Microsoft Learning Product
Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2011 Microsoft Corporation. All rights reserved. Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Module 1
Introducing Active Directory Domain Services
Contents:
Lesson 1: Overview of Active Directory, Identity, and Access
Lesson 2: Active Directory Components and Concepts
Lesson 3: Install Active Directory Domain Services
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1: Overview of Active Directory, Identity, and Access
Additional Reading
Information Protection
Microsoft Identity and Access Solutions
Authorization
Logon and Authentication Technologies
Authorization and Access Control Technologies
Lesson 2: Active Directory Components and Concepts
Additional Reading
Active Directory Data Store
You will learn more about the partitions of Active Directory and about SYSVOL throughout this course. DNS is a focus of Module 11, and the partial attribute set (PAS) of the global catalog is examined in detail in Module 13. The contents of SYSVOL are explored in Module 6, and the objects stored in the Configuration partition are covered in Module 13. The objects in the Domain partition are covered in Modules 3-6, and database maintenance and administration tasks are detailed in Modules 10 and 14.
Domain Controllers
Domain Controllers are discussed throughout this course, but Modules 11 and 12 are focused specifically on domain controller administration and placement. Module 10 discusses RODCs.
Organizational Units
Modules 6 and 8 of this course examine the purpose, management, and design of organizational units.
Domain
You will learn more about domains throughout this course, and Module 15 focuses on the design considerations related to how many domains you should have in your enterprise.
Forest
The concepts and design of a multidomain forest are discussed in Module 15.
Tree
The concepts and design of a multidomain forest are discussed in Module 15.
Replication
Active Directory Replication is detailed in Module 12. SYSVOL replication is discussed in Module 10.
Sites
Active Directory site and subnet objects are the focus of Module 13.
Global Catalog
The global catalog is explored in detail in Module 12.
Functional Levels
Functional levels are detailed in Module 15.
Trust Relationships
Trust relationships are discussed in Module 15.
Lesson 3: Install Active Directory Domain Services
Additional Reading
Prepare to Create a New Forest with Windows Server 2008 R2
This list comprises the settings that you will be prompted to configure when creating a domain controller. There are a number of additional considerations regarding the deployment of AD DS in an enterprise setting. See the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkID=214181 for more information.
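The same settings can be supplied in an unattended answer file instead of through the wizard prompts. The following script is an added example, not part of the course material: it writes a dcpromo answer file for the first domain controller of a new forest, runs dcpromo with it, and removes the file afterwards. The domain name, NetBIOS name and paths are assumptions for the course lab; the Directory Services Restore Mode (DSRM) password is prompted for so that it never sits in the script.

```powershell
# Added example (not from the course): unattended promotion of the first DC of a new forest.
$answerFile = 'C:\dcpromo-newforest.txt'   # assumption: scratch location on the server

# Collect the DSRM password without echoing it, then unwrap it for the answer file
$secure = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# ForestLevel/DomainLevel 4 = Windows Server 2008 R2 (3 = Windows Server 2008)
@"
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=forest
NewDomainDNSName=contoso.com
DomainNetbiosName=CONTOSO
ForestLevel=4
DomainLevel=4
InstallDNS=yes
CreateDNSDelegation=no
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=no
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    # dcpromo installs the AD DS role binaries itself if they are not already present
    Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/unattend:$answerFile" -Wait
}
finally {
    # The answer file holds the DSRM password in clear text: never leave it behind
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
    $dsrm = $null
}

# Outcome is recorded in the promotion log; review it before restarting
Get-Content -Path "$env:SystemRoot\debug\dcpromo.log" | Select-Object -Last 20
Restart-Computer
```

After the restart, Get-ADDomainController (Active Directory module) and dcdiag /test:advertising /test:sysvolcheck confirm that the new domain controller is advertising and that SYSVOL is shared.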
Answer: Because the domain controllers in your domain do not hold information about objects in other domains, you must rely on the global catalog, which holds an indexed partial attribute set for every object in the forest.
3. Which tools can you use to install AD DS?
Answer: Use Server Manager to add the AD DS role, and then run dcpromo.exe to make the server a domain controller. Running dcpromo.exe directly also works: it installs the role binaries if they are not already present before it starts the promotion wizard.
Tools
Tool | Use to | Where to find it
Server Manager | Adding the AD DS role | Administrative Tools
Initial Configuration Tasks | Performing post-installation tasks on Windows Server 2008 R2 | Type Oobe.exe in the Run window
Dcpromo.exe | Installing Active Directory Domain Services and making the server a domain controller | Type dcpromo.exe in the Run window, or use Server Manager to run the tool
Module 2
Administering Active Directory Securely and Efficiently
Contents:
Lesson 1: Work with Active Directory Administration Tools
Lesson 2: Custom Consoles and Least Privilege
Lesson 3: Find Objects in Active Directory
Lesson 4: Use Windows PowerShell to Administer Active Directory
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1: Work with Active Directory Administration Tools
Additional Reading
Active Directory Administration Snap-ins
Active Directory Domain Services
Managing Active Directory from MMC
Install the Active Directory Schema snap-in
Lesson 2: Custom Consoles and Least Privilege
10. Click OK to close the Add Or Remove Snap-ins dialog box.
11. Click File, click Save, and save the console as C:\AdminTools\ADConsole.msc. Be sure to save the console to a new folder. In the next demo, you will open the console with a different user account that will not have access to your Desktop or Documents folders.
12. Close MMC.
Demonstration: Secure Administration with User Account Control and Run As Administrator
Detailed demonstration steps
1. Log off from NYC-DC1.
2. Log on with user-level credentials: CONTOSO\Pat.Coleman, with the password Pa$$w0rd.
3. Open the C:\AdminTools folder you created in the previous demonstration.
4. Right-click the ADConsole.msc console and click Run as administrator.
5. Enter the credentials of your administrative account, CONTOSO\Pat.Coleman_Admin, with the password Pa$$w0rd. Click Yes.
6. Optionally, open Task Manager and click Show processes from all users. Enter the same credentials: CONTOSO\Pat.Coleman_Admin; Pa$$w0rd. The console process is listed as running under Pat.Coleman_Admin, not Pat.Coleman.
7. The elevated process carries only the access token of the administrative account (Pat.Coleman_Admin), so it has only the access that account has been granted. Unless Pat.Coleman_Admin, or a group it belongs to, has been granted access to Pat.Coleman's profile folders (the local Administrators group has it by default), it cannot open the Desktop, Documents, or other folders that the user account (Pat.Coleman) can. If Pat.Coleman saves the console to a location accessible only to that account and starts it from there, the moment the process is elevated to Pat.Coleman_Admin it can no longer read the console file. This is why the console was saved to a separate folder in the previous demonstration.
8. At the end of the demo, log off from NYC-DC1 and log back on as CONTOSO\Pat.Coleman_Admin, with the password Pa$$w0rd.
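The same demonstration can be scripted, which also makes the token difference visible. The following is an added example and not part of the course: it grants the administrative account read access to the console folder, starts the console the way Run as administrator does, and reports which identity and which kind of token the current PowerShell session holds. Paths and account names are the course lab values; the ACL step assumes the folder was created by Pat.Coleman.

```powershell
# Added example (not from the course): least-privilege launch of the custom console.
$adminTools = 'C:\AdminTools'
$console    = Join-Path $adminTools 'ADConsole.msc'
$adminUser  = 'CONTOSO\Pat.Coleman_Admin'

# 1. Make sure the admin account can read the console. The elevated process runs with
#    Pat.Coleman_Admin's token only, so a console saved under Pat.Coleman's profile is
#    unreadable to it unless that account (or one of its groups) has access there.
$acl  = Get-Acl -Path $adminTools
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $adminUser, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $adminTools -AclObject $acl

# 2. "Run as administrator": -Verb RunAs raises the UAC prompt, which from a standard-user
#    session asks for administrative credentials and yields an elevated token.
#    Start-Process -Credential (or runas.exe) would instead start mmc as Pat.Coleman_Admin
#    with that account's filtered, non-elevated token while UAC is on.
Start-Process -FilePath 'mmc.exe' -ArgumentList "`"$console`"" -Verb RunAs

# 3. Report the identity and elevation state of the session this runs in. Run it once from
#    a normal PowerShell window and once from one started with Run as administrator.
function Get-TokenSummary {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    New-Object PSObject -Property @{
        User     = $id.Name
        Elevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}
Get-TokenSummary
```

Only the session started with Run as administrator reports Elevated = True; the filtered token that runas.exe produces under UAC still reports False, even though the account is a member of Domain Admins.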
Additional Reading
Demonstration: Create a Custom MMC Console for Administering Active Directory
Add, Remove, and Organize Snap-ins and Extensions in MMC 3.0
Secure Administration with Least Privilege, Run As Administrator, and User Account Control
Using Run as
Demonstration: Secure Administration with User Account Control and Run As Administrator
Using Run as
Lesson 3: Find Objects in Active Directory
Add a user to the Instructors group by using the Add To Group command of the user.
1. Browse to the User Accounts\Employees OU.
2. Right-click Pat Coleman and click Add to a group.
3. Type Instr and click Check Names. This demonstrates the resolution of a group name. Note that Computers are not included by default. Click OK.

Set up the scenario: You want to deploy Microsoft Office Visio to NYC-CL1. It is licensed per computer, not per user, so the deployment of Visio should be targeted to a computer object (like most software). You have a group that represents the computers that should have Visio.
4. Open the APP_Visio group from the Groups\Application OU.
5. On the Members tab, try to add NYC-CL1. Point out that it fails.
6. Try again. This time, click the Object Types button and select Computers.

Note that saved queries can virtualize your view of your Active Directory: it doesn't matter where an object is located (for example, in the Employees, Contractors, or Admin Identities OUs), just that it meets the search criteria.

Create a saved query called Non-Expiring Passwords that returns user objects with passwords that do not expire.
1. Right-click Saved Queries, point to New, and then click Query.
2. In the New Query dialog box, type Non-Expiring Passwords in the Name box.
3. Click Define Query. Select the Non expiring passwords check box. Click OK twice.
Note that all users in the sample domain are set to non-expiring passwords for the purposes of the course only. In a production domain the same saved query is a useful audit: user accounts whose passwords never expire should be the exception (typically service accounts, which Module 3 shows how to replace with managed service accounts), and each one should be justified.
Demonstration: Find Objects by Using Active Directory Administrative Center
Detailed demonstration steps
If not already started, start 6425C-NYC-DC1 and log on to NYC-DC1 as Pat.Coleman_Admin, with the password Pa$$w0rd.
Create a saved query called Global Catalog Servers that returns all global catalog servers in the domain.
1. In Active Directory Administrative Center, in the left-hand pane, click Global Search.
2. In the Global Search pane, click Add criteria.
3. Select the check box next to Computers running as a given domain controller type. Click Add.
4. Click the Any domain controllers link and then choose Global catalogs.
5. Click Search.
6. Note that any domain controller that is configured as a global catalog is displayed.
7. Click the Save button.
8. In the text box, type Global Catalog Servers, and then click OK.
9. Click the Queries button to view the saved query.
10. Log off from NYC-DC1 when you have finished the demonstration.
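Both saved queries from these demonstrations can be run from the Active Directory module, which makes them easy to schedule or export for review. The following is an added example and not part of the course. It shows the LDAP filter that the Non-Expiring Passwords saved query evaluates (the DONT_EXPIRE_PASSWD bit, 0x10000, of userAccountControl), the equivalent cmdlet filter, and the global catalog query. The export path is an assumption.

```powershell
# Added example (not from the course): the two saved queries as PowerShell.
Import-Module ActiveDirectory

# Non-expiring passwords, expressed as the LDAP filter the saved query uses.
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; 65536 = 0x10000 = DONT_EXPIRE_PASSWD.
$ldapNonExpiring = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
$nonExpiring = Get-ADUser -LDAPFilter $ldapNonExpiring -Properties PasswordLastSet |
    Where-Object { $_.Enabled } |          # disabled accounts matter less; review them separately
    Select-Object Name, SamAccountName, PasswordLastSet, DistinguishedName

# The same query with the cmdlet's own filter syntax (PasswordNeverExpires maps to that bit)
$nonExpiringAgain = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true }

# Global catalog servers in the domain, with the site each one serves
$globalCatalogs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object Name, Site, IPv4Address, OperatingSystem

$nonExpiring    | Format-Table -AutoSize
$globalCatalogs | Format-Table -AutoSize

# Export the password audit for review (assumption: C:\AdminTools exists from the earlier demo)
$nonExpiring | Export-Csv -Path 'C:\AdminTools\NonExpiringPasswords.csv' -NoTypeInformation
```

Both forms of the password query return the same accounts; the LDAP form is useful when the same check has to be run from tools that only accept an LDAP filter, such as the saved query dialog itself or csvde.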
Additional Reading
Options for Locating Objects
Search Active Directory
Lesson 4: Use Windows PowerShell to Administer Active Directory
3. To create a new user, type the following. (Note: by default the user is created in the Users container if no other option is specified. For this demo, the account is created in the New Users OU.)

5. To get a group and view its members, type the following commands.
Get-ADGroup -Filter "Name -eq 'Domain Admins'"
Get-ADGroup -Filter "Name -eq 'Domain Admins'" | Get-ADGroupMember

7. To set the password and enable a user account, type the following commands. Note that the password is in single quotes: inside a double-quoted string PowerShell expands $$ (the automatic variable holding the last token of the previous command line), so "Pa$$w0rd1" would not set the password you expect.
Set-ADAccountPassword testuser1 -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd1' -Force)
Get-ADUser -Filter 'Name -eq "TestUser1"' | Enable-ADAccount
Additional Reading
Windows PowerShell Cmdlets for Active Directory
Active Directory Administration with Windows PowerShell
Answer: No, it is based upon Windows PowerShell.
3. List some of the tasks that can be performed with Windows PowerShell.
Answer:
- User, Computer, and Group Management
- Organizational Unit Management
- Password Policy Management
- Object Search and Modification
- Forest and Domain Management
- Domain Controller and Operations Master Management
- Managed Service Account Management
Tools
Tool | Use to | Where to find it
Active Directory Users and Computers | Managing an Active Directory domain | Administrative Tools
Active Directory Administrative Center | Managing an Active Directory domain | Administrative Tools
Windows PowerShell | Managing an Active Directory domain | Administrative Tools
Module 3
Managing Users and Service Accounts
Contents:
Lesson 1: Create and Administer User Accounts
Lesson 2: Configure User Object Attributes
Lesson 3: Automate User Account Creation
Lesson 4: Create and Configure Managed Service Accounts
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1: Create and Administer User Accounts
9. Ensure that User must change password at next logon is selected, and then click Next.
Additional Reading
Create Users with Windows PowerShell
Creating a user with Windows PowerShell
Name Attributes
Object Names
Account Attributes
User Properties - Account Tab http://go.microsoft.com/fwlink/?LinkID=214193
Lesson 2: Configure User Object Attributes
10. Select Account is disabled.
11. Click Next.
12. Review the summary and click Finish.
13. Right-click _Sales User, and then click Properties.
14. Click the Member Of tab.
15. Click Add.
16. Type Sales and click OK.
17. The Multiple Names Found dialog box appears. Select Sales and click OK.
18. Click the Organization tab.
19. In Department, type Sales.
20. In Company, type Contoso, Ltd.
21. Click the Change button in the Manager section.
22. Type Anibal Sousa and click OK.
23. Click the Account tab.
24. In the Account Expires section, click End Of, and then select the last day of the current year.
25. Click OK.

Creating a user from the template
1. Right-click _Sales User, and then click Copy.
2. In First name, type Amy.
3. In Last name, type Strande.
4. In User logon name, type Amy.Strande.
5. Confirm that the User logon name (pre-Windows 2000) is also Amy.Strande, and click Next.
6. In Password and Confirm password, type Pa$$w0rd.
7. Clear Account is disabled.
8. Click Next, review the summary, then click Finish.
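The Copy command above carries over the attributes that are flagged in the schema as copied when a user is duplicated, plus the group memberships; the password and the SID are never copied. The following script is an added example, not part of the course: it performs the same copy with the Active Directory module, making the copied attribute set explicit, and leaves the template account disabled. The OU path and the template's logon name are assumptions; the new user's password is prompted for.

```powershell
# Added example (not from the course): create Amy Strande from the _Sales User template.
Import-Module ActiveDirectory

$templateSam = '_SalesUser'                                        # assumption: logon name of _Sales User
$ou          = 'OU=Employees,OU=User Accounts,DC=contoso,DC=com'   # assumption: target OU
$first = 'Amy'; $last = 'Strande'
$logon = "$first.$last"

# Read the attributes the demonstration set on the template (steps 16-24)
$template = Get-ADUser -Identity $templateSam `
    -Properties Department, Company, Manager, AccountExpirationDate, MemberOf

$password = Read-Host -Prompt "Initial password for $logon" -AsSecureString

# Create the user with the template's organizational attributes and expiry date.
# The template's password and SID are not copied; the new account gets its own.
New-ADUser -Name "$first $last" -GivenName $first -Surname $last `
    -SamAccountName $logon -UserPrincipalName "$logon@contoso.com" -Path $ou `
    -Department $template.Department -Company $template.Company -Manager $template.Manager `
    -AccountExpirationDate $template.AccountExpirationDate `
    -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true

# Copy group memberships (the Sales group from step 16). The primary group is not in MemberOf.
foreach ($groupDN in $template.MemberOf) {
    Add-ADGroupMember -Identity $groupDN -Members $logon
}

# Check the result, and confirm the template itself is still disabled
Get-ADUser -Identity $logon -Properties Department, Company, Manager, AccountExpirationDate, MemberOf |
    Select-Object Name, Enabled, Department, Company, Manager, AccountExpirationDate, MemberOf
(Get-ADUser -Identity $templateSam).Enabled
```

Keeping template accounts disabled matters because they are otherwise ordinary user accounts with a known set of memberships: an enabled template with a weak or shared password is a ready-made foothold. The last line should print False.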
Additional Reading
Modify User Attributes by Using Windows PowerShell
Setting a User's Profile Attributes
Modifying an Attribute for Several Users at Once
Lesson 3: Automate User Account Creation
Additional Reading
Export Users with CSVDE
CSVDE
LDAP Query Syntax
Lesson 4: Create and Configure Managed Service Accounts
Additional Reading
Challenges of Using Standard User Accounts for Services
What's New in Service Accounts in Windows Server 2008 R2 and Windows 7
Answer: Answers will vary; however, options include Active Directory Users and Computers, Active Directory Administrative Center, or the Active Directory Module for Windows PowerShell.
2. Which user account attributes will be important to use within your network environment?
Answer: Answers will vary, but possible answers should be based upon attributes listed in the user account properties.
Module 4
Managing Groups
Contents:
Lesson 1: Overview of Groups
Lesson 2: Administer Groups
Lesson 3: Best Practices for Group Management
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1: Overview of Groups
Contents:
Additional Reading
Additional Reading
Role-Based Management: Role Groups and Rule Groups
For more information about role-based management, see Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).
Default Groups
For more information about protected accounts, see:
Knowledge Base article 817433
Knowledge Base article 840001
If you want to search the Internet for resources, use the keyword adminSDHolder.
Microsoft TechNet provides an exhaustive reference to the default groups in a domain and to the default local groups. For reference information about local and domain groups, and about default local groups, see:
Default groups
Windows Server 2008 Future Resources
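The AdminSDHolder mechanism referred to above is worth inspecting directly. Every 60 minutes (by default) the SDProp process on the PDC emulator stamps the ACL of CN=AdminSDHolder,CN=System onto the members of the protected groups, sets adminCount=1 on them and disables ACL inheritance on those objects. Accounts removed from a protected group keep adminCount=1 and the restrictive, non-inheriting ACL until somebody cleans them up. The following script is an added example and not part of the course: it shows the AdminSDHolder ACL, resolves the protected group memberships, and lists "orphaned" accounts that still carry adminCount=1 but are no longer protected. The group list is the standard set of protected groups; Enterprise Admins and Schema Admins exist only in the forest root domain.

```powershell
# Added example (not from the course): audit AdminSDHolder and adminCount.
Import-Module ActiveDirectory

$domainDN      = (Get-ADDomain).DistinguishedName
$adminSDHolder = "CN=AdminSDHolder,CN=System,$domainDN"

# 1. The ACL that SDProp copies onto protected objects
(Get-Acl -Path "AD:\$adminSDHolder").Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize

# 2. Protected groups, membership resolved recursively so nested groups count
$protectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'
$protectedDNs = foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}
$protectedDNs = $protectedDNs | Sort-Object -Unique

# 3. Users flagged adminCount=1 that are not (or no longer) in any protected group.
#    They still carry the AdminSDHolder ACL and do not inherit permissions from their OU,
#    so delegation set on the OU silently does not apply to them.
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $protectedDNs -notcontains $_.DistinguishedName }
$orphans | Select-Object Name, SamAccountName, DistinguishedName | Format-Table -AutoSize

# Cleaning up an orphan means clearing adminCount and re-enabling inheritance; both steps
# are needed, because SDProp never undoes its own changes.
foreach ($u in $orphans) {
    Set-ADUser -Identity $u -Clear adminCount
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    $acl.SetAccessRuleProtection($false, $true)     # inherit again, keep existing explicit ACEs
    Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
}
```

Run the audit part first and review the orphan list before running the clean-up loop; an account that is still intended to be protected should be put back into the appropriate group rather than cleared.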
Lesson 2: Administer Groups
Contents:
Detailed Demonstration Steps
Additional Reading
4. Type the name of the new group in the Group name box. For the purpose of this demonstration, type ITConsultants. Most organizations have naming conventions that specify how group names should be created; be sure to follow the guidelines of your organization. By default, the name you type is also entered as the Group name (pre-Windows 2000). It is strongly recommended that you keep the two names the same.
5. Do not change the name in the Group name (pre-Windows 2000) box.
6. Choose the Group type. A Security group is a group that can be given permissions to resources; it can also be configured as an e-mail distribution list. A Distribution group is an e-mail-enabled group that cannot be given permissions to resources, so it is used only when a group is an e-mail distribution list with no possible requirement for access to resources. For this demo, click Security.
7. Select the Group scope. A Global group is typically used to identify users based on criteria such as job function or location. A Domain local group is used to collect users and groups who share similar resource access needs, such as all users who need to be able to modify a project report. A Universal group is typically used to collect users and groups from multiple domains. For this demo, click Global.
8. Click OK.

Group objects have a number of properties that are useful to configure. These can be specified after the object has been created.

Configure Group Properties:
1. Right-click the ITConsultants group, and then click Properties.
2. Enter the properties for the group. Be sure to follow the naming conventions and other standards of your organization.
The group's Members and Member Of tabs specify who belongs to the group and what groups the group itself belongs to.
The group's Description field, because it is easily visible in the details pane of the Active Directory Users and Computers snap-in, is a good place to summarize the purpose of the group and the contact information for the individual(s) responsible for deciding who is and is not a member of the group. The group's Notes field can be used to provide more detail about the group.
The Managed By tab can be used to link to the user or group that is responsible for the group. The contact information on the Managed By tab is populated from the account specified in the Name box. The Managed By tab is typically used for contact information, so that if a user wants to join the group, you can decide who in the business should be contacted to authorize the new member. However, if you select the Manager can update membership list option, the account specified in the Name box is granted permission to add and remove members of the group (a Write permission on the group's member attribute). This is one method to delegate administrative control over the group.
To change the user or group that is referred to on the Managed By tab, click the Change button underneath the Name box. By default, the Select User, Contact, or Group dialog box that appears does not, despite its name, search for groups. To search for groups, you must first click the Object Types button and select Groups.
3. Click OK.
Change Group Scope using Windows PowerShell with Active Directory Module:
1. Open Windows PowerShell with Active Directory Module from Administrative Tools on the Start menu. Be sure to open it as administrator.
2. When the command-line environment opens, type the following command, and then press ENTER.
Set-ADGroup -Identity ITConsultants -GroupScope Universal
3. Open the Active Directory Users and Computers console and check that the group scope has changed from Global to Universal.
Note that scope changes are constrained: a global group can become universal only if it is not a member of another global group, a domain local group can become universal only if it contains no other domain local group, and a universal group can become global only if it contains no other universal group. There is no direct conversion between global and domain local; convert to universal first.
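The group properties discussed above, including the delegation that the Manager can update membership list check box performs, can all be set from PowerShell. The following script is an added example and not part of the course: it creates the demonstration group with a description and manager, protects it from accidental deletion, grants the manager write access to the member attribute (which is what the check box does), verifies the ACE, and then changes the scope as in the demonstration. The OU path and the choice of Pat.Coleman as the business owner are assumptions; the GUID is the schema ID of the member attribute.

```powershell
# Added example (not from the course): create, delegate and re-scope the ITConsultants group.
Import-Module ActiveDirectory

$groupName = 'ITConsultants'
$ou        = 'OU=Groups,DC=contoso,DC=com'            # assumption: target OU
$manager   = Get-ADUser -Identity 'Pat.Coleman'       # assumption: the business owner of the group

New-ADGroup -Name $groupName -SamAccountName $groupName -GroupCategory Security `
    -GroupScope Global -Path $ou `
    -Description "IT consultants; membership approved by $($manager.Name)" `
    -ManagedBy $manager.DistinguishedName
$group = Get-ADGroup -Identity $groupName
Set-ADObject -Identity $group.DistinguishedName -ProtectedFromAccidentalDeletion $true

# "Manager can update membership list": WriteProperty on the member attribute only.
# bf9679c0-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of the member attribute.
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $manager.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$($group.DistinguishedName)" -AclObject $acl

# Verify that the only right the manager received is on that one attribute
(Get-Acl -Path "AD:\$($group.DistinguishedName)").Access |
    Where-Object { $_.IdentityReference -like "*\$($manager.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

# Scope change from the demonstration; fails if the group is a member of another global group
Set-ADGroup -Identity $groupName -GroupScope Universal
(Get-ADGroup -Identity $groupName).GroupScope
```

Granting WriteProperty on member only, rather than Full Control or Write on the whole object, is the least-privilege form of this delegation: the manager can add and remove members but cannot rename the group, change its scope, or alter its ACL.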
Additional Reading
Demonstration: Create a Group Object
Create a New Group
Lesson 3: Best Practices for Group Management
Additional Reading
Protect Groups from Accidental Deletion
For more information about recovering deleted groups and their memberships, go to: Knowledge Base article 840001
Answer: In this situation, create a group with domain local scope and assign it permission to access the printer. Put the Sales user accounts in a group with global scope, and then add that global group to the domain local group. When you want to give the Sales users access to a new printer, assign the domain local group permission to access the new printer; all members of the global group automatically receive access.
2. You are responsible for managing accounts and access to resources for your group members. A user in your group transfers into another department within the company. What should you do with the user's account?
Answer: Although your company may have an HR representative with AD DS permissions to move user accounts, the best solution is to have the user account moved into the appropriate OU of the new department, so that the Group Policies associated with the new department are enforced. If applying the correct Group Policies is important, the user's account should be disabled until somebody with the appropriate permissions can move it into the new OU. Review the account's group memberships at the same time: moving the account between OUs does not remove the access it was granted through the old department's groups.
3. Which group scope can be assigned permissions in any domain or forest?
Answer: Universal group scope can be assigned permissions in any domain in the forest, or in a trusting forest.
Answer: Create a new global security group. Add the project members to the group. Create a new OU outside your department's OU. Assign full control of the OU to the project manager. Add the global group to the new OU. Add resources to the OU, such as shared files and printers. Keep track of the project, and delete the global group when the work finishes. You can keep the OU if another project requires it. However, you should delete it if there is no immediate need for it.
Tools
Tool | Use | Where to find it
Active Directory Users and Computers | Manage groups | Administrative Tools
Windows PowerShell with Active Directory Module | Manage groups | Installed as a Windows feature
DS utilities | Manage groups | Command line
Module 5
Managing Computer Accounts
Contents:
Lesson 1: Create Computers and Join the Domain
Lesson 3: Offline Domain Join
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1: Create Computers and Join the Domain
Lesson 3: Offline Domain Join
Answer: You should reset a computer account when the computer is no longer able to authenticate to the domain. That can happen if the operating system is reinstalled, the computer is restored from a backup, or the computer account password has fallen out of sync with the domain. If you simply disjoin the computer from the domain and rejoin it instead of resetting the account, you risk losing the computer account altogether: the computer's SID is lost and, more importantly, so are its group memberships. When you rejoin the domain, even though the computer has the same name, the account has a new SID, and all the group memberships of the previous computer object must be re-created.
3. In an Offline Domain Join, what should you do after you provision a new computer account to the domain by using the djoin.exe utility?
Answer: After a new computer account is provisioned, transfer the blob text file, which contains the domain and computer account information, to the destination computer that should be joined to the domain. Then run djoin.exe with the /requestODJ switch. Treat the blob file as a secret: it contains the machine account password.
Problem | Troubleshooting tip
Group Policy is not applied to the computer after it is joined to the domain. | Check whether the computer account is still in the Computers container. You cannot link GPOs to this container.
The Offline Domain Join is not working as expected. | Check that the name of the provisioned computer account is the same as the name of the computer being joined to the domain. Make sure that you do not use the /localos switch if you are mounting a drive from the destination computer.
Answer: The best way is to first provision the computer accounts in AD DS by using the djoin utility with the /provision switch, and then use an unattended setup to perform the installation. By using a utility such as Windows System Image Manager, you can perform an unattended domain join during an operating system installation by providing the information that is relevant to the domain join in an Unattend.xml file.
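The provisioning side of that answer, for a batch of computers, looks like the following. This is an added example and not part of the course: it provisions the accounts into a specific OU, checks the exit code of each djoin call, confirms where the accounts landed, and records the command the destination computers run. Domain, OU, computer names and paths are assumptions for the course lab.

```powershell
# Added example (not from the course): offline domain join, provisioning side.
$domain    = 'contoso.com'
$ou        = 'OU=Clients,DC=contoso,DC=com'     # assumption: OU where client accounts belong
$computers = 'NYC-CL2', 'NYC-CL3'               # assumption: computers to be joined
$blobDir   = 'C:\ODJ'
New-Item -ItemType Directory -Path $blobDir -Force | Out-Null

# 1. Provision, running as an account allowed to create computer objects in $ou.
#    /reuse resets the password of an existing account of the same name instead of failing:
#    the "reset, do not disjoin and rejoin" case from the review question above.
foreach ($name in $computers) {
    $blob = Join-Path $blobDir "$name.txt"
    & djoin.exe /provision /domain $domain /machine $name /machineou $ou /savefile $blob /reuse
    if ($LASTEXITCODE -ne 0) { throw "Provisioning $name failed with exit code $LASTEXITCODE" }
}

# 2. Confirm the accounts are in the intended OU; GPOs cannot be linked to the Computers container
Import-Module ActiveDirectory
Get-ADComputer -Filter * -SearchBase $ou | Select-Object Name, Enabled, DistinguishedName

# 3. Destination side, run on each new computer with its own blob:
#      djoin.exe /requestODJ /loadfile C:\ODJ\NYC-CL2.txt /windowspath %SystemRoot% /localos
#    then restart. For an offline image, point /windowspath at the mounted image's Windows
#    folder and omit /localos. The blob contains the machine account password: move it over a
#    protected channel and delete every copy once the join has completed.
```

For the unattended-setup variant, the base64 content of the blob goes into the Microsoft-Windows-UnattendedJoin component (Identification\Provisioning\AccountData) in the offlineServicing pass of Unattend.xml, which is how Windows System Image Manager exposes it.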
Tools
Tool | Use | Where to find it
Windows PowerShell with Active Directory Module | Computer account management | Administrative Tools
CSVDE, LDIFDE | Importing computer accounts into AD DS | Windows Server 2008 command prompt
Djoin.exe | Offline domain join | Windows Server 2008 command prompt
Module 6
Implementing a Group Policy Infrastructure
Contents:
Lesson 1: Understand Group Policy
Lesson 2: Implement GPOs
Lesson 3: Manage Group Policy Scope
Lesson 4: Group Policy Processing
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1: Understand Group Policy
Additional Reading
Review the Components of Group Policy
TechNet contains detailed technical and operational guides to Group Policy, including the following:
Windows Server Group Policy
How Core Group Policy Works
Deploying Group Policy Using Windows Vista
Summary of New or Expanded Group Policy Settings
What's New in Group Policy in Windows Vista
Lesson 2: Implement GPOs
Contents:
Detailed Demonstration Steps
Additional Reading
Open a GPO for editing
1. In the details pane of the Group Policy Management console (GPMC), right-click the CONTOSO Standards GPO, and then click Edit. The Group Policy Management Editor (GPME) appears.
2. Close the GPME.

Link a GPO
1. In the GPMC console tree, right-click the contoso.com domain, and then click Link an Existing GPO.
2. Select CONTOSO Standards and click OK.

Delegate the management of GPOs
1. In the GPMC console tree, click the contoso.com domain.
2. In the details pane, click the Delegation tab.
3. Review the default delegation.
4. In the GPMC console tree, expand the Group Policy Objects container, and then click the CONTOSO Standards GPO.
5. In the details pane, click the Delegation tab.
6. Review the default delegation.
7. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
8. In the console tree, click the Users container.
9. In the details pane, double-click the Group Policy Creator Owners group, and then click the Members tab.
Delete a GPO
1. In the GPMC console tree, in the Group Policy Objects container, right-click the CONTOSO Standards GPO, and then click Delete.
2. Click No.
Discuss the default connection to the PDC Emulator
1. In the GPMC console tree, right-click the contoso.com domain, and then click Change Domain Controller.
2. Review the default settings. By default, the GPMC and the GPME connect to the domain controller that holds the PDC Emulator role, so that all administrators edit the same copy of a GPO and concurrent edits do not produce replication conflicts.
Additional Reading
Local GPOs
Multiple Local Group Policy objects
Step-by-Step Guide to Managing Multiple Local Group Policy Objects
Lesson 3: Manage Group Policy Scope
Additional Reading
WMI Filters
For more information on WMI and for examples of WMI filters, see:
WMI filtering using GPMC
Windows Management Instrumentation (WMI) software development kit (SDK)
Lesson 4: Group Policy Processing
Additional Reading
Slow Links and Disconnected Systems
How Core Group Policy Works
Answer: Security permissions might be the problem. If some users do not have Read access to the shared network folder where the scripts are stored, they cannot apply the policy. Security filtering on the GPO might also be the cause.
2. What GPO settings are applied across slow links by default?
Answer: Registry policy (Administrative Templates) and Security policy are always applied, even when a slow link is detected. This behavior cannot be changed.
3. You need to ensure that a domain-level policy is enforced, but the Managers global group needs to be exempt from the policy. How would you accomplish this?
Answer: Set the link to be enforced at the domain level, and use security group filtering to deny the Apply Group Policy permission to the Managers group. The Deny ACE for Managers overrides the Allow that its members receive through Authenticated Users; denying Administrators instead would not exempt the Managers group.
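The enforce-and-exempt pattern from the last answer, as an added PowerShell example (not part of the course text). It assumes the domain contoso.com, the CONTOSO Standards GPO already linked to the domain as in the demonstration, a global group named Managers, and a host with the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 or RSAT). Set-GPPermission can grant or remove rights but cannot write a Deny ACE, so the deny is written directly to the GPO's groupPolicyContainer object through the AD: drive.

```powershell
# Added example: enforce a domain-linked GPO and exempt one group by denying
# the Apply Group Policy extended right. Assumptions: contoso.com, GPO
# "CONTOSO Standards" already linked at the domain, group "Managers".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'CONTOSO Standards'
$domainDn  = 'DC=contoso,DC=com'
$exemptGrp = 'Managers'

# 1. Enforce the existing domain link so that Block Inheritance on a child OU
#    cannot stop the GPO from applying.
Set-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes -Enforced Yes | Out-Null

# 2. Deny the Apply Group Policy right to the exempt group. The rightsGuid of
#    the Apply-Group-Policy extended right is fixed in the AD schema.
$applyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$gpo  = Get-GPO -Name $gpoName
$path = "AD:\$($gpo.Path)"                 # cn={GUID},cn=policies,cn=system,DC=contoso,DC=com
$sid  = (Get-ADGroup -Identity $exemptGrp).SID

$acl = Get-Acl -Path $path
$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicyRight)
$acl.AddAccessRule($denyApply)
Set-Acl -Path $path -AclObject $acl

# 3. Verify: the group should show GpoApply with Denied = True, and the domain
#    link should be enforced.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Trustee.Name -eq $exemptGrp } |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied

(Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName } |
    Select-Object DisplayName, Enabled, Enforced
```

To confirm on a client, run gpresult /r /scope:user as a member of Managers: the GPO is listed among the GPOs that were filtered out, with Filtering: Denied (Security). Two caveats: after a direct edit of the AD ACL, GPMC may report that the SYSVOL permissions for the GPO are inconsistent with Active Directory; open the GPO's Delegation tab once and let GPMC repair them. And if you filter positively instead (remove Authenticated Users and grant Apply to a group), keep a Read ACE for Authenticated Users or Domain Computers, because since the MS16-072 update user policy is retrieved in the computer's security context and a GPO the computer account cannot read is silently skipped.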
Tools
Group Policy reporting (RSoP): reports the current policies being delivered to clients. Where to find it: Group Policy Management Console.
GPResult: command-line utility that displays RSoP information.
GPUpdate: command-line utility that refreshes local and AD DS-based Group Policy settings.
Dcgpofix: command-line utility that restores the default Group Policy objects (Default Domain Policy and Default Domain Controllers Policy) to their original state after initial installation.
GPOLogView: command-line utility that exports Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista, Windows 7, and later versions.
Sample scripts: scripts that perform a number of different troubleshooting and maintenance tasks.
Module 7
Managing User Desktop with Group Policy
Contents:
Lesson 1: Implement Administrative Templates
Lesson 2: Configure Group Policy Preferences
Lesson 3: Manage Software with GPSI
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1: Implement Administrative Templates
5. In the Comment section, type Corporate IT Security Policy implemented with this policy in combination with Enable screen saver, and then click OK.
Add comments to a GPO
1. In the console tree of the Group Policy Management Editor, right-click the root node, 6425C [NYC-DC1.CONTOSO.COM], and then click Properties.
2. Click the Comment tab.
3. Type Contoso corporate standard policies. Settings are scoped to all users and computers in the domain. Person responsible for this GPO: your name. This comment appears on the Details tab of the GPO in the GPMC.
4. Click OK, and then close the Group Policy Management Editor.
Create a new GPO from a starter GPO
1. In the console tree of the GPMC, click the Starter GPOs container.
2. In the details pane, click the Create Starter GPOs Folder button.
3. In the console tree, right-click the Starter GPOs container, and then click New.
4. In Name, type CONTOSO Starter GPO, and then click OK.
5. In the details pane, right-click CONTOSO Starter GPO, and then click Edit. The Group Policy Starter GPO Editor appears. Review and edit the settings as desired.
6. Close the Group Policy Starter GPO Editor.
7. In the details pane, right-click CONTOSO Starter GPO, and then click New GPO From Starter GPO.
8. In Name, type CONTOSO Desktop, and then click OK.
Create a new GPO by copying an existing GPO
1. In the GPMC console tree, expand the Group Policy Objects container, right-click the CONTOSO Desktop GPO, and then click Copy.
2. Right-click the Group Policy Objects container, click Paste, and then click OK.
3. Click OK.
Create a new GPO by importing settings that were exported from another GPO
1. In the GPMC console tree, expand the Group Policy Objects container, right-click the CONTOSO Desktop GPO, and then click Back Up.
2. In Location, type D:\Labfiles\Lab07c, and then click Back Up.
3. When the backup finishes, click OK.
4. In the GPMC console tree, right-click the Group Policy Objects container, and then click New.
5. In Name, type CONTOSO Import, and then click OK.
6. In the GPMC console tree, right-click the CONTOSO Import GPO, and then click Import Settings. The Import Settings Wizard appears.
7. Click Next three times.
8. Select CONTOSO Desktop, and then click Next two times.
Lesson 2: Configure Group Policy Preferences
10. Under Windows Settings, right-click Folders, point to New, and then click Folder.
11. In the New Folder dialog box, select Create from the Action list.
12. In the Path field, type C:\Reports.
13. On the Common tab, select the Item-level targeting check box, and then click Targeting.
14. In the Targeting Editor dialog box, click New Item, and then click Operating System.
15. In the Product list, click Windows Server 2008 R2, and then click OK twice.
Additional Reading
Differences Between Group Policy Preferences and Settings
For an overview of Group Policy preferences, see
Lesson 3: Manage Software with GPSI
25. Click OK two times to close the Advanced Security Settings dialog boxes.
26. In the Customize Permissions dialog box, click the Share Permissions tab.
27. Select the Full Control check box. The security management best practice is to configure least-privilege permissions in the ACL of the resource, which apply to users regardless of how they connect to the resource; you can then grant Full Control on the SMB shared folder. The resultant access level is the more restrictive of the two, that is, the permissions defined in the ACL of the folder.
28. Click OK.
29. Click Finish.
30. Click Finish to close the wizard.
31. Click Start, click Run, type \\NYC-SVR1\c$, and then press Enter. The Connect to NYC-SVR1 dialog box appears.
32. In the User name box, type CONTOSO\Pat.Coleman_Admin.
33. In the Password box, type Pa$$w0rd, and then press Enter. A Windows Explorer window opens, focused on the root of drive C on NYC-SVR1.
34. Open the Software folder.
35. Click New folder. A new folder is created and is in "rename mode."
36. Type XML Notepad, and then press Enter.
37. Right-click the XML Notepad folder, and then click Properties.
38. Click Security.
39. Click Edit.
40. Click Add. The Select Users, Computers, Service Accounts, or Groups dialog box appears.
41. Type APP_XML Notepad, and then press Enter. The group is given the default Read & Execute permission.
42. Click OK twice to close all open dialog boxes.
43. Open the XML Notepad folder.
44. Open the D:\Labfiles\Lab07c folder in a new window.
45. Right-click XMLNotepad.msi, and then click Copy.
46. Switch to the Windows Explorer window displaying \\NYC-SVR1\c$\Software\XML Notepad.
47. Right-click in the empty details pane, and then click Paste. XML Notepad is copied into the folder on NYC-SVR1.
48. Close all open Windows Explorer windows.
49. Close the Computer Management console.
Additional Reading
Software Deployment Options
Group Policy Software Installation overview
Answer: GPO settings enforce a setting on the client and disable the client interface for changing it; Group Policy preferences configure a setting but still allow the user to modify it afterward.
3. What is the difference between publishing and assigning software through GPSI?
Answer: If you assign software to a user or computer, it is installed without asking the user whether he or she wants it. Publishing software, which is possible only for users, makes the application available for the user to install on demand; the user decides whether it is installed.
Tools
Group Policy reporting (RSoP): reports the current policies being delivered. Where to find it: Group Policy Management Console.
GPResult: command-line utility that displays RSoP information.
GPUpdate: command-line utility that refreshes local and AD DS-based Group Policy settings.
Dcgpofix: command-line utility that restores the default Group Policy objects to their original state after initial installation.
GPOLogView: command-line utility that exports Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista and later versions.
navigate to a specific subfolder to which they have access even if they do not have permission to a parent folder. The least-privilege ACLs used in this lab are a perfect example of the value of this user right.
Question: Consider the methods used to scope the deployment of XML Notepad: assigning the application to computers, filtering the GPO to apply to the APP_XML Notepad group that contains only computers, and linking the GPO to the Client Computers OU. Why is this approach advantageous for deploying most software? What would be the disadvantage of scoping software deployment to users rather than to computers?
Answer: Most software is licensed per computer, so it is important to deploy such applications scoped to computers rather than to users. The result is the same: the application is deployed to the computers of the users who require it. If you were to deploy an application to users, it would "follow" the users to whichever computers they logged on to. For example, if a user logged on to a conference room computer or to a colleague's computer, the application would be installed on those computers as well. Scoping to a group of computers and linking the GPO to a high-level OU (or even to the domain) gives you maximum flexibility to deploy the application to whichever computers require it.
Module 8
Managing Enterprise Security and Configuration with Group Policy Settings
Contents:
Lesson 1: Manage Group Membership by Using Group Policy Settings
Lesson 2: Manage Security Settings
Lesson 4: Software Restriction Policy and AppLocker
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1: Manage Group Membership by Using Group Policy Settings
10. Click OK to close the Add Group dialog box. A Properties dialog box appears.
11. Click Add next to the This group is a member of section.
12. Type Administrators, and then click OK. The Properties group policy setting should look similar to the dialog box on the left of the side-by-side dialog boxes shown earlier.
13. Click OK again to close the Properties dialog box.
Delegating the membership of the local Administrators group in this manner adds the group specified in step 9 to that group. It does not remove any existing members of the Administrators group. The Group Policy setting simply tells the client, "Make sure this group is a member of the local Administrators group." This allows for the possibility that individual systems could have other users or groups in their local Administrators group. This Group Policy setting is also cumulative: if multiple GPOs configure different security principals as members of the local Administrators group, all of them are added to the group. To take complete control of the local Administrators group, follow these steps:
Demonstration Steps
1. In the Group Policy Management Editor, go to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
2. Right-click Restricted Groups, and then click Add Group.
3. Type Administrators, and then click OK.
A Properties dialog box appears.
4. Click Add next to the Members of this group section.
5. Click Browse and enter the name of the group you want to make the sole member of the Administrators group, for example, CONTOSO\Help Desk, and then click OK.
6. Click OK again to close the Add Member dialog box. The group policy setting Properties should look similar to the dialog box on the left of the side-by-side dialog boxes shown earlier.
7. Click OK again to close the Properties dialog box.
When you use the Members setting of a Restricted Groups policy, the Members list defines the final membership of the specified group. The steps just listed result in a GPO that authoritatively manages the Administrators group. When a computer applies this GPO, it adds all members specified by the GPO and removes all members not specified by the GPO, including Domain Admins. Only the local Administrator account is never removed from the Administrators group, because Administrator is a permanent and irremovable member of Administrators.
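Whichever form of the Restricted Groups setting you use, the local Administrators group on each computer is what an attacker cares about, so it pays to verify the result rather than trust the policy. The following PowerShell is an added example, not part of the course text: it enumerates the local Administrators group on a list of computers through the WinNT ADSI provider (available on Windows Server 2008 without extra modules) and reports every member that is not in the expected set. The expected set and the computer names are made-up values chosen to match the demonstration (CONTOSO\Help Desk as the sole managed member); the account running it must be a local administrator on the targets.

```powershell
# Added example: detect drift in local Administrators membership against the
# authoritative Restricted Groups policy described above. Assumptions: the
# expected member is CONTOSO\Help Desk; NYC-SVR1 and NYC-CL1 are constructed
# target names; remote SAM access (RPC) to the targets is available.

function Get-LocalAdminMember {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $adsPath = $m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $class   = $m.GetType().InvokeMember('Class',     'GetProperty', $null, $m, $null)
        $sidRaw  = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid     = (New-Object System.Security.Principal.SecurityIdentifier($sidRaw, 0)).Value
        # ADsPath is WinNT://CONTOSO/Help Desk for a domain principal or
        # WinNT://CONTOSO/NYC-SVR1/Administrator for a local account; the last
        # two segments give AUTHORITY\name in both cases.
        $parts = ($adsPath -replace '^WinNT://', '') -split '/'
        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            Account      = $parts[-2] + '\' + $parts[-1]
            Class        = $class          # User or Group
            Sid          = $sid
        }
    }
}

function Find-UnexpectedLocalAdmin {
    param([string[]]$ComputerName, [string[]]$Expected)
    foreach ($c in $ComputerName) {
        try {
            # The built-in Administrator (RID 500) cannot be removed by the
            # policy, so it is matched by SID rather than by name (it may be renamed).
            Get-LocalAdminMember -ComputerName $c |
                Where-Object { $_.Sid -notlike '*-500' } |
                Where-Object { $Expected -notcontains $_.Account }
        } catch {
            Write-Warning "$c : $($_.Exception.Message)"
        }
    }
}

$expected = @('CONTOSO\Help Desk')          # what the authoritative GPO defines
$targets  = @('NYC-SVR1', 'NYC-CL1')        # constructed list for the example

# Every row returned is drift: a member the GPO does not define, for example a
# group re-added by a local administrator, or the cumulative "Member of" form
# of the setting still in effect from another GPO.
Find-UnexpectedLocalAdmin -ComputerName $targets -Expected $expected |
    Format-Table ComputerName, Account, Class, Sid -AutoSize
```

If a computer shows Domain Admins or individual user accounts in the output after a refresh with gpupdate /force, either the authoritative GPO is not winning (check gpresult /r on that computer) or a second GPO is using the cumulative form; the policy only removes members when the Members list, not the Member of list, is populated.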
Additional Reading
Define Group Membership with Group Policy Preferences
Group Policy Management Console Help, "Local Users and Groups Extension"
Lesson 2: Manage Security Settings
10. Right-click C:\Users\Pat.Coleman_Admin\Documents\Security\Templates, and then click New Template.
11. Type DC Remote Desktop, and then click OK.
12. Click Start, point to Administrative Tools, and run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
13. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
14. In the details pane, right-click Corporate Help Desk, and then click Edit. The Group Policy Management Editor appears.
15. In the console tree, expand Computer Configuration, Policies, Windows Settings, and then click Security Settings.
16. Right-click Security Settings, and then click Import Policy.
17. Select the DC Remote Desktop template, and then click Open.
Additional Reading
Configure the Local Security Policy
Server Security Policy Settings
Lesson 4: Software Restriction Policy and AppLocker
10. Click Start, in the Search programs and files box, type cmd, and then press Enter.
11. In the Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to be updated.
Test the AppLocker rule
1. Start NYC-CL1 and log on as Contoso\Alan.Brewer with the password Pa$$w0rd.
2. Click Start, in the Search programs and files box, type cmd, and then press Enter.
3. In the Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to be updated.
4. Click Start, click All Programs, click Accessories, and then click WordPad.
5. Click OK when prompted with a message.
Additional Reading
What Is a Software Restriction Policy?
Using Software Restriction Policies to Protect Against Unauthorized Software
Answer: AppLocker rules are completely separate from SRP rules and cannot be used to manage pre-Windows 7 computers. The two policies are also processed separately: on a computer that supports AppLocker, if AppLocker rules have been defined in a GPO that applies to it, only those rules are applied and the SRP rules are ignored. Therefore, define AppLocker rules in a separate GPO, scoped to the computers that support them, so that SRP continues to govern the older computers.
Question: What systems should have auditing configured? Is there a reason not to audit all systems in your enterprise? What types of access should be audited, and by whom should they be audited? Is there a reason not to audit all access by all users?
Answer: Auditing should reflect IT security and usage policies. Auditing not only puts a (small) burden on the performance of a system, but also generates noise that can make finding the important events harder. What, who, and when auditing is performed should be aligned with why auditing is being performed, as driven by your business requirements.
Question: How can you permit access to only a specific set of applications for a set of computers in your environment?
Answer: Place the computers in an OU, create a GPO, and link it to the OU. In the GPO, create the default AppLocker rules for the executable rule collection and set the collection to enforce rules: once a rule collection is enforced, anything that no allow rule matches is blocked. Then add allow rules (publisher, hash, or path) for the applications you want the computers to run, and make sure the Application Identity service is running on the computers, because AppLocker rules are not enforced without it.
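The allow-list approach in the last answer, scripted with the AppLocker module that ships with Windows Server 2008 R2 and Windows 7. This is an added example and not part of the course text. It assumes a GPO named Kiosk AppLocker that is already linked to the OU holding the target computers, a reference directory whose executables should be permitted, a domain controller NYC-DC1, and that C:\Users\Alan.Brewer\Downloads\tool.exe exists on the machine where the test runs; all of these are made-up values.

```powershell
# Added example: generate AppLocker allow rules from a reference directory,
# merge them into a GPO, enforce the Exe collection, and test the outcome for
# a user. Assumptions: GPO "Kiosk AppLocker", DC NYC-DC1, paths below.
Import-Module AppLocker
Import-Module GroupPolicy

$gpo  = Get-GPO -Name 'Kiosk AppLocker'
$ldap = "LDAP://NYC-DC1.contoso.com/$($gpo.Path)"   # LDAP://.../cn={GUID},cn=policies,cn=system,...

# 1. Inventory the executables the computers should run and build allow rules:
#    publisher rules where the binaries are signed, hash rules as the fallback.
#    -Optimize collapses files from the same publisher into one rule.
$apps  = Get-AppLockerFileInformation -Directory 'C:\Program Files\Windows NT\Accessories' -Recurse -FileType Exe
$rules = New-AppLockerPolicy -FileInformation $apps -RuleType Publisher, Hash -User Everyone -Optimize

# 2. Merge into the GPO (keeps the default rules already created in the GPMC,
#    which allow %WINDIR% and %PROGRAMFILES% for Everyone and everything for
#    Administrators) and switch the Exe collection from audit to enforce.
Set-AppLockerPolicy -PolicyObject $rules -Ldap $ldap -Merge
$policy = Get-AppLockerPolicy -Ldap $ldap
foreach ($rc in $policy.RuleCollections) {
    if ($rc.RuleCollectionType -eq 'Exe') { $rc.EnforcementMode = 'Enabled' }
}
Set-AppLockerPolicy -PolicyObject $policy -Ldap $ldap

# 3. Test the policy offline before the clients refresh: WordPad should be
#    Allowed (default rule), the binary in a user-writable folder should be
#    Denied because no allow rule matches it.
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Ldap $ldap) `
    -Path 'C:\Program Files\Windows NT\Accessories\wordpad.exe',
          'C:\Users\Alan.Brewer\Downloads\tool.exe' `
    -User 'CONTOSO\Alan.Brewer' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Set the Application Identity service (AppIDSvc) to Automatic in the same GPO under Computer Configuration\Policies\Windows Settings\Security Settings\System Services; without it, the policy is downloaded but nothing is blocked. Test-AppLockerPolicy needs the files to exist because it computes the hash and publisher information from them, and it evaluates the policy object you pass, not the effective policy of the computer it runs on.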
Module 9
Securing Administration
Contents:
Lesson 1: Delegate Administrative Permissions
Lesson 2: Audit Active Directory Administration
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1: Delegate Administrative Permissions
Demonstration: Delegate Administrative Tasks with the Delegation of Control Wizard
Detailed Demonstration Steps
1. On NYC-DC1, click Start, point to Administrative Tools, and run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
2. Right-click the node (domain or OU) for which you want to delegate administrative tasks or control, and then click Delegate Control. In this example, select the Employees OU. The Delegation of Control Wizard appears, to guide you through the required steps.
3. Click Next. You will first select the administrative group to which you are granting privileges.
4. On the Users or Groups page, click Add.
   a. Use the Select dialog box to select the group, and then click OK. For this example, use the Help Desk group.
5. Click Next. You will next specify the task you wish to assign to that group.
6. On the Tasks to Delegate page, select the task. In this example, select Reset user passwords and force password change at next logon.
7. Click Next.
8. Review the summary of the actions that will be performed, and then click Finish. The Delegation of Control Wizard applies the ACEs that are required to enable the selected group to perform the specified task.
Additional Reading
Understand Effective Permissions
The best way to manage delegation in Active Directory is through role-based access control. Although this approach will not be covered on the certification exam, it is well worth understanding for real-world implementation of delegation. See the Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008) for more information.
Lesson 2: Audit Active Directory Administration
10. Click Add, and then add a user account of your choice. Click OK.
11. In Auditing Entry for Global File SACL, select the Successful and Failed check boxes for the List folder/read data and Create files/write data options.
Note: When you use Advanced Audit Policy Configuration settings, you need to confirm that these settings are not overwritten by basic audit policy settings. The following procedure shows how to prevent conflicts by blocking the application of any basic audit policy settings.
To ensure that Advanced Audit Policy Configuration settings are not overwritten:
1. Double-click Security Settings, open Local Policies, and then click Security Options.
2. Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, and then click Define this policy setting.
3. Click Enabled, and then click OK.
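The same three pieces (enable the subcategory, set a SACL, read the events) for Active Directory changes, as an added PowerShell example that is not part of the course text. It assumes it runs elevated on NYC-DC1 with the ActiveDirectory module (Windows Server 2008 R2), an Employees OU in contoso.com, and the user Chris.Gallagher used as a test subject. The auditpol.exe calls make the same change on one DC that the GPO setting Audit Directory Service Changes makes on all of them; in production, set it in the Default Domain Controllers Policy so that every DC logs.

```powershell
# Added example: enable Directory Service Changes auditing, put a SACL on an OU
# so that attribute writes are recorded, and read back the 5136 events.
# Assumptions: run as an administrator on NYC-DC1; OU=Employees exists;
# user Chris.Gallagher exists.
Import-Module ActiveDirectory

# 1. Enable the subcategory (the granular setting that the "Force audit policy
#    subcategory settings" option above protects from the legacy category).
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol.exe /get /category:"DS Access"

# 2. SACL: audit successful WriteProperty by anyone on the OU and everything
#    under it. Without a SACL the subcategory alone logs nothing.
$ou       = 'OU=Employees,DC=contoso,DC=com'
$path     = "AD:\$ou"
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$acl      = Get-Acl -Path $path -Audit
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Make a change and read it back. Event 5136 (directory service object
#    modified) carries the actor, the object DN, the attribute and its value;
#    OperationType is %%14674 for "Value Added" and %%14675 for "Value Deleted",
#    so one attribute change usually produces two events.
Set-ADUser -Identity 'Chris.Gallagher' -Description 'audit test'

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 5 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object    = $d.ObjectDN
            Attribute = $d.AttributeLDAPDisplayName
            Operation = $d.OperationType
            Value     = $d.AttributeValue
        }
    } | Format-Table Time, Subject, Attribute, Operation, Value -AutoSize
```

Scope the SACL narrowly: auditing WriteProperty by Everyone on a large OU records every logon-driven update of attributes such as lastLogonTimestamp as well, which is exactly the noise the review question warns about. A SACL limited to the attributes you care about (member, userAccountControl, scriptPath) and to the OUs holding privileged or sensitive accounts keeps event 5136 useful.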
Additional Reading
Enable Audit Policy
AD DS Auditing Step-by-Step Guide
Tools
Group Policy Management Console: used for editing security policy. Where to find it: Administrative Tools.
Delegation of Control Wizard: used for delegating administrative control over an OU. Where to find it: Active Directory Users and Computers.
Auditpol: used for configuring auditing. Command-line utility.
Answer: Lead a discussion that addresses the difficulty of reporting delegation. The user interfaces and command-line tools are neither detailed nor "administrator-friendly" enough to be useful reporting tools.
Question: What is the impact of resetting the ACL of an OU back to its schema-defined default?
Answer: You do not necessarily know what permissions are applied to the OU unless you find some way to do detailed reporting. Moreover, you do not necessarily know why those permissions were assigned to the OU or by whom. There may be good reasons for some custom and explicit permissions, and removing them may cause something in your environment to break. For example, when you install Microsoft Exchange Server, explicit permissions are applied to certain Active Directory objects.
Question: What details are captured by Directory Service Changes auditing that are not captured by Directory Service Access auditing?
Answer: Directory Service Changes auditing captures important details, including the specific attribute that was changed and the change that was made (the previous value is logged as a deleted value and the new value as an added value), rather than only the fact that an object was accessed.
Question: Which types of administrative activities would you want to audit by using Directory Service Changes auditing?
Answer: Lead a discussion to elicit suggestions from students. Pose the question: Why not audit all changes in Active Directory?
Answer: The volume of event log entries would make finding particularly important changes difficult. Guide students to an understanding that the configuration of Directory Service auditing should be driven by the requirements of an organization's IT security policies and procedures.
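A small reporting script for the first question above, added here as an example that is not part of the course text. Active Directory ACEs reference attributes and extended rights by GUID, which is why the built-in tools read poorly; resolving the GUIDs against the schema and the Extended-Rights container turns the ACEs the Delegation of Control Wizard wrote into lines such as "CONTOSO\Help Desk, Allow, ExtendedRight, Reset Password, user objects". It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and an OU path that is a made-up value.

```powershell
# Added example: list the explicit (non-inherited) ACEs on an OU with attribute
# and extended-right GUIDs resolved to names. Assumptions: ActiveDirectory
# module; OU=Employees,DC=contoso,DC=com is a constructed path.
Import-Module ActiveDirectory

function Get-AdGuidMap {
    # schemaIDGUID -> attribute/class lDAPDisplayName; rightsGuid -> extended right displayName
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    return $map
}

function Resolve-AdGuid {
    param([guid]$Guid, [hashtable]$GuidMap, [string]$IfEmpty)
    if ($Guid -eq [guid]::Empty) { return $IfEmpty }
    $name = $GuidMap[$Guid]
    if ($name) { return $name } else { return $Guid.ToString() }   # unknown GUID: show it raw
}

function Get-OuDelegation {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName,
          [hashtable]$GuidMap = (Get-AdGuidMap))
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Inherited ACEs are reported where they are defined (the parent);
        # explicit ACEs are the delegation decisions made on this OU.
        if ($ace.IsInherited) { continue }
        New-Object PSObject -Property @{
            Trustee   = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            Property  = Resolve-AdGuid -Guid $ace.ObjectType -GuidMap $GuidMap -IfEmpty 'All'
            AppliesTo = Resolve-AdGuid -Guid $ace.InheritedObjectType -GuidMap $GuidMap -IfEmpty 'This object and descendants'
            Inherit   = $ace.InheritanceType
        }
    }
}

$map = Get-AdGuidMap   # build once; the schema and rights lists are large
Get-OuDelegation -DistinguishedName 'OU=Employees,DC=contoso,DC=com' -GuidMap $map |
    Sort-Object Trustee |
    Format-Table Trustee, Type, Rights, Property, AppliesTo, Inherit -AutoSize
```

After the wizard demonstration above, the Help Desk group should appear twice: an ExtendedRight ACE for Reset Password and a WriteProperty ACE for pwdLastSet, both applying to user objects (the second is what lets the help desk force a password change at next logon). Run the function over every OU before resetting an ACL to its default, and keep the output; it answers the "what was there and why" question the next answer raises.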
Module 10
Improving the Security of Authentication in an AD DS Domain
Contents:
Lesson 1: Configure Password and Lockout Policies
Lesson 3: Configure Read-Only Domain Controllers
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1: Configure Password and Lockout Policies
In the console tree, expand Computer Configuration, Policies, Windows Settings, Security Settings, and Account Policies, and then click Password Policy. Double-click the following policy settings in the details pane and configure them as indicated:
Enforce password history: 20 passwords remembered
Maximum password age: 90 days
Minimum password age: 7 days
Minimum password length: 8 characters
Password must meet complexity requirements: Enabled
7. Close the Group Policy Management Editor window.
8. Close the Group Policy Management window.
All PSOs are created and stored in the Password Settings Container (PSC).
8. Right-click CN=Password Settings Container, point to New, and then click Object. The Create Object dialog box appears. It prompts you to select the type of object to create. There is only one choice: msDS-PasswordSettings, the technical name for the object class referred to as a PSO.
9. Click Next. You are then prompted for the value of each attribute of a PSO. The attributes are similar to those found in the domain account policies.
10. Configure each attribute as indicated below. Click Next after each attribute.
cn: My Domain Admins PSO. This is the common name of the PSO.
msDS-PasswordSettingsPrecedence: 1. This PSO has the highest possible precedence. When more than one PSO applies to a user, the one with the lowest precedence value wins.
msDS-PasswordReversibleEncryptionEnabled: False. The password is not stored using reversible encryption.
msDS-PasswordHistoryLength: 30. The user cannot reuse any of the last 30 passwords.
msDS-PasswordComplexityEnabled: True. Password complexity rules are enforced.
msDS-MinimumPasswordLength: 15. Passwords must be at least 15 characters long.
msDS-MinimumPasswordAge: 1:00:00:00. A user cannot change his or her password within one day of a previous change. The format is d:hh:mm:ss (days, hours, minutes, seconds).
msDS-MaximumPasswordAge: 45:00:00:00. The password must be changed every 45 days.
msDS-LockoutThreshold: 5. Five invalid logons within the time frame specified by msDS-LockoutObservationWindow (the next attribute) will result in account lockout.
msDS-LockoutObservationWindow: 0:01:00:00. Five invalid logons (specified by the previous attribute) within one hour will result in account lockout.
msDS-LockoutDuration: 1:00:00:00. An account, if locked out, will remain locked for one day, or until it is unlocked manually. A value of zero will result in the account remaining locked out until an administrator unlocks it.
11. Click Finish, and then close ADSI Edit.
12. Run Active Directory Users and Computers as before, and in the console tree, expand the System container. If you do not see the System container, click the View menu of the MMC console, and ensure that Advanced Features is selected.
13. In the console tree, click the Password Settings Container.
14. Right-click My Domain Admins PSO, click Properties, and then click the Attribute Editor tab.
15. In the Attributes list, select msDS-PSOAppliesTo, and then click Edit. The Multi-valued Distinguished Name With Security Principal Editor dialog box appears.
16. Click Add Windows Account. The Select Users, Computers, or Groups dialog box appears.
17. Type Domain Admins, and then press Enter.
18. Click OK twice to close the open dialog boxes.
19. In the console tree, expand the contoso.com domain and the Admins OU, and then click the Admin Identities OU.
20. Right-click Pat Coleman (Administrator), and then click Properties.
21. Click the Attribute Editor tab.
22. Click the Filter button, and then click the Constructed option so that it is selected.
23. Open the value of the msDS-ResultantPSO attribute.
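The same PSO created and applied with the ActiveDirectory module instead of ADSI Edit, followed by the checks a reviewer would run. This is an added example, not part of the course text; it assumes the Windows Server 2008 R2 AD module, a domain functional level of Windows Server 2008 or higher (fine-grained password policies require it), and the names used in the procedure above.

```powershell
# Added example: create, apply and verify the fine-grained password policy from
# the ADSI Edit procedure. Assumptions: AD module on Server 2008 R2; DFL 2008+;
# PSO name, target group and test user as in the procedure above.
Import-Module ActiveDirectory

$psoName = 'My Domain Admins PSO'

# Same attribute values as the ADSI Edit steps; TimeSpans replace d:hh:mm:ss.
$pso = @{
    Name                        = $psoName
    Precedence                  = 1            # lowest value wins when several PSOs apply
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 30
    ComplexityEnabled           = $true
    MinPasswordLength           = 15
    MinPasswordAge              = New-TimeSpan -Days 1
    MaxPasswordAge              = New-TimeSpan -Days 45
    LockoutThreshold            = 5
    LockoutObservationWindow    = New-TimeSpan -Hours 1
    LockoutDuration             = New-TimeSpan -Days 1
}
New-ADFineGrainedPasswordPolicy @pso

# PSOs apply only to users and global security groups, never to OUs; this is
# the msDS-PSOAppliesTo edit from steps 15 to 18.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Resultant policy for one administrator (msDS-ResultantPSO from step 23).
# Nothing is returned when no PSO applies and the domain policy is in effect.
Get-ADUserResultantPasswordPolicy -Identity 'Pat.Coleman_Admin' |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold

# Inventory of every PSO and its subjects. Review this periodically: a PSO with
# weak settings and a low precedence value applied to a broad group quietly
# replaces the domain policy for those accounts.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
                  @{n='AppliesTo'; e={ $_.AppliesTo -join '; ' }}
```

Membership is evaluated through nested groups, so a PSO applied to Domain Admins also covers anyone who reaches Domain Admins through another global group; direct application to a user beats any group-derived PSO regardless of precedence value.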
Additional Reading
Configure the Domain Password and Lockout Policy
Windows Server 2003 Security Guide, Chapter 3: The Domain Policy
Lesson 3: Configure Read-Only Domain Controllers
10. On the Delegation of RODC Installation and Administration page, click Set. The Select User or Computer dialog box appears.
11. Type Aaron.Painter_Admin, and then press Enter.
12. Click Next.
13. Review your selections on the Summary page, and then click Next.
14. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
Configure a password replication policy
1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.
2. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, click the Domain Controllers OU.
4. Right-click BRANCHDC01, and then click Properties.
5. Click the Password Replication Policy tab and view the default policy.
6. Click Cancel to close the BRANCHDC01 properties.
7. In the Active Directory Users and Computers console tree, click the Users container.
8. Double-click Allowed RODC Password Replication Group.
9. Click the Members tab.
10. Examine the default membership of Allowed RODC Password Replication Group.
11. Click OK.
12. Double-click Denied RODC Password Replication Group.
13. Click the Members tab.
14. Click Cancel to close the Denied RODC Password Replication Group properties.
10. Click Prepopulate Passwords. The Select Users or Computers dialog box appears.
11. Type the name of the account you want to prepopulate (for example, Chris.Gallagher), and then click OK.
12. Click Yes to confirm that you want to send the credentials to the RODC. The following message typically appears: Passwords for all accounts were successfully prepopulated. Note that in this demonstration BRANCHDC01 is not running, so an error is observed instead. Click OK.
13. Click Close.
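The Password Replication Policy tasks above, scripted with the ActiveDirectory module and followed by the check that matters most for an RODC: whether any privileged account has had its secrets cached on it. This is an added example and not part of the course text. It assumes the Server 2008 R2 AD module, the RODC BRANCHDC01 and hub DC NYC-DC1 from the procedure, the user Chris.Gallagher, and a global group named Branch Users, which is a made-up name.

```powershell
# Added example: configure, prepopulate and review an RODC Password Replication
# Policy, then check for privileged accounts whose secrets the RODC holds.
# Assumptions: RODC BRANCHDC01, hub DC NYC-DC1, group "Branch Users" (constructed).
Import-Module ActiveDirectory

$rodc = 'BRANCHDC01'
$hub  = 'NYC-DC1'

# 1. Allow the branch accounts to be cached. Deny entries win over Allow, and
#    the built-in Denied RODC Password Replication Group already lists the
#    privileged groups (Domain Admins, Enterprise Admins, Schema Admins, ...).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch Users'

# 2. Prepopulate one user's secrets so the first logon at the branch works
#    while the WAN link to the hub is down. Same operation as the GUI's
#    Prepopulate Passwords; it is refused for accounts the PRP does not allow.
Sync-ADObject -Object 'Chris.Gallagher' -Source $hub -Destination $rodc -PasswordOnly

# 3. Review the policy as configured ...
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# ... and what is actually cached on the RODC right now.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

# 4. Check: a cached privileged credential means that whoever walks off with
#    the branch server's disk has it too. Expand the privileged groups
#    recursively and intersect with the revealed list.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators' |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty distinguishedName -Unique

$revealed |
    Where-Object { $privileged -contains $_.DistinguishedName } |
    Select-Object Name, DistinguishedName
```

The last query should return nothing; if it does not, the account was allowed through a group that someone added to the Allowed list, or the Denied group was edited. Prepopulate only the accounts that actually log on at the branch: every cached secret widens what an attacker with physical access to the RODC can recover, and the -AuthenticatedAccounts switch of the same cmdlet shows who has actually authenticated there, which is the better basis for the Allowed list than a broad group.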
Additional Reading
Installing an RODC
For details regarding other options for installing an RODC, including delegated installation see
Tools
Group Policy Management console: used for editing and managing Group Policy objects. Where to find it: Administrative Tools.
ADSI Edit: used for creating Password Settings Objects. Where to find it: Administrative Tools.
Dcpromo: used for creating and managing domain controllers. Command-line utility.
Module 11
Configuring Domain Name System
Contents:
Lesson 2: Integration of AD DS, DNS, and Windows 140
Lesson 3: Advanced DNS Configuration and Administration 143
Module Reviews and Takeaways 145
Lab Review Questions and Answers 147
Lesson 2
When all the virtual machines are ready, perform the following steps:
1. On 6425C-NYC-DC1, run DNS Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
2. In the console tree, expand NYC-DC1, Forward Lookup Zones, and contoso.com, and then click the _tcp node. Examine the SRV records.
3. In the console tree, expand NYC-DC1, Forward Lookup Zones, contoso.com, _sites, Default-First-Site-Name, and then click the _tcp node. Examine the SRV records.
4. Run Command Prompt with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
5. Type nslookup, and then press Enter.
6. Type set type=srv, and then press Enter.
7. Type _ldap._tcp.contoso.com, and then press Enter.
8. Type exit, and then press Enter.
9. Switch to DNS Manager. In the console tree, expand NYC-DC1, Forward Lookup Zones, and contoso.com, and then click the _tcp node.
10. Right-click the SRV records for NYC-DC1.contoso.com, and then click Delete.
11. Switch to Command Prompt.
12. Type net stop netlogon, and then press Enter.
13. Type net start netlogon, and then press Enter.
14. Switch to DNS Manager.
15. In the console tree, right-click the _tcp node, and then click Refresh. Examine the SRV records for NYC-DC1.contoso.com; the Netlogon service re-registers them when it starts.
16. Click Start, and in the Start Search box, type notepad.exe. Note: you should run Notepad with administrative credentials to open the netlogon file in the next step.
17. Click File, click Open, type %systemroot%\system32\config\netlogon.dns in the File Name box, and then press Enter.
18. Examine the default SRV records.
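Added example (not part of the course material): a PowerShell check that every SRV record a domain controller writes to its netlogon.dns is actually present in DNS and that the advertised host answers on the advertised port, which is the condition step 10 breaks and steps 12 and 13 repair. It uses only nslookup and .NET, so it runs on Windows Server 2008 without extra modules; the file path is the Windows default.

```powershell
# Added example: compare this DC's netlogon.dns against what DNS returns, then
# probe each advertised service port. Run on the DC with administrative rights.

function Get-NetlogonSrvRecords {
    param([string]$Path = "$env:SystemRoot\system32\config\netlogon.dns")
    # Lines in netlogon.dns look like:
    # _ldap._tcp.contoso.com. 600 IN SRV 0 100 389 NYC-DC1.contoso.com.
    Get-Content $Path | ForEach-Object {
        if ($_ -match '^(\S+)\.\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)\.$') {
            New-Object PSObject -Property @{
                Name = $matches[1]; Port = [int]$matches[2]; Target = $matches[3]
            }
        }
    }
}

function Resolve-Srv {
    param([string]$Name)
    # Parse nslookup's SRV answer ("port = 389", "svr hostname = nyc-dc1.contoso.com");
    # inside each answer block the port line precedes the hostname line.
    $out = nslookup -type=SRV $Name 2>$null
    $targets = @(); $ports = @()
    foreach ($line in $out) {
        if     ($line -match 'svr hostname\s*=\s*(\S+)') { $targets += $matches[1] }
        elseif ($line -match 'port\s*=\s*(\d+)')         { $ports   += [int]$matches[1] }
    }
    for ($i = 0; $i -lt $targets.Count; $i++) {
        New-Object PSObject -Property @{ Target = $targets[$i]; Port = $ports[$i] }
    }
}

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { $client.EndConnect($ar); return $true }
        return $false
    } catch { return $false } finally { $client.Close() }
}

# A record present in the file but absent from DNS means dynamic registration
# failed or was removed; restarting Netlogon re-registers it (steps 12 and 13).
$expected = Get-NetlogonSrvRecords | Sort-Object Name, Target -Unique
foreach ($rec in $expected) {
    $inDns = Resolve-Srv $rec.Name |
        Where-Object { $_.Target -ieq $rec.Target -and $_.Port -eq $rec.Port }
    if (-not $inDns) {
        Write-Warning "MISSING in DNS: $($rec.Name) -> $($rec.Target):$($rec.Port)"
        continue
    }
    $up = Test-TcpPort -Server $rec.Target -Port $rec.Port
    '{0,-55} {1}:{2} {3}' -f $rec.Name, $rec.Target, $rec.Port, $(if ($up) { 'OK' } else { 'NO ANSWER' })
}
```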
Lesson 3
Additional Reading
Resolving Single-Label Names
Providing Single-Label DNS Name Resolution
Deploying the GlobalNames Zone
Disable recursion for servers that do not answer client queries or communicate by using forwarders. Because DNS servers communicate among themselves by using iterative queries, this ensures that the server responds only to queries that are intended for it.

Consider the use of secondary zones to assist in off-loading DNS query traffic wherever appropriate.

Enter the correct email address of the responsible person for each zone you add to, or manage on, a DNS server. Applications use this field to notify DNS administrators for a variety of reasons. For example, query errors, incorrect data returned in a query, and security problems are a few ways in which this field can be used. Although most Internet email addresses contain the @ symbol to represent the word "at" in email, this symbol must be replaced with a period (.) when entering an email address for this field. For example, instead of administrator@microsoft.com, you would use administrator.microsoft.com.
Tools
Tool | Used for | Where to find it
DNS Management Console | DNS administration and management | Administrative Tools
Nslookup | Use to perform query testing of the DNS domain namespace. | Command-line utility
Dnscmd | Use this command-line interface to manage DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks or to perform simple unattended setup and configuration of new DNS servers on your network. | Command-line utility
Ipconfig | Use this command to view and modify IP configuration details that the computer uses. This utility includes additional command-line options to provide help in troubleshooting and supporting DNS clients. | Command-line utility
DNSlint | Provides several automated tests to verify that DNS servers and resource records are configured properly and pointing to valid services. You can download this command from Microsoft at http://go.microsoft.com/fwlink/?LinkID=214201 | Command-line utility
Module 12
Administering AD DS Domain Controllers
Contents:
Lesson 1: Domain Controller Installation Options 149
Lesson 2: Install a Server Core Domain Controller 151
Module Reviews and Takeaways 153
Lab Review Questions and Answers 155
Lesson 1
Additional Reading
Unattended Installation Options and Answer Files
For a complete reference of dcpromo parameters and unattended installation options, see
Lesson 2
Additional Reading
Understand Server Core
Server Core Installation Option
What's New in the Server Core Installation Option
You cannot transfer one or more operations master roles.
You cannot install a role or feature on Server Core.
You cannot add an additional domain controller to the current AD DS infrastructure.
Distribute operations master roles across several servers.
Be sure to co-locate compatible roles.
Use DFS-R for SYSVOL replication.
Tools
Tool | Used for | Where to find it
Active Directory Users and Computers | Managing operations masters; managing domain functional level; creating and managing AD objects | Administrative Tools
Active Directory Domains and Trusts | Managing domain and forest functional level; trust management | Administrative Tools
Dcpromo.exe | Installation and configuration of Active Directory Domain Services; AD DS role installation | Command-line utility
Active Directory Schema snap-in | Managing the schema master role | You can run it manually
Module 13
Managing Sites and Active Directory Replication
Contents:
Lesson 1: Configure Sites and Subnets 157
Lesson 2: Configure Replication 159
Module Reviews and Takeaways 161
Lab Review Questions and Answers 163
Lesson 1
Additional Reading
How a Client Locates a Domain Controller
For more information about domain controller location, see
Lesson 2
Configure Replication
Contents:
Additional Reading 160
Additional Reading
Bridgehead Servers
Bridge Server Selection
Replication between two Domain Controllers in the same site does not work.
Tools
Tool | Used for | Where to find it
Active Directory Sites and Services | Manage site objects; manage site links; manage replication | Administrative Tools
ADSI Edit | View and manage Active Directory partitions | Administrative Tools
Repadmin | Monitoring and managing replication | Command-line utility
Dcdiag | Reports on the overall health of replication and security for Active Directory Domain Services | Command-line utility
Module 14
Managing Sites and Active Directory Replication
Contents:
Lesson 1: Monitor Active Directory 165
Lesson 2: Manage the Active Directory Database 168
Lesson 3: Active Directory Recycle Bin 172
Lesson 4: Back Up and Restore AD DS and Domain Controllers 176
Module Reviews and Takeaways 179
Lab Review Questions and Answers 181
Lesson 1
Demonstration: Using Active Directory Best Practices Analyzer
Detailed demonstration steps:
1. Log on to 6425C-NYC-DC1 as Contoso\Pat.Coleman_Admin with the password Pa$$w0rd.
2. Open the Server Manager console.
3. In the left console pane, expand Roles and click the Active Directory Domain Services role.
4. In the central pane, scroll down to the Best Practices Analyzer section.
5. Click Scan This Role and wait until scanning is completed.
6. Review the events that appear in the Noncompliant tab. Emphasize that some events have severity Error and some are Warning.
7. Right-click any event and select Properties.
8. Show the detailed description of the event. Click Close.
9. Right-click any event and select Exclude Result. Show that the event now appears in the Excluded tab.
10. Click the Compliant tab and show the events that appear there.
11. Close Server Manager.
Additional Reading
Performance Monitor
Using Performance Monitor
Lesson 2
To perform an offline defragmentation of the Active Directory database while AD DS is in a stopped state:
1. Click Start, click Run, type CMD, and then press Enter.
2. In the command window, type ntdsutil, and then press Enter. Click Yes.
3. At the ntdsutil: prompt, type Activate Instance NTDS, and then press Enter.
4. At the ntdsutil: prompt, type files, and then press Enter.
5. At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath (where drive:\LocalDirectoryPath is the path to a location on the local computer), and then press Ctrl+C to break the process. It takes too long to demonstrate.
6. Next, you would copy NTDS.dit to a backup location, along with the logs (*.log), and then you would delete the logs (*.log).
7. Next, check the integrity of the newly compacted database. Type integrity to check the integrity of the newly compacted database, but press Ctrl+C to break the process.
To move the AD DS database:
8. In the file maintenance command window, type move db to pathname, and then press Ctrl+C to break the process. Explain that the NTDS.dit file would be moved to the new location and permissions would be set accordingly.
To restart AD DS:
9. In the Services MMC, right-click Active Directory Domain Services, and then click Start.
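Added example (not part of the course material): the offline defragmentation the demonstration breaks off with Ctrl+C, carried through end to end in PowerShell using ntdsutil's non-interactive command-line form. The scratch and backup directories are assumptions; the database path is the Windows default.

```powershell
# Added example: offline compaction of ntds.dit with backup, integrity check and
# rollback. Run elevated on the DC; AD DS on this DC is unavailable while it runs.
$CompactDir = 'D:\NtdsCompact'          # assumed scratch location (free space >= database size)
$BackupDir  = 'D:\NtdsBackup'           # assumed backup location
$DbDir      = "$env:SystemRoot\NTDS"    # default location of ntds.dit and *.log
$Db         = Join-Path $DbDir 'ntds.dit'

function Invoke-NtdsutilFiles {
    # Each argument is one command typed at an ntdsutil prompt; the two 'quit's
    # leave the 'file maintenance' and then the 'ntdsutil' prompt.
    param([string[]]$Commands)
    $argv = @('activate instance ntds', 'files') + $Commands + @('quit', 'quit')
    return (& ntdsutil.exe @argv 2>&1 | Out-String)
}

New-Item -ItemType Directory -Force -Path $CompactDir, $BackupDir | Out-Null

# Services that depend on NTDS (DNS Server, KDC, ...) stop with it and are not
# started again by Start-Service NTDS, so remember which ones were running.
$dependents = (Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }

# 1. Stop AD DS (restartable since Windows Server 2008) so the database file is closed.
Stop-Service NTDS -Force
try {
    # 2. Compact into a new ntds.dit in the scratch directory.
    $out = Invoke-NtdsutilFiles "compact to $CompactDir"
    if ($out -notmatch 'Operation completed successfully') { throw "compact failed:`n$out" }

    # 3. Keep the original database and its logs before replacing anything.
    Copy-Item $Db $BackupDir -Force
    Copy-Item (Join-Path $DbDir '*.log') $BackupDir -Force

    # 4. Put the compacted copy in place and remove the old transaction logs.
    Copy-Item (Join-Path $CompactDir 'ntds.dit') $Db -Force
    Remove-Item (Join-Path $DbDir '*.log') -Force

    # 5. Verify the new file before AD DS is allowed to use it.
    $out = Invoke-NtdsutilFiles 'integrity'
    if ($out -notmatch 'Integrity check successful') { throw "integrity check failed:`n$out" }
    'Offline defragmentation complete; integrity check passed.'
}
catch {
    Write-Warning $_
    # Roll back to the saved copy so the DC comes up on a known-good database.
    if (Test-Path (Join-Path $BackupDir 'ntds.dit')) {
        Copy-Item (Join-Path $BackupDir 'ntds.dit') $Db -Force
        Copy-Item (Join-Path $BackupDir '*.log') $DbDir -Force
    }
}
finally {
    # 6. Always bring AD DS and its dependents back, whether or not a step failed.
    Start-Service NTDS
    $dependents | ForEach-Object { Start-Service $_.Name }
}
```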
Additional Reading
Active Directory Database Files
How the Data Store Works
NTDSUtil
Data Store Tools and Settings
How to remove data in Active Directory after an unsuccessful domain controller demotion
Lesson 3
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target contoso.com
3. Type y, and then press Enter.
4. After the command prompt is returned to you, close the PowerShell window.
Delete an object
1. Open the Active Directory Users and Computers console from Administrative Tools.
2. Expand Contoso.com, expand User Accounts, and then click the Employees organizational unit.
3. In the central pane, right-click Aaron Lee and select Delete.
4. In the confirmation window, click Yes.
5. Close Active Directory Users and Computers.
3. In the Controls dialog box, expand the Load Predefined menu, click Return deleted objects, and then click OK.
4. To verify that the Deleted Objects container is displayed:
   a. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connection, click Connect, click OK, and then under Connection, click Bind, and then click OK.
   b. Click View, click Tree, and in BaseDN, type DC=contoso,DC=com, and then click OK.
   c. In the console tree, double-click the root distinguished name (also known as DN) and locate the CN=Deleted Objects,DC=contoso,DC=com container. Expand that object and ensure that the Aaron Lee object appears below it.
5. Right-click the CN=Aaron Lee,... object, and click Modify.
6. In the Edit Entry Attribute box, type isDeleted.
7. Under Operation, click Delete, and then click Enter.
8. In the Edit Entry Attribute box, type distinguishedName.
9. In the Values box, type the original distinguished name, which is CN=Aaron Lee,OU=Employees,OU=User Accounts,DC=contoso,DC=com.
10. Under Operation, click Replace.
11. Ensure that the Extended check box is selected, click Enter, and then click Run.
12. Click Close.
13. From Administrative Tools, open the Active Directory Users and Computers console.
14. Expand Contoso.com, expand User Accounts, and then click the Employees organizational unit.
15. Ensure that the Aaron Lee user object exists and that all attributes, such as group membership, are retained.
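Added example (not part of the course material): the same restore as the ldp.exe procedure above, done with the ActiveDirectory module of Windows Server 2008 R2 in a forest where the Recycle Bin has been enabled. The user name and original container follow the demonstration; the functions are this example's own, not cmdlets of the module.

```powershell
# Added example: locate a deleted user, restore it to its last known parent and
# confirm that group membership survived. Requires the Recycle Bin to be enabled
# and the object to be within the deleted object lifetime.
Import-Module ActiveDirectory

function Find-DeletedUser {
    param([string]$LastKnownRdn)
    # Deleted objects are invisible to ordinary searches; -IncludeDeletedObjects
    # sends the same Show Deleted control that ldp.exe loaded as "Return deleted
    # objects". msDS-LastKnownRDN keeps the pre-deletion name and lastKnownParent
    # the container the object has to go back to.
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(objectClass=user)(msDS-LastKnownRDN=$LastKnownRdn))" `
        -IncludeDeletedObjects -Properties lastKnownParent, msDS-LastKnownRDN, whenChanged, memberOf
}

function Restore-DeletedUser {
    param([string]$LastKnownRdn)
    $found = @(Find-DeletedUser $LastKnownRdn)
    if ($found.Count -eq 0) {
        throw "No deleted user '$LastKnownRdn' found; it may already be restored or past the deleted object lifetime."
    }
    if ($found.Count -gt 1) {
        $found | Format-Table Name, lastKnownParent, whenChanged -AutoSize | Out-String | Write-Warning
        throw "More than one deleted '$LastKnownRdn'; pick the right one and restore it by ObjectGUID."
    }
    $obj = $found[0]

    # If the parent OU was deleted as well it must be restored first; otherwise
    # Restore-ADObject fails unless a -TargetPath is supplied.
    if ($obj.lastKnownParent -like '*CN=Deleted Objects,*') {
        throw "Parent container is deleted too: $($obj.lastKnownParent). Restore it first."
    }

    $groupsBefore = @($obj.memberOf).Count
    Restore-ADObject -Identity $obj.ObjectGUID    # returns to lastKnownParent

    # The GUID survives the restore, so re-read the live object by GUID and check
    # that link-valued attributes such as memberOf came back with it. Without the
    # Recycle Bin (tombstone reanimation) most attributes would have been stripped.
    $user = Get-ADUser -Identity $obj.ObjectGUID -Properties memberOf
    New-Object PSObject -Property @{
        DistinguishedName   = $user.DistinguishedName
        GroupsBeforeRestore = $groupsBefore
        GroupsAfterRestore  = @($user.memberOf).Count
    }
}

Restore-DeletedUser 'Aaron Lee' | Format-List
```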
Additional Reading
What Is Active Directory Recycle Bin?
Active Directory Recycle Bin Step-by-Step Guide
Lesson 4
Additional Reading
Backup and Recovery Tools
Backup and Recovery Overview for Windows Server 2008
Windows Server Backup
Windows Server Backup Step-by-Step Guide for Windows Server 2008
Backing Up Your Server
Tools
Tool | Used for | Where to find it
Performance Monitor | Monitoring of system objects from a performance aspect | Administrative Tools
Reliability Monitor | Monitoring events that affect system stability and reliability | Administrative Tools
Event Viewer | Reviewing logged events on a server or workstation | Administrative Tools
[tool name missing in source] | Active Directory administration; management of Active Directory objects | Administrative Tools
Ntdsutil | Management of the Active Directory database | Command-line utility
Active Directory Domains and Trusts | Management of forest and domain functional levels and trusts | Administrative Tools
Windows Server Backup | Backup and restore of files and Active Directory | Administrative Tools
Module 15
Managing Multiple Domains and Forests
Contents:
Lesson 2: Manage Multiple Domains and Trust Relationships 183
Module Reviews and Takeaways 187
Lab Review Questions and Answers 188
Lesson 2
If the domain is in the same forest, the wizard knows it is a shortcut trust.
7. If you are creating a realm trust, you will be prompted to indicate whether the trust is transitive or nontransitive. (Realm trusts are discussed later in this lesson.)
8. On the Direction Of Trust page, select one of the following:
Two-Way. This establishes a two-way trust between the domains.
One-Way: Incoming. This establishes a one-way trust in which the domain you selected in step 2 is the trusted domain, and the domain you entered in step 5 is the trusting domain.
One-Way: Outgoing. This establishes a one-way trust in which the domain you selected in step 2 is the trusting domain, and the domain you entered in step 5 is the trusted domain.
9. Click Next.
10. On the Sides Of Trust page, select one of the following:
Both this domain and the specified domain. This establishes both sides of the trust. This requires that you have permission to create trusts in both domains.
This domain only. This creates the trust relationship in the domain you selected in step 2. An administrator with permission to create trusts in the other domain must repeat this process to complete the trust relationship.
The next steps will depend on the options you selected in steps 8 and 10. The steps will involve one of the following:
If you selected Both this domain and the specified domain, you must enter a user name and password with permissions to create the trust in the domain specified in step 5.
If you selected This domain only, you must enter a trust password. A trust password is entered by administrators on each side of a trust to establish the trust. The passwords should not be the administrators' user account passwords. Instead, each should be a unique password used only for creating this trust. The passwords are used to establish the trust, and then the domains change them immediately.
11. If the trust is an outgoing trust, you are prompted to choose one of the following: Selective Authentication, or Domain-Wide Authentication or Forest-Wide Authentication, depending on whether the trust type is an external trust or a forest trust, respectively.
12. The New Trust Wizard summarizes your selections on the Trust Selections Complete page. Click Next. The wizard creates the trust.
13. The Trust Creation Complete page appears. Verify the settings, and then click Next. You will then have the opportunity to confirm the trust. This option is useful if you have created both sides of the trust or if you are completing the second side of a trust.
If you selected Both this domain and the specified domain in step 8, the process is complete. If you selected This domain only in step 8, the trust relationship will not be complete until an administrator in the other domain completes the process:
If the trust relationship you established is a one-way outgoing trust, an administrator in the other domain must create a one-way incoming trust.
If the trust relationship you established is a one-way incoming trust, an administrator in the other domain must create a one-way outgoing trust.
If the trust relationship you established is a two-way trust, an administrator in the other domain must create a two-way trust.
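Added example (not part of the course material): a PowerShell pass over the trusts of the local domain that restates each one in the wizard's terms (which domain is trusting and which is trusted), verifies the outbound side, and reports the selective authentication and SID filtering settings that should be confirmed after the wizard completes. It uses System.DirectoryServices.ActiveDirectory, available on Windows Server 2008 without the ActiveDirectory module.

```powershell
# Added example: enumerate, describe and verify the trusts of the current domain.
Add-Type -AssemblyName System.DirectoryServices
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

function Describe-TrustDirection {
    param([System.DirectoryServices.ActiveDirectory.TrustRelationshipInformation]$Trust)
    # TrustDirection is seen from the source (local) domain: Outbound means the
    # local domain trusts the target (the target is the trusted domain), Inbound
    # means the target trusts the local domain.
    switch ($Trust.TrustDirection) {
        'Outbound'      { "$($Trust.SourceName) trusts $($Trust.TargetName) (one-way: outgoing; trusted domain is $($Trust.TargetName))" }
        'Inbound'       { "$($Trust.TargetName) trusts $($Trust.SourceName) (one-way: incoming; trusted domain is $($Trust.SourceName))" }
        'Bidirectional' { "$($Trust.SourceName) and $($Trust.TargetName) trust each other (two-way)" }
    }
}

foreach ($trust in $domain.GetAllTrustRelationships()) {
    $type = $trust.TrustType.ToString()
    '{0,-12} {1}' -f $type, (Describe-TrustDirection $trust)

    # Only the outbound side can be verified from here; the administrator of the
    # other domain verifies the inbound side from their end.
    if ($trust.TrustDirection -ne 'Inbound') {
        try {
            $domain.VerifyOutboundTrustRelationship($trust.TargetName)
            '             outbound verification: OK'
        } catch {
            Write-Warning "outbound verification FAILED for $($trust.TargetName): $($_.Exception.Message)"
        }
    }

    # Selective authentication and SID filtering are settings of external and
    # forest trusts; forest trusts are queried through the Forest object.
    if ($type -eq 'External' -or $type -eq 'Forest') {
        $scope = if ($type -eq 'Forest') { $forest } else { $domain }
        try {
            $selective = $scope.GetSelectiveAuthenticationStatus($trust.TargetName)
            $sidFilter = $scope.GetSidFilteringStatus($trust.TargetName)
            '             selective authentication: {0}; SID filtering: {1}' -f $selective, $sidFilter
            if (-not $sidFilter) { Write-Warning "SID filtering is disabled on the trust to $($trust.TargetName)" }
        } catch {
            Write-Warning "could not read trust settings for $($trust.TargetName): $($_.Exception.Message)"
        }
    }
}
```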
Additional Reading
Define Your Forest and Domain Structure
For more information about the security considerations related to domain and forest design, see Best Practices for Delegating Active Directory Administration at
For more information about planning the architecture of an AD DS enterprise, see
Forest Trusts
You can learn about the DNS requirements for a forest trust at
Courseware Feedback
Send all courseware feedback to support@mscourseware.com. We truly appreciate your time and effort. We review every e-mail received and forward the information on to the appropriate team. Unfortunately, because of volume, we are unable to provide a response but we may use your feedback to improve your future experience with Microsoft Learning products.
Reporting Errors
When providing feedback, include the training product name and number in the subject line of your email. When you provide comments or report bugs, please include the following:
1. Document or CD part number
2. Page number or location
3. Complete description of the error or suggested change
Please provide any details that are necessary to help us verify the issue.
Important: All errors and suggestions are evaluated, but only those that are validated are added to the product Knowledge Base article.