NT1330
Client-Server Networking II
Onsite Course
INSTRUCTOR GUIDE
Date         Updated Section   Change Description   Implementation Quarter
10/08/2011   All               New curriculum       December 2011
08/06/2013                                          Immediately
Table of Contents
COURSE OVERVIEW ........ 5
Course Summary ........ 5
Critical Considerations ........ 5
INSTRUCTIONAL RESOURCES ........ 6
Required Resources ........ 6
Additional Resources ........ 6
COURSE MANAGEMENT ........ 9
Technical Requirements ........ 9
Test Administration and Processing ........ 10
Replacement of Learning Assignments ........ 11
Communication and Student Support ........ 11
Academic Integrity ........ 11
GRADING ........ 12
COURSE DELIVERY ........ 14
Instructional Approach ........ 14
Methodology ........ 14
Facilitation Strategies ........ 15
UNIT PLANS ........ 17
Unit 1: Introduction to Networking Concepts ........ 17
Unit 2: Configuring and Maintaining the DHCP and DNS Server Roles ........ 27
Unit 3: Overview of Active Directory Domain Services, Implementing Active Directory ........ 39
Unit 4: Working with Active Directory Sites ........ 48
Unit 5: Global Catalog and Flexible Single Master Operations (FSMO) Roles ........ 56
Unit 6: Active Directory Administration ........ 63
Unit 7: Security Planning and Administrative Delegation ........ 71
Unit 8: Introduction to Group Policy & Configuring the User & Computer Environment Using Group Policy ........ 78
Unit 9: Performing Software Installation with Group Policy and Planning a Group Policy Management and Implementation Strategy ........ 87
Unit 10: Active Directory Maintenance, Troubleshooting and Disaster Recovery ........ 96
Course Overview
Course Summary
The typical network server operating system and its functions are the focus of this course. Areas of study
include installation, configuration, maintenance and routine administrative tasks of the network services
provided by the server in relation to its clients and other servers.
Critical Considerations
The instructor for this course should have extensive networking and teaching experience.
Instructional Resources
Required Resources
For the course textbook(s) and other required materials, review the Course Syllabus.
Additional Resources
Internal
Curriculum Database:
http://myportal.itt-tech.edu/faculty/cdb/Pages/default.aspx.
Periodicals (ProQuest):
BlueCat Networks. (2011). BlueCat Networks sets new industry standard with five-hour on-site repair for IP address management, DNS and DHCP hardware appliances. Computers, Networks & Communications, 172.
Active Directory domain migration assistance sought by Commerce Department. (2011, June 1). Targeted News Service.
Periodicals (LexisNexis Academic):
Glanz, J., & Markoff, J. (2010, December 5). Vast hacking by a China fearful of the web. The New York Times.
Brodkin, J. (2011). Microsoft: Next level of virtualization unlocks server OS, applications.
Wiley Portal:
o Wiley Student Companion Site
Wiley offers a Student Companion Site for the course's required texts.
For the Microsoft Official Academic Course: Exam 70-640, students can log on to:
http://bcs.wiley.com/he-bcs/Books?action=index&itemId=0470874988&bcsId=5816.
For the Microsoft Official Academic Course: Exam 70-642, students can log on to:
http://bcs.wiley.com/he-bcs/Books?action=index&itemId=0470875011&bcsId=5829.
(Note: Do not use the lab manual worksheets from these sites. Your custom worksheets are located on the Instructor Companion Site.)
Periodicals:
Solid passwords, PC firewalls stop ID thieves. (2011, June 25). Chattanooga Times Free Press, p. C1.
Parui, U. (2010). Installing client tools on a SQL Server 2008 failover cluster. SQL Server Magazine, 12(2), 9.
PR Newswire. (2011, April 7). Facebook launches Open Compute Project to share custom-engineered, highly efficient server and data center technology with the world. PR Newswire US.
Saran, C. (2008). Microsoft revamps certification for Server 2008. Computer Weekly, 32. Retrieved from EBSCOhost.
Romero, D., & Molina, A. (2011). Collaborative networked organisations and customer communities: Value co-creation and co-innovation in the networking era. Production Planning & Control, 22(5/6), 447-472.
NOTE: All links to Web references are subject to change without prior notice.
Course Management
Technical Requirements
Recommended Classroom Setup
In addition to the typical classroom equipment such as the whiteboard, podium, student seats, etc., the theory classroom must be equipped with the following (either stationary or mobile):
A computer for instructional demo purposes with the following recommended configuration:
o DVD drive
o Internet connectivity
o Current version of the most popular productivity software (such as Microsoft Office)
3. You may be prompted to select the edition of Windows Server 2008 that you want to evaluate. Select the edition you want to install.
4. When you are prompted, read the evaluation terms in the Microsoft Software License Terms, and then accept the terms.
5. When the Windows Server 2008 Setup program is finished, your initial 60-day evaluation period starts. To check the time that is left on your current evaluation period, run the slmgr.vbs script that is in the System32 folder with the -dli switch. The command slmgr.vbs -dli displays the number of days that are left in the current 60-day evaluation period.
How to Re-arm the Evaluation Period
When the initial 60-day evaluation period nears its end, you can run the slmgr.vbs script to reset the evaluation period. To do this, follow these steps:
1. Click Start, and then click Command Prompt.
2. Type slmgr.vbs -dli, and then press the Enter key to check the current status of your evaluation period.
3. To reset the evaluation period, type slmgr.vbs -rearm, and then press the Enter key.
4. Restart the computer.
This resets the evaluation period to 60 days. The re-arm can be run a limited number of times (three, for a maximum of 240 days of evaluation); slmgr.vbs -dlv shows the remaining re-arm count, so check it before you rely on another reset.
Test Administration and Processing
Tests/examinations for the onsite courses are proctored by instructors in the classroom following the schedule at the local campus. The final examination is to be conducted in the last week of the quarter, with the first half of the class time allocated to the course review and the second half of the class time allocated to the examination. If a lab practicum is part of the final examination, the lab practicum is to be scheduled in the lab time of the last class meeting.
It is a violation of academic integrity and of institutional policy to reveal the content of the tests/examinations to students in any format prior to the actual time scheduled for the test/examination. Every instructor is required to exercise diligence in protecting all testing materials from being compromised in any form.
Grades for the course must be closed at the scheduled time mandated by the institution.
All quizzes, tests and examinations for the online courses are administered through the online learning management system (LMS) at scheduled times.
When appropriate, the Formula Sheet provided in the Assessment document must be distributed to students prior to unit-based, mid-term, or final examinations.
Replacement of Learning Assignments
Tests/Examinations: The instructor may add up to 20% of the items to the prescribed set without altering the grade weight for the category. No substitution is allowed for any of the prescribed items.
Quizzes: In some cases, standardized quizzes are provided. If no quizzes are provided, the instructor is encouraged to construct just-in-time items for this category. Do not alter the grade weights allocated to this category.
Communication and Student Support
Instructors are expected to proactively engage students in the learning of the course through active guidance, monitoring and follow-ups.
Instructors must remind students to retain all deliverables and reference documentation related to the course assignments for the duration of the course, because assignments of the later units are built on the work completed earlier in the course.
Onsite instructors must respond to students' emails and/or phone calls within 48 hours. Graded assignments must be returned to students by the next class meeting in most cases.
Online instructors are expected to respond to students' Ask the Instructor messages within 24 hours of receipt. Written assignments must be graded within 72 hours. Discussion forums must be graded within 72 hours after the last day posts are due.
Academic Integrity
All students must comply with the policies that regulate all forms of academic dishonesty, or academic
misconduct, including plagiarism, self-plagiarism, fabrication, deception, cheating, and sabotage. For
more information on the academic honesty policies, refer to the Student Handbook. Check policies and
the Faculty Handbook.
Grading
The following template is required for setting up the course grade book in the ITT Technical Institute
student assessment system. Titles are to be entered as written below to enable aggregate analysis of
student learning activities.
Grading Category   Category Weight   Graded Deliverable Weights
Assignment         20%               2%, 2%, 2%, 2%, 3%, 3%, 3%, 3%
Exercise           30%               2%, 2%, 2%, 2%, 2%, 2%, 3%, 3%, 3%, 3%, 3%
                   40%               4% per deliverable (nine 4% entries)
Exam               10%               Final Exam 10%
Only two deliverable titles survive in this copy of the table: "Environment: Research" (listed under Exercise) and "Policy" (listed under the 40% category).
Course Delivery
Instructional Approach
ITT Technical Institute promotes the principles and methods of Applied Learning grounded in the following theoretical constructs:
Merrill's Principles of Instruction, suggesting that the most effective learning products or environments are those that are problem-centered and involve the student in: a) activation of prior experience, b) demonstration and application of skills, and c) integration of those skills into real-world activities
Keller's ARCS Model, addressing critical factors of learner motivation and engagement
The Applied Learning approach emphasizes a contextualized learning experience, which empowers and motivates students while assisting them to develop key competencies required for employment, further education and professional development, and active participation in their communities.
Methodology
The course design utilizes the ITT/ESI proprietary Explore-Practice-Apply model that allows students to
gradually build their knowledge and skills while engaging in meaningful and context-relevant interactions
with their peers.
[Figure: Competency acquisition path, EXPLORE -> PRACTICE -> APPLY. At the APPLY stage: engage students in analysis of complex situations and development of solutions required by learning tasks grounded in real-life/workplace contexts.]
For example, if an instructor's goal is to help students understand that not all websites are equally credible, in the Explore phase the instructor might offer several options of advice-givers students may encounter in their lives and ask which advisors are the most credible and why. It's possible that Mom is more credible than the postman, for example. They might generate a list of criteria upon which to judge reliability. Students would begin to consider what makes data trustworthy.
In the Practice phase, students begin to operate in the world of the professional, but with many
opportunities for low-stakes failure and with a coach nearby. It is here they do labs, hands-on exercises,
or problem sets that give them the idea of how practitioners in this area work. For example, students
investigating website reliability might be asked to visit several sites and look for specific criteria that the
instructor suggests they find based on their brainstormed lists from the Explore activity.
In the Apply phase, students do the work of the professional. This phase provides the opportunity for
students to demonstrate learning; they should not experience much failure. The Practice phase should
be rich with activity so that the student will be confident and competent in the Apply phase. Students
working on website reliability might now develop their own websites in this section, including appropriate
references to make it easy for others to validate the site as being a reliable and accurate source of
information.
Facilitation guidance and teaching tips are accompanied by tools and handouts found in the Course
Support Package. Examples of the Course Support Tools include: presentation slides, worksheets,
illustrations, video files, handouts, checklists and other similar instructional materials. Each tool is
assigned an identification number that allows for easy search within the Course Support Package
accompanying this Instructor Guide.
Facilitation Strategies
The following facilitation strategies are recommended for delivering this course:
Promote cognitive realism by engaging students into instructional tasks that have real-world
relevance and match the activities of professionals in practice.
Engage students in learning situations where they are challenged by complex problems requiring
analytical thinking, critical reading, and systematic interaction with peers.
Provide opportunities for performing scientific inquiry and reflection on individual and group work.
Implement assessments of student learning focused on knowledge transfer into daily professional
practice.
Unit Plans
Unit 1: Introduction to Networking Concepts
Course Objectives Covered by this Unit
CO1. Install and configure a Microsoft Server 2008 server and a Windows 7 client.
CO2. Configure the Windows Server 2008 machine as a DHCP server.
Unit Learning Outcomes
Explain IP address components.
Contrast classful and classless IP addressing.
Explain the function of DNS.
Explain the function of DHCP.
Install Windows 2008 Server.
Prepare a virtual workstation image.
Key Concepts
Reading
Windows 7 Configuration MOAC 70-642
Lesson 1: Introduction to Networking Concepts
Lesson 2: Installing Windows Server 2008
Keywords
Use the following keywords to search for additional materials to support your work:
Learning Activities
THEORY PORTION
Description
NOTE: The knowledge in this section is already covered in the prerequisite/corequisite tree for this course (NT1210 Introduction to Networking). However, it is still necessary to review the important concepts to be directly applied to the Windows networking environment covered in this course. For a comprehensive review of the networking concepts, please refer to NT1210 Introduction to Networking.
Explain to students the following:
In order for two human beings to successfully communicate (share information), they must both
agree upon and understand the rules for communication (language). Similarly, for two or more
computer systems to communicate with one another (share information), they must use an
agreed-upon set of rules that all of the systems understand. In computer networking, these rules
are called protocols. The TCP/IP protocol suite is one such set of rules and is in fact the most
common networking protocol in use today.
TCP/IP stands for Transmission Control Protocol/Internet Protocol and represents a suite of protocols (TCP, IP, UDP, etc.) that facilitate transmission of data in a network environment.
In TCP/IP terminology, a host is a network endpoint (a device that sends and/or receives information on a network), e.g., a computer, printer or any other device configured with a network interface.
In TCP/IP terminology, a network represents a logical grouping of hosts configured to send and/or
receive information with one another.
Every host on a TCP/IP network must have a unique identifier in order to send and receive data:
an IP address.
An IP address consists of two components: host and network address.
The host portion is the unique portion of the address assigned to a specific host.
The network portion is the same for all hosts on a given network.
The subnet mask is used to identify which part of the IP address is host and which part is
network.
Activity:
Have students research the various components of the TCP/IP suite, identifying some common protocols and where they reside in the suite (e.g., HTTP is an application-layer protocol that runs over TCP, a transport-layer protocol).
Unit Learning Outcome(s) attached to this activity:
Explain IP address components.
Course Objective(s) supported by this activity:
Install and configure a Microsoft Server 2008 server and a Windows 7 client.
Description:
Explain the following:
TCP/IP has been around for many years and, like most technologies, has undergone changes and revisions. The most popular version of IP in use today is IPv4 (Internet Protocol version 4). IPv6 (Internet Protocol version 6) is gaining acceptance and has been redesigned to meet the demands of current network environments.
An IPv4 address is made of 32 bits, divided into four eight-bit (eight bits equals one byte) parts called octets, often represented in dotted-decimal format:
o 32-bit address: 11000000000000010000000000000011
o The same address broken into octets: 11000000.00000001.00000000.00000011
o The same address written in dotted decimal: 192.1.0.3
An IPv4 address can represent a finite number of unique network/host combinations: 2^32 possible addresses.
When IPv4 was first introduced, the first 8 bits (first octet) were used for the network portion and the remaining 24 bits (three octets) were used for hosts. This limited the number of networks to 2^8 = 256 (254 of them usable), which was inadequate.
The next revision of IPv4 address allocation defined classes of address, each class having a
different number of bits allocated to network. This is called classful addressing:
o Class A: The most significant or leftmost bit in a class-A network is 0, using the remaining
7 bits of the first octet for the network portion and the remaining bits for hosts.
o Class B: The most significant or leftmost two bits in a class-B network are 10, using the
remaining 14 bits of the first two octets for the network portion and the remaining bits for
hosts.
o Class C: The most significant or leftmost three bits in a class-C network are 110, using the remaining 21 bits of the first three octets for the network portion and the remaining bits for hosts.
o Class D: Multicast
o Class E: Reserved/Experimental
Classful addressing greatly expanded the flexibility of the original IPv4 addressing design but still
proved inadequate to meet the demands of ever-growing TCP/IP network environments.
The next evolution in IPv4 addressing is called CIDR (Classless Inter-Domain Routing). CIDR is a hierarchical structure, much like the previously described classful addressing, but it allows any logical division of the available 32-bit address space into network/host. This is accomplished by including the division in the written address, also known as CIDR notation:
o 10.0.0.0/8 = This is CIDR notation for a network using the first eight bits for network (thus the /8) and the remaining 24 bits for host.
o The /8 represents a bitmask (subnet mask) that delineates the network/host portion of an IPv4 address, e.g., 255.0.0.0. The prefix length and the dotted-decimal mask are two spellings of the same thing: /8 is eight 1-bits followed by twenty-four 0-bits.
See Tables 1-1, 1-2 and 1-3 in MOAC 70-642.
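The following is an added example, not part of the course materials, that carries the three ideas above (the network/host split by subnet mask, the classful rule that reads the leading bits of the first octet, and the CIDR prefix that replaces the fixed class boundary) into working code. 192.1.0.3 and 10.0.0.0/8 are the unit's own addresses; 172.16.21.9, 224.0.0.1 and 240.0.0.1 are constructed for the demonstration.

```python
import ipaddress

# Added example. 192.1.0.3 and 10.0.0.0/8 come from the unit text; the other
# addresses below are constructed for the demonstration.


def to_binary(addr: str) -> str:
    """Show a dotted-decimal IPv4 address as four 8-bit octets."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


def classful_class(addr: str):
    """Classify by the leading bits of the first octet (classful addressing).

    Returns (class letter, default network prefix length). Classes D and E
    have no network/host split, so their prefix is None.
    """
    first = int(addr.split(".")[0])
    if first & 0b1000_0000 == 0:            # 0xxxxxxx
        return "A", 8
    if first & 0b1100_0000 == 0b1000_0000:  # 10xxxxxx
        return "B", 16
    if first & 0b1110_0000 == 0b1100_0000:  # 110xxxxx
        return "C", 24
    if first & 0b1111_0000 == 0b1110_0000:  # 1110xxxx, multicast
        return "D", None
    return "E", None                        # 1111xxxx, reserved/experimental


def prefix_to_mask(prefix: int) -> str:
    """CIDR prefix length -> dotted-decimal subnet mask, e.g. 8 -> 255.0.0.0.

    A /n mask is n 1-bits followed by (32 - n) 0-bits.
    """
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    mask = (0xFFFF_FFFF << (32 - prefix)) & 0xFFFF_FFFF
    return str(ipaddress.IPv4Address(mask))


def split_network_host(addr: str, prefix: int):
    """Apply the mask: network = addr AND mask, host = addr AND NOT mask."""
    a = int(ipaddress.IPv4Address(addr))
    mask = int(ipaddress.IPv4Address(prefix_to_mask(prefix)))
    network = ipaddress.IPv4Address(a & mask)
    host = ipaddress.IPv4Address(a & ~mask & 0xFFFF_FFFF)
    return str(network), str(host)


def describe(addr: str, prefix=None) -> dict:
    """Classful view when no prefix is given, classless (CIDR) view otherwise."""
    cls, default_prefix = classful_class(addr)
    if prefix is None:
        prefix = default_prefix
    if prefix is None:                      # class D/E: nothing to split
        return {"address": addr, "class": cls, "cidr": None}
    network, host = split_network_host(addr, prefix)
    return {
        "address": addr,
        "class": cls,
        "cidr": f"{network}/{prefix}",
        "mask": prefix_to_mask(prefix),
        "network": network,
        "host": host,
    }


if __name__ == "__main__":
    print(to_binary("192.1.0.3"))
    print(describe("192.1.0.3"))          # classful: class C, /24
    print(describe("172.16.21.9"))        # classful: class B, /16
    print(describe("172.16.21.9", 20))    # classless: a /20 moves the boundary
```

The last two calls are the point of the classful-versus-classless contrast: the same address 172.16.21.9 is on network 172.16.0.0 if you trust its class, but on 172.16.16.0 once a /20 prefix is in force, so a host configured with the wrong mask will misjudge which peers are local and send their traffic to the gateway instead.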
Activity:
Have students discuss what IP-address ranges they use at home, in the classroom, at work? Are they
classful? What class are they?
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Explain IP address components.
Contrast classful and classless IP addressing.
Course Objective(s) supported by this activity:
Install and configure a Microsoft Server 2008 server and a Windows 7 client.
Description:
Explain the following:
When IPv4 was first implemented, 2^32 seemed like an abundant address space (about 4 billion addresses). With the explosion of corporate networks and the Internet, this address space is quickly being exhausted, necessitating the development of IPv6.
IPv6 has been developed to address many of the shortcomings of IPv4, chiefly address exhaustion. IPv6 uses a 128-bit address space, allowing for 2^128 addresses, roughly 3.4 x 10^38 (340 undecillion).
IPv6 addresses are written in hexadecimal as eight 16-bit groups separated by colons. Leading zeroes within a group can be dropped, and one run of contiguous all-zero groups can be replaced by a double colon (::). Because the double colon is expanded by counting the missing groups, it may appear only once in an address. Thus these all represent valid ways to write the same address:
o 2001:0000:0000:0000:0000:0000:0000:7334
o 2001:0:0:0:0:0:0:7334
o 2001::7334
Although IPv6 has been supported since Windows Server 2003, Windows Vista, Windows 7 and Windows Server 2008 include IPv6 support natively and it is enabled by default.
There are many additional enhancements in IPv6, including native support for IPsec, etc.
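The zero-suppression rules above are easy to state and easy to get wrong, so here is an added example (not from the course) that expands any spelling of an IPv6 address back to its eight groups and produces the canonical short form, following the RFC 5952 convention that only the longest run of two or more zero groups becomes "::". It rejects the two ambiguous spellings (a second "::", or a "::" that stands for no groups) and cross-checks itself against the standard library. The addresses other than 2001::7334 are constructed.

```python
import ipaddress


def expand_ipv6(addr: str) -> str:
    """Undo zero suppression: eight 4-digit lowercase hex groups.

    Rejects a second '::' and a '::' that would stand for zero groups, the
    two mistakes that make an address ambiguous.
    """
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in addr:
        left, right = addr.split("::")
        left_groups = left.split(":") if left else []
        right_groups = right.split(":") if right else []
        missing = 8 - len(left_groups) - len(right_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one all-zero group")
        groups = left_groups + ["0"] * missing + right_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has eight 16-bit groups")
    values = [int(g, 16) for g in groups]          # ValueError on non-hex text
    if any(not 0 <= v <= 0xFFFF for v in values):
        raise ValueError("each group is a 16-bit value")
    return ":".join(f"{v:04x}" for v in values)


def compress_ipv6(addr: str) -> str:
    """Canonical short form (RFC 5952): no leading zeros in a group, and the
    longest run of two or more all-zero groups replaced by a single '::'
    (the first such run wins a tie). A lone zero group stays as '0'."""
    values = [int(g, 16) for g in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, v in enumerate(values + [-1]):       # -1 sentinel closes the last run
        if v == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    hex_groups = [f"{v:x}" for v in values]
    if best_len < 2:
        return ":".join(hex_groups)
    left = ":".join(hex_groups[:best_start])
    right = ":".join(hex_groups[best_start + best_len:])
    return f"{left}::{right}"


def same_address(a: str, b: str) -> bool:
    """Two spellings name the same address iff their expanded forms match."""
    return expand_ipv6(a) == expand_ipv6(b)


if __name__ == "__main__":
    forms = ["2001:0000:0000:0000:0000:0000:0000:7334",
             "2001:0:0:0:0:0:0:7334",
             "2001::7334"]
    for f in forms:
        print(f"{f:40} -> {expand_ipv6(f)} -> {compress_ipv6(f)}")
    # cross-check against the standard library's canonical form
    print(ipaddress.IPv6Address(forms[0]).compressed == compress_ipv6(forms[0]))
```

Comparing addresses only after expansion is the habit worth taking away: a firewall rule, log filter or allow-list that compares IPv6 addresses as strings will treat 2001:0:0:0:0:0:0:7334 and 2001::7334 as different hosts.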
Activity:
Search the Internet for information on IPv4 address exhaustion and the adoption of IPv6, such as can be
found at the link below:
http://technet.microsoft.com/en-us/network/bb530961
Discuss the ramifications.
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Explain IP address components.
Course Objective(s) supported by this activity:
Install and configure a Microsoft Server 2008 server and a Windows 7 client.
Description:
Explain the following:
Windows 2008 Server provides a platform for delivery and management of most networking
services, including Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP),
Routing and Remote Access Service (RRAS), Network Access Protection (NAP) and many
others.
Domain Name System (DNS):
o As learned previously, all hosts on a TCP/IP network must have a unique address, e.g., 192.168.0.1 or 2001:0:0:0:0:0:0:7334.
o When sharing resources on a network, often the resource must be designated by the
name of the host providing the resource.
o DNS provides a mechanism to make it easier for a human being to access a resource on
another system by assigning it a convenient name.
For example, if a user wants to access a website hosted on a system with the address of
192.168.111.23, by using DNS the user could just type sales.mycompany.com into their
web browser.
o In this example, the user would need to know the name: sales.mycompany.com and
DNS would resolve (name resolution) this name to an IP address, providing this
information to the web browser to make the request for the resource.
o To allow for scalability (ease of use in small to very large environments), DNS uses a hierarchical naming convention broken into root, top-level, second-level and subdomains. Reading a name from right to left:
The root is represented by a trailing period (.), which is usually omitted when a name is typed.
The top-level domain is the right-most label, immediately to the left of the root.
The second-level domain is the label to the left of the top-level domain.
Subdomains are any further labels to the left of the second-level domain.
o For example: redmond.microsoft.com.
The trailing period represents the root
com is the top-level domain
microsoft is the second-level domain
redmond is the subdomain
o Thus redmond.microsoft.com is a fully qualified domain name (FQDN): the complete path from the host through its subdomain and company domain up to the root, which identifies the host unambiguously and can be resolved to an IP address.
DHCP (Dynamic Host Configuration Protocol)
o As learned previously, all hosts on a TCP/IP network must have a unique address, (i.e.,
192.168.0.1 or 2001:0:0:0:0:0:0:7334.)
o Assigning these addresses is a trivial task if you have two or three computers in your network, but imagine assigning and managing this task for 500 or 1,000 computers!
o DHCP provides a mechanism for easily assigning addresses to systems dynamically.
o Manually assigning an address to a given host is called static IP address assignment,
which is practical and required in some situations but quickly becomes unmanageable in
large environments.
o DHCP allows for a centrally managed pool of addresses to be configured, including
additional parameters like Gateway and DNS, and dynamically allocated to hosts upon
request.
o When a host is configured as a DHCP client, upon boot it will send a broadcast request
looking for a DHCP server. The DHCP server will respond and allocate an IP address to
the host, as well as additional parameters that may have been configured.
o If a Windows host is configured as a DHCP client and does not receive a response from a DHCP server, APIPA (Automatic Private IP Addressing), a function of Windows, assigns the host an address from the link-local range 169.254.0.0/16. Such a host can reach only other hosts on the same segment and has no gateway or DNS server, so an address beginning with 169.254 is a reliable sign that DHCP has failed.
RRAS (Routing and Remote Access Service)
o The transmission of data across a network from one LAN to another LAN is called
routing.
o RRAS allows Windows 2008 to act as a router, facilitating transmission of data between
two LANs.
o RRAS requires two network interfaces in a Windows 2008 Server, one connected to each
LAN.
Routing can be as simple as facilitating data transfer between two LANs or as complex
as routing traffic from one side of the world to the other. RRAS in a Windows 2008
environment is designed to facilitate routing in a small-business environment. More
complex environments generally require dedicated routing hardware.
NAP (Network Access Protection)
o Network security is an increasingly critical concern in today's network environments. In many corporate networks, any computer can be plugged into any available network jack and effectively have access to the corporate network.
o NAP is a new feature in Windows 2008 that allows configuration of administrative policies
to define criteria for any given system to access the corporate network, such as requiring
up-to-date antivirus software or proper firewall configuration prior to access.
o A system that does not meet the NAP configured policies can be placed in quarantine,
disallowed from network access until policy requirements are met.
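To make the DNS hierarchy and the resolution step concrete, the following is an added example that is not part of the course materials. It splits a name into the levels described in the DNS bullets above (root, top-level, second-level, subdomains), enforces the RFC 1035 label and name length limits, and then walks a constructed toy name space the way an iterative resolver does: start at the root zone, follow the NS delegation for com, follow the delegation for mycompany.com, and read the A record there. The zones, name server names and addresses are made up for the demonstration (192.168.111.23 and sales.mycompany.com are the unit's own example).

```python
MAX_LABEL = 63      # RFC 1035: a label is at most 63 octets
MAX_NAME = 253      # and a full name at most 253 characters in text form


def canonical(fqdn: str) -> str:
    """Lower-case the name, validate its labels, and add the trailing dot for the root."""
    name = fqdn.strip().lower().rstrip(".")
    if len(name) > MAX_NAME:
        raise ValueError("name longer than 253 characters")
    for label in (name.split(".") if name else []):
        if not 1 <= len(label) <= MAX_LABEL:
            raise ValueError(f"bad label {label!r}")
    return name + "."


def hierarchy(fqdn: str) -> dict:
    """Split a name into the levels the course describes, from the root downward."""
    labels = [l for l in canonical(fqdn).split(".") if l][::-1]   # root-first order
    return {
        "root": ".",
        "top_level": labels[0] if len(labels) > 0 else None,
        "second_level": labels[1] if len(labels) > 1 else None,
        "subdomains": labels[2:],           # nearest to the root first
    }


# Constructed toy name space (sample data, not real DNS zones). Each zone maps a
# name to one record: ("NS", server) delegates a child zone, ("A", ip) answers.
ZONES = {
    ".": {"com.": ("NS", "ns.com-registry.test.")},
    "com.": {"mycompany.com.": ("NS", "ns1.mycompany.com.")},
    "mycompany.com.": {
        "ns1.mycompany.com.": ("A", "192.168.111.2"),
        "sales.mycompany.com.": ("A", "192.168.111.23"),
    },
}


def resolve(fqdn: str, zones=ZONES):
    """Iterative resolution: start at the root and follow NS delegations toward the
    name until a zone holds its A record. Returns (ip or None, zones visited)."""
    name = canonical(fqdn)
    labels = name.split(".")[:-1]
    # candidate parent zones, longest first: 'mycompany.com.', 'com.', '.'
    suffixes = [".".join(labels[i:]) + "." for i in range(1, len(labels) + 1)]
    current, trail = ".", []
    while current not in trail:             # a delegation loop would otherwise spin forever
        trail.append(current)
        zone = zones.get(current, {})
        record = zone.get(name)
        if record and record[0] == "A":
            return record[1], trail
        delegated = next((s for s in suffixes
                          if s in zone and zone[s][0] == "NS" and s != current), None)
        if delegated is None:
            return None, trail              # NXDOMAIN: no answer and nothing closer to ask
        current = delegated
    return None, trail


if __name__ == "__main__":
    print(hierarchy("redmond.microsoft.com"))
    print(resolve("sales.mycompany.com"))   # ('192.168.111.23', ['.', 'com.', 'mycompany.com.'])
    print(resolve("nothere.mycompany.com")) # (None, ['.', 'com.', 'mycompany.com.'])
```

The trail returned by resolve is the part to notice: every zone on it is a server that can lie about the next hop, which is why a compromised or spoofed server anywhere in the chain, not just the last one, can redirect sales.mycompany.com.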
Activity:
Have students discuss IT-management overhead in reference to DNS and DHCP, with the following question in mind: How many hosts does it take to justify the time and effort to set up a centrally managed solution for name resolution and address allocation? (In other words, is it worth setting up DHCP for two computers? How about five? How about 25?)
Ask students to write a 1-page report summarizing IT-management overhead in reference to DNS and
DHCP.
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Explain the function of DNS.
Explain the function of DHCP.
Course Objective(s) supported by this activity:
Install and configure a Microsoft Server 2008 server and a Windows 7 client.
Configure the Windows Server 2008 machine as a DHCP server.
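The DHCP bullets in the theory portion above describe a client broadcasting for a server, the server handing out an address plus gateway and DNS options from a central pool, and the Windows fallback to APIPA when nothing answers. The following is an added example, not from the course, that models that exchange as the four DHCP messages (DISCOVER, OFFER, REQUEST, ACK/NAK) against a toy scope, including lease reuse for a returning client, a NAK for an address someone else holds, pool exhaustion, and the APIPA fallback. The scope, gateway, DNS server and MAC addresses are constructed; deriving the APIPA address from the MAC is an assumption made only to keep the output deterministic (Windows picks one at random and ARP-probes it first).

```python
import ipaddress


class DhcpServer:
    """Toy DHCP server with one scope. Pool, gateway and DNS values are
    constructed for the demonstration; they are not from the course."""

    def __init__(self, network: str, gateway: str, dns: str, reserved_low: int = 10):
        self.net = ipaddress.IPv4Network(network)
        # keep the lowest addresses out of the pool for statically addressed
        # devices (gateway, servers, printers)
        self.pool = [str(h) for h in list(self.net.hosts())[reserved_low:]]
        self.options = {"subnet_mask": str(self.net.netmask), "router": gateway, "dns": dns}
        self.leases = {}            # client MAC -> leased address

    def discover(self, mac: str):
        """DISCOVER -> OFFER. A returning client is offered its previous address,
        otherwise the first free one. None means the pool is exhausted."""
        if mac in self.leases:
            return {"type": "OFFER", "ip": self.leases[mac], **self.options}
        taken = set(self.leases.values())
        for ip in self.pool:
            if ip not in taken:
                return {"type": "OFFER", "ip": ip, **self.options}
        return None

    def request(self, mac: str, ip: str):
        """REQUEST -> ACK if the address is in the pool and not leased to another
        client, else NAK."""
        owner = next((m for m, leased in self.leases.items() if leased == ip), None)
        if ip not in self.pool or owner not in (None, mac):
            return {"type": "NAK"}
        self.leases[mac] = ip
        return {"type": "ACK", "ip": ip, **self.options}


def apipa_address(mac: str) -> str:
    """Fallback when no DHCP server answers: a 169.254.0.0/16 link-local address.
    Deriving it from the MAC is an assumption for determinism; Windows chooses at
    random within 169.254.1.0 - 169.254.254.255 and ARP-probes the candidate."""
    seed = sum(int(b, 16) for b in mac.split(":"))
    return f"169.254.{1 + seed % 254}.{(seed * 7) % 256}"


def is_apipa(ip: str) -> bool:
    """An address in 169.254.0.0/16 means DHCP failed on that host."""
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network("169.254.0.0/16")


def client_boot(mac: str, server=None) -> dict:
    """What a DHCP client ends up with after boot: a lease, or an APIPA address."""
    fallback = {"ip": apipa_address(mac), "subnet_mask": "255.255.0.0",
                "router": None, "dns": None, "source": "apipa"}
    if server is None:                  # the broadcast DISCOVER got no answer
        return fallback
    offer = server.discover(mac)
    if offer is None:
        return fallback
    ack = server.request(mac, offer["ip"])
    if ack["type"] != "ACK":
        return fallback
    return {"ip": ack["ip"], "subnet_mask": ack["subnet_mask"],
            "router": ack["router"], "dns": ack["dns"], "source": "dhcp"}


if __name__ == "__main__":
    scope = DhcpServer("192.168.10.0/24", gateway="192.168.10.1", dns="192.168.10.2")
    print(client_boot("aa:bb:cc:00:00:01", scope))   # first free address: .11
    print(client_boot("aa:bb:cc:00:00:01", scope))   # same client, same lease
    print(client_boot("aa:bb:cc:00:00:09"))          # no server: 169.254.x.y
```

Two things the model makes visible that the prose does not: the server, not the client, decides the gateway and DNS server, so whoever answers DISCOVER first on a segment controls where every new client sends its traffic and its name lookups; and a client that shows up with a 169.254 address has not been attacked, it has simply heard nothing, which is the first thing to check before suspecting the switch or the server.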
LAB PORTION
Key Concept: Windows 2008 Server Installation
Explore Activity 5: Installing Windows 2008
In-class Activity, Ungraded
Description:
Prior to installation of Windows 2008, some decisions must be made. What type of hardware (physical, virtual, etc.) will be used? Will a clean installation be done (installation to new hardware or completely reinitialized hardware), or will Windows 2008 be installed on a system with existing data? Which version of Windows 2008 will be installed (full or Server Core)?
When installing Windows 2008, you will be presented with many of the above choices.
Performing a clean install is recommended.
The first step in the actual installation of Windows 2008 is booting your machine to the Windows
installation media, following which you will be presented with an installation wizard to guide you
through the steps, including language preferences, product key, type of installation, location (hard
drive partition) of installation, etc.
Following installation, you will be presented with the Initial Configuration Tasks wizard, which will
guide you through some remaining configuration steps:
o Configuring Networking: This allows configuration of the unique host IP address,
Gateway, DNS servers, etc.
o Configure Windows Firewall: The Windows Firewall is on by default. You have the
options of turning it off, allowing exceptions through the firewall, and changing the
network location, eg from Home to Work to Public. These network locations define some
general characteristics of the firewall functionality, with Public being the most restrictive.
Server Manager is a tool allowing you to manage and configure your server through a single
console.
Via Server Manager, you can add and remove functionality from your Windows 2008 Server
installation. This functionality is broken down into roles, such as the DHCP Server role or the
DNS Server role.
In addition to adding and removing roles, Server Manager allows the addition and removal of
Windows 2008 Server Features, such as Windows Server Backup or Remote Server
Administration Tools.
Storage can be managed via the Server Manager (Storage, Disk Management) option, allowing
the configuration of additional storage following Windows 2008 Server installation. Windows 2008
Server supports both basic and dynamic disks:
o Basic disks provide legacy support for older operating systems and do not support
advanced functions, like striped or spanned volumes. All disks in a Windows 2008 Server
environment begin as basic disks and can be converted to dynamic disks thereafter.
o Dynamic disks support volumes (a logical unit of disk space on one or more physical
disks), spanned volumes (free space from multiple disks), striped volumes, mirrored
volumes, etc.
o Both MBR (Master Boot Record) and GPT (GUID Partition Table) partition styles are supported.
MBR provides legacy support. GPT is recommended for disks larger than 2 TB and/or for use
with Itanium-based systems.
Activity:
Ask students to get in groups and discuss Windows 2008 Server Core functionality. Each group should
come up with two use-cases for Server Core.
You are an IT Administrator for a newly founded company and have been tasked with designing an IP
addressing scheme and a plan for allocation and management of IP addresses.
The company will currently have a single, physical location with approximately 145 hosts (computers,
printers, etc). IT plans should accommodate 50% growth within the next two years.
Unit Summary:
This unit reviewed TCP/IP concepts, discussed how IPv4 and IPv6 addresses are managed and
configured, and provided an introductory look at some of the networking services offered by Windows
Server 2008, which will be discussed in greater detail in later units. In addition, this unit covered the
installation of Windows Server 2008.
Unit 2: Configuring and Maintaining the DHCP and DNS Server Roles
Course Objectives Covered by this Unit
CO2. Configure the Windows Server 2008 machine as a DHCP server.
CO3. Configure Active Directory.
Configure DNS.
Configure DHCP.
Key Concepts
Reading
Windows Server 2008 Network Infrastructure Configuration MOAC 70-642
Lesson 3 Configuring and Managing the DHCP Server Role
Lesson 4 Configuring and Managing the DNS Server Role
Keywords
Use the following keywords to search for additional materials to support your work:
Learning Activities
THEORY PORTION
Description:
As we learned in Unit 1, in order for hosts to communicate with one another on a TCP/IP
network, they must each have a unique IP address assigned. This can be accomplished manually
via static IP address assignment, which is practical in special cases or small environments, or
dynamically through the Dynamic Host Configuration Protocol (DHCP), which scales to
accommodate even the largest networks.
In addition to the basic requirement of a unique IP address for each host, other parameters are
practically required, such as a Gateway (required for a host to communicate with a host on a
separate subnet) and DNS servers (required for hosts to translate between friendly names and IP
addresses).
The DHCP Server Role in Windows Server 2008 provides a centrally administered tool for
allocating available IP addresses dynamically to hosts, in addition to providing additional
configuration parameters such as Gateway and DNS Servers.
The DHCP Server Role tracks all assigned IP addresses, allows centralized changes, such as
updating a DNS Server address which is automatically propagated to DHCP Clients, and is
extremely flexible and scalable (works in small to large environments).
Activity:
Have students discuss possible situations where static IP address assignment might be beneficial and/or
required.
Estimated Time: 15 minutes
Description:
The key function of DHCP is dynamic address assignment, and it relies heavily on the User
Datagram Protocol (UDP) to accomplish this.
UDP is a TCP/IP Transport Layer protocol. DHCP uses UDP ports 67 (server) and 68 (client).
The key components of a DHCP infrastructure include DHCP Servers (a computer that provides
DHCP configuration to multiple clients); DHCP clients (computers that obtain DHCP configuration
information from DHCP servers); and DHCP leases (the length of time a DHCP server assigns
configuration information to a DHCP client).
The process of a client obtaining DHCP configuration information from a server involves four
steps:
o DHCPDISCOVER: The client sends a broadcast message to discover a DHCP server.
o DHCPOFFER: In response to receipt of a DHCPDISCOVER message, DHCP Servers
respond with a DHCPOFFER message containing the address of the DHCP Server, the
MAC address of the requesting client, an IP address for the client with subnet mask and
lease duration.
o DHCPREQUEST: In response to a DHCPOFFER message, the client sends a broadcast
DHCPREQUEST message identifying the IP address of the chosen DHCP Server and including
the client-requested IP address and requested parameters (DNS servers, WINS servers, etc.).
o DHCPACK: In response to a DHCPREQUEST message, the DHCP Server sends a
DHCPACK (acknowledgement) message containing a valid IP address lease.
Because DHCP IP address lease assignment is finite (8 days by default), DHCP clients
periodically attempt to renew their DHCP lease:
o The first attempt is made when half of the lease time has passed (known as T1).
o A second attempt (if the first attempt fails) occurs at 87.5% of the lease time (known as T2).
If the T2 attempt also fails, the client releases the IP address at the end of the lease duration.
Description:
In Windows Server 2008, the Server Manager provides an easy wizard for installation of the
DHCP Server Role:
o From Server Manager, double-click Roles.
o Click Add Role.
o Click Next then place a checkmark next to the DHCP Server role.
o Click Next and Next.
o Fill in the appropriate DNS Server information and click Next.
o Fill in the appropriate WINS Server information and click Next.
o Click Add to create a DHCP Scope (range of addresses to be allocated from this server).
o Place a checkmark next to Activate this Scope and click OK.
o Select Enable DHCPv6 Stateless Mode and click Next.
o Select Skip Authorization of this DHCP Server in AD DS and click Next.
o Click Install on the Confirm Installation Page.
Because the DHCP Server role provides a critical network service, the DHCP Server must be
authorized in an Active Directory environment before allocating configuration information to
clients.
DHCP Servers that are active and unauthorized are called rogue DHCP servers.
To authorize a DHCP Server in an Active Directory environment, launch the DHCP Administrative
Console:
o Go to Start, Administrative Tools, DHCP.
o Right-click DHCP and click Manage Authorized Servers.
o Select Authorize and enter the name or IP Address of the DHCP Server to be authorized.
o Click Ok and Ok.
The next steps are configuring a DHCP Scope, DHCP Reservations and DHCP Options.
Description:
After installation and authorization of the DHCP Server Role in a Windows Server 2008
environment, an address scope must be configured with appropriate options for the environment.
Optionally, address reservations may also be configured.
Configuring a DHCP scope defines the address range that a DHCP Server can allocate to clients.
A DHCP Server may have one or many defined scopes. When defining an address scope, you
can configure a range of addresses that should not be allocated to clients. This is called an
exclusion range. The scope minus its exclusion range(s) is called the available address pool.
o Go to Start, Administrative Tools, DHCP and drill down to the DHCP Server name.
o Right-click on IPv4 under the server name and select New Scope, click Next.
o Enter a name and description for the new scope and click Next.
o Enter the starting and ending IP address and subnet mask.
o Add exclusions if desired/necessary.
o Change the lease duration or accept the default and click Next.
o Choose whether or not to configure DHCP Options and click Next.
o Enter the Router (default gateway) address and click Add then Next.
o Enter the DNS server and DNS domain name and click Next.
o Enter the WINS server and click Next.
o Click Yes, I want to activate the scope now and click Next.
o Click Finish.
DHCP Reservations provide administrators a way to assign a permanent IP address to a DHCP
client without having to manually assign a static IP.
A DHCP Reservation might be used for a network-attached printer which is configured to
automatically receive an IP address from a DHCP Server but requires the same IP address
permanently so that clients can easily locate it on the network.
To Configure a DHCP Reservation:
o Go to Start, Administrative Tools, DHCP and drill down to the appropriate IPv4 scope.
o Beneath the IPv4 scope, go to Reservations, right-click and click New Reservation.
o Enter a name for the reservation (e.g. HR Network Printer) and the desired IP address.
o Enter the MAC address for the host, click Add and Close.
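The DISCOVER/OFFER/REQUEST/ACK exchange and the T1/T2 renewal timers from the theory portion, together with the scope, exclusion-range and reservation concepts just described, as one added example in Python (not from the instructor guide and not Windows Server code). The scope 192.168.10.10-200, its exclusion range, the reserved printer MAC address and the option values are constructed samples; the authorized flag models a DHCP server that is active but not authorized in AD DS, i.e. a rogue server.

```python
"""Toy DHCP model: scope, exclusions, reservations, the available address
pool, DISCOVER/OFFER/REQUEST/ACK and the T1/T2 lease renewal timers.
Added example, not from the instructor guide or Windows Server; all
addresses, MACs and option values are constructed samples."""
import ipaddress
from dataclasses import dataclass, field

DEFAULT_LEASE_SECONDS = 8 * 24 * 3600     # Windows DHCP default lease: 8 days

@dataclass
class Scope:
    start: str
    end: str
    mask: str
    exclusions: list = field(default_factory=list)    # (first, last) pairs
    reservations: dict = field(default_factory=dict)  # MAC -> fixed address
    lease_seconds: int = DEFAULT_LEASE_SECONDS
    options: dict = field(default_factory=dict)       # router, DNS servers, ...

    def excluded(self, addr):
        return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                   for lo, hi in self.exclusions)

    def available_pool(self):
        """Scope less exclusion ranges = available address pool; reserved
        addresses are also kept out of dynamic allocation."""
        reserved = {ipaddress.ip_address(a) for a in self.reservations.values()}
        addr, last = ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)
        pool = []
        while addr <= last:
            if not self.excluded(addr) and addr not in reserved:
                pool.append(str(addr))
            addr += 1
        return pool

def lease_timers(lease_seconds):
    """Renewal attempts: T1 at 50% of the lease, T2 at 87.5%, release at expiry."""
    return {"T1": lease_seconds // 2, "T2": int(lease_seconds * 0.875),
            "expiry": lease_seconds}

class DhcpServer:
    def __init__(self, server_ip, scope, authorized=True):
        self.server_ip = server_ip
        self.scope = scope
        self.authorized = authorized    # active but unauthorized in AD DS == rogue
        self.leases = {}                # address -> MAC

    def pick_address(self, mac):
        if mac in self.scope.reservations:
            return self.scope.reservations[mac]
        for addr in self.scope.available_pool():
            if self.leases.get(addr, mac) == mac:   # free, or already this client's
                return addr
        return None

    def handle_discover(self, mac):
        """DHCPDISCOVER (broadcast) -> DHCPOFFER, or no reply at all."""
        if not self.authorized:
            return None   # a Windows DHCP server not authorized in AD DS does not serve
        addr = self.pick_address(mac)
        if addr is None:
            return None   # pool exhausted
        return {"type": "DHCPOFFER", "server": self.server_ip, "mac": mac,
                "yiaddr": addr, "mask": self.scope.mask,
                "lease": self.scope.lease_seconds}

    def handle_request(self, mac, requested_ip, server_id):
        """DHCPREQUEST (broadcast, naming the chosen server) -> DHCPACK."""
        if server_id != self.server_ip or requested_ip != self.pick_address(mac):
            return None   # not our offer, or the address is no longer ours to give
        self.leases[requested_ip] = mac
        return {"type": "DHCPACK", "server": self.server_ip, "mac": mac,
                "yiaddr": requested_ip, "mask": self.scope.mask,
                "lease": self.scope.lease_seconds,
                "timers": lease_timers(self.scope.lease_seconds),
                "options": dict(self.scope.options)}

def dora(client_mac, servers):
    """Client side of the four steps: broadcast DISCOVER, take the first
    OFFER, broadcast a REQUEST for it, and return the matching ACK."""
    offers = [o for o in (s.handle_discover(client_mac) for s in servers) if o]
    if not offers:
        return None
    chosen = offers[0]
    for server in servers:
        ack = server.handle_request(client_mac, chosen["yiaddr"], chosen["server"])
        if ack:
            return ack
    return None

# Constructed sample scope: .10-.200, an exclusion range for statically
# addressed devices, one reservation for an HR printer, default 8-day lease.
SAMPLE_SCOPE = Scope("192.168.10.10", "192.168.10.200", "255.255.255.0",
                     exclusions=[("192.168.10.50", "192.168.10.60")],
                     reservations={"00-11-22-33-44-55": "192.168.10.100"},
                     options={"router": "192.168.10.1", "dns": ["192.168.10.2"]})
```

A client that already holds a lease gets the same address back on a fresh DISCOVER, and a server in the list with authorized=False never answers, which is what the authorization step above is meant to guarantee.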
Description:
The concept of Domain Name System (DNS) is very simple: map a name to an IP address for
easier communication between network devices in a TCP/IP network environment.
The Internet relies on DNS to allow users to easily find their favorite websites by name instead of
having to remember an IP address for each Web Server, e.g. www.myfavoritesite.com instead of
12.34.56.78.
The process of mapping names to IP addresses is called name resolution and, though simple in
concept, is complex in practice and design.
In order to scale to the largest networks in the world, DNS uses a hierarchical (ranked or tiered)
namespace structure:
o At the very top of the hierarchy is root, represented by .
o Immediately under root are the top-level domains (.com, .net, .org, etc).
o Second-level domains are below top-level domains and are typically registered to
individuals or organizations, like mycompany.com or myschool.edu.
DNS uses a fully qualified domain name (FQDN) to map a name to an IP address.
Description:
In a Windows Server 2008 environment, the DNS Server role is classified based on the type of
host name to IP address mappings it will store. These types are called zones, which represent a
collection of address mappings for a contiguous portion of the DNS namespace.
A DNS Server can host primary or secondary zones or both. A DNS Server that does not host
any zone is called a caching-only server.
In Windows Server 2008, DNS zone information is stored either in a text file (standard zones) or in
Active Directory (Active Directory-integrated zones), and a zone can be either a forward lookup
zone (answers queries that map a known name to an IP address) or a reverse lookup zone
(answers queries that map a known IP address to a name).
Standard zone types include primary, secondary and stub:
o Standard primary zones host the read/write master copy of a DNS zone; only one server can
host the master copy, and it can accept dynamic updates.
o Standard secondary zones host a read-only copy of the zone to provide fault tolerance
and to balance the work load.
o Standard stub zones host only those records necessary to identify the authoritative DNS
Servers for the zone.
There are significant benefits to Active-Directory integrated DNS Zones, including fault tolerance,
enhanced security, multi-master zones and efficient replication.
To install the DNS Server Role, launch Server Manager, click Roles, Add Roles, click Next and
place a checkmark next to the DNS Server role. Click Next and Install. Upon completion click
Close.
To add a standard primary zone to your newly created DNS Server, go to Administrative Tools,
DNS. Drill down to Forward Lookup Zones, right-click and click New Zone. Choose Primary Zone
and click Next. Enter the zone name, e.g. contoso.com, and click Next. Select Create a New File
and click Next. Select Do Not Allow Dynamic Updates and click Next, then Finish.
Zone transfers copy all or part of the data in a zone. This allows secondary zones
to receive current records from the primary zone. When changes occur, the primary zone
replicates the changes to the secondary zones.
Windows Server 2008 DNS now supports both full and incremental (only changes since the last
replication are sent) zone transfers.
DNS Servers can contain many types of records, with the most common being:
o Start of Authority (SOA): This represents the original point of authority for a zone.
o Host (A): This maps a FQDN to an IP Address.
o Host (AAAA): Sometimes called a quad-A record, this maps a FQDN to an IPv6
Address.
o Name Server (NS): This record identifies a DNS Server that is authoritative for a zone.
o Mail Exchange (MX): This record designates an email server for a domain.
o Canonical Name Record (CNAME): This record contains an alias for a FQDN.
o Service Locator (SRV): These records identify servers that provide a specific network
service. Active Directory relies heavily on SRV records to identify Domain Controllers in
an Active Directory Domain.
A request from a client to a DNS Server is called a query. The client software making the query is
called a DNS resolver. A DNS resolver request contains the FQDN in question, as well as the
resource record type (A, MX, etc.). The DNS Server receiving the query can respond with one of:
o a positive answer, which can be authoritative (a positive answer from a server with direct
authority for the zone in question) or non-authoritative;
o a referral (containing a helpful reference to resource records not specifically requested in
the query); or
o a negative answer, indicating that the queried name does not exist or that the record type
requested for the queried name does not exist.
Queries from a client to a server can be one of two types: iterative or recursive. In an iterative
query, a client asks a DNS Server to respond with the best information it has available,
without checking with other DNS Servers. Recursion is the process of a DNS Server querying
other DNS Servers until it finds the answer to a query.
DNS Servers in a Windows Server 2008 environment can be configured to either support or
disallow recursive queries.
Forwarders and Conditional Forwarders can be used to tell a DNS Server where to send queries
for external DNS names. Conditional Forwarders can specify where to forward requests based
specifically on a domain name.
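The query types, answer types and forwarders just described, as an added example that is not part of the instructor guide and not Windows DNS code: a toy resolver in Python that walks from root to the second-level domain by following referrals, returns authoritative, cached (non-authoritative) or negative answers, follows CNAME aliases, and honours a conditional forwarder for one domain. The server names, zone records and addresses are constructed samples, and the root hints are reduced to a single named root server.

```python
"""Toy DNS resolution: iterative queries, referrals down the hierarchy,
authoritative / cached / negative answers and a conditional forwarder.
Added example, not from the instructor guide or Windows DNS; server names,
zone data and addresses are constructed samples."""

# server name -> {zone apex: {owner name: {record type: [rdata]}}}.
# NS rdata is written as a server name so a referral can be followed directly.
SERVERS = {
    "root-ns": {".": {"com.": {"NS": ["com-ns"]}}},
    "com-ns": {"com.": {"contoso.com.": {"NS": ["contoso-ns"]}}},
    "contoso-ns": {"contoso.com.": {
        "contoso.com.": {"SOA": ["contoso-ns hostmaster.contoso.com. 2013080601"],
                         "NS": ["contoso-ns"], "MX": ["10 mail.contoso.com."]},
        "www.contoso.com.": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
        "mail.contoso.com.": {"A": ["192.0.2.25"]},
        "intranet.contoso.com.": {"CNAME": ["www.contoso.com."]},
    }},
    # A partner's private namespace, reachable only via a conditional forwarder.
    "corp-ns": {"corp.example.": {
        "corp.example.": {"NS": ["corp-ns"]},
        "fs1.corp.example.": {"A": ["10.1.2.3"]},
    }},
}

def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)

def query(server, qname, qtype):
    """One iterative query: the server answers from its own zones only and
    never asks anyone else. status: answer (authoritative), referral,
    nxdomain or nodata (the last two are negative answers)."""
    zones = SERVERS[server]
    zone = max((z for z in zones if in_zone(qname, z)), key=len, default=None)
    if zone is None:
        return {"status": "refused"}
    records = zones[zone]
    labels = qname.split(".")
    for i in range(len(labels)):                 # delegation below the apex?
        sub = ".".join(labels[i:])
        if sub != zone and "NS" in records.get(sub, {}):
            return {"status": "referral", "servers": records[sub]["NS"]}
    if qname not in records:
        return {"status": "nxdomain"}            # no such name
    rrset = records[qname]
    if qtype in rrset:
        return {"status": "answer", "records": rrset[qtype]}
    if "CNAME" in rrset:
        return {"status": "answer", "cname": rrset["CNAME"][0]}
    return {"status": "nodata"}                  # name exists, type does not

class Resolver:
    """A DNS server answering recursive client queries, with a cache and
    conditional forwarders; recursion can be disallowed."""

    def __init__(self, root="root-ns", allow_recursion=True, forwarders=None):
        self.root = root                        # stands in for the root hints
        self.allow_recursion = allow_recursion
        self.forwarders = forwarders or {}      # conditional: domain -> server
        self.cache = {}                         # (name, type) -> records

    def resolve(self, qname, qtype, depth=0):
        key = (qname, qtype)
        if key in self.cache:                   # cached: non-authoritative
            return {"records": self.cache[key], "source": "cache"}
        server = self.root
        for domain, forwarder in self.forwarders.items():
            if in_zone(qname, domain):          # conditional forwarder applies
                server = forwarder
        if not self.allow_recursion:            # best info available, no chasing
            return query(server, qname, qtype)
        for _ in range(10):                     # hop limit against referral loops
            reply = query(server, qname, qtype)
            if reply["status"] == "referral":
                server = reply["servers"][0]
            elif reply["status"] == "answer" and "cname" in reply:
                if depth > 5:
                    return {"error": "CNAME chain too long"}
                result = self.resolve(reply["cname"], qtype, depth + 1)
                return dict(result, cname=reply["cname"])
            elif reply["status"] == "answer":
                self.cache[key] = reply["records"]
                return {"records": reply["records"], "source": "authoritative"}
            else:
                return {"negative": reply["status"], "source": "authoritative"}
        return {"error": "too many referrals"}
```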
Activity:
Have the students research root hints.
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Explain DNS.
Course Objective(s) supported by this activity:
Configure Active Directory.
In addition to the DNS Server MMC console in a Windows Server 2008 environment, you can use
NsLookup and Dnscmd to troubleshoot and manage DNS.
NsLookup is part of the TCP/IP suite and can be very useful in verifying the configuration and
functionality of DNS.
NsLookup can be used as a single command; for example, to retrieve the IP address for
www.microsoft.com, enter nslookup www.microsoft.com at a command prompt. NsLookup also
supports interactive mode, accepting multiple commands and queries. To enter interactive mode,
just enter nslookup at a command prompt and press Enter.
You can easily change which DNS Server to send queries to by entering server x.x.x.x where
x.x.x.x represents the IP address of the DNS Server.
From a command prompt, type nslookup /? to see the options and command syntax, or type
nslookup, press Enter, then type ? and press Enter again for interactive-mode help.
Dnscmd is a component of Windows Server 2008 DNS and can be used to perform most DNS
configuration tasks. This can be particularly useful for scripting DNS tasks.
Using Dnscmd, you can create, delete and view zones and records; clear cache; stop and restart
DNS services, etc.
To see zone information for the local DNS Server, at a command prompt type dnscmd localhost
/enumzones.
LAB PORTION
I am working at two branch offices and have been tasked with where to place Active-Directory Integrated
DNS Servers and what type to use.
One of the branch offices is very small (maybe 5 users) and has very slow network connectivity. Do I
need a DNS Server and, if so, which type of zone should it host?
The second branch office is much larger (about 30 users) and has better network connectivity. Does this
office need a DNS Server and, if so, what type of zone would you recommend?
Thank you,
Junior Admin
Unit Summary:
This unit covered the configuration and management of the Dynamic Host Configuration Protocol (DHCP)
server role for Windows Server 2008, the role of the Domain Name System (DNS) in an Active
Directory and Windows Server 2008 environment, and DNS implementation and configuration.
Key Concepts
Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 1 Overview of Active Directory Domain Services
Lesson 2 Implementing Active Directory
Keywords
Use the following keywords to search for additional materials to support your work:
Learning Activities
THEORY PORTION
One of the primary benefits of a computer network is the sharing of resources (data, applications,
services, devices, etc). Particularly in larger environments, the task of administering access and
availability of these shared resources can be onerous. In Windows Server 2008, Active Directory
Domain Services (AD DS) provides a mechanism to centrally, efficiently manage security,
distribution and access to network resources. AD DS scales from small to very large
environments, with the ability to manage AD resources from multiple locations (multimaster
authentication), to create trust relationships with external networks and to replicate information for
fault tolerance and redundancy.
A directory service is somewhat like a phone book for the computer network, providing a
complete listing of people and services, as well as a great deal of additional information about
each entry. In a Windows Server 2008 environment, the directory service (AD DS) is a
repository of information about people, services and data, which can be centrally and securely
managed.
In Windows Server 2008, there are two different directory services roles: Active Directory Domain
Services (AD DS), which is a full-featured directory service; and Active Directory Lightweight
Directory Services (AD LDS), which, as its name implies, provides a lightweight, low-overhead
directory service.
In a Windows Server 2008 environment, a Windows Server 2008 computer that is configured with
the AD DS role is called a domain controller. It stores the AD database and authenticates access
to resources (verifies who a user or service is and whether or not it is allowed access to a
resource).
Because AD DS is a multimaster database, it synchronizes any/all changes made from and to
any/all domain controllers (replication), providing fault tolerance (a copy of the database, ntds.dit,
exists in multiple places), single sign on (authentication can occur with any available domain
controller), and the ability to administer AD DS from any available domain controller.
Activity:
Have students research a Microsoft Workgroup environment and compare and contrast with AD DS.
Estimated Time: 20 minutes
Some of the benefits of AD DS are that it is hierarchical and very flexible. In order to appropriately
design an AD infrastructure, it is important to understand the components and how they
interrelate.
At the most basic level, AD components fit into one of two categories: container objects (can
contain other container objects or leaf objects) and leaf objects (cannot contain other objects,
usually representing a single resource like a user or a printer).
Container objects include:
o Forest: the largest container (top of the hierarchy), encompassing the fundamental
security boundary in AD.
o Domain Tree: a logical grouping of resources containing one or more domains.
o Domains: a logical grouping of resources designated by an AD domain name.
o Organizational Units (OU): a logical grouping of resources within a domain, usually
containing users or resources with similar security or administrative settings.
To organize data and facilitate efficient replication the AD DS database (ntds.dit) is divided into
multiple parts (partitions), also known as naming contexts (NCs):
o The Schema NC contains the rules and definitions for creating and modifying object
classes and attributes in AD and is replicated to all DCs in a forest.
o The Configuration NC contains information about the physical topology of the network
and is replicated to all DCs in a forest.
o The Domain NC contains all of the resource objects, such as users and computers, for a
domain and is replicated to all DCs within a domain.
All AD objects have a common set of attributes, including:
o Unique Name: This is an object identifier and is assigned at object creation.
o Globally Unique Identifier (GUID): This is a 128-bit hexadecimal value assigned
automatically to every object in AD when it is created.
o Required Object Attributes: These represent attributes that are required for creation of an
object, eg a user account must have a unique name.
o Optional Object Attributes: These are informational attributes for an object and are not
required.
Naming is a critical component of AD, not only to organize information in a logical and
manageable structure but also to comply with the Lightweight Directory Access Protocol (LDAP),
an IETF standard, for interoperability.
Description:
Explain the following:
Ideally all servers in a Windows AD DS environment run the same version of Windows Server.
Unfortunately, this is often impractical, particularly in large, distributed environments. Because of
this, AD DS provides levels of interoperability among varying versions of Windows Server and AD
DS, referred to as functional levels.
AD DS supports forest and domain functional levels for backwards compatibility with earlier
versions of AD DS, effectively limiting the functionality of newer versions of AD DS to only support
features supported by all of the DCs in an environment.
The following domain functional levels are supported in Windows Server 2008:
o Windows 2000 Native: Providing backwards compatibility with Windows 2000 DCs, while
also supporting 2003 and 2008.
o Windows Server 2003: Supporting only 2003 and 2008 DCs.
o Windows Server 2008: Only 2008 DCs supported.
Note: Keep in mind that a Windows Server may be able to support roles in a domain
other than DC, e.g. a Windows Server 2003 machine could provide print services in a Windows
Server 2008 domain but not act as a DC.
See Table 1-2 in MOAC 70-640, page 13, for a matrix of domain functional levels.
Forest functional levels work like domain functional levels but, instead of applying just to a
particular domain within a forest, apply to the entire forest.
Once all DCs in a particular domain or an entire forest meet the requirements, you can raise the
domain or forest functional level to support newer AD features, e.g. raise a domain from Windows
2000 Native to Windows Server 2003 once all DCs are at a minimum of Windows Server 2003.
See Table 1-3 in MOAC 70-640, page 15, for a matrix of forest functional levels.
Activity:
Have the students review the matrices of AD functionality in tables 1-2 and 1-3 in MOAC 70-640 and
discuss the possible business benefits for justifying a move to a higher domain/forest functional level.
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Explain AD Functional Levels
Description:
Explain the following:
At a high level, implementing AD DS involves the simple process of configuring the AD DS role
on one or more servers in your environment and configuring the workstations to be members of
the AD Domain.
In order to install the AD DS role you must have:
o A version of Windows Server 2008 that supports AD DS: Standard Edition, Enterprise
Edition or Datacenter Edition.
o An account with local administrative privileges for the local machine.
o An NTFS partition to hold the SYSVOL folder (used for storing Group Policy Objects, login
scripts, etc.).
Activity:
Have the students review the AD size requirements on page 24 of MOAC 70-640 and calculate the space
requirements for an environment with 5,000 security principals, 50 OUs, 15 certificates and 15,000
ACEs.
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Install Active Directory Domain Services
Description:
You are an IT Administrator for a company implementing a new AD DS infrastructure. Develop a list of
business-related questions that you will need answered in order to accurately design a domain hierarchy.
Your job is to determine the number of DCs, their geographical placement, the number of domains/forests
and the OU design. What do you need to know to effectively accomplish this?
Unit Learning Outcome(s) attached to this activity:
As an IT Administrator, you have been tasked with designing the technical strategy for the merger of your
company with another company. Develop a list of questions that you will need answered to effectively
design a solution for allowing seamless sharing of information resources between the two companies.
Your company has a single, Windows Server 2008 Functional-Level AD DS Forest. The new company
has a directory service but that is all the information you have been given thus far.
Consider trust relationships, compatibility with other directory services (previous versions of Windows,
other operating systems, etc).
Estimated Time: 100 min
Unit Learning Outcome(s) attached to this activity:
Determine the necessary information to design a solution in a merger scenario.
Key Concepts
Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 3 Working with Active Directory Sites
Keywords
Use the following keywords to search for additional materials to support your work:
Intersite replication
Intersite Topology Generator (ISTG)
DCDiag
Remote Procedure Calls over IP (RPC over IP)
Simple Mail Transfer Protocol (SMTP)
Update Sequence Number (USN)
Learning Activities
THEORY PORTION
Description:
As discussed in the previous units, some of the benefits of Active Directory are fault-tolerance
and redundancy. One of the mechanisms supporting this in AD is multimaster replication, which
functionally keeps the AD Database (ntds.dit) synchronized between all Domain Controllers
(DCs) in a domain and between domains in a Forest.
When designing and implementing an AD environment, it is important to distinguish between
the logical and physical components of a Domain/Forest. Servers acting as DCs, Sites (providing
the boundaries and the ability to manage replication) and WAN links facilitating data transmission
represent physical components, while domain trees, OUs and forests represent logical
components.
You generally manage the logical components of AD via the Active Directory Users and
Computers console and the physical components via the Active Directory Sites and Services
console.
During the initial installation of AD DS, a single site is automatically created called
Default-First-Site-Name, and the first Domain Controller is automatically placed within the
Servers folder under this site. You can use the AD Sites & Services console to edit and manage
these settings.
Some important characteristics of AD Sites include:
o Sites are defined by IP subnets that are well-connected (fast and reliable intrasite
network connectivity). In most cases an AD Site is synonymous with a single subnet, which in
turn is synonymous with a single LAN.
o Multiple sites are connected via site links, facilitating intersite replication.
o AD Sites represent physical structure and are independent of AD logical structure, eg a
single site can contain multiple domains.
Understanding sites and how they will replicate is possibly the most fundamental component of
initial AD design. Once a site topology is created, domain controllers can be automatically placed
in the corresponding site based on the IP addresses they are assigned (the network portion of the
address). This is not a requirement, just a benefit of designing sites prior to DC deployment.
Description:
Explain the following:
AD creates a replication topology to define how domain controllers in a forest and in individual
domains should communicate with one another and what needs to be communicated.
Replication is triggered when an object is added or removed from AD, when the value of an
attribute has changed and when the name of an object is changed.
Because AD is multimaster, changes can be made from any writeable DC. In order to accurately
track changes from anywhere within the AD environment, each DC maintains a local value called
an update sequence number (USN). When a change is made to an AD object or attribute, the
USN is incremented, e.g. DC1 has a USN of 1000; a change is made to an object name and DC1
increments its USN to 1001, triggering an update to DC2; DC2 receives the update, updates
its record of DC1's USN to 1001 and adds the changes to its copy of ntds.dit.
In addition to USN, each AD attribute has a version ID to keep track of how many times the
attribute has changed. If the same attribute is modified on two DCs at the same time, AD will use
the version ID as a tie-breaker with the higher value winning.
If the version ID does not break the tie, AD next uses the time-stamp of when the
modification took place, with the later time-stamp winning. This is one reason that time
synchronization is important in an AD environment.
When all DCs in an AD environment agree and have the most up to date information in ntds.dit
the environment is converged. The time it takes to reach this state is called convergence.
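The USN bookkeeping, attribute version IDs and the version-then-timestamp tie-break described above, as an added example in Python that is not from the instructor guide or from Microsoft's replication code: two constructed DCs each hold attributes as (version, timestamp, value), an originating write bumps the DC's USN and the attribute version, and pulling changes from a partner applies the higher version first, then the later timestamp. DC names, DNs, values and integer timestamps are constructed samples; a tie that survives both checks is only reported, since the further rule real AD applies is not covered on this page.

```python
"""Toy model of AD multimaster replication: per-DC update sequence numbers
(USNs), per-attribute version IDs and originating timestamps, and the
version-then-timestamp tie-break. Added example, not from the instructor
guide or from Windows; DC names, DNs and values are constructed samples and
timestamps are plain integers. A tie that survives both checks is only
reported here; real AD resolves it by a further rule not covered on this page."""
from dataclasses import dataclass, field

@dataclass
class Stamp:
    version: int      # how many times the attribute has been written
    timestamp: int    # originating write time; later wins on a version tie
    value: str

def wins(incoming, current):
    """Conflict resolution: higher version ID wins, then later timestamp."""
    if incoming.version != current.version:
        return incoming.version > current.version
    return incoming.timestamp > current.timestamp

@dataclass
class DomainController:
    name: str
    usn: int = 1000                                   # local update sequence number
    attrs: dict = field(default_factory=dict)         # (dn, attr) -> Stamp
    partner_usn: dict = field(default_factory=dict)   # partner -> last USN seen
    log: list = field(default_factory=list)           # (usn, dn, attr, Stamp)

    def write(self, dn, attr, value, now):
        """An originating write: bump this DC's USN and the attribute version."""
        old = self.attrs.get((dn, attr))
        stamp = Stamp(old.version + 1 if old else 1, now, value)
        self.usn += 1
        self.attrs[(dn, attr)] = stamp
        self.log.append((self.usn, dn, attr, stamp))
        return self.usn

    def changes_since(self, usn):
        return [c for c in self.log if c[0] > usn]

    def replicate_from(self, partner):
        """Pull everything the partner changed since the USN last seen from it.
        Returns (changes applied, unresolved ties)."""
        last = self.partner_usn.get(partner.name, 0)
        applied, ties = 0, []
        for usn, dn, attr, incoming in partner.changes_since(last):
            current = self.attrs.get((dn, attr))
            if current is None or wins(incoming, current):
                self.attrs[(dn, attr)] = incoming   # keep the originating stamp
                self.usn += 1                        # replicated writes advance the USN too
                self.log.append((self.usn, dn, attr, incoming))
                applied += 1
            elif (incoming.version == current.version
                  and incoming.timestamp == current.timestamp
                  and incoming.value != current.value):
                ties.append((dn, attr))
            self.partner_usn[partner.name] = usn     # high-water mark for this partner
        return applied, ties

def converged(dcs):
    """True when every DC holds the same value for every replicated attribute."""
    for key in set().union(*(dc.attrs for dc in dcs)):
        values = {dc.attrs[key].value if key in dc.attrs else None for dc in dcs}
        if len(values) != 1:
            return False
    return True

if __name__ == "__main__":
    dn = "CN=Alice,OU=HR,DC=contoso,DC=com"
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    print("DC1 USN after write:", dc1.write(dn, "title", "Analyst", now=100))  # 1001
    print("DC2 applied:", dc2.replicate_from(dc1), "USN seen:", dc2.partner_usn)
    dc1.write(dn, "title", "Engineer", now=200)    # same version, earlier time
    dc2.write(dn, "title", "Manager", now=205)     # same version, later time: wins
    dc2.replicate_from(dc1); dc1.replicate_from(dc2)
    print("converged:", converged([dc1, dc2]), dc1.attrs[(dn, "title")].value)
```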
As previously described, a site is generally defined as a subnet/LAN with reliable, fast network
connectivity. This makes intrasite replication (replication between DCs in the same site) generally
stable, quick and efficient. Because intersite replication (replication between DCs in different
sites) often traverses WAN links, which are slower and less reliable, intersite replication requires
more careful design.
To facilitate successful intrasite replication, AD provides a service called the Knowledge
Consistency Checker (KCC), which automates much of the configuration of intrasite replication
and can automatically respond to changes in an AD environment.
The KCC is responsible for managing which DCs replicate with which DCs, automatically
selecting replication partners for each DC, creating one or more connection objects between each
DC and its replication partner/s.
The KCC automatically analyzes the AD environment every 15 minutes and attempts to make the
most efficient use of connections, minimizing the delay (latency) in propagation of information
through the AD environment, utilizing dual counter-rotating ring replication paths, creating
additional connection objects whenever needed to ensure no more than three hops exist between
DCs for replication, and using change notification to inform other DCs when changes need to be
replicated.
Activity:
Have students open the AD Sites and Services MMC snap-in and explore the configuration options, view
the NTDS Settings objects and their connection objects, etc.
Description:
Explain the following:
Since AD sites represent the physical topology of your environment, it is generally best practice
to name your sites according to physical location.
For site-to-site (intersite) replication to occur, you must create site links (logical, transitive
connections between sites) that mirror the routed connections between your networks.
The Intersite Topology Generator (ISTG) is a role held by one DC in each site. It builds the
intersite replication topology and automatically selects a bridgehead server (the gatekeeper in each
site, responsible for managing site-to-site replication).
Site links have the following characteristics:
o They connect two or more sites using a single transport (IP or SMTP).
o They are defined manually, with the exception of the DEFAULTIPSITELINK created
automatically at AD installation.
o They correspond to the WAN links connecting sites.
As we learned previously, sites represent well-connected subnets/LANs. This implies that
intersite connectivity may not be well connected. As such, one of the chief goals of intersite
replication is minimizing bandwidth use: data is compressed, and the following parameters control
when and how often replication happens:
o Cost: An administrator can assign a cost to a site link to give it relative priority over other
site links. The default value is 100, with acceptable values in the range 1 to 99,999. The
lower the number, the higher the priority.
o Schedule: An administrator can determine when a particular site link is available for
replication.
o Frequency: During scheduled available times, the site link's replication interval determines
how often replication can occur (default 180 minutes, minimum 15 minutes).
When designing an AD Site Topology, it is important to consider the balance between
performance considerations and convergence.
Activity:
Have the students review the AD size requirements on page 24 of MOAC 70-640 and calculations from
the previous activity in Unit 3 (5,000 security principals, 50 OUs, 15 certificates and 15,000 ACEs),
discussing the relative impact of replication in the proposed environment via ISDN lines versus T1 lines.
Estimated Time: 40 minutes
Unit Learning Outcome(s) attached to this activity:
Configure Active Directory Replication
Course Objective(s) supported by this activity:
Explain intrasite and intersite replication between the Windows Server 2008 machines.
Description:
Explain the following:
Simple Mail Transfer Protocol (SMTP) provides a solution for replication over very slow or
unreliable intersite links. It is asynchronous (one transaction does not have to complete before
another starts) and has important limits: it cannot replicate the domain directory partition (only
the schema, configuration and application partitions), it ignores site-link schedules, and it
requires an Enterprise Certification Authority, because the SMTP replication messages are signed
with certificates. DCs of the same domain must therefore always be connected by an IP site link.
To minimize the impact on intersite links, AD designates a bridgehead server in each site. Imagine a
site in San Francisco with three DCs and another site in New York with five DCs. All DCs in each
site replicate with one another (intrasite replication), but there is no need for every DC in SF to
talk to NY. It is only necessary for one DC in each site to exchange changes with a DC in the other
site. These are the bridgehead servers; they replicate between sites and then distribute the
received changes within their own site.
The ISTG automatically selects a bridgehead server in each site, though an administrator can
designate preferred bridgehead servers to accommodate specific situations and needs (if you do, list
more than one, because the ISTG will not fall back to an unlisted DC when your preferred one fails).
Because intersite replication compresses data, bridgehead servers need adequate CPU and memory to
handle compression and decompression.
Any errors that occur during AD replication are logged to the Directory Service log in Event Viewer
on each DC. It is important to monitor these events regularly.
Although replication occurs automatically or on the defined schedule, it can be forced manually to
propagate changes or to troubleshoot issues: open AD Sites and Services, expand Sites, the site,
Servers and the DC you want to receive the changes, click NTDS Settings in the console tree,
right-click the connection object in the details pane and select Replicate Now. Connection objects
are inbound, so Replicate Now pulls changes from the listed partner to this DC.
Beyond observing object/attribute changes on different DCs, you can monitor replication with two
command-line tools:
o Dcdiag: Runs connectivity and health tests against DCs, reporting errors in replication,
DNS registration, permissions and the overall state of each DC.
o Repadmin: Views the replication topology and per-partner replication status, forces
replication, and displays replication metadata (the USN, version number and timestamp
recorded for each attribute).
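The following PowerShell is an added example for this guide, not part of the course material or of the Microsoft tools it wraps. It strings together the checks an administrator would run when a complaint like "changes to users take forever to reach Branch 1" arrives: verify clock skew first (timestamps are a conflict tie-breaker), list failing replication links, run dcdiag's replication tests, force a full sync, then re-check. It assumes an elevated prompt on a Windows Server 2008 DC (or a machine with the AD DS tools installed) and a domain-admin caller; the DC name DC1 is a placeholder.

```powershell
# Added example, not from the course text. Assumes repadmin, dcdiag and w32tm are
# on the path and the caller has domain-admin rights. "DC1" is a placeholder.

function Get-ReplicationFailures {
    # repadmin /showrepl with /csv prints one row per inbound replication link.
    # '*' covers every DC in the forest; pass a DC name to narrow the scope.
    param([string]$Target = '*')

    $links = repadmin /showrepl $Target /csv | ConvertFrom-Csv
    # Any link with a non-zero failure count is not converging.
    $links | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Success Time', 'Last Failure Status'
}

function Test-DcReplicationHealth {
    # dcdiag's Replications test reports per-partner errors and latency; the
    # Advertising test confirms the DC is even offering itself as a DC/GC.
    param([string]$Dc)
    dcdiag "/s:$Dc" /test:Replications /test:Advertising
}

function Get-TimeSkew {
    # Kerberos tolerates 5 minutes of skew by default, and timestamps break
    # attribute conflicts, so check clocks before blaming replication.
    # w32tm /monitor prints each DC's offset from the PDC emulator.
    w32tm /monitor
}

function Start-FullReplication {
    # Pushes every partition held by $Dc to all of its partners, across sites:
    #  /A all naming contexts, /d show partners by DN, /e include other sites, /P push.
    param([string]$Dc)
    repadmin /syncall $Dc /AdeP
}

# Troubleshooting order for the Main Office <-> Branch 1 complaint:
Get-TimeSkew
Get-ReplicationFailures -Target 'DC1'
Test-DcReplicationHealth -Dc 'DC1'
Start-FullReplication -Dc 'DC1'
Get-ReplicationFailures -Target 'DC1'   # re-check after the forced sync
```

If the second Get-ReplicationFailures call is clean but users still see stale attributes, the problem is the site-link schedule or interval rather than a broken link; repadmin /replsummary gives the same picture for the whole forest in one table.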
Activity:
Have the students open a command prompt on a Windows Server 2008 DC and view the command
parameters for dcdiag (dcdiag /?) and repadmin (repadmin /?).
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Configure Active Directory Replication
Course Objective(s) supported by this activity:
Explain intrasite and intersite replication between the Windows Server 2008 machines.
LAB PORTION
Practice Activity 1: Working with Active Directory Sites
See the Lab Manual: Lab 3: Working with Active Directory Sites
Homework, Graded
You are an IT administrator for a company with an existing AD forest. The company is adding two new
branch offices and you have been tasked with designing a replication strategy prior to DC deployment.
Branch1 will be connected to the Main Office via a pair of bonded T1 lines and will contain a call
center with high employee turnover.
Branch2 will be in a very remote location and will be connected to the Main Office via a 56k POTS line.
A junior IT administrator has been tasked with troubleshooting problems with intersite AD replication.
Respond to his inquiry with a suggested approach and any recommendations for troubleshooting:
To: IT Admin
I am troubleshooting replication between the Main Office and Branch Office 1. It seems that changes to
user object attributes take a very long time to propagate or do not propagate at all. I am not sure when
replication is supposed to occur and have no idea where to begin testing. Do you have any
recommendations, any suggested steps to help me narrow down the problem? Thank you!
Junior Admin
Estimated Time: 100 min
Unit Learning Outcome(s) attached to this activity:
Suggest a plan of action for troubleshooting replication.
Unit Summary:
This unit introduced Active Directory Sites, their function and how they are created and administered. It
also covered replication, the process and how replication can be managed and monitored.
Unit 5: Global Catalog and Flexible Single Master Operations (FSMO) Roles
Course Objectives Covered by this Unit
CO3. Configure Active Directory.
CO4. Explain intrasite and intersite replication between the Windows Server 2008 machines.
CO5. Configure Universal Group Membership Caching
CO6. Transfer and seize FSMO roles.
Unit Learning Outcomes
Explain the functions of a Global Catalog Server
Explain the FSMO Roles
Plan FSMO Role Holders
Maintain FSMO Roles
Determine the necessary information for the development of an FSMO/GC implementation plan.
Determine the best tools for identifying the current FSMO role holders.
Develop a plan for the failure of a role holder.
Key Concepts
Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 4 Global Catalog and Flexible Single Master Operations (FSMO) Roles
Keywords
Use the following keywords to search for additional materials to support your work:
Learning Activities
THEORY PORTION
Description:
Explain to students the following:
The Global Catalog (GC) is a key component of Active Directory. By default, the first Domain
Controller (DC) installed in the forest root domain is a GC. A GC holds a full, writeable copy of all
objects in its own domain, as well as a partial, read-only copy of every object in the other domains
of the forest containing only the attributes in the partial attribute set (PAS).
Any DC in an Active Directory environment can be configured to function as a GC server, depending
on the needs of the environment.
The four primary functions of the Global Catalog in Active Directory are:
o Facilitating forest-wide searches: LDAP queries sent to TCP port 3268 (3269 for LDAP over
SSL) are answered by a GC from its partial copy of every domain, instead of being referred
from domain to domain.
o User Principal Name (UPN) resolution: As discussed in previous units, a UPN allows a
user to log on with a standardized naming convention, often matching the user's email
address (e.g. jsmith@lucernepublishing.com). Because the UPN suffix does not identify
the domain, the authenticating DC consults a GC to find which domain holds the account.
o Maintaining Universal Group membership information: Universal Groups can be granted
permissions on any resource in the forest, so their membership is replicated to every GC,
whereas domain local and global group membership is stored only in the domain partition.
A DC needs a GC to enumerate a user's universal groups when building the logon token.
o Maintaining a copy of all objects in the domain: A GC server contains a copy of its own
naming context (NC, an AD partition), as well as the PAS for every other domain NC in the
forest.
Particularly in distributed sites, performance load and network bandwidth utilization are key
considerations for where to place GC servers. To improve performance and minimize bandwidth
utilization, Windows Server 2003 and 2008 support Universal Group Membership Caching. When
a user logs on at a site without a GC server, a GC is queried once, after which the user's universal
group membership is cached on the local site DC, eliminating the need to contact a GC at the user's
next logon. The cache is refreshed from a GC every 8 hours by default, so a membership change made
elsewhere (including removal from a group) reaches that site with up to that much delay.
Description:
Explain the following:
As previously discussed, Active Directory is a multimaster database, meaning that changes can be
made on any writeable DC in the environment, after which they are replicated throughout the
environment to keep every copy consistent and up to date. Although AD uses multiple methods to
resolve conflicts (version numbers, timestamps), some critical AD functions cannot tolerate two DCs
acting at once, because a conflict would corrupt shared state rather than simply pick a loser; these
are better suited to a single-master model. AD uses Flexible Single Master Operations (FSMO) roles
to handle these functions.
In a smaller environment, all FSMO roles can reside on a single DC. In larger environments, they
can be distributed to multiple DCs.
There are five FSMO roles, two of which support forest-wide functionality, three of which support
domain-wide functionality:
o Relative Identifier (RID) Master: This domain-specific role hands out pools of RIDs to the
DCs in its domain. When a DC creates a security principal (user, group or computer), it
takes the next RID from its own pool and appends it to the domain SID to form the object's
SID. If a DC exhausts its pool and the RID Master is unavailable, that DC can no longer
create security principals.
o Infrastructure Master: This domain-specific role updates references from objects in its
domain to objects in other domains (for example, a group member from another domain that
has been renamed or moved).
o Primary Domain Controller (PDC) Emulator: This domain-specific role provides backwards
compatibility with Windows NT 4.0 domains, receives urgent replication of password
changes, is consulted on a failed logon before a lockout is declared, and is the
authoritative time source for the domain.
o Domain Naming Master: This forest-wide role has the authority to add and remove domains,
domain trees and application directory partitions.
o Schema Master: This forest-wide role is the only DC on which AD schema changes can be
made.
As the name implies (Flexible Single-Master Operations Roles), there can be only one DC per
domain/forest functioning in each of the FSMO roles.
Activity:
Have students discuss the relative impact of any of the FSMO roles becoming unavailable in an AD
environment.
Description:
Explain the following:
When the first DC is installed in a new forest, it must contain all five FSMO roles in addition to
functioning as a Global Catalog Server. As the forest grows and additional DCs are installed,
some of these roles can be transferred to other DCs to distribute the performance load and
provide some fault tolerance.
When creating a new child domain within an existing forest, the first DC in the child domain must
contain the three domain-specific FSMO roles (PDC Emulator, RID Master and Infrastructure
Master).
Some considerations for placement of FSMO roles include:
o Schema Master should be placed on a highly available DC, as all schema changes require
the availability of this role.
o Domain Naming Master can co-exist with the Schema Master role and a Global Catalog
server, which is suitable for a smaller environment.
o PDC Emulator should be placed on a highly available, well-resourced DC, as it supports
critical processes including logon of down-level clients, urgent password replication and
time synchronization. Best practice is to separate this role from the Global Catalog server
function where the environment has enough DCs to do so.
o RID Master should be placed in proximity to the DCs where most AD objects are created,
as these DCs will be the largest consumers of RIDs. Best practice is to combine this role
with the PDC Emulator role.
o Infrastructure Master is perhaps the least critical FSMO role. Best practice is to place it on
a DC that is not a GC server but that is in the same site as a GC server. The exception is
when every DC in the domain is a GC (or the forest has a single domain): then the role has
nothing to do and its placement does not matter.
When planning for FSMO Role placement, it is important to consider the number of domains in
the forest, the physical structure of the network (sites, site connectivity) and the total number of
DCs in each domain.
Activity:
Have the students review the table 4-3 in MOAC 70-640 and corrective actions pursuant to each FSMO
Role failure.
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Planning FSMO Role Holders
Course Objective(s) supported by this activity:
Configure Active Directory.
Explain intrasite and intersite replication between the Windows Server 2008 machines.
Description:
Explain the following:
Whether planned or unplanned, there will invariably be times when an FSMO Role becomes
unavailable, when a DC needs to be decommissioned, site-to-site connectivity fails, the needs of
the organization change, or a DC fails.
As certain functions of AD require these FSMO Roles, when a role becomes unavailable the role
must be transferred or seized:
o Role transfer is the preferred method but requires the availability of the DC currently
holding the role.
o Role seizure is your only choice if the DC currently holding the role is no longer available.
Before moving a role, planned or unplanned, it is important to know where the roles currently
reside. You can view and change (transfer) the three domain-wide roles via the Active Directory
Users and Computers snap-in (right-click the domain, All Tasks, Operations Masters).
To view and change (transfer) the Domain Naming Master role, open Active Directory Domains and
Trusts, right-click Active Directory Domains and Trusts and select Operations Master.
Viewing and changing (transferring) the Schema Master role requires registering schmmgmt.dll
(regsvr32 schmmgmt.dll), adding the Active Directory Schema snap-in to an MMC console,
right-clicking Active Directory Schema and selecting Operations Master. The command netdom query
fsmo lists all five role holders at once.
To seize an FSMO role, use the ntdsutil command-line tool. When asked to seize, ntdsutil first
attempts a transfer (if the previous role holder is reachable) and forces the seizure only if that
fails. A DC whose roles have been seized must never be brought back onto the network: remove its
metadata and rebuild it, or two DCs will each believe they hold the role.
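As an added example for this guide (not from the course text or from Microsoft's tooling), the script below answers the two questions this section raises: where do the roles live right now, and what exactly does the ntdsutil command for a transfer or seizure look like. It reads the fSMORoleOwner attribute of each role's anchor object through the built-in [ADSI] accelerator, so it runs on Windows Server 2008 without the AD PowerShell module (which only shipped with 2008 R2). The target DC name DC2 is a placeholder.

```powershell
# Added example, not from the course text. Reads FSMO holders via [ADSI] and
# builds the matching ntdsutil command line. Assumes a domain-joined host with
# LDAP access to a DC; "DC2" below is a placeholder.

function Get-FsmoRoleHolders {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNC = $rootDse.Properties['defaultNamingContext'].Value
    $configNC = $rootDse.Properties['configurationNamingContext'].Value
    $schemaNC = $rootDse.Properties['schemaNamingContext'].Value

    # Each role is recorded in the fSMORoleOwner attribute of one well-known object.
    $anchors = @(
        @('Schema Master',         "LDAP://$schemaNC"),
        @('Domain Naming Master',  "LDAP://CN=Partitions,$configNC"),
        @('PDC Emulator',          "LDAP://$domainNC"),
        @('RID Master',            "LDAP://CN=RID Manager`$,CN=System,$domainNC"),
        @('Infrastructure Master', "LDAP://CN=Infrastructure,$domainNC")
    )

    foreach ($pair in $anchors) {
        $role, $path = $pair
        $ownerDn = ([ADSI]$path).Properties['fSMORoleOwner'].Value
        # The value is the DN of the holder's NTDS Settings object; its parent is
        # the server object, which carries dNSHostName. A DN containing "0ADEL:"
        # points at a deleted object: the holder died without the role being moved.
        $holder = if ($ownerDn -match '0ADEL:') { 'ORPHANED (seize required)' }
                  else { ([ADSI]"LDAP://$ownerDn").Parent.Properties['dNSHostName'].Value }
        New-Object PSObject -Property @{ Role = $role; Holder = $holder }
    }
}

function Get-NtdsutilRoleCommand {
    # Builds the ntdsutil invocation that moves one role to $TargetDc.
    # 'transfer' needs the current holder online; use 'seize' only when it is gone
    # (ntdsutil seize still tries a transfer first and forces only if that fails).
    # Role names are the Windows Server 2008 spellings ("naming master", not the
    # Windows Server 2003 "domain naming master").
    param(
        [ValidateSet('schema master','naming master','pdc','rid master','infrastructure master')]
        [string]$Role,
        [string]$TargetDc,
        [ValidateSet('transfer','seize')]
        [string]$Action = 'transfer'
    )
    # Returned as text so the operator reviews it before running it with cmd /c.
    "ntdsutil roles connections `"connect to server $TargetDc`" quit `"$Action $Role`" quit quit"
}

Get-FsmoRoleHolders | Format-Table Role, Holder -AutoSize
# Planned move of the PDC emulator to DC2:
Get-NtdsutilRoleCommand -Role pdc -TargetDc DC2 -Action transfer
# After a seizure the old holder must stay off the network; remove it with
# "ntdsutil metadata cleanup" and rebuild it rather than powering it back on.
```

Run Get-FsmoRoleHolders before and after any move; a transfer that "succeeded" in the GUI but still shows the old holder here usually means the change has not replicated to the DC you queried yet.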
LAB PORTION
Practice Activity 1: Lab (TBD)
In-Class Activity, Graded
See the Lab Manual: Lab 5
Estimated Time: 100 minutes
You are an IT consultant for a newly forming company and have been asked to design an Active
Directory Forest implementation. Your immediate task is to designate where the FSMO Roles and Global
Catalog Servers will be placed in the new environment. Develop a list of 5 to 10 questions you will need
answered in order to determine the most appropriate locations for the FSMO Role Holders and GCs.
Unit Summary:
This unit introduced the Global Catalog Server and its functionality in Active Directory Services. Active
Directory Flexible Single-Master Operations (FSMO) Roles and their functionality were described, as well
as the mechanisms for moving FSMO Roles in an AD environment.
Key Concepts
Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 5 Active Directory Administration
Keywords
Use the following keywords to search for additional materials to support your work:
Learning Activities
THEORY PORTION
Description:
User accounts are perhaps the most basic and useful AD object, used as the primary means for
users (people) to access network resources (computers, data, printers, etc.). Defining valid users
and a means by which to verify that a user is who they say they are is the first step in providing
access to resources in the Active Directory environment.
The combination of a valid user account and a secret known only to that user, commonly a password,
serves to confirm a user's identity (authentication). Once a user's identity is established, AD
can then allow or deny access to specific resources based on the privileges assigned to the user and
the groups they belong to (authorization).
There are three types of user accounts in Windows Server 2008:
o Local Accounts: These provide access to resources on the local computer and are stored
in the Security Account Manager (SAM) database on the local computer.
o Domain Accounts: These provide access to Active Directory Domain resources and are
stored in the AD database for use throughout the AD environment.
o Built-in User Accounts: These are automatically created and can be local or domain
accounts, depending on whether the server is standalone or part of an AD Domain.
Two examples of built-in accounts are the Administrator and Guest accounts. The local Administrator
account has full control of the local computer, just as the domain Administrator account has full
control of the domain. The Guest account is used to provide temporary network access to a user, is
disabled by default and, if it is to be used at all, should be renamed and given a password.
Some basic best practices for managing the security of user accounts include:
o Rename the Administrator account: The Administrator account is a built-in account and,
as such, is widely known to exist in a default Windows Server configuration. Because this
account has a high level of privileges and is so commonly known, it is a good idea to
rename it to something not easily guessed. Note that renaming does not change the
account's well-known RID (500), so it deters casual guessing rather than a determined
attacker; treat it as one layer, not the defence.
o Set a strong password: This is good practice for any account but particularly for those
with high privileges, such as the Administrator account. The password should be long (at
least the seven characters the default domain policy enforces, and preferably much longer)
and complex (upper and lower case letters, numbers and special characters).
o Limit knowledge of administrator passwords: The fewer people who know a shared
administrative password, the smaller the risk of a breach and the easier it is to attribute
its use.
o Do not use the Administrator account for daily, non-administrative tasks: Least privilege is
good practice, meaning grant and use only the minimal privileges required to accomplish a
task.
Description:
Explain the following:
In Active Directory, groups can be used to assign the same set of permissions to multiple users
simultaneously, e.g. instead of assigning rights on the HR folder to each member of the HR
department, an HR group is created, rights are assigned to the group, and HR staff are placed in
the group.
When users authenticate to AD, an access token is created containing the user's SID and the SIDs
of all groups the user's account is a member of (including nested groups); resources compare these
SIDs against their ACLs to grant or deny access (authorization). Because the token is built at
logon, a group membership change takes effect only after the user logs off and on again.
Groups can also contain other groups, which is called group nesting.
Groups in AD have a type (how the group can be used) and a scope (which members it can contain and
where in the forest it can be granted permissions):
Group types include distribution groups (non-security groups, commonly used for email distribution
lists; they have no SID and cannot appear in an ACL) and security groups (groups with a SID that can
be granted permissions on resources).
Group scopes in AD include:
o Domain Local Groups: Can contain user and computer accounts, global groups and
universal groups from any domain in the forest (or a trusted domain), and domain local
groups from the same domain. Domain Local Groups can only be granted permissions on
resources in the same domain as the group.
o Global Groups: Can contain user and computer accounts and global groups from the
same domain only. Global Groups can be granted permissions on resources anywhere in
the forest.
o Universal Groups: Can contain user and computer accounts, global groups and universal
groups from anywhere in the forest, and can be granted permissions anywhere in the forest.
They are used to consolidate groups and accounts that span multiple domains. Their
membership is stored in the Global Catalog, so frequent changes to them cost replication
traffic.
Remember that group scope (domain local, global or universal) constrains both where the members
can come from and where the group can be used. The common pattern is to place accounts in global
groups, nest those in domain local groups (via universal groups when spanning domains), and grant
permissions on resources to the domain local groups.
Description:
Explain the following:
Because there are many universally applicable functions in a typical AD environment, Active
Directory includes many default Groups for common tasks/functions. Default Groups vary
somewhat based on the network services installed on a DC, eg the DHCP Users Group is
created when the DHCP Server Role is installed on a DC.
A few examples of default groups include:
o Backup Operators: Able to back up and restore all files on a computer regardless of
specific file permissions. On a DC this includes the directory database itself, so treat
membership as equivalent to administrative access.
o Remote Desktop Users: Able to log on to a computer from a remote location.
o Users: Used for general access.
o Domain Admins: Able to perform administrative tasks on any computer in the domain.
See MOAC 70-640 Table 5-1 for a complete listing of Active Directory default groups.
In addition to Default Groups, AD also includes special identity groups. Special ID Group
membership cannot be viewed or manually modified. These provide special functionality in AD.
Some examples of Special ID Groups include the Everyone group, the Local Service group, the
Network group, etc.
See MOAC 70-640 Table 5-2 for a complete listing of Active Directory special identity groups.
In addition to the previously discussed group types, there are also Local Groups, not to be
confused with Domain Local Groups. Local Groups can contain user, computer and group
accounts from AD but are specific to resources on a local computer or server. Local Groups are
not replicated beyond the local computer/server and are contained in the local SAM database
only.
Description:
Explain the following:
Creating objects in Active Directory is one of the most common administrative tasks. There are
multiple tools via which to accomplish this task, depending upon the specific circumstances of the
object creation.
Generally, local user accounts and groups will be managed via the local computer/server
Administrative Tools, Computer Management snap-in. This tool provides a familiar interface and
is suitable for creation of a limited number of local users and local groups.
Creation of AD users, computers and groups can be accomplished via batch files, Comma-Separated
Value Directory Exchange (CSVDE), LDAP Data Interchange Format Directory Exchange (LDIFDE), Windows
Script Host (WSH) or the Active Directory Users and Computers snap-in:
o Batch files facilitate automation of routine and/or repetitive tasks, combining command-line
tools/commands into a single file, usually with the *.bat or *.cmd extension.
o CSVDE is used to import or export AD information in the comma-separated value file
format (*.csv). CSVDE cannot be used to modify or delete existing objects.
o LDIFDE can be used to import or export AD information and can add, delete or modify AD
objects. Because LDIF is a standard format, LDIFDE also works with other LDAP-compliant
directory services.
o WSH functions much like batch files but uses Microsoft Visual Basic Scripting Edition
(VBScript) or JScript.
o AD Users and Computers provides an MMC snap-in, a graphical interface to add, delete or
modify AD objects, and is often used for managing a small number of additions or changes.
Batch files have many and varied applications for IT administrative tasks and can be written with
any text editor. The ds* command-line tools divide the work: dsadd creates objects, dsmod modifies
them, dsrm deletes them, and dsquery and dsget find and display them.
CSVDE uses the common, CSV format, supported by Microsoft Excel for example. CSVDE works
well for importing AD objects that may already exist in a spreadsheet or other CSV-exportable
format. CSVDE is also useful for exporting AD objects to a spreadsheet or other CSV-compatible
application.
LDIFDE is a more flexible option than CSVDE, based on the LDIF standard, allowing
add/modify/delete functionality.
WSH is a powerful scripting environment that supports a great many administrative functions, not
limited to AD object creation and modification.
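To make the CSVDE/LDIFDE distinction concrete, here is an added example (not from the course text or the MOAC lab) that generates an LDIF file for a batch of new hires and imports it with LDIFDE. The domain lucernepublishing.com is taken from the course material; OU=HR, the group "HR Staff" and the two user rows are constructed for the example and the OU and group are assumed to already exist. The security point it demonstrates: LDIFDE cannot set a password, so the accounts are created disabled (userAccountControl 514) and only enabled once a password has been set over a secure channel.

```powershell
# Added example, not from the course text. Domain from the course material;
# OU, group and users are constructed. Assumes OU=HR and the group already exist
# and that ldifde/csvde/dsquery are available (they ship with the AD DS role).

$domainDn  = 'DC=lucernepublishing,DC=com'
$ouDn      = "OU=HR,$domainDn"
$groupDn   = "CN=HR Staff,$ouDn"
$upnSuffix = 'lucernepublishing.com'

# Constructed input: the kind of rows HR would hand over in a spreadsheet.
$newHires = @(
    @{ First = 'Jane'; Last = 'Smith'; Sam = 'jsmith' },
    @{ First = 'Raj';  Last = 'Patel'; Sam = 'rpatel' }
)

function New-UserLdif {
    param($Users, $OuDn, $GroupDn, $UpnSuffix)
    $lines = @()
    foreach ($u in $Users) {
        $dn = "CN=$($u.First) $($u.Last),$OuDn"
        # userAccountControl 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2).
        # LDIFDE cannot set a password, so each account starts disabled and is
        # enabled only after a password is set, e.g.
        #   dsmod user "<dn>" -pwd <pw> -mustchpwd yes -disabled no
        $lines += @(
            "dn: $dn",
            'changetype: add',
            'objectClass: user',
            "sAMAccountName: $($u.Sam)",
            "userPrincipalName: $($u.Sam)@$($UpnSuffix)",
            "givenName: $($u.First)",
            "sn: $($u.Last)",
            "displayName: $($u.First) $($u.Last)",
            'userAccountControl: 514',
            ''
        )
        # A modify record: adding the new user to the group is something LDIFDE
        # can do and CSVDE cannot.
        $lines += @(
            "dn: $GroupDn",
            'changetype: modify',
            'add: member',
            "member: $dn",
            '-',
            ''
        )
    }
    $lines
}

$ldifPath = Join-Path $env:TEMP 'newhires.ldf'
New-UserLdif -Users $newHires -OuDn $ouDn -GroupDn $groupDn -UpnSuffix $upnSuffix |
    Set-Content -Path $ldifPath -Encoding ASCII

# -i import, -k continue past "object already exists", -f input file, -j log directory.
ldifde -i -k -f $ldifPath -j $env:TEMP

# Verify: every new account should still be disabled until a password is set.
dsquery user $ouDn -disabled

# CSVDE is the export-friendly tool: hand HR a spreadsheet of what was created.
csvde -f (Join-Path $env:TEMP 'hr-export.csv') -d $ouDn -r '(objectClass=user)' `
      -l 'sAMAccountName,userPrincipalName,userAccountControl'
```

The ldf file contains no secrets, so it can go through normal change control; the password step is the one that must happen on a trusted host, and dsquery user -disabled is the check that nothing was enabled prematurely.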
LAB PORTION
Practice Activity 1: Lab: TBD
In-class Activity, Graded
See the Lab Manual: Lab 6.
Key Concepts
Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 6 Security Planning and Administrative Delegation
Keywords
Use the following keywords to search for additional materials to support your work:
Learning Activities
THEORY PORTION
In an Active Directory environment, the combination of two pieces of information allows or denies
access to network resources: username and password. If these two pieces of information are
compromised, access to the network is compromised. Planning and implementing user-account
security is one of the most fundamental components of securing a network infrastructure.
The first component of designing user-account security is the username, which is often
overlooked in security planning. Usernames generally follow a corporate standard naming
convention, often first initial plus last name, e.g. jsmith. Unfortunately, this particular
combination is extremely easy to guess, and the corporate information from which the username is
derived is not a closely guarded secret: many corporate websites contain all of the information
needed to enumerate usernames, which is the first step of a password-guessing attack.
There are many possible username naming conventions, including a limited character
combination of first and last name with a number appended, e.g. JSmith123; or last name followed
by first initial followed by a number, e.g. SmithJ123.
Remember that the username is half of the information needed to gain access to network resources
and should be planned as carefully as the password, while recognizing that it is not a secret (it
appears in email addresses and logs), so an unguessable username buys time rather than safety.
Best practice is to use something other than just the first name or first initial plus last name.
The second component of designing user-account security is the password (an alphanumeric
string used in combination with a username to validate a user's identity: authentication).
Alternatives and supplements to passwords are becoming more common, such as smart cards protected
by a personal identification number (PIN) and biometric devices (fingerprint readers, etc.).
Security is always inconvenient, and the IT administrator's job is to strike the right balance
between security and convenience for the users. We could easily choose extremely secure passwords
for all users, such as Xjhh8&*1!@hhHH, which the users could never remember, forcing them to write
them down for reference and effectively compromising network security.
As an IT admin, critical components of designing user-account security are an awareness of the
needs of the user in conjunction with the extreme importance of network security. As such,
educating the users is of utmost importance.
Help users to understand some basic guidelines for protecting their passwords:
o If you have to write it down, keep the paper in a secure location.
o Don't give your password to anyone, including anyone who says they are from IT.
o Do not save your password on your computer (auto-login features, cached entries, etc).
Description:
Explain the following:
mnemonics, e.g. if a user loves to fish they might use a password regarding their favorite lake
(meaningful to them, easy to remember but hard for someone else to guess): Love2Fish@Lake.
Unit Learning Outcome(s) attached to this activity:
Implementing User-Account Security
Course Objective(s) supported by this activity:
CO8. Analyze different techniques to secure Windows Server 2008
Description:
Explain the following:
The principle of least privilege is critical in securing access to network resources: assign and use
the least privileges necessary to accomplish a task.
Because administrative accounts, including members of Domain Admins, Enterprise Admins and
Schema Admins, have such extensive privileges, they should only be used when necessary to perform
an administrative task and should have extra measures of security to protect them. Administrators
should log on with an ordinary user account and elevate only for the task at hand.
Windows Server 2008 provides the runas feature to elevate privileges for a single task. Runas can be
used from a command line to specify the account under which one program runs. Run as administrator
serves the same purpose from the graphical user interface (GUI) in Windows Server 2008.
Runas functions as follows:
o It maintains your primary logon (the account you used to log into Windows) and creates a
secondary logon for administrative access.
o The secondary logon is only valid for the tool/program you launched via the runas
command.
o Runas does not support all Windows functionality, such as an operating system upgrade
or configuration of some system parameters.
o Runas requires the Secondary Logon service (seclogon) to be running.
o Runas and Run as administrator can each start additional instances of a program under a
separate secondary logon, so several elevated tools can run side by side.
o Runas can be used for a secondary logon as any available account, not just admin
accounts.
Run as administrator is accessed by right-clicking the desired application and selecting Run as
administrator; on Windows 7 and Windows Server 2008 R2, holding Shift while right-clicking also
exposes Run as different user.
Runas is accessed by opening a command prompt and typing the runas command followed by the
appropriate command-line options (runas /? lists them).
Description:
Explain the following:
Organizational Units (OUs) are objects in Active Directory that can contain other OUs, users,
computers and groups and can be used to manage users and computers via Group Policy
Objects. Generally, OUs are designed hierarchically in an AD environment to group resources
and users/computers to mirror your organizational structure.
OUs are often designed to match the functional structure of your organization, e.g. OUs
representing the departments in the organization, such as HR, Sales and Marketing.
OUs may also be designed to match the geographical structure of your organization, e.g. based on
physical locations such as SFO, NYC, etc.
Another strategy for OU design is a combination of both functional and geographical, e.g. an SFO
OU with nested OUs for HR and Sales, and an NYC OU with nested Marketing and
Management OUs.
One of the distinct benefits of Organizational Units is the ability within Active Directory to give
limited control over certain administrative tasks (delegation) at the level of an OU and the resources it
contains, including other OUs. For example, you might want to allow the Manager of the Call Center in SFO
to create and delete User accounts in their respective OU because of high staff turnover.
AD provides a tool called the Delegation of Control Wizard, which walks you through delegating
permissions on domains, OUs or containers, allowing you to choose Users and the tasks they
should be able to perform.
OUs can also be used to provide consistent user, computer and member server configurations
via Group Policy Objects (GPOs). GPOs provide powerful policies for controlling many aspects of
computer, server and user configuration.
Keeping all of these factors and functions in mind will help you design an effective OU structure,
and, as your organization grows and changes, you can easily move objects around in AD from OU
to OU, even moving whole OUs, via familiar Windows drag-and-drop functionality in AD Users and
Computers.
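As an added example for the OU design and delegation discussion above (not from this guide or the MOAC text), the following PowerShell builds the combined geographic/functional structure just described and then delegates user creation and deletion on one OU with the same ACE the Delegation of Control Wizard would write. The domain corp.example, the OU names and the group SFO-CallCenter-Managers are assumptions; the user-class schemaIDGUID is the well-known value.

```powershell
# Added example (not from the instructor guide). Domain, OU names and the
# delegated group are assumed for illustration.
Import-Module ActiveDirectory

$domainDN = 'DC=corp,DC=example'

# Combined structure: site OUs with nested department OUs.
$layout = @{
    'SFO' = @('HR', 'Sales', 'Call Center')
    'NYC' = @('Marketing', 'Management')
}
foreach ($site in $layout.Keys) {
    New-ADOrganizationalUnit -Name $site -Path $domainDN -ProtectedFromAccidentalDeletion $true
    foreach ($dept in $layout[$site]) {
        New-ADOrganizationalUnit -Name $dept -Path "OU=$site,$domainDN" -ProtectedFromAccidentalDeletion $true
    }
}

# Delegation: the call-center managers may create and delete *user* objects in their
# own OU only. Least privilege: one OU, one object class, nothing at domain level.
$ouPath        = "AD:\OU=Call Center,OU=SFO,$domainDN"
$group         = Get-ADGroup -Identity 'SFO-CallCenter-Managers'
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class

$rights  = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $group.SID, $rights, $allow, $userClassGuid, $inherit

$acl = Get-Acl -Path $ouPath
$acl.AddAccessRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# Verify exactly what was delegated; review this the way you would review the
# wizard's summary page before clicking Finish.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.IdentityReference -like '*SFO-CallCenter-Managers' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Have students compare the verification output with the Security tab of the OU in AD Users and Computers (Advanced view): the delegated ACE should show the group, Create/Delete child, and the object type "User" only.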
LAB PORTION
Practice Activity 1: Lab 1: Employing Security Concepts
In-class Activity, Graded
See the Lab Manual: Lab 7.
Homework, Graded
Students will respond to the following scenario with a list of questions to obtain the appropriate
information to successfully complete their assigned task.
Facilitation
As an IT Administrator, you have been tasked with designing an Active Directory Domain Organizational
Unit Structure for a new AD implementation at an existing organization. You are scheduled to meet with
the management team and need to formulate a list of questions you will need answered in order to
recommend an OU Structure appropriate to the organization.
Develop a list of 5-10 questions to guide your design plan.
Estimated Time: 100 min
Unit Learning Outcome(s) attached to this activity:
Determine the necessary information for recommending an OU Structure.
Unit 8: Introduction to Group Policy & Configuring the User & Computer
Environment Using Group Policy
Course Objectives Covered by this Unit
CO3. Configure Active Directory.
CO7. Analyze Group Policy applications
CO8. Analyze different techniques to secure Windows Server 2008
CO9. Use different methods to maintain and troubleshoot Active Directory servers.
Unit Learning Outcomes
Describe Group Policy.
Implement Group Policy.
Configure Group Policy to install and manage software on the Windows 7 client machine.
Manage and Maintain Group Policy.
Configure Group Policies in a Mixed Client OS environment.
Contrast Group Policies supported by different operating systems.
Recommend policies to control user/computer configuration.
Use advanced Group Policy management tools to control Group Policy application.
Key Concepts
Explaining Group Policy
Planning and Implementing Group Policy
Configuring Security Policies with GPOs
Configuring User Settings with GPOs
Maintaining Group Policy
Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 7 Introduction to Group Policy
Lesson 8 Configuring the User and Computer Environment Using Group Policy
Keywords
Use the following keywords to search for additional materials to support your work:
ADMX
Domain GPO
Group Policy Management Console (GPMC)
Loopback Processing
Windows Deployment Services (WDS)
Account Lockout Policies
Fine-Grained Password Policies (FGPP)
Key Distribution Center (KDC)
Group Policies in a Windows Server 2008 Active Directory environment provide a powerful set of
tools to apply computer and user settings throughout the network for any systems running
Windows 2000 and newer (older versions of Windows do not support all of the features of Group
Policy that newer versions support).
The settings that can be managed via Group Policy are numerous but include the following major
categories:
o Registry-based policies: This is a broad category based on Windows registry changes,
such as Desktop settings and environment variables.
o Software installation policies: These can be used to distribute software, from complete
application installation to updates.
o Folder redirection: These policies allow common folder locations to be redirected to
network locations, eg redirecting My Documents to a centralized user share on the
network for backup and accessibility.
o Offline file storage: These settings can be used to make network files available on a
system even when not connected to the network (caches local copies and synchronizes
to the network when attached).
o Scripts: These policies can be used to apply logon, logoff, startup and shutdown scripts
for configuring the user environment.
o Windows Deployment Services (WDS): These policies aid in the installation and repair of
Windows.
These categories cumulatively allow fine-grained control of everything from installing a Microsoft
Word patch to a standard corporate Desktop wallpaper to mapped drives and uniform Desktop
shortcuts, as well as security policies such as password length, complexity, etc.
Group Policies are applied through Group Policy Objects (GPOs). A GPO can contain just a few
or many configuration settings for users and/or computers, as appropriate to your environment.
GPOs are applied (linked) to OUs, domains or sites, applying to the objects they contain. Security
group filtering allows configuration of exclusions for items within the OU, domain or site that you
do not want the GPO to apply to.
Consider a network environment with 200 computers. Without Group Policy, if the users required
their My Documents folders redirected to a network location and offline files enabled, an administrator
would have to physically configure each computer! With Group Policy, these settings can be
configured, tested and applied centrally, saving a great deal of time, reducing the risk of error via
uniform configuration settings and easily accommodating policy changes in the future. These
benefits represent just one example of the return on investment (ROI, i.e. tangible benefits to the
organization) of Group Policy, practically reducing the total cost of ownership (TCO) of
workstation and server management in an Active Directory environment.
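To make the GPO workflow above concrete (create a GPO, link it, set a registry-based policy, apply security group filtering), here is an added PowerShell example using the GroupPolicy module; it is not from this guide or the MOAC text. The GPO name, the Workstations OU, the scoping group and the wallpaper share path are assumptions; the Wallpaper/WallpaperStyle policy values are the ones the Desktop Wallpaper policy writes under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.

```powershell
# Added example (not from the instructor guide). GPO, OU and group names and the
# wallpaper share path are assumed for illustration.
Import-Module GroupPolicy

$gpoName  = 'WS-Standard-Desktop'
$targetOU = 'OU=Workstations,DC=corp,DC=example'

# 1. Create the GPO and link it to the OU; the link is what makes it apply.
$gpo = New-GPO -Name $gpoName -Comment 'Standard corporate desktop settings'
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null

# 2. A registry-based policy under User Configuration: the standard corporate wallpaper.
$policyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'Wallpaper' `
    -Type String -Value '\\corp.example\NETLOGON\corp-wallpaper.jpg' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'WallpaperStyle' `
    -Type String -Value '2' | Out-Null     # 2 = stretch (assumed for this example)

# 3. Security group filtering. By default Authenticated Users has Read + Apply. Reduce
#    them to Read (computers must still be able to read the GPO) and grant Apply only
#    to the scoping group, so every object outside that group is excluded.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'GPO-Apply-StandardDesktop' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Review the result before declaring the change done.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
(Get-GPO -Name $gpoName).Id     # the GUID under which this GPO's template is stored in SYSVOL
```

Stress the point made in the text: filtering is the exception, not the design. The default (Authenticated Users: Apply) is what you want for a GPO that was designed to apply broadly to the OU it is linked to.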
Unit Learning Outcome(s) attached to this activity:
Describe Group Policy.
Course Objective(s) supported by this activity:
CO7. Analyze Group Policy applications
Key Concept: Planning & Implementing Group Policy
Explore Activity 2: Implementing Group Policy
In-class Activity, Ungraded
Description:
Explain the following:
Because of the power and myriad options available via Group Policy, as well as the hierarchical
way GPOs are applied, it is important to approach the design of Group Policy Objects (GPOs)
thoughtfully and methodically. Although security filtering can be used to exclude objects from
receiving GPO settings, best practices are to design GPOs to broadly apply to all objects within
the OU, domain and/or site to which they are applied.
It is important to understand that there are three distinct types of GPO:
o Local: Stored on the local computer, these GPOs have fewer configuration options and
cannot be used to redirect folders or install software.
o Domain: Created in Active Directory and linked to OUs, domains and/or sites, these are
stored in both the Group Policy Container (GPC, an AD object storing GPO properties)
and the Group Policy Template (GPT, located in the Policies subfolder of the SYSVOL
share).
o Starter: These are new to Windows Server 2008 and can be used as a starting point
(template) for creation of a new GPO.
Domain and local GPOs can be used in concert. If conflicting settings exist between local and
domain GPOs, domain GPOs take precedence.
The Group Policy Container (GPC) can be viewed via the Active Directory Users and Computers
console.
Group Policy Templates (GPTs) can be viewed by navigating to the SYSVOL share on a DC, e.g.
C:\Windows\Sysvol\Sysvol\mydomain.local\Policies. GPTs are represented by GUIDs, e.g.
{6AC1786C-016F-11D2-945F-00C04FB984F9} (the Default Domain Controllers Policy).
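Because every domain GPO has these two halves (GPC in AD, GPT in SYSVOL), a useful demonstration is to check that they agree. The following added PowerShell example (not from this guide or the MOAC text) enumerates the groupPolicyContainer objects, finds each one's GPT folder via its gPCFileSysPath attribute and compares the GPC versionNumber with the Version line in gpt.ini. A mismatch means AD replication and SYSVOL replication are out of step, which is a common cause of clients applying stale settings. The domain DN is an assumption.

```powershell
# Added example (not from the instructor guide). The domain DN is assumed.
Import-Module ActiveDirectory

$domainDN = 'DC=corp,DC=example'

# The GPC half: one groupPolicyContainer object per GPO under CN=Policies,CN=System.
$gpcs = Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' `
    -SearchBase "CN=Policies,CN=System,$domainDN" `
    -Properties displayName, gPCFileSysPath, versionNumber

foreach ($gpc in $gpcs) {
    # The GPT half: a folder named by the GPO GUID under the SYSVOL Policies share.
    $gptIni = Join-Path $gpc.gPCFileSysPath 'gpt.ini'
    if (-not (Test-Path $gptIni)) {
        Write-Warning "$($gpc.displayName): GPC exists but GPT is missing at $($gpc.gPCFileSysPath)"
        continue
    }

    # gpt.ini carries a 'Version=' line that must match the GPC versionNumber.
    $gptVersion = $null
    foreach ($line in Get-Content $gptIni) {
        if ($line -match '^Version=(\d+)') { $gptVersion = [int]$Matches[1] }
    }

    $status = if ($gptVersion -eq [int]$gpc.versionNumber) { 'OK' } else { 'VERSION MISMATCH' }
    '{0,-40} {1} GPC={2} GPT={3} {4}' -f $gpc.displayName, $gpc.Name, $gpc.versionNumber, $gptVersion, $status
}
```

The $gpc.Name value printed is the CN of the container, i.e. the same {GUID} that names the GPT folder, which lets students connect the ADUC view of the GPC with the SYSVOL folder they browsed above.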
Unit Learning Outcome(s) attached to this activity:
Implement Group Policy.
Course Objective(s) supported by this activity:
CO3. Configure Active Directory.
CO7. Analyze Group Policy applications
Security Options: Allows configuration of digital signing, driver installation, floppy/CD-ROM access, etc.
Under Computer Configuration, Windows Settings, Security Settings, you will also find:
o Restricted Groups, which allows configuration of group-membership lists (who belongs to
which group, eg Local Administrators or Backup Operators).
o System Services, which allows configuration of startup and security settings for services
running on the computer.
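Restricted Groups and System Services are enforced at each policy refresh, so a useful classroom check is to look at a computer between refreshes and see whether the actual state matches what the GPO defines. The following added PowerShell example (not from this guide or the MOAC text) lists the current members of the local Administrators group, reports anyone outside an expected list, and shows the startup mode of two services. The expected member list and the service names are assumptions for illustration.

```powershell
# Added example (not from the instructor guide). The expected member list and the
# service names are assumptions for illustration.

# Current membership of a local group, read through the WinNT ADSI provider
# (works on Windows Server 2008 / Windows 7 without newer cmdlets).
function Get-LocalGroupMembership {
    param([string]$GroupName = 'Administrators', [string]$Computer = '.')
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# What the Restricted Groups policy is expected to enforce on workstations.
$expected = @('Administrator', 'Domain Admins', 'WS-LocalAdmins')

$actual     = @(Get-LocalGroupMembership)
$unexpected = @($actual | Where-Object { $expected -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected members of local Administrators: $($unexpected -join ', ')"
} else {
    'Local Administrators membership matches policy.'
}

# System Services: confirm the startup mode and state the GPO is supposed to set,
# e.g. Telnet and Remote Registry disabled on workstations.
Get-WmiObject -Class Win32_Service -Filter "Name='TlntSvr' OR Name='RemoteRegistry'" |
    Select-Object Name, StartMode, State
```

If the membership differs right after a refresh (gpupdate /force), the GPO is not being applied; if it only differs some time after a refresh, someone is adding members locally and Restricted Groups is simply reverting them, which is worth investigating rather than ignoring.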
Under User Configuration, Policies, Administrative Templates, System, you can administratively
control the amount of storage space that can be used for user data (disk quotas). Quotas can be
configured to log disk-use overage, warn the user and/or enforce disk-usage limitations.
LAB PORTION
You are an IT consultant and receive the following email from a client. Respond with recommendations
and considerations to the following questions:
To: IT Consultant
We have an existing network consisting of approximately 40 workstations in a Windows Workgroup
environment. We do not currently take advantage of local policies to control user/computer configuration,
as it is too cumbersome to manage on each individual computer. We are implementing an Active
Directory Domain and are excited about the possibility of being able to control user and computer settings
particularly from a security perspective.
We understand that there are hundreds and hundreds of options for things we can control and are hoping
you can help us by recommending the most important initial policies. Users have had complete control of
their desktops up to this point, so we would like to strike a balance between trust and control!
Thank you,
Business Manager
Unit Learning Outcome(s) attached to this activity:
Recommend policies to control user/computer configuration.
Course Objective(s) supported by this activity:
CO7. Analyze Group Policy applications
Unit Summary:
This unit covered Group Policy, the function and value of Group Policy Objects, and how some of the
computer and user settings can be configured and applied. Policy processing, refresh intervals and
maintenance were also covered.
Unit 9: Performing Software Installation with Group Policy and Planning a Group
Policy Management and Implementation Strategy
Course Objectives Covered by this Unit
CO3. Configure Active Directory.
CO7. Analyze Group Policy applications
CO8. Analyze different techniques to secure Windows Server 2008
CO9. Use different methods to maintain and troubleshoot Active Directory servers.
Unit Learning Outcomes
Manage Software through Group Policy.
Install Software with Group Policy.
Manage Group Policy.
Filter Group Policy Scope.
Test and Troubleshoot GPO Results.
Perform software installation with Group Policy.
Determine information needed to develop an implementation scenario.
Recommend an approach for installing software.
Key Concepts
Managing Software with Group Policy
Implementing Software with Group Policy
Restricting Software with Group Policy
Managing Group Policy
Filtering Group Policy Scope
Testing GPO Results
Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 9 Performing Software Installation with Group Policy
Lesson 10 Planning a Group Policy Management and Installation Strategy
Keywords
Use the following keywords to search for additional materials to support your work:
Distribution Share
Hash Algorithm
.msi File
System Development Life Cycle (SDLC)
.zap File
Common Information Management Object Model (CIMOM)
GPResult
Resultant Set of Policy (RSoP).
Windows Management Instrumentation (WMI)
Learning Activities
THEORY PORTION
Key Concept: Managing Software with Group Policy
Explore Activity 1 Understanding Group Policy Software Management
In-class Activity, Ungraded
Description:
Explain to students the following:
One of the most onerous tasks of administering a computer network is installation, maintenance
and management of software applications. Group Policy provides tools to dramatically increase
the efficiency and control of installing, upgrading, patching and removing software from domain
computers.
The System Development Life Cycle (SDLC) is an industry standard, structured approach to
development of information systems software, projects and components. The Software Life cycle
is a derivative specific to the life cycle of business applications, from evaluation to deployment to
discontinuation of use. Specific phases of the Software Life Cycle include:
o Planning: Analysis, compatibility, installation methods.
o Implementation: Prep for deployment.
o Maintenance: Tasks required to keep the software application running smoothly.
o Removal: Clean removal in preparation for a new software life cycle.
Group Policy can assist particularly in the last three phases of the Software Life Cycle.
Windows Server 2008 uses the Windows Installer to install and manage an .msi file. An .msi is a
relational database file. The Windows Installer Service on the client-side uses the .msi file to
install, manage, patch and remove the managed application.
Many software applications are available in an .msi package, particularly Microsoft applications,
such as Microsoft Office. However, sometimes the .msi package needs to be customized for a
particular implementation, in which case an .mst (msi transform) can be created for custom
deployment.
.msp files are patch files, used to apply updates, service packs or hot fixes to installed .msi
applications.
Software applications that are not available in an .msi format can be repackaged using a
third-party application (Wyse, Altiris, etc.), creating an .msi that supports Group Policy management
and deployment features.
When an application cannot be repackaged as an .msi, a .zap file can be created to publish an
application. A .zap file, much like an .ini file, contains additional package installation information,
but does not fully support all of the Group Policy deployment and management options: it can only
be published, not assigned; cannot be configured for unattended installation; may require manual
privilege elevation; cannot be automatically removed, etc.
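Since the text describes an .msi as a relational database that the Windows Installer service reads, an added PowerShell example (not from this guide or the MOAC text) can show students exactly that: it queries the package's Property table through the Windows Installer COM API before the package is published from a distribution share, records the file's SHA-256 so later changes to the staged package are detectable, and lists who can write to the share. The UNC path and share name are assumptions.

```powershell
# Added example (not from the instructor guide). The distribution share path is assumed.

# An .msi is a relational database: read deployment-relevant rows from its Property
# table. WindowsInstaller.Installer is the COM automation interface of Windows Installer.
function Get-MsiProperty {
    param([string]$MsiPath, [string]$Property)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # 0 = msiOpenDatabaseModeReadOnly
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))
    $sql  = "SELECT Value FROM Property WHERE Property='$Property'"
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($rec) { $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1)) }
}

# SHA-256 via .NET so it also works on PowerShell 2.0 (no Get-FileHash there).
function Get-FileSha256 {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

$msi = '\\corp.example\software$\Acme\AcmeTool-2.1.msi'   # package on the distribution share

foreach ($p in 'ProductName', 'ProductVersion', 'ProductCode', 'Manufacturer') {
    '{0,-15} {1}' -f $p, (Get-MsiProperty -MsiPath $msi -Property $p)
}

# Record this hash when the package is staged; compare on every later audit. A changed
# .msi on the share silently changes what every future Group Policy install delivers.
'{0,-15} {1}' -f 'SHA256', (Get-FileSha256 -Path $msi)

# The share should be read-only for clients: whoever can write here controls what
# Group Policy installs on every computer that receives the package.
(Get-Acl -Path $msi).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The ProductCode printed is the GUID Windows Installer uses to recognise the installed product; it is also what a later .msp patch or an upgrade package must reference, which ties back to the .msp discussion above.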
A use-case scenario for WMI filtering might be determining hard-drive free space prior to
installation of a large application package, or determining the OS version before distribution of an
OS-specific patch.
WMI filters are not compatible with Windows 2000-based computers.
It is always advisable to design and implement Group Policy to minimize the need for Security
Group Filtering and WMI filtering, particularly because of the management overhead as well as
the system performance impact of WMI filtering on affected computers.
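A WMI filter is a WQL query that every client evaluates at policy-processing time, so the two points above (testing the query, and its performance cost) can be demonstrated locally before the filter is ever attached to a GPO in GPMC. The following added PowerShell example (not from this guide or the MOAC text) runs the two queries from the use cases above and times them. The 10 GB threshold and the OS version prefix are assumptions.

```powershell
# Added example (not from the instructor guide). Threshold and version prefix are assumed.

# Exactly the query text that would be pasted into the GPMC WMI Filters node. A GPO
# with a WMI filter is skipped on any client where the query returns no rows.
$filters = @{
    'At least 10 GB free on C:'  = "SELECT * FROM Win32_LogicalDisk WHERE DeviceID='C:' AND FreeSpace > 10737418240"
    'Windows 7 / Server 2008 R2' = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '6.1%'"
}

foreach ($name in $filters.Keys) {
    $sw   = [System.Diagnostics.Stopwatch]::StartNew()
    $rows = @(Get-WmiObject -Query $filters[$name] -ErrorAction Stop)
    $sw.Stop()

    $verdict = if ($rows.Count -gt 0) { 'APPLIES' } else { 'SKIPPED' }
    # The elapsed time is paid on every client at every policy refresh that evaluates
    # the filter; slow WMI classes are the performance impact the text warns about.
    '{0,-28} {1,-8} {2} row(s) in {3} ms' -f $name, $verdict, $rows.Count, $sw.ElapsedMilliseconds
}
```

Run this on a few representative machines (a Windows 7 client, a server, a machine with a full disk) so students see the same filter applying on one and skipping on another, and note the timing difference between cheap classes such as Win32_OperatingSystem and expensive ones.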
LAB PORTION
Practice Activity 1: Lab 1: Software Distribution and Controlling Group Policy
In-class Activity, Graded
Description
See the Lab Manual: Lab 9.
Estimated Time: 100 minutes
Unit Learning Outcome:
Perform software installation with Group Policy.
Course Objective(s) supported by this activity:
Analyze Group Policy applications.
Unit Summary:
This unit covered software distribution, management and maintenance via Group Policy Objects, as well
as planning considerations, securing software via Group Policy, and the tools available for testing and
troubleshooting Group Policy Object inheritance.
Key Concepts
Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 11 Active Directory Maintenance, Troubleshooting and Disaster Recovery
Keywords
Use the following keywords to search for additional materials to support your work:
ADSIEdit
Authoritative Restore
Boot Configuration Data (BCD)
Dsacls
Extensible Storage Engine (ESE)
LDP
Nltest
Repadmin
Tombstone
Wbadmin
Windows PowerShell
Learning Activities
THEORY PORTION
As you leverage Windows Server 2008 Active Directory technologies in your environment, it
becomes increasingly important to develop a proactive, as opposed to reactive, approach to
managing and maintaining AD components, including monitoring, troubleshooting, backup and
restore.
As previously discussed, Active Directory stores information in a database. The database is
transactional, based on the Extensible Storage Engine (ESE) format. A transaction can contain
more than one change. Requests for modifications occur as follows:
o AD writes the transaction to a transaction buffer located in memory (RAM).
o AD writes the transaction to the transaction log file (edb.log) before writing it to the
database. The edb.log file grows to 10 MB by default and is then renamed sequentially
(edbx.log, e.g. edb1.log).
o AD writes the transaction from the transaction buffer to the ntds.dit database.
o AD compares the transaction to the edbx.log to ensure it matches.
o AD updates the edb.chk (checkpoint file), which contains references to transaction points
in the log file for use in a recovery scenario.
The aforementioned process allows AD to process multiple transactions before writing them to
the DB.
As changes/modifications occur in the AD database, fragmentation can occur (data becomes
spread inefficiently across the disk). Defragmentation rearranges the data contiguously for
greatest efficiency and performance. AD supports two types of defragmentation:
o Online Defragmentation: A process called garbage collection runs automatically every 12
hours by default on DCs. Online defragmentation runs as part of the garbage collection
process but does not reduce the size of the AD DB. Tombstones (what is left behind after
an object is deleted from AD) are also deleted during garbage collection, as well as
unneeded log files.
o Offline Defragmentation: Running an offline defragmentation is a manual process that
requires the AD service to be offline (unavailable to service requests). In previous versions
of AD, this required restarting the server in Directory Services Restore Mode (DSRM), but
in Windows Server 2008 AD behaves like a normal Windows service and can be
stopped and restarted (Restartable Active Directory Domain Services).
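To tie the database description and the two defragmentation types together, here is an added PowerShell example (not from this guide or the MOAC text). It locates ntds.dit and the edb*.log files from the NTDS service parameters, reads the garbage-collection interval and tombstone lifetime from the Directory Service object, and then performs an offline defragmentation using Restartable AD DS and ntdsutil, following the documented compact/replace/integrity sequence. The scratch folder D:\Defrag is an assumption.

```powershell
# Added example (not from the instructor guide). The scratch folder is assumed.
Import-Module ActiveDirectory

# 1. Where this DC keeps the database and the transaction logs.
$ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $ntds.'DSA Database file'            # ...\ntds.dit
$logDir = $ntds.'Database log files path'      # edb.log, edbNNNNN.log, edb.chk
Get-Item $dbFile | Select-Object FullName, Length
Get-ChildItem $logDir -Filter 'edb*' | Select-Object Name, Length

# 2. Garbage-collection interval (hours) and tombstone lifetime (days) are forest-wide
#    settings on the Directory Service object; when an attribute is absent the default
#    applies (12 hours for garbage collection, as noted above).
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties garbageCollPeriod, tombstoneLifetime |
    Select-Object garbageCollPeriod, tombstoneLifetime

# 3. Offline defragmentation with Restartable AD DS: no reboot into DSRM is needed.
#    Take a system state backup first; the compacted copy replaces the live database.
$scratch = 'D:\Defrag'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null

Stop-Service -Name NTDS -Force          # -Force also stops dependents (KDC, DNS, ...)
ntdsutil.exe "activate instance ntds" files "compact to $scratch" quit quit

Copy-Item -Path $dbFile -Destination "$scratch\ntds.dit.before-compact"   # keep the original
Copy-Item -Path "$scratch\ntds.dit" -Destination $dbFile -Force          # swap in the compacted copy
Remove-Item -Path (Join-Path $logDir 'edb*.log')                          # old logs no longer match

ntdsutil.exe "activate instance ntds" files integrity quit quit           # verify before restart
Start-Service -Name NTDS

Get-Item $dbFile | Select-Object FullName, Length   # compare with the size in step 1
```

Have students compare the ntds.dit size before and after step 3: online defragmentation (step 2's garbage collection) never shrinks the file, which is the difference the text draws between the two types.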
Description:
Explain the following:
Like all data in your network environment, Windows Server 2008 and the AD database should be
a part of your backup and recovery plan, planning for the possibility of hardware, Operating
System (OS) or Active Directory failure and how you will recover from a failure.
As previously discussed, Active Directory has a fault-tolerant design and it is always
recommended, even in small environments, to have more than one DC in case one DC fails. In
addition, Windows Server 2008 supports a feature called Windows Server Backup, replacing the
old ntbackup from previous versions.
Windows Server Backup supports backup from the command line, useful for scripting, via Windows
PowerShell (a new task-based scripting technology that is part of Windows Server 2008). It does
not, however, support file-level backup, only volume-level backup.
Windows Server 2008 supports both manual backups (manually initiated by a server
administrator) and scheduled backups (regularly scheduled by a server administrator) via either
the command-line or wbadmin.exe, the GUI for managing Windows Server Backup.
Scheduled backups reformat the volume on the target drive hosting the backup and therefore
must be on a local, physical drive not containing any critical volumes.
In previous versions of Windows Server, it was necessary to back up the System State data in
order to recover AD. In Windows Server 2008, critical volumes must be backed up, which
includes the following data:
o System Volume: Hosts the boot files: bootmgr.exe, the Windows boot loader; Boot
Configuration Data (BCD), which replaces boot.ini and describes boot applications and
settings.
o Boot Volume: Hosts the Windows OS and Registry.
o The Volume hosting the SYSVOL share.
o The Volume hosting the AD database (ntds.dit).
o The Volume hosting the AD DB log files.
In Windows Server 2008, System State data varies depending upon the roles installed on the
Server.
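As an added example for the backup discussion (not from this guide or the MOAC text), the following PowerShell wraps wbadmin.exe, the Windows Server Backup command-line tool. Before using a drive as a backup target it checks that the drive does not host any of the critical volumes listed above, since the text notes that scheduled backups reformat the target; it then takes a one-off system state backup and shows how a scheduled critical-volume backup is enabled. The target drive letter and schedule time are assumptions, and the disk identifier for the scheduled job is a placeholder to be read from the preceding command's output.

```powershell
# Added example (not from the instructor guide). Target drive and schedule are assumed.

$target = 'E:'

# Safety check: the target must not host a critical volume (system, boot, SYSVOL,
# ntds.dit, AD logs), because a scheduled backup reformats it.
$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$critical = @(
    $env:SystemDrive,                                          # system + boot volume
    (Split-Path -Qualifier $ntds.'DSA Database file'),         # ntds.dit
    (Split-Path -Qualifier $ntds.'Database log files path'),   # edb*.log
    (Split-Path -Qualifier $netlogon.SysVol)                   # SYSVOL share
) | Select-Object -Unique
if ($critical -contains $target) {
    throw "$target hosts a critical volume ($($critical -join ', ')); choose another backup target."
}

# One-off (manual) system state backup: AD database, SYSVOL, registry, boot files.
wbadmin.exe start systemstatebackup "-backupTarget:$target" -quiet

# Scheduled backup of all critical volumes every day at 21:00. -addtarget takes the
# disk identifier printed by 'wbadmin get disks', not a drive letter.
wbadmin.exe get disks
# wbadmin.exe enable backup "-addtarget:<disk identifier from the list above>" -schedule:21:00 -allCritical -quiet

# What backups exist on the target: the version identifiers listed here are what a
# later 'wbadmin start systemstaterecovery -version:...' refers to.
wbadmin.exe get versions "-backupTarget:$target"
```

Point students to the output of 'wbadmin get versions': the version identifier (a date and time) is the handle used for every restore scenario in the next activity.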
Description:
Explain the following:
How and when you restore AD depends upon the situation and circumstances. There are multiple
options available, as follows.
Restoration via Normal Replication: Because of AD's fault-tolerant design, including normal
replication of data from one DC to another, you may be able to just reinstall AD Services on a
failed server and let normal replication populate the AD DB.
Nonauthoritative Restore: You can use a previous backup of AD to restore a DC to a known,
good point-in-time. Restoring a single DC in this fashion is known as a nonauthoritative restore.
Following a nonauthoritative restore, normal AD replication brings the restored DC up to date.
Authoritative Restore: If you need to restore AD data that has been deleted, you will need to
perform an authoritative restore (a nonauthoritative restore will allow post-deletion updates to
replicate and re-delete restored data). An authoritative restore is more complex than a
nonauthoritative restore and requires that the AD object be restored, as well as back-links
(references to attributes in another object). The authoritative restore process creates an LDIF file
containing the back-links that must be restored.
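The authoritative restore sequence above spans two reboots, so the following added runbook (not from this guide or the MOAC text) is written as a sequence of PowerShell and command-line steps rather than one script: boot into DSRM, restore system state nonauthoritatively from a chosen backup version, mark the deleted subtree authoritative with ntdsutil, leave DSRM, and finally import the back-link LDIF file. The backup version, the deleted OU (OU=Sales) and the domain are assumptions, and the two angle-bracket values are placeholders to be filled from the preceding commands' output.

```powershell
# Added example (not from the instructor guide). Backup version, OU and domain are
# assumed; <...> values are placeholders read from earlier output.

# 1. Pick the backup version (date/time identifier) and reboot into Directory
#    Services Restore Mode. The DSRM password set at promotion time is needed next.
wbadmin.exe get versions
bcdedit.exe /set safeboot dsrepair
Restart-Computer -Force

# --- after the reboot, logged on with the DSRM administrator account ---

# 2. Nonauthoritative restore of system state from the chosen version. Do NOT start
#    AD DS normally yet: in DSRM the database is offline, which step 3 requires.
wbadmin.exe start systemstaterecovery "-version:<MM/DD/YYYY-HH:MM>" -quiet

# 3. Mark only the deleted subtree authoritative. ntdsutil raises the version numbers
#    of those objects so they win on replication instead of being re-deleted, and it
#    writes ar_<timestamp>_objects.txt plus ar_<timestamp>_links_<domain>.ldf files
#    for the back-links (e.g. group memberships) in the current directory.
ntdsutil.exe "authoritative restore" "restore subtree OU=Sales,DC=corp,DC=example" quit quit

# 4. Leave DSRM and let normal replication converge across all DCs.
bcdedit.exe /deletevalue safeboot
Restart-Computer -Force

# --- after replication has converged ---

# 5. Re-create the back-links: import the LDIF file on a DC of each domain named in
#    the file name. -k continues past 'already exists' errors for links that survived.
ldifde.exe -i -k -f "ar_<timestamp>_links_corp.example.ldf"
```

Emphasise the scope in step 3: restoring a subtree rather than the whole database limits the authoritative change to the deleted objects, so every other update made since the backup is kept.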
Description:
Explain the following:
Monitoring AD gives an IT administrator the opportunity to detect problems before they occur,
possibly avoiding service disruption, increasing system reliability and improving performance.
Event Logs are one of the tools available in a Windows Server 2008 environment to observe the
health of Active Directory. When AD is installed, a Directory Services event log is created,
accessible via the Event Viewer. Warnings (indicated by a yellow triangle with exclamation point)
and Stop Errors (indicated by a red circle with an X) should be monitored closely, analyzed and
appropriate actions taken. The Event Viewer allows easy filtering based on event level, so that
warnings and stop errors can be seen.
The Reliability and Performance Monitor can also be a useful tool, allowing you to collect real-time
performance data for immediate analysis, baseline and/or historical analysis. There are
numerous system counters that can be monitored, broken down into categories called
performance objects, with individual items called performance counters.
Some important AD performance counters include:
o Directory Replication (DRA) Inbound: Monitors the size of compressed data that was
replicated from other sites.
o DRA Outbound Bytes: Monitors the compressed size of outbound AD data.
o DS Directory Reads/Sec: Monitors the number of directory reads per second.
o NTLM Binds/Sec: Monitors the number of NT LAN Manager (NTLM) authentications per
second processed by a DC.
For a complete list of NTDS Performance Object Counters, see MOAC 70-640 Table 11-1.
For logging in greater detail, diagnostic logging can be enabled on a Windows Server 2008 DC via
the registry key HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics, changing the
default value of 0 (none) to:
o 1 (Minimal): High-level events are recorded.
o 2 (Basic): More detail than level 1.
o 3 (Extensive): More detail than level 2.
o 4 (Verbose): Significantly more detail than level 3.
o 5 (Internal): Logs all events, including debug strings and config changes.
When adjusting NTDS logging, it is advisable to gradually increase logging detail until the
necessary information is obtained, as opposed to just going directly to level 5.
Other AD diagnostic tools include:
o DCdiag: A command-line tool for analyzing the state of a DC.
o Repadmin: A command-line tool for checking replication.
o ADSIEdit: An MMC console for verifying functional levels and low-level AD editing.
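As an added example bringing the monitoring tools above together (not from this guide or the MOAC text), the following PowerShell pulls warnings and errors from the Directory Service event log, discovers and samples NTDS performance counters, raises one NTDS diagnostics category by a single level at a time as the text advises, and runs the command-line checks. The diagnostics category used (5 Replication Events) is one of the values found under that registry key; choosing it here is an assumption for illustration.

```powershell
# Added example (not from the instructor guide). The diagnostics category is assumed.

# 1. Directory Service log: warnings and stop errors only, newest first.
Get-EventLog -LogName 'Directory Service' -EntryType Error, Warning -Newest 25 |
    Select-Object TimeGenerated, EntryType, EventID, Source, Message

# 2. NTDS performance counters: discover the exact names this DC exposes, then sample.
(Get-Counter -ListSet NTDS).Counter |
    Where-Object { $_ -match 'DRA (In|Out)bound Bytes|Directory Reads|NTLM' }
Get-Counter -Counter '\NTDS\DS Directory Reads/sec' -SampleInterval 5 -MaxSamples 3

# 3. NTDS diagnostic logging: step one category up by one level (0..5) per call,
#    instead of jumping straight to 5 (Internal), and report the change so it can be
#    set back to 0 once the needed detail has been captured.
function Step-NtdsDiagLevel {
    param([string]$Category = '5 Replication Events')
    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $current = [int](Get-ItemProperty -Path $key).$Category
    if ($current -ge 5) {
        Write-Warning "$Category is already at level 5 (Internal)."
        return $current
    }
    Set-ItemProperty -Path $key -Name $Category -Value ($current + 1) -Type DWord
    "$Category : $current -> $($current + 1)"
}
Step-NtdsDiagLevel
# Reset when done:
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '5 Replication Events' -Value 0 -Type DWord

# 4. Command-line health checks named in the list above.
dcdiag.exe /q                 # quiet mode: prints only the tests that fail
repadmin.exe /replsummary     # replication status summary across all DCs
repadmin.exe /showrepl        # per-partner replication detail for this DC
```

Level 5 logging on a busy category fills the Directory Service log quickly, which is why the function only moves one level per call; students should see how much detail level 1 or 2 already adds before going further.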
LAB PORTION
Description
Estimated Time: 100 minutes
Unit Learning Outcome:
Troubleshoot Active Directory.
Course Objective(s) supported by this activity:
Use different methods to maintain and troubleshoot Active Directory servers.
Thank you,
Business Manager
This unit covered the tools available to proactively monitor and maintain Active Directory, including
backup and restore tools and strategies, event logs and command-line tools.
APPENDIX
Reminder: As a faculty member at ITT Technical Institute, it is your responsibility to securely maintain
and ensure the integrity of standardized assessments, assignments, and their accompanying answers. It
is advisable to grade all exams outside of the classroom to avoid inadvertently leaving the answers
unattended.
Final Exam
Answer Key
Question
Number
Correct
Answer
Blooms Level
CO1
Knowledge
CO1
Application
CO1
Comprehension
CO1
Analysis
CO1
Comprehension
CO1
Comprehension
CO1
Synthesis
Software
8
CO1
Evaluation
Software
9
CO1
Comprehension
10
CO1
Analysis
11
CO2
Analysis
Software
70-642: Lesson 2 - Installing the
Software
70-642: Lesson 3 - Configuring the
12
CO2
Analysis
13
CO2
Analysis
CO3
Comprehension
15
CO3
Analysis
16
CO3
Synthesis
17
CO3
Comprehension
18
CO3
Comprehension
19
CO3
Comprehension
20
CO3
Comprehension
21
CO3
Application
22
CO3
Comprehension
23
CO3
Analysis
24
CO4
Analysis
25
CO4
Analysis
26
CO4
Comprehension
27
CO5
Comprehension
28
CO5
Synthesis
29
CO6
Comprehension
30
CO8
Comprehension
31
CO8
Comprehension
32
CO8
Comprehension
User Accounts
70-640: Lesson 5 - Understanding
User Accounts
33
CO7
Analysis
CO7
Application
35
CO7
Synthesis
36
CO7
Synthesis
37
CO7
Synthesis
38
CO7
Application
39
CO8
Analysis
40
CO8
Analysis
41
CO8
Comprehension
42
CO7
Analysis
42
CO7
Comprehension
44
CO7
Comprehension
45
CO7
Analysis
46
CO7
Analysis
47
CO7
Comprehension
48
CO9
Synthesis
Active Directory
49
CO9
Synthesis
50
CO9
Application
Active Directory
70-640: Lesson 11 - Maintaining
Active Directory