9/24/2008

Welcome to Train Signal


Train Signal, Inc. Coach Culbertson

Video 1: Welcome to Windows Server 2008 Active Directory

Your Host: Coach Culbertson, MCT, MCITP, MCTS, MCSA, MCDBA, and several other random IT certifications

Welcome to Windows Server 2008 Active Directory

In this video:
- About Your Instructor and Train Signal
- Overall Scope of the Course
- What's Covered in this Course
- The Globomantics Scenario
- What We'll Build in this Course

About Your Instructor and Train Signal

About Benjamin "Coach" Culbertson
- MCITP: Server Administrator, MCTS: SharePoint Server 2007, MCSA, MCDBA, MCT, A+, Net+, CIW, and a few others
- 2 Year Tour of Duty as an Inner City High School Teacher in Chicago
- Launched a couple hundred careers

About Train Signal
- Casual Training Method that teaches real skills first
- Scenario-Based Training to answer the question "Why does this change my life?"

What's Covered in this Course

What's on the hit parade for this one, Coach? Can we dance to it?

2. What is Active Directory?
3. The First Two Domain Controllers
4. Setting Up Remote Desktop on Your Personal Vista Client
5. Creating Organizational Units, User and Computer Accounts, and Groups
6. Sharing Stuff On Servers
7. Get Your Control Freak On!
8. How to Make Your Boss Mad and then Fix it Really Fast
9. Make Your Life Easier with Computer Policies and Preferences
10. How to Push Software Onto a Lot of Machines Without Getting Up From Your Desk
11. What's My P@ssw0rd again?
12. Passing the Buck
13. Creating Backup Solutions BEFORE Stuff Blows Up
14. Reducing Single Points of Failure
15. Monitoring, Auditing, and Defragging
16. Creating the Chicago Location
17. How To Give People Access to Stuff That's 790 Miles Away
18. Creating The Dallas Branch Office
19. Bringing an OU and Users Back from the Dead
20. What Do You Do When A Domain Controller Blows Up?
21. Get Your Old Domain Controllers Up To Date
22. Connecting the Continents
23. Certification: It's Really Not That Scary
24. DNS Stuff
25. Active Directory Certificate Services 101
26. Active Directory Lightweight Directory Services 101
27. Active Directory Rights Management 101

The Globomantics Scenario

Here's the story about a man named Hank...

You are the newly hired Systems Administrator for a new startup company called Globomantics, a stock brokerage. Hank Richardson, our Founder and CEO, is a rough and tumble Texan who isn't the most tech savvy individual, but knows the value of having good people who know the ropes when it comes to computers.

You'll have the rare opportunity to build out the corporate network, specifically Active Directory, for Globomantics, including:
- The Main Office in New York
- The Chicago Office
- The Dallas Branch Office
- And melding networks with a small company in Tokyo, Verde Petra, which Hank will buy out.

What We'll Build in this Course

We'll start with this... (diagram of the starting network)

...and end up with this! (diagram of the finished network)

Yeah, it's a lot, but we'll take it a step at a time!

So How About It?

Are You Ready? C'mon, Let's Go!

Welcome to Train Signal

Video 2: What is Active Directory? And Why You Need To Care

What is Active Directory?

In this video:
- What is Active Directory and Why Should I Care?
- What is a Domain Controller?
- What is a Domain?
- What is a Server Role?
- What is DNS?

What is Active Directory and Why Should I Care?

Okay, time for the secret...

Active Directory is the Brain of a Windows Server Network. It's a database that keeps track of a huge amount of stuff and gives us a centralized way to manage all our network machines, users, and resources:
- Services (i.e. Email, etc.)
- Users and Groups
- Resources (Printers, Shared Folders, etc.)

We say that these items are Objects in the Active Directory Database.

What is Active Directory and Why Should I Care?

As a matter of fact... every time you log in to a corporate network, you're using Active Directory.

(Diagram: your logon request goes to a Domain Controller, which checks the Active Directory Database)
Domain Controller: "Hold up, let me check the Active Directory Database to see if you get access!"
Domain Controller: "Ok, I see your User Account, it's valid, and it has these permissions. Here ya go!"

What is a Domain Controller?

Big Boss Machine comin' at ya!

A Domain Controller is a Windows Server Machine that runs Active Directory Domain Services. Think of it as the Boss of your network.

You may have multiple Domain Controllers that all have copies of the same Active Directory database.

(Diagram: three Domain Controllers, each holding its own copy of the Active Directory Database)

What is a Domain?

Big word: Namespace

A Windows Server domain is a logical group of computers running versions of the Microsoft Windows operating system that share a central directory database. The machines are all named with part of a Domain name like globomantics.com (also called a suffix) and are registered in the Active Directory Database so they can be managed.

(Diagram: the globomantics.com domain containing CL1.globomantics.com, CL2.globomantics.com, and the Domain Controller NY-DC1.globomantics.com)

What is a Domain?

You'll often see Domains represented like this:

(Diagram: globomantics.com (Forest Root) with the child domain na.globomantics.com beneath it)

A Forest is comprised of ALL the Domains in your Enterprise. Your Forest may only have one domain!

What is a Domain?

Don't forget about users!

Users are also part of the namespace. Example: Your email address is part of a domain namespace: hrichardson@globomantics.com

Note: Email-like logins are also called User Principal Names when used to log into a Server 2008 network.

What is a Server Role?

Everybody needs a job... even servers!

Servers need jobs, too. A Server Role is a major job that a Server can perform. It's recommended that a Server not have too many Roles.

A Domain Controller usually has only two Roles:
- Active Directory Domain Services
- DNS

What is DNS?

Domain Name Services are your friend

DNS is a service provided by a Server that allows you to find other computers in your network.

DNS allows you to type in a friendly name of a machine instead of its IP Address, allowing your client to get the IP address from the DNS server and go find the resource.

Without DNS, Active Directory will not work. Period.

In Server 2008, it's recommended that you integrate DNS with Active Directory to make your IT life easier.

What We Covered

After watching this video, you should be able to:
- Define briefly what Active Directory is
- Describe the three primary types of Objects that Active Directory provides
- Describe what happens when you log in to an Active Directory network
- Define what a Domain Controller is
- Describe a Forest
- Describe a Domain
- Define briefly what a Server Role is

Welcome to Train Signal

Video 3: The First Two Domain Controllers: Installing Server 2008 and Active Directory

The First Two Domain Controllers

In this video:
- Building the Brain of the Globomantics Network
- Quick Server 2008 Requirements and Editions Check
- The Bare Metal Installation Process
- The Initial Configuration Task List
- Installation of Active Directory Domain Services
- Setting up a Second Domain Controller
- Can We Talk? Replication Testing

Building the Brain of the Globomantics Network

This is how we begin...

Your mission, should you choose to accept it: build 2 Domain Controllers to start the Globomantics network at the New York headquarters. Here's your hardware and what we're going to build (both machines hang off a Network Switch with an Internet T-1 connection):

NY-DC1-2K8
- IP: 192.168.5.2
- 3GHz 64-bit CPU, 4GB RAM, 2 120GB HDDs, Gigabit NIC
- This Domain Controller will create the Domain globomantics.com

NY-DC2-2K8
- IP: 192.168.5.3
- 3GHz 64-bit CPU, 4GB RAM, 2 120GB HDDs, Gigabit NIC
- This Domain Controller will join the Domain globomantics.com

We're setting up two almost identical DCs for fault tolerance and better performance. If one crashes, we have another!

Building the Brain of the Globomantics Network

Once we set up these two DCs, we'll have this:

(Diagram: globomantics.com, the Forest Root Domain (because it's the very first domain), with the New York Site containing NY-DC1-2K8 at 192.168.5.2 and NY-DC2-2K8 at 192.168.5.3)

The Big Picture

(Diagram of the finished forest)
- globomantics.com: New York Site
- na.globomantics.com: Chicago Site
- asia.globomantics.com: Tokyo Site

Quick Server 2008 Editions and Requirements Check

Hardware Requirements:
http://www.microsoft.com/windowsserver2008/en/us/system-requirements.aspx

Component: Processor
  Minimum: 1 GHz (x86 processor) or 1.4 GHz (x64 processor)
  Recommended: 2 GHz or faster
  Note: An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-Based Systems

Component: Memory
  Minimum: 512 MB RAM (just to install)
  Recommended: 2 GB RAM or greater
  Coach Says: As much as you can get!

Component: Available Disk Space
  Minimum: 10 GB
  Recommended: 40 GB or greater
  Note: Computers with more than 16 GB of RAM will require more disk space for paging, hibernation, and dump files

Component: Other BFO Stuff (BFO: Blinding Flash of the Obvious)
  DVD-ROM drive
  Super VGA (800 x 600) or higher resolution monitor
  Keyboard and Microsoft Mouse or compatible pointing device
  NIC

Quick Server 2008 Editions and Requirements Check

Which Edition of Server 2K8 should we use for our first two DCs?
http://www.microsoft.com/windowsserver2008/en/us/editions.aspx

Edition: Standard
  Description: Does almost everything
  Price: $999 w/5 CALs
  Max RAM (32-bit / 64-bit): 4 GB / 32 GB
  When to use: Small to medium environments, File and Print Servers, less intensive applications

Edition: Enterprise
  Description: Does it all
  Price: $3999 w/25 CALs
  Max RAM (32-bit / 64-bit): 64 GB / 2 TB
  When to use: Large environments, clustering

Edition: Datacenter
  Description: All that and a bag of chips
  Price: $2999 PER PROCESSOR
  Max RAM (32-bit / 64-bit): 64 GB / 2 TB
  When to use: For massive environments; includes unlimited virtualization licenses!

Edition: Web Server
  Description: Just a Web Server (IIS 7.0)
  Price: $469
  Max RAM (32-bit / 64-bit): 4 GB / 32 GB
  When to use: You don't need me to explain this. Really, you don't.

Edition: Itanium
  Description: For high-end web/application servers
  Price: $2,999
  Max RAM (32-bit / 64-bit): N/A / 2 TB
  When to use: When you need to run super powered databases or high end applications. Only has the Application Server Role.

Quick Server 2008 Editions and Requirements Check

And the winner for Globomantics Edition for the first 2 DCs is...

Enterprise Edition 64-bit!

We select Enterprise 64-bit for its ability to handle up to 2TB of Memory and its complete set of features for future growth (and we have the $$$).

Each of the machines we will be setting up as DCs has:
- 4GB of RAM
- 2 120GB hard drives installed
- A 3GHz 64-bit Quad-Core Intel processor
- Gigabit network cards

This will easily handle the Enterprise edition (at least at first).

The Bare Metal Installation Process

What do we mean by bare metal?

Two types of Server 2008 installations:
- Bare Metal: No existing Operating System on the HDD
- Upgrade: Installing over Server 2003 that is already installed on the HDD.

Bare Metal is the simplest installation possible (and is recommended by Microsoft as the preferred method): pop in the DVD and boot up!

For Globomantics, we'll be doing two bare metal installations of Server 2008 64-bit Enterprise edition. We'll start by installing 2K8 on the first machine. Our hardware is set up and plugged in to the power and the network switch, so let's go!

The Initial Configuration Task List

Back to the basics

The Initial Configuration Task list is sheer hedonistic convenience. It groups together all the common tasks that you have to set up in one convenient place. We will need to:
- Configure Time Zone info
- Configure the network settings for 192.168.5.2 and an initial DNS server.
- Rename the computer to NY-DC1-2K8 and reboot
- Configure Automatic Updates and Feedback
- Configure Remote Desktop
- (Optional) Turn off the ICT from coming back, because it's annoying after set-up.

Installation of Active Directory Domain Services

Now we're ready to set this machine up as a DC

Setting up a Domain Controller has two basic parts:
1. Installing the AD DS Role.
2. Running DCPromo.exe.

Installing the AD DS Role is done from Server Manager using Add Roles. Dcpromo can be run from the link provided in Server Manager after AD DS installation, or from the Search box.

Building the Brain of the Globomantics Network

Passwords

It's a good idea to change the name of your Domain Administrator account and its password for security.

The first password you create is the Local Administrator password, only for this one Server. When you create a domain on your first Server, the Local Administrator Password becomes the Domain Administrator Password for all the machines in your domain!

(Diagram: globomantics.com Forest Root Domain, New York Site, NY-DC1-2K8 at 192.168.5.2)

Building the Brain of the Globomantics Network

So we now have a functional DC and Domain!

(Diagram: globomantics.com Forest Root Domain, New York Site, with NY-DC1-2K8 at 192.168.5.2 and NY-DC2-2K8 at 192.168.5.3)

Setting Up Our Second Domain Controller

Everything we've just done again, only faster this time

(Diagram: NY-DC1-2K8 at 192.168.5.2, which created the Domain globomantics.com, and NY-DC2-2K8 at 192.168.5.3, which will join the Domain globomantics.com; the same hardware on each: 3GHz 64-bit CPU, 4GB RAM, 2 120GB HDDs, Gigabit NIC; both on the Network Switch with the Internet T-1 connection)

We now need to set up our second DC, so here we go again:
1. Install Server 2K8 Bare Metal.
2. Configure the basic stuff using the ICT.
3. Install the AD DS Role binaries.
4. Run DCPromo.

When we run DCPromo this time, we will be adding a Domain Controller to the domain we just created, globomantics.com.

Replication: Can we talk?

Our new DCs need to be friends

DCs need to be able to talk and keep duplicate records in their respective databases. When something changes in the domain, those changes have to be communicated and recorded.

(Diagram: NY-DC1-2K8 and NY-DC2-2K8 talking across the Network Switch)
"Hey, the admin just added three OUs, four user accounts, and renamed one of the old user accounts."
"Got it, I'll record those changes in my copy of the Active Directory database. Here's the changes I've received."
"Great, I'll record your changes, too."

Replication: Can we talk?

Our new DCs need to be friends

The easiest way to check replication:
1. Create a new Organizational Unit in Active Directory Users and Computers on either DC.
2. Go to the command line and type repadmin /syncall.
3. Check the other DC's Active Directory Users and Computers to see if the Organizational Unit shows up there as well.

If it does, your DCs are now BFFs (Best Friends Forever!). You might need to hit F5 to Refresh the screen to see the new items in Server Manager.
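A scripted version of the same three-step check, added here as an example and not taken from the course: it creates a throwaway OU on NY-DC1-2K8, forces a sync with repadmin, asks NY-DC2-2K8 for the OU with dsquery, and removes it again. It assumes the dsadd, dsquery, dsrm and repadmin tools are installed and that it runs with Domain Administrator rights; the DC names and domain are the course's, the script and the test OU name are not.

```batch
@echo off
setlocal
rem Added example, not the course's script: scripted replication check.
rem Assumes dsadd/dsquery/dsrm and repadmin are installed and that it runs
rem as a domain admin (on a DC, or on CL1-NY-VIS with the AD admin tools).

set "DC1=NY-DC1-2K8"
set "DC2=NY-DC2-2K8"
set "DOMAIN_DN=dc=globomantics,dc=com"
rem A random suffix keeps the throwaway OU from colliding with a real one.
set "TESTOU=ReplTest-%RANDOM%"

echo Creating %TESTOU% on %DC1% ...
dsadd ou "ou=%TESTOU%,%DOMAIN_DN%" -s %DC1% -q
if errorlevel 1 (
    echo Could not create the test OU on %DC1%. Check credentials and that AD DS is running.
    exit /b 1
)

echo Forcing replication of all naming contexts, across all sites, pushed from %DC1% ...
repadmin /syncall %DC1% /A /e /P >nul

echo Looking for %TESTOU% on %DC2% ...
rem dsquery prints the OU's DN if it exists; findstr turns that into an errorlevel.
dsquery ou -name "%TESTOU%" -s %DC2% | findstr /i "%TESTOU%" >nul
if errorlevel 1 (
    echo REPLICATION FAILED: %TESTOU% never showed up on %DC2%.
    echo Look at "repadmin /showrepl %DC2%" and "repadmin /replsummary" for the reason.
    set "RC=1"
) else (
    echo OK: %DC2% has %TESTOU%. The DCs are BFFs.
    set "RC=0"
)

rem Remove the test OU on DC1; the deletion replicates to DC2 the same way.
dsrm "ou=%TESTOU%,%DOMAIN_DN%" -s %DC1% -noprompt -q
exit /b %RC%
```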


Building the Brain of the Globomantics Network

So we now have the brain of the network done

(Diagram: globomantics.com, the Forest Root Domain (because it's the very first domain), with the New York Site containing NY-DC1-2K8 at 192.168.5.2 and NY-DC2-2K8 at 192.168.5.3)

Terms You Should Know

- Bare Metal Installation: Installing an OS on a clean hard drive.
- Upgrade Installation: Installing Server 2008 on a machine already running Server 2003.
- Initial Configuration Task List: Convenient list of common tasks to set up Server 2008.
- DCPromo.exe: The wizard that sets up Active Directory and promotes a machine to Domain Controller status.
- NTDS.dit: The database file for Active Directory.
- Sysvol: The shared folder that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain.
- Replication: The process of exchanging and recording changes in Active Directory between Domain Controllers.

What We Covered

After viewing this video, you should be able to:
- Evaluate hardware to determine whether or not it will support Server 2008.
- Describe basic differences between versions of Server 2008.
- Describe what a Bare Metal Installation is.
- Perform a Bare Metal Installation of Server 2008.
- Use the Initial Configuration Task List to:
  - Configure Time and Date
  - Rename a Machine
  - Configure a Static IP Address and DNS for Networking
  - Configure Automatic Updates and Feedback
- Install the Active Directory Domain Services Role.
- Run the DCPromo Wizard to promote a server to Domain Controller status, for both a first and a second domain controller.
- Verify if two Domain Controllers are replicating.
- Force two Domain Controllers to replicate using repadmin /syncall.

Now that our first two DCs are up, in the next video we'll start adding User Accounts for Globomantics, organizing them according to departments, and more!

Welcome to Train Signal

Video 4: Setting Up Remote Desktop on Your Personal Vista Client

Because you don't want to have to go into the Server Room every time you need to do something

Setting up Remote Desktop on Your Vista Client

In this video:
- The DCs Are Up And Running... Now What?
- Why Remote Desktop Is Just Great

The DCs Are Up And Running... Now What?

Time to set up our Vista Client so we can access the servers remotely

You have a Vista machine that you'll be using for everyday tasks, and you can use Remote Desktop to administer Servers without having to be right at the machine.

Because we selected the more secure option when we set up Remote Desktop on the Servers, we have to join the Vista client machine to the Globomantics Domain in order to access DC1 and DC2 from the client machine.

Your mission: Add the Client

In order to make all this work...

You first need to rename the client machine to fit the Globomantics naming convention. The name of the machine needs to become CL1-NY-VIS, and then the machine is rebooted. Then you'll join the client to the Globomantics Domain.

Why Remote Desktop Is Just Great

Why get out of your comfy office chair to go do Server stuff when you can do it from your desk?

Once we have Remote Desktop set up, you can access your Servers just like you're at the machine. Create Remote Desktop Shortcuts and the process is even easier. You're going to create 2 Remote Desktop shortcuts on the Desktop so you can get to DC1 and DC2 easily.

So now that you've added your client to the domain...

This is what our network looks like:

(Diagram: globomantics.com Forest Root Domain, New York Site, with CL1-NY-VIS on a DHCP Address, NY-DC1-2K8 at 192.168.5.2 and NY-DC2-2K8 at 192.168.5.3)

What We Covered

After viewing this video, you should be able to:
- Join a Vista Client to a Domain
- Create Remote Desktop Shortcuts
- Log in to a Server using Remote Desktop

Welcome to Train Signal

Video 5: Creating Organizational Units, User and Computer Accounts, and Groups

Creating the Globomantics Active Directory Structure

In this video:
- The DCs Are Up and Running... Now What? Part 2
- What's an OU Again?
- How About Some Users!
- Creating a Whole Bunch of Users at Once
- Give Me Some Computer Accounts!
- The Difference Between OUs and Groups

The DCs Are Up And Running... Now What? Part 2

Now that we can access DC1 remotely, we populate!

Populate is a fancy word that means put stuff into a space, i.e. add Objects to our Active Directory. We have the Brain of the Globomantics network, but it's not particularly usable yet. We need to add Organizational Units, User Accounts, Computer Accounts, and Groups.

We'll be accessing DC1 via Remote Desktop to add all of our objects, and let replication add them to DC2.

The DCs Are Up And Running... Now What?

The Beginning Globomantics AD Structure: here's what we're going to build
- 4 Groups for Users
- 2 Groups for Computers
- 2 Computer Accounts (the other 23 are on back order)
- The Domain Administrator Account is already created

And they all live together in one big shoe... I mean Domain: everything lives in the Active Directory Database on our Domain Controllers, NY-DC1-2K8 and NY-DC2-2K8, in the globomantics.com Forest Root Domain.

What's an OU Again?

Big Words, Simple Meaning

An Organizational Unit is a container (read: folder) that holds AD Objects like User Accounts, Computer Accounts, and Groups.

(Diagram: one OU holding a User Group and User Accounts, another holding a Computer Group and Computer Accounts)

OUs help to keep your Objects organized, but are also used to control what your Users can and can't do (among other things).

You can also pass the buck by delegating control over OUs.

What's an OU Again?

Two ways to create OUs

The easiest way to create an OU is to use Active Directory Users and Computers. Right-click on the Domain icon, select New, and then Organizational Unit.

You can also create an OU using the command line with this command (the "ou=...,dc=...,dc=..." part is called the Distinguished Name; keep it in quotes so it reaches dsadd as one argument):

  dsadd ou "ou=NameOfOU,dc=YourDomain,dc=YourSuffix"

Ex: dsadd ou "ou=SalesUsers,dc=globomantics,dc=com"

Even better, write a batch script in Notepad:
1. Open up Notepad
2. Type: dsadd ou "ou=%1,dc=YourDomain,dc=YourSuffix" replacing the Domain and Suffix with your domain's.
3. Save the file as addou.bat somewhere convenient.
4. Open up a Command Line box, navigate to the directory where you saved it, and type addou WhateverNameYouWant

What's an OU Again?

We'll start off building a few OUs so our User and Computer Accounts will have a place to live

(Diagram: a parent OU with two Child OUs beneath it)

Keep your OUs for Users and OUs for Computers Separate!

You can create OUs:
- Geographically
- By Function (Departments, etc.)
- ...and a billion other ways!

But remember to KISS (Keep It Simple, Sysadmin!) as much as you're able to!

How About Some Users!

Well, you do want people to log in and use your network, right?

User Accounts allow users to access network resources.

(Diagram: Stock Broker Billy logs in with his User Name and Password; the request to log on is sent to NY-DC2-2K8, which finds Stock Broker Billy's User Account and grants access)
Billy: "Time to make some money! Give me access to stuff!"
NY-DC2-2K8: "Hold up there, Billy, let me see if you have an account in Active Directory!"
NY-DC2-2K8: "Yep, I found it, and it's all good. I'm giving you access to your stuff now."

How About Some Users!

Here's the users we're going to add

Hank Richardson, the CEO of Globomantics, has just sent you an Excel Sheet of 25 names of new employees that will be needing User Accounts. Here they are:

Hank Richardson          Christina Winger
Melanie Halal            Michael Huntt
Joshua Hartson           Lance Binga
Bill Altman              Bill Mosher
Steve Singer             Carol Reagan
Frieda Smith             Shirley Thomas
William Switzer          Jerry Watts
Michael Barber           Alana Childs
George Gibbs             Erin Rose
Jennifer Owens           Todd Booth
Bradley Stewart          Chika Briscoll
Caroline Tooley          Rivena Martin
Paula Turk               Kim Neff

Are you serious? Are we going to right click for these 25 users?

How About Some Users!

Introducing.... DSADD!

Dsadd is a command-line option that will allow you to create users with the keyboard.

Here's the basic command (the "cn=...,ou=...,dc=...,dc=..." part is called the Distinguished Name; keep it in quotes so it reaches dsadd as one argument):

  dsadd user "cn=UserName,ou=OUName,dc=YourDomain,dc=YourSuffix"

Here's what it would look like in real life:

  dsadd user "cn=hrichardson,ou=NYUsers,ou=NewYorkOU,dc=globomantics,dc=com"

Then we add some switches for First Name, Last Name, Password, and Must Change Password when the user first logs in:

  dsadd user "cn=hrichardson,ou=NYUsers,ou=NewYorkOU,dc=globomantics,dc=com" -fn Hank -ln Richardson -pwd P@ssw0rd -mustchpwd yes

How About Some Users!

Let's Do It Fast And Easy!

Open Up Notepad and Type:

  dsadd user "cn=%1,ou=OUName,dc=YourDomain,dc=YourSuffix" -fn %2 -ln %3 -pwd P@ssw0rd -mustchpwd yes

Save it as addOUName.bat in a convenient place. Open up a command line, navigate to the directory where the script lives, and type:

  addOUName tmiller Tonia Miller

Here tmiller replaces %1, Tonia replaces %2, and Miller replaces %3.

Creating a Whole Bunch of Users At Once

Dude, there must be a faster way...

You can create a Batch Script for mass population using Excel. It's even included with this course! Man, that Coach is a great guy!
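An added example of the kind of batch script the Excel sheet produces (this is not Coach's script): it reads a CSV of samid,first,last rows and runs one dsadd user per row, with the whole Distinguished Name quoted as a single argument and the initial password asked for once at run time instead of being hard-coded as P@ssw0rd. The OU path and domain are the course's; the CSV layout, the prompt and the sample rows in the comments are assumptions.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not Coach's script: create users from a CSV laid out as
rem   samid,first,last          (header row, then one user per line), e.g.
rem   hrichardson,Hank,Richardson
rem   tmiller,Tonia,Miller
rem Usage: addusers.bat users.csv
rem Assumes dsadd is available, the script runs as a domain admin, and the
rem OU path below already exists. The CSV layout is an assumption.

set "OU_PATH=ou=NYUsers,ou=NewYorkOU,dc=globomantics,dc=com"
set "UPN_SUFFIX=globomantics.com"

if "%~1"=="" (
    echo Usage: %~nx0 users.csv
    exit /b 1
)
if not exist "%~1" (
    echo CSV file "%~1" not found.
    exit /b 1
)

rem Ask for the initial password once so it is never stored in the .bat or
rem the CSV. It is still typed in the clear on the console; dsadd's own
rem "-pwd *" would hide it but prompts separately for every user.
set /p "INITPWD=Initial password for the new accounts (they must change it at first logon): "
if "!INITPWD!"=="" (
    echo No password given, nothing created.
    exit /b 1
)

set /a CREATED=0, FAILED=0
for /f "usebackq skip=1 tokens=1-3 delims=," %%A in ("%~1") do (
    rem The whole DN is one quoted argument. Unquoted "cn=x, ou=y, dc=z" is
    rem three arguments to dsadd, none of them a valid DN.
    dsadd user "cn=%%A,%OU_PATH%" -samid "%%A" -upn "%%A@%UPN_SUFFIX%" -fn "%%B" -ln "%%C" -display "%%B %%C" -pwd "!INITPWD!" -mustchpwd yes -q
    if errorlevel 1 (
        echo FAILED: %%A ^(already exists, bad CSV row, or password policy rejected it^)
        set /a FAILED+=1
    ) else (
        echo Created %%A ^(%%B %%C^)
        set /a CREATED+=1
    )
)
echo Done: !CREATED! created, !FAILED! failed.
endlocal
```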

Who Let The Computers In Here?

Keeping track of your computers is a really, really good idea (and you don't really have a choice)

Computer Accounts allow AD to keep track of and control the computers in your network. A computer without an Account in AD can't access the network; it's a security thing.

Computer Accounts live in OUs, which will allow you to install software to all machines in an OU at once (among other things).

When you join a computer to a Domain (you'll need Domain Administrator level credentials), a Computer Account is automatically created in AD. After Joining the Domain, you'll have to move your Computer Accounts to the appropriate OU.

You can create accounts manually, but it's not a very good idea.

Who Let The Computers In Here?

So....

You have exactly two Vista machines (since all the rest are on backorder) to use to test out your Active Directory. The first one is already joined (CL1-NY-VIS), since it's the one that you'll be using as your day-to-day machine to access the Servers remotely. Join your other machine to the Domain and then move them both to the NYComputers OU. You'll be using it to test the rest of our network functionality as you proceed.

The Difference between OUs and Groups

Hey! Aren't our Accounts Already in OUs? Aren't they grouped?

No. Here's the difference: OUs keep your objects organized and are used to control what users and computers can and can't do. Groups are Active Directory Objects that allow you to provide and deny access to resources like printers and folders en masse. Groups live in OUs.

The Difference between OUs and Groups

OUs can be used to control what a User Can Do

(Diagram: policy applied to an OU full of users)
Yes, all these users can:
- Save docs to their desktops
- Lock or Hide the Taskbar
No, these users may not:
- Change the Desktop Wallpaper
- Install Software

The Difference Between OUs and Groups

Groups control what a User Has Access To

(Diagram: the SalesUsersGroup alongside four resources: Shared Ops Folder, Shared Sales Folder, Ops Printer, Sales Printer)

The Difference between OUs and Groups

How to Create Groups

Create Groups either from Active Directory Users and Computers (again, the whole Right-Click in an OU thing) or from the command line:

  dsadd group "cn=GroupName,ou=OUName,dc=YourDomain,dc=YourSuffix"

Make it easy: put a %1 in for GroupName and a %2 in for OUName, and save it as a batch script. You know the drill.

Join Users to Groups in Active Directory Users and Computers by Control-Clicking on a bunch of Users, right-clicking on any one of the selected, and selecting Add to Group.

The Difference between OUs and Groups

Globomantics Group Structure

Your user accounts are created and living happily in their OUs. Now, you need to create Groups to prepare for providing access to different resources. You'll add 4 Groups for Users in the NYUsers OU and 2 Groups for Computers in the NYComputers OU.

User Groups: SalesUsers, SalesManagers, OpsUsers, OpsManagers

Computer Groups: StandardComputers, ITComputers

Globomantics Group Structure

And then...

Based on the original Excel sheet Hank sent you, you'll add the appropriate users to the appropriate groups. Also, you'll add your Vista machine, CL1-NY-VIS, to the ITComputers Group, and CL2-NY-VIS to the StandardComputers Group for testing.
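An added example (not the course's own script) that creates the six groups above from the command line with dsadd group and then fills them from a CSV of member,group,kind rows using dsmod group -addmbr, the command-line counterpart of the Add to Group right-click. Group names and OU paths are the course's; the CSV layout and the sample rows in the comments are assumptions.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not the course's script: build the Globomantics group
rem structure with dsadd group, then add members from a CSV laid out as
rem   member,group,kind      (kind is "user" or "computer"; header row skipped), e.g.
rem   tmiller,SalesUsers,user
rem   CL1-NY-VIS,ITComputers,computer
rem Usage: addgroups.bat members.csv
rem Assumes dsadd/dsmod are available, the script runs as a domain admin, and
rem the NYUsers/NYComputers OUs and the accounts already exist. The CSV
rem layout is an assumption.

set "DOMAIN_DN=dc=globomantics,dc=com"
set "USERS_OU=ou=NYUsers,ou=NewYorkOU,%DOMAIN_DN%"
set "COMPUTERS_OU=ou=NYComputers,ou=NewYorkOU,%DOMAIN_DN%"

rem Global security groups (-secgrp yes -scope g). A failure here usually
rem just means the group is already there, so report it and carry on.
for %%G in (SalesUsers SalesManagers OpsUsers OpsManagers) do (
    dsadd group "cn=%%G,%USERS_OU%" -secgrp yes -scope g -samid %%G -q
    if errorlevel 1 (echo %%G: not created ^(already exists?^)) else (echo Created group %%G)
)
for %%G in (StandardComputers ITComputers) do (
    dsadd group "cn=%%G,%COMPUTERS_OU%" -secgrp yes -scope g -samid %%G -q
    if errorlevel 1 (echo %%G: not created ^(already exists?^)) else (echo Created group %%G)
)

if "%~1"=="" (
    echo Groups done. Pass a CSV ^(member,group,kind^) to add members.
    exit /b 0
)

rem dsmod group -addmbr is the command-line version of "Add to Group".
rem Member and group DNs are built under the OU that matches the kind.
for /f "usebackq skip=1 tokens=1-3 delims=," %%A in ("%~1") do (
    if /i "%%C"=="computer" (
        set "MEMBER_DN=cn=%%A,%COMPUTERS_OU%"
        set "GROUP_DN=cn=%%B,%COMPUTERS_OU%"
    ) else (
        set "MEMBER_DN=cn=%%A,%USERS_OU%"
        set "GROUP_DN=cn=%%B,%USERS_OU%"
    )
    dsmod group "!GROUP_DN!" -addmbr "!MEMBER_DN!" -q
    if errorlevel 1 (echo FAILED: %%A into %%B) else (echo Added %%A to %%B)
)
endlocal
```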

Terms You Should Know

Here's some IT vocabulary you need to know:
- User Account: An Active Directory Object that allows Users to access network resources.
- Computer Account: An Active Directory Object that allows AD to have a security relationship with a computer, and allows you to control what that computer does on the network.
- Organizational Unit: An Active Directory Object that provides a place for User Accounts, Computer Accounts, and Groups to live. Also provides control over what those computers and users can and can't do.
- Group: An Active Directory Object that allows or denies access to network resources (like folders and printers) for Users and Computers.
- Batch Script: A text file containing commands that has .bat as the suffix to the file name.
- Distinguished Name: The name of an Object as it appears in the Active Directory Database.

So now we have this...

This is what our network looks like now

(Diagram: globomantics.com Forest Root Domain with NY-DC1-2K8 and NY-DC2-2K8, holding 4 Groups for Users, 2 Groups for Computers, 2 Computer Accounts, and the already-created Domain Administrator Account)

What We Covered
Train Signal, Inc. Coach Culbertson

After viewing this video, you should be able to:

Create Organizational Units and Groups In Active Directory Users and Groups Create User Accounts : In Active Directory Users and Groups Using the dsadd command line option Using a batch script Create a bunch of User Accounts using a Batch Script made with Coachs Excel Sheet User Batch Script Creator Add a Computer Account by joining a Vista client to the Domain. Manually Create a Computer Account (which is a bad idea).

What We Covered

After viewing this video, you should be able to:

- Add Users and Computers to Groups using Active Directory Users and Computers
- Move Active Directory Objects to different OUs

Now that we have some OUs, User Accounts and Groups, we'll start using those OUs and Groups in the next two videos to provide control over your network!


Welcome to Train Signal

Video 6 - Sharing Stuff On Servers

Setting up Shared Folders and Printers, Mapping Drives, and Wrestling with Permissions

Sharing Stuff on Servers

In this video:

- Setting up a Member Server
- Creating Shared Folders
- NTFS vs. Share Level Permissions
- Mapping a Shared Drive
- Creating and Sharing a Printer

Setting Up A Member Server

Time to add another Server

We set up User Accounts and added them to Groups so that we could control who had access to what shared folders and printers.

Now we need to create the Shared Folders and Printers for each of the different departments. Here's what we'll be building (diagram):

NEW SERVER! NY-MEM1-2K8
- IP: 192.168.5.4
- 512MB RAM
- 2 GHz 32-bit CPU
- 2 x 120GB HDDs
- Gigabit NIC
- 32-Bit Server 2K8 Standard Edition
- MEM1 will be joining the Globomantics Domain.

Shared folders: SalesDocs (Mapped as S:), SalesManagers (Shared), GeneralOps (Mapped as O:), OpsManagers (Shared)
Printers: OpsLaser, SalesLaser, ManagersInkjet


Setting Up A Member Server

First, we build another Server

It's best practice not to share folders for everyday work on a Domain Controller; it already has enough work to do.

On our new Server, we'll be preparing the second HDD for File and Folder sharing by partitioning and formatting it into two 60GB partitions, one for Ops, one for Sales.

We'll also need to ensure that File Sharing is enabled on MEM1.


Creating Shared Folders

Next up: Making the actual Folders

You can create and share Folders using Windows Explorer, but there's a new Share and Storage Management MMC that gives us a more comprehensive experience.

Here's the folders we'll create:

- SalesDocs on E:
- SalesManagers on E:
- GeneralOps on F:
- OpsManagers on F:

Creating Shared Folders

We can set up Share Level Permissions while we're creating the folders

Full Control - Do I really need to explain this?

Change - Able to add files, delete files, add folders, and delete folders all in the parent Folder, but can't change the Folder itself.

Read - A user can't add or delete anything in the Folder, just read what's there.

You can Deny or Allow these three types of Share Permissions. Permissions can be set for whole Groups or for individual User Accounts.

Deny is always Strongest!!!! Use sparingly!


Creating Shared Folders

Share Permissions - Folder Level Only

Share Level Permissions only work at the Folder Level. All files in the Folder inherit the permissions from the Folder.

Example (diagram): SalesDocs
Share Permissions: Full Control to all members of SalesUsers and SalesManagers
All Sales staff get Full Control over All Files in SalesDocs

Creating Shared Folders

Here's the Permissions to set on the individual Folders that you'll be creating on MEM1:

SalesDocs on E:
- Read and Change for SalesUsers and SalesManagers
- Read-Only for OpsUsers and OpsManagers

SalesManagers on E:
- Read and Change for only SalesManagers
- Deny All for SalesUsers
- Deny All for OpsUsers
- Read-Only for OpsManagers

OpsManagers on F:
- Read and Change for only OpsManagers
- Deny All for OpsUsers and SalesUsers
- Read-Only for SalesManagers

GeneralOps on F:
- Change and Read for OpsUsers and OpsManagers
- Read-Only for SalesUsers and SalesManagers

Creating Shared Folders

A Good Idea That Could Go Very Wrong

We want SalesManagers to have access to everything the SalesUsers do, but not vice versa.

We can make the SalesManagers group a member of the SalesUsers Group.

(Diagram: SalesDocs folder, Mapped as S:; SalesManagers folder, Shared; SalesUsers Group; SalesManagers Group.)

SalesManagers, as a Member of SalesUsers, has access to SalesDocs. But SalesUsers will NOT have access to the SalesManagers folder.


Share Level vs. NTFS Permissions

Be careful not to block access from other Groups that need it!

If we Deny Access to SalesUsers and SalesManagers is a member of the SalesUsers Group, then SalesManagers is also Denied Access.

Sometimes making Groups members of other Groups is a good idea, sometimes it's not.

(Diagram: SalesDocs folder, Mapped as S:; SalesManagers folder, SalesUsers Denied Access; SalesUsers Group; SalesManagers Group.)

Because SalesManagers is a member of SalesUsers, if SalesUsers is denied access, SalesManagers will be, too, as Deny overrides everything else. So this is a bad idea this time!

Share Level vs. NTFS Permissions

Let's control access to individual Files now.

We can use NTFS Permissions on individual Files and Folders inside the Shared Folder SalesDocs:

Share (SMB) Permissions on SalesDocs: Read and Change Permissions to all members of SalesUsers and SalesManagers

Inside SalesDocs: Handbook, Sales Budget, Sales Training, Sales Reports PowerPoint Folder

SalesUsers can have NTFS Read-Only Permissions to these three files and this one folder... ...but Read and Change Share Permissions on all the rest of the files in SalesDocs.

Coach's Suggestion: Always start out with the least restrictive Share Level Permissions and then get more restrictive inside the folder with NTFS Permissions.

Share Level vs. NTFS Permissions

Let's Talk Inheritance (and no, you're not getting any money on this one)

When you create Files and Folders inside of Folders (Parent Folder), those new Files and Folders initially inherit the permissions from the Parent folder.

(Diagram)
Parent Folder: Read and Change Permissions to all members of SalesUsers and SalesManagers
  ChildFolder: Read and Change Permissions to all members of SalesUsers and SalesManagers
  File (Child): Read and Change Permissions to all members of SalesUsers and SalesManagers


Share Level vs. NTFS Permissions

But you can Block Inheritance of Permissions with NTFS Permissions for Folders AND Files for really specific control of who gets to do what inside that folder!

(Diagram)
Parent Folder: Read and Change Permissions to all members of SalesUsers and SalesManagers
  ChildFolder: Read Only Permissions for SalesUsers; Full Control for SalesManagers
  File (Child): Read Only Permissions for SalesUsers; Full Control for SalesManagers

Share Level vs. NTFS Permissions

Hank's Files and the Sales Reports Folder

Hank has emailed you three files that SalesManagers will need Full Control over, but SalesUsers should have Read-Only Access to. You've put them in the SalesDocs folder already, but now you need to apply appropriate NTFS permissions to the files so that SalesUsers can't change them.

Hank also wants a SalesReports folder that members of SalesManagers have Full Control over, but SalesUsers can also Read-Only.

Make it all happen with NTFS Permissions. (Hint: Block Inheritance and Use Inheritance!)

Share Level vs. NTFS Permissions

Here's the Rules you need to remember

- Share Level Permissions work at the folder level.
- NTFS Permissions work at the Folder AND at the File Level.
- Documents inside Shared Folders inherit the Permissions (Share Level or NTFS!) of the Folder unless you stop the inheritance directly and apply new Permissions.
- When you move Shared folders, you lose the Share Level Permissions.
- When you move Folders and Files that have NTFS Permissions, they may keep their Permissions OR inherit the Permissions of the folder they go to live in.
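The rules above, the nested-group Deny on the SalesManagers share, and the NTFS tightening inside SalesDocs all come down to one evaluation procedure, so here is an added Python model of it (not course material, and a simplification of what Windows does). It follows the Windows ordering that matters here: inside an ACL, Deny entries are checked before Allow entries; an object's own (explicit) entries are checked before inherited ones; a first match decides each right; and access through a share is whatever both the share ACL and the NTFS ACL allow. The folder, group and user names are taken from the course; which user sits in which group is assumed.

```python
"""Share vs. NTFS permission evaluation with nested groups and inheritance.

Added example, not course material. Folders, groups and ACLs mirror the
Globomantics scenario; the rules are the Windows ones in simplified form:
Deny before Allow within an ACL, explicit before inherited entries, and
access through a share is the intersection of share and NTFS rights.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# What each permission level grants; "All" is the slides' "Deny All".
RIGHTS = {"Read": {"read"}, "Change": {"read", "write"},
          "Full": {"read", "write", "full"}, "All": {"read", "write", "full"}}


@dataclass
class Ace:
    trustee: str        # user or group name
    level: str          # key of RIGHTS
    allow: bool = True  # False means Deny


@dataclass
class Folder:
    name: str
    aces: List[Ace] = field(default_factory=list)   # NTFS ACL set on this object
    block_inheritance: bool = False                 # stop inheriting NTFS ACEs from the parent
    parent: Optional["Folder"] = None
    share: Optional[List[Ace]] = None               # share-level ACL, if the folder is shared


def expand_groups(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """All groups a principal belongs to, following group-in-group nesting."""
    found: Set[str] = set()
    stack = [principal]
    while stack:
        current = stack.pop()
        for group, members in groups.items():
            if current in members and group not in found:
                found.add(group)
                stack.append(group)
    return found


def deny_first(aces: List[Ace]) -> List[Ace]:
    """Canonical order inside one ACL: Deny entries before Allow entries."""
    return [a for a in aces if not a.allow] + [a for a in aces if a.allow]


def ntfs_chain(folder: Folder) -> List[Ace]:
    """Explicit ACEs first, then inherited ACEs from each ancestor, stopping
    at the first object that blocks inheritance."""
    chain: List[Ace] = []
    node: Optional[Folder] = folder
    while node is not None:
        chain += deny_first(node.aces)
        if node.block_inheritance:
            break
        node = node.parent
    return chain


def evaluate(aces_in_order: List[Ace], identities: Set[str]) -> Set[str]:
    """The first matching ACE decides each right; later entries cannot undo it."""
    decided: Dict[str, bool] = {}
    for ace in aces_in_order:
        if ace.trustee in identities:
            for right in RIGHTS[ace.level]:
                decided.setdefault(right, ace.allow)
    return {right for right, allowed in decided.items() if allowed}


def effective_access(user: str, target: Folder, share: Folder,
                     groups: Dict[str, Set[str]]) -> Set[str]:
    """Rights `user` ends up with on `target` when reaching it through `share`."""
    identities = {user} | expand_groups(user, groups)
    share_rights = evaluate(deny_first(share.share or []), identities)
    ntfs_rights = evaluate(ntfs_chain(target), identities)
    return share_rights & ntfs_rights


# Constructed scenario: group names from the course, memberships assumed.
GROUPS = {"SalesUsers": {"LBinga", "SalesManagers"},   # SalesManagers nested in SalesUsers
          "SalesManagers": {"hrichardson"}, "OpsUsers": {"JOwens"}}
# E:\SalesDocs: least restrictive share ACL (Change for Sales, Read for Ops)
SALES_DOCS = Folder("SalesDocs",
    aces=[Ace("SalesUsers", "Change"), Ace("SalesManagers", "Change"), Ace("OpsUsers", "Read")],
    share=[Ace("SalesUsers", "Change"), Ace("SalesManagers", "Change"), Ace("OpsUsers", "Read")])
# Handbook inside SalesDocs: inheritance blocked, tightened with NTFS
HANDBOOK = Folder("Handbook", parent=SALES_DOCS, block_inheritance=True,
                  aces=[Ace("SalesUsers", "Read"), Ace("SalesManagers", "Full")])
# E:\SalesManagers: the slides' "Deny All for SalesUsers" on the share
SALES_MGRS = Folder("SalesManagers", aces=[Ace("SalesManagers", "Change")],
                    share=[Ace("SalesUsers", "All", allow=False), Ace("SalesManagers", "Change")])
```

effective_access("hrichardson", SALES_MGRS, SALES_MGRS, GROUPS) comes back empty: the Deny All on SalesUsers is matched first and his nested SalesManagers membership never gets a say, which is exactly the "good idea gone wrong" slide. Remove the nesting and he gets read and write back. The Handbook case shows the other half of the rules: SalesUsers drop to read only because the file's own NTFS entries beat the inherited ones, while hrichardson has Full Control at the NTFS level but still only read and write through the share, because the share ACL caps the result.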


Mapping a Shared Drive

Making Stuff Easier to Find

Most Shared Drives or Mapped Drives are just Shared Folders that we assign a Drive Letter to so they're easier to find. You'll map your two main department folders as below:

- SalesDocs mapped as S:
- GeneralOps mapped as O:

Make sure that Hank's account can access both Mapped Drives.

Creating and Sharing Printers

The Difference Between Printers and Print Devices

A Printer is software. A Print Device is hardware. You need to have a Printer in order to use a Print Device.

Once you have Printers, you can use them to control who has access to which Print Device.

Creating and Sharing Printers

Here's What You're Going to Build Next

You have three print devices - two Laser and one Inkjet. You will create a Printer for each of the devices, and then assign Permissions as displayed below:

SalesLaser
- SalesUsers can Print
- SalesManagers can Print and Manage
- Ops Groups can't access

OpsLaser
- OpsUsers can Print
- OpsManagers can Print and Manage
- Sales Groups can't access

ManagersInkjet
- SalesManagers can Print
- OpsManagers can Print
- Users Groups can't access
- Only SuperCoach can manage


What Globomantics.com looks like now

(Diagram)
globomantics.com - Forest Root Domain
Domain Controllers: NY-DC1-2K8, NY-DC2-2K8
Member Server NY-MEM1-2K8 hosting SalesDocs (Mapped as S:), SalesManagers (Shared), GeneralOps (Mapped as O:), OpsManagers (Shared), and the printers SalesLaser, OpsLaser and ManagersInkjet
4 Groups for Users
2 Groups for Computers
2 Computer Accounts: CL1-NY-VIS, CL2-NY-VIS
SuperCoach Administrator

Terms You Need To Know

Here's the Critical Jargon from this video:

Member Server - A Server that is not a Domain Controller but is joined to the domain and has a particular job/Role.

Share Permissions - Permissions that only apply at the Folder level and are inherited by all the files inside (unless NTFS permissions are applied!)

NTFS Permissions - Permissions that apply to both Folders AND Files.

Partition - A section of a Hard Drive.

SMB - Server Message Block - A Protocol used for Share Permissions on a Folder.

Mapped Drive - Usually a Shared Folder that has been assigned a Drive Letter so that it can be found easily.

What We Covered

After viewing this video, you should be able to:

- Partition and format a Hard Drive on Server 2K8 via Disk Management
- Create Shared Folders and assign Share Permissions to Groups via the Share and Storage Management MMC
- Describe the differences between Share and NTFS Permissions
- Assign NTFS Permissions to Files and Folders
- Map Shared Drives
- Create and Assign Share Permissions to Printers


Coming Up Next

In the next video, we'll start using our OUs to apply Group Policy in order to make sure our users can't break stuff (or, at least, less stuff)!

Welcome to Train Signal

Video 7 - Get Your Control Freak On!

Starting to Control What Your Users Can and Can't Do Through Group Policy

Get Your Control Freak On!

In this video:

- What are we building today, Coach?
- What is Group Policy?
- Setting Up Coach's Fave Four Policies


What Are We Building Today, Coach?

We're locking down the Desktops!

Good news! The other 23 desktop machines finally came in and your new assistant Jamie has set them all up and joined them all to the domain. Now, we need to start thinking about locking down what users can and can't do on their desktop machines. You want to ensure that:

- All desktop wallpaper is the same on every machine
- Users cannot access the Display Control Panel
- Users cannot install software
- Users cannot attach Removable Drives (USB sticks, MP3 players, etc.)

To make this happen efficiently, we'll use Group Policy Objects in Active Directory.

What's a Group Policy Object?

Group Policy Objects give you control over what Users and Computers can do, but a lot more!

A Group Policy Object (GPO) contains Settings that can be configured to control what's happening with Users and Computers. There are literally thousands of different Settings that can be configured inside of each GPO.

GPOs are used with Containers (Domains, Sites, and OUs), but are not applied to Groups (but Groups can play a part!)

Then why is it called Group Policy?????

What's a Group Policy Object?

Local vs. Domain

Every Windows computer has a Local Group Policy to control what can be done on it and what is restricted, but you don't want to go around to all the computers in your Domain and configure all the settings manually. You'll want to join the rest of the world and administer Group Policy from Active Directory.

You can configure each computer separately using Local Policy... ...or configure all your machines at once from the comfort of your desk!

Because there's nothing like going to 25 separate machines and making 26 modifications on each one (ugh!)


What's a Group Policy Object?

Creating and Linking GPOs

We can create a Group Policy Object easily, but then we have to link it to the appropriate Container (usually an OU) before it takes effect on the Users and/or Computers. A single GPO can be linked to multiple Containers so you can re-use it over and over.

Links are Active Directory Objects, too!

What is a Group Policy Object?

GPOs can be linked at different levels

- At the Domain Level, everything in the Domain is affected
- At the OU level, everything in the OU is affected
- We normally don't apply GPOs at the Site level, but we can.

What is a Group Policy Object?

...and for two different kinds of objects

Group Policy has two sides: Users and Computers. While you can configure settings for both sides in any one GPO, we generally don't (this is why we separate Users and Computers into separate OUs). Each side of Group Policy has Policies and *NEW* Preferences. Generally, we create separate GPOs for Users and Computers.


What is a Group Policy Object?

All you GPOs, get in the right order!

Group Policy Settings are applied in a very specific order:

1. Local Computer Policy
2. Site Policy
3. Domain Policy
4. OU Policy

Remember it this way: L-S-D-OU. Also: The Last One Wins.

Setting Up Coach's Fave Four Policies

Here we go...

You need to ensure that User Accounts are restricted in the following fashion:

- All desktop wallpaper is the same on every machine and cannot be changed
- Users cannot access the Display Control Panel
- Users cannot install software
- Users cannot attach Removable Drives (USB sticks, MP3 players, etc.)

You'll create a single Group Policy Object with these settings on the User side, apply it to the NYUsers OU, and then test it out with the LBinga account.

Terms You Should Know

And now, Vocabulary!

Group Policy Object - An Active Directory Object that allows you, the Administrator, to control what Users can do on computers via Settings (or Policies). A.K.A. GPO

Link - An Active Directory Object that allows a GPO to affect a particular Container (like an entire Domain or just an OU)

L-S-D-OU - The Processing Order in which GPOs are applied

GPMC - The Group Policy Management Console, where we do all the Group Policy work.

Local Computer Policy - The Group Policy that resides on a local Computer that only affects that particular computer.


What We Covered

After Watching This Video, You Should Be Able To:

- Create and Link a Group Policy Object to an OU
- Apply Settings in a GPO to lock down the User's ability to:
  - Change the Desktop (i.e. set the Wallpaper and make sure the User can't change it)
  - Use the Display Control Panel
  - Attach a USB drive or other Removable Storage Device
  - Install Software (remember: UAC for Vista!)
- Describe the order in which Group Policy Objects are processed
- Describe what Containers you can Link a GPO to

Welcome to Train Signal

Video 8 - How to Make Your Boss Mad and then Fix it Really Fast

Setting up your Organizational Units for Better Group Policy Implementation, Security Filtering for GPOs using Groups, and Making Your Boss Happy Again.

How to Make Your Boss Mad and then Fix it Really Fast

In this video:

- What Are We Building Today, Coach?
- Hank is ANGRY!
- A Little Reorganization


What Are We Building Today, Coach?

Our Active Directory Structure from our last episode... (diagram)

GPO Link
5 Groups for Users
25 Computer Accounts; StandardComputers; ITComputers
SuperCoach Administrator

What Are We Building Today, Coach?

...and how it will look after this one! (diagram)

GPO Link
User OUs/Groups: ITUsers, hrichardson, SalesManagers, SalesUsers, Executives, OpsUsers, OpsManagers
25 Computer Accounts; StandardComputers; ITComputers
SuperCoach Administrator

Hank is ANGRY!

Uh-Oh...

Hank is really mad that he can't set a picture of his favorite horse as the Desktop Wallpaper, and he's threatening to fire you if you don't get it fixed fast. You need to make sure Hank's user account is exempted from the Desktop Lockdown policy you just set up. Also, your assistant Jamie doesn't like being locked down either; fix it!


A Little Reorganization

Sometimes we may need to reorganize a bit...

Since GPOs are applied at the OU level, we may need to separate out Users and/or computers into separate OUs for different rights and restrictions. Since the Globomantics OU structure is very basic, we have some options:

- We can separate our users into separate OUs and apply different GPOs to each
- We can separate our users into separate OUs inside of NYUsers and Block Inheritance for certain OUs for a particular Group Policy Object.
- We can use Security Filtering to exempt certain User Accounts and/or Groups from having a GPO applied to them.

A Little Reorganization

Option 1: We can separate out our Users into Child OUs and Link Separate GPOs to each OU

(Diagram: one Link per department OU.) Each GPO has settings appropriate for each department.

A Little Reorganization

Option 2: We can separate our users into separate OUs inside of NYUsers and Block Inheritance for certain OUs for a particular Group Policy Object.

(Diagram: DesktopLockdown is Linked at the parent OU and shows as Inherited in the child OUs, except where Block Inheritance is set.)

All Users in Executives will NOT get the settings from DesktopLockdown... ...unless DesktopLockdown is Enforced. Enforced DesktopLockdown Breaks Through!


A Little Reorganization

Option 3: We can use Security Filtering to exempt certain User Accounts and/or Groups from having a GPO applied to them.

(Diagram: one Link at the parent OU; groups SalesManagers, OpsManagers, SalesUsers, OpsUsers, ITUsers, Executives.)

If we use Security Permissions to Deny the Read and Apply Group Policy permissions, these two groups (SalesManagers and OpsManagers in the diagram) can be exempt from the policy, even if the Policy is Enforced!

A Little Reorganization

We'll fix it using a combination of techniques

We can still use DesktopLockdown for all our users, but we'll use Security Filtering and the Delegation Tab in the GPMC to exempt the Executives and ITUsers Groups from having it applied. In order to use Group Policy more efficiently in the future, we should break our users out into separate OUs.

(Diagram: DesktopLockdown Linked at NYUsers. ITUsers Group: Deny Read and Apply DesktopLockdown Group Policy. Executives Group: Deny Read and Apply DesktopLockdown Group Policy. All other users will be affected by DesktopLockdown through Inheritance!)

Terms You Should Know

Look, it's more vocabulary!

Security Filtering - Using Security Permissions on a Group Policy Object to determine which Users or Groups in an OU get affected by its settings.

Enforce - A property of a Group Policy object that breaks through Block Inheritance and overrides any other conflicting GPOs.

Group Policy Inheritance - Similar to Folder Inheritance, Users and Computers inherit Group Policy settings through OUs.


What We Covered

After viewing this video, you should be able to:

- Rearrange Users, Groups, and Organizational Units.
- Use the GPMC to apply Security Filtering to include and exempt Groups from Group Policy.
- Block Inheritance of Policies for an OU.
- Use the GPMC to see what Group Policy Objects are being inherited by an Organizational Unit.
- Make your boss happy by ensuring that his/her account is not locked down, but everyone else's is.

Welcome to Train Signal

Video 9 - Make Your Life Easier with Computer Policies and Preferences

Locking down Machines at the Computer Level and Mapping Drives with Group Policy Preferences

Make Your Life Easier with Computer Policies and Preferences

In this video:

- The Computer Side of Group Policy
- Mapping Network Drives with Preferences


The Computer Side of Group Policy

Oh, and by the way...

Hank is seriously thinking about implementing the hoteling concept, in which users don't have regular machines. Instead, he wants his sales reps out in the field doing house calls. You need to make sure that all the machines have a standard policy no matter who's at them, with the exception of your machine, Jamie's machine, and Hank's machine.

The Computer Side of Group Policy

And now for something not so different...

Now that you have set up your User Policies, it's time to further lock down the computers themselves. You'll separate out your computers into two OUs, Standard and Privileged, then create a new GPO to apply to only the StandardComputers.

(Diagram)
Standard OU (GPO Linked): CL4 through CL25, plus CL2-NY-VIS. We'll leave CL2 in the Standard OU for testing, but move it later.
Privileged OU (will have no GPO Linked): CL1 through CL3

The Computer Side of Group Policy

And now time for another BFO!

User Policy follows the user to whatever computer that User logs into. (Diagram: LBinga logging on to CL3-NY-VIS, CL4-NY-VIS, CL5-NY-VIS and CL6-NY-VIS.)

Computer Policy stays with the computer no matter who logs on to it. (Diagram: LBinga, hrichardson and JOwens all logging on to CL3-NY-VIS.)


The Computer Side of Group Policy

And now to add our Policy Settings to ComputerLockdown

Here are the policies we'll set for the StandardComputers through our new ComputerLockdown GPO:

- Turn off the Windows Sidebar (because it's annoying)
- Turn off that Welcome screen that keeps popping up (because it's annoying, too)
- User Account Control (really more as a safety precaution)
- Turn on Loopback Processing to ensure that whoever logs on to the machine always gets this policy applied to them.
- Ensure that any Local Group Policies do not run (because they may interfere with our Domain/OU policies; again, a precautionary measure)

The Computer Side of Group Policy

Loopback Processing - User vs. Computer Policy Showdown!

Here's how it works (cartoon):

The User Policy: "I have User Settings, and I travel with LBinga wherever he logs in!"

The Computer Policy on CL3-NY-VIS: "Oh yeah? Well I have User Loopback Processing! My User Settings override or add to your settings, even though LBinga's account isn't even in the OU I'm linked to! Woo-Hoo! I win!"

The User Policy: "Aw, man! Darn you Loopback Processing!"
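To make the cartoon concrete, here is an added Python model (not course material) of what a user actually receives at logon with loopback off, in Merge mode, and in Replace mode, tracking which GPO supplied each setting the way a resultant-policy report would. The GPO, OU, user and computer names follow the course; the user-side setting names and values are constructed, and the model assumes ComputerLockdown carries user-side settings, which is what loopback is for.

```python
"""Loopback processing: which user-side settings a user gets on a given computer.

Added example (not course material). GPO, OU, user and computer names follow
the course; the setting names and values are constructed.
"""
from typing import Dict, List, Optional, Tuple

Gpo = Tuple[str, Dict[str, str]]      # (GPO name, its user-side settings)


def last_wins(gpos: List[Gpo]) -> Dict[str, Tuple[str, str]]:
    """Fold a processing list into setting -> (value, GPO that supplied it)."""
    result: Dict[str, Tuple[str, str]] = {}
    for name, settings in gpos:
        for key, value in settings.items():
            result[key] = (value, name)
    return result


def user_settings_at_logon(user_ou_gpos: List[Gpo], computer_ou_gpos: List[Gpo],
                           loopback: Optional[str]) -> Dict[str, Tuple[str, str]]:
    """
    user_ou_gpos:     GPOs that apply to the USER's OU chain (processing order)
    computer_ou_gpos: GPOs that apply to the COMPUTER's OU chain
    loopback:         None (off), "merge" or "replace"
    Without loopback the computer's GPOs contribute no user-side settings at all.
    """
    if loopback is None:
        return last_wins(user_ou_gpos)
    if loopback == "replace":
        return last_wins(computer_ou_gpos)
    if loopback == "merge":
        # the computer's list is processed after the user's, so it wins conflicts
        return last_wins(user_ou_gpos + computer_ou_gpos)
    raise ValueError(f"unknown loopback mode {loopback!r}")


# Constructed scenario: LBinga (NYUsers OU) logs on to CL3-NY-VIS (StandardComputers OU)
USER_SIDE_FOR_LBINGA: List[Gpo] = [
    ("DesktopLockdown", {"wallpaper": "globomantics.bmp", "display_cpl": "hidden"}),
    ("MappedDrives", {"drive_S": r"\\NY-MEM1-2K8\SalesDocs"}),
]
USER_SIDE_FOR_CL3: List[Gpo] = [
    ("ComputerLockdown", {"sidebar": "off", "welcome_center": "off", "wallpaper": "kiosk.bmp"}),
]

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, user_settings_at_logon(USER_SIDE_FOR_LBINGA, USER_SIDE_FOR_CL3, mode))
```

Merge is the mode that matches the cartoon: LBinga keeps his mapped drive and the hidden Display control panel, but the computer's wallpaper and sidebar settings win. Replace drops everything from his own OU, including the mapped drive, which is the usual surprise when Replace is chosen for a shared machine.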

Mapping Network Drives with Preferences

We've done something old, now time for something new!

Group Policy Preferences allow us to do a lot of useful tasks that previously required scripts. There are Preferences for both User and Computer sides of a Group Policy Object. Better yet, they're very easy to set up and use!


Mapping Network Drives with Preferences

Mapping Drives for Users just got a lot easier!

Since we have Network Drives (i.e., Shared Folders) that we want everyone to have access to, we can map those drives for our Users so that when they log on, they're already there in My Computer. We'll create a new GPO just for the Mapped Drives and link it to the NYUsers OU and let Inheritance push it down to the other Child OUs inside of it.

(Diagram: the GPO is Linked at NYUsers and Enforced, just in case somebody Blocks Inheritance later; each child OU shows it as Inherited.)

Time to Wrap Up!

So now our Active Directory network looks like this (diagram):

User OUs/Groups (GPO Linked): SalesUsers, ITUsers, SalesManagers, hrichardson, Executives, OpsUsers, OpsManagers
Computer OUs (GPO Linked): ITComputers, StandardComputers
SuperCoach Administrator

Critical Vocabulary

More Big Words!

Enforce - A setting on a Group Policy Link that breaks through Block Inheritance and overrides any conflicting policies.

Loopback Processing - A Group Policy setting that forces the application of a GPO regardless of who is logged in to a computer.

Group Policy Preferences - Settings in a Group Policy Object that expand Group Policy's ability to map drives for Users, place files and create folders on managed client machines, etc.

Mapped Drive - A shortcut to a shared folder (or shared hard drive) on the network that shows up in My Computer.


What We Covered

After viewing this video, you should be able to:

- Create new OUs and move appropriate Computer Accounts into them.
- Create and Link a GPO object to an OU (I know, we've already done this)
- Use the Computer Side of Group Policy to:
  - Turn off the Vista Sidebar and Welcome screen
  - Set up Loopback Processing on Computers to ensure that Settings applied to Computers replace/merge/override any User settings from other GPOs
  - Ensure that UAC is enabled on Vista
  - Ensure that Local Computer Policies DO NOT run on Vista Machines in our network.

What We Covered

After viewing this video, you should be able to:

- Use Group Policy Preferences on the User's side of a Group Policy Object to Map Drives (shared folders) for all users
- Enforce a Group Policy to ensure that it is applied even if a Block Inheritance setting is applied to an OU

Welcome to Train Signal

Video 10 - How to Push Software Onto a Lot of Machines Without Getting Up From Your Desk

Using Group Policy Objects to Install Software and Adjusting Group Policy that affects Group Policy at the Domain Level.


How to Push Software Onto a Lot of Machines Without Getting Up From Your Desk

In this video:

- You Are Here: A Quick Look at What We've Built
- Create a GPO for Software Installation
- When does all this Group Policy Stuff actually take effect?

You Are Here: A Quick Look at What Weve Built



Create a GPO For Software Installation

Would you like to view PDFs? Of course you would!

So Hank went to a basketball game last night and ended up sitting next to a guy who works for a software company that produces a lightweight PDF reader. Since you haven't yet installed any PDF reading software, Hank wants you to install the PDF reader from his new friend's company on all the client machines in the Globomantics network. Do you:

A. Walk around with a CD or USB stick to every one of your 25 client machines, log in with an administrator account and install it manually? (Do you really have that much time on your hands?)

B. Put the software on a Shared folder and provide instructions for all employees on installing it when they figure out they need it? (Are you insane? No no no! Users can't install software anyway!)

C. Post the software on a Shared Folder and then create a Group Policy Object that will install the software the next time the machine restarts?


Create a GPO For Software Installation

What you need for a Software Installation GPO

- An .msi file for installation. Try to get an .msi version of a software package if at all possible. You can't just install .exe files without repackaging them into .msi. There are several .msi packaging utilities out there if you need them. There is an alternative installation package called a Zap package; I don't recommend it.
- A Shared folder for the software to live in that all your Users and Computers have at least Read access to.
- A new GPO linked to the appropriate OU.

Create a GPO For Software Installation

You can set up a Software Installation GPO for Users or Computers

If you set it up for specific Users or User Groups, you can Publish the software so they can install it on demand. You can also Assign the software so it installs on the next client restart.

If you set up the GPO on the Computers side, you can't Publish; only Assign.

Use your best judgment based on who needs the software and when picking which side of a GPO to use for Software Installs.

Create a GPO For Software Installation

So what now?

Hank's new buddy has sent you the .msi file that you can use for your Software Installation GPO. You decide to install it on every client computer since PDFs are a universal standard. So now all you have to do is:

1. Create a new Shared folder on NY-MEM1-2K8 named Software.
2. Create a folder inside Software named Foxit and put the Foxit .msi package there. (Note: Always create new folders for each software package to make the process nice and easy!)
3. Create a new GPO and link it to the NYComputers OU. Name it FoxitInstall.
4. In the Computers section of the GPO, we'll go to the Software Settings under Policies to get to the Software Installation settings.
5. Create a new Package by right-clicking and selecting New Package.
6. Select the .msi file and select any Options.
7. Run gpupdate /force from the Server (or wait for the Refresh Interval).
8. Have your users reboot their client machines.


When does all this Group Policy Stuff actually take effect?

The Group Policy for Group Policy!?!?

When a User logs into a machine (client or server, doesn't matter), Windows checks for and applies any new GPOs from Active Directory.

When you run gpupdate /force, the new policy settings are pushed down right then and will either apply immediately or on the next logon, depending on what the settings are in the policy.

For software installation GPOs applied on the Computer side of the GPO, the installation happens at the next restart. For other User side GPOs, it depends on what the Group Policy Refresh Interval is set at, and if Background Processing is enabled or disabled.

Group Policy Refresh Intervals and Background Processing for Group Policy are usually set at the Default Domain Level Policy.

Where We're At Now

A new policy and a small domain level observation (diagram):

- Group Policy that Controls Group Policy
- New Installation Policy

Critical Vocabulary

Time for more big words to impress your friends with!

Group Policy Software Installation (GPSI) - Function of Group Policy that allows installation of software to computers with accounts within the scope of the Group Policy object.

MSI Package (.msi) - Microsoft Installer

Publish (as an option in GPSI) - Option to make software available to install on demand.

Assign (as an option in GPSI) - Option to install software automatically on computer restart.


What We Covered

After viewing this video, you should be able to:

- Create a Software Installation GPO.
- Describe the differences between using a Software Installation GPO on the Computer side and on the User side.
- Correctly select Assign, Publish, or Advanced options for the Software Installation GPO.
- Set the Group Policy Refresh Interval on the Default Domain Policy.
- Enable or disable Background Policy Processing on the Default Domain Policy.

Welcome to Train Signal

Video 11: What's My P@ssw0rd again?

Domain Password Policies, Fine Grained Password Policies, and a Little Password Management Thrown In For Good Measure

What's My P@ssw0rd again?

In this video:

- The Default Domain Password Policy
- Letting Your Boss Use Whatever Password He/She Wants
- A Little Password Management Goes a Long Way


The Default Domain Password Policy

Passwords and users and security... oh my!

Normally, the Password Policy is set for all users at the Domain level. The default settings are usually good enough. Complexity requirements are enforced when passwords are changed or created.

Password Complexity Requirements (the password must):

- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)
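The four complexity rules above, re-implemented as a local check so you can tell a user why a proposed password will be rejected before they hit the "does not meet requirements" error. This is an added example, not code from the Train Signal course or from Windows; the function name Test-PasswordComplexity and the sample accounts are constructed. The name-part rule mirrors how Windows tokenizes the full name (on commas, periods, dashes, underscores, spaces, pound signs and tabs) and only rejects parts longer than two characters.

```powershell
# Added example, not from the Train Signal course: a local re-implementation of
# the four domain complexity rules, for explaining rejections to users.
# Assumed names: Test-PasswordComplexity, the parameters, and the samples.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$FullName = ''
    )
    $reasons = @()
    $lowerPw = $Password.ToLowerInvariant()

    # Rule: at least six characters (the slide's figure; the Default Domain
    # Policy's own minimum-length setting is enforced separately).
    if ($Password.Length -lt 6) { $reasons += 'shorter than six characters' }

    # Rule: must not contain the account name (case-insensitive).
    if ($SamAccountName.Length -gt 0 -and $lowerPw.Contains($SamAccountName.ToLowerInvariant())) {
        $reasons += 'contains the account name'
    }

    # Rule: must not contain any part of the full name longer than two
    # characters. Windows splits the full name on , . - _ space # and tab.
    foreach ($part in ($FullName -split '[,\.\-_ #\t]+')) {
        if ($part.Length -gt 2 -and $lowerPw.Contains($part.ToLowerInvariant())) {
            $reasons += "contains name part '$part'"
        }
    }

    # Rule: characters from three of the four classes (-cmatch is case-sensitive).
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $reasons += "only $classes of 4 character classes" }

    [pscustomobject]@{
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample account (the course's Hank) and candidate passwords.
Test-PasswordComplexity -Password 'Trigger1'   -SamAccountName 'hank' -FullName 'Hank Globomantics'
Test-PasswordComplexity -Password 'hank2008'   -SamAccountName 'hank' -FullName 'Hank Globomantics'
Test-PasswordComplexity -Password 'Globomantics!1' -SamAccountName 'hank' -FullName 'Hank Globomantics'
```

The third sample is the one users trip over most: it has three classes and is long enough, but "Globomantics" is a part of the full name longer than two characters, so the domain rejects it.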

Letting Your Boss Use Whatever Password He/She Wants

You know Hank... Hank doesn't like the fact that he has to use all these newfangled password techniques with symbols and what not, and he doesn't want to have to think up a new password every 30 days. He wants to use the names of his horses.

You'll use a technique called Fine Grained Password Policies to exempt Hank and the users that are part of the Executives group from the Default Domain Password Policy settings that you created, and then reduce the complexity requirements and extend the expiration date so that Hank and any other user placed in the Executives group will only have to update their passwords every 3 months.

Letting Your Boss Use Whatever Password He/She Wants

Fine Grained Passwords: A Good Idea or Lousy Security?

- Normally you only have one Password Policy setting in your entire domain, but by creating Password Settings Objects (PSOs, if you're cool), you can specify multiple password policies for individual users or for the Groups that users are part of.
- Your Domain Functional Level must be at the Server 2008 level (all your Domain Controllers must be Server 2008).
- We'll need to go into ADSI Edit to create Password Settings Objects, and link them to the User Account or Group they'll apply to (i.e. for Globomantics, the Executives group).
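The Executives PSO described above, created with the ActiveDirectory module (Server 2008 R2 RSAT or later) instead of filling in the msDS-PasswordSettings attributes by hand in ADSI Edit. This is an added example, not from the Train Signal course; the PSO name ExecutivesPSO and the exact values are assumptions, and the group Executives and user hank are the course's. The policy relaxes complexity and stretches expiry to 90 days as the scenario asks, but keeps history, minimum length and lockout, so the executives do not become the softest accounts in the domain.

```powershell
# Added example, not from the Train Signal course: the Executives PSO via the
# ActiveDirectory module (Server 2008 R2 RSAT or later) rather than ADSI Edit.
# Assumed: PSO name 'ExecutivesPSO' and the specific values below.
Import-Module ActiveDirectory

# Lower precedence wins when a user is covered by more than one PSO.
New-ADFineGrainedPasswordPolicy -Name 'ExecutivesPSO' -Precedence 10 `
    -Description 'Relaxed complexity, 90-day expiry for the Executives group' `
    -ComplexityEnabled $false `
    -MinPasswordLength 8 `
    -MaxPasswordAge '90.00:00:00' `
    -MinPasswordAge '1.00:00:00' `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false

# Link the PSO to the group, not to Hank's account, so it follows membership.
Add-ADFineGrainedPasswordPolicySubject -Identity 'ExecutivesPSO' -Subjects 'Executives'

# Verify which policy actually wins for Hank (a PSO beats the Default Domain Policy).
Get-ADUserResultantPasswordPolicy -Identity 'hank' |
    Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

The resultant-policy query is the check to keep: it tells you what a given user is really held to, which matters once several PSOs exist and precedence decides between them.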


A Little Password Management Goes a Long Way

Everyone forgets passwords... be forgiving

Resetting passwords is really easy:

- In AD Users and Computers, find the User Account that needs the password reset.
- Right-click and select Reset Password.
- Change it to something easy to communicate and then tell the user the new password.
- Best Practice: go back into the User Account Properties and force the user to change their password on the next logon.
- *NEW* In a Server 2008 environment, when a password is reset, if a user has encrypted a document, the user can STILL access the document!
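The reset routine above as a script, with the "must change at next logon" step built in so the temporary password cannot linger. Added example, not from the Train Signal course; it assumes the ActiveDirectory module and a user jowens, and the function names are constructed. The temporary password is generated rather than chosen, from a character set that leaves out confusable characters so it can be read over the phone.

```powershell
# Added example, not from the Train Signal course: reset a user's password to a
# generated temporary value and force a change at next logon.
# Assumed: ActiveDirectory module, the function names, and the user 'jowens'.
Import-Module ActiveDirectory

function New-TemporaryPassword {
    # 12 characters drawn from three classes so the domain complexity rules
    # are satisfied; 0/O and 1/l/I are left out so it can be read aloud.
    $upper  = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower  = 'abcdefghijkmnopqrstuvwxyz'
    $digits = '23456789'
    $all    = $upper + $lower + $digits
    $rng    = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $pick = {
        param([string]$set)
        $b = New-Object byte[] 1
        # rejection sampling avoids the modulo bias of a plain $b[0] % length
        $limit = [Math]::Floor(256 / $set.Length) * $set.Length
        do { $rng.GetBytes($b) } while ($b[0] -ge $limit)
        $set[$b[0] % $set.Length]
    }
    $chars = @((& $pick $upper), (& $pick $lower), (& $pick $digits))
    $chars += (1..9 | ForEach-Object { & $pick $all })
    -join ($chars | Sort-Object { Get-Random })   # shuffle so class order is not predictable
}

function Reset-UserPasswordAndForceChange {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $temp   = New-TemporaryPassword
    $secure = ConvertTo-SecureString -String $temp -AsPlainText -Force

    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true   # the slide's best practice
    Unlock-ADAccount -Identity $SamAccountName                          # forgotten passwords often come with a lockout

    # Return the temporary password to the operator only; pass it to the user
    # by phone or in person. The forced change makes it single-use.
    [pscustomobject]@{ User = $SamAccountName; TemporaryPassword = $temp }
}

Reset-UserPasswordAndForceChange -SamAccountName 'jowens'
```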

Critical Vocabulary

Walk the walk and talk the talk

- ADSI Edit: a low level utility used for editing the Active Directory database directly rather than using the GUI tools (i.e. Server Manager, etc.).
- Fine Grained Password Policy: a feature of Server 2008 that allows an override of the Domain Password Policy requirements.
- PSO (Password Settings Object): an Active Directory object created in ADSI Edit that allows an alternative password policy to be applied to a user or a group.
- Server 2008 Functional Level: an operating mode which requires that all Domain Controllers in your network be Server 2008. (Required for Fine Grained Password Policy.)

What We Covered

After viewing this video, you should be able to:

- Alter the Default Domain Policy password settings to increase or decrease password requirements and settings.
- Locate the Functional Level for a Domain in AD Users and Computers.
- Create a PSO (Password Settings Object) by using ADSI Edit to override the Domain Password Policy settings for specific users or groups.
- Reset a user's password and force the user to change their password on the next logon.


Welcome to Train Signal

Video 12: Passing the Buck

Providing Permissions to an Account for Administrative Tasks Without Giving Away All Your Thunder

Passing the Buck

In this video:

- Giving Someone Else the Ability to Reset Passwords
- Adding Users to Built-In Groups That Have Permissions to Do Stuff
- Installing RSAT on a Vista Client for Easy Server Management

Giving Someone Else the Ability to Reset Passwords

Why should you have to do all the work?

Planning ahead, you realize that as time goes on you won't have all the time in the world to do busy work like resetting passwords or altering permissions on shared folders and such. Fortunately, you've got an assistant: Jamie! In order to free up your time, you'll provide permissions for Jamie's account to reset passwords and do other administrative tasks. You've got two options:

- Use the Delegation of Control Wizard
- Add Jamie to one (or more) of the Built-In Groups so he can do administrative tasks without having to be an Administrator.


Giving Someone Else the Ability to Reset Passwords

Using the Delegation of Control Wizard

You'll use this when you only want a particular User or Group to be able to do one or two simple tasks, like *ahem* resetting passwords.
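What the wizard's "Reset user passwords and force password change at next logon" task actually writes to the OU, applied with dsacls.exe (built into Server 2008) and then read back for review. Added example, not from the Train Signal course; the OU NYUsers and the account GLOBOMANTICS\Jamie are assumptions. Seeing the two ACEs spelled out is useful because it shows the delegation is narrow: a control access right plus read/write on one attribute, scoped to user objects under one OU, and nothing else.

```powershell
# Added example, not from the Train Signal course: the two ACEs behind the
# Delegation of Control Wizard's password-reset task, via dsacls.exe.
# Assumed: OU 'NYUsers' in globomantics.com and the account GLOBOMANTICS\Jamie.
$ou       = 'OU=NYUsers,DC=globomantics,DC=com'
$delegate = 'GLOBOMANTICS\Jamie'

# /I:S = inherit to child objects only;  ;user = applies to user objects only.
# CA;Reset Password = the "Reset Password" control access right.
# RPWP;pwdLastSet   = read/write pwdLastSet, the attribute that
#                     "user must change password at next logon" flips.
dsacls $ou /I:S /G "${delegate}:CA;Reset Password;user"
dsacls $ou /I:S /G "${delegate}:RPWP;pwdLastSet;user"

# Review what Jamie now holds on the OU (only the lines naming him).
dsacls $ou | Select-String -Pattern 'Jamie' -Context 0,3
```

Keeping the grant on one OU and on a named account (rather than at the domain root or to a broad group) is what keeps it reviewable later; `dsacls $ou /R $delegate` removes all of Jamie's explicit entries if the delegation is ever withdrawn.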

Adding Users to Built-In Groups That Have Permissions to Do Stuff

Need... more... power...

The Delegation Wizard can't provide everything, so you'll also have to use some additional Groups to provide more permissions to Jamie.

The boys and girls at MS have created Groups that already have specific permissions in the BuiltIn OU. Here are some of them that are particularly useful:

Permissions/Abilities                                 Groups that have them
Create, delete, and manage user and group accounts    Administrators, Account Operators
Read all user information                             Administrators, Account Operators
Reset password for user accounts                      Administrators, Account Operators
Share directories                                     Administrators, Server Operators
Create, delete, and manage printers                   Administrators, Print Operators, Server Operators
Backup files and directories                          Administrators, Backup Operators, Server Operators
Restore files and directories                         Administrators, Backup Operators, Server Operators
Log on locally to the server                          Administrators, Account Operators, Backup Operators, Print Operators, Server Operators
Shut down the system                                  Administrators, Account Operators, Backup Operators, Print Operators, Server Operators

Installing RSAT on a Vista Client for Easy Server Management

Giving Jamie the Remote Control for AD Users and Computers

So now that Jamie actually can do some administrative tasks, let's make it a little easier for him to get to the servers without even having to use Remote Desktop. The Remote Server Administration Tools for Vista is a collection of MMC tools that allows you to administer most of the standard server tasks without having to use Remote Desktop or actually be at the server. It's super easy to download and install, but you have to go into Control Panel and enable it.


Critical Vocabulary

And now, big fancy words!

- Delegation of Control Wizard: a utility that allows an administrator to grant busy-work tasks to other user accounts.
- Built-In Groups: groups that come as part of the default Server 2008 installation and provide administrative permissions for more tasks than the Delegation of Control Wizard can (sheer hedonistic convenience!).
- RSAT (Remote Server Administration Tools): a bunch of Microsoft Management Consoles that come in Vista flavor for easy remote management of servers from your desk.

What We've Covered

After viewing this video, you should be able to:

- Use the Delegation of Control Wizard to give specific users the ability to do small-scope administrative tasks.
- Describe the differences between the 5 most useful Built-In Groups.
- Add a User Account to a Built-In Group for higher level administrative tasks.
- Install and configure RSAT for Vista.

Welcome to Train Signal

Video 13: Creating Backup Solutions BEFORE Stuff Blows Up

How to Use Windows Server Backup, WBADMIN, and NTDSUTIL to Create Backup Media


Creating Backup Solutions BEFORE Stuff Blows Up

In this video:

- An Hour of Prevention Prevents an Ounce of Pink Slip
- Your Three Built-In Backup Tools
- The Globomantics Backup Strategy

An Hour of Prevention Prevents an Ounce of Pink Slip

This video is really all about saving your job...

So everything in the Globomantics network thus far is up and running smoothly, and it's time to seriously think about creating backup solutions before everything blows up. Eventually, you'll be able to talk Hank into acquiring a third-party backup solution that has more power than the built-in tools in Server, but for now you'll have to make do with what you have. You have three main tools built into Server 2008 for backup:

- Windows Server Backup: a GUI (Graphical User Interface) tool that creates simple backups (replaces NTBackup).
- Wbadmin: a command line tool for creating and scheduling backups (also available in Server Core!).
- Ntdsutil: an extremely powerful tool to do advanced backup operations (and a lot more!) specifically for the Active Directory files and database.

Your Three Built-In Backup Tools

Windows Server Backup: easy breezy backups, but with a few hitches!

Windows Server Backup is a Feature that you must install before using it; it doesn't install automatically. It only:

- Backs up to a shared folder (Network Attached Storage) or to DVD
- Backs up entire Volumes
- Overwrites previous backups if you back up to the same shared folder over and over

It's great for simple backups for small organizations.


Your Three Built-In Backup Tools

WBADMIN: Stronger Tools and More Options

WBADMIN is a command line tool that provides more power to your backup options:

- It can run a one-time backup
- It can schedule regular backups
- It can back up your System State, which includes all the guts of your DC:
  - Registry
  - Boot files
  - System files
  - AD Directory Services database
  - SYSVOL directory
- System State data can be restored using WBADMIN or using the graphical Windows Server Backup

Your Three Built-In Backup Tools

NTDSUTIL: Super-Powered Utility for lots of operations, with a funny name!

- NTDSUTIL is specifically for AD, and not so much for backing up your whole server.
- In terms of creating backup media, it can create IFM (Install From Media) media for faster creation (or re-creation, as the case may be) of a Domain Controller.
- It's an interactive tool, providing different commands depending on what Context it's used in.
- When used in conjunction with media created by Wbadmin or Windows Server Backup, it can allow you to restore Active Directory objects like entire OUs.
- It can also take Snapshots of your Active Directory database so you can see how your AD looks over time!

The Globomantics Backup Strategy

While we're waiting on something else...

Now that you're familiar with the three built-in backup tools, we need a plan for backup:

1. You'll use Windows Server Backup for nightly backups to the second disk on NY-DC2-2K8,
2. then create a System State backup on a weekly basis for emergency restoration,
3. and last but not least an IFM backup as an additional emergency solution and for easy addition of future Domain Controllers as well.


Critical Vocabulary

For your viewing pleasure, some new words to review!

- Windows Server Backup: the built-in GUI for doing simple backups of entire Volumes.
- WBADMIN: a command line tool for doing standard backups and for creating System State backups.
- NTDSUTIL: an Active Directory-specific interactive command line tool for doing a lot of different and more powerful maintenance tasks on your Active Directory. In terms of backup, NTDSUTIL creates IFM media.
- IFM (Install From Media): can be used to create (and recreate) Domain Controllers quickly.
- System State backup: created by WBADMIN, it contains only the guts of your AD that are absolutely necessary for faster restoration of a DC.

What We Covered

After viewing this video, you should be able to:

- Schedule a nightly backup of an entire Volume to an attached disk using Windows Server Backup.
- Create a System State backup of a Domain Controller using Wbadmin.
- Create IFM media using NTDSUTIL.
- Describe the differences between the three main backup and maintenance tools in Server 2008.

Welcome to Train Signal

Video 14: Reducing Single Points of Failure

Changing up the Operations Masters and How to Add a Domain Controller with IFM


Reducing Single Points of Failure

In this video:

- A Little Future Planning to Prevent Major Problems
- What are Operations Masters?
- Restructuring the Globomantics DCs a Bit
- Adding a Domain Controller with IFM

A Little Future Planning to Prevent Major Problems

So here we are...

Right now, we only have 2 DCs, both of which are Global Catalogs. Everything seems fine and rolling right along, but there's a lurking menace that we don't know about just yet!

[Diagram: NY-DC1-2K8 and NY-DC2-2K8 connected through a network switch]

- NY-DC1-2K8: if DC1 goes down, we will have major problems due to the fact that we have all of our Operations Masters attached to it!
- NY-DC2-2K8: we can easily reduce the risk of SPOF issues by giving this guy an additional job or two!

What are Operations Masters?

One of those hidden little elements that can cause big trouble!

Operations Masters (used to be called FSMOs: Flexible Single Master Operations) are specific jobs that a DC can do apart from all the regular day-to-day stuff (any DC can do stuff like authenticating/logging on, adding users, etc.; these are special).

The Forest Level Operations Masters:

- Domain Naming: responsible for adding and removing Domains from inside your forest. Sits back and drinks coffee most of the time until you need to add or remove a Domain.
- Schema: handles all the database definitions. Also on coffee break until you or an application you install needs to change the Active Directory Schema.

These two can and should go on the same DC!


What are Operations Masters?

The Domain Level Operations Masters:

- PDC Emulator: this is the big one. PDC stands for Primary Domain Controller. It handles password updates, Group Policy updates, time updates, and acts as the master browser. Make all your Group Policy changes on the server that has the PDC role for best performance!
- Relative Identifier (RID): provides Security Identifiers (also known as SIDs) for new Users, Computers, and anything else that gets added to your Active Directory. If the server with this role goes down, you may not be able to add any Users or Computers to the Domain.
  - SID: a unique identifier for an object in Active Directory.
- Infrastructure Master: keeps track of who's in what Group. Extremely vital if you have multiple Domains in your forest. The Infrastructure Master should be on a server that is not a Global Catalog, unless every single Domain Controller is also a Global Catalog!

Restructuring the Globomantics DCs a Bit

Let's see if we can add a little more flexibility in our structure

[Diagram: three DCs on the network switch]

- NY-DC1-2K8: Global Catalog; currently holds Domain Naming, Schema Master, PDC Emulator, RID, and Infrastructure
- NY-DC2-2K8: Global Catalog
- NY-DC3-2K8
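A script that finds out who holds the five roles, flags the two problems the last few slides describe (every role on one DC; an Infrastructure Master on a Global Catalog while some DCs are not GCs), and moves the two forest-level roles together onto NY-DC2-2K8. Added example, not from the Train Signal course; it assumes the ActiveDirectory module (Server 2008 R2 RSAT or later) and the function name is constructed. On a plain Server 2008 DC, `netdom query fsmo` lists the same role holders.

```powershell
# Added example, not from the Train Signal course: report Operations Master
# holders, check the slide's two rules, and transfer the forest roles.
# Assumed: ActiveDirectory module (2008 R2 RSAT or later); function name.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter *

    $roles = @{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
    }

    # Single point of failure: all five roles held by one server.
    $holders = @($roles.Values | Select-Object -Unique)

    # Infrastructure Master rule: not on a GC, unless every DC is a GC.
    $imDc     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allAreGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $imOk     = (-not $imDc.IsGlobalCatalog) -or $allAreGc

    [pscustomobject]@{
        Roles                    = $roles
        AllRolesOnOneDC          = ($holders.Count -eq 1)
        InfrastructureMasterIsGC = [bool]$imDc.IsGlobalCatalog
        EveryDCIsGC              = $allAreGc
        InfrastructureMasterOk   = $imOk
    }
}

$report = Get-OperationsMasterReport
$report.Roles
if ($report.AllRolesOnOneDC) {
    Write-Warning 'All five Operations Master roles sit on one DC (single point of failure).'
}
if (-not $report.InfrastructureMasterOk) {
    Write-Warning 'Infrastructure Master is on a GC while other DCs are not; its group-reference cleanup will not run.'
}

# Move the two forest-level roles together onto NY-DC2-2K8. This is a graceful
# transfer with the current holder online; -Force would seize, which is only
# for a holder that is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity 'NY-DC2-2K8' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false
```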

Critical Vocabulary

Hey, look! Some more big words!

- Operations Master: an assignable role/job for a Domain Controller that only one Domain Controller at a time can do.
- Security Identifier (SID): a unique value assigned to an object in Active Directory for identification in an Active Directory based network. May be assigned by a Domain Controller, but also may be created by an Operating System in the case of Computer Accounts and simply used by AD.


What We Covered

After viewing this video, you should be able to:

- Describe the five Operations Masters.
- Identify which server has been assigned which Operations Master.
- Change Operations Masters.
- Create a Domain Controller using IFM media.

Welcome to Train Signal

Video 15: Stuff To Make Your Active Directory Life Just a Little More Predictable

Monitoring, Auditing, and Maintaining Your Active Directory Database

Monitoring, Auditing, and Defragging

In this video:

- Watching Your AD Stuff
- Your Monitoring Toolbox
- Watch Who's Doing What To Your Active Directory
- Defragging Your AD Database


Watching Your AD Stuff

And now, something else that lands squarely in your job description...

Globomantics is ready to launch, and you have taken solid precautions already to ensure that if your Domain Controllers blow up, you have flexible options to get your network back up and running in a short time. Now you need to figure out how to watch your DCs for any impending doom, and maintain your Active Directory database so you get optimum performance. There are a lot of third party tools out there for such things, but for now you need to rely on what's built in to Server 2008.

Your Monitoring Toolbox

Hey, neat! Server 2008 has cool monitoring toys!

Your tools for watching what's going on:

- Task Manager: for real time, immediate gratification observing what's going on in your server.
- Event Viewer: an easy way to view logs that are created by the various monitoring tools.
- Performance Monitor: a true classic, Performance Monitor allows granular tracking.
- Reliability Monitor: watches and tracks changes in your system over time.
- Data Collector Sets: probably the easiest way to keep track of what's going on in your system!

Watch Who's Doing What to Your Active Directory

Time to play Big Brother!

Auditing Policies are optional settings in Group Policy for Domain Controllers that allow you to keep detailed track of changes made to your AD. Not only can they track changes, but also who made the change, what the object was before the change, and what the object is now.


Watch Who's Doing What to Your Active Directory

There's two steps to setting this up: you can't do one without the other!

To set up auditing:

1. You have to enable an Auditing Policy (specifically Audit Directory Service Access) on either the Default Domain Controllers Policy or on the Default Domain Policy.
2. Then, you have to turn on the Auditing component on the object(s) you want to audit.
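Both steps above from the command line on a DC, followed by the query that reads the results back out of the Security log, as an added example that is not part of the Train Signal course. Step 1 uses auditpol.exe (built into Server 2008) to enable the Directory Service Changes subcategory on the local DC; in production the same setting goes in the Default Domain Controllers Policy, as the slide says, so every DC gets it. Step 2 adds the audit entry (the object's SACL) to the NYUsers OU through the AD: drive of the ActiveDirectory module (Server 2008 R2 RSAT or later). The OU name and the function name are assumptions; event IDs 5136/5137/5139/5141 are the Server 2008 directory-service-change events.

```powershell
# Added example, not from the Train Signal course: enable directory change
# auditing, add a SACL to an OU, and read the resulting events.
# Assumed: OU 'NYUsers', the ActiveDirectory module's AD: drive, function name.
Import-Module ActiveDirectory

# Step 1: the policy. "Directory Service Changes" is the subcategory that logs
# before/after values: 5136 modify, 5137 create, 5139 move, 5141 delete.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# Step 2: the objects. Audit Everyone writing properties, creating/deleting
# children, or changing the DACL under the OU. Reads are deliberately not
# audited; they flood the log without saying who changed what.
$ouPath   = 'AD:\OU=NYUsers,DC=globomantics,DC=com'
$acl      = Get-Acl -Path $ouPath -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, WriteDacl',
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# Step 3: read the results. Each event's XML carries who, which object, which
# attribute and the value; 5136 also says whether the value was added or removed.
function Get-DirectoryChangeEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5139, 5141; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Who       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object    = $data['ObjectDN']
            Attribute = $data['AttributeLDAPDisplayName']
            Value     = $data['AttributeValue']
            Operation = $data['OperationType']
        }
    }
}

Get-DirectoryChangeEvents -Hours 24 | Format-Table -AutoSize
```

Run the query after changing a test user's description: you should see one 5136 for the old value being removed and one for the new value being added, each naming the account that made the change.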

Defragging Your AD Database

Give your AD Database a tune-up!

Running regular maintenance on the AD database recaptures disk space, making the database file more efficient (and sometimes faster!), and checks for any weirdness that might occur. When stuff gets deleted out of your Active Directory database, the database file itself doesn't get any smaller.

It's time to bust out the NTDSUTIL command again! Here are some crucial commands:

- Activate Instance NTDS: your beginning command
- Files: the context that makes the following commands available:
  - Compact: defrags the database (and creates a copy of the NTDS.dit file)
  - Integrity: checks database integrity
- Semantic Database Analysis: an NTDSUTIL tool that analyzes and checks your database for consistency
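The commands above put in the order an offline defrag actually runs, as an added example that is not part of the Train Signal course. It relies on a Server 2008 feature the slide does not mention: AD DS can be stopped as a service, so you no longer have to reboot into Directory Services Restore Mode to compact. The paths are placeholders, and the scratch volume needs free space at least the size of NTDS.dit.

```powershell
# Added example, not from the Train Signal course: offline compaction and
# consistency checks with ntdsutil.exe on a Server 2008 DC, run elevated.
# Placeholders: the E: scratch and backup paths.
$ntdsDir    = 'C:\Windows\NTDS'          # default database location
$compactDir = 'E:\NTDSCompact'           # placeholder: where the compacted copy goes
$backupDir  = 'E:\NTDSBeforeCompact'     # placeholder: copy of the original, just in case

# 0. System State backup first; a compaction that goes wrong is recoverable only from backup.
wbadmin start systemstatebackup "-backupTarget:E:" -quiet

# 1. Stop AD DS so the database file is not in use. /y also stops dependents
#    (KDC, DNS Server, Intersite Messaging, DFS Replication); note which ones.
net stop ntds /y

# 2. Compact into a new file. 'activate instance ntds' then 'files' is the
#    context the slide lists; each argument is one ntdsutil command.
New-Item -ItemType Directory -Path $compactDir, $backupDir -Force | Out-Null
ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit

# 3. Keep the original, swap in the compacted copy, delete the old log files
#    (ntdsutil prints these same instructions when compact finishes).
Copy-Item -Path (Join-Path $ntdsDir 'ntds.dit')    -Destination $backupDir -Force
Copy-Item -Path (Join-Path $compactDir 'ntds.dit') -Destination $ntdsDir   -Force
Remove-Item -Path (Join-Path $ntdsDir '*.log') -Force

# 4. Jet-level integrity check, then AD-level semantic analysis ('go' reports;
#    'go fixup' would repair). Both run against the stopped database.
ntdsutil "activate instance ntds" files integrity quit quit
ntdsutil "activate instance ntds" "semantic database analysis" go quit quit

# 5. Bring AD DS and the services stopped with it back, and confirm health.
net start ntds
net start kdc
net start dns
dcdiag /q
```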

Critical Vocabulary

Maintain not just your AD, but your lexicon as well!

- NTDS.dit: the actual database file that holds your Active Directory objects.
- Compact: the process of recovering disk space by removing empty space and repositioning data on the disk for optimum read time (also known as defragging).
- Integrity: a database is said to have integrity when all of the records hold exactly what they're supposed to hold.


What We Covered

After watching this video, you should be able to:

- Use the Task Manager to watch performance in real time.
- Use the Event Viewer to see what's going on in your machine.
- Use the Reliability Monitor to monitor changes in your DC over time.
- Use the Performance Monitor if you have nothing else better to do with your time.
- Use Data Collector Sets to track Active Directory and Domain Controller performance.
- Enable Auditing Policies in the Default Domain Controllers GPO for Object and Account Access.

What We Covered

After watching this video, you should be able to:

- View the results of your Auditing Policies in Event Viewer.
- Use NTDSUTIL to defragment your database and check for integrity and consistency of the AD database as a whole.

We have set up the New York office AD infrastructure and made plans for disaster recovery. In the next video, we're going to expand to Chicago, and set up a child domain for the Chicago office by creating some more DCs!

Welcome to Train Signal

Video 16: Creating the Chicago Location

Adding a Child Domain, Creating Sites and Subnets, and Configuring Replication with the Mother Ship


Creating the Chicago Location

In this video:

- All You Need Is Lov... I mean a DC!
- Adding a Site and Subnet Before Jumping In
- Creating the Child Domain
- Making Sure Chicago Can Talk To New York

All You Need Is Lov... I mean a DC!

It's time to expand! In order to keep tabs on the Chicago stock exchange, Hank has decided to open up an office in downtown Chicago. To keep the Globomantics network more manageable for future growth, you decide that the best way is to separate out the Chicago office into its own child domain (sometimes called a subdomain). There's good reason to break out Chicago into its own child domain:

- Less network traffic to suck up your bandwidth between Chicago and New York
- De-centralized management will allow you to delegate control over Chicago to an administrator (yet to be hired... or maybe we'll send Jamie!) that's actually in Chicago.
- Having a location-centric Active Directory structure can allow for easier tracking of stuff between locations.

All You Need Is Lov... I mean a DC!

In order to create the Chicago child domain, all we need is another DC!

[Diagram]
globomantics.com: NY-DC1-2K8, NY-DC2-2K8, NY-DC3-2K8 (on the network switch)
na.globomantics.com: NA-DC1-2K8 (Global Catalog, DNS)


Adding a Site and Subnet Before Jumping In

Before we begin...

Sites in AD represent the physical structure, or topology, of your network. Right now, we have only one Site defined in globomantics.com: New York. We first need to create the Chicago site in Active Directory Sites and Services.

In order to give Active Directory the ability to track our machines by location, we'll also create a Subnet object, and assign that Subnet object to Chicago. Once that's done, we can use the Location attribute in Active Directory to track and find machines according to their IP address.

Here's what we have and what we're going to create:

[Diagram: New York site with NY-DC1, NY-DC2, NY-DC3; Chicago site with NA-DC1 and its Subnet object]

Critical Vocabulary

Some words of wisdom... or at least some words that will help

- Child Domain: a subdomain that is part of the main Forest; useful for delegation of management, location-based management, and saving bandwidth over WAN links.
- Site: an Active Directory object that represents the major components of the physical topology of a network.
- Subnet Object: an Active Directory object that allows AD to track machines based on IP address.

What We Covered

After viewing this video, you should be able to:

- Create a new Site in Active Directory.
- Create a new Subnet object in Active Directory.
- Assign a Subnet object to a Site.
- Use DCPromo to create a new Child Domain in an existing Forest.
- Configure replication between Domain Controllers.


Welcome to Train Signal

Video 17: How To Give People Access to Stuff That's 790 Miles Away

Creating Universal Groups, the AGUDLP Strategy, and Making Sure Your People Can Log In Anywhere In Your Enterprise

Giving People Access to Stuff 790 Miles Away

In this video:

- Time For Some More Users!
- The Types of Groups
- Setting Up Your Groups for Access Between Domains
- Making Sure Your Users Can Log In Anywhere in Your Enterprise

Time for some more users!

Break out that Excel script maker again!

Hank has sent you another 20 users to add to the Chicago office, so it's time to make them quickly and easily with the Excel sheet script maker. You'll also create some OUs and Groups as well, similar to what you did with New York.


The Types of Groups

What kind of Groups do we create?

There are two core types of Groups:

- Security Groups allow you to grant permissions to resources.
- Distribution Groups are basically e-mail lists, and aren't used very often.

There are three scopes of Security Groups:

- Global: usable in any trusted Domain in your Forest; users can only come from the home Domain.
- Universal: usable in any trusted Domain in your Forest; users can come from ANY Domain.
- Domain Local: usable in the Domain it lives in ONLY; users can only come from the home Domain.

Setting Up Your Groups for Access Between Domains

AGUDLP: Alphabet Soup, anyone?

Now that we have multiple domains, we also have the challenge of making sure that we can easily provide access to resources between them.

AGUDLP is a strategy that we can use to grant access in a more reusable way. Here's how it works:

- Accounts go into Global Groups
- The Global Group becomes a member of a Universal Group
- The Universal Group becomes a member of a Domain Local Group
- Permissions are then granted to the Domain Local Group on network resources

Setting Up Your Groups for Access Between Domains

And now, here's what we're going to do for our Globomantics Sales Team

The Sales team will need access to the SalesDocs folder, as the sales program will be pretty much the same throughout the company. Here's what we'll do to get them access to the SalesDocs folder over in New York:

1. In the na.globomantics.com domain, all the Chicago Sales user accounts go into a Global Group called ChicagoSales.
2. We'll create a Universal Group in the NA domain called AllSales and make ChicagoSales a member of AllSales.
3. In globomantics.com (the New York domain), we'll create a Domain Local Group called SalesDocsAccess and make AllSales a member of it.
4. On the NY-MEM1-2K8 file server, we'll grant permissions to the Domain Local Group SalesDocsAccess on the SalesDocs folder.
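The four AGUDLP steps above as ActiveDirectory-module commands (Server 2008 R2 RSAT or later) run from a machine that can reach DCs in both domains, plus the NTFS grant on the file server. Added example, not from the Train Signal course; the OUs ChicagoGroups and NYGroups, the local path D:\Shares\SalesDocs, and the sample users jowens and mlee are assumptions. The cross-domain step is the one the GUI hides: a member from another domain has to be fetched from a DC of that domain before it can be added, and -Server on Add-ADGroupMember must point at the group's own domain.

```powershell
# Added example, not from the Train Signal course: AGUDLP for the Sales team
# across globomantics.com and na.globomantics.com with the ActiveDirectory module.
# Assumed: OUs 'ChicagoGroups'/'NYGroups', path D:\Shares\SalesDocs, users jowens/mlee.
Import-Module ActiveDirectory

$naDc = 'NA-DC1-2K8.na.globomantics.com'   # DC in the child domain
$nyDc = 'NY-DC1-2K8.globomantics.com'      # DC in the forest root domain

# A -> G: accounts into a Global group in the child domain.
New-ADGroup -Name 'ChicagoSales' -GroupScope Global -GroupCategory Security `
    -Path 'OU=ChicagoGroups,DC=na,DC=globomantics,DC=com' -Server $naDc
Add-ADGroupMember -Identity 'ChicagoSales' -Members 'jowens', 'mlee' -Server $naDc

# G -> U: the Global group into a Universal group (same domain).
New-ADGroup -Name 'AllSales' -GroupScope Universal -GroupCategory Security `
    -Path 'OU=ChicagoGroups,DC=na,DC=globomantics,DC=com' -Server $naDc
Add-ADGroupMember -Identity 'AllSales' -Members 'ChicagoSales' -Server $naDc

# U -> DL: the Universal group into a Domain Local group in New York. The
# member lives in another domain, so resolve it against a DC there first.
New-ADGroup -Name 'SalesDocsAccess' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=NYGroups,DC=globomantics,DC=com' -Server $nyDc
$allSales = Get-ADGroup -Identity 'AllSales' -Server $naDc
Add-ADGroupMember -Identity 'SalesDocsAccess' -Members $allSales -Server $nyDc

# DL -> P: permissions go to the Domain Local group only (run on NY-MEM1-2K8).
# Modify rather than Full Control, so sales staff cannot rewrite the ACL;
# no individual user ever appears in the folder's ACL.
$folder = 'D:\Shares\SalesDocs'
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'GLOBOMANTICS\SalesDocsAccess', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: walk the nesting from the folder's group back to the people who get in.
Get-ADGroupMember -Identity 'SalesDocsAccess' -Server $nyDc -Recursive |
    Select-Object Name, objectClass, distinguishedName
```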


Making Sure Your Users Can Log In Anywhere in Your Enterprise

We got us a Global Catalog to check out!

Hank is going to be bouncing back and forth between locations, and you need to make sure that he and anyone else who's visiting either office can log in.

As long as there's a Global Catalog at a Site, your users can log in with an e-mail address style login, like JOwens@globomantics.com. If there's not a Global Catalog, you'll need to enable Universal Group Caching on the Site. (It's a check box, super easy!)

[Diagram]
globomantics.com: Global Catalog server
na.globomantics.com: Global Catalog server
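One script covering both the "Adding a Site and Subnet" slide earlier and the Universal Group Caching check box described here, as an added example that is not part of the Train Signal course. It creates the Site and Subnet objects the way Sites and Services does underneath (a site object plus its NTDS Site Settings and Servers containers, a subnet pointed at the site), adds the site to the default site link, and then sets the caching flag: the check box is bit 0x20 of the options attribute on NTDS Site Settings, plus the site whose GC to refresh from. It uses New-ADObject/Set-ADObject from the ActiveDirectory module (Server 2008 R2 RSAT or later), because the dedicated site cmdlets only arrived in Server 2012. The 10.20.0.0/16 subnet, the site name "New York" and the function name are assumptions; Chicago has its own GC in the course, so the caching step is shown here for the mechanism and belongs on a site without one.

```powershell
# Added example, not from the Train Signal course: create a Site and Subnet as
# Sites and Services does, add it to the default site link, and enable Universal
# Group Membership Caching on it. Assumed: the subnet, 'New York' site, function name.
Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext   # CN=Configuration,DC=globomantics,DC=com
$sitesDn  = "CN=Sites,$configNc"
$siteName = 'Chicago'
$subnet   = '10.20.0.0/16'                                # placeholder addressing
$siteDn   = "CN=$siteName,$sitesDn"

# A site needs two child containers to be usable: NTDS Site Settings (where
# replication and caching options live) and Servers (where its DCs are listed).
New-ADObject -Name $siteName -Type site -Path $sitesDn
New-ADObject -Name 'NTDS Site Settings' -Type nTDSSiteSettings -Path $siteDn
New-ADObject -Name 'Servers' -Type serversContainer -Path $siteDn

# Subnet object pointed at the site; 'location' is the attribute you can
# later search to find machines by office.
New-ADObject -Name $subnet -Type subnet -Path "CN=Subnets,$sitesDn" `
    -OtherAttributes @{ siteObject = $siteDn; location = 'Chicago, IL' }

# Put the site on the default site link so replication with New York is scheduled.
Set-ADObject -Identity "CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,$sitesDn" `
    -Add @{ siteList = $siteDn }

# The "Enable Universal Group Membership Caching" check box: bit 0x20 of
# 'options' on NTDS Site Settings, plus the site whose GC to refresh from.
function Enable-UniversalGroupCaching {
    param([string]$SiteDn, [string]$RefreshFromSiteDn)
    $settingsDn = "CN=NTDS Site Settings,$SiteDn"
    $current = [int](Get-ADObject -Identity $settingsDn -Properties options).options
    Set-ADObject -Identity $settingsDn -Replace @{
        options                 = ($current -bor 0x20)
        'msDS-Preferred-GC-Site' = $RefreshFromSiteDn
    }
}
Enable-UniversalGroupCaching -SiteDn $siteDn -RefreshFromSiteDn "CN=New York,$sitesDn"

# Verify: options now includes 32, and the subnet resolves to the site.
Get-ADObject -Identity "CN=NTDS Site Settings,$siteDn" -Properties options, 'msDS-Preferred-GC-Site'
Get-ADObject -Identity "CN=$subnet,CN=Subnets,$sitesDn" -Properties siteObject, location
```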

Critical Vocabulary

Important Words

- Security Group: Group object in Active Directory that allows you to provide access to resources on the network.
- Distribution Group: Group object in Active Directory that acts as an e-mail distribution list.
- Global Group: a Group usable in any trusted Domain in your forest. Users can only come from the home Domain. Can be a member of a Universal Group.
- Universal Group: a Group usable in any trusted Domain in your Forest. Users can come from ANY Domain. Can be a member of a Domain Local group.
- Domain Local: a Group usable only in the Domain it lives in. Users can only be from the Domain it lives in, but Universal Groups can be members of the Domain Local group.

What We Covered

After viewing this video, you should be able to:

- Distinguish between Global, Universal, and Domain Local Groups.
- Distinguish between Security and Distribution Groups.
- Utilize AGUDLP to provide access to resources across Domains.
- Ensure that users can log in to another Domain by either providing a Global Catalog at a Site or using the Universal Group Caching setting on a Site.


Welcome to Train Signal

Video 18: Creating The Dallas Branch Office

Building a Read-Only Domain Controller for a Less Secure Location

Creating the Dallas Branch Office

In this video:

- Hank Says There Will Be a Dallas Office
- The Dallas OU and Site Structure
- What is a Read Only Domain Controller?
- Building an RODC for Dallas

Hank Says There Will Be a Dallas Office

And if Hank says it...

Dallas is Hank's hometown. He has a ranch just outside of Dallas, and he doesn't want to have to fly out to New York or Chicago to do work. That's not a problem, but he also wants a staff of 5 people in the not-yet-created Dallas location. He's already rented a little office 5 miles from his ranch, and there's basically a closet that, if you ask really nicely, you might be able to use to hold the router and any servers. You decide that due to the lack of security in the office, using a Read Only Domain Controller is going to be the best option. But before we can build the RODC, we need to create an OU structure for Dallas.


The Dallas OU and Site Structure

Let's keep it simple still

We first need to have some OUs for our Dallas user accounts to live in. Then, we need to add a Dallas site so we can have a physical representation of our network.

What is a Read Only Domain Controller?

For low-security locations with few users, an RODC is a happy thing.

- An RODC allows only the users that the Administrator permits to log in at a particular location.
- The RODC downloads only the User Account information that it needs; it does not upload anything to the writeable (or Full) Domain Controllers.
- You don't need to have a Global Catalog on the RODC; you can use Universal Group Caching to cut down on replication traffic.
- Better yet, you can use the Server Core installation to provide two important advantages:
  - You don't need a super-duper box to run it.
  - You can remotely administer the Server Core functions using MMCs.
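The first two bullets above are governed by the RODC's Password Replication Policy, which decides whose credentials the Dallas box may cache. Setting it, pre-populating the Dallas staff, and reading back what the RODC actually holds, as an added example that is not part of the Train Signal course: it assumes the ActiveDirectory module (Server 2008 R2 RSAT or later) run against a writeable DC, the course's RODC-DAL-2K8 and NY-DC1-2K8, and two constructed groups, DallasUsers for the five staff and HelpdeskAdmins as a custom admin group to keep off the RODC. The "revealed accounts" list at the end is the one you need if the closet is ever found open: those are the accounts whose passwords must then be reset.

```powershell
# Added example, not from the Train Signal course: Password Replication Policy
# for the Dallas RODC. Assumed: groups 'DallasUsers' and 'HelpdeskAdmins';
# ActiveDirectory module (2008 R2 RSAT or later) run against a writeable DC.
Import-Module ActiveDirectory

$rodc = 'RODC-DAL-2K8'

# Allow only the Dallas staff group. The built-in "Allowed RODC Password
# Replication Group" starts empty, so nothing is cached until you say so.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'DallasUsers'

# Deny wins over allow. Domain Admins and the other built-in admin groups are
# denied by default; add any admin group of your own, since a box in an
# unsecured closet must never hold privileged secrets.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'HelpdeskAdmins'

# Pre-populate the Dallas users' secrets now, while the WAN link is up, so
# their first logon works even if the link to New York is down at the time.
Get-ADGroupMember -Identity 'DallasUsers' | ForEach-Object {
    Sync-ADObject -Object $_ -Source 'NY-DC1-2K8' -Destination $rodc -PasswordOnly
}

# Review: who is allowed, whose secrets the RODC really holds, and who has
# authenticated through it. The revealed list is the reset list after an incident.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, objectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, SamAccountName
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, SamAccountName
```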

Building an RODC for Dallas

And now, here's what we're going to build:

Computer Name: RODC-DAL-2K8
2 GHz single-core processor
512 MB RAM
1 Gigabit NIC
1 x 120 GB HDD
Server Core, Server 2008 32-bit version
Active Directory Domain Services (RODC) and DNS Server roles
DHCP for the Dallas office will be configured at the router
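The build above plus the two things the "What We Covered" list asks for (choosing who may log in at Dallas and pre-populating their passwords) can be scripted from a full Server 2008 DC or an admin box that has PowerShell. The script below is an added example, not part of the course; it writes the dcpromo answer file for the Server Core box, puts only the Dallas staff on the RODC's Password Replication Policy, pre-populates their secrets, and then audits what the RODC actually holds. RODC-DAL-2K8 and the site name Dallas come from the slide; NY-DC1 as the replication source, OU=Dallas,DC=globomantics,DC=com and the group GLOBOMANTICS\Dallas Users are assumptions.

```powershell
# Added example (not from the course): build the Dallas RODC's unattend file, then control and audit
# which passwords it may cache. Run from a full Server 2008 DC or admin box with PowerShell.
# Assumed names: RODC-DAL-2K8 and site Dallas (from the slide); NY-DC1 as the replication source,
# OU=Dallas,DC=globomantics,DC=com and the group "GLOBOMANTICS\Dallas Users" are inventions.
$Rodc      = 'RODC-DAL-2K8'
$SourceDc  = 'NY-DC1.globomantics.com'
$DallasOu  = 'OU=Dallas,DC=globomantics,DC=com'
$D allasGrp = 'GLOBOMANTICS\Dallas Users'

function New-RodcUnattendFile([string]$Path) {
    # Server Core 2008 has no PowerShell, so write the answer file here, copy it to the Core box and
    # run there (assumed form):  dcpromo /unattend:C:\rodc.txt /SafeModeAdminPassword:<DSRM password>
    # Password=* makes dcpromo prompt for the domain credential; no secret is stored in the file.
    $unattend = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=globomantics.com
SiteName=Dallas
ReplicationSourceDC=$SourceDc
InstallDNS=Yes
ConfirmGc=No
UserDomain=globomantics.com
UserName=Administrator
Password=*
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
RebootOnCompletion=Yes
"@
    Set-Content -Path $Path -Value $unattend -Encoding ASCII
}

function Set-DallasPasswordPolicy {
    # Password Replication Policy: only this group's secrets may be cached on the RODC.
    # Administrators, Account/Server/Backup Operators and the Denied RODC Password Replication
    # Group are on the deny list by default; a deny always beats an allow.
    repadmin /prp add $Rodc allow $DallasGrp
}

function Prepopulate-DallasPasswords {
    # Push each Dallas user's secret to the RODC now so the first logon in Dallas is local and fast.
    $root = [ADSI]"LDAP://$DallasOu"
    $ds = New-Object DirectoryServices.DirectorySearcher($root, '(&(objectCategory=person)(objectClass=user))')
    foreach ($r in $ds.FindAll()) {
        repadmin /rodcpwdrepl $Rodc $SourceDc $r.Properties['distinguishedname'][0]
    }
}

function Get-UnexpectedCachedAccounts {
    # "reveal" lists every account whose secrets the RODC currently holds. Anything outside the
    # Dallas OU other than the RODC's own account and its private krbtgt_<id> is a finding.
    # (Assumes repadmin prints one DN per line, as it does on Server 2008.)
    repadmin /prp view $Rodc reveal |
        Where-Object { $_ -match '^\s*CN=' } |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -notlike "*,$DallasOu" -and
                       $_ -notlike "CN=$Rodc,*" -and
                       $_ -notlike 'CN=krbtgt_*' }
}

New-RodcUnattendFile -Path .\rodc.txt
Set-DallasPasswordPolicy
Prepopulate-DallasPasswords
$findings = @(Get-UnexpectedCachedAccounts)
if ($findings.Count -gt 0) {
    Write-Warning "Secrets cached on $Rodc for accounts that should not be there:"
    $findings
} else {
    "Only Dallas accounts (plus the RODC's own) are cached on $Rodc."
}
```

Run the audit part again whenever someone from New York has been working in Dallas: a password gets cached the first time an allowed user logs in there, and "repadmin /prp view RODC-DAL-2K8 auth2" shows who has tried to authenticate at the RODC without being allowed, which is the list to review before adding anyone else to the allow group.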


So here's what we've built so far...

New York, Chicago, Dallas... What's next? Tokyo?

Zooming in on Dallas

Users from New York (like Hank) can still log in at Dallas with their email-style login, more commonly known as a UPN (User Principal Name), with the presence of a Global Catalog OR by enabling Universal Group Membership Caching on the Dallas site and putting the users you want into a Universal Group. Either way, Hank's password only gets cached on the RODC if his account is on its Password Replication Policy allow list; otherwise the logon is chained to a full DC in New York.

Critical Vocabulary

More words! More words!

RODC (Read-Only Domain Controller): a Domain Controller that holds a read-only copy of the directory and caches credentials only for the small set of users and computers that its Password Replication Policy allows for a particular location.
Server Core: an installation option of Server 2008 that has only a command-line interface and lower operating requirements, and supports only 9 Server Roles.
UPN (User Principal Name): an email-style login name (e.g. hank@globomantics.com) that can be used to log in across Domains when a Global Catalog is present at the Site, OR when the user is part of a Universal Group and Universal Group Membership Caching is enabled on the Site.


What We Covered

After viewing this video, you should be able to:

Install Server 2008 as a Server Core installation.
Use a configuration script to configure basic settings for your Server Core installation.
Install the Active Directory Domain Services role with the RODC option.
Attach an MMC to a Server Core installation for management.
Configure Universal Group Membership Caching for a Site so you don't have to provide a Global Catalog for that Site.
Set up which users can log in at that location (the RODC's Password Replication Policy).
Pre-populate passwords for users that will be logging in at the location for a faster login experience.

Welcome to Train Signal

Video 19: Bringing an OU and Users Back from the Dead

How to Restore Individual Organizational Units and User Accounts AFTER They've Been Deleted

Bringing an OU and Users Back From The Dead

In this video:

Okay, Who Killed Off The Ops Department?
The Two Types of Restorations
Use Windows Server Backup to do a Non-Authoritative Restoration
Use NTDSUTIL and WBADMIN to do an Authoritative Restoration
How to Put Resurrected Users Back Into Groups Using Backlinks


Okay, Who Killed Off The Ops Department?

Ummm... whoops?

Things are going well until, on a Tuesday morning, the entire New York Ops department can no longer log in. When you go to see what's happening, you notice that the New York Ops OU is... gone. Axed, no trace, nada, not there, here or anywhere. When you check your Security log, you see that the account BSamson, belonging to one of your new IT staff who had been given Account Operator permissions, successfully deleted the entire OU last night at 1 AM. Brock did not report in this morning because he's in police custody for *ahem* other chemically-related issues. Fortunately, at midnight, a System State backup of your Domain Controller completed successfully. You need to restore the New York Ops OU from that backup, and because the deletion has already replicated to every other DC, just putting the data back is not enough: the restored objects have to win the replication argument, which is exactly what an authoritative restore is for.

The Two Types of Restorations

Oh, the choices, the choices! (Okay, there's only 2.)

There are two options for restoring an OU:

Non-Authoritative Restore: Most often done using Windows Server Backup, you restore the Domain Controller's System State (or the whole server). The DC then replicates in everything that changed since the backup, including the deletion you were trying to undo, so on its own this repairs a broken DC, not a deleted object.

Authoritative Restore: Using WBADMIN and NTDSUTIL, you restore the System State and then, before the DC comes back online, mark an OU, an individual user account, or any other AD object as authoritative.

What makes a restore authoritative? NTDSUTIL raises the version number on every attribute of the restored objects (by 100,000 for each day that has passed since the backup, by default) so that when replication resumes, every other Domain Controller sees the restored copy as the most recent and accepts it.

The Two Types of Restorations

And now, the secrets of how to do both...

To run a non-authoritative restore, just go to Windows Server Backup and click Recover. Use the most recent backup set that was created before the deletion. You're done (sort of: the deletion replicates right back in, so for this scenario you need the authoritative version).

To run an authoritative restore:

1. Restart the DC into Directory Services Restore Mode (DSRM); press F8 during reboot to get this option.
2. Log in as .\Administrator with the DSRM password you set when you ran DCPromo. (This is a local account, not a domain account; if nobody remembers the password, set a new one beforehand with ntdsutil's "set dsrm password".)
3. Type wbadmin get versions -backupTarget:<backuplocation>, where <backuplocation> is the drive or share where your backup files live.
4. Figure out which version you want to restore: the newest one taken BEFORE the deletion.
5. Type wbadmin start systemstaterecovery -version:<ID> -backupTarget:<backuplocation>
6. After the restore completes (don't reboot yet), type ntdsutil, then activate instance NTDS
7. Type authoritative restore to get into the right NTDSUTIL context.
8. Type restore object <distinguishedName> for a single account, or restore subtree <distinguishedName> if you're restoring an entire OU. Do NOT use restore database unless you really mean to roll the whole directory back.
9. Type quit twice and reboot normally.


How to Put Resurrected Users Back Into Groups Using Backlinks

If for some strange reason your Server 2008 DC is running in a Windows 2000 functional level domain...

In a Server 2003 or Server 2008 functional level forest, NTDSUTIL relies on what we call Linked Value Replication to bring group membership back for restored accounts, so you can ignore this whole slide if you're at a 2K3/2K8 functional level.

When you do an authoritative restore in a Windows 2000 functional level domain, you end up losing group memberships on your user accounts. Of course, you could go back and recreate them manually (no, you can't; you don't have that kind of time on your hands). During the authoritative restore, at least one LDIF file is created. You can use this file to restore group membership to all the users you restored quickly, using what are called backlinks from the LDIF file.

To restore group membership using backlinks:

1. After the authoritative restore is complete and the DC has been restarted normally, open a command prompt and type repadmin /syncall <DCNAME> /a /d /A /P /q, where <DCNAME> is the name of the Domain Controller you just restored.
2. Change to the directory where your LDIF files ended up (NTDSUTIL writes them into its current directory, named ar_<date>-<time>_links_<domain>.ldf).
3. Type ldifde -i -k -f <filename>, where <filename> is the name of the LDIF file you need.
4. Rinse and repeat Step 3 for each file that was created by the NTDSUTIL restore process.
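The two procedures above (the authoritative restore of the Ops OU, and the backlink fix-up that a Windows 2000 functional level forest still needs) as one script. This is an added example, not course material; the backup drive E:, the OU's distinguished name, the DC name NY-DC1 and the deletion time are assumptions for the Globomantics scenario, and it assumes PowerShell was installed on the DC so it is available in DSRM (otherwise type the same wbadmin/ntdsutil/repadmin/ldifde lines at the cmd prompt). The one thing it does that people get wrong by hand is picking the backup set: it takes the newest set that predates the deletion, never the newest overall.

```powershell
# Added example (not from the course): authoritative restore of the New York Ops OU, then the
# backlink fix-up for a Windows 2000 functional level forest. The DN, backup drive, DC name and
# deletion time are assumptions for the Globomantics scenario.
param([ValidateSet('Restore', 'Backlinks')][string]$Phase = 'Restore')

$BackupTarget = 'E:'
$OuDn         = 'OU=Ops,OU=New York,DC=globomantics,DC=com'
$DcName       = 'NY-DC1'
$DeletedAt    = Get-Date '2008-09-23 01:00'   # from the Security log; the backup ran at midnight

function ConvertFrom-WbadminVersion([string]$Id) {
    # wbadmin version identifiers look like 09/22/2008-00:00 (MM/dd/yyyy-HH:mm). Assumed here to be
    # in the same time base as the "Backup time" wbadmin prints beside them; check that on your server.
    [datetime]::ParseExact($Id, 'MM/dd/yyyy-HH:mm', [Globalization.CultureInfo]::InvariantCulture)
}

function Get-LastGoodVersion([string]$Target, [datetime]$Before) {
    # Newest backup set taken BEFORE the deletion. Anything later already contains the deletion.
    $ids = wbadmin get versions -backupTarget:$Target | ForEach-Object {
        if ($_ -match 'Version identifier:\s*(\S+)') { $Matches[1] }
    }
    $good = @($ids | Where-Object { (ConvertFrom-WbadminVersion $_) -lt $Before } |
                Sort-Object { ConvertFrom-WbadminVersion $_ })
    if ($good.Count -eq 0) { throw "No backup on $Target predates $Before" }
    $good[-1]
}

function Invoke-AuthoritativeRestore {
    # Run while booted into Directory Services Restore Mode as .\Administrator.
    $ver = Get-LastGoodVersion $BackupTarget $DeletedAt
    "Restoring System State version $ver"
    wbadmin start systemstaterecovery -version:$ver -backupTarget:$BackupTarget -quiet
    # Still in DSRM, mark ONLY the deleted subtree authoritative. ntdsutil accepts its commands as
    # arguments (it still asks you to confirm the restore). It writes ar_<date>-<time>_links_<domain>.ldf
    # into the current directory, which Restore-Backlinks needs later.
    ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $OuDn" quit quit
}

function Restore-Backlinks([string]$LdfDir = (Get-Location).Path) {
    # Needed only when the forest is at Windows 2000 functional level (no Linked Value Replication).
    # Run AFTER the DC has been rebooted normally and has replicated the restored objects out.
    repadmin /syncall $DcName /a /d /A /P /q
    $files = @(Get-ChildItem -Path $LdfDir -Filter 'ar_*_links_*.ldf')
    foreach ($f in $files) {
        # -i import, -k keep going on "already a member" style errors, -f the file to import
        ldifde -i -k -f $f.FullName
    }
    $files.Count   # how many link files were replayed
}

switch ($Phase) {
    'Restore'   { Invoke-AuthoritativeRestore }
    'Backlinks' { Restore-Backlinks }
}
```

Usage: in DSRM run the script with -Phase Restore, reboot normally, let replication push the OU out, then (only at the Windows 2000 functional level) run it again with -Phase Backlinks from the directory where ntdsutil left its .ldf files.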

Critical Vocabulary

Just a few really big words...

Authoritative Restore: a process in which objects, or an entire directory, are restored from backup and then marked as authoritative by raising their version numbers (by 100,000 per day since the backup, by default) so that every other DC accepts the restored copy during replication.
Non-Authoritative Restore: a simple restoration process that can be accomplished either from Windows Server Backup or by using Directory Services Restore Mode and WBADMIN (if you really want to). The restored DC then replicates in whatever changed since the backup.
Update Sequence Number (USN): a counter each Domain Controller keeps for every change it makes; replication partners use it to work out which objects they still need to pull. (It is the per-attribute version number, not the USN, that an authoritative restore bumps.)
Linked Value Replication (LVR): a feature of a Server 2003 or 2008 forest functional level that replicates the individual values of multi-valued attributes such as a group's member list, which is why an authoritative restore brings group membership back automatically there.

What We Covered

After viewing this video, you should be able to:

Perform a Non-Authoritative Restore using Windows Server Backup on a DC.
Perform an Authoritative Restore using Directory Services Restore Mode, WBADMIN, and NTDSUTIL.
Restore group membership from backlinks using ldifde (if for some weird reason you're not running a Server 2003 or Server 2008 functional level).


Welcome to Train Signal

Video 20: What Do You Do When A Domain Controller Blows Up?

Strategies to Use When Recreating a Dead Domain Controller

What Do You Do When A Domain Controller Blows Up?

In this video:

Uh-Oh
Seizing Operations Masters for Quick Restoration of Functionality
Possible Solutions for Restoring Domain Controllers

Uh-Oh

And... the inevitable happens.

NY-DC3 has blown up. Completely. It is a quivering mass of metal that screeches and whines when it tries to start up. The absolute best way to describe the current state of NY-DC3 is this: toast.

Now you need to decide what to do with the DC. The good news is that you still have two other Domain Controllers running, so users can still log in. The bad news is that NY-DC3 is (or rather was) your Infrastructure Master. You need to get an Infrastructure Master back online as fast as you can first, and then decide how to get NY-DC3 back.


Seizing Operations Masters for Quick Restoration of Functionality

How to seize an Operations Master role when the machine doesn't exist anymore

The GUI: Try to move the Operations Master from Active Directory Users and Computers like you normally would. A transfer needs the current holder to answer, so with NY-DC3 dead this will fail; the console may offer to force the change.

NTDSUTIL: You can also use NTDSUTIL to seize an Operations Master role with the following operation:

1. Go into NTDSUTIL like normal, and don't forget to type activate instance NTDS as your first command.
2. Type roles to move into the Roles context.
3. Type connections, then connect to server <live DC> (the DC that should take over the role), then quit to get back to the Roles context.
4. Type help to get a list of the commands. To seize the Infrastructure Master, type seize infrastructure master. NTDSUTIL tries a clean transfer first and only seizes if the old holder can't be reached.

Once a role has been seized, the old holder must never be brought back onto the network as a DC; rebuild it from scratch instead.
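The seizure above, with the two checks you want before typing it: is the old holder really dead (transfer if it isn't), and is the DC you're about to give the role to a sensible Infrastructure Master? This is an added example, not course material; it assumes the domain globomantics.com and that NY-DC1 is the surviving DC that should take the role.

```powershell
# Added example (not from the course): locate the Infrastructure Master, make sure the DC that
# will take it over is a sensible holder, and seize the role if the current holder is dead.
# Assumes domain globomantics.com and that NY-DC1 is the surviving DC chosen to hold the role.
$DomainDn = 'DC=globomantics,DC=com'
$TargetDc = 'NY-DC1'

function Get-InfrastructureMaster {
    # The role is recorded on CN=Infrastructure as the DN of the holder's NTDS Settings object,
    # e.g. CN=NTDS Settings,CN=NY-DC3,CN=Servers,CN=New-York,CN=Sites,CN=Configuration,...
    $fsmo = "$(([ADSI]"LDAP://CN=Infrastructure,$DomainDn").fSMORoleOwner)"
    $server = [ADSI]("LDAP://" + ($fsmo -replace '^CN=NTDS Settings,', ''))
    "$($server.dNSHostName)"
}

function Test-DcAlive([string]$HostName) {
    # An LDAP bind to RootDSE is a better liveness test than ping: the directory itself must answer.
    try {
        $entry = New-Object DirectoryServices.DirectoryEntry("LDAP://$HostName/RootDSE")
        [void]$entry.NativeObject   # forces the bind; throws if the DS on that host is not answering
        $true
    } catch { $false }
}

function Get-GlobalCatalogState {
    # Bit 0x1 in the options attribute of an NTDS Settings object means "is a Global Catalog".
    # The Infrastructure Master must NOT be a GC unless every DC in the domain is one; otherwise
    # it never notices stale cross-domain references and group memberships stop being refreshed.
    $root = [ADSI]"LDAP://CN=Sites,CN=Configuration,$DomainDn"
    $ds = New-Object DirectoryServices.DirectorySearcher($root, '(objectClass=nTDSDSA)')
    $all = @($ds.FindAll())
    $gcs = @($all | Where-Object {
        $_.Properties['options'].Count -gt 0 -and ([int]$_.Properties['options'][0] -band 1) })
    $gcDns = @($gcs | ForEach-Object { $_.Properties['distinguishedname'][0] })
    $targetHits = @($gcDns -match "CN=$TargetDc,")
    @{ TotalDcs = $all.Count; GcDcs = $gcs.Count; TargetIsGc = ($targetHits.Count -gt 0) }
}

function Seize-InfrastructureMaster {
    # ntdsutil first attempts a clean transfer and only seizes when the old holder does not answer.
    # After a seizure the old holder must NEVER come back online as a DC.
    ntdsutil 'activate instance ntds' roles connections "connect to server $TargetDc" quit `
             'seize infrastructure master' quit quit
}

$holder = Get-InfrastructureMaster
if (Test-DcAlive $holder) {
    "Infrastructure Master $holder is still answering; transfer it normally instead of seizing."
} else {
    $gc = Get-GlobalCatalogState
    if ($gc.TargetIsGc -and $gc.GcDcs -lt $gc.TotalDcs) {
        Write-Warning "$TargetDc is a GC but only $($gc.GcDcs) of $($gc.TotalDcs) DCs are; pick a non-GC DC or make them all GCs."
    } else {
        "Seizing Infrastructure Master from dead $holder onto $TargetDc"
        Seize-InfrastructureMaster
    }
}
```

The same pattern works for the other four roles (the role owner lives on CN=RID Manager$,CN=System for the RID Master, on the domain head for the PDC Emulator, on CN=Schema and on CN=Partitions in the Configuration container for the Schema and Domain Naming Masters), but the RID and Schema masters are the ones where a seizure followed by the old DC coming back causes real damage, so the "never bring it back" rule matters most there.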

Possible Solutions for Restoring Domain Controllers

It all depends...

If the hardware and the Server 2008 operating system are okay but Active Directory has been trashed, you can just do a System State Restore from the last backup.

If your hardware is trashed, build a new Server 2008, install Windows Server Backup, and do a Recovery of the last full backup of NY-DC3. (Requires the backup to be on a DVD or NAS.)

Last, if you don't have access to a set of backup files (shame, shame!!), since NY-DC3 is more of an auxiliary machine, you can delete the NY-DC3 computer account from the Domain Controllers OU (on Server 2008 this also cleans up its replication metadata), build a brand new Server 2008 machine, install AD DS and run DCPromo, and let replication do the job of restoring the Active Directory database. Then move the Infrastructure Master back to the new NY-DC3, as long as it is not also a Global Catalog server (or every DC in the domain is).

Critical Vocabulary

Hey, wait a minute...

Toast: what a Domain Controller smells like when it blows up. Okay, in reality it smells like burning plastic and metal, but you get the point.

That's all. No new real words this time that you haven't already seen.


What We Covered

After viewing this video, you should be able to:

Seize an Operations Master and thereby transfer the functionality to a live Domain Controller.
Identify a methodology to restore a Domain Controller to functional status.

Welcome to Train Signal

Video 21: Get Your Old Domain Controllers Up To Date

Upgrading a Server 2003 Machine to Server 2008

Get Your Old Domain Controllers Up To Date

In this video:

Hank just bought a company... in Tokyo!
Advantages of the Server 2008 Domain Functional Level
The Upgrade Process


Hank just bought a company... in Tokyo!

... and now you have to integrate it into your network!

Hank's been on a spending spree, and bought a small brokerage in Tokyo, Japan for the mere sum of $1.5 million. The small company, Verde Petra, Inc., is a 10-person shop that focuses on the Asian markets. Their network is a simple one-Domain-Controller setup with 10 client machines, an outsourced email solution, and a couple of network printers. However, their Domain Controller is running a 32-bit edition of Server 2003, and needs to be upgraded to Server 2008 to take advantage of all the extras that a Server 2008 functional level provides. Before we do anything to integrate, you need to prepare the Verde Petra Domain Controller by upgrading it to Server 2008 Enterprise 32-bit (an in-place upgrade can't change architecture, so 32-bit 2003 becomes 32-bit 2008).

Advantages of the Server 2008 Domain Functional Level

When you get a 2008 functional level, you also get these nifty bonus items!

Distributed File System Replication (DFS-R) for SYSVOL
Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol
Last Interactive Logon Information (GPO found in Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options > Display information about previous logons during user logon)
Fine-grained password policies

The Upgrade Process

Showtime!

Before you do anything, make sure your hardware is up to spec and that the 2003 DC has at least Service Pack 1.

When upgrading a Domain Controller, you'll need to run adprep from the Server 2008 disc (\sources\adprep\adprep.exe) before Setup will let you proceed: adprep /forestprep once, on the Schema Master (you need to be in Schema Admins and Enterprise Admins), then, after that has replicated, adprep /domainprep /gpprep on the Infrastructure Master of each domain. If the forest will ever hold an RODC, also run adprep /rodcprep.

The rest of the upgrade process is simple: put in the DVD, click on the Upgrade option when it comes up, and install as normal.

NOTE: You cannot upgrade Server 2000 to Server 2008. You would have to first upgrade the server to 2003 and then to 2008.
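The pre-flight checks and the adprep steps above, scripted so that you run the right step on the right DC and can prove afterwards that both completed. This is an added example, not course material; the domain name verdepetra.com and the media drive D: are assumptions, and the marker values it reads (schema objectVersion 44 for Server 2008, domainprep revision 3) are what Windows Server 2008 adprep writes.

```powershell
# Added example (not from the course): check the Verde Petra domain before adprep, run the right
# adprep step on the DC you are logged on to, and verify afterwards. Domain name and media drive
# are assumptions; the version markers are the values Windows Server 2008 adprep writes.
$DomainDn = 'DC=verdepetra,DC=com'
$Adprep   = 'D:\sources\adprep\adprep.exe'   # on the Server 2008 media; no separate download needed

function Get-SchemaVersion {
    # objectVersion of the schema NC: 13 = 2000, 30 = 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2
    [int]"$(([ADSI]"LDAP://CN=Schema,CN=Configuration,$DomainDn").objectVersion)"
}
function Get-DomainPrepRevision {
    # Written by adprep /domainprep; 3 means the Windows Server 2008 domainprep has completed.
    # The container does not exist until the 2008 domainprep has run, hence the catch.
    try { [int]"$(([ADSI]"LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$DomainDn").revision)" }
    catch { 0 }
}
function Get-FsmoHolders {
    # forestprep must run on the Schema Master, domainprep/gpprep on the Infrastructure Master of
    # each domain. Both values come back as "CN=NTDS Settings,CN=<DC>,CN=Servers,...".
    @{ SchemaMaster         = "$(([ADSI]"LDAP://CN=Schema,CN=Configuration,$DomainDn").fSMORoleOwner)"
       InfrastructureMaster = "$(([ADSI]"LDAP://CN=Infrastructure,$DomainDn").fSMORoleOwner)" }
}
function Test-UpgradeReady {
    $schema = Get-SchemaVersion
    if ($schema -lt 30) { throw "Schema version $schema is Windows 2000: go to Server 2003 first; 2000 -> 2008 is not a supported path." }
    # Server 2003 DCs need SP1 or later for an in-place upgrade; the local OS tells us.
    $os = Get-WmiObject Win32_OperatingSystem
    if ($os.Version -lt '5.2' -or $os.ServicePackMajorVersion -lt 1) { throw 'Apply Server 2003 SP1 (or later) before upgrading.' }
    $true
}
function Invoke-AdprepForThisDc {
    # adprep is interactive (it asks you to type C to continue) and needs Schema Admins +
    # Enterprise Admins for forestprep, Domain Admins for domainprep. Let forestprep replicate
    # to the Infrastructure Master before running domainprep there (one DC here, so no wait).
    $me = $env:COMPUTERNAME
    $h  = Get-FsmoHolders
    if ($h.SchemaMaster -match "CN=$me,") { & $Adprep /forestprep }
    if ($h.InfrastructureMaster -match "CN=$me,") {
        & $Adprep /domainprep /gpprep
        & $Adprep /rodcprep          # only matters if an RODC will ever join this forest
    }
    @{ SchemaVersion = Get-SchemaVersion; DomainPrepRevision = Get-DomainPrepRevision }
}

if (Test-UpgradeReady) {
    "Schema version before: $(Get-SchemaVersion)"
    $after = Invoke-AdprepForThisDc
    if ($after.SchemaVersion -ge 44 -and $after.DomainPrepRevision -ge 3) {
        'Forest and domain are prepared for Server 2008; Setup will now offer the Upgrade option.'
    } else {
        "Not complete yet: schema $($after.SchemaVersion), domainprep revision $($after.DomainPrepRevision)"
    }
}
```

Verde Petra has one DC, so it holds every role and the whole thing runs on that box. In a multi-DC forest run the script on the Schema Master first, wait for replication (repadmin /syncall), and only then on each domain's Infrastructure Master.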


Critical Vocabulary

Words?

Nope. No new words this round.

What We Covered

After watching this video, you should be able to:

Prepare a Server 2003 Domain Controller for upgrade to 2008 using adprep.
Upgrade a Server 2003 DC to Server 2008.
Describe the advantages of running a Server 2008 functional level.

Welcome to Train Signal

Video 22: Connecting the Continents

How to Connect Two Active Directory Networks For Fun and Profit (and by using Trusts and DNS)


Connecting the Continents

In this video:

Tokyo is now a Server 2008 network, so now what?
Our Two Options To Connect Tokyo and New York
What You Need for Active Directory Federation Services
What You Need for a Trust
The Globomantics/Verde Petra Solution: Trusts

Tokyo is now a Server 2008 network, so now what?

Time to connect 'em together!

So you've got Tokyo up to date in terms of the OS and the Domain Functional Level. Now it's time to make sure that Verde Petra becomes accessible to Globomantics and vice versa. Hank ponied up for some nifty Virtual Private Network (VPN) technology that gives Tokyo and the New York office a direct connection. Eventually you will want to combine the Verde Petra domain with the Globomantics domain using the Active Directory Migration Tool, but what you need to do right now is get the two offices connected ASAP so they can share info in ways other than email.

Our Two Options To Connect Tokyo and New York

Actually, there's more than two, but these are a good start.

(Diagram: globomantics and Na.globomantics on one side, VerdePetra.com on the other.)

So the question is, do we use Active Directory Federation Services or do we set up some Trust relationships between the two locations?

*NEW* Active Directory Federation Services allows two separate Active Directory networks to authenticate users from either domain for shared web applications and resources. It uses port 443 (the SSL port) for secure transmissions, so it works across the Internet without any network-level link between the two forests.

We can also create a Trust between the two forests, since we have more or less a direct link via VPN between New York and Tokyo.


What You Need for Active Directory Federation Services

It's not as easy as it sounds...

AD FS is an SSO (Single Sign-On) method of sharing information between two partner networks, usually through a web site or application like SharePoint Services or SharePoint Server. It uses port 443, the SSL port, and HTTPS to transfer info back and forth. It also uses cookies to keep track of authentication. Here's what AD FS requires:

(Diagram: on each side, an AD DS server and an AD FS server inside the network, a DMZ with a Federation Proxy Server, and the Internet between the two DMZs; the resource side also runs the web server (SharePoint) with an SSL certificate.)

What You Need for a Trust

So much faster to set up... for small environments

A Trust allows users from one network to access information on another network.

As long as there's a secure connection between the two networks (like our VPN), all we really need is a DC on either side.

Each domain should be running at least the Server 2003 functional level, and the forest functional level has to be at least Server 2003 for a forest trust (Server 2008 preferred).

(Diagram: an AD DS server running DNS on each side; DNS must be configured correctly on both to forward requests for the other domain.)

What You Need For a Trust

The kinds of Trusts

External Trust: allows a domain in one forest to trust a domain in another forest without trusting every domain in that forest. Not transitive.
Forest Trust: a trust between two forest root domains that can allow users from any domain inside either forest to share resources.
Shortcut Trust: simply allows users to access resources in a different domain in the same forest faster, by skipping the walk up and down the tree.
Realm Trust: allows a Windows Active Directory network that uses Kerberos to trust a UNIX-based network that also uses Kerberos, to share resources.


What You Need for a Trust

Trust Directions

Trusts can be one-way, two-way, and transitive.

One-Way Trust: Network A trusts Network B. Users from Network B can access allowed resources on A, but users from A cannot access stuff on Network B.

Two-Way Trust: Network A trusts Network B and Network B trusts Network A. Users from either network can access allowed resources on the other.

Transitive Trusts: If Domain A trusts Domain B, and Domain B trusts Domain C, and the trusts are transitive, then A also trusts C without anyone creating an A-to-C trust. (Two domains that merely both trust B do not trust each other; the chain has to run in one direction.) Within a forest every parent-child trust is transitive, which is why a forest trust reaches every domain on both sides and an external trust does not.


The Globomantics/Verde Petra Solution: Trusts

So here's what you're actually going to do:

Since Hank has already spent the big dollars buying out Verde Petra, your budget is a little slim. Since AD Federation Services requires so much hardware, plus a SharePoint implementation which you know nothing about, it doesn't make any sense to use Federation. Not to mention the fact that eventually you will be using the Active Directory Migration Tool to move all the users from Tokyo into Globomantics, removing the Verde Petra domain altogether and replacing it with tk.globomantics.com. But not today. You're going to implement the following Trust relationship strategy between Globomantics and Verde Petra in order to get moving fast!

The Globomantics/Verde Petra Solution: Trusts

Here's what it will look like!

Your first thought is a two-way forest trust, plus an external trust between Verde Petra and Na.Globomantics so that users will be able to access stuff faster.

(Diagram: a two-way forest trust between globomantics and VerdePetra.com, with Na.globomantics underneath globomantics.)

We really don't need the external trust, though, because the forest trust between Verde Petra and Globomantics is transitive: every domain in the Globomantics forest, Na.Globomantics included, is already covered.

The Globomantics/Verde Petra Solution: Trusts

Before we do that, though...

You need to ensure that the DNS servers on both networks are configured to know about each other.

Both DNS servers are Active Directory integrated, but a trust does not make it so that either DNS server knows about the other one.

You will set up a Stub Zone on each DNS server, so that any DNS request for resources on the other network will be forwarded to the DNS server in the other network.

(Diagram: a user maps a drive to "Tokyo Sales Numbers.xls". The Globomantics DNS server says: "This request is for Verde Petra. I have a Stub Zone that tells me which DNS server to ask about it," and hands the query to the Verde Petra server running DNS.)
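The whole sequence from this and the previous slide (stub zones first, then the two-way forest trust, then verification), scripted with the tools Server 2008 ships for it (dnscmd, netdom, nltest). This is an added example, not course material. NY-DC1 at 10.1.0.10 serving globomantics.com and TK-DC1 at 10.2.0.10 serving verdepetra.com are assumptions, as is that the account you run it under can administer DNS on both sides over the VPN; admin credentials for each forest are prompted for, not stored. The netdom switch names are the Server 2008 ones; if your netdom rejects the separate /forestTRANsitive step, create the trust with the Active Directory Domains and Trusts wizard and pick Forest trust there.

```powershell
# Added example (not from the course): give each forest a stub zone for the other, prove resolution
# works both ways, then create the two-way forest trust and verify it. DC names/IPs (NY-DC1 10.1.0.10,
# TK-DC1 10.2.0.10 across the VPN) are assumptions; admin credentials are prompted, never stored.
$Globo = @{ Dc = 'NY-DC1'; Zone = 'globomantics.com'; Ip = '10.1.0.10' }
$Verde = @{ Dc = 'TK-DC1'; Zone = 'verdepetra.com';   Ip = '10.2.0.10' }

function Add-StubZone($OnDns, $ForPeer) {
    # AD-integrated stub zone: holds only the peer's SOA/NS/glue, refreshed from the master at
    # $ForPeer.Ip; /dp /domain replicates it to every DNS-running DC in this domain.
    dnscmd $OnDns.Dc /zoneadd $ForPeer.Zone /dsstub $ForPeer.Ip /dp /domain
}

function Test-PeerResolution($OnDns, $ForPeer) {
    # The trust wizard locates a DC in the other forest through this SRV record. Ask our own DNS
    # server for it; if the stub zone is right, the answer names the peer's DC.
    $out = (nslookup -type=SRV "_ldap._tcp.dc._msdcs.$($ForPeer.Zone)" $OnDns.Dc 2>&1) -join "`n"
    $out -match "$($ForPeer.Dc)\.$($ForPeer.Zone)"
}

function New-TwoWayForestTrust($Trusting, $Trusted) {
    $remote = Get-Credential "$($Trusted.Zone)\Administrator"
    $local  = Get-Credential "$($Trusting.Zone)\Administrator"
    $rp = $remote.GetNetworkCredential().Password   # netdom has no other way to take a password;
    $lp = $local.GetNetworkCredential().Password    # these are visible in the process list while it runs
    # /uo /po = account in the OTHER (trusted) forest, /ud /pd = account in our own forest.
    netdom trust $Trusting.Zone /d:$($Trusted.Zone) /add /twoway /uo:$($remote.UserName) /po:$rp /ud:$($local.UserName) /pd:$lp
    # Make it a forest trust (transitive across every domain in both forests) rather than an
    # external trust; both forests must already be at Server 2003 forest functional level.
    netdom trust $Trusting.Zone /d:$($Trusted.Zone) /forestTRANsitive:yes /uo:$($remote.UserName) /po:$rp /ud:$($local.UserName) /pd:$lp
    # Selective authentication: Tokyo users can only reach servers where a Globomantics admin has
    # granted them "Allowed to Authenticate". SID filtering (/quarantine) is already on for new
    # forest trusts; leave it on so a SID injected in Tokyo cannot impersonate a Globomantics admin.
    netdom trust $Trusting.Zone /d:$($Trusted.Zone) /selectiveAUTH:yes /uo:$($remote.UserName) /po:$rp /ud:$($local.UserName) /pd:$lp
    # Verify the secure channel and the Kerberos side of the trust, then list what the DC sees.
    netdom trust $Trusting.Zone /d:$($Trusted.Zone) /verify /kerberos /uo:$($remote.UserName) /po:$rp /ud:$($local.UserName) /pd:$lp
    nltest /domain_trusts /all_trusts
}

Add-StubZone $Globo $Verde
Add-StubZone $Verde $Globo           # dnscmd can administer the Tokyo DNS over the VPN too
if ((Test-PeerResolution $Globo $Verde) -and (Test-PeerResolution $Verde $Globo)) {
    New-TwoWayForestTrust $Globo $Verde
} else {
    throw 'Fix DNS first: one side cannot resolve the other forest''s DC locator records.'
}
```

Selective authentication is the part worth arguing for: with forest-wide authentication every Tokyo user is "Authenticated Users" on every Globomantics server the moment the trust exists, which is more than a 10-person brokerage you acquired last week should get.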


Critical Vocabulary

Yowza! Lots-o-words this time!

Active Directory Federation Services: a Server Role that allows partner networks to share information across domains using Single Sign-On. Most often used to share intranet web sites and applications like SharePoint.
Trust: a relationship between forests or domains that allows sharing of resources.
Stub Zone: a DNS zone that simply provides information about another domain's DNS servers.
Conditional Forwarder: an entry in a DNS server that forwards a DNS request on to a specific server when the request meets a specific requirement, i.e. it asks about a computer in another domain.
External Trust: allows separate domains in separate forests to trust each other's users without trusting every domain in a forest.

Critical Vocabulary

And some more...

Forest Trust: a trust between two forest root domains that can allow users from any domain inside either forest to share resources.
Shortcut Trust: simply allows users to access resources in a different domain in the same forest faster.
Realm Trust: allows a Windows Active Directory network that uses Kerberos to trust a UNIX-based network that also uses Kerberos to share resources.
Transitive Trust: a trust property that extends a trust through the trusted domain to the domains it in turn trusts.
Active Directory Migration Tool: a free download from Microsoft that allows you to move Active Directory objects (user accounts, etc.) between domains for consolidation.

What We Covered

After viewing this video, you should be able to:

Define the requirements and describe the use of Active Directory Federation Services.
Define the types and directions of Trusts.
Create Stub Zones in a DNS server in preparation for a Trust.
Implement a two-way transitive Forest Trust.
Add a Universal Group from another domain to a Domain Local Group in a home domain.


Welcome to Train Signal

Video 23: Certification: It's Really Not That Scary

What it is, what to expect, and how to prepare

Certification: It's Really Not That Scary

In this video:

The New Generation of Certifications for Server 2008
The Upgrade Paths for MCSAs/MCSEs
How to Sign Up for a Microsoft Exam
70-640 Exam Prep Tips

The New Generation of Server 2008 Certifications

New Alphabet Soup for Everyone!

The three new server certification blocks for network admins:
MCTS
MCITP: Server Administrator
MCITP: Enterprise Administrator
There is no MCSE 2008.
There is no MCSA 2008.


The New Generation of Server 2008 Certifications

What you need to take for each credential

MCTS: Take any one exam from a large selection. When you get multiple TS certs, you can build a nifty logo using MS's Logo Builder!

MCITP: Server Administrator (from scratch, three exams):
70-640: TS: Active Directory
70-642: TS: Network Infrastructure
70-646: Pro: Server Administrator

MCITP: Enterprise Administrator (from scratch, five exams):
70-620: Vista
70-640: TS: Active Directory
70-642: TS: Network Infrastructure
70-643: TS: Server 2008 Application Infrastructure, Configuring
70-647: Pro: Enterprise Administrator

The Upgrade Paths for MCSAs/MCSEs

For an MCSA 2003 to move up to MCITP: Server Administrator, take two exams:
70-648: Provides 2 additional MCTS certs
70-646: Provides MCITP

The Upgrade Paths for MCSAs/MCSEs

For an MCSA 2003 to upgrade to MCITP: Enterprise Administrator, take 4 tests:
70-648: Provides 2 MCTS
70-620 or 70-624: TS: Vista
70-643: TS: Applications Infrastructure
70-647: MCITP: Enterprise


The Upgrade Paths for MCSAs/MCSEs

For an MCSE 2003 to MCITP: Server Administrator, take two tests:
70-649: Provides 3 MCTS
70-646: MCITP: Server Administrator

The Upgrade Paths for MCSAs/MCSEs

For an MCSE 2003 to MCITP: Enterprise Administrator, take 3 exams:
70-649: Provides 3 MCTS
70-620 or 70-624: TS: Vista
70-647: MCITP: Enterprise Administrator

How to Sign Up for a Microsoft Exam

One web site to sign up for them all!

Go to Prometric.com; it's easy!

Prometric is the exclusive provider of Microsoft exams. Microsoft periodically offers free Second Shots; check the Microsoft site first!


70-640 Exam Prep Tips

Prep

I recommend:
MCTS Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 Active Directory, from Microsoft Press

Take the Transcender practice exam several times. Look up the stuff that you miss in this video course or in the Microsoft Press book.

Review this course at least twice. Get some virtual machines and push buttons!

70-640 Exam Prep Tips

On the day of the test

Do not stay up all night studying; get good sleep!
When you go in to the test center, leave your cell phone and anything else in your car.
Bring in only 2 forms of ID and your car keys. You must have 2 forms of ID!!!
Before taking the test, stop and breathe. Relax.
During the test, do not forget to breathe.
Mark questions for review the first time through if you have to think too long about any one of them. You can go back at the end of the test and answer them later.

70-640 Exam Prep Tips

The biggest tip I can give you:

Know the material.


What We Covered

After watching this video, you should be able to:

Describe the requirements for the MCTS and MCITP tracks.
Describe the upgrade paths for MCSAs/MCSEs to MCITP.
Sign up for an exam on the Prometric web site.

Welcome to Train Signal

Video 24: DNS Stuff

A Primer On the Domain Name System and How It Fits In With Active Directory

DNS Stuff

In this video:

A Quick Overview of DNS
What Are DNS Zones Really?
The Different Kinds of DNS Records
Forwarders and Root Hints
GlobalNames Zones: The WINS Killer (Kind of)


A Quick Overview of DNS

Without DNS, a Domain Controller is a really expensive paperweight

The Domain Name System (DNS) is a Server 2008 role that's basically a big phone book allowing users and computers to look up a host's IP address by using a host name. The process of finding a computer's IP address by looking up its name is called name resolution. When computers (or hosts) get assigned IP addresses by DHCP or by an administrator, they register their name and IP address with a DNS server. That computer can now be found through name resolution, and Active Directory can now find users, computers, and other hosts by working in conjunction with the DNS server. Domain Controllers go one step further: they register SRV records (_ldap._tcp, _kerberos._tcp and friends under _msdcs) so clients can find a DC to log on to; if those records are missing, nobody logs in, hence the paperweight.

What Are DNS Zones Really?

Big words for simple concepts

A DNS zone is basically a text file or database that defines what machines it knows about in the namespace.

There are 4 basic types of zones you need to know about:

*RECOMMENDED FOR SERVER 2008* Active Directory Integrated Zone: the DNS database is stored as Active Directory objects. No need for secondary zones if all your DNS servers are also DCs.
Primary: used on a standalone DNS server, it acts as the master copy of the zone that records and reads info.
Secondary: a read-only copy of a primary zone. Must copy zone files (a zone transfer) from a DNS server that has a primary zone.
Stub: only contains information about the other zone's DNS servers.

What Are DNS Zones Really?

Why an Active Directory Integrated Zone?

Let Active Directory manage a lot of the DNS stuff for you! AD integrated zones give you:

Zone data carried by AD replication instead of separate zone transfers
Multimaster replication (any DNS DC can accept a change)
Secure dynamic updates (only the computer that registered a record, authenticated with Kerberos, can change it)
Backwards compatibility with secondary zones (if you have any in your network)


What Are DNS Zones Really?

And some more zones...

Forward Lookup Zones: look up a host's IP address by name.
Reverse Lookup Zones: look up a host name by IP address. Used mostly for security and error checking.
Stub Zones: remember these from the Connecting the Continents video?
Conditional Forwarders: used in place of stub zones to forward DNS requests about other domains to a specific server.

The Different Kinds of DNS Records

What lives in a DNS zone?

A (Host): name and IPv4 address of a host (computer, network printer, PDA, etc.). The IPv6 equivalent is AAAA.
PTR (Pointer): a record in a reverse zone, mapping an address back to a name.
SOA (Start of Authority): the beginning record of a zone.
SRV (Service Locator): for servers and service-providing hosts; this is how clients find Domain Controllers, KDCs and Global Catalogs.
NS (Name Server): a record that points to a DNS server for the zone.
MX (Mail Exchanger): for email servers.
CNAME (Alias): a nickname record that allows for multiple names for the same machine.

Forwarders and Root Hints

If the DNS server doesn't know where a host is, it has to call out

Root Hints allow your DNS server to communicate with the root name servers on the Internet and work its way down to the answer itself.

A Forwarder can act in the place of root hints if your security requirements are higher: the server hands every query it isn't authoritative for to another DNS server instead of querying the Internet itself. You need two DNS servers for this: one on the inside of your network perimeter that doesn't use root hints (configured as a forward-only, or "slave", server) and one on the perimeter that does. Internet DNS requests are forwarded out to the perimeter DNS server by the internal DNS and the answers are brought back in, so the firewall only has to allow port 53 out from the perimeter box.
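The two-server design above, configured and checked with dnscmd and the DNS WMI provider. This is an added example, not course material; NY-DC1 as the internal DNS and 192.168.200.53 as the perimeter resolver are assumptions, and www.microsoft.com is just a name that is expected to resolve on the Internet.

```powershell
# Added example (not from the course): the two-server forwarder design from the slide, set up and
# verified. The internal DNS on NY-DC1 forwards to a perimeter resolver and never uses root hints;
# only the perimeter box talks to Internet name servers. The perimeter IP is an assumption.
$InternalDns = 'NY-DC1'
$PerimeterIp = '192.168.200.53'

function Set-ForwardOnly([string]$Server, [string]$ForwarderIp) {
    # /ResetForwarders replaces the forwarder list. /slave means "do not fall back to root hints
    # when the forwarder does not answer", so the DC never queries the Internet itself.
    dnscmd $Server /resetforwarders $ForwarderIp /slave
}

function Get-ForwarderConfig([string]$Server) {
    # The DNS WMI provider exposes the running configuration; IsSlave is the "no root hints" flag.
    $srv = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Server -ComputerName $Server
    @{ Forwarders = @($srv.Forwarders); IsSlave = [bool]$srv.IsSlave; NoRecursion = [bool]$srv.NoRecursion }
}

function Test-ForwardOnly([string]$Server, [string]$ForwarderIp) {
    $cfg = Get-ForwarderConfig $Server
    $ok = ($cfg.Forwarders -contains $ForwarderIp) -and $cfg.IsSlave
    # NoRecursion would stop the server resolving on behalf of clients at all, which is NOT what
    # we want on the internal box; it must still recurse, just only via the forwarder.
    if ($cfg.NoRecursion) { Write-Warning "$Server has recursion disabled; internal clients will get failures." }
    # End-to-end check: an Internet name must still resolve through the internal server.
    $answer = (nslookup www.microsoft.com $Server 2>&1) -join "`n"
    $ok -and ($answer -match 'Name:\s') -and ($answer -notmatch "Non-existent domain|timed out|can't find")
}

Set-ForwardOnly $InternalDns $PerimeterIp
if (Test-ForwardOnly $InternalDns $PerimeterIp) {
    "$InternalDns forwards to $PerimeterIp only; root hints are not used."
} else {
    Write-Warning "Forwarding check failed; is $PerimeterIp reachable on UDP/TCP 53 from $InternalDns?"
}
```

With this in place the firewall rule for DNS is a single line (the perimeter resolver out to port 53) and the Domain Controller, which holds every password hash in the domain, never opens a socket to an Internet name server.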


GlobalNames Zones: The WINS Killer (Kind of)

Can we replace WINS? Sometimes...

WINS is an older technology that allows you to use NetBIOS for name resolution.

Most WINS server technology is being replaced by DNS for speed, reliability, and security.

GlobalNames zones are a NEW feature of Server 2008 for single-label name resolution.

Use it for easy-access intranet web sites, and as a potential replacement for WINS if you have older network-aware software applications still running that require single-label names (especially if you're rolling over to IPv6, which WINS doesn't support!). WINS is still available on Server 2008 as a Feature (not a Role) if you need it.

GlobalNames Zones: The WINS Killer (Kind of)

To create a GlobalNames zone:

On your primary DNS server, run this command to prepare your DNS for GlobalNames: dnscmd /config /enableglobalnamessupport 1 (and run it on every other DNS server that should answer single-label queries). Then create a new forward lookup zone called exactly GlobalNames, Active Directory integrated, replicated to all DNS servers in the forest, with dynamic updates disabled. Add CNAME records for any web site or machine you want to have single-label resolution for.
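The same steps with dnscmd, plus the lookup that proves it worked. This is an added example, not course material; NY-DC1 and the target host web01.globomantics.com are assumptions. The one setting that matters for security is the last one in New-GlobalNamesZone: GlobalNames must never accept dynamic updates, or any machine on the network can register itself as "intranet".

```powershell
# Added example (not from the course): create the GlobalNames zone so that "intranet" resolves
# without WINS, kept static and replicated forest-wide, and verify it. NY-DC1 and the target
# web01.globomantics.com are assumptions.
$Dns = 'NY-DC1'

function New-GlobalNamesZone([string]$Server) {
    # Every DNS server that should answer single-label queries needs the support flag (note the
    # spelling: GlobalNames + Support). The zone name must be exactly GlobalNames.
    dnscmd $Server /config /enableglobalnamessupport 1
    # AD-integrated, replicated to every DNS DC in the forest, so all sites resolve the same names.
    dnscmd $Server /zoneadd GlobalNames /dsprimary /dp /forest
    # Static by design: if clients could register here, any machine could claim "intranet".
    dnscmd $Server /config GlobalNames /allowupdate 0
}

function Add-GlobalName([string]$Server, [string]$Label, [string]$TargetFqdn) {
    # Only CNAME records belong in GlobalNames; each label points at a real, fully qualified host.
    dnscmd $Server /recordadd GlobalNames $Label CNAME "$TargetFqdn."
}

function Test-GlobalName([string]$Server, [string]$Label, [string]$TargetFqdn) {
    # A client sends the bare label; the server tries its normal zones first and GlobalNames last,
    # so the answer should come back as an alias for the real host.
    $out = (nslookup $Label $Server 2>&1) -join "`n"
    $out -match [regex]::Escape($TargetFqdn)
}

New-GlobalNamesZone $Dns
Add-GlobalName $Dns 'intranet' 'web01.globomantics.com'
if (Test-GlobalName $Dns 'intranet' 'web01.globomantics.com') {
    'intranet -> web01.globomantics.com via GlobalNames'
} else {
    Write-Warning 'Single-label lookup failed: check the zone name, the support flag on this server, and AD replication.'
}
```

Because the zone is replicated forest-wide but the support flag is per server, a site whose DNS server never had /enableglobalnamessupport set will still fail single-label lookups even though it holds the zone.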

Critical Vocabulary

Oh boy, here we go...

Welcome to Train Signal

Video 25: AD Certificate Services 101

A Primer on Active Directory Certificate Services and Public Key Infrastructure

AD Certificate Services 101

In this video:

Let's Talk Security
Lions and Tigers and Keys and Certificates, Oh My!
Respect My Authori-tay!
I'm Sorry, Dave, I Can't Do That. Your Certificate Has Been Revoked.

Let's Talk Security

In times such as these...

Security in networks is a huge area, but a good place to start is by using Certificate Services as a way to:

Encrypt data files (EFS)
Encrypt remote communications (SSL/TLS, IPsec)
Secure email (S/MIME)
Secure logons with smart cards
Secure servers with Network Access Protection (requires certificates)
Protect data from tampering (digital signatures)


Lions and Tigers and Keys and Certificates, Oh My!

So, that's neat and all, but what is a Certificate?!?!?

A Certificate is a file that contains:

A public key, used to encrypt data for the holder and to check signatures made with the matching private key
A digital signature for identity verification, made by the issuing CA over the whole certificate
A name, which can refer to a person, a computer or an organization
A validity period
The location where revocation can be checked (usually a URL: a CRL Distribution Point and/or an OCSP responder)

It's used both to encrypt files and communications and to prove identity. A certificate is generated by a Certification Authority (that's a CA if you're cool), which signs it with the CA's own private key; the CA and its keys are one part of a whole Public Key Infrastructure.

Lions and Tigers and Keys and Certificates, Oh My!

Let's Illustrate The Key Thing

[Diagram: You hold the Private Key; each of Your Buddies holds a copy of your Public Key.]

Respect My Authori-tay!

The Certificates have to come from somewhere

- Server 2008 Enterprise Certificate Authority (Integrated into Active Directory)
- Server 2008 Standalone Certificate Authority
- Third Party Certificate Authority (i.e. VeriSign, etc.)

Certificate Authority (CA) servers that generate certificates are called root CAs. Certificates are generated from one of these three types of Certificate Authority and then passed on to users, devices, other servers and so on. Certificate Authorities can also provide verification of a User's or Organization's Identity with Online Responder Services.

95

9/24/2008

Respect My Authori-tay!

Multiple Tiers Provide Multiple Levels of Protection

Usually you'll have more than one machine actually doing Certificate Services work. With a Standalone CA, you'll create Certificates and then pass them off to Issuing Servers. Then you'll take the Standalone offline. Pretty much all the work is done manually with a Standalone CA. You can't just have it autoenroll users.

[Diagram: a Server 2008 Standalone Certificate Authority at the top tier, issuing to three Server 2008 Subordinate Certificate Issuers below it.]

Respect My Authori-tay!

Enterprise CAs stay online, and need to be highly available

With an Enterprise CA, it stays online all the time and is integrated with Active Directory. Enterprise CAs can assign certificates automatically to users in AD using Autoenrollment. At least a second tier is still a good idea, and you may have more depending on your security needs.

[Diagram: a Server 2008 Enterprise Certificate Authority at the top tier, with three Server 2008 Subordinate Certificate Issuers below it.]

I'm Sorry, Dave, I Can't Do That. Your Certificate Has Been Revoked.

CRLs, NDESs, and ORs... Could I vague it up even more?

- When a certificate is presented by a user attempting to access an encrypted file (or whatever has been secured), the certificate is checked against a Certificate Revocation List (CRL) by a Certificate Authority to make sure it hasn't been revoked.
- An Online Responder (OR) can be used in place of a Certificate Authority server. An Online Responder (*new* in Server 2008) doesn't need to check the certificate against an entire CRL, and instead just checks to see if the certificate is valid. It's much faster and more efficient.
- Network Device Enrollment Service (NDES) allows you to include routers and switches in your PKI hierarchy if you really think you need it.
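An added example (not part of the course) that serves both the "what is a Certificate" slide and this one: it reads the listed fields out of a certificate in the machine store, then has Windows build the chain with online revocation checking, which asks the cert's OCSP responder if one is advertised and otherwise fetches the CRL; the subject name webserver.globomantics.local is an assumption.

```powershell
# Added example, not from the course. Assumption: a server certificate whose subject
# contains "webserver.globomantics.local" sits in the local machine's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*webserver.globomantics.local*' } |
    Select-Object -First 1
if (-not $cert) { throw 'No matching certificate found in Cert:\LocalMachine\My' }

# The parts of a certificate from the slide: name, public key, validity period, signature,
# and where revocation information lives (CRL Distribution Points 2.5.29.31, AIA/OCSP 1.3.6.1.5.5.7.1.1).
"Subject:   " + $cert.Subject
"Key:       " + $cert.PublicKey.Oid.FriendlyName
"Valid:     " + $cert.NotBefore + " to " + $cert.NotAfter
"Signature: " + $cert.SignatureAlgorithm.FriendlyName
$cert.Extensions |
    Where-Object { @('2.5.29.31', '1.3.6.1.5.5.7.1.1') -contains $_.Oid.Value } |
    ForEach-Object { $_.Format($true) }

# Build the chain up to a trusted root and check revocation for every certificate in it.
# Build() returns $false on any problem; ChainStatus says which one (e.g. Revoked, NotTimeValid,
# RevocationStatusUnknown when neither the responder nor the CRL could be reached).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
if ($chain.Build($cert)) {
    "Chain OK: " + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} else {
    $chain.ChainStatus | ForEach-Object { "{0}: {1}" -f $_.Status, $_.StatusInformation }
}
```

A RevocationStatusUnknown result is the case to watch in monitoring: the certificate may be fine, but the CRL or Online Responder the slide describes was unreachable, so the check was never actually made.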


Quick Summary

AD CS in a Nutshell

- AD Certificate Services allow you to secure just about anything in your network.
- You need at least one Root CA to create certificates, and will probably have other subordinate servers issue them out to protect your Root CA from getting abused.
- Certificate Revocation Lists allow for validation of certificates by CA servers when they're used, but the new Online Responder service available in AD CS as of Server 2008 is faster and more efficient.
- The new Network Device Enrollment Service (NDES) allows you to include switches and routers in your PKI as well.

Welcome to Train Signal



Video 26 Active Directory Lightweight Directory Services 101


A Primer on AD LDS

Active Directory Lightweight Directory Services 101

In this video:

- What is AD LDS?
- What might it look like on a network?
- What is an Instance of AD LDS?


What is AD LDS?

And why in the world would you ever need it?

Active Directory Lightweight Directory Services (formerly known as ADAM, Active Directory Application Mode) is a Server Role that provides LDAP services. You'll only need it if you're installing Applications, like network-aware commercial apps and Open Source Web apps, that rely on LDAP to authenticate users and provide permissions to aspects of the specific Application. It usually lives on a server separate from your AD DS (sometimes the same server as your Application), and can also be installed on Server Core!

What might it look like on a network?

Oh, maybe something like this:

[Diagram: a Domain Controller (AD DS), a Server Running a Network-Aware Application, and an AD LDS Server Running an AD LDS Instance.]

What is an Instance of AD LDS?

Think of it as a Copy in RAM

- An Instance of LDS is just a running copy of AD LDS that uses a particular store of data.
- You can have multiple Instances of LDS running on the same AD LDS Server, all with their own unique Schema definitions.
- You could have multiple instances of LDS running for multiple applications, all instances being customized for the unique application requirements.

Management Tools for LDS:

- ADSI Edit
- Event Viewer
- Ldp.exe
- NTDSUTIL (Command Line)
- LDIFDE (Command Line)
- DSDBUTIL (Command Line)
- DSACLS (Command Line)
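An added example (not from the course) that uses three of the command-line tools listed above to audit an AD LDS instance without changing it: list the instances on the box, take a read-only export of one instance's user objects, and show who holds rights on its partition; the port 50000 and the partition DN are hypothetical.

```powershell
# Added example, not from the course. Assumptions: the instance listens on LDAP port 50000
# and its application partition is CN=AppDirectory,DC=globomantics,DC=local (both hypothetical).
$ldapPort  = 50000
$partition = 'CN=AppDirectory,DC=globomantics,DC=local'

# Each instance is its own service with its own ports, database file and schema.
# dsdbutil prints that inventory, so you can confirm which instance an application is bound to.
dsdbutil "list instances" quit

# Export the user objects from the partition. Without -i ldifde only reads, so nothing is
# imported or modified. -s/-t pick the instance by host and port, -d is the search base,
# -p subtree searches below it, -r filters on objectClass, -l limits the attributes returned.
ldifde -f .\appdirectory-users.ldf -s localhost -t $ldapPort -d $partition -p subtree `
       -r "(objectClass=user)" -l "distinguishedName,cn,msDS-UserAccountDisabled"

# Show the ACL on the partition head; this is what governs who can read or change the
# application's directory data, and is worth comparing against what the app actually needs.
dsacls "\\localhost:$ldapPort\$partition"
```

Running the same export on a schedule and diffing the .ldf files is a simple way to spot accounts or rights that appeared in an application directory nobody looks at day to day.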


Quick Summary

AD LDS in a Nutshell

- Active Directory Lightweight Directory Services is a Server Role that provides LDAP services.
- You'll only need it for applications that require it. You don't need AD DS for it, although it can work with AD DS.
- When you install AD LDS, you also need to create an Instance of LDS (a running copy).
- Most of the tools you would use for AD LDS are command-line based, but there are a few that have a GUI, like ADSI Edit and Ldp.exe.

Welcome to Train Signal



Video 27 AD Rights Management 101


A Primer on Digital Rights Management in Server 2008

AD Rights Management 101

In this video:

- What is Rights Management?
- Some Additional Notes About RMS


What is Rights Management?

Here's what happens with AD RMS

1. Bubba receives a client licensor certificate the first time he rights-protects a Word 2007 file he's created.
2. Then Bubba defines a set of usage rights and rules for his file. Word 2007 creates a publishing license and encrypts the file.
3. Bubba emails the file or puts it on a share.
4. Sergio clicks the file to open it. Word 2007 calls the RMS server, which validates the user and issues a use license.
5. Word 2007 opens the file and enforces whatever rights Bubba put on it.

[Diagram: Bubba and Sergio talking to the RMS Server, which is backed by SQL Server and Active Directory.]

Some Additional Notes About RMS

Some stuff you'll want to know

- The application that creates the file must be RMS-aware (Office 2007 is a good example).
- The Rights assigned to the File travel along with the File. If somebody isn't on the list of users who can open a file, they can't get into the file.
- The Certificates that are used in RMS are not dependent on AD Certificate Services; they're created and issued by the RMS Server, not a Certificate Authority.
- AD RMS in Server 2008 supports AD Federation Services, and it can be used with SharePoint deployments as well.
- There are fantastic Reporting Tools built into AD RMS in Server 2008 for auditing who's accessed a document, who failed to access a document, etc.

Quick Summary

RMS in a Nutshell

- Rights Management Service requires an RMS Server, a SQL Server, an AD DS Domain Controller, and an RMS-aware application (Office 2007).
- The Author of a document sets up who gets to do what on a Document, and they do that from inside the RMS-aware App (like Word 2007 or Excel 2007) based on Users and Groups from Active Directory.
- You don't need a separate AD Certificate Services system for RMS.
- It works with AD FS and SharePoint.
- There are seriously cool tools to audit who's had access to the protected files.
