
ITT TECHNICAL INSTITUTE

NT1330
Client-Server Networking II
Onsite Course

INSTRUCTOR GUIDE

-1-

08/06/2013

Client-Server Networking II

INSTRUCTOR GUIDE

Course Revision Table

Change Date   Updated Section                     Change Description                                                  Implementation Quarter
10/08/2011    All                                 New curriculum                                                      December 2011
08/06/2013    Page 9: Course-specific Lab Setup   Added explicit instructions on how to perform keyless               Immediately
                                                  installation and how to perform rearm procedures to extend
                                                  the trial period for the installed Server 2008 virtual machine


Table of Contents
COURSE OVERVIEW............................................................................................................................5
Course Summary....................................................................................................................................... 5
Critical Considerations .............................................................................................................................. 5
INSTRUCTIONAL RESOURCES ..............................................................................................................6
Required Resources .................................................................................................................................. 6
Additional Resources ................................................................................................................................ 6
COURSE MANAGEMENT .....................................................................................................................9
Technical Requirements ........................................................................................................................... 9
Test Administration and Processing ....................................................................................................... 10
Replacement of Learning Assignments .................................................................................................. 11
Communication and Student Support .................................................................................................... 11
Academic Integrity .................................................................................................................................. 11
GRADING ......................................................................................................................................... 12
COURSE DELIVERY ............................................................................................................................ 14
Instructional Approach ........................................................................................................................... 14
Methodology .......................................................................................................................................... 14
Facilitation Strategies ............................................................................................................................. 15
UNIT PLANS ..................................................................................................................................... 17
Unit 1: Introduction to Networking Concepts ........................................................................................ 17
Unit 2: Configuring and Maintaining the DHCP and DNS Server Roles .................................................. 27
Unit 3: Overview of Active Directory Domain Services, Implementing Active Directory ....................... 39
Unit 4: Working with Active Directory Sites ........................................................................................... 48
Unit 5: Global Catalog and Flexible Single Master Operations (FSMO) Roles ........................................ 56
Unit 6: Active Directory Administration ................................................................................................. 63
Unit 7: Security Planning and Administrative Delegation ...................................................................... 71

Unit 8: Introduction to Group Policy & Configuring the User & Computer Environment Using Group Policy ..... 78
Unit 9: Performing Software Installation with Group Policy and Planning a Group Policy Management and Implementation Strategy ..... 87
Unit 10: Active Directory Maintenance, Troubleshooting and Disaster Recovery ................................. 96


Course Overview
Course Summary
The typical network server operating system and its functions are the focus of this course. Areas of study
include installation, configuration, maintenance and routine administrative tasks of the network services
provided by the server in relation to its clients and other servers.

Critical Considerations
The instructor for this course should have extensive networking and teaching experience.


Instructional Resources
Required Resources
For the course textbook(s) and other required materials, review the Course Syllabus.

Additional Resources
Internal

ITT Tech Virtual Library: http://myportal.itt-tech.edu/library/Pages/HomePage.aspx
Faculty Collaboration Portals: http://myportal.itt-tech.edu/employee/dept/curriculum/FC/default.aspx
Curriculum Database: http://myportal.itt-tech.edu/faculty/cdb/Pages/default.aspx

ITT Tech Library:

Books
Books > Books24x7
Hannifin, D. (2008). Microsoft windows server 2008 R2 administrators reference: The
administrators essential reference. Syngress Publishing.
Reimer, S., Kezema, C., Mulcare, M., Wright, B., & Microsoft Active Directory Team (2008).
Windows server 2008 active directory resource kit. Microsoft Press.
Rommel, F. (2008). Active directory disaster recovery.
Shapiro, J. (2008). Windows server 2008 bible. Hoboken, NJ: John Wiley and Sons, Inc.
Tittle, E. and Koriec, J. (2008). Windows server 2008 for dummies. Hoboken, NJ: John
Wiley and Sons, Inc.

Periodicals:
Periodicals > ProQuest
BlueCat networks; BlueCat networks sets new industry standard with five-hour on-site
repair for IP address management, DNS and DHCP hardware appliances. (2011).
Computers, Networks & Communications, 172.
Active directory domain migration assistance sought by commerce department. (2011,
Jun 01). Targeted News Service.
Periodicals > LexisNexis Academic
Glanz, J. and Markoff, J. (December 5, 2010). Vast hacking by a China fearful of the web.
The New York Times.

Brodkin, J. (2011). Microsoft: Next level of virtualization unlocks server OS, applications.
Network World (Online).


External

Wiley Portal:
o Wiley Student Companion Site
Wiley offers a Student Companion Site for the course's required texts.
For the Microsoft Official Academic Course: Exam 70-640, students can log on to:
http://bcs.wiley.com/he-bcs/Books?action=index&itemId=0470874988&bcsId=5816.
For the Microsoft Official Academic Course: Exam 70-642, students can log on to:
http://bcs.wiley.com/he-bcs/Books?action=index&itemId=0470875011&bcsId=5829.
(Note: Do not use the lab manual worksheets from these sites. Your custom
worksheets are located on the Instructor Companion Site.)

Wiley Instructor Companion Site (as Course Support Package)


You can access the instructor resources for this course on the John Wiley Web site. Log
on to the Web site http://www.wiley.com/college/itt and click on the appropriate content
areas on the left hand side of the screen. Next, click on the appropriate course number
and you will be brought to the cover image of the textbook used in this course. Click the
Instructor Companion Site link located under the book title and log on using the following
details:
Username: wiley@itt-tech.edu
Password: wileyitt

Periodicals:

8 security considerations for IPv6 deployment. (2011). Network World (Online).

Solid passwords, PC firewalls stop ID thieves. (2011, Jun 25). Chattanooga Times Free
Press, pp. C.1.

Kaufmann, M. and Beaumont, L. (2005). Content networking: Architecture, protocols, and
practice. Amsterdam, Boston: Elsevier, 2005.

Parui, U. (2010). Installing client tools on a SQL server 2008 failover cluster. SQL Server
Magazine, 12(2), 9-9.

PR, N. (2011, April 7). Facebook Launches Open Compute Project to Share Custom-Engineered, Highly
Efficient Server and Data Center Technology With the World. PR Newswire US.
Saran, C. (2008). Microsoft revamps certification for Server 2008. Computer Weekly, 32.
Retrieved from EBSCOhost.
Romero, D., & Molina, A. (2011). Collaborative networked organisations and customer
communities: value co-creation and co-innovation in the networking era. Production
Planning & Control, 22(5/6), 447-472.


NOTE: All links to Web references are subject to change without prior notice.


Course Management
Technical Requirements
Recommended Classroom Setup
In addition to the typical classroom equipment such as the whiteboard, podium, student seats, etc., the
theory classroom must be equipped with the following (either stationary or mobile):

A projection system that can display images onto the wall
A computer for instructional demo purposes with the following recommended configurations:
  o CPU 1.6GHz minimum
  o RAM 2GB minimum
  o Hard Drive 20GB minimum free space
  o DVD Drive
  o Internet connectivity
  o Current version of the most popular operating system
  o Current version of the most popular Web browser
  o Current version of media players required by the curriculum
  o Current version of the most popular productivity software (such as Microsoft Office)
  o Any other additional software required by the curriculum

Standard Computer Lab Setup


For the standard computer lab setup, refer to the requirements provided in the current Course Catalog.

Course-Specific Lab Setup


Each student must use the USB external hard drive to store the virtual machine(s) installed in this course
for use in the entire course.

Installing and Re-arming Windows Server 2008

The Windows Server 2008 Evaluation Edition may be installed without activation, and it may be evaluated
for 60 days. Additionally, the 60-day evaluation period may be reset (re-armed) three times. This action
extends the original 60-day evaluation period by up to 180 days for a total possible evaluation time of 240
days.

How to Install Windows Server 2008 without Activating It
1. Run the Windows Server 2008 Setup program.
2. When you are prompted to enter the product key for activation, do not enter a key. Click No when
Setup asks you to confirm your selection.
3. You may be prompted to select the edition of Windows Server 2008 that you want to evaluate.
Select the edition you want to install.
4. When you are prompted, read the evaluation terms in the Microsoft Software License Terms, and
then accept the terms.
5. When the Windows Server 2008 Setup program is finished, your initial 60-day evaluation period
starts. To check the time that is left on your current evaluation period, run the slmgr.vbs script
that is in the System32 folder. Use the -dli switch to run this script. The slmgr.vbs -dli
command displays the number of days that are left in the current 60-day evaluation period.

How to Re-arm the Evaluation Period
When the initial 60-day evaluation period nears its end, you can run the slmgr.vbs script to reset the
evaluation period. To do this, follow these steps:
1. Click Start, and then click Command Prompt.
2. Type slmgr.vbs -dli, and then press the Enter key to check the current status of your
evaluation period.
3. To reset the evaluation period, type slmgr.vbs -rearm, and then press the Enter key.
4. Restart the computer.
This resets the evaluation period to 60 days.

Test Administration and Processing

Tests/examinations for the onsite courses are proctored by instructors in the classroom following
the schedule at the local campus. The final examination is to be conducted in the last week of
the quarter with the first half of the class time allocated to the course review and the second half
of the class time allocated to the examination. If a lab practicum is part of the final examination,
the lab practicum is to be scheduled in the lab time of the last class meeting.

It is against academic integrity and a violation of institutional policy to reveal the content of
the tests/examinations to students in any format prior to the actual time scheduled for the
test/examination. Every instructor is required to exercise diligence in protecting all testing
materials from being compromised in any form.

Grades for the course must be closed at the scheduled time mandated by the institution.

All quizzes, tests and examinations for the online courses are administered through the online
learning management system (LMS) at scheduled times.

When appropriate, the Formula Sheet provided in the Assessment document must be distributed
to students prior to unit-based, mid-term, or final examinations.


Replacement of Learning Assignments

Tests/Examinations: The instructor may add up to 20% of the items to the prescribed set without
altering the grade weight for the category. No substitution is allowed for any of the prescribed
items.

Quizzes: In some cases, standardized quizzes are provided. If there are no quizzes provided,
the instructor is encouraged to construct just-in-time items for this category. Do not alter the
grade weights allocated to this category.

Assignments/Discussions/Projects: Wherever deemed necessary, the instructor may choose to
substitute prescribed items with his or her own version without altering the grade weights
allocated to the category. The substitution items must address the same objectives as the
original items at similar levels of scope and rigor with reasonable rubrics.

Communication and Student Support

Instructors are expected to proactively engage students in the learning of the course through
active guidance, monitoring and follow-ups.

Instructors must remind students to retain all deliverables and reference documentation related to
the course assignments for the duration of the course because assignments of the later units are
built on the work completed earlier in the course.

Onsite instructors must respond to students' emails and/or phone calls within 48 hours. Graded
assignments must be returned to students by the next class meeting in most cases.

Online instructors are expected to respond to students' Ask the Instructor messages within 24
hours of receipt. Written assignments must be graded within 72 hours. Discussion forums must
be graded within 72 hours after the last day posts are due.

Academic Integrity
All students must comply with the policies that regulate all forms of academic dishonesty, or academic
misconduct, including plagiarism, self-plagiarism, fabrication, deception, cheating, and sabotage. For
more information on the academic honesty policies, refer to the Student Handbook. Check policies and
the Faculty Handbook.


Grading
The following template is required for setting up the course grade book in the ITT Technical Institute
student assessment system. Titles are to be entered as written below to enable aggregate analysis of
student learning activities.

Grading Category   Category Weight   Graded Deliverable                                                              Weight
Assignment         20%               Unit 1. Assignment 1. Windows 2008 Network Services                             2%
                                     Unit 2. Assignment 1. DHCP Troubleshooting                                      2%
                                     Unit 3. Assignment 1. Active Directory Design Scenario                          2%
                                     Unit 4. Assignment 1. AD Design Replication Scenario                            2%
                                     Unit 5. Assignment 1. AD Design Scenario: FSMO Role & GC Placement              2%
                                     Unit 6. Assignment 1. AD User/Group Design Scenario                             2%
                                     Unit 7. Assignment 1. AD Password Policy Planning                               2%
                                     Unit 8. Assignment 1. Administrative Control versus Trust: Research/Scenario    2%
                                     Unit 9. Assignment 1. GPO Planning Scenario                                     2%
                                     Unit 10. Assignment 1. AD Disaster Recovery Planning Scenario                   2%
Exercise           30%               Unit 1. Exercise 1. IP Addressing Scenario                                      3%
                                     Unit 2. Exercise 1. DNS Scenario                                                3%
                                     Unit 3. Exercise 1. Company Merger Scenario                                     3%
                                     Unit 4. Exercise 1. Site-to-Site Connectivity Scenario                          3%
                                     Unit 5. Exercise 1. AD FSMO Role Management Research: Alternate Methods         3%
                                     Unit 6. Exercise 1. AD User and Group Account Creation                          3%
                                     Unit 7. Exercise 1. AD OU Planning Scenario                                     3%
                                     Unit 8. Exercise 1. Group Policy in a Mixed Client OS Environment: Research     3%
                                     Unit 9. Exercise 1. Research Software Deployment Options                        3%
                                     Unit 10. Exercise 1. AD Troubleshooting Scenario: Troubleshooting Tools         3%
Lab                40%               Unit 1. Lab 1. Preparing a Virtual Workstation Image                            4%
                                     Unit 2. Lab 1. Configuring DNS and DHCP                                         4%
                                     Unit 3. Lab 1. Creating a Replica Domain Controller                             4%
                                     Unit 4. Lab 1. Working with Active Directory Sites                              4%
                                     Unit 5. Lab 1. Global Catalog and Flexible Single Master Operations (FSMO) Roles   4%
                                     Unit 6. Lab 1. Creating and Managing Users and Groups                           4%
                                     Unit 7. Lab 1. Employing Security Concepts                                      4%
                                     Unit 8. Lab 1. Exploring Group Policy Administration                            4%
                                     Unit 9. Lab 1. Software Distribution and Controlling Group Policy               4%
                                     Unit 10. Lab 1. Disaster Recovery and Maintenance                               4%
Exam               10%               Final Exam                                                                      10%


Course Delivery
Instructional Approach
ITT Technical Institute promotes the principles and methods of Applied Learning grounded in the
following theoretical constructs:

Merrill's Principles of Instruction, suggesting that the most effective learning products or
environments are those that are problem-centered and involve the student in: a) activation of prior
experience, b) demonstration and application of skills, and c) integration of those skills into real-world
activities

Gagné's Taxonomy of Learned Capabilities, which represents the progression of competency
development from lower-level operational skills to high-level intellectual capacity for solving
unknown, complex, ill-structured problems through application or generation of rules

Bloom/Krathwohl's Taxonomy of Educational Objectives, which determines: a) selection of specific
instructional tasks and associated outcomes, and b) assessment of learning outcomes

Keller's ARCS Model, addressing critical factors of learner motivation and engagement

The Applied Learning approach emphasizes contextualized learning experience, which empowers and
motivates students, while assisting them to develop key competencies required for employment, further
education and professional development, and active participation in their communities.

Methodology
The course design utilizes the ITT/ESI proprietary Explore-Practice-Apply model that allows students to
gradually build their knowledge and skills while engaging in meaningful and context-relevant interactions
with their peers.
[Figure: the Explore-Practice-Apply competency acquisition path]
EXPLORE: Facilitate student discovery learning, activation of prior knowledge and building connections
between new concepts and existing cognitive frameworks through interactive learning activities.
PRACTICE: Engage students in applying new concepts in the process of developing and testing new skills
through hands-on exercises, labs, role playing and modeling.
APPLY: Engage students in analysis of complex situations and development of solutions required by
learning tasks grounded in real-life/workplace contexts.

For example, if an instructor's goal is to help students understand that not all websites are equally
credible, in the Explore phase, the instructor might offer several options of advice-givers students may
encounter in their lives and ask which advisors are the most credible and why. It's possible that Mom is
more credible than the postman, for example. They might generate a list of criteria upon which to judge
reliability. Students would begin to consider what makes data trustworthy.
In the Practice phase, students begin to operate in the world of the professional, but with many
opportunities for low-stakes failure and with a coach nearby. It is here they do labs, hands-on exercises,
or problem sets that give them the idea of how practitioners in this area work. For example, students
investigating website reliability might be asked to visit several sites and look for specific criteria that the
instructor suggests they find based on their brainstormed lists from the Explore activity.
In the Apply phase, students do the work of the professional. This phase provides the opportunity for
students to demonstrate learning; they should not experience much failure. The Practice phase should
be rich with activity so that the student will be confident and competent in the Apply phase. Students
working on website reliability might now develop their own websites in this section, including appropriate
references to make it easy for others to validate the site as being a reliable and accurate source of
information.
Facilitation guidance and teaching tips are accompanied by tools and handouts found in the Course
Support Package. Examples of the Course Support Tools include: presentation slides, worksheets,
illustrations, video files, handouts, checklists and other similar instructional materials. Each tool is
assigned an identification number that allows for easy search within the Course Support Package
accompanying this Instructor Guide.

Facilitation Strategies
The following facilitation strategies are recommended for delivering this course:

Engage students in an active, experiential learning process.

Gradually increase the complexity of instructional tasks, dynamically adapted to students' current
competency level.

Promote cognitive realism by engaging students in instructional tasks that have real-world
relevance and match the activities of professionals in practice.


Engage students in learning situations where they are challenged by complex problems requiring
analytical thinking, critical reading, and systematic interaction with peers.

Provide opportunities for performing scientific inquiry and reflection on individual and group work.

Implement assessments of student learning focused on knowledge transfer into daily professional
practice.


Unit Plans
Unit 1: Introduction to Networking Concepts
Course Objectives Covered by this Unit
CO1. Install and configure a Microsoft Server 2008 server and a Windows 7 client.
CO2. Configure the Windows Server 2008 machine as a DHCP server.
Unit Learning Outcomes
Explain IP address components.
Contrast classful and classless IP addressing.
Explain the function of DNS.
Explain the function of DHCP.
Install Windows 2008 Server.
Prepare a virtual workstation image.

Key Concepts

TCP/IP Addressing, Configuration and Management


Windows 2008 Server Networking Services
Windows 2008 Server Installation

Reading
Windows 7 Configuration MOAC 70-642
Lesson 1: Introduction to Networking Concepts
Lesson 2: Installing Windows 2008 Server

Keywords
Use the following keywords to search for additional materials to support your work:

APIPA (Automatic Private IP Addressing)
CIDR Notation
DHCP
FQDN
DNS
GPT (GUID Partition Table)
Dynamic Disks
Repair Mode
Server Core

Learning Activities

THEORY PORTION

Key Concept: TCP/IP Addressing, Configuration and Management


Explore Activity 1 TCP/IP Addressing

In-class Activity, Ungraded

Description
NOTE: The knowledge in this section is already covered in the prerequisite/corequisite tree for
this course (NT1210 Introduction to Networking). However, it is still necessary to review the
important concepts to be directly applied to the Windows networking environment covered in this
course. For a comprehensive review of the networking concepts, please refer to NT1210
Introduction to Networking.
Explain to students the following:

In order for two human beings to successfully communicate (share information), they must both
agree upon and understand the rules for communication (language). Similarly, for two or more
computer systems to communicate with one another (share information), they must use an
agreed-upon set of rules that all of the systems understand. In computer networking, these rules
are called protocols. The TCP/IP protocol suite is one such set of rules and is in fact the most
common networking protocol in use today.
TCP/IP stands for Transmission Control Protocol/Internet Protocol and represents a suite of
protocols (TCP, IP, UDP, etc.) that facilitate transmission of data in a network environment.
In TCP/IP terminology, a host represents a network endpoint (a device that sends and/or receives
information on a network, e.g., a computer, printer or any other device configured with a network
interface).
In TCP/IP terminology, a network represents a logical grouping of hosts configured to send and/or
receive information with one another.
Every host on a TCP/IP network must have a unique identifier in order to send and receive data:
an IP address.
An IP address consists of two components: host and network address.
The host portion is the unique portion of the address assigned to a specific host.
The network portion is the same for all hosts on a given network.
The subnet mask is used to identify which part of the IP address is host and which part is
network.

Activity:

Have students research the various components of the TCP/IP suite, identifying some common protocols
and where they reside in the suite (i.e., HTTP is a transport-layer protocol utilizing TCP.)
Unit Learning Outcome(s) attached to this activity:
Explain IP address components.
Course Objective(s) supported by this activity:
Install and configure a Microsoft Server 2008 server and a Windows 7 client.

Estimated Time: 20 minutes

Explore Activity 2: IP Addressing


In-class Activity, Ungraded

Description:
Explain the following:

TCP/IP has been around for many years and, like most technologies, has undergone
changes and revisions. The most popular version of TCP/IP in use today is IPv4 (Internet
Protocol version 4). IPv6 (Internet Protocol version 6) is gaining acceptance and has been
redesigned to meet the demands of current network environments.
An IPv4 address is made of 32 bits, divided into four eight-bit (eight bits equals one byte) parts
called octets, often represented in dotted-decimal format:
o 32-bit address: 11000000000000010000000000000011
o The same address broken into octets: 11000000.00000001.00000000.00000011
o The same address written in dotted decimal: 192.1.0.3
An IPv4 address can represent a finite number of unique options for network/host address: 2^32
possible addresses.
When IPv4 was first introduced, the first 8 bits (first octet) were used for the network portion and
the remaining 24 bits (three octets) were used for hosts. This limited the number of networks to 2^8
or 254, which was inadequate.
The next revision of IPv4 address allocation defined classes of address, each class having a
different number of bits allocated to network. This is called classful addressing:
o Class A: The most significant or leftmost bit in a class-A network is 0, using the remaining
7 bits of the first octet for the network portion and the remaining bits for hosts.
o Class B: The most significant or leftmost two bits in a class-B network are 10, using the
remaining 14 bits of the first two octets for the network portion and the remaining bits for
hosts.
o Class C: The most significant or leftmost three bits in a class-C network are 110, using
the remaining 21 bits of the first three octets for the network portion and the remaining bits
for hosts.
o Class D: Multicast

o Class E: Reserved/Experimental
Classful addressing greatly expanded the flexibility of the original IPv4 addressing design but still
proved inadequate to meet the demands of ever-growing TCP/IP network environments.
The next evolution in IPv4 addressing is called CIDR (Classless Inter-Domain Routing). CIDR is
a hierarchical structure, much like the previously described classful addressing, but it allows for
any logical division of the available 32-bit address space into network/host. This is accomplished
by including the division in the written address, aka CIDR notation:
o 10.0.0.0/8 = This is CIDR notation for a network using the first eight bits for network (thus
the /8) and the remaining 24 bits for host.
o The /8 represents a bitmask (subnet mask) that delineates the network/host portions of an
IPv4 address, e.g., 255.0.0.0
See Tables 1-1, 1-2 and 1-3 in MOAC 70-642
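The address anatomy covered in Explore Activities 1 and 2 (dotted decimal to 32 bits, the network/host split defined by the subnet mask, the leading bits that decide the class, and the CIDR prefix as a bitmask) worked through in Python as an added example. This code is not from the instructor guide or the MOAC text; the function names are my own, and it generalizes beyond the guide's 192.1.0.3 and 10.0.0.0/8 to any address and any prefix length, which is useful when checking a student's subnetting worksheet.

```python
# Added example (not from the instructor guide): IPv4 address anatomy,
# classful class detection and CIDR network/host split, standard library only.

TOTAL_IPV4_ADDRESSES = 2 ** 32  # the finite 32-bit address space


def to_bits(addr: str) -> str:
    """Dotted decimal -> 32-character binary string ('192.1.0.3' -> '1100...')."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {addr}")
    return "".join(f"{o:08b}" for o in octets)


def to_dotted(bits: str) -> str:
    """32-character binary string -> dotted decimal."""
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("need exactly 32 binary digits")
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def address_class(addr: str) -> str:
    """Classful lookup from the most significant bits of the first octet."""
    bits = to_bits(addr)
    if bits.startswith("0"):
        return "A"
    if bits.startswith("10"):
        return "B"
    if bits.startswith("110"):
        return "C"
    if bits.startswith("1110"):
        return "D"  # multicast
    return "E"      # reserved/experimental


def prefix_to_mask(prefix: int) -> str:
    """CIDR prefix length -> dotted-decimal subnet mask (/8 -> 255.0.0.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return to_dotted("1" * prefix + "0" * (32 - prefix))


def split_network_host(cidr: str) -> dict:
    """Split 'a.b.c.d/n' into the network portion (shared by all hosts on the
    network) and the host portion (unique to one host), as the mask defines."""
    addr, prefix_s = cidr.split("/")
    prefix = int(prefix_s)
    mask = prefix_to_mask(prefix)          # also validates the prefix
    bits = to_bits(addr)
    network_bits = bits[:prefix] + "0" * (32 - prefix)
    host_bits = bits[prefix:]
    return {
        "class": address_class(addr),
        "mask": mask,
        "network": to_dotted(network_bits),
        "host_bits": host_bits,
        "host_number": int(host_bits or "0", 2),
        "host_addresses": 2 ** (32 - prefix),  # size of the host space
    }


if __name__ == "__main__":
    print(to_bits("192.1.0.3"))                    # the guide's worked octets
    print(split_network_host("10.0.0.0/8"))        # the guide's CIDR example
    print(split_network_host("172.16.5.9/12"))     # a non-octet-aligned prefix
```

Running it prints the guide's 11000000000000010000000000000011 for 192.1.0.3 and shows that /12 on 172.16.5.9 yields network 172.16.0.0 with mask 255.240.0.0, a case where the boundary falls inside an octet and students most often go wrong.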

Activity:
Have students discuss which IP address ranges they use at home, in the classroom and at work. Are they
classful? What class are they?
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Explain IP address components.
Contrast classful and classless IP addressing.
Course Objective(s) supported by this activity:
Install and configure a Microsoft Server 2008 server and a Windows 7 client.

Explore Activity 3: Introducing IPv6


In-class Activity, Ungraded

Description:
Explain the following:

When IPv4 was first implemented, 2^32 seemed like an abundant address space (about 4 billion).
With the explosion of corporate networks and the Internet, this address space is quickly being
exhausted, necessitating the development of IPv6.
IPv6 has been developed to address many of the shortcomings of IPv4, chiefly address
exhaustion. IPv6 uses 128-bit address space, allowing for about 340 billion addresses.
IPv6 addresses are written in hexadecimal format. Sequential zeroes can be suppressed by
using a single zero per group or a double colon for all contiguous zero groups, thus these all represent
valid ways to write the same address:
o 2001:0000:0000:0000:0000:0000:0000:7334

o 2001:0:0:0:0:0:0:7334
o 2001::7334
Although IPv6 has been supported since Windows 2003, Windows Vista, Windows 7 and
Windows 2008 include IPv6 support natively and it is enabled by default.
There are many additional enhancements to IPv6, including native support for IPSec, etc.
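The zero-suppression rules just listed, worked through in Python as an added example (not code from the instructor guide). It expands the guide's three spellings of 2001::7334 back to eight 16-bit groups, compresses the long form again, and cross-checks against the standard library's ipaddress module. One rule the guide leaves implicit is applied here: only one "::" may appear, and it is used for the longest run of two or more zero groups (a single zero group stays as "0"), which is what RFC 5952 recommends. Function names are my own; embedded IPv4 notation such as ::ffff:192.0.2.1 is deliberately not handled.

```python
# Added example (not from the instructor guide): expand and compress IPv6
# addresses by hand, then verify against the standard library.
import ipaddress


def expand_ipv6(addr: str) -> list:
    """Return the eight 16-bit group values, expanding a single '::'."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}: {addr}")
    values = [int(g, 16) for g in groups]          # rejects non-hex text
    if any(not 0 <= v <= 0xFFFF for v in values):
        raise ValueError("group value out of 16-bit range")
    return values


def full_form(addr: str) -> str:
    """Eight zero-padded groups, e.g. 2001:0000:0000:0000:0000:0000:0000:7334."""
    return ":".join(f"{v:04x}" for v in expand_ipv6(addr))


def compress_ipv6(addr: str) -> str:
    """Drop leading zeros in each group and replace the longest run of two or
    more zero groups with '::' (first such run wins on a tie)."""
    groups = expand_ipv6(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexes = [f"{v:x}" for v in groups]
    if best_len < 2:                      # a lone zero group is written as '0'
        return ":".join(hexes)
    head = ":".join(hexes[:best_start])
    tail = ":".join(hexes[best_start + best_len:])
    return f"{head}::{tail}"


def same_address(a: str, b: str) -> bool:
    """True when two spellings denote the same 128-bit address."""
    return expand_ipv6(a) == expand_ipv6(b)


def matches_stdlib(addr: str) -> bool:
    """Cross-check the hand-rolled forms against ipaddress.IPv6Address."""
    ref = ipaddress.IPv6Address(addr)
    return compress_ipv6(addr) == ref.compressed and full_form(addr) == ref.exploded


if __name__ == "__main__":
    for spelling in ("2001:0000:0000:0000:0000:0000:0000:7334",
                     "2001:0:0:0:0:0:0:7334", "2001::7334"):
        print(f"{spelling:40} -> {full_form(spelling)} -> {compress_ipv6(spelling)}")
```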

Activity:
Search the Internet for information on IPv4 address exhaustion and the adoption of IPv6, such as can be
found at the link below:
http://technet.microsoft.com/en-us/network/bb530961
Discuss the ramifications.
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Explain IP address components.
Course Objective(s) supported by this activity:
Install and configure a Microsoft Server 2008 server and a Windows 7 client.

Key Concept: Windows 2008 Server Networking Services


Explore Activity 4 Introduction to Windows 2008 Network Services
In-class and Homework Activity, Graded

Description:
Explain the following:

Windows 2008 Server provides a platform for delivery and management of most networking
services, including Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP),
Routing and Remote Access Service (RRAS), Network Access Protection (NAP) and many
others.
Domain Name System (DNS):
o As learned previously, all hosts on a TCP/IP network must have a unique address, eg
192.168.0.1 or 2001:0:0:0:0:0:0:7334.
o When sharing resources on a network, often the resource must be designated by the
name of the host providing the resource.
o DNS provides a mechanism to make it easier for a human being to access a resource on
another system by assigning it a convenient name.
o For example, if a user wants to access a website hosted on a system with the address of
192.168.111.23, by using DNS the user could just type sales.mycompany.com into their
web browser.
o In this example, the user would need to know the name: sales.mycompany.com and
DNS would resolve (name resolution) this name to an IP address, providing this
information to the web browser to make the request for the resource.
o To allow for scalability (ease of use in small to very large environments), DNS has a
hierarchical naming convention broken into root-level, top-level, second-level and
subdomains.
Root is represented by a .
Top-level is to the right of the .
Second-level is to the left of the .
Subdomains are to the left of the second-level
o For example: Redmond.microsoft.com
The right-most period represents the root
com represents the top-level
Microsoft represents the second-level
Redmond represents the subdomain
o Thus redmond.microsoft.com represents a fully qualified domain name (FQDN), mapping
a specific host to an IP address relative to its subdomain and company.
DHCP (Dynamic Host Configuration Protocol)
o As learned previously, all hosts on a TCP/IP network must have a unique address, (i.e.,
192.168.0.1 or 2001:0:0:0:0:0:0:7334.)
o Assigning these addresses is a trivial task if you have two or three computers in
your network, but imagine assigning and managing this task for 500 or 1,000 computers!
o DHCP provides a mechanism for easily assigning addresses to systems dynamically.
o Manually assigning an address to a given host is called static IP address assignment,
which is practical and required in some situations but quickly becomes unmanageable in
large environments.
o DHCP allows for a centrally managed pool of addresses to be configured, including
additional parameters like Gateway and DNS, and dynamically allocated to hosts upon
request.
o When a host is configured as a DHCP client, upon boot it will send a broadcast request
looking for a DHCP server. The DHCP server will respond and allocate an IP address to
the host, as well as additional parameters that may have been configured.
o If a Windows host is configured as a DHCP client and does not receive a response from
a DHCP server, the host will automatically assign itself an address using APIPA
(Automatic Private IP Addressing), a function of Windows.
RRAS (Routing and Remote Access Service)
o The transmission of data across a network from one LAN to another LAN is called
routing.
o RRAS allows Windows 2008 to act as a router, facilitating transmission of data between
two LANs.
o RRAS requires two network interfaces in a Windows 2008 Server, one connected to each
LAN.

o Routing can be as simple as facilitating data transfer between two LANs or as complex
as routing traffic from one side of the world to the other. RRAS in a Windows 2008
environment is designed to facilitate routing in a small-business environment. More
complex environments generally require dedicated routing hardware.
NAP (Network Access Protection)
o Network security is an increasingly critical concern in today's network environments. In
many corporate networks, any computer can be plugged into any available network jack
and effectively have access to the corporate network.
o NAP is a new feature in Windows 2008 that allows configuration of administrative policies
to define criteria for any given system to access the corporate network, such as requiring
up-to-date antivirus software or proper firewall configuration prior to access.
o A system that does not meet the NAP configured policies can be placed in quarantine,
disallowed from network access until policy requirements are met.

Activity:
Have students discuss IT-management overhead in reference to DNS and DHCP, with the following
question in mind: How many hosts does it take to justify the time and effort to set up a centrally managed
solution for name resolution and address allocation? (In other words, is it worth setting up DHCP for two
computers, how about five, how about 25?)
Ask students to write a 1-page report summarizing IT-management overhead in reference to DNS and
DHCP.
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Explain the function of DNS.
Explain the function of DHCP.
Course Objective(s) supported by this activity:
Install and configure a Microsoft Server 2008 server and a Windows 7 client.
Configure the Windows Server 2008 machine as a DHCP server.

LAB PORTION
Key Concept: Windows 2008 Server Installation
Explore Activity 5: Installing Windows 2008
In-class Activity, Ungraded

Description:

Explain the following:

Prior to installation of Windows 2008, some decisions must be made. What type of hardware
(physical, virtual, etc.) will be used? Will a clean installation be done (installation to new hardware
or completely reinitialized hardware), or will Windows 2008 be installed on a system with existing
data? Which version of Windows 2008 will be installed (full or Server Core)?
When installing Windows 2008, you will be presented with many of the above choices.
Performing a clean install is recommended.
The first step in the actual installation of Windows 2008 is booting your machine to the Windows
installation media, following which you will be presented with an installation wizard to guide you
through the steps, including language preferences, product key, type of installation, location (hard
drive partition) of installation, etc.
Following installation, you will be presented with the Initial Configuration Tasks wizard, which will
guide you through some remaining configuration steps:
o Configuring Networking: This allows configuration of the unique host IP address,
Gateway, DNS servers, etc.
o Configure Windows Firewall: The Windows Firewall is on by default. You have the
options of turning it off, allowing exceptions through the firewall, and changing the
network location, eg from Home to Work to Public. These network locations define some
general characteristics of the firewall functionality, with Public being the most restrictive.
Server Manager is a tool allowing you to manage and configure your server through a single
console.
Via Server Manager, you can add and remove functionality from your Windows 2008 Server
installation. This functionality is broken down into roles, such as the DHCP Server role or the
DNS Server role.
In addition to adding and removing roles, Server Manager allows the addition and removal of
Windows 2008 Server Features, such as Windows Server Backup or Remote Server
Administration Tools.
Storage can be managed via the Server Manager (Storage, Disk Management) option, allowing
the configuration of additional storage following Windows 2008 Server installation. Windows 2008
Server supports both basic and dynamic disks:
o Basic disks provide legacy support for older operating systems and do not support
advanced functions, like striped or spanned volumes. All disks in a Windows 2008 Server
environment begin as basic disks and can be converted to dynamic disks thereafter.
o Dynamic disks support volumes (a logical unit of disk space on one or more physical
disks), spanned volumes (free space from multiple disks), striped volumes, mirrored
volumes, etc.
o Both MBR (Master Boot Record) and GPT (GUID Partition Table) are supported. MBR
provides legacy support. GPT is recommended for disks larger than 2 TB and/or for use
with Itanium-based systems.

Activity:
Ask students to get in groups and discuss Windows 2008 Server Core functionality. Each group should
come up with two use-cases for Server Core.
Estimated Time: 20 min

Unit Learning Outcome(s) attached to this activity:


Install Windows 2008 Server.
Course Objective(s) supported by this activity:
Install and configure a Microsoft Server 2008 server and a Windows 7 client.
Configure the Windows Server 2008 machine as a DHCP server.

Practice Activity 1: Preparing a Virtual Workstation Image


Installation of VMWare, Windows 2008 Server installation.

Estimated Time: 100 min


Unit Learning Outcome(s) attached to this activity:
Install Windows 2008 Server.
Course Objective(s) supported by this activity:
Install and configure a Microsoft Server 2008 server and a Windows 7 client.
Configure the Windows Server 2008 machine as a DHCP server.

Apply Activity 1: IP Addressing Scenario


Homework, Graded
Students will respond to the following scenario with design considerations and recommendations.
Facilitation
Give students the scenario below asking them to respond in detail, justifying their recommendations.
Encourage particular awareness of future growth and design considerations.

You are an IT Administrator for a newly founded company and have been tasked with designing an IP
addressing scheme and a plan for allocation and management of IP addresses.
The company will currently have a single, physical location with approximately 145 hosts (computers,
printers, etc). IT plans should accommodate 50% growth within the next two years.
At a minimum, address these specific questions, in addition to other concerns/considerations:


1. What subnet range/s should be used?
2. Should IP addresses be dynamically or statically assigned?
3. Should one or more network/subnets be used?
4. If DHCP is used, should a router, firewall or Windows Server be utilized and why?

Unit Learning Outcome(s) attached to this activity:


Explain IP address components.
Contrast classful and classless IP addressing.
Explain the function of DNS.
Explain the function of DHCP.

Course Objective(s) supported by this activity:


Install and configure a Microsoft Server 2008 server and a Windows 7 client.

Unit Summary:
This unit reviewed TCP/IP concepts, discussed how IPv4 and IPv6 addresses are managed and
configured, and provided an introductory look at some of the networking services offered by Windows
Server 2008, which will be discussed in greater detail in later units. In addition, this unit covered the
installation of Windows Server 2008.

Unit 2: Configuring and Maintaining the DHCP and DNS Server Roles
Course Objectives Covered by this Unit
CO2. Configure the Windows Server 2008 machine as a DHCP server.
CO3. Configure Active Directory.

Unit Learning Outcomes:

Explain how DHCP works.


Install the DHCP Server role.
Analyze DHCP configuration options.
Explain DNS.
Install the DNS Server role.
Describe DNS Record Types.
Use DNS command-line tools.
Make recommendations about DNS Server.

Configure DNS.
Configure DHCP.

Key Concepts

DHCP for TCP/IP Address Management


DNS Concepts
Configuring DNS and DHCP
Troubleshooting

Reading
Windows Server 2008 Network Infrastructure Configuration MOAC 70-642
Lesson 3 Configuring and Managing the DHCP Server Role
Lesson 4 Configuring and Managing the DNS Server Role

Keywords
Use the following keywords to search for additional materials to support your work:

DHCP (Dynamic Host Configuration Protocol)


DNS (Domain Name System)
ARP (Address Resolution Protocol)
MAC (Media Access Control)
DHCPDISCOVER
CNAME (Canonical Name Resource Record)
Top-Level Domain
Host (A) Record


MX (Mail Exchanger) Resource Record

Learning Activities

THEORY PORTION

Key Concept: Using DHCP for TCP/IP Address Management


Explore Activity 1: The DHCP Server Role
In-class Activity, Ungraded

Description:

As we learned in Unit 1, in order for hosts to communicate with one another on a TCP/IP
network, they must each have a unique IP address assigned. This can be accomplished manually
via static IP address assignment, which is practical in special cases or small environments, or
dynamically through Dynamic Host Configuration Protocol (DHCP) which is extensible to
accommodate even the largest networks.
In addition to the basic requirement of a unique IP address for each host, other parameters are
practically required, such as Gateway (required for a host to communicate with another host on a
separate subnet) and DNS servers (required for hosts to translate IP addresses into friendly
names).
The DHCP Server Role in Windows Server 2008 provides a centrally administered tool for
allocating available IP addresses dynamically to hosts, in addition to providing additional
configuration parameters such as Gateway and DNS Servers.
The DHCP Server Role tracks all assigned IP addresses, allows centralized changes, such as
updating a DNS Server address which is automatically propagated to DHCP Clients, and is
extremely flexible and scalable (works in small to large environments).

Activity:
Have students discuss possible situations where static IP address assignment might be beneficial and/or
required.
Estimated Time: 15 minutes

Unit Learning Outcome(s) attached to this activity:


Explain how DHCP works.

Course Objective(s) supported by this activity:

Configure the Windows Server 2008 machine as a DHCP server.


Explore Activity 2: Understanding DHCP
In-class Activity, Ungraded

Description:

The key function of DHCP is dynamic address assignment and relies heavily on the User
Datagram Protocol (UDP) to accomplish this.
UDP is a TCP/IP Transport Layer Protocol. DHCP utilizes ports 67 (server) and 68 (client).
The key components of a DHCP infrastructure include DHCP Servers (a computer that provides
DHCP configuration to multiple clients); DHCP clients (computers that obtain DHCP configuration
information from DHCP servers); and DHCP leases (the length of time a DHCP server assigns
configuration information to a DHCP client).
The process of a client obtaining DHCP configuration information from a server involves four
steps:
o DHCPDISCOVER: The client sends a broadcast message to discover a DHCP server.
o DHCPOFFER: In response to receipt of a DHCPDISCOVER message, DHCP Servers
respond with a DHCPOFFER message containing the address of the DHCP Server, the
MAC address of the requesting client, an IP address for the client with subnet mask and
lease duration.
o DHCPREQUEST: In response to a DHCPOFFER message, the client sends a broadcast
DHCPREQUEST message to the IP Address of the DHCP Server, including the client-requested
IP address and requested parameters (DNS servers, WINS servers, etc.).
o DHCPACK: In response to a DHCPREQUEST message, the DHCP Server sends a
DHCPACK (acknowledgement) message containing a valid IP address lease.
Because DHCP IP address lease assignment is finite (8 days by default), DHCP clients
periodically attempt to renew their DHCP lease:
o First attempt is when half of the lease time has passed (known as T1).
o Second attempt (if first attempt fails) occurs at 87.5% of the lease time (known as T2).

If the T2 attempt also fails, the client will release the IP address at the end of the lease duration.
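The four-step exchange and the T1/T2 schedule above as a runnable model, added here as an example (it is neither the guide's nor Microsoft's code); the server, the address range 192.168.0.200 to 192.168.0.225 from the troubleshooting scenario later in this unit, the MAC addresses and the clock values are constructed, and the rebinding broadcast after T2 is standard DHCP behaviour the text only implies.

```python
"""Runnable model of the DISCOVER / OFFER / REQUEST / ACK exchange and of the T1 / T2
renewal schedule described above.  Added example for this guide, not Microsoft's DHCP
implementation; the addresses, MACs and clock values are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional

DEFAULT_LEASE = 8 * 24 * 3600          # Windows Server 2008 default lease: 8 days, in seconds

@dataclass
class Offer:                           # contents of a DHCPOFFER, as listed in the text
    server: IPv4Address                # address of the offering DHCP server
    client_mac: str                    # MAC address of the requesting client
    address: IPv4Address               # proposed IP address for the client
    netmask: str                       # its subnet mask
    lease_seconds: int                 # lease duration

@dataclass
class Lease:                           # what a DHCPACK leaves the client holding
    client_mac: str
    address: IPv4Address
    server: IPv4Address
    lease_seconds: int
    bound_at: int                      # client clock (seconds) when the ACK arrived
    options: Dict[str, str]            # extra parameters: router, DNS servers, ...
    t1 = property(lambda s: s.bound_at + s.lease_seconds // 2)       # first renewal: 50%
    t2 = property(lambda s: s.bound_at + s.lease_seconds * 7 // 8)   # second renewal: 87.5%
    expiry = property(lambda s: s.bound_at + s.lease_seconds)        # released if T2 fails

class DhcpServer:                      # one server hosting one scope
    def __init__(self, ip: str, first: str, last: str, options: Dict[str, str],
                 lease_seconds: int = DEFAULT_LEASE, netmask: str = "255.255.255.0"):
        self.ip, self.netmask = IPv4Address(ip), netmask
        self.options, self.lease_seconds = options, lease_seconds
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.pool = [IPv4Address(n) for n in range(lo, hi + 1)]
        self.leases: Dict[str, IPv4Address] = {}    # client MAC -> leased address
        self.online = True                           # False simulates an outage

    def on_discover(self, client_mac: str) -> Optional[Offer]:
        """DHCPDISCOVER is a broadcast; every reachable server answers with an OFFER."""
        if not self.online:
            return None
        addr = self.leases.get(client_mac)           # a returning client keeps its address
        if addr is None:
            free = [a for a in self.pool if a not in self.leases.values()]
            if not free:
                return None                          # scope exhausted: no offer
            addr = free[0]
        return Offer(self.ip, client_mac, addr, self.netmask, self.lease_seconds)

    def on_request(self, client_mac: str, wanted: IPv4Address,
                   chosen: Optional[IPv4Address], now: int) -> Optional[Lease]:
        """DHCPREQUEST names the server whose OFFER was taken; only it ACKs.  chosen=None
        is the rebinding case, where any server holding the scope may answer."""
        if not self.online or (chosen is not None and chosen != self.ip):
            return None
        held_by_other = any(m != client_mac and a == wanted for m, a in self.leases.items())
        if wanted not in self.pool or held_by_other:
            return None                              # a real server would send DHCPNAK
        self.leases[client_mac] = wanted
        return Lease(client_mac, wanted, self.ip, self.lease_seconds, now, dict(self.options))

def obtain_lease(client_mac: str, servers: List[DhcpServer], now: int) -> Optional[Lease]:
    """Client side of the four-step exchange."""
    offers = [o for o in (s.on_discover(client_mac) for s in servers) if o is not None]
    if not offers:
        return None
    chosen = offers[0]                               # clients take the first OFFER received
    for s in servers:                                # REQUEST is broadcast as well
        lease = s.on_request(client_mac, chosen.address, chosen.server, now)
        if lease is not None:
            return lease
    return None

def renewal_phase(lease: Lease, now: int) -> str:
    """Where in its lifetime a lease is at client time `now`."""
    if now < lease.t1:
        return "bound"
    if now < lease.t2:
        return "renewing"                            # T1 passed: ask the leasing server
    if now < lease.expiry:
        return "rebinding"                           # T2 passed: broadcast to any server
    return "released"                                # no renewal succeeded in time

def renew(lease: Lease, servers: List[DhcpServer], now: int) -> Optional[Lease]:
    """Renewal attempt at `now`: a fresh lease on ACK, None when no server answers."""
    phase = renewal_phase(lease, now)
    if phase not in ("renewing", "rebinding"):
        return None                                  # nothing to do before T1 or after expiry
    chosen = lease.server if phase == "renewing" else None   # unicast first, broadcast later
    for s in servers:
        new = s.on_request(lease.client_mac, lease.address, chosen, now)
        if new is not None:
            return new
    return None
```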

Unit Learning Outcome(s) attached to this activity:


Explain how DHCP works.

Course Objective(s) supported by this activity:

Configure the Windows Server 2008 machine as a DHCP server.

Explore Activity 3: Installing the DHCP Server Role


In-class Activity, Ungraded

Description:
In Windows Server 2008, the Server Manager provides an easy wizard for installation of the
DHCP Server Role:
o From Server Manager, double-click Roles.
o Click Add Role.
o Click Next then place a checkmark next to the DHCP Server role.
o Click Next and Next.
o Fill in the appropriate DNS Server information and click Next.
o Fill in the appropriate WINS Server information and click Next.
o Click Add to create a DHCP Scope (range of addresses to be allocated from this server).
o Place a checkmark next to the Activate this Scope and Ok.
o Select Enable DHCPv6 Stateless Mode and click Next.
o Select Skip Authorization of this DHCP Server in AD DS and click Next.
o Click Install on the Confirm Installation Page.
Because the DHCP Server role provides a critical network service, the DHCP Server must be
authorized in an Active Directory environment before allocating configuration information to
clients.
DHCP Servers that are active and unauthorized are called rogue DHCP servers.
To authorize a DHCP Server in an Active Directory environment, launch the DHCP Administrative
Console:
o Go to Start, Administrative Tools, DHCP.
o Right-click DHCP and click Manage Authorized Servers.
o Select Authorize and enter the name or IP Address of the DHCP Server to be authorized.
o Click Ok and Ok.
The next steps are configuring a DHCP Scope, DHCP Reservations and DHCP Options.

Unit Learning Outcome(s) attached to this activity:


Install the DHCP Server role.
Course Objective(s) supported by this activity:
Configure the Windows Server 2008 machine as a DHCP server.

Explore Activity 4: Configuring the DHCP Server Role

In-class Activity, Ungraded

Description:

After installation and authorization of the DHCP Server Role in a Windows Server 2008
environment, an address scope must be configured with appropriate options for the environment.
Optionally, address reservations may also be configured.
Configuring a DHCP scope defines the address range that a DHCP Server can allocate to clients.
A DHCP Server may have one or many defined scopes. When defining an address scope, you

can configure a range of addresses that should not be allocated to clients. This is called an
exclusion range. A scope, less its exclusion range(s), is called the available address pool.
o Go to Start, Administrative Tools, DHCP and drill down to the DHCP Server name.
o Right-click on IPv4 under the server name and select New Scope, click Next.
o Enter a name and description for the new scope and click Next.
o Enter the starting and ending IP address and subnet mask.
o Add exclusions if desired/necessary.
o Change the lease duration or accept the default and click Next.
o Choose whether or not to configure DHCP Options and click Next.
o Enter the Router (default gateway) address and click Add then Next.
o Enter the DNS server and DNS domain name and click Next.
o Enter the WINS server and click Next.
o Click Yes, I want to activate the scope now and click Next.
o Click Finish.
DHCP Reservations provide administrators a way to assign a permanent IP address to a DHCP
client without having to manually assign a static IP.
A DHCP Reservation might be used for a network-attached printer which is configured to
automatically receive an IP address from a DHCP Server but requires the same IP address
permanently so that clients can easily locate it on the network.
To Configure a DHCP Reservation:
o Go to Start, Administrative Tools, DHCP and drill down to the appropriate IPv4 scope.
o Beneath IPv4, go to Reservations, right-click and click New Reservation.
o Enter a name for the reservation (eg HR Network Printer) and the desired IP address.
o Enter the MAC address for the host, click Add and Close.
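The scope, exclusion range and reservation concepts above, together with the rogue-server concern from Explore Activity 3, as an added detection example that is not from the guide: the available pool is computed as the scope less its exclusions, and constructed DHCPOFFER log lines are audited against a list of authorized server addresses that stands in for the AD DS authorization record.

```python
"""Available address pool of a scope (scope range less exclusions) and an audit of
DHCPOFFER messages seen on the wire against the servers the administrator authorized.
Added example for this guide; scope, reservations, server list and log lines are
constructed, and the authorized-server list stands in for the AD DS authorization record."""
import re
from ipaddress import IPv4Address
from typing import Dict, List, Set, Tuple

OFFER_RE = re.compile(r"DHCPOFFER server=(\S+) client=(\S+) addr=(\S+)")


def address_range(first: str, last: str) -> Set[IPv4Address]:
    """All addresses from first to last inclusive."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if hi < lo:
        raise ValueError(f"range end {last} precedes range start {first}")
    return {IPv4Address(n) for n in range(lo, hi + 1)}


def available_pool(scope: Tuple[str, str], exclusions: List[Tuple[str, str]]) -> Set[IPv4Address]:
    """Scope less its exclusion ranges: the addresses the server may actually hand out."""
    pool = address_range(*scope)
    for first, last in exclusions:
        pool -= address_range(first, last)
    return pool


def audit_offers(lines: List[str], authorized: Set[str], pool: Set[IPv4Address],
                 reservations: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag offers that a correctly configured, authorized server would never send.

    `reservations` maps a reserved IP address to the MAC it is reserved for.  Returns
    (log line, reason) pairs; an empty list means every offer looked legitimate.
    """
    findings = []
    for line in lines:
        m = OFFER_RE.search(line)
        if m is None:
            continue                                  # not an OFFER (DISCOVER, ACK, ...)
        server, mac, addr = m.group(1), m.group(2).lower(), m.group(3)
        if server not in authorized:
            findings.append((line, f"offer from unauthorized (rogue) DHCP server {server}"))
        elif IPv4Address(addr) not in pool:
            findings.append((line, f"{addr} is outside the available address pool"))
        elif reservations.get(addr, mac).lower() != mac:
            findings.append((line, f"{addr} is reserved for {reservations[addr]}, offered to {mac}"))
    return findings


# Constructed sample: scope .200-.225 with .220-.225 excluded, one printer reservation and
# a short capture from the branch LAN (timestamps and MAC addresses are made up).
SCOPE = ("192.168.0.200", "192.168.0.225")
EXCLUSIONS = [("192.168.0.220", "192.168.0.225")]
RESERVATIONS = {"192.168.0.210": "00:1a:2b:3c:4d:5e"}      # HR network printer
AUTHORIZED = {"192.168.0.1"}                                # servers authorized in AD DS
CAPTURED = [
    "09:01:12 DHCPDISCOVER client=00:11:22:33:44:55",
    "09:01:12 DHCPOFFER server=192.168.0.1 client=00:11:22:33:44:55 addr=192.168.0.201",
    "09:01:13 DHCPOFFER server=192.168.0.77 client=00:11:22:33:44:55 addr=10.0.0.50",
    "09:02:40 DHCPOFFER server=192.168.0.1 client=00:11:22:33:44:66 addr=192.168.0.222",
    "09:03:05 DHCPOFFER server=192.168.0.1 client=00:11:22:33:44:77 addr=192.168.0.210",
]


def audit_sample() -> List[str]:
    """Reasons flagged for the constructed capture, in log order."""
    pool = available_pool(SCOPE, EXCLUSIONS)
    return [reason for _, reason in audit_offers(CAPTURED, AUTHORIZED, pool, RESERVATIONS)]


if __name__ == "__main__":
    for reason in audit_sample():
        print("ALERT:", reason)
```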

Unit Learning Outcome(s) attached to this activity:


Analyze DHCP configuration options.

Course Objective(s) supported by this activity:

Configure the Windows Server 2008 machine as a DHCP server.


Key Concept: DNS Concepts
Explore Activity 5: Understanding DNS
In-class Activity, Ungraded

Description:

The concept of Domain Name System (DNS) is very simple: map a name to an IP address for
easier communication between network devices in a TCP/IP network environment.
The Internet relies on DNS to allow users to easily find their favorite websites by name instead of
having to remember an IP address for each Web Server, eg www.myfavoritesite.com instead of
12.34.56.78.
The process of mapping names to IP addresses is called name resolution and, though simple in
concept, is complex in practice and design.
In order to scale to the largest networks in the world, DNS uses a hierarchical (ranked or tiered)
namespace structure:
o At the very top of the hierarchy is root, represented by .
o Immediately under root are the top-level domains (.com, .net, .org, etc).
o Second-level domains are below top-level domains and are typically registered to
individuals or organizations, like mycompany.com or myschool.edu.
DNS uses a fully qualified domain name (FQDN) to map a name to an IP address.

Unit Learning Outcome(s) attached to this activity:


Explain the function of DNS.
Course Objective(s) supported by this activity:
Configure Active Directory.
Explore Activity 6: Installing & Configuring the DNS Server Role
In-class Activity, Ungraded

Description:

In a Windows Server 2008 environment, the DNS Server role is classified based on the type of
host name to IP address mappings it will store. These types are called zones, which represent a
collection of address mappings for a contiguous portion of the DNS namespace.
A DNS Server can host primary or secondary zones or both. A DNS Server that does not host
any zone is called a caching-only server.
In Windows Server 2008, DNS zone information is stored either in a text file (standard zones) or in
Active Directory (Active Directory-integrated zones), and a zone can be either a forward lookup zone
(responds to queries that map a known name to an IP address) or a reverse lookup zone (responds
to queries that map a known IP address to a name).
Standard zone types include primary, secondary and stub:
o Standard primary zones host the read/write master copy of a DNS zone; only one server
can host the master copy, and it can accept dynamic updates.
o Standard secondary zones host a read-only copy of the zone to provide fault tolerance
and to balance the work load.
o Standard stub zones host only those records necessary to identify the authoritative DNS
Servers for the zone.
There are significant benefits to Active-Directory integrated DNS Zones, including fault tolerance,
enhanced security, multi-master zones and efficient replication.
To install the DNS Server Role, launch Server Manager, click Roles, Add Roles, click Next and
place a checkmark next to the DNS Server role. Click Next and Install. Upon completion click
Close.
To add a standard primary zone to your newly created DNS Server, go to Administrative Tools,
DNS. Drill down to Forward Lookup Zones, right click and click New Zone. Choose Primary Zone
and click Next. Enter the zone name, eg contoso.com, and click Next. Select Create a New File
and click Next. Select Do Not Allow Dynamic Updates and click Next, then Finish.

Unit Learning Outcome(s) attached to this activity:


Install the DNS Server role.

Course Objective(s) supported by this activity:

Configure Active Directory.

Explore Activity 7: Understanding DNS Zone Transfers and Record Types

Zone transfers copy all or part of the data in a zone. This allows secondary zones
to receive current records from the primary zone. When changes occur, the primary zone
replicates the changes to the secondary zones.
Windows Server 2008 DNS now supports both full and incremental (only changes since the last
replication are sent) zone transfers.
DNS Servers can contain many types of records, with the most common being:
o Start of Authority (SOA): This represents the original point of authority for a zone.
o Host (A): This maps a FQDN to an IP Address.
o Host (AAAA): Sometimes called a quad-A record, this maps a FQDN to an IPv6
Address.
o Name Server (NS): This record identifies a DNS Server that is authoritative for a zone.
o Mail Exchange (MX): This record designates an email server for a domain.
o Canonical Name Record (CNAME): This record contains an alias for a FQDN.
o Service Locator (SRV): These records identify servers that provide a specific network
service. Active Directory relies heavily on SRV records to identify Domain Controllers in
an Active Directory Domain.

Unit Learning Outcome(s) attached to this activity:


Describe DNS Record Types.
Use DNS command-line tools.
Course Objective(s) supported by this activity:

Configure Active Directory.

Explore Activity 8: DNS Queries

A request from a client to a DNS Server is called a query. The client software making the query is
called a DNS resolver. A resolver's request contains the FQDN in question, as well as the
resource record type (A, MX, etc.). The DNS Server receiving the query can respond with a
positive answer, which can be authoritative (a positive answer from a server with direct
authority for the zone in question) or non-authoritative; a referral (containing a helpful reference to
resource records not specifically requested in the query); or a negative answer (indicating that the
queried name does not exist, or that the record type requested for the queried name does not
exist).
Queries from a client to a server can be one of two types: iterative or recursive. An iterative query
is when a client asks a DNS Server to respond with the best information that it has available,
without checking with other DNS Servers. Recursion is the process of a DNS Server querying
other DNS Servers until it finds the answer to a query.
DNS Servers in a Windows Server 2008 environment can be configured to either support or
disallow recursive queries.
Forwarders and Conditional Forwarders can be used to tell a DNS Server where to send queries
for external DNS names. Conditional Forwarders can specify where to forward requests based
specifically on a domain name.
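A runnable model of the concepts in Explore Activities 5, 7 and 8 (the namespace hierarchy from root to subdomain, the record types, authoritative, referral and negative answers, and iterative versus recursive queries), added as an example that is not from the guide; every zone, server name and address in it is constructed, and the dictionary of servers stands in for glue records.

```python
"""Small model of what the text describes: the namespace hierarchy (root, top-level,
second-level, subdomain), the record types, the three kinds of reply (authoritative,
referral, negative) and iterative versus recursive resolution.  Added example for this
guide; every zone, server name and address below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Record = Tuple[str, str]                        # (type, data), e.g. ("A", "192.168.111.23")

def norm(name: str) -> str:
    """Lower-case and drop the trailing root dot: 'Sales.MyCompany.com.' -> 'sales.mycompany.com'."""
    return name.lower().rstrip(".")

def ancestors(name: str) -> List[str]:
    """Enclosing names, shortest first: 'a.b.com' -> ['com', 'b.com', 'a.b.com']."""
    parts = norm(name).split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - 1, -1, -1)]

def in_zone(name: str, origin: str) -> bool:   # origin "" is the root zone
    return origin == "" or name == origin or name.endswith("." + origin)

@dataclass
class Answer:
    kind: str                                   # "authoritative", "referral" or "negative"
    records: List[Record] = field(default_factory=list)   # data, or the NS names to ask next
    detail: str = ""                            # "NXDOMAIN" or "NODATA" on a negative answer

class DnsServer:
    """Authoritative for the zones it hosts, given as {origin: {name: records}}."""

    def __init__(self, name: str, zones: Dict[str, Dict[str, List[Record]]],
                 root_hints: List[str], recursion: bool = False):
        self.name, self.root_hints, self.recursion = name, root_hints, recursion
        self.zones = {norm(o): {norm(n): rr for n, rr in recs.items()} for o, recs in zones.items()}

    def query(self, qname: str, qtype: str) -> Answer:
        """One non-recursive lookup against this server's own data."""
        qname = norm(qname)
        hosted = [o for o in self.zones if in_zone(qname, o)]
        if not hosted:                              # nothing hosted: point at the root hints
            return Answer("referral", [("NS", ns) for ns in self.root_hints])
        origin = max(hosted, key=len)               # the most specific zone wins
        zone = self.zones[origin]
        for anc in ancestors(qname):                # a delegation below the origin?
            if len(anc) > len(origin) and any(t == "NS" for t, _ in zone.get(anc, [])):
                return Answer("referral", [r for r in zone[anc] if r[0] == "NS"])
        rrset = zone.get(qname)
        if rrset is None:
            return Answer("negative", detail="NXDOMAIN")     # the name does not exist
        wanted = [r for r in rrset if r[0] in (qtype, "CNAME")]
        if not wanted:
            return Answer("negative", detail="NODATA")       # name exists, type does not
        return Answer("authoritative", wanted)

    def handle(self, qname: str, qtype: str, servers: Dict[str, "DnsServer"]) -> Answer:
        """Client-facing behaviour: with recursion enabled the server chases the answer
        itself; with it disabled the client gets a referral and must iterate on its own."""
        if self.recursion and not any(in_zone(norm(qname), o) for o in self.zones):
            return resolve(qname, qtype, servers, self.root_hints[0])[0]
        return self.query(qname, qtype)

def resolve(qname: str, qtype: str, servers: Dict[str, DnsServer], start: str,
            max_hops: int = 12) -> Tuple[Answer, List[str]]:
    """Iterative resolution from `start` (a root server): follow referrals and CNAME aliases
    until an authoritative or negative answer arrives.  `servers` maps NS names to server
    objects, standing in for glue records.  Returns the answer and the servers asked."""
    trail, current, name = [], start, qname
    for _ in range(max_hops):
        srv = servers[current]
        trail.append(srv.name)
        ans = srv.query(name, qtype)
        if ans.kind == "referral":
            current = ans.records[0][1]             # ask the first listed name server
        elif ans.kind == "authoritative" and ans.records[0][0] == "CNAME" and qtype != "CNAME":
            name, current = ans.records[0][1], start    # alias: start over for its target
        else:
            return ans, trail
    raise RuntimeError(f"gave up resolving {qname!r} after {max_hops} hops")

# Constructed namespace: root -> com -> mycompany.com, each level on its own server.
SERVERS = {
    "ns.root-test": DnsServer("ns.root-test", {".": {"com": [("NS", "ns.com-test")]}},
                              ["ns.root-test"]),
    "ns.com-test": DnsServer("ns.com-test", {"com": {"mycompany.com": [("NS", "ns1.mycompany.com")]}},
                             ["ns.root-test"]),
    "ns1.mycompany.com": DnsServer("ns1.mycompany.com", {"mycompany.com": {
        "mycompany.com": [("SOA", "ns1.mycompany.com hostmaster.mycompany.com"),
                          ("NS", "ns1.mycompany.com"), ("MX", "10 mail.mycompany.com")],
        "mail.mycompany.com": [("A", "192.168.111.25")],
        "sales.mycompany.com": [("A", "192.168.111.23")],
        "www.mycompany.com": [("CNAME", "sales.mycompany.com")],
    }}, ["ns.root-test"]),
}

def lookup(qname: str, qtype: str) -> Tuple[Answer, List[str]]:
    """Resolve against the constructed namespace, starting at its root server."""
    return resolve(qname, qtype, SERVERS, "ns.root-test")
```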

Activity:
Have the students research root hints.
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Explain DNS.
Course Objective(s) supported by this activity:
Configure Active Directory.

Explore Activity 9: DNS Command-Line Tools

In addition to the DNS Server MMC console in a Windows Server 2008 environment, you can use
NsLookup and Dnscmd to troubleshoot and manage DNS.
NsLookup is part of the TCP/IP suite and can be very useful in verifying the configuration and
functionality of DNS.
NsLookup can be used as a single command, for example to retrieve the IP address for
www.microsoft.com enter nslookup www.microsoft.com at a command prompt. NsLookup also
supports interactive mode, accepting multiple commands and queries. To enter interactive mode,
just enter nslookup at a command prompt and press Enter.
You can easily change which DNS Server to send queries to by entering server x.x.x.x where
x.x.x.x represents the IP address of the DNS Server.
From a command prompt, type nslookup /? to see the options and command syntax, or type
nslookup, press Enter, then type ? and press Enter again for interactive mode help.
Dnscmd is a component of Windows Server 2008 DNS and can be used to perform most DNS
configuration tasks. This can be particularly useful for scripting DNS tasks.
Using Dnscmd, you can create, delete and view zones and records; clear cache; stop and restart
DNS services, etc.
To see zone information for the local DNS Server, at a command prompt type dnscmd localhost
/enumzones.

Unit Learning Outcome(s) attached to this activity:


Use DNS command-line tools.
Course Objective(s) supported by this activity:
Configure Active Directory.

LAB PORTION

Key Concept: Configuring DNS and DHCP

In-Class and Homework, Graded


Practice Activity 1: Lab 1: Configuring DNS and DHCP
See the Lab Manual for Lab 2: Configuring DNS and DHCP.
Estimated Time: 45 min
Unit Learning Outcome(s) attached to this activity:
Install the DHCP Server role.
Analyze DHCP configuration options.
Install the DNS Server role.
Course Objective(s) supported by this activity:
Configure the Windows Server 2008 machine as a DHCP server.
Configure Active Directory.

Key Concept: Troubleshooting


Apply Activity 1: DHCP Troubleshooting


Homework, Graded
Students will respond to the following technical support email from a junior IT admin with further questions
and considerations.
Facilitation
Give students the scenario below asking them to respond in detail with clarifying questions, suggested
approaches and/or possible solutions.
Dear IT Admin:
I am working at a branch office and have been tasked with changing out the DHCP scope to match the
overall corporate IP address scheme. The main office assigned me an IP address range of 192.168.0.200
through 192.168.0.225. I changed the scope on Friday afternoon and came in on Monday morning to
discover that only some of the workstations had picked up new leases from the new DHCP scope. Any
ideas as to what may be happening, what I might check or adjust?
Thank you,
Junior Admin

Unit Learning Outcome(s) attached to this activity:


Analyze DHCP configuration options.
Course Objective(s) supported by this activity:
Configure the Windows Server 2008 machine as a DHCP server.

Apply Activity 2: DNS Scenario


Homework, Graded
Students will respond to the following technical support email from a junior IT admin with further questions
and considerations.
Facilitation
Give students the scenario below asking them to respond in detail with clarifying questions,
recommendations and/or considerations.
Dear IT Admin:
I am working at two branch offices and have been tasked with where to place Active-Directory Integrated
DNS Servers and what type to use.
One of the branch offices is very small (maybe 5 users) and has very slow network connectivity. Do I
need a DNS Server and, if so, which type of zone should it host?
The second branch office is much larger (about 30 users) and has better network connectivity. Does this
office need a DNS Server and, if so, what type of zone would you recommend?
Thank you,
Junior Admin

Unit Learning Outcome(s) attached to this activity:


Explain DNS.
Install the DNS Server role.
Course Objective(s) supported by this activity:
Configure Active Directory.

Unit Summary:
This unit covered the configuration and management of the Dynamic Host Configuration Protocol (DHCP)
server role for Windows Server 2008, as well as the role of Domain Name System (DNS) in an Active
Directory and Windows Server 2008 environment, DNS implementation and configuration.

Unit 3: Overview of Active Directory Domain Services, Implementing Active Directory
Course Objectives Covered by this Unit
CO3. Configure Active Directory.
Unit Learning Outcomes
Explain Active Directory (AD) Services.
Describe AD Components.
Explain AD Functional Levels.
Install Active Directory Domain Services.
Configure Active Directory Domain Services.
Determine necessary information for the design of a domain hierarchy.
Determine the necessary information to design a solution in a merger scenario.
Create a replica domain controller.

Key Concepts

Active Directory Functions and Benefits


Configuring Active Directory

Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 1 Overview of Active Directory Domain Services
Lesson 2 Implementing Active Directory

Keywords
Use the following keywords to search for additional materials to support your work:

Active Directory Domain Services (AD DS)


Organizational Unit (OU)
Domain Controller (DC)
Domain Name System (DNS)
Lightweight Directory Access Protocol (LDAP)
Flexible Single Master Operations (FSMO)
Object Identifier (OID)
SYSVOL
User Principle Name (UPN)

Learning Activities

THEORY PORTION

Key Concept: Active Directory Functions and Benefits


Explore Activity 1: Active Directory Functions and Benefits
In-class Activity, Ungraded
Description:
Explain to students the following:

One of the primary benefits of a computer network is the sharing of resources (data, applications,
services, devices, etc.). Particularly in larger environments, the task of administering access to and
availability of these shared resources can be onerous. In Windows Server 2008, Active Directory
Domain Services (AD DS) provides a mechanism to centrally and efficiently manage the security,
distribution and access of network resources. AD DS scales from small to very large environments,
with the ability to manage the directory from multiple locations (multimaster replication: every
writeable domain controller accepts changes), to create trust relationships with external domains and
forests, and to replicate information for fault tolerance and redundancy.
A directory service is somewhat like a phone book for the computer network, providing a complete
listing of people and services, as well as a great deal of additional information about each entry. In
a Windows Server 2008 environment, the directory service (AD DS) is a repository of information about
people, services and data that can be centrally and securely managed.
In Windows Server 2008 there are two different directory service roles: Active Directory Domain
Services (AD DS), which is a full-featured directory service; and Active Directory Lightweight
Directory Services (AD LDS), which, as its name implies, provides a lightweight, low-overhead
directory service for applications that do not need a domain.
A Windows Server 2008 computer configured with the AD DS role is called a domain controller. It
stores the AD database and authenticates users and services (verifies who they are, using Kerberos or
NTLM). Whether an authenticated identity is then allowed to use a particular resource (authorization)
is decided by the access control list on that resource, using the group memberships the domain
controller placed in the user's token.
Because AD DS is a multimaster database, it synchronizes changes made on any domain controller to
all other domain controllers (replication), providing fault tolerance (a copy of the database, ntds.dit,
exists in multiple places), single sign-on (authentication can occur against any available domain
controller) and the ability to administer AD DS from any available domain controller.

Activity:
Have students research a Microsoft Workgroup environment and compare and contrast with AD DS.
Estimated Time: 20 minutes
-40-

08/06/2013

Client-Server Networking II

INSTRUCTOR GUIDE

Unit Learning Outcome(s) attached to this activity:


Explain Active Directory Services
Course Objective(s) supported by this activity:

Configure Active Directory.


Explore Activity 2: Understanding Active Directory Components
In-class Activity, Ungraded
Description:
Explain the following:

Some of the benefits of AD DS are that it is hierarchical and very flexible. In order to appropriately
design an AD infrastructure, it is important to understand the components and how they
interrelate.
At the most basic level, AD components fit into one of two categories: container objects (can
contain other container objects or leaf objects) and leaf objects (cannot contain other objects,
usually representing a single resource like a user or a printer).
Container objects include:
o Forest: the largest container (top of the hierarchy) and the security boundary in AD. Everything
inside a forest shares one schema, one configuration partition and one global catalog, and an
administrator of any domain in the forest should be regarded as able to affect the whole forest.
o Domain Tree: one or more domains that share a contiguous DNS namespace (e.g., lucernepublishing.com
and sales.lucernepublishing.com).
o Domain: a logical grouping of resources designated by an AD domain name; an administrative and
replication boundary, but not a security boundary.
o Organizational Unit (OU): a logical grouping of resources within a domain, usually containing
users or resources with similar security or administrative settings; OUs are where Group Policy
is linked and administration is delegated.
To organize data and facilitate efficient replication the AD DS database (ntds.dit) is divided into
multiple parts (partitions), also known as naming contexts (NCs):
o The Schema NC contains the rules and definitions for creating and modifying objects
classes and attributes in AD and is replicated to all DCs in a forest.
o The Configuration NC contains information about the physical topology of the network
and is replicated to all DCs in a forest.
o The Domain NC contains all of the resource objects, such as users and computers, for a
domain and is replicated to all DCs within a domain.
All AD objects have a common set of attributes, including:
o Unique Name: This is an object identifier and is assigned at object creation.
o Globally Unique Identifier (GUID): This is a 128-bit hexadecimal value assigned
automatically to every object in AD when it is created.
o Required Object Attributes: These represent attributes that are required for creation of an
object, eg a user account must have a unique name.
o Optional Object Attributes: These are informational attributes for an object and are not
required.
Naming is a critical component of AD, not only to organize information in a logical and
manageable structure but also to comply with the Lightweight Directory Access Protocol (LDAP, an
IETF standard) for interoperability.
Queries and modifications in AD function almost exclusively via LDAP (TCP port 389, or 636 for
LDAP over SSL/TLS).
LDAP and AD refer to objects via their distinguished name (DN) to accurately and uniquely
identify them. A DN is the entire hierarchical path to an object, starting with the object itself
and listing each parent up to the root of the domain, e.g., a user named John Smith who exists in
the Sales organizational unit of the lucernepublishing.com domain has the DN
cn=JSmith,ou=Sales,dc=lucernepublishing,dc=com.
CN = common name; OU = organizational unit; DC = domain component, one for each label of the
DNS domain name.
In addition to the DN, Windows Server 2008 AD DS supports User Principal Names (UPNs), which
are easier to use. They follow the format username@domain.com and often match the user's e-mail
address, although the UPN suffix does not have to be a real DNS domain.
As discussed in the previous unit, DNS is an integral component of AD DS: it is the mechanism
clients use to find domain controllers and other AD services.
In addition to the normal name-to-IP-address mapping covered in the previous unit, AD relies on
DNS SRV records (e.g., _ldap._tcp.dc._msdcs.lucernepublishing.com) to help clients locate domain
controllers, global catalogs and Kerberos KDCs. If DNS is not correctly integrated with AD and a
client cannot resolve these SRV records, it cannot find a domain controller, cannot authenticate and
therefore cannot gain access to network resources.
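As an added example (not part of the instructor guide or the MOAC text), the PowerShell script below does the two checks this section describes: it confirms that the SRV locator records a client depends on actually resolve, then binds to one of the DCs those records name and translates a UPN into the object's DN with an LDAP search. It assumes the lucernepublishing.com domain and the JSmith user from the text, the usual "svr hostname = ..." output format of Windows nslookup, and a DC reachable on TCP 389. It runs from any Windows Server 2008 machine with PowerShell, even one that is not a domain member, because it binds to the DC explicitly.

```powershell
# Added example: verify AD SRV records, then resolve a UPN to its DN over LDAP.
# Domain, UPN and nslookup output format are assumptions (see the lead-in).
param(
    [string]$DomainName = 'lucernepublishing.com',
    [string]$Upn        = 'jsmith@lucernepublishing.com'
)

# The locator records every domain member resolves before it can authenticate.
# _msdcs holds the forest-wide records; the gc record is answered only for global catalogs.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$DomainName",
    "_kerberos._tcp.dc._msdcs.$DomainName",
    "_ldap._tcp.gc._msdcs.$DomainName"
)

function Get-SrvTargets {
    param([string]$Name)
    # nslookup ships with Windows Server 2008; pick the target host names out of its output.
    $out = & nslookup -type=SRV $Name 2>&1
    $targets = @()
    foreach ($line in $out) {
        if ("$line" -match 'svr hostname\s*=\s*(\S+)') { $targets += $matches[1] }
    }
    return $targets
}

$firstDc = $null
foreach ($name in $srvNames) {
    $targets = @(Get-SrvTargets -Name $name)
    if ($targets.Count -eq 0) {
        Write-Warning "$name : no SRV record found - clients will fail to locate a DC"
    } else {
        Write-Host "$name -> $($targets -join ', ')"
        if (-not $firstDc) { $firstDc = $targets[0] }
    }
}

if ($firstDc) {
    # Bind to the located DC explicitly so this also works from a non-member machine.
    $domainDn = (($DomainName -split '\.') | ForEach-Object { "dc=$_" }) -join ','
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$firstDc/$domainDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Note: a UPN taken from untrusted input would need LDAP filter escaping first.
    $searcher.Filter = "(&(objectClass=user)(userPrincipalName=$Upn))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if ($result) {
        Write-Host "UPN $Upn is object $($result.Properties['distinguishedname'][0])"
    } else {
        Write-Warning "No object with UPN $Upn under $domainDn"
    }
}
```

A missing _kerberos or _ldap record for a DC that is up and running is the classic symptom of a DC whose netlogon service could not register with DNS (wrong DNS server in its TCP/IP settings, or a zone that does not allow dynamic updates), and it shows up long before any user reports a logon problem.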

Unit Learning Outcome(s) attached to this activity:


Describe AD Components
Course Objective(s) supported by this activity:

Configure Active Directory.

Explore Activity 3: AD Functional Levels


In-class Activity, Ungraded

Description:
Explain the following:

Ideally, all domain controllers in a Windows AD DS environment run the same version of Windows
Server. Unfortunately, this is often impractical, particularly in large, distributed environments.
Because of this, AD DS provides levels of interoperability among differing versions of Windows Server
and AD DS, referred to as functional levels.
AD DS supports forest and domain functional levels for backward compatibility with earlier
versions of AD DS, effectively limiting the feature set of the newer DCs to the features supported
by all of the DCs in the domain or forest.
The following domain functional levels are supported in Windows Server 2008:
o Windows 2000 native: provides backward compatibility with Windows 2000 DCs, while also
allowing Windows Server 2003 and 2008 DCs.
o Windows Server 2003: allows only Windows Server 2003 and 2008 DCs.
o Windows Server 2008: allows only Windows Server 2008 DCs.
Note: Keep in mind that a Windows Server may be able to support roles in a domain
other than DC, eg a Windows Server 2003 could provide print services in a Windows
Server 2008 domain but not act as a DC.
See Table 1-2 in MOAC 70-640, page 13, for a matrix of domain functional levels.
Forest functional levels work like domain functional levels but, instead of applying just to a
particular domain within a forest, apply to the entire forest.
Once all DCs in a particular domain or an entire forest meet the requirements, you can raise the
domain or forest functional level to support newer AD features, eg raise a domain from Windows
2000 Native to Windows Server 2003 once all DCs are at a minimum of Windows Server 2003.
See Table 1-3 in MOAC 70-640, page 15, for a matrix of forest functional levels.
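As an added example (not part of the instructor guide), the PowerShell script below performs the check the text calls for before a level is raised: it reads the current domain and forest functional levels from rootDSE and lists every DC in the domain with the highest level its operating system can participate in. The numeric levels are the msDS-Behavior-Version values (0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008, 4 = Windows Server 2008 R2); the mapping from NT version strings to levels is my own, and the script assumes it runs on a domain member with read access to the directory.

```powershell
# Added example: functional-level readiness check. Level numbers follow
# msDS-Behavior-Version; the OS-version-to-level mapping is an assumption made here.
$levelName = @{ 0 = 'Windows 2000 native'; 1 = 'Windows Server 2003 interim';
                2 = 'Windows Server 2003'; 3 = 'Windows Server 2008';
                4 = 'Windows Server 2008 R2' }

# Highest level a DC can take part in, keyed on the NT version it reports.
function Get-MaxLevelForOs {
    param([string]$OsVersion)          # e.g. "6.0 (6002)"
    switch -regex ($OsVersion) {
        '^5\.0' { return 0 }           # Windows 2000
        '^5\.2' { return 2 }           # Windows Server 2003 / 2003 R2
        '^6\.0' { return 3 }           # Windows Server 2008
        '^6\.1' { return 4 }           # Windows Server 2008 R2
        default { return -1 }          # unknown: treat as blocking
    }
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$current  = [int]"$($rootDse.domainFunctionality)"
$forest   = [int]"$($rootDse.forestFunctionality)"
$domainDn = "$($rootDse.defaultNamingContext)"

# Every DC's computer object has SERVER_TRUST_ACCOUNT (0x2000) set in
# userAccountControl; the OID is the LDAP bitwise-AND matching rule.
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$domainDn",
    '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))')
[void]$searcher.PropertiesToLoad.AddRange(@('name', 'operatingSystem', 'operatingSystemVersion'))

$ceiling = 99
foreach ($dc in $searcher.FindAll()) {
    $name = $dc.Properties['name'][0]
    $os   = $dc.Properties['operatingsystem'][0]
    $ver  = $dc.Properties['operatingsystemversion'][0]
    $max  = Get-MaxLevelForOs -OsVersion $ver
    if ($max -lt $ceiling) { $ceiling = $max }
    Write-Host ("{0,-20} {1,-32} {2,-12} max level {3}" -f $name, $os, $ver, $max)
}

Write-Host "Domain functional level : $current ($($levelName[$current]))"
Write-Host "Forest functional level : $forest ($($levelName[$forest]))"
if ($ceiling -lt 0) {
    Write-Warning 'At least one DC reports an unrecognised OS version; do not raise the level yet.'
} elseif ($ceiling -gt $current) {
    Write-Host "Every DC supports level $ceiling ($($levelName[$ceiling])); the domain level can be raised."
} else {
    Write-Host 'The domain is already at the highest level its DCs support.'
}
```

Because a raise cannot be undone on Windows Server 2008, the value of this check is that it looks at the DCs that exist in the directory rather than the ones the administrator remembers; a forgotten Windows 2000 DC in a closet is found by the LDAP query, not by the wizard's warning dialog.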

Activity:
Have the students review the matrices of AD functionality in tables 1-2 and 1-3 in MOAC 70-640 and
discuss the possible business benefits for justifying a move to a higher domain/forest functional level.
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Explain AD Functional Levels

Course Objective(s) supported by this activity:

CO3. Configure Active Directory.


Key Concept: Configuring Active Directory

Explore Activity 4: AD Implementation


In-class Activity, Ungraded

Description:
Explain the following:

At a high level, implementing AD DS involves configuring the AD DS role on one or more servers
in your environment and joining the workstations to the AD domain.
In order to install the AD DS role you must have:
o A version of Windows Server 2008 that supports AD DS: Standard Edition, Enterprise
Edition or Datacenter Edition.
o An account with local administrative privileges on the machine (and, when adding a DC to an
existing domain, Domain Admins membership or equivalent delegated rights in that domain).
o An NTFS partition to hold the SYSVOL folder (used for storing Group Policy Objects, logon
scripts, etc.).
o A minimum of 200 MB of space for ntds.dit.


o A minimum of 50 MB of space for the AD DS transaction log files.
o Properly configured TCP/IP.
o A DNS server supporting SRV Records.
To properly design and configure an AD DS implementation, it is important to know as much as
you can about the proposed environment combined with the AD components to accurately
determine space and performance requirements, eg a user object in AD requires 3,600 bytes and
an OU 1,100 bytes.
Some critical pieces of information are required to appropriately install AD DS:
o Local administrative credentials
o Domain controller type
o Domain name
o Locations for the database, log files and SYSVOL
o DNS information
o Directory Services Restore Mode (DSRM) password, used for disaster recovery.
o Installation media.
AD DS can be installed via Server Manager: Start, Server Manager, Roles, Add Roles.
Choosing Active Directory Domain Services installs only the role binaries; you must then run the
dcpromo command (or follow the link Server Manager offers) to complete configuration of AD DS,
which walks you through choosing the type of DC to configure, the domain name, DNS options and
folder locations.
Following AD DS installation and configuration, verify that AD was installed and configured
properly, particularly that the directory partitions are present and that the DNS SRV records for
the new DC have been registered.

Activity:
Have the students review the AD size requirements on page 24 of MOAC 70-640 and calculate the space
requirements for an environment with 5,000 security principals, 50 OUs, 15 certificates and 15,000
ACEs.
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Install Active Directory Domain Services

Course Objective(s) supported by this activity:

Configure Active Directory.

Explore Activity 5: Configuring AD


In-class Activity, Ungraded

Description:
Explain the following:

Some of the configuration tasks in managing an AD DS environment include raising domain/forest
functional levels, removing AD DS from a DC, installing and configuring Read-Only Domain
Controllers (RODCs), managing the AD schema and establishing trust relationships.
After careful planning to ensure that all DCs in the environment support the higher functional level,
you can raise the domain and/or forest functional level to enable the additional features of newer
versions of AD DS. This task is accomplished via the Active Directory Domains and Trusts
administrative tool: right-click a domain and select Raise Domain Functional Level, then choose the
appropriate level. A warning will pop up reminding you that this is an irreversible action!
Removing AD from a DC can be accomplished using the dcpromo command (Start, type dcpromo
in the search box and hit Enter). When you remove AD from a DC you are demoting it to a
member server.
RODCs are, as the name implies, read-only: they hold a replica of the domain partition that accepts
no changes locally, replication to them is one-way (inbound only), and by default they store no user
or computer passwords. Only accounts permitted by the RODC's Password Replication Policy (PRP) have
their credentials cached on it. This limits the damage if the server is stolen or compromised,
which makes RODCs suitable for a distributed environment such as a branch office where no
administrator is present and physical security is weak.
The process of installing an RODC is initially the same as installing AD DS, until the point where
you are prompted to choose the DC type. Select RODC, then configure the appropriate Password
Replication Policy, delegate local administration of the RODC to a user or group that is not a
domain administrator, and choose the installation media.
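As an added example that serves both the AD DS installation steps in Explore Activity 4 and the RODC installation just described (it is not code from the instructor guide), the PowerShell script below writes a dcpromo answer file and runs the unattended promotion, either as a writeable replica DC or, with -ReadOnly, as an RODC with a Password Replication Policy. The [DCInstall] keys are those of the Windows Server 2008 dcpromo /unattend syntax (dcpromo /?:Promotion lists them); the domain, site, source DC, group and account names are placeholders to replace.

```powershell
# Added example: unattended promotion of a replica DC or RODC with dcpromo.
# Domain, site, DC, group and account names below are placeholders, not from the guide.
param(
    [string]$DomainName = 'lucernepublishing.com',
    [string]$SiteName   = 'Branch1',
    [string]$SourceDc   = 'dc1.lucernepublishing.com',
    [switch]$ReadOnly,
    [string]$AnswerFile = 'C:\dcpromo-unattend.txt'
)

# The DSRM password is a separate credential used only in Directory Services
# Restore Mode; prompt for it rather than hard-coding it in this script.
$dsrm      = Read-Host -AsSecureString 'DSRM (restore mode) password'
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm))

$role = if ($ReadOnly) { 'ReadOnlyReplica' } else { 'Replica' }

$lines = @(
    '[DCInstall]',
    "ReplicaOrNewDomain=$role",
    "ReplicaDomainDNSName=$DomainName",
    "SiteName=$SiteName",
    "ReplicationSourceDC=$SourceDc",
    'InstallDNS=Yes',
    'ConfirmGc=Yes',
    'CreateDNSDelegation=No',
    'DatabasePath="C:\Windows\NTDS"',
    'LogPath="C:\Windows\NTDS"',
    'SYSVOLPath="C:\Windows\SYSVOL"',
    "SafeModeAdminPassword=$dsrmPlain",
    "UserDomain=$DomainName",
    'UserName=DomainAdminAccount',      # placeholder: an account allowed to add DCs
    'Password=*',                       # '*' makes dcpromo prompt instead of storing it
    'RebootOnCompletion=Yes'
)

if ($ReadOnly) {
    # Password Replication Policy: only the branch's own users may have secrets
    # cached on the RODC; privileged groups are explicitly denied, and a local
    # delegated admin group gets the RODC's local administration rights.
    $lines += @(
        'PasswordReplicationAllowed="LUCERNEPUBLISHING\Branch1 Users"',
        'PasswordReplicationDenied="LUCERNEPUBLISHING\Domain Admins"',
        'PasswordReplicationDenied="LUCERNEPUBLISHING\Enterprise Admins"',
        'DelegatedAdmin="LUCERNEPUBLISHING\Branch1 RODC Admins"'
    )
}

Set-Content -Path $AnswerFile -Value $lines -Encoding ASCII
Write-Host "Answer file written to $AnswerFile (it contains the DSRM password; delete it after promotion)."

# Run the promotion; with RebootOnCompletion=Yes the server restarts as a DC.
& dcpromo /unattend:$AnswerFile
```

Two points worth making to students: the answer file holds the DSRM password in clear text, so it must be removed once the promotion has finished, and the PRP deny entries for Domain Admins and Enterprise Admins are what keep a stolen branch RODC from yielding the credentials that matter most.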
As previously described, the AD Schema contains information about all of the available objects
and their attributes for your AD environment. Over the lifetime of your AD DS implementation,
schema updates may become available to support new object types or new attributes. You may
also be called upon to implement customized schema objects to support unique organizational
objects.
To manage the AD schema, you must first register the Schema Management snap-in: from an
elevated command prompt, type regsvr32 schmmgmt.dll to register the DLL, after which you can open
an MMC console and add the Active Directory Schema snap-in. Schema changes are forest-wide and
replicate to every DC, so only members of the Schema Admins group can make them; keep that group
empty except while a change is actually being made.
In AD, the ability to share resources across domains or forests is facilitated by trust
relationships, which allow authentication across the trust boundary. A trust is transitive when it
extends through an intermediary: if I trust Bob and Bob trusts you, I can trust you. The trust
types include:
o Shortcut Trusts: created between two domains in the same forest to shorten the Kerberos
referral path (tree-walking) for frequently accessed resources.
o Forest Trusts: transitive trusts between the root domains of two forests, one-way or two-way;
every domain in each forest trusts every domain in the other (transitive describes the trust
between you and me via Bob!).
o External Trusts: non-transitive trusts (one-way or two-way) between one domain and a domain in
another forest or a Windows NT 4.0 domain (just because Bob trusts you doesn't mean I do!).
o Realm Trusts: trusts between an AD domain and a non-Windows Kerberos realm, such as a UNIX
MIT Kerberos environment; they can be transitive or non-transitive.
Trusts are authentication paths, not access grants: a user from a trusted domain still needs
permissions on the resource. Keep SID filtering enabled on external and forest trusts so that the
trusted domain cannot inject SIDs from your domain through sIDHistory.
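As an added example (not code from the instructor guide), the PowerShell script below inventories the trusts of the current domain and classifies each one into the four types listed above, using the trustedDomain objects under CN=System and the documented trustDirection, trustType and trustAttributes values. It also reports whether SID filtering (the QUARANTINED_DOMAIN attribute) is set, which is the first thing a security reviewer checks on an external trust. It assumes it runs on a domain member with read access to the directory.

```powershell
# Added example: list and classify the trusts of the current domain.
# Flag values are the documented trustedDomain attribute bits.
$rootDse  = [ADSI]'LDAP://RootDSE'
$systemDn = 'CN=System,' + "$($rootDse.defaultNamingContext)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$systemDn", '(objectClass=trustedDomain)')
[void]$searcher.PropertiesToLoad.AddRange(@('trustPartner', 'trustDirection', 'trustType', 'trustAttributes'))

# trustAttributes bit flags
$NON_TRANSITIVE    = 0x1
$QUARANTINED       = 0x4    # SID filtering (quarantine) enforced on this trust
$FOREST_TRANSITIVE = 0x8
$WITHIN_FOREST     = 0x20

function Get-TrustKind {
    param([int]$Type, [int]$Attrs)
    if ($Type -eq 3)                     { return 'Realm (non-Windows Kerberos)' }
    if ($Attrs -band $WITHIN_FOREST)     { return 'Shortcut (intra-forest)' }
    if ($Attrs -band $FOREST_TRANSITIVE) { return 'Forest' }
    if ($Attrs -band $NON_TRANSITIVE)    { return 'External (non-transitive)' }
    return 'Other'
}

function Get-TrustDirection {
    param([int]$Dir)
    switch ($Dir) {
        1       { 'Inbound (they trust us)' }
        2       { 'Outbound (we trust them)' }
        3       { 'Two-way' }
        default { "Unknown ($Dir)" }
    }
}

foreach ($t in $searcher.FindAll()) {
    $p       = $t.Properties
    $partner = $p['trustpartner'][0]
    $attrs   = [int]$p['trustattributes'][0]
    $kind    = Get-TrustKind -Type ([int]$p['trusttype'][0]) -Attrs $attrs
    $dir     = Get-TrustDirection -Dir ([int]$p['trustdirection'][0])
    $sidf    = if ($attrs -band $QUARANTINED) { 'SID filtering ON' } else { 'SID filtering OFF' }
    Write-Host ("{0,-35} {1,-30} {2,-26} {3}" -f $partner, $kind, $dir, $sidf)
    # Review point: without SID filtering, administrators of the trusted domain can
    # put SIDs from our domain into sIDHistory and gain access here.
    if (($kind -like 'External*') -and -not ($attrs -band $QUARANTINED)) {
        Write-Warning "$partner : external trust without SID filtering"
    }
}
```

The same script answers the merger scenario later in this unit: before anything is designed, list what the other company's directory already trusts, because an inherited two-way external trust without SID filtering is an existing hole, not a new design decision.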

Unit Learning Outcome(s) attached to this activity:


Configure Active Directory Domain Services

Course Objective(s) supported by this activity:

Configure Active Directory.


Apply Activity 1: Active Directory Design Scenario


Homework, Graded
Students will respond to the following scenario with design considerations and recommendations.
Facilitation
Give students the scenario below asking them to respond in detail, justifying their recommendations.
Encourage students that their job is to translate business requirements into technical
answers/specifications.

You are an IT Administrator for a company implementing a new AD DS infrastructure. Develop a list of
business-related questions that you will need answered in order to accurately design a domain hierarchy.
Your job is to determine number of DCs, geographical placement, number of domains/forests and OU
design. What do you need to know to effectively accomplish this?
Unit Learning Outcome(s) attached to this activity:

Unit Learning Outcomes


Explain Active Directory Services
Understand AD Components
Explain AD Functional Levels
Install Active Directory Domain Services
Configure Active Directory Domain Services
Course Objective(s) supported by this activity:
Configure Active Directory.

Practice Activity 1: Company Merger Scenario


Homework, Graded
Students will respond to the following scenario with a list of detailed questions.
Facilitation
Give students the scenario below asking them to respond in detail, justifying their recommendations.
Encourage students that their job is to translate business requirements into technical
answers/specifications.
As an IT Administrator, you have been tasked with designing the technical strategy for the merger of your
company with another company. Develop a list of questions that you will need answered to effectively
design a solution for allowing seamless sharing of information resources between the two companies.
Your company has a single, Windows Server 2008 Functional-Level AD DS Forest. The new company
has a directory service but that is all the information you have been given thus far.
Consider trust relationships, compatibility with other directory services (previous versions of Windows,
other operating systems, etc).
Estimated Time: 100 min
Unit Learning Outcome(s) attached to this activity:
Determine the necessary information to design a solution in a merger scenario.

Course Objective(s) supported by this activity:


Configure Active Directory.
LAB PORTION

In-Class and Homework, Graded


Practice Activity 2: Creating a Replica Domain Controller
See the Lab Manual: Lab 3: Creating a Replica Domain Controller
Unit Summary:
This unit introduced the functions and associated benefits of Active Directory Domain Services and
covered the installation and configuration of an AD DS environment, including AD components and
common managerial tasks.

Unit 4: Working with Active Directory Sites


Course Objectives Covered by this Unit
CO3. Configure Active Directory.
CO4. Explain intrasite and intersite replication between the Windows Server 2008 machines.
Unit Learning Outcomes
Explain Active Directory Sites
Explain Active Directory Replication
Configure Active Directory Replication
Make recommendations in an AD Design Replication scenario.
Suggest a plan of action for troubleshooting replication.

Key Concepts

Understanding AD Sites and Replication


Configuring Replication
Managing Replication

Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 3 Working with Active Directory Sites

Keywords
Use the following keywords to search for additional materials to support your work:

Intersite replication
Intersite Topology Generator (ISTG)
DCDiag
Remote Procedure Calls over IP (RPC over IP)
Simple Mail Transfer Protocol (SMTP)
Update Sequence Number (USN)

Learning Activities

THEORY PORTION

Key Concept: Understanding AD Sites and Replication


Explore Activity 1: Introduction to AD Sites

In-class Activity, Ungraded

Description:

Explain to students the following:

As discussed in the previous units, some of the benefits of Active Directory are fault tolerance
and redundancy. One of the mechanisms supporting this in AD is multimaster replication, which
keeps the AD database (ntds.dit) synchronized: the domain partition between all Domain Controllers
(DCs) in a domain, and the schema and configuration partitions between all DCs in the forest.
When designing and implementing an AD environment, it is important to distinguish between the
logical and physical components of a domain/forest. Servers acting as DCs, sites (providing the
boundaries and the ability to manage replication) and the WAN links carrying replication traffic
are physical components, while domains, domain trees, OUs and forests are logical components.
You generally manage the logical components of AD via the Active Directory Users and
Computers console and the physical components via the Active Directory Sites and Services
console.
During the initial installation of AD DS, a single site named Default-First-Site-Name is created
automatically and the first domain controller is placed in the Servers container under that site.
You can use the AD Sites and Services console to rename the site and manage these settings.
Some important characteristics of AD sites include:
o Sites are defined by IP subnets that are well connected (fast and reliable intrasite
network connectivity). A site can contain several subnets; in a small environment one site
often corresponds to a single LAN.
o Multiple sites are connected via site links, facilitating intersite replication.
o AD sites represent physical structure and are independent of the AD logical structure, e.g., a
single site can contain DCs from multiple domains, and one domain can span many sites.
Understanding sites and how they will replicate is possibly the most fundamental component of
initial AD design. Once the site topology (sites and their subnet objects) exists, a new domain
controller is placed automatically in the site whose subnet matches its IP address. This is not a
requirement, just a benefit of designing sites before deploying DCs; a DC whose address matches no
defined subnet must be moved to the correct site by hand.

Unit Learning Outcome(s) attached to this activity:


Explain Active Directory Sites

Course Objective(s) supported by this activity:


Configure Active Directory.
Explain intrasite and intersite replication between the Windows Server 2008 machines.

Explore Activity 2: Understanding AD Replication


In-class Activity, Ungraded

Description:
Explain the following:

AD creates a replication topology to define how domain controllers in a forest and in individual
domains should communicate with one another and what needs to be communicated.
Replication is triggered when an object is added or removed from AD, when the value of an
attribute has changed and when the name of an object is changed.
Because AD is multimaster, changes can be made on any writeable DC. In order to track changes from
anywhere within the AD environment, each DC maintains a local counter called an update sequence
number (USN) and records the highest USN it has already received from each replication partner
(the high-watermark). When a change is made to an AD object or attribute, the originating DC
increments its USN, e.g., DC1 has a USN of 1000, an object is renamed and DC1 stamps the change
with USN 1001; at the next replication cycle DC2 asks DC1 for everything above the last USN it saw
(1000), receives the change, applies it to its copy of ntds.dit and records DC1's USN as 1001.
In addition to the USN, each AD attribute carries a version number that counts how many times the
attribute has been changed. If the same attribute is modified on two DCs before replication between
them has occurred, AD uses the version number as the tie-breaker, with the higher value winning.
If the version numbers are equal, AD next uses the originating timestamp of the modification, with
the later timestamp winning; if those are equal too, the change from the DC with the higher
invocation (DSA) GUID wins. This is one reason that time synchronization is important in an AD
environment: a DC whose clock runs fast wins every conflict it is involved in.
When all DCs in an AD environment agree and hold the same up-to-date information in ntds.dit,
the environment is converged. The time it takes to reach this state is called convergence time.
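As an added example (not from the instructor guide), the PowerShell below simulates how two DCs settle a conflicting write to the same attribute, applying the three tests in the order the text gives them: higher version, then later originating timestamp, then the higher originating DSA GUID. The writes, clock values and GUIDs are constructed for the demonstration, and comparing the GUIDs as strings is a simplification of the byte-wise comparison a real DC performs; the script needs no domain and runs anywhere PowerShell does.

```powershell
# Added example: replication conflict resolution, simulated with constructed inputs.
function Resolve-AttributeConflict {
    param($Local, $Remote)   # each: Version, Timestamp, DsaGuid, Value
    if ($Local.Version -ne $Remote.Version) {
        return $(if ($Local.Version -gt $Remote.Version) { $Local } else { $Remote })
    }
    if ($Local.Timestamp -ne $Remote.Timestamp) {
        return $(if ($Local.Timestamp -gt $Remote.Timestamp) { $Local } else { $Remote })
    }
    # Last resort: the originating DSA GUID. String comparison is a simplification
    # of the real byte-wise comparison, but it is deterministic on both DCs.
    return $(if ([string]$Local.DsaGuid -gt [string]$Remote.DsaGuid) { $Local } else { $Remote })
}

function New-Write {
    param([int]$Version, [datetime]$Timestamp, [guid]$DsaGuid, [string]$Value)
    New-Object PSObject -Property @{ Version = $Version; Timestamp = $Timestamp; DsaGuid = $DsaGuid; Value = $Value }
}

# Constructed invocation IDs for two DCs and a reference time.
$dc1 = [guid]'11111111-1111-1111-1111-111111111111'
$dc2 = [guid]'22222222-2222-2222-2222-222222222222'
$t   = Get-Date '2013-08-06 10:00:00'

# Case 1: DC1 changed the attribute twice, DC2 once: the version number decides,
# even though DC2's write is more recent.
$a = New-Write 3 $t $dc1 'Sales Manager'
$b = New-Write 2 $t.AddSeconds(5) $dc2 'Sales Rep'
Write-Host ("Case 1 (version)   winner: " + (Resolve-AttributeConflict $a $b).Value)

# Case 2: same version, DC2 wrote five seconds later: the timestamp decides.
# A DC with a fast clock would win here without having written last.
$a = New-Write 2 $t $dc1 'Sales Manager'
$b = New-Write 2 $t.AddSeconds(5) $dc2 'Sales Rep'
Write-Host ("Case 2 (timestamp) winner: " + (Resolve-AttributeConflict $a $b).Value)

# Case 3: identical version and timestamp: the DSA GUID breaks the tie.
$a = New-Write 2 $t $dc1 'Sales Manager'
$b = New-Write 2 $t $dc2 'Sales Rep'
Write-Host ("Case 3 (DSA GUID)  winner: " + (Resolve-AttributeConflict $a $b).Value)

# Both DCs run the same function over the same metadata, so they reach the same
# answer independently; that is what makes multimaster replication converge.
```

Case 2 is the one to dwell on in class: the outcome is decided by clocks, not by who really wrote last, which is why the PDC emulator is the authoritative time source in a forest and why a DC whose clock drifts should be treated as a replication problem.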
As previously described, a site is generally a subnet/LAN with reliable, fast network
connectivity. This makes intrasite replication (replication between DCs in the same site)
generally stable, quick and efficient: it is uncompressed, triggered by change notification and
typically completes within minutes. Because intersite replication (replication between DCs in
different sites) often traverses WAN links, which are slower and less reliable, intersite
replication requires more careful design.
Within a site, AD provides a service called the Knowledge Consistency Checker (KCC), which runs
on every DC, automates the configuration of intrasite replication and automatically responds to
changes in the AD environment, such as a DC being added or going offline.
The KCC is responsible for managing which DCs replicate with which DCs, automatically
selecting replication partners for each DC, creating one or more connection objects between each
DC and its replication partner/s.
The KCC automatically analyzes the AD environment every 15 minutes and attempts to make the
most efficient use of connections, minimizing the delay (latency) in propagating information
through the AD environment: it builds a bidirectional ring of replication connections within the
site, creates additional connection objects whenever needed to ensure that no more than three hops
exist between any two DCs, and uses change notification to inform replication partners when
changes need to be replicated.

Activity:

Have students open the AD Sites and Services MMC snap-in and explore the configuration options, view
NTDS Settings, etc.

Estimated Time: 20 minutes

Unit Learning Outcome(s) attached to this activity:


Explain Active Directory Replication
Course Objective(s) supported by this activity:
Explain intrasite and intersite replication between the Windows Server 2008 machines.

Key Concept: Configuring Replication


Explore Activity 3: Configuring AD Intersite Replication
In-class Activity, Ungraded

Description:
Explain the following:

Since AD sites represent the physical topology of your environment, it is generally best practice
to name your sites after their physical locations.
For site-to-site (intersite) replication to occur, you must create site links (logical connections
between sites, transitive by default because all site links are bridged), which should mirror the
routed connections between your networks.
The Intersite Topology Generator (ISTG) is a role held by one DC in each site; it creates the
intersite replication topology in a multi-site environment and automatically selects a bridgehead
server (the gatekeeper in each site, responsible for managing site-to-site replication).
Site links have the following characteristics:
o They connect two or more sites that use the same transport (RPC over IP or SMTP).
o They are defined manually, with the exception of DEFAULTIPSITELINK, which is created
automatically at AD installation.
o They should correspond to the WAN links connecting the sites.
As we learned previously, a site represents a subnet/LAN that is well connected. This implies
that intersite connectivity may not be well connected! As such, one of the chief goals of intersite
replication design is minimizing the use of bandwidth: intersite traffic is compressed, and three
parameters on each site link control when and how often it flows:
o Cost: An administrator can assign a cost to a site link to give it a priority relative to other
site links. The default value is 100, with acceptable values in the range 1 to 99,999. The lower
the number, the higher the priority; when several routes exist between two sites, the route with
the lowest total cost is used.
o Schedule: An administrator can determine the hours during which a particular site link is
available for replication.
o Frequency: During the scheduled available times, the site link's replication interval determines
how often replication can occur; the default is every 180 minutes and the minimum is 15 minutes.
When designing an AD site topology, it is important to balance bandwidth use against convergence
time: the longer the interval and the narrower the schedule, the longer a group membership change
or a disabled account takes to reach the remote site.
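As an added example (not from the instructor guide), the PowerShell below takes a set of site links with administrator-assigned costs and computes the cheapest route between two sites, which is the route the ISTG prefers when site links are bridged (lowest total cost; ties are not broken here). The site names, links and costs are constructed, loosely following the two-branch scenario at the end of this unit, and the script runs without a domain.

```powershell
# Added example: least-cost replication route over constructed site links.
function Get-CheapestRoute {
    param([hashtable]$Links, [string]$From, [string]$To)
    # $Links maps a link name to @{ Sites = @('A','B',...); Cost = n }.
    # Every pair of sites on one link is connected at that link's cost.
    $adj = @{}
    foreach ($link in $Links.Values) {
        foreach ($s in $link.Sites) {
            if (-not $adj.ContainsKey($s)) { $adj[$s] = @() }
            foreach ($u in $link.Sites) {
                if ($u -ne $s) { $adj[$s] += New-Object PSObject -Property @{ Site = $u; Cost = $link.Cost } }
            }
        }
    }
    # Dijkstra over the site graph; $prev records the route for printing.
    $dist = @{}; $prev = @{}; $todo = @()
    foreach ($s in $adj.Keys) { $dist[$s] = [int]::MaxValue; $todo += $s }
    $dist[$From] = 0
    while ($todo.Count -gt 0) {
        $cur  = $todo | Sort-Object { $dist[$_] } | Select-Object -First 1
        $todo = @($todo | Where-Object { $_ -ne $cur })
        if ($dist[$cur] -eq [int]::MaxValue) { break }      # remaining sites unreachable
        foreach ($edge in $adj[$cur]) {
            $alt = $dist[$cur] + $edge.Cost
            if ($alt -lt $dist[$edge.Site]) { $dist[$edge.Site] = $alt; $prev[$edge.Site] = $cur }
        }
    }
    if ($dist[$To] -eq [int]::MaxValue) { return $null }
    $path = @($To)
    while ($prev.ContainsKey($path[0])) { $path = @($prev[$path[0]]) + $path }
    New-Object PSObject -Property @{ Path = ($path -join ' -> '); Cost = $dist[$To] }
}

# Constructed topology: the default link to a regional hub, a hub link to
# Branch1, and slow dial-up links that are given a deliberately high cost.
$siteLinks = @{
    'DEFAULTIPSITELINK' = @{ Sites = @('MainOffice', 'Hub');     Cost = 100 }
    'Hub-Branch1'       = @{ Sites = @('Hub', 'Branch1');        Cost = 100 }
    'Main-Branch1-POTS' = @{ Sites = @('MainOffice', 'Branch1'); Cost = 500 }   # 56k line
    'Main-Branch2-POTS' = @{ Sites = @('MainOffice', 'Branch2'); Cost = 500 }   # 56k line
}

Get-CheapestRoute -Links $siteLinks -From 'MainOffice' -To 'Branch1' | Format-List
Get-CheapestRoute -Links $siteLinks -From 'Branch2'    -To 'Branch1' | Format-List
```

Students can change one cost and rerun it to see the route flip from the two-hop path through the hub to the direct dial-up link; that is exactly the lever an administrator uses to keep replication off a slow line while it is still available as a fallback.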

Activity:
Have the students review the AD size requirements on page 24 of MOAC 70-640 and calculations from
the previous activity in Unit 3 (5,000 security principals, 50 OUs, 15 certificates and 15,000 ACEs),
discussing the relative impact of replication in the proposed environment via ISDN lines versus T1 lines.
Estimated Time: 40 minutes
Unit Learning Outcome(s) attached to this activity:
Configure Active Directory Replication
Course Objective(s) supported by this activity:
Explain intrasite and intersite replication between the Windows Server 2008 machines.

Key Concept: Managing Replication

Explore Activity 4: Managing AD Replication


In-class Activity, Ungraded

Description:
Explain the following:

AD replication supports two different protocols: RPC over IP and SMTP.


Remote Procedure Calls (RPC) over IP is the default for both intrasite and intersite replication.
RPC is widely used for communication between network services, with IP handling addressing and
routing.
Simple Mail Transfer Protocol (SMTP) provides an option for replication over very slow or
unreliable intersite links. It is asynchronous (each transaction does not have to complete before
another can start), offers limited functionality (it can replicate the schema, configuration and
global catalog partitions but not a domain partition, so it is only useful between sites whose DCs
belong to different domains), ignores the site link schedule and requires an Enterprise
Certification Authority, because the SMTP messages are signed and encrypted with certificates.
To minimize impact on intersite links, AD designates a bridgehead server in each site. Imagine a
site in San Francisco with three DCs and another site in New York with five DCs. All DCs in each
site communicate with one another (intrasite replication), but there is no need for all DCs in SF to
communicate with NY. It is only necessary for one DC in each site to communicate with a DC in
the other site. These are called bridgehead servers and are responsible for communicating
between sites and then replicating the site-to-site data within their own site.
The ISTG automatically assigns a bridgehead server in each site, though an administrator can
manually set a preferred bridgehead server/s to accommodate specific situations and needs.
Because intersite replication utilizes compression of data, it is important that bridgehead servers
have adequate physical resources to accomplish compression/decompression.
Any errors that occur during AD replication are logged to the Directory Service log in Event Viewer
on each DC (look for the NTDS Replication source). It is important to monitor these events regularly.
Although replication occurs automatically or on the defined schedule, it can be manually forced to
propagate changes or to troubleshoot issues: go to AD Sites and Services, expand Sites, drilling
down to the site for which you want to force replication, click NTDS Settings in the console tree,
right-click the connection in the details pane and select Replicate Now.
Other than observing object/attribute changes in AD on different DCs, you can monitor replication
using dcdiag and repadmin:
o Dcdiag: A command-line tool which can be used to perform connectivity tests, report
errors and analyze permissions and the state of DCs in a domain.
o Repadmin: A command-line tool that can be used to view the replication topology or
manually configure a replication topology, force replication and view replication metadata.
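As an added example (not from the instructor guide), the PowerShell script below strings the monitoring tools just listed into one pass: it reads repadmin's CSV output for every DC, lists the replication links that are failing and the ones that have gone longest without a success, and then runs dcdiag's connectivity and replication tests on the local DC. It assumes the Windows Server 2008 versions of repadmin (which accepts /showrepl * /csv) and dcdiag, run from a DC with domain administrator rights.

```powershell
# Added example: replication health in one pass with repadmin and dcdiag.
function Get-ReplicationRows {
    # One row per destination DC / source DC / partition combination, forest-wide.
    & repadmin /showrepl * /csv | ConvertFrom-Csv
}

function Get-ReplicationFailures {
    Get-ReplicationRows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Success Time', 'Last Failure Status'
}

function Get-ReplicationLag {
    # Links ordered by time since their last successful replication.
    Get-ReplicationRows | ForEach-Object {
        $last = $_.'Last Success Time' -as [datetime]     # may be empty for a new link
        if ($last) {
            New-Object PSObject -Property @{
                Destination       = $_.'Destination DSA'
                Source            = $_.'Source DSA'
                Partition         = $_.'Naming Context'
                HoursSinceSuccess = [math]::Round(((Get-Date) - $last).TotalHours, 1)
            }
        }
    } | Sort-Object HoursSinceSuccess -Descending | Select-Object -First 10
}

$failures = @(Get-ReplicationFailures)
if ($failures.Count -eq 0) {
    Write-Host 'No replication failures reported by repadmin.'
} else {
    Write-Warning "$($failures.Count) failing replication link(s):"
    $failures | Format-Table -AutoSize
}

Write-Host 'Links that have gone longest without a successful replication:'
Get-ReplicationLag | Format-Table Destination, Source, Partition, HoursSinceSuccess -AutoSize

# dcdiag on the local DC: connectivity (DNS/SRV registration) first, then the
# replication test; /q prints only the failures.
& dcdiag /test:Connectivity /test:Replications /q

# To push and pull every partition across all links now, rather than waiting
# for the site link schedule (the command-line equivalent of Replicate Now):
#   repadmin /syncall /AdeP
```

For the troubleshooting scenario later in this unit, the "hours since success" column is the first thing to look at: a branch DC whose domain partition last replicated two days ago explains both "changes take a very long time" and "changes do not propagate at all", and it means the branch is also two days behind on disabled accounts and group membership changes, which is a security problem rather than a cosmetic one.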

Activity:
Have the students open a command prompt on a Windows Server 2008 DC and view the command
parameters for dcdiag (dcdiag /?) and repadmin (repadmin /?).
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Configure Active Directory Replication
Course Objective(s) supported by this activity:
Explain intrasite and intersite replication between the Windows Server 2008 machines.

LAB PORTION
Practice Activity 1: Working with Active Directory Sites
See the Lab Manual: Lab 3: Working with Active Directory Sites

Homework, Graded

Apply Activity 1: AD Design Replication Scenario


Homework, Graded
Students will respond to the following scenario with design considerations and recommendations.
Facilitation
Give students the scenario below asking them to respond in detail with recommendations for site-link
protocols and replication schedule/frequency, as well as the possibility of recommending/justifying
redundant links to each branch.

You are an IT administrator for a company with an existing AD Forest. The company is adding two, new
branch offices and you have been tasked with designing a replication strategy prior to DC deployment.

Branch1 will be connected to the Main Office via a pair of bonded T1 lines and will contain a Call Center
with high employee turnover.

Branch2 will be in a very remote location and will be connected to the Main Office via a 56k POTS line.

Unit Learning Outcome(s) attached to this activity:


Make recommendations in an AD Design Replication scenario.

Course Objective(s) supported by this activity:


Configure Active Directory.
Explain intrasite and intersite replication between the Windows Server 2008 machines.
Practice Activity 2: Site-to-Site Connectivity Scenario
Homework, Graded
Students will respond to the following scenario with practical steps and/or a recommended approach to
the problem.
Facilitation

A junior IT administrator has been tasked with troubleshooting problems with intersite AD replication.
Respond to his inquiry with a suggested approach and any recommendations for troubleshooting:
To: IT Admin
I am troubleshooting replication between the Main Office and Branch Office 1. It seems that changes to
user object attributes take a very long time to propagate or do not propagate at all. I am not sure when
replication is supposed to occur and have no idea where to begin testing. Do you have any
recommendations, any suggested steps to help me narrow down the problem? Thank you!
Junior Admin
Estimated Time: 100 min
Unit Learning Outcome(s) attached to this activity:
Suggest a plan of action for troubleshooting replication.

Course Objective(s) supported by this activity:


Configure Active Directory.
Explain intrasite and intersite replication between the Windows Server 2008 machines.
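A worked example instructors can show for this scenario (and for the dcdiag/repadmin exploration earlier in the unit), added here and not part of the guide or the MOAC lab: a PowerShell triage of repadmin partner output. It parses a constructed sample of repadmin /showrepl * /csv output so it runs offline; the DC names (MAIN-DC01, MAIN-DC02, BR1-DC01), site names, timestamps and the object DN are placeholders of this example, not values from the guide.

```powershell
# Added example (not from the instructor guide): triage AD replication partners
# from "repadmin /showrepl * /csv" output. The sample is constructed so the
# script runs offline; server, site and DN values are placeholders.

# Constructed stand-in for the output of:  repadmin /showrepl * /csv
$SampleShowRepl = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,MainOffice,MAIN-DC02,"DC=lucernepublishing,DC=com",MainOffice,MAIN-DC01,RPC,0,0,2013-08-06 09:58:40,0
showrepl_INFO,Branch1,BR1-DC01,"CN=Configuration,DC=lucernepublishing,DC=com",MainOffice,MAIN-DC01,RPC,0,0,2013-08-06 09:15:12,0
showrepl_INFO,Branch1,BR1-DC01,"DC=lucernepublishing,DC=com",MainOffice,MAIN-DC01,RPC,12,2013-08-06 08:45:00,2013-08-04 22:10:30,1722
'@ -split "`r?`n"

function Get-ReplicationFailure {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,   # lines of repadmin /showrepl /csv output
        [Parameter(Mandatory)][datetime]$Now,        # reference time, so the offline run is deterministic
        [int]$StaleHours = 3                         # default intersite interval is 180 min; longer with no success is suspect
    )
    $fmt = 'yyyy-MM-dd HH:mm:ss'
    $inv = [cultureinfo]::InvariantCulture
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $failures = [int]$row.'Number of Failures'
        $lastOk = $null
        if ($row.'Last Success Time' -match '^\d{4}-') {   # a bare "0" means never succeeded
            $lastOk = [datetime]::ParseExact($row.'Last Success Time', $fmt, $inv)
        }
        $stale = (-not $lastOk) -or (($Now - $lastOk).TotalHours -gt $StaleHours)
        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Intersite     = ($row.'Destination DSA Site' -ne $row.'Source DSA Site')
                Failures      = $failures
                LastSuccess   = $lastOk
                LastError     = $row.'Last Failure Status'   # Win32 code; 1722 = the RPC server is unavailable
            }
        }
    }
}

$now = [datetime]::ParseExact('2013-08-06 10:00:00', 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
Get-ReplicationFailure -CsvLines $SampleShowRepl -Now $now | Format-Table -AutoSize

# Against a live forest (on a DC, or anywhere the AD admin tools are installed):
#   $live = repadmin /showrepl * /csv
#   Get-ReplicationFailure -CsvLines $live -Now (Get-Date) | Format-Table -AutoSize
# Follow-up commands for a flagged partner (stock repadmin/dcdiag switches):
#   repadmin /replsummary                   forest-wide failure and latency overview
#   dcdiag /test:replications /s:BR1-DC01   replication health test run against the branch DC
#   repadmin /showobjmeta BR1-DC01 "CN=John Smith,OU=Sales,DC=lucernepublishing,DC=com"
#        per-attribute version and originating-DC metadata: has the attribute change arrived at all?
#   repadmin /syncall MAIN-DC01 /AdeP       push a sync to every partner, across sites, on all partitions
```

With the constructed sample only the Branch1 domain-partition link is reported (12 failures, last success about 36 hours earlier, error 1722). On a live forest, an intersite partner with zero failures and a recent last success but a "slow" change is usually just the site-link schedule: the default replication interval between sites is 180 minutes, set on the site link object in Active Directory Sites and Services, which is where the junior admin's "when is it supposed to occur" question is answered.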

Unit Summary:
This unit introduced Active Directory Sites, their function and how they are created and administered. It
also covered replication, the process and how replication can be managed and monitored.


Unit 5: Global Catalog and Flexible Single Master Operations (FSMO) Roles
Course Objectives Covered by this Unit
CO3. Configure Active Directory.
CO4. Explain intrasite and intersite replication between the Windows Server 2008 machines.
CO5. Configure Universal Group Membership Caching
CO6. Transfer and seize FSMO roles.
Unit Learning Outcomes
Explain the functions of a Global Catalog Server
Explain the FSMO Roles
Plan FSMO Role Holders
Maintain FSMO Roles
Determine the necessary information for the development of an FSMO/GC implementation plan.
Determine the best tools for determining FSMO roles.
Develop a plan for the failure of a role holder.

Key Concepts

The Global Catalog


Understanding FSMO Roles
Configuring FSMO Roles
Transferring/Seizing FSMO Roles

Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 4 Global Catalog and Flexible Single Master Operations (FSMO) Roles

Keywords
Use the following keywords to search for additional materials to support your work:

Domain Naming Master


Primary Domain Controller (PDC) Emulator
Relative Identifier (RID)
Universal Group Membership Caching
Security Identifier (SID)


Learning Activities

THEORY PORTION

Key Concept: The Global Catalog


Explore Activity 1: Introduction to the Global Catalog

In-class Activity, Ungraded

Description:
Explain to students the following:

The Global Catalog (GC) is a key component of Active Directory. By default, the first Domain
Controller (DC) installed in the forest root domain is a GC. A GC acts as a repository for all
objects in the host server's local domain, as well as a partial copy of all objects from other domains
within the same forest (the partial attribute set or PAS).
Any and all DCs in an Active Directory environment can be configured to function as a GC server
depending on the needs of the environment.
The four primary functions of the Global Catalog in Active Directory are:
o Facilitating forest-wide searches: An AD search uses TCP port 3268, which is directed to
a GC for response.
o User Principal Name (UPN) resolution: As discussed in previous units, a UPN allows a
user to log in with a standardized naming convention, often matching the user's email
address (e.g., jsmith@lucernepublishing.com). A login request using a UPN is processed
by a GC.
o Maintaining Universal Group membership information: Universal Groups can be used to
assign permissions for any resource in the forest, as opposed to domain local or global
group memberships, which are stored at the domain level.
o Maintaining a copy of all objects in the domain: A GC server contains a copy of its own
naming context (NC, an AD partition), as well as the PAS for every other NC in the forest.
Particularly in distributed sites, performance load and network bandwidth utilization are key
considerations for where to place GC Servers. To improve performance and minimize bandwidth
utilization, Windows Server 2003 and 2008 support Universal Group Membership Caching. When
a user logs on at a site without a GC Server, the GC is queried, after which the user's group
membership information is cached at the local site DC, eliminating the need for communication
with a GC the next time the user logs in.

Unit Learning Outcome(s) attached to this activity:


Explain the functions of a Global Catalog Server


Course Objective(s) supported by this activity:


Configure Active Directory.

Key Concept: Understanding FSMO Roles

Explore Activity 2: Introduction to Flexible Single Master Operations (FSMO) Roles


In-class Activity, Ungraded

Description:
Explain the following:

As previously discussed, Active Directory is a multimaster database, meaning that changes can be
made from any writeable DC in the environment, following which all changes are replicated
throughout the environment, ensuring a consistent and up-to-date AD topology. Although AD
utilizes multiple methods to avoid conflicts (timestamps, version IDs), there are some critical AD
functions that require an extra measure of protection against possible duplication/error, more
suited to a single-master model. AD uses Flexible Single Master Operations (FSMO) roles to
handle these functions.
In a smaller environment, all FSMO roles can reside on a single DC. In larger environments, they
can be distributed to multiple DCs.
There are five FSMO roles, two of which support forest-wide functionality, three of which support
domain-wide functionality:
o Relative Identifier (RID) Master: This domain-specific role is responsible for providing
relative identifiers to DCs in a domain. A DC allocates a RID when a new object is
created. If a DC runs out of RIDs and no RID Master is available, new objects cannot be
created on that DC.
o Infrastructure Master: This domain-specific role is responsible for reference updates from
its domain objects to other domains.
o Primary Domain Controller (PDC) Emulator: This domain-specific role provides
backwards compatibility with Microsoft NT 4.0 domains and manages password changes,
account lockout and time synchronization.
o Domain Naming Master: This forest-wide role has the authority to create and delete
domains, domain trees, and application data partitions.
o Schema Master: This forest-wide role is responsible for managing AD schema changes.
As the name implies (Flexible Single-Master Operations Roles), there can be only one DC per
domain/forest functioning in each of the FSMO roles.

Activity:

Have students discuss the relative impact of any of the FSMO roles becoming unavailable in an AD
environment.

Estimated Time: 20 minutes

Unit Learning Outcome(s) attached to this activity:


Explain the FSMO Roles
Course Objective(s) supported by this activity:
Configure Active Directory.
Explain intrasite and intersite replication between the Windows Server 2008 machines.

Key Concept: Configuring FSMO Roles

Explore Activity 3: Understanding FSMO Role Placement


In-class Activity, Ungraded

Description:
Explain the following:

When the first DC is installed in a new forest, it must contain all five FSMO roles in addition to
functioning as a Global Catalog Server. As the forest grows and additional DCs are installed,
some of these roles can be transferred to other DCs to distribute the performance load and
provide some fault tolerance.
When creating a new child domain within an existing forest, the first DC in the child domain must
contain the three domain-specific FSMO roles (PDC Emulator, RID Master and Infrastructure
Master).
Some considerations for placement of FSMO roles include:
o Schema Master should be placed on a highly available DC as all schema changes
require the availability of this role.
o Domain Naming Master can co-exist with the Schema Master Role and a Global Catalog
Server, which would be suitable for a smaller environment.
o PDC Emulator should be placed on a highly available DC as it supports critical processes,
including login of down-level clients, time sync, etc. Best practice is to separate this
role from the Global Catalog Server functionality.
o RID Master should be placed in proximity to the DCs where most AD objects are created,
as these DCs will be the largest consumers of RIDs. Best practice is to combine this
role with the PDC Emulator role.
o Infrastructure Master is perhaps the least critical FSMO Role. Best practice is to place this
role on a DC that is not a GC Server, but in the same site as a GC Server.
When planning for FSMO Role placement, it is important to consider the number of domains in
the forest, the physical structure of the network (sites, site connectivity) and the total number of
DCs in each domain.


Activity:
Have the students review Table 4-3 in MOAC 70-640 and the corrective actions for each FSMO
Role failure.
Estimated Time: 20 minutes
Unit Learning Outcome(s) attached to this activity:
Planning FSMO Role Holders
Course Objective(s) supported by this activity:
Configure Active Directory.
Explain intrasite and intersite replication between the Windows Server 2008 machines.

Key Concept: Transferring/Seizing FSMO Roles

Explore Activity 4: Managing FSMO Roles


In-class Activity, Ungraded

Description:
Explain the following:

Whether planned or unplanned, there will invariably be times when an FSMO Role becomes
unavailable, when a DC needs to be decommissioned, site-to-site connectivity fails, the needs of
the organization change, or a DC fails.
As certain functions of AD require these FSMO Roles, when a role becomes unavailable the role
must be transferred or seized:
o Role transfer is the preferred method but requires the availability of the DC currently
holding the role.
o Role seizure is your only choice if the DC currently holding the role is no longer available.
Before moving a role, planned or unplanned, it is important to know where the roles currently
reside. You can view and change (transfer) domain-wide roles via the Active Directory Users and
Computers snap-in (All Tasks, Operations Masters).
To view and change (transfer) the Domain Naming Master Role, open the Active Directory Domains
and Trusts snap-in, right-click Active Directory Domains and Trusts and select Operations Master.
Viewing and changing (transferring) the Schema Master Role requires registering schmmgmt.dll
and opening the Active Directory Schema snap-in; right-click Active Directory Schema and select
Change Operations Master.
To seize an FSMO Role, you can use the ntdsutil command-line tool. When using this tool,
ntdsutil will first attempt to transfer the role (if the previous role holder is available); failing this, it will
force seizure.

Unit Learning Outcome(s) attached to this activity:


Maintaining FSMO Roles
Course Objective(s) supported by this activity:
Transfer and seize FSMO roles.

LAB PORTION
Practice Activity 1: Lab (TBD)
In-Class Activity, Graded
See the Lab Manual: Lab 5
Estimated Time: 100 minutes

Apply Activity 1: AD Design Scenario - FSMO Role & GC Placement


Homework, Graded
Students will respond to the following scenario with a list of 5 to 10 questions.
Facilitation
Give students the scenario below asking them to consider what information they would need to develop
an FSMO/GC implementation plan for a new AD Forest.

You are an IT consultant for a newly forming company and have been asked to design an Active
Directory Forest implementation. Your immediate task is to designate where the FSMO Roles and Global
Catalog Servers will be placed in the new environment. Develop a list of 5 to 10 questions you will need
answered in order to determine the most appropriate locations for the FSMO Role Holders and GCs.

Unit Learning Outcome(s) attached to this activity:


Determine the necessary information for the development of an FSMO/GC implementation plan.
Course Objective(s) supported by this activity:
Configure Active Directory.
Explain intrasite and intersite replication between the Windows Server 2008 machines.
Configure Universal Group Membership Caching

Transfer and seize FSMO roles.

Practice Activity 2: AD FSMO Role Management Research: Alternate Methods


Homework, Graded
Students will respond to the following scenario with practical steps and/or a recommended approach to
the problem.
Facilitation
A junior IT administrator has been tasked with documenting current FSMO Role Holders and GC Servers,
as well as documenting procedures for responding to FSMO Role unavailability:
To: IT Admin
I need to determine which DCs currently hold which roles and determine which DCs are Global Catalog
Servers. I also need to develop a plan for failure of a role holder. I know there are multiple ways to
accomplish this task but I'm not sure of the best tools for any given scenario. Would you use ntdsutil or
MMC Snap-ins? What about dcdiag? Any advice or suggestions would be appreciated!
Junior Admin
Estimated Time: 100 min
Unit Learning Outcome(s) attached to this activity:
Determine the best tools for determining FSMO roles.
Develop a plan for the failure of a role holder.

Course Objective(s) supported by this activity:


Transfer and seize FSMO roles.
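A PowerShell answer to the junior admin that also walks through the Explore Activity 4 procedure and the Global Catalog port from Explore Activity 1, added here as an instructor example and not the guide's, the MOAC's or Microsoft's own script: inventory the role holders and GC servers, check that each GC answers on TCP 3268, then transfer or seize a role through ntdsutil. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT), PowerShell 3 or later and a domain admin session; MAIN-DC02 and the function names are placeholders of this example.

```powershell
# Added example (not the instructor guide's, the MOAC's or Microsoft's own script):
# inventory FSMO role holders and Global Catalog servers, check that each GC
# answers on TCP 3268, then transfer or seize a role through ntdsutil.
# Assumes the ActiveDirectory module (Server 2008 R2 / RSAT), PowerShell 3 or
# later and a domain admin session. MAIN-DC02 and the function names are
# placeholders of this example.
Import-Module ActiveDirectory

# --- 1. Document: where do the roles and GCs live right now? ---
# Get-ADDomain answers for the current domain; run it per domain in a multi-domain forest.
function Get-FsmoInventory {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        Forest               = $forest.Name
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        Domain               = $domain.DNSRoot
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        GlobalCatalogs       = @($forest.GlobalCatalogs)
    }
}

# A GC serves forest-wide searches on TCP 3268. A DC flagged as a GC that does
# not listen there has not finished building its partial replicas yet.
function Test-GlobalCatalogPort {
    param([Parameter(Mandatory)][string[]]$Server, [int]$TimeoutMs = 2000)
    foreach ($s in $Server) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $ar = $client.BeginConnect($s, 3268, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($ar)          # throws if the connection was refused
                $open = $client.Connected
            }
        } catch { $open = $false }
        finally { $client.Close() }
        [pscustomobject]@{ Server = $s; Gc3268Open = $open }
    }
}

# --- 2. Move a role. Transfer needs the current holder online; seize is for when it is gone. ---
function Move-FsmoRole {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('pdc', 'rid master', 'infrastructure master', 'naming master', 'schema master')]
        [string]$Role,
        [Parameter(Mandatory)][string]$TargetDC,
        [switch]$Seize
    )
    $verb = if ($Seize) { 'seize' } else { 'transfer' }
    # ntdsutil takes its menu commands as quoted arguments, so the operation can be
    # scripted; it still asks for Yes/No confirmation. "seize" tries a transfer first
    # and only forces seizure when the current holder does not answer. A DC whose
    # role was seized must not be brought back on the network afterwards.
    ntdsutil 'roles' 'connections' "connect to server $TargetDC" 'quit' "$verb $Role" 'quit' 'quit'
}

$inv = Get-FsmoInventory
$inv | Format-List
Test-GlobalCatalogPort -Server $inv.GlobalCatalogs | Format-Table -AutoSize

# Planned move:              Move-FsmoRole -Role pdc -TargetDC MAIN-DC02
# Holder permanently lost:   Move-FsmoRole -Role 'rid master' -TargetDC MAIN-DC02 -Seize
# Verify afterwards, and confirm every DC agrees on the holders (stale knowledge is
# the classic after-seize symptom). Both commands work without the AD module:
#   netdom query fsmo
#   dcdiag /test:KnowsOfRoleHolders /test:FsmoCheck
```

The choice of tool follows the junior admin's question: the MMC snap-ins and the AD module are for viewing and for planned transfers, ntdsutil is the only tool of the three that seizes, and dcdiag is the check that the rest of the forest has learned about the new holder.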

Unit Summary:
This unit introduced the Global Catalog Server and its functionality in Active Directory Services. Active
Directory Flexible Single-Master Operations (FSMO) Roles and their functionality were described, as well
as the mechanisms for moving FSMO Roles in an AD environment.


Unit 6: Active Directory Administration


Course Objectives Covered by this Unit
CO3. Configure Active Directory.
CO9. Use different methods to maintain and troubleshoot Active Directory servers.
Unit Learning Outcomes
Explain user account types and functions
Analyze group types and scopes
Explain default and special ID groups
Create users, computers and groups
Recommend a strategy for creating groups.
Recommend a strategy for creating user accounts.

Key Concepts

User and Group Accounts


Built-in and Special identity Groups
Creating AD Objects

Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 5 Active Directory Administration

Keywords
Use the following keywords to search for additional materials to support your work:

Comma-Separated Value Directory Exchange (CSVDE)


Global Group
Local Group
LDAP Data Interchange Format (LDIF)
Security Account Manager (SAM)
Windows Script Host (WSH)


Learning Activities

THEORY PORTION

Key Concept: User and Group Accounts


Explore Activity 1: Understanding User Accounts in AD

In-class Activity, Ungraded

Description:

Explain to students the following:

User Accounts are perhaps the most basic and useful AD object, used as the primary means for
users (people) to access network resources (computers, data, printers, etc.). Defining valid users
and a means by which to verify that a user is who they say they are is the first step in providing
access to resources in the Active Directory environment.
The combination of a valid user account and a known value, commonly a password, serves to
confirm a user's identity (authentication). Once a user's identity is established, AD can then allow
or deny access to specific resources based on the privileges assigned to the user (authorization).
There are three types of user accounts in Windows Server 2008:
o Local Accounts: These provide access to resources on the local computer and are stored
in the Security Account Manager (SAM) database on the local computer.
o Domain Accounts: These provide access to Active Directory Domain resources and are
stored in the AD database for use throughout the AD environment.
o Built-in User Accounts: These are automatically created and can be local or domain
accounts, depending on whether the server is standalone or part of an AD Domain.
Two examples of built-in accounts are the Administrator and Guest accounts. The local
Administrator account has full control in the local environment, just as the domain Administrator has
full control in the domain environment. The Guest account is used to provide temporary network
access for a user; it is disabled by default and, if it is to be used, should be renamed.
Some basic, best practices for managing the security of user accounts include:
o Rename the Administrator account: The Administrator account is a built-in account and,
as such, is widely known to exist in a default Windows Server configuration. Because this
account has a high level of privileges and is so commonly known, it is a good idea to
rename the account to something not easily guessed.
o Set a strong password: This is a good practice for any account but particularly for those
with high privileges, such as the Administrator account. The password should be long
(seven characters or more) and complex (using upper and lower case letters, numbers
and special characters).
o Limit knowledge of administrator passwords: Limiting this knowledge limits the risk of
security breaches.

o Do not use the Administrator account for daily, non-administrative tasks: Least privilege is
good practice, meaning grant/use the minimal necessary privileges required to
accomplish a task.

Unit Learning Outcome(s) attached to this activity:


Explain User Account types and functions

Course Objective(s) supported by this activity:


Configure Active Directory.

Explore Activity 2: Understanding Group Accounts in AD


In-class Activity, Ungraded

Description:
Explain the following:

In Active Directory, Groups can be used to assign the same set of permissions to multiple users
simultaneously; e.g., instead of assigning rights to the HR folder to each member of the HR
Department, an HR Group can be created, assigning rights to the group and placing HR Staff in
the Group.
When users authenticate to AD, an access token is created identifying the user and all of the
groups the user's account is a member of, collectively granting or denying resource access
(authorization).
Groups can also contain other groups, which is called group nesting.
There are multiple types (how a group can be used in AD) of groups in AD and different scopes
(what types of objects a group can contain):
Group types include distribution groups (non-security groups, commonly used for email
distribution lists) and security groups (security groups for granting resource-access permissions).
Group scopes in AD include:
o Domain Local Groups: Can contain user and computer accounts, global groups and
universal groups from any domain, and domain local groups from the same domain.
Domain Local Groups are used to assign permissions to resources that reside in the
same domain as the group.
o Global Groups: Can contain user and computer accounts and global groups from the
same domain. Global Groups are used to assign permissions to resources anywhere in
the forest.
o Universal Groups: Can contain user and computer accounts, global groups and universal
groups from anywhere in the forest. Universal Groups are used to consolidate groups
and accounts that span multiple domains or an entire forest.
Remember that group scope (domain, global or universal) refers to where the resources are
located as opposed to the members.

Unit Learning Outcome(s) attached to this activity:


Explain Group types and scopes
Course Objective(s) supported by this activity:
Configure Active Directory.
Explain intrasite and intersite replication between the Windows Server 2008 machines.

Key Concept: Built-in and Special identity Groups

Explore Activity 3: Understanding Default and Special Identity Groups


In-class Activity, Ungraded

Description:
Explain the following:

Because there are many universally applicable functions in a typical AD environment, Active
Directory includes many default Groups for common tasks/functions. Default Groups vary
somewhat based on the network services installed on a DC, e.g., the DHCP Users Group is
created when the DHCP Server Role is installed on a DC.
A few examples of default groups include:
o Backup Operators: Able to backup and restore all files on a computer regardless of
specific file permissions.
o Remote Desktop Users: Able to log on to a computer from a remote location.
o Users: Used for general access.
o Domain Admins: Able to perform administrative tasks on any computer in the domain.
See MOAC 70-640 Table 5-1 for a complete listing of Active Directory default groups.
In addition to Default Groups, AD also includes special identity groups. Special ID Group
membership cannot be viewed or manually modified. These provide special functionality in AD.
Some examples of Special ID Groups include the Everyone group, the Local Service group, the
Network group, etc.
See MOAC 70-640 Table 5-2 for a complete listing of Active Directory special identity groups.
In addition to the previously discussed group types, there are also Local Groups, not to be
confused with Domain Local Groups. Local Groups can contain user, computer and group
accounts from AD but are specific to resources on a local computer or server. Local Groups are
not replicated beyond the local computer/server and are contained in the local SAM database
only.

Unit Learning Outcome(s) attached to this activity:


Explain default and special ID groups


Course Objective(s) supported by this activity:


Configure Active Directory.
Use different methods to maintain and troubleshoot Active Directory servers.

Key Concept: Creating Active Directory Objects

Explore Activity 4: Creating Users, Computers and Groups


In-class Activity, Ungraded

Description:
Explain the following:

Creating objects in Active Directory is one of the most common administrative tasks. There are
multiple tools via which to accomplish this task, depending upon the specific circumstances of the
object creation.
Generally, local user accounts and groups will be managed via the local computer/server
Administrative Tools, Computer Management snap-in. This tool provides a familiar interface and
is suitable for creation of a limited number of local users and local groups.
Creation of AD users, computers and groups can be accomplished via batch files, Comma-Separated
Value Directory Exchange (CSVDE), LDAP Data Interchange Format Directory Exchange (LDIFDE),
Windows Script Host (WSH) or the Active Directory Users and Computers snap-in:
o Batch Files facilitate automation of routine and/or repetitive tasks, combining command-line
tools/commands into a single file, usually with the *.bat or *.cmd extension.
o CSVDE is used to import or export AD information in the comma-separated value file
format (*.csv). CSVDE cannot be used to modify or delete existing objects.
o LDIFDE can be used to import or export AD information and can be used to add, delete
or modify AD objects. LDIFDE supports other LDAP compliant directory services.
o WSH functions much like batch files but utilizes Microsoft Visual Basic Scripting Edition
(VBScript) or JScript.
o AD Users and Computers provides an MMC Snap-In, graphical interface to add, delete or
modify AD objects and is often used for managing a small number of additions or
changes.
Batch files have many and varied applications for IT administrative tasks and can be written with
any text editor. The dsadd command can be used to create, delete, view and modify AD objects.
CSVDE uses the common, CSV format, supported by Microsoft Excel for example. CSVDE works
well for importing AD objects that may already exist in a spreadsheet or other CSV-exportable
format. CSVDE is also useful for exporting AD objects to a spreadsheet or other CSV-compatible
application.
LDIFDE is a more flexible option than CSVDE, based on the LDIF standard, allowing
add/modify/delete functionality.

WSH is a powerful scripting environment, allowing for a great many administrative functions, not
limited to AD object creation/modification.

Unit Learning Outcome(s) attached to this activity:


Creating Users, Computers and Groups
Course Objective(s) supported by this activity:
Configure Active Directory.
Use different methods to maintain and troubleshoot Active Directory servers.

LAB PORTION
Practice Activity 1: Lab: TBD
In-class Activity, Graded
See the Lab Manual: Lab 6.

Apply Activity 1: AD User/Group Design Scenario


Homework, Graded
Students will respond to the following scenario with recommendations and considerations.
Facilitation
A junior IT administrator has been tasked with creating groups for newly formed divisions. Respond to
the request for help below:
To: IT Admin
I need to provide access to resources throughout our AD environment and am not sure which strategy is
best for each of these situations. Please provide any thoughts or recommendations for group type and
scope! Thank you.
1. Marketing wants to be able to print the company newsletter to printers in each department
throughout all domains in the forest?
2. HR wants users from anywhere in the forest to be able to print vacation requests to the printer in
the HR Department?
3. Research and Development wants to have administrative access to their workstations and the
member server in their department but wants to make certain that these permissions are specific
to their local machines, not distributed anywhere else?
Junior Admin

Unit Learning Outcome(s) attached to this activity:


Recommend a strategy for creating groups.

Course Objective(s) supported by this activity:


Configure Active Directory.
Use different methods to maintain and troubleshoot Active Directory servers.
Practice Activity 1: AD User and Group Account Creation
Homework, Graded
Students will respond to the following scenario with practical steps and/or a recommended approach to
the problem.
Facilitation
A junior IT administrator has been tasked with the following AD administrative tasks. Respond with
recommendations and considerations:
To: IT Admin
As you may know, we recently acquired a new company and I have been given responsibility to
accomplish the following tasks! I would appreciate any input on the best tool to use for each. Thank you!
1. The acquired company currently uses a Novell NetWare Directory Service. I need to create
user accounts for all of the existing employees, probably about 150!
2. The acquired company uses an email application I have never heard of and will continue to
use this program for the foreseeable future. I need to provide them a list of users (first and
last name and email address) for all users in our company so they can create a contact list in
their email application.
3. I need to create a handful of Groups, maybe 5 to 10, to assign printer resources to each of
the divisions in the newly acquired company?
Junior Admin
Estimated Time: 100 min
Unit Learning Outcome(s) attached to this activity:
Recommend a strategy for creating groups.
Recommend a strategy for creating user accounts.
Course Objective(s) supported by this activity:
Configure Active Directory.

Use different methods to maintain and troubleshoot Active Directory servers.
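An added example for this scenario and for the Explore Activity 4 tool survey, not the guide's or the MOAC lab's own code: one PowerShell onboarding run that uses each tool the unit describes for the task it fits (CSVDE for bulk creation and for the export, dsadd/dsmod for a handful of groups, LDIFDE for modifying existing objects), with the groups laid out AGDLP-style as discussed in Explore Activity 2. The domain lucernepublishing.com, the OU, the two-person stand-in for the 150-user list and the initial password are constructed placeholders; it needs the AD admin tools (a DC or RSAT), a domain admin session and PowerShell 3 or later.

```powershell
# Added example (not the instructor guide's or the MOAC lab's own code): one bulk
# onboarding run using each tool of the unit for the job it fits. Domain, OU,
# names, the two-person stand-in for the 150-user list and the initial password
# are constructed placeholders. Needs the AD admin tools (a DC or RSAT), a domain
# admin session and PowerShell 3 or later.
$Dom  = 'DC=lucernepublishing,DC=com'
$Upn  = 'lucernepublishing.com'
$OU   = "OU=Acquired,$Dom"
$Work = Join-Path $env:TEMP 'ad-onboarding'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Constructed stand-in for the user list exported from the old directory.
$NewHires = @(
    [pscustomobject]@{ First = 'John'; Last = 'Smith'; Sam = 'jsmith'; Dept = 'Sales' }
    [pscustomobject]@{ First = 'Ann';  Last = 'Lee';   Sam = 'alee';   Dept = 'HR' }
)
$Depts = $NewHires | Select-Object -ExpandProperty Dept | Sort-Object -Unique

# 1. dsadd: one OU and a handful of groups, one command each. AGDLP: the global
#    group per division holds the people, the domain local group holds the
#    permission on that division's printer, and the global group is nested in it.
dsadd ou $OU -desc 'Acquired company'
foreach ($d in $Depts) {
    dsadd group "CN=$d Staff,$OU"         -secgrp yes -scope g -desc "$d division members"
    dsadd group "CN=$d Printer Users,$OU" -secgrp yes -scope l -desc "Print to the $d printer"
    dsmod group "CN=$d Printer Users,$OU" -addmbr "CN=$d Staff,$OU"
}

# 2. CSVDE import: the tool for many *new* objects that already sit in a spreadsheet.
#    CSVDE cannot set passwords, so accounts are created disabled (userAccountControl
#    514 = normal account + disabled) and enabled in step 4.
$rows = foreach ($u in $NewHires) {
    [pscustomobject]@{
        DN                 = "CN=$($u.First) $($u.Last),$OU"
        objectClass        = 'user'
        sAMAccountName     = $u.Sam
        userPrincipalName  = "$($u.Sam)@$Upn"
        givenName          = $u.First
        sn                 = $u.Last
        displayName        = "$($u.First) $($u.Last)"
        department         = $u.Dept
        userAccountControl = 514
    }
}
$rows | Export-Csv -Path "$Work\newusers.csv" -NoTypeInformation
csvde -i -f "$Work\newusers.csv" -k      # -k: continue past "object already exists" errors

# 3. LDIFDE: the tool for *modifying* existing objects, which CSVDE cannot do.
#    Each change record adds the new user to the global group of their division.
$ldif = foreach ($u in $NewHires) {
@"
dn: CN=$($u.Dept) Staff,$OU
changetype: modify
add: member
member: CN=$($u.First) $($u.Last),$OU
-

"@
}
Set-Content -Path "$Work\members.ldf" -Value $ldif -Encoding ASCII
ldifde -i -f "$Work\members.ldf" -k

# 4. dsmod: set an initial password, force a change at first logon, enable the account.
foreach ($u in $NewHires) {
    dsmod user "CN=$($u.First) $($u.Last),$OU" -pwd 'ChangeMe!2013' -mustchpwd yes -disabled no
}

# 5. CSVDE export: the contact list (first name, last name, e-mail address) for the
#    other company's mail application, in a format any spreadsheet opens.
csvde -f "$Work\contacts.csv" -d $Dom -r '(&(objectCategory=person)(objectClass=user)(mail=*))' -l 'givenName,sn,mail'
```

Steps 2 and 3 are deliberately split between the two tools: CSVDE handles the 150 new accounts in one pass, and LDIFDE handles the membership changes because only it can modify objects that already exist. For the handful of groups, dsadd on the command line is quicker than either file format and keeps the scope choice (global for members, domain local for the resource) explicit.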


Unit Summary:
This unit covers user and group accounts and the most common Active Directory administrative tasks
associated with these, including the various tools available for administering user and group accounts.


Unit 7: Security Planning and Administrative Delegation


Course Objectives Covered by this Unit
CO3. Configure Active Directory.
CO8. Analyze different techniques to secure Windows Server 2008
Unit Learning Outcomes
Plan user-account security
Implement user-account security
Secure access to active directory
Plan organizational unit structure
Recommend a password policy.
Determine the necessary information for recommending an OU Structure.

Key Concepts

Planning User-Account Security


Implementing User-Account Security
Securing Active-Directory Access
Creating Active Directory Objects

Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 6 Security Planning and Administrative Delegation

Keywords
Use the following keywords to search for additional materials to support your work:

Active Directory Migration Tool (ADMT)


Dictionary Attack
DSMove
Password Cracking
Runas
Secondary Logon


Learning Activities

THEORY PORTION

Key Concept: Planning User-Account Security


Explore Activity 1: Understanding User Account Security
In-class Activity, Ungraded
Description:
Explain to students the following:

In an Active Directory environment, the combination of two pieces of information allows or denies
access to network resources: username and password. If these two pieces of information are
compromised, access to the network is compromised. Planning and implementing user-account
security is one of the most fundamental components of securing a network infrastructure.
The first component of designing user-account security is the username, which is often
overlooked in security planning. Usernames generally follow a corporate standard naming
convention, often first initial plus last name, e.g., jsmith. Unfortunately, this particular combination is
extremely easy to guess, and the corporate information from which the username is derived is often
not a closely guarded secret. Many corporate websites contain all of the information needed to
easily guess usernames.
There are many possible username naming conventions, including a limited character
combination of first and last name with a number appended, e.g., JSmith123; or last name followed
by first initial followed by a number, e.g., SmithJ123, etc.
Remember that the username represents 50% of the information needed to gain access to
network resources and should be as carefully planned as the password.
Best practices indicate using something other than just the first name or the first initial last name.
The second component of designing user-account security is the password (an alphanumeric
string used in combination with a username to validate a user's identity, i.e., authentication).
Alternatives to passwords are becoming more common, such as personal identification numbers
(PIN), Smart Cards and biometric devices (thumbprint readers, etc).
Security is always inconvenient, and the IT Administrator's job is to strike the right balance between
security and convenience for the users. We could easily choose extremely secure passwords for all
users, such as Xjhh8&*1!@hhHH, which the users could never remember, forcing them to write
them down for reference and effectively compromising network security.
As an IT Admin, critical components of designing user-account security are an awareness of the
needs of the user in conjunction with the extreme importance of network security. As such,
educating the users is of utmost importance.
Help users to understand some basic guidelines for protecting their passwords:
o If you have to write it down, keep the paper in a secure location.
o Don't give your password to anyone.
o Do not save your password on your computer (auto-login features, cached entries, etc).

Always use a strong password.

Unit Learning Outcome(s) attached to this activity:
Plan user-account security
Course Objective(s) supported by this activity:
Analyze different techniques to secure Windows Server 2008
Key Concept: Implementing User-Account Security
Explore Activity 2: Implementing User-Account Security
In-class Activity, Ungraded
Description:
Explain the following:
By definition, a strong password is a password that is difficult to compromise.
Examples of weak passwords include words from the dictionary, names of relatives or pets, and well-known
personal dates like an anniversary or street address. Statistically, one of the most common
passwords used is "password".
Methods for compromising passwords are numerous and varied, including social engineering
(manipulating someone into unintentionally giving information needed to discern a password) and
password cracking. Password cracking is an attempt to discover a user's password, generally
using a software tool. Types of password cracking include brute force attacks (using a software
tool to go through every possible combination of characters until the password is discovered) and
dictionary attacks (using a set of predefined words or character combinations to discover a
password).
As an IT Administrator, it is important to develop a password policy that aligns with the needs of
the organization, eg the password policy for a Department of Defense Contractor should be more
stringent than the password policy for ABC Comics.
Designing a password policy comes down to these decisions:
o How long should the passwords be?
o What character sets should they contain (upper/lower case alpha, numeric and/or special
characters)?
o What character sets should passwords NOT contain (username, dictionary words, etc)?
o How often should passwords be changed?
Best practices for a strong password include 8 characters in length and a combination of all character
sets (upper/lower alpha, numbers and special symbols).
These best practices can be technically enforced via Windows Server 2008 security settings, but
it is important to help users understand the requirement and to encourage creative strategies to
make passwords easy to remember but hard to guess, such as the use of phrases or
mnemonics, eg if a user loves to fish they might use a password regarding their favorite lake
(meaningful to them, easy to remember but hard for someone else to guess): Love2Fish@Lake.
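Added example (not part of the course materials): a Python check that applies the policy decisions above to a candidate password: minimum length, character sets, no username and no dictionary word. The sample wordlist, rule names and function names are my own assumptions; the 3-of-4 class option models the Windows "password must meet complexity requirements" rule rather than the unit's all-four-sets best practice.

```python
import re
import string

# Constructed stand-in for a real dictionary file used by a dictionary attack.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "letmein", "comics"}


def char_classes(password: str) -> set:
    """Return which of the four character sets the password draws from."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def policy_violations(password: str, username: str, min_length: int = 8,
                      required_classes: int = 4,
                      dictionary: set = SAMPLE_DICTIONARY) -> list:
    """Return the names of every policy rule the candidate password breaks.

    required_classes=4 is the unit's best practice (all character sets);
    3 models the Windows complexity rule (three of the four sets).
    """
    violations = []
    if len(password) < min_length:
        violations.append("too_short")
    if len(char_classes(password)) < required_classes:
        violations.append("missing_character_classes")
    # The username check is case-insensitive, as in the Windows rule.
    if username and username.lower() in password.lower():
        violations.append("contains_username")
    # Strip digits and symbols before the dictionary lookup so that
    # 'Password1!' is still caught, while a multi-word phrase such as
    # Love2Fish@Lake (letters: lovefishlake) is not a single dictionary word.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in dictionary:
        violations.append("dictionary_word")
    return violations


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "JSmith2013!", "Love2Fish@Lake"):
        print(candidate, "->", policy_violations(candidate, "jsmith") or "OK")
```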
Unit Learning Outcome(s) attached to this activity:
Implementing User-Account Security
Course Objective(s) supported by this activity:
CO8. Analyze different techniques to secure Windows Server 2008

Key Concept: Securing Access to Active Directory
Explore Activity 3: Securing Admin Access to AD
In-class Activity, Ungraded
Description:
Explain the following:
The principle of least privilege is critical in securing access to network resources: assign and use
the least privileges necessary to accomplish a task.
Because the Administrator accounts, including Domain Admins, Enterprise Admins and Schema
Admins, have such extensive privileges, these accounts should only be used when necessary to
perform an administrative task and should have extra measures of security to protect them.
Windows Server 2008 provides the runas feature to easily elevate privileges to perform
administrative tasks. Runas can be used from a command line to specify a logon account to use
to perform a task. Run as administrator can also be used in some situations from the graphical
user interface (GUI) in Windows Server 2008.
Runas functions as follows:
o Maintains your primary logon (the account you used to log into Windows), creating a
secondary logon for administrative access.
o The secondary logon is only valid while using the tool/program you launched via the
runas command.
o Runas does not support all Windows functionality, such as an operating system upgrade
or configuration of system parameters.
o Runas requires the secondary logon service.
o Runas and run as administrator can be used to start two separate instances of a
secondary logon to elevate privileges.
o Runas can be used for secondary logon for any available account, not just admin
accounts.
Run as administrator can be accessed by navigating to the desired application, pressing and
holding down the Shift key, right-clicking the application and selecting run as administrator.
Runas can be accessed by opening a command prompt and typing the runas command, followed
by appropriate command-line options.
Unit Learning Outcome(s) attached to this activity:
Secure Access to Active Directory
Course Objective(s) supported by this activity:
CO8. Analyze different techniques to secure Windows Server 2008

Key Concept: Creating Active Directory Objects
Explore Activity 4: Understanding Organizational Unit Strategies
In-class Activity, Ungraded
Description:
Explain the following:
Organizational Units (OUs) are objects in Active Directory that can contain other OUs, users,
computers and groups and can be used to manage users and computers via Group Policy
Objects. Generally, OUs are designed hierarchically in an AD environment to group resources
and users/computers to mirror your organizational structure.
OUs are often designed to match the functional structure of your organization, eg OUs
representing the departments in the organization, such as HR, Sales, Marketing.
OUs may also be designed to match the geographical structure of your organization, eg based on
physical locations such as SFO, NYC, etc.
Another strategy for OU design is a combination of both functional and geographical, eg an SFO
OU with a nested OU for HR and Sales, and another OU for NYC with nested Marketing and
Management OUs.
One of the distinct benefits of Organizational Units is the ability within Active Directory to give
limited control over certain administrative tasks (delegation) at the level of an OU and the resources it
contains, including other OUs. For example, you might want to allow the Manager of the Call Center in SFO
to create and delete User accounts in their respective OU due to high staff turnover.
AD provides a tool called the Delegation of Control Wizard, which walks you through delegating
permissions to domains, OUs or containers, allowing you to choose Users and the tasks they
should be able to perform.
OUs can also be used to provide consistent user, computer and member server configurations
via Group Policy Objects (GPOs). GPOs provide powerful policies for controlling many aspects of
computer, server and user configuration.
Keeping all of these factors and functions in mind will help you design an effective OU structure
and, as your organization grows and changes, you can easily move objects around in AD from OU
to OU, even moving OUs themselves, via familiar Windows drag-and-drop functionality in AD Users and
Computers.

Unit Learning Outcome(s) attached to this activity:
Plan Organizational Unit Structure
Course Objective(s) supported by this activity:
CO3. Configure Active Directory.

LAB PORTION
Practice Activity 1: Lab 1: Employing Security Concepts
In-class Activity, Graded
See the Lab Manual: Lab 7.

Apply Activity 1: AD Password Policy Planning Scenario
Homework, Graded
Students will respond to the following scenario with recommendations and considerations.
Facilitation
You are an IT consultant and receive the following email from a client. Respond with recommendations
and considerations to the following questions:
To: IT Consultant
A competitor recently got hacked and our board of directors is suddenly concerned about information
security! However, as a business manager, I am concerned about employee productivity! I don't want
staff to have to jump through 17 security hoops before getting to work every morning. Can you please
give me your opinion regarding what a strong password is and why, as a business manager, I should
care? What would you consider a reasonable approach?
Thank you,
Business Manager
Unit Learning Outcome(s) attached to this activity:
Recommend a password policy.

Course Objective(s) supported by this activity:
CO8. Analyze different techniques to secure Windows Server 2008
Practice Activity 1: AD OU Planning Scenario
Homework, Graded
Students will respond to the following scenario with a list of questions to obtain the appropriate
information to successfully complete their assigned task.
Facilitation
As an IT Administrator, you have been tasked with designing an Active Directory Domain Organizational
Unit Structure for a new AD implementation at an existing organization. You are scheduled to meet with
the management team and need to formulate a list of questions you will need answered in order to
recommend an OU Structure appropriate to the organization.
Develop a list of 5-10 questions to guide your design plan.
Estimated Time: 100 min
Unit Learning Outcome(s) attached to this activity:
Determine the necessary information for recommending an OU Structure.

Course Objective(s) supported by this activity:
CO3. Configure Active Directory.
Unit Summary:
This unit covered considerations and recommendations for security planning for Users and Groups in an
Active Directory environment, as well as considerations for securing access to Active Directory. This unit
also covered how to plan an Organizational Unit structure to help effectively manage resource access
and AD object management.

Unit 8: Introduction to Group Policy & Configuring the User & Computer
Environment Using Group Policy
Course Objectives Covered by this Unit
CO3. Configure Active Directory.
CO7. Analyze Group Policy applications
CO8. Analyze different techniques to secure Windows Server 2008
CO9. Use different methods to maintain and troubleshoot Active Directory servers.
Unit Learning Outcomes
Describe Group Policy.
Implement Group Policy.
Configuring Group Policy to install and manage software on the Windows 7 client machine.
Manage and Maintain Group Policy.
Configure Group Policies in a Mixed Client OS environment.
Contrast Group Policies supported by different operating systems.
Recommend policies to control user/computer configuration.
Use advanced Group Policy management tools to control Group Policy application.

Key Concepts
Explaining Group Policy
Planning and Implementing Group Policy
Configuring Security Policies with GPOs
Configuring User Settings with GPOs
Maintaining Group Policy
Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 7 Introduction to Group Policy
Lesson 8 Configuring the User and Computer Environment Using Group Policy
Keywords
Use the following keywords to search for additional materials to support your work:
ADMX
Domain GPO
Group Policy Management Console (GPMC)
Loopback Processing
Windows Deployment Services (WDS)
Account Lockout Policies
Fine-Grained Password Policies (FGPP)
Key Distribution Center (KDC)
Password Settings Object (PSO)

Learning Activities
THEORY PORTION
Key Concept: Explaining Group Policy
Explore Activity 1 Introduction to Group Policy
In-class Activity, Ungraded
Description:
Explain to students the following:

Group Policies in a Windows Server 2008 Active Directory environment provide a powerful set of
tools to apply computer and user settings throughout the network for any systems running
Windows 2000 and newer (older versions of Windows do not support all of the features of Group
Policy that newer versions support).
The settings that can be managed via Group Policy are numerous but include the following major
categories:
o Registry-based policies: This is a broad category based on Windows registry changes,
such as Desktop settings and environment variables.
o Software installation policies: These can be used to distribute software, from complete
application installation to updates.
o Folder redirection: These policies allow common folder locations to be redirected to
network locations, eg redirecting My Documents to a centralized user share on the
network for backup and accessibility.
o Offline file storage: These settings can be used to make network files available on a
system even when not connected to the network (caches local copies and synchronizes
to the network when attached).
o Scripts: These policies can be used to apply logon, logoff, startup and shutdown scripts
for configuring the user environment.
o Windows Deployment Services (WDS): These policies aid in the installation and repair of
Windows.
These categories cumulatively allow fine-grained control of everything from installing a Microsoft
Word patch to a standard corporate Desktop wallpaper to mapped drives and uniform Desktop
shortcuts, as well as security policies such as password length, complexity, etc.
Group Policies are applied through Group Policy Objects (GPOs). A GPO can contain just a few
or many configuration settings for users and/or computers, as appropriate to your environment.
GPOs are applied (linked) to OUs, domains or sites, applying to the objects they contain. Security
group filtering allows configuration of exclusions for items within the OU, domain or site that you
do not want the GPO to apply to.
Consider a network environment with 200 computers. Without Group Policy, if the users required
their My Documents redirected to a network location and offline files enabled, an administrator
would have to physically configure each computer! With Group Policy, these settings can be
configured, tested and applied centrally, saving a great deal of time, reducing the risk of error via
uniform configuration settings and easily accommodating policy changes in the future. These
benefits represent just one example of the return on investment (ROI, tangible benefits to the
organization) of Group Policy, practically reducing the total cost of ownership (TCO) of
workstation and server management in an Active Directory environment.
Unit Learning Outcome(s) attached to this activity:
Describe Group Policy.
Course Objective(s) supported by this activity:
CO7. Analyze Group Policy applications
Key Concept: Planning & Implementing Group Policy
Explore Activity 2: Implementing Group Policy
In-class Activity, Ungraded
Description:
Explain the following:
Because of the power and myriad options available via Group Policy, as well as the hierarchical
way GPOs are applied, it is important to approach the design of Group Policy Objects (GPOs)
thoughtfully and methodically. Although security filtering can be used to exclude objects from
receiving GPO settings, best practices are to design GPOs to broadly apply to all objects within
the OU, domain and/or site to which they are applied.
It is important to understand that there are three distinct types of GPO:
o Local: Stored on the local computer, these GPOs have fewer configuration options and
cannot be used to redirect folders or install software.
o Domain: Created in Active Directory and linked to OUs, domains and/or sites, these are
stored in both the Group Policy Container (GPC an AD object storing GPO properties)
and Group Policy Templates (GPTs located in the policies subfolder of the SYSVOL
share).
o Starter: These are new to Windows Server 2008 and can be used as a starting point
(template) for creation of a new GPO.
Domain and local GPOs can be used in concert. If conflicting settings exist between local and
domain GPOs, domain GPOs take precedence.
The Group Policy Container (GPC) can be viewed via the Active Directory Users and Computers
console.
Group Policy Templates (GPTs) can be viewed by navigating to the SYSVOL share on a DC, eg
C:\Windows\Sysvol\Sysvol\mydomain.local\Policies. GPTs are represented by GUIDs, eg
{6AC1786C-016F-11D2-945F-00C04FB984F9}.
Unit Learning Outcome(s) attached to this activity:
Implement Group Policy.
Course Objective(s) supported by this activity:
CO3. Configure Active Directory.
CO7. Analyze Group Policy applications
Explore Activity 3: Configuring Group Policy Settings
In-class Activity, Ungraded
Description:
Explain the following:
The Group Policy Management Console is used to create and modify Group Policy Objects
(GPOs). The specific settings within a GPO are edited using the Group Policy Management
Editor.
To implement a GPO, it is necessary to create a GPO, edit settings and link to an OU, domain
and/or site. However, the specific order of these steps depends on your preferred method of
implementation, eg you can create and link in one step or create a new GPO and then link it later.
Remember that GPOs are hierarchical and that, by default when linking a GPO to an OU, domain
or site, the GPO will apply to all child objects of the OU, domain or site.
When editing GPO settings via the Group Policy Management Editor, you will find a Computer
Configuration node as well as a User Configuration node, each with varying settings that apply
specifically to the computer or user. Both the Computer and User nodes contain subnodes:
o Software Settings: Computer settings are applied to anyone who logs onto the computer,
whereas User settings are applied based on the User logging in irrespective of which
computer they are logging into.
o Windows Settings: Contains security settings, scripts, folder redirection options, etc.
Again, Computer settings are applied to the computer irrespective of who logs in,
whereas User settings are applied based on the User login irrespective of which
computer is used.
o Administrative Templates: These contain registry-based policy settings. Over 100 admin
templates are installed by default, based on eXtensible Markup Language (XML) and
stored in ADMX files.
In some situations, a computer/user will be subject to multiple GPOs, including local and domain
(site, domain and/or OU policies). These policies are processed in the following order: local, site,
domain, OU (LSDOU). It may be helpful to remember that the domain policy located closest to
the object takes precedence.
Although LSDOU describes default processing, exceptions can be configured. GPOs can be
configured with the following options:
o Enforce: Cannot be blocked by any child OU.
o Block Policy Inheritance: Blocks inheritance from a parent OU. Enforce overrides this
setting.
o Loopback Processing: Loopback refers to the GPO processing as normal, following
which the computer settings are reapplied after the user policies have been processed,
providing two options for GPO list processing:
Merge: Settings are appended. In conflicts, the computer policy takes
precedence.
Replace: Reapplied Computer settings overwrite previously applied settings.
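Added example (not from the course or the MOAC text): a Python model of LSDOU processing with Enforce and Block Policy Inheritance, so the precedence rules above can be worked through on a constructed container chain. The GpoLink and Container classes, the setting names and the SFO/HR OUs are assumptions rather than Windows objects; loopback processing is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class GpoLink:
    """One GPO linked to a container; settings are name -> value pairs."""
    name: str
    settings: Dict[str, str]
    enforced: bool = False      # the link's Enforced flag in GPMC


@dataclass
class Container:
    """A local computer, site, domain or OU together with its linked GPOs."""
    name: str
    level: str                  # "local", "site", "domain" or "ou"
    links: List[GpoLink] = field(default_factory=list)  # in applied order (last wins)
    block_inheritance: bool = False


def application_order(chain: List[Container]) -> List[GpoLink]:
    """GPOs in the order they are applied to an object in the last container.

    `chain` runs local, site, domain, then OUs from the top down (LSDOU).
    Later GPOs overwrite earlier ones, so:
      * normal links are applied in LSDOU order (the closest OU wins);
      * Block Inheritance on a container discards non-enforced links from
        every container above it (the local GPO is not a link and is kept);
      * enforced links are never blocked and are applied after all normal
        links, highest level last, so an enforced parent beats any child.
    """
    lowest_block = -1
    for i, container in enumerate(chain):
        if container.block_inheritance and container.level != "local":
            lowest_block = i

    normal: List[GpoLink] = []
    enforced_by_container: List[List[GpoLink]] = []
    for i, container in enumerate(chain):
        blocked = container.level != "local" and i < lowest_block
        enforced_here = []
        for link in container.links:
            if link.enforced:
                enforced_here.append(link)
            elif not blocked:
                normal.append(link)
        enforced_by_container.append(enforced_here)

    enforced = [link for group in reversed(enforced_by_container) for link in group]
    return normal + enforced


def resultant_policy(chain: List[Container]) -> Dict[str, str]:
    """Merge the settings of every applied GPO; the last writer wins."""
    result: Dict[str, str] = {}
    for link in application_order(chain):
        result.update(link.settings)
    return result


def sample_chain(block_sfo: bool = True) -> List[Container]:
    """Constructed scenario: a user in the SFO\\HR OU of mydomain.local."""
    return [
        Container("Local", "local", [GpoLink("Local GPO",
                  {"Wallpaper": "default.jpg", "ShowRunCommand": "no"})]),
        Container("SFO-Site", "site", [GpoLink("Site Proxy",
                  {"ProxyServer": "proxy.sfo:8080"})]),
        Container("mydomain.local", "domain", [GpoLink("Default Domain Policy",
                  {"USBStorage": "disabled"}, enforced=True)]),
        Container("SFO", "ou", [GpoLink("SFO Desktop", {"Wallpaper": "sfo.jpg"})],
                  block_inheritance=block_sfo),
        Container("HR", "ou", [GpoLink("HR Policy",
                  {"USBStorage": "enabled", "ScreenSaverTimeout": "900"})]),
    ]


if __name__ == "__main__":
    for gpo in application_order(sample_chain()):
        print("applies:", gpo.name, "(enforced)" if gpo.enforced else "")
    print(resultant_policy(sample_chain()))
```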
Unit Learning Outcome(s) attached to this activity:
Configuring Group Policy to install and manage software on the Windows 7 client machine.
Course Objective(s) supported by this activity:
CO3. Configure Active Directory.
CO7. Analyze Group Policy applications
Key Concept: Configuring Security Policies with GPOs
Explore Activity 4: Implementing GPO Security Policies
In-class Activity, Ungraded
Description:
Explain the following:
Most of the GPO security settings can be found in the Windows Settings folder under the
Computer node. Everything from password length to event auditing to IPSec policies can be
managed centrally.
Some of the subnodes under the Windows Settings include:
o Account Policies: Password policies, lockout policies, Kerberos policies.
o Local Policies: Local computer policies.
o Event Log Policies: Event viewer log configuration.
o IPSec Policy: Administrative control of mandatory IPSec policies.
Although the security settings are primarily applied via the Computer node, there are two
additional nodes under the User Configuration that control user-specific security policies:
o Public Key Policies: Security certificate settings.
o Software Restriction Policies: Disallow applications.
Fine-Grained Password Policies (FGPP) are new to Windows Server 2008 and allow for multiple
password policies. Previous versions of Windows only allowed for a single, domain-wide
password policy.
Some of the available security configuration options under Computer Configuration, Windows
Settings, Security Settings, Account Policies include:
o Password: Minimum password length, maximum password age, require password
complexity, etc.
o Account Lockout: Lockout duration, lockout threshold, etc (these settings control how
many times a password can be entered incorrectly before the account is locked out and
can no longer log in).
o Kerberos: These settings control AD authentication, whose default mechanism is
Kerberos. Kerberos allows domain access by issuing a ticket via the Key Distribution
Center (KDC). Tickets are only valid for a limited time. Kerberos policies allow
configuration of the period of validity, etc.
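Added example (not from the course materials): a Python simulation of the Account Lockout settings, counting bad password attempts against the threshold, resetting the counter after the observation window ("Reset account lockout counter after", the third setting in this node) and unlocking automatically once the lockout duration has elapsed. The class and function names and the sample attempt timelines are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """The three Account Lockout settings, expressed in minutes."""
    threshold: int = 5      # "Account lockout threshold": 0 = never lock out
    reset_after: int = 30   # "Reset account lockout counter after"
    duration: int = 30      # "Account lockout duration": 0 = until an admin unlocks


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[int] = None      # minute of the last failed attempt
    locked_until: Optional[int] = None  # None = unlocked, -1 = until admin unlock


def record_attempt(policy: LockoutPolicy, state: AccountState,
                   minute: int, success: bool) -> str:
    """Apply one logon attempt; returns 'ok', 'bad_password' or 'locked_out'."""
    if state.locked_until is not None:
        # A locked account is refused even when the password is correct.
        if state.locked_until == -1 or minute < state.locked_until:
            return "locked_out"
        state.locked_until = None       # duration elapsed: automatic unlock
        state.bad_count = 0
    if success:
        state.bad_count = 0             # a good logon clears the counter
        return "ok"
    # Bad attempt: the counter resets once the observation window has passed.
    if state.last_bad is not None and minute - state.last_bad >= policy.reset_after:
        state.bad_count = 0
    state.bad_count += 1
    state.last_bad = minute
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_until = -1 if policy.duration == 0 else minute + policy.duration
        return "locked_out"
    return "bad_password"


def replay(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Replay a list of (minute, success) attempts against a fresh account."""
    state = AccountState()
    return [record_attempt(policy, state, minute, ok) for minute, ok in attempts]


if __name__ == "__main__":
    # Constructed timeline: five wrong guesses in a row, then the real password.
    guesses = [(m, False) for m in range(5)] + [(5, True), (35, True)]
    print(replay(LockoutPolicy(), guesses))
```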
Some of the available security configuration options under Computer Configuration, Windows
Settings, Security Settings, Local Policies include:
o Audit Policy: Allows configuration of logging for security events, including successful
and/or failed logon events, account and object access. Auditing for Directory Service
Access and Object Access require the additional step of configuring the objects to be
audited.
o User Rights Assignment: Allows configuration of user rights needed to perform system
tasks.
o Security Options: Allows configuration of digital signing, driver installation, floppy/CD-ROM access, etc.
Under Computer Configuration, Windows Settings, Security Settings, you will also find:
o Restricted Groups, which allows configuration of group-membership lists (who belongs to
which group, eg Local Administrators or Backup Operators).
o System Services, which allows configuration of startup and security settings for services
running on the computer.

Unit Learning Outcome(s) attached to this activity:
Configuring Group Policy to install and manage software on the Windows 7 client machine.
Course Objective(s) supported by this activity:
CO3. Configure Active Directory.
CO7. Analyze Group Policy applications
CO8. Analyze different techniques to secure Windows Server 2008
Key Concept: Configuring User Settings with GPOs
Explore Activity 5: Configuring User Policy Settings
In-class Activity, Ungraded
Description:
Explain the following:
The User Configuration node in a GPO includes functions to control settings specific to the user
account being used for logon.
Under User Configuration, Policies, Windows Settings, you will find these subnodes: Remote
Installation Services, Scripts (logon/logoff), Security Settings, Folder Redirection, Policy-Based
QoS and Internet Explorer Maintenance.
Folder Redirection allows for administrative configuration of redirection of the Documents,
Application Data, Desktop and Start Menu folders to a network location or alternate local location.
The chief benefits of folder redirection are ease of backup and accessibility from outside of the
local computer.
Folder Redirection settings allow for basic redirection (all users receiving this policy setting will be
directed to the same folder location, with individual subfolders) or advanced redirection
(redirection location differs based on user group membership).
As with many GPO settings, Folder Direction can be applied in such a way that the policy is
removed when a user falls outside of the scope of the GPO or it can be configured to leave the
settings in place even after a user is no longer subject to the GPO (tattooing). When a policy is
configured for tattooing, it will not be reversed unless another GPO overwrites the setting.
Offline Files is a separate Group Policy category but is often used in conjunction with Folder
Redirection. It can be found under User Configuration, Policies, Administrative Templates,
Network. As the name implies, Offline Files settings can be used to make network files accessible
to users even when they are disconnected (offline) from the network. The policy settings can
control which files are available offline, how the files are synchronized and cached.

Under User Configuration, Policies, Administrative Templates, System, you can administratively
control the amount of storage space that can be used for user data (disk quotas). Quotas can be
configured to log disk-use overage, warn the user and/or enforce disk-usage limitations.

Unit Learning Outcome(s) attached to this activity:
Configuring Group Policy to install and manage software on the Windows 7 client machine.
Course Objective(s) supported by this activity:
CO3. Configure Active Directory.
CO7. Analyze Group Policy applications
Key Concept: Maintaining Group Policy
Explore Activity 6: Maintaining and Optimizing Group Policy
In-class Activity, Ungraded
Description:
Explain the following:
Following creation of GPOs, it is important to understand how and when the settings are actually
applied to the computers and users within the scope of the policies.
By default, Computer Configuration policies are applied when a computer starts and User
Configuration policies are applied during user logon. These policies are intermittently refreshed
throughout the day, to accommodate changes/updates to GPOs without forcing the users to
restart and logon again.
The GPO refresh intervals can be customized via the Computer Configuration, Policies,
Administrative Templates, System, Group Policy node. Default is 90 minutes with a random offset
of 0 to 30 minutes. DC refresh interval is set to 2 minutes by default. The same policies can be
found under the User Configuration, Policies, Administrative Templates, System, Group Policy for
user policy refresh interval.
There are times when it is beneficial to force a GPO refresh, particularly during testing. Windows
Server 2003 and Server 2008 include the gpupdate.exe command-line tool to accomplish this. From a
command prompt, enter gpupdate /target:user or gpupdate /target:computer to force a refresh of
user/computer policies.
You can increase the performance of GPO processing by disabling processing of either the
computer or user configuration portions of a GPO, if they are not being used. This can be
accomplished via the Group Policy Management Console.
Unit Learning Outcome(s) attached to this activity:
Manage and Maintain Group Policy.
Course Objective(s) supported by this activity:
Analyze Group Policy applications

LAB PORTION
Practice Activity 1: Lab 1: Exploring Group Policy Administration
In-class Activity, Graded
Description
See the Lab Manual: Lab 8.
Estimated Time: 100 minutes
Unit Learning Outcome(s) attached to this activity:
Use advanced Group Policy management tools to control Group Policy application.
Course Objective(s) supported by this activity:
Configure Active Directory.
Analyze Group Policy applications
Analyze different techniques to secure Windows Server 2008
Use different methods to maintain and troubleshoot Active Directory servers
Practice Activity 2: Group Policy in a Mixed Client OS Environment
Homework, Graded
Description
Although Group Policies are compatible with Windows 2000 and newer versions of Windows, some policy
settings are not backwards compatible, eg Remote Desktop settings do not apply to Windows 2000.
Research and identify five policies that are supported by Windows Vista and/or Windows 7 but not with
Windows XP or older.
Estimated Time: 60 min
Unit Learning Outcome(s) attached to this activity:
Contrast Group Policies supported by different operating systems.
Course Objective(s) supported by this activity:
CO7. Analyze Group Policy applications
Apply Activity 1: Administrative Control versus Trust: Research/Scenario
Homework, Graded
Students will respond to the following scenario with recommendations and considerations.
Facilitation

You are an IT consultant and receive the following email from a client. Respond with recommendations
and considerations to the following questions:
To: IT Consultant
We have an existing network consisting of approximately 40 workstations in a Windows Workgroup
environment. We do not currently take advantage of local policies to control user/computer configuration,
as it is too cumbersome to manage on each individual computer. We are implementing an Active
Directory Domain and are excited about the possibility of being able to control user and computer settings
particularly from a security perspective.
We understand that there are hundreds and hundreds of options for things we can control and are hoping
you can help us by recommending the most important initial policies? Users have had complete control of
their desktops up to this point, so we would like to strike a balance between trust and control!
Thank you,
Business Manager
Unit Learning Outcome(s) attached to this activity:
Recommend policies to control user/computer configuration.
Course Objective(s) supported by this activity:
CO7. Analyze Group Policy applications

Unit Summary:
This unit covered Group Policy, the function and value of Group Policy Objects, and how some of the
computer and user settings can be configured and applied. Policy processing, refresh intervals and
maintenance were also covered.

Unit 9: Performing Software Installation with Group Policy and Planning a Group
Policy Management and Implementation Strategy
Course Objectives Covered by this Unit
CO3. Configure Active Directory.
CO7. Analyze Group Policy applications
CO8. Analyze different techniques to secure Windows Server 2008
CO9. Use different methods to maintain and troubleshoot Active Directory servers.
Unit Learning Outcomes
Manage Software through Group Policy.
Install Software with Group Policy.
Manage Group Policy.
Filter Group Policy Scope.
Test and Troubleshoot GPO Results.
Perform software installation with Group Policy.
Determine information needed to develop an implementation scenario.
Recommend an approach for installing software.
Key Concepts
Managing Software with Group Policy
Implementing Software with Group Policy
Restricting Software with Group Policy
Managing Group Policy
Filtering Group Policy Scope
Testing GPO Results
Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 9 Performing Software Installation with Group Policy
Lesson 10 Planning a Group Policy Management and Installation Strategy
Keywords
Use the following keywords to search for additional materials to support your work:
Distribution Share
Hash Algorithm
.msi File
System Development Life Cycle (SDLC)
.zap File
Common Information Management Object Model (CIMOM)
GPResult
Resultant Set of Policy (RSoP).
Windows Management Instrumentation (WMI)

Learning Activities
THEORY PORTION
Key Concept: Managing Software with Group Policy
Explore Activity 1 Understanding Group Policy Software Management
In-class Activity, Ungraded
Description:
Explain to students the following:

One of the most onerous tasks of administering a computer network is installation, maintenance
and management of software applications. Group Policy provides tools to dramatically increase
the efficiency and control of installing, upgrading, patching and removing software from domain
computers.
The System Development Life Cycle (SDLC) is an industry standard, structured approach to
development of information systems software, projects and components. The Software Life cycle
is a derivative specific to the life cycle of business applications, from evaluation to deployment to
discontinuation of use. Specific phases of the Software Life Cycle include:
o Planning: Analysis, compatibility, installation methods.
o Implementation: Prep for deployment.
o Maintenance: Tasks required to keep the software application running smoothly.
o Removal: Clean removal in preparation for a new software life cycle.
Group Policy can assist particularly in the last three phases of the Software Life Cycle.
Windows Server 2008 uses the Windows Installer to install and manage an .msi file. An .msi is a
relational database file. The Windows Installer Service on the client-side uses the .msi file to
install, manage, patch and remove the managed application.
Many software applications are available in an .msi package, particularly Microsoft applications,
such as Microsoft Office. However, sometimes the .msi package needs to be customized for a
particular implementation, in which case an .mst (msi transform) can be created for custom
deployment.
.msp files are patch files, used to apply updates, service packs or hot fixes to installed .msi
applications.
Software applications that are not available in an .msi format can be repackaged using a third-party application (Wyse, Altiris, etc.), creating an .msi that supports Group Policy management
and deployment features.
When an application cannot be repackaged as an .msi, a .zap file can be created to publish an
application. A .zap file, much like an .ini file, contains additional package installation information,
but does not fully support all of the Group Policy deployment and management options: can only
be published not assigned; cannot be configured for unattended installation; may require manual
privilege elevation; cannot be automatically removed, etc.

Unit Learning Outcome(s) attached to this activity:


Manage Software through Group Policy.


Course Objective(s) supported by this activity:
Analyze Group Policy applications
Key Concept: Implementing Software with Group Policy
Explore Activity 2: Understanding Software Distribution with Group Policy
In-class Activity, Ungraded
Description:
Explain the following:
Software applications distributed with Group Policy can be installed on a computer when the
computer starts, when a user logs on or on demand based on file associations.
When an application is ready for distribution, the installation package must be made accessible to
the computers on which it will be installed. This is accomplished via creation of a distribution
share (software distribution point), which is just a shared folder containing the necessary files,
granting the necessary permissions to users/computers (read permission).
The next step is configuring a GPO to either assign or publish an application:
o Assigning an application to a user makes it available on the user's Start Menu.
Installation is triggered when the user clicks the Start Menu shortcut.
o When assigning an application to a computer, the application is installed at start up.
o Publishing an application makes it available to the user for installation via the
Add/Remove Programs option in Control Panel.
o Applications can also be published using file-activated installation: when a user attempts
to open a file associated with a published application, the application is installed.
o Applications cannot be published to computers, only assigned.
Use the Group Policy Management console to create/edit/modify a GPO to distribute an
application.
Some customization options are available directly from the properties of an .msi package (right-click, Properties), including specifying an .mst (.msi transform), deployment options, category
assignment, etc.
Software categories can be used to categorize applications to make them easier for users to
find/understand. Categories allow logical arrangement in Add/Remove Programs, such as by
functionality (Word Processor, Spreadsheets) or organizationally (HR Department, Marketing
Department).
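The packaging and distribution-point steps described in Activities 1 and 2, as an added example (not from the MOAC text or this guide). It reads the Property table of the .msi through the Windows Installer COM object (an .msi is a relational database, so the package name, version and product code are queried rather than guessed), then creates a read-only distribution share. The package path, folder and share name are placeholders; the assign/publish step itself is then done in the Group Policy Management console as described above.

```powershell
# Added example (not from the course guide or MOAC text): inspect an .msi package and create a
# read-only software distribution point. MsiPath, ShareRoot and ShareName are placeholders.
param(
    [string]$MsiPath   = 'C:\Packages\ExampleApp.msi',   # placeholder package
    [string]$ShareRoot = 'C:\SoftwareDist',              # placeholder distribution folder
    [string]$ShareName = 'SoftwareDist$'                 # hidden share, a common convention
)

# --- 1. Query the package's Property table (ProductName, ProductVersion, ProductCode, ...).
$installer = New-Object -ComObject WindowsInstaller.Installer
$db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))
$view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @('SELECT Property, Value FROM Property'))
$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null

$props = @{}
while ($true) {
    $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($rec -eq $null) { break }                      # no more rows
    $name  = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
    $value = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 2)
    $props[$name] = $value
}
'ProductName', 'ProductVersion', 'ProductCode', 'UpgradeCode' |
    ForEach-Object { '{0,-15} {1}' -f $_, $props[$_] }

# --- 2. Distribution point: clients only need READ. Write access on a distribution point would
#        let anyone replace a package that every domain computer installs at startup.
if (-not (Test-Path $ShareRoot)) { New-Item -ItemType Directory -Path $ShareRoot | Out-Null }
Copy-Item $MsiPath -Destination $ShareRoot

$acl = Get-Acl $ShareRoot
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting looser permissions from the root
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', $inherit, 'None', 'Allow')))
}
# Authenticated Users covers both user accounts and computer accounts (machine startup installs).
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\Authenticated Users', 'ReadAndExecute', $inherit, 'None', 'Allow')))
Set-Acl -Path $ShareRoot -AclObject $acl

# Share permission stays read-only as well; NTFS and share permissions combine to the most restrictive.
net share "$ShareName=$ShareRoot" /GRANT:Everyone,READ | Out-Null
"Distribution point ready: \\$env:COMPUTERNAME\$ShareName\$(Split-Path $MsiPath -Leaf)"
```

Run it once per package on the file server; the UNC path it prints is what you enter when adding the package under Computer Configuration or User Configuration, Software Settings, Software Installation in the GPO.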
Unit Learning Outcome(s) attached to this activity:
Install Software with Group Policy.
Course Objective(s) supported by this activity:
CO7. Analyze Group Policy applications
Key Concept: Restrict Software with Group Policy
Explore Activity 3: Securing Software with Group Policy
In-class Activity, Ungraded


Description:
Explain the following:
In addition to distributing and managing software applications in an Active Directory environment,
Group Policy allows administrators to control which software can be installed and by whom via
Software Restriction Policies.
First introduced in Windows Server 2003 and Windows XP, Software Restriction Policies can be
used to create specific restrictions for applications:
o Unrestricted: Allow all applications to run, except those specifically excluded.
o Disallowed: Prevent all applications from running, except those specifically allowed.
o Basic User: Prevents applications from running if they require administrative privileges.
The default security level is Unrestricted.
Software Restriction Policies require a method for identifying software applications in conjunction
with rules for allowed/disallowed usage.
Software Restriction Rules govern application usage by identifying software applications:
o Hash Rule: A hash is a series of bytes with a fixed length, uniquely identifying a program
or file. A hash value is computed by a hash algorithm.
o Certificate Rule: Uses the signing cert of an application.
o Path Rule: Identifies software by specifying the path (directory path where the application
is stored).
o Network Zone Rule: Apply to Windows Installer Packages installed from a trusted area of
the network.
Software Restriction Policies can be powerful tools to secure an environment but require careful
thought, planning and testing.
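An added illustration of how a hash rule and a path rule identify software differently (not from the course guide or MOAC text). The files are constructed in a scratch folder and the two rule types are simulated in script; nothing is written to the Software Restriction Policy itself. SHA-1 stands in for whichever algorithm the policy computes.

```powershell
# Added example (not from the course guide): a hash rule fingerprints a file's contents, a path
# rule only its location. Files below are constructed; rules are simulated, not written to policy.
$scratch = Join-Path $env:TEMP 'srp-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null

function Get-FileSha1 ([string]$Path) {
    # A hash is computed over the file bytes, so any byte change produces a different value.
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}
function Test-HashRule ([string]$Path, [string]$AllowedHash) { (Get-FileSha1 $Path) -eq $AllowedHash }
function Test-PathRule ([string]$Path, [string]$AllowedFolder) {
    $Path.StartsWith($AllowedFolder, [StringComparison]::OrdinalIgnoreCase)   # path rules cover subfolders too
}

# Constructed "approved" program and the rules an administrator would build for it.
$approved = Join-Path $scratch 'approved\tool.exe'
New-Item -ItemType Directory -Path (Split-Path $approved) -Force | Out-Null
[System.IO.File]::WriteAllBytes($approved, [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00))
$allowedHash   = Get-FileSha1 $approved
$allowedFolder = Split-Path $approved

# Case 1: the same file copied elsewhere under a new name (for example into a user profile).
$copied = Join-Path $scratch 'elsewhere\renamed.exe'
New-Item -ItemType Directory -Path (Split-Path $copied) -Force | Out-Null
Copy-Item $approved $copied

# Case 2: a file dropped into the approved folder whose contents differ by a single byte.
$tampered = Join-Path $allowedFolder 'tool-patched.exe'
$b = [System.IO.File]::ReadAllBytes($approved); $b[2] = 0x91
[System.IO.File]::WriteAllBytes($tampered, $b)

$approved, $copied, $tampered | ForEach-Object {
    New-Object PSObject -Property @{
        File     = $_.Substring($scratch.Length + 1)
        HashRule = Test-HashRule $_ $allowedHash
        PathRule = Test-PathRule $_ $allowedFolder
    }
} | Format-Table File, HashRule, PathRule -AutoSize

Remove-Item $scratch -Recurse -Force
```

The copy passes the hash rule but not the path rule; the tampered file passes the path rule but not the hash rule. This is the trade-off to discuss with students: hash rules are precise but must be updated with every patch, path rules survive patches but trust everything in the folder, so the folder's NTFS permissions become part of the policy. SRP resolves conflicts by specificity: hash rules win over certificate rules, which win over path rules, which win over network zone rules.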
Unit Learning Outcome(s) attached to this activity:
Install Software with Group Policy.
Course Objective(s) supported by this activity:
Analyze Group Policy applications
Key Concept: Manage Group Policy
Explore Activity 4: Understanding Group Policy Management
In-class Activity, Ungraded
Description:
Explain the following:
Because of the power and flexibility of Group Policy, it is important to understand the options
available for management of Group Policy, including testing, modeling, backup and
troubleshooting.
The Group Policy Management console provides a single interface for creating, editing, applying
and testing Group Policy Objects in an Active Directory environment.
Some of the important administrative tasks available via the Group Policy Management console
include:
o Importing and copying GPO settings.


o Backing up and restoring GPOs.
o Modeling Group Policy Results with Resultant Set of Policy (RSoP) queries.
o Viewing HTML reports of GPO settings and RSoP information.
o Searching GPOs.
Installed by default in Windows Server 2008, the Group Policy Management console is under
Administrative Tools.
When highlighting an OU, Domain or Site in the Group Policy Management console, you will see
three tabs in the right pane:
o Linked Group Policy Objects: Displays GPOs linked to the node.
o Group Policy Inheritance: Displays order of precedence for policies linked to the node.
o Delegation: Displays users and groups with administrative permissions to the node.
When managing an individual GPO via the Group Policy Management console, you will see the
following tabs in the right-hand pane:
o Scope: Displays where this policy is linked.
o Details: Displays read-only properties for the policy.
o Settings: Displays an HTML report of policy settings.
o Delegation: Displays users and groups with administrative permissions for the policy

Unit Learning Outcome(s) attached to this activity:


Manage Group Policy.
Course Objective(s) supported by this activity:
Analyze Group Policy applications
Key Concept: Filtering Group Policy Scope
Explore Activity 5: Understanding Group Policy Filtering
In-class Activity, Ungraded
Description:
Explain the following:
As previously discussed, Group Policy is hierarchical and propagation of settings to objects and
nested objects applies downward by default. This can be controlled using Block and Enforce
Policy inheritance options. Additionally, for finer-grained control of policy inheritance, policy
settings can be filtered for specific users and/or groups:
o Security Group Filtering uses the GPO Security tab in the Group Policy Management
console to determine access to a policy.
o WMI Filtering uses WMI queries to define criteria for access to a policy.
For a computer or user to receive GPO settings, the computer/user must have read and apply
group policy permissions for the GPO. Denying these permissions to a specific group or user
effectively filters them from inheriting the GPO settings.
Windows Management Instrumentation (WMI) is a component of Microsoft Windows operating
systems used for management and control. WMI queries can be used to define criteria based on
hardware, software, OS version and services to filter or apply GPO settings (see MOAC 70-640
Table 10-2 for WMI filter examples).
A use-case scenario for WMI filtering might be determining hard-drive free space prior to
installation of a large application package or determining OS version before distribution of an OS-specific patch.
WMI Filters are not compatible with Windows 2000-based computers.
It is always advisable to design and implement Group Policy to minimize the need for Security
Group Filtering and WMI filtering, particularly because of the management overhead as well as
the system performance impact of WMI filtering on affected computers.
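The two use cases just described (OS version and free disk space), as an added example that is not part of the course guide. It runs the same WQL queries a WMI filter would contain, against the local machine, so that a filter can be checked before it is linked to a GPO. A WMI filter passes only when every one of its queries returns at least one instance. The 20 GB threshold and the use of version prefix 5.1 for Windows XP are constructed for the example.

```powershell
# Added example (not from the course guide): evaluate WMI filter queries locally before linking
# the filter. Threshold (20 GB) and the XP version prefix are assumptions for the example.
$queries = @(
    # OS check: exclude Windows XP (Version 5.1.x); Vista/2008 and later report a higher version.
    "SELECT Version FROM Win32_OperatingSystem WHERE NOT Version LIKE '5.1%'",
    # Disk check: enough free space on the system drive for a large package (20 GB in bytes).
    "SELECT FreeSpace FROM Win32_LogicalDisk WHERE DeviceID = '$($env:SystemDrive)' AND FreeSpace > 21474836480"
)

function Test-WmiFilter ([string[]]$Wql, [string]$ComputerName = '.') {
    $result = New-Object PSObject -Property @{ Computer = $ComputerName; Passes = $true; Detail = @() }
    foreach ($q in $Wql) {
        # root\cimv2 is the namespace the WMI filter editor uses by default.
        $hits = @(Get-WmiObject -Namespace 'root\cimv2' -Query $q -ComputerName $ComputerName -ErrorAction Stop)
        $result.Detail += ('{0,-5} {1}' -f ($hits.Count -gt 0), $q)
        if ($hits.Count -eq 0) { $result.Passes = $false }   # an empty result set fails the whole filter
    }
    $result
}

$r = Test-WmiFilter -Wql $queries
$r.Detail
'Filter result for {0}: GPO {1}' -f $r.Computer, $(if ($r.Passes) { 'APPLIES' } else { 'is filtered out' })
```

Pass `-ComputerName` to test the filter against a remote client before rollout. Because every query is evaluated on each client at policy refresh, this is also where the performance cost the text warns about becomes visible: a query that takes seconds here takes seconds on every affected computer.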

Unit Learning Outcome(s) attached to this activity:


Filter Group Policy Scope.
Course Objective(s) supported by this activity:
Analyze Group Policy applications
Key Concept: Testing GPO Results
Explore Activity 6: Testing and Troubleshooting GPO Propagation
In-class Activity, Ungraded
Description:
Explain the following:
In a complex Active Directory environment, including many GPOs and intricate inheritance and
filtering, it is important to test and verify propagation of settings. Resultant Set of Policy (RSoP) is
the sum of all applied policies for a user or computer.
The RSoP Wizard provides a tool to test and debug policy inheritance. RSoP functions in two
modes:
o Planning Mode: Simulate the effect of policy settings prior to implementation.
o Logging Mode: Queries existing policies linked to sites, domains, domain controllers and
OUs.
RSoP can be used as a stand-alone MMC or via the Group Policy Management Console.
RSoP relies upon the Common Information Management Object Model (CIMOM) database, a
WMI component containing information gathered at computer startup, including hardware, Group
Policy Software Installation, IE Maintenance settings, scripts, folder redirection and security
settings.
Group Policy Modeling is the process of running RSoP in Planning Mode via the Group Policy
Management Console. Group Policy Modeling queries can be saved, as can query output (HTML
reports).
GPResult is a command-line tool that can be used to generate an RSoP query.
GPResult provides command switches to specify RSoP output for a specific user or computer
and to control verbosity of output, etc.
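An added example (not from the course guide) of using GPResult to confirm scope filtering after a change: it captures the verbose computer-scope report and extracts which GPOs applied and which were filtered out, together with the reason. The section headings matched are the ones in gpresult's /V text output; the report path is a placeholder.

```powershell
# Added example (not from the course guide): extract applied and filtered GPOs from gpresult /V.
# Computer-scope results require an elevated prompt. Report path is a placeholder.
$reportPath = Join-Path $env:TEMP 'rsop-computer.txt'
gpresult /SCOPE COMPUTER /V | Out-File -FilePath $reportPath -Encoding ASCII

function Get-GpoSection ([string[]]$Lines, [string]$Heading) {
    # Returns the entries listed under a heading (skipping the dashed underline) up to the next blank line.
    $out = @(); $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq $Heading) { $inSection = $true; continue }
        if (-not $inSection) { continue }
        if ($t -match '^-+$') { continue }
        if ($t -eq '') { if ($out.Count -gt 0) { break } else { continue } }
        $out += $t
    }
    $out
}

$text     = Get-Content $reportPath
$applied  = Get-GpoSection $text 'Applied Group Policy Objects'
$filtered = Get-GpoSection $text 'The following GPOs were not applied because they were filtered out'

'Applied GPOs ({0}):' -f $applied.Count
$applied | ForEach-Object { "  $_" }

'Filtered GPOs:'
# Each filtered GPO is followed by a reason line, e.g. "Filtering:  Denied (Security)",
# "Filtering:  Denied (WMI Filter)" or "Filtering:  Not Applied (Empty)".
for ($i = 0; $i -lt $filtered.Count; $i++) {
    if ($filtered[$i] -notlike 'Filtering:*') {
        $reason = ''
        if ($i + 1 -lt $filtered.Count -and $filtered[$i + 1] -like 'Filtering:*') { $reason = $filtered[$i + 1] }
        '  {0,-40} {1}' -f $filtered[$i], $reason
    }
}
```

"Denied (Security)" points at the Read or Apply Group Policy permission, "Denied (WMI Filter)" at a filter query that returned nothing; "Not Applied (Empty)" is normal for a GPO with no computer settings. For the user scope, run the same command with `/SCOPE USER` as the user in question, or with `/USER`.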
Unit Learning Outcome(s) attached to this activity:
Test and Troubleshoot GPO Results.
Course Objective(s) supported by this activity:
Analyze Group Policy applications
LAB PORTION
Practice Activity 1: Lab 1: Software Distribution and Controlling Group Policy
In-class Activity, Graded
Description
See the Lab Manual: Lab 9.
Estimated Time: 100 minutes
Unit Learning Outcome:
Perform software installation with Group Policy.
Course Objective(s) supported by this activity:
Analyze Group Policy applications.

Practice Activity 2: GPO Planning Scenario


Homework, Graded
Description
Students will develop a list of 10 to 15 questions with the goal of obtaining all the information that would
be required to develop a software deployment strategy via Group Policy. Encourage students to consider
assignment versus publishing, application compatibility (hardware and GPO requirements),
exceptions/filtering, etc.
Facilitation
As an IT Administrator, you have been tasked with developing a software deployment strategy for your
company's three primary business-critical applications. In anticipation of a meeting with management,
develop a list of 10 to 15 questions you will need answered regarding the applications and environment in
order to accurately develop an implementation scenario.
Estimated Time: 60 min
Unit Learning Outcome(s) attached to this activity:
Determine information needed to develop an implementation scenario.
Course Objective(s) supported by this activity:
Analyze Group Policy applications.

Apply Activity 1: Research Software Deployment Options


Homework, Graded
Students will respond to the following scenario with recommendations and considerations. Encourage
students to be specific about assigning versus publishing applications, customization of application
package, scope filtering, etc.
Facilitation
You are an IT consultant and receive the following email from a client. Respond with a detailed,
recommended approach:
To: IT Consultant
We have an existing Active Directory environment, consisting of 300 computer nodes. We need to install
the latest version of Adobe Acrobat Reader to all compatible computers, with the following requirements:
- The application is not supported on Windows XP.
- We need to have automatic updates turned off within the application.
- We need a silent, automatic installation.
- The Engineering Department needs to be excluded, as they use a proprietary PDF app.
Can we automate this deployment through Group Policy and meet all of the requirements? Please
recommend a course of action.
Thank you,
Business Manager
Unit Learning Outcome(s) attached to this activity:
Recommend an approach for installing software.
Course Objective(s) supported by this activity:
Analyze Group Policy applications

Unit Summary:
This unit covered software distribution, management and maintenance via Group Policy Objects, as well
as planning considerations, securing software via Group Policy, and the tools available for testing and
troubleshooting Group Policy Object inheritance.

Unit 10: Active Directory Maintenance, Troubleshooting and Disaster Recovery


Course Objectives Covered by this Unit
CO9. Use different methods to maintain and troubleshoot Active Directory servers.

Unit Learning Outcomes

Explain how to monitor and maintain Active Directory.


Recommend a backup and restore strategy for Active Directory.
Troubleshoot Active Directory.
Recommend a maintenance schedule.
Backup and restore Active Directory

Key Concepts

Maintain Active Directory


Backup Active Directory
Restore Active Directory
Monitor and Troubleshoot Active Directory

Reading
Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 11 Active Directory Maintenance, Troubleshooting and Disaster Recovery
Keywords
Use the following keywords to search for additional materials to support your work:

ADSIEdit
Authoritative Restore
Boot Configuration Data (BCD)
Dsacls
Extensible Storage engine (ESE)
LDP
Nltest
Repadmin
Tombstone
Wbadmin
Windows PowerShell

Learning Activities

THEORY PORTION

Key Concept: Maintain Active Directory


Explore Activity 1 Understanding Active Directory Maintenance
In-class Activity, Ungraded
Description:
Explain to students the following:

As you leverage Windows Server 2008 Active Directory technologies in your environment, it
becomes increasingly important to develop a proactive, as opposed to reactive, approach to
managing and maintaining AD components, including monitoring, troubleshooting, backup and
restore.
As previously discussed, Active Directory stores information in a database. The database is
transactional, based on the Extensible Storage Engine (ESE) format. A transaction can contain
more than one change. Requests for modifications occur as follows:
o AD writes the transaction to a transaction buffer located in memory (RAM).
o AD writes the transaction to the Transaction Log file (edb.log) before writing it to the
database. The edb.log grows to 10 MB by default and then is renamed sequentially
(edbx.log, e.g. edb1.log).
o AD writes the transaction from the transaction buffer to the ntds.dit database.
o AD compares the transaction to the edbx.log to ensure it matches.
o AD updates the edb.chk (checkpoint file), which contains references to transaction points
in the log file for use in a recovery scenario.
The aforementioned process allows AD to process multiple transactions before writing them to
the DB.
As changes/modifications occur in the AD database, fragmentation can occur (data becomes
spread inefficiently across the disk). Defragmentation rearranges the data contiguously for
greatest efficiency and performance. AD supports two types of defragmentation:
o Online Defragmentation: A process called garbage collection runs automatically every 12
hours by default on DCs. Online defragmentation runs as part of the garbage collection
process but does not reduce the size of the AD DB. Tombstones (what is left behind after
an object is deleted from AD) are also deleted during garbage collection, as well as
unneeded log files.
o Offline Defragmentation: Running an Offline Defragmentation is a manual process that
requires the AD service to be offline (unavailable to service requests). In previous versions
of AD, this required restarting the server in Directory Services Restore Mode (DSRM), but
in Windows Server 2008 AD behaves like a normal Windows service and can be
stopped and restarted (Restartable Active Directory Domain Services).
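The database, log and checkpoint files described above, followed by an offline defragmentation using Restartable AD DS instead of a DSRM reboot, as an added example that is not from the course guide. File locations are read from the NTDS service parameters; the compaction folder is a placeholder and must have at least as much free space as the current ntds.dit. Take a backup before running the second part.

```powershell
# Added example (not from the course guide): list the ESE files, then compact ntds.dit offline
# with Restartable AD DS. The compaction target folder is a placeholder.
$ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath  = $ntds.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logDir  = $ntds.'Database log files path'    # folder holding edb.log, edbNNNNN.log and edb.chk
$compact = 'D:\NTDS-Compact'                  # placeholder; needs free space >= size of ntds.dit

# 1. Database, current transaction log, renamed logs and the checkpoint file, with sizes.
Get-ChildItem -Path (Split-Path $dbPath), $logDir -Include 'ntds.dit', 'edb*.log', 'edb.chk' -Recurse |
    Sort-Object FullName -Unique |
    Select-Object Name, @{n='SizeMB'; e={ [math]::Round($_.Length / 1MB, 1) }}, LastWriteTime |
    Format-Table -AutoSize

# 2. Offline defragmentation: stop AD DS (dependent services such as KDC and DNS stop with it),
#    compact into a new file, verify integrity, then swap the file in.
Stop-Service NTDS -Force
New-Item -ItemType Directory -Path $compact -Force | Out-Null
ntdsutil "activate instance ntds" files "compact to $compact" quit quit
if ($LASTEXITCODE -ne 0) { Start-Service NTDS; throw 'ntdsutil compact failed; original database left in place' }

$backup = "$dbPath.bak"
Move-Item $dbPath $backup -Force                         # keep the original until the new file checks out
Copy-Item (Join-Path $compact 'ntds.dit') $dbPath
Remove-Item (Join-Path $logDir 'edb*.log')               # old logs belong to the previous database generation
ntdsutil "activate instance ntds" files integrity quit quit
if ($LASTEXITCODE -ne 0) {
    Move-Item $backup $dbPath -Force; Start-Service NTDS
    throw 'integrity check failed; original database restored'
}
Start-Service NTDS
"Compacted ntds.dit is in use; delete $backup once the DC has replicated cleanly."
```

Because NTDS is stopped, not the whole server, other DCs keep answering clients during the procedure; still schedule it in a maintenance window and check `repadmin /replsummary` afterwards. The exit-code checks assume ntdsutil returns non-zero on failure; read its console output as well.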

Unit Learning Outcome(s) attached to this activity:


Explain how to monitor and maintain Active Directory.

Course Objective(s) supported by this activity:


Use different methods to maintain and troubleshoot Active Directory servers.

Key Concept: Backup Active Directory

Explore Activity 2: Understanding AD Backup


In-class Activity, Ungraded

Description:
Explain the following:

Like all data in your network environment, Windows Server 2008 and the AD database should be
a part of your backup and recovery plan, planning for the possibility of hardware, Operating
System (OS) or Active Directory failure and how you will recover from a failure.
As previously discussed, Active Directory has a fault-tolerant design and it is always
recommended, in even small environments, to have more than one DC in case one DC fails. In
addition, Windows Server 2008 supports a feature called Windows Server Backup, replacing the
old ntbackup from previous versions.
Windows Server Backup supports backup from the command line, useful for scripting, via Windows
PowerShell (a new task-based scripting technology that is part of Windows Server 2008). It does
not, however, support file-level backup, only volume-level backup.
Windows Server 2008 supports both manual backups (manually initiated by a server
administrator) and scheduled backups (regularly scheduled by a server administrator) via either
the Windows Server Backup GUI or the command-line tool wbadmin.exe.
Scheduled backups reformat the volume on the target drive hosting the backup and therefore
must be on a local, physical drive not containing any critical volumes.
In previous versions of Windows Server, it was necessary to backup the System State Data in
order to recover AD. In Windows Server 2008, critical volumes must be backed up, which
includes the following data:
o System Volume: Hosts the boot files: bootmgr.exe, the Windows boot loader, and Boot
Configuration Data (BCD), which replaces boot.ini and describes boot applications and
settings.
o Boot Volume: Hosts the Windows OS and Registry.
o The Volume hosting the SYSVOL share.
o The Volume hosting the AD database (ntds.dit).
o The Volume hosting the AD DB log files.
In Windows Server 2008, System State data varies depending upon the roles installed on the
Server.
Unit Learning Outcome(s) attached to this activity:


Backup and Restore Active Directory

Course Objective(s) supported by this activity:


Use different methods to maintain and troubleshoot Active Directory servers.

Key Concept: Restore Active Directory

Explore Activity 3: Understanding AD Restoration


In-class Activity, Ungraded

Description:
Explain the following:

How and when you restore AD depends upon the situation and circumstances. There are multiple
options available, as follows.
Restoration via Normal Replication: Because of AD's fault-tolerant design, including normal
replication of data from one DC to another, you may be able to just reinstall AD Services on a
failed server and let normal replication populate the AD DB.
Nonauthoritative Restore: You can use a previous backup of AD to restore a DC to a known,
good point-in-time. Restoring a single DC in this fashion is known as a nonauthoritative restore.
Following a nonauthoritative restore, normal AD replication brings the restored DC up to date.
Authoritative Restore: If you need to restore AD data that has been deleted, you will need to
perform an authoritative restore (a nonauthoritative restore will allow post-deletion updates to
replicate and re-delete restored data). An authoritative restore is more complex than a
nonauthoritative restore and requires that the AD object be restored, as well as back-links
(references to attributes in another object). The authoritative restore process creates an LDIF file
containing the back-links that must be restored.
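The backup procedure from Activity 2 and the authoritative restore from Activity 3 as one added command sequence (not from the course guide). It is split into phases because the restore itself must run in Directory Services Restore Mode, where AD DS is offline; the disk identifier, backup version, deleted OU and working folder are placeholders to replace with real values from `wbadmin get disks`, `wbadmin get versions` and your own directory.

```powershell
# Added example (not from the course guide): scheduled critical-volume backup, then the
# authoritative restore of a deleted OU. All identifiers below are placeholders.

# ---- Phase 1 (normal operation): schedule a backup of all critical volumes --------------------
wbadmin get disks                                         # find the Disk identifier of the dedicated backup disk
$target = '{00000000-0000-0000-0000-000000000000}'        # placeholder disk identifier from the list above
# -allCritical covers the system volume, boot volume, SYSVOL, ntds.dit and the log volume.
# wbadmin reformats the target disk, so it must not contain any of those volumes.
wbadmin enable backup "-addtarget:$target" -schedule:21:00 -allCritical -quiet
wbadmin get versions                                      # version identifiers, e.g. 10/08/2011-21:00

# ---- Phase 2 (boot into DSRM with F8): nonauthoritative restore, then mark the OU authoritative
$version   = '10/08/2011-21:00'                           # placeholder from "wbadmin get versions"
$deletedOu = 'OU=Sales,DC=example,DC=com'                 # placeholder DN of the deleted OU
$work      = 'C:\ARestore'                                # placeholder working folder for the LDIF output
wbadmin start systemstaterecovery "-version:$version" -quiet     # nonauthoritative restore of this DC
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Location $work
# The restored subtree gets raised version numbers so it wins over the deletion on the other DCs.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $deletedOu" quit quit
# ntdsutil writes ar_<timestamp>_links_<domain>.ldf in the current folder: the back-links (for
# example group memberships of the restored users) that replication cannot bring back by itself.

# ---- Phase 3 (after a normal reboot, once replication has converged): import the back-links ---
$linkFile = Get-ChildItem 'C:\ARestore' -Filter 'ar_*_links_*.ldf' |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1
ldifde -i -k -f $linkFile.FullName
```

Run Phase 3 on the DC that holds the restored objects after `repadmin /replsummary` shows the restore has replicated; importing the LDIF earlier reattaches links to objects the other DCs have not received yet. Keep the scheduled backup disk physically separate from the DC's volumes, as the text requires, so a failed disk cannot take both the directory and its only backup.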

Unit Learning Outcome(s) attached to this activity:


Explain how to restore Active Directory

Course Objective(s) supported by this activity:


Use different methods to maintain and troubleshoot Active Directory servers.

Key Concept: Monitor Active Directory

Explore Activity 4: Understanding AD Monitoring and Troubleshooting


In-class Activity, Ungraded
Description:
Explain the following:

Monitoring AD gives an IT administrator the opportunity to detect problems before they occur,
possibly avoiding service disruption, increasing system reliability and improving performance.
Event Logs are one of the tools available in a Windows Server 2008 environment to observe the
health of Active Directory. When AD is installed, a Directory Services event log is created,
accessible via the Event Viewer. Warnings (indicated by a yellow triangle with exclamation point)
and Stop Errors (indicated by a red circle with an X) should be monitored closely, analyzed and
appropriate actions taken. The Event Viewer allows easy filtering based on event level, so that
warnings and stop errors can be seen.
The Reliability and Performance Monitor can also be a useful tool, allowing you to collect real-time performance data for immediate analysis, baseline and/or historical analysis. There are
numerous system counters that can be monitored, broken down into categories called
performance objects, with individual items called performance counters.
Some important AD performance counters include:
o Directory Replication (DRA) Inbound: Monitors the size of compressed data that was
replicated from other sites.
o DRA Outbound Bytes: Monitors the compressed size of outbound AD data.
o DS Directory Reads/Sec: Monitors the number of directory reads per second.
o NTLM Binds/Sec: Monitors the number of NT LAN Manager (NTLM) authentications per
second processed by a DC.
For a complete list of NTDS Performance Object Counters, see MOAC 70-640 Table 11-1.
For logging in greater detail, diagnostic logging can be enabled via the registry on a Windows
Server 2008 via HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics, changing the
default value of 0 (none) to:
o 1 (Minimal): High-level events are recorded.
o 2 (Basic): More detail than level 1.
o 3 (Extensive): More detail than level 2.
o 4 (Verbose): Significantly more detail than level 3.
o 5 (Internal): Logs all events, including debug strings and config changes.
When adjusting NTDS logging, it is advisable to gradually increase logging detail until the
necessary information is obtained, as opposed to just going directly to level 5.
Other AD diagnostic tools include:
o DCdiag: A command-line tool for analyzing the state of a DC.
o Repadmin: A command-line tool for checking replication.
o ADSIEdit: An MMC console for verifying functional levels and low-level AD editing.
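The monitoring sources above (Directory Service event log, NTDS performance counters, NTDS diagnostic logging levels and the command-line tools) combined into one added health-check script that is not from the course guide. The counter names are the ones I expect under the NTDS performance object; confirm them on the DC with `Get-Counter -ListSet NTDS`. The 24-hour window and the choice of the Replication Events category are assumptions.

```powershell
# Added example (not from the course guide): a quick DC health check. Counter names should be
# confirmed with "Get-Counter -ListSet NTDS"; the time window is an assumption.
$since = (Get-Date).AddHours(-24)

# 1. Directory Service log: Warning and Error entries only, grouped by event ID.
Get-EventLog -LogName 'Directory Service' -EntryType Error, Warning -After $since |
    Group-Object EventID | Sort-Object Count -Descending |
    Select-Object Count, Name,
                  @{n='Source';      e={ $_.Group[0].Source }},
                  @{n='LastMessage'; e={ $_.Group[0].Message.Split("`n")[0] }} |
    Format-Table -AutoSize

# 2. Three one-second samples of the counters discussed above, averaged.
$counters = '\NTDS\DS Directory Reads/sec', '\NTDS\NTLM Binds/sec',
            '\NTDS\DRA Inbound Bytes Total/sec', '\NTDS\DRA Outbound Bytes Total/sec'
Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples 3 |
    ForEach-Object { $_.CounterSamples } |
    Group-Object Path |
    Select-Object Name, @{n='Avg'; e={ [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average, 1) }} |
    Format-Table -AutoSize

# 3. NTDS diagnostic logging: show every category raised above the default of 0. Raise one
#    category at a time (here Replication Events to 1, Minimal) rather than everything to 5.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Get-ItemProperty $diag | ForEach-Object { $_.PSObject.Properties } |
    Where-Object { $_.Name -match '^\d+ ' -and $_.Value -gt 0 } |
    ForEach-Object { '{0,-35} level {1}' -f $_.Name, $_.Value }
# Set-ItemProperty -Path $diag -Name '5 Replication Events' -Value 1   # uncomment to enable Minimal logging

# 4. Replication state for every partner; any non-zero failure count needs follow-up with dcdiag.
repadmin /replsummary
```

A rising NTLM Binds/sec with flat DS Directory Reads/sec is worth a look on its own: it usually means clients or services are falling back from Kerberos, which is both a performance and a security signal. Keep the diagnostic level changes in a change log and return them to 0 when the investigation ends, since level 5 fills the log quickly enough to push out the events you actually need.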

Unit Learning Outcome(s) attached to this activity:


Explain how to monitor and troubleshoot Active Directory

Course Objective(s) supported by this activity:


Use different methods to maintain and troubleshoot Active Directory servers.
LAB PORTION

Practice Activity 1: Lab 1: Disaster Recovery and Maintenance

In-class Activity, Graded


Description
See the Lab Manual: Lab 9.
Estimated Time: 100 minutes
Unit Learning Outcome:
Troubleshoot Active Directory.
Course Objective(s) supported by this activity:
Use different methods to maintain and troubleshoot Active Directory servers.

Apply Activity 1: AD Disaster Recovery Planning Scenario


Homework, Graded
Description
Students will respond to the following scenario with recommendations and considerations. Encourage
students to justify their recommendations with an explanation of benefit (ROI), etc.
Facilitation
You are an IT consultant and receive the following email from a client. Respond with a detailed,
recommended approach:
To: IT Consultant
We have an existing Active Directory environment, consisting of a main office with two DCs, three branch
offices with one DC each and a fourth, smaller office with a Read-Only DC. We are evaluating our backup
and restore strategy and are wondering which of the following solutions you might recommend for each
individual environment? We want to minimize cost but maximize uptime. Which of the following would you
recommend for any/all locations and, where applicable, what schedule (daily, weekly, etc):
- Fault-tolerant hardware (RAID1, RAID5, etc)?
- Backup of the DC to local disk?
- Backup of the DC to removable storage?
- Additional DC?
Thank you,
Business Manager

Unit Learning Outcome(s) attached to this activity:


Recommend a backup and restore strategy for Active Directory.
Course Objective(s) supported by this activity:
Use different methods to maintain and troubleshoot Active Directory servers.

Practice Activity 1: AD Troubleshooting Scenario: Troubleshooting Tools


Homework, Graded
Description
Students will respond to the following scenario with recommendations and considerations. Encourage
students to be specific in their recommended tools and frequency of use and to remember backup/restore
planning.
Facilitation
You are an IT Administrator and receive the following request for help from a Junior IT Admin. Respond
with clarifying questions, suggestions and/or recommended approaches:
To: IT Admin
I have been tasked with developing a proactive maintenance schedule for the three DCs in our branch
office and am hoping for your advice and input. What types of things should I be paying attention to on a
regular basis and how often? I'm not sure what tools are available and want to be thorough! Can you help
me develop a plan?
Thank you,
Junior IT Admin
Estimated Time: 60 min
Unit Learning Outcome(s) attached to this activity:
Recommend a maintenance schedule.
Course Objective(s) supported by this activity:
Use different methods to maintain and troubleshoot Active Directory servers.
Unit Summary:
This unit covered the tools available to proactively monitor and maintain Active Directory, including
backup and restore tools and strategies, event logs and command-line tools.

APPENDIX
Reminder: As a faculty member at ITT Technical Institute, it is your responsibility to securely maintain
and ensure the integrity of standardized assessments, assignments, and their accompanying answers. It
is advisable to grade all exams outside of the classroom to avoid inadvertently leaving the answers
unattended.

Final Exam

Answer Key

Question Number | Correct Answer | Course Objective(s) Tested | Bloom's Level | Reference with page(s)
1  |  | CO1 | Knowledge     | 70-642: Lesson 1 - Introducing the Domain Name System (DNS)
2  |  | CO1 | Application   | 70-642: Lesson 1 - Using the Routing and Remote Access Service (RRAS)
3  |  | CO1 | Comprehension | 70-642: Lesson 1 - Introducing Network Access Protection (NAP)
4  |  | CO1 | Analysis      | 70-642: Lesson 1 - Understanding TCP/IP Addressing
5  |  | CO1 | Comprehension | 70-642: Lesson 1 - Understanding TCP/IP Addressing
6  |  | CO1 | Comprehension | 70-642: Lesson 1 - Understanding TCP/IP Addressing
7  |  | CO1 | Synthesis     | 70-642: Lesson 2 - Installing the Software
8  |  | CO1 | Evaluation    | 70-642: Lesson 2 - Installing the Software
9  |  | CO1 | Comprehension | 70-642: Lesson 2 - Installing the Software
10 |  | CO1 | Analysis      | 70-642: Lesson 2 - Installing the Software
11 |  | CO2 | Analysis      | 70-642: Lesson 3 - Configuring the DHCP Server Role
12 |  | CO2 | Analysis      | 70-642: Lesson 3 - Configuring the DHCP Server Role
13 |  | CO2 | Analysis      | 70-642: Lesson 3 - Configuring the DHCP Server Role
14 |  | CO3 | Comprehension | 70-642: Lesson 4 - Configuring the Domain Name System (DNS) Service
15 |  | CO3 | Analysis      | 70-642: Lesson 4 - Configuring the Domain Name System (DNS) Service
16 |  | CO3 | Synthesis     | 70-642: Lesson 4 - Configuring the Domain Name System (DNS) Service
17 |  | CO3 | Comprehension | 70-640: Lesson 1 - Introducing Active Directory Domain Service
18 |  | CO3 | Comprehension | 70-640: Lesson 1 - Introducing Active Directory Domain Service
19 |  | CO3 | Comprehension | 70-640: Lesson 1 - Introducing Active Directory Domain Service
20 |  | CO3 | Comprehension | 70-640: Lesson 1 - Introducing Active Directory Domain Service
21 |  | CO3 | Application   | 70-640: Lesson 2 - Designing an Active Directory Implementation
22 |  | CO3 | Comprehension | 70-640: Lesson 2 - Designing an Active Directory Implementation
23 |  | CO3 | Analysis      | 70-640: Lesson 2 - Designing an Active Directory Implementation
24 |  | CO4 | Analysis      | 70-640: Lesson 3 - Introducing Active Directory Sites
25 |  | CO4 | Analysis      | 70-640: Lesson 3 - Introducing Active Directory Sites
26 |  | CO4 | Comprehension | 70-640: Lesson 3 - Introducing Active Directory Sites
27 |  | CO5 | Comprehension | 70-640: Lesson 4 - Understanding the Global Catalog
28 |  | CO5 | Synthesis     | 70-640: Lesson 4 - Understanding the Global Catalog
29 |  | CO6 | Comprehension | 70-640: Lesson 4 - Understanding Flexible Single Master Operations (FSMO) Roles
30 |  | CO8 | Comprehension | 70-640: Lesson 5 - Understanding User Accounts
31 |  | CO8 | Comprehension | 70-640: Lesson 5 - Understanding User Accounts
32 |  | CO8 | Comprehension | 70-640: Lesson 5 - Understanding User Accounts
33 |  | CO7 | Analysis      | 70-640: Lesson 6 - Planning and Implementing Account Security
34 |  | CO7 | Application   | 70-640: Lesson 6 - Planning and Implementing Account Security
35 |  | CO7 | Synthesis     | 70-640: Lesson 6 - Planning and Implementing Account Security
36 |  | CO7 | Synthesis     | 70-640: Lesson 7 - Introducing Group Policy
37 |  | CO7 | Synthesis     | 70-640: Lesson 7 - Introducing Group Policy
38 |  | CO7 | Application   | 70-640: Lesson 7 - Introducing Group Policy
39 |  | CO8 | Analysis      | 70-640: Lesson 8 - Configuring Security Policies Using Group Policy Objects
40 |  | CO8 | Analysis      | 70-640: Lesson 8 - Configuring Security Policies Using Group Policy Objects
41 |  | CO8 | Comprehension | 70-640: Lesson 8 - Configuring Security Policies Using Group Policy Objects
42 |  | CO7 | Analysis      | 70-640: Lesson 9 - Managing Software through Group Policy
43 |  | CO7 | Comprehension | 70-640: Lesson 9 - Managing Software through Group Policy
44 |  | CO7 | Comprehension | 70-640: Lesson 9 - Managing Software through Group Policy
45 |  | CO7 | Analysis      | 70-640: Lesson 10 - Managing Group Policy
46 |  | CO7 | Analysis      | 70-640: Lesson 10 - Managing Group Policy
47 |  | CO7 | Comprehension | 70-640: Lesson 10 - Managing Group Policy
48 |  | CO9 | Synthesis     | 70-640: Lesson 11 - Maintaining Active Directory
49 |  | CO9 | Synthesis     | 70-640: Lesson 11 - Maintaining Active Directory
50 |  | CO9 | Application   | 70-640: Lesson 11 - Maintaining Active Directory