titles, including Security+ Study Guide and DVD Training System (ISBN: 1931836728), Network+ Study Guide & Practice Exams: Exam N10-003 (ISBN: 1931836426), and Building DMZs for Enterprise Networks (ISBN: 1931836884), also from Syngress. His current book offerings include the newly published Vista for IT Security Professionals, Syngress (978-1-59749-139-6), and he is a series editor on the new Windows Server 2008 MCITP series from Syngress Publishing.

Contributing Authors

Naomi J. Alpern currently works for Microsoft as a consultant specializing in Unified Communications. She holds many Microsoft certifications, including an MCSE and MCT, as well as additional industry certifications such as Citrix Certified Enterprise Administrator, Security+, Network+, and A+. Since the start of her technical career, she has worked in many facets of the technology world, including IT administration, technical training, and, most recently, full-time consulting. She likes to spend her time reading cheesy horror and mystery novels when she isn't browsing the Web. She is also the mother of two fabulous boys, Darien & Justin, who mostly keep her running around like a headless chicken.

Tariq Bin Azad is the principal consultant and founder of NetSoft Communications Inc., a consulting company located in Toronto, Canada. He is considered a top IT professional by his peers, coworkers, colleagues, and customers. He obtained this status by continuously learning and improving his knowledge and information in the field of information technology. Currently, he holds more than 100 certifications, including MCSA, MCSE, MCTS, MCITP (Vista, Mobile 5.0, Microsoft Communications Server 2007, Windows 2008, and Microsoft Exchange Server 2007), MCT, CIW-CI, CCA, CCSP, CCEA, CCI, VCP, CCNA, CCDA, CCNP, CCDP, CSE, and many more. Most recently, Tariq has been concentrating on Microsoft Windows 2000/2003/2008, Exchange 2000/2003/2007, Active Directory, and Citrix implementations. He is a professional speaker and has trained architects, consultants, and engineers on topics such as Windows 2008 Active Directory, Citrix Presentation Server, and Microsoft Exchange 2007. In addition to owning and operating an independent consulting company, Tariq works as a senior consultant and has utilized his training skills in numerous workshops, corporate trainings, and presentations. Tariq holds a Bachelor of Science in Information Technology from Capella University, USA, and a bachelor's degree in Commerce from the University of Karachi, Pakistan, and is working on his ALMIT (Masters of Liberal Arts in Information Technology) from Harvard University. Tariq has been a coauthor on multiple books, including the best-selling MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (ISBN: 047018146X) and The Real MCTS/MCITP Exam 640 Preparation Kit (ISBN: 978-1-59749-235-5). Tariq has worked on projects or trained for major companies and organizations, including Rogers Communications Inc., Flynn Canada, Cap Gemini, HP, Direct Energy, Toyota Motors, Compaq, IBM, Citrix Systems Inc., Unicom Technologies, and Amica Insurance Company. He lives in Toronto, Canada, and would like to thank his father, Azad Bin Haider, and his mother, Sitara Begum, for a lifetime of guidance and for the understanding and support that gave him the skills that have allowed him to excel in work and life.

Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, Security+, CNE-4, CNE-5) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the university. Her specialties include Microsoft Windows 2000/2003 design and implementation, troubleshooting, and security topics. As an "MCSE Early Achiever" on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura's previous experience includes a position as the director of computer services for the Salvation Army and as the LAN administrator for a medical supply firm. She also operates as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of Web sites. Laura has previously contributed to Syngress Publishing's Configuring Symantec Antivirus, Corporate Edition (ISBN 1-931836-81-7). She has also contributed to several other exam guides in the Syngress Windows Server 2003 MCSE/MCSA DVD Guide and Training System series as a DVD presenter, contributing author, and technical reviewer. Laura holds a bachelor's degree from the University of Pennsylvania and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the U.S. Government and other participants dedicated to increasing the security of United States critical infrastructures.

John Karnay is a freelance writer, editor, and book author living in Queens, NY. John specializes in Windows server and desktop deployments utilizing Microsoft and Apple products and technology. John has been working with Microsoft products since Windows 95 and NT 4.0 and consults for many clients in New York City and Long Island, helping them plan migrations to XP/Vista and Windows Server 2003/2008. When not working and writing, John enjoys recording and writing music as well as spending quality time with his wife, Gloria, and daughter, Aurora.

Jeffery A. Martin MS/IT, MS/M (MCSE, MCSE:Security, MCSE:Messaging, MCDBA, MCT, MCSA, MCSA:Security, MCP+I, MCNE, CNE, CNA, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM) has been working with computer networks for more than 20 years. He is an editor, coeditor, author, or coauthor of more than 15 books and enjoys training others in the use of technology.

Gene Whitley (MBA, MCSE, MCSA, MCTS, MCP, Six Sigma Green Belt) is a senior systems engineer with Nucentric Solutions (www.nucentric.com), a technology integration firm in Davidson, NC. Gene started his IT career in 1992 with Microsoft, earning his MCP in 1993 and MCSE in 1994. He has been the lead consultant and project manager on numerous Active Directory and Exchange migration projects for companies throughout the U.S. Gene has been a contributing author on such books as How To Cheat At IIS 7 Server Administration, How To Cheat At Microsoft Vista Administration, and Microsoft Forefront Security Administration Guide. When not working, he spends his time with his wife and best friend, Samantha. Gene holds an MBA from Winthrop University and a BSBA in Management Information Systems from The University of North Carolina at Charlotte.
Contents Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi Chapter 1 Configuring Server Roles in Windows 2008 . . . . . . . . . . . . . 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 New Roles in 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Using Server Manager to Implement Roles . . . . . . . . . . . . . . . . . . . . . . 3 Using Server Core and Active Directory . . . . . . . . . . . . . . . . . . . . . . . . 9 What Is Server Core? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Read-Only Domain Controllers (RODCs) . . . . . . . . . . . . . . . . . . . . . . . . 15 Introduction to RODC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Its Purpose in Life . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Its Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Configuring RODC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Removing an RODC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Active Directory Lightweight Directory Service (LDS) . . . . . . . . . . . . . . . 22 When to Use AD LDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Changes from Active Directory Application Mode (ADAM) . . . . . . . . . 23 Configuring AD LDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Working with AD LDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Active Directory Rights Management Service (RMS) . . . . . . . . . . . . . . . . 28 What’s New in RMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 RMS vs. DRMS in Vista . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Configuring RMS . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Active Directory Federation Services (ADFS) . . . . . . . . . . . . . . . . . . . . . . 37 What Is Federation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Why and When to Use Federation . . . . . . . . . . . . . . . . . . . . . . . . . 38 Configuring ADFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . 54 Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Chapter 2 Configuring Network Services . . . . . . . . . . . . . . . . . . . . . . . Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Domain Name System (DNS) . . . . . . . . . . . . . . . . . . . . . . . . Identifying DNS Record Requirements . . . . . . . . . . . . . . . . . . . . .
61 62 63 68 xi
xii
Contents
Installing and Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Using Server Core and DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Configuring Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Zone Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Active Directory Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Reverse Lookup Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Configuring Reverse Lookup Zones . . . . . . . . . . . . . . . . . . . . . 87 Configuring Zone Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Configuring Dynamic Host Configuration Protocol (DHCP) . . . . . . . . . . 93 DHCP Design Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 DHCP Servers and Placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Installing and Configuring DHCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Using Server Core and DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100 Configuring DHCP for DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102 Configuring Windows Internet Naming Service (WINS). . . . . . . . . . . . . .103 Understanding WINS Replication . . . . . . . . . . . . . . . . . . . . . . . . .105 Automatic Partner Configuration . . . . . . . . . . . . . . . . . . . . . . . .105 Push Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106 Pull Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107 Push/Pull Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108 Replication Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108 Ring Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109 Hub-and-Spoke Models . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . .109 Hybrid Replication Models . . . . . . . . . . . . . . . . . . . . . . . . . . . .110 Static WINS Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110 Installing and Configuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111 Using Server Core for WINS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111 Configuring WINS for DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112 Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114 Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115 Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .117 Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119 Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123 Chapter 3 Working with Users, Groups, and Computers . . . . . . . . . . 125 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126 Navigating Active Directory Users and Computers . . . . . . . . . . . . . . . . . .126 Creating and Modifying User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . .129 User Account Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129 Creating a New Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Contents
Domain User Account Considerations . . . . . . . . . . . . . . . . . . . . . . . . .131 Password Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132 Creating a New Account Using Active Directory Users and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133 Modifying a Domain User Account Using Active Directory Users and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136 Common User Management Options . . . . . . . . . . . . . . . . . . . . . . . . .156 Creating a New User Account Using Script. . . . . . . . . . . . . . . . . . . . .157 Creating User Template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158 Configuring User Principal Names . . . . . . . . . . . . . . . . . . . . . . . . . . .159 Creating and Modifying Computer Accounts . . . . . . . . . . . . . . . . . . . . . .160 Creating a New Computer Account Using Active Directory Users and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161 Modifying a Computer Account Using Active Directory Users and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162 Creating a New Computer Account Using a Script . . . . . . . . . . . . . . .167 Resetting a Computer Account Using Active Directory Users and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167 Creating and Modifying Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169 Creating a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169 Types of Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170 Group Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170 Universal Groups Replication Concerns . . . . . . . . . . . . . . . . . . . . .171 Group Strategies . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171 Creating a New Group Using Active Directory Users and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172 Modifying a Group Using Active Directory Users and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173 Creating a New Group Using Script . . . . . . . . . . . . . . . . . . . . . . . . . .176 The Delegation of Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177 RODC (Read-Only Domain Controller) . . . . . . . . . . . . . . . . . . . . . .184 Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185 Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .189 Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192 Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195 Chapter 4 Configuring the Active Directory Infrastructure . . . . . . . . 197 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198 Working with Forests and Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199 Understanding Forests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
xiii
xiv
Contents
Understanding Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200 Forest and Domain Functional Levels . . . . . . . . . . . . . . . . . . . . . . . . .202 Using Domain Functional Levels . . . . . . . . . . . . . . . . . . . . . . . . . .203 Using the Windows 2000 Domain Functional Level . . . . . . . . . .204 Windows Server 2003 Domain Functional Level . . . . . . . . . . . . .204 Windows Server 2008 Domain Functional Level . . . . . . . . . . . . .205 Configuring Forest Functional Levels . . . . . . . . . . . . . . . . . . . . . . .206 Windows 2000 Forest Functional Level (default) . . . . . . . . . . . . .206 Windows Server 2003 Forest Functional Level . . . . . . . . . . . . . .207 Windows Server 2008 Forest Functional Level . . . . . . . . . . . . . .208 Raising Forest and Domain Functional Levels . . . . . . . . . . . . . . . . .208 Raising the Domain Functional Level . . . . . . . . . . . . . . . . . . . . .209 Understanding the Global Catalog. . . . . . . . . . . . . . . . . . . . . . . . . . . .210 UPN Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212 Directory Information Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212 Universal Group Membership Information . . . . . . . . . . . . . . . . . . .214 Understanding GC Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214 Universal Group Membership . . . . . . . . . . . . . . . . . . . . . . . . . . . .215 Attributes in the Global Catalog . . . . . . . . . . . . . . . . . . . . . . . . . . .215 Placing GC Servers within Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216 Bandwidth and Network Traffic Considerations. . . . . . . . . . . . . . . .217 Universal Group Membership Caching . . . . . . . . . . . . . . . . . . . . . .218 Working with Flexible Single Master Operation (FSMO) Roles . . . . . .220 Placing, Transferring, and Seizing FSMO Role Holders . . . . . . . . . 
.223 Locating and Transferring the Schema Master Role . . . . . . . . . . .224 Locating and Transferring the Domain Naming Master Role . . . .227 Locating and Transferring the Infrastructure, RID, and PDC Operations Master Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . .228 Placing the FSMO Roles within an Active Directory Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .232 Working with Sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233 Understanding Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233 Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236 Site Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237 Criteria for Establishing Separate Sites . . . . . . . . . . . . . . . . . . . . . .237 Creating a Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238 Renaming a Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243 Creating Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244 Associating Subnets with Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . .247 Creating Site Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249
Contents
Configuring Site Link Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252 Understanding Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255 Intrasite Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256 Intersite Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258 Bridgehead Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259 Site Link Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259 Scheduling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .260 Forcing Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261 Replication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261 Planning, Creating, and Managing the Replication Topology . . . . . . . .262 Planning Replication Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . .262 Creating Replication Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . .262 Configuring Replication between Sites . . . . . . . . . . . . . . . . . . . . . . . .263 Troubleshooting Replication Failure . . . . . . . . . . . . . . . . . . . . . . . . . .264 Troubleshooting Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264 Using Event Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265 Working with Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266 Default Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272 Forest Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272 External Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273 Shortcut Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
.274 SID Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275 Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277 Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279 Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .281 Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285 Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290 Chapter 5 Understanding Group Policy . . . . . . . . . . . . . . . . . . . . . . . . 291 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292 Types of Group Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292 Local Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293 Non-Local Group Policy Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . .296 Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303 Network Location Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306 User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307 Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308 Group Policy Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309 Site, Domain, and OU Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . .309 Group Policy Processing Priority. . . . . . . . . . . . . . . . . . . . . . . . . . . . .311
xv
xvi
Contents
Creating and Linking GPOs . . . 314
Creating Stand-Alone GPOs . . . 314
Linking Existing GPOs . . . 315
Creating and Linking at One Time . . . 316
Controlling Application of Group Policies . . . 318
Enforce . . . 318
Block Inheritance . . . 322
Group Policy Results and Group Policy Modeling . . . 323
WMI . . . 330
Group Policy Filtering . . . 331
Group Policy Loopback . . . 334
GPO Templates . . . 334
Administrative Templates . . . 335
Security Templates . . . 337
Starter GPOs . . . 341
Summary of Exam Objectives . . . 346
Exam Objectives Fast Track . . . 347
Exam Objectives Frequently Asked Questions . . . 348
Self Test . . . 350
Self Test Quick Answer Key . . . 356
Chapter 6 Configuring Group Policy . . . 357
Configuring Software Deployment . . . 358
Installation Overview . . . 358
Publishing to Users . . . 361
Assigning to Users . . . 364
Assigning to Computers . . . 368
Maintenance . . . 370
Redeploying Software . . . 370
Upgrading Software . . . 371
Removing Software Deployed with Group Policy . . . 375
Forced Removal . . . 376
Optional Removal . . . 377
Configuring Account Policies . . . 378
Domain Password Policy . . . 379
Account Lockout Policy . . . 380
Fine-Grain Password and Account Lockout Policies . . . 384
Configuring a Fine-Grain Password Policy . . . 386
Applying Users and Groups to a PSO with Active Directory Users and Computers . . . 394
Configuring Audit Policies . . . 397
Logon Events . . . 399
Directory Service Access . . . 401
Configuring Directory Service Access Auditing in Group Policy . . . 401
Configuring Active Directory Object Auditing . . . 402
Object Access . . . 404
Configuring Object Access Auditing in Group Policy . . . 405
Configuring Object Level Auditing . . . 405
Other Audit Policies . . . 408
Configuring Additional Security-Related Policies . . . 409
User Rights . . . 409
Security Options . . . 411
Restricted Groups . . . 415
Adding a New Restricted Group . . . 416
Modifying a Restricted Group . . . 419
Deleting a Restricted Group . . . 420
Administrative Templates . . . 420
ADMX Central Store . . . 422
Adding ADM Templates to a GPO . . . 424
Converting ADM Files to the ADMX Format . . . 427
Converting ADM Files to ADMX Files Using the Command Prompt . . . 427
Converting ADM Files to ADMX Files Using the MMC Snap-in . . . 427
Summary of Exam Objectives . . . 432
Exam Objectives Fast Track . . . 434
Exam Objectives Frequently Asked Questions . . . 437
Self Test . . . 440
Self Test Quick Answer Key . . . 444
Chapter 7 Configuring Certificate Services and PKI . . . 445
Introduction . . . 446
What Is PKI? . . . 447
The Function of the PKI . . . 449
Components of PKI . . . 450
How PKI Works . . . 452
PKCS Standards . . . 454
How Certificates Work . . . 460
Public Key Functionality . . . 463
Digital Signatures . . . 464
Authentication . . . 465
Secret Key Agreement via Public Key . . . 466
Bulk Data Encryption without Prior Shared Secrets . . . 466
User Certificates . . . 479
Machine Certificates . . . 480
Application Certificates . . . 480
Analyzing Certificate Needs within the Organization . . . 480
Working with Certificate Services . . . 481
Configuring a Certificate Authority . . . 481
Certificate Authorities . . . 482
Standard vs. Enterprise . . . 482
Root vs. Subordinate Certificate Authorities . . . 483
Certificate Requests . . . 484
Certificate Practice Statement . . . 489
Key Recovery . . . 489
Backup and Restore . . . 489
Assigning Roles . . . 496
Enrollments . . . 496
Revocation . . . 497
Working with Templates . . . 501
General Properties . . . 503
Request Handling . . . 505
Cryptography . . . 506
Subject Name . . . 508
Issuance Requirements . . . 509
Security . . . 512
Types of Templates . . . 513
User Certificate Types . . . 513
Computer Certificate Types . . . 514
Other Certificate Types . . . 516
Custom Certificate Templates . . . 516
Securing Permissions . . . 519
Versioning . . . 520
Key Recovery Agent . . . 521
Summary of Exam Objectives . . . 523
Exam Objectives Fast Track . . . 524
Exam Objectives Frequently Asked Questions . . . 526
Self Test . . . 529
Self Test Quick Answer Key . . . 532
Chapter 8 Maintaining an Active Directory Environment . . . 533
Introduction . . . 534
Backup and Recovery . . . 534
Using Windows Server Backup . . . 535
Scheduling a Backup . . . 540
Backing Up to Removable Media . . . 548
Backing Up System State Data . . . 551
Backing Up Key Files . . . 555
Backing Up Critical Volumes . . . 556
Recovering System State Data . . . 557
Recovering Key Files . . . 559
Directory Services Restore Mode . . . 565
Performing Authoritative and Nonauthoritative Restores . . . 568
Authoritative Restore . . . 568
Nonauthoritative Restore . . . 575
Linked Value Replication . . . 575
Backing Up and Restoring GPOs . . . 575
Offline Maintenance . . . 584
Restartable Active Directory . . . 584
Offline Defrag and Compaction . . . 587
Active Directory Storage Allocation . . . 590
Monitoring Active Directory . . . 591
The Network Monitor . . . 591
The Task Manager . . . 594
The Applications Tab . . . 596
The Processes Tab . . . 597
The Services Tab . . . 598
The Performance Tab . . . 598
The Networking Tab . . . 599
The Users Tab . . . 601
The Event Viewer . . . 602
Custom Views . . . 602
Windows Logs . . . 605
Applications and Services Logs . . . 606
Subscriptions . . . 607
Replmon . . . 611
Using Replmon . . . 611
RepAdmin . . . 618
Windows System Resource Manager . . . 621
The Windows Reliability and Performance Monitor . . . 623
Resource Overview . . . 624
The Performance Monitor . . . 625
The Reliability Monitor . . . 627
Data Collector Sets . . . 629
Reports . . . 631
Summary of Exam Objectives . . . 633
Exam Objectives Fast Track . . . 635
Exam Objectives Frequently Asked Questions . . . 637
Self Test . . . 639
Self Test Quick Answer Key . . . 644
Appendix . . . 645
Index . . . 697
Foreword
This book’s primary goal is to help you prepare to take and pass Microsoft’s Exam 70-640, Windows Server 2008 Active Directory, Configuring. Our secondary purpose in writing this book is to provide exam candidates with knowledge and skills that go beyond the minimum requirements for passing the exam and help to prepare them to work in the real world of Microsoft computer networking.
What Is MCTS Exam 70-640?
Microsoft Certified Technology Specialist (MCTS) Exam 70-640 is both a standalone test for those wishing to master Active Directory technology and a requirement for those pursuing certification as a Microsoft Certified Information Technology Professional (MCITP) for Windows Server 2008. Microsoft’s stated target audience consists of IT professionals with at least one year of work experience on a medium-sized or large company network. This means a multisite network with at least three domain controllers running typical network services such as file and print services, messaging, database, firewall services, proxy services, remote access services, an intranet, and Internet connectivity. However, not everyone who takes Exam 70-640 will have this ideal background. Many people will take this exam after classroom instruction or self-study as an entry into the networking field. Many of those who do have job experience in IT will not have had the opportunity to work with all of the technologies covered by the exam. In this book, our goal is to provide background information that will help you to understand the concepts and procedures described even if you don’t have the requisite experience, while keeping our focus on the exam objectives.
Exam 70-640 covers the basics of managing and maintaining a network environment that is built around Microsoft’s Windows Server 2008. The book includes the following task-oriented objectives:
■ Configuring Domain Name System (DNS) for Active Directory This objective includes configuring zones, configuring DNS server settings, and configuring zone transfers and replication.
■ Configuring the Active Directory Infrastructure This objective includes configuring a forest or domain, configuring trusts, configuring sites, configuring Active Directory replication, configuring the global catalog, and configuring operations masters.
■ Configuring Additional Active Directory Server Roles This objective includes configuring Active Directory Lightweight Directory Service (AD LDS), configuring Active Directory Rights Management Service (AD RMS), configuring the read-only domain controller (RODC), and configuring Active Directory Federation Services (AD FS).
■ Creating and Maintaining Active Directory Objects This objective includes automating the creation of Active Directory accounts, maintaining Active Directory accounts, creating and applying Group Policy Objects (GPOs), configuring GPO templates, configuring software deployment GPOs, configuring account policies, and configuring audit policies using GPOs.
■ Configuring Active Directory Certificate Services This objective includes installing Active Directory certificate services, configuring certificate authority (CA) server settings, managing certificate templates, managing enrollments, and managing certificate revocations.
Path to MCTS/MCITP/MS Certified Architect
Microsoft certification is recognized throughout the IT industry as a way to demonstrate mastery of basic concepts and skills required to perform the tasks involved in implementing and maintaining Windows-based networks. The certification program is constantly evaluated and improved, while the nature of information technology is changing rapidly; consequently, requirements and specifications for certification can also change rapidly. This book is based on the exam objectives as stated by Microsoft at the time of writing; however, Microsoft reserves the right to make changes to the objectives and to the exam itself at any time. Exam candidates should regularly visit the Certification and Training Web site at www.microsoft.com/learning/mcp/default.mspx for the most updated information on each Microsoft exam. Microsoft currently offers three basic levels of certification: the technology level, professional level, and architect level:
■ Technology Series This level of certification is the most basic, and it includes the Microsoft Certified Technology Specialist (MCTS) certification. The MCTS certification is focused on one particular Microsoft technology. There are 19 MCTS exams at the time of this writing. Each MCTS certification consists of one to three exams, does not include job-role skills, and will be retired when the technology is retired. Microsoft Certified Technology Specialists will be proficient in implementing, building, troubleshooting, and debugging a specific Microsoft technology.
■ Professional Series This is the second level of Microsoft certification, and it includes the Microsoft Certified Information Technology Professional (MCITP) and Microsoft Certified Professional Developer (MCPD) certifications. These certifications consist of one to three exams, have prerequisites from the Technology Series, focus on a specific job role, and require an exam refresh to remain current. The MCITP certification offers nine separate tracks as of the time of this writing. There are two Windows Server 2008 tracks, Server Administrator and Enterprise Administrator. To achieve the Server Administrator MCITP for Windows Server 2008, you must successfully complete one Technology Series exam and one Professional Series exam. To achieve the Enterprise Administrator MCITP for Windows Server 2008, you must successfully complete four Technology Series exams and one Professional Series exam.
■ Architect Series This is the highest level of Microsoft certification, and it requires the candidate to have at least 10 years’ industry experience. Candidates must pass a rigorous review by a review board of existing architects, and they must work with an architect mentor for a period of time before taking the exam.
NOTE Those who already hold the MCSA or MCSE in Windows 2003 can upgrade their certifications to MCITP Server Administrator by passing one upgrade exam and one Professional Series exam. Those who already hold the MCSA or MCSE in Windows 2003 can upgrade their certifications to MCITP Enterprise Administrator by passing one upgrade exam, two Technology Series exams, and one Professional Series exam.
Prerequisites and Preparation
There are no mandatory prerequisites for taking Exam 70-640, although Microsoft recommends that you meet the target audience profile described earlier. Exam 70-640 is the logical choice for the first step in completing the requirements for the MCITP. Preparation for this exam should include the following:
■ Visit the Web site at www.microsoft.com/learning/exams/70-640.mspx to review the updated exam objectives.
■ Work your way through this book, studying the material thoroughly and marking any items you don’t understand.
■ Answer all practice exam questions at the end of each chapter.
■ Complete all hands-on exercises in each chapter.
■ Review any topics that you don’t thoroughly understand.
■ Consult Microsoft online resources such as TechNet (www.microsoft.com/technet/), white papers on the Microsoft Web site, and so forth, for better understanding of difficult topics.
■ Participate in Microsoft’s product-specific, training, and certification newsgroups if you have specific questions that you still need answered.
■ Take at least one practice exam, such as the one included on the Syngress/Elsevier certification Web site, www.syngress.com/certification.
Exam Overview
In this book, we have tried to follow Microsoft’s exam objectives as closely as possible. However, we have rearranged the order of some topics for a better flow and included background material to help you understand the concepts and procedures that are included in the objectives. Here is a brief synopsis of the exam topics covered in each chapter:
■ Configuring Server Roles in Windows 2008 In this chapter you will learn about the new server roles in Windows Server 2008, including RODCs, AD LDS, AD RMS, and AD FS. We begin with a discussion of Server Manager and Server Core, and configuring the Active Directory Role in Server Core. We then discuss Read-Only Domain Controllers (RODCs), and their purpose. We show you the features of RODCs, and then we show you how to install, configure, and remove them. Active Directory Lightweight Directory Service (AD LDS) is discussed next and how it differs from ADAM. We show you how to install and work with AD LDS. Next, we show you how to install and work with Active Directory Rights Management Service (AD RMS) and how it differs from DRMS in Windows Vista. Finally, we discuss Active Directory Federation Services (AD FS), including defining what it is, explaining why and how to use it, and describing how to configure it.
■ Configuring Network Services Chapter 2 presents the Network Services used in Windows Server 2008. We begin by presenting the Domain Name System (DNS), discussing its requirements, explaining how to install and configure it, and describing how it is used with Server Core. You’ll also learn how to configure zones and zone resolution. Next, we discuss the Dynamic Host Configuration Protocol (DHCP). We cover DHCP design principles, installing and configuring DHCP, using DHCP with Server Core, and configuring DHCP for DNS. The third network service covered in the chapter is Windows Internet Naming Service (WINS), including installation and configuration, using WINS with Server Core, and configuring WINS for DNS.
■ Working with Users, Groups, and Computers This chapter provides information about creating and modifying user accounts, creating and modifying computer accounts, creating and modifying groups, and delegation of tasks. Creating users, groups, and computers is discussed in the context of individual, manual creation, as well as creating each from scripts and modifying each using AD Users and Computers.
■ Configuring the Active Directory Infrastructure In this chapter you will learn about creating the organizational structure of your network. We begin with a discussion of forests and domains, understanding forests, forest functional levels and operations masters, domain functional levels and operations masters, and domain migrations. We next cover topics such as subnets, site links, replication, and the global catalog. Finally, we cover trusts, including forest trusts, authentication, transitive, external, and shortcut trusts, and SID filtering.
■ Understanding Group Policy Group policy is presented in two chapters—the first of which covers group policy basics, and the second of which covers how to configure group policies. In this chapter, you learn about user group policies and computer group policies, site, domain, and OU group policy hierarchy, how to create and link group policy objects (GPOs), both new and existing, controlling the application of group policies, and using GPO templates.
■ Configuring Group Policy The second Group Policy chapter discusses configuration. We begin by explaining how to configure software deployment and publishing and assigning to users and computers. Next, we talk about configuring account policies, including domain password policy, account lockout policy, and fine-grain password policies. The last part of the chapter talks about configuring audit policies.
■ Configuring Certificate Services and PKI We look at Public Key Infrastructure, its components, how it works, and how certificates work. Next, we talk about working with certificate services, configuring a certificate authority, the different types of certificate authorities, backing up and restoring, assigning roles, enrollments, and revocation. In the last part of the chapter, we discuss working with templates, including types of templates, securing permissions, versioning, and key recovery agents.
■ Maintaining an Active Directory Environment In the last chapter of the book, we discuss how to maintain an Active Directory environment. We begin by discussing backup and recovery, including using Windows Server Backup, performing authoritative and nonauthoritative restores, linked value replication, directory services restore mode, and how to back up and restore group policy objects. Next, you’ll learn about offline maintenance, including offline defragmentation and compaction, restartable Active Directory, and storage allocation. Finally, you’ll learn how to monitor Active Directory. Discussed here are the various tools used, including network monitor, task manager, event viewer, replmon, repadmin, systems resource manager, reliability and performance manager, and server performance monitor.
Exam Day Experience
Taking the exam is a relatively straightforward process. Prometric testing centers administer the Microsoft 70-640 exam. You can register for, reschedule, or cancel an exam through the Prometric Web site at www.register.prometric.com. You’ll find listings of testing center locations on these sites. Accommodations are made for those with disabilities; contact the individual testing center for more information. Exam price varies depending on the country in which you take the exam.
Exam Format
Exams are timed. At the end of the exam, you will find out your score and whether you passed or failed. You will not be allowed to take any notes or other written materials with you into the exam room. You will be provided with a pencil and paper, however, for making notes during the exam or doing calculations. In addition to the traditional multiple choice questions and the select and drag, simulation and case study questions, you might see some or all of the following types of questions:
■ Hot area questions, in which you are asked to select an element or elements in a graphic to indicate the correct answer. You click an element to select or deselect it.
■ Active screen questions, in which you change elements in a dialog box (for example, by dragging the appropriate text element into a text box or selecting an option button or checkbox in a dialog box).
■ Drag and drop questions, in which you arrange various elements in a target area.
Test-Taking Tips
Different people work best using different methods. However, there are some common methods of preparation and approach to the exam that are helpful to many test-takers. In this section, we provide some tips that other exam candidates have found useful in preparing for and actually taking the exam.
■ Exam preparation begins before exam day. Ensure that you know the concepts and terms well and feel confident about each of the exam objectives. Many test-takers find it helpful to make flash cards or review notes to study on the way to the testing center. A sheet listing acronyms and abbreviations can be helpful, as the number of acronyms (and the similarity of different acronyms) when studying IT topics can be overwhelming. The process of writing the material down, rather than just reading it, will help to reinforce your knowledge.
■ Many test-takers find it especially helpful to take practice exams that are available on the Internet and with books such as this one. Taking the practice exams can help you become used to the computerized exam-taking experience, and the practice exams can also be used as a learning tool. The best practice tests include detailed explanations of why the correct answer is correct and why the incorrect answers are wrong.
■ When preparing and studying, you should try to identify the main points of each objective section. Set aside enough time to focus on the material and lodge it into your memory. On the day of the exam, you should be at the point where you don’t have to learn any new facts or concepts; instead, you’ll need simply to review the information already learned.
■ The value of hands-on experience cannot be stressed enough. Exam questions are based on test writers’ experiences in the field. Working with the products on a regular basis—whether in your job environment or in a test network that you’ve set up at home—will make you much more comfortable with these questions.
■ Know your own learning style and use study methods that take advantage of it. If you’re primarily a visual learner, reading, making diagrams, watching video files on CD, etc., may be your best study methods. If you’re primarily auditory, classroom lectures, audiotapes you can play in the car as you drive, and repeating key concepts to yourself aloud may be more effective. If you’re a kinesthetic learner, you’ll need to actually do the exercises, implement the security measures on your own systems, and otherwise perform hands-on tasks to best absorb the information. Most of us can learn from all of these methods, but have a primary style that works best for us.
■ Although it may seem obvious, many exam-takers ignore the physical aspects of exam preparation. You are likely to score better if you’ve had sufficient sleep the night before the exam, and if you are not hungry, thirsty, hot/cold or otherwise distracted by physical discomfort. Eat prior to going to the testing center (but don’t indulge in a huge meal that will leave you uncomfortable), stay away from alcohol for 24 hours prior to the test, and dress appropriately for the temperature in the testing center (if you don’t know how hot/cold the testing environment tends to be, you may want to wear light clothes with a sweater or jacket that can be taken off).
■ Before you go to the testing center to take the exam, be sure to allow time to arrive on time, take care of any physical needs, and step back to take a deep breath and relax. Try to arrive slightly early, but not so far in advance that you spend a lot of time worrying and getting nervous about the testing process. You may want to do a quick last-minute review of notes, but don’t try to “cram” everything the morning of the exam. Many test-takers find it helpful to take a short walk or do a few calisthenics shortly before the exam to get oxygen flowing to the brain.
■ Before you begin to answer questions, use the pencil and paper provided to you to write down terms, concepts and other items that you think you may have difficulty remembering as the exam goes on. Then you can refer back to these notes as you progress through the test. You won’t have to worry about forgetting the concepts and terms you have trouble with later in the exam.
■ Sometimes the information in a question will remind you of another concept or term that you might need in a later question. Use your pen and paper to make note of this in case it comes up later on the exam.
■ It is often easier to discern the answer to scenario questions if you can visualize the situation. Use your pen and paper to draw a diagram of the network that is described to help you see the relationships between devices, IP addressing schemes, and so forth.
■ When appropriate, review the answers you weren’t sure of. However, you should change your answer only if you’re sure that your original answer was incorrect. Experience has shown that more often than not, when test-takers start second-guessing their answers, they end up changing correct answers to incorrect ones. Don’t “read into” the question (that is, don’t fill in or assume information that isn’t there); this is a frequent cause of incorrect responses.
■ As you go through this book, pay special attention to the Exam Warnings, as these highlight concepts that are likely to be tested. You may find it useful to go through and copy these into a notebook (remembering that writing something down reinforces your ability to remember it) and/or go through and review the Exam Warnings in each chapter just prior to taking the exam.
■ Use as many little mnemonic tricks as possible to help you remember facts and concepts. For example, to remember which of the two IPsec protocols (AH and ESP) encrypts data for confidentiality, you can associate the “E” in encryption with the “E” in ESP.
Pedagogical Elements
In this book, you’ll find a number of different types of sidebars and other elements designed to supplement the main text. These include the following:
■ Exam Warning These sidebars focus on specific elements on which the reader needs to focus in order to pass the exam (for example, “Be sure you know the difference between symmetric and asymmetric encryption”).
■ Test Day Tip These sidebars are short tips that will help you in organizing and remembering information for the exam (for example, “When preparing for the exam on test day, it may be helpful to have a sheet with definitions of these abbreviations and acronyms handy for a quick last-minute review”).
■ Configuring & Implementing These sidebars contain background information that goes beyond what you need to know from the exam, but provide a “deep” foundation for understanding the concepts discussed in the text.
■ New & Noteworthy These sidebars point out changes in Windows Server 2008 from Windows Server 2003 as they will apply to readers taking the exam. These may be elements that users of Windows Server 2003 would be very familiar with that have changed significantly in Windows Server 2008, or totally new features that they would not be familiar with at all.
■ Head of the Class These sidebars are discussions of concepts and facts as they might be presented in the classroom, regarding issues and questions that most commonly are raised by students during study of a particular topic.
Each chapter of the book also includes hands-on exercises in planning and configuring the features discussed. It is essential that you read through and, if possible, perform the steps of these exercises to familiarize yourself with the processes they cover. You will find a number of helpful elements at the end of each chapter. For example, each chapter contains a Summary of Exam Objectives that ties the topics discussed in that chapter to the published objectives. Each chapter also contains an Exam Objectives Fast Track, which boils all exam objectives down to manageable summaries that are perfect for last-minute review. The Exam Objectives Frequently Asked Questions section answers those questions that most often arise from readers and students regarding the topics covered in the chapter. Finally, in the Self Test section, you will find a set of practice questions written in a multiple-choice format that will assist you in your exam preparation. These questions are designed to assess your mastery of the exam objectives and provide thorough remediation, as opposed to simulating the variety of question formats you may encounter in the actual exam. You can use the Self Test Quick Answer Key that follows the Self Test questions to quickly determine what information you need to review again. The Self Test Appendix at the end of the book provides detailed explanations of both the correct and incorrect answers.
Additional Resources
There are two other important exam preparation tools included with this study guide. One is the DVD included in the back of this book. The other is the concept review test available from our Web site.
■ A DVD that provides book content in multiple electronic formats for exam-day review Review major concepts, test day tips, and exam warnings in PDF, PPT, MP3, and HTML formats. Here, you’ll cut through all of the noise to prepare you for exactly what to expect when you take the exam for the first time. You will want to watch this DVD just before you head out to the testing center!
■ Web-based practice exams Just visit us at www.syngress.com/certification to access a complete Windows Server 2008 concept multiple-choice review. These remediation tools are written to test you on all of the published certification objectives. The exam runs in both “live” and “practice” mode. Use “live” mode first to get an accurate gauge of your knowledge and skills, and then use practice mode to launch an extensive review of the questions that gave you trouble.
Chapter 1
MCTS/MCITP Exam 640 Configuring Server Roles in Windows 2008
Exam objectives in this chapter:
■ New Roles in 2008
■ Read-Only Domain Controllers (RODCs)
■ Active Directory Lightweight Directory Service (LDS)
■ Active Directory Rights Management Service (RMS)
■ Active Directory Federation Services (ADFS)
Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
Chapter 1 • Configuring Server Roles in Windows 2008
Introduction
With the introduction of new revisions to Microsoft products—be it Windows, Exchange, Communications Server, or others—we have seen a trend toward “roles” within each product, as opposed to the various products being an all-in-one type of solution (as with Exchange 2007), or being additional features that work as a snap-in, such as DNS in Windows 2003. With earlier versions of Windows Server 2000 or 2003, an Active Directory server was just that—an Active Directory server. What we are trying to say here is that it was more-or-less an “all-or-nothing” deal when creating a domain controller in Windows 2003. Very little flexibility existed in the way a domain controller could be installed, with the exception of whether a domain controller would also be a global catalog server or flexible single master operation (FSMO) server. With the release of Windows Server 2008, we have several new ways to deploy an Active Directory domain controller. In this chapter, we will discuss the new roles available in Windows Server 2008, how to create a domain controller, and how to implement and manage server roles.
New Roles in 2008
Windows Server 2008 offers many new ways to “skin the Active Directory cat,” if you will. With the introduction of these new roles is a new way to determine how they are implemented, configured, and managed within an Active Directory domain or forest. We will be discussing each of these Active Directory roles in depth later in this chapter, but the new roles (and the official Microsoft definitions) are as follows:
■ Read-only domain controller (RODC): This new type of domain controller, as its name implies, hosts read-only partitions of the Active Directory database. An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
■ Active Directory Lightweight Directory Service (ADLDS): Formerly known as Windows Server 2003 Active Directory Application Mode (ADAM), ADLDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies required for Active Directory Domain Services (ADDS). ADLDS provides much of the same functionality as ADDS, but does not require the deployment of domains or domain controllers.
■ Active Directory Rights Management Service (ADRMS): Active Directory Rights Management Services (ADRMS), a format and application-agnostic technology, provides services to enable the creation of information-protection solutions. ADRMS includes several new features that were available in Active Directory Rights Management Services (ADRMS). Essentially, ADRMS adds the ability to secure objects. For example, an e-mail can be restricted to read-only, meaning it cannot be printed, copied (using Ctrl + C, and so on), or forwarded.
■ Active Directory Federation Services (ADFS): You can use Active Directory Federation Services (ADFS) to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. Essentially, this allows cross-forest authentication to external resources—such as another company’s Active Directory. ADFS was originally introduced in Windows Server 2003 R2, but lacked much of its now-available functionality.
So, these are the roles themselves, but as also mentioned, they can be managed in a number of new ways:
■ Server Manager: This is likely to be a familiar tool to engineers who have worked with earlier versions of Windows. It is a single-screen solution that helps manage a Windows server, but is much more advanced than the previous version.
■ Server Core: Server Core brings not only a new way to manage roles, but an entirely new way to deploy a Windows Server. With Server Core, we can say goodbye to unnecessary GUIs, applications, services, and many more commonly attacked features.
Discussing Server Core is going to take considerably longer, so let’s start with Server Manager.
Using Server Manager to Implement Roles
Although we will be discussing Server Manager (Figure 1.1) as an Active Directory Management tool, it’s actually much more than just that.
Figure 1.1 Server Manager
In fact, Server Manager is a single solution (technically, a Microsoft Management Console [MMC] snap-in) that is used as a single source for managing system identity (as well as other key system information), identifying problems with servers, displaying server status, enabled roles and features, and general options such as server updates and feedback. Table 1.1 outlines some of the additional roles and features Server Manager can be used to control:
Table 1.1 Partial List of Additional Server Manager Features
Role/Feature                              Description
Active Directory Certificate Services     Management of Public Key Infrastructure (PKI)
Dynamic Host Configuration Server         Dynamic assignment of IP addresses to clients
Domain Name Service                       Provides name/IP address resolution
File Services                             Storage management, replication, searching
Print Services                            Management of printers and print servers
Terminal Services                         Remote access to a Windows desktop or application
Internet Information Server               Web server services
Hyper-V                                   Server virtualization
BitLocker Drive Encryption                Whole-disk encryption security feature
Group Policy Management                   Management of Group Policy Objects
SMTP Server                               E-mail services
Failover Clustering                       Teaming multiple servers to provide high availability
WINS Server                               Legacy NetBIOS name resolution
Wireless LAN Service                      Enumerates and manages wireless connections
Server Manager is enabled by default when a Windows 2008 server is installed (with the exception of Server Core). However, Server Manager can be shut off via the system Registry and can be re-opened at any time by selecting Start | Administrative Tools | Server Manager, or right-clicking Computer under the Start menu, and choosing Manage (Figure 1.2).
Figure 1.2 Opening Server Manager
So, those are the basics of Server Manager. Now let’s take a look at how we use Server Manager to implement a role. Since we will be discussing the four Active Directory roles in depth later in this chapter, let’s take the IIS role and talk about using the Add Role Wizard to install Internet Information Services (IIS).
EXERCISE 1.1 USING THE ADD ROLE WIZARD
Notice in Figure 1.1 that the Server Manager window is broken into three different sections:
■ Provide Computer Information
■ Update This Server
■ Customize This Server
Under the Customize This Server section, click the Add Role icon. When the wizard opens, complete the following steps to install IIS onto the server.
1. Click the Add Roles icon.
2. At the Before You Begin window, read the information provided, and then click Next.
3. From the list of server roles (Figure 1.3), click the check box next to Web Server (IIS) and then click Next.
Figure 1.3 List of Server Roles
4. If you are prompted to add additional required features, read and understand the features, and then click Add Required Features.
5. When you return to the Select Server Roles screen, click Next.
6. Read the information listed in the Introduction to Web Server (IIS) window, and then click Next.
7. For purposes of this exercise, we will select all of the default Role Services, and then click Next.
8. Review the Installation Summary Confirmation screen (Figure 1.4), and then click Install.
Figure 1.4 The Installation Summary Confirmation Screen
9. When installation is complete, click Close.
10. Notice that on the Server Manager screen, Web Server (IIS) is now listed as an installed role.
Configuring & Implementing… Scripting vs. GUI
Sure, you can always use a wizard to implement a role, but you also have the option of using a script. Realistically speaking, it’s generally not the most efficient way to deploy a role for a single server, however. Unless you are going to copy and paste the script, the chance of error is high in typing out the commands required. For example, take the following IIS script syntax (one command line, shown here with the feature names joined correctly; each feature name is separated by a semicolon with no spaces):
start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTPPublishingService;IIS-FTPServer;IIS-FTPManagement;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
This script installs ALL of the IIS features, which may not be the preferred installation for your environment, and within the time it took to type it out, you may have already completed the GUI install!
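The point of the sidebar cuts both ways: a script is error-prone to type, but it is also the only reliable way to install exactly the feature set you have decided on and nothing more. The following batch file is an added example, not from the book or from Microsoft, that installs a deliberately minimal IIS 7 configuration with pkgmgr (static content, error pages, logging, request filtering and the management console, with no ASP/CGI/ISAPI, no FTP and no IIS 6 compatibility layer), checks that pkgmgr succeeded, and then tightens one request-filtering limit with appcmd. The feature identifiers are the standard Windows Server 2008 pkgmgr names already listed in the sidebar; the particular subset chosen, the 1 MB request-size limit and the file name are this example’s own choices.

```batch
@echo off
rem Added example (not the book's code): least-functionality IIS 7 install.
rem Only the features named here are installed; the choice of subset is ours.
setlocal

rem Static content only: no script engines, no FTP, no legacy IIS 6 tooling.
set "IIS_MIN=IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-HttpErrors;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-RequestMonitor;IIS-Security;IIS-RequestFiltering;IIS-Performance;IIS-HttpCompressionStatic;IIS-WebServerManagementTools;IIS-ManagementConsole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-ConfigurationAPI"

echo Installing minimal IIS feature set ...
start /w pkgmgr /iu:%IIS_MIN%
if errorlevel 1 (
    echo pkgmgr failed with exit code %errorlevel%; see %windir%\logs\cbs\cbs.log
    exit /b %errorlevel%
)

rem Post-install check: the W3SVC service should exist and be running.
sc query W3SVC | find "RUNNING" >nul
if errorlevel 1 (
    echo W3SVC is not running after install; investigate before publishing content.
    exit /b 2
)

rem Harden request filtering: cap request bodies at 1 MB (example value).
set "APPCMD=%windir%\system32\inetsrv\appcmd.exe"
"%APPCMD%" set config /section:requestFiltering /requestLimits.maxAllowedContentLength:1048576
if errorlevel 1 (
    echo appcmd could not update requestFiltering.
    exit /b 3
)

rem Show the resulting request-filtering section for the change record.
"%APPCMD%" list config /section:requestFiltering
echo Minimal IIS install complete.
endlocal
```

Run it from an elevated command prompt on a Windows Server 2008 full installation. Because every feature is named explicitly, the same file can be checked into change control and diffed later to confirm that nobody has quietly added a script engine or FTP to the server.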
Using Server Core and Active Directory
For years, Microsoft engineers have been told that Windows would never stand up to Linux in terms of security simply because it was too darn “heavy” (too much code), loaded too many modules (services, startup applications, and so on), and was generally too GUI heavy. With Windows Server 2008, Microsoft engineers can stand tall, thanks to the introduction of Server Core.
What Is Server Core?
What is Server Core, you ask? It’s the “just the facts, ma’am” version of Windows 2008. Microsoft defines Server Core as “a minimal server installation option for Windows Server 2008 that contains a subset of executable files, and five server roles.” Essentially, Server Core provides only the binaries needed to support the role and the base operating system. By default, fewer processes are generally running. Server Core is so drastically different from what we have come to know from Windows NT Server, Windows Server 2000, or even Windows Server 2003 over the past decade-plus, that it looks more like MS-DOS than anything else (Figure 1.5). With Server Core, you won’t find Windows Explorer, Internet Explorer, a Start menu, or even a clock! Becoming familiar with Server Core will take some time. In fact, most administrators will likely need a cheat sheet for a while. To help with it all, you can find some very useful tools on Microsoft TechNet at http://technet2.microsoft.com/windowsserver2008/en/library/e7e522ac-b32f-42e1-b914-53ccc78d18161033.mspx?mfr=true. This provides command and syntax lists that can be used with Server Core. The good news is, for those of you who want the security and features of Server Core with the ease-of-use of a GUI, you have the ability to manage a Server Core installation using remote administration tools.
Figure 1.5 The Server Core Console
Before going any further, we should discuss exactly what will run on a Server Core installation. Server Core is capable of running the following server roles:
■ Active Directory Domain Services Role
■ Active Directory Lightweight Directory Services Role
■ Dynamic Host Configuration Protocol (DHCP)
■ Domain Name System (DNS) Services Role
■ File Services Role
■ Hyper-V (Virtualization) Role
■ Print Services Role
■ Streaming Media Services Role
■ Web Services (IIS) Role
NOTE Internet Information Server is Microsoft’s brand of Web server software, utilizing Hypertext Transfer Protocol to deliver World Wide Web documents. It incorporates various functions for security, allows for CGI programs, and also provides for Gopher and FTP servers.
Although these are the roles Server Core supports, it can also support additional features, such as:
■ Backup
■ BitLocker
■ Failover Clustering
■ Multipath I/O
■ Network Time Protocol (NTP)
■ Removable Storage Management
■ Simple Network Management Protocol (SNMP)
■ Subsystem for Unix-based applications
■ Telnet Client
■ Windows Internet Naming Service (WINS)
NOTE BitLocker Drive Encryption is an integral new security feature in Windows Server 2008 that protects servers at locations, such as branch offices, as well as mobile computers for all those roaming users out there. BitLocker provides offline data and operating system protection by ensuring that data stored on the computer is not revealed if the machine is tampered with when the installed operating system is offline.
The concept behind the design of Server Core is to truly provide a minimal server installation. The belief is that rather than installing all the applications, components, services, and features by default, it is up to the implementer to determine what will be turned on or off. Installation of Windows 2008 Server Core is fairly simple. During the installation process, you have the option of performing a Standard Installation or a Server Core installation. Once you have selected the hard drive configuration, license key activation, and End User License Agreement (EULA), you simply let the automatic installation continue to take place. When installation is done and the system has rebooted, you will be prompted with the traditional Windows challenge/response screen, and the Server Core console will appear.
EXERCISE 1.2 CONFIGURING THE DIRECTORY SERVICES ROLE IN SERVER CORE
So let’s put Server Core into action and use it to install Active Directory Domain Services. To install the Active Directory Domain Services Role, perform the following steps:
1. The first thing we need to do is set the IP information for the server. To do this, we first need to identify the network adapter. In the console window, type netsh interface ipv4 show interfaces and record the number shown under the Idx column.
2. Set the IP address, Subnet Mask, and Default Gateway for the server. To do this, type netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>. <ID> represents the number from step 1, <StaticIP> represents the IP address we will assign, <SubnetMask> represents the subnet mask, and <DefaultGateway> represents the IP address of the server’s default gateway. See Figure 1.6 for our sample configuration.
Figure 1.6 Setting an IP Address in Server Core
3. Assign the IP address of the DNS server. Since this will be an Active Directory Domain Controller, we will set the DNS settings to point to the DNS server. From the console, type netsh interface ipv4 add dnsserver name="<ID>" address=<StaticIP> index=1. <ID> represents the number from step 1, and <StaticIP> represents the IP address of the DNS server (in this case, the same IP address from step 2).
So, here is where things get a little tricky. When installing the Directory Services role in a full server installation, we would simply open up a Run window (or a command line) and type in DCPromo. Then, we would follow the prompts for configuration (domain name, file location, level of forest/domain security), and then restart the system. Installing the role in Server Core isn’t so simple, yet it’s not exactly rocket science. In order to make this installation happen, we are going to need to configure an unattended installation file. An unattended installation file (see Figure 1.7) is nothing more than a text file that answers the questions that would have been answered during the DCPromo installation. So, let’s assume you have created the unattended file and placed it on a floppy disk, CD, or other medium, and then inserted it into the Server Core server. Let’s go ahead and install Directory Services:
1. Sign in to the server.
2. In the console, change drives to the removable media. In our example, we will be using drive E:, our DVD drive.
3. Once you have changed drives, type dcpromo /answer:\answer.txt. Answer.txt is the name of our unattended file (see Figure 1.7).
Figure 1.7 Installing Directory Services in Server Core
4. Follow the installation process as it configures directory services. Once the server has completed the installation process, it will reboot automatically. When the server reboots, you will have a fully functional Active Directory implementation!
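The exercise above describes the answer file but does not show one. The following batch file is an added example, not from the book, that performs the whole Exercise 1.2 procedure from the Server Core console in one go: it sets the static IP and DNS client address with netsh exactly as in steps 1 through 3, writes a [DCInstall] answer file for the first domain controller of a new forest, and runs dcpromo against it. The interface index, addresses, domain names and file locations are constructed placeholders to be replaced; the [DCInstall] key names follow the Windows Server 2008 dcpromo unattended-installation parameter reference, and the two password values are deliberate placeholders.

```batch
@echo off
rem Added example (not the book's code): Exercise 1.2 as a single script for
rem a Windows Server 2008 Server Core box. All values below are constructed.
setlocal

rem Idx value recorded from: netsh interface ipv4 show interfaces
set "IDX=2"
set "IPADDR=192.0.2.10"
set "MASK=255.255.255.0"
set "GW=192.0.2.1"
set "FQDN=corp.example.com"
set "NETBIOS=CORP"
set "ANSWER=%TEMP%\answer.txt"

rem Steps 2 and 3: static address, and DNS pointing at this server because the
rem answer file below asks dcpromo to install the DNS role here as well.
netsh interface ipv4 set address name="%IDX%" source=static address=%IPADDR% mask=%MASK% gateway=%GW%
if errorlevel 1 (
    echo Failed to set the static address on interface %IDX%.
    exit /b 1
)
netsh interface ipv4 add dnsserver name="%IDX%" address=%IPADDR% index=1
if errorlevel 1 (
    echo Failed to set the DNS server address on interface %IDX%.
    exit /b 1
)

rem Unattended answer file: first DC of a new forest at the 2008 functional
rem level (ForestLevel/DomainLevel 3). Replace the placeholder password.
> "%ANSWER%" (
    echo [DCInstall]
    echo ReplicaOrNewDomain=Domain
    echo NewDomain=Forest
    echo NewDomainDNSName=%FQDN%
    echo DomainNetbiosName=%NETBIOS%
    echo ForestLevel=3
    echo DomainLevel=3
    echo InstallDNS=Yes
    echo CreateDNSDelegation=No
    echo DatabasePath=%SystemRoot%\NTDS
    echo LogPath=%SystemRoot%\NTDS
    echo SYSVOLPath=%SystemRoot%\SYSVOL
    echo SafeModeAdminPassword=REPLACE_WITH_DSRM_PASSWORD
    echo RebootOnCompletion=No
)

dcpromo /unattend:"%ANSWER%"
set "RC=%errorlevel%"

rem The answer file holds the Directory Services Restore Mode password in
rem clear text, so remove it as soon as dcpromo has consumed it.
del /q "%ANSWER%"

if %RC% neq 0 (
    echo dcpromo returned %RC%; review %SystemRoot%\debug\dcpromo.log before retrying.
    exit /b %RC%
)
echo Promotion succeeded; rebooting to complete the Directory Services install.
shutdown /r /t 0
endlocal
```

RebootOnCompletion is set to No so that the script can delete the answer file and check the dcpromo return code before it restarts the server itself; with the exercise’s media-based approach the same file would be copied from the DVD instead of generated, but the password-in-clear-text concern is identical.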
Read-Only Domain Controllers (RODCs)
One of the biggest mistakes IT organizations make is underestimating the security risk presented by remote offices. As a consultant, I have seen many organizations (big and small) make major investments in their corporate IT security strategy, and then turn around and place a domain controller on top of a desk in a small/remote office—right next to an exit. Several times during the course of the day, employees, delivery people, solicitors, and more walk by this door—and often the server itself. Typically, little exists to stop these people from walking out the door and selling their newly found (stolen) hardware on eBay. And this is probably a best-case scenario. What would happen if the information on this server actually ended up in the wrong hands?
Introduction to RODC
Read-only domain controllers were designed to combat this very problem. Let’s take a scenario where a corporation has a remote office with ten employees. On a daily basis, these ten people are always in the office, while another five to ten “float” in and out and sometimes aren’t there for weeks at a time. Overall, the company has about 1,000 employees. In a Windows 2000 Server or Windows Server 2003 Active Directory environment (or, pity you, a Windows NT 4.0 domain), if you have placed a domain controller in this remote office, all information for every user account in the organization is copied to this server. Right now, there’s probably a light bulb going off above your head (we can see it all the way from here) as to why this is a problem just waiting to happen.
Its Purpose in Life
The purpose of the read-only domain controller (RODC) is to deal directly with this type of issue, and many issues like it. RODCs are one component in the Microsoft initiative to secure a branch office. Along with RODCs, you may also want to consider implementing BitLocker (whole-disk encryption), Server Core, as well as Role Distribution—the ability to assign local administrator rights to an RODC without granting a user full domain administrator rights.
Its Features
A number of features come with an RODC, which focus on providing heightened security without limiting functionality to the remote office users. Some of the key points here are:
■ Read-only replicas of the domain database: Clients are not allowed to write changes directly to an RODC (much like a Windows NT BDC). An RODC holds all the Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds, with the exception of account passwords.
■ Filtered Attribute Sets: The ability to prevent certain AD attributes from being replicated to RODCs.
■ Unidirectional Replication: Since clients cannot write changes to an RODC, there is no need to replicate from an RODC to a full domain controller. This prevents potentially corrupt (or hijacked) data from being disbursed, and also reduces unnecessary bandwidth usage.
■ Read-only DNS: Allows one-way replication of application directory partitions, including ForestDNSZones and DomainDNSZones.
■ Cached accounts: By caching accounts, if the RODC were ever compromised, only the accounts that have been cached need to be reset. The full DCs are aware of which accounts are cached, and a report can be generated for auditing purposes.
So these are the key features of a read-only domain controller. Now let’s step through the installation process.
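The last bullet is the one that matters most when a branch server goes missing: the writable DCs know exactly which account secrets were cached on the RODC, so those are the accounts whose passwords must be reset. The following batch file is an added example, not from the book, that produces that report from a writable domain controller using repadmin’s password replication policy commands (repadmin /prp view with the allow, deny, reveal and auth2 selectors), writing the four lists to a text file that can be filed with the incident record. The RODC name and the output path are constructed placeholders.

```batch
@echo off
rem Added example (not the book's code): audit what an RODC has cached.
rem Run on a writable Windows Server 2008 DC as a domain administrator.
rem RODC name and report path are constructed placeholders.
setlocal
set "RODC=RODC01"
set "REPORT=%USERPROFILE%\%RODC%-prp-report.txt"

> "%REPORT%" (
    echo ==== Password Replication Policy report for %RODC% ====
    echo.
    echo --- Accounts that are ALLOWED to be cached on %RODC% ---
    repadmin /prp view %RODC% allow
    echo.
    echo --- Accounts that are explicitly DENIED from caching ---
    repadmin /prp view %RODC% deny
    echo.
    echo --- Accounts whose secrets ARE currently cached ^(reset these if %RODC% is stolen^) ---
    repadmin /prp view %RODC% reveal
    echo.
    echo --- Accounts that have authenticated through %RODC% ---
    repadmin /prp view %RODC% auth2
)
if errorlevel 1 (
    echo repadmin reported an error; check that %RODC% is reachable and that you are a domain admin.
    exit /b 1
)

echo Report written to "%REPORT%":
type "%REPORT%"
endlocal
```

The "reveal" list is the one to act on after a theft; comparing the "auth2" list against it shows which branch users have been authenticating through the RODC without being allowed to cache, which usually means the allowed group needs adjusting rather than the policy being left wide open.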
Configuring RODC
Configuring an RODC isn’t all that different from adding a traditional domain controller. The most important thing to remember about an RODC is that a writable domain controller must exist somewhere in the domain. Once this prerequisite is met, we can go ahead and configure our RODC. Let’s assume that our writable DC is in place, using the domain information from the previous exercise.
Head of the Class… Adding an RODC to an Existing Forest
A read-only domain controller can be added to a preexisting forest, but this will require that schema changes be made to the forest for this to work properly. The process is fairly simple. Using the adprep tool with the /rodcprep switch (the actual syntax would be adprep /rodcprep), we can add the necessary schema changes to support our RODC.
EXERCISE 1.3 CONFIGURING A READ-ONLY DOMAIN CONTROLLER
Let’s begin configuring our RODC:
1. Click Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary, click Add roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, choose Active Directory Domain Services, and then click Next.
5. Click Next again on the Active Directory Domain Services page.
6. On the Confirm Installation Selections page (Figure 1.8), click Install.
Figure 1.8 Confirming Installation Selections
7. When installation is complete, click Close.
8. If the Server Manager window has closed, re-open it.
9. Expand Roles, and then click Active Directory Domain Services.
10. Under Summary (Figure 1.9), click the link to Run The Active Directory Domain Services Installation Wizard.
Figure 1.9 The Summary Page
11. Click Next on the Welcome To The Active Directory Domain Services Installation Wizard page.
12. On the Operating System Compatibility page, click Next.
13. On the Choose A Deployment Configuration page, click Existing Forest.
14. Ensure Add A Domain Controller To An Existing Domain is selected, and then click Next.
15. On the Network Credentials page, verify that your domain is listed, and click Set.
16. In the User Name field, type <domain>\administrator.
17. In the Password field, type your administrator password, and then click OK (see Figure 1.10).
Figure 1.10 Setting Account Credentials
18. Click Next.
19. On the Select a Domain page, click Next.
20. On the Select a Site page (if you have Sites and Services configured), you can choose to which site to add this RODC. In this case, we are using the default site; click Next. Select DNS Server and Read-Only Domain Controller on the Additional Domain Controller Options page and then click Next.
21. In the Group Or User field, type <domain>\administrator, and then click Next.
22. Verify the file locations, and click Next.
23. On the Active Directory Domain Services Restore Mode Administrator Password page, type and confirm a restore mode password, and then click Next.
24. On the Summary page, click Next.
25. The Active Directory Domain Services Installation Wizard dialog box appears. After installation, reboot the server.
EXAM TIP
It is possible to “stage” an RODC and delegate rights to complete an RODC installation to a user or group. In order to do this, you must first create an account for the RODC in Active Directory Users and Computers. Once inside of ADU&C, you must right-click the Domain Controllers OU container, and select Pre-create Read-Only Domain Controller Account. From here, you can set the alternate credential for a user who can then finish the installation. On the server itself, the user must type dcpromo /UseExistingAccount:Attach in order to complete the process.
Removing an RODC There may come a time when you need to remove an RODC from your forest or domain. Like anything in this world, there is a right way and a wrong way to go about doing this. For the exam, you’ll want to make sure you know the right way. Removing a read-only domain controller is almost as simple as adding an RODC. One important thing to remember with an RODC is that it cannot be the first—or the last—domain controller in a domain. Therefore, all RODCs must be detached before removing a final writable domain controller. Fewer steps make up the removal process. Let’s take a look at how this is done. 1. Choose Start | Run. 2. In the Run window, type dcpromo.exe. 3. At the Welcome To Active Directory Domain Services Installation Wizard screen, click Next. 4. On the Delete The Domain window, make sure the check box is not checked, and then click Next. 5. Enter your administrator password, and then click Next. 6. Click Next in the Summary window, and then click Next again. 7. When removal is complete, reboot the server. 8. When the server reboots, sign back in. 9. Select Start | Administrative Tools | Server Manager. 10. Scroll down to Role Summary. 11. Expand Roles, and then click Remove Roles.
12. On the Before You Begin page, click Next.
13. Remove the checkmark from Active Directory Domain Services and DNS Server and click Next.
14. Review the confirmation details, and then click Remove.
15. Review the results page, and click Close.
16. Restart the server if necessary.
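The rule stated above (an RODC can never be the last domain controller, so every RODC must be detached before the final writable DC is demoted) can be checked before you launch dcpromo. The following PowerShell is an added example, not code from the book or from Microsoft. It assumes a domain-joined machine with PowerShell 2.0 or later and read access to the domain, and it relies on the well-known primary-group RIDs that domain controller computer accounts carry: 516 for Domain Controllers (writable) and 521 for Read-only Domain Controllers. The candidate name RODC01 and the search root are placeholders.

```powershell
# Added example (not from the book): inventory the domain's writable and read-only
# domain controllers before demoting one, using System.DirectoryServices from the
# .NET Framework on Windows Server 2008 (PowerShell 2.0 or later assumed).
# Domain controller computer accounts carry a well-known primary group RID:
#   516 = Domain Controllers (writable), 521 = Read-only Domain Controllers.
function Get-DomainControllerInventory {
    param([string]$SearchRoot = "")   # e.g. "LDAP://DC=uccentral,DC=ads"; empty = current domain

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot -ne "") {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    }
    $searcher.Filter = "(&(objectCategory=computer)(|(primaryGroupID=516)(primaryGroupID=521)))"
    foreach ($p in @("name", "dNSHostName", "primaryGroupID")) { [void]$searcher.PropertiesToLoad.Add($p) }

    $inventory = @()
    foreach ($result in $searcher.FindAll()) {
        $rid = [int]$result.Properties["primarygroupid"][0]
        $inventory += New-Object PSObject -Property @{
            Name     = [string]$result.Properties["name"][0]
            DnsName  = [string]$result.Properties["dnshostname"][0]
            ReadOnly = ($rid -eq 521)
        }
    }
    return ,$inventory   # the comma keeps a single-element result as an array
}

# Apply the rule from the text: an RODC can never be the last DC, so demoting a
# writable DC while RODCs remain must be blocked; demoting the last DC of any
# kind means the domain itself goes away.
function Test-SafeToDemote {
    param([string]$Candidate, [array]$Inventory)

    $remaining = @($Inventory | Where-Object { $_.Name -ne $Candidate })
    $writable  = @($remaining | Where-Object { -not $_.ReadOnly })
    $readOnly  = @($remaining | Where-Object { $_.ReadOnly })
    $names     = ($readOnly | ForEach-Object { $_.Name }) -join ", "

    if ($writable.Count -eq 0 -and $readOnly.Count -gt 0) {
        return "BLOCK: demoting $Candidate would leave only read-only DCs ($names); detach them first."
    }
    if ($writable.Count -eq 0) {
        return "WARNING: $Candidate is the last domain controller; demoting it removes the domain."
    }
    return "OK: $($writable.Count) writable DC(s) remain after demoting $Candidate."
}

# Usage (names are placeholders):
# $dcs = Get-DomainControllerInventory
# $dcs | Format-Table Name, DnsName, ReadOnly -AutoSize
# Test-SafeToDemote -Candidate "RODC01" -Inventory $dcs
```

Run the inventory from a writable DC or any domain member with directory read access; the BLOCK result corresponds to the case the text warns about, where dcpromo on the last writable DC would strand the remaining RODCs.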
Active Directory Lightweight Directory Service (LDS)
As mentioned earlier, Active Directory Lightweight Directory Service is a slimmed-down version of AD. The concept of LDS is not new. In fact, it has been around for several years. However, to date it is probably not as widely known or recognized as the full ADS installation. Now that AD LDS is a part of the Windows Server 2008 media, you can expect to see many more deployments of the product.
When to Use AD LDS
So, when should you use AD LDS? Well, there are many situations when this is a more viable option. Typically, LDS is used when directory-aware applications need directory services, but there is no need for the overhead of a complete forest or domain structure. Demilitarized Zones (DMZs) are a great example of this. If you are not familiar with DMZs, Wikipedia defines a DMZ as a physical or logical subnetwork that contains an organization’s external services to a larger untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN). You may be hosting an application or Web site in a DMZ where you want to have the added security of challenge/response using a directory services model. Since this is in a DMZ, you probably have no need for organizational units, Group Policy, and so on. By using LDS, you can eliminate these unnecessary functions and focus on what really is important: authentication and access control. The other popular option for using LDS is in a situation where you want to provide authentication services in a DMZ or extranet for internal corporate users. In this scenario, account credentials can be synchronized between the full internal domain controller and the LDS instances within the DMZ. This option provides a single sign-on solution, as opposed to the end user being required to remember multiple usernames and passwords.
Changes from Active Directory Application Mode (ADAM)
As mentioned earlier, the LDS concept has been around since Windows Server 2003 R2, but many improvements and new features have been introduced since the previous release. Some of the key changes between ADAM and LDS are listed next:
■ Auditing: Directory Service changes can now be audited when changes are made to objects and their attributes. In this situation, both old and new values are logged.
■ Server Core Support: AD LDS is now a supported role for installation in a Server Core implementation of Windows Server 2008. This makes it ideal for DMZ-type situations.
■ Support for Active Directory Sites and Services: This makes it possible to manage LDS instance replication using the more-familiar ADS&S tool.
■ Database Mounting Tool: Provides a means to compare data as it exists in database backups that are taken at different times, to help in deciding which backup instance to restore.
These are the “key” improvements from ADAM in Windows Server 2003 R2 to AD LDS in Windows Server 2008, but the fact that the product has had more time to be “baked in” will greatly improve the functionality and usage of this technology.
Configuring AD LDS
By now, you’re probably beginning to see a trend in how things are accomplished in Windows Server 2008. Everything is done with the use of server roles. Active Directory Lightweight Directory Services are no different. In our example, we are going to walk through the process of installing a clean LDS implementation.
EXERCISE 1.4 CONFIGURING LDS
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary, and then click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, select the Active Directory Lightweight Directory Services option, and then click Next.
5. The installation steps for the role are very straightforward: follow the prompts, and then click Install. After the role installation is complete, move on to creating an LDS instance.
6. Select Start | Administrative Tools | Active Directory Lightweight Directory Services Setup Wizard.
7. On the Welcome page, click Next.
8. On the next page, select A Unique Instance, and then click Next.
9. On the Instance Name page (Figure 1.11), provide a name for the AD LDS instance and click Next.
Figure 1.11 The Instance Name Page
10. On the Ports page, we can specify the ports the AD LDS instance uses to communicate. Accept the default values of 389 and 636, and then click Next.
11. On the Application Directory Partition (Figure 1.12) page, we will create an application directory partition by clicking Yes.
Figure 1.12 The Application Directory Partition Page
12. On this page, we will also need to specify the distinguished name of our partition. Follow the format in Figure 1.12, and then click Next.
13. On the File Locations page, review the file locations and click Next to accept the default locations.
14. On the Service Account Selection page, select an account to be used as the service account. By default, the Network Service account is used. Click Next to accept the default option.
15. On the AD LDS Administrators page (Figure 1.13), select a user (or group) that will be used as the default administrator for this instance. Click the default value (Currently Logged On User) and then click Next.
Figure 1.13 The AD LDS Administrators Page
16. Select the LDIF files to import into our LDS implementation. We will use the MS-ADLDS-DisplaySpecifiers file later in this section, so check that option, and then click Next.
17. Review the Ready To Install page and click Next to begin the installation process. When setup is complete, click Finish.
Working with AD LDS
Several tools can be used to manage an LDS instance. In this book, we will work with two of these tools. The first is the ADSI Edit tool. ADSI stands for Active Directory Service Interfaces, and is used to access the features of directory services from different network providers. ADSI can also be used to automate tasks such as adding users and groups and setting permissions on network resources. While making changes to LDS (or Active Directory) is outside the scope of this book, we will show you how to use ADSI Edit to connect to an LDS instance.
1. Choose Start | Administrative Tools | ADSI Edit.
2. In the console tree, click ADSI Edit.
3. On the Action menu, click Connect to.
4. In the Name field, type a recognizable name for this connection. This name will appear in the console tree of ADSI Edit.
5. In Select Or Type A Domain Or Server, enter the fully qualified domain name (or IP address) of the computer running the AD LDS instance, followed by a colon and 389—representing the port of the LDS instance.
6. Under Connection point, click Select and choose your distinguished name, then click OK.
7. In the console tree of the ADSI Edit snap-in, double-click the name you created in step 4, and then double-click the distinguished name of your LDS instance.
8. Navigate around the containers to view the partition configuration.
The second tool we will discuss is the Active Directory Sites and Services snap-in. As mentioned earlier in this section, you can use the ADS&S snap-in to manage replication of directory information between sites in an LDS implementation. This is useful when LDS is implemented in a geographically dispersed environment. For example, a server farm that is collocated in a company datacenter and a disaster recovery location may require replication, and the easiest way to configure this is via this snap-in. However, it’s important to note that we must import the MS-ADLDS-DisplaySpecifiers.ldf file during the instance configuration (earlier in this section) in order to use ADS&S. Let’s review how to use ADS&S to connect to an LDS instance.
1. Choose Start | Administrative Tools | Active Directory Sites & Services.
2. Right-click Active Directory Sites and Services, and then click Change Domain Controller.
3. In the Change Directory Server window, type the FQDN or IP address of the server running the LDS instance, followed by :389.
4. Navigate the containers to view information about the LDS instance.
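The ADSI Edit connection above can be reproduced from PowerShell, which is useful for checking an instance on a Server Core host or in a DMZ where the MMC is not available. The following is an added example, not code from the book or from the product: it binds to the instance on one of the ports chosen in Exercise 1.4 and reads RootDSE to confirm that the application directory partition is published. It assumes PowerShell 2.0 and the .NET 3.5 System.DirectoryServices.Protocols assembly that ships with Windows Server 2008; the server name lds01.uccentral.ads and the partition DN CN=PrepGuide,DC=uccentral,DC=ads in the usage comment are placeholders built from the book's example domain.

```powershell
# Added example (not from the book or the product): connect to an AD LDS instance
# and read its RootDSE, which is what the ADSI Edit connection above does by hand.
# Requires PowerShell 2.0 and the .NET 3.5 System.DirectoryServices.Protocols
# assembly that ships with Windows Server 2008.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-AdLdsInstance {
    param(
        [string]$Server,          # FQDN or IP address of the host running the instance
        [int]$Port = 636,         # the SSL port accepted on the Ports page of the wizard
        [switch]$PlainText        # pass with -Port 389 to skip SSL; only on a trusted network
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    if (-not $PlainText) {
        # Encrypt the session. Bind() throws if the instance's certificate does not
        # chain to a root this machine trusts, which is the failure you want to see
        # rather than a silent fallback to cleartext.
        $conn.SessionOptions.SecureSocketLayer = $true
    }
    # Negotiate (Kerberos/NTLM) binds as the logged-on user, like ADSI Edit does.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()
    return $conn
}

function Get-AdLdsRootDse {
    param([System.DirectoryServices.Protocols.LdapConnection]$Connection)
    # RootDSE (empty DN, base scope) lists the partitions the instance hosts.
    $attrs   = [string[]]@("namingContexts", "supportedLDAPVersion", "supportedCapabilities")
    $scope   = [System.DirectoryServices.Protocols.SearchScope]::Base
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList "", "(objectClass=*)", $scope, $attrs
    $entry   = $Connection.SendRequest($request).Entries[0]
    $rootDse = @{}
    foreach ($name in $attrs) {
        $attr = $entry.Attributes[$name]
        if ($attr -ne $null) { $rootDse[$name] = @($attr.GetValues([string])) }
    }
    return $rootDse
}

function Test-AdLdsPartition {
    # True when the application directory partition created in steps 11 and 12 is
    # published by the instance; the DN passed in is whatever you typed there.
    param([System.DirectoryServices.Protocols.LdapConnection]$Connection, [string]$PartitionDn)
    $rootDse = Get-AdLdsRootDse -Connection $Connection
    return ($rootDse["namingContexts"] -contains $PartitionDn)
}

# Usage (server name and DN are placeholders):
# $conn = Connect-AdLdsInstance -Server "lds01.uccentral.ads"
# (Get-AdLdsRootDse -Connection $conn)["namingContexts"]
# Test-AdLdsPartition -Connection $conn -PartitionDn "CN=PrepGuide,DC=uccentral,DC=ads"
```

For an instance reachable from a DMZ, connect on 636. A Negotiate bind on 389 does not send the password in clear, but the directory data itself travels unencrypted unless signing and sealing are negotiated. If Bind() fails on 636, the instance's server certificate is not trusted by the client; fix the trust rather than reaching for -PlainText.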
Active Directory Rights Management Service (RMS)
If you were to poll 100 corporations, you would probably find out that 99 out of 100 companies have had a confidential e-mail or document leave their environment and fall into the hands of someone for whom it was not intended. Microsoft recognized this issue several years back and began working on a product named Rights Management Server (RMS). RMS is a great product and is in use at many companies, but its price often put it out of reach for many others. With Windows Server 2008, Microsoft has rebranded the product and incorporated it in the operating system itself. As industry and governmental restrictions continue to increase, as well as the penalties for mishandling information, providing a technology such as RMS (or AD RMS in 2008) essentially became a demand on the part of customers. Although Microsoft is including the server portion in Windows Server 2008, don’t be fooled—there is still a Client Access License (CAL) for Rights Management. The three main functions of AD RMS are:
■ Creating rights-protected files and templates: Trusted users can create and manage protection-enhanced files using common authoring tools (including Office products such as Word, Excel, and Outlook), as well as templates from AD RMS-enabled applications.
■ Licensing rights-protected information: Certainly the key component of RMS. It issues a special certificate, known as a rights account certificate, used to identify trusted objects, such as users and groups, which have the authority to generate rights-protected content.
■ Acquiring licenses to decrypt rights-protected content and applying usage policies: As the name implies, RMS works with Active Directory to determine whether users have the required rights account certificate in order to access rights-protected content.
As stated earlier, RMS has been around for some time, but there have been a number of advancements since the product was released. Let’s take a look at some of these features.
What’s New in RMS
We mentioned early on that probably the most substantial change from earlier versions of RMS is that it is no longer a separate product from Windows Server. Besides significantly reducing the barrier to entry for such a technology, this has also improved the installation and management of the product. At this stage, you should be familiar with how we install roles. In fact, the RMS installation also takes care of the prerequisites—such as IIS and Message Queuing—during the installation process. Isn’t it exciting to know that installing the RMS role is just as simple? We will get to the installation and configuration of RMS later in this section. First though, let’s look at three other areas where improvements have been made over the older product:
■ Self-Enrollment: In previous versions of RMS, an RMS server was forced to connect (via the Internet) to the Microsoft Enrollment Service in order to receive a server licensor certificate (SLC), which gives RMS the right to issue licenses (and its own certificates). In Windows Server 2008, Microsoft has eliminated this need by bundling a self-enrollment certificate into Windows Server 2008, which signs the SLC itself.
■ Delegation of Roles: AD RMS now gives you the flexibility to delegate certain RMS roles to other users/administrators. There are four RMS roles: AD RMS Service Group, AD RMS Enterprise Administrators, AD RMS Template Administrators, and AD RMS Auditors. The RMS Service Group essentially holds the service account used by RMS. Enterprise Administrators has full control of all settings and policies—much like an Active Directory Enterprise Administrator. As the name implies, a Template Administrator has rights to create, modify, read, and export templates. Auditors have rights only to view RMS information, as well as logs and report generation.
■ Integration with Federation Services: We will be covering AD FS in the next section, but this allows rights-protected documents to be shared with external entities.
RMS vs. DRMS in Vista
Digital Rights Management (DRM) is a tricky topic, particularly when couched in the common terms of the movie makers versus the general public. Since that discussion is intensely personal and very controversial, I want to steer clear of making any statements that endorse or condemn DRM—it is your decision whether or not to use it. The key differentiator between RMS and DRM is that DRM is generally used by content manufacturers (music companies, movie companies, and so on), whereas RMS is intended more for corporations that want to protect company-sensitive data.
With DRM, content producers intend to make sure their wishes are met when producing and distributing content—and it’s hard to argue with that goal. If you write the next Great American Novel, or you’ve painted “What the Mona Lisa Did Next,” you’re justified in releasing it only for what you consider to be appropriate recompense, or withholding it from the public until you are satisfied with your remuneration. The objection to DRM (except from those who insist that all information, all art, and all content “wants to be free”) comes from putative content consumers who are concerned that their own ability to consume the content is unnecessarily restricted—they may want to view the movie they purchased on a different screen, or add subtitles to it so that they can watch it with a deaf relative. Too much DRM protection on content means that the content is no longer acceptably usable by your targeted consumers—if your goal is to sell content to those consumers, clearly this is a losing proposition. You don’t make money by killing piracy, unless you make money by selling more products as a result. For publicly available content, however, some protection may remind otherwise-honest consumers that the content they are viewing is not completely licensed to them, distribution rights have not been granted, and the content is only intended to be accessed through the method or media purchased. Disappointing for the consumer who bought a DVD, intending to watch it on a remote device, but not totally surprising. (If there is a market for watching movies on remote devices, maybe a smart company will come along and exploit it by licensing content for distribution in that way.)
Configuring RMS
Another day, another role. As you can imagine, we’re going to be using Server Manager to deploy Rights Management Server. In order to make this work, a number of things will be in play. During the installation process, we will need to configure a certificate (via IIS), and install and complete the configuration of the RMS server role. Let’s begin by configuring the certificate.
NOTE Exercise 1.5 will require the use of a certificate authority. You may want to wait on this exercise until you review Chapter 6, which covers CAs. We can understand how you may be too excited to wait, but rather than making you go through the CA process twice, bookmark this section and come back to it once you have completed that chapter.
EXERCISE 1.5 CONFIGURING RIGHTS MANAGEMENT SERVER
1. Select Start | Administrative Tools | Internet Information Services (IIS) Manager. We installed the IIS role earlier in this chapter.
2. Double-click the server name.
3. In the details pane, double-click Server Certificates.
4. Click Create Domain Certificate.
5. In the Common name field, type the FQDN name of your server (Figure 1.14).
Figure 1.14 Creating a Domain Certificate
6. In the Organization field, enter a company name.
7. In the Organization Unit field, enter a division.
8. In the City/locality field, enter your city.
9. In the State/province field, enter your state, and then click Next.
10. Review the Online Certification Authority page, and click Select.
11. Select your Certificate Authority (Figure 1.15), and then click OK.
Figure 1.15 Selecting a Certificate Authority
12. In the Friendly name field, enter the NetBIOS name of this server (Figure 1.16), and click Finish.
Figure 1.16 Entering a Friendly Name
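The role wizard that follows asks you to pick an existing certificate for SSL, and the cluster address it validates must match that certificate's common name. Before running it, confirm that the domain certificate just created is the one you expect. The following PowerShell is an added example, not code from the book; it uses the Cert: drive built into PowerShell, and the FQDN rms01.uccentral.ads in the usage comment is a placeholder built from the book's example domain.

```powershell
# Added example (not from the book): check that the domain certificate created in
# Exercise 1.5 is usable for the AD RMS cluster address before running the role
# wizard. Uses the Cert: provider built into PowerShell on Windows Server 2008.
function Get-ServerAuthCertificate {
    param([string]$Fqdn)   # the common name typed in step 5, e.g. the server FQDN

    $serverAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
    $pattern = "CN=" + [regex]::Escape($Fqdn) + '(,|$)'
    $now = Get-Date

    foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My)) {
        if ($cert.Subject -notmatch $pattern) { continue }

        # Collect the Enhanced Key Usage OIDs, if the certificate carries that extension.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
            }
        }
        # No EKU extension means "any purpose"; otherwise serverAuth must be listed.
        $serverAuth = ($ekus.Count -eq 0 -or $ekus -contains $serverAuthOid)

        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            ServerAuth    = $serverAuth
            # The wizard needs the private key; clients need a CA-issued, unexpired,
            # server-authentication certificate. All three must hold.
            Usable        = ($cert.HasPrivateKey -and $cert.NotAfter -gt $now -and $serverAuth)
        }
    }
}

# Usage (FQDN is a placeholder):
# Get-ServerAuthCertificate -Fqdn "rms01.uccentral.ads" | Format-List
```

If more than one certificate matches, note the thumbprint of the one with Usable set to True; that is the entry to select on the Choose A Server Authentication Certificate For SSL Encryption page. A SelfSigned result here means the Create Domain Certificate step did not enroll against your CA, and RMS clients will reject the cluster URL until that is fixed.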
Now, let’s install the role.
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary, click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, click Active Directory Rights Management Services.
5. In the Add Roles Wizard, click Add Required Role Services, and then click Next.
6. Click Next on the Active Directory Rights Management Services page.
7. Click Next on the Select Role Services page.
8. Click Next on the Create Or Join An AD RMS Cluster page.
9. Click Next on the Set Up Configuration Database page.
10. On the Specify Service Account page, click Specify to choose an account, and then click Next. This cannot be the same account you are using to install RMS.
11. Click Next on the Set Up Key Management page.
12. On the Specify Password for AD RMS Encryption page (Figure 1.17), enter a password and then click Next.
Figure 1.17 The AD RMS Encryption Page
13. Click Next on the Select Web Site page.
14. Review the information on the Specify Cluster Address page (Figure 1.18), click Validate, and then click Next.
Figure 1.18 Specifying a Cluster Address
15. Verify that Choose An Existing Certificate For Secure Socket Layer (SSL) Encryption is selected on the Choose A Server Authentication Certificate For SSL Encryption page (Figure 1.19), choose your server name, and then click Next. SSL provides secure communications on the Internet for such things as Web browsing, e-mail, Internet faxing, instant messaging, and other data transfers.
Figure 1.19 Setting SSL Encryption
16. Click Next on the Specify a Friendly Name for the Licensor Certificate page.
17. Click Next on the Set up Revocation page.
18. Click Next on the Register This AD RMS Server In Active Directory page.
19. Click Next on the Web Server page.
20. Click Next on the Select Role Services page.
21. Review the confirmation page, and then click Install.
22. When the installation is complete, click Close.
Next, we need to set up the RMS cluster settings. In this case, a cluster is a single server—or set of servers—that shares AD RMS publishing and licensing requests. Let’s walk through configuring the cluster settings.
1. Choose Start | Administrative Tools | Active Directory Rights Management Services.
2. Select your server.
3. Right-click the server and choose Properties.
4. Move to the SCP tab and select Change SCP. Click OK. The SCP is the service connection point that identifies the connection URL for the service to the clients.
5. Click Yes in the Active Directory Rights Management Services dialog.
6. Right-click the server name, and then click Refresh.
7. Close the window.
At this stage, the server setup is complete. If you wanted to test the RMS functionality, you could create a document in Word or Excel 2007 and set the permissions by clicking the Office ribbon and preparing access restrictions.
Active Directory Federation Services (ADFS)
Federation Services were originally introduced in Windows Server 2003 R2. AD FS provides an identity access solution: it gives users inside (and outside) an organization authenticated access to applications that are publicly accessible via the Internet. Federation Services provides an identity management solution that interoperates with WS-* Web Services Architecture–enabled security products. WS-Federation Passive Requestor Profile (WS-F PRP) also makes it possible for federation to work with solutions that do not use the Microsoft standard of identity management. The WS-Federation specification defines an integrated model for federating identity, authentication, and authorization across different trust realms and protocols. This specification defines how the WS-Federation model is applied to passive requestors such as Web browsers that support the HTTP protocol. WS-Federation Passive Requestor Profile was created in conjunction with some pretty large companies, including IBM, BEA Systems, Microsoft, VeriSign, and RSA Security.
What Is Federation?
As we described earlier in this chapter, federation is a technology solution that makes it possible for two entities to collaborate in a variety of ways. When servers are deployed in multiple organizations for federation, it is possible for corporations to share resources and account management in a trusted manner. Earlier in this chapter, we discussed Active Directory Rights Management Server; this is just one way companies can take advantage of FS. With ADFS, partners can include external third parties, other departments, or subsidiaries in the same organization.
Why and When to Use Federation
Federation can be used in multiple ways. One product that has been using federation for quite some time is Microsoft Communication Server (previously, Live Communication Server 2005, now rebranded as Office Communication Server 2007). Federation is slightly different in this model, where two companies can federate their environments for the purposes of sharing presence information. This makes it possible for two companies to securely communicate via IM, Live Meeting, Voice, and Video. It also makes it possible to add “presence awareness” to many applications, including the Office suite, as well as Office SharePoint Server. If you want to know more about OCS and how federation works for presence, we recommend How to Cheat at Administering Office Communication Server 2007, also by Elsevier.
A little closer to home, Federation Services can also be used in a variety of ways. Let’s take an extranet solution where a company in the financial service business shares information with its partners. The company hosts a Windows SharePoint Services (WSS) site in their DMZ for the purposes of sharing revenue information with investment companies that sell their products. Prior to Active Directory Federation Services, these partners would be required to use a customer ID and password in order to access this data. For years, technology companies have been touting the ability to provide and use single sign-on (SSO) solutions. These worked great inside an organization, where you may have several different systems (Active Directory, IBM Tivoli, and Solaris), but tend to fail once you get outside the enterprise walls. With AD FS, this company can federate their DMZ domain (or, their internal AD) with their partner Active Directory infrastructures. Now, rather than creating a username and password for employees at these partners, they can simply add the users (or groups) to the appropriate security groups in their own Active Directory (see Figure 1.20).
It is also important to note that AD FS requires either Windows Server 2008 Enterprise edition or Datacenter edition.
Figure 1.20 The Active Directory Federation Services Structure
Configuring ADFS
In this exercise, we are going to create the account side of the ADFS structure. The resource is the other half of the ADFS configuration, which is the provider of the service that will be provided to an account domain. To put it in real-world terms, the resource would provide the extranet application to the partner company (the account domain).
EXERCISE 1.6 CONFIGURING FEDERATION SERVICES
1. Click Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary, and then click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, select Active Directory Federation Services (see Figure 1.21) from the list and click Next.
Figure 1.21 Selecting the Role
5. Click Next on the Active Directory Federation Services page.
6. In the Select Role Services window, select Federation Service, and then click Next. If prompted, add the additional prerequisite applications.
7. Click Create A Self-Signed Certificate For SSL Encryption (Figure 1.22), and then click Next.
Figure 1.22 Creating a Self-Signed Token-Signing Certificate
8. Click Create A Self-Signed Token-Signing Certificate, and then click Next.
9. Click Next on the Select Trust Policy page.
10. If prompted, click Next on the Web Server (IIS) page.
11. If prompted, click Next on the Select Role Services page.
12. On the Confirm Installation Selections page, click Install.
13. When the installation is complete, click Close.
The next step in configuring AD FS is to configure IIS to require SSL certificates on the Federation server:
1. Choose Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. Double-click the server name.
3. Drill down the left pane to the Default Web Site and double-click it.
4. Double-click SSL Settings and select Require SSL.
5. Go to Client Certificates and click Accept. Then, click Apply (Figure 1.23).
Figure 1.23 Requiring Client Certificates
6. Click Application Pools.
7. Right-click AD FS AppPool, and click Set Application Pool Defaults.
8. In the Identity pane (Figure 1.24), click LocalSystem, and then click OK.
Figure 1.24 Setting Application Pool Defaults
9. Click OK again.
10. Before we close IIS, we need to create a self-signed certificate. Double-click the server name again.
11. Double-click Server Certificates.
12. Click Create Self-Signed Certificate.
13. In the Specify Friendly Name field, enter the NetBIOS name of the server and click OK.
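The self-signed certificate created in step 12 is trusted only by this server. A partner's browser or federation server will reject it until its public part has been imported into that partner's Trusted Root Certification Authorities store, or until it is replaced with a CA-issued certificate as in Exercise 1.5. The following PowerShell is an added example, not code from the book: it performs the HTTPS handshake a partner would perform and reports whether the presented certificate chains to a trusted root and matches the host name. The host name fs.uccentral.ads in the usage comment is a placeholder built from the book's example domain, and the port defaults to 443.

```powershell
# Added example (not from the book): perform the HTTPS handshake a partner would
# perform against this federation server and report what its certificate looks
# like from the outside. Host name and port are assumptions.
function Test-FederationServerTls {
    param([string]$HostName, [int]$Port = 443)

    # Accept any certificate during the handshake so we can inspect it; the chain
    # is evaluated explicitly below instead of being hidden inside an exception.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $stream = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $stream.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($stream.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainTrusted = $chain.Build($cert)   # false for a self-signed cert nobody has imported
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        New-Object PSObject -Property @{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            NameMatches  = ($dnsName -eq $HostName)   # -eq is case-insensitive in PowerShell
            ChainTrusted = $chainTrusted
            ChainStatus  = $status                    # e.g. "UntrustedRoot" for a self-signed cert
            Protocol     = $stream.SslProtocol
        }
    } finally {
        $stream.Close()
        $client.Close()
    }
}

# Usage (host name is a placeholder):
# Test-FederationServerTls -HostName "fs.uccentral.ads" | Format-List
```

Run it from a machine in the partner's environment, not from the federation server itself: the local machine trusts its own self-signed certificate, so only a remote check shows what the partner actually sees. SelfSigned True with ChainTrusted False and UntrustedRoot in ChainStatus is the expected result for the step 12 certificate before its public part is distributed; NameMatches False means the certificate was issued for a name other than the URL entered in the trust policy, which browsers will also reject.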
Next, we need to configure a resource for use with AD FS. In this case, we are going to use the same domain controller to double as a Web server. What we will be doing is installing the AD FS Web Agent, essentially adding an additional role to the server, as part of the AD FS architecture. This will allow us to use our federated services within a Web application.
1. Choose Start | Administrative Tools | Server Manager. Scroll down to Role Summary, and then click Add Roles.
2. When the Before You Begin page opens, click Active Directory Federation Services.
3. Scroll down to Role Services and click Add Role Services.
4. In the Select Role Services window, select Claims-aware Agent (Figure 1.25), and then click Next.
Figure 1.25 Setting Services
5. Confirm the installation selections (Figure 1.26), and then click Install.
Figure 1.26 Confirming the Installation
6. When installation is complete, click Close.
Now we need to configure the trust policy, which is responsible for federation with the resource domain.
1. Choose Start | Administrative Tools | Active Directory Federation Services.
2. Expand Federation Service by clicking the + symbol (see Figure 1.27).
Figure 1.27 AD FS MMC
3. Right-click Trust Policy, and then choose Properties.
4. Verify that the information in Figure 1.28 matches your configuration (with the exception of the FQDN server name), and then click OK.
Figure 1.28 Trust Policies
5. When you return to the AD FS MMC, expand Trust Policy and open My Organization.
6. Right-click Organization Claims, and then click New | Organization Claim.
7. This is where you enter the information about the resource domain. A claim is a statement made by both partners and is used for authentication within applications. We will be using a Group Claim, which indicates membership in a group or role. Groups would generally follow business groups, such as accounting and IT.
8. Enter a claim name (we will use PrepGuide Claim). Verify that Group Claim is checked as well before clicking OK.
9. Create a new account store. Account stores are used by AD FS to log on users and extract claims for those users. AD FS supports two types of account stores: Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). This makes it possible to provide AD FS for full Active Directory domains and AD LDS domains.
10. Right-click Account Store and choose New | Account Store.
11. When the Welcome window opens, click Next.
12. Since we have a full AD DS in place, select Active Directory Domain Services (AD DS) from the Account Store Type window (Figure 1.29), and then click Next.
Figure 1.29 The Account Store Type Window
13. Click Next on the Enable This Account Store window.
14. Click Finish on the completion page.
Now, we need to add Active Directory groups into the Account Store.
1. Expand Account Stores.
2. Right-click Active Directory, and then click New | Group Claim Extraction.
3. In the Create A New Group Claim Extraction window (Figure 1.30), click Add and click Advanced.
Figure 1.30 The Create A New Group Claim Extraction Window
4. Click Object Types, remove the checkmarks from everything except Groups, and then click OK.
5. Click Find Now.
6. Select Domain Admins from the list of groups by double-clicking.
7. Click OK.
8. The Map To This Organization Claim field should show the claim we created earlier. Click OK to close the window.
Finally, we will create the partner information for our resource partner, which is prepguides.ads.
1. Expand Partner Organizations.
2. Right-click Resource Partners, and then select New | Resource Partner.
3. Click Next on the Welcome window.
4. We will not be importing a policy file, so click Next.
5. In the Resource Partner Details window (Figure 1.31), enter a friendly name for the partner, and the URI and URL information of the partner. Note it is identical to what we entered earlier in Figure 1.28. When the information is complete, click Next.
Figure 1.31 Resource Partner Details
6. Click Next on the Federation Scenario page. This is the default selection, which is used for two partners from different organizations when there’s no forest trust.
7. On the Resource Partner Identity Claims page, check UPN Claim and click Next. A UPN Claim is based on the domain name of your Active Directory structure. In our case, the UPN is uccentral.ads.
8. Set the UPN suffix. Verify that Replace All UPN Suffixes With The Following: is selected and then enter your server’s domain name. This is how all suffixes will be sent to the resource partner. Click Next.
9. Click Next to enable the partner.
10. Click Finish to close the wizard.
We’re almost at the end of our account partner configuration. The last thing we need to do is create an outgoing claim mapping. This is part of a claim set. On the resource side, we would create an identical incoming claim mapping.
1. Expand Resource Partners.
2. Right-click your resource partner, and then choose New | Outgoing Group Claim Mapping.
3. Select the claim we created earlier, enter PrepGuide Mapping, and then click OK.
As you can imagine, this process would be duplicated on the resource domain, with the exception that the outgoing claim mapping would be replaced with an incoming mapping.
Summary of Exam Objectives
As you can see, Windows Server 2008 includes a number of amazing advancements, in particular those concerning Active Directory services. Each of these roles provides new layers of features, functions, and security options that were either not available in previous versions of the product or were not quite “baked in” enough, often being included in Version 1.0 of the solution. When you factor in the additional security of the Server Core installation, Active Directory has come a long way from its original release in Windows 2000. As you will find throughout the rest of this book, you can apply Active Directory roles, and Server Core, in many ways.
Exam Objectives Fast Track
New Roles in 2008
˛ With the release of Windows Server 2008, an Active Directory domain controller can be deployed in several new ways.
˛ Server Manager is a single solution that is used as a single source for managing identity and system information.
˛ Server Manager is enabled by default when a Windows 2008 server is installed.
˛ Server Core is a minimal server installation option for Windows Server 2008 that contains a subset of executable files, as well as five server roles.
Read-Only Domain Controllers
˛ RODC holds all of the Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds, with the exception of account passwords.
˛ Unidirectional replication prevents RODCs from replicating information to a writable domain controller.
˛ The installation of read-only domain controllers can be delegated to other users.
Active Directory Lightweight Directory Service
˛ Active Directory Lightweight Directory Service is a slimmed-down version of AD.
˛ LDS is used when directory-aware applications need directory services, but there is no need for the overhead of a complete forest or domain structure.
˛ LDS has many new features over ADAM, including Auditing, Server Core Support, Support for Active Directory Sites and Services, and a Database Mounting Tool.
Active Directory Rights Management Services
˛ RMS does require a Client Access License.
˛ The three main functions of AD RMS are creating rights-protected files and templates, licensing rights-protected information, and acquiring licenses to decrypt rights-protected content and apply usage policies.
˛ The three new features of AD RMS are delegation of roles, integration with Federation Services, and self-enrollment.
Active Directory Federation Services
˛ Federation Services were first available in Windows Server 2003 R2.
˛ Federation Services provides an identity management solution that interoperates with WS-* Web Services Architecture-enabled security products.
˛ WS-Federation Passive Requestor Profile (WS-F PRP) also makes it possible for federation to work with solutions that do not use the Microsoft standard of identity management.
˛ The WS-Federation specification defines an integrated model for federating identity, authentication, and authorization across different trust realms and protocols.
˛ WS-Federation Passive Requestor Profile was created jointly by IBM, BEA Systems, Microsoft, VeriSign, and RSA Security.
Exam Objectives Frequently Asked Questions
Q: Can an RODC replicate to another RODC?
A: No. RODCs can only replicate with full domain controllers. This is a feature of the RODC, which is meant to be—as the name implies—a read-only server. Since neither RODC would have write capabilities in this example, it would be pointless to have them replicate to one another.
Q: Can I federate with a Windows Server 2003 R2 forest?
A: Yes, you can, but keep in mind that they will not have all of the same functionality. Federation was introduced in Windows Server 2003 R2 to allow IT organizations to take advantage of the basics of federation. However, features such as integration with other applications like AD RMS and Office Sharepoint Server 2007 are not available.
Q: Can an RODC exist in a mixed-mode (Windows 2003 and Windows 2008) domain?
A: Yes, but you must run adprep with the proper switches in order for it to succeed. If the domain is not prepped for this new Windows Server 2008 role, the RODC installation will fail almost immediately. adprep is required to add the appropriate schema modifications for RODC.
Q: LDS sounds pretty cool. Can I just run that for my AD environment?
A: The short answer is yes, but if you are running AD internally, you would probably want the full functionality of Domain Services. LDS is meant for smaller environments, such as a DMZ, where additional functionality—in particular, management—is not a requirement.
Q: Does Rights Management work with mobile devices?
A: Yes, there is a mobile module for Rights Management Services. However, only Windows Mobile devices are supported with Rights Management. Check with your wireless vendor or mobile manufacturer for support and availability on particular models.
Q: I’ve heard that Server Core is only supported in 64-bit edition. Is that true?
A: No. Server Core works in both 32-bit and 64-bit editions; only Hyper-V (virtualization) requires 64-bit. It should be noted that as of the writing of this book, Windows Server 2008 is expected to be the final 32-bit server operating system released by Microsoft.
Q: Do I have to use Server Manager for role deployment?
A: No. You can also use scripting tools to deploy roles. Also, depending on the role, role “bits” (the actual files that make up the role) can sometimes be added automatically. For example, if you forget to add the Directory Services role prior to running dcpromo.exe, dcpromo will add the role for you. However, this is not the case with all roles.
Self Test
1. You are the administrator for a nationwide company with over 5,000 employees. Your main office has approximately 4,500 employees, while the company’s ten remote offices have 50 users residing in each. You are often unaware of the physical security in place at these offices. However, since there is a fairly sizable amount of users at each office, you must provide them with directory services. What is the BEST option to use for directory services when security is often an unknown?
   A. Lightweight Directory Services
   B. Read-only domain controllers
   C. Active Directory Federation Services
   D. Active Directory Rights Management Services
2. ________ is a format and application-agnostic technology, which provides services to enable the creation of information-protection solutions.
   A. Lightweight Directory Services
   B. Read-only domain controllers
   C. Active Directory Federation Services
   D. Active Directory Rights Management Services
3. You are the administrator for a nationwide company with over 5,000 employees. Your director tells you your company has just signed into a partnership with another organization, and that you will be responsible for ensuring that authentication can occur between both organizations without the need for additional sign-on accounts. Your boss mentions that the partner has a variety of Directory Services installed throughout their organizations. Which of the following can Active Directory Federation Services NOT connect to?
   A. Lightweight Directory Services
   B. Windows Server 2003 Directory Services
   C. Windows Server 2003 R2 Directory Services
   D. All of the above
4. You are the administrator for a nationwide company with over 5,000 employees. Your main office has approximately 4,500 employees, while your company’s ten remote offices have 50 users each residing in them. You are often unaware of the physical security in place at these offices. However, since there is a fairly sizable amount of users at each office, you need to provide them with directory services. What is the BEST option to use for directory services when security is often an unknown?
   A. Lightweight Directory Services
   B. Read-only domain controllers
   C. Active Directory Federation Services
   D. Active Directory Rights Management Services
5. The Web development team has requested that you implement a new Web server in a DMZ that will be used for presenting Web sites to customers. Which of the following is NOT a reason for using Windows Server 2008 Core Server?
   A. A Core installation does not require a Windows Server 2008 license.
   B. A Core installation does not provide GUIs, which limits console access.
   C. Core Server installs fewer services than a full installation of Windows Server 2008.
   D. Core Server uses fewer resources than a full installation of Windows Server 2008.
6. You have a Windows Server 2003 R2 domain currently running in your organization. You would like to install a read-only domain controller into your Directory Services structure, but you do not want to completely upgrade your domain to Windows Server 2008 Directory Services just yet. What do you need to do in order to add an RODC?
   A. Change the domain functional level to Windows Server 2008 mixed mode.
   B. Change the forest functional level to Windows Server 2008 mixed mode.
   C. Run adprep on a Windows Server 2003 R2 domain controller.
   D. An RODC cannot be added until the entire domain is a Windows Server 2008 Directory Services domain.
7. You are looking to upgrade your environment to Windows Server 2008, and you are explaining the new Server Manager console to your boss. Which three of the following answers correctly describe ways that Server Manager can be used?
   A. Server Manager can be used to add new server roles.
   B. Server Manager can be used to add new server features.
   C. Server Manager can be used to configure server failover.
   D. Server Manager can be used for scripting commands.
8. You are attempting to install Directory Services on a Windows Server 2008 Server Core installation. You type dcpromo at the command prompt, but the server fails to install Directory Services. What is the MOST LIKELY reason for this?
   A. Directory Services are not supported on a Server Core installation, only read-only domain controllers.
   B. You must use an unattended file to complete the Directory Services installation.
   C. You must use the Server Manager from another Windows Server 2008 system to complete the installation.
   D. Your server’s chipset does not support Directory Services in a Server Core installation.
9. Which of the following Directory Services administration tools can be used in a Windows Server 2008 Lightweight Directory Services installation?
   A. Active Directory Users and Computers
   B. Active Directory Sites and Services
   C. Active Directory Domains and Trusts
   D. Active Directory Licensing Manager
10. BitLocker is a new technology that is available in Windows Server 2008 as well as Windows Vista. Which is NOT an advantage of using BitLocker?
   A. BitLocker can be used to prevent a hacker from detecting my password.
   B. BitLocker prevents someone from removing a hard drive from a system and reading it by installing it on another system.
   C. BitLocker prevents someone from loading another operating system onto the server and reading the contents of the disk using this additional operating system.
   D. All of the above selections are an advantage of using BitLocker.
Self Test Quick Answer Key
1. B      6. C
2. D      7. A, B, and C
3. B      8. B
4. B      9. B
5. A     10. A
Chapter 2
MCTS/MCITP Exam 640
Configuring Network Services
Exam objectives in this chapter:
■ Configuring Domain Name System (DNS)
■ Configuring Dynamic Host Configuration Protocol (DHCP)
■ Configuring Windows Internet Naming Service (WINS)
Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
Chapter 2 • Configuring Network Services
Introduction
When internetworking was first conceived and implemented in the 1960s and 1970s, the Internet Protocol (IP) addressing scheme was also devised. It uses four sets of 8 bits (octets) to identify a unique address, which is comprised of a network address and a unique host address. This provided enormous flexibility because the scheme allowed for millions of addresses. The original inventors of this system probably didn’t envision the networking world as it is today—with millions of computers spanning the globe, many connected to one worldwide network, the Internet.
Network Services are to Active Directory what gasoline is to a combustion engine—without them, Active Directory would simply be a shiny piece of metal that sat there and looked pretty. As a matter of fact, network services are not only crucial to Active Directory, but are equally important to networking on a much larger scale. Imagine watching television at home and hearing the voice-over for a Microsoft commercial say “Come visit us today at 207.46.19.190!” instead of “Come visit us today at www.microsoft.com!” Networking services make networking much easier to understand for the end user, but they also go well beyond that in terms of what they provide for a networking architecture.
In this chapter, we will explore the Domain Name System (DNS), a method of creating hierarchical names that can be resolved to IP addresses (which, in turn, are resolved to MAC addresses). We explain the basis of DNS and compare it to alternative naming systems. We also explain how the DNS namespace is created and resolved to an IP address throughout the Internet or within a single organization. Once you have a solid understanding of DNS, you will learn about Windows Server 2008 DNS servers, including the different roles DNS servers can play, the ways DNS Servers resolve names and replicate data, and how Windows Server 2008 Active Directory integrates with DNS.
By the end of this chapter, you’ll have a detailed understanding of DNS on the Internet, as well as how DNS works within a Windows Server 2008 network. We will also discuss two additional services: Windows Internet Naming Service (WINS) and Dynamic Host Configuration Protocol (DHCP), two common services used on Transmission Control Protocol/Internet Protocol (TCP/IP) networks. Each of these services plays an important role in your environment, ultimately assisting IT professionals in their quest to automate many of the mundane tasks that would otherwise need to be managed manually.
Configuring Domain Name System (DNS)
Microsoft defines the Domain Name System (DNS) as a hierarchical distributed database that contains mappings of fully qualified domain names (FQDNs) to IP addresses. DNS enables finding the locations of computers and services through user-friendly names and also enables the discovery of other types of records used for additional resources (which we will discuss later) in the DNS database. A much broader definition comes from the original Request For Comment (RFC), which was first released way back in November of 1983. RFC 882 (http://tools.ietf.org/html/rfc882) describes DNS conceptually, explaining how various components (domain name space, name servers, resolvers) come together to provide a domain name system. As you can imagine, a number of changes have been made to the original RFC. In fact, there have been three major RFC releases since the original debuted 25 years ago: RFC 883, RFC 1034, and RFC 1035.
As you probably came to realize by looking at the date of the original DNS RFC, Microsoft was certainly not the first company to develop DNS services. In fact, the first Unix-based DNS service was written by four college students way back in 1984. Later, the code was rewritten by an engineer at Digital Equipment Corporation (DEC) and renamed Berkeley Internet Name Domain, or BIND, as it is more commonly known. Since the original DNS code was written, it has been rewritten by several companies, including Microsoft, Novell, Red Hat, and many others.
Now that you’ve had a little history lesson on DNS, let’s discuss some of the various record types that can be held inside a DNS database. The record type will determine what information is provided to a DNS client requesting data. For instance, if the DNS server is configured to use an “A” record (a naming resource record), it converts an IP address to a hostname. As an example, consider using 207.46.19.190 as the IP address, and www.microsoft.com as the hostname.
This would be a good example of how DNS resolution works. Another example of a record in use is the MX record. This record type is used when an e-mail server is trying to determine the IP address of another e-mail server. Table 2.1 outlines the types of records that can exist in a Windows Server 2008 DNS.
Table 2.1 Common DNS Record Types
Type                    Description
Host (A)                Maps a domain name (such as www.microsoft.com) to an IP address
Canonical Name (CNAME)  Maps an alias domain name to another server name
Mail exchanger (MX)     Maps a domain name to a system that controls mail flow
Pointer (PTR)           Reverses the mapping process; used to convert domain names to IP addresses
Service location (SRV)  Used to map domain names to a specific service
Regardless of the type of DNS you’re using—Microsoft, Linux, or another vendor—the DNS database holds a nearly identical format. Several components make up a DNS database. Figure 2.1 provides an example of a primary zone database (we will discuss the various types of zones later in this chapter).
Figure 2.1 A DNS Database File
Let’s take a moment to discuss some of the other information held in the database file.
■ IN – Internet Name This calls out that the information preceding the IN is the common name of the server. In the first line of the preceding database file, it indicates that the name at the top-left is the domain name this server supports. The names shown after the IN are the actual names of the server.
■ SOA – Start of Authority This indicates that the server shown in Figure 2.1 is authoritative over this particular domain. Thus, it has rights to add, remove, and change records for the domain.
■ 1 – Serial number Each time a change is made to a DNS database, a new serial number is assigned. Other servers—known as secondary servers—can copy DNS databases for local storage. If this serial number changes, the secondary servers know they need to update their copy.
■ 900 – Refresh Rate How often—in seconds—the secondary computer checks to see if it needs to update its database.
■ 600 – Retry How long a secondary DNS server should wait before requesting another update, should an update fail.
■ 86400 – Expire How long a secondary server can hold a database—without update—before it must purge its records.
■ 3600 – Time to Live (TTL) How long a client machine can store a requested record before it must request a refreshed record.
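The fields above are easiest to understand in use. The following Python is an added example, not code from the book: it parses a constructed BIND-style zone (names and addresses are made up; example.test and 192.0.2.0/24 are reserved for documentation) whose SOA carries the same serial, refresh, retry, expire and TTL values, resolves a name forward through A and CNAME records and an address back through a PTR record, and applies the serial comparison and timers the way a secondary server does. Note the direction of the two lookups: an A record maps a name to an address, and a PTR record maps an address back to a name.

```python
# Added example, not from the book: parse a BIND-style primary zone and apply its
# SOA timers. Zone texts are constructed; example.test / 192.0.2.0/24 are documentation ranges.
import re
from dataclasses import dataclass, field

SAMPLE_ZONE = """\
$ORIGIN example.test.
@      IN SOA   ns1.example.test. hostmaster.example.test. (
                1 900 600      ; serial, refresh, retry
                86400 3600 )   ; expire, minimum TTL
@      IN NS    ns1.example.test.
@      IN MX    10 mail.example.test.
ns1    IN A     192.0.2.1
mail   IN A     192.0.2.25
www    IN CNAME ns1.example.test.
"""

SAMPLE_REVERSE_ZONE = """\
$ORIGIN 2.0.192.in-addr.arpa.
1      IN PTR   ns1.example.test.
25     IN PTR   mail.example.test.
"""

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")

@dataclass
class Zone:
    origin: str
    soa: dict = field(default_factory=dict)
    records: list = field(default_factory=list)  # (owner FQDN, type, rdata tokens)

def fqdn(name: str, origin: str) -> str:
    """Expand '@' and relative owner names against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text: str) -> Zone:
    """Minimal parser: strips ';' comments, honours $ORIGIN, folds '( ... )' records."""
    folded, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:                      # record complete: emit it as one line
            folded.append(" ".join(buf))
            buf = []
    zone = Zone(origin="")
    for line in folded:
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            zone.origin = tokens[1]
            continue
        owner, _cls, rtype, rdata = tokens[0], tokens[1], tokens[2], tokens[3:]
        if rtype == "SOA":                  # mname rname serial refresh retry expire minimum
            zone.soa = dict(zip(SOA_FIELDS, rdata[:2] + [int(v) for v in rdata[2:7]]))
        zone.records.append((fqdn(owner, zone.origin), rtype, rdata))
    return zone

def lookup(zone: Zone, owner: str, rtype: str) -> list:
    """All rdata of one type held at an owner name (FQDN)."""
    return [rd for o, t, rd in zone.records if o == owner and t == rtype]

def resolve_a(zone: Zone, name: str, max_chain: int = 8):
    """Forward lookup: name -> IPv4 address, following CNAMEs (bounded, so a CNAME loop cannot hang us)."""
    name = fqdn(name, zone.origin)
    for _ in range(max_chain):
        addrs = lookup(zone, name, "A")
        if addrs:
            return addrs[0][0]
        aliases = lookup(zone, name, "CNAME")
        if not aliases:
            return None
        name = fqdn(aliases[0][0], zone.origin)
    return None

def resolve_ptr(rev_zone: Zone, ip: str):
    """Reverse lookup: 192.0.2.25 -> 25.2.0.192.in-addr.arpa. -> PTR target name."""
    owner = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
    names = lookup(rev_zone, owner, "PTR")
    return names[0][0] if names else None

def serial_is_newer(master: int, local: int) -> bool:
    """RFC 1982 serial arithmetic: is the master's copy newer than ours?
    Stays correct after the 32-bit serial wraps around to 0."""
    diff = (master - local) % (1 << 32)
    return 0 < diff < (1 << 31)

def secondary_state(seconds_since_refresh: int, soa: dict) -> str:
    """What the SOA timers tell a secondary: keep serving ('current'), ask the master
    for a newer serial ('refresh-due', retrying every 'retry' seconds on failure), or
    stop answering for the zone ('expired')."""
    if seconds_since_refresh >= soa["expire"]:
        return "expired"
    if seconds_since_refresh >= soa["refresh"]:
        return "refresh-due"
    return "current"
```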
Thus far, we’ve been focusing on how an individual DNS server is configured. However, we must also look at DNS structures on a much higher level as well. The first thing to understand is that the worldwide DNS structure is just incredibly massive—and continues to grow on a daily basis as new domains are brought online. As large as it is, the general structure behind it is relatively simple. DNS is based on a “tree” format—and an upside-down tree, at that. At the top of the tree is the root—the root is the beginning of all DNS naming conventions and has total authority over all naming conventions beneath it. The DNS root is essentially a period—yes, a period. Technically speaking, if you decide to shop online at Elsevier’s Web site, you are shopping at “www.elsevier.com.” If that doesn’t make sense, let’s break it down. Basically, domains (and domain server names) are really read from right-to-left in the computer world. The “.” is assumed in any DNS resolution, but is still the highest level. Com would be the second-highest level, followed by another period for separation, and then Elsevier. So, in regards to DNS hierarchy, the top level domain would be “.”, followed by the second-highest level domain, which would be com, followed by the third-highest level domain, Elsevier. When combined to form an FQDN, the result would be “Elsevier.com.” WWW represents nothing more than the name of a server that exists in the Elsevier.com domain. WWW has become commonplace for World Wide Web services, but it could just as easily be supercalafragalisticexpialidotious.elsevier.com—though I doubt it would get as many hits. If you are still confused by how DNS naming structures work, take a look at Figure 2.2, which shows a sample of how a DNS tree looks.
Figure 2.2 A Sample DNS Tree
The summit of the DNS namespace hierarchy is the root, which has several servers managed by the Internet Name Registration Authority (INRA). Immediately below the root are the COM, NET, EDU, and other top-level domains listed in Table 2.2. Each of these domains is further divided into namespaces that are managed by the organizations that register them. For example, syngress.com is managed by a different organization than umich.edu.
Table 2.2 Domain Suffixes Used on the Internet
Domain Suffix                         Typical Usage
.mil                                  United States military
.edu                                  Educational facilities
.com                                  Commercial organizations
.net                                  Networks
.org                                  Nonprofit organizations
.gov                                  United States government—nonmilitary
.us                                   United States
.uk                                   United Kingdom
.au                                   Australia
.de                                   Germany
Other two-letter abbreviations (.xx)  Other countries
NOTE
In addition to the domain suffixes shown in Table 2.2, you will also find the occasional privately used domain suffix .local. The .local suffix is not managed by a DNS root server, so the namespace cannot be published on the Internet. When you design the namespace for an Active Directory network, you can choose to use the .local suffix for domains that will not have any hosts on the Internet. Keep in mind that using the .local namespace internally will not prevent an organization from using Internet resources, such as browsing the Web.
Organizations often split the ownership of their DNS namespace. One team might be responsible for everything inside the firewall, while another team may be responsible for the namespace that faces the public. Since Active Directory often replaces Windows NT as an upgrade, the team responsible for Windows NT will often take over the DNS namespace management for Active Directory domains. Since Active Directory DNS design and implementation does differ somewhat from the standard DNS design and implementation, you can often find the two types of tasks split between two different groups in the same organization.
Those are the basics on how Domain Name Services function on a much grander scale. In the coming sections of this chapter, we will discuss how to use DNS within a Windows Server 2008 environment. First, though, let’s discuss how to install and perform the initial configuration of DNS on Windows Server 2008.
67
68
Chapter 2 • Configuring Network Services
EXAM WARNING
Check for conflicts when asked questions regarding DNS namespace designs. For example, if the scenario states that a particular namespace is already being used for another purpose, it is likely not going to be the first choice for an Active Directory root domain namespace.
Identifying DNS Record Requirements
A Resource Record (RR) is to DNS what a table is to a database. A Resource Record is part of DNS’s database structure that contains the name information for a particular host or zone. Table 2.3 contains an aggregation of the most popular RR types that have been collected from the various RFCs that define their usage:
Table 2.3 RR Types
Record Type | Common Name | Function | RFC
A | Address record | Maps FQDN to 32-bit IPv4 addresses. | RFC1035
AAAA | IPv6 address record | Maps FQDN to 128-bit IPv6 addresses. | RFC1886
AFSDB | Andrew file system | Maps a DNS domain name to a server subtype that is either an AFS Version 3 volume or an authenticated name server using DCE or NCA. | RFC1183
ATMA | Asynchronous Transfer Mode address | Maps a DNS domain name in the owner field to an ATM address referenced in the atm_address field. |
CNAME | Canonical name or alias name | Maps a virtual domain name (alias) to a real domain name. | RFC1035
HINFO | Host info record | Specifies the CPU and operating system type for the host. | RFC1700
ISDN | ISDN info record | Maps an FQDN to an ISDN telephone number. | RFC1183
KEY | Public key resource record | Contains a public key that is associated with a zone. In full DNSSEC (defined later in this chapter) implementation, resolvers and servers use KEY resource records to authenticate SIG resource records received from signed zones. KEY resource records are signed by the parent zone, allowing a server that knows a parent zone’s public key to discover and verify the child zone’s key. Name servers or resolvers receiving resource records from a signed zone obtain the corresponding SIG record, and then retrieve the zone’s KEY record. |
MB | Mailbox name record | Maps a domain mail server name to the host name of the mail server. | RFC1035
MG | Mail group record | Maps a domain mailing group to the mailbox resource records. | RFC1035
MINFO | Mailbox info record | Specifies a mailbox for the person who maintains the mailbox. | RFC1035
MR | Mailbox renamed record | Maps an old mailbox name to a new mailbox name for forwarding purposes. | RFC1035
MX | Mail exchange record | Provides routing info to reach a given mailbox. | RFC974
NS | Name server record | Specifies that the listed name server has a zone starting with the owner name. Identifies servers other than SOA servers that contain zone information files. | RFC1035
NXT | Next resource record | Indicates the nonexistence of a name in a zone by creating a chain of all of the literal owner names in that zone. It also indicates which resource record types are present for an existing name. |
OPT | Option resource record | One OPT resource record can be added to the additional data section of either a DNS request or response. An OPT resource record belongs to a particular transport level message, such as UDP, and not to actual DNS data. Only one OPT resource record is allowed, but not required, per message. |
PTR | Pointer resource record | Points to another DNS resource record. Used for reverse lookup to point to A records. | RFC1035
RP | Responsible person info record | Provides info about the server admin. | RFC1183
RT | Route-through record | Provides routing info for hosts lacking a direct WAN address. | RFC1183
SIG | Signature resource record | Encrypts an RRset to a signer’s (the RRset’s zone owner) domain name and a validity interval. |
SOA | Start of Authority resource record | Indicates the name of origin for the zone and contains the name of the server that is the primary source for information about the zone. It also indicates other basic properties of the zone. The SOA resource record is always first in any standard zone. It indicates the DNS server that either originally created it or is now the primary server for the zone. It is also used to store other properties such as version information and timings that affect zone renewal or expiration. These properties affect how often transfers of the zone are done between servers that are authoritative for the zone. | RFC1537
SRV | Service locator record | Provides a way of locating multiple servers that provide similar TCP/IP services. | RFC2052
TXT | Text record | Maps a DNS name to a string of descriptive text. | RFC1035
WKS | Well-known services record | Describes the most popular TCP/IP services supported by a protocol on a specific IP address. | RFC1035
X25 | X.25 info record | Maps a DNS address to a public switched data network (PSDN) address number. | RFC1183
The official IANA (Internet Assigned Numbers Authority) list of DNS parameters can be found at www.iana.org/assignments/dns-parameters, and a really good DNS glossary is available at www.menandmice.com/online_docs_and_faq/glossary/ glossarytoc.htm.
Installing and Configuring DNS
DNS can be installed and configured on any version of Windows Server 2008—Web Edition, Standard Edition, Enterprise Edition, or Datacenter Edition. It is a network service that can be integrated with Active Directory (for security and replication purposes), or as a stand-alone service. A Windows Server 2008 DNS can manage not only internal namespaces, but external (Internet-facing) namespaces as well. In the following examples, we will be installing DNS on a Windows Server 2008 Standard Server.
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary and click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, select DNS Server (see Figure 2.3), and then click Next.
Figure 2.3 Selecting the DNS Server Role
5. At the DNS Server window, read the overview, and then click Next.
6. Confirm your selections, and then click Install.
7. When installation is complete, click Close.
Next, we will configure some basic server settings:
1. Choose Start | Administrative Tools | DNS.
2. Find your server name in the left pane and double-click it. This will open the DNS configuration for this server (see Figure 2.4).
Figure 2.4 The Opening DNS Configuration Data
3. Look at the DNS properties of this server. Right-click the server name and select Properties from the drop-down menu.
4. The first tab that opens is the Interfaces tab. This tab can be adjusted if you have additional NICs in your server. This is particularly useful if you only want DNS queries to be answered by systems on a particular subnet. In general, you will likely leave it at the default of All IP Addresses.
5. Click the Root Hints tab. Notice there are multiple name servers with different IP addresses (Figure 2.5). With root hints, any queries that cannot be answered locally are forwarded to one of these root servers. Optionally, we can clear our root hints by selecting them and clicking Remove. Remove all of the servers, and click Forwarders.
Figure 2.5 DNS Root Hints
6. On the Forwarders tab, we can specify where DNS queries that are not resolved locally will be resolved. As opposed to Root Hints, this gives us much more control over where our queries are sent. For example, we can click Edit… and enter 4.2.2.1—a well-known DNS server. After you enter the IP address, click OK.
7. Look through the other tabs in the Properties dialog box. In particular, take a look at the Advanced tab (Figure 2.6). Notice the check box for BIND Secondaries—this makes it possible for BIND servers to make local copies of DNS databases. Also, look at the Enable Automatic Scavenging Of Stale Records option. With this option, you can specify the period before which DNS will perform a cleanup of old records.
Figure 2.6 Advanced DNS Settings
8. Click Apply to save the changes we made, and then click OK to close the window.
We still have a lot to do with configuring a DNS server, but before we move on to configuring zones, let’s walk through the process of installing DNS on a Windows Server 2008 Core Installation.
Using Server Core and DNS
As we discussed in Chapter 1, a Windows Server 2008 Core Server Installation can be used for multiple purposes. One of the ways Server Core can be used is to provide a minimal installation for DNS. In the coming sections, we will discuss the various ways you can manipulate, manage, and configure DNS servers through the various Windows Server 2008 DNS Graphical User Interfaces (GUIs): DNS Manager and the Server Manager tool.
However, as you will recall, no GUIs are provided with Windows Server 2008 Core Server. A number of advantages to running DNS within Server Core include:
■ Smaller Footprint: Reduces the amount of CPU, memory, and hard disk needed.
■ More Secure: Fewer components and services running unnecessarily.
■ No GUI: No GUI means that users cannot make modifications to the DNS databases (or any other system functions) using common/user-friendly tools.
If you are planning to run DNS within a Server Core install, several steps must be performed prior to installation. The first step is to set the IP information of the server. To configure the IP addressing information of the server, do the following:
1. Identify the network adapter. To do this, in the console window, type netsh interface ipv4 show interfaces and record the number shown under the Idx column.
2. Set the IP address, Subnet Mask, and Default Gateway for the server. To do so, type netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>. <ID> represents the interface number from step 1, <StaticIP> represents the IP address we will assign, <SubnetMask> represents the subnet mask, and <DefaultGateway> represents the IP address of the server’s default gateway. See Figure 2.7 for our sample configuration.
Figure 2.7 Setting an IP Address in Server Core
3. Assign the IP address of the DNS server. If this server is part of an Active Directory domain and is replicating Active Directory–integrated zones (we will discuss those next), we would likely point this server to another AD-integrated DNS server. If it is not, we would point it to another external DNS server—usually the Internet provider of your company. From the console, type netsh interface ipv4 add dnsserver name="<ID>" address=<StaticIP> index=1. <ID> represents the number from step 1, while <StaticIP> represents the IP address of the DNS server.
Once the IP address settings are completed—you can verify this by typing ipconfig /all—we can install the DNS role onto the Core Server installation:
4. To do this, from the command line, type start /w ocsetup DNSServer-Core-Role.
5. To verify that the DNS Server service is installed and started, type NET START. This will return a list of running services.
6. Use the dnscmd command-line utility to manipulate the DNS settings. For example, you can type dnscmd /enumzones to list the zones hosted on this DNS server.
7. We can also change all of the configuration options we modified in the GUI section earlier by using the dnscmd /config option. For example, we can enable BIND secondaries by typing dnscmd <servername> /config /bindsecondaries 1. You can see the results in Figure 2.8.
Figure 2.8 Using the dnscmd Utility
There are many, many more things you can do with the dnscmd utility. For more information on the dnscmd syntax, visit http://technet2.microsoft.com/WindowsServer/en/library/d652a163-279f-4047-b3e0-0c468a4d69f31033.mspx. So far, you have learned how to install and configure the DNS server; now we will discuss how to configure DNS zones.
Configuring Zones
We’ve mentioned “zones” several times already in this chapter. Simply put, a zone is the namespace allocated for a particular server. Each “level” of the DNS hierarchy represents a particular zone within DNS. For the actual DNS database, a zone is a contiguous portion of the domain tree that is administered as a single separate entity by a DNS server. The zone contains resource records for all of the names within the zone. If Active Directory–integrated zones are not being used, some zone files will contain the DNS database resource records required to define the zone. If DNS data is Active Directory–integrated, the data is stored in Active Directory, not in zone files.
■ Primary Zone With a primary zone, the server hosting this zone is authoritative for the domain name. It stores the master copy of the domain information locally. When the zone is created, a file with the suffix .dns is created in the %windir%\System32\dns subdirectory of the DNS server.
■ Secondary Zone This is a secondary source—essentially a copy—of the primary DNS zone, with read-only capabilities.
■ Stub Zone Only stores information about the authoritative name servers for a particular zone.
Primary and secondary zones are standard (that is, non-Active Directory–integrated) forward lookup zones. The principal difference between the two is the ability to add records. A standard primary zone is hosted on the master servers in a zone replication scheme. Primary zones are the only zones that can be edited, whereas secondary zones are read-only and are updated only through zone transfer. DNS master servers replicate a copy of their zones to one or more servers that host secondary zones, thereby providing fault tolerance for your DNS servers. DNS standard zones are the types of zones you should use if you do not plan on integrating Active Directory with your DNS servers. An Active Directory–integrated zone is basically an enhanced primary DNS zone stored in Active Directory and thus can, unlike all other zone types, use multimaster replication and Active Directory security features. It is an authoritative primary zone in which all of the zone data is stored in Active Directory. As mentioned previously, zone files are neither used nor necessary. Integrating DNS with Active Directory produces the following additional benefits:
■ Speed Directory replication is much faster when DNS and Active Directory are integrated. This is because Active Directory replication is performed on a per-property basis, meaning that only changes that apply to particular zones are replicated. Because only the relevant information is to be replicated, the time required to transfer data between zones is greatly reduced. On top of this, a separate DNS replication topology is eliminated because the Active Directory replication topology is used for both ADI zones and AD itself.
■ Reduced Administrative Overhead Any time you can reduce the number of management consoles you have to work with, you can reduce the amount of time needed to manage information. Without the advantage of consolidating the management of DNS and Active Directory in the same console, you would have to manage your Active Directory domains and DNS namespaces separately. Moreover, your DNS domain structure mirrors your Active Directory domains. Any deviation between Active Directory and DNS makes management more time-consuming and creates more opportunity for mistakes. As your network continues to grow and become more complex, managing two separate entities becomes more involved. Integrating Active Directory and DNS provides you with the ability to view and manage them as a single entity.
■ Automatic Synchronization When a new domain controller is brought online, networks that have integrated DNS and Active Directory have the advantage of automatic synchronization. Even if a domain controller will not be used to host the DNS service, the ADI zones will still be replicated, synchronized, and stored on the new domain controllers.
■ Secure Dynamic DNS Additional features have been added that enhance the security of secure dynamic updates. These features will be discussed in the “DNS Security Guidelines” section later in this chapter.
A reverse lookup zone is an authoritative DNS zone that is used primarily to resolve IP addresses to network resource names. This zone type can be primary, secondary or Active Directory–integrated. Reverse lookups traverse the DNS hierarchy in exactly the same way as the more common forward lookups.
Stub zones are a new feature introduced in Windows Server 2008. They contain a partial copy of a zone that can be hosted by a DNS server and used to resolve recursive or iterative queries. A recursive query is a request from a host to a resolver to find data on other name servers. An iterative query is a request, usually made by a resolver, for any information a server already has in memory for a certain domain name. Stub zones contain the Start of Authority (SOA) resource records of the zone, the DNS resource records that list the zone’s authoritative servers, and the glue address (A) resource records that are required for contacting the zone’s authoritative servers. Stub zones are useful for reducing the number of DNS queries on a network, and consequently the resource consumption on the primary DNS servers for that particular namespace. Basically, stub zones are used to find other zones and can be created in the middle of a large DNS hierarchy to prevent a query for a distant zone within the same namespace from having to ascend, traverse, and return over a multitude of zones.
Windows Server 2008 also allows for a special type of Primary Zone—known as an AD-integrated zone—which basically means that the data is stored within Active Directory Domain Services, and is replicated to other DNS servers during normal AD replication periods. AD-integrated zones offer a number of benefits, including:
■ Secure Dynamic Updates Systems that are authenticated by Active Directory can update their DNS records. This allows name resolution for clients and servers while eliminating DNS poisoning by rogue systems that create DNS records.
■ Automatic Synchronization Zones are created and synchronized to new domain controllers (with DNS installed) automatically.
■ Efficient Replication Less data is replicated since only relevant changes are propagated.
TEST DAY TIP Don’t underestimate the importance of Secure Dynamic Updates on the exam. They are essential to providing security when using dynamic updates in two different ways. First, they provide enhanced security, which prevents “guests” (computers that are not part of Active Directory) from being able to update DNS independently. The second important feature ties directly to application-push and client management technologies, such as System Center Configuration Manager. By having a constantly refreshed (and accurate) database of clients, it makes technologies such as client management tools much more accurate and useful.
Zone Transfer
Zone transfer is the process of copying the contents of the zone file on a primary DNS server to a secondary DNS server. Using zone transfer provides fault tolerance by synchronizing the zone file in a primary DNS server with the zone file in a secondary DNS server. The secondary DNS server can continue performing name resolution if the primary DNS server fails. Furthermore, secondary DNS servers can transfer to other secondary DNS servers in the same hierarchical fashion, which makes the higher-level secondary DNS server a master to other secondary servers. Three transfer modes are used in a Windows Server 2008 DNS configuration:
■ Full Transfer When you bring a new DNS server online and configure it to be a secondary server for an existing zone in your environment, it will perform a full transfer of all the zone information in order to replicate all the existing resource records for that zone. Older implementations of the DNS service also used full transfers whenever updates to a DNS database needed to be propagated. Full zone transfers can be very time-consuming and resource-intensive, especially in situations where there isn’t sufficient bandwidth between primary and secondary DNS servers. For this reason, incremental DNS transfers were developed.
■ Incremental Transfer When you are using incremental zone transfers, the secondary server retrieves only resource records that have changed within a zone, so that it remains synchronized with the primary DNS server. When incremental transfers are used, the databases on the primary server and the secondary server are compared to see if any differences exist. If the zones are identified as the same (based on the serial number of the Start of Authority resource record), no zone transfer is performed. If, however, the serial number on the primary server database is higher than the serial number on the secondary server, a transfer of the delta resource records commences. Because of this configuration, incremental zone transfers require much less bandwidth and create less network traffic, allowing them to finish faster. Incremental zone transfers are often ideal for DNS servers that must communicate over low-bandwidth connections.
■ DNS Notify The third method for transferring DNS zone records isn’t actually a transfer method at all. To avoid the constant polling of primary DNS servers from secondary DNS servers, DNS Notify was developed as a networking standard (RFC 1996) and has since been implemented into the Windows operating system. DNS Notify allows a primary DNS server to utilize a “push” mechanism for notifying secondary servers that it has been updated with records that need to be replicated. Servers that are notified can then initiate a zone transfer (either full or incremental) to “pull” zone changes from their primary servers as they normally would. In a DNS Notify configuration, the IP addresses for all secondary DNS servers in a DNS configuration must be entered into the notify list of the primary DNS server to pull, or request, zone updates.
Each of the three methods has its own purpose and functionality. How you handle zone transfers between your DNS servers depends on your individual circumstances.
TEST DAY TIP Remember that full and incremental transfers actually transfer the data between the DNS servers, and that DNS Notify is not a mechanism for transferring zone data. It is used in conjunction with AXFR (Full Transfer) and IXFR (Incremental Transfer) to notify a secondary server that new records are available for transfer.
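The serial-number check and the fallback from incremental to full transfer described above can be modelled in a few lines. The following Python is an added example for this section, not code from the book and not the internals of the Windows DNS service; the zone name, serials, addresses, records and the Primary and Secondary classes are constructed for illustration. It compares SOA serials with the wrap-around arithmetic of RFC 1982 (a plain integer comparison is wrong once a serial wraps past 2^32 - 1), answers a NOTIFY only when it comes from a configured master (the secondary-side counterpart of the notify list, per RFC 1996 section 3.10), and falls back to a full transfer when the primary's change journal no longer covers the secondary's serial.

```python
# Added example for the zone-transfer discussion (not the book's code and not
# Windows DNS internals): how a secondary decides between no transfer, an
# incremental transfer (IXFR) and a full transfer (AXFR), and how it treats
# DNS NOTIFY. Zone name, serials, addresses and records are constructed.

SERIAL_HALF = 1 << 31  # half of the 32-bit serial space (RFC 1982)


def serial_newer(a, b):
    """True if SOA serial a is newer than b under RFC 1982 wrap-around rules.
    A plain a > b is wrong once a serial wraps from 2**32 - 1 back to 0."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    if a == b:
        return False
    if a > b:
        return a - b < SERIAL_HALF
    return b - a > SERIAL_HALF


class Primary:
    """Primary for one zone: current serial, records, and a journal of changes
    keyed by the serial each change moved the zone *from*."""

    def __init__(self, zone, address, serial, records):
        self.zone, self.address, self.serial = zone, address, serial
        self.records = dict(records)
        self.journal = []  # (from_serial, to_serial, {name: rdata})

    def update(self, new_serial, changes):
        if not serial_newer(new_serial, self.serial):
            raise ValueError("SOA serial must increase")
        self.journal.append((self.serial, new_serial, dict(changes)))
        self.records.update(changes)
        self.serial = new_serial

    def ixfr(self, from_serial):
        """Delta from from_serial to the current serial, or None when the
        journal no longer covers from_serial (the secondary must use AXFR)."""
        merged, cursor = {}, from_serial
        for start, end, changes in self.journal:
            if start == cursor:
                merged.update(changes)
                cursor = end
        return merged if cursor == self.serial else None


class Secondary:
    """Secondary for one zone; accepts NOTIFY only from its configured masters."""

    def __init__(self, zone, masters):
        self.zone, self.masters = zone, set(masters)
        self.serial, self.records = None, {}

    def refresh(self, primary):
        """SOA check first; then IXFR if the journal allows, else AXFR."""
        if self.serial is not None and not serial_newer(primary.serial, self.serial):
            return "none"  # serials match: no transfer at all
        delta = None if self.serial is None else primary.ixfr(self.serial)
        if delta is None:
            self.records = dict(primary.records)  # AXFR: whole zone
            action = "axfr"
        else:
            self.records.update(delta)  # IXFR: only the changed records
            action = "ixfr"
        self.serial = primary.serial
        return action

    def on_notify(self, source_ip, primary):
        """RFC 1996 section 3.10: ignore a NOTIFY from a host that is not a
        known master; otherwise pull the changes as on a normal refresh."""
        if source_ip not in self.masters:
            return "ignored"
        return self.refresh(primary)


def demo():
    """Walk one zone through first contact, an idle check, a NOTIFY from an
    unknown host, a real NOTIFY and a journal gap. Returns the actions taken
    and the secondary's final records."""
    primary = Primary("uccentral.ads", "192.168.1.10", 2008010101,
                      {"dc1": "192.168.1.10"})
    secondary = Secondary("uccentral.ads", masters={primary.address})
    actions = [secondary.refresh(primary)]                         # axfr
    actions.append(secondary.refresh(primary))                     # none
    primary.update(2008010102, {"www": "192.168.1.20"})
    actions.append(secondary.on_notify("10.0.0.99", primary))      # ignored
    actions.append(secondary.on_notify(primary.address, primary))  # ixfr
    primary.update(2008010103, {"mail": "192.168.1.30"})
    primary.journal.clear()  # journal purged: the delta is no longer available
    actions.append(secondary.refresh(primary))                     # axfr
    return actions, secondary.records


if __name__ == "__main__":
    print(demo())
```

Running the block prints the five actions in order (a full transfer on first contact, nothing when the serials match, the NOTIFY from the unknown host ignored, an incremental transfer after the real NOTIFY, and a full transfer once the journal gap forces it) followed by the synchronized records.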
Let’s take a look at how to create a new DNS zone:
1. Choose Start | Administrative Tools | DNS.
2. In the console tree, double-click your server, and then click Forward Lookup Zones.
3. Right-click Forward Lookup Zones, and then select New Zone.
4. The New Zone Wizard appears. Click Next (see Figure 2.9).
Figure 2.9 The New Zone Wizard
5. On the Zone Type page, click Primary zone and then click Next.
6. On the Active Directory Zone Replication Scope page, click Next.
7. On the Zone Name page, in the Name field, type a name for a test zone (Figure 2.10), and then click Next.
Figure 2.10 The Zone Name Page
8. On the Zone File page, click Next.
9. On the Dynamic Update page, choose Allow Both Nonsecure And Secure Dynamic Updates and click Next.
NOTE Normally, when configuring Dynamic Updates, you should choose the Secure Only option. For lab purposes in this book, however, you can choose Allow Both Nonsecure And Secure Dynamic Updates.
10. On the Completing The New Zone Wizard page, click Finish.
Active Directory Records
If you turned on dynamic updates in the previous exercise, and you have Active Directory loaded on your server, reboot your system. After your system reboots, notice the following new records in your zone.
■ _ldap._tcp.<DNSDomainName> Enables a client to locate a domain controller in the domain named by <DNSDomainName>. A client searching for a domain controller in the domain uccentral.ads would query the DNS server for _ldap._tcp.uccentral.ads.
■ _ldap._tcp.<SiteName>._sites.<DNSDomainName> Enables a client to find a domain controller in the domain and site specified (such as _ldap._tcp.lab._sites.uccentral.ads for a domain controller in the Lab site of uccentral.ads).
■ _ldap._tcp.pdc._msdcs.<DNSDomainName> Enables a client to find the PDC Emulator flexible single master operations (FSMO) role holder of a mixed- or native-mode domain. Only the PDC of the domain registers this record.
■ _ldap._tcp.gc._msdcs.<DNSForestName> Found in the zone associated with the root domain of the forest, this enables a client to find a Global Catalog (GC) server. Only domain controllers serving as GC servers for the forest will register this name. If a server ceases to be a GC server, the server will deregister the record.
■ _ldap._tcp.<SiteName>._sites.gc._msdcs.<DNSForestName> Enables a client to find a GC server in the specified site (such as _ldap._tcp.lab._sites.gc._msdcs.uccentral.ads).
■ _ldap._tcp.<DomainGUID>.domains._msdcs.<DNSForestName> Enables a client to find a domain controller in a domain based on the domain controller’s globally unique ID (GUID). A GUID is a 128-bit (8 byte) number that is generated automatically for the purpose of referencing Active Directory objects. This mechanism and these records are used by domain controllers to locate other domain controllers when they need to replicate, for example.
■ <DNSDomainName> Enables a client to find a domain controller via a normal Host (A) record.
Special records specifically associated with Active Directory allow servers and clients to interact with Active Directory services in a meaningful way.
Reverse Lookup Zones
As mentioned earlier, a reverse lookup zone is an authoritative DNS zone that is used primarily to resolve IP addresses to network resource names. This zone type can be primary, secondary, or Active Directory–integrated. Reverse lookups traverse the DNS hierarchy in exactly the same way as the more common forward lookups.
To handle reverse lookups, a special root domain called in-addr.arpa was created. Subdomains within the in-addr.arpa domain are created using the reverse ordering of the octets that form an IP address. For example, the reverse lookup domain for the 192.168.100.0/24 network would be 100.168.192.in-addr.arpa. The reason the IP addresses are inverted is that IP addresses, when read from left to right, get more specific; the IP address starts with the more general information first. FQDNs, in contrast, get more general when read from left to right; the FQDN starts with a specific host name. In order for reverse lookup zones to work properly, they use a special RR called a PTR record that provides the mapping of the IP address in the zone to the FQDN. Reverse lookup zones are used by certain applications, such as NSLookup (an important diagnostic tool that should be part of every DNS administrator’s arsenal). If a reverse lookup zone is not configured on the server to which NSLookup is pointing, you will get an error message when you invoke the nslookup command.
Head of the Class…
Security Considerations for the Presence of a Reverse Lookup Zone
Being able to make NSLookup work against your DNS servers is not the only, or most important, reason why you should configure reverse lookup zones. Applications on your internal network, such as DNS clients that are trying to register PTR records in a reverse lookup zone, can “leak” information about your internal network out to the Internet if they cannot find a reverse lookup zone on the intranet. To prevent this information from leaking from your network, you should configure reverse lookup zones for the addresses in use on your network.
Configuring Reverse Lookup Zones
Now, we need to create a matching reverse lookup zone. This will handle reverse resolution for our subnet. In this case, it is 192.168.1.x.
1. Choose Start | Administrative Tools | DNS.
2. In the console tree, click Reverse Lookup Zones.
3. Right-click Reverse Lookup Zones, and then click New Zone.
4. When the New Zone Wizard appears, click Next.
5. On the Zone Type page, select Primary Zone, and then click Next.
6. On the Reverse Lookup Zone Name page, make sure IPv4 is selected, and then click Next.
7. On the Reverse Lookup Zone Name page (Figure 2.11), in the Network ID field, type the start of the subnet range of your network (in this case, 192.168.1.x), and then click Next.
Figure 2.11 The Reverse Lookup Zone Name Page
8. On the Zone File page, click Next.
9. On the Dynamic Update page, click Next.
10. On the Completing The New Zone Wizard page, click Finish.
Now we need to enable IPv6 so we can offer domain name resolution for clients who may use IPv6 as opposed to IPv4. We’re also going to need it if we want to enable IPv6 DHCP addressing later in this chapter. First, we need to set an IPv6 address for our server. To do so, perform the following steps:
1. Choose Start and right-click Network.
2. Select Properties from the drop-down menu.
3. Click Manage Network Connections.
4. Right-click the Network connection and choose Properties.
5. Double-click Internet Protocol Version 6 (TCP/IPv6).
6. Click the radio button for Use The Following IPv6 Address. If you are not familiar with IP addressing, you can use 2001:0db8:29cd:1a0f:857b:455b:b4ec:7403.
7. Enter a Subnet prefix length of 64.
8. Your preferred DNS server would be the same as that mentioned earlier (your IPv6 address).
9. Close the Network Connections window and re-open the DNS administrator console.
10. In the console tree, click Reverse Lookup Zones.
11. Right-click Reverse Lookup Zones, and then click New Zone.
12. When the New Zone Wizard appears, click Next.
13. On the Zone Type page, select Primary Zone, and then click Next.
14. On the Reverse Lookup Zone Name page, make sure IPv6 is selected, and then click Next.
15. In the Reverse Lookup Zone Name field, type in the prefix 2001:0db8:29cd:1a0f::/64, and then click Next.
16. On the Dynamic Update page, choose Allow Both Nonsecure And Secure Dynamic Updates (for testing purposes in this book only—normally, you should use Secure Only), and click Next.
17. Click Finish to create the New Zone.
18. To create an IPv6 record, right-click the Primary Lookup Zone for your domain (in our lab, it is uccentral.ads), and then click New Host.
19. In the Name field, enter the name of your server. Our server name is dc1.
20. In the IP address field, enter the IPv6 address we set for the server.
21. Verify that Create Associated Pointer (PTR) Record is checked, and click Add Host.
You should now see a new AAAA record for the server, as well as a new PTR record in the Reverse Lookup Zone we created.
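Both reverse zones created above, the IPv4 zone for 192.168.1.x and the IPv6 zone for 2001:0db8:29cd:1a0f::/64, follow the octet and nibble reversal described under Reverse Lookup Zones. The following Python is an added example for this part of the chapter, not code from the book or from Windows DNS. It derives the in-addr.arpa or ip6.arpa zone name for any octet-aligned IPv4 or nibble-aligned IPv6 prefix (going beyond the IPv4 /24 the text shows), the PTR owner name that the Add Host step registers, and, as the check the Head of the Class sidebar calls for, lists subnets in use that no configured reverse zone covers. The networks and addresses are constructed from the chapter's lab values and the RFC 1918 and documentation ranges.

```python
# Added example for the reverse-lookup discussion (not the book's code): build
# the in-addr.arpa / ip6.arpa zone name for a network, the PTR owner name for an
# address, and check which subnets in use have no covering reverse zone.
# Networks and addresses below are constructed (lab, RFC 1918 and 2001:db8::/32).
import ipaddress


def reverse_zone_name(network):
    """Zone name under in-addr.arpa (IPv4) or ip6.arpa (IPv6) for a network.
    IPv4 zones cut on octet boundaries and IPv6 zones on nibble boundaries;
    other prefix lengths are not a single zone (RFC 2317-style classless
    delegation is out of scope here), so they are rejected."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zone needs a /8, /16 or /24 prefix")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zone needs a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_name(address):
    """Owner name of the PTR record for one address (octets or nibbles reversed,
    the same form the DNS console shows when a PTR record is created)."""
    return ipaddress.ip_address(address).reverse_pointer


def covering_zone(address, zones):
    """Longest configured reverse zone that is authoritative for the PTR name
    of address, or None if no configured zone covers it."""
    name = ptr_name(address)
    best = None
    for zone in zones:
        if name.endswith("." + zone) and (best is None or len(zone) > len(best)):
            best = zone
    return best


def uncovered_networks(networks, zones):
    """Subnets whose clients' PTR registrations no local reverse zone would
    absorb; those registration attempts leave the intranet, which is the
    information leak the sidebar describes."""
    return [n for n in networks
            if covering_zone(str(ipaddress.ip_network(n).network_address), zones) is None]


if __name__ == "__main__":
    zones = [reverse_zone_name("192.168.1.0/24"),
             reverse_zone_name("2001:db8:29cd:1a0f::/64")]
    print(zones)
    print(ptr_name("192.168.1.10"))
    print(ptr_name("2001:db8:29cd:1a0f:857b:455b:b4ec:7403"))
    print(uncovered_networks(["192.168.1.0/24", "10.20.0.0/16",
                              "2001:db8:29cd:1a0f::/64"], zones))
```

A /20 or a /60 raises ValueError rather than producing a misleading name, because such a prefix is not one reverse zone. In the sample run, 10.20.0.0/16 is reported as uncovered: the lab created zones for 192.168.1.x and the IPv6 prefix only, so a client on that third subnet would have nowhere local to register its PTR record.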
Configuring & Implementing…
Developing the DNS Design for Your Network
There are few limitations to developing DNS designs and deploying the service thereafter. You should consider the following points during your design process:
■ Each domain contains a set of resource records. Resource records map names to IP addresses or vice versa depending on which type of record it is. Special resource records exist to identify types of servers on the networks. For example, an MX resource record identifies a mail server.
■ If the organization has a large number of hosts, use subdomains to speed up the DNS response.
■ The only limitation to using subdomains on a single DNS server is the server’s own memory and disk capacity.
■ A zone contains one or more domains and their resource records. Zones can contain multiple domains if they have a parent and child relationship.
■ A DNS server with a primary zone is authoritative for the zone, and updates can be made on that server. There can only be one primary zone for each zone defined.
■ A DNS server with a secondary zone contains a read-only copy of the zone. Secondary zones provide redundancy and speed up query responses by being placed near the computers that place DNS queries.
■ DNS servers can use primary and secondary zones whether they are running Windows Server 2008 or are a third-party DNS server.
Now you can double-click the Forward Lookup Zones and Reverse Lookup Zones and view the zones you have created. The zones will be displayed in the console pane under the appropriate zone type. From here, you can add records by right-clicking the zone and selecting the type of record you want to create. Likewise, you can right-click the zone and select Properties to modify the properties of the zone. Some of the properties you can modify include:
■ Dynamic Updates: The ability for clients to automatically update DNS records.
■ Zone Type: You can change a zone type from Primary, to Secondary, or to Stub Zone. If Active Directory is installed, you can also make the zone Active Directory–integrated.
■ WINS integration: We will discuss this later in the chapter, but this is where you can involve WINS resolution with DNS resolution.
■ Name Servers: You can add the names and IP addresses of servers that have the rights to create copies of the DNS zone.
■ Zone Transfer: Here, you can specify whether the zone can be transferred to another DNS server. You can also specify whether it can be transferred to any server, only the servers in the Name Servers tab (discussed earlier), or to only specific DNS servers by IP address or FQDN.
Configuring Zone Resolution
There is a new name resolution feature available with the release of Windows Server 2008: GlobalNames Zones. The GlobalNames zone was introduced to help phase out the Windows Internet Naming Service (WINS), which we will discuss later. However, it is important to note that the GlobalNames zone is not intended to support the same type of name resolution provided in WINS, records which typically are not managed by IT administrators. After the configuration of the GlobalNames zone, you are responsible for management of all records in the zone, as there are no dynamic updates. So, where this is really relevant is within organizations that have multiple domain names. Without single-label names (also known as NetBIOS names), Windows-based computers will append DNS suffixes based on the order provided, either via the individual TCP/IP settings of the client, DHCP settings, or Group Policy settings. Again, the key here is that if there are MULTIPLE domain names an organization must manage, they may find it easier to use the GlobalNames zone since the GlobalNames zone records can be configured globally for the single-label names. Records that are contained within the GlobalNames zone are known as global names. Several prerequisites must be met before using the GlobalNames zone:
■ No existing DNS zone can be named GlobalNames.
■ All authoritative DNS servers must be running Windows Server 2008.
■ All DNS servers running on Windows Server 2008 must store a local copy of the GlobalNames zone or must be able to remotely communicate with a server that does.
■ The GlobalNames Zone Registry setting must be enabled on the server. This can be done by typing dnscmd /config /enableglobalnamessupport 1.
Let’s walk through the steps in configuring a GlobalNames zone:
1. Choose Start.
2. Right-click Command Prompt and select Run As Administrator.
3. At the command prompt, type dnscmd /config /enableglobalnamessupport 1.
4. Close the command-line prompt.
5. Select Start | Administrative Tools | DNS.
6. Right-click your DNS server, and then click New Zone to open the New Zone Wizard.
7. Create a new zone and give it the name GlobalNames (see Figure 2.12).
Figure 2.12 Creating a GlobalNames Zone
8. Complete the remaining configuration options as we have done previously, and then click Finish to complete the process.
Next, we will create a CNAME record for use with the GlobalNames zone:
1. Right-click the GlobalNames zone now available under the Forward Lookup Zones.
2. Select New Alias (CNAME).
3. Enter the alias of the server. For example, we can name it widgetserver.
4. Enter the FQDN of the target host. In this case, it will be our DNS server for testing purposes: dc1.uccentral.ads. If you do not have a record for your server, you may need to stop the CNAME process, and create an A record in the primary zone for your domain.
5. Click OK.
To test the GlobalNames zone record, simply go to the command prompt of a client PC and type ping gnztest. This will return the IP address as expected.
Configuring Dynamic Host Configuration Protocol (DHCP)
The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows administrators to manage and automate the assignment of IP addresses in a centralized console. Without DHCP, the IP address must be “statically” configured on each computer. This isn’t such a big deal in a small (ten-client-or-less) environment, but when you get into significantly larger environments, static IP address management can become a nightmare. Factor in the mobility of using laptops, and the need to be able to connect to other networks dynamically, and you’ll find it’s almost impossible in today’s world not to use DHCP.
TEST DAY TIP Review the way in which DHCP traffic is affected by placement of DHCP servers. For example, when servers are placed locally, the traffic remains on the subnet. You should also understand how subnetting works when designing DHCP scopes. For more information on DHCP placement, you should visit the following Microsoft TechNet site: http://technet2.microsoft.com/WindowsServer/en/library/3040afd1-e82b-4ded-8fcdaa8fe021fcc11033.mspx?mfr=true.
The way DHCP works is fairly simple. Using a client/server model, a DHCP server maintains a pool of IP addresses. DHCP clients request and obtain leases for IP addresses during the boot process. DHCP was derived from the Bootstrap Protocol (BOOTP), which was a protocol typically used to allow clients to boot from the network rather than from a hard drive. Through this boot process, BOOTP assigned an IP address dynamically to the client computer. Some benefits of using a Windows Server 2008 DHCP server include: ■
DNS integration Windows Server 2008 DHCP integrates directly with DDNS. When a computer obtains a lease for an IP address, the DHCP server can then register or update the computer’s Address (A) records and pointer (PTR) records in the DNS database via Dynamic DNS on behalf of the client computer. The result of the two—DHCP used with DDNS—is true dynamic IP address management. Any computer can start up on the network and receive an IP address that is further registered in the DNS name server.
■
Multicast address allocation The Windows Server 2008 DHCP service can assign multicast group addresses in addition to the standard unicast addresses for individual hosts, using the Multicast Address Dynamic Client Allocation Protocol (MADCAP). Multicast addresses are used to communicate with groups of hosts, such as server clusters using network load balancing.
■
Detection of unauthorized DHCP servers By restricting DHCP servers to those that are authorized, you can prevent conflicts and problems on the network. An administrator must authorize the DHCP server in Active Directory before it begins serving clients. The Windows Server 2008 DHCP service contacts Active Directory to determine whether it is an authorized DHCP server and, if it is not, refuses to answer client requests. Keep in mind that this is a check the Windows DHCP service performs on itself: a DHCP server running on a non-Windows system never consults Active Directory and is not stopped by it, so authorization complements, rather than replaces, switch-level controls such as DHCP snooping.
■
Enhanced monitoring With the Windows Server 2008 DHCP service, you have the ability to monitor the pool of IP addresses and receive notification when the address pool is utilized at a threshold level. For example, you might monitor for a threshold of 90 percent or above.
■
Vendor and user classes Vendor and user classes enable you to distinguish the types of machines that are obtaining DHCP leases. For example, you can use a predefined class to determine which users are remote access clients.
■
Clustering Windows Server 2008 DHCP services support clustering. Through a cluster, you can ensure a higher reliability and availability of DHCP services to clients.
The negotiation process consists of only four messages, two from the client and two from the server (often remembered as DORA). The first message is the DHCP Discover, which the client broadcasts because it has no address yet and does not know where a DHCP server is; it asks any server on the segment (or a relay agent) for an IP address lease. The second message is the DHCP Offer, from a server to the client, proposing an address and lease options. If several servers answer, the client receives several offers. The third message is the DHCP Request, which the client broadcasts to accept one offer; it names the chosen server (the server identifier option), so the other servers can withdraw their offers. The fourth and final message is the DHCP Acknowledge from the chosen server, which officially assigns the IP address lease to the client; a server that cannot grant the request answers with DHCP Not Acknowledged (NAK) instead. Each DHCP server requires a statically assigned IP address. DHCP was first published as RFC 1541 in 1993 and is currently specified by RFC 2131 of March 1997 (http://www.rfc-editor.org/rfc/rfc2131.txt), with the standard option codes defined in RFC 2132. Since then, a number of additional DHCP options have made it possible to distribute even more IP-related information to clients, making IP management much more flexible for IT administrators.
DHCP Design Principles DHCP is heavily reliant on network topology, and is heavily relied upon by the hosts within a network. For DHCP to function at an optimal level, client computers must be able to access at least one DHCP server at all times. When developing a DHCP approach for your network, you must consider several things first: ■
How many clients will be using DHCP for IP addresses?
■
Where are these clients located and what roles do they have?
■
What does the network topology look like?
■
Are there any unstable WAN links that might cause a network outage if DHCP clients cannot contact a DHCP server for an IP address lease?
■
Are there any clients that cannot use DHCP?
■
Are there any clients that will be using BOOTP?
■
Which IP addresses are dedicated and must be held outside the IP address pool?
■
Will you be using Dynamic DNS?
DHCP clients do not wait for the DHCP lease to be over before beginning renewal. Instead, they begin the renewal at the point when 50 percent of the lease is up. For example, when a client has a ten-day lease, then after five days, the client
sends a unicast DHCP Request message to the server that granted the lease (the renewing state). If the server agrees to renew the lease, it responds with a DHCP Acknowledge message. If the client does not receive the DHCP Acknowledge response, it retries, waiting half of the time remaining in the renewing period before each retry (RFC 2131 sets a floor of 60 seconds on this wait). At 87.5 percent of the lease (8.75 days into a ten-day lease) the client gives up on that server, enters the rebinding state, and broadcasts its DHCP Request so that any DHCP server can renew the lease. If the lease expires without being renewed, or if a DHCP server sends a DHCP Not Acknowledged response, the client must stop using the address and begin a new lease process with DHCP Discover. DHCP has only a couple of design requirements: ■
You should have at least two DHCP servers to ensure redundancy. You can use clustering to ensure availability, but also keep in mind that two separate DHCP servers at different locations in the network can prevent DHCP problems resulting from a network link failure.
■
You must either provide a DHCP server on each network segment or configure routers in between those segments to forward the DHCP messages.
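The renewal timeline described above, as an added Python example (not code from the book): it models the RFC 2131 client timers, T1 at 50 percent of the lease for renewing against the granting server, T2 at 87.5 percent for rebinding by broadcast, and a retry wait of half the remaining time with a 60-second floor. The function and variable names are the example's own; a server can override T1 and T2 with DHCP options 58 and 59, which the function accepts as t1 and t2.

```python
"""Client renewal timers from RFC 2131 section 4.4.5, as a small model.
Added example, not code from the book."""

DAY = 86400


def lease_timeline(lease, t1=None, t2=None, min_wait=60):
    """Events [(seconds since the lease began, state), ...] for a client
    whose renewal attempts all go unanswered.
    RENEWING  = unicast DHCPREQUEST to the server that granted the lease
    REBINDING = broadcast DHCPREQUEST so any DHCP server may answer
    EXPIRED   = address dropped, client starts over with DHCPDISCOVER
    A server may override T1/T2 with options 58 and 59: pass them as t1/t2."""
    t1 = lease * 0.5 if t1 is None else t1
    t2 = lease * 0.875 if t2 is None else t2
    events, t = [], t1
    while t < t2:                          # renewing phase, retry toward T2
        events.append((t, "RENEWING"))
        t += max((t2 - t) / 2, min_wait)   # half the remaining time, 60 s floor
    t = t2
    while t < lease:                       # rebinding phase, retry toward expiry
        events.append((t, "REBINDING"))
        t += max((lease - t) / 2, min_wait)
    events.append((lease, "EXPIRED"))
    return events


def summarize(lease, **kw):
    """First attempt (in days) and number of attempts per phase."""
    tl = lease_timeline(lease, **kw)
    renew = [t for t, s in tl if s == "RENEWING"]
    rebind = [t for t, s in tl if s == "REBINDING"]
    return {"first_renew_day": renew[0] / DAY, "renew_attempts": len(renew),
            "first_rebind_day": rebind[0] / DAY, "rebind_attempts": len(rebind),
            "expires_day": lease / DAY}


if __name__ == "__main__":
    # The book's ten-day lease: renewal starts on day 5, rebinding on day 8.75.
    for t, state in lease_timeline(10 * DAY)[:4]:
        print("day %.3f  %s" % (t / DAY, state))
    print(summarize(10 * DAY))
```

Because every attempt after T1 is a unicast to one server and every attempt after T2 is a broadcast, a client that has crossed T2 shows up in a packet capture as broadcast DHCPREQUESTs, a quick sign that its DHCP server has been unreachable for most of the lease.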
When planning the DHCP servers, the network topology comes into play. It is critical you place DHCP servers at locations most available to the computers that need IP addresses.
DHCP Servers and Placement The number of DHCP servers you need on a network is driven by the number of clients, availability requirements for the DHCP server, and the network topology. The number of clients a DHCP server can serve varies based on the hardware of the server and whether it provides multiple roles or is strictly a DHCP server. Most can provide IP addresses to thousands of hosts. Server hardware that will have the greatest impact on DHCP performance includes the network interface and hard disk. The faster the network interface card (NIC) and disk access, the better. In addition, multiple NICs will greatly improve performance, since NIC speed in no way compares to the speed of the internal PC hardware, and adding NICs literally relieves a bottleneck. The availability of the DHCP services to the network drives multiple DHCP servers. You must have at least two DHCP servers. You might want to cluster the server if you have a large scope of addresses that are provided to a network segment. The network topology will drive additional servers as well. This is something that must be reviewed and then planned. Ideally, a network should have a DHCP server on each segment, although this becomes impractical. Because you can configure
routers to forward DHCP requests using a DHCP Relay Agent, you can place DHCP servers at any location on the network. Therefore, you should probably look at the unstable WAN links as the deciding factors for additional DHCP servers. A network that has a highly unstable satellite link to a location that has thousands of clients will require its own DHCP server. However, a network with a highly unstable satellite link to a location that has only a few clients will probably be better served by a statically applied IP address or alternate IP configuration used with DHCP from across the link.
Installing and Configuring DHCP Installing DHCP in Windows Server 2008 is as simple as adding another role to a server. Some additional steps must be taken, however, to authorize the DHCP server. Back in Windows 2000 Server, Microsoft introduced the concept of authorizing a DHCP server. Microsoft did this because of the problem of “rogue” DHCP servers—servers that users would install on the network and configure to hand out IP addresses, thus causing problems for production clients. Authorization governs only the Windows DHCP service on domain-joined servers; a rogue running on another operating system, or one set up deliberately by an attacker, ignores it, which is why DHCP snooping on the access switches (allowing DHCP server replies only from trusted ports) is the complementary control. The problem with rogue DHCP servers was that IP addresses that were handed out would either: ■
Overlap with existing IP addresses in the network, causing a conflict
■
Hand out correct IP addresses, but possibly hand out other incorrect information, such as DNS, WINS, subnet mask, and gateway information. A malicious server that names itself as the default gateway or DNS server can intercept and redirect client traffic.
■
Hand out a completely incorrect range of IP addresses
■
Create unnecessary traffic on the network
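The four-message exchange described earlier and the rogue-server problem just listed, in one added Python example that is not code from the book: it serializes and parses RFC 2131 messages, runs Discover/Offer/Request/Acknowledge in memory between a client and a server, and then checks a captured DHCPOFFER against a table of authorized servers and their expected scope settings, the way a detection script on a network sensor would. The addresses, the MAC address, the scope values and the AUTHORIZED table are constructed for the example; the option codes (53 message type, 54 server identifier, 51 lease time, 50 requested address, 1 subnet mask, 3 router, 6 DNS) are the standard ones from RFC 2132.

```python
"""RFC 2131 DHCP in miniature: build/parse messages, run the DORA exchange,
and check a DHCPOFFER against the authorized servers. Added example, not code
from the book; all addresses and the AUTHORIZED table are constructed."""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message types
MAGIC = b"\x63\x82\x53\x63"                   # options magic cookie
HDR = "!BBBBIHH4s4s4s4s16s64s128s"            # 236-byte fixed header
BROADCAST = 0x8000                            # flags bit: reply by broadcast


def build(op, xid, chaddr, options, yiaddr="0.0.0.0", flags=0):
    """Serialize one DHCP message; options is a list of (code, bytes)."""
    zero = socket.inet_aton("0.0.0.0")
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, flags, zero,
                      socket.inet_aton(yiaddr), zero, zero,
                      chaddr.ljust(16, b"\x00"), b"", b"")
    body = b"".join(struct.pack("!BB", c, len(v)) + v for c, v in options)
    return hdr + MAGIC + body + b"\xff"        # 0xFF ends the option list


def parse(pkt):
    """Decode the header fields that matter plus the TLV option area."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                        # pad option carries no length
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
            "chaddr": f[11][:f[2]], "options": opts}


def server_reply(msg_type, req, cfg, yiaddr):
    """DHCPOFFER or DHCPACK carrying the scope options from cfg."""
    r, a = parse(req), socket.inet_aton
    opts = [(53, bytes([msg_type])), (54, a(cfg["server"])),
            (51, struct.pack("!I", cfg["lease"])), (1, a(cfg["mask"])),
            (3, a(cfg["router"])), (6, a(cfg["dns"]))]
    return build(BOOTREPLY, r["xid"], r["chaddr"], opts, yiaddr=yiaddr)


def dora(cfg, xid, mac):
    """Run the exchange in memory; returns (discover, offer, request, ack)."""
    discover = build(BOOTREQUEST, xid, mac, [(53, bytes([DISCOVER]))],
                     flags=BROADCAST)
    offer = server_reply(OFFER, discover, cfg, cfg["pool"][0])  # first free address
    o = parse(offer)
    # The REQUEST is broadcast and names the chosen server (option 54) so
    # every other server that made an offer can withdraw it.
    request = build(BOOTREQUEST, xid, mac,
                    [(53, bytes([REQUEST])), (50, socket.inet_aton(o["yiaddr"])),
                     (54, o["options"][54])], flags=BROADCAST)
    ack = server_reply(ACK, request, cfg, o["yiaddr"])
    return discover, offer, request, ack


def ip_int(s):
    return struct.unpack("!I", socket.inet_aton(s))[0]


def check_offer(offer, authorized):
    """Findings for a captured DHCPOFFER; empty list means it looks legitimate."""
    o = parse(offer)
    opts = o["options"]
    sid = socket.inet_ntoa(opts.get(54, b"\x00\x00\x00\x00"))
    if sid not in authorized:
        return ["DHCPOFFER from unauthorized server %s" % sid]
    a, findings = authorized[sid], []
    lo, hi = ip_int(a["range"][0]), ip_int(a["range"][1])
    if not lo <= ip_int(o["yiaddr"]) <= hi:
        findings.append("offered %s outside scope range" % o["yiaddr"])
    for code, key in ((1, "mask"), (3, "router"), (6, "dns")):
        if code in opts and socket.inet_ntoa(opts[code]) != a[key]:
            findings.append("option %d is %s, expected %s"
                            % (code, socket.inet_ntoa(opts[code]), a[key]))
    return findings


# Constructed scope, matching the book's 192.168.1.200-220 walkthrough.
SCOPE = {"server": "192.168.1.10", "mask": "255.255.255.0",
         "router": "192.168.1.1", "dns": "192.168.1.10", "lease": 864000,
         "pool": ["192.168.1.200", "192.168.1.201"]}
AUTHORIZED = {"192.168.1.10": {"range": ("192.168.1.200", "192.168.1.220"),
                               "mask": "255.255.255.0",
                               "router": "192.168.1.1", "dns": "192.168.1.10"}}
# Constructed rogue that points the gateway and DNS server at itself.
ROGUE = dict(SCOPE, server="192.168.1.250", router="192.168.1.250",
             dns="192.168.1.250", pool=["192.168.1.50"])
MAC = bytes.fromhex("001122334455")

if __name__ == "__main__":
    _, offer, _, ack = dora(SCOPE, 0x3903F326, MAC)
    print("ACK assigns", parse(ack)["yiaddr"])
    print("legitimate offer:", check_offer(offer, AUTHORIZED))
    print("rogue offer:", check_offer(dora(ROGUE, 1, MAC)[1], AUTHORIZED))
```

check_offer trusts the server identifier the offer carries, which a deliberate rogue can spoof, so it detects misconfigured or accidental servers rather than enforcing anything; enforcement belongs on the switch (DHCP snooping), where the port a reply arrives on cannot be forged by the sender.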
During the installation process, we will walk through installing the DHCP role, configuring DHCP settings, and authorizing the DHCP server. Let’s begin.
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary and click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, select DHCP Server, and then click Next.
5. Click Next to get through the DNS Server settings. This screen is verifying the IP address of our DNS server, which will be passed to clients.
6. Click Next again to skip the WINS settings. If WINS was running (we will discuss WINS later), we could select the WINS server here.
Next, we need to configure a DHCP scope. A DHCP scope is a range of IP addresses (as well as additional IP options, such as gateway, DNS servers, and WINS servers) that can be handed out by a DHCP server. In the first example, we are going to configure both an IPv4 and IPv6 scope.
TEST DAY TIP You should understand the 80/20 rule for DHCP. The 80/20 rule means that IP scopes should be split between two DHCP servers, so server A can distribute 80 percent of IP addresses, while server B can hand out the remaining 20 percent. Both servers define the same scope (same network and subnet mask) with the same options, and each excludes the portion of the range the other hands out, so clients receive consistent settings whichever server answers. In this scenario, you would now have fault tolerance for your subnets. The idea behind the 80/20 rule is that during the period in which server A is unavailable, the other server can service requests for addresses.
Now, let’s configure our scope:
1. Click Add… to add a new DHCP scope.
2. In the Scope Name field, type Internal Scope.
3. In the Starting IP Address field, type 192.168.1.200, or any IP range you have available on your network.
4. In the Ending IP Address field, type the end of your scope. We will use 192.168.1.220.
5. In the Subnet Mask field, enter the subnet mask of your network. Our subnet mask is 255.255.255.0.
6. Skip the default gateway for now; we will add this later.
7. Choose Wired as the Subnet type, but click the down arrow to see the Wireless option.
8. Verify that Activate This Scope is checked (see Figure 2.13), and then click OK.
Figure 2.13 Scope Settings for DHCP
9. Click Next once your scope is added.
10. Determine what to do with IPv6 clients. We want to manage IPv6 clients through DHCP when necessary. To do this, select Disable DHCPv6 Stateless Mode For This Server and click Next.
11. Specify the IP address of an IPv6-enabled DNS server. To do this, enter the IP address of this server. If you recall, we set IPv6 options in the DNS section. Verify that our server’s IPv6 settings appear in the Preferred DNS Server IPv6 Address field, validate it, and then click Next.
12. On the Authorize DHCP Server page, you can specify the credentials of a user who is allowed to authorize DHCP servers in Active Directory (an Enterprise Admin by default), or just click Next to use the current credentials.
13. Click Install to begin the installation.
14. When installation is complete, click Close.
Using Server Core and DHCP DHCP is also a role that is supported in a Windows Server 2008 Server Core installation. DHCP installation is handled via the command line of the Server Core installation. However, management of the DHCP server (as well as the DHCP scopes) can be controlled from a remote Windows Server 2008 system. In this section, we will install the DHCP role and configure a DHCP scope using the Server Core command line. Let’s begin by installing the role:
1. Log on to your Windows Server 2008 Server Core system.
2. Install the DHCP bits. To do this, type start /w ocsetup DHCPServerCore (Figure 2.14). Note that ocsetup package names are case sensitive.
Figure 2.14 Installing the DHCP Role
3. Set the DHCP service to start automatically. To do this, type sc config dhcpserver start= auto (the space after the equals sign is required by sc).
4. Type sc query dhcpserver. If the service is not running, start it by typing sc start dhcpserver. You can see the command syntax in Figure 2.15.
Figure 2.15 Starting the DHCP Role
5. Next, we need to configure our DHCP server by adding the DHCP scope. To do this, we must first start the netsh application. At the command prompt, type netsh.
6. At the netsh> prompt, type dhcp server.
7. Authorize the server in Active Directory at the dhcp server> prompt by typing initiate auth. (This does not create a scope; it performs the same authorization step the Add Roles wizard performed on the full installation.)
8. Add the scope by typing add scope 10.0.0.0 255.0.0.0 BackupScope. 10.0.0.0 indicates the network leased by the DHCP server, while 255.0.0.0 represents the subnet mask. BackupScope is the name we’ve given to the scope.
9. Type scope 10.0.0.0. This switches the prompt into the scope context so we can configure it.
10. Add the range of addresses the scope will lease by typing add iprange 10.0.0.1 10.0.0.50. The range is set with add iprange, not with option values.
11. Set the default gateway handed to clients (option 003, Router) by typing set optionvalue 003 IPADDRESS 10.0.0.1.
12. Set the DNS server list handed to clients (option 006, DNS Servers) by typing set optionvalue 006 IPADDRESS 10.0.0.50. Use the address of a real DNS server; if it falls inside the lease range, exclude it with add excluderange 10.0.0.50 10.0.0.50 so it is never leased to a client.
13. Activate the scope by typing set state 1.
14. Type exit to close the netsh application. The netsh session can be seen in Figure 2.16; note that the figure shows option values being set without the add iprange step, which is required for the scope to lease any addresses.
Figure 2.16 The netsh Syntax for DHCP
Configuring DHCP for DNS We discussed dynamic updates earlier in this chapter, but it is important to understand what the DHCP server registers on a client’s behalf by default. A client running Windows 2000 or later sends its fully qualified domain name (FQDN) to the DHCP server in the Client FQDN option (option 81) and, by default, registers its own host (A) record itself while asking the DHCP server to register the pointer (PTR) record. DHCP can therefore update DNS in two different ways: it can honor what the client requests in option 81 (the default), or it can be configured to register both the A and PTR records itself for legacy or non-Windows clients that do not send the option. Windows 2000 and later clients update DNS when: ■
Static IP address information is updated
■
An IP address lease is obtained or renewed, including when a new address is given to a client
■
When the ipconfig /registerdns command is entered at a command prompt. This re-registers a client within DNS.
In order for clients to update automatically, we must adjust the properties of our DHCP scope appropriately by performing the following steps:
1. Choose Start | Administrative Tools | DHCP.
2. Right-click your IPv4 scope and choose Properties.
3. Click the DNS tab.
4. Notice that, by default, dynamic updates are enabled and DHCP updates A and PTR records only when requested by the client (option 81).
Configuring Network Services • Chapter 2
5. We need to set DHCP to also dynamically update records for clients (such as Windows NT 4.0) that cannot update automatically. Place a checkmark next to the Dynamically Update DNS A And PTR Records For DHCP Clients That Do Not Request Updates option.
6. Click Apply and then OK. This is not required for IPv6 scopes since IPv6 was not available in these older operating systems.
If the zone accepts only secure dynamic updates, the DHCP server needs credentials to register records. Supply a dedicated, low-privilege domain account on the Advanced tab (Credentials) rather than running the DHCP service on a domain controller or adding the server to the DnsUpdateProxy group: records created by DnsUpdateProxy members are unsecured and can be taken over by any client, and a record registered under the DHCP server’s own computer account is owned by that server, so the client cannot later update it itself.
Configuring Windows Internet Naming Service (WINS) Windows Internet Naming Service (WINS) was originally developed by Microsoft as a part of Windows NT. Like DNS, WINS keeps name-to-IP address mappings in a server-side database, but the names it maps are NetBIOS names: a flat namespace of names up to 15 characters (plus a one-byte suffix identifying the service type), with no hierarchy or domain structure. WINS is a service that has been “going away” since Windows 2000 Server, and yet it remains part of Windows even today. Many problems existed with WINS, particularly in terms of scalability. Over the years, the need for WINS and NetBIOS name resolution has been greatly reduced. However, some applications (legacy versions of Outlook, for example) still require NetBIOS resolution. In certain situations, LMHOSTS files can be used in the absence of a WINS server. LMHOSTS files have their own problems and limitations as well, most specifically the fact that they can become outdated and contain incorrect data; they require constant updating and maintenance. As with DHCP, once the need for NetBIOS name resolution goes beyond a handful of systems, WINS is a much more reasonable solution since it allows for dynamic registration. Interestingly enough, WINS has become such an afterthought that the TechNet site for WINS under Windows Server 2008 simply refers you to the documents for Windows Server 2003. Your first task in developing a WINS design is to determine whether you need WINS at all. One thing you need to test for is whether NetBIOS over TCP/IP is still being used to communicate across the network. You can do this with Performance Monitor, or with a packet capture that looks for NetBIOS name service traffic (UDP port 137). Once you determine whether NetBIOS naming is currently needed, your next task is to determine whether the network can function without NetBIOS naming at all. This will require you to test applications and services on a test network in a lab without using NetBIOS, LMHOSTS, or WINS.
The design of a WINS topology should take into account how WINS servers replicate. Each WINS server pushes or pulls the database from its replication partners. If you configure the replication partners so they replicate in a domino fashion, it will take several steps for any change to be updated across the network. The time for replication to fully synchronize across all WINS servers is called convergence time. The longer convergence takes, the higher the likelihood of errors. To reduce convergence time, you can create a hub and spoke topology in which all WINS servers replicate with a central WINS server. In this topology, any update made on any WINS server in the network reaches every other server in at most two replication steps. Windows Server 2008 DNS is compatible with WINS. You can use both in a network environment that has WINS clients and DNS clients. We will discuss this a little later in the chapter. Keep in mind that WINS uses a flat namespace. All names are considered equal, and as such, must be unique. This means you can only have one computer named Ned and one computer named Joe. When two computers are configured with the same NetBIOS name, only the first to register keeps the name; the second one’s name registration is rejected and it cannot be reached by that name. Older Microsoft networks not only used WINS, but also transmitted data across NetBEUI, a protocol that does not incorporate a network layer. Without a network layer, NetBEUI is not routable. However, NetBIOS can be carried over TCP/IP or even over IPX. In the Windows Server 2003 and Windows Server 2008 operating systems, NetBIOS is only carried over TCP/IP, if it is used at all. If you determine that you will install or upgrade an existing WINS network, you must first determine whether the hardware of your server will be sufficient for WINS. WINS servers use their hard disks quite heavily, so you should make certain you have sufficient hard disk performance. You should also determine how many WINS servers you should deploy.
A single WINS server with sufficient hardware and network performance can provide services to 10,000 clients.You should always plan for at least two WINS servers for redundancy. WINS has the ability to integrate with DNS so DNS clients can use DNS to look up records in the WINS database. This helps in case a network has client computers running non-Microsoft operating systems, such as Unix or Linux. To use the WINS Lookup Integration feature, you must add a special WINS resource record for the WINS servers on the network. From the client perspective, you should be aware of how the node types will affect the communication preferences of the client computer. Node types affect the type of WINS traffic that traverses the network. For example, if you want to avoid all broadcast traffic, you would configure WINS clients to be p-nodes because they
do not invoke broadcasts to resolve NetBIOS names. You can then configure DHCP to tell a computer what type of WINS node it will be, using DHCP option 046 (WINS/NBT Node Type): 1 = b-node, 2 = p-node, 4 = m-node, 8 = h-node. The options you have are: ■
b-node A b-node depends on broadcasts to register and resolve names. If there are no WINS servers configured, this is the default node type used; once a WINS server address is configured, a Windows client defaults to h-node instead.
■
h-node An h-node will search the configured WINS server first, and then resort to broadcasts, followed by LMHOSTS, and then DNS to register and resolve names.
■
m-node The m-node is the opposite of an h-node. It will broadcast first, and then search the configured WINS server.
■
p-node A p-node only uses point-to-point connections with a configured WINS server.
Understanding WINS Replication If WINS is a network service that you will require in your organization, it will be important to understand how WINS handles redundancy and partnerships. In order for WINS servers to replicate WINS records with each other, a replication partnership must be configured between them. Three possible kinds of replication partnerships can be configured between WINS servers: push/pull (also known as full ), push-only, and pull-only (also known as limited).You can set up a replication partnership manually or implement it automatically.
Automatic Partner Configuration Automatic partner configuration is an option that can be implemented on small networks to eliminate the administrative effort of configuring replication partnerships between WINS servers. When automatic partner configuration is enabled, the WINS server sends announcements to the multicast address 224.0.1.24, the well-known multicast group for WINS servers, joining the group through the Internet Group Management Protocol (IGMP). When the WINS server discovers other WINS servers that are announcing themselves, it automatically configures a partnership agreement between itself and the discovered WINS server. (Both must be enabled for automatic partner configuration.) When the WINS server discovers another WINS server, it adds the server to its list of replication partners, configures push/pull replication between the servers, and sets the pull replication interval to every two hours. Normally, routers do not forward this multicast traffic, so this configuration is best used on small unsegmented LANs. However, it is possible to configure routers to forward it, allowing automatic partner configuration to be used in a routed
environment. If the environment has only a few routers, the amount of multicast traffic should be minimal. Because any host that can join the group can announce itself as a WINS server, automatic partner configuration should only be used where every host on the segment is trusted.
Push Partnerships As the name implies, when a push partnership is configured, changes in the WINS database are pushed to the remote WINS server. More accurately, a WINS server with records to replicate sends a push notification to target servers (those configured to use it as a pull partner), alerting them that it has records to update on the target WINS servers. The push notification includes an owner table that lists the owner IDs and the highest version ID for each owner. The target servers compare this information with their own owner tables to determine which records to replicate. The target servers reply to the push notification with a pull request, and the transfer of records takes place. Accordingly, since a transfer of records will not take place until a pull request has been received by the server that sent the push notification, pull replication is the single mechanism for replication. The process for push replication occurs as follows: 1. The source WINS server receives updates to its database and, based on a configurable threshold, sends a push notification to the destination WINS server (its push partner), indicating it has updates to replicate. 2. The destination WINS server for the notification (the push partner) responds by initiating a pull request to its pull partner (the WINS server that sent the notification), and the replication is initiated between the replication partners. Push replication is not schedulable according to an interval of time. Rather, the WINS administrator configures an update threshold that will trigger a push notification. For example, the WINS server could be configured to send a notification to its push partner after it has received 100 updates. It is also possible to manually initiate the push notification. When you manually initiate the push notification, you can choose to push the notification to the replication partner or trigger the replication to send a notification to all its partners as well. 
As an example, consider a replication topology where three WINS servers are configured as push replication partners. WINS-A replicates to WINS-B, which replicates to WINS-C. So, if you manually sent a push notification from WINS-A to its replication partner, WINS-B, you could force WINS-B to also send a push notification to its other replication partner, WINS-C. In certain rare situations, it might be desirable to use a push-only replication partnership for one-way replication—for instance, from a head office to a branch office. As an example, suppose WINS-A in the head office configures WINS-B in
the branch office as its push-only partner. (WINS-B should also configure WINS-A as its pull-only partner.) When WINS-A receives updates to its records, it notifies WINS-B, which sends an update (pull) request to WINS-A for the changed records since the last replication cycle. In this scenario, WINS-B never sends its updated records to WINS-A. Push partnerships are generally configured in LAN environments where bandwidth is not an issue, and it is not necessary to schedule replication to occur during off-peak hours. In general, you should use push replication partnerships in the following situations: ■
There is ample bandwidth over LAN or WAN connections.
■
There is a need to ensure that updates are replicated as soon as possible and the frequency of replication traffic is not a consideration.
Pull Partnerships Pull replication differs from push replication in that the replication frequency is defined as an interval of time. At regularly scheduled intervals, a pull partner requests updates from other WINS servers (those configured to use it as a push partner) for updated records that have a higher version ID than the ones it currently has in its database. Pull replication is configured similarly to push replication. The primary difference is that the WINS administrator schedules the times that the pull replication will take place. In some situations, it might be desirable to configure pull-only replication between replication partners. Usually, this configuration is implemented where WAN links are operating close to capacity and there is a need to schedule WINS replication during off-peak hours. Pull-only replication has an advantage over push-only replication in that the replication schedule can be known in advance. With push-only replication, replication is triggered by reaching a configured threshold of updates, and you can only estimate when this would occur based on experience with the network. However, a disadvantage of pull-only replication is that the WINS server could potentially have acquired a large number of updates to replicate between cycles. In general, you should use pull replication partnerships in the following situations: ■
There is limited bandwidth between WINS servers that requires replication to be scheduled during off hours.
■
There is a need to consolidate updates and reduce the frequency and amount of replication traffic.
■
There is a need to exercise finer control over the timing and frequency of replication traffic.
Push/Pull Partnerships A push/pull partnership is the default when you configure replication between WINS servers. In fact, Microsoft recommends a push/pull partnership as a best practice and further recommends that all WINS partnerships be set up this way, unless there is an overriding need to implement a limited partnership. The only need that Microsoft cites for a limited partnership is the presence of a large network connected by relatively slow WAN links. Microsoft often stresses the need for simplicity in a WINS environment. With a push/pull partnership, a WINS server will be configured both to send push notifications and to make pull requests to its replication partner. The replication partner will also be configured in a similar way. Such a configuration helps ensure that synchronization among WINS servers is optimal, depending on the pull schedule and the configured threshold for push notifications, among other factors. For example, suppose a WINS server suddenly experiences a large number of updates and immediately sends a push notification to its push partner. The push partner would immediately request these updates, without waiting for the request to be triggered by its pull schedule. Conversely, a WINS server always pulls up-to-date records from its pull partner according to the replication schedule, regardless of how few records have been updated on the pull partner WINS server. You should always try to deploy a push/pull partnership, unless there is an overriding concern that requires the implementation of a limited partnership.
Replication Models As we mentioned earlier, the replication model you design will have an effect on the convergence time for replicated WINS records and fault tolerance for replicated records. A replication model that is appropriate for your network topology will ensure the shortest convergence time for replicated WINS records. Where possible, it is recommended your replication model mirror your network topology and that you keep this model as simple as possible. In WINS environments where there are three or more WINS servers, you can employ either a ring replication model or a hub-and-spoke replication model. In more complex environments, these models can be combined to ensure optimal convergence time and fault tolerance for a given network topology. In the following sections, we will discuss each of these models in more detail.
Ring Models In a ring model, three or more WINS servers are configured to replicate with one another in a circular fashion. The ring model provides for good convergence times for all replication partners when there are no more than four WINS servers. In this model, fault tolerance for replication of WINS records is given priority. Imagine four servers, WINS-A through WINS-D, arranged in a ring: A replicates with B, B with C, C with D, and D with A. A record updated on WINS-A must travel through either WINS-B or WINS-D before it is replicated to WINS-C. Now suppose that the WAN link connecting WINS-A and WINS-D fails. The updated record can still arrive at WINS-C (via WINS-B) and at WINS-D (via WINS-C). Conversely, a record created on WINS-D can still be replicated to WINS-A via WINS-C and WINS-B.
Hub-and-Spoke Models In a hub-and-spoke model, all WINS servers replicate with a centrally located hub WINS server. The hub-and-spoke model provides for the shortest convergence time in a replication environment that comprises five or more WINS servers, because it provides for the shortest replication paths between any two WINS servers. Furthermore, by implementing a hub-and-spoke model, you reduce the number of replication partnership agreements that you need to maintain. Even though there are five WINS servers that replicate information, there are only four replication agreements to maintain. Furthermore, no server is more than two hops from any other server, regardless of the number of servers added to the topology. A disadvantage of this model is that it is not as fault tolerant as the ring model. If the hub (call it WINS-A) fails, no WINS server will be able to replicate its records to other WINS servers. Furthermore, depending on the average number of records the spoke WINS servers need to replicate and the settings for the push and pull triggers, WINS-A can be continuously replicating with other servers and processing updates. It should be well connected to the other WINS servers and have the capacity to handle the load. To enhance fault tolerance in this situation, you could set up a backup WINS server in the same location as WINS-A and configure a replication partnership agreement between them. This solution, however, increases administrative complexity for the maintenance of replication partnerships. An alternative solution that still provides a high degree of availability is to use Windows clustering for the hub WINS server. A Windows cluster gives you the ability to set up separate WINS servers, known as cluster nodes, that use the same database located in a shared SCSI or Fibre Channel device. When the WINS server that is the active node in the cluster fails, the services
www.syngress.com
109
110
Chapter 2 • Configuring Network Services
will failover to another node. Failover is the process of taking resources offline in one node and bringing them online in a new node. The primary advantage of using a Windows cluster is that in the event of a failure of a WINS server, no subsequent replication needs to occur to synchronize records when the failed server is brought online, because only a single database is used.
Hybrid Replication Models In many situations, it is desirable to combine replication models. As an example, consider a large organization that has three divisions in different geographic locations. Each of these divisions has a number of branch offices that are connected to their respective divisional offices. It might be advantageous to use a ring model of WINS replication among the divisional offices and use hub-and-spoke replication for replication between the divisional offices and their respective branch offices. Many other variations are possible. A hybrid replication model can employ any mixture of full and limited replication partnerships, driven by the contingencies of the network topology.
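The ring, hub-and-spoke, and hybrid models described above can be compared quantitatively by treating each WINS server as a node and each replication partnership agreement as an edge. The following Python script is an added example, not code from the book; it assumes every partnership is a full push/pull pair (records flow in both directions), uses the hop count between two servers as a proxy for convergence time, and uses post-failure reachability as a proxy for fault tolerance.

```python
"""Compare WINS replication topologies (ring, hub-and-spoke, hybrid) as graphs.

Added example, not from the book. Assumptions: every replication partnership
is a full push/pull pair, so an updated record can travel across it in either
direction; hop count approximates convergence time; server pairs that can no
longer exchange records after a failure approximate loss of fault tolerance.
"""
from collections import deque
from itertools import combinations


def add_partnership(topo, a, b):
    """Record one replication partnership agreement between servers a and b."""
    topo.setdefault(a, set()).add(b)
    topo.setdefault(b, set()).add(a)


def ring(servers):
    """Ring model: each server replicates with its two neighbours."""
    topo = {s: set() for s in servers}
    for a, b in zip(servers, servers[1:] + servers[:1]):
        add_partnership(topo, a, b)
    return topo


def hub_and_spoke(hub, spokes):
    """Hub-and-spoke model: every spoke replicates only with the hub."""
    topo = {hub: set()}
    for s in spokes:
        add_partnership(topo, hub, s)
    return topo


def merge(*topos):
    """Hybrid model: the union of several topologies that share server names."""
    out = {}
    for topo in topos:
        for a, partners in topo.items():
            out.setdefault(a, set())
            for b in partners:
                add_partnership(out, a, b)
    return out


def agreements(topo):
    """Number of replication partnership agreements an administrator maintains."""
    return sum(len(partners) for partners in topo.values()) // 2


def hops_from(topo, start, failed_links=(), failed_servers=()):
    """Breadth-first search: hops from `start` to every server a record still reaches.

    failed_links is an iterable of (server, server) pairs whose WAN link is down;
    failed_servers is an iterable of servers that are offline.
    """
    down = {frozenset(link) for link in failed_links}
    if start in failed_servers:
        return {}
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in topo[cur]:
            if nxt in failed_servers or frozenset((cur, nxt)) in down:
                continue  # this partnership cannot carry records right now
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def max_hops(topo):
    """Worst-case number of replication hops between any two servers."""
    return max(max(hops_from(topo, s).values()) for s in topo)


def unreachable_pairs(topo, failed_links=(), failed_servers=()):
    """Pairs of surviving servers that can no longer exchange records."""
    alive = [s for s in topo if s not in failed_servers]
    broken = set()
    for a, b in combinations(alive, 2):
        if b not in hops_from(topo, a, failed_links, failed_servers):
            broken.add(frozenset((a, b)))
    return broken


if __name__ == "__main__":
    four_ring = ring(["WINS-A", "WINS-B", "WINS-C", "WINS-D"])
    star = hub_and_spoke("WINS-A", ["WINS-B", "WINS-C", "WINS-D", "WINS-E"])
    print("ring:", agreements(four_ring), "agreements,", max_hops(four_ring), "hops")
    print("hub-and-spoke:", agreements(star), "agreements,", max_hops(star), "hops")
    # WAN link WINS-A/WINS-D fails: the ring still converges, via WINS-B and WINS-C.
    print("ring, A-D link down:", unreachable_pairs(four_ring, [("WINS-A", "WINS-D")]))
    # Hub fails: the spokes can no longer replicate with one another.
    print("hub down:", len(unreachable_pairs(star, failed_servers=["WINS-A"])), "pairs cut off")
```

Running the script shows the trade-off the text describes: both four-server topologies need four agreements and converge in two hops, but only the ring keeps every server reachable after a single link failure.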
Static WINS Entries One of the advantages of using WINS is that it provides a way to dynamically register NetBIOS names, eliminating the need for static entries in LMHOSTS files. However, certain situations require the use of static mappings in the WINS server database. For example, if you have non-WINS clients that are running NetBIOS applications, you might find it desirable to have entries for these clients in the WINS database so you can allow WINS clients to resolve the NetBIOS names of those clients. Static mappings are superior to entries in an LMHOSTS file because they can be replicated throughout the WINS infrastructure. The use of static mappings can create problems on your network. Unlike dynamic mappings, static mappings stay in the WINS database until they are manually removed. (The expiration date for the static mapping entry in the WINS database is labeled as infinite.) Furthermore, unless the migrate on setting is enabled, static mappings are not overwritten by dynamic mappings. For example, a client computer might be given a static mapping in the WINS database, or an LMHOSTS file might be imported to the WINS database, creating a number of static WINS entries. If the clients associated with the static mappings are later configured as WINS clients, they would not be able to perform dynamic registration of their NetBIOS names, unless the migrate on setting was enabled.
NOTE Even though the migrate on setting can prevent a number of problems associated with the ability to overwrite static entries, this setting does not affect all NetBIOS record types. For example, the domain [1Ch] record type is never overwritten, regardless of this setting.
In general, static entries should never be created for WINS-capable client computers. However, it is sometimes desirable for security purposes to use static entries for mission-critical servers to prevent redirection. Now that you understand the purpose of WINS design fundamentals, as well as some of the history behind it, let’s take a look at how to configure WINS in Windows Server 2008.
Installing and Configuring Unlike DNS and DHCP, WINS is a feature of Windows Server 2008, not a role. Features in Windows Server 2008 simply augment the functionality of roles. In this scenario, WINS is a feature used to add functionality to name resolution as a whole. That said, we will discuss how to integrate WINS with DNS later in this section. Let’s install our WINS feature:
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to the Features Summary section and click Add Features.
3. At the Select Features window, scroll down and click WINS Server and then click Next.
4. Click Install to begin the installation process.
5. Click Close once the installation is complete.
As mentioned, WINS is a legacy technology. As such, you can expect that there won’t be an abundance of questions on the exam. However, you should still familiarize yourself with the console, which is available under Administrative Tools.
Using Server Core for WINS Installing a feature in Windows Server 2008 Server Core is basically the same as adding a role. In this section, we are going to walk through the setup of the feature, as well as set the WINS service to start automatically.
As you know from Chapter 1 of this book, very few roles can be installed as part of Windows Server 2008 Server Core. However, many features can be installed, including:
■ Failover Cluster
■ Network Load Balancing
■ Subsystem for Unix-based applications
■ Multipath IO
■ Removable Storage Management
■ BitLocker Drive Encryption
■ Backup
■ Simple Network Management Protocol (SNMP)
■ WINS
Obviously, at this point in this book, we are only focusing on WINS. So, let’s take a look at how to install the WINS feature and start the service:
1. At the command line, type start /w ocsetup WINS-SC.
2. When installation completes, type sc query WINS or NET START to verify that the WINS service is running.
3. If the service is not running, type sc start WINS.
4. We can also verify that the service will start automatically by typing sc config WINS start= auto.
Generally speaking, management of WINS will occur via the GUI from another Windows Server. However, a number of command-line management options exist for WINS. Essentially, most of the management will be through the netsh tool, which we used earlier for setting IP information. To learn more about these commands, visit http://technet2.microsoft.com/WindowsServer/en/library/430701f0-743a4af5-9dd6-95c5c2f956531033.mspx.
Configuring WINS for DNS As mentioned, WINS has become less relevant in organizations that are running the latest operating systems and applications. However, there are situations where WINS is still necessary. One way we can improve name resolution is to tie WINS to DNS so the two are aware of one another, thereby improving response time to name requests and reducing complexity in name resolution scenarios. Let’s look at how we configure DNS to use WINS as a secondary resource for naming:
1. Choose Start | Administrative Tools | DNS.
2. Find your server name in the left pane and double-click it. This will open the DNS configuration for this server.
3. Right-click your domain name and select Properties.
4. Select the WINS tab.
5. Place a checkmark next to the Use WINS Forward Lookup option.
6. Enter the IP address of the WINS server and click Add.
7. Click Apply and OK to save your changes.
DNS will now be able to forward requests to WINS to resolve names not found within its own namespace.
EXAM WARNING Watch out for any questions that may involve WINS integration with DNS and IPv6. WINS integration with DNS only supports IPv4 addresses.
Summary of Exam Objectives Having the proper network services installed on your server can make the difference between a functional Active Directory environment, and one that is infested with various errors and latency. Microsoft focused on the Core Infrastructure Optimization model—taking IT organizations from a “basic” approach to infrastructure design to a more dynamic one. DNS, DHCP, and even WINS are steps that move IT professionals from the basic model. Imagine the time (and pain) involved in updating spreadsheets with client IP addresses, HOSTS, and LMHOSTS files on client machines for a 500-PC organization! DNS truly is the backbone of the Windows network. Without DNS, Active Directory would cease to function. When it comes to Active Directory, DNS does much more than simple name resolution. It stores information about our LDAP resources, Global Catalog resources, as well as other resources (such as SIP servers) within our environment. If a client or server is unable to find these resource records, having Active Directory in place does us very little good. As an IT professional, you will also be required to understand the different types of Resource Records (RRs) that can be used as part of DNS. There are traditional—or more common— Resource Records such as A and PTR records, but you should also familiarize yourself with special records such as SIP records, since the demand for these types of records is becoming more and more common. DHCP is another crucial piece of the network services puzzle. Again, trying to maintain static addresses for hundreds of systems is not only impractical, it is quite foolish. Trying to maintain IP ranges for IPv4 systems is cumbersome enough, but trying to do it with the extended IPv6 addresses will likely become impossible! 
Add in the additional information we can push out to our DHCP clients (such as gateways, Trivial File Transfer Protocol [TFTP] servers, time clock servers, and domain suffixes, for example) and it makes this a crucial tool in the IT professional’s toolbox. Anyone who is familiar with the Microsoft management consoles can probably create and authorize a DHCP scope, but it takes a skilled professional to correctly design and implement a DHCP strategy. In order to do this, you need to understand not only fundamental IP principles, but also network topologies and common requirements, such as the 80/20 rule. Lastly, we have WINS. Although it is going away, there are still places in certain organizations where it is necessary. Older Microsoft networks not only used WINS, but also transmitted data across NetBEUI, a protocol that does not incorporate a network layer. Without a network layer, NetBEUI is not routable. However, NetBIOS can be routed over TCP/IP or even over IPX. In the Windows Server 2003 and Windows Server 2008 operating systems, NetBIOS is only routed over TCP/IP, if it is used at all. The replication model you design will have an effect on the convergence time for replicated WINS records and fault tolerance for replicated records. A replication model that is appropriate for your network topology will ensure the shortest convergence time for replicated WINS records. Where possible, it is recommended that your replication model mirror your network topology and that you keep this model as simple as possible. If NetBIOS resolution is only necessary for a few systems, you should consider using GlobalNames zone as an alternative. Will we still see WINS in the next version of Windows? Only time will tell.
Exam Objectives Fast Track
Configuring Domain Name System (DNS)
˛ DNS in Windows Server 2008 supports primary zones (including Active Directory–integrated zones), secondary zones, and stub zones.
˛ Active Directory–integrated zones provide additional functionality, including secure dynamic updates and Active Directory–integrated replication.
˛ The GlobalNames zone was introduced to help phase out the Windows Internet Naming Service. The GlobalNames zone requires the creation of a zone named GlobalNames.
Configuring Dynamic Host Configuration Protocol (DHCP)
˛ Since the inception of DHCP, there have been a number of add-on DHCP options that make it possible to distribute even more IP-related information to clients, which makes IP management much more flexible for IT administrators.
˛ DHCP works by “leasing” IP addresses for a period of time to a specific computer. The lease time can be adjusted based on the need for a client to maintain the address for a period of time.
˛ DHCP can also be used to “reserve” addresses for systems that would otherwise need a static address, such as departmental servers and some client machines where it is required by third-party applications.
˛ The 80/20 rule means that IP scopes should be split between DHCP servers, and that server A can distribute 80 percent of IP addresses, while server B can hand out the remaining 20 percent of IP addresses.
Configuring Windows Internet Naming Service (WINS)
˛ WINS was originally introduced by Microsoft as part of Windows NT Server and was intended to be the de facto name resolution solution.
˛ WINS is still required for the NetBIOS name resolution of legacy operating systems and applications.
˛ WINS can be incorporated into DNS to provide seamless name resolution.
Exam Objectives Frequently Asked Questions
Q: Is the GlobalNames zone intended to replace WINS?
A: No. In fact, Microsoft has gone out of its way to stress the fact that the GlobalNames Zone is not a replacement for WINS. The GlobalNames zone is simply intended to assist in the retirement of WINS. As companies upgrade their legacy operating systems and legacy applications, the need for both GlobalNames zones and WINS will eventually go away.
Q: I have seen several examples where non-Internet standard DNS names are used. Is it better to use a standard DNS name (such as .com, .net, or .edu) or to use a private nonstandard name (for example, .ads or .internal)?
A: This really is a matter of preference—and in some cases, a bit of a “religious war.” Separation of name spaces is common in organizations that do not want their external namespace (for example, uccentral.com) to match their internal namespace. This can be beneficial when you want to use similar server names both internally and externally. Separating namespaces can, however, create confusion at times when you try to tell someone to go to a server. For example, you may have a server called “mail,” which could be an internal or external server, and if someone doesn’t specify “mail.uccentral.ads,” you may end up on the wrong server!
Q: Why did Microsoft make WINS a feature and not a role?
A: Simply put, WINS is a solution that is end-of-life. WINS alone cannot provide an enterprisewide solution for name resolution. In today’s environment, we need DNS in order for Active Directory to function properly—we don’t need WINS.
Q: I have a mixed Unix/Windows environment. Some of my DNS zones are hosted on BIND, and some on Windows Server 2008. Is there any way to integrate the two?
A: Yes, there are a few ways. First, you can create “secondary zones” on each of the DNS servers that stores a local copy of the other’s zones. Second, you create “DNS Forwarders” on the Windows Servers, which will forward any requests for these zones to the BIND servers. Lastly, you can delegate DNS zones to the BIND or Windows servers for control over a particular zone.
Q: I like the idea of being able to implement DNS, WINS, and DHCP on a Windows Server 2008 Core Server installation. However, I’m not much of a command-line person. Is there any way I can manage these roles and features from a GUI?
A: Yes; however, you must use the MMC from another Windows Server 2008 (full installation) server to manage these roles and features. If you recall, no GUIs are provided with Windows Server 2008 Core Server, even after a role has been installed.
Q: In the past when I’ve installed DNS with Active Directory onto a Windows Server, a domain called “.” was created. Because of this, I couldn’t get to external servers. Why does this happen?
A: Depending on how DNS was installed, it is possible for the “.” (root) domain to be installed within your DNS. Because “.” is the top-level DNS zone, if installed, it assumes that there are no other domains except those listed on the server itself. To fix this, you simply need to remove the “.” from DNS.
Q: I see there are numerous options that I can push out via DHCP to client machines. What is the bare minimum I need in order to offer networking services?
A: The absolute bare minimum would be the IP address and subnet mask to communicate with a directly connected host on the same subnet. However, this will severely limit the resources that a client can contact outside of that subnet. Realistically, you need the IP address, subnet mask, gateway (called the router in the DHCP options), and at least one DNS server to at least be able to connect to and use the Internet through your Internet service provider (ISP) or to communicate with other hosts on remote subnetworks.
Q: I want to use Active Directory–integrated zones for my DNS servers, but I need to be able to create secondary copies of the zones to non-Microsoft servers. Is this possible?
A: Yes, but it couldn’t be a live/replicated copy of the zone. In this scenario, you can only create a secondary copy of the DNS zone. This means that DNS clients of this non-Microsoft server will have the ability to resolve records, but the zone cannot be updated (either manually or via dynamic update).
Self Test
1. You are the administrator for a nationwide company that currently runs Windows Server 2008 DNS and are reviewing the resource records in your Active Directory–integrated DNS zone. You notice there are hostnames that do not meet your company’s naming convention and verify that the computers are not members of your Active Directory domain. What must you do to ensure these hosts cannot create records in your DNS zone?
A. Disable DNS and enable DHCP.
B. Configure your zone to enable secure dynamic updates.
C. Disable dynamic updates in your zone.
D. You cannot prevent this from occurring in DNS.
2. You are creating a new standard primary zone for the company you work for, Name Resolution University, using the domain nru.corp. You create the zone through the DNS management console, and now you want to view the corresponding DNS zone file, nru.corp.dns. Where do you need to look in order to find this file?
A. You cannot view the zone file because it is stored in Active Directory.
B. You can look in the %systemroot%\system32\dns folder.
C. You cannot view the DNS file except by using the DNS management console.
D. The DNS zone file is actually just a key in the Windows Registry. You need to use the Registry Editor if you want to view the file.
3. You have removed WINS from your environment, but still have at least one legacy PC and application that requires NetBIOS resolution. What solution can you use in place of WINS to address NetBIOS resolution?
A. GlobalNames zones.
B. Reverse zones.
C. Dynamic updates.
D. None of the above. You need WINS for NetBIOS.
4. You’ve just created a new zone in DNS on a Windows Server 2008–based computer. You check the zone and notice that the only records in it are the SOA and NS RRs. Checking the configuration, you see that the zone is configured to accept dynamic updates. What should you do next?
A. Manually add all RRs for the zone, including A, CNAME, PTR, and SRV records.
B. Manually add A records for all hosts that cannot use dynamic updating.
C. Manually add A RRs and PTR RRs for all hosts that will be using dynamic updating.
D. Manually initiate a zone transfer to replicate all the needed RRs to the new zone.
5. A DNS server, Aspen, has been successfully resolving queries but with the wrong information. You use the Monitoring function in the DNS Management Console for Aspen and test the simple and recursive queries. Both work fine. What is the most likely cause of the problem?
A. Aspen is not authoritative for the zone in which the wrong information is being returned.
B. Aspen is not configured to perform iterative queries.
C. Some clients do not support dynamic updates, or manually entered RRs have errors.
D. The clients that received the wrong information do not support the OPT record type.
6. Your company has recently migrated from Windows NT 4.0 to Windows Server 2008 on all of its networked servers, including those running the DHCP and DNS server services. During the migration, you implemented Active Directory–integrated zones. A colleague says you cannot do this because the zones converted from non-AD-aware operating systems will not allow secure updates, creating a significant security risk to the organization. What is your response?
A. When any zone is integrated into AD, it takes on the security features of AD.
B. If the zone is created outside of the AD, it will be configured for no secure updates and must be re-created to allow for secure updates.
C. If the zone is created outside of AD, it will not be configured for secure updates but can be modified via the DNS Management Console.
D. When any zone created before Windows 2000 is integrated into AD, it will use whatever update type other zones are configured to use.
7. You have been tasked with designing a new Windows Server 2008 Active Directory forest. The network is currently a combination of Windows 2000 Professional, Windows XP, Windows Vista, and Macintosh clients. You want to reduce the administration of IP addresses. Which of the following services would you implement to accomplish this?
A. DHCP
B. DNS
C. WINS
D. DDNS
8. Your company has a Windows Server 2008 domain. All of your servers run Windows Server 2008 and all of your workstations run Windows Vista Business. Your DHCP server is configured with the default settings and all of your Windows Vista machines are configured as DHCP clients with the default DHCP client settings. You want to use DNS dynamic updates to automatically register the host record and PTR record for all of your workstations. Which of the following must you do to accomplish your goal?
A. None. The default settings are sufficient.
B. Configure the DHCP server to always Dynamically Update DNS And PTR Records.
C. Configure the DHCP server to Dynamically Update DNS And PTR Records Only If Requested By The DHCP Clients.
D. Configure the workstation to use dynamic updates.
9. Your network contains a mix of Windows 2003 and Windows Server 2008. You have three domain controllers running Windows Server 2003. Your file server, print server, and Exchange server are running Windows 2000 Server. Your DNS, DHCP, and WINS servers are running Windows Server 2008. All of your clients are running Windows XP Professional with Service Pack 2. All machines, other than the servers that require a static IP address, are configured as DHCP clients with the default settings. Your DNS server has been configured to allow dynamic updates. Which of the following records will be registered in DNS automatically? (Choose all that apply.)
A. MX
B. Host (A)
C. SRV
D. PTR
10. You have implemented DNS on a Windows Server 2008 Core Server installation. You want to list the DNS zones on this server. What command-line utility would you use to accomplish this?
A. ocsetup.
B. netsh.
C. dnscmd.
D. None of the above. You must use the GUI from another Windows Server 2008 host.
Self Test Quick Answer Key
1. B
2. B
3. A
4. B
5. C
6. C
7. A
8. A
9. B, C, and D
10. C
Chapter 3
MCTS/MCITP Exam 640 Working with Users, Groups, and Computers
Exam objectives in this chapter:
■ Navigating Active Directory Users and Computers
■ Creating and Modifying User Accounts
■ Creating and Modifying Computer Accounts
■ Creating and Modifying Groups
■ Delegation of Tasks
Exam objectives review:
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
Chapter 3 • Working with Users, Groups, and Computers
Introduction The network administrator’s daily tasks can be made easier—or more difficult—by the number and quality of administrative tools available to perform those tasks. In Windows Server 2008, Microsoft has provided administrators with a wealth of graphical and command-line utilities for carrying out their job duties. The Administrative Tools menu is the place to start, and there you’ll find predefined management consoles for configuring and managing most Windows Server 2008 services and components, including Active Directory tools, DNS, Security policies, Licensing, Routing and Remote Access, Terminal Services, Media Services, and more. Also, you can use Server Manager to access all or most of these tools to perform day-to-day administration tasks from a central console. As an administrator, one of your major responsibilities is to create and manage users, groups, computer accounts, OUs, and group policies. Like Active Directory in Windows 2000 Server and Windows Server 2003, Windows Server 2008 Active Directory also uses the Active Directory Users and Computers MMC snap-in to manage user, computer, and group accounts. We will be spending a great amount of time working with this tool to perform day-to-day activities involving users and computers. The Active Directory Users and Computers MMC snap-in is one of the three most used Active Directory snap-ins employed to manage Active Directory. From this interface, you not only can manage user, group, and computer accounts, but you can also use it to manage other aspects of Active Directory, including group policies, domain controllers, domain security policies, and others. This chapter focuses on creating users, groups, and computers, and you’ll learn different tips and techniques here that will help you manage your Active Directory along the way.
Navigating Active Directory Users and Computers The powerful Active Directory Users and Computers administration tool is still included with Windows Server 2008 to manage Active Directory objects. The Active Directory Users and Computers administrative console enables you to perform day-to-day administration tasks, including adding, modifying, deleting, and organizing Windows Server 2008 user accounts, groups, computer accounts, share resources, printers, and others. It also allows you to manage domain controllers, organizational units (OUs), group policies, and domain security policies. To manage Active Directory users, a number of tools are available, including ADSIEdit.msc, LDIFDE, CSVDE, command-line utilities, and many more.
TEST DAY TIP Attribute Editor is available in the Active Directory Users and Computers MMC snap-in with advanced features enabled. It is easier to use and navigate the Active Directory Users and Computers snap-in than ADSIEdit.msc.
So many administrative tools are available that it can be a bit challenging to know which one to use. The solution is to practice, practice, practice. With the passage of time, experience brings familiarity—and suddenly it won’t seem nearly as difficult finding the right tool, command, or switch to manage a particular object or perform bulk user management. You can access the Active Directory Users and Computers snap-in by selecting (a) Start | Programs | Administrative Tools | Active Directory Users and Computers; (b) Start | Control Panel | Administrative Tools | Active Directory Users and Computers; or (c) Start | Run and then typing MMC in the Run dialog box to open an empty MMC. Choose File | Add/Remove Snap-in … | Active Directory Users and Computers | Add>, and then click OK.
NOTE The Active Directory administrative console is installed automatically on Windows Server 2008 domain controllers.
Now that you’re familiar with how to access and open Active Directory Users and Computers, it’s time to understand the default containers and OUs. After you install and configure a domain controller, you will see several built-in containers and OUs within the Active Directory Users and Computers snap-in, as shown in Figure 3.1.
Figure 3.1 Default Containers and OUs in the Domain
■ Built-In The Built-In container includes all of the standard groups that are created automatically when you install a domain controller. These groups have standard permissions on different objects in the Active Directory domain. Examples include the Account Operators group, Administrators, Backup Operators, Server Operators, Replicators, Users, Remote Desktop Users, and Print Operators.
■ Computers The Built-In Computers container contains the workstations in your domain. By default, there is no workstation in the container; however, you will see a list of computers over a period of time as you install and join workstations within your domain.
■ Domain Controllers The Built-In Domain Controllers OU contains domain controllers for the domain.
■ Foreign Security Principals The Built-In Foreign Security Principals container holds objects that are not part of the current domain to which permissions can be applied.
■ Users The Built-In Users container holds security accounts that are part of the domain. Several groups are held in this container, and are created automatically during the installation of the domain controller. For example, this container holds the default Administrator account and other groups, including Domain Admins, Enterprise Admins, Domain Controllers, Domain Guests, Domain Users, Schema Admins, Guests, and many others in the domain.
Creating and Modifying User Accounts Now that you are familiar with the default containers and OU structure, it is time to understand the types of user accounts and the information needed to create them. In the following section, we will discuss various types of user accounts, built-in accounts, and how to create and manage user accounts. It is important that you understand the process involved in creating and managing user accounts, because user accounts are one of the most frequently used types of objects in Active Directory. A user account is a record in the Active Directory database that consists of all the information that defines a user to Windows Active Directory. This information includes the username, password, logon hours, profile location, group membership information, and the password required for the user to log on. A user account enables the user to prove his identity, authenticate to the network, and log on to a local computer or the network to access resources. In the Windows Active Directory environment, authentication for domain users is based on user accounts in Active Directory. Authentication confirms the identity of a domain user and allows them to access network resources. Once logged on, users can access all network resources. This is known as the single sign-on process, which helps users log on to the client computer once, using a single user ID and password, and then authenticate to any computer in the domain.
User Account Types Three types of user accounts exist in the Windows Server 2008 environment: built-in user accounts, local user accounts, and domain user accounts. Built-in user accounts are created automatically during the installation of Windows Server 2008 and Active Directory. Built-in accounts have pre-assigned permissions and are used to perform specific administrative tasks like managing printers, backing up files, remote access, and so on. Examples of two common built-in accounts are Administrator and Guest. With a local user account, a user authenticates locally from a specific computer to gain access to a local resource on that computer. Local user accounts are created only in the computer’s local security database, and do not replicate with the domain controllers in an Active Directory domain. In the Active Directory domain, if your users need to access domain resources, then you should create domain user accounts instead of local user accounts since the domain will not recognize local user accounts. Local accounts are used in Workgroup environments instead of in Domain environments. With a domain user account, a user authenticates from a domain controller in a domain to gain access to domain resources anywhere on the network. At the time of authentication, the user provides his logon information to authenticate from the domain controller, which in turn authenticates the user and creates an access token containing user information and security settings. This access token identifies the user and helps him access domain resources without reentering his credentials. All domain controllers in the Active Directory domain replicate the user account information so the user is able to authenticate from any domain controller. This chapter focuses on domain user accounts.
Creating a New Account

Like Windows 2000 Server and Windows Server 2003 Active Directory, domain users in the Windows Server 2008 Active Directory environment are created and managed by using the Active Directory Users and Computers MMC snap-in. Creating and managing a user account in Windows Server 2008 is really no different from Windows 2000 Server and Windows Server 2003. If you are an experienced Windows 2000 Server and/or Windows Server 2003 administrator, you can skip this section and move on to the next, because most of the information here will seem repetitive. Before I discuss the user account creation process in detail, I would like to explain the two built-in accounts on Windows Server 2008 computers: the Administrator and Guest accounts. The built-in Administrator account uses the password you specified during operating system installation and has full permissions on the local machine as well as, on a domain controller, to administer the domain. It is used to create and modify user accounts and group accounts, manage account and security policies and group policies, create published printers and shares, assign rights to users, change domain policies, and so on. Because this account has full permissions on the Active Directory domain, you must secure it from hackers and intruders. This account can be secured in multiple ways, including:

■ Rename this account to hide it from hackers and intruders. Since you cannot delete this account or remove it from the Administrators group, renaming it makes it difficult for unauthorized users to guess the administrative account's logon name.

■ Create a dummy administrator account with no permissions and disable that account, to make it difficult for hackers to identify and crack the real administrative account.

■ Choose a long and complex password and change it on a regular basis. Make sure your password is a combination of letters, numbers, and special characters, which makes it difficult to guess and/or crack.

■ If you are responsible for managing the Active Directory domain, create a separate user account for your day-to-day activities and use the built-in Administrator account only when you perform administrative tasks.
The built-in Guest account allows users who do not have an Active Directory account to log on to the domain and access network resources. For example, a contractor or a partner who needs to access domain resources for a very short time may use this account. By default, this account is disabled; however, you can enable it. The Guest account can use a blank password; however, it is recommended that you assign it a password and use it only in low-security environments where you have limited resources or where there is no threat. As with the built-in Administrator account, it is recommended that you rename this account to make it difficult for unauthorized users to guess the Guest account's logon name. You can further secure this account by using a long and complex password. As with the built-in Administrator account, you cannot delete the Guest account, but you can rename and disable it.
Domain User Account Considerations

Before you create any user accounts, be aware of the following user account creation rules and practices:

1. The user account name must be unique among the user names in your Active Directory domain.
2. The user logon name and the SAM account name must be unique in your Active Directory domain.
3. User account names can be from 1 to 20 characters in length.
4. You can use any combination of letters, symbols, and numbers except / \ [ ] : ; | = , + * ? @ ".
5. The New User window displays both the Active Directory username, such as [email protected], and the NetBIOS name, such as Shannon.
6. User logon names are not case-sensitive.
7. Some organizations use best practices to create standardized usernames, such as the user's first and last name (Demi.Starr), while others use first name and last initial (ShannonS). This is an administrative best practice that minimizes headaches in managing users. If you have two users with the same name (for example, Shannon DiSouza), you can use the first name and last initial for the first user and add further letters of the last name for the second user to differentiate the duplicate accounts: ShannonD for the first user and ShannonDi for the second.
8. Some organizations also use different letters and conventions to identify full-time and part-time employees, contractors, and vendors. To identify full-time employees, you can add a note in parentheses after the user's name, for example Elanda DiSouza (Full Time) and Demi Starr (Temp).
Password Considerations

To protect user accounts from hackers and intruders, you must assign a strong password to every user account in your Active Directory domain. As an administrator, you can assign a password when you create a user account, or assign a default password and then require users to change it at their next logon. To make sure your users use strong passwords, you may have to educate them about how to create passwords that are actually strong. You may have to remind them from time to time that a strong password provides an effective defense against unauthorized access and protects your resources from intruders and unauthorized users. In addition to educating your users, you may want to implement group policies that enforce strong password policy settings, by enabling the Password must meet complexity requirements setting to force users to create complex passwords. Keep in mind that a strong password:

■ Does not contain dictionary words.
■ Does not contain a username, real name, pet name, family member's name, or company name.
■ Is between 7 and 14 characters long.
■ Is different from previous passwords.
■ Is a combination of uppercase letters, lowercase letters, numbers, and special characters. An example of a strong password is Sh4$$n0n87r67}D.
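As an added example (not from the book), the checklist above expressed as a small checker: it returns the rules a candidate password breaks, using the book's 7 to 14 character window; the word list, account details and password history below are constructed for the demonstration.

```python
import string

# Constructed stand-in for a real dictionary word list.
DICTIONARY_WORDS = ("password", "welcome", "summer", "letmein", "qwerty", "admin")

# Characters the book calls "special"; Python's string.punctuation covers them.
SPECIAL = set(string.punctuation)


def personal_tokens(username, real_name, company, min_len=3):
    """Names that must not appear in the password: the logon name, each part
    of the real name and the company name (lowercased, short initials dropped)."""
    tokens = {username, company, *real_name.split()}
    return sorted(t.lower() for t in tokens if len(t) >= min_len)


def check_password(password, username, real_name, company, previous=()):
    """Return the list of rules the candidate password breaks; an empty list
    means it satisfies every rule in the book's checklist."""
    problems = []
    lowered = password.lower()

    # Rule: between 7 and 14 characters long.
    if not 7 <= len(password) <= 14:
        problems.append("length must be 7 to 14 characters")

    # Rule: does not contain dictionary words.
    for word in DICTIONARY_WORDS:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")

    # Rule: does not contain the username, real name or company name.
    for token in personal_tokens(username, real_name, company):
        if token in lowered:
            problems.append(f"contains name '{token}'")

    # Rule: mixes uppercase, lowercase, digits and special characters.
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIAL for c in password)
    if not (has_upper and has_lower and has_digit and has_special):
        problems.append("needs uppercase, lowercase, digits and special characters")

    # Rule: different from previous passwords.
    if password in previous:
        problems.append("reused a previous password")

    return problems


if __name__ == "__main__":
    # Constructed account: logon name, real name, company, and one old password.
    account = ("Shannon", "Shannon DiSouza", "ADMastering")
    history = ("Tr0nt0!Sk8r",)
    for candidate in ("Shannon2008", "Welcome1!", "Tr0nt0!Sk8r", "Mpl3^Le4f#42"):
        result = check_password(candidate, *account, previous=history)
        print(candidate, "->", "strong" if not result else "; ".join(result))
```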
Creating a New Account Using Active Directory Users and Computers

The Active Directory Users and Computers console is used to create a new domain user account. You can create user accounts by performing the steps outlined in Exercise 3.1.

EXERCISE 3.1 CREATING A NEW USER ACCOUNT BY USING ACTIVE DIRECTORY USERS AND COMPUTERS

1. Log on to the Active Directory domain controller using administrative privileges.
2. Choose Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational unit to house the new user account. Right-click the container, click New, and then click User to create the new user account. This brings up the New Object - User window (see Figure 3.2).
4. Enter the user's first and last names in the First Name and Last Name boxes, respectively. Windows Server 2008 automatically fills in the full name. Enter a username in the box under User Logon Name. The logon name is required and, in combination with the domain name on the right (such as [email protected]), uniquely identifies a user in a domain, tree, or forest. Depending on your naming environment, you may have to choose a different domain for which you have appropriate permissions. Once you enter the user logon name information, click Next to continue.
5. Enter a password for the user in the Password box. Retype the password in the Confirm Password box. Check the appropriate boxes for the various password options, as shown in Figure 3.3. Table 3.1 lists these password options.
NOTE
You don't have to enter any information in the User Logon Name (pre-Windows 2000) area, as this information is entered automatically. The entry is the user's unique logon name used to log on from earlier versions of Windows, such as Microsoft Windows NT 4.0. This information is required and must be unique within the domain.
Figure 3.2 Examining the New Object – User Window
Table 3.1 Password Options

User must change password at next logon: Select this option to force the user to change their password the first time they log on. This provides a higher level of security by ensuring that the user is the only person who knows the password.

User cannot change password: Select this option if you have more than one person using the same domain user account (such as Guest). Choosing this option also ensures that the account's password can be changed only with Administrator privileges, which means it prevents the user from creating a new password or altering the existing password.

Password never expires: Select this option if the user is not required to change his or her password periodically, or if you don't want to impose any time restriction on the life of the password (for example, for a domain user account that is used by a Windows Server 2008 service).

Account is disabled: Select this option to deactivate an account so it cannot be used to log on to the network. This option is useful when a user leaves for an extended period and doesn't need the account, or in the case of a new employee who has not yet started.
Figure 3.3 Examining the Password Options
6. Click Next to bring up the User Account Confirmation screen. This verifies the user's full name, logon name, and any password restrictions. Click Finish to finalize the new account and view the new user within the Active Directory container from the Active Directory Users and Computers snap-in.
Modifying a Domain User Account Using Active Directory Users and Computers

Like all Windows Server 2008 objects, a domain user account has a set of default properties, or attributes. Once the domain user account has been created, these properties can be populated so that users can be located by searching Active Directory. For example, you can set the office location in the Office property and other fields so you can find all users from a particular office. In Exercise 3.2, we will examine several user attributes and values. An explanation of each tab's settings is provided to help you understand the various attributes and values.

EXERCISE 3.2 MODIFYING A NEW USER ACCOUNT BY USING ACTIVE DIRECTORY USERS AND COMPUTERS

1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational unit where the user account resides. Right-click the desired user and then select Properties.
4. The General tab contains the user's first name, initials, last name, display name, description (usually a job title, for example Sr. Manager, that will appear in the management console), office location, telephone number(s), e-mail address, and Web page(s). Type in the appropriate information, as shown in Figure 3.4.
Figure 3.4 The General Tab
5. Click the Address tab. This tab contains the user’s street address, P.O. Box, city, state/province, ZIP/postal code, and country/region information, as shown in Figure 3.5. It’s helpful to have this information if you want to retrieve it later to locate a user and mail them any packages or information.
Figure 3.5 The Address Tab
6. Click the Accounts tab. This tab contains the user’s logon name, domain, the user’s pre-Windows 2000 logon, their logon hours, the computers they’re permitted to log on to, their unlock account settings, account options, and account expiration date settings (see Figure 3.6).
Figure 3.6 The Accounts Tab
7. Set the account properties by clicking the appropriate boxes for the Account options, as explained in Table 3.2.
Table 3.2 Password Options

User must change password at next logon: Select this option to force the user to change his or her password the first time he or she logs on. This provides a higher level of security by ensuring that the user is the only person who knows the password.

User cannot change password: Select this option if you have more than one person using the same domain user account (such as Guest). Choosing this option also ensures that the account's password can be changed only with Administrator privileges, which means it prevents the user from creating a new password or altering the existing password.

Password never expires: Select this option if the user is not required to change his or her password periodically, or if you don't want to impose any time restriction on the life of the password (for example, for a domain user account that is used by a Windows Server 2008 service).

Store password using reversible encryption: This option stores the password using reversible encryption rather than as a one-way hash, for applications that need to read the user's password.

Account is disabled: This option deactivates an account so it cannot be used to log on to the network. It is useful when a user leaves for an extended period and doesn't need the account, or in the case of a new employee who has not yet started.

Smart card is required for interactive logon: Select this option if you want to enhance domain logon security by requiring a smart card and PIN instead of a user name and password.

Account is sensitive and cannot be delegated: This option prevents the account from being delegated. It is an additional security control over whether the user account can be delegated; ideally, you should enable this option for domain service accounts.

Use Kerberos DES encryption: This option restricts this account to DES encryption types instead of the standard Kerberos encryption.

This account supports Kerberos AES 128-bit encryption: This option enables you to use AES 128-bit encryption for this account instead of the standard Kerberos encryption.

This account supports Kerberos AES 256-bit encryption: This option enables you to use AES 256-bit encryption for this account instead of the standard Kerberos encryption.

Do not require Kerberos preauthentication: This option allows the user to log on from a computer that supports Kerberos but does not support the Kerberos preauthentication feature.
8. Click Logon Hours ... to allow the user to log on only on certain days and at certain times of the week (Figure 3.7), which is useful for restricting employees to logging on to the domain only during their working hours. This helps increase your domain security by reducing the amount of time the account is exposed to unauthorized use. In the Logon Hours for user dialog box, shown in Figure 3.7, select the days and hours for which you want to allow or deny access. By default, Windows Server 2008 permits access at all hours on all days. Two settings control logon hours:

■ Logon Permitted controls the hours during which a user is permitted to log on. The days and hours during which the user is allowed access appear in blue.
■ Logon Denied designates the hours during which a user is denied logon. The days and hours during which the user is denied access appear in white.
Figure 3.7 The Logon Hours Dialog Box
NOTE
Changing the logon hours setting applies to the user's next attempted connection. It does not affect a user currently logged on to the system.

9. Click OK to continue.
10. Click Log On To ... to let the user log on only to certain workstations (Figure 3.8). This helps increase your domain security by forcing employees to log on to the domain only from their allowed workstations, thus preventing users from accessing (accidentally or intentionally) another user's data that is stored on that user's computer. By default, Windows Server 2008 lets users log on to all workstations in the domain. In the Logon Workstations dialog box, shown in Figure 3.8, select The following computers, type the NetBIOS name of the computer from which the user is permitted to log on in the Computer name box (for example, WORKSTATION01), and then click Add. The main point to remember is that the computer name must be the NetBIOS name, and the NetBIOS protocol must be installed and enabled on all machines that use this account policy. Repeat this step to add other computers to the list.
Figure 3.8 The Logon Workstations Dialog Box
NOTE
You can also edit the existing list or remove computers from it by clicking the Edit and Remove buttons.

11. Click OK to continue.
12. In addition to logon hours and logon workstations, you can use an account expiration date, shown in Figure 3.9, to increase domain security. You can choose either of the following settings:

■ Never is used if you do not want the user account to expire. Generally, you may want to choose this setting for service accounts and Domain Admin accounts.
■ End of (date) disables the user account automatically on the date you specify. You may want to use this setting to expire the accounts of temporary employees and contractors automatically.
Figure 3.9 The Accounts Tab
13. Click the Profile tab to define the profile path, logon script, home folder local path, and shared folder location, shown in Figure 3.10. The following settings are available:

■ Profile path contains the path where the user's profile will be stored. If no directory location is entered, the default location is \Documents and Settings\username. It is important to define the user profile path because user profiles provide consistency to each user by saving and retrieving the user's desktop environment. User profiles come in four types: local user profiles, roaming user profiles, temporary user profiles, and mandatory user profiles.
Figure 3.10 The Profile Tab
NOTE
Local user profiles are available only on the local computer. They are created in the user's profile directory on each system where the user logs on. When the user logs on to a system for the first time and no profile is defined, the system uses the \Documents and Settings\Default User profile to create the new local user profile in the \Documents and Settings\username directory. If the user logs on to many different systems in your domain, he will be unable to maintain one profile and may end up with many profiles on many different systems. Roaming user profiles allow users to maintain one profile while they log on at multiple computers and move from system to system. A roaming profile is stored in a shared folder on a server, which allows a user to access it from any system in the domain. Whenever a user starts a session, the profile is copied from the shared network folder to the local computer. Once copied to the local system, all the user's settings are updated in the local copy and are copied back to the shared folder on the server when the user logs off. Mandatory user profiles are read-only roaming profiles that are used to maintain desktop consistency. No modifications are ever saved to the user's profile. Users are able to modify desktop settings and several other settings, but the changes are not saved when the user logs off. Like roaming profiles, the mandatory profile is stored in a shared network folder, which allows the user to access it from any system in the domain. No one except system administrators should be allowed to make changes to mandatory user profiles. Temporary user profiles are used only if a user's profile cannot be loaded because of errors. At the end of each session, temporary user profiles are deleted, so all changes made during the session are lost when the user logs off the system.
■ Logon script contains the path to an optional traditional MS-DOS command script (.exe, .bat, or .com) for downlevel operating systems, or a Visual Basic Script (.vbs) for operating systems that support Windows Script Host (WSH).
■ Home folder local path contains the home directory path on the local machine.
■ Home folder connect contains the home directory path targeted at a shared network folder. This option requires you to choose a network drive letter from the pull-down menu, which is used to reference the remote connection from the local machine. The To field should contain the UNC name of the remote directory, for example \\Servername\Sharename\Directory.
Test Day Tip: Home Folder Overview
A home folder is an additional folder that can be used to centralize a user's documents on a networked server for easy access from any client computer, central backup/restore, and version control. As the home folder is not part of the user's profile, its size can vary to meet the user's needs. It is not uncommon to find home folders in the hundreds of megabytes.
14. Click the Telephones tab to store home, pager, mobile, FAX, and IP phone info for quick reference (as shown in Figure 3.11) on where to contact the user. Entering information in this tab is optional.
Figure 3.11 The Telephones Tab
15. Click the Organization tab to enter information regarding a user’s relations with an organization, such as job title, department, company, and manager name (as shown in Figure 3.12).
Figure 3.12 The Organization Tab
16. Click the Member Of tab to add the user to security groups and thereby assign permissions on domain resources (see Figure 3.13). By default, each user is a member of the Domain Users group. You can make a user account a member of additional groups; however, the best practice is to grant only the group memberships that are necessary and not to assign excessive memberships to either users or computers. Windows allows a user to belong to many groups, one of which is the user's primary group. You can set the user's primary group in the Member Of tab by clicking Set Primary Group. The selected group becomes the primary group and is displayed in bold; the group that was previously the primary group is no longer in bold. To add the user to another security group, click Add, type in the group name, and then click Check Names. Click OK to add the user to that group. Click OK to return to the Active Directory Users and Computers snap-in.
Figure 3.13 The Member Of Tab
17. Click the Dial-in tab to configure the user account for use with remote access (as shown in Figure 3.14). The many settings here can be used individually or in combination to control the user's dial-in permissions. Network Access Permissions is the first section; it allows you to control a user's access by choosing Allow Access or Deny Access, or to control access through NAP by clicking Control Access Through NPS Network Policy. In addition to NAP policies and the NAP server, you can also use Callback as a security feature. Three options control callback:

■ No Callback is the first and default choice, which allows users to dial directly into the domain to gain access to the network.
■ Set by Caller (Routing and Remote Access Service Only) allows users to specify a callback telephone number during the initial connection. This is a good choice for traveling professionals, such as executives, sales, and IT staff, since it saves them long-distance telephone bills.
■ Always Callback to is where you enter a specific telephone number, restricting users to establishing remote connections from that specific location or telephone number.

In addition to the preceding settings, you can also choose Assign Static IP Addresses and Apply Static Routes to define a static IP address and a default route.
Figure 3.14 The Dial-in Tab
18. Click the Environment tab to configure the user account for use with the Terminal Services startup environment. The Starting Program lets you specify the program that will open whenever the user connects and logs on to a terminal server, whereas Client Devices allows you to specify whether the user’s local drives and printers will be available in the terminal services session (as shown in Figure 3.15).
Figure 3.15 The Environment Tab
19. Click the Sessions tab (as shown in Figure 3.16) to configure the Terminal Services session timeout, active session limit, idle session limit, and reconnection settings, as explained in Table 3.3.
Figure 3.16 The Sessions Tab
Table 3.3 The Sessions Tab

End a disconnected session: Select this option to specify how long Terminal Services keeps a user's session active even though the user is no longer connected. This consumes memory on the terminal server, but it is useful if your users get disconnected because of network connectivity issues.

Active session limit: Select this option to specify the maximum amount of time that the user's Terminal Services session can be active before the session is automatically disconnected. Users receive a warning message two minutes before the session disconnects, which lets them move the mouse or press a key to keep the session active.

Idle session limit: Select this option to specify the maximum amount of time that an active Terminal Services session can be idle before the session is disconnected. Users receive a warning message two minutes before the session disconnects, which lets them move the mouse or press a key to keep the session active.

When a session limit is reached or connection is broken: Select this option to specify whether to disconnect or end the user's Terminal Services session when an active session limit or an idle session limit is reached.

Allow reconnection: Select this option to specify whether the user can reconnect to a disconnected session on a terminal server from any client. From originating client only is used for Citrix clients only.
20. Click the Remote Control tab (as shown in Figure 3.17) to configure the Terminal Services remote control settings that will allow the user to observe or actively control the user’s Terminal Services session, including being able to input keyboard and mouse actions to the session.
Figure 3.17 The Remote Control Tab
21. The Terminal Services Profile tab (as shown in Figure 3.18) allows you to specify the location of the Terminal Services profile and home folder. Settings in this tab apply to Terminal Services only.
Figure 3.18 The Terminal Services Profile Tab
22. The COM+ tab (Figure 3.19) lets you specify the Partition Set.
Figure 3.19 The COM+ Tab
23. Click Apply, and then click OK to finalize the account changes and view the user within the Active Directory container from the Active Directory Users and Computers snap-in.
Common User Management Options

Aside from creating and configuring user accounts, you may be responsible for performing a number of different management tasks. Table 3.4 lists the management actions you can take on a user account.
Table 3.4 Common User Management Options

Copy: Creates a new user account by copying an existing user account.

Disable Account: Disables the user account and prevents it from being used.

Enable Account: Enables the user account so that it can be used on the network.

Reset Password: Assigns a new password, for example when a user forgets his or her password.

Move: Moves the user account between containers and OUs.

Delete: Deletes the user account of a user who does not belong to your company or has left the company.

Rename: Renames a user account, for example after a name change.
Creating a New User Account Using Script

To create users by using a script, you can use VBScript or the built-in dsadd command. I've found the dsadd command useful because it allows you to use command lines in batch files for day-to-day user administrative tasks. The following is an example of VBScript used to create a user in Active Directory (the <...> placeholders are replaced with your own values):

' This code creates a single user named Joanna DiSouza
Const ADS_UF_NORMAL_ACCOUNT = 512
' Bind to the container (OU) that will hold the new user
Set objParent = GetObject("LDAP://<ParentDN>")
Set objUser = objParent.Create("user", "cn=<UserName>")                ' e.g. Joanna
objUser.Put "sAMAccountName", "<UserName>"                              ' e.g. Joanna
objUser.Put "userPrincipalName", "<UserUPN>"                            ' e.g. [email protected]
objUser.Put "givenName", "<UserFirstName>"                              ' e.g. Joanna
objUser.Put "sn", "<UserLastName>"                                      ' e.g. DiSouza
objUser.Put "displayName", "<UserFirstName> <UserLastName>"             ' e.g. Joanna DiSouza
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
' Write the object to the directory before setting the password
objUser.SetInfo
objUser.SetPassword "<Pa$$w0rd>"
' The account is created disabled; enable it and commit the change
objUser.AccountDisabled = False
objUser.SetInfo
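As an added example (not from the book or its VBScript), the following Python decodes the userAccountControl value that the script above sets to ADS_UF_NORMAL_ACCOUNT and that the Account options checkboxes of Table 3.2 toggle, and audits a constructed set of accounts for the options a defender should question; the flag values are the documented ADS_USER_FLAG_ENUM constants, and the sample accounts are constructed.

```python
# Bits of userAccountControl behind the Table 3.2 checkboxes (ADS_USER_FLAG_ENUM).
# Two checkboxes are NOT bits of this attribute: "User must change password at
# next logon" is pwdLastSet = 0 and "User cannot change password" is a deny ACE
# on the object; the two AES checkboxes live in msDS-SupportedEncryptionTypes.
ADS_UF_ACCOUNTDISABLE = 0x0002                    # Account is disabled
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080   # Store password using reversible encryption
ADS_UF_NORMAL_ACCOUNT = 0x0200                    # 512, the constant used in the book's VBScript
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000               # Password never expires
ADS_UF_SMARTCARD_REQUIRED = 0x40000               # Smart card is required for interactive logon
ADS_UF_NOT_DELEGATED = 0x100000                   # Account is sensitive and cannot be delegated
ADS_UF_USE_DES_KEY_ONLY = 0x200000                # Use Kerberos DES encryption
ADS_UF_DONT_REQUIRE_PREAUTH = 0x400000            # Do not require Kerberos preauthentication

FLAG_NAMES = {
    ADS_UF_ACCOUNTDISABLE: "ADS_UF_ACCOUNTDISABLE",
    ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED: "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    ADS_UF_NORMAL_ACCOUNT: "ADS_UF_NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "ADS_UF_DONT_EXPIRE_PASSWD",
    ADS_UF_SMARTCARD_REQUIRED: "ADS_UF_SMARTCARD_REQUIRED",
    ADS_UF_NOT_DELEGATED: "ADS_UF_NOT_DELEGATED",
    ADS_UF_USE_DES_KEY_ONLY: "ADS_UF_USE_DES_KEY_ONLY",
    ADS_UF_DONT_REQUIRE_PREAUTH: "ADS_UF_DONT_REQUIRE_PREAUTH",
}


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value,
    lowest bit first, i.e. the checkboxes the GUI would show ticked."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def set_option(value, flag, enabled=True):
    """Tick or untick one Table 3.2 checkbox and return the new attribute value
    that a script would Put into userAccountControl before calling SetInfo."""
    return value | flag if enabled else value & ~flag


def audit_account(sam_account_name, uac, is_service_account=False):
    """Return findings for one account following the book's guidance: weak
    Kerberos settings and reversible storage are never wanted, 'Password never
    expires' is meant for service accounts, and service accounts should be
    marked sensitive so they cannot be delegated."""
    findings = []
    if uac & ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED:
        findings.append(f"{sam_account_name}: password stored with reversible encryption")
    if uac & ADS_UF_USE_DES_KEY_ONLY:
        findings.append(f"{sam_account_name}: restricted to DES Kerberos keys")
    if uac & ADS_UF_DONT_REQUIRE_PREAUTH:
        findings.append(f"{sam_account_name}: Kerberos preauthentication not required")
    if uac & ADS_UF_DONT_EXPIRE_PASSWD and not is_service_account:
        findings.append(f"{sam_account_name}: password never expires on a user account")
    if is_service_account and not uac & ADS_UF_NOT_DELEGATED:
        findings.append(f"{sam_account_name}: service account can be delegated")
    return findings


# Constructed sample export: (sAMAccountName, userAccountControl, is service account).
SAMPLE_ACCOUNTS = [
    ("Joanna", ADS_UF_NORMAL_ACCOUNT, False),
    ("Demi", ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE, False),
    ("svc_backup", ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD | ADS_UF_NOT_DELEGATED, True),
    ("legacyapp", ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD
                  | ADS_UF_USE_DES_KEY_ONLY | ADS_UF_DONT_REQUIRE_PREAUTH, True),
    ("Shannon", ADS_UF_NORMAL_ACCOUNT | ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
                | ADS_UF_DONT_EXPIRE_PASSWD, False),
]


def audit_all(accounts=SAMPLE_ACCOUNTS):
    """Run audit_account over an export and return every finding."""
    findings = []
    for sam, uac, is_service in accounts:
        findings.extend(audit_account(sam, uac, is_service))
    return findings


if __name__ == "__main__":
    for sam, uac, _ in SAMPLE_ACCOUNTS:
        print(f"{sam:<12} {uac:#08x}  {', '.join(decode_uac(uac))}")
    for line in audit_all():
        print("FINDING", line)
```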
Creating a User Template

As you know, templates simplify the creation of a large number of user accounts. In a template, you define all the account parameters you need for your users. You can then use this template to create user accounts by simply filling in the Name, Full Name, Description, Password, and Confirm Password fields. Make sure this template account is disabled and has all the properties you need for most of your users. During creation of a new user account, you will get the same wizard and dialog pages as when creating any new user; however, the new user object will have most of the attributes the template user has. Templates help you create users more quickly than creating them individually. Creating and managing user templates in Windows Server 2008 is really no different from Windows 2000 and Windows 2003. If you are an experienced Windows 2000 and/or Windows 2003 administrator, you can skip this section and move on to the next. In Exercise 3.3, we will use an existing user account, Shannon Forever, to create a new user account for a different user by utilizing the copy process.
EXERCISE 3.3 CREATING A NEW USER ACCOUNT BY USING AN EXISTING USER ACCOUNT IN ACTIVE DIRECTORY USERS AND COMPUTERS

1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Right-click the desired user (in our case, it's Shannon Forever), and then select Copy.
4. Enter the name information of the new user (Demi), and then click Next.
5. Enter a password, select any appropriate account options you want enabled, and then click Next.
6. Click Finish.
Configuring User Principal Names

Like Windows 2000 and Windows 2003 Active Directory, every domain user account in Windows Server 2008 Active Directory is given a friendly name, known as the user principal name (UPN), to help a user log on to the domain. The UPN is an Internet-style logon name, which is shorter than the distinguished name and therefore easy to remember. The UPN is made up of a prefix and a suffix: the user's logon name and the domain DNS name, such as admastering.com. In large enterprise environments, some organizations may want to map an additional UPN suffix to the e-mail address to provide additional security and simplify the logon process. This can add a layer of security because users never see your internal Active Directory domain names during the logon process. Some organizations may have several domain trees and domains, which can confuse users. For example, the user object Joanna DiSouza in the Toronto.Ontario.Canada.admastering.com domain may have to log on as [email protected]. admastering.com. This may not only confuse users, but some users may find this longer DNS name hard to remember and difficult to type. If this is the case, or if you are looking to map the user logon name to the e-mail address, you may want to add an additional UPN suffix by using the Active Directory Domains and Trusts tool. For example, Toronto.Ontario.Canada.admastering.com may have an alternate DNS suffix of admasteringcanada.com, which lets users log on to the Toronto.Ontario.Canada.admastering.com domain as [email protected] instead of [email protected]. The UPN suffix serves as an alias or substitute for the real domain name. In the following section, we will add an additional UPN suffix to map a user's logon name to their e-mail address. In Exercise 3.4, we assume that the AD forest is rooted at a different domain name (for example, admastering.com) than the e-mail domain name (for instance, admasteringcorp.com).
EXERCISE 3.4 ADDING AN ALTERNATE UPN SUFFIX

1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Domains and Trusts.
3. Click Action | Properties. The UPN Suffixes tab appears.
4. To add an alternative suffix, type the suffix in the box (for example, admasteringcorp.com) and then click the Add button.
5. Repeat step 4 to add other suffixes.
6. To remove an alternative suffix, select the suffix in the list and click the Remove button.
7. Repeat step 6 to remove other suffixes.
8. Close the Active Directory Domains and Trusts console.
Creating and Modifying Computer Accounts

All computers in your Active Directory domain must have computer accounts in Active Directory. Just as an Active Directory user account represents a person, a computer account represents a computer. To access domain resources securely, every computer in your domain needs to establish a secure channel to a domain controller. This secure channel is an authenticated channel in which the computer presents a password to a domain controller (which verifies it against the password stored with the computer's account in Active Directory), so that the computer can later use this channel to transfer encrypted data to and from the domain controller. Computer accounts are also used to enforce domain permissions and group policies. The computer object class is derived directly from the user object class and inherits all or most of the attributes of user objects, with some additional attributes of its own. You can create a computer account manually in an Active Directory domain by using Active Directory Users and Computers; however, computer accounts are created automatically when an administrator joins a computer to a domain. Just like Active Directory user accounts, you can access computer account properties by using the Active Directory Users and Computers console, where you will see most of the same generic tabs you saw earlier in this chapter when configuring user accounts.
Creating a New Computer Account Using Active Directory Users and Computers

The Active Directory Users and Computers console is used to create a new computer account. The process of creating a computer account in Active Directory is the same as creating a user account: right-click the appropriate container, choose New, and then click Computer to create the computer account. You can create computer accounts by performing the steps outlined in Exercise 3.5.

EXERCISE 3.5 CREATING A NEW COMPUTER ACCOUNT BY USING ACTIVE DIRECTORY USERS AND COMPUTERS

1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational unit to house the new computer account. Right-click the container, click New, and then click Computer to create the new computer account. This brings up the New Object—Computer window.
4. Enter the computer name, as shown in Figure 3.20. Creating a computer account is a one-step process that prompts you for a computer name and a pre-Windows 2000 name to identify the computer (Windows Server 2008, Windows 2003, Windows 2000, member server, or domain controller). Notice the User Or Group: option, which is used to change the user or group that can join the computer to the domain. By default, Domain Admins have the authority to join new computers to the domain. Depending on your environment, you may have to change this to allow desktop deployment groups to join computers to the domain.

Figure 3.20 The New Object – Computer Window

5. If yours is a pre-Windows 2000 computer, you may want to select the Assign This Computer Account As A Pre-Windows 2000 Computer check box (as shown in Figure 3.20) at the bottom of the dialog box. This option is used to create computer accounts for computers running legacy operating systems.
6. Click OK. Close the Active Directory Users and Computers console.
Modifying a Computer Account Using Active Directory Users and Computers

Like all Windows Server 2008 objects, a computer account has a set of default properties or attributes associated with it. Once the computer account has been created, these properties can be modified and then used to search for computers in Active Directory. For example, you can set the office location in the Location property so that you can find the computers belonging to a particular office. In Exercise 3.6, we will examine several computer attributes and values. An explanation of each tab setting is provided to help you understand these attributes and values.

EXERCISE 3.6 MODIFYING A COMPUTER ACCOUNT BY USING ACTIVE DIRECTORY USERS AND COMPUTERS

1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational unit where the computer account resides. Right-click the desired computer account and then click Properties. The General tab contains the Computer Name (pre-Windows 2000 name), DNS Name, DC Type, Site, and Description fields. Type in the description of the computer, as shown in Figure 3.21.

Figure 3.21 The General Tab
NOTE: In Windows 2000 and later, all earlier versions of Windows, such as Windows NT and Windows 9x, are referred to as pre-Windows 2000 computers; they use NetBIOS names to establish connections. In Windows 2000 and later versions, DNS is the primary name resolution method, so in a mixed environment both the NetBIOS and DNS names are often displayed for objects.
4. Click the Operating System tab. This tab contains the operating system name and version running on the machine, as well as any operating system service packs that have been applied to the machine.
5. Click the Member Of tab. As shown in Figure 3.22, this tab lists the Active Directory security groups of which this computer is a member. Just as we can organize users into security groups to assign permissions on domain resources, we can also organize computers into groups to assign permissions. For example, you can put certain computers into a group and then give the group permission to access a certain printer. This way, no matter which user is logged on to the computer, that user will be able to access the printer for that group unless the user has been explicitly denied permission. By default, each computer is a member of the Domain Computers group. You can make a computer account a member of different groups; however, the best practice is to grant only the group memberships that are necessary and not assign excessive memberships, since managing permissions can get confusing when a user logs on to that computer and effectively holds the memberships of the groups to which the computer is assigned. As with user accounts, group membership of computer accounts is of utmost importance. To add a computer to a different security group, click Add, type in the group name, and then click Check Names. Click OK to return to the computer properties. Repeat this process to add a computer to multiple groups. Windows allows a computer to belong to many groups, one of which is the computer's primary group. You can also set the computer's primary group in the Member Of tab by clicking Set Primary Group. The selected group becomes the primary group and is displayed in bold; the group that was previously the primary group is no longer in bold.

Figure 3.22 The Member Of Tab
6. Click the Location tab. This tab contains the physical location of the computer.
7. Click the Managed By tab. As shown in Figure 3.23, this tab contains the contact information for the person responsible for this computer. To add an appropriate person, click the Change … button, type in the person's name, and then click Check Names. Click OK to return to the Managed By screen.

Figure 3.23 The Managed By Tab

8. Click the Dial-in tab. This tab contains the dial-in settings that control whether this computer is allowed to use dial-in services.
9. Click OK. Close the Active Directory Users and Computers console.
Creating a New Computer Account Using a Script

To create a computer account using a script, you can use either VBScript or the built-in dsadd command. I have found the dsadd command useful because it lets you use command lines in batch files for day-to-day administrative tasks. The following is an example of VBScript used to create a computer account in Active Directory:

    ' This code creates a computer account named JOANNAWKS
    ' ------ SCRIPT CONFIGURATION ------
    strBase = "<ParentComputerDN>"    ' e.g. cn=Computers,dc=admastering,dc=com
    strComp = ""                       ' e.g. JOANNAWKS
    strDescr = ""                      ' e.g. Joanna's workstation
    ' ------ END CONFIGURATION ------
    ' ADS_USER_FLAG_ENUM
    Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000
    Set objCont = GetObject("LDAP://" & strBase)
    Set objComp = objCont.Create("computer", "cn=" & strComp)
    objComp.Put "sAMAccountName", strComp & "$"    ' computer logon names always end in $
    objComp.Put "description", strDescr
    objComp.Put "userAccountControl", ADS_UF_WORKSTATION_TRUST_ACCOUNT
    objComp.SetInfo
Resetting a Computer Account Using Active Directory Users and Computers

As explained in the previous section, every computer in your domain establishes a secure channel of communication with the domain controller to transfer data securely. This requires each computer to provide a password at the time of logon. This randomly generated password is stored on the domain controllers for authentication purposes and is updated automatically every 30 days. It is possible for the password held by the computer and the password stored for its account on the domain controllers to stop matching, in which case communication between the two machines fails. If that is the case, you may want to reset the computer account in Active Directory so that the computer can reestablish the connection. In Exercise 3.7, we will reset a computer account.
EXERCISE 3.7 RESETTING A COMPUTER ACCOUNT BY USING ACTIVE DIRECTORY USERS AND COMPUTERS

1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational unit where the computer account resides. Right-click the desired computer account and then click Reset Account.
4. Click Yes in the Active Directory Domain Services dialog box to confirm that the computer account should be reset.
5. You will receive a confirmation box, as shown in Figure 3.24, indicating that the computer account (computer name) was successfully reset.
6. Click OK to continue.

Figure 3.24 Active Directory Domain Services
Creating and Modifying Groups

As an Active Directory administrator, you will work with groups in order to minimize and simplify administrative effort by assigning permissions and rights to a group of users rather than to individual users. In generic terms, a group is just a collection of objects. Groups are used most frequently in a security context, whereby you set up a group of users and apply certain permissions or rights to that group. Applying security to a group is much easier and quicker than applying it to individual users. In an Active Directory environment, you can use groups for many different purposes, including controlling access to resources (such as shared folders, files, printers, and so on), e-mail distribution lists, and filtering the application of group policies. Groups are not a new concept in Active Directory and the Windows environment. As an administrator, it is important that you understand the different types of groups; how to create, delete, and modify them; and other common tasks, such as adding members to groups, changing a group's scope, and assigning permissions to a group rather than to an individual user. In Active Directory, groups are flexible objects, given that they can contain any other type of Active Directory object as a member. For example, besides creating groups of users, you can also create groups of computers, contacts, and other groups. The type and scope of a group determine its usage in Active Directory. Active Directory allows you to create security and distribution groups. Security groups are mostly used to assign permissions to resources, whereas distribution groups are used for e-mail distribution. Most of your management should be done through groups. You can also use security groups as e-mail distribution groups; however, it is recommended that you use distribution groups rather than security groups for that purpose.

The scope, or area of influence, of a group determines where in the forest the members of the group can be located and where in the forest you can use the group to assign permissions. This lesson introduces you to the various types of groups along with common administrative tasks you can perform on them. You will also learn about the various categories of default groups, and at the end I'll share with you how to plan a group strategy.
Creating a Group

Groups are created in Active Directory using the Active Directory Users and Computers MMC snap-in or via script using a command-line utility such as dsadd. However, before we get into the business of creating and managing groups, we must understand group types, group scopes, and their relationship with other objects in Active Directory. The Active Directory environment includes several built-in groups. I'll describe them over the course of the next few pages to make sure you understand their scope and usage before you attempt to create your own custom groups (or use the built-in groups) to meet the needs of your organization.
Types of Groups

As discussed before, the purpose of groups is to control user permissions by grouping users according to similar permissions or job functions. This simplifies our work as Active Directory administrators because we can manage users at the group level instead of granting permissions at the individual user level. If you have worked at all with Windows 2000 and Windows 2003, you are certainly familiar with local, global, and universal groups, and how they are employed to organize users so they can access resources. Not many changes have occurred with these groups, except that Windows Server 2008 has a few new built-in groups. In the next few pages, we will get into the details of groups and their various types. In Active Directory, you create groups either to assign permissions or to distribute e-mail messages. To facilitate this, Active Directory uses two types of groups: the security group and the distribution group. All group details and membership information are stored in the Active Directory database.

■ Security Groups: Windows Server 2000/2003/2008 uses security groups to assign permissions to resources such as folders, files, printers, and applications. Technically, security groups can also be used to distribute e-mail, but it is recommended that security groups be used for one purpose only: to assign permissions to resources.

■ Distribution Groups: Distribution groups cannot be used to assign permissions. They are used only for non-security-related functions, such as sending e-mail messages to a group of users. Programs such as Microsoft Exchange are designed to use distribution groups as distribution lists for sending e-mail messages to multiple users.
Group Scopes

Now that we understand group types, it's time to discuss group scopes. When we create a group, we must select a group scope along with the group type. The scope of a group determines the boundaries of the group: where in the forest its members can come from and where in the forest you can use the group to assign permissions. The three group scopes are domain local, global, and universal. Table 3.5 lists the different group scopes.

Table 3.5 Group Scopes

Group Scope     Description
Domain local    ■ Limited to a single domain only.
                ■ Members can come from any domain in a forest.
                ■ Members access resources only in the local domain.
                ■ Domain local groups are not visible outside their own domain.
Global          ■ Members can come only from the local domain.
                ■ Members can access resources in any domain in a forest.
                ■ Global groups are visible to all trusted domains.
                ■ Global groups can have users and groups from within their own domain as members.
                ■ Global groups can be nested.
Universal       ■ Members can come from any domain in a forest.
                ■ Members can access resources in any domain in a forest.
                ■ Universal groups are visible to all trusted domains.
                ■ Universal groups can have users and groups from any trusted domain as members.
Universal Groups Replication Concerns

Before we get into more details about group membership and the step-by-step procedure to create these groups, it is time to understand one critical factor: the replication impact of universal groups. Universal security groups get their membership information from a global catalog server. Universal groups continuously communicate with a global catalog server to get information about members from other domains. Whenever a change occurs, such as adding a user to or removing a user from a universal group, the change is replicated to every other global catalog in the forest.
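The group type and scope in Table 3.5, and the account type set by the user and computer scripts earlier in this chapter, are all stored as bit flags in the groupType and userAccountControl attributes. When you audit an export of these values (for instance, to list the universal security groups whose membership changes replicate to every global catalog), the flags need decoding, and directory export tools print groupType as a signed 32-bit number, so a security group shows up as a negative value. The following Python script is an added example, not code from the book; it uses the ADS_GROUP_TYPE_ENUM and ADS_USER_FLAG_ENUM constant values, and the export text, distinguished names and group names in it are constructed for the example.

```python
# Decode groupType and userAccountControl bitmasks from a directory export.
# Added example, not from the book; SAMPLE_EXPORT is constructed, not real data.

# ADS_GROUP_TYPE_ENUM values (the names the book's group script uses).
ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# ADS_USER_FLAG_ENUM values (the first two appear in the book's user and computer scripts).
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
ADS_UF_ACCOUNTDISABLE = 0x0002

SCOPE_NAMES = {
    ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP: "domain local",
    ADS_GROUP_TYPE_GLOBAL_GROUP: "global",
    ADS_GROUP_TYPE_UNIVERSAL_GROUP: "universal",
}

def to_unsigned32(value):
    """Reinterpret a signed export value as the unsigned 32-bit mask AD stores."""
    return value & 0xFFFFFFFF

def decode_group_type(value):
    """Return (scope, kind) for a groupType value, e.g. ('global', 'security')."""
    bits = to_unsigned32(value)
    scopes = [name for flag, name in SCOPE_NAMES.items() if bits & flag]
    if len(scopes) != 1:
        raise ValueError("groupType %#x does not carry exactly one scope bit" % bits)
    kind = "security" if bits & ADS_GROUP_TYPE_SECURITY_ENABLED else "distribution"
    return scopes[0], kind

def decode_account_control(value):
    """Return (account kind, disabled?) for a userAccountControl value."""
    bits = to_unsigned32(value)
    if bits & ADS_UF_WORKSTATION_TRUST_ACCOUNT:
        kind = "computer"
    elif bits & ADS_UF_NORMAL_ACCOUNT:
        kind = "user"
    else:
        kind = "other"
    return kind, bool(bits & ADS_UF_ACCOUNTDISABLE)

def parse_ldif(text):
    """Minimal LDIF reader for single-line 'attr: value' records separated by blank lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    if current:
        entries.append(current)
    return entries

def universal_security_groups(text):
    """Names of the universal security groups, whose membership is held in the global catalog."""
    names = []
    for entry in parse_ldif(text):
        if "groupType" in entry:
            scope, kind = decode_group_type(int(entry["groupType"]))
            if (scope, kind) == ("universal", "security"):
                names.append(entry["cn"])
    return names

# Constructed sample export; the DNs, names and values are illustrative only.
SAMPLE_EXPORT = """\
dn: CN=Sales,OU=Users,DC=admastering,DC=com
cn: Sales
groupType: -2147483646

dn: CN=All Staff,OU=Users,DC=admastering,DC=com
cn: All Staff
groupType: -2147483640

dn: CN=Newsletter,OU=Users,DC=admastering,DC=com
cn: Newsletter
groupType: 8

dn: CN=JOANNAWKS,CN=Computers,DC=admastering,DC=com
cn: JOANNAWKS
userAccountControl: 4096

dn: CN=Joanna DiSouza,OU=Users,DC=admastering,DC=com
cn: Joanna DiSouza
userAccountControl: 514
"""

if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_EXPORT):
        if "groupType" in entry:
            print(entry["cn"], decode_group_type(int(entry["groupType"])))
        else:
            print(entry["cn"], decode_account_control(int(entry["userAccountControl"])))
    print("universal security groups:", universal_security_groups(SAMPLE_EXPORT))
```

The value -2147483646 in the sample is what a global security group (0x80000002) looks like after a signed export, and 514 is a normal user account (512) that is disabled (2); the script masks the value back to 32 bits before testing any flag, which is the step most ad hoc audit scripts get wrong.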
Group Strategies

If you have used Windows NT 4.0, Windows 2000, or Windows 2003, you might be familiar with the term "group nesting," which refers to adding groups to other groups (known as nesting) to reduce the number of times permissions need to be assigned. In Windows Server 2008, you can add unlimited levels of nesting in domains. Let me give you a quick example to clarify and explain group nesting. Your organization may have offices in diverse geographical locations and a number of salespeople working in each geographical region. You can create a group for the salespeople of each region, such as East Sales, West Sales, North Sales, and Central Sales, and add the salespeople to their own regional group. You can then add each regional group to another group called Worldwide Sales Team. If you need to assign permissions to access regional resources, use the regional groups. When all the salespeople in the network need access to a resource, you assign permissions only to the Worldwide Sales Team. This group strategy allows for the easy assignment of permissions. The following are general guidelines for group nesting:

■ Minimize the level of nesting. If you have multiple groups nested within each other, it will be harder for you to troubleshoot permissions issues.

■ Document group membership to keep track of group memberships and permission assignments.
Microsoft has introduced the concepts of AGDLP and AGGUDLP for managing access to domain resources. AGDLP stands for Accounts > Global > Domain Local > Permissions, while AGGUDLP stands for Accounts > Global Groups > Global Groups > Universal Groups > Domain Local Groups > Permissions; both are applied when planning and implementing the construction of groups and the assignment of permissions on resources. Here is how AGDLP describes the practice:

■ A: Create the user account(s).
■ G: Create a global group and add the user account(s) to the global group as members.
■ DL: Create a domain local group in the domain that contains the resource, and then add the global group as a member of this domain local group.
■ P: Assign permissions on the resource using the domain local group.
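When nesting goes several levels deep, the question that comes up in troubleshooting is which permissions a user ends up with and through which chain of groups, and whether every nesting step is one that the scope rules in Table 3.5 actually allow. The following Python model is an added example, not code from the book and not something Active Directory itself provides: it lays the regional sales groups out as an AGDLP chain (the domain local group Sales Share Readers, the share name and the canada.admastering.com child domain are my constructions) and computes effective membership, nesting depth and scope violations over that constructed data. The scope rules it encodes are the standard ones: a global group may contain only accounts and global groups from its own domain, a universal group may contain accounts, global and universal groups from any domain, and a domain local group may contain accounts, global and universal groups from any domain plus domain local groups from its own domain.

```python
# Effective group membership through nesting, with a group scope check.
# Added example, not from the book; every object below is constructed.
from collections import deque

# Constructed directory: name -> (object class, scope, domain, direct members).
DIRECTORY = {
    "joanna": ("user", None, "admastering.com", []),
    "East Sales": ("group", "global", "admastering.com", ["joanna"]),
    "West Sales": ("group", "global", "admastering.com", []),
    "Worldwide Sales Team": ("group", "global", "admastering.com", ["East Sales", "West Sales"]),
    # DL in AGDLP: the group that actually carries the permission on the resource.
    "Sales Share Readers": ("group", "domain local", "admastering.com", ["Worldwide Sales Team"]),
    # Deliberately wrong memberships (a global group holding a domain local group and a
    # user from another domain) so that the scope check has something to report.
    "Canada Staff": ("group", "global", "canada.admastering.com", ["joanna", "Sales Share Readers"]),
}

# P in AGDLP: resource -> group that was granted access to it (constructed).
PERMISSIONS = {r"\\fs1\sales": "Sales Share Readers"}

# Member kinds each scope may contain, and whether the member must come from the same domain.
ALLOWED_MEMBERS = {
    "global": {"user": True, "global": True},
    "universal": {"user": False, "global": False, "universal": False},
    "domain local": {"user": False, "global": False, "universal": False, "domain local": True},
}

def member_kind(name, directory=DIRECTORY):
    """'user' for accounts, otherwise the group's scope."""
    cls, scope, _, _ = directory[name]
    return "user" if cls == "user" else scope

def effective_groups(principal, directory=DIRECTORY):
    """Transitive memberOf via breadth-first search: {group: nesting depth}. Cycles are tolerated."""
    parents = {}
    for name, (_, _, _, members) in directory.items():
        for member in members:
            parents.setdefault(member, []).append(name)
    depth, queue = {}, deque([(principal, 0)])
    while queue:
        obj, level = queue.popleft()
        for group in parents.get(obj, []):
            if group not in depth:  # first visit is the shortest nesting path
                depth[group] = level + 1
                queue.append((group, level + 1))
    return depth

def effective_permissions(principal, directory=DIRECTORY, permissions=PERMISSIONS):
    """Resources the principal can reach, with the nesting depth of the group that grants them."""
    groups = effective_groups(principal, directory)
    return {res: groups[grp] for res, grp in permissions.items() if grp in groups}

def scope_violations(directory=DIRECTORY):
    """(group, member) pairs whose membership the group scope rules do not allow."""
    bad = []
    for name, (cls, scope, domain, members) in directory.items():
        if cls != "group":
            continue
        for member in members:
            same_domain_required = ALLOWED_MEMBERS[scope].get(member_kind(member, directory))
            if same_domain_required is None or (
                same_domain_required and directory[member][2] != domain
            ):
                bad.append((name, member))
    return bad

if __name__ == "__main__":
    print("groups:", effective_groups("joanna"))
    print("permissions:", effective_permissions("joanna"))
    print("scope violations:", scope_violations())
```

Run against the constructed data, joanna reaches the sales share three nesting levels away (East Sales, then Worldwide Sales Team, then Sales Share Readers), which is the kind of depth the guideline above asks you to keep an eye on, and the two memberships of Canada Staff are reported because a global group can hold neither a domain local group nor a user from another domain.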
Creating a New Group Using Active Directory Users and Computers

The Active Directory Users and Computers console is used to create new groups and add members to those groups. You can create groups by performing the steps outlined in Exercise 3.8.

EXERCISE 3.8 CREATING A NEW GROUP BY USING ACTIVE DIRECTORY USERS AND COMPUTERS

1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational unit to house the new group. Right-click the container, click New, and then click Group to create the new group. This brings up the New Object—Group window.
4. Enter the name of the group and select the group scope (Domain Local, Global, or Universal) and the group type (Security or Distribution). Once you have entered the group information, click OK to continue.
Modifying a Group Using Active Directory Users and Computers

Like all Windows Server 2008 objects, a group has a set of default properties or attributes associated with it. Once the group has been created, these properties can be modified. For example, you can add a description of the group and define the group manager. Once you have created the group, you can manage it by double-clicking the group object in the Active Directory Users and Computers MMC snap-in. In Exercise 3.9, we will examine several group attributes and values. An explanation of each tab setting is provided to help you understand these attributes and values.
EXERCISE 3.9 MODIFYING A NEW GROUP BY USING ACTIVE DIRECTORY USERS AND COMPUTERS

1. Log on to the Active Directory domain controller with administrative privileges.
2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational unit where the group resides. Right-click the desired group and then select Properties.
4. The General tab contains the group name, description, e-mail address, group scope, group type, and notes. Type in the appropriate information, as shown in Figure 3.25.
Figure 3.25 The General Tab
5. Click the Members tab. This tab lists the group members, as shown in Figure 3.26. By default, a newly created group has no members. You can add a user account, another member, or a group by clicking Add, typing in the name, and then clicking Check Names. Click OK to add the member to the group.
Figure 3.26 The Members Tab
6. Click the Member Of tab to add this group to other security groups, and thereby assign it permissions to domain resources. To add the group to a different security group, click Add, type in the group name, and then click Check Names. Click OK to add the group to the selected group.
7. Click the Managed By tab. As shown in Figure 3.27, this tab contains the contact information of the person responsible for this group. To add an appropriate person, click the Change … button, type in the person's name, and then click Check Names. Click OK to return to the Managed By screen.

Figure 3.27 The Managed By Tab

8. Click Apply, and then click OK to finalize the changes and view the group within its Active Directory container in the Active Directory Users and Computers snap-in.
Creating a New Group Using Script

To create a group using a script, you can use VBScript or the built-in dsadd command. I've found the dsadd command useful since it allows you to use command lines in batch files for day-to-day user administrative tasks. The following is an example of VBScript used to create a group in Active Directory:

    ' This code creates a single group named Sales
    ' ------ SCRIPT CONFIGURATION ------
    strGroupParentDN = ""    ' e.g. ou=Users,dc=admastering,dc=com
    strGroupName = ""        ' e.g. Sales
    strGroupDescr = ""       ' e.g. Sales group
    ' ------ END CONFIGURATION ------
    ' Constants taken from ADS_GROUP_TYPE_ENUM
    Const ADS_GROUP_TYPE_GLOBAL_GROUP = 2
    Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 4    ' 0x4 in ADS_GROUP_TYPE_ENUM
    Const ADS_GROUP_TYPE_LOCAL_GROUP = 4
    Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = 8
    Const ADS_GROUP_TYPE_SECURITY_ENABLED = -2147483648    ' 0x80000000 as a signed 32-bit value
    Set objOU = GetObject("LDAP://" & strGroupParentDN)
    Set objGroup = objOU.Create("group", "cn=" & strGroupName)
    ' A security-enabled global group; omit ADS_GROUP_TYPE_SECURITY_ENABLED for a distribution group
    objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
    objGroup.Put "description", strGroupDescr
    objGroup.SetInfo
The Delegation of Tasks

One reason to create multiple OUs is to delegate administrative responsibilities and divide the administrative workload between different administrators. Delegation is a powerful concept and tool in Active Directory. As a concept, it has been around for a while, so Windows 2000 and Windows 2003 administrators may find the information in this section a little repetitive; you can either skip the section or take a quick glance to review the information. In this lesson, we'll learn how to use the Delegation Of Control Wizard to delegate administrative control of domains, OUs, and containers to other administrators, groups, or users within your organization so they can perform certain administrative functions according to their requirements. Delegation lets you set up decentralized administration (to share the workload) while still maintaining control of your overall enterprise network. Delegation is easy to configure, but you must establish a careful plan before implementing it. Though the delegation wizard is simple and straightforward, you still need to be aware of how permissions and permission inheritance work in the AD structure. In a small or medium-sized organization, a few administrators are responsible for managing Active Directory objects. In a large organization, however, administration is divided between different administrators. To ensure these administrators receive appropriate permissions, you run the delegation wizard to set up permissions at the domain, OU, and container levels. Consider an example. If Khalid is an administrator of the domain, he can grant a new trainee or a group of users permissions on a particular container in Active Directory; a trainee or group given Full Control on the North America container will then have Full Control in every container below North America. Depending on your requirements, Khalid can give users Full Control or granular permissions, such as resetting passwords or creating new users only, so that they can perform a limited set of tasks. In other words, as an administrator, you can delegate some responsibilities, but not necessarily all of them. With Delegation of Control, you keep your "administrative hand" over the enterprise and all the tasks performed in it, while delegating easier tasks to other people. Delegation of Control is an excellent tool that allows you to hand part of your workload to new or inexperienced administrators without creating challenges for yourself or anyone else. You can use Delegation of Control in many different ways, but make sure that whichever method you choose fits your administrative model. In most cases, we delegate permissions at the OU and container levels rather than at the domain level. You can further fine-tune your permissions by controlling whether inheritance takes effect for all objects and for child and grandchild OUs within that OU. In the following section, we will delegate task responsibilities to several inexperienced administrators. An explanation of each step is provided to help you understand these values.
EXERCISE 3.10 DELEGATING PERMISSIONS ON AN OU TO NEW USERS BY USING ACTIVE DIRECTORY USERS AND COMPUTERS 1. Log on to the Active Directory domain controller with administrative privileges. 2. Click Start | Programs | Administrative Tools and then click Active Directory Users and Computers. 3. Select the appropriate Active Directory container or organizational unit where you want to delegate control, click the Action menu, and then click Delegate Control. 4. The Delegation of Control Wizard begins with a Welcome screen, shown in Figure 3.28. Click the Next button to continue.
www.syngress.com
Working with Users, Groups, and Computers • Chapter 3
Figure 3.28 The Delegation of Control Wizard
5. The Users Or Groups window appears (Figure 3.29). Click the Add button and type in the name of the user(s) or group(s) to which you want to delegate control. Click Check Names to verify the names, and then click OK to add the user or group to the list. Use the Remove button if you need to remove a user or group from the list. Click the Next button on the Users Or Groups page.
Figure 3.29 The Users Or Groups Screen
6. On the Tasks To Delegate page, as shown in Figure 3.30, you have two radio button options. You can either choose to Delegate The Following Common Tasks, in which you select the desired options, or you can choose to Create A Custom Task To Delegate. The first option has many predefined tasks, while the custom option allows you to have more granular control and delegation. Most organizations may find that delegating the following common tasks is sufficient for their needs. This section is focused only on delegating common tasks instead of creating a custom task. If you decide to delegate common tasks, you have the following check box list from which to select.
Figure 3.30 Tasks to Delegate
■ Create, delete, and manage user accounts: This option enables you to delegate the right to create, delete, and configure user accounts.
■ Reset user passwords and force password changes at the next logon: This option enables you to delegate the right to reset passwords only. This option is helpful if you want to give a particular user or group, such as help desk users, the right to reset passwords when users forget their passwords or need to be assigned a new password.
■ Read all user information: This option enables you to delegate the right to read all user information.
■ Create, delete, and manage groups: This option lets you delegate to the user or group the right to create, delete, and configure group accounts.
■ Modify the membership of a group: This option lets you delegate to the user or group the right to modify the membership of an existing group, but not to create, delete, or configure group accounts.
■ Manage Group Policy links: This option enables you to delegate to the user or group the right to manage Group Policy links and make changes to them.
■ Generate Resultant Set of Policy (Planning): This option enables you to delegate to the user or group the right to generate resultant sets of policy in planning mode, to plan any group policy implementation, but they won’t be able to perform any logging or manage group policy links.
■ Generate Resultant Set of Policy (Logging): This option lets you delegate to a user or group the right to generate a resultant set of policy in logging mode, but they won’t be able to perform any planning or manage any group policy links.
■ Create, delete, and manage inetOrgPerson accounts: This option enables you to delegate the right to create, delete, and manage inetOrgPerson accounts.
■ Reset inetOrgPerson passwords and force password change at next logon: This option lets you delegate the right to reset inetOrgPerson passwords and force password changes at the next logon.
■ Read all inetOrgPerson information: This option enables you to delegate the right to read all inetOrgPerson user information.
7. On the Completing The Delegation Of Control Wizard page, as shown in Figure 3.31, review your selections, and then click the Finish button if it is accurate. If it is not accurate, use the Back button to make changes and then click Finish.
Figure 3.31 Completing the Delegation of Control Wizard
■ Verifying Delegated Permissions: Once you finish the delegation, you can verify permissions by right-clicking the container, and then clicking Properties. Click the Security tab. Here you will be able to verify your permissions.
■ Removing Delegated Permissions: The Delegation Of Control Wizard can be used only to grant administrative permissions. If you want to remove those privileges, you must do so manually in the Security tab of the Properties dialog box for the container and in the Advanced Security Settings dialog box for the container.
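Checking one Security tab at a time does not scale, so here is an added PowerShell example (not from the book) that lists every explicit, non-inherited ACE on the OUs under a search base and resolves the attribute and extended-right GUIDs to names such as Reset Password, which is the form the wizard's choices take in the ACL. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine; the OU path and domain name are hypothetical.

```powershell
# Added example (not from the book): list the explicit ACEs that the Delegation of Control
# Wizard writes on OUs, so delegations can be reviewed in bulk. Requires the ActiveDirectory
# module (RSAT); the AD: drive it creates is what Get-Acl reads. OU names below are hypothetical.
Import-Module ActiveDirectory

# Build a GUID-to-name table from the schema (attributes and classes) and from the
# Extended-Rights container (control access rights such as "Reset Password").
function Get-AdGuidNameMap {
    $map = @{}
    $rootDse = Get-ADRootDSE
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.name }
    $map
}

function Get-OuDelegation {
    param(
        # Defaults to the whole domain; pass an OU DN to narrow the audit.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $guidName = Get-AdGuidNameMap
    $resolve = {
        param([guid]$g)
        if ($g -eq [guid]::Empty) { 'All' }
        elseif ($guidName.ContainsKey($g)) { $guidName[$g] }
        else { $g.ToString() }
    }

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $ou  = $_
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            # Inherited entries come from a parent; the wizard writes explicit entries on the
            # OU you selected, so only those are reported here.
            if ($ace.IsInherited) { continue }
            $who = $ace.IdentityReference.Value
            # Skip the built-in principals that appear on every OU by default.
            if ($who -match '^(NT AUTHORITY|BUILTIN)\\' -or
                $who -match '^S-1-5-32-' -or
                $who -match '\\(Domain|Enterprise|Key|Enterprise Key) Admins$') { continue }
            [pscustomobject]@{
                OU          = $ou.DistinguishedName
                Principal   = $who
                Type        = $ace.AccessControlType              # Allow or Deny
                Rights      = $ace.ActiveDirectoryRights          # e.g. ExtendedRight, WriteProperty
                Right       = & $resolve $ace.ObjectType          # which attribute or extended right
                AppliesTo   = & $resolve $ace.InheritedObjectType # which object class (e.g. user)
                Inheritance = $ace.InheritanceType
            }
        }
    }
}

# Example usage (hypothetical OU): audit one OU subtree and show the result as a table.
Get-OuDelegation -SearchBase 'OU=North America,DC=example,DC=com' | Format-Table -AutoSize
```

Because the wizard only grants, an unwanted entry found this way has to be removed by hand, from the Advanced Security Settings dialog described above or with dsacls "<OU DN>" /R "<DOMAIN\group>".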
RODC (Read-Only Domain Controller)
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 Active Directory environment that allows organizations to easily deploy a domain controller in locations where physical security cannot be guaranteed. Besides providing improved security, faster logon, unidirectional replication, credential caching, and more efficient resource access, one of the biggest advantages of the RODC is Admin role separation. Instead of your remote administrators accessing the RODC remotely to perform administrative tasks on the server, the RODC allows you to give a user local administrator rights on the RODC without giving that person domain administrative permissions. You can delegate local administrative permissions for an RODC to any domain user to perform day-to-day administrative tasks, such as stopping services, running backups, installing drivers, rebooting the server, and installing updates, patches, and service packs. This limits the RODC local administrator to permissions on that particular branch office RODC, without any user rights for the domain or other domain controllers. In this way, the branch user performs certain tasks to manage the RODC without compromising security. Administrative separation on the RODC has the potential to reduce the administrative burden on central administrators by delegating basic operational responsibilities to the branch office user. This option may require additional training for your branch office user; however, it is an excellent way to decentralize operational tasks. This option provides extensive security, since the site administrator logs on using an administrative account that is local to the RODC rather than using their domain credentials. On the other hand, this option will produce more work for you as an administrator, because you have to manage separate logons for each RODC in each remote location. Though it may add some extra challenges, the benefits are well worth it.
Exam Objectives Fast Track
Navigating Active Directory Users and Computers
˛ The Active Directory Users and Computers administration console allows you to manage domain controllers, organizational units (OUs), group policies, and domain security policies.
˛ Attribute Editor is available in the Active Directory Users and Computers MMC snap-in with advanced features enabled. It is easier to use and navigate the Active Directory Users and Computers snap-in than ADSIEdit.msc.
˛ The Active Directory administrative console is installed automatically on Windows Server 2008 domain controllers.
Creating and Modifying User Accounts
˛ Local user profiles are available only at the local computer. They are created in the user’s profile directory on each system where the user logs on. When the user logs on to a system for the first time, and if there is no profile defined, the system uses the \Documents and Settings\Default User profile to create the new local user profile in the \Documents and Settings\username directory. If the user logs on to many different systems in your domain, he will be unable to maintain one profile, and may end up with many profiles on many different systems.
˛ Roaming user profiles allow users to maintain one profile while they log on at multiple computers and move from system to system. A roaming profile is a shared folder on a server that allows a user to access the profile from any system in the domain. Whenever a user starts a session, the profile is copied from the shared network folder to the local computer. Once copied to the local system, all the user’s settings are updated in the local profile and copied back to the shared folder on the server when the user logs off.
˛ Mandatory user profiles are read-only roaming profiles that are used to maintain desktop consistency. No modifications will ever be saved to the user’s profile. Users will be able to modify desktop settings and several other settings, but these won’t be saved when the user logs off. Like roaming profiles, a mandatory profile is also a shared network folder that allows the user to access the mandatory profile from any system in the domain. No user should be allowed to make changes to mandatory user profiles except system administrators.
˛ Temporary user profiles are used only if the user’s profile is unable to load due to errors. At the end of each session, temporary user profiles are deleted, and therefore all changes made during the session are lost when the user logs off from the system.
˛ Understand that users in your Active Directory domain must have a strong password. A strong password is at least seven to nine characters long, does not contain the user’s account name, and consists of characters from at least three of the following four groups: uppercase characters, lowercase characters, numbers, and special keyboard symbols, such as !, @, #, $, ∗.
Creating and Modifying Computer Accounts
˛ Each computer in your domain provides a password to the domain controller at the time of logon. This randomly selected password is updated automatically every 30 days. It is possible that the computer’s password and the password stored on the domain controller don’t match, in which case communication between the two machines fails. If this is the case, you may want to reset the computer account in Active Directory so that the computer is able to reestablish the connection.
Creating and Managing Objects
˛ Many graphical management tools are built using the Microsoft Management Console and snap-ins.
˛ You can create and manage an Active Directory object via MMC snap-ins, scripts, and PowerShell.
˛ Most graphical administration tools can be found as preconfigured management consoles accessible via Start | Programs | Administrative Tools. Understand how Active Directory objects can be organized by using the Active Directory Users and Computers tool.
Creating and Modifying Groups
˛ Windows Server 2000/2003/2008 uses security groups to assign permissions to resources like folders, files, printers, and applications. Technically, security groups can also be used to distribute e-mail, but it is recommended that you use security groups for one purpose only: to assign permissions to resources.
˛ Understanding the purpose of local, global, and universal groups is essential in Windows Server 2008.
˛ Domain Local groups are limited to a single domain only. Members can come from any domain in a forest; members can access resources only in the local domain; and Domain Local groups are not visible outside their own domain.
˛ Global group members can come only from the local domain; members can access resources in any domain in a forest; Global groups are visible to all trusted domains and can have user and group members from within their own domain. Global groups can be nested.
˛ Universal group members can come from any domain in a forest; members can access resources in any domain in a forest. Universal groups are visible to all trusted domains and can include user and group members from any trusted domain.
˛ Using groups can help you simplify administration by granting rights and assigning permissions once to a group rather than multiple times to each individual member.
˛ The concepts of AGDLP and AGGUDLP are important in managing domain resources. AGDLP stands for Accounts > Global > Domain Local > Permissions, while AGGUDLP stands for Accounts > Global Groups > Global Groups > Universal Groups > Domain Local Groups, and both are applied when planning and implementing the construction of groups, as well as the assigning of permissions on resources.
˛ Universal security group replication issues are important because universal security groups get member information from a global catalog server. Universal groups continuously communicate with a global catalog server to get information about members from other domains. In case of any changes, such as adding/removing a user from a universal group, the changes are replicated to the other global catalogs in the forest.
˛ Group deletion only deletes the group and removes the permissions associated with it. Deleting a group does not delete the user accounts that are members of the group.
˛ Members of groups may include user accounts, contacts, other groups, and computers.
˛ Every domain user is given a friendly name, known as the user principal name (UPN), in order to help users log on to the domain. The UPN is an Internet-style logon name, which is shorter than the distinguished name and thus easier to remember.
Delegation of Tasks
˛ The Delegation of Control Wizard is used to assign specific permissions to specific users. It helps administrators distribute the load to system administrators and regional administrators.
˛ RODC allows you to delegate local administrative permissions for an RODC to any domain user to perform day-to-day administrative tasks such as stopping services, making backups, installing drivers, rebooting the server, and installing updates, patches, and service packs.
Exam Objectives Frequently Asked Questions
Q: What methods are available for me as an administrator to navigate Active Directory?
A: Administrators can use Active Directory Users and Computers, PowerShell, and the ds commands to navigate Active Directory.
Q: Which tools can I use to edit attributes of objects in Active Directory?
A: ADSIEdit.msc is a graphical console that is used to edit attributes of objects in Active Directory.
Q: What is the difference between Active Directory Users and Computers and ADSIEdit.msc?
A: The Active Directory Users and Computers tool is used for day-to-day administration, whereas ADSIEdit.msc is another graphical tool that allows you to modify object attributes and low-level object information.
Q: What is the difference between a local user account and a domain user account?
A: Local user accounts are created only in the computer’s local security database and do not replicate to the domain controllers. They authenticate locally to gain access to local resources, whereas domain user accounts are used to gain access to domain resources.
Q: What is the purpose of renaming the Administrator user account?
A: Renaming the Administrator account provides you with extra security against hackers and intruders, and makes it difficult for unauthorized users to guess the administrative account’s logon name.
Q: My organization does not wish to allow users to save their desktop settings in their profile. What can I do to prevent users from saving their desktop settings in their profile?
A: Use mandatory profiles, since they are read-only profiles and allow you to maintain desktop consistency.
Q: What is an example of a strong user password?
A: A strong password:
■ Does not contain dictionary words.
■ Does not contain a username, real name, pet name, family member’s name, or company name.
■ Is between 7 and 14 characters long.
■ Is different from previous passwords.
■ Is a combination of uppercase, lowercase, numbers and special characters. An example of a strong password is Sh4$$n0n87r67}D.
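As an added example (not from the book), the PowerShell function below checks a candidate password against the rules listed in this answer and in the Fast Track: a minimum of seven characters, no account name or personal/company names, no dictionary words, at least three of the four character classes, and not equal to a previous password. The dictionary word list and the account names are constructed, and the 14-character upper bound is left unenforced because the example password above is 15 characters long.

```powershell
# Added example (not from the book): evaluate a password against the strong-password rules
# given in this chapter. The word list and names used below are constructed for the demo.
function Test-StrongPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$AccountName = '',
        [string[]]$ForbiddenNames = @(),      # real name, pet name, family names, company name
        [string[]]$PreviousPasswords = @(),
        [string[]]$DictionaryWords = @('password', 'welcome', 'summer', 'winter', 'admin', 'secret')
    )
    $failures = @()

    # Fast Track rule: at least seven characters.
    if ($Password.Length -lt 7) { $failures += 'shorter than 7 characters' }

    # The account name and other personal or company names must not appear anywhere
    # in the password, regardless of case.
    foreach ($name in @($AccountName) + $ForbiddenNames) {
        if ($name -and $Password -imatch [regex]::Escape($name)) {
            $failures += "contains the name '$name'"
        }
    }

    foreach ($word in $DictionaryWords) {
        if ($Password -imatch [regex]::Escape($word)) { $failures += "contains dictionary word '$word'" }
    }

    # Exact, case-sensitive comparison against the history list.
    if ($PreviousPasswords -ccontains $Password) { $failures += 'matches a previous password' }

    # Count the character classes present: uppercase, lowercase, digits, other symbols.
    $classes = 0
    if ($Password -cmatch '[A-Z]') { $classes++ }
    if ($Password -cmatch '[a-z]') { $classes++ }
    if ($Password -match '[0-9]') { $classes++ }
    if ($Password -match '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $failures += "uses only $classes of the 4 character classes" }

    [pscustomobject]@{
        Password = $Password
        IsStrong = ($failures.Count -eq 0)
        Failures = $failures
    }
}

# The book's own example password passes; two constructed weak ones show which rules fail.
$names = 'John', 'Smith', 'Contoso'
Test-StrongPassword -Password 'Sh4$$n0n87r67}D' -AccountName 'jsmith' -ForbiddenNames $names
Test-StrongPassword -Password 'Contoso2008' -AccountName 'jsmith' -ForbiddenNames $names
Test-StrongPassword -Password 'welcome1' -AccountName 'jsmith' -PreviousPasswords 'welcome1'
```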
Q: My organization is planning to create multiple users in Active Directory. Can I use scripting to achieve this?
A: Yes, you can use scripting and a combination of built-in tools like dsadd to add multiple users.
Q: What is the purpose of a computer account?
A: Computer accounts are just like user accounts; however, user accounts are used to represent users, whereas computer accounts are used to represent computers.
Q: How long does a domain controller store computer account passwords?
A: Thirty days.
Q: Why does a domain controller store computer account passwords?
A: To access domain resources securely, every computer in your domain needs to access domain controllers by establishing a secure channel to a domain controller. This secure channel is an authenticated channel in which a computer presents a password to a domain controller (which is verified against the password stored in Active Directory with the computer’s account) so that the computer can later use this secure channel to securely transfer encrypted data to and from the domain controller.
Q: Which group should I use to allow users to access resources?
A: Windows Server 2000/2003/2008 uses security groups to assign permissions to resources like folders, files, printers, and applications.
Q: Which group should I use to allow users to send e-mails?
A: Both security and distribution groups can be used to allow users to send e-mails to multiple users; however, distribution groups are designed solely for distributing e-mail. You cannot use distribution groups to assign permissions. They are used only for nonsecurity-related functions, such as sending e-mail messages to groups of users.
Q: Which group type should I use in my environment if I want to add users from different trees and forests in my domains?
A: Universal groups.
Q: Is there any strategy recommended by Microsoft to create groups and users?
A: Yes, Microsoft has created AGDLP and AGGUDLP to manage domain resources. AGDLP stands for Accounts > Global > Domain Local > Permissions, while AGGUDLP is short for Accounts > Global Groups > Global Groups > Universal Groups > Domain Local Groups, and both are applied when planning and implementing the construction of groups, as well as when assigning permissions on resources.
Q: Is there an easy way to configure delegation?
A: Yes, you can use the Delegation of Control Wizard to configure delegation in your environment.
Q: What is the purpose of delegation?
A: Delegation lets you set up decentralized administration (to share a workload) while still maintaining control of your overall enterprise network. Delegation of Control is an excellent tool that allows you to divide your workload between new and/or inexperienced administrators without creating any challenges for yourself or them. You can use Delegation of Control in many different ways, but make sure that whichever method you choose fits your administrative model. In most cases, we delegate permissions at the OU and container levels rather than at the domain level. You can further fine-tune your permissions by controlling inheritance so that it takes effect for all objects.
Q: What is RODC and how is it different from regular Active Directory domain controllers?
A: RODC is a new type of domain controller in the Windows Server 2008 Active Directory environment. It allows organizations to easily deploy a domain controller in locations where physical security cannot be guaranteed. It provides improved security, faster logon, unidirectional replication, credential caching, and more efficient resource access, along with Admin role separation.
Self Test
1. You have just installed a Windows Server 2008 domain controller in your environment. Which of the following default containers holds the default groups?
A. Users
B. Computers
C. Built-in
D. Default Groups
2. You tried to reset a password, but received a message that your password does not meet the password complexity requirements. What might be the problem?
A. The user password is not complex enough.
B. The user is accessing a domain from a Windows 98 workstation machine.
C. The user is accessing a domain from a Windows MT workstation machine.
D. The user is accessing a domain from a Windows NT 4.0 machine.
3. Your organization has one Active Directory domain in the Active Directory forest. You are responsible for creating accounts for all users in your domain. Your company just bought another company with 5000 user accounts, and you are required to create their new user accounts without using a third-party tool. Which of the following commands should be used to achieve this?
A. dsadd
B. dsuseradd
C. adduser
D. adduser.ps
4. You suspect that a user may be able to log on after office hours. From which tab on a user’s Properties dialog box can you set logon hours?
A. The Account tab
B. The Security tab
C. The General tab
D. The Profile tab
5. You are at a branch office of your company assisting a user on his PC. While assisting the user, you receive a phone call from your boss, who wants to know why all the users are required to change their passwords the first time they log on. What would be the best way to answer his question?
A. It’s a default Active Directory group and domain policy to enforce user passwords set by the administrator.
B. It’s a default Active Directory group policy and cannot be modified.
C. This is a new feature in Active Directory 2008 to introduce extra security.
D. This is just a check box in the user account properties to force users to change the default password set by the administrator at the time of the creation of their account. This then forces users to pick their own password.
6. Lisa works as a branch office administrator for your organization. She receives a call from her manager, Dina, asking which of the following characteristics make up a strong password. Which one is correct?
A. Contains a username or pet’s name.
B. Contains dictionary words.
C. Contains place names.
D. Is a combination of letters and numbers.
7. Which of the following options requires administrative privileges to change the password?
A. User must change password at next logon.
B. User cannot change password.
C. Password never expires.
D. Store password using reversible encryption.
8. You are attempting to describe the purpose of a template account to a co-worker. What should you tell them?
A. A template account exists only for Novell users.
B. A template account exists only for Unix users.
C. A template account exists only for Windows NT 4.0 users.
D. A template account simplifies the creation of a large number of user accounts. In a template, you can define all the account parameters you need for your users. You can then use this template to create user accounts by simply filling in the Name, Full Name, Description, Password, and Confirm Password fields.
9. Joanna is responsible for administering a small Active Directory domain. Recently, your company acquired a small company where all the computers are installed in a workgroup. Which of the following operations must she perform in order to create the computer accounts? (Choose all that apply.)
A. Select Start | Run, and then type in the joinallwks /user:administrator command.
B. Select Start | Programs | Administrative Tools | Active Directory Users and Computers, and then right-click the Computers container and create the computer objects.
C. Rename the existing computers in the workgroup.
D. Query for resources.
10. What is the purpose of resetting an account?
A. Helps you reset the computer password stored in Active Directory so the computer can make a trusted connection with Active Directory.
B. Helps you reboot the computer.
C. Helps you restart the Netlogon service.
D. Helps you change the authentication protocol from NTLM to Kerberos.
Self Test Quick Answer Key
1. C
2. A
3. A
4. A
5. D
6. D
7. B
8. D
9. B
10. A
Chapter 4
MCTS/MCITP Exam 640 Configuring the Active Directory Infrastructure
Exam objectives in this chapter:
■ Working with Forests and Domains
■ Working with Sites
■ Working with Trusts
Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
Introduction
A Microsoft Active Directory network has both a physical and a logical structure. Forests and domains define the logical structure of the network, with domains organized into domain trees in which subdomains (called child domains) can be created under parent domains in a branching structure. Domains are logical units that hold users, groups, computers, and organizational units (OUs, which in turn can contain users, groups, computers, and other OUs). Forests are collections of domain trees that have trust relationships with one another, but each domain tree has its own separate namespace. In order to allow Active Directory to support the physical structure of your network, we will also discuss the configuration of Active Directory sites, site links, and subnet objects. Active Directory sites and subnets define the physical structure of an Active Directory network. Sites are important in an enterprise-level, multiple-location network for creating a topology that optimizes the process of replicating Active Directory information between domain controllers (DCs). Sites are used for replication and for optimizing the authentication process by reducing authentication traffic across slow, high-cost WAN links. Site and subnet information is also used by Active Directory-enabled services to help clients find the nearest service providers. In this chapter, you will learn all about the functions of forests and domains in the Windows Server 2008 Active Directory infrastructure, and we will walk you through the steps of creating a forest and domain structure for a network. You’ll learn to create the forest root domain and a child domain, as well as the importance of Flexible Single Master Operation (FSMO) roles within an Active Directory domain and forest. We will also discuss the role of sites in the Active Directory infrastructure, and how replication, authentication, and distribution of services information work within and across sites.
We will explain the relationship of sites with domains and subnets, and how to create sites and site links. You’ll also learn about site replication and how to plan, create, and manage a replication topology. We’ll walk you through the steps of configuring replication between sites, and discuss how to troubleshoot replication failures. In addition to these concepts, we will also discuss Active Directory trust relationships. Trust relationships define the ways in which users can access network resources across domains and forests. Without a trust between the domain to which a user belongs and the domain in which a resource resides, the user won’t be able to access that file, folder, printer, or other resource. Hence, it is important for network administrators to understand how the built-in (implicit) trusts in the Active Directory network function, and how to create explicit trusts to provide access (or faster access) between domains.
Working with Forests and Domains
Active Directory is composed of a number of components, each associated with a different type of Active Directory functionality; you should understand each component before making any changes to the network. Active Directory Domain Services is a distributed database, which means it can be spread across multiple computers within a domain or a forest. Among the major logical components that you need to be familiar with are:
■ Forests
■ Trees
■ Domains
■ The domain namespace
Administrative boundaries, network and directory performance, security, resource management, and basic functionality are all dependent on the proper design and placement of these elements. Figure 4.1 shows the logical view of a Windows Server 2008 Active Directory. Note that the differentiation between forests and trees is most obvious in the namespace. By its nature, a tree is one or more domains with a contiguous namespace. Each tree consists of one or more domains, and each forest consists of one or more trees. Because a forest can be composed of discrete multiple trees, a forest’s namespace can be discontiguous. By discontiguous, we mean that the namespaces anchor to different forest-root domain name system (DNS) domains, such as cats.com and dogs.com. Both are top-level domains and are considered two trees in a forest when combined into a single directory, as shown in Figure 4.1.
Figure 4.1 The Logical View of a Windows Server 2008 Active Directory
[Figure: one forest containing two trees. The first tree has the forest root domain Dogs.com with the child domain Labs.dogs.com, which in turn has the child domains Yellow.labs.dogs.com and Black.labs.dogs.com. The second tree has the domain Cats.com with the child domain Calico.cats.com.]
Understanding Forests
An Active Directory always begins with a forest root domain, which is automatically the first domain you install. This root domain becomes the foundation for additional directory components. As the cornerstone of your enterprise-computing environment, you should protect it well. Fault tolerance and good backups are not optional—they are essential. If an administrative error or hardware failure results in the unrecoverable loss of this root structure, the entire forest becomes inoperable. Certain forest objects and services are present only at the root (e.g., the Enterprise Administrators and Schema Administrators groups, and the Schema Master and Domain Naming Master FSMO roles, which we will discuss later in this chapter).
Understanding Domains
The domain serves as the administrative boundary of Active Directory. It is the most basic component that can functionally host the directory. Simply put, Active Directory uses the domain as a container of computers, users, groups, and other object containers. Objects within the domain share a common directory database partition, replication boundaries and characteristics, security policies, and security relationships with other domains. Typically, administrative rights granted in one domain are valid only within that domain. This also applies to Group Policy Objects (GPOs), but not necessarily to trust relationships, which you will learn more about later in the book. Security policies such as the password policy, account lockout policy, and Kerberos ticket policy are defined on a per-domain basis. The domain is also the primary boundary defining your DNS and NetBIOS namespaces. The DNS infrastructure is a requirement for an Active Directory domain, and should be defined before you create the domain. There are several good reasons for a multiple-domain model, although a significant number of Active Directory implementations rely on a single-domain forest model. In the early days of Windows 2000, the most common recommendation was for a so-called “empty forest root” model, in which the forest root domain contains only built-in objects, and all manually created objects reside in one or more child domains. Whatever the design decision reached by your organization, it is a good practice to avoid installing additional domains unless you have a specific reason for them, as each additional domain in a forest incurs additional administrative overhead in the form of managing additional DCs and replication traffic. Some of the more common reasons to create additional domains include:
■ Groups of users with different security policy requirements, such as strong authentication and strict access controls.
■ Groups of users requiring additional autonomy, or administrative separation for security reasons.
■ A requirement for decentralized administration due to political, budgetary, time zone, or policy pressures.
■ A requirement for unique namespaces.
■ Controlling excessive directory replication traffic by breaking the domain into smaller, more manageable pieces. This often occurs in an extremely large domain, or due to a combination of geographical separation and unreliable WAN links.
■ Maintaining a preexisting NT domain structure.
You can think of a domain tree as a DNS namespace composed of one or more domains. If you plan to create a forest with discontiguous namespaces, you must create more than one tree. Referring back to Figure 4.1, you see two trees in that forest, Cats.com and Dogs.com. Each has a contiguous namespace because each domain in the hierarchy is directly related to the domains above and below it in each tree. The forest has a discontiguous namespace because it contains two unrelated top-level domains.
The primary Active Directory partitions, also called naming contexts, are replicated among all DCs within a domain. These three partitions are the schema partition, the configuration partition, and the domain partition.
■ The schema partition contains the classSchema and the attributeSchema objects that make up the directory schema. These classes and attributes define all possible types of objects and object properties within the forest. Every DC in the entire forest has a replica of the schema partition.
■ The configuration partition, replicated identically on all DCs throughout the forest, contains Active Directory’s replication topology and other configuration data.
■ The domain partition contains the local domain objects, such as computers, users, and groups, which all share the same security policies and security relationships with other domains. If multiple DCs exist within a domain, they contain a replica of the same domain partition. If multiple domains exist within a forest, each domain contains a unique domain partition.
Because each domain contains unique principals and resources, there must be some way for other domains to locate them. Active Directory contains objects that adhere to a naming convention called the DN, or distinguished name. The DN contains enough detail to locate a replica of the partition that holds the object in question. Unfortunately, most users and applications do not know the DN, or what partition might contain it. To fulfill that role, Active Directory uses the Global Catalog (GC), which can locate DNs based on one or more specific attributes of the needed object. (We will discuss the GC later in this chapter.)
Forest and Domain Functional Levels
Forest functional levels and domain functional levels are a mechanism that Microsoft uses to support backward compatibility with previous versions of Active Directory, and to expose more advanced functionality as functional levels are raised. Functional levels are a feature that helps improve performance and security. In Windows 2000, each domain had two functional levels (which were called “modes”), native mode and mixed mode, and the forest had only one functional level. Windows Server 2003 introduced two more functional levels to consider in both domains and forests. Windows Server 2008 drops support for two legacy functional levels that were designed to support Windows NT Backup Domain Controllers, and adds another forest and domain functional level to support pure Windows Server 2008 environments. To enable the Windows Server 2008 forest and domain-wide features, all DCs must be running Windows Server 2008 and the functional levels must be set to Windows Server 2008. Table 4.1 summarizes the levels, DCs supported in each level, and each level’s primary purpose.
Table 4.1 Domain and Forest Functional Levels
Domain (default): Windows 2000. Supported DCs: 2000, 2003, 2008. Purpose: Supports upgrades from 2000 to 2008; no support for NT backup domain controllers (BDCs).
Domain: Windows Server 2003. Supported DCs: 2003, 2008. Purpose: Supports upgrades from 2003 to 2008; all Windows Server 2003 domain-wide Active Directory features are enabled.
Domain: Windows Server 2008. Supported DCs: 2008. Purpose: Provides support for all features of Windows Server 2008 Active Directory.
Forest (default): Windows 2000. Supported DCs: 2000, 2003, 2008. Purpose: Supports mixed environments during upgrade; lower security, high compatibility.
Forest: Windows Server 2003. Supported DCs: 2003, 2008. Purpose: Supports upgrades from 2003 to 2008; all Windows Server 2008 Active Directory features are enabled.
Forest: Windows Server 2008. Supported DCs: 2008. Purpose: Provides support for all features of Windows Server 2008 Active Directory.
Using Domain Functional Levels
Active Directory technology debuted with Windows 2000. Now, with Windows Server 2008, it has been refined and enhanced. Active Directory is now easier to deploy, is more efficient at replication, has improved administration, and offers a better end-user experience. Some features are enabled right away, whereas others require a complete migration of DCs to the new release before they become available. There are countless new features, the most significant of which we will discuss next.
Using the Windows 2000 Domain Functional Level
The Windows 2000 domain functional level is the default domain functional level in Windows Server 2008, and is primarily intended to support an upgrade from Windows 2000 to Windows Server 2008. This domain functional level offers full compatibility with all down-level operating systems for Active Directory DCs, and is characterized by the following features. Microsoft Windows NT 4.0 DCs are not supported. The following Active Directory features are supported in this mode:
■ Universal Security Groups
■ Group nesting
■ Converting groups between distribution and security groups
■ SIDHistory
The following Active Directory features are not supported in this mode:
■ DC rename
■ Logon timestamp attribute updated and replicated
■ User password support on the InetOrgPerson objectClass
■ Constrained delegation
■ Users and Computers container redirection
■ Can be raised to the Windows Server 2003 or Windows Server 2008 domain functional level
Windows Server 2003 Domain Functional Level
The Windows Server 2003 domain functional level supports both Windows Server 2003 and Windows Server 2008 DCs. This level does not allow for the presence of Windows NT or Windows 2000 DCs, and is designed to support an upgrade from 2003 to 2008. All 2003 Active Directory domain features are enabled at this level, providing a good balance between security and backward compatibility. DCs not supported at this level:
■ Windows NT 4.0 DCs
■ Windows 2000 DCs
The following Active Directory domain-wide functions are supported at both this level and the Windows 2000 domain functional level:
■ Universal Security Groups
■ Group nesting
■ Converting groups between distribution and security groups
■ SIDHistory
The following upgraded Active Directory domain-wide functionality is supported at this domain functional level:
■ DC rename
■ Logon timestamp attribute updated and replicated
■ User password support on the InetOrgPerson objectClass
■ Constrained delegation
■ Users and Computers container redirection
■ Can be raised to the Windows Server 2008 domain functional level
■ Can never be lowered to the Windows 2000 domain functional level
In the Windows Server 2003 domain functional level, only Windows Server 2003 and Windows Server 2008 DCs can exist.
Windows Server 2008 Domain Functional Level
The Windows Server 2008 domain functional level supports only Windows Server 2008 DCs. This level does not allow for the presence of Windows NT, Windows 2000, or Windows Server 2003 DCs, and is designed to support the most advanced Active Directory feature set possible. All 2008 Active Directory domain features are enabled at this level, providing the highest level of security and functionality and the lowest level of backward compatibility. The following Windows Server 2008 domain-wide functions are supported only at this level:
■ Distributed File System (DFS) replication support for the Windows Server 2008 System Volume (SYSVOL) share, providing more robust and fault-tolerant replication of SYSVOL and its contents
■ Advanced Encryption Standard (AES 128 and AES 256) encryption support for the Kerberos protocol
■ Logging of Last Interactive Logon Information, including:
  ■ The time of the last successful interactive logon for a user
  ■ The name of the workstation from which the user logged on
  ■ The number of failed logon attempts since the last logon
■ Fine-grained password policies, which allow you to specify password and account lockout policies for individual users and groups within an Active Directory domain
■ Cannot be raised to any higher domain functional level, because no higher level exists at this time
■ Can never be lowered to the Windows 2000 or Windows Server 2003 domain functional level
In the Windows Server 2008 domain functional level, only Windows Server 2008 DCs can exist.
Configuring Forest Functional Levels
The Windows Server 2008 forest functional levels are named similarly to the domain functional levels, and serve a similar purpose. Table 4.1 summarizes the levels, the DCs supported in each level, and each level’s primary purpose. As with domain functional levels, each forest functional level carries over the features from lower levels, and activates new features as well. These new features apply across every domain in your forest. After you raise the forest functional level, earlier OSs cannot be promoted to DCs. For example, Windows NT 4.0 BDCs are not supported by any forest functional level, and Windows 2000 DCs cannot be part of the forest except through external or forest trusts once the forest level has been raised to Windows Server 2003.
Windows 2000 Forest Functional Level (default)
The Windows 2000 forest functional level is primarily designed to support mixed environments during the course of an upgrade. Typically, this applies to a transition from Windows 2000 to Windows Server 2003 or Windows Server 2008. It is also the default mode for a newly created Windows Server 2008 domain. It is characterized by relatively lower-security features and reduced efficiency, but maintains the highest compatibility level possible for Active Directory. In the Windows 2000 forest functional level:
■ Windows 2000, Windows Server 2003, and Windows Server 2008 DCs are supported
■ Windows NT 4.0 BDCs are not supported
A Windows Server 2008 forest at the Windows 2000 forest functional level can be raised to either the Windows 2003 or the Windows Server 2008 forest functional level.
Windows Server 2003 Forest Functional Level
The Windows Server 2003 forest functional level enables a number of forest-wide features that were not available at the Windows 2000 forest functional level, and is designed to allow for a 2003 to 2008 upgrade process. This level does not allow for the presence of Windows NT or Windows 2000 DCs anywhere in the forest. All Windows Server 2003 Active Directory forest features are enabled at this level.
DCs not supported at this level:
■ Windows NT 4.0 DCs
■ Windows 2000 DCs
All new Active Directory forest features are supported at this level.
The following forest-wide improvements are available at this forest functional level:
■ Efficient group member replication using linked value replication
■ Improved Knowledge Consistency Checker (KCC) intersite replication topology generator algorithms
■ ISTG aliveness no longer replicated
■ Attributes added to the GC, such as ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, and Print-Rate-Unit
■ Defunct schema objects
■ Cross-forest trust
■ Domain rename
■ Dynamic auxiliary classes
■ InetOrgPerson objectClass change
■ Application groups
■ Reduced NTDS.DIT size
■ Improvements in intersite replication topology management
■ Can be raised to the Windows Server 2008 forest functional level
■ Cannot be downgraded to the Windows 2000 forest functional level without performing a full forest recovery
In the Windows Server 2003 forest functional level, both Windows Server 2003 and Windows Server 2008 DCs can exist.
Windows Server 2008 Forest Functional Level
The Windows Server 2008 forest functional level is the highest forest functional level available in Windows Server 2008, and supports only Windows Server 2008 DCs in each domain within a forest. At present, this forest functional level does not expose any new functionality over and above the 2003 forest functional level. The primary advantage of the 2008 forest functional level at present is that, once you have raised the functional level to 2008, any domains that are subsequently added to the forest will be automatically created at the Windows Server 2008 domain functional level.
Raising Forest and Domain Functional Levels
Before increasing a functional level, you should prepare for it by performing the following steps:
1. Inventory your domain or forest for DCs that are running any earlier versions of the Windows Server operating system.
2. Physically locate any down-level DCs in the domain or forest as needed, and either upgrade or remove them.
3. Verify that end-to-end replication is working in the forest using repadmin.exe and/or dcdiag.exe.
4. Verify the compatibility of your applications and services with the version of Windows that your DCs will be running, and specifically their compatibility with the target functional level. Use a lab environment to test for compatibility issues, and contact the appropriate vendors for compatibility information.
When you are considering raising the domain functional level, remember that the new features will directly affect only the domain being raised. The two domain functional levels available to raise are:
■ Windows Server 2003
■ Windows Server 2008
Once the functional level of a particular domain has been raised, no prior version DCs can be added to the domain. In the case of the Windows Server 2003 domain functional level, no Windows 2000 servers can be promoted to DC status after the functionality has been raised. In the case of the Windows Server 2008 domain functional level, no Windows Server 2003 DCs can be added to the domain after the functional level has been raised to Windows Server 2008.
Raising the Domain Functional Level
Before raising the functional level of a domain, all DCs must be upgraded to the minimum OS level as shown in Table 4.1. Remember that when you raise the domain functional level to Windows Server 2003 or Windows Server 2008, it can never be changed back to a previous domain functional level. Exercise 4.1 takes you systematically through the process of verifying the current domain functional level. Exercise 4.2 takes you through the process of raising the domain functional level. To raise the domain functional level, you must be a Domain Admin in the domain in question.
EXERCISE 4.1 VERIFYING THE DOMAIN FUNCTIONAL LEVEL
1. Log on as a Domain Admin of the domain you are checking.
2. Click on Start | Control Panel | Performance and Maintenance | Administrative Tools | Active Directory Users and Computers, or use the Microsoft Management Console (MMC) preconfigured with the Active Directory Users and Computers snap-in.
3. Locate the domain in the console tree that you are going to raise in functional level. Right-click the domain and select Raise Domain Functional Level.
4. In the Raise Domain Functional Level dialog box, the current domain functional level appears under Current domain functional level.
EXERCISE 4.2 RAISING THE DOMAIN FUNCTIONAL LEVEL
1. Log on locally as a Domain Admin to the PDC or the PDC Emulator FSMO of the domain you are raising.
2. Click on Start | Administrative Tools | Active Directory Domains and Trusts, or use the MMC preconfigured with the Active Directory Domains and Trusts snap-in.
3. Locate the domain in the console tree that you are going to raise in functional level. Right-click the domain and select Raise Domain Functional Level.
4. A dialog box will appear titled Select an available domain functional level. There are only two possible choices, although both might not be available:
■ Select Windows Server 2003, and then click the Raise button to raise the domain functional level to Windows Server 2003.
■ Select Windows Server 2008, and then click the Raise button to raise the domain functional level to Windows Server 2008.
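As an added example (not from the book), the following PowerShell script does from the command line what the preparation steps and Exercise 4.1 do in the GUI: it reads the current domain and forest functional levels and lists the DCs whose operating system would block a raise to the chosen level. It uses the .NET System.DirectoryServices.ActiveDirectory classes that ship with Windows Server 2008 and assumes PowerShell 2.0 or later, Domain Admin rights on a domain member, and repadmin.exe installed locally; the function names are this example's own.

```powershell
# Added example, not from the book: verify current functional levels and inventory
# DCs for down-level operating systems before raising a domain functional level.
# Assumes PowerShell 2.0+, Domain Admin rights, and repadmin.exe available locally.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

function Get-FunctionalLevels {
    # DomainMode/ForestMode are the .NET enums behind the "Current domain functional
    # level" field of the Raise Domain Functional Level dialog (Exercise 4.1).
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    New-Object PSObject -Property @{
        Domain     = $domain.Name
        DomainMode = $domain.DomainMode.ToString()
        Forest     = $forest.Name
        ForestMode = $forest.ForestMode.ToString()
    }
}

function Get-DownLevelDomainControllers {
    # Step 1 of the preparation list: return the DCs that would block a raise to the
    # requested level. Anything that is not Windows Server 2008 blocks Windows2008;
    # anything older than Windows Server 2003 blocks Windows2003. OSVersion is read
    # from each DC, so an unreachable DC is reported rather than silently skipped.
    param([ValidateSet("Windows2003", "Windows2008")][string]$TargetLevel = "Windows2008")
    $pattern = if ($TargetLevel -eq "Windows2008") { "Windows Server 2008" } else { "Windows Server (2003|2008)" }
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        try {
            $os = $dc.OSVersion
            $blocks = -not ($os -match $pattern)
        } catch {
            $os = "unreachable: $($_.Exception.Message)"
            $blocks = $true
        }
        if ($blocks) {
            New-Object PSObject -Property @{ Name = $dc.Name; Site = $dc.SiteName; OSVersion = $os }
        }
    }
}

function Show-ReplicationSummary {
    # Step 3 of the preparation list: the raise is itself replicated and irreversible,
    # so end-to-end replication must be healthy first. The summary is printed for
    # the operator to inspect; the "Fails/Total" column should be 0 for every DC.
    & repadmin /replsummary
}

Get-FunctionalLevels | Format-List
$blocking = @(Get-DownLevelDomainControllers -TargetLevel Windows2008)
if ($blocking.Count -gt 0) {
    Write-Warning "Upgrade or demote these DCs before raising to Windows Server 2008:"
    $blocking | Format-Table Name, Site, OSVersion -AutoSize
} else {
    "No down-level DCs found; review replication health below before raising the level."
    Show-ReplicationSummary
}
```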
Understanding the Global Catalog
Active Directory uses the Global Catalog (GC), which is a copy of all the Active Directory objects in the forest, to let users search for directory information across all the domains in the forest. The GC is also used to resolve user principal names (UPNs) when the DC that is authenticating logon isn’t aware of the account (because that account resides in a different domain). When the DC can’t find the user’s account in its own domain database, it then looks in the GC. The GC also stores information about membership in Universal Groups. The GC contains a portion of every naming context in the directory, including the schema and configuration partitions. To be able to find everything, the GC must contain a replica of every object in the Active Directory. Fortunately, it maintains only a small number of attributes for each object. These attributes are those most commonly used to search for objects, such as a user’s first, last, and logon names. The GC extends an umbrella of awareness throughout the discontiguous namespace of the enterprise. Although the GC can be modified and optimized, it typically requires infrequent attention. The Active Directory replication system automatically builds and maintains the GC, generates its replication topology, and determines which attributes to include in its index. The GC is a vital part of Active Directory functionality. Given the size of enterprise-level organizations, many networks will have multiple domains and, at times, multiple forests. The GC helps in keeping a list of every object without holding all the details of those objects; this optimizes network traffic while still providing maximum accessibility.
NOTE The first DC in a domain becomes the GC server by default.
Whenever a user is searching for an object in the directory, the GC server is used in the querying process for multiple reasons. The GC server holds partial replicas of all the domains in a forest, other than its own (for which it holds a full replica). Thus, the GC server stores the following:
■ Copies of all the objects in the domain in which it resides
■ Partial copies of objects from other domains in the forest
NOTE When we say that the GC server holds a partial copy of an object, we mean that it includes only some of the object’s attributes in its database. Attributes are object properties, and each object has a number of attributes. For example, one attribute of a User Account object would be the username. You can customize the attributes of a particular object type by editing the schema, which we will discuss later in this chapter.
The key point is that the GC is designed to have the details that are most commonly used for searching for information. This allows for efficient response from a GC server. There is no need to try to find one item out of millions of attributes, because the GC has the important search-related items only. This makes for quick turnaround on queries.
The scope of Directory Services has changed from the days of Windows NT 4.0 Directory Services. With Active Directory, a user record holds more than just a username for an individual. The person’s telephone number, e-mail address, office location, and so forth can be stored in Active Directory. With this type of information available, users will search the directory on a regular basis. This is especially true when Microsoft Exchange is in the environment. Whether a person is looking for details on another user, looking for a printer, or simply trying to locate another resource, the GC will be involved in the final resolution of the object. As mentioned previously, the GC server holds a copy of every object in its own domain and a partial copy of objects in other domains in the forest. Therefore, users can search outside their own domains as well as within, something that could not be done with the old Windows NT Directory Services model.
UPN Authentication
The UPN is meant to make logon and e-mail usage easier, because the two (your user account and your e-mail address) are the same. An example of a UPN is Brian@syngress.com. The GC provides assistance when a user from a domain logs on and the DC doesn’t know about the account. When the DC doesn’t know the account, it generally means that the account exists in another domain. The GC will help in finding the user’s account in Active Directory. The GC server will help to resolve the user account so that the authenticating DC can finalize logon for the user.
EXAM WARNING With Windows Server 2008 and beyond, you will see more and more references to UPN use in single or multiple domain environments. Be sure to understand how the UPN works in relation to logon, and how the GC keeps this information available efficiently.
Directory Information Search
With Active Directory, users have the ability to search for objects such as other users or printers. To help a user who is searching the database for an object, the GC answers requests for the entire forest. Because the complete copy of every object available is listed in the GC, searches can be completed quickly and with little use of network bandwidth.
When you search the entire directory, the request is directed to the default GC port 3268. The GC server is also known to other computers on the network because of SRV records in the DNS. That is how a node on the network can query for a GC server. There are SRV records specifically for GC services. These records are created when you create the domain. When users search for information in Active Directory, their queries can cross WAN links, depending on the network layout. Each organization is different. Figure 4.2 shows an example layout with GC servers in the corporate office in Chicago and a branch office in Seattle. The other two sites do not have GC servers. When queries are initiated at the Chicago branch office, the queries use the corporate office GC server. With a high-speed fiber connection, bandwidth isn’t an issue.
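As an added example (not from the book), the following PowerShell locates the forest's GC servers through the DC locator (which is driven by the SRV records described above) and then resolves a UPN the way a DC must when the account lives in another domain: by querying a GC on port 3268 with an empty base DN, so that the partial replicas of every domain partition are searched. It assumes PowerShell 2.0 or later on a domain-joined host using the caller's own Kerberos credentials; the function names are this example's own, and the UPN is the one used in the text.

```powershell
# Added example, not from the book: find Global Catalog servers and resolve a UPN
# against the GC on port 3268. Assumes PowerShell 2.0+ on a domain-joined host.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols")

function Get-GlobalCatalogServers {
    # FindAllGlobalCatalogs() uses the DC locator, which reads the _gc._tcp.<forest root>
    # SRV records. The same records can be inspected manually with:
    #   nslookup -type=SRV _gc._tcp.<forest root DNS name>
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($gc in $forest.FindAllGlobalCatalogs()) {
        New-Object PSObject -Property @{ Name = $gc.Name; Site = $gc.SiteName; IPAddress = $gc.IPAddress }
    }
}

function ConvertTo-LdapFilterLiteral {
    # RFC 4515 escaping, so a UPN typed by a user cannot change the shape of the filter.
    param([string]$Value)
    $Value = $Value.Replace('\', '\5c')
    $Value = $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $Value.Replace([string][char]0, '\00')
}

function Resolve-UpnViaGlobalCatalog {
    param(
        [string]$Upn,
        [string]$GcHost = (Get-GlobalCatalogServers | Select-Object -First 1).Name
    )
    # Port 3268 is the GC LDAP port; 389 on the same host would only see its own domain.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($GcHost, 3268)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.Signing = $true   # integrity-protect the query and response
    $conn.SessionOptions.Sealing = $true   # and encrypt them (Kerberos), as they carry account data
    $conn.Bind()

    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = ""            # empty base on the GC port = every domain in the forest
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req.Filter = "(&(objectCategory=person)(userPrincipalName=$(ConvertTo-LdapFilterLiteral $Upn)))"
    $req.Attributes.AddRange([string[]]@("distinguishedName", "sAMAccountName", "userPrincipalName"))
    $resp = $conn.SendRequest($req)
    $conn.Dispose()

    # No entries means no account in any domain has that UPN; the caller gets nothing back.
    foreach ($entry in $resp.Entries) {
        New-Object PSObject -Property @{
            DistinguishedName = $entry.DistinguishedName
            SamAccountName    = [string]$entry.Attributes["sAMAccountName"].GetValues([string])[0]
            Upn               = [string]$entry.Attributes["userPrincipalName"].GetValues([string])[0]
        }
    }
}

Get-GlobalCatalogServers | Format-Table -AutoSize
Resolve-UpnViaGlobalCatalog -Upn "Brian@syngress.com"
```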
[Figure 4.2 Example GC Search Query: Chicago Corporate Headquarters (Global Catalog Server); Branch Office, 25 users, fiber connection; Seattle Branch Office, 100 users (Global Catalog Server), T1; Branch Office, 56 K Frame]
In our case, it reads Server Manager (SIGMA).
Chapter 8 • Maintaining an Active Directory Environment
4. You’ll now see a list of different options. Go to Features and click on it. Server Manager will show the different features installed on that particular server in the Details pane to the right of the console tree. Figure 8.1 is an example of what an administrator would see after doing this.
Figure 8.1 The List of Features Installed
5. In the console tree, right-click Features and choose Add Features. You will now come to the Select Features window via the Add Features Wizard. Scroll down the list to where you see Windows Server Backup Features and put a check beside it and click Next. In Figure 8.2, you’ll notice that you are installing the Windows Server Backup and the Command-line Tools.
Head of the Class… Command-Line Tools
If you want to install the Command-line Tools with the Windows Server Backup Features, you must also install Windows PowerShell. Windows PowerShell is a command-line shell and scripting language that allows IT professionals to better control system administration and automation. It is built on top of the .NET Framework and uses cmdlets (“command-lets”), each of which is a single-function command-line tool built into the shell.
Figure 8.2 Selecting Windows Server Backup Features
6. Now you will come to the Confirm Installation Selections screen. Once you’ve verified that the feature(s) you plan to install are shown in the confirmation list, click Install.
7. Once the installation has completed, you will come to the Installation Results screen, as shown in Figure 8.3. Notice that we installed the Windows PowerShell and the Windows Server Backup Features successfully. Once the installation is complete, click on Close.
Figure 8.3 Installation Results
8. Back in Server Manager, you will see the list of features installed, and in the list you will see Windows Server Backup Features, just as you see in Figure 8.4.
Figure 8.4 The List of Features Installed
To use the newly installed Windows Server Backup, simply click Start | Administrative Tools | Windows Server Backup. As you can see in Figure 8.5, Windows Server Backup’s interface is pretty straightforward. Information about backups and messages is shown in the left pane, and options such as the following are shown in the right pane:
■ Backup Schedule
■ Backup Once
■ Recover
■ Configure Performance Settings
■ Connect To Another Computer
Figure 8.5 Windows Server Backup
Scheduling a Backup
Windows Server Backup allows administrators and operators with sufficient rights to schedule backups to take place at certain times on a regular basis. In scheduling a backup, you need to decide what you want to back up, how often and when the backup(s) are to take place, and where to store the backup(s). To schedule a backup, follow the steps in Exercise 8.2.
EXERCISE 8.2 SCHEDULING A BACKUP
1. In Windows Server Backup, go to the Actions pane and select Backup Schedule. This will kick off the Backup Schedule Wizard, which you see in Figure 8.6.
Figure 8.6 The Backup Schedule Wizard’s Getting Started Screen
2. Next you’re asked what type of configuration you want to schedule. You can select Full Server or you can select Custom, as shown in Figure 8.7. The full server configuration will back up all data, applications, and system state. Selecting Custom, though, allows you to select which items you would prefer to back up. For our example, we will choose to conduct a Full Server backup. After you have made your decision just click Next.
Figure 8.7 Selecting Backup Configuration
3. The next thing we need to do in scheduling our backup is decide how often we want to conduct a backup and what time(s) to run it. In Figure 8.8, you see we have decided to kick off our backup once a day at midnight. After deciding when and how often backups are to take place, click Next to continue.
Figure 8.8 Specifying the Backup Time
4. Now we need to tell Windows Server Backup where we want to store the backup. For scheduled backups, we have to use a locally attached drive. This can be a DVD drive, a USB flash drive, or even an externally attached drive. It cannot be a network drive. Although Windows Server Backup does allow you to back up to a network drive, you are not allowed to schedule a job that does. On our system, we have a second drive listed as volume E. We will have our scheduled backup job use this as the destination; to continue we just click Next. You’ll notice a pop-up from Windows Server Backup, letting you know that it will reformat the destination drive you selected and that it will only be dedicated to backing up files and will not show up in Windows Explorer. To continue, just click Yes. Figure 8.9 shows that we have chosen the E drive as our destination disk and Figure 8.10 informs us that the destination drive will be reformatted, among other things.
Figure 8.9 Selecting the Destination Disk
Figure 8.10 The Destination Drive Will Be Reformatted
5. Windows Server Backup will now label the destination disk. The default name will be in the form <server name> year_month_date <military time>. As you see in Figure 8.11, our label will be SIGMA 2008_01_10 14:08. After confirming this, you can click Next.
Figure 8.11 Labeling the Destination Disk
EXAM WARNING It is highly recommended that administrators and backup operators alike write the label name on the destination drive. During recovery Windows Server Backup may specify a disk holding backups with a specific label name.
6. The final step in scheduling a backup is to confirm your selections. The Confirmation screen will show you what you have chosen as the backup items, times, and destination, as you see in Figure 8.12. After you’ve confirmed your choices, click Finish.
Figure 8.12 The Backup Schedule Confirmation
Now that we have a scheduled backup, we can just wait for it to kick off at midnight. In Figure 8.13, you’ll notice in Windows Server Backup we went ahead and ran a full backup. You’ll see under Messages and Status that we have conducted a successful backup. We did this by going into the Actions pane and selecting Backup Once. This gave us a chance to test the backup configuration.
Figure 8.13 A Successful Backup
As you’ve seen, we’ve gone through installing Windows Server Backup, and gone over the media it supports, how to schedule a backup, and how to immediately start one. What we have not covered, which you will be tested on, is how to use the wbadmin command. Wbadmin.exe is the command-line utility that comes with Windows Server Backup. It can be used to perform backups and restores from the command line or via batch files and scripts. Table 8.1 is a list of the commands supported by wbadmin.exe.
Table 8.1 The wbadmin.exe Command
wbadmin enable backup: Enables or configures scheduled daily backups
wbadmin disable backup: Disables running scheduled daily backups
wbadmin start backup: Runs a backup job
wbadmin stop job: Stops a running backup or recovery job
wbadmin get versions: Reports information about the available backups
wbadmin get items: Lists the items included in a backup based on parameters you specify
wbadmin start recovery: Runs a recovery of the volumes, applications, or files and folders specified
wbadmin get status: Gives the status of a backup or recovery job
wbadmin get disks: Lists disks that are currently online
wbadmin start systemstaterecovery: Recovers the system state from a backup
wbadmin start systemrecovery: Runs a full system recovery. Available only if you are using the Windows Recovery Environment.
wbadmin start recovery: Runs a recovery
wbadmin restore catalog: Recovers a catalog that has been corrupted. Helpful when you need to recover from a backup but the backup catalog has been corrupted.
wbadmin delete catalog: Deletes a catalog that has been corrupted
wbadmin start systemstatebackup: Runs a system state backup
wbadmin delete systemstatebackup: Deletes one or more system state backups
Backing Up to Removable Media

In Windows Server 2008, WSB can back up to removable media such as DVDs and USB-based flash drives. Although the wizard-driven GUI cannot back up to removable media, wbadmin.exe can. One of the big advantages of being able to back up to removable media is that you can easily take it offsite. One disadvantage of using removable media with WSB is that recovery can be done only at the volume level; recovering individual files or folders can be done only via the GUI, which does not support removable media. So, how do we back up to removable media? That’s a good question. In Exercise 8.3, we will back up a server to DVDs.
EXERCISE 8.3 BACKING UP TO DVD
1. Make sure your system has a DVD burner either attached to it or internal to the server.
2. Log on as either the Administrator or a member of the Backup Operators group.
3. Put a blank DVD in the DVD burner.
4. Open a command prompt (Start | Command Prompt); at the prompt type wbadmin start backup -backupTarget:E: -include:C: and then press Enter. You should see a screen similar to that shown in Figure 8.14 (if your DVD drive is another drive letter instead of E, use that drive letter for the backupTarget argument).
Figure 8.14 Backing Up the Server to DVD
5. At the Do you want to start the backup operation? prompt, type Y for yes and press Enter.
6. Now you are told to insert new media, which in this case is a DVD, which we will label as SIPOC 2008_01_14 23:19 DVD_01, as shown in Figure 8.15. The naming standard is <server name> followed by the date and time of the backup and the DVD sequence number. So, take the first DVD out, write down the proper label, put in a new blank DVD, and type C to continue. For our example, we are also asked to submit a third DVD. The second DVD will have the name SIPOC 2008_01_14 23:19 DVD_02, and any additional DVDs will have the same name except for the DVD_## number.
Figure 8.15 Labeling the First DVD and Continuing
7. Once the backup is complete, wbadmin prints a summary similar to the one in Figure 8.16. After you’re finished with the backup, just take the last DVD out of the DVD burner.
Figure 8.16 The Completed Backup
Head of the Class… Unformatted DVDs

If a DVD is unformatted, Windows Server 2008 will automatically format it during the backup.
Backing Up System State Data

The components that make up the system state in Windows Server 2008 depend on the role(s) installed on a server and on which volumes host the critical files that the operating system and the installed roles use. The system state for all servers at a minimum includes the Registry, the COM+ Class Registration database, system files, boot files, and files under Windows Resource Protection (WRP). WRP is the new name for what was known as Windows File Protection under Windows Server 2003 and earlier. Servers that are domain controllers (DCs) also include the Active Directory Domain Services database and the System Volume (SYSVOL) directory. Other servers, depending on their roles, may also include the Active Directory Certificate Services database, cluster service information, and the Internet Information Server (IIS) metadirectory.

Backing up the System State in Windows Server 2008 creates a point-in-time snapshot that you can use to restore a server to a previous working state. It does this using the Volume Shadow Copy Service (VSS). VSS helps to prevent inadvertent data loss: it creates “shadow” copies of files and/or folders stored on network file shares at predetermined time intervals, each of which is essentially a previous version of the file or folder at a specific point in time. Without a copy of the System State, recovery of a crashed server would be impossible. The System State is always backed up when a full backup is invoked, whether through the WSB wizard or wbadmin. To back up the System State by itself, though, you must use the wbadmin command, and it cannot be scheduled unless you create a script that runs it. In Exercise 8.4, we will back up the system state to our E drive.
EXERCISE 8.4 PERFORMING A SYSTEM STATE BACKUP
1. Log on to a Windows Server 2008 server and open a command prompt (Start | Command Prompt).
2. In the command prompt, type wbadmin.exe Start SystemStateBackup -backupTarget:E: and press Enter.
3. We are told that This would backup the system state from volume(s) Local Disk (C:) to E:. Do you want to start the backup operation? Type Y for yes. Next, wbadmin creates the shadow copy of the C drive. After it does this, it identifies the system state files to back up. Once it has completed its search for system state files, it begins the backup. Figure 8.17 shows that we have finished performing a system state backup.
Figure 8.17 The System State Backup Is Complete
As you can see, once the backup is complete, wbadmin creates a log with a naming convention such as SystemStateBackup 13-01-2008 00-55-41.log. Opening the log, you see the files that were backed up. Figure 8.18 is a view of our log.
Figure 8.18 A SystemStateBackup Log
Our system state backup resides at E:\WindowsImageBackup\SIGMA\SystemStateBackup\Backup 2008-01-13 055541. The E drive here is another fixed disk within our local server. Figure 8.19 shows the files in this directory. Notice that the system state backup alone is around 6 GB and that it is a .vhd file, the new format for Windows Server Backup, and no longer a .bkf file.
Figure 8.19 The System State VHD File
EXAM WARNING System state backups must have local drives as targets. They are not supported on DVDs, removable media, or remote/network drives. You can back up to a local drive and then copy the SystemStateBackup directory to another drive or device once the system state backup has been completed.
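The text above says a stand-alone system state backup can only be scheduled through a script of your own, and the warning says the target must be a local drive whose SystemStateBackup directory you then copy elsewhere. The following PowerShell script is an added example, not from the book and not part of Windows Server Backup, that does both: it runs wbadmin start systemstatebackup -quiet against a local drive, checks the exit code, keeps its own log, copies the resulting SystemStateBackup directory to a share with robocopy, and can register itself as a daily task with schtasks.exe. The E: target and the WindowsImageBackup\<server>\SystemStateBackup layout come from this chapter; the share \\BACKUPSRV\SystemState, the log directory C:\BackupLogs, the task name, and a script path without spaces are assumptions.

```powershell
# Added example (not from the book, not part of Windows Server Backup): run a system
# state backup with wbadmin.exe from a scheduled task, then copy the result off-host.
# Assumptions: local target E: (as in the chapter); \\BACKUPSRV\SystemState and
# C:\BackupLogs are hypothetical; the script is saved to a path without spaces.
param(
    [string]$Target  = 'E:',                        # must be a local fixed disk (see EXAM WARNING)
    [string]$OffHost = '\\BACKUPSRV\SystemState',   # hypothetical share for the off-host copy
    [string]$LogDir  = 'C:\BackupLogs',             # hypothetical log directory
    [switch]$Register                               # create the daily task instead of backing up
)

$ErrorActionPreference = 'Stop'
$TaskName   = 'SystemStateBackup'
$ScriptPath = $MyInvocation.MyCommand.Path

function Register-BackupTask {
    # Windows Server 2008 ships schtasks.exe; Register-ScheduledTask arrived with Server 2012.
    # The task runs as SYSTEM, so the computer account needs write access to $OffHost.
    $run = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $ScriptPath -Target $Target -OffHost $OffHost -LogDir $LogDir"
    & schtasks.exe /Create /F /SC DAILY /ST 23:00 /RU SYSTEM /RL HIGHEST /TN $TaskName /TR $run
    if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }
}

function Invoke-SystemStateBackup {
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    $stamp = Get-Date -Format 'yyyy-MM-dd_HH-mm-ss'
    $log   = Join-Path $LogDir "SystemStateBackup_$stamp.log"

    # -quiet suppresses the "Do you want to start the backup operation?" prompt;
    # without it a scheduled run would sit waiting for a Y that never comes.
    & wbadmin.exe start systemstatebackup "-backupTarget:$Target" -quiet | Out-File -FilePath $log -Encoding ASCII
    if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE; see $log" }

    # wbadmin writes to <target>\WindowsImageBackup\<server>\SystemStateBackup, as Figure 8.19 shows.
    $src = Join-Path $Target "WindowsImageBackup\$env:COMPUTERNAME\SystemStateBackup"
    $dst = Join-Path $OffHost $env:COMPUTERNAME
    # robocopy exit codes below 8 mean the copy succeeded (possibly with nothing new to copy).
    & robocopy.exe $src $dst /E /R:2 /W:5 /NP "/LOG+:$log" | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE; see $log" }
    Write-Output "System state backup and off-host copy finished; log: $log"
}

if ($Register) { Register-BackupTask } else { Invoke-SystemStateBackup }
```

Run it once interactively from an elevated prompt to confirm the share and target work, then run it with -Register to create the 23:00 daily task; the task runs the same file without -Register. Because the copy happens only after wbadmin reports success, a failed backup never overwrites a good off-host copy.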
Backing Up Key Files

Windows Server Backup does not allow you to back up specific files or directories; you must specify the volume you plan to back up. For example, if I wanted to back up the Users directory on a server, I would need to back up that entire volume, so all other files and folders on it are backed up as well. So, if the Users directory resides on the C drive of the server, performing a backup on that volume will back up that directory and the files within it. On our server, in Figure 8.20, you see that the user swhitley has numerous files in the Users\swhitley\lab results directory. To back this up we can do a full backup of the server or a backup of the volume where this user’s data resides. As we showed earlier, to manually back up the server, just open Windows Server Backup, go to the Actions pane, and select Backup Once. After the backup, we’ll run through a scenario where we will need to restore this data. Let’s walk through backing up the drive to DVD using wbadmin.exe.

Figure 8.20 swhitley’s User Directory
Backing Up Critical Volumes

Disks and volumes in a Windows Server 2008 system are divided into two categories: critical and noncritical. Critical volumes are those containing system state or operating system components. They include the boot and system volumes. A volume containing the Active Directory database (ntds.dit) on a DC is also an example of a critical volume. Critical disks are those that contain critical volumes. Here are two ways to back up critical volumes; the first uses the Windows Server Backup utility and the second uses wbadmin. To back up critical volumes with the GUI:

1. Click Start | Administrative Tools | Windows Server Backup.
2. In the Action pane, select Backup Once.
3. In the wizard, at the Backup options screen, select Different options and then click Next.
4. If this is the first backup of the DC, select Yes to confirm that this is the first backup.
5. On the Select backup configuration screen, select Custom and then click Next.
6. On the Select backup items screen, select the Enable system recovery checkbox, or clear that checkbox and select the individual volumes that you want to include. If you do the latter, you must select the volume(s) that store the operating system, ntds.dit, and SYSVOL.
7. On the Specify destination type screen, select Local drives or Remote shared folder and then click Next.
8. On the Select backup destination screen, select the backup location. If you are backing up to a local drive, select a drive in the Backup destination list and click Next. If you’re backing up to a remote shared folder, type the path using the UNC name and click Next.
9. On the Specify advanced option screen, select VSS copy backup (default), then click Next.
10. At the Summary screen, review your selections and click Backup.
11. After the backup is complete, choose Close.
To back up critical volumes using wbadmin.exe, do the following:

1. Click Start | Command Prompt.
2. At the command prompt, type wbadmin start backup -allCritical -backupTarget:targetdrive: -quiet, where targetdrive is the drive letter of the backup destination. The -quiet switch allows you to bypass having to type Y when asked to proceed with the backup operation.
Recovering System State Data

Sometimes the operating system may become corrupt or unstable, or a role or service may need to be rolled back to a previously backed up state. The fastest and easiest way to do this is to perform a system state recovery. As we already know, the only way to back up the system state independently is to use wbadmin.exe. The same is true for recovery: you must use wbadmin to independently restore the system state. In our example of backing up the system state, we saved the system state on another local hard drive on the server (the E drive). The .vhd file, which is the actual backup file, resides in E:\WindowsImageBackup\SIGMA\SystemStateBackup\Backup 2008-01-13 055541. Exercise 8.5 walks you through the steps in recovering the system state for a member server.
EXERCISE 8.5 RECOVERING SYSTEM STATE FOR A MEMBER SERVER
1. To recover a system state, we must log on to the server as the administrator.
2. Pull up the command prompt (Start | Command Prompt).
3. In the command prompt, type wbadmin get versions. You’ll see a list of the backups you’ve made on that server, arranged by date and time. You’ll also see what you can recover with each backup. At the bottom of the list in Figure 8.21, notice that the last backup’s time, its target, the version identifier, and what it can recover match our example earlier in the chapter. That is the backup we will recover.
Figure 8.21 The Command Prompt
4. In the command prompt, select your desired backup by highlighting the version identifier, which in our case is 01/13/2008-05:55, and pressing Enter. This copies it to the Clipboard.
5. At the prompt, type wbadmin Start SystemStateRecovery -version:01/13/2008-05:55 and press Enter (remember that you can paste the version identifier by clicking on the upper-left corner of the command prompt and selecting Edit | Paste).
6. Next, wbadmin will prompt you with Do you want to start the system state recovery operation? Type Y for yes and press Enter.
7. The system state recovery takes a few minutes to complete. After it’s finished, reboot the server and that’s it. You’ve recovered the system state.
EXAM WARNING To recover the system state for a DC, you must be in Directory Services Restore Mode (DSRM).
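Exercise 8.5 has you read the version identifier out of wbadmin get versions by hand at recovery time. The better moment to look at that list is before anything breaks, so the following PowerShell script is an added example, not from the book, that parses the output into objects and reports whether the newest backup is recent enough and can recover the System State. The sample output embedded in it is constructed to mirror the identifiers used in this chapter; the exact label text wbadmin prints is an assumption from memory, so check it against your own server's output. The identifier format MM/dd/yyyy-HH:mm is in UTC, which is why the chapter's 01/13/2008-05:55 backup produced a log named with the local time 00-55-41.

```powershell
# Added example (not from the book): parse "wbadmin get versions" and flag stale
# backups before a recovery is needed. The sample below is constructed to mirror the
# identifiers in this chapter; the exact label text wbadmin prints is an assumption.
$SampleVersions = @'
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.

Backup time: 1/13/2008 12:55 AM
Backup target: Fixed Disk labeled E:
Version identifier: 01/13/2008-05:55
Can recover: Application(s), System State

Backup time: 1/14/2008 6:45 PM
Backup target: Fixed Disk labeled E:
Version identifier: 01/14/2008-23:45
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State
'@

function ConvertFrom-WbadminVersions {
    # Turns the text output into one object per backup.
    param([string[]]$Lines)
    $records = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Backup time:\s*(.+?)\s*$') {
            $current = New-Object PSObject -Property @{
                BackupTime = $matches[1]; Target = $null; Version = $null; VersionUtc = $null; CanRecover = $null
            }
            $records += $current
        }
        elseif ($current -eq $null) { continue }
        elseif ($line -match '^Backup target:\s*(.+?)\s*$') { $current.Target = $matches[1] }
        elseif ($line -match '^Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})') {
            $current.Version = $matches[1]
            # The identifier has a fixed MM/dd/yyyy-HH:mm layout and is in UTC, which is why
            # 01/13/2008-05:55 matches the 00-55-41 local time in the log name shown earlier.
            $t = [DateTime]::ParseExact($matches[1], 'MM/dd/yyyy-HH:mm', [Globalization.CultureInfo]::InvariantCulture)
            $current.VersionUtc = [DateTime]::SpecifyKind($t, [DateTimeKind]::Utc)
        }
        elseif ($line -match '^Can recover:\s*(.+?)\s*$') { $current.CanRecover = $matches[1] }
    }
    return $records
}

function Test-WbadminBackups {
    # Reports OK or FAIL based on the age and contents of the newest backup.
    param(
        [string[]]$Lines,
        [int]$MaxAgeDays = 2,
        [DateTime]$NowUtc = (Get-Date).ToUniversalTime()
    )
    $backups = @(ConvertFrom-WbadminVersions -Lines $Lines | Where-Object { $_.VersionUtc -ne $null })
    if ($backups.Count -eq 0) { return 'FAIL: no backups listed' }
    $latest   = $backups | Sort-Object VersionUtc | Select-Object -Last 1
    $problems = @()
    $age = $NowUtc - $latest.VersionUtc
    if ($age.TotalDays -gt $MaxAgeDays) { $problems += "newest backup $($latest.Version) is $([int]$age.TotalDays) days old" }
    if ($latest.CanRecover -notmatch 'System State') { $problems += 'newest backup cannot recover System State' }
    if ($problems.Count -eq 0) { return "OK: newest backup $($latest.Version) on $($latest.Target)" }
    return 'FAIL: ' + ($problems -join '; ')
}

# Offline run against the constructed sample, evaluated as of 15 Jan 2008 00:00 UTC
$asOf = New-Object DateTime 2008, 1, 15, 0, 0, 0, ([DateTimeKind]::Utc)
Test-WbadminBackups -Lines ($SampleVersions -split "`r?`n") -NowUtc $asOf
# The same list evaluated a week later, beyond MaxAgeDays
Test-WbadminBackups -Lines ($SampleVersions -split "`r?`n") -NowUtc $asOf.AddDays(7)
# Live run on the server (elevated prompt):
# Test-WbadminBackups -Lines (& wbadmin.exe get versions)
```

The parser keys on the Version identifier line rather than on Backup time because the identifier's layout is fixed, whereas Backup time is printed in the server's locale. Running Test-WbadminBackups from the same scheduled task that performs your backups gives you a daily answer to the question Exercise 8.5 only asks once a restore is already needed.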
Recovering Key Files

With WSB, we can recover individual files and folders as long as the backup resides on a local drive attached to the system. In other words, if a full backup was made to a network drive, DVD, or any other remote/removable media, we would have to restore the entire volume. In the “Backing Up Key Files” section earlier in this chapter, we showed that the user swhitley had a directory called lab results within her Users directory (refer back to Figure 8.20). As we all know, sometimes files and, worse, directories are deleted accidentally. Well, one day swhitley gets to work and notices her lab results directory is gone, as shown in Figure 8.22. She needs this directory ASAP. One option with Windows Server 2008 is to use WSB to individually recover directories and/or files. Exercise 8.6 shows how to do this.
EXERCISE 8.6 RECOVERING FILES AND DIRECTORIES
Figure 8.22 An Accidentally Deleted Directory
1. Pull up WSB (Start | Administrative Tools | Windows Server Backup).
2. In the Actions pane, select Recover.
3. At the Getting Started screen, you’re asked Which server do you want to recover data from? For our scenario, we will select This server (SIGMA). Click Next.
4. In Figure 8.23, you see that we must select the date of the backup we want to use for the recovery. We will select a backup done on 01/14/2008 at 6:45 P.M. located on the E drive. Click Next.
Figure 8.23 Selecting the Backup Date
5. We now need to select a recovery type. We have three options: Files and Folders, Applications (grayed out), and Volumes. If we select Volumes, we can restore the entire volume, such as drive C, but we will not be able to individually select files or folders to recover. Applications are available when an application’s plug-ins are registered; currently we do not have any, so this option is grayed out. Files and Folders allows us to individually select which files or folders we want to recover. Because we want to recover swhitley’s lab results folder, we will choose this option, as shown in Figure 8.24. Click Next.
Figure 8.24 Selecting the Recovery Type
6. We must now choose what items we want to recover. We need to get to swhitley’s Users directory and choose Lab Results, as shown in Figure 8.25, and then click Next.
Figure 8.25 Selecting Items to Recover
7. Figure 8.26 shows that we have to specify recovery options such as the recovery destination, how to handle conflicts, and whether to restore security settings. We will be recovering the lab results folder to its original location. We will also select Create copies so I have both versions of the file or folder, which is the safest option we have. Finally, we want the original security settings that were in place before the folder was deleted. Once we’ve done that we can click Next.
Figure 8.26 Specifying Recovery Options
8. WSB will now ask us to confirm what we want to recover, as shown in Figure 8.27. Once we’ve done that we can click Recover.
Figure 8.27 Confirming What We Want to Recover
9. After the recovery process is over, just click Close.
We can now check swhitley’s Users directory to see whether the lab results directory was recovered and whether the files that resided there are restored as well. Figure 8.28 shows that we have a successful recovery of her directory and the files that reside there.
Figure 8.28 Verifying That the Directory and Files Have Been Restored
Directory Services Restore Mode

Directory Services Restore Mode (DSRM) is a special boot mode in Windows Server 2008. You use it to log on to a DC when either Active Directory has failed or an object needs to be restored. During setup, you were asked to provide a password for the DSRM administrator. This administrator account (Administrator) is separate from the domain administrator account, and it is the account you use once you boot into DSRM. If you have forgotten the DSRM password, you can reset it by doing the following:

1. Click Start | Command Prompt.
2. In the command prompt, type ntdsutil and press Enter.
3. At the ntdsutil prompt, type set dsrm password and press Enter.
4. At the Reset DSRM Administrator Password prompt, type reset password on server null (if you are resetting the DSRM password on a remote server, type reset password on server <servername>).
5. Type in the new password, press Enter, and then retype the password for verification and press Enter again.
6. After you receive the Password has been set successfully message, type quit at both the Reset DSRM Administrator Password prompt and the ntdsutil prompt.

To access DSRM, you must restart the DC and then press F8 immediately after the BIOS POST screen and before the Windows Server 2008 logo appears. Once you’ve done this, you will see the Advanced Boot Options screen shown in Figure 8.29. To restore Active Directory you would choose Directory Services Restore Mode and then perform either an authoritative or a nonauthoritative restore, which we will cover in more detail in the next section.

Figure 8.29 Choosing Directory Services Restore Mode
So, what if you don’t remember the password for the DSRM administrator? No problem; Microsoft anticipated this. Just follow the steps in Exercise 8.7.
EXERCISE 8.7 RESETTING THE DSRM ADMINISTRATOR PASSWORD
1. Open a command prompt (Start | Command Prompt).
2. At the C:\ prompt, type ntdsutil and press Enter.
3. At the ntdsutil prompt, type set dsrm password and press Enter.
4. You will now come to the Reset DSRM Administrator Password prompt. Type reset password on server null and press Enter.
Configuring and Implementing… Resetting DSRM Administrator Passwords

You can reset the DSRM Administrator password on another server by typing reset password on server <servername’s FQDN> at the Reset DSRM Administrator Password prompt.
5. At the Please type password for DS Restore Mode Administrator Account prompt, type the new password. You will notice that you will not see the characters that you are typing. After you do this, press Enter.
6. You will now be prompted to confirm the password; do so and press Enter.
7. After you have done this correctly, ntdsutil will confirm that the password has been reset.
8. Now type q and press Enter at the Reset DSRM Administrator Password prompt.
9. At the ntdsutil prompt, type q and press Enter. You have now reset the DSRM Administrator’s password, which you can see in Figure 8.30.
Figure 8.30 Successfully Resetting the DSRM Administrator’s Password
Performing Authoritative and Nonauthoritative Restores

One day you may find yourself with a DC that has a corrupted copy of ntds.dit. To resolve issues such as this you would need to perform a nonauthoritative restore, which we will cover soon. Other times you may have accidentally deleted an object (user, computer, printer, etc.) from Active Directory and you have no way to restore it within Active Directory. This is usually because after the object is deleted, the change has already been replicated to the other DCs in the domain. To fix this you need to perform an authoritative restore, which we will discuss in the next section.
Authoritative Restore

As just mentioned, one of the reasons to perform an authoritative restore is when an object is accidentally deleted in Active Directory and the deletion has already replicated to the remaining DCs. If you simply did a nonauthoritative restore, the object would restore but would be deleted after the other DCs replicated with the recovered system. Exercise 8.8 provides the steps for conducting an authoritative restore.
EXERCISE 8.8 PERFORMING AN AUTHORITATIVE RESTORE
In this example, we are going to “accidentally” delete the user Alan T. Jackson. As you see in Figure 8.31, Alan’s user account is in the Users organizational unit (OU). We will now “accidentally” delete it.
Figure 8.31 User Alan T. Jackson before Deletion
In Figure 8.32, you can see that Alan’s user account has been deleted.
Figure 8.32 User Alan T. Jackson Deleted
Here are the steps to follow to perform an authoritative restore so that we can restore Alan’s user account:

1. First we need to get the version identifier for the most recent backup. Go into a command prompt (Start | Command Prompt), type wbadmin Get Versions, and press Enter. You should see a list of the backups that have been performed on that server. At the bottom is the backup about which we need to get the information. The Version identifier for the backup we want is 01/15/2008-01:05. Also notice in Figure 8.33 that it is stored on the server’s E drive.
Figure 8.33 Getting Backup Information
2. Restart the server and press F8 to open the Advanced Boot Options. In the Advanced Boot Options menu, select Directory Services Restore Mode and press Enter.
3. DSRM will boot up into safe mode and will check the file system on all locally attached drives (except for DVDs). Press Ctrl + Alt + Del when asked. At the logon screen, click on Switch User so that you don’t try to log on as the domain administrator, and then click on Other User, as shown in Figure 8.34.
Figure 8.34 Selecting Other User
4. For the username, type in the DSRM’s administrator account and its password. Notice in Figure 8.35 that we have typed it as sigma\administrator. Click on the blue button with the white arrow next to where the password is typed to continue.
Figure 8.35 Logging On As the DSRM Administrator
5. Once in safe mode, open the command prompt. Because all we need to do is restore the system state, we can type wbadmin start SystemStateRecovery -version:01/15/2008-01:05. This is the same format we covered earlier in recovering the system state.
6. You are then asked whether you want to start the system state recovery. Type Y for yes and press Enter. Recovery may take a few minutes or longer.
7. Once recovery is finished, you are asked to restart your computer, as shown in Figure 8.36. For an authoritative restore you do not restart the system yet.
Figure 8.36 The System State Recovery Is Complete
8. As this is an authoritative restore, we must pull up ntdsutil to restore the user ajackson. At the command prompt, type ntdsutil and press Enter.
9. At the ntdsutil prompt, type activate instance ntds and press Enter.
10. The ntdsutil prompt will return. At the prompt, type authoritative restore and press Enter.
11. This will bring up an authoritative restore prompt. At the prompt, type restore subtree CN=ajackson,CN=Users,DC=MMA,DC=LOCAL and press Enter. Note that there are no spaces between the commas and the next entry.
12. You will now be asked whether you are sure you want to perform the authoritative restore. Click Yes.
13. One record will be found and will be successfully updated. You will see the message Authoritative Restore completed successfully. At the authoritative restore prompt, type q for quit and do the same at the ntdsutil prompt. You can now restart the computer and let it come to the normal logon screen.
14. Log on as the domain administrator and let the system state recovery finish. Once it’s done, you can examine Active Directory Users and Computers (ADUC), go to the Users OU, and see that the user Alan T. Jackson has been restored.
Nonauthoritative Restore

Nonauthoritative restores are used to bring Active Directory Domain Services back to a working state on a DC. The prerequisite for a nonauthoritative restore is that a critical-volume backup exists. A nonauthoritative restore is in order for situations such as lost data, which can include updates to passwords for user accounts, computer accounts, and even trusts, as well as updates to group memberships, policies, the replication topology, and its schedules, to name a few. To conduct a nonauthoritative restore, follow the same procedures we outlined for the authoritative restore. After the system state is restored, you can go ahead and restart the server when prompted instead of loading ntdsutil. Once a nonauthoritative restore is complete, any changes to Active Directory objects are replicated to the server from ….. that has just gone through a nonauthoritative restore.
Linked Value Replication

When the forest functional level is Windows Server 2003 or above, linked value replication (LVR) is available. Previously in Active Directory, primarily with Windows 2000, when an attribute changed the entire attribute was replicated to all other DCs on the network. Now, with LVR, changes in group membership are stored and replicated as values for individual members instead of replicating the entire membership as a single unit. LVR lowers the amount of bandwidth used in replication and the amount of processor power used during replication.
Backing Up and Restoring GPOs

Backing up a Group Policy Object (GPO) consists of making a copy of the GPO data to the file system. The backup consists of the following data:

■ Domain where the GPO resides
■ Owner of the GPO
■ Date created
■ Date modified
■ User revisions
■ Computer revisions
■ Globally unique identifier (GUID)
■ GPO status
Exercise 8.9 takes you through the steps of backing up a GPO.
EXERCISE 8.9 BACKING UP THE GPO
You must back up GPOs from the Group Policy Management Console (GPMC). You can get to it by clicking on Start | Administrative Tools | Group Policy Management. Let’s walk through the process of backing up GPOs:

1. Open the GPMC.
2. In the console tree, click on the plus sign (+) next to the forest. In our case, we click on the plus sign next to Forest:MMA.LOCAL.
3. Scroll down the tree Domains | MMA.LOCAL | Group Policy Objects. In Figure 8.37, you see that we have four GPOs. In reality, you would probably have significantly more, but for demonstration purposes we’ll keep it simple.
Figure 8.37 The GPMC
4. Highlight Group Policy Objects and right-click it. Select Back Up All, as shown in Figure 8.38.
Figure 8.38 Selecting Back Up All
5. When the Back Up Group Policy Object screen comes up, as shown in Figure 8.39, set the location to a directory either on a local drive or on a mapped drive on a remote server. In our case, we are backing up our GPOs to the directory C:\GPO Backups. As for a description, you can type anything you want that will remind you what this certain backup pertains to. After you’ve done this, you can click on Back Up.
Figure 8.39 Location to Store Backups
6. Next you’ll see the backup progress take place. Once it’s finished, it will provide you with the status of the backup for each GPO. As you can see in Figure 8.40, our four GPOs were successfully backed up. Once your GPOs have backed up successfully, just click OK to finish.
Figure 8.40 Backup Status
EXAM WARNING With Windows Server 2008 comes a new type of GPO called Starter GPOs. Starter GPOs are not included in the backup of GPOs; you have to back them up separately. To do so, highlight the Starter GPOs folder, right-click it, select Back Up All, and follow the same procedure we went through in Exercise 8.9.
In the directory where we backed up our GPOs, you see that each GPO has a folder with a GUID as the name, as shown in Figure 8.41. Inside each folder will be two XML documents, one named Backup and the other named gpreport, along with a folder called DomainSysvol. The DomainSysvol folder holds a GPO folder with two subfolders, one for machine settings and the other for user settings. If the GPO has machine settings but no user settings, only the machine folder will contain a registry.pol file (and vice versa); if the GPO has settings for both, each folder will contain a registry.pol file.

Figure 8.41 The Folder Layout for GPO Backups
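The folder layout just described is enough to audit a GPO backup directory without opening the GPMC. The following PowerShell functions are an added example, not from the book and not part of the GPMC, that walk the GUID-named folders, check that Backup.xml and gpreport.xml are both present, note whether machine and user registry.pol files exist, and then report, for the newest backup of each GPO, whether it is incomplete or older than a threshold. C:\GPO Backups is the directory used in Exercise 8.9; the GPODisplayName and GPOGuid element names read out of Backup.xml are assumptions about that file's contents, and the code falls back to the folder name when they are not found.

```powershell
# Added example (not from the book or the GPMC): inventory a GPMC backup directory using
# the folder layout described in the text. C:\GPO Backups is the location from Exercise 8.9;
# the GPODisplayName and GPOGuid element names read from Backup.xml are assumptions.
function Get-GpoBackupInventory {
    param([string]$BackupRoot = 'C:\GPO Backups')
    $guidFolder = '^\{[0-9a-fA-F-]{36}\}$'        # each backup lives in a folder named with a GUID
    Get-ChildItem -Path $BackupRoot |
        Where-Object { $_.PSIsContainer -and $_.Name -match $guidFolder } |
        ForEach-Object {
            $dir         = $_.FullName
            $backupXml   = Join-Path $dir 'Backup.xml'
            $displayName = $null
            $gpoGuid     = $null
            if (Test-Path $backupXml) {
                $raw = [IO.File]::ReadAllText($backupXml)    # ReadAllText honours the file's BOM
                # Assumed element names; regex is used so the script does not depend on the full schema.
                if ($raw -match '<GPODisplayName><!\[CDATA\[(.*?)\]\]></GPODisplayName>') { $displayName = $matches[1] }
                if ($raw -match '<GPOGuid><!\[CDATA\[(.*?)\]\]></GPOGuid>')               { $gpoGuid = $matches[1] }
            }
            New-Object PSObject -Property @{
                BackupFolder    = $_.Name
                GpoGuid         = $gpoGuid
                DisplayName     = $displayName
                BackedUp        = $_.LastWriteTime
                # Both XML documents the text describes must be present for the backup to be complete
                Complete        = (Test-Path $backupXml) -and (Test-Path (Join-Path $dir 'gpreport.xml'))
                MachineSettings = Test-Path (Join-Path $dir 'DomainSysvol\GPO\Machine\registry.pol')
                UserSettings    = Test-Path (Join-Path $dir 'DomainSysvol\GPO\User\registry.pol')
            }
        }
}

function Test-GpoBackups {
    # For each GPO, keeps only its newest backup and flags it if incomplete or older than MaxAgeDays.
    param([string]$BackupRoot = 'C:\GPO Backups', [int]$MaxAgeDays = 7)
    $all    = @(Get-GpoBackupInventory -BackupRoot $BackupRoot)
    $newest = $all | Group-Object GpoGuid | ForEach-Object {
        $_.Group | Sort-Object BackedUp | Select-Object -Last 1
    }
    foreach ($b in $newest) {
        $ageDays = ((Get-Date) - $b.BackedUp).TotalDays
        $status  = 'OK'
        if (-not $b.Complete)            { $status = 'INCOMPLETE' }
        elseif ($ageDays -gt $MaxAgeDays) { $status = 'STALE' }
        New-Object PSObject -Property @{
            Gpo             = $(if ($b.DisplayName) { $b.DisplayName } else { $b.BackupFolder })
            BackedUp        = $b.BackedUp
            AgeDays         = [int]$ageDays
            MachineSettings = $b.MachineSettings
            UserSettings    = $b.UserSettings
            Status          = $status
        }
    }
}

# Usage on the server that holds the backups:
Test-GpoBackups -BackupRoot 'C:\GPO Backups' -MaxAgeDays 7 | Sort-Object Status, Gpo | Format-Table -AutoSize
```

Because Manage Backups keeps every backup of a GPO, not just the latest, the report groups folders by GPO and judges only the newest one; a GPO whose newest backup shows INCOMPLETE or STALE is the one to back up again before you need Exercise 8.10.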
In Figure 8.38, you can see that we have a GPO named Tagged. How would we restore that GPO if it were accidentally deleted? The process is quite simple; let’s walk through it in Exercise 8.10.
EXERCISE 8.10 RESTORING A GPO
1. Open the GPMC (Start | Administrative Tools | Group Policy Management).
2. In the GPMC, go to Forest:MMA.LOCAL | Domains | MMA.LOCAL | Group Policy Objects and verify that the GPO has been deleted. In Figure 8.42, you see that the Tagged GPO is no longer there.
Figure 8.42 The Tagged GPO Deleted
3. In the GPMC, right-click Group Policy Objects and select Manage Backups, as shown in Figure 8.43.
Figure 8.43 Selecting Manage Backups
4. In the Manage Backups screen shown in Figure 8.44, select the Tagged GPO and click Restore. You will be asked whether you want to restore the selected backup; choose OK. As you’ll notice here, we could show only the most up-to-date backups if we wanted to, or we could have all backups come up. We can delete the backup of the GPO(s) and we can view settings from the GPO itself. In the settings you will see items such as the GPO’s GUID, whether it is enabled, any links, Security Filtering, WMI Filtering, delegation, and computer and user configuration. The settings will come up as an .htm file and will be shown in Internet Explorer.
Figure 8.44 The Manage Backups Screen
5. Once the restore is complete, the status window should read Tagged…Succeeded. If so, just click OK. Then click Close in the Manage Backups screen.
6. Now, looking at the GPOs via the GPMC, you should see that the Tagged GPO has been restored, as shown in Figure 8.45.
Figure 8.45 The Tagged GPO Restored
Offline Maintenance

In the past, with Windows 2000 and Windows Server 2003, to do any offline maintenance such as defragging the Active Directory database you would have to reboot and go into DSRM. If users relied on services such as file and print, the Dynamic Host Configuration Protocol (DHCP), and others, they were out of luck until the server was back online. That has now changed under Windows Server 2008. Windows Server 2008 now supports the use of restartable Active Directory Domain Services, which brings offline maintenance to a whole new level.
Restartable Active Directory
Restartable Active Directory Domain Services is a new feature in Windows Server 2008. It allows administrators to perform routine maintenance tasks on a DC far more quickly and with less interruption than ever before. The key is that Active Directory Domain Services can be stopped without affecting other services on a DC, such as DHCP and file/print. With the advent of restartable Active Directory Domain Services, DCs running Windows Server 2008 now have three possible states to run in, as shown in Table 8.2.
Table 8.2 Three States of Server 2008 DCs
State: Description
Active Directory Domain Services Started: Active Directory Domain Services is running. Services provided by a DC are running.
Active Directory Domain Services Stopped: Active Directory Domain Services has been stopped. From an administrator’s point of view, this provides the ability to perform offline maintenance just like running in DSRM. Maintenance is much faster than having to use DSRM. The DC primarily acts as a member server while the service is stopped.
Directory Services Restore Mode: This is unchanged from Windows Server 2003, except that an administrator can run dcpromo /forceremoval to remove Active Directory Domain Services from that particular DC.
There are some things to keep in mind regarding restartable Active Directory Domain Services. A DC cannot start up with Active Directory Domain Services stopped. If you set the startup type to Disabled and reboot the server, it will come back with Active Directory Domain Services started and set back to automatic. Stopping Active Directory Domain Services also stops the File Replication Service (FRS), Kerberos Key Distribution Center (KDC), intersite messaging, the domain name system (DNS) server (if installed), and Distributed File System (DFS) replication. Restarting Active Directory Domain Services, though, will automatically restart those services as well. You can stop and start restartable Active Directory Domain Services using the Microsoft Management Console (MMC) via Services or by using the net.exe command. Exercise 8.11 runs through stopping and starting Active Directory Domain Services in Windows Server 2008.
EXERCISE 8.11 STOPPING AND STARTING RESTARTABLE ACTIVE DIRECTORY DOMAIN SERVICES
1. Log on to a DC as an administrator.
2. Click Start | Administrative Tools | Services.
3. In the list of services, highlight and right-click on Active Directory Domain Services and click Properties.
4. The service status should read Started; just click Stop.
5. After you click Stop, a window will pop up titled Stop Other Services, which you can see in Figure 8.46. This window will inform you of the other services that will also be stopped. Click Yes and then OK.
Figure 8.46 Services That Stop with Active Directory Domain Services
6. Now you will see that Active Directory Domain Services has stopped (see Figure 8.47).
Figure 8.47 Active Directory Domain Services Stopped
EXAM TIP In step 3 of Exercise 8.11, you could simply right-click on the Active Directory Domain Services service and select Stop. This will stop the service just as well.
Offline Defrag and Compaction
Active Directory’s database file is ntds.dit; it is based on the Extensible Storage Engine (ESE) and is located in C:\Windows\NTDS. One of the biggest reasons, if not the only reason, to defrag/compact the ntds.dit file is that you are running low on disk space. Depending on the size of your environment, the ntds.dit file can grow to more than 6 GB in size, even though the database within it may only be 1 GB. Back in the days of Windows 2000 and Windows Server 2003, we had to perform offline defrags in the DSRM because there was no way to easily shut down Active Directory and perform the defrag. As you’ve already seen, that has changed, and for the better, in Windows Server 2008. We simply go into Services and stop Active Directory Domain Services. Exercise 8.12 lists the steps involved in defragging Active Directory in Windows Server 2008.
EXERCISE 8.12 DEFRAGGING ACTIVE DIRECTORY DOMAIN SERVICES
1. Before performing a defrag of ntds.dit, perform a system state backup of the DC or perform a full server backup. Even though we can move or rename the old ntds.dit file, having a backup is essential in case of catastrophe.
2. Go to C:\Windows\NTDS and note the size of the ntds.dit file. In our case, because this is a lab machine, our ntds.dit file is only 12 MB. Create a new directory to initially hold the new ntds.dit file that will be created during the defragging process. Our directory is C:\Windows\NTDS\defragged.
3. Log on to the server as an administrator and stop the Active Directory Domain Services service, as discussed in the preceding section.
4. After Active Directory Domain Services has stopped, open a command prompt (Start | Command Prompt), type ntdsutil, and press Enter.
5. At the ntdsutil prompt, type Activate Instance ntds and press Enter. You will get a message stating Active instance set to “ntds”.
6. At the ntdsutil prompt, type files and press Enter. This will pull up the file maintenance prompt.
7. At the file maintenance prompt, type info and press Enter. This provides you with information about the location of the ntds.dit file, the backup directory, the working directory, and the log directory. Figure 8.48 shows an example.
Figure 8.48 The Drive and DS Path Information
8. At the file maintenance prompt, type compact to c:\windows\ntds\defragged and press Enter. The defrag process will run. The larger your ntds.dit file is, the longer the defrag process will take. Figure 8.49 shows an example of a successful defrag.
Figure 8.49 A Successful Defrag
9. After the defrag has completed, type q at the file maintenance prompt and do the same at the ntdsutil prompt. This should bring you back to a normal command prompt; you can close the command prompt at this time.
10. Go to the C:\Windows\NTDS folder and either rename the ntds.dit file there or delete it.
11. Go to the defragged directory and move the ntds.dit file from there to the C:\Windows\NTDS directory.
12. In the C:\Windows\NTDS directory, rename or delete the edb.log file.
13. Go back to Services and restart Active Directory Domain Services. After it restarts, you’re finished.
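Exercise 8.12 carried out as one script, as an added example that is not from the book: it uses restartable AD DS and the exercise’s paths (C:\Windows\NTDS and C:\Windows\NTDS\defragged), sets the old files aside under a timestamped name instead of deleting them, and adds the ntdsutil integrity check that Microsoft recommends after a compaction. The success string it matches and the service name NTDS are assumptions about ntdsutil’s output and Server 2008’s service names.

```powershell
# Added example: Exercise 8.12 as one script, using restartable AD DS instead of DSRM.
# Run in an elevated PowerShell prompt on the DC. Paths follow the exercise; if
# "ntdsutil ... files info" (step 7) shows other locations, change them here.
$NtdsDir    = 'C:\Windows\NTDS'
$CompactDir = 'C:\Windows\NTDS\defragged'
$DitPath    = Join-Path $NtdsDir 'ntds.dit'
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'

# Step 1: do not proceed without a system state or full server backup.
if ((Read-Host 'Has a system state backup of this DC completed? (y/n)') -ne 'y') {
    throw 'Take a system state backup before defragging ntds.dit.'
}

# Step 2: note the current size and create the directory for the compacted copy.
$sizeBefore = (Get-Item -Path $DitPath).Length
New-Item -ItemType Directory -Path $CompactDir -Force | Out-Null

# Step 3: stop AD DS (service name NTDS, assumed). -Force also stops the dependents
# listed in Figure 8.46 (FRS, KDC, intersite messaging, DNS, DFS Replication).
Stop-Service -Name NTDS -Force
(Get-Service -Name NTDS).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# Steps 4-9: the exercise's ntdsutil commands, passed non-interactively. Each quoted
# argument is one ntdsutil command; the two q entries leave both prompts.
& ntdsutil.exe 'activate instance ntds' 'files' "compact to $CompactDir" 'q' 'q'
$newDit = Join-Path $CompactDir 'ntds.dit'
if (-not (Test-Path -Path $newDit)) {
    Start-Service -Name NTDS
    throw 'Compaction produced no new ntds.dit; AD DS restarted on the old file.'
}

# Steps 10-11: keep the old database under a timestamped name instead of deleting it,
# then move the compacted copy into place.
$oldDit = "$DitPath.$Stamp.old"
Rename-Item -Path $DitPath -NewName (Split-Path -Leaf $oldDit)
Move-Item -Path $newDit -Destination $DitPath

# Added check: verify the compacted database before it goes back into service.
# ntdsutil prints "Integrity check successful." when the check passes (assumed wording).
$report = (& ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'q' 'q' 2>&1) -join "`n"
if ($report -notmatch 'Integrity check successful') {
    # Roll back: put the original database back so the DC can start, then investigate.
    Move-Item -Path $DitPath -Destination "$DitPath.$Stamp.failed" -Force
    Rename-Item -Path $oldDit -NewName 'ntds.dit'
    Start-Service -Name NTDS
    throw "Integrity check failed; original ntds.dit restored.`n$report"
}

# Step 12: set the old log files aside. The exercise renames edb.log; Microsoft's
# compaction procedure removes every *.log in the log directory, so all are renamed.
Get-ChildItem -Path $NtdsDir -Filter '*.log' |
    Rename-Item -NewName { $_.Name + ".$Stamp.old" }

# Step 13: restart AD DS, then confirm the dependent services came back with it
# (the Services console restarts them; start any that are not Running).
Start-Service -Name NTDS
(Get-Service -Name NTDS).DependentServices |
    Format-Table -Property ServiceName, Status -AutoSize

$sizeAfter = (Get-Item -Path $DitPath).Length
'ntds.dit: {0:N0} bytes before, {1:N0} bytes after compaction' -f $sizeBefore, $sizeAfter
```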
Active Directory Storage Allocation
As you’ve learned, the ntds.dit file can get quite large. With this comes concern regarding available drive space. To conserve drive space, we’ve already walked through defragging and compacting the ntds.dit file. Sometimes that’s not enough, and you have to move it and its log files to another drive or partition. Before doing this, you have to confirm the size of the files in the C:\Windows\NTDS folder. You need to check the amount of drive space used by the files in the directory when Active Directory Domain Services is online and offline, because the files that are offline are what you will actually move, but when Active Directory Domain Services is back online the amount of drive space increases. So, why is there a difference in the amount of space used in C:\Windows\NTDS when Active Directory Domain Services is offline versus online? The answer is quite simple: Active Directory will create a temp.edb file, and you have to consider that when determining the amount of space to allocate to Active Directory. Here are some scenarios in which you would determine storage allocation for Active Directory:
■ NTDS.DIT only: The size of the file plus an additional 20% of the current file size or 500 MB, whichever is greater
■ Log files only: The combined size of the log files plus 20% of the combined logs or 500 MB, whichever is greater
■ NTDS.DIT and log files: If the database file and the logs are located on the same partition, the free space should be at least 20% of the combined NTDS.DIT and log files, or 1 GB, whichever is greater
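The three rules above applied to a live DC, as an added example (not from the book): it measures ntds.dit and the ESE log files in the default locations, computes what each scenario calls for, and compares the shared-partition rule against the free space actually left on the volume. The paths and the WMI class used for free space are assumptions; substitute whatever “ntdsutil … files info” reports.

```powershell
# Added example: apply the storage-allocation rules to a live DC.
# Run in an elevated PowerShell prompt on the DC. Paths are the defaults from the
# section; if "ntdsutil ... files info" shows other locations, change them here.
$NtdsDir = 'C:\Windows\NTDS'   # holds ntds.dit
$LogDir  = 'C:\Windows\NTDS'   # holds the edb*.log files (same folder by default)

function Get-AdStorageNeed {
    # Returns, in bytes, the space each of the three rules calls for.
    param([long]$DitBytes, [long]$LogBytes)

    # NTDS.DIT only: file size plus 20% of it or 500 MB, whichever is greater.
    $ditNeed  = $DitBytes + [Math]::Max(0.2 * $DitBytes, 500MB)
    # Log files only: combined log size plus 20% of it or 500 MB, whichever is greater.
    $logNeed  = $LogBytes + [Math]::Max(0.2 * $LogBytes, 500MB)
    # Same partition: free space of at least 20% of dit + logs, or 1 GB, whichever is greater.
    $freeNeed = [Math]::Max(0.2 * ($DitBytes + $LogBytes), 1GB)

    New-Object PSObject -Property @{
        DitPartition = [long]$ditNeed
        LogPartition = [long]$logNeed
        SharedFree   = [long]$freeNeed
    }
}

# Measure ntds.dit and the ESE logs. temp.edb exists only while AD DS is online, which
# is why the online and offline totals differ; it is not counted here, so measure in
# whichever state you intend to size for.
$ditBytes = (Get-Item -Path (Join-Path $NtdsDir 'ntds.dit')).Length
$logBytes = (Get-ChildItem -Path $LogDir -Filter '*.log' |
             Measure-Object -Property Length -Sum).Sum
if (-not $logBytes) { $logBytes = 0 }

$need = Get-AdStorageNeed -DitBytes $ditBytes -LogBytes $logBytes

# Free space on the volume holding the database, via WMI (available on Server 2008).
$drive = Split-Path -Path $NtdsDir -Qualifier          # e.g. C:
$free  = [long](Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace

'ntds.dit is {0:N0} MB; on its own partition allocate {1:N0} MB' -f ($ditBytes / 1MB), ($need.DitPartition / 1MB)
'logs are {0:N0} MB; on their own partition allocate {1:N0} MB' -f ($logBytes / 1MB), ($need.LogPartition / 1MB)
'sharing {0}: keep {1:N0} MB free, {2:N0} MB free now -> {3}' -f $drive, ($need.SharedFree / 1MB), ($free / 1MB),
    $(if ($free -ge $need.SharedFree) { 'OK' } else { 'move ntds.dit or the logs to another volume' })
```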
Monitoring Active Directory
Monitoring Active Directory is key to making sure that objects and attributes are up-to-date and consistent among DCs, whether they are local to each other or located at different sites. One area to monitor is replication between the DCs. To do this we use tools such as Network Monitor, the Event Viewer, replmon, and repadmin. We also need to ensure the performance of the DCs, so that they are able to authenticate and replicate in a timely manner, by using tools such as the Task Manager, the system resource manager, the reliability and performance monitor, and the Event Viewer. Let’s examine each of these tools.
The Network Monitor
It’s important for administrators to keep tabs on the traffic that’s flowing across the network. Monitoring the network gives administrators a better understanding of how the bandwidth on their networks is being utilized. Network Monitor from Microsoft is such a tool. It is a protocol analyzer that allows administrators to capture network traffic, and then view and analyze it. Administrators can see things such as DHCP requests, DNS name resolutions, Hypertext Transfer Protocol (HTTP), and so on. As of this writing, Network Monitor Version 3.1 runs on Windows Server 2008. It does not ship with Active Directory, but you can download it from www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&displaylang=en. To start Network Monitor, just click Start | Microsoft Network Monitor 3.1 | Microsoft Network Monitor 3.1. You will see the Start Page shown in Figure 8.50. Here you can create a new capture or open an existing one. You will also notice the Welcome screen to the right, which mentions all the changes in Network Monitor. In addition to the Start Page tab, you will see the Parsers tab, which allows you to parse packets: Network Monitor applies knowledge of the structure of the various protocols to the hex data contained in the packets and displays the resultant interpretation.
Figure 8.50 The Network Monitor
Although we can’t actually see the information transmitted across the wire for Active Directory replication, we can see things such as when a new DC comes up and queries DNS for an existing Lightweight Directory Access Protocol (LDAP) server at the Default-First-Site-Name site. Figure 8.51 shows this in the Display Filter.
Figure 8.51 The Display Filter in Network Monitor 3.1
Figure 8.51 represents a snapshot of what was happening when a member server was running DCPROMO and was being promoted to a DC. In the figure, the new DC (192.168.1.6) performs a DNS query to SIGMA.MMA.LOCAL, wanting the information about the LDAP server at that site. The DNS server, in this case SIGMA.MMA.LOCAL, responds with the A record and a type SRV of _ldap._tcp.Default-First-Site-Name. As you can see in Figure 8.52, it informs the new DC (192.168.1.6) that the resource name is SIGMA.MMA.LOCAL and that the Internet Protocol (IP) address is 10.10.10.8. In this example, it just so happens that the LDAP server at this site is also the DNS server. In some instances it may not be, depending on the environment.
Figure 8.52 The Response to the DNS Query
To get the view in Figure 8.52, we highlighted the Frame Number in the Frame Summary and right-clicked on it, and then chose View Selected Frame(s) in a New Window. This made it easier for us to read the DNS server’s response. Alternatively, we could have right-clicked the Frame Number and selected Copy, Copy Cell Value, Copy Cell as Filter, Add Cell to Display Filter, Parse Frame as XML, View Selected Frame(s) in a New Window, or Add Selected Frame(s) To. As you can see, a tool such as Network Monitor can be valuable in determining what is actually happening on the wire and where problems may arise.
The Task Manager
You can monitor the load and performance of DCs through the Task Manager, which hasn’t changed much since Windows Server 2003. The Task Manager shown in Figure 8.53 can show administrators what may be causing slow logons for users, along with what processes and executables are using resources, causing strain on a DC. You can pull up the Task Manager in quite a few ways. The easiest way is to just click Start | Run, type taskmgr.exe, and press Enter. Other ways to launch the Task Manager include right-clicking the task bar and selecting Task Manager, pressing Ctrl + Shift + Esc, and pressing Ctrl + Alt + Delete and selecting Start Task Manager.
Figure 8.53 The Task Manager
The Task Manager is very useful for administrators looking for an immediate view of resources such as processor activity, process activity, network activity, memory usage, resource consumption, and even user information. A Services tab has been added to the Task Manager, along with a Services button that allows administrators to pull up the Services Management Console. Another big change is the Resource Monitor button within the Performance tab. Let’s briefly go over each tab in the Task Manager.
The Applications Tab
The first tab in the Task Manager is the Applications tab, which lists all the tasks and programs currently running on the server and their status. The status of programs will be either Running or Not Responding. However, when an application’s status is at Not Responding, it may be waiting for a process to respond, in which case it could return to a Running state. If an application remains at a Not Responding state for some time, an administrator can simply right-click the application in the list and choose End Task, as shown in Figure 8.54.
Figure 8.54 Ending a Task
Figure 8.54 shows other options as well. By selecting Switch To you can switch to a different running task. Selecting Bring To Front will bring that application/task to the front of the desktop. You can use Create Dump File for a point-in-time snapshot of whatever process you need to examine for more advanced troubleshooting.
The Processes Tab
The Processes tab provides a list of processes that are currently running on the server. For each process it reports measures such as CPU, User Name (the context under which the image is running), and Memory (Private Working Set), among others. Administrators can sort out which processes are using the most or least CPU cycles by clicking on the CPU and Memory column headers. You can shut down a process by right-clicking the process name and selecting End Process. You also can add other columns; for instance, you can add a PID column by clicking on View | Select Columns and choosing PID (Process Identifier), and then clicking OK. Figure 8.55 shows the results.
Figure 8.55 Adding a PID Column
The Services Tab
The newest tab in the Task Manager—but one that’s been overdue—is the Services tab. With this tab, administrators can quickly assess and troubleshoot a specific service by viewing its status. By default, it shows the service’s name, PID, description, status, and group. As mentioned earlier, you can even launch the Services Console by clicking on the Services button in the bottom-right corner, as shown in Figure 8.56.
Figure 8.56 The Services Tab
The Performance Tab
The Performance tab allows administrators to view CPU and physical memory usage in an easier-to-understand, graphical manner. It is very useful when an administrator needs a quick analysis of how the system is running. The Performance tab shows CPU usage in real time, while also showing a brief usage history. It does the same for memory usage as well. By default, the Performance tab shows usage by User Mode processes and threads. If you want to see Kernel Mode usage as well, all you have to do is click on View | Show Kernel Times. You will then see kernel mode operations in red in the CPU Usage area. If your server has multiple processors, you will be able to view each individual processor and its corresponding graph. Notice in Figure 8.57 a button in the bottom right labeled Resource Monitor. By clicking on this, you can perform even more analysis. We will cover the System Resource Monitor a little later.
Figure 8.57 The Performance Tab
The Networking Tab
The Networking tab provides information about network traffic for each adapter in a particular server. Multiple adapters and adapter types are supported. For instance, you could have a LAN connection, a virtual private network (VPN) connection, and a dial-up connection all showing up as separate adapters. The Networking tab will show a graphical comparison of the traffic for any connection a server has. Administrators are able to get information about network utilization, link speed, and even the state of the connection. You can examine network traffic in the graph in terms of bytes sent, bytes received, and the total number of bytes simply by clicking View | Network Adapter History and selecting what you want. As with many of the other tabs in the Task Manager, you can add more columns to widen your analysis. Simply click View | Select Columns and select the column(s) you need. In Figure 8.58, you see that we have added the column Adapter Description.
Figure 8.58 The Networking Tab
EXAM WARNING You may be asked on the exam about a problem with a server and you’ll need to quickly gather data. You should start up the Task Manager and look at key indicators such as CPU utilization, process utilization, available memory, and network utilization. Look for skewed numbers around 70% or higher that might be causing performance issues.
The Users Tab
The last tab in the Task Manager is the Users tab. It displays the users who are connected to or logged on to the server. It provides user, ID, status, client name, and session information by default. Although there are no additional columns to add, you can remove any you feel are unnecessary. Figure 8.59 shows that the only user connected to this server is the administrator and that he is at the console.
Figure 8.59 The Users Tab
The Event Viewer
The Event Viewer is traditionally the first place to look when troubleshooting anything in Windows (see Figure 8.52). You can access the Event Viewer by clicking on Start | Administrative Tools | Event Viewer. This tool, which has stood the test of time since the days of NT 3.1, has been completely rewritten and is based on XML. Many new features, functionality, and even a new interface have been added to the Event Viewer in Windows Server 2008. Figure 8.60 shows the new interface for the Event Viewer, taken from MMC Version 3.0.
Figure 8.60 The Event Viewer
Looking at Figure 8.60, you’ll notice that the Event Viewer consists of Custom Views, Windows Logs, Applications and Services Logs, and Subscriptions. Let’s examine each of these more closely.
Custom Views
Custom Views in the Event Viewer are filters created either by Windows Server 2008 or by an administrator of the system. Windows Server 2008 creates custom views when a server takes on a new role, such as a DC running Active Directory Domain Services, or installs a feature such as DNS. Administrators are able to create filters that target only the events they are interested in viewing. In Exercise 8.13, we’ll create a custom view in the Event Viewer. To create a custom view in the Event Viewer, right-click Custom Views and select Create Custom View.
EXERCISE 8.13 CREATING A CUSTOM VIEW
1. Open the Event Viewer by clicking Start | Administrative Tools | Event Viewer.
2. In the Event Viewer, right-click Custom Views and select Create Custom View.
3. Next, the Create Custom View form comes up. In the Logged drop-down list, choose when you want events logged. For instance, you can choose Any time, Last hour, Last 12 hours, Last 24 hours, Last 7 days, Last 30 days, or a Custom range. When choosing Custom range, you decide the date and time of the first event and the date and time of the last event. You can even choose the actual time. For our example, we chose Last 30 days for this exercise.
4. Next, choose the Event level you want to include. These are the same old standbys we’ve seen in previous versions of Windows: Critical, Warning, Verbose, Error, and Information. For our example, we’ll select only Warning.
5. After you have decided on the Event level, you need to choose the event log(s) or the specific event sources to filter by. We’ll simply choose By log and select System, found beneath Windows Logs.
6. If you know exactly what event IDs you want to filter, you can do that by simply typing the event ID(s). Because we don’t, we’ll leave it at <All Event IDs>. For Keywords, we can click on the pull-down menu and see a list of keywords from which to choose. We can enter any particular user or computer we like. For our example, we will only specify the server SIGMA in the Computer(s) line. Your Create Custom View should appear like the one in Figure 8.61. When you’re done, click OK.
Figure 8.61 Creating a Custom View
7. Next, you come to Save Filter to Custom View. You can choose a name to call your filter and provide a description if you like. You also get to choose where you want your custom view saved. For our example, the name will be SIGMA SysLog Warn and we’ll allow it to be saved in the default location. In Figure 8.62, you see we have created our custom view SIGMA SysLog Warn and that there are five events in it. Your server will probably have different warnings than the one shown in the figure.
Figure 8.62 A Newly Created Custom View
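The same filter Exercise 8.13 builds in the GUI (System log, Warning level, last 30 days, computer SIGMA), written as the query the Create Custom View dialog produces on its XML tab and run from the command line with wevtutil. This is an added example, not part of the book; the exact XPath the dialog generates and the name SIGMA are assumptions taken from the exercise.

```powershell
# Added example: Exercise 8.13's custom view as a wevtutil structured query.
# Run in an elevated prompt on the DC. $Computer is the page's lab server name.
$Computer = 'SIGMA'
$Days     = 30
$LogName  = 'System'

# Event Viewer expresses "Last 30 days" as a millisecond window and Warning as Level 3.
$windowMs = $Days * 24 * 60 * 60 * 1000            # 2592000000 for 30 days
$xpath = "*[System[(Level=3) and (Computer='$Computer') and " +
         "TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

# The same query wrapped as a structured query, the form the dialog's XML tab shows;
# "<=" has to be escaped inside XML.
$queryXml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">$($xpath.Replace('<', '&lt;'))</Select>
  </Query>
</QueryList>
"@
$queryFile = Join-Path $env:TEMP 'SIGMA-SysLog-Warn.xml'
Set-Content -Path $queryFile -Value $queryXml -Encoding ASCII

# Show the five newest matching events as readable text (/rd:true = newest first).
& wevtutil.exe qe $queryFile /sq:true /c:5 /rd:true /f:text

# Count every event the view would contain; the book's view held five.
$raw   = (& wevtutil.exe qe $queryFile /sq:true /f:xml) -join ''
$count = [regex]::Matches($raw, '<Event xmlns=').Count
"$count Warning event(s) from $Computer in the $LogName log over the last $Days days"

# Caveat: the Computer element holds the name exactly as the event was logged, which on
# a domain member is usually the FQDN (for example SIGMA.MMA.LOCAL). If the count is 0,
# inspect one raw event (wevtutil qe System /c:1 /f:xml) and copy its Computer value.
```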
Windows Logs
Underneath the Windows Logs folder are the traditional logs we’ve seen before, with two new ones added. Table 8.3 provides a brief description of each log.
Table 8.3 Windows Logs
Log: Description
Application: Contains events from applications residing on the system
Security: Captures authentication and object access events that are audited
Setup: New log that captures events tailored around the installation of applications, server roles, and features
System: Events built around Windows system components are logged here
Forwarded Events: Consolidates and stores events that were captured from remote systems and sent to a single log to facilitate the identification, isolation, and solving of problems
Applications and Services Logs
There is a new category of event logs in Windows Server 2008: the Applications and Services logs. In Figure 8.62, you can see them just below the Windows Logs folder. These logs store events from a single application or component rather than system-wide events like the logs underneath Windows Logs. You can find four subtypes of logs here: Admin, Operational, Analytic, and Debug. Admin logs are tailored more for users and administrators looking to troubleshoot problems. The events in the Admin log will provide administrators with information and guidance regarding how to respond. Events found in the Operational log are more likely to require more interpretation but can be helpful as well. The Analytic and Debug logs are not user-friendly. You can use Analytic logs to trace an issue, and therefore a high number of events are logged. Developers use the Debug logs when debugging applications. The Analytic and Debug logs are hidden and disabled by default in Windows Server 2008. To show these logs, select Event Viewer | View | Show Analytic and Debug Logs. Remember that this only shows the logs; it does not enable them. To enable the Analytic and Debug logs, make sure they are not hidden and then highlight the Analytic or Debug log you want to enable. Click on Action | Properties and in the Log Properties screen, shown in Figure 8.63, select Enable logging and click OK. You can also enable these logs via the command line by typing wevtutil sl <logname> /e:true.
Figure 8.63 Enabling an Analytic Log
Subscriptions
The last folder shown in the Event Viewer is also a new feature in Windows Server 2008, called Subscriptions. The Subscriptions folder allows remote servers to forward events so that they can be viewed locally at a central station. A subscription specifies exactly which events will be collected and in which log they will be stored. Once collected, data from a subscription can be viewed and manipulated just as though it came directly from the server you’re examining. To use subscriptions, you must configure both the forwarding and collecting servers. Both the Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) services are required. Exercise 8.14 teaches how to create a new subscription.
EXERCISE 8.14 CREATING A NEW SUBSCRIPTION
1. Go to the collector computer and run the Event Viewer as an administrator.
2. In the Event Viewer, click Subscriptions in the console tree. If the Windows Event Collector service is not running, you will be prompted to run it; if you receive this message, click Yes.
3. Click Actions | Create Subscription. The Subscription Properties box appears, as shown in Figure 8.64.
Figure 8.64 The Subscription Properties Box
4. In the Subscription name box, type a name for the subscription. For our example, we chose Test as the name.
5. In the Description box, type an optional description for the subscription. We typed Test subscription for ours.
6. At the Destination log drop-down list, select the log file where the collected events are to be stored. The default, as you see in Figure 8.64, is Forwarded Events. For our example, we will accept the default.
7. Under Subscription type and source computers, choose the default of Collector initiated and click Select Computers.
8. In the Computers screen, click Add Domain Computers. You will now be asked to type the name of the computer(s) from which you would like to collect information. For our scenario, we typed FMEA. Click Check Names to verify and then click OK to continue.
9. Now the Computers screen will look like Figure 8.65, and you will see the computer we just selected. If it is correct, click OK, then OK again at the Subscription Properties screen.
Figure 8.65 The Computer Selected for Subscription
10. Now click Select Events and you should see the Query Filter. The Query Filter will be exactly like the Create Custom View you saw in Figure 8.61. For our example, we will choose Any time for Logged, and Critical, Warning, and Error for Event Level. We will choose By log and the Application log for Event logs. Everything else will remain the same, as shown in Figure 8.66. Now click OK.
Figure 8.66 The Query Filter
11. Now just go to the source server (the one that will forward events) and open a command prompt. In the command prompt, type winrm quickconfig and press Enter. On the collector server, at a command prompt type wecutil qc and press Enter.
12. Now add the collector server to the Administrators local group of the computer, and that’s it!
Replmon
Replication Monitor, better known as Replmon, is a GUI tool that you can install with the Support Tools found on the Windows Server 2008 DVD. This tool enables administrators to view the detailed status of Active Directory replication. It also allows administrators to force synchronization between DCs, view the topology in an easier-to-understand graphical format, and monitor the status and performance of DC replication. Replmon is useful for, but not limited to, the following:
■ Noticing when a replication partner fails
■ Viewing the history of both failed and successful replication
■ Viewing the properties of directory replication partners
■ Generating status reports including direct and transitive replication partners along with detailing a record of changes
■ Displaying replication topology
■ Forcing replication
■ Triggering the Knowledge Consistency Checker (KCC) to recalculate the replication topology
■ Displaying a list of trust relationships maintained by a DC that is being monitored
■ Monitoring the replication status of DCs from multiple forests
Using Replmon
To use replmon you must be logged on to a DC. Once logged on, select Start | Run, type replmon.exe, and press Enter. Replmon will then come up with a fairly blank page, as shown in Figure 8.67.
Figure 8.67 Replmon’s Default Screen
Right-click on the Monitored Servers icon in the upper left. You now have the option to Add Monitored Server. In the Add Monitored Server Wizard you have the choice to explicitly type in the name of the DC you want to add or enter the name of a domain within the forest from which to read site data. Figure 8.68 shows that we have decided to search the directory for a server and that our domain is MMA.LOCAL. Once you’ve done this, select Next.
Figure 8.68 The Add Monitored Server Wizard
At the next screen, you see a list of sites that are available from Active Directory. You can expand a site and select any particular server located there. In Figure 8.69, you see that we have chosen to monitor a DC out of the South-Region called FMEA. Once you’ve done this, you can click Finish.
Figure 8.69 Selecting a DC to Monitor
In Figure 8.70, you see that the DC we’re monitoring has five directory partitions displayed. Underneath each partition you see this DC’s replication partner. In this case, it is a DC called SIGMA. Normally, if there are any replication issues you will see a red X underneath the partition(s) where the problem exists. In Figure 8.71, we show the replication status of the Schema and the Update Sequence Number (USN).
Figure 8.70 Directory Partitions
Figure 8.71 Viewing the Logs Pane in Replmon
If you right-click the server, you will see a list of the options you have in replmon, as shown in Figure 8.72.
Figure 8.72 Replmon Options
Table 8.4 lists the options and their descriptions.
Table 8.4 Replmon Options Described
Option: Description
Update Status (only for this server): Rechecks the replication status of the server. The time of the updated status is logged and displayed.
Check Replication Topology: Causes the KCC to recalculate the replication topology for the server.
Synchronize Each Directory Partition with All Servers: Starts an immediate replication for all of the server’s directory partitions with each replication partner.
Show Domain Controllers in Domain: Lists all known DCs.
Show Replication Topologies: Shows a graphical view of the replication topology.
Show Group Policy Object Status: Lists all the domain’s Group Policies and their respective Active Directory and SYSVOL version numbers.
Show Global Catalog Servers in Enterprise: Lists all Global Catalog servers.
Show Bridgehead Servers: Two options are available: In This Server’s Site and In the Enterprise. Shows bridgehead servers based on information provided by the monitored DC.
Show Trust Relationships: Shows all trusts with this domain.
Show Attribute Meta-Data for Active Directory Object: Shows attribute data for a particular object specified using that object’s distinguished name (DN).
Clear Log: Clears the <site-dcname>.log file.
Delete: Deletes the DC from the monitored servers list.
Properties: Shows server properties of the monitored DC. Provides information such as Flexible Single Master Operation (FSMO) roles for the domain (shown in Figure 8.73), inbound replication connections, Transmission Control Protocol/Internet Protocol (TCP/IP) configuration, server flags, and other general information.
Figure 8.73 The FSMO Roles Tab in Server Properties
Replmon is a very useful and powerful tool in troubleshooting replication issues and for just finding information about a domain.
Head of the Class… Support Tools Replmon is not part of Windows Server 2008: it is not on the installation media and cannot be added as a feature. It ships in the Windows Server 2003 Support Tools package, which is where the copy used in this section came from. Repadmin, described next, is built into Windows Server 2008 and is the supported command-line tool for the same job, so make sure you are comfortable with it even if you keep replmon around.
RepAdmin
Another tool that comes with the installation of Windows Server 2008 is the command-line tool RepAdmin. Administrators can use RepAdmin to view the replication topology, force the KCC to rebuild it, and force replication, whether for the entire directory or for specific partitions. You can also use RepAdmin to monitor an Active Directory forest. You must run RepAdmin from an elevated prompt, either by right-clicking Command Prompt and then clicking Run as administrator or by logging on as an administrator and running it. You must also have administrative rights on every DC that RepAdmin targets: Domain Admins can run RepAdmin against any DC in the domain, and Enterprise Admins against any DC in the forest. Here is the syntax for RepAdmin; Table 8.5 lists the commands:

repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password | *}] [/retry[:<retries>][:<delay>]] [/csv]

The distinguished names in the examples below are written without spaces after the commas. A DN that does contain spaces must be enclosed in double quotes, or the command prompt splits it into separate arguments.

Table 8.5 RepAdmin Commands

repadmin /kcc
    Forces the KCC to immediately recalculate the inbound replication topology on the targeted DCs.
    Example: repadmin /kcc site:south
    Triggers the KCC to run on each DC in the south site.

repadmin /prp
    Views and manages the Password Replication Policy (PRP) of a read-only DC (RODC); the DC named must be an RODC.
    Example: repadmin /prp view SIGMA reveal
    Lists the accounts whose passwords are currently cached on the RODC named SIGMA.

repadmin /queue
    Shows the inbound replication requests that the DC must process to become consistent with its source replication partners.
    Example: repadmin /queue FMEA
    Returns the queue of inbound replication requests that the bridgehead server FMEA has yet to process.

repadmin /replicate
    Triggers immediate replication of the specified directory partition to a destination DC from a source DC. The argument order is destination, then source, then partition.
    Example: repadmin /replicate SIGMA FMEA DC=MMA,DC=com
    Replicates the MMA naming context from FMEA (the source) to SIGMA (the destination).

repadmin /replsingleobj
    Replicates a single object between two DCs that share common directory partitions. As with /replicate, the destination DC is named first.
    Example: repadmin /replsingleobj SIGMA FMEA "cn=swhitley,ou=sales,dc=MMA,dc=com"
    Triggers replication of the swhitley object from FMEA to SIGMA.

repadmin /replsummary
    Identifies DCs that are failing inbound or outbound replication and summarizes the results in a report.
    Example: repadmin /replsum * /bysrc /bydest /sort:delta
    Targets all DCs in the forest, retrieves the summary replication status from each, and sorts the links by delta, the time elapsed since their last successful replication.

repadmin /rodcpwdrepl
    Triggers replication of the passwords of the specified users from a source DC to one or more RODCs.
    Example: repadmin /rodcpwdrepl dest-rodc* source-dc "cn=swhitley,ou=sales,dc=MMA,dc=com"
    Triggers replication of the password for the user swhitley from the source DC named source-dc to all RODCs whose names begin with dest-rodc.

repadmin /showattr
    Displays the attributes of an object.
    Example: repadmin /showattr SIGMA "cn=accountants,cn=users,dc=MMA,dc=com"
    Queries the SIGMA DC and shows all attributes of the object identified by that DN.

repadmin /showobjmeta
    Displays the replication metadata for a specified object in Active Directory Domain Services: the attribute ID, version number, originating and local USNs, the GUID of the originating server, and the date and time of each change. This is the data an authoritative restore relies on, and it is the first place to look when two DCs disagree about an attribute.
    Example: repadmin /showobjmeta SIGMA ""
    Targets the SIGMA DC and requests the replication metadata for the object whose GUID (or DN) is given in the quoted argument.

repadmin /showrepl
    Displays the replication status from when the specified DC last attempted inbound replication of its Active Directory partitions.
    Example: repadmin /showrepl * /errorsonly
    Reports inbound replication status for every DC in the forest, showing only the links that are experiencing a replication error.

repadmin /showutdvec
    Displays the up-to-dateness vector: the highest committed USN that Active Directory Domain Services on the targeted DC has seen for itself and for each of its transitive partners.
    Example: repadmin /showutdvec dc=MMA,dc=com
    Shows the up-to-dateness vector of the local DC for the MMA.com directory partition.

repadmin /syncall
    Synchronizes a specified DC with all of its replication partners.
    Example: repadmin /syncall FMEA dc=MMA,dc=com /d /e /a
    Synchronizes the MMA.com partition on FMEA with all of its partners, including DCs in other sites (/e), identifying servers by DN (/d) and aborting if any server is unavailable (/a).
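The /showrepl and /replsummary entries are what you run first when a DC looks out of date, but with many DCs the raw output is hard to scan. The following script, added here as an example and not taken from the book or from Microsoft, parses the CSV that repadmin /showrepl * /csv emits and returns only the links that are failing. The DC names, sites, timestamps and the RPC error in the embedded sample are constructed; the column names are the ones repadmin writes. It assumes Windows PowerShell 2.0 or later for ConvertFrom-Csv.

```powershell
# Added example, not from the book. Filters "repadmin /showrepl * /csv" output
# down to the inbound links with failures. Assumes PowerShell 2.0 or later.

function Get-ReplicationFailures {
    param([Parameter(Mandatory = $true)][string[]]$ShowReplCsv)

    # repadmin marks its header row "showrepl_COLUMNS" and each data row
    # "showrepl_INFO"; strip that marker column so the remaining fields line up.
    $headerLine = $ShowReplCsv | Where-Object { $_ -like 'showrepl_COLUMNS,*' } | Select-Object -First 1
    if (-not $headerLine) { throw 'no showrepl_COLUMNS header found; pass the output of repadmin /showrepl /csv' }
    $columns = ($headerLine -replace '^showrepl_COLUMNS,', '') -split ','

    $links = $ShowReplCsv |
        Where-Object  { $_ -like 'showrepl_INFO,*' } |
        ForEach-Object { $_ -replace '^showrepl_INFO,', '' } |
        ConvertFrom-Csv -Header $columns          # the quoted naming context stays one field

    # A link with a non-zero failure count is stale even if it once succeeded;
    # "Last Success Time" tells you how far behind the destination is.
    $links |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Success Time', 'Last Failure Status'
}

# Constructed sample in the layout repadmin emits. For a live forest replace it with:
#   $raw = repadmin /showrepl * /csv
# from an elevated prompt with rights on every DC targeted.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,South-Region,FMEA,"DC=MMA,DC=LOCAL",North-Region,SIGMA,RPC,0,0,2008-04-02 09:12:41,0
showrepl_INFO,South-Region,FMEA,"CN=Configuration,DC=MMA,DC=LOCAL",North-Region,SIGMA,RPC,0,0,2008-04-02 09:12:41,0
showrepl_INFO,North-Region,SIGMA,"DC=MMA,DC=LOCAL",South-Region,FMEA,RPC,14,2008-04-02 09:40:03,2008-03-30 17:05:22,1722
'@
$raw = $sample -split "`r?`n"

Get-ReplicationFailures -ShowReplCsv $raw | Format-Table -AutoSize
```

The Last Failure Status column is a Win32 error code; `net helpmsg 1722` decodes the one in the sample (the RPC server is unavailable), which on a real network usually means a firewall or DNS problem between the two DCs rather than a directory problem.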
Windows System Resource Manager
Sometimes an application, process, or service takes up a majority of the CPU cycles to the point that it affects everything else running on the server. To combat that, Microsoft has provided a feature in Windows Server 2008 called Windows System Resource Manager (WSRM). WSRM provides an interface where administrators can configure how processor and memory resources are allocated among applications, services, and processes, which helps ensure server stability. To install WSRM do the following:
1. Log on to a Windows Server 2008 system and launch Server Manager.
2. In Server Manager, click Features in the console pane on the left side and choose Add Features in the Details pane.
3. The Select Features box opens. Scroll down to Windows System Resource Manager, select it, and click Next.
4. At the Confirm Installation Selections screen, verify the feature you are installing and then click Install.
5. After the installation is finished, click Close.
WSRM uses resource allocation policies to allocate CPU time and memory among applications, services, processes, and even users. These policies can be in effect all the time or run on a schedule. WSRM policies are enforced only when CPU usage rises above 70%, and they are never applied to processes owned by the operating system or to items in the exclusion list. When certain events take place or the system behaves differently, WSRM can switch to a different policy to preserve system stability. If accounting is enabled in WSRM, administrators can examine the data collected and determine when and why resource allocation policies were either too restrictive or too lax, and adjust the policies accordingly. There are four predefined resource allocation policies in WSRM in Windows Server 2008, which make it easy for administrators to quickly allocate resources. Table 8.6 shows them.
Table 8.6 WSRM Predefined Policies

Equal per Process: Resources are allocated equally among all running processes, preventing one process from monopolizing the available CPU and memory.
Equal per User: Resources are allocated equally among all users, preventing one user from monopolizing the available CPU and memory.
Equal per Session: Resources are allocated equally among all Terminal Services sessions, preventing one session from monopolizing the available CPU and memory.
Equal per IIS Application Pool: Resources are allocated equally among all IIS application pools, preventing one application pool from monopolizing the available CPU and memory.
Defining matching criteria is a common task in WSRM. Administrators use these rules to include or exclude the processes, services, or applications that WSRM should manage, and the rules are referenced later when policies are built. Custom resource allocation policies are similar to matching criteria rules in that they identify specific processes, services, and applications, but a custom policy also defines how much of a resource should be allocated to what it matches. For instance, if only 15% of the processor should go to the sqlwriter.exe process, the policy's resource allocation for that process would be set to limit it accordingly.
The calendar in WSRM is used to schedule policy enforcement on a set basis by one time event or recurring event(s). It’s possible, for instance, that policy enforcement may be necessary only during business hours. Administrators can allocate system resources to sessions or users who are active on Terminal Services. Configuring a policy can ensure that the sessions will behave correctly and that system availability will be stable for all users of Terminal Services. You can do this using the Equal per User or Equal per Session policy within WSRM.
The Windows Reliability and Performance Monitor
The Windows Reliability and Performance Monitor allows administrators to monitor application and hardware performance in real time and to customize the data they want to collect in logs, the thresholds for alerts, and the automatic actions that follow. Administrators can generate reports and view past performance data in a variety of ways. The Windows Reliability and Performance Monitor combines previous tools such as Performance Logs and Alerts, Server Performance Advisor, and System Monitor. It provides a graphical interface for customizing Data Collector Sets and Event Trace Sessions. The Windows Reliability and Performance Monitor consists of three monitoring tools:
■ Resource Overview
■ Performance Monitor
■ Reliability Monitor
There are two ways to start the Windows Reliability and Performance Monitor. One is to click Start | Administrative Tools | Reliability and Performance Monitor; the other is to click Start | Run, type perfmon, and press Enter. Figure 8.74 shows the Windows Reliability and Performance Monitor console.
Figure 8.74 The Windows Reliability and Performance Monitor
Resource Overview
The Resource Overview screen is also known as the Home Page in the Details pane. It presents real-time data about the system graphically. You see categories similar to those in Task Manager: CPU, Network, Memory, and Disk (the last of which Task Manager does not show). You can expand a subsection by clicking the white down arrow at the far right of its bar to see more detailed information. For instance, if you expand CPU, you see the image name, PID, description, thread count, CPU usage, and average CPU usage of each process. Table 8.7 lists the subsections and their associated headings.

Table 8.7 Subsections and Headings

CPU: Image, PID, Description, Threads, CPU, Average CPU
Disk: Image, PID, File, Read, Write, IO Priority, Response Time
Network: Image, PID, Address, Send, Receive, Total
Memory: Image, PID, Hard Faults, Commit, Working Set, Shareable, Private
The Performance Monitor
Under Monitoring Tools is the Performance Monitor, which displays built-in performance counters, either in real time or as historical data. It lets administrators analyze system data, investigate performance, and locate bottlenecks. To open it, click Performance Monitor underneath Monitoring Tools. The Performance Monitor is the successor to the System Monitor, which in Windows Server 2003 let you measure the performance of your own system or of other Windows systems on the network and collect and view real-time performance data. The Performance Monitor in Windows Server 2008 works with objects, counters, and instances. Table 8.8 describes each.

Table 8.8 Components of the Performance Monitor

Object: System components grouped by function, such as Memory, Processor, or PhysicalDisk. Which objects exist depends on the system's configuration and installed roles; a DC, for example, adds the NTDS object.
Counter: A specific measurement within an object, providing detailed information about one aspect of it. Examples are queue length, session % used, and pages converted.
Instances: If more than one of an object is present on a server, each one is an instance. A server with multiple processors has an instance of the Processor object for each, plus a _Total instance that aggregates them.
Exercise 8.15 takes you through the steps of adding counters in the Performance Monitor.
EXERCISE 8.15 ADDING COUNTERS IN THE PERFORMANCE MONITOR
1. Open Reliability and Performance Monitor, either by clicking Start | Administrative Tools | Reliability and Performance Monitor or by clicking Start | Run, typing perfmon, and pressing Enter.
2. In the console tree, click Monitoring Tools | Performance Monitor. This opens the Performance Monitor.
3. Click the green plus sign in the Details pane. The Add Counters screen opens and begins loading the list of counters.
4. Now select the counters. We will add counters that help establish a baseline for the system: Memory - Pages/sec, PhysicalDisk - Avg. Disk Queue Length, and Processor - % Processor Time.
5. To add Memory - Pages/sec, scroll down the list of counters and click Memory, then scroll down its list, select Pages/sec, and click Add. Do the same for PhysicalDisk - Avg. Disk Queue Length and Processor - % Processor Time. Once you're done adding counters, click OK. You may get a message that one of the counters, % Processor Time, is already present; just click OK.
6. You should now see the Performance Monitor with the counters you just added, similar to Figure 8.75. If you highlight any of the lines on the chart, you get its value at that point in time.
Figure 8.75 The Performance Monitor with Baseline Counters
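The three counters in Exercise 8.15 only give you a baseline if you keep them over time and compare against something. The following PowerShell script, added here as an example and not code from the book, captures them with typeperf.exe, which is included in Windows Server 2008, and then scores the averages in the resulting CSV. The ceilings (20 pages/sec, an average disk queue length of 2, 85% processor time) are rule-of-thumb assumptions for illustration, not figures from the book, and should be replaced by your own measured baseline. The sample CSV at the end is constructed in the layout typeperf writes (timestamp column first, then one \\HOST\Object\Counter column per counter). Assumes Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the book. Captures the Exercise 8.15 baseline
# counters with typeperf.exe and checks their averages against ceilings.
# The ceilings are illustrative assumptions; the sample data is constructed.

$BaselineCounters = @(
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time'
)

# Ceilings keyed by counter path without the \\HOST prefix typeperf adds.
$Ceilings = @{
    '\Memory\Pages/sec'                            = 20
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = 2
    '\Processor(_Total)\% Processor Time'          = 85
}

function Invoke-BaselineCapture {
    # -si sample interval (s), -sc sample count, -f/-o CSV output, -y overwrite.
    param([Parameter(Mandatory = $true)][string]$OutFile,
          [int]$IntervalSeconds = 15, [int]$Samples = 40)
    & typeperf.exe $BaselineCounters -si $IntervalSeconds -sc $Samples -f CSV -o $OutFile -y
}

function Test-Baseline {
    param([Parameter(Mandatory = $true)][string]$CsvPath)
    $rows = @(Import-Csv -Path $CsvPath)
    if ($rows.Count -eq 0) { throw "no samples in $CsvPath" }

    # Column 0 is the PDH timestamp; every other column is one counter.
    $names    = @($rows[0].PSObject.Properties | ForEach-Object { $_.Name })
    $counters = $names[1..($names.Count - 1)]

    foreach ($col in $counters) {
        $tail   = $col -replace '^\\\\[^\\]+', ''          # strip leading \\HOST
        $values = $rows | ForEach-Object { [double]$_.$col }
        $avg    = ($values | Measure-Object -Average).Average
        $max    = ($values | Measure-Object -Maximum).Maximum
        $limit  = $Ceilings[$tail]
        New-Object PSObject -Property @{
            Counter  = $tail
            Average  = [math]::Round($avg, 2)
            Maximum  = [math]::Round($max, 2)
            Ceiling  = $limit
            Exceeded = ($limit -ne $null -and $avg -gt $limit)
        }
    }
}

# Constructed sample; a live run is:
#   Invoke-BaselineCapture -OutFile C:\PerfLogs\baseline.csv
#   Test-Baseline -CsvPath C:\PerfLogs\baseline.csv
$sampleCsv = @'
"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\SIGMA\Memory\Pages/sec","\\SIGMA\PhysicalDisk(_Total)\Avg. Disk Queue Length","\\SIGMA\Processor(_Total)\% Processor Time"
"04/02/2008 09:12:41.118","3.112","0.410","12.507"
"04/02/2008 09:12:56.120","41.880","2.950","91.330"
"04/02/2008 09:13:11.117","38.404","3.120","88.902"
"04/02/2008 09:13:26.121","2.007","0.205","9.441"
'@
$tmp = Join-Path $env:TEMP 'baseline-sample.csv'
Set-Content -Path $tmp -Value $sampleCsv

Test-Baseline -CsvPath $tmp | Format-Table Counter, Average, Maximum, Ceiling, Exceeded -AutoSize
```

With the constructed sample only Pages/sec averages above its ceiling (21.35 against 20), while the disk queue and processor columns have high spikes but acceptable averages; that distinction between a sustained average and a momentary peak is exactly why a baseline is collected over an interval rather than read off a live chart.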
The Reliability Monitor The Reliability Monitor provides a system stability overview and information about events that impact reliability. It is great for troubleshooting the root cause associated with any reduced reliability of the system. For instance, we may have a server that is slow to perform read and write requests. By using the Reliability Monitor, we can examine the server’s trend over a period of time and examine failure types with details. The Reliability Monitor calculates the Stability Index which is shown in the System Stability Chart, and helps in diagnosing items that might be impacting the system. An index of 1 means the system is in its least stable stage, whereas an index rating of 10 indicates the system is at its most stable state. The index number is derived from the number of specified failures seen over a historical period. Figure 8.76 shows the System Stability Chart of the server called SIGMA.
Figure 8.76 The System Stability Chart
Notice that this server's Index has trended downward. The current index is 7.24; although that is not the worst it could be, there are clearly problems that need to be addressed. When you examine any of the System Stability Reports below the chart, you see information such as Failure Type, Version, Failure Detail, and Date. In Figure 8.77, we have opened the latest error that took place; the failure type is "OS Stopped working" and the failure detail is a group of hex values.
Figure 8.77 A Windows Failure in the System Stability Report
The failure detail here is the bug check code and parameters shown on a "blue screen" crash. The next thing this administrator should do is locate the memory dump, which is written to %SystemRoot%\MEMORY.DMP by default (the location and dump type are set under System Properties | Advanced | Startup and Recovery), and either analyze it with the Debugging Tools for Windows or contact Microsoft Product Support Services to have the file examined.
Data Collector Sets
A Data Collector Set organizes multiple data collection points into a single component that you can use to review or log performance. It can be created and recorded on its own, grouped with other sets, and incorporated into logs. Data Collector Sets can contain three types of data collectors: performance counters, event trace data, and system configuration information. There are two kinds of Data Collector Sets: User Defined and System. User Defined sets are customized by the administrator, whereas System Data Collector Sets are predefined and consist of Active Directory Diagnostics, LAN Diagnostics, System Diagnostics, and System Performance. You can create a Data Collector Set from a template, from an existing set of data collectors in a Performance Monitor view, or by selecting individual Data Collectors and setting each option in the Data Collector Set properties. Exercise 8.16 walks you through creating a User Defined Data Collector Set.
EXERCISE 8.16 CREATING A USER-DEFINED DATA COLLECTOR SET
1. Open the Reliability and Performance Monitor as you did in the previous exercise.
2. In the console tree, go to Data Collector Sets | User Defined.
3. Right-click User Defined and select New | Data Collector Set.
4. At the first Create new Data Collector Set screen, type a descriptive name. For our example, we called ours AD DS Set. Select Create from a template and click Next.
5. On the next screen you are asked which template to use. Because ours is called AD DS Set, we select Active Directory Diagnostics and click Next. The Active Directory Diagnostics template collects data on the local server, including Registry keys, performance counters, and trace events that help in troubleshooting Active Directory Domain Services performance issues.
6. Next you are asked where the data should be saved. Accept the default, which in this case is %systemdrive%\PerfLogs\Admin\AD DS Set, and click Next.
7. You are then asked how to finish creating the data collector set. Keep the default, Save and close, and click Finish.
8. Under User Defined beneath Data Collector Sets, you should now see the newly created Data Collector Set, AD DS Set, as shown in Figure 8.78.
Figure 8.78 Newly Created User-Defined Data Collector Set
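The wizard in Exercise 8.16 is convenient on one DC; to define the same kind of User Defined Data Collector Set on many DCs you can script it with logman.exe, which Windows Server 2008 includes and whose sets appear under User Defined in the console. The following is an added example, not the book's or Microsoft's code. The set name, output directory, sampling interval, counter list and 256 MB circular log are this example's choices; the NTDS counters named are the standard AD DS performance counters present on every DC.

```powershell
# Added example, not from the book. Creates, starts and queries a counter
# Data Collector Set from the command line with logman.exe, then shows how
# relog.exe turns the binary log into CSV. Names and paths are this example's.

$SetName = 'AD DS Baseline'
$OutDir  = Join-Path $env:SystemDrive 'PerfLogs\Admin\AD DS Baseline'

# Replication, LDAP and directory-read load on the DC plus the three
# system-level baseline counters from Exercise 8.15.
$Counters = @(
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\DRA Pending Replication Synchronizations',
    '\NTDS\LDAP Client Sessions',
    '\NTDS\LDAP Searches/sec',
    '\NTDS\DS Directory Reads/sec',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time'
)

function New-AdDsCollectorSet {
    # -c counters, -si 15 s interval, -f bincirc with -max 256 keeps a 256 MB
    # circular log so the set can run indefinitely, -o output path, -y overwrite.
    & logman.exe create counter $SetName -c $Counters -si 00:00:15 -f bincirc -max 256 -o $OutDir -y
}

function Start-AdDsCollectorSet { & logman.exe start $SetName }
function Stop-AdDsCollectorSet  { & logman.exe stop  $SetName }

function Show-AdDsCollectorSet {
    # Status, counters and output path of this set; "logman query" alone lists all sets.
    & logman.exe query $SetName
}

function Export-AdDsCollectorLog {
    # relog.exe (also built in) converts the .blg that logman writes into CSV,
    # which a spreadsheet or Import-Csv can analyze.
    param([Parameter(Mandatory = $true)][string]$BlgPath,
          [Parameter(Mandatory = $true)][string]$CsvPath)
    & relog.exe $BlgPath -f CSV -o $CsvPath -y
}

New-AdDsCollectorSet
Start-AdDsCollectorSet
Show-AdDsCollectorSet
# Later: Stop-AdDsCollectorSet; Export-AdDsCollectorLog -BlgPath "$OutDir\*.blg" -CsvPath C:\PerfLogs\addsbaseline.csv
```

Because the same script can be pushed to every DC, you get a consistent set of counters and the same output layout everywhere, which matters more than the specific counters chosen when you later compare one DC's log with another's.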
Reports The last folder in the Windows Reliability and Performance Monitor is Reports. Reports support administrators who need to troubleshoot and analyze system performance and issues. Reports are based on Data Collector Sets and are also broken down into User Defined and System. Once you’ve created the Data Collector Set, its corresponding reports folder is available, as shown in Figure 8.79.
Figure 8.79 A User-Defined Report Automatically Created
Summary of Exam Objectives
Maintaining an Active Directory environment constitutes 13% of the total exam for 70-640. It covers backup and recovery, offline maintenance, and monitoring Active Directory.

With the release of Windows Vista, backup and recovery changed from Windows Server 2003, and those changes carry through to Windows Server 2008. Backup is no longer performed with ntbackup.exe but through the Windows Server Backup interface or the wbadmin command-line tool. One of the changes in the new backup is DVD support. Also, after the first full backup, all future jobs run incremental backups by default. You can back up to removable media such as DVD only from the command prompt, not through the GUI. Restoration is also simplified in that administrators no longer have to restore from a series of media when the backup was incremental. One thing that is no longer supported is backup to tape; Microsoft has removed this capability.

You install Windows Server Backup in Windows Server 2008 by adding it as a feature in Server Manager. The command-line tools are not installed by default, so you must select them, and they require Windows PowerShell to be installed as well. Windows Server Backup suits personnel who are not deeply versed in Windows or IT as a whole: the interface is easy to navigate and job creation is wizard-based. Specific backups, such as a backup of only the system state, must be done with the wbadmin command. Full backups scheduled through the GUI do include the system state, but restoring just the system state is done only from the command line, and on a DC the administrator must be in DSRM.

DSRM is a special boot mode in Windows Server 2008. If the Active Directory database file (ntds.dit) becomes corrupt, for instance, DSRM is where an administrator restores an uncorrupted version.
You enter DSRM during the boot process, before Windows loads and just after the BIOS POST: press F8 and choose Directory Services Restore Mode from the list of options. Authoritative and nonauthoritative restores are performed in DSRM, and both are supported just as in previous versions of Windows Server. In the case mentioned earlier, a corrupt ntds.dit, an administrator would perform a nonauthoritative restore of ntds.dit, and any discrepancies between the restored copy and the copies on the other DCs in the domain would be updated or removed through replication. In some situations, though, such as an accidentally deleted object like a user account, a nonauthoritative restore will do nothing to bring the deleted object back, because replication from the other DCs simply deletes it again. This is where an authoritative restore is required. An authoritative restore is performed in DSRM, and the object being restored is marked at the authoritative restore prompt of ntdsutil. After an authoritative restore, the object is replicated back to all the DCs in the domain.

Linked Value Replication is used when the forest functional level is Windows Server 2003 or above. LVR replicates individual values of an object, not the entire object or an entire attribute, just the value that has changed, thus reducing the bandwidth consumed during replication.

Backing up a Group Policy Object consists of copying the GPO data to the file system. Backups and restores are performed within the Group Policy Management Console. Starter GPOs can also be backed up; they are not included in the backup of regular GPOs and must be backed up separately within the GPMC.

Offline maintenance has changed under Windows Server 2008. Tasks such as defragmenting and compacting no longer require booting into DSRM; with restartable Active Directory, end-user productivity is affected less than before. Restartable Active Directory runs as a service named Active Directory Domain Services, visible in the Services console. Services such as DHCP and file/print are unaffected by stopping Active Directory Domain Services. Stopping it, though, also stops dependent services such as the Kerberos Key Distribution Center (KDC), Intersite Messaging, DNS Server, and DFS Replication, and starting it starts them again. To defragment ntds.dit, stop Active Directory Domain Services, run ntdsutil, activate the ntds instance, open the File Maintenance prompt, and run the compact command. Once finished, there is no need to reboot the server; just start Active Directory Domain Services again.

Making sure that objects and attributes are up-to-date and consistent among DCs is key to monitoring Active Directory. Tools such as Network Monitor (netmon), Event Viewer, Replication Monitor (replmon), and Replication Administrator (repadmin) serve that purpose. DC performance is also a concern, and tools such as Task Manager, Windows System Resource Manager, Windows Reliability and Performance Monitor, and Event Viewer are used to monitor it.
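The offline compaction just summarized is a handful of ntdsutil commands, but run by hand it is easy to skip the steps that make it safe. The following PowerShell script, added here as an example and not code from the book, performs the compaction through restartable AD DS and adds the checks an administrator should not omit: it keeps the original database and logs, runs an integrity check on the compacted file before AD DS loads it, restores the original if anything fails, and starts AD DS again in every case. The paths are assumptions for this example (ntds.dit defaults to %SystemRoot%\NTDS; ntdsutil prints the locations it actually used), the success test on ntdsutil's output text is a heuristic, and the script assumes Windows PowerShell 2.0 or later and an elevated prompt on the DC being maintained.

```powershell
# Added example, not from the book. Offline compaction of ntds.dit via
# restartable AD DS with backup, integrity check and rollback. Paths and the
# "successful" output heuristic are assumptions made for this example.

$ErrorActionPreference = 'Stop'

$DitPath    = Join-Path $env:SystemRoot 'NTDS\ntds.dit'   # assumed default location
$LogDir     = Split-Path -Parent $DitPath                 # transaction logs sit beside the .dit
$CompactDir = 'C:\ntds-compact'                           # needs free space >= current .dit size
$BackupDir  = 'C:\ntds-backup'

foreach ($dir in $CompactDir, $BackupDir) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

function Invoke-Ntdsutil {
    # ntdsutil accepts its prompt commands as command-line arguments; echo the
    # output for the operator and return it joined so callers can inspect it.
    param([string[]]$Commands)
    $output = & ntdsutil.exe $Commands 2>&1
    $output | ForEach-Object { Write-Host $_ }
    return ($output -join "`n")
}

# 1. Stop AD DS. /y also stops the dependent services the summary lists
#    (KDC, DNS Server, DFS Replication, Intersite Messaging) without prompting.
net stop ntds /y

try {
    # 2. Compact into a new file; the live database is untouched by this step.
    $result    = Invoke-Ntdsutil @('activate instance ntds', 'files', "compact to $CompactDir", 'quit', 'quit')
    $compacted = Join-Path $CompactDir 'ntds.dit'
    if ($result -notmatch 'successful' -or -not (Test-Path $compacted)) {
        throw 'compaction did not complete; original database left in place'
    }

    # 3. Keep the original database and its logs, then install the compacted
    #    file and delete the old logs, which no longer belong to it.
    Copy-Item -Path $DitPath -Destination $BackupDir -Force
    Copy-Item -Path (Join-Path $LogDir '*.log') -Destination $BackupDir -Force -ErrorAction SilentlyContinue
    Copy-Item -Path $compacted -Destination $DitPath -Force
    Remove-Item -Path (Join-Path $LogDir '*.log') -Force -ErrorAction SilentlyContinue

    # 4. Integrity check of the file AD DS is about to load. Heuristic: esentutl,
    #    which ntdsutil calls, reports "successful" on a clean check.
    $result = Invoke-Ntdsutil @('activate instance ntds', 'files', 'integrity', 'quit', 'quit')
    if ($result -notmatch 'successful') {
        Copy-Item -Path (Join-Path $BackupDir 'ntds.dit') -Destination $DitPath -Force
        Copy-Item -Path (Join-Path $BackupDir '*.log') -Destination $LogDir -Force -ErrorAction SilentlyContinue
        throw 'integrity check failed; original ntds.dit and logs restored'
    }
}
finally {
    # 5. Start AD DS again whatever happened; no reboot is needed.
    net start ntds
}
```

Keep the copy in the backup directory until the DC has replicated normally for a while; if the compacted database turns out to be bad after AD DS is running, that copy plus a nonauthoritative restore is the way back.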
Exam Objectives Fast Track

Backup and Recovery
■ Windows Server 2008 backup uses block-level images and .vhd files.
■ Tape is no longer supported.
■ Windows Server Backup is the new GUI for backup in Windows Server 2008.
■ Backups can be scheduled more than once a day and at specific times.
■ Wbadmin.exe is the new command-line interface for backup.
■ Backup and restore of just the system state must be done using wbadmin.exe.
■ Directory Services Restore Mode (DSRM) is used to perform authoritative and nonauthoritative restores.
■ Authoritative restores should be performed after an object in Active Directory has been accidentally deleted and replication to the other DCs has taken place.
■ Nonauthoritative restores are good for lost updates such as a password for a user account and for corruption found in the ntds.dit file.
■ Linked Value Replication (LVR) is used when changes in group membership occur; only the individual member(s) that changed is replicated, not the entire membership of the group.
■ GPOs and Starter GPOs are backed up separately.

Offline Maintenance
■ Active Directory Domain Services runs as a service under Windows Server 2008 and can be started and stopped at will but can never be paused.
■ Because of restartable Active Directory Domain Services, routine tasks can be performed without affecting other services such as DHCP and file/print services.
■ The three states that a Windows Server 2008 DC runs in are AD DS Started, AD DS Stopped, and Directory Services Restore Mode (DSRM).
■ Offline defrag and compaction shrink the size of ntds.dit, thus saving disk space.
■ If ntds.dit and its logs are located on the same partition, free space should be at least 20% of the combined database file and logs or 1 GB, whichever is greater.

Monitoring Active Directory
■ Tools used to monitor Active Directory are Network Monitor, Event Viewer, replmon, and repadmin.
■ DC performance and stability are monitored using Task Manager, Windows System Resource Manager (WSRM), Windows Reliability and Performance Monitor, and Event Viewer.
■ Network Monitor (netmon) Version 3.0 and later are supported on Windows Server 2008 and must be downloaded to install.
■ Netmon is very useful for verifying that traffic is flowing as it should and that name resolution is occurring correctly.
■ Task Manager is ideal for an immediate view of the resources being used on a server.
■ Event Viewer is typically the first place to start troubleshooting anything that has to do with the server or Active Directory.
■ Event Viewer is now based on XML.
■ Replmon (Replication Monitor) is a GUI tool used to examine replication among DCs and view the replication topology.
■ RepAdmin (Replication Administrator) is the command-line counterpart of Replmon and is built into Windows Server 2008.
■ Windows System Resource Manager (WSRM) allows an administrator to configure how processor and memory resources are allocated among applications.
■ Windows Reliability and Performance Monitor allows administrators to monitor application and hardware performance in real time.
Exam Objectives Frequently Asked Questions
Q: Since Windows Server Backup doesn't read .bkf files, is there any way to restore information from one in Windows Server 2008?
A: Yes. You can download a version of ntbackup for Windows Server 2008 for the sole purpose of restoring items that were backed up with the old software; you cannot create backups with it. Download it from http://go.microsoft.com/fwlink/?LinkId=82917.
Q: Does Windows Server Backup support tape?
A: No. It supports backing up to disk, removable media such as DVD, and network shares.
Q: Does Windows Server Backup come preinstalled with Windows Server 2008?
A: No. You must add it as a feature.
Q: Can you back up just the system state with Windows Server Backup?
A: No. Windows Server Backup backs up at the volume level and does not include an option for choosing just the system state or a particular directory or file. Use wbadmin.exe from a command prompt (wbadmin start systemstatebackup) to back up just the system state.
Q: Since Windows Server 2008 supports backing up to DVD, can you also back up to USB-based flash drives?
A: Yes. To back up to any removable media such as DVD or USB flash drives, you must use the wbadmin.exe command-line tool.
Q: If I forget the Directory Services Restore Mode (DSRM) administrator's password, can I still get into DSRM?
A: Not with the forgotten password. While AD DS is running, though, you can set a new one with ntdsutil (set dsrm password, then reset password on server null) and use it the next time you boot into DSRM.
Q: What is the difference between an authoritative restore and a nonauthoritative restore?
A: An authoritative restore restores a directory object, such as a user account that was deleted accidentally, and flags it so that the restored version wins and is replicated to the other DCs. A nonauthoritative restore is useful when the Active Directory database file (ntds.dit) has become corrupt and you need to restore it; after restoration, directory replication brings the DC up-to-date with all the other DCs.
Q: Does Windows Server Backup back up GPOs?
A: No. You must back up GPOs and Starter GPOs via the Group Policy Management Console (GPMC).
Q: Do you still have to boot into DSRM to perform an offline defrag?
A: No. You can stop Active Directory Domain Services in the Services console and perform it without entering DSRM. Functions such as DHCP and file/print are unaffected and remain operational.
Q: Can I monitor Active Directory replication using Network Monitor (netmon)?
A: You cannot see the replicated data itself, since the RPC traffic between DCs is encrypted, but you can verify that the DCs are talking to each other. A better alternative is to use either Replication Monitor (replmon) or Replication Administrator (repadmin).
Q: What are some of the new benefits of the Event Viewer?
A: The Event Viewer is now XML-based, so it is even easier to import its information into other applications. You can create subscriptions, which allow remote servers to forward events to a central server so that they can be examined in one place.
Q: What does the Windows Reliability and Performance Monitor actually do?
A: It allows administrators to monitor application and hardware performance in real time and to customize the data they collect in logs. It is made up of three primary monitoring tools: Resource Overview, Performance Monitor, and Reliability Monitor. You can customize the data you log by creating Data Collector Sets, which you examine via Reports in the tool.
Self Test

1. You’ve just finished installing a new Windows Server 2008 DC. It is the policy of the IT department to perform a full backup of newly installed DCs. You click on Start | Administrative Tools | Windows Server Backup. When Windows Server Backup loads you see the following screen.
What do you need to do to ensure that the backup takes place?
A. Run DCPROMO
B. Install the Windows Server Backup feature
C. Go to a command prompt and run wbadmin.exe
D. Boot into DSRM and conduct the backup from there
2. You are responsible for performing backups on the DCs on your network. Your boss has requested that you conduct system state backups to DVD. How do you accomplish this?
A. Run the Windows Server Backup Wizard, select System State Backup, and set your target to the DVD drive
B. Run the Windows Server Backup Wizard, select a local drive as the target, and then copy the system state backup to the DVD drive
C. Run the wbadmin.exe command with the start systemstatebackup command and target it to the DVD drive
D. Run the wbadmin.exe command with the start systemstatebackup command, set the target to a local fixed drive, and then copy the system state backup to a DVD

3. You are the network administrator for your company. Last night you successfully performed a system state backup of one of your DCs. Due to an unforeseen issue, you now need to perform a system state restore. What do you need to do to conduct a system state restore on a DC?
A. Reboot the DC, go into DSRM, and run wbadmin.exe to perform the system state restore
B. Log on to the DC as usual and run wbadmin.exe to restore the system state
C. Stop Active Directory Domain Services and then run the wbadmin.exe command to restore the system state
D. Just restore the system state via the Windows Server Backup Wizard

4. You are the network administrator for your company. You have a scheduled backup job run three times a day: 10:00 a.m., 4:00 p.m., and 11:00 p.m. At 4:50 p.m., you get a call that user Janet Harrell has deleted the company budget on the server. There are no previous versions available. What should you do to restore the company budget?
A. Run ntbackup, select the company budget from the list of files backed up, and choose Restore
B. Run Windows Server Backup, select Recover from the Actions pane, choose Files and Folders as the recovery type. Select the company budget from the Available items list. Choose Original location for recovery destination, create copies so that you have both versions of the file or folder under When the wizard finds files and folders in the recovery destination, and choose Restore security settings.
C. Go into DSRM, run wbadmin.exe, and conduct a system state recovery
D. Stop Active Directory Domain Services, load ntbackup, select the company budget, and choose Restore

5. You are the network administrator at your company. The Active Directory database file on one of your DCs is corrupt. You decide to perform a nonauthoritative restore on the DC. You reboot the server into DSRM and try to log on as the domain administrator but you cannot. You need to get this DC back up and functioning as soon as possible. What can you do to achieve this?
A. Log on to the server with another domain administrator’s account
B. Log on to the server using the local administrator’s account
C. Change the domain administrator’s password from another DC and then log on using the account with the new password
D. Log on using the DSRM administrator’s account and password

6. You are the domain admin for your company. You have tasked Susan, a member of the Account Operators group, to delete Amber Chambers’ user account because she quit yesterday. Susan accidentally deletes Andy Chambers’ account. Before she realizes what’s happened the change is replicated to the other DCs. What can you do to bring back Andy Chambers’ user account?
A. Reboot the DC into DSRM, restore the system state, and conduct a nonauthoritative restore on Andy Chambers’ user account from the most recent backup using wbadmin.exe
B. Reboot the DC into DSRM, restore the system state, and conduct an authoritative restore on Andy Chambers’ user account from the most recent backup using wbadmin.exe
C. Log on to the DC in normal mode, stop Active Directory Domain Services, load Windows Server Backup, restore the system state, and perform an authoritative restore of Andy Chambers’ user account
D. Log on to the DC in normal mode, stop Active Directory Domain Services, load Windows Server Backup, restore the system state, and perform a nonauthoritative restore of Andy Chambers’ user account

7. You are the domain administrator for your company. Examining one of the DCs, you notice that the file ntds.dit is almost 6 GB in size. You decide that to save disk space and increase performance you will defrag Active Directory Domain Services. How would you accomplish this?
A. Log on to the server as an administrator. Perform a system state backup of the DC. Create a new directory on the system drive called C:\defrag. Stop Active Directory Domain Services. Start an instance of ntdsutil and activate Instance ntds. At the ntdsutil prompt pull up the file maintenance prompt and type compact to c:\defrag. Go to the %systemdrive%\Windows\NTDS directory and delete the old ntds.dit file as well as any .log files. Copy the ntds.dit file in the C:\defrag folder to %systemroot%\Windows\NTDS, and then restart Active Directory Domain Services.
B. Log on to the server as an administrator. Perform a system state backup of the DC. Create a new directory on the system drive called C:\defrag. Start an instance of ntdsutil and activate Instance ntds. At the ntdsutil prompt, pull up the file maintenance prompt and type compact to c:\defrag. Go to the %systemdrive%\Windows\NTDS directory and delete the old ntds.dit file as well as any .log files. Copy the ntds.dit file in the C:\defrag folder to the %systemroot%\Windows\NTDS.
C. Log on to the server as an administrator in DSRM. Perform a system state backup of the DC. Create a new directory on the system drive called C:\defrag. Stop Active Directory Domain Services. Start an instance of ntdsutil and activate Instance ntds. At the ntdsutil prompt, pull up the file maintenance prompt and type compact to c:\defrag. Go to the %systemdrive%\Windows\NTDS directory and delete the old ntds.dit file as well as any .log files. Copy the ntds.dit file in the C:\defrag folder to the %systemroot%\Windows\NTDS, and then restart Active Directory Domain Services.
D. Log on to the server as an administrator. Perform a system state backup of the DC. Create a new directory on the system drive called C:\defrag. Stop Active Directory Domain Services. Start an instance of ntdsutil and activate Instance ntds. At the ntdsutil prompt, pull up the file maintenance prompt and type compact to c:\defrag. Go to the %systemdrive%\Windows\NTDS directory and delete the old ntds.dit file as well as any .log files. Copy the ntds.dit file in the C:\defrag folder to %systemdrive%\Windows\NTDS.

8. You are the domain administrator for your company. Your network consists of three DCs, each running Windows Server 2008. Two are at site A, and the third is located at site B. There seems to be a replication problem between the DCs at site A and the DC at site B. What is the best tool to use in troubleshooting directory replication?
A. Network Monitor
B. Task Manager
C. RepAdmin
D. Event Viewer

9. You are the domain administrator for your company. Your network consists of multiple DCs at multiple sites. A DC at your local site is having problems with replicating. You need to know when this DC last attempted to perform an inbound replication on the Active Directory partitions. How would you accomplish this?
A. Open a command prompt on the DC and run ntdsutil
B. Open a command prompt on the DC and run repadmin /replicate
C. Open a command prompt on the DC and run repadmin /rodcpwdrepl
D. Open a command prompt on the DC and run repadmin /showrepl

10. You are the domain administrator for your company. At your site you have a single DC that also acts as an application server. From 10:00 a.m. to 4:00 p.m., users complain about slow logons to the network and that accessing resources from this DC is incredibly slow during most of the workday. You log on to the DC, pull up the Task Manager, and notice that a process called CustApp.exe is using just more than 90% of the CPU cycles. The application must remain running during the day, but you also need to resolve the slow logon issues. There is no money in the budget for additional hardware. What is the best way to handle this situation?
A. Go into the Windows System Resource Manager on the DC, and create a new recurring calendar event to start at 8:00 a.m. and end at 5:00 p.m. daily. Associate the event with the Equal_Per_Process policy.
B. Go into the Task Manager and into the Processes tab. Find CustApp.exe and set the priority to Below Normal.
C. Go into the Task Manager and into the Processes tab. Find CustApp.exe and end the process.
D. Purchase a second server to run only the CustApp.exe application
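The offline defragmentation procedure from the FAQ and from question 7, as a PowerShell script added here for illustration; it is not the book’s code. The backup target E:, the scratch directory C:\defrag and the default database path under $env:SystemRoot\NTDS are assumptions. It differs from the book’s steps in that it keeps the original ntds.dit renamed instead of deleting it, and runs ntdsutil’s integrity check before AD DS is restarted.

```powershell
# Added example, not from the book: offline compaction of ntds.dit on a
# Windows Server 2008 DC by stopping AD DS instead of booting into DSRM.
# Run in an elevated PowerShell session on the DC.
# Assumptions: E: receives the system state backup, C:\defrag is scratch
# space, and the database lives in the default %SystemRoot%\NTDS.
$BackupTarget = 'E:'
$CompactDir   = 'C:\defrag'
$NtdsDir      = Join-Path $env:SystemRoot 'NTDS'
$LiveDit      = Join-Path $NtdsDir 'ntds.dit'
$NewDit       = Join-Path $CompactDir 'ntds.dit'

# Step 1: system state backup before touching the database. On Server 2008
# wbadmin is the only way to back up just the system state.
wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet
if ($LASTEXITCODE -ne 0) { throw 'System state backup failed; aborting.' }

# Step 2: scratch directory, then stop AD DS. Stopping NTDS also stops the
# services that depend on it (KDC, DNS if installed); DHCP and file/print
# keep running, as the FAQ notes.
New-Item -ItemType Directory -Path $CompactDir -Force | Out-Null
Stop-Service -Name NTDS -Force

# Step 3: compact into the scratch directory. ntdsutil accepts its menu
# commands as quoted arguments, which is the non-interactive form of
# "activate instance ntds" / "files" / "compact to C:\defrag".
ntdsutil 'activate instance ntds' files "compact to $CompactDir" quit quit
if (-not (Test-Path $NewDit)) {
    Start-Service -Name NTDS
    throw 'Compaction produced no ntds.dit; original database left in place.'
}

# Step 4: swap the files. The old database is renamed rather than deleted so
# it can be put back if the integrity check fails; the transaction logs are
# removed because they no longer match the compacted database.
Move-Item -Path $LiveDit -Destination "$LiveDit.old" -Force
Copy-Item -Path $NewDit -Destination $LiveDit
Get-ChildItem -Path $NtdsDir -Filter '*.log' | Remove-Item -Force

# Step 5: integrity check on the new file before bringing AD DS back.
# ntdsutil reports "Integrity check successful." on a clean result.
$check = ntdsutil 'activate instance ntds' files integrity quit quit 2>&1 | Out-String
if ($check -notmatch 'Integrity check successful') {
    Move-Item -Path "$LiveDit.old" -Destination $LiveDit -Force
    Start-Service -Name NTDS
    throw "Integrity check failed; original database restored.`n$check"
}
Start-Service -Name NTDS
Remove-Item -Path "$LiveDit.old" -Force
Write-Output "Compacted ntds.dit is live; size: $((Get-Item $LiveDit).Length) bytes"
```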
Self Test Quick Answer Key
1. B    6. B
2. D    7. A
3. A    8. C
4. B    9. D
5. D   10. A
Appendix
MCTS/MCITP Exam 640 Self Test Appendix
Appendix • Self Test Appendix
Chapter 1: Configuring Server Roles in Windows 2008

1. You are the administrator for a nationwide company with over 5,000 employees. Your main office has approximately 4,500 employees, while the company’s ten remote offices have 50 users residing in each. You are often unaware of the physical security in place at these offices. However, since there is a fairly sizable number of users at each office, you must provide them with directory services. What is the BEST option to use for directory services when security is often an unknown?
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Directory Rights Management Services
Correct Answer & Explanation: B. This is essentially the ideal scenario for the use of a read-only domain controller, since only the accounts of users authenticating from the remote office will be cached on the server.
Incorrect Answers & Explanations: A, C, and D. Answer A is incorrect because LDS is used in situations when all of the features of a full Active Directory are not required. Answers C and D are incorrect because these are used for authentication between domains and document security, respectively.

2. __________ is a format- and application-agnostic technology, which provides services to enable the creation of information-protection solutions.
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Directory Rights Management Services
Correct Answer & Explanation: D. Active Directory Rights Management Services, or AD RMS, is a technology now available as part of Windows Server 2008 that protects documents (such as e-mails and spreadsheets) by assigning Active Directory–based credentials to the documents.
Incorrect Answers & Explanations: A, B, and C. Answer A is incorrect because LDS is used in situations when all of the features of a full Active Directory are not required. Answer B is incorrect because RODCs are used as a secure Directory Services solution in remote offices, and C is incorrect because AD FS is used for synchronizing external Active Directory domains for authentication purposes.

3. You are the administrator for a nationwide company with over 5,000 employees. Your director tells you your company has just signed into a partnership with another organization, and that you will be responsible for ensuring that authentication can occur between both organizations without the need for additional sign-on accounts. Your boss mentions that the partner has a variety of Directory Services installed throughout their organizations. Which of the following can Active Directory Federation Services NOT connect to?
A. Lightweight Directory Services
B. Windows Server 2003 Directory Services
C. Windows Server 2003 R2 Directory Services
D. All of the above
Correct Answer & Explanation: B. Active Directory Federation Services was not introduced until the R2 release of Windows Server 2003.
Incorrect Answers & Explanations: A, C, and D. Answers A and C are incorrect because AD FS can connect to both LDS and Windows Server 2003 DS. Answer D is incorrect because AD FS can connect to both LDS and Windows Server 2003 R2.

4. You are the administrator for a nationwide company with over 5,000 employees. Your main office has approximately 4,500 employees, while your company’s ten remote offices have 50 users each residing in them. You are often unaware of the physical security in place at these offices. However, since there is a fairly sizable number of users at each office, you need to provide them with directory services. What is the BEST option to use for directory services when security is often an unknown?
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Directory Rights Management Services
Correct Answer & Explanation: B. This is essentially the ideal scenario for the use of a read-only domain controller since only the accounts of users authenticating from the remote office will be cached on the server.
Incorrect Answers & Explanations: A, C, and D. Answer A is incorrect because LDS is used in situations when all of the features of a full Active Directory are not required. Answers C and D are incorrect because these are used for authentication between domains and document security, respectively.

5. The Web development team has requested that you implement a new Web server in a DMZ that will be used for presenting Web sites to customers. Which of the following is NOT a reason for using Windows Server 2008 Core Server?
A. A Core installation does not require a Windows Server 2008 license.
B. A Core installation does not provide GUIs, which limits console access.
C. Core Server installs fewer services than a full installation of Windows Server 2008.
D. Core Server uses fewer resources than a full installation of Windows Server 2008.
Correct Answer & Explanation: A. Although Core Server looks nothing like the full installation, it still requires the appropriate server license.
Incorrect Answers & Explanations: B, C, and D. Answer B is incorrect because Core Server offers absolutely no GUIs by default. Answers C and D are incorrect because there are both fewer services and fewer hardware resources (memory, CPU, and disk space) than a full installation.

6. You have a Windows Server 2003 R2 domain currently running in your organization. You would like to install a read-only domain controller into your Directory Services structure, but you do not want to completely upgrade your domain to Windows Server 2008 Directory Services just yet. What do you need to do in order to add an RODC?
A. Change the domain functional level to Windows Server 2008 mixed mode.
B. Change the forest functional level to Windows Server 2008 mixed mode.
C. Run adprep on a Windows Server 2003 R2 domain controller.
D. An RODC cannot be added until the entire domain is a Windows Server 2008 Directory Services domain.
Correct Answer & Explanation: C. adprep must be run on a Windows Server 2003 R2 domain controller using Windows Server 2008 media.
Incorrect Answers & Explanations: A, B, and D. Answers A and B are incorrect because a Windows 2003 R2 domain and forest would not have an option to raise the functional levels to 2008. Answer D is incorrect because an RODC can be added to a Windows Server 2003 R2 domain.

7. You are looking to upgrade your environment to Windows Server 2008, and you are explaining the new Server Manager console to your boss. Which three of the following answers correctly describe ways that Server Manager can be used?
A. Server Manager can be used to add new server roles.
B. Server Manager can be used to add new server features.
C. Server Manager can be used to configure server failover.
D. Server Manager can be used for scripting commands.
Correct Answers & Explanation: A, B, and C. These three are functions available via Server Manager. For a more complete list, see Table 1.1.
Incorrect Answer & Explanation: D. Answer D is incorrect because scripting is done through command lines and PowerShell.

8. You are attempting to install Directory Services on a Windows Server 2008 Server Core installation. You type dcpromo at the command prompt, but the server fails to install Directory Services. What is the MOST LIKELY reason for this?
A. Directory Services are not supported on a Server Core installation, only read-only domain controllers.
B. You must use an unattended file to complete the Directory Services installation.
C. You must use the Server Manager from another Windows Server 2008 system to complete the installation.
D. Your server’s chipset does not support Directory Services in a Server Core installation.
Correct Answer & Explanation: B. An unattended file (a text file with information about the planned installation) must be referenced during the installation procedure.
Incorrect Answers & Explanations: A, C, and D. Answer A is incorrect. Directory Services can be installed on a Server Core installation. Answer C is incorrect because Directory Services cannot be installed from another server. Answer D is incorrect because the chipset would not cause Directory Services to fail during installation.

9. Which of the following Directory Services administration tools can be used in a Windows Server 2008 Lightweight Directory Services installation?
A. Active Directory Users and Computers
B. Active Directory Sites and Services
C. Active Directory Domains and Trusts
D. Active Directory Licensing Manager
Correct Answer & Explanation: B. Active Directory Sites and Services can be used for configuring sites, which is particularly useful in configuring geographically dispersed LDS implementations.
Incorrect Answers & Explanations: A, C, and D. Answers A and C are incorrect because these tools are not supported in an LDS implementation. Answer D is incorrect because no such tool exists.

10. BitLocker is a new technology that is available in Windows Server 2008 as well as Windows Vista. Which is NOT an advantage of using BitLocker?
A. BitLocker can be used to prevent a hacker from detecting my password.
B. BitLocker prevents someone from removing a hard drive from a system and reading it by installing it on another system.
C. BitLocker prevents someone from loading another operating system onto the server and reading the contents of the disk using this additional operating system.
D. All of the above selections are an advantage of using BitLocker.
Correct Answer & Explanation: A. BitLocker does not prevent someone from booting your system normally and cracking your password using brute force.
Incorrect Answers & Explanations: B, C, and D. Answer B is incorrect because BitLocker prevents someone from reading an encrypted hard drive on another system. Answer C is incorrect because even if another operating system is loaded onto the server, the encrypted drive can still not be read.
Chapter 2: Configuring Network Services 1. You are the administrator for a nationwide company that currently runs Windows Server 2008 DNS and are reviewing the resource records in your Active Directory–integrated DNS zone. You notice there are hostnames that do not meet your company’s naming convention and verify that the computers are not members of your Active Directory domain. What must you do to ensure these hosts cannot create records in your DNS zone? A. Disable DNS and enable DHCP. B. Configure your zone to enable secure dynamic updates. C. Disable dynamic updates in your zone. D. You cannot prevent this from occurring in DNS. Correct Answer & Explanation: B. By enabling secure updates in your AD-integrated zone, only computers that have authenticated with your Active Directory domain can dynamically create and update their DNS records. Incorrect Answers & Explanations: A, C, and D. Answer A is incorrect. DHCP is used for automatic IP address assignment. Answer C is incorrect because this would disable even authorized computers from updating their records. Answer D is incorrect since you can prevent this by using answer B. 2. You are creating a new standard primary zone for the company you work for, Name Resolution University, using the domain nru.corp. You create the zone through the DNS management console, and now you want to view the corresponding DNS zone file, nru.corp.dns. Where do you need to look in order to find this file? A. You cannot view the zone file because it is stored in Active Directory. B. You can look in the %systemroot%\system32\dns folder. C. You cannot view the DNS file except by using the DNS management console. D. The DNS zone file is actually just a key in the Windows Registry. You need to use the Registry Editor if you want to view the file. Correct Answer & Explanation: B. Since this is a standard zone, it is stored in a text-based file. 
If it was Active Directory–integrated, you would not be able to view or modify the file this way.
www.syngress.com
651
652
Appendix • Self Test Appendix
Incorrect Answers & Explanations: A, C, and D. Answer A is incorrect since this is a standard (not integrated) zone. Answer C is incorrect because, as we discussed earlier in this chapter, standard DNS files are text-based. Answer D is incorrect because DNS files have nothing to do with the system Registry. 3. You have removed WINS from your environment, but still have at least one legacy PC and application that requires NetBIOS resolution. What solution can you use in place of WINS to address NetBIOS resolution? A. GlobalNames zones. B. Reverse zones. C. Dynamic updates. D. None of the above. You need WINS for NetBIOS. Correct Answer & Explanation: A. The GlobalNames zone GNZ was introduced to help phase out the Windows Internet Naming Service. The GlobalNames zone GNZ requires the creation of a zone named GlobalNames. Incorrect Answers & Explanations: B, C, and D. Answer B is incorrect because reverse lookup zones are used for resolving IP addresses to hostnames. Answer C is incorrect because dynamic updates are used for automatic population of DNS records. Answer D is incorrect because GlobalNames zones can be used in place of WINS. 4. You’ve just created a new zone in DNS on a Windows Server 20083–based computer. You check the zone and notice that the only records in it are the SOA and NS RRs. Checking the configuration, you see that the zone is configured to accept dynamic updates. What should you do next? A. Manually add all RRs for the zone, including A, CNAME, PTR, and SRV records. B. Manually add A records for all hosts that cannot use dynamic updating. C. Manually add A RRs and PTR RRs for all hosts that will be using dynamic updating. D. Manually initiate a zone transfer to replicate all the needed RR to the new zone. Correct Answer & Explanation: B. 
The example does not mention DHCP support for legacy clients, so we would need to update records for any computer that does not support dynamic updates—typically legacy Windows clients or non-Windows clients. www.syngress.com
Appendix • Self Test Appendix
Incorrect Answers & Explanations: A, C, and D. Answer A is incorrect because these records will not assist in the population of the zone. Answer C is incorrect because dynamic update will create records for all hosts that support it. Answer D is incorrect because we said this is a new zone, so there is nothing to replicate from. 5. A DNS server, Aspen, has been successfully resolving queries but with the wrong information.You use the Monitoring function in the DNS Management Console for Aspen and test the simple and recursive queries. Both work fine. What is the most likely cause of the problem? A. Aspen is not authoritative for the zone in which the wrong information is being returned. B. Aspen is not configured to perform iterative queries. C. Some clients do not support dynamic updates, or manually entered RRs have errors. D. The clients that received the wrong information do not support the OPT record type. Correct Answer & Explanation: C. Client IP addresses may have changed and not been updated in DNS, or it is possible static entries have been entered into the DNS database and are incorrect. Incorrect Answers & Explanations: A, B, and D. Answer A is incorrect because authorization has nothing to do with the scenario. Answer B is incorrect because iterative name queries are issued by the client computer and allow the DNS server to return the best answer it can based on its caches. Answer D is incorrect because OPT is related to enhanced DNS resolution. 6. Your company has recently migrated from Windows NT 4.0 to Windows Server 2008 on all of its networked servers, including those running the DHCP and DNS server services. During the migration, you implemented Active Directory–integrated zones. A colleague says you cannot do this because the zones converted from non-AD-aware operating systems will not allow secure updates, creating a significant security risk to the organization. What is your response? A. 
When any zone is integrated into AD, it takes on the security features of AD. B. If the zone is created outside of the AD, it will be configured for no secure updates and must be re-created to allow for secure updates. C. If the zone is created outside of AD, it will not be configured for secure updates but can be modified via the DNS Management Console. www.syngress.com
653
654
Appendix • Self Test Appendix
D. When any zone created before Windows 2000 is integrated into AD, it will use whatever update type other zones are configured to use. Correct Answer & Explanation: C. DNS zones can be migrated from legacy DNS servers to Windows Server 2008 servers as primary zones, and then configured to be integrated with Active Directory and enabled for secure updates. Incorrect Answers & Explanations: A, B, and D. Answer A is incorrect because secure zones have nothing to do with the security level of AD. Answer B is incorrect because we can indeed modify the zone. Answer D is incorrect because every zone is configured separately to allow for flexibility. 7. You have been tasked with designing a new Windows Server 2008 Active Directory forest. The network is currently a combination of Windows 2000 Professional, Windows XP, Windows Vista, and Macintosh clients.You want to reduce the administration of IP addresses. Which of the following services would you implement to accomplish this? A. DHCP B. DNS C. WINS D. DDNS Correct Answer & Explanation: A. Implementing DHCP scopes will eliminate the need for most static assignments of IP addresses to client systems. Incorrect Answers & Explanations: B, C, and D. Answer B is incorrect because DNS is needed for name resolution. Answer C is incorrect because WINS is used for legacy NetBIOS name resolution. Answer D is incorrect because DDNS is used for dynamic updates of host records in DNS. 8. Your company has a Windows Server 2008 domain. All of your servers run Windows Server 2008 and all of your workstations run Windows Vista Business. Your DHCP server is configured with the default settings and all of your Windows Vista machines are configured as DHCP clients with the default DHCP client settings.You want to use DNS dynamic updates to automatically register the host record and PTR record for all of your workstations. Which of the following must you do to accomplish your goal? A. None. The default settings are sufficient. B. 
Configure the DHCP server to always Dynamically Update DNS And PTR Records. www.syngress.com
Appendix • Self Test Appendix
C. Configure the DHCP server to Dynamically Update DNS And PTR Records Only If Requested By The DHCP Clients. D. Configure the workstation to use dynamic updates. Correct Answer & Explanation: A. Any Windows-based client system that runs Windows 2000, XP, or Vista does not need additional settings in DHCP. Incorrect Answers & Explanations: B, C, and D. Answers B and C are incorrect since these settings do not exist. Answer D is incorrect because Vista clients automatically are set to use dynamic updates. 9. Your network contains a mix of Windows 2003 and Windows Server 2008.You have three domain controllers running Windows Server 2003.Your file server, print server, and Exchange server are running Windows 2000 Server.Your DNS, DHCP, and WINS servers are running Windows Server 2008. All of your clients are running Windows XP Professional with Service Pack 2. All machines, other than the servers that require a static IP address, are configured as DHCP clients with the default settings.Your DNS server has been configured to allow dynamic updates. Which of the following records will be registered in DNS automatically? (Choose all that apply.) A. MX B. Host (A) C. SRV D. PTR Correct Answers & Explanation: B, C, and D. Dynamic updates will create A and PTR records for any 2000, 2003, or 2008 host. Likewise, it will create SRV records for hosts that are providing a particular service. Incorrect Answers & Explanations: A. Answer A is incorrect because Mail Exchanger (MX) records must be created manually, regardless of whether the host IP is set manually or via DHCP. 10. You have implemented DNS on a Windows Server 2008 Core Server installation. You want to list the DNS zones on this server. What command-line utility would you use to accomplish this? A. ocsetup. B. netsh. C. dnscmd.
D. None of the above. You must use the GUI from another Windows Server 2008 host. Correct Answer & Explanation: C. DNS zones can be managed from the command line by using the dnscmd utility. The command syntax would be dnscmd /enumzones. Incorrect Answers & Explanations: A, B, and D. Answer A is incorrect. The ocsetup utility is used to install server roles. Answer B, netsh, is used for a number of network-related commands, including changing local IP information. Answer D is incorrect because dnscmd can, in fact, be used.
Chapter 3: Working with Users, Groups, and Computers
1. You have just installed a Windows Server 2008 domain controller in your environment. Which of the following default containers holds the default groups? A. Users B. Computers C. Built-in D. Default Groups
Correct Answer & Explanations: Answer C is correct because the Builtin container holds the default domain local groups, such as Administrators, Account Operators, and Server Operators. Incorrect Answers & Explanations: Answers A and B are incorrect because the Users container holds user accounts (along with domain groups such as Domain Users), while the Computers container holds computer accounts. Answer D is incorrect because no Default Groups container exists.
2. You tried to reset a password, but received a message that your password does not meet the password complexity requirements. What might be the problem? A. The user password is not complex enough. B. The user is accessing a domain from a Windows 98 workstation machine. C. The user is accessing a domain from a Windows NT workstation machine. D. The user is accessing a domain from a Windows NT 4.0 machine.
Correct Answer & Explanations: Answer A is correct because the message means that the new password does not satisfy the password policy in effect for the domain.
Incorrect Answers & Explanations: Answers B, C, and D are incorrect because the message is explicit: the problem is the characters in the password, not the client platform. The default "Password must meet complexity requirements" setting rejects any password shorter than six characters, any password built from fewer than three of the four character classes (uppercase, lowercase, digits, symbols), and any password that contains the account name or a part of the full name longer than two characters. Beyond what the policy checks, make sure the password does not contain dictionary words, a username, real names, pet names, family member names, or the company's name, that it combines uppercase and lowercase letters, numbers, and special characters, that it is long rather than short (the old 14-character ceiling was a LAN Manager hash limit, not a recommendation), and that it differs from previous passwords. An example of the pattern, not a password to adopt now that it is in print, is Sh4$$n0n87r67}D.
3. Your organization has one Active Directory domain in the Active Directory forest. You are responsible for creating accounts for all users in your domain. Your company just bought another company with 5000 user accounts, and you are required to create their new user accounts without using a third-party tool. Which of the following commands should be used to achieve this? A. dsadd B. dsuseradd C. adduser D. adduser.ps
Correct Answer & Explanations: Answer A is correct because dsadd user is the built-in command for creating user accounts; for 5000 accounts you drive it from a script or a for loop over a list of names. The built-in csvde and ldifde tools can also import accounts in bulk, but setting the initial password with them takes extra steps (ldifde needs an SSL-protected connection to write unicodePwd, and csvde cannot set it at all), whereas dsadd sets it directly with -pwd and can require a change at first logon with -mustchpwd yes. Incorrect Answers & Explanations: Answers B, C, and D are incorrect because those commands don't exist.
4. You suspect that a user may be able to log on after office hours. From which tab on a user's Properties dialog box can you set logon hours? A. The Account tab B. The Security tab C. The General tab D. The Profile tab
Correct Answer & Explanations: Answer A is correct because the Account tab of the user's Properties dialog box has the Logon Hours button, from which you can restrict when any user may log on. Incorrect Answers & Explanations: Answers B, C, and D are incorrect because the Security, General, and Profile tabs have no option to set logon hours.
5. You are at a branch office of your company assisting a user on his PC. While assisting the user, you receive a phone call from your boss who wants to know why all the users are required to change their passwords the first time they log on. What would be the best way to answer his question? A. It's a default Active Directory group and domain policy to enforce user passwords set by the administrator. B. It's a default Active Directory group policy and cannot be modified. C. This is a new feature in Active Directory 2008 to introduce extra security. D. This is just a check box for user account properties to force users to change the default passwords set by the administrator at the time of the creation of their account. This then forces users to pick their own password.
Correct Answer & Explanations: Answer D is correct because selecting User Must Change Password At Next Logon forces the user to change the password the next time he logs on. The administrator-assigned password is then only a one-time bootstrap, and afterwards only the user knows the password. Incorrect Answers & Explanations: Answer A is incorrect because there is no Active Directory group or domain policy that enforces a user password set by an administrator. Answer B is incorrect because no such unmodifiable policy exists in Active Directory. Answer C is incorrect because this is not a new feature; the option has been part of Windows for a long time.
6. Lisa works as a branch office administrator for your organization. She receives a call from her manager, Dina, asking which of the following characteristics make up a strong password. Which one is correct? A. Contains a username or pet's name. B. Contains dictionary words. C. Contains place names. D. Is a combination of letters and numbers.
Correct Answer & Explanations: Answer D is correct because a strong password mixes character classes, at minimum letters and numbers (better still, symbols as well), and is more than eight characters long. Incorrect Answers & Explanations: Answers A, B, and C are incorrect because strong passwords must not contain usernames, pets' names, family names, place names, or dictionary words; those are the first candidates any password-guessing attack tries.
7. Which of the following options require administrative privileges to change the password? A. User must change password at next logon. B. User cannot change password. C. Password never expires. D. Store password using reversible encryption.
Correct Answer & Explanations: Answer B is correct because User Cannot Change Password makes certain the account's password can only be changed by an administrator (or by whoever holds the Reset Password permission on the object); the user can neither create a new password nor alter the existing one. Incorrect Answers & Explanations: Answer A is incorrect because it forces the user to change his or her password at the next logon, which provides a higher level of security by ensuring that the user is the only person who knows the password; no administrative privilege is involved in that change. Answer C is incorrect because Password Never Expires only exempts the account from the domain's maximum password age (the reason it is used for domain accounts that run Windows Server 2008 services); it says nothing about who may change the password. Answer D is incorrect because Store Password Using Reversible Encryption controls how the password is stored, not who may change it. Far from enhancing security, reversible encryption weakens it: the cleartext password can be recovered by anyone able to read the directory data, so enable it only for the few accounts that need CHAP or Digest authentication.
8. You are attempting to describe the purpose of a template account to a co-worker. What should you tell them? A. A template account exists only for Novell users. B. A template account exists only for Unix users. C. A template account exists only for Windows NT 4.0 users. D. A template account simplifies the creation of a large number of user accounts. In a template, you can define all the account parameters you need for your users. You can then use this template to create user accounts by simply filling in the Name, Full Name, Description, Password, and Confirm Password fields.
Correct Answer & Explanations: Answer D is correct because template accounts simplify the creation of a large number of user accounts that share the same group memberships, logon hours, and profile settings: copy the template and fill in the name and password fields. Keep the template account itself disabled so it can never be used to log on. Incorrect Answers & Explanations: Answers A, B, and C are incorrect because a template account has nothing to do with users migrating from another operating system to Windows.
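The scripted bulk creation that questions 3, 5, 7 and 8 point at, as an added example that is not code from the book: it reads a CSV of new users and produces one dsadd user command per row with the account options set the safe way round (must change password at next logon, no reversible encryption, normal expiry), escaping names that contain commas so the DN survives. The OU, UPN suffix, group DN and CSV rows are constructed; running the generated commands needs a domain-joined host with dsadd, which is left to the reader.

```python
"""Generate dsadd user commands from a CSV of new accounts.

Added example for questions 3, 5, 7 and 8; it is not code from the book.
The OU, UPN suffix, group DN and the CSV rows are constructed. The script
builds the command lines; running them needs a domain-joined host with the
dsadd tool, which is left to the reader.
"""
import csv
import io
import secrets
import string
import subprocess
from typing import Dict, List, Tuple

# Constructed sample input: one row per account to create.
SAMPLE_CSV = """first,last,samid,department
Jane,Smith,jsmith,Finance
Robert,"O'Neil, Jr.",roneil,Finance
"""

TARGET_OU = "OU=Acquired,DC=example,DC=com"                 # assumption
UPN_SUFFIX = "example.com"                                   # assumption
GROUP_DN = "CN=Acquired Users,OU=Groups,DC=example,DC=com"   # assumption

SYMBOLS = "!#$%&*+-=?@^_~"
# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_RDN_SPECIALS = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape a CN value so that a comma in a name does not split the DN."""
    out = "".join("\\" + ch if ch in _RDN_SPECIALS else ch for ch in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def meets_complexity(pw: str) -> bool:
    """Default Windows rule: at least six characters drawn from three of the
    four classes (upper, lower, digit, symbol). The account-name check is
    done in dsadd_user_args because it needs the row."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, SYMBOLS)
    return len(pw) >= 6 and sum(any(c in cls for c in pw) for cls in classes) >= 3


def initial_password(length: int = 16) -> str:
    """Random one-time password; the user replaces it at first logon."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_complexity(pw):
            return pw


def dsadd_user_args(row: Dict[str, str], password: str) -> List[str]:
    """Argument vector for one dsadd user call."""
    display = f"{row['first']} {row['last']}"
    if row["samid"].lower() in password.lower():
        raise ValueError("initial password must not contain the account name")
    return [
        "dsadd", "user", f"CN={escape_rdn_value(display)},{TARGET_OU}",
        "-samid", row["samid"],
        "-upn", f"{row['samid']}@{UPN_SUFFIX}",
        "-fn", row["first"], "-ln", row["last"], "-display", display,
        "-desc", row["department"],
        "-pwd", password,
        "-mustchpwd", "yes",        # only the user will know the real password
        "-canchpwd", "yes",
        "-pwdneverexpires", "no",   # keep the domain's maximum password age
        "-reversiblepwd", "no",     # never store a recoverable password
        "-memberof", GROUP_DN,
    ]


def build_commands(csv_text: str) -> List[Tuple[str, str, str]]:
    """Return (samid, initial password, cmd.exe command line) per CSV row.

    The passwords appear on the command line, so treat the generated batch
    file as a secret and delete it once the accounts exist; for a single
    account, dsadd user ... -pwd * prompts for the password instead."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = initial_password()
        out.append((row["samid"], pw,
                    subprocess.list2cmdline(dsadd_user_args(row, pw))))
    return out


if __name__ == "__main__":
    for samid, pw, cmd in build_commands(SAMPLE_CSV):
        print(f"rem {samid} initial password: {pw}")
        print(cmd)
```

Hand the printed initial passwords to the users out of band; because -mustchpwd yes is set, each one is good for exactly one logon.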
9. Joanna is responsible for administering a small Active Directory domain. Recently, your company has acquired a small company where all the computers are installed in a workgroup. Which of the following operations must she perform in order to create the computer accounts? (Choose all that apply.) A. Select Start | Run, and then type in the joinallwks /user:administrator command. B. Select Start | Programs | Administrative Tools | Active Directory Users and Computers, and then right-click the computer container and create the computer objects. C. Rename the existing computers in a workgroup. D. Query for resources.
Correct Answer & Explanations: Answer B. Create the computer accounts ahead of time in Active Directory Users and Computers; this is called pre-staging (provisioning) the accounts, and it lets you choose the OU each computer lands in. Alternatively, the account can be created when the computer joins the domain, but the user doing the join then needs permission to create computer objects in the target container (by default an ordinary domain user may join at most ten computers, a limit set by the ms-DS-MachineAccountQuota attribute, and those accounts land in the Computers container). Incorrect Answers & Explanations: Answer A is incorrect because joinallwks does not exist. Answer C is incorrect because there is no need to rename existing computers unless you are following a naming convention, although each name must be unique in the domain. Answer D is incorrect because there is no need to query for resources.
10. What is the purpose of resetting an account? A. Helps you reset a computer password stored in Active Directory so the computer can make a trusted connection with Active Directory. B. Helps you reboot the computer. C. Helps you restart netlogon services. D. Helps you change the authentication protocol from NTLM to Kerberos.
Correct Answer & Explanations: Answer A is correct because resetting a computer account resets the computer's password in Active Directory so that the computer can re-establish its secure channel with the domain; the usual symptom that calls for it is "the trust relationship between this workstation and the primary domain failed". From the command line, dsmod computer <ComputerDN> -reset does the same as the Reset Account menu item. Because the reset changes the password only on the domain side, the computer must then be rejoined to the domain, or have its own copy of the password reset with netdom resetpwd run on the machine, before it can authenticate again. Incorrect Answers & Explanations: Answers B, C, and D are incorrect because resetting the computer account does not reboot the computer, restart the Net Logon service, or change the authentication protocol.
Chapter 4: Configuring the Active Directory Infrastructure
1. A large company has just merged with yours. This organization has recently converted its internal network from IPv4 addressing to IPv6 to support a number of new network applications that required it. You must now begin to plan for IPv6 support on your own internal network. You are creating training materials for your junior networking staff. Which of the following features is built into IPv6 that was not required in IPv4? A. Classless Inter-Domain Routing (CIDR) B. IP Security through the use of IPSec C. Network address translator (NAT) D. Loopback IP addressing
Correct Answer & Explanation: B. Answer B is correct because IPSec support is a mandatory part of the IPv6 node requirements (RFC 4294), whereas for IPv4 it is an optional add-on. Mandatory support does not mean traffic is protected by default; an IPSec policy still has to be configured before anything is authenticated or encrypted, and later revisions of the node requirements relaxed the mandate to a recommendation. Incorrect Answers & Explanations: A, C, and D. Answer A is incorrect because CIDR notation is used to express both IPv4 and IPv6 addresses. Answer C is incorrect because NAT is not a component of IPv6 at all; the large address space removes the main reason for it. Answer D is incorrect because the loopback address is available in both IPv4 and IPv6: in IPv4 it is 127.0.0.1, in IPv6 it is ::1.
2. Your IT manager wants you to link four divisions of the company through a ring of eight unidirectional cross-forest trusts. He uses this reasoning: If multiple forest trusts are established, authentication requests made in any domain of any forest can pass through multiple forest trusts, hence multiple Kerberos domains, on their way to their destination. Why is he wrong? A. Although each cross-forest trust is transitive at the forest level, where all domains in both forests can authenticate, they are not transitive at the federated forest level as he suggests. The trust path cannot include more than one cross-forest trust. B. Cross-forest trusts are not transitive, and will not allow pass-through authentication. C. To create a mesh trust relationship between four forests, you need only four cross-forest trusts.
D. Cross-forest trusts are bidirectional, so only three trusts are needed to link all four forests. Completing the "ring" is not necessary.
Correct Answer & Explanation: A. Answer A is correct because a forest trust is transitive only between the two forests it joins: every domain in Forest A automatically trusts every domain in Forest B. That transitivity does not chain across forests. A forest trust between Forest A and Forest B plus a second forest trust between Forest B and Forest C does not create a trust between Forest A and Forest C, so a trust path can never contain more than one forest trust. Incorrect Answers & Explanations: B, C, and D. Answer B is incorrect because forest trusts are transitive between the source and destination forests and do allow pass-through authentication between them. Answer C is incorrect because a full mesh of n forests needs n(n-1)/2 trusts; for four forests that is six: Forest A and Forest B, Forest A and Forest C, Forest A and Forest D, Forest B and Forest C, Forest B and Forest D, and Forest C and Forest D. Answer D is incorrect because a forest trust can be created as either one-way or two-way, and even with two-way trusts the lack of transitivity across forests means three trusts would leave some pairs of forests without any trust path; the full mesh still needs six.
3. What FSMO roles should exist in a child domain in a Windows Server 2008 forest? (Choose all that apply). A. Schema Master B. Domain Naming Master C. PDC Emulator D. RID Master E. GC F. Infrastructure Master
Correct Answers & Explanations: C, D, and F. Answer C is correct because the PDC Emulator FSMO role exists in each domain in an Active Directory forest. Answer D is correct because the RID Master FSMO role exists in each domain in an Active Directory forest. Answer F is correct because the Infrastructure Master FSMO role exists in each domain in an Active Directory forest. Incorrect Answers & Explanations: A, B, and E. Answer A is incorrect because the Schema Master FSMO role exists only in the forest root domain. Answer B is incorrect because the Domain Naming Master FSMO role exists only in the forest root domain. Answer E is incorrect because the Global Catalog is not a FSMO role; it is a partial replica of every domain in the forest and can be hosted on any number of domain controllers. You can list the current holders of all five roles with netdom query fsmo.
4. Your network operations center has identified excessive bandwidth utilization caused by authentication traffic in the root domain subnet, especially between Calico.cats.com and Labs.dogs.com. Your logical network is set up as shown in the diagram. What type of trust or trusts would you set up to alleviate the situation?
[Question #4 Diagram]
A. Set up a bidirectional transitive parent and child trust between Calico.cats.com and Labs.dogs.com. B. Set up a shortcut trust between Calico.cats.com and the forest root, and set up a second shortcut trust between Labs.dogs.com and the forest root. C. Set up a shortcut trust between Calico.cats.com and Labs.dogs.com. D. Set up two shortcut trusts between Calico.cats.com and Labs.dogs.com. E. Set up a realm trust between Calico.cats.com and Labs.dogs.com.
Correct Answer & Explanation: C. Answer C is correct because a shortcut trust lets authentication referrals pass directly between Calico.cats.com and Labs.dogs.com rather than "walking the tree" up through the forest root domain. Incorrect Answers & Explanations: A, B, D, and E. Answer A is incorrect because parent-child trust relationships are created automatically by Active Directory when a child domain is added; you cannot manually create one between domains that are not already in a parent-child relationship. Answer B is incorrect because referrals already travel through the forest root, so shortcut trusts to the root change nothing about how the authentication traffic flows. Answer D is incorrect because in this scenario a single one-way shortcut trust is enough, as all authentication requests are being sent in one direction; a two-way shortcut trust is only needed when users in both domains access resources in the other. Answer E is incorrect because realm trusts are configured between an Active Directory domain and a non-Windows Kerberos realm such as MIT Kerberos, not between two Active Directory domains within a single forest as described in this scenario.
5. Your company, mycompany.com, is merging with the yourcompany.com company. The details of the merger are not yet complete. You need to gain access to the resources in the yourcompany.com company before the merger is completed. What type of trust relationship should you create? A. Forest trust B. Shortcut trust C. External trust D. Tree Root trust
Correct Answer & Explanation: C. Answer C is correct because an external trust is a nontransitive trust between one domain in each forest, created as one-way or two-way as required, which is the right tool when the forest-wide two-way transitivity of a forest trust is more access than an unfinished merger warrants. Incorrect Answers & Explanations: A, B, and D. Answer A is incorrect because a forest trust is a two-way transitive trust and will likely create more access between the two organizations than is desired before the merger is completed. Answer B is incorrect because a shortcut trust is configured between two domains within the same Active Directory forest and is not appropriate for this scenario. Answer D is incorrect because a tree-root trust is one of the default trusts that Active Directory creates automatically when a new domain tree is added to a forest; it is not a trust type you can create between forests.
6. Your boss just informed you that your company will be participating in a joint venture with a partner company. He is very concerned about the fact that a trust relationship needs to be established with the partner company.
He fears that an administrator in the other company might be able to masquerade as one of your administrators and grant himself privileges to resources.You assure him that your network and its resources can be protected from an elevated privilege attack. Along with the other security precautions that you will take, what will you tell your boss that will help him rest easy about the upcoming scenario?
A. The permissions set on the Security Account Manager (SAM) database will prevent the other administrators from being able to make changes. B. The SIDHistory attribute tracks all access from other domains. Their activities can be tracked in the System Monitor. C. The SIDHistory attribute from the partner's domain attaches the domain SID for identification. If an account from the other domain tries to elevate its own or another user's privilege, the SID filtering removes the SID in question. D. SID filtering tracks the domain of every user who accesses resources. The SIDHistory records this information and reports the attempts to the Security log in the Event Viewer.
Correct Answer & Explanation: C. Answer C is correct because SID filtering (also called quarantine) on a trust makes the trusting domain discard any SID in an incoming authentication that does not belong to the trusted domain. An administrator in the partner forest can write whatever SIDs he likes into the sIDHistory attribute of an account he controls, including the SID of your Domain Admins group; without filtering those SIDs would be honored in your domain, with it they are stripped before the access token is built. Windows Server 2003 and later enable SID filtering by default on external and forest trusts; confirm the state with netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine, and do not switch it off (for example to make migrated accounts' sIDHistory work) without accepting that you are reopening this path. Incorrect Answers & Explanations: A, B, and D. Answer A is incorrect because domain accounts live in the Active Directory database (NTDS.dit), not in a SAM database, and no permission on your own directory stops an attacker who controls the other forest from presenting forged SIDs; only SID filtering does. Answer B is incorrect because SID filtering prevents elevation-of-privilege attacks between domains; neither it nor sIDHistory is something that can be monitored with System Monitor. Answer D is incorrect because SID filtering does not track user access to resources; that is the job of auditing and the Security log.
7. You recently completed a merger with yourcompany.com. Corporate decisions have been made to keep the integrity of both of the original companies; however, management has decided to centralize the IT departments. You are now responsible for ensuring that users in both companies have access to the resources in the other company. What type of trust should you create to solve the requirements? A. Forest trust B. Shortcut trust C. External trust D. Tree root trust
Correct Answer & Explanation: A.
Answer A is correct because a forest trust is a two-way transitive trust, which will allow users in each company to access resources in the other company.
Incorrect Answers & Explanations: B, C, and D. Answer B is incorrect because a shortcut trust is used to shorten the authentication path between domains within a single Active Directory forest. Answer C is incorrect because an external trust is nontransitive and links only one domain in each forest, so it will not give users in every domain of both forests access to the other side's resources. Answer D is incorrect because the term does not describe a trust you can create between forests.
8. Robin is managing an Active Directory environment of a medium-size company. He is troubleshooting a problem with the Active Directory. One of the administrators made an update to a user object and another reported that he had not seen the change appear on another DC. It was more than a week since the change was made. Robin checks the problem by making a change to another Active Directory object. Within a few hours, the change appears on a few DCs, but not on all of them. Which of the following is a possible cause for this problem? A. Connection objects are not properly configured. B. Robin has configured one of the DCs for manual updates. C. There might be different DCs for different domains. D. Creation of multiple site links between the sites.
Correct Answer & Explanation: A. Answer A is correct because if Active Directory connection objects are not configured between DCs, changes on one DC will not be reflected on one or more other DCs in your environment. Before editing connection objects by hand, run repadmin /replsummary and repadmin /showrepl on a lagging DC; the output names the partner, the last attempt, and the error, which is usually quicker than reasoning about the topology. Incorrect Answers & Explanations: B, C, and D. Answer B is incorrect because Active Directory DCs cannot be configured for manual updates; connection objects must exist for DCs to be updated automatically with changes from other DCs. Answer C is incorrect because Active Directory replication does take place between DCs belonging to different domains (for the schema and configuration partitions and the Global Catalog), and a user object replicates to every DC of its own domain regardless of how many domains exist. Answer D is incorrect because creating multiple site links between sites will not prevent Active Directory replication from taking place.
9. James is a systems administrator for an Active Directory environment that consists of two dozen sites. The physical network environment is not fully routed, and James has disabled automatic site link transitivity. He now wants to set up three site links to be transitive, as they are physically connected to one another.
Which of the following Active Directory objects is responsible for representing a transitive relationship between sites? A. Additional sites B. Additional site links C. Bridgehead servers D. Site link bridges
Correct Answer & Explanation: D. Answer D is correct because configuring site link bridges allows specific site links to be treated as transitive when automatic site link bridging has been disabled. Incorrect Answers & Explanations: A, B, and C. Answer A is incorrect because configuring additional sites does not affect site link transitivity in a network that is not fully routed. Answer B is incorrect because configuring additional site links does not affect site link transitivity in a network that is not fully routed. Answer C is incorrect because configuring bridgehead servers only chooses which DC in a site carries the inter-site traffic; it does not affect site link transitivity.
10. Steffi is an administrator of a medium-size organization responsible for managing Active Directory replication traffic. She finds an error in the replication configuration. How can she look for specific error messages related to replication? A. Use the Active Directory Sites and Services administrative tool B. Use the Disk Management tool C. View the System log option in the Event Viewer D. View the Directory Service log option in the Event Viewer
Correct Answer & Explanation: D. Answer D is correct because error messages related to Active Directory replication appear in the Directory Service log in the Windows Event Viewer (under Applications and Services Logs on Windows Server 2008). Incorrect Answers & Explanations: A, B, and C. Answer A is incorrect because the Active Directory Sites and Services MMC snap-in shows the replication topology but does not display the error messages. Answer B is incorrect because the Disk Management MMC snap-in does not provide any visibility into Active Directory replication. Answer C is incorrect because error messages related to Active Directory replication do not appear in the System log; it may carry Net Logon or Windows Time errors that accompany a replication problem, but the replication errors themselves are in the Directory Service log.
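The SID filtering mechanism behind question 6, modelled as an added example that is not code from the book. It builds the token a trusting domain would see from a partner-forest account whose administrator has planted your Domain Admins SID in its sIDHistory, then shows what quarantine strips out. The domain SIDs, RIDs and token contents are constructed, and the filter is a simplification: real SID filtering also carries a fixed list of SIDs that are always or never removed, which is not modelled here.

```python
"""Simplified model of SID filtering (quarantine) on a trust.

Added example for question 6; not from the book. The domain SIDs, group RIDs
and token contents are constructed, and the filter is a simplification: real
SID filtering also has a fixed list of SIDs that are always or never removed,
which is not modelled here.
"""
from typing import List, Optional, Tuple

# Well-known SIDs accepted from any source (assumption: only Everyone and
# Authenticated Users are kept in this model).
WELL_KNOWN_KEPT = {"S-1-1-0", "S-1-5-11"}

OUR_DOMAIN_SID = "S-1-5-21-444-555-666"        # constructed: trusting domain
PARTNER_DOMAIN_SID = "S-1-5-21-111-222-333"    # constructed: trusted domain
DOMAIN_ADMINS_RID = 512                        # well-known RID


def domain_sid(sid: str) -> Optional[str]:
    """Return the domain part of an account or group SID
    (S-1-5-21-<a>-<b>-<c>-<rid>), or None for SIDs that are not relative
    to a domain."""
    parts = sid.split("-")
    if (len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]
            and all(p.isdigit() for p in parts[1:])):
        return "-".join(parts[:7])
    return None


def filter_sids(token_sids: List[str],
                trusted_domain: str) -> Tuple[List[str], List[str]]:
    """Apply quarantine: keep only SIDs from the trusted domain (plus the
    universal well-known ones). Everything else, in particular sIDHistory
    entries that point at the trusting domain, is dropped."""
    kept, dropped = [], []
    for sid in token_sids:
        if sid in WELL_KNOWN_KEPT or domain_sid(sid) == trusted_domain:
            kept.append(sid)
        else:
            dropped.append(sid)
    return kept, dropped


def incoming_token(account_sids: List[str], sid_history: List[str],
                   filtering: bool) -> List[str]:
    """What the trusting domain sees: the account's own SIDs plus whatever
    sIDHistory the trusted domain's administrator chose to populate."""
    sids = account_sids + sid_history
    return filter_sids(sids, PARTNER_DOMAIN_SID)[0] if filtering else sids


def is_domain_admin(token: List[str]) -> bool:
    """Would this token pass an ACL check for our Domain Admins group?"""
    return f"{OUR_DOMAIN_SID}-{DOMAIN_ADMINS_RID}" in token


# Constructed scenario: a partner administrator adds your Domain Admins SID
# to the sIDHistory of an account he controls.
PARTNER_ADMIN = [f"{PARTNER_DOMAIN_SID}-1104",   # the user's own SID
                 f"{PARTNER_DOMAIN_SID}-1105",   # a group in the partner domain
                 "S-1-5-11", "S-1-1-0"]          # Authenticated Users, Everyone
FORGED_HISTORY = [f"{OUR_DOMAIN_SID}-{DOMAIN_ADMINS_RID}"]

if __name__ == "__main__":
    for filtering in (False, True):
        token = incoming_token(PARTNER_ADMIN, FORGED_HISTORY, filtering)
        state = "on " if filtering else "off"
        print(f"SID filtering {state}: Domain Admin = {is_domain_admin(token)}")
```

The trusting side has no way to tell a legitimately migrated sIDHistory entry from a forged one; both are just SIDs in the PAC. That is why the only safe rule is the one above: anything not relative to the trusted domain is discarded.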
Chapter 5: Understanding Group Policy
1. A Charlotte user who recently transferred into the Accounts Payable department from the Accounts Receivable department in your company submits a help desk ticket complaining that she is not able to access her Control Panel on her computer. Upon further questioning, you discover that the user was able to access her Control Panel the previous week. Upon coming in Monday morning, she logged on to her workstation and it reportedly took longer than usual to get to the desktop. Her Group Policy infrastructure is depicted in the following figure.
[Figure: Charlotte User's Accounting Hierarchy]
What is the most probable cause for the missing Control Panel on the user's workstation? A. The user is logged on with cached credentials. She must log off and back on again to download the proper policy. B. The user requires local Administrator rights on her machine to view the Control Panel.
C. The user account has been moved into the Accounts Payable OU and is now receiving policies that it didn't before. D. The machine account has been moved into the Accounts Payable OU and is now receiving policies that it didn't before.
Correct Answer & Explanation: C. Because the person just transferred into Accounts Payable, her user account in Active Directory was moved into the corresponding OU as part of the transfer. The Accounts Payable OU has an Accounts Payable Security Policy linked to it, so the user account now inherits that policy, which most likely contains the setting that removes the Control Panel; the Accounts Receivable OU has no such policy. The slow logon is consistent with a new policy being processed for the first time. On her workstation, gpresult /r (Vista and later) lists the GPOs applied to the user and to the computer separately and shows the OU each object sits in, which confirms the diagnosis before you change anything. Incorrect Answers & Explanations: A, B, D. Answer A is incorrect, because cached credentials could prevent Group Policy from refreshing, whereas here a new policy has come into effect; logging off and on would not change which policies apply to the user account. Answer B is incorrect, because local Administrator rights are not required to view the Control Panel; regular users have access to it by default. Answer D is incorrect, because moving the user account does not move the machine account, and in the OU structure depicted there would be no reason to move the machine account.
2. A new requirement has come down from The 3 Bears, Inc. headquarters that requires all users to have a home page of www.the3bears.org. You create a new policy and configure the Internet Explorer Maintenance setting which will set the IE home page. What would be the best approach to take in applying this new policy? A. Link the policy to the OUs in the domain that contain user accounts B. Link the policy to the domain and configure the machine OUs to Block Inheritance C. Link the policy to the domain and configure the policy to Enforce D. Link the policy to the domain
Correct Answer & Explanation: C. Linking the policy to the domain is the simplest way to apply the setting to all users. Enforcing it removes the risk of a lower-level policy overriding the IE setting. Incorrect Answers & Explanations: A, B, D. Answer A is incorrect, because although this approach may work, it is not the best approach. Linking the
policy multiple times in the domain creates additional overhead where it is not required. Also, because the policy is only linked and not enforced, a conflicting policy elsewhere in the domain may override it. Answer B is incorrect, because although linking the policy to the domain level is the right approach, without enforcing it a conflicting lower-level policy may still win; Block Inheritance on the machine OUs is also an unnecessary step, and it blocks every non-enforced policy from above, not just this one. Answer D is incorrect, because although this would also work, it is not the best approach: without Enforce, a conflicting policy lower in the hierarchy may override the setting.
3. In your Windows 2008 Active Directory environment, you configure printer mappings via logon scripts. The number of printers and the complexity of managing the scripts are getting difficult to handle as the company grows. You have built multiple Group Policies, each with a logon script for each set of printers. You link the policies to OUs as departments request access to the printers. What is the best way to adjust your administration of printers to reduce configuration issues and lower administrative overhead? A. Create a single Group Policy, apply it at the domain level, and add a single logon script which contains all the printers in the environment B. Create multiple Group Policies, apply them at the OU level for each department, and configure Preferences for each required printer C. Create a single Group Policy and apply it at the domain level. Configure Preferences for each required printer. Use item-level targeting to apply the printers to the server IP addresses. D. Create a single Group Policy and apply it at the domain level. Configure Preferences for each required printer. Use item-level targeting to apply the printers to the departmental security groups.
Correct Answer & Explanation: D. A single Group Policy is easier to administer. Moving printer mapping to Group Policy Preferences makes the mappings consistent and removes the logon-script overhead, and item-level targeting on the departmental security groups delivers each printer only to the users who need it. Incorrect Answers & Explanations: A, B, C. Answer A is incorrect, because a single logon script for the entire environment would create many unnecessary printers on each workstation; the script would take a very long time to run and the risk of configuration problems increases. Answer B is incorrect, because even though this would work, the administration of multiple GPOs linked all over the enterprise remains the same in the long run; the only gain is that Preferences reduce the configuration issues caused by the scripts. Answer C is incorrect, because targeting printers by server IP address does not meet the objective of simplifying script-based administration for user-based printers; the printers would be mapped according to where the print server is, not according to who the user is.
4. Darien is a new member of the Web Services team at your company. He is going to be responsible for running and testing scripts for an in-house homegrown application which requires a special application that is deployed via Group Policy. The first time he logs on to the domain he does not receive the software package. You verify that his user account is in the proper OU. What could be causing Darien not to receive the GPO with the software policy? A. Security filtering has been enabled on the GPO and Darien is not a member of the proper group B. WMI Filtering has been enabled on the GPO and Darien is not a member of the proper group C. Darien must be a local administrator on his machine to download a GPO with a software package in it D. Darien's user account has Block Inheritance configured on it and therefore he cannot download the policy
Correct Answer & Explanation: A. Security filtering uses Active Directory user and group objects to control who may apply a GPO (the Read and Apply Group Policy permissions on the GPO). If the default Authenticated Users entry was removed from the GPO and the Web Services team group was added, Darien must become a member of that group before the policy applies and the software package is delivered. After he is added to the group he must log off and back on so that his logon token includes the new group; until then gpresult /r lists the GPO among those not applied with the reason "Denied (Security)". Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because a WMI filter is a query evaluated against the client computer (its operating system version, free disk space, and so on), not a test of group membership. Answer C is incorrect, because Group Policy is processed by the computer's System account and users do not require any special permission to apply it. Answer D is incorrect, because Block Inheritance is not configured on user objects; it is configured on a domain or an OU.
5. What is the difference between Policies and Preferences in a Group Policy? A. Preferences are set, and Policies are enforced B. Preferences can be modified only by administrators, and policies can be modified by anyone, including users C. Preferences are enforced, and Policies are set D. B & C
671
Correct Answer & Explanation: A. Preferences allow you to configure settings on workstations that traditionally were accomplished via scripting and other methods. The values are only set, and the user can adjust the configuration after the policy has applied if desired. Policies are locked down and enforced: users cannot edit settings configured by policies, and those settings appear grayed out.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because Preferences remain configurable by users even after being set via a GPO, whereas Policies enforce their configuration and all policy-enforced values are grayed out. Answer C is incorrect, because Preferences are set, not enforced; all configured Preferences can be edited by users, and Policies are not configurable after policy application. Answer D is incorrect, because it combines two incorrect answers.

6. Your Active Directory hierarchy is depicted in the following figure. Which policies affecting the San Fran Office OU can have their settings overridden in the event of a conflict?
[Figure: Active Directory Hierarchy]
A. Default Domain Policy, Desktop Lockdown Policy
B. Desktop Lockdown Policy
C. Company Wallpaper Policy, Accounting SW, Accounting Desktop Lockdown Policy
D. Accounting SW, Accounting Desktop Lockdown Policy, Default Domain Policy, Desktop Lockdown Policy
Correct Answer & Explanation: D. The only policy that cannot be overridden is the last one applied. In this case the Company Wallpaper Policy is applied last and, because it is configured as Enforced, it always wins in the event of a conflict. The other policies configured as Enforced lose if they conflict with the Company Wallpaper Policy.
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect because it is incomplete: these two policies sit at the bottom of the precedence list and can be overridden by any higher policy, but the two Accounting policies can be overridden as well. Answer B is incorrect, because although this policy is at the bottom of the precedence list and has the least priority, so that all other policies in the list win if a conflict occurs, it is not the only one that can be overridden. Answer C is incorrect, because even Enforced policies can be overridden by an Enforced policy of higher precedence. All policies have the chance to be overridden in a conflict except the very last one applied, and the Company Wallpaper Policy is that last one.

7. Maria is looking for the best method to standardize her GPO creation. Currently she prints all the settings in the GPOs she would like to duplicate and then manually re-creates them. What features in Windows Server 2008 could Maria take advantage of to assist with her GPO creation standardization?
A. Filtering
B. Starter GPOs
C. Security Templates
D. A & C
E. B & C
Correct Answer & Explanation: E. Starter GPOs can be used to create reusable baseline GPOs. Security Templates produce .inf files that can be imported into GPOs that share certain security requirements across the enterprise. Both tools help in standardizing a GPO creation mechanism.
Incorrect Answers & Explanations: A, B, C, D. Answer A is incorrect, because filtering is used to restrict which users and machines can apply a policy; it does not apply to policy creation. Answers B and C are incorrect, because although each represents part of the solution, neither is the complete answer. Answer D is incorrect, because although it represents part of the solution, it is not the complete answer.

8. SueyDog Enterprises will soon be deploying Microsoft Office Communicator into its environment. All of its DCs are running Windows Server 2008. Their administrator, Matthew, is preparing for the new product by creating a GPO and exploring the available settings. He creates a new policy and expands each section of the policy, looking for the section containing the Microsoft Office Communicator settings, but he cannot locate them. What should Matthew do to gain the settings he seeks?
A. Download the appropriate .adm file and import it into the new GPO
B. Install Microsoft Office Communicator on the DC to make the settings available
C. Download the appropriate .admx file and import it into the new GPO
D. Download the appropriate .adm file and place it in the Central Store
Correct Answer & Explanation: A. By default, Group Policy exposes mostly operating system settings. It can be extended with either .adm or .admx administrative template files. The .adm format is imported directly into a GPO (Add/Remove Templates), while the .admx format is placed in a Central Store in SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions), where the Group Policy tools discover it.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because installing a product does not make its settings available in Group Policy. Answer C is incorrect, because although .admx files could be used to gain access to the application's settings, they are not imported into a GPO; they are placed in the Central Store and the Group Policy tools discover them there. Answer D is incorrect, because .admx files belong in the Central Store, not .adm files.

9. Joey is going to be migrating his Lotus Notes environment into his newly established Windows Server 2008 forest.
He has guidance on what he will require for Group Policy settings for the different teams and departments. He has not yet created his OU structure. How should Joey proceed in creating the required GPOs?
A. Create stand-alone GPOs
B. Create the GPOs at the Domain level
C. Create the GPOs at the Site level
D. Wait to create the GPOs until the OU structure is in place
Correct Answer & Explanation: A. Stand-alone (unlinked) GPOs are a way of staging GPOs so that they are ready to go when you are ready to link them. The advantage of a stand-alone GPO is that it is not in use until linked, so its settings can be changed freely without affecting users or computers.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because linking the GPOs at the Domain level would apply all the settings to all users and machines; the GPOs have specific target groups and linking them all at the domain would defeat their purpose. Answer C is incorrect, because linking at the Site level is generally not recommended, and at this stage the Site structure might not be complete either; to minimize the risk of the wrong user receiving a policy, they should not be linked at the Site. Answer D is incorrect, because although the administrator could wait until the OU structure is in place, there is no reason to do so; stand-alone GPOs fill the need.

10. You work for a large hospital. The main users in the hospital are nurses and doctors. Because they are always on the go, you set up kiosk stations throughout the hospital for them to log on to and check Web mail or access applications. The kiosks share one user logon, and the nurses and doctors use their personal accounts to gain access to resources via a browser interface that prompts them for credentials. One morning a nurse logs on to a kiosk machine and is greeted by extremely offensive wallpaper. How would you use Group Policy to prevent this from happening in the future?
A. Create a Group Policy and apply it to the nurses' and doctors' user accounts. Disable Display Settings.
B. Create a Group Policy and apply it to the nurses' and doctors' user accounts. Configure Loopback Processing in Replace mode.
C. Create a Group Policy and apply it to the kiosk machines. Configure the wallpaper to the company logo and disable Display Settings.
D. Create a Group Policy and apply it to the kiosk machines. Configure Loopback Processing in Replace mode.
Correct Answer & Explanation: D. With loopback processing enabled, user-specific settings do not remain. Each time a user logs on to the kiosk, the User Configuration settings of the GPOs that apply to the computer object are applied. In Replace mode, the User Configuration settings of the GPOs that apply to the user account are ignored entirely (in Merge mode they are applied first and the computer's GPOs win on conflict).
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect, because applying the GPO to the nurses and doctors would affect them when they log on with their own accounts on any machine, while the kiosk machines are used with a shared logon account that such a GPO would never touch. Answer B is incorrect for the same reason, and also because Loopback Processing is a Computer Configuration setting. Answer C is incorrect, because locking down just the wallpaper does not prevent people from creating other offensive settings, such as a default Web page with an offensive target, for instance.
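The Group Policy work behind Questions 4, 9 and 10 (security filtering, staging an unlinked GPO, loopback processing in Replace mode) as an added Windows PowerShell example; it is not part of the book's text. It uses the GroupPolicy module, which ships with Windows Server 2008 R2 and later (and with RSAT); the Windows Server 2008 GPMC the book describes has no cmdlets, and the same steps are done there in the GPMC console. The domain contoso.com, the Kiosks OU, the Web Services group, the GPO names and the wallpaper UNC path are assumptions made for illustration.

```powershell
# Added example, not from the book. Requires the GroupPolicy module
# (Windows Server 2008 R2 / RSAT or later). contoso.com, the Kiosks OU, the
# "Web Services" group, the GPO names and the wallpaper path are assumptions.
Import-Module GroupPolicy

# --- Question 9: stage a stand-alone GPO ------------------------------------
# New-GPO creates the GPO unlinked; nothing processes it until New-GPLink runs,
# so its settings can be built and reviewed without touching any user or computer.
$kiosk = New-GPO -Name "Kiosk Lockdown" -Comment "Shared-logon kiosks; loopback Replace"

# --- Question 10: loopback processing, Replace mode --------------------------
# Loopback is a Computer Configuration setting (Administrative Templates > System >
# Group Policy > "User Group Policy loopback processing mode").
# UserPolicyMode 2 = Replace, 1 = Merge.
Set-GPRegistryValue -Name $kiosk.DisplayName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null

# User Configuration settings in the *same* GPO. In Replace mode these are applied
# to whoever logs on to a kiosk, in place of the GPOs linked to that user's own OU.
$userPolicies = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
Set-GPRegistryValue -Name $kiosk.DisplayName -Key $userPolicies `
    -ValueName "Wallpaper" -Type String -Value "\\contoso.com\NETLOGON\kiosk-logo.bmp" | Out-Null
Set-GPRegistryValue -Name $kiosk.DisplayName -Key $userPolicies `
    -ValueName "WallpaperStyle" -Type String -Value "2" | Out-Null   # 2 = Stretch
Set-GPRegistryValue -Name $kiosk.DisplayName -Key $userPolicies `
    -ValueName "NoDispCPL" -Type DWord -Value 1 | Out-Null            # Remove Display from Control Panel

# Link to the kiosk OU only; the GPO never touches the doctors' and nurses' OUs.
New-GPLink -Name $kiosk.DisplayName -Target "OU=Kiosks,DC=contoso,DC=com" -LinkEnabled Yes | Out-Null

# --- Question 4: security filtering on a software-deployment GPO -------------
$app = New-GPO -Name "WebSvc Test Harness" -Comment "Assigned to the Web Services team only"
# Remove the default Authenticated Users entry (Read + Apply Group Policy) ...
Set-GPPermission -Name $app.DisplayName -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel None -Replace | Out-Null
# ... and grant Apply Group Policy to the team group instead. A new member such as
# Darien must log off and on again so that his access token carries the group SID.
Set-GPPermission -Name $app.DisplayName -TargetName "Web Services" `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
# Caveat that post-dates the book: since MS16-072 (June 2016) the client retrieves
# user policy in the *computer's* security context, so computer accounts must keep
# Read on the GPO or its user settings are silently skipped.
Set-GPPermission -Name $app.DisplayName -TargetName "Domain Computers" `
    -TargetType Group -PermissionLevel GpoRead | Out-Null

# Review the resulting ACL; -All lists every trustee on the GPO.
Get-GPPermission -Name $app.DisplayName -All |
    Format-Table @{ Name = "Trustee"; Expression = { $_.Trustee.Name } }, Permission
```

On a kiosk, after a restart and a logon with the shared account, `gpresult /r /scope:user` should list Kiosk Lockdown as the source of the user settings and none of the GPOs linked to the shared account's own OU; if it does not, the loopback value was written to the wrong GPO or the computer has not yet refreshed policy.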
Chapter 6: Configuring Group Policy

1. The CIO has asked you to configure a GPO that will ensure that antivirus software is installed on every computer in the company. You are the most senior administrator in the company and have full access to every computer and to Active Directory. Your company has a single domain and site. Which one of the following actions do you take?
A. You configure a GPO at the domain level, and publish the application to all computers
B. You configure a GPO at the site level, and assign the application to all computers
C. You create a GPO with the required settings and link it to all OUs that have computer accounts in them. You set the options to assign the application to computers.
D. You tell him it cannot be done.
Correct Answer & Explanation: D. The CIO has asked for the application to be installed on all computers, but Group Policy cannot be used to install software on DCs.
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect: in addition to the fact that you cannot use Group Policy to install software on DCs, you cannot publish applications to computers (computers support assignment only). Answers B and C are also incorrect; if DCs had been excluded from the CIO's request, either would have met the requirements.

2. You've just taken over the domain-level administration for a mid-size company. The previous administrator did not use Group Policy software deployment. You have just configured and tested your first published application to users. The application is intended to be used by all users in the accounting department. You created the software distribution point and copied the installation files to it. You then created the GPO and linked it to the AcctgUsers OU, which contains all user accounts for the department. When the users log on to their computers, the application is visible in Control Panel | Add or Remove Programs, but when users attempt the installation it fails. When you log on from a computer in accounting, you are able to access the installation files and run them manually. Which one of the following is most likely the problem?
A. The application files are corrupt
B. The permissions on the software distribution point are configured incorrectly
C. The GPO is corrupt
D. The GPO is linked to the wrong place within Active Directory
Correct Answer & Explanation: B. The most likely reason is that the installation files are not accessible to the users, and the only answer that addresses why this might be the case is B. Your own manual test proves little here: an administrator usually has more rights on the share and on the NTFS folder than the accounting users do, so check that the users (and, for packages assigned to computers, the computer accounts) have Read permission on both.
Incorrect Answers & Explanations: A, C, D. Answer A is unlikely, because you are able to install manually from the same files being used to deploy the software via Group Policy. Answers C and D are also unlikely, because the users see the application in Add or Remove Programs; that list is populated by Group Policy, so the GPO appears to be functioning and linked to an appropriate level of Active Directory for them.

3. You've been asked by a senior administrator to deploy an update to an existing application that is assigned to users. The senior administrator created and tested the upgrade and has given you all the information required, including the GPO in which to configure the upgrade package. You create the package in the GPO, right-click it, and attempt to configure the upgrade, but the current version is not listed for selection. Which of the following should you do next?
A. Notify the senior administrator that the application failed to detect that it was an upgrade to an existing version
B. Manually enter the name of the package for the existing version and check the Required upgrade for existing packages box
C. Deploy the upgrade as a new software installation instead of an upgrade
D. Ask the senior administrator which GPO the existing version's package is located in, browse to it, and select it
Correct Answer & Explanation: D. When the current package does not appear in the Package to upgrade box of the Add Upgrade Package dialog, it is usually because it is located in another GPO. The most expedient thing to do is ask where it is located, then browse to it and select it.
Incorrect Answers & Explanations: A, B, C. It is tempting to think that answer A is correct; however, a quick check of the GPO in which you have been asked to configure the update should reveal that the original version's package is simply not there. Because you know the upgrade was tested, the package very likely exists somewhere else within Active Directory. Answer B is also incorrect: you cannot manually enter the name of a package. Finally, answer C is incorrect because you have been explicitly told that it is an upgrade; configuring the deployment as a new software installation could cause serious problems for current users of the application.

4. Microsoft has released a new service pack for Microsoft Word, along with the necessary MSI file for deploying it via Group Policy. You have copied the files to the correct software distribution point and verified their permissions. The application is assigned to all workstation computers in the company via a domain-level GPO. After configuring the files, you selected the redeployment option for the Microsoft Word software deployment package. Only some computers seem to be getting the service pack. The computers are a mix of Windows XP and Vista. Which of the following is the most likely cause?
A. Not all computers have been rebooted since the redeployment
B. Redeployment does not work with operating systems earlier than Windows Vista
C. Service packs should be treated as upgrades, not reinstallations
D. Not all users have logged off and back on since the redeployment
Correct Answer & Explanation: A. When software is assigned at the computer level, redeployment occurs at the next computer startup.
Because some computers are getting the update and others are not, it is likely that not all computers have been rebooted since the redeployment.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect; redeployment works with Windows 2000, XP, and Vista. Answer C is also incorrect because, unless a version upgrade occurs at the same time, service packs should be treated as reinstallations, not upgrades. Finally, answer D would be correct if the application had been assigned or published to users; however, it was assigned to computers.

5. Your company decided not to renew the license agreement for its contact management software. The software is deployed on many client computers in the company. A single GPO was configured to install the software and was linked into multiple places in the Active Directory hierarchy to accommodate the various user groups that needed the program. You have gone into the GPO and removed the published object for the software. Now the object is gone from the GPO, but the application is still installed on the client computers. Which one of the following most likely explains what happened?
A. You left the default option for removal enabled
B. You selected the option to make the removal optional
C. You selected the option to force removal
D. You deleted the software object from the GPO but forgot to select the uninstall options first
Correct Answer & Explanation: B. The most likely explanation is that you selected the option to leave the application in place (Allow users to continue to use the software, but prevent new installations) rather than force its removal.
Incorrect Answers & Explanations: A, C, D. Answers A and C are identical: the default option is to force removal of the software (Immediately uninstall the software from users and computers). Because the software remained on the client systems, this option was most likely not selected. Answer D is also incorrect; the only way to remove the object from the Software installation settings is to request forced or optional removal of the software.

6. The application testing team at your company has given you approval to deploy an upgrade to an existing software package. Their testing has revealed that the upgrade works best when the software is installed over the existing software. They ask you whether it is possible to upgrade the software using Group Policy in a way that meets their recommendation, or whether they should write a script to push out the installation. Which one of the following do you tell them?
A. You tell them that the default in Group Policy is to install over the previous version of the software
B. You tell them that Group Policy requires the previous version of the software to be removed
C. You tell them that it is an optional configuration setting, but that it is possible
D. You recommend a script, saying that you don't trust Group Policy for such a complex deployment scenario
Correct Answer & Explanation: C. Package can upgrade over the existing package is an optional setting that can be selected to ensure that a software upgrade is installed over an existing version of the application.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect; the default setting, Uninstall the existing package, then install the upgrade package, removes the previous version before beginning the installation. Answer B is also incorrect; Group Policy does not require removal of existing applications prior to an upgrade. Answer D is incorrect because Group Policy is highly reliable for software deployment, management, maintenance, and removal.

7. This morning you deployed an application by assigning it to computers, and then many of the installations failed. On some systems the application installed just fine, on others it only partially installed, and on still others it failed very early in the process. You figured out what went wrong and have modified the MSI file. Which one of the following should you do to correct the problem?
A. You should do a forced removal of the software
B. You should delete and re-create the deployment object in Group Policy
C. You should redeploy the software
D. You should begin manually troubleshooting the workstations that had problems
Correct Answer & Explanation: C. When a deployment fails and leaves installations in inconsistent states, the first fix to attempt is to redeploy the software.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect; forced removal of software that was never fully installed will not be effective. Answer B is also incorrect; deleting the deployment package leaves you with no way to manage the botched installation further using Group Policy. Answer D is incorrect; although it may ultimately be necessary to troubleshoot workstations one at a time, the first thing to try is redeployment.

8. You are a mid-level administrator for a large multinational company. Each major company office has its own domain. The technical services manager at your office is tired of receiving complaints from the VP-level employees who work at your location. She has asked you to allow passwords to be as short as four characters and to be all lowercase letters. Which of the following do you do? (Select all that apply.)
A. You tell her that the Default Domain Password Policy supports these settings by default
B. You tell her that you will create a custom GPO and link it to the OU containing the VPs' user accounts
C. You tell her that you will disable the Passwords must meet complexity requirements option
D. You tell her that you will set the Minimum password length option to 4
Correct Answer & Explanation: C, D. Though weakening these settings is not recommended, the manager's request can be fulfilled by disabling the Passwords must meet complexity requirements option and setting the Minimum password length option to 4 in the Default Domain Password Policy. Be aware that a four-character, lowercase-only password is brute-forced in seconds once its hash is obtained; if the request must be met, confining it to the VP accounts with a fine-grained password policy (a Password Settings Object) limits the exposure instead of weakening every account in the domain.
Incorrect Answers & Explanations: A, B. Answer A is incorrect; the Default Domain Password Policy requires seven-character complex passwords by default. Answer B is also incorrect. Password Policy and Account Lockout Policy settings for domain accounts are read only from GPOs linked at the domain level; a GPO with different settings linked to an OU or site is ignored for domain accounts (it changes only the local accounts of the computers in that OU, a common source of confusion). The only per-user or per-group exception is fine-grained password policy, introduced with Windows Server 2008.

9. Recently the security for your network was taken over by the firewall and UNIX administrator. He has requested that you increase your password history setting from the Windows Server 2008 default to remember the maximum number of passwords. Which one of the following do you tell him?
A. You tell him that you will increase the Enforce password history setting to 48
B. You tell him that you will increase the Enforce password history setting to 24
C. You tell him that the default setting is the maximum
D. You tell him that there is no maximum setting, and ask him to provide a specific value
Correct Answer & Explanation: C. When Active Directory is installed, the default value for the Enforce password history option is the maximum, 24.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect; the maximum value of the Enforce password history option is 24. Answer B is also incorrect, because Enforce password history is already set to the maximum value, 24, at installation. Answer D is incorrect, because 24 is the maximum value.
10. You work for a small accounting firm. Recently your boss, the owner of the company, read an article about weaknesses in password security. He has asked that you require everyone in the company to change his or her password every 30 days and to use at least 12 different passwords per year. Which of the following settings do you configure in the Default Domain Policy? (Select all that apply.)
A. You set the Maximum password age option to 30
B. You set the Enforce password history option to 12
C. You set the Minimum password age option to 15
D. You disable the Passwords must meet complexity requirements option
Correct Answer & Explanation: A, C. Setting Maximum password age to 30 ensures that users must change their passwords every 30 days. Setting Minimum password age to 15 prevents users from changing their passwords again until 15 days after their last change, so nobody can cycle through the remembered history in a few minutes to get back to an old favorite. Combined with the default Enforce password history of 24, this ensures that users are required to use at least 12 unique passwords per year.
Incorrect Answers & Explanations: B, D. Answer B is incorrect. With Enforce password history set to 12 in conjunction with answers A and C, a user could change passwords twice a month (every 15 days), exhaust the 12 remembered passwords in six months, and then return to an earlier password within the year; 24 remembered passwords at 15-day intervals cover the whole year. Answer D is also incorrect; Passwords must meet complexity requirements does not affect how often users must change their passwords or how many passwords the system remembers.
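The password settings from Questions 8, 9 and 10 as an added Windows PowerShell example, not part of the book's text. It uses the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later; Windows Server 2008 itself exposes these settings only through the GPMC and ADSI Edit). The domain contoso.com, the VP-Users group and the user vp.jones are assumptions made for illustration; the fine-grained password policy shown for Question 8 is the scoped alternative to the domain-wide change the book's answer describes.

```powershell
# Added example, not from the book. Requires the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT or later). contoso.com, the "VP-Users" group
# and the user vp.jones are assumptions for illustration.
Import-Module ActiveDirectory

# --- Question 9: the Windows Server 2008 defaults ----------------------------
# Expect PasswordHistoryCount 24 (the maximum), MinPasswordLength 7,
# ComplexityEnabled True, MaxPasswordAge 42 days and MinPasswordAge 1 day.
Get-ADDefaultDomainPasswordPolicy -Identity contoso.com |
    Select-Object PasswordHistoryCount, MinPasswordLength, ComplexityEnabled,
                  MinPasswordAge, MaxPasswordAge

# --- Question 10: 30-day rotation, at least 12 distinct passwords a year -----
# History stays at its maximum. The 15-day minimum age is what makes the history
# effective: without it a user could change the password 24 times in a row and
# land back on the original one within minutes.
Set-ADDefaultDomainPasswordPolicy -Identity contoso.com `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -MinPasswordAge (New-TimeSpan -Days 15) `
    -PasswordHistoryCount 24

# --- Question 8: scope the weakening to the VPs, not the whole domain --------
# Password and lockout settings in a GPO linked to an OU do not affect domain
# accounts (they only change the *local* accounts of computers in that OU). The
# supported per-group mechanism is a fine-grained password policy (PSO), available
# at the Windows Server 2008 domain functional level. The lockout threshold is
# the only thing standing between a 4-character password and online guessing.
New-ADFineGrainedPasswordPolicy -Name "VP-Relaxed" -Precedence 100 `
    -ComplexityEnabled $false -MinPasswordLength 4 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 30) `
    -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)
Add-ADFineGrainedPasswordPolicySubject -Identity "VP-Relaxed" -Subjects "VP-Users"

# Resultant policy for one VP: the PSO wins over the Default Domain Policy.
Get-ADUserResultantPasswordPolicy -Identity vp.jones |
    Select-Object Name, MinPasswordLength, ComplexityEnabled, MaxPasswordAge
```

Get-ADUserResultantPasswordPolicy returns the PSO name for vp.jones once the group membership has replicated; an account that is not a subject of any PSO returns nothing from that cmdlet and falls back to the domain defaults shown by the first command.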
Chapter 7: Configuring Certificate Services and PKI

1. You have been asked to provide an additional security system for your company's Internet activity. This system should act as an underlying cryptography system. It should enable users or computers that have never been in trusted communication before to validate themselves by referencing an association to a trusted third party (TTP). What method of security is the above example referencing?
A. Certificate Authority (CA)
B. Nonrepudiation
C. Cryptanalysis
D. Public Key Infrastructure (PKI)
Correct Answer & Explanation: D. An underlying cryptography system that enables users or computers that have never been in trusted communication before to validate themselves by referencing an association to a trusted third party (TTP) is called a Public Key Infrastructure (PKI).
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect, because a Certificate Authority (CA) is the TTP within a PKI transaction, not the system as a whole. Answer B is incorrect, because nonrepudiation is only one of the goals of a PKI. Answer C is incorrect, because cryptanalysis refers to the process of breaking or decrypting data without the key, not securing it.

2. You are engaged in an exercise that is meant to demonstrate the Public-Key Cryptography Standards (PKCS). You arrive at a portion of the exercise dealing with encrypting a string with a secret key based on a password. Which of the following PKCS does this exercise address?
A. PKCS #5
B. PKCS #1
C. PKCS #8
D. PKCS #9
Correct Answer & Explanation: A. PKCS #5 is the Password-Based Cryptography Standard; it specifies how to derive a secret key from a password (PBKDF2, using a salt and an iteration count) and use it to encrypt a string. The result of the method is an octet string (a sequence of 8-bit values).
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because PKCS #1 is the RSA Cryptography Standard and outlines the encryption of data using the RSA algorithm; its purpose is the construction of digital signatures and digital envelopes. Answer C is incorrect, because PKCS #8 is the Private-Key Information Syntax Standard and describes a format for private-key information that includes the public-key algorithm identifier and additional attributes (similar to PKCS #6). Answer D is incorrect, because PKCS #9 deals with Selected Attribute Types and defines the types of attributes for use in extended certificates (PKCS #6), digitally signed messages (PKCS #7), and private-key information (PKCS #8).
3. You are working in a Windows Server 2008 PKI and going over various user profiles that are subject to deletion due to company policy. The public keys for these users are stored under Documents and Settings\Administrator\System Certificates\My\Certificates and the private keys under Documents and Settings\Administrator\Crypto\RSA. You possess copies of the public keys in the registry and in Active Directory. What effect will the deletion of the user profile have on the private key?
A. It will have no effect.
B. It will be replaced by the public key that is stored.
C. The private key will be lost.
D. None of the above.
Correct Answer & Explanation: C. The private key will be lost if the user profile is deleted. Private keys are stored under the user's profile and are therefore vulnerable to profile deletion. Export the certificate together with its private key to a password-protected PFX file (or rely on key archival at the CA) before the profile is removed; the stored copies of the public key cannot recreate it.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect, because the private keys are stored under the user's profile, so deletion of the profile does affect the private key. Answer B is incorrect, because a public key can never be used to replace the private key. Answer D is incorrect, because answer C is correct.

4. Two users, Dave and Dixine, wish to communicate privately. Dave and Dixine each own a key pair consisting of a public key and a private key. If Dave wants Dixine to send him an encrypted message, which of the following security measures occurs first?
A. Dave transmits his public key to Dixine.
B. Dixine uses Dave's public key to encrypt the message.
C. Nothing occurs; the message is simply sent.
D. Dixine requests access to Dave's private key.
Correct Answer & Explanation: A. Dave transmits his public key to Dixine, because Dixine must have Dave's public key before she can encrypt the message in a way that only Dave, using his private key, can decrypt.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because Dave must transmit his public key before Dixine can use it; this is the second step in the process, not the first. Answer C is incorrect, because the encryption process is not automatic; an exchange of public keys must occur before communication can be encrypted. Answer D is incorrect, because private keys are never transmitted or shared; they are used only to decrypt messages encrypted with the matching public key.

5. You are browsing your company's e-commerce site using Internet Explorer 7 and have added a number of products to the shopping cart. You notice that there is a padlock symbol in the browser. By clicking this symbol you will be able to view information concerning the site's:
A. Private Key.
B. Public Key.
C. Information Architecture.
D. Certificates.
Correct Answer & Explanation: D. Certificates is the correct answer, because clicking the padlock opens the security report from which you can view the site's certificate and verify its subject, issuer, validity period and other attributes.
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect, because you can never access another party's private key. Answer B is incorrect, because the public key, although contained in the certificate, is not what the padlock presents on its own. Answer C is incorrect, because the information architecture (IA) of the site has nothing to do with the encryption process or PKI.

6. You are engaged in an exercise that is meant to demonstrate the Public-Key Cryptography Standards (PKCS) used in modern encryption. You arrive at a portion of the exercise which outlines the encryption of data using the RSA algorithm. Which of the following PKCS does this exercise address?
A. PKCS #5
B. PKCS #1
C. PKCS #8
D. PKCS #9
Correct Answer & Explanation: B. PKCS #1 is the RSA Cryptography Standard and outlines the encryption of data using the RSA algorithm; its purpose is the construction of digital signatures and digital envelopes.
Incorrect Answers & Explanations: A, C, D. Answer A is incorrect; PKCS #5 is the Password-Based Cryptography Standard and deals with the method for encrypting a string with a secret key derived from a password. The result of the method is an octet string (a sequence of 8-bit values). Answer C is incorrect, because PKCS #8 is the Private-Key Information Syntax Standard and describes a format for private-key information that includes the public-key algorithm identifier and additional attributes (similar to PKCS #6). Answer D is incorrect, because PKCS #9 deals with Selected Attribute Types and defines the types of attributes for use in extended certificates (PKCS #6), digitally signed messages (PKCS #7), and private-key information (PKCS #8).

7. You are the administrator of your company's Windows Server 2008-based network and are attempting to enroll a smart card and configure it at an enrollment station. Which of the following certificates must be requested in order to accomplish this action?
A. A machine certificate.
B. An application certificate.
C. A user certificate.
D. All of the above.
Correct Answer & Explanation: C. User certificates enable the user to do something that would not otherwise be allowed. The Enrollment Agent certificate is one example of a user certificate: without it, even an administrator is not able to enroll smart cards on behalf of other users and configure them at an enrollment station.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect, because machine certificates (as the name implies) give the system, instead of the user, the ability to do something out of the ordinary; their main purpose is authentication, both client-side and server-side. Answer B is incorrect, because the term application certificate refers to any certificate that is used with a specific PKI-enabled application. Examples include IPsec and S/MIME encryption for e-mail.
Applications that need certificates are generally configured to request them automatically, and are then placed in a waiting status until the required certificate arrives. Answer D is incorrect because it is generally never required for all of the listed certificates to be requested in a single action.

8. Dave and Dixine each own a key pair consisting of a public and a private key. A public key was used to encrypt a message and the corresponding private key was used to decrypt it. Dave wants Dixine to know that a document he is responding with was really written by him. How is this possible using the given scenario?
A. Dave’s private key can encrypt the document and the matching public key can be used to decrypt it.
B. Dave can send Dixine his private key as proof.
C. Dixine can allow Dave access to her private key to encrypt the document.
D. None of the above.
Correct Answer & Explanation: A. Answer A is correct because if a user successfully uses your public key to read the document, they can be certain that it was “signed” by your private key and is therefore authentic.
Incorrect Answers & Explanations: B, C, D. Answers B and C are incorrect, because private keys should never be shared with other users. Answer D is incorrect because, as stated, a private key can be used to encrypt a document so that the matching public key can be used to decrypt it.

9. You are administering a large hierarchical government environment in which a trust model needs to be established. The company does not want external CAs involved in the verification process. Which of the following is the best trust model deployment for this scenario?
A. A hierarchical first-party trust model.
B. A third-party single CA trust model.
C. A first-party single CA trust model.
D. None of these will meet the needs of the company.
Correct Answer & Explanation: A. Choice A is correct because hierarchical models work well in larger hierarchical environments, such as large government organizations or corporate environments, and use multiple levels of subordinate CAs that are governed by a root CA. First-party CAs are internal and administered by the company deploying them.
Incorrect Answers & Explanations: B, C, D. Answers B and C are incorrect, because hierarchical models are better suited to larger hierarchical environments, as they offer more layers of verification. Answer D is incorrect because, as stated, choice A will meet the needs of this example.

10. Two users, Dave and Dixine, wish to communicate privately. Dave and Dixine each own a key pair consisting of a public key and a private key. A public key was used to encrypt a message and the corresponding private key was used to decrypt it. What is the major security issue with this scenario?
A. Private keys are revealed during the initial transaction.
B. Information encrypted with a public key can be decrypted too easily without the private key.
C. An attacker can intercept the data mid-stream and replace the original signature with his or her own, using his private key.
D. None of the above.
Correct Answer & Explanation: C. Answer C is correct because there is nothing to prevent an attacker from intercepting the data mid-stream and replacing the original signature with his or her own, using his private key. The solution to this problem in Windows PKI is the certificate.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect, because private keys are never accessible to other users. Answer B is incorrect, because while the encryption process is not completely impervious to cracking without the private key, an attacker would have an incredibly hard time decrypting the transmission. Answer D is incorrect because, as stated, an attacker can intercept the data mid-stream and replace the original signature with his or her own, using his private key.
Chapter 8: Maintaining an Active Directory Environment

1. You’ve just finished installing a new Windows Server 2008 DC. It is the policy of the IT department to perform a full backup of newly installed DCs. You click on Start | Administrative Tools | Windows Server Backup. When Windows Server Backup loads you see the following screen. What do you need to do to ensure that the backup takes place?
A. Run DCPROMO
B. Install the Windows Server Backup feature
C. Go to a command prompt and run wbadmin.exe
D. Boot into DSRM and conduct the backup from there
Correct Answer & Explanation: B. Just because Windows Server Backup appears in the list of Administrative Tools doesn’t mean it has been installed. Install the feature via Server Manager.
Incorrect Answers & Explanations: A, C, D. Answer A is incorrect, because DCPROMO is used to convert a server into a DC; it has nothing to do with the backup software. Answer C is incorrect, because wbadmin.exe is a part of the Windows Server Backup feature; simply running it will produce the same message. Answer D is incorrect, because with the backup software not installed you cannot conduct the backup regardless of what mode you’ve booted the DC into.

2. You are responsible for performing backups on the DCs on your network. Your boss has requested that you conduct system state backups to DVD. How do you accomplish this?
A. Run the Windows Server Backup Wizard, select System State Backup, and set your target to the DVD drive
B. Run the Windows Server Backup Wizard, select a local drive as the target, and then copy the system state backup to the DVD drive
C. Run the wbadmin.exe command with the start systemstatebackup command and target it to the DVD drive
D. Run the wbadmin.exe command with the start systemstatebackup command, set the target to a local fixed drive, and then copy the system state backup to a DVD
Correct Answer & Explanation: D. System state backups are done using the wbadmin.exe command and must have local drives as targets. To back up to DVD, you must manually copy the system state backup to the DVD drive and burn the backup onto disk.
Incorrect Answers & Explanations: A, B, C. Answers A and B are incorrect, because Windows Server Backup cannot specifically back up the system state; you must use the wbadmin.exe command. Answer C is incorrect, because system state backups must have a local drive as the target.

3. You are the network administrator for your company. Last night you successfully performed a system state backup of one of your DCs. Due to an unforeseen issue, you now need to perform a system state restore. What do you need to do to conduct a system state restore on a DC?
A. Reboot the DC, go into DSRM, and run wbadmin.exe to perform the system state restore
B. Log on to the DC as usual and run wbadmin.exe to restore the system state
C. Stop Active Directory Domain Services and then run the wbadmin.exe command to restore the system state
D. Just restore the system state via the Windows Server Backup Wizard
Correct Answer & Explanation: A. To recover the system state for a DC, you must be in DSRM and then run the wbadmin.exe command.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because you cannot restore the system state of a DC in normal mode. Answer C is incorrect, because stopping Active Directory Domain Services will not allow you to restore the system state on a DC. Answer D is incorrect, because the Windows Server Backup Wizard does not restore the system state specifically.

4. You are the network administrator for your company. You have a scheduled backup job that runs three times a day: 10:00 a.m., 4:00 p.m., and 11:00 p.m. At 4:50 p.m., you get a call that user Janet Harrell has deleted the company budget on the server. There are no previous versions available. What should you do to restore the company budget?
A. Run ntbackup, select the company budget from the list of files backed up, and choose Restore
B. Run Windows Server Backup, select Recover from the Actions pane, and choose Files and Folders as the recovery type. Select the company budget from the Available items list. Choose Original location as the recovery destination, choose to create copies so that you have both versions of the file or folder under When the wizard finds files and folders in the recovery destination, and choose Restore security settings.
C. Go into DSRM, run wbadmin.exe, and conduct a system state recovery
D. Stop Active Directory Domain Services, load ntbackup, select the company budget, and choose Restore
Correct Answer & Explanation: B. You would run through the restore wizard in Windows Server Backup, choose the budget file, and restore it to the original location along with the original security settings. Windows Server Backup provides the ability to individually choose which files and/or directories to restore.
Incorrect Answers & Explanations: A, C, D. Answers A and D are incorrect, because ntbackup is no longer the backup and restore software that comes with Windows Server 2008. The ntbackup version for Windows Server 2008 that you can download can recover only .bkf files and not the .vhd files that Windows Server Backup creates. Answer C is incorrect, because you do not have to go into DSRM to recover key files.

5. You are the network administrator at your company. The Active Directory database file on one of your DCs is corrupt. You decide to perform a nonauthoritative restore on the DC. You reboot the server into DSRM and try to log on as the domain administrator, but you cannot. You need to get this DC back up and functioning as soon as possible. What can you do to achieve this?
A. Log on to the server with another domain administrator’s account
B. Log on to the server using the local administrator’s account
C. Change the domain administrator’s password from another DC and then log on using the account with the new password
D. Log on using the DSRM administrator’s account and password
Correct Answer & Explanation: D. You must log on using the DSRM administrator’s account and password, which you created during the DCPROMO wizard while converting this server into a DC.
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect, because you must log on using the DSRM account; a domain admin account cannot log on to the server in DSRM mode. Answer B is incorrect, because you must log on using the DSRM administrator’s account and there are no local administrator accounts on a DC. Answer C is incorrect for the same reasons as answer A.

6. You are the domain admin for your company. You have tasked Susan, a member of the Account Operators group, to delete Amber Chambers’ user account because she quit yesterday. Susan accidentally deletes Andy Chambers’ account. Before she realizes what’s happened, the change is replicated to the other DCs. What can you do to bring back Andy Chambers’ user account?
A. Reboot the DC into DSRM, restore the system state, and conduct a nonauthoritative restore on Andy Chambers’ user account from the most recent backup using wbadmin.exe
B. Reboot the DC into DSRM, restore the system state, and conduct an authoritative restore on Andy Chambers’ user account from the most recent backup using wbadmin.exe
C. Log on to the DC in normal mode, stop Active Directory Domain Services, load Windows Server Backup, restore the system state, and perform an authoritative restore of Andy Chambers’ user account
D. Log on to the DC in normal mode, stop Active Directory Domain Services, load Windows Server Backup, restore the system state, and perform a nonauthoritative restore of Andy Chambers’ user account
Correct Answer & Explanation: B. Only an authoritative restore can restore the user account and prevent it from being overwritten by directory replication. To perform an authoritative restore you must boot into DSRM, run wbadmin.exe to restore the system state, and then perform an authoritative restore.
Incorrect Answers & Explanations: A, C, D. Answer A is incorrect, because a nonauthoritative restore would bring the user account back, but it would be deleted again once directory replication took place. Answers C and D are incorrect, because you must be in DSRM to restore the user account. Windows Server Backup has no way of performing an authoritative restore via the GUI.

7. You are the domain administrator for your company. Examining one of the DCs, you notice that the file ntds.dit is almost 6 GB in size. You decide that to save disk space and increase performance you will defrag Active Directory Domain Services. How would you accomplish this?
A. Log on to the server as an administrator. Perform a system state backup of the DC. Create a new directory on the system drive called C:\defrag. Stop Active Directory Domain Services. Start an instance of ntdsutil and activate Instance ntds. At the ntdsutil prompt, pull up the file maintenance prompt and type compact to c:\defrag. Go to the %systemdrive%\Windows\NTDS directory and delete the old ntds.dit file as well as any .log files. Copy the ntds.dit file in the C:\defrag folder to %systemroot%\Windows\NTDS, and then restart Active Directory Domain Services.
B. Log on to the server as an administrator. Perform a system state backup of the DC. Create a new directory on the system drive called C:\defrag. Start an instance of ntdsutil and activate Instance ntds. At the ntdsutil prompt, pull up the file maintenance prompt and type compact to c:\defrag. Go to the %systemdrive%\Windows\NTDS directory and delete the old ntds.dit file as well as any .log files. Copy the ntds.dit file in the C:\defrag folder to the %systemroot%\Windows\NTDS.
C. Log on to the server as an administrator in DSRM. Perform a system state backup of the DC. Create a new directory on the system drive called C:\defrag. Stop Active Directory Domain Services. Start an instance of ntdsutil and activate Instance ntds. At the ntdsutil prompt, pull up the file maintenance prompt and type compact to c:\defrag. Go to the %systemdrive%\Windows\NTDS directory and delete the old ntds.dit file as well as any .log files. Copy the ntds.dit file in the C:\defrag folder to the %systemroot%\Windows\NTDS, and then restart Active Directory Domain Services.
D. Log on to the server as an administrator. Perform a system state backup of the DC. Create a new directory on the system drive called C:\defrag. Stop Active Directory Domain Services. Start an instance of ntdsutil and activate Instance ntds. At the ntdsutil prompt, pull up the file maintenance prompt and type compact to c:\defrag. Go to the %systemdrive%\Windows\NTDS directory and delete the old ntds.dit file as well as any .log files. Copy the ntds.dit file in the C:\defrag folder to %systemdrive%\Windows\NTDS.
Correct Answer & Explanation: A. These are the steps in performing a defrag/compact of the Active Directory Domain Services database file. Although the system state backup is not required, it is highly recommended.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because you never stopped Active Directory Domain Services. Answer C is incorrect, because you no longer need to boot into DSRM to defrag the database. Answer D is incorrect, because you never restarted Active Directory Domain Services.

8. You are the domain administrator for your company. Your network consists of three DCs, each running Windows Server 2008. Two are at site A, and the third is located at site B. There seems to be a replication problem between the DCs at site A and the DC at site B. What is the best tool to use in troubleshooting directory replication?
A. Network Monitor
B. Task Manager
C. RepAdmin
D. Event Viewer
Correct Answer & Explanation: C. RepAdmin can be used to monitor Active Directory replication and topology, and even to force replication.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect, because Network Monitor doesn’t show what’s actually being replicated. It can show that the DCs are communicating, but it cannot truly tell whether replication is taking place. Answer B is incorrect, because Task Manager is meant for administrators to get a real-time view of the performance of the server, not of directory replication. Answer D is incorrect, because Event Viewer doesn’t show the topology, nor can it initiate replication. It is probably the best place to start, but not to finish.

9. You are the domain administrator for your company. Your network consists of multiple DCs at multiple sites. A DC at your local site is having problems with replicating. You need to know when this DC last attempted to perform an inbound replication on the Active Directory partitions. How would you accomplish this?
A. Open a command prompt on the DC and run ntdsutil
B. Open a command prompt on the DC and run repadmin /replicate
C. Open a command prompt on the DC and run repadmin /rodcpwdrepl
D. Open a command prompt on the DC and run repadmin /showrepl
Correct Answer & Explanation: D. Running repadmin /showrepl displays the replication status, including when the specified DC last attempted to perform inbound replication on its Active Directory partitions.
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect, because ntdsutil does not provide information about directory replication. Answer B is incorrect, because the /replicate switch triggers immediate replication and does not provide information about when a particular DC last attempted to perform an inbound replication. Answer C is incorrect, because the /rodcpwdrepl switch triggers the replication of passwords for specified users from a source DC to one or more RODCs.

10. You are the domain administrator for your company. At your site you have a single DC that also acts as an application server. From 10:00 a.m. to 4:00 p.m., users complain about slow logons to the network and that accessing resources from this DC is incredibly slow during most of the workday. You log on to the DC, pull up the Task Manager, and notice that a process called CustApp.exe is using just over 90% of the CPU cycles. The application must remain running during the day, but you also need to resolve the slow logon issues. There is no money in the budget for additional hardware. What is the best way to handle this situation?
A. Go into the Windows System Resource Manager on the DC, and create a new recurring calendar event to start at 8:00 a.m. and end at 5:00 p.m. daily. Associate the event with the Equal_Per_Process policy.
B. Go into the Task Manager and into the Processes tab. Find CustApp.exe and set the priority to Below Normal.
C. Go into the Task Manager and into the Processes tab. Find CustApp.exe and end the process.
D. Purchase a second server to run only the CustApp.exe application
Correct Answer & Explanation: A. The Windows System Resource Manager (WSRM) allows administrators to set policies and thresholds on applications and processes, limiting the number of CPU cycles they can consume and the amount of memory they are allowed to use. Setting a calendar policy lets the administrator allow the application to run at high CPU levels after hours if needed, so that it doesn’t affect end users during the workday.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because by setting the priority level to Below Normal it is possible that the threads within CustApp.exe will never execute, depending on whether there are a large number of higher-priority threads in the queue. Answer C is incorrect, because it completely stops the CustApp.exe process, which may belong to a mission-critical application, thereby affecting productivity in a highly negative manner. Answer D is incorrect, because the scenario clearly states that there is no money in the budget for additional hardware.
Index

A
Account lockout policy, 380–394, 437, 438
Account Policies, configuration of. See Configuration of Account Policies
Accounts. See Computer accounts; User accounts
Active Directory
  Application Mode (ADAM), 2, 23
  bandwidth and network traffic, 217–218
  configuring event logging, 265–266
  directory service access, 401–404
  Domain Services (ADDS), 2–3, 584–587
  Domain Services Role installation, 12–15
  editing attributes of objects, 189
  Federation Services. See ADFS (Active Directory Federation Services)
  Lightweight Directory Service. See LDS (Active Directory Lightweight Directory Service)
  navigation of, 189
  records, 85–86
  restartable, 584–587
  Rights Management Service. See RMS (Active Directory Rights Management Service)
  Users and Computers administration tool, 126–129
  See also Backing up; Computer accounts; Monitoring Active Directory; Offline maintenance; Recovering; User accounts; Users and Computers console
AD-integrated zones, 81, 118
ADAM (Active Directory Application Mode), 2, 23
Add Role Wizard, 6–8
ADDS (Active Directory Domain Services), 2–3, 584–587
ADFS (Active Directory Federation Services)
  configuration, 39–51
  description, 3, 37–38
  federating with Windows Server 2003 R2 forest, 54
  structure, 38
  use of, 38
ADLDS (Active Directory Lightweight Directory Service). See LDS (Active Directory Lightweight Directory Service)
Adlem, Leonard, 453
ADM (Administrative Template) templates, adding to GPOs, 424–432
Admin logs, 606
Administrative Templates, 420–421
Administrator account, built-in, 130, 189
ADMX (XML-based format)
  central store, 422–423, 439
  files, 421
adprep, 17, 54
ADRMS (Active Directory Rights Management Service). See RMS (Active Directory Rights Management Service)
ADSIEdit.msc graphical console, 189
Allocation for Active Directory, 590–591
Analytic logs, 606
Application certificates, 480
Application-push technologies, 81
Application-specific content in Group Policies, 348
Applications, monitoring, 596–597
Applications logs, 606
Assigning software to computers, 368–369
Assigning software to users, 364–368
Attacks, elevation-of-privilege, 275
Attributes of objects, editing, 189
Audit Policies, configuration of. See Configuration of Audit Policies
Auditing
  changes from ADAM, 23
  logon events, 438
  in Windows Server 2008, 438
Authentication of UPNs, 212
Authoritative restoring, 568–574, 637–638
Autoenrollment for user certificates, 527
Automatic partner configuration, 105–106

B
Backing up
  CA servers, 489–492
  critical volumes, 556–557
  description, 534–535
  Group Policy objects (GPOs), 575–580, 638
  key files, 555
  Starter GPOs, 579, 638
  system state data, 551–554, 637
  Volume Shadow Copy Service (VSS), 551
  See also Windows Server Backup
Bandwidth and network traffic in Global Catalog (GC), 217–218
BIND servers, 117
BitLocker Drive Encryption, 12
.bkf files, 534–535, 553, 637
Block Inheritance in GPOs, 322–323, 330
Block symmetric algorithms, 453
Bridgehead servers, 259
Brute force password attacks, 437
Bulk data encryption without prior shared secrets, 466–479
C
Caching, Universal Group, 218–220
Cards, smart, 140, 479, 514, 527–528
CAs (certification authorities)
  Certificate Practice Statement (CPS), 484–485
  certificate requests, 484–489
  configuring, 481–482
  description, 482
  hierarchy, 527
  root vs. subordinate, 483–484
  standard vs. enterprise, 482–483
Certificate Practice Statement (CPS), 484–485
Certificate requests, 484–489
Certificate revocation lists (CRLs), 499–501, 524, 527
Certificate Services
  installing, 468–477
  See also CAs (certification authorities); Certificate templates; Certificates; Key recovery
Certificate templates
  cryptography, 506–507
  custom, 516–519
  description, 501–502
  general properties, 503–504
  issuance requirements, 509–512
  key recovery agent, 521–522
  permissions model, 519–520
  request handling, 505
  security settings, 512–513
  subject information, 508
  types of, 513–516
  versioning, 520–521
Certificates
  application certificates, 480
  computer certificates, 514–516
  description, 460–463
  EFS and overseas travel, 526
  formats, 526
  machine certificates, 480
  needs, analyzing, 480–481
  reviewing, 467–468
  types of, 513–516
  user certificates, 479, 513–514
  validity period, 527, 528
  visibility, 526
Certification authorities (CAs). See CAs (certification authorities)
Client-management technologies, 81
CNG (Cryptography Next Generation), 452
Compaction, 587–590
Computer accounts
  creating, 161–162
  description, 160–161
  modifying, 162–167
  password storage limit, 190
  purpose, 190
  resetting, 167–168
Computer certificates, 514–516
Computer configuration in GPOs, 308–309
Confidentiality, 449
Configuration
  Active Directory event logging, 265–266
  ADFS (Active Directory Federation Services), 39–51
  CAs (certification authorities), 481–482
  DHCP (Dynamic Host Configuration Protocol), 98–99
  directory service access in group policy, 405
  Directory Services role, 12
  directory services role, 12–15
  DNS (Domain Name System), 73–76
  fine-grain policies, 384–394
  LDS (Active Directory Lightweight Directory Service), 23–26
  object level auditing, 405–408
  replication between sites, 263
  resolution of zones, 91
  restricting some users, 439
  reverse lookup zones, 87–91
  RMS (Active Directory Rights Management Service), 30–37
  RODC (read-only domain controllers), 16–21
  site link costs, 252–254
  Universal Group caching, 219
  WINS (Windows Internet Naming Service), 103–105, 111, 112–113
  WMI (Windows Management Instrumentation) filtering, 331
  See also Configuration of Account Policies; Configuration of Audit Policies; Configuration of security-related policies; Software configuration and Group Policies
Configuration Manager, System Center, 81
Configuration of Account Policies
  account lockout policy, 380–394, 437, 438
  Default Domain Policy GPO, 378
  domain password policy, 379–380, 381–384
  fine-grain policies, 384–394
  PSO, applying users and groups to, 394–397
Configuration of Audit Policies
  description, 397–399
  directory service access, 401–404
  logon events, 399–401
  object access, 404–408
  other audit policies, 408–409
Configuration of security-related policies
  ADM (Administrative Template) templates, adding to GPOs, 424–432
  Administrative Templates, 420–421
  ADMX central store, 422–423
  Restricted Groups objects, 415–420
  security options, 411–415
  users rights, 409–411
Configuration partition, 202
CPS (Certificate Practice Statement), 484–485
Creating GPOs, 314–315, 316–318
CRLs (certificate revocation lists), 499–501, 524, 527
Cryptography
  algorithms, types of, 453
  basics, 459
  certificate templates, 506–507
  symmetric key, 453
Cryptography Next Generation (CNG), 452
Custom certificate templates, 516–519
Custom Views in Event Viewer, 602–605

D
Data Collector Sets, 629–631
Data encryption without prior shared secrets, 466–479
Database files for DNS, 64–65
Database Mounting Tool, 23
DCs (domain controllers)
  Global Catalog (GC), 210–211
  master roles, 220–221
  refreshing cache, 219
  schema partition, 202
  software, not assigning to DCs, 361
  UPN authentication, 212
  See also RODCs (read-only domain controllers)
Debug logs, 606
Default settings, Microsoft, 421
Default trusts, 272
Defragmenting, 587–590, 638
Delegating tasks, 177–183, 191
Delegation of Control Wizard, 178–183
Desktop settings for user accounts, 189
Destination disk, labeling, 545
DH (Diffie-Hellman) algorithms, 453–454
DHCP (Dynamic Host Configuration Protocol)
  configuring, 93–95, 98–99, 102–103
  description, 62
  design principles, 95–97
  DNS (Domain Name System), 102–103
  installing, 97
  Server Core, 100–102
  servers and placement, 96–97
Diffie-Hellman (DH) algorithms, 453–454
Digital certificates, reviewing, 467–468
Digital rights management (DRM) in Vista, 29–30, 54
Digital signatures, 464–465, 526
Directory information search in GC, 212–214
Directory service access, 401–404
Directory Services Restore Mode (DSRM), 565–568, 637
Directory Services role
  configuring, 12
  omitting, 55
Distinguished names (DNs), 202
Distribution groups, 170
DNs (distinguished names), 202
DNS (Domain Name System)
  BIND and Windows servers, 117
  configuration, 63–68, 73–76
  database files, 64–65
  description, 62
  design, 90
  DHCP (Dynamic Host Configuration Protocol), 102–103
  domain suffixes, 66–67, 117
  installation, 72–73
  record types, 63–64
  Resource Records (RRs), 68–72
  root domain (“.”), 118
  Server Core, 76–79
  WINS (Windows Internet Naming Service), 112–113
  zone transfer, 82–83
  zones, configuring, 79–82
  zones, creating, 83–85
Domain controllers. See DCs (domain controllers)
Domain functional levels
  description, 202
  list of, 203
  raising, 281
  use of, 203–204
  Windows 2000, 204
  Windows 2003, 204–205
  Windows 2008, 205–206
Domain local groups, 171
Domain Name System (DNS). See DNS (Domain Name System)
Domain Naming DC, 220
Domain partition, 202
Domain password policy, 379–380, 381–384
Domain Services, Active Directory (ADDS), 2–3, 584–587
Domain user accounts, 189
Domains
  description, 199–202
  sites, relationship with, 234–235
  suffixes, 66–67, 117
DRM (digital rights management) in Vista, 29–30, 54
dsadd tool, 190
DSRM (Directory Services Restore Mode), 565–568, 637
DVD, backing up to, 548–551
Dynamic Host Configuration Protocol (DHCP). See DHCP (Dynamic Host Configuration Protocol)
Dynamic Updates, Secure, 81

E
EAP (Extensible Authentication Protocol), 528
Editing attributes of objects, 189
EFS (Encrypting File System) and overseas travel, 526
Elevation-of-privilege attacks, 275
Encrypting File System (EFS) and overseas travel, 526
Encryption, secret key, 453
Encryption without prior shared secrets, 466–479
Enforcing
  Group Policies, 318–322, 330
  membership of groups, 439
Enterprise CAs (certification authorities), 482–483
Enterprise PKI (PKIView), 451
Event logging in Active Directory, 265–266
Event Viewer
  Applications and Services logs, 606
  Custom Views, 602–605
  description, 602
  new benefits, 638
  subscriptions, 607–611
  Windows logs, 605
Exchange Server and Global Catalog (GC), 217
Explicit trusts, 271, 282
Extensible Authentication Protocol (EAP), 528
External trusts, 267, 273–274, 281

F
Federating with Windows Server 2003 R2 forest, 54
Federation Services. See ADFS (Active Directory Federation Services)
Filtering
  Group Policy objects (GPOs), 331–333
  SIDs (Security Identifiers), 275–276
  WMI (Windows Management Instrumentation), 304–305, 330–331
Fine-grain policies, 384–394
Flash drives, backing up to, 548, 637
Flexible Single Manager Operation roles. See FSMO (Flexible Single Manager Operation) roles
Forcing replication, 261
Foreign travel and EFS (Encrypting File System), 526
Forest functional levels
  description, 202
  list of, 203
  raising, 208–209, 281
  Windows 2000, 206–207
  Windows 2003, 207–208
  Windows 2008, 208
Forest trusts, 272–273
Forests, 199–200
FSMO (Flexible Single Manager Operation) roles
  description, 220
  Domain Naming role, locating and transferring, 227–228
  Infrastructure, RID, and PDC Operations Master Roles, locating and transferring, 228–230
  master roles, 220–221
  master roles, seizing, 230–231
  placing in Active Directory environment, 232
  role holders, seizing, 223–224
  role holders, transferring, 223
  Schema Master role, locating and transferring, 224–227
  valid authorization levels, 221–222
Functional levels. See Domain functional levels; Forest functional levels
G
GC. See Global Catalog (GC)
Global Catalog (GC)
  attributes, 215–216
  bandwidth and network traffic, 217–218
  description, 202, 210–212
  directory information search, 212–214
  Exchange Server, 217
  placing GC servers within sites, 216–217
  replication, 214–215
  server, number of users for, 283
  Universal Group membership, 214, 215
  UPN authentication, 212
Global groups, 171
GlobalNames zone, 91–93, 117
GPMC (Group Policy Management Console), 638
GPO. See Group Policy objects (GPOs)
Group Policies. See Configuration of Account Policies; Group Policy Modeling Wizard; Group Policy objects (GPOs); Group Policy Results Wizard; Software configuration and Group Policies
Group Policy Management Console (GPMC), 638
Group Policy Modeling Wizard, 327–330
Group Policy objects (GPOs)
  ADM (Administrative Template) templates, adding to GPOs, 424–432
  application-specific content, 348
  backing up, 575–580, 638
  Block Inheritance, 322–323, 330
  computer configuration, 308–309
  creating, 314–315, 316–318
  Default Domain Policy GPO, 378
  enforcing, 318–322, 330
  features, 348
  filtering, 331–333
  Group Policy description, 348
  hierarchy, 309–311
Index
  linking, 315–318
  Local Group Policies, 293–296
  loopback, 334, 349
  modeling, 327–330
  Multiple Local GPOs (MLGPOs), 293–296
  network location awareness, 306–307
  non-local, 296–306
  Preferences, 303–306
  processing priority, 311–314
  recovering, 581–585
  results, 323–325
  Starter GPOs, 341–345, 348, 579
  Templates, Administrative, 335–337
  Templates, Security, 335–337, 337–341
  types, 292–293
  user configuration, 307–308
  Windows 2008 new features, 348
  WMI (Windows Management Instrumentation) filtering, 304–305, 330–331
Group Policy Results Wizard, 323–325
Groups
  creating by scripts, 176–177
  creating by Users and Computers console, 172–173
  description, 169
  enforcing membership of, 439
  managing, 190–191
  modifying by Users and Computers console, 173–176
  scopes of, 170–171
  strategies, 171–172
  types of, 170
Guest account, built-in, 131
H
Hash function, 453
Hierarchy
  CAs (certification authorities), 527
  Group Policies, 309–311
Hub-and-spoke models for WINS (Windows Internet Naming Service), 109–110
Hybrid replication models for WINS (Windows Internet Naming Service), 110
I
IANA (Internet Assigned Numbers Authority), 72
Implicit trusts, 271, 282
Implied trusts, 282
Incoming trusts, 270
Infrastructure Master DC, 220
Installation
  Certificate Services, 468–477
  DHCP (Dynamic Host Configuration Protocol), 97
  DNS (Domain Name System), 72–73
  Domain Services Role, 12–15
  software configuration and Group Policies, 358–361
  Windows Server Backup, 535–540
  WINS (Windows Internet Naming Service), 111
Internet Assigned Numbers Authority (IANA), 72
Intersite or intrasite replication, 217
IP replication, 262
IPv6, 245–246
K
KCC (Knowledge Consistency Checker), 207, 215, 255–258, 282
Key files
  backing up, 555
  recovering, 559–565
Key infrastructure. See PKI (public key infrastructure)
Key recovery
  agent, 521–522
Key recovery (Continued)
  backing up CA servers, 489–492
  restoring CA servers, 492–495
Knowledge Consistency Checker (KCC), 207, 215, 255–258, 282
L
Labeling the destination disk, 545
LDS (Active Directory Lightweight Directory Service)
  configuration, 23–26
  description, 2–3
  managing, 26–27
  running AD internally, 54
  use of, 22
Linked value replication (LVR), 575
Linking GPOs, 315–318
LMHOSTS files, static entries in, 110–111
Local Group Policies, 293–296
Local user accounts, 189
Local user profiles, 145
Lockout policy, 380–394, 437, 438
Logon events, auditing, 438
Logs
  Applications, 606
  Services, 606
  Windows, 605
Loopback, Group Policy, 334, 349
Loopback address in IPv6, 246
LVR (linked value replication), 575
M
Machine certificates, 480
Maintenance, offline. See Offline maintenance
Maintenance, software, 370–375
Mandatory profiles, 145, 189
Masks, 244–245
Master roles, FSMO, 220–221
Membership of groups, enforcing, 439
Microsoft default settings, 421
MLGPOs (Multiple Local GPOs), 293–296
Modeling, Group Policy, 327–330
Monitoring Active Directory
  description, 591
  Event Viewer, 602–608
  Network Monitor (netmon), 591–594
  Task Manager, 594–601
  See also Windows Reliability and Performance Monitor
MS-CHAP protocols, 528
MSI (Windows installer) files, 378
Multiple Local GPOs (MLGPOs), 293–296
N
Navigation of Active Directory, 189
Network Device Enrollment Service (NDES), 452
Network location awareness and Group Policies, 306–307
Network Monitor (netmon), 591–594
Network traffic in Global Catalog (GC), 217–218
Networking, monitoring, 599–600
New Zone Wizard, 83–85
Non-local GPOs, 296–306
Nonauthoritative restoring, 575, 637–638
Nonrepudiation, 449
O
OCSP (Online Certificate Status Protocol), 452
Offline maintenance
  defragmenting and compaction, 587–590, 638
  restartable Active Directory, 584–587
  storage allocation, 590–591
One-way trusts, 269–270
Online Certificate Status Protocol (OCSP), 452
Operational logs, 606
Organizational units (OUs)
  Block Inheritance, 322–323
  defaults, 128
  description, 198
  permissions, 178
OU. See Organizational units (OUs)
Outgoing trusts, 270
Overseas travel and EFS (Encrypting File System), 526
P
Partner configuration, automatic, 105–106
Password Settings objects (PSOs). See PSOs (Password Settings objects)
Passwords
  brute force password attacks, 437
  domain password policy, 379–380, 381–384
  DSRM (Directory Services Restore Mode), 637
  options, 139–141
  resetting, 157
  storage limit for computer accounts, 190
  strength traits, 132, 190, 438
  Users and Computers administration tool, 134–135
PDC Emulator DC, 221
Performance, monitoring, 598–599
Performance Monitor, 625–627
PKCS (Public-Key Cryptography Standards), 454–458
PKI (public key infrastructure)
  application certificates, 480
  authentication, 465–466
  bulk data encryption without prior shared secrets, 466–479
  certificate services, installing, 468–477
  components, 450–452
  description, 446–449
  digital certificates, reviewing, 467–468
  digital signatures, 464–465, 526
  enhancements in Windows Server 2008, 450–452
  function of, 449–450
  history of, 452–453
  machine certificates, 480
  user certificates, 479
  See also CAs (certification authorities); Certificate templates; Key recovery
PKIView, 451
Preferences for Group Policies, 303–306
Primary zones, 79
Processes, monitoring, 597
Processing priority in Group Policies, 311–314
Profiles
  mandatory, 189
  public and private keys, 457
  Terminal Service, 154
  types of, 145
  Users and Computers administration tool, 144–145
  WS-Federation Passive Requestor Profile (WS-F PRP), 37
Protocols for replication, 261–262
PSOs (Password Settings objects)
  applying users and groups to, 394–397
  description, 386
Public-Key Cryptography Standards (PKCS), 454–458
Public key infrastructure. See PKI (public key infrastructure)
Publishing software to users, 361–364
Pull partnerships, 107
Push partnerships, 106–107
Push/pull partnerships, 108
R
Raising functional levels, 208–210, 281
Read-only domain controllers. See RODCs (read-only domain controllers)
Realm trusts, 281
Record types for DNS, 63–64
Recovering
  authoritative restoring, 568–574, 637–638
  .bkf files, 534–535, 553, 637
  CA servers, 492–495
  description, 534–535
  Directory Services Restore Mode (DSRM), 565–568, 637
  Group Policy objects (GPOs), 581–585
  key files, 559–565
  nonauthoritative restoring, 575, 637–638
Recovery, key. See Key recovery
Redeploying software, 370–371, 437
Relative ID (RID) Master DC, 221
Reliability and Performance Monitor. See Windows Reliability and Performance Monitor
Reliability Monitor, 627–629
Removable media, backing up to, 548–551
Removal
  RODC (read-only domain controllers), 21–22
  software, 375–378
Renaming sites, 242–243, 283
RepAdmin command, 618–621
Replication
  bridgehead servers, 259
  configuring between sites, 263
  description, 255–256
  forcing, 261
  intersite, 217, 258–259
  intrasite, 217, 256
  monitoring, 638
  protocols, 261–262
  ring topology, 257
  RODCs, 54
  scheduling, 260–261
  three-hop rule, 258
  topology, 262–263
  transitive site links, 259
  troubleshooting, 264–266
  Universal Group, 171
Replication and WINS (Windows Internet Naming Service), 105–110
Replication Monitor (Replmon), 611–617
Reports, 631–632
Resource Records (RRs) for DNS, 68–72
Restartable Active Directory, 584–587
Restoring. See Recovering
Restricted Groups objects
  adding, 416–419
  deleting, 420
  description, 415–416
  enforcing membership of groups, 439
  modifying, 419–420
Restricting some users, 439
Results, Group Policy, 323–325
Reverse lookup zones
  configuration, 87–91
  description, 80, 86
  security considerations, 87
Ring models for WINS (Windows Internet Naming Service), 109
Ring topology for replication, 257
Rivest, Ronald, 453
RMS (Active Directory Rights Management Service)
  configuration, 30–37
  description, 3
  digital rights management (DRM) in Vista, 29–30, 54
  features, 28–29
Roaming user profiles, 145
RODCs (read-only domain controllers)
  configuration, 16–21
  description, 2, 184, 191
  features, 16
  mixed-mode (Windows 2003 and 2008) domain, 54
  purpose, 15–16
  removal, 21–22
  replication, 54
Role deployment
  Add Role Wizard, 6–8
  directory services role configuration, 12–15
  Server Manager, 55
  Windows Server 2008 new roles, 2–3
Root CAs (certification authorities), 483–484
Root domain (“.”) in DNS, 118
RRs (Resource Records) for DNS, 68–72
RSA Labs, 453
S
SACL (system access control list), 401
Scheduling replication, 260–261
Schema Master DC, 220
Schema partition, 202
Scripts
  computer accounts, creating, 167
  eased by Web Enrollment, 451–452
  groups, creating, 176
  logon, 145
  role deployment, 9, 55
  user accounts, creating, 157–158
  Windows PowerShell, 537
Searching Global Catalog (GC), 212–214
Secondary zones, 79
Secret key agreement, 466
Secret key encryption, 453
Secure Dynamic Updates, 81
Security groups, 170
Security options, 411–415
Security principals, 276
Server Backup, Windows. See Windows Server Backup
Server Core
  32-bit and 64-bit editions, 55
  description, 3, 10–12
  DHCP (Dynamic Host Configuration Protocol), 100–102
  directory services role, configuring, 12–15
  DNS (Domain Name System), 76–79
  WINS (Windows Internet Naming Service), 111–112
Server Manager
  description, 3
  features, 5
  implementing roles, 3–9
  role deployment, 55
Services, monitoring, 598
Services logs, 606
Settings, Microsoft default, 421
Shamir, Adi, 453
Shared secret key cryptography, 454
Shortcut trusts, 267, 274–275, 281
SIDs (Security Identifiers)
  filtering, 275–276, 282
  RID Masters, 221
Signatures, digital, 464–465, 526
Site link bridges, 259–260
Site links, transitive, 259–260, 283
Sites
  associating subnets with, 247–249
  creating, 238–242
  creating links, 249–252
  description, 233–235
  domains, relationship with, 234–235
  link costs, 252–254
  planning, 237–242
  renaming, 242–243, 283
  servers, 282–283
  subnets, 236
Slash notation, 244–245
Smart cards, 140, 479, 514, 527–528
SMTP replication, 261–262
Software, redeploying, 370–371, 437
Software configuration and Group Policies
  assigning to computers, 368–369
  assigning to users, 364–368
  deployment, 358, 437
Software configuration and Group Policies (Continued)
  installation overview, 358–361
  maintenance, 370–375
  publishing to users, 361–364
  redeploying, 370–371, 437
  removing, 375–378, 437
  software distribution point recommendations, 359, 437
  upgrading, 371–375
Software distribution point recommendations, 359, 437
Standard CAs (certification authorities), 482–483
Starter GPOs
  backing up, 638
  description, 341–342, 348
  enabling, 342–345
  not included in GPOs backup, 579
State data, backing up, 551–554, 637
Static entries in LMHOSTS files, 110–111
Storage allocation for Active Directory, 590–591
Stream symmetric algorithms, 453
Stub zones, 79–81
Subnets
  associating with sites, 247–249
  description, 233, 236
  masks and slash notation, 244–245
Subordinate CAs (certification authorities), 483–484
Subscriptions in Event Viewer, 607–611
Suffixes, domain, 66–67, 117
Symmetric algorithms, types of, 453
Symmetric key cryptography, 453
System access control list (SACL), 401
System Center Configuration Manager, 81
System state data
  backing up, 551–554, 637
  recovering, 557–558
T
Tape, backing up to, 637
Task Manager
  applications, 596–597
  description, 594–596
  networking, 599–600
  performance, 598–599
  processes, 597
  services, 598
  users, 601
Tasks, delegating, 177–183, 191
Technologies, application-push, 81
Templates, GPO, Administrative, 335–337
Templates, GPO, Security, 335–337, 337–341
Templates for user accounts, 158–159
Temporary user profiles, 145
Terminal Service profile, 154
Three-hop rule of intrasite replication, 258
Thumb drives, backing up to, 548, 637
Topology, replication, 262–263
Transferring zones, 82–83, 91
Transitive site links, 259–260, 283
Travel and EFS (Encrypting File System), 526
Trees
  description, 199
Troubleshooting replication, 264–266
Trust relationships
  default trusts, 272
  description, 198–199, 266–271
  direction and transitivity, 267
  external trusts, 267, 273–274, 281
  forest trusts, 272–273
  implicit or explicit trusts, 271, 282
  implied trusts, 282
  incoming or outgoing trusts, 270
  nontransitive trusts, 268
  one-way trusts, 269–270
  realm trusts, 281
  shortcut trusts, 267, 274–275, 281
  transitive trusts, 268–269
  two-way trusts, 267–269
Trusted third parties (TTPs), 446
Two-way trusts, 267–269
U
Universal Group
  caching, 218–220
  membership, maintaining, 215
  membership information, 214
  replication impact, 171
Updates, Secure Dynamic, 81
Upgrading software, 371–375
UPNs (user principal names)
  authenticating, 212
  configuring, 159–160
USB-based flash drives, backing up to, 548, 637
User accounts
  administrator account, built-in, 130, 189
  creating by scripts, 157–158
  creating by Users and Computers console, 133–136
  description, 129
  desktop settings, 189
  domain and local, 189
  guest account, built-in, 131
  management actions, 156–157
  mandatory profiles, 189
  modifying, 136–156
  monitoring, 601
  restricting, 439
  rules and practices, 131–132
  templates for, 158–159
  types, 129–130
  See also Passwords
User certificates
  autoenrollment, 527
  description, 479
  types of, 513–514
User configuration in GPOs, 307–308
User principal names. See UPNs (user principal names)
Users and Computers administration tool, 126–129
  ADSIEdit.msc graphical console, 189
  profiles, 144–145
  PSO, applying users and groups to, 394–397
  See also Computer accounts
Users and Computers console
  creating user accounts, 133–136
  managing user accounts, 156–157
  modifying user accounts, 136–156
V
Validity period of certificates, 527, 528
Versioning of certificate templates, 520–521
Views, custom, in Event Viewer, 602–605
Vista digital rights management (DRM), 29–30, 54
Volume Shadow Copy Service (VSS), 551
W
wbadmin.exe command, 547–548, 551
WBS Wizard, 551
Web Enrollment, 451–452
Windows File Protection (WFP), 551
Windows installer (MSI) files, 378
Windows Internet Naming Service (WINS). See WINS (Windows Internet Naming Service)
Windows logs, 605
Windows Management Instrumentation (WMI) filtering, 304–305, 330–331
Windows PowerShell, 537
Windows Reliability and Performance Monitor
  Data Collector Sets, 629–631
  description, 623–624, 638
Windows Reliability and Performance Monitor (Continued)
  Performance Monitor, 625–627
  Reliability Monitor, 627–629
  reports, 631–632
  Resource Overview screen, 624–625
Windows Resource Protection (WRP), 551
Windows Server 2003 Active Directory Application Mode (ADAM), 2, 23
Windows Server 2008, new roles in, 2–3
Windows Server Backup
  critical volumes, backing up, 556–557
  destination disk, labeling, 545
  installing, 535–540
  removable media, 548–551
  scheduling, 540–548
  tape, 637
  wbadmin.exe command, 547–548
Windows System Resource Manager (WSRM), 621–623
WINS (Windows Internet Naming Service)
  automatic partner configuration, 105–106
  configuration, 103–105, 111, 112–113
  description, 62
  DNS (Domain Name System), 112–113
  GlobalNames zone, 91–93, 117
  installation, 111
  phasing out, 91
  pull partnerships, 107
  push partnerships, 106–107
  push/pull partnerships, 108
  replication, 105–110
  Server Core, 111–112
  static entries in LMHOSTS files, 110–111
Wizards
  Add Role Wizard, 6–8
  Delegation of Control Wizard, 178–183
  Group Policy Modeling Wizard, 327–330
  Group Policy Results Wizard, 323–325
  New Zone Wizard, 83–85
  WBS Wizard, 551
WMI (Windows Management Instrumentation) filtering, 304–305, 330–331
WRP (Windows Resource Protection), 551
WSRM (Windows System Resource Manager), 621–623
Z
Zones
  configuring in DNS, 79–82
  configuring resolution of, 91
  creating, 83–85
  transferring, 82–83, 91