04-Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

3/11/2014
Configuring and Troubleshooting

Windows Server 2008
Active Directory Domain
Services
Microsoft Certification Program
Exam number
and title
70-640: TS: Windows Server
2008 Active Directory,
Configuring
Core exam for the following

track
Microsoft Certified Systems
Engineer: Windows Server 2008
Application Platform
Configuration
http://www.microsoft.com/learning/
3/11/2014
Course Outline
Module 1: Introducing Active Directory Domain Services
Module 2: Secure and Efficient Administration of Active
Directory
Module 3: Manage Users
Module 4: Manage Groups
Module 5: Support Computer Accounts
Module 6: Implement a Group Policy Infrastructure
Module 7: Manage Enterprise Security and Configuration
with Group Policy Settings

Module 8: Secure Administration
Course Outline (continued)

Module 9: Improve the Security of Authentication in an
Active Directory Domain Services Domain

Module 10: Configure Domain Name System
Module 11: Administer Active Directory Domain Services
Domain Controllers
Module 12: Manage Sites and Active Directory Replication
Module 13: Directory Service Continuity
Module 14: Manage Multiple Domains and Forests
3/11/2014
Module 1
Introducing Active
Directory Domain
Services (AD DS)
Module Overview
Introducing Active Directory, Identity, and Access
Active Directory Components and Concepts
Install Active Directory Domain Services
Extend IDA with Active Directory Services
3/11/2014
Lesson 1: Introducing Active Directory, Identity,

and Access
Information Protection in a Nutshell
Identity and Access (IDA)
Authentication and Authorization
Authentication
Access Tokens
Security Descriptors, ACLs and ACEs
Authorization
Stand-alone (Workgroup) Authentication
Active Directory Domains: Trusted Identity Store
Active Directory, Identity, and Access
Information Protection in a Nutshell
Its all about connecting users to the information they require
SECURELY!
IDA: Identity and Access
AAA: Authentication, Authorization, Accounting
CIA: Confidentiality, Integrity, Availability ( & Authenticity)
3/11/2014
Identity and Access (IDA)
Identity: user account
Resource: Shared Folder
Saved in an identity store
Secured with a security
(directory database)
Security principal
Represented uniquely by
the security identifier (SID)
descriptor
Discretionary access control
list (DACL or ACL)

Access control entries (ACEs
or permissions)
Authentication and Authorization

A user presents
credentials that are
authenticated using the
information stored with
the users
identity
The system creates a

security token that
represents the user with
the users SID and all
related group SIDs
A resources is secured
with an access control
list (ACL): permissions
that pair a SID with a
level of access
The users security

token is compared with
the ACL of the resource
to authorize a requested
level of access
3/11/2014
Authentication
Authentication is the process that verifies a users identity
Credentials: at least two components required

Username
Secret, for example, password
Two types of authentication

Local (interactive) Logon
authentication for logon to the
local computer
Remote (network) logon

authentication for access to
resources on another
computer
Access Tokens
Users Access Token

User SID
Member Group
SIDs
Privileges
(user rights)
Other access
information
3/11/2014
Security Descriptors, ACLs and ACEs
Security Descriptor
System ACL
(SACL)
Discretionary ACL
(DACL or ACL)
ACE
Trustee (SID)
Access Mask
ACE
Trustee (SID)
Access Mask
Authorization
Authorization is the process that determines whether to grant
or deny a user a requested level of access to a resource
Three components required for authorization

Resource
Users Access Token

User SID
Group SID
Access Request
System finds first
ACE in the ACL that
allows or denies the
requested access
level for any SID in
the users token
Security Token
Security Descriptor
System ACL
(SACL)
Discretionary ACL
(DACL or ACL)
List of user
rights
ACE
Trustee (SID)
Access Mask
Other access
information
ACE
Trustee (SID)
Access Mask
3/11/2014
Stand-alone (Workgroup) Authentication

The identity store is the security accounts manager (SAM)
database on the Windows system

No shared identity store
Multiple user accounts
Management of passwords is challenging
Active Directory Domains: Trusted Identity Store

Centralized identity store
trusted by all domain

members
Centralized authentication
service
Hosted by a server
performing the role of an

Services (AD DS) domain
controller
3/11/2014
Active Directory, Identity, and Access

An IDA infrastructure should
Store information about users, groups, computers and other

identities
Authenticate an identity
Kerberos authentication used in Active Directory provides

single sign-on. Users are authenticated only once.
Control access
Provide an audit trail
Active Directory services

Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Certificate Services (AD CS)
Active Directory Rights Management Services (AD RMS)
Active Directory Federation Services (AD FS)
Lesson 2: Active Directory Components and Concepts

Active Directory as a Database
Demonstration: Active Directory Schema
Organizational Units
Policy-Based Management
The Active Directory Data Store
Domain Controllers
Domain
Replication
Sites
Tree
Forest
The Global Catalog
Functional Level
DNS and Application Partitions
Trust Relationships
3/11/2014
Active Directory As a Database

Active Directory is a database
Each record is an object
Each field is an attribute
Users, groups, computers,
Logon name, SID, password, description, membership,
Identities (security principals or accounts)
Services: Kerberos, DNS, replication, etc.

AD DS is, in the end, a database
and the services that support or use that database
Accessing the database
Windows tools, user interfaces, and components
APIs (.NET, VBScript, Windows PowerShell)
Lightweight Directory Access Protocol (LDAP)
Demonstration: Active Directory Schema

In this demonstration, we will
Discover how the Schema acts as a blueprint for Active
Directory by defining Attributes
objectSID
sAMAccountName
unicodePwd
member
Description
and Object classes
User
Group
10
3/11/2014
Notes Page Over-flow Slide. Do Not Print Slide.

See Notes pane.
Containers
Users
Computers
Containers that also support

the management and
configuration of objects
using Group Policy
Create OUs to
Delegate administrative
permissions
Apply Group Policy
11
3/11/2014
Policy-Based Management
Active Directory provides a single point of management for
security and configuration through policies

Group Policy
Domain password and lockout policy
Audit policy
Configuration
Applied to users or computers by scoping a GPO containing

configuration settings
Fine-grained password and lockout policies
The Active Directory Data Store

%systemroot%\NTDS\ntds.dit
Logical partitions
Domain naming context
Schema
Configuration
Global catalog (aka Partial Attribute Set)
DNS (application partitions)
Schema
SYSVOL
%systemroot%\SYSVOL
Logon scripts
Policies
NTDS.DIT
Configuration
*Domain*
DNS
PAS
12
3/11/2014
Domain Controllers
Servers that perform the AD DS role
Host the Active Directory database (NTDS.DIT) and SYSVOL
Replicated between domain controllers
Kerberos Key Distribution Center (KDC) service: authentication
Other Active Directory services
Best practices
Available: at least two in a domain
Secure: Server Core, Read-only domain controllers (RODCs)
Domain
Made up of one or more DCs
All DCs replicate the Domain naming
context (Domain NC)

The domain is the context within which

Users, Groups, Computers, and so on are
created
Replication boundary
Trusted identity source: Any DC can
authenticate any logon in the domain

The domain is the maximum scope
(boundary) for certain administrative

policies
Password
Lockout
13
3/11/2014
Replication
Multimaster replication
Objects and attributes in the database
Contents of SYSVOL are replicated
Several components work to create an efficient and robust
replication topology and to replicate granular changes to AD

The Configuration partition of the database stores
information about sites, network topology, and replication

DC1
DC3
DC2
Sites
An Active Directory object that represents a well-
connected portion of your network

Associated with subnet objects representing IP subnets
Intrasite vs. intersite replication

Replication within a site occurs very quickly (15-45 seconds)
Replication between sites can be managed
Service localization
Log on to a DC in your site

Site B
Site A
14
3/11/2014
Tree
One or more domains in a single instance of AD DS that
share contiguous DNS namespace
treyresearch.net
proseware.com
antarctica.treyresearch.net
Forest
A collection of one or more Active Directory domain trees
First domain is the forest root domain
Single configuration and schema
replicated to all DCs in the forest

A security and replication boundary
15
3/11/2014
The Global Catalog

Partial Attribute Set or
Global Catalog
Domain A
Contains every object in
PAS
every domain in the

forest
Contains only selected
attributes
A type of index
Domain B
Can be searched from
any domain
PAS
Very important for
many applications
Functional Level
Domain functional levels
Forest functional levels
New functionality requires that domain controllers are
running a particular version of Windows

Windows 2000
Windows Server 2003
Windows Server 2008
Cannot raise functional level
while DCs are running previous

versions of Windows
Cannot add DCs running
previous versions of Windows

after raising functional level
16
3/11/2014
DNS and Application Partitions

Active Directory and DNS are tightly
integrated
One-to-one relationship between the DNS
domain name and the logical domain unit

of Active Directory
Complete reliance on DNS to locate
computers and services in the domain

A domain controller acting as a DNS
server can store the zone data in Active

Directory itselfin an application partition
Schema
Configuration
Domain
DNS
PAS
Trust Relationships
Extends concept of trusted identity store to another domain
Trusting domain (with the resource) trusts the identity store
and authentication services of the trusted domain

A trusted user can authenticate to, and be given access to
resources in, the trusting domain

Within a forest, each domain trusts all other domains
Trust relationships can be established with external domains
Trusted domain
Trusting domain
17
3/11/2014
Lesson 3: Install Active Directory Domain Services

Install Windows Server 2008
Server Manager and Role-Based Configuration of Windows
Server 2008
Prepare to Create a New Forest with Windows Server 2008
Install and Configure a Domain Controller
Install Windows Server 2008

Boot with installation media (DVD)
Follow prompts and select the operating system to install
18
3/11/2014
Server Manager and Role-Based Configuration of

Windows Server 2008
Windows Server 2008 has minimal footprint
Functionality is added as roles or features
Server Manager: role and feature configuration along with
the common administrative snap-ins for the server
Prepare to Create a New Forest with

Windows Server 2008
Domains DNS name (contoso.com)
Domains NetBIOS name (contoso)
Whether the new forest will need to support DCs running
previous versions of Windows (affects choice of functional level)

Details about how DNS will be implemented to support AD DS
Default: Creating domain controller adds DNS Server role as well
IP configuration for the DC

IPv4 and, optionally, IPv6
Username and password of an account in the servers
Administrators group. Account must have a password.

Location for data store (ntds.dit) and SYSVOL
Default: %systemroot% (c:\windows)
19
3/11/2014
Install and Configure a Domain Controller
the Active Directory Domain Services role

1 Install
using the Server Manager
Run the Active Directory Domain Services
2 Installation Wizard
3 Choose the deployment configuration

4 Select the additional domain controller features
Select the location for the database, log files, and
5 SYSVOL folder
Configure the Directory Services Restore
6 Mode Administrator Password
Lab A: Install an AD DS DC to Create a Single

Domain Forest
Exercise 1: Perform Post-Installation Configuration Tasks
Exercise 2: Install a New Windows Server 2008 Forest with
the Windows Interface
Estimated time: 15 minutes
20
3/11/2014
Lab Scenario
You have been hired to improve identity and access at
Contoso, Ltd. The company currently has one server in a

workgroup configuration. Employees connect to the server
from their personal client computers. In anticipation of
near-term growth, you have been tasked with improving
the manageability and security of the companys
resources. You decide to implement an AD DS domain and
forest by promoting the server to a domain controller. You
have just finished installing Windows Server 2008 from the
installation DVD.
Lab Review
After this lab you will have:
Performed post installation tasks in naming a server
HQDC01, configuring the correct time zone, with display

resolution of at least 1024 x 768 and specifying its IP
address information
Configured a single-domain forest named contoso.com
with a single domain controller named HQDC01
21
3/11/2014
Lesson 4: Extend IDA with Active Directory

Services
Active Directory Lightweight Directory Services (AD LDS)
Active Directory rights Management Services (AD RMS)
Active Directory Lightweight Directory Services

(AD LDS)
Standalone version of Active Directory
Used to support applications that require a directory store
Allow customization without impact to production Active

Directory
Characteristics
A subset of AD DS functionality, sharing the same code
Schema, Configuration, and Application partitions
Replication
Not dependent upon AD DS
Can use AD DS to authenticate Windows security principals
Can run multiple instances on a single server
22
3/11/2014

Extends the concept of trust
A certificate from a trusted certificate authority (CA) proves identity
Trust can be extended beyond the boundaries of your enterprise, as

long as clients trust the CA of the certificates you present
Creates a public key infrastructure (PKI)

Confidentiality, Integrity, Authenticity, Non-Repudiation
Many uses
Internal-only or external
Secure Web sites (SSL)
VPN
Wireless authentication and encryption
Smart card authentication
Integration with AD DS powerful, but not required

See Notes pane.
23
3/11/2014
Active Directory Rights Management Services

(AD RMS)
Ensures the integrity of information
Traditional model: ACL defines access. No restriction on use.
AD RMS: Ensures access is limited and defines use.
Examples
Limit access to specified individuals
View e-mail but do not forward or print
View and print document but cannot change or e-mail
Requires
AD RMS
IIS, Database (SQL Server or Windows Internal Database)
AD DS
RMS enabled applications including Microsoft Office

applications, Internet Explorer

Extends the authority of AD DS to authenticate users
Traditional trust
Two Windows domains
Numerous TCP ports open in firewalls
Everyone from trusted domain is trusted
AD FS uses Web services technologies to implement trust

One AD DS/LDS directory; other side can be Active Directory or

other platforms
Port 443: transactions are secure and encrypted
Rules specifying which users from trusted domain are trusted
Uses
Business-to-business: partnership
Single sign-on
24
3/11/2014
Module 2
Secure and Efficient
Administration of
Active Directory

See Notes pane.
25
3/11/2014
Module Overview
Work with Active Directory Snap-Ins
Custom Consoles and Least Privilege
Find Objects in Active Directory
Use DS Commands to Administer Active Directory
Lesson 1: Work with Active Directory Snap-ins

The MMC Console
Active Directory Administration Snap-ins
Find Active Directory Snap-ins
Demonstration: Basic Administration with Active Directory
Users and Computers
26
3/11/2014
The MMC Console

Show/Hide
Console
Tree
Console
Tree
Show/Hide
Actions
Pane
Details
Pane
Actions
Pane
Active Directory Administration Snap-ins

Active Directory Users and Computers
Manage most common day-to-day objects, including users,

groups, computers, printers, and shared folders
Active Directory Sites and Services

Manage replication, network topology, and related services
Active Directory Domains and Trusts

Configure and maintain trust relationships and the domain and

forest functional level
Active Directory Schema

Administer the Schema
27
3/11/2014
Find Active Directory Snap-ins

Active Directory snap-ins are installed on a domain
controller
Server Manager: Users and Computers, Sites and Services
Administrative Tools folder
Install the RSAT on a member client or server

Windows Server 2008
Server Manager Features Add Feature Remote

Server Administration Tools
Windows Vista SP1, Windows 7
Download RSAT from www.microsoft.com/downloads
Double-click the file, then follow the instructions in the

Setup Wizard.
Control Panel Programs And Features Turn Windows

Features On Or Off Remote Server Administration Tools
Demonstration: Basic Administration with Active

Directory Users and Computers
In this demonstration, you will learn:
How to view objects in Active

How to refresh the view
How to create objects
How to configure object attributes
How to view all object attributes
28
3/11/2014

See Notes pane.
Lesson 2:Custom Consoles and Least Privilege

Demonstration: Create a Custom MMC Console for
Administering Active Directory

Secure Administration with Least Privilege, Run As
Administrator, and User Account Control

Demonstration: Secure Administration with User Account
Control and Run As Administrator

Demonstration: Super Consoles
29
3/11/2014
Demonstration: Create a Custom MMC Console

for Administering Active Directory
How to create a custom MMC console with multiple
snap-ins
How to register the Active Directory Schema snap-in
Where to save a custom console
Secure Administration with Least Privilege,

Run As Administrator, and User Account Control
Maintain at least two accounts
A standard user account
An account with administrative

privileges
Log on to your computer as a
standard user
Do not log on to your computer

with administrative credentials
Launch administrative consoles
with Run As Administrator

1.Right-click
the console and click

Run As Administrator
2.Click
Use another account
3.Enter
the username and password

for your administrative account
30
3/11/2014
Demonstration: Secure Administration with User

Account Control and Run As Administrator
How to run a custom console as an administrator
Why it is important to save a custom console to a shared
location
Demonstration: Super Consoles

How to add a view of a file share to a custom console
View uses the (elevated) credentials used to launch the console
How to create an administrative launch pad

Open external tools with the (elevated) credentials of the console
31
3/11/2014
Notes Page Overflow Slide. Do Not Print Slide.

See Notes pane.
Lab A: Create and Run a Custom Administrative

Console
Exercise 1: Perform Basic Administrative Tasks Using the
Active Directory Users and Computers Snap-in

Exercise 2: Create a Custom Active Directory
Administrative Console
Exercise 3: Perform Administrative Tasks with Least
Privilege, Run As Administrator, and User Account Control

Exercise 4 (Advanced Optional): Advanced MMC
Customization and Remote Administration

Logon information
32
3/11/2014

See Notes pane.
Lab Scenario
In this exercise, you are Pat Coleman, an Active Directory
administrator at Contoso, Ltd. You are responsible for a

variety of Active Directory support tasks, and you have
found yourself constantly opening multiple consoles from
the Administrative Tools folder in Control Panel. You have
decided to build a single console that contains all of the
snap-ins you require to do your work. Additionally,
Contosos IT security policy is changing, and you will no
longer be permitted to log on to a system with credentials
that have administrative privileges, unless there is an
emergency. Instead, you are required to log on with nonprivileged credentials.
33
3/11/2014
Lab Review
Which snap-in are you most likely to use on a day-to-day
basis to administer Active Directory?

When you build a custom MMC console for administration
in your enterprise, what snap-ins will you add?
Lesson 3: Find Objects in Active Directory

Demonstration: Use the Select users, Contacts,
Computers, or Groups Dialog Box

Options for Locating Objects in Active Directory Users and
Computers
Demonstration: Control the View of Objects in Active

Demonstration: Use the Find Command
Determine Where an Object Is Located
Demonstration: Use Saved Queries
34
3/11/2014

When you assign permissions to a folder or file
Select the group or user to which permissions are assigned
When you add members to a group

Select the user or group that will be added as a member
When you configure a linked attribute such as Managed By

Select the user or group that will be displayed

on the Managed By tab
When you need to administer a user, group, or computer

Perform a search to locate the object in Active Directory,

instead of browsing for the object
Demonstration: Use the Select Users, Contacts,

Computers, or Groups Dialog Box
How to select users with the Select dialog box
35
3/11/2014
Options for Locating Objects in Active Directory

Users and Computers
Sorting: Use
column headings
in Active
Directory Users
and Computers
to find the
objects based on
the columns
Searching:
Provide the
criteria for which
you want to
search
Demonstration: Control the View of Objects in

How to add or remove columns in the details pane
How to sort objects based on columns in the details pane
36
3/11/2014
Demonstration: Use the Find Command

How to search for objects in Active Directory using the
Find command
Determine Where an Object is Located

1. Ensure that Advanced Features is selected in the
View menu of the MMC console

2. Find the object
3. Open its Properties dialog box
4. Click the Object tab
5. View the Canonical name of object
or
In the Find dialog box, View Choose Columns and

add the Published At column
37
3/11/2014
Demonstration: Use Saved Queries

How to create a saved query
How to distribute a saved query
Why saved queries are an efficient and effective tool for
administration

See Notes pane.
38
3/11/2014
Lab B: Find Objects in Active Directory

Exercise 1: Find Objects in Active Directory
Exercise 2: Use Saved Queries
Exercise 3 (Advanced Optional): Explore Saved Queries
Lab Scenario
Contoso now spans five geographic sites around the world,
with over 1000 employees. As your domain has become

populated with so many objects, it has become more
difficult to locate objects by browsing. You are tasked with
defining best practices for locating objects in Active
Directory for the rest of the team of administrators. You
are also asked to monitor the health of certain types of
accounts.
39
3/11/2014
Lab Review
In your work, what scenarios require you to search Active
Directory?
What types of saved queries could you create to help you
perform your administrative tasks more efficiently?
Lesson 4: Use DS Commands to Administer

Active Directory
DNs, RDNs, and CNs
The DS Commands
Find Objects with DSQuery
Retrieve Object Attributes with DSGet
Pipe NDs to Other DS Commands
Modify Object Attributes with DSMod
Delete an Object with DSRm
Move an Object with DSMove
Add an Object with DSAdd
Administration without the GUI
40
3/11/2014
DNs, RDNs, and CNs

Common Name (CN)
Distinguished Name (DN)
cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com

Relative Distinguished Name (RDN)
ou=Employees,ou=User Accounts,dc=contoso,dc=com
Distinguished Name (DN)
DN must be completely unique
RDN must therefore be unique within the parent container
The DS Commands
DSQuery. Performs a query based on parameters
provided at the command line and returns a list of

matching objects
DSGet. Returns specified attributes of an object
DSMod. Modifies specified attributes of an object
DSMove. Moves an object to a new container or OU
DSAdd. Creates an object in the directory
DSRm. Removes an object, all objects in the subtree
beneath a container object, or both
DScommand /?
For example: dsquery /?
41
3/11/2014

dsquery objectType
objectType: user, computer, group, ou
By default, search scope is the entire domain
-limit switch to specify number of results
100 is default
0 means return all results
dsquery objectType attribute criteria

attribute is objectType specific: dsquery objectType /?
Examples for user: -name, -samid, -office, -desc
criteria in quotes if there is a space. Wildcards (*) allowed
dsquery objectType BaseDN
scope {subtree|onelevel|base}
Specify search start and scope
42
3/11/2014
Retrieve Object Attributes with DSGet

dsget objectType objectDN -attribute
Common syntax for many DS commands
dsget user "cn=Jeff Ford,ou=Employees,ou=User

Accounts,dc=contoso,dc=com" -email
What is the difference between DSGet and DSQuery?
Pipe DNs to Other DS Commands

Typing DNs is difficult!
dsget user "cn=Jeff Ford,ou=Employees,ou=User

Accounts,dc=contoso,dc=com" -email
DSQuery returns DNs
dsquery user -name "Jeff Ford"

> "cn=Jeff Ford,ou=Employees,ou=User
Accounts,dc=contoso,dc=com"
Pipe (send) the DNs from DSQuery to DSGet with |
dsquery user -name "Jeff Ford" | dsget user email
Or multiple results:
dsquery user -name "Dan*" | dsget user email
DSGet can return DNs from some attributes as well
dsget group groupDN -members | dsget user -samid
43
3/11/2014
Modify Object Attributes with DSMod
dsmod objectType "objectDN" -attribute "new value"
dsmod user "cn=Jeff Ford,ou=Employees,ou=User

Accounts,dc=contoso,dc=com" -dept "Information
Technology"
dsquery user "ou=Admins,dc=contoso,dc=com" | dsmod

user -department "Information Technology"
Delete an Object with DSRm

dsrm objectDN
Note that DSRm does not take an objectType
dsrm "cn=DESKTOP234,ou=Client
Computers,dc=contoso,dc=com"
dsquery computer -stalepwd 90 | dsrm
44
3/11/2014
Move an Object with DSMove

dsmove objectDN newparent targetOUDN
objectDN: object to be moved
targetOUDN: target (destination) OU
dsmove objectDN newname newName
objectDN: object to be moved

newName: new name for object (used in the RDN)
Add an Object with DSAdd

dsadd objectType objectDN -attribute "value"
objectType: class of object to add
objectDN: OU in which to create object
-attribute "value": attributes to populate
Each object class has required attributes
dsadd ou "ou=Lab,dc=contoso,dc=com"
45
3/11/2014
Administration Without the GUI

Command Prompt
DS commands
csvde.exe and ldifde.exe
LDAP
ldp.exe
Windows PowerShell
Scripting
Windows PowerShell scripts
VBScript
Lab C: Use DS Commands to Administer

Active Directory
Exercise 1: Use DS Commands to Administer Active
Directory
Logon information
Virtual machine
6425B-HQDC01-A
Logon user name
Pat.Coleman
Administrative user name
Pat.Coleman_Admin
Password
Pa$$w0rd
46
3/11/2014
Lab Scenario
Contoso is growing, and changes need to be made to
objects in Active Directory. You are an administrator of AD

DS, and you know that it can be easier to create, delete,
and modify objects using the command prompt than using
Active Directory Users and Computers.
Lab Review
What can you do to avoid typing distinguished names of
users, groups, or computers into DSGet, and other DS

commands?
How are wildcard searches with DSQuery different than
searches performed with the Find command in Active

Directory Users and Computers? In other words, what kind
of search have you performed in this lab that would not
have been possible using the basic interface of the Find
command?
47
3/11/2014
Module 3
Manage Users

See Notes pane.
48
3/11/2014
Module Overview
Create and Administer User Accounts
Configure User Object Attributes
Automate User Account Creation
Lesson 1: Create and Administer User Accounts

User Account
Demonstration: Create a User Object
Create Users with DSAdd
Name Attributes
Rename a User Account
Account Attributes
Reset a Users Password
Unlock a User Account
Disable and Enable a User Account
Delete a User Account
Move a User Account
49
3/11/2014
User Account
A user account is an object that
Enables authentication of a user with attributes, including a

user logon name and password
Is a security principal with a security identifier (SID) that can

be assigned permissions to resources
A user account can be stored

In Active Directory, where it enables logon to the domain

and can be assigned permissions to resources anywhere in the
domain
Domain user accounts are administered with Active

Directory snap-ins and commands
In the local security accounts manager (SAM) database of a

member computer, where it enables logon to the local
computer and can be assigned permissions to local resources
Local user accounts are administered with the Local Users

and Groups snap-in and the net local user command

See Notes pane.
50
3/11/2014
Demonstration: Create a User Object

How to create a user
How to configure the properties of a user object
Create Users with DSAdd

dsadd user "UserDN" samid pre-Windows 2000 logon name
pwd { password | * } mustchpwd yes

UserDN. Distinguished name of user to create
-samid. Required for new account
-pwd password. The desired initial password
Pre-Windows 2000 logon name. The downlevel logon

name that can be used in the logon format
domain\username and that becomes %username%
Asterisk (*) will prompt you to enter it at the command

prompt, so that the plain text password is not entered with
the command
-mustchpwd { yes | no }. User must change password at

next logon
Lots of optional attributes, including

Can use $username$ token to represent the
-email
value of samid; for example,
-profile \\server01\users\$username$\profile
-hmdir & -profile
51
3/11/2014
Name Attributes
User logon name (pre-Windows 2000): sAMAccountName
Unique in domain
20-character limit
CONTOSO\Tony.Krijnen
User logon name: userPrincipalName (UPN)

Name + @ + UPN suffix
Unique in forest
Tony.Krijnen@contoso.com
Name or Full Name: cn (common name)

Tony Krijnen
Unique in OU so that the relative distinguished name (RDN) is

unique in the OU, so that, in turn, the objects distinguished
name (distinguishedName attribute) is unique in the forest
Display name: displayName

Krijnen, Tony
Exchange global address list (GAL)
Best if unique, but not technically required to be unique

See Notes pane.
52
3/11/2014

See Notes pane.
Rename a User Account

In Active Directory Users and Computers:
1.
Right-click the user, and then click Rename.
2.
Type the new common name (CN), and press Enter.
3.
Type the Full Name (which maps to cn and name)
4.
Type the First Name and Last Name.
5.
Type the Display Name.
6.
User Logon Name and User Logon Name (Pre-Windows

2000).
dsmod user UserDN [-upn UPN][-fn FirstName][-mi
Initial][-ln LastName]
[-dn DisplayName][-email EmailAddress]
You cannot change the user logon names or CN with DSMod
dsmove user UserDN -newname "New CN"
53
3/11/2014
Account Attributes
Logon Hours: logonHours
Log On To: userWorkstations
User must change password at next logon
User cannot change password
Password never expires
Account is disabled
Store password using reversible encryption
Smart Card is required for interactive logon
Account is trusted for delegation
Account expires
Reset a Users Password

A user forgets his or her password and attempts to log on
In Active Directory Users and Computers, right-click the
user object and click Reset Password
Best practices
Assign a temporary, unique, strong password to the user
Select User must change password at next logon
Communicate the password to the user in a secure manner
dsmod user UserDN pwd NewPassword -mustchpwd yes
54
3/11/2014
Unlock a User Account

In Active Directory Users and
Computers, right-click the user

object and click Properties.
Click the Account tab, and then
select Unlock Account.
In the Reset Password dialog
box, select Unlock the users

account.
Watch out for drives mapped
with alternate credentials. A

leading cause of account
lockout is when the alternate
credentials password changes.
Disable and Enable a User Account

user object and click Disable Account or Enable

Account
dsmod user UserDN disabled {yes|no}
55
3/11/2014
Delete a User Account

In Active Directory Users and Computers, select the user
and press Delete or right-click the user object and click

Delete
dsrm UserDN
When you delete an account, you lose

The group memberships
The security identifier (SID)
Common practice
Disable the account and move it to an OU for disabled objects
After a period of time, delete the account
Move a User Account

user and then click Move

or
drag the user object and drop it onto the destination OU
dsmove UserDN newparent TargetOUDN
56
3/11/2014
Lab A: Create and Administer User Accounts

Exercise 1: Create User Accounts
Exercise 2: Administer User Accounts
Exercise 3 (Advanced Optional): Explore User Account
Name Attributes
Lab Scenario
You are the administrator of Contoso, Ltd., an online university for
adult education. Two new employees have been hired: Chris Mayo
and Amy Strande. You must create accounts for these users. As
time passes, Chris Mayo leaves the organization, and his account
must be administered according to the company policy for user
account lifecycle management.
57
3/11/2014
Lab Review
In this lab, which attribute(s) can be modified when you
are creating a user account with the command prompt

that cannot be modified when creating a user account with
Active Directory Users and Computers?
What happens when you create a user account that has a
password that does not meet the requirements of the

domain?
Lesson 2: Configure User Object Attributes

Demonstration: A Tour of User Attributes
View All Attributes
Modify Attributes of Multiple Users
Modify User Attributes with DSMod and DSGet
Demonstration: Create Users with Templates
Create Users with Templates
58
3/11/2014
Demonstration: A Tour of User Attributes

How to access the properties of a user
The role of each tab in the user Properties dialog box
View All Attributes

The Attribute Editor
In Active Directory Users and
Computers, click the View

menu, then select Advanced
Features
59
3/11/2014
Modify Attributes of Multiple Users

How to do it
Select multiple users (for example, by using CTRL+click)
Right-click any one of the selected users, and then click

Properties
Attributes that can be modified

General: Description, Office, Telephone Number, Fax, Web

Page, E-mail
Account: UPN Suffix, Logon Hours, Computer Restrictions

(logon workstations), all Account Options, Account Expires
Address: Street, P.O. Box, City, State/Province, ZIP/Postal

Code, Country/Region
Profile: Profile Path, Logon Script, Home Folder
Organization: Title, Department, Company, Manager
Manage User Attributes with DSMod and DSGet

DSMod modifies the attributes of object(s)
dsmod user UserDN [-parameter value ]
UserDN . distinguishedName of the user(s) to modify
Parameter. Attribute to modify. dsmod user /?
Often does not map to the same name as LDAP

(dsmod dept vs. LDAP department)
DSGet gets (returns) the value of attributes of object(s)

dsget user UserDN [-parameter ]
dsget user /?
DSQuery can return objects based on search criteria
and pipe those objects to DSGet and DSMod

dsquery user -desc "Marketing Task Force" | dsget

user -email
60
3/11/2014
Demonstration: Create Users with Templates

In this demonstration you will learn:
What a template user account is, and why it is useful
How to create a template user account
How to copy a template user account

See Notes pane.
61
3/11/2014
Create Users with Templates

General tab. No properties are copied
Address tab. P.O. box, city, state or province,
ZIP or postal code, and country or region

are copied
Note that the street address itself is not copied
Account tab. Logon hours, logon workstations, account
options, and account expiration

Profile tab. Profile path, logon script, home drive, and
home folder path

Organization tab. Department, company, and manager
Member Of tab. Group membership and primary group
Lab B: Configure User Object Attributes

Exercise 1: Examine User Object Attributes
Exercise 2: Manage User Object Attributes
Exercise 3: Create Users from a Template
Exercise 4 (Advanced Optional): Create Users with a Batch
File
Logon information
Virtual machine
6425B-HQDC01-A
Logon user name
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
62
3/11/2014
Lab Scenario
You are the administrator of Contoso, Ltd., an online
university for adult education. Changes in the Sales

department require you to modify attributes of Sales
users. Additionally, you decide to make it easier to create
new accounts for salespeople by preparing a user account
template.
Lab Review
What options have you learned for modifying attributes of
new and existing users?

What are the advantages and disadvantages of each?
63
3/11/2014
Lesson 3: Automate User Account Creation

Export Users with CSVDE
Import Users with CSVDE
Import Users with LDIFDE
Export Users with CSVDE

Export
CSVDE.exe
Active Directory
filename.ldf
Import
CSV (comma-separated value, or comma-delimited text)

Can be edited with simple text editors (Notepad) or Microsoft

Office Excel
CSVDE.exe
csvde -f filename -d RootDN -p SearchScope -r Filter

-l ListOfAttributes
RootDN. Start of export (default = domain)
SearchScope. Scope of export (Base,OneLevel,Subtree)
Filter. Filter within the scope (LDAP query language)
ListOfAttributes. Use the LDAP name
64
3/11/2014
Import Users with CSVDE

Export
CSVDE.exe
Active Directory
filename.ldf
Import
CSVDE.exe
csvde i -f filename [-k]
i. Import default mode is export
k. Continue past errors (such as Object Already Exists)
Cannot import passwords, so users are created as disabled

Cannot modify existing users
Import Users with LDIFDE

Export
LDIFDE.exe
Active Directory
filename.ldf
Import
LDAP Data Interchange Format (LDIF)

LDIFDE.exe
ldifde [-i] [-f filename] [-k]
i. Import default mode is export
k. Continue past errors (such as Object Already Exists)
Cannot import passwords, so users are created as disabled

Can modify or remove existing users
65
3/11/2014
Lab C: Automate User Account Creation

Exercise 1: Export and Import Users with CSVDE
Exercise 2: Import Users with LDIFDE
Logon information
Virtual machine
6425B-HQDC01-A
Logon user name
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
university for adult education. You are hiring several new

employees. The Human Resources department has
provided you with extracts from their database, in both
comma-delimited text format and in LDIF format. You
want to import those data files to create user accounts for
the new hires.
66
3/11/2014
Lab Review
What scenarios lend themselves to importing users with
CSVDE and LDIFDE?
Module 4
Manage Groups
67
3/11/2014

See Notes pane.

See Notes pane.
68
3/11/2014

See Notes pane.
Module Overview
Manage an Enterprise with Groups
Administer Groups
Best Practices for Group Management
69
3/11/2014
Lesson 1: Manage an Enterprise with Groups

Demonstration: Create a Group Object
Access Management Without Groups
Groups Add Manageability
Groups Add Scalability
One Type of Group Is Not Enough
Role-Based Management: Role Groups and Rule Groups
Define Group Naming Conventions
Group Type
Group Scope
Local Groups
Global Groups
Universal Groups
Group Scope Possibilities Summarized
Manage Group Membership
Develop a Group Management Strategy (IGDLA)
Role-Based Management and Windows Group Management Strategy
Demonstration: Create a Group Object

In this demonstration, you will learn
How to create a group
How to configure the properties of a group object
70
3/11/2014
Access Management Without Groups
Identity
Access Management
Resource
Groups Add Manageability
Identity
Group
Resource
Access Management
71
3/11/2014
Groups Add Scalability
Identity
Group
Resource
Access Management
One Type of Group Is Not Enough
Identity
Group
Access Management
Resource
72
3/11/2014
Role-Based Management: Role Groups and Rule Groups
Identity
Role Group
Rule Group
Resource
Access Management

See Notes pane.
73
3/11/2014
Define Group Naming Conventions

Name properties
Group name. cn and name of group -- unique within OU
Group name (pre-Windows 2000). sAMAccountName of group -unique in domain
Use the same name (unique in the domain) for both properties
Naming conventions
Role groups. Simple, unique name, such as Sales or Consultants
Management groups. For example, ACL_Sales Folders_Read
Prefix. Management purpose of group, such as ACL
Resource identifier. What is managed, such as Sales Folders
Suffix. Access level, such as Read
Delimiter. Separates name components, such as underscore (_)
Group Type
Distribution groups
Used only with e-mail applications
Not security-enabled (no SID);
cannot be given permissions
Security groups
Security principal with a SID;
can be given permissions
Can also be e-mail enabled
74
3/11/2014
Group Scope
Four group scopes
Local
Global
Domain Local
Universal
Characteristics that distinguish each scope

Replication. Where are the group and its membership stored?
Membership. What types of objects, from which domains,

can be members of the group?
Availability (Scope). Where can the group be used? In what

scopes of groups can the group be a member? Can the group
be added to an ACL?
Local Groups
Replication
Defined in the security accounts manager (SAM) of a domain

member or workgroup computer
Membership not replicated to any other system
Membership: Local group can include as members

Any security principals from the domain: users (U), computers

(C), global groups (GG), or domain local groups (DLG)
U, C, GG from any domain in the forest
U, C, GG from any trusted domain
Universal groups (UG) defined in any domain in the forest
Availability/scope
Limited to the machine on which the group is defined; can be

used for ACLs on the local machine only
Cannot be a member of any other group
75
3/11/2014
Domain Local Groups

Replication
Defined in the domain naming context
Group and membership replicated to every DC in domain
Membership: Domain local group can include as members

Any security principals from the domain: U, C, GG, DLG
U, C, GG from any domain in the forest
U, C, GG from any trusted domain
UG defined in any domain in the forest
Availability/scope
Can be on ACLs on any resource on any domain member
Can be a member of other domain local groups or of machine

local groups
Well suited for defining business management rules
Global Groups
Replication
Defined in the domain naming context
Group and membership is replicated to every DC in domain
Membership: Global group can include as members

Only security principals from the same domain: U, C, GG, DLG
Availability/scope
Available for use by all domain members, all other domains in

the forest, and all trusting external domains
Can be on ACLs on any resource on any computer in any of

those domains
Can be a member of any DLG or UG in the forest, and of any

DLG in a trusting external domain
Well suited for defining roles
76
3/11/2014
Universal Groups
Replication
Defined in a single domain in the forest
Replicated to the global catalog (forestwide)
Membership: Universal group can include as members

U, C, GG, and UG from any domain in the forest
Availability/scope
Available to every domain and domain member in the forest
Can be on ACLs on any resource on any system in the forest
Can be a member of other UGs or DLGs anywhere in the forest
Useful in multidomain forests

Defining roles that include members from multiple domains
Defining business management rules that manage resources in

multiple domains in the forest
Group Scope Possibilities Summarized
Group Scope
Members from
Same Domain
Members
from Domain
in Same
Forest
Members
from Trusted
External
Domain
Can be
Assigned
Permissions to
Resources
Local
U, C,
GG, DLG, UG
and local users
U, C,
GG, UG
U, C,
GG
On the local
computer only
Domain Local
U, C,
GG, DLG, UG
U, C,
GG, UG
U, C,
GG
Anywhere in the
domain
Universal
U, C,
GG, UG
U, C,
GG, UG
N/A
Anywhere in the
forest
Global
U, C,
GG
N/A
N/A
Anywhere in the
domain or a
trusted domain
U
C
GG
DLG
UG
User
Computer
Global Group
Domain Local Group
Universal Group
77
3/11/2014
Manage Group Membership

Methods
The group's Members tab (Add/Remove)
The member's Member Of tab (Add/Remove)
The member's Add to a group command (Add)
You are always changing the member attribute

memberOf is a backlink attribute updated by Active Directory
Changes to membership do not take effect immediately

Requires logon (for a user) or startup (for a computer)
Token built with SIDs of member groups at those times
Account for replication of membership change to the user or

computer's domain controller
Tip: Change group membership on a DC in the user's site
Develop a Group Management Strategy (IGDLA)

Identities (users or computers)
are members of
Global groups
that collect members based

on those members' roles
which are members of
Domain Local groups
that provide
management
of some kind, such
as management of
resource access
which are
Assigned Access to a resource (for example, on an ACL)
Multi-domain forest: IGUDLA
78
3/11/2014
Role-Based Management and

Windows Group Management Strategy
Access Management
Identity
Role Group
Rule Group
Resource
Identity
Global
Domain Local
Access
Lesson 2: Administer Groups

Create Groups with DSAdd
Import Groups with CSVDE
Import Groups with LDIFDE
Convert Group Type and Scope
Modify Group Membership with DSMod
Modify Group Membership with LDIFDE
Retrieve Group Membership with DSGet
Copy Group Membership
Move and Rename Groups
Delete Groups
79
3/11/2014
Create Groups with DSAdd

dsadd group GroupDN secgrp {yes|no}
scope {g | l | u}
GroupDN. Distinguished name of group to create
-secgrp. Security-enabled (yes=security; no=distribution)
-scope. Scope (global, domain local, universal)
-samid. sAMAccountName (not necessary; defaults to cn)
-desc Description. description attribute
-member MemberDN . Space-separated list of members to

add when creating the group
-memberof GroupDN . Space-separated list of groups to

add this group to
dsadd group "CN=Marketing,OU=Role,OU=Groups,

DC=contoso,DC=com"
samid Marketing secgrp yes scope g
Import Groups with CSVDE

Comma-separated values (csv) file format
Comma-separated list of attributes
Groups to create, one per line, with all attributes listed
on the first line
Example
objectClass,sAMAccountName,DN,member
group,Marketing,"CN=Marketing,OU=Role,OU=Groups,
DC=contoso,DC=com",
"CN=Linda Mitchell,OU=Employees,OU=User Accounts,
DC=contoso,DC=com;CN=Scott Mitchell,OU=Employees,
OU=User Accounts,DC=contoso,DC=com"
csvde -i -f "filename" [-k]

-i. Import; default mode is export
-f. File name
-k. Continue on error, such as object already exists
CSVDE can create groups, not modify existing groups
80
3/11/2014
Import Groups with LDIFDE

Lightweight Directory Access Protocol Data Interchange
Format (LDIF) file

DN: CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=com
changeType: add
CN: Finance
description: Finance Users
objectClass: group
sAMAccountName: Finance
DN: CN=Research,OU=Role,OU=Groups,DC=contoso,DC=com
changeType: add
CN: Research
description: Research Users
objectClass: group
sAMAccountName: Research
Ldifde -i -f "filename" [-k]

-i. Import (default mode is export)
-f. File name
-k. Continue on error, such as object already exists
Convert Group Type and Scope

In Active Directory Users and Computers, you can change
group type:
Security to distribution (* lose permissions assigned to group)
Distribution to security
In Active Directory Users and Computers, you can change
the group scope:

Global to universal
Domain local to universal
Universal to global
Universal to domain local
You cannot change DL G or G DL directly, but you can

change DL U G or G U DL.
Change prevented if memberships are invalidfix, then retry
dsmod group GroupDN secgrp { yes | no }
scope { l | g | u }
81
3/11/2014
Modify Group Membership with DSMod

dsmod group "GroupDN" [options]
-addmbr "Member DN"
-rmmbr "Member DN"
dsmod group "CN=Research,OU=Role,OU=Groups,

DC=contoso,DC=com" -addmbr "CN=Mike Danseglio,
OU=Employees,OU=User Accounts,DC=contoso,DC=com"
Modify Group Membership with LDIFDE

LDIF file
dn: CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=com
changetype: modify
add: member
member: CN=April Stewart,OU=Employees,OU=User Accounts,
dc=contoso,dc=com
member: CN=Mike Fitzmaurice,OU=Employees,OU=User Accounts,
dc=contoso,dc=com
-
changetype: modify
Third line: What type of change? Add a value to member
To delete a member, just change to delete: member
Change operation is terminated with line containing only
82
3/11/2014
Retrieve Group Membership with DSGet

No option to show fully enumerated group memberships in

DSGet allows full enumeration (including nested members)
dsget group "GroupDN" members [-expand]
Shows members of group (GroupDN), optionally including

nested members (-expand)
dsget {user|computer} "ObjectDN" memberof
[-expand]
Shows membership of user or computer (ObjectDN),
optionally including nested group memberships (-expand)
Copy Group Membership

Copy members from one group to another
dsget group "CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com" members |
dsmod group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" addmbr
Copy memberships of one user to another

dsget user "SourceUserDN" memberof |
dsmod group addmbr "TargetUserDN"
83
3/11/2014
Move and Rename Groups

Right-click group, then click Move or Rename
DSMove command
dsmove ObjectDN [-newname NewName]

[-newparent TargetOUDN]
ObjectDN is the DN of the group
-newparent TargetOUDN moves the group to a new OU
-newname NewName changes the cn of the group

- Must use DSMod Group to change the sAMAccountName
dsmove "CN=Public Relations,OU=Role,OU=Groups,DC=contoso,DC=com"

newparent "OU=Marketing,DC=contoso,DC=com"
dsmove "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com"
newname "Public Relations"
dsmod group "CN=Public Relations,OU=Role,OU=Groups,DC=contoso,DC=com"
-samid "Public Relations"
Delete Groups
Active Directory Users and Computers: Right-click, Delete
DSRm command
dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt]

[-c]
-noprompt prevents prompting to confirm each deletion
-c continues if an error occurs (such as access denied)
-subtree deletes the object and all child objects
-subtree -exclude deletes all child objects but not the

object itself
dsrm "CN=Public Relations,OU=Role,OU=Groups,

DC=contoso,DC=com"
Deleting a security group has significant impact
SID is lost and cannot be re-established by re-creating group
Tip: First, record all members and delete all members for a
test period, to evaluate any unintended side effects
84
3/11/2014
Lab A: Administer Groups

Exercise 1: Implement Role-Based Management Using
Groups
Exercise 2: Manage Group Membership from the
Command Prompt
Exercise 3 (Advanced Optional): Explore Group
Membership Reporting Tools

Exercise 4 (Advanced Optional): Understand "Account
Unknown" Permissions
Logon information
Virtual machine
6425B-HQDC01-A
Logon user name
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
In order to improve the manageability of resource access
at Contoso, Ltd., you have decided to implement rolebased management. The first application of role-based
management will be to manage who can access the folders
containing Sales information. You must create groups that
manage access to that sensitive information. Business
rules are that Sales and Marketing employees, as well as a
team of Consultants, should be able to read the Sales
folders. Additionally, Bobby Moore requires Read access.
Finally, you have been asked to discover a way to produce
a list of group members, including those who are in nested
groups; and a list of a user's group membership, including
indirect or nested membership.
85
3/11/2014
Lab Review
Describe the purpose of global groups in terms of role-
based management.
What types of objects can be members of global groups?
Describe the purpose of domain local groups in terms of
role-based management of resource access.

What types of objects can be members of domain local
groups?
If you have implemented role-based management and are
asked to report who can read the Sales folders, what

command would you use to do so?
Lesson 3: Best Practices for Group Management

Best Practices for Group Documentation
Protect Groups from Accidental Deletion
Delegate Membership Management with the Managed By
Tab
Default Groups
Special Identities
86
3/11/2014
Best Practices for Group Documentation

Why document groups?
Easier to find them when you need them
Easier to understand how and when to use a

group
Establish and adhere to a strict naming
convention
Prefix, for example, helps distinguish

APP_Budget from ACL_Budget_Edit
Prefix helps you find the group in the Select

dialog box
Summarize a group's purpose with its
description
Appears in Active Directory Users and

Computers details pane
Detail a group's purpose in its Notes field
Protect Groups from Accidental Deletion

1. In the Active Directory Users and Computers snap-in,
click the View menu and make sure that Advanced

Features is selected.
2. Open the Properties dialog box for a group.
3. On the Object tab, select the Protect Object From
Accidental Deletion check box.

4. Click OK.
87
3/11/2014
Delegate Membership Management with the

Managed By Tab
The Managed By tab serves two purposes:
Provide contact information for who manages the group
Allow specified user (or group) to modify group membership if

Manager Can Update Membership List is selected
Tips
Must click OK (not just Apply)

to change the ACL on the group
To set a group in the Name box,

click Change, then click
Object Types, and then click Groups
Default Groups
Default local groups in the BUILTIN and Users containers
Enterprise Admins, Schema Admins, Administrators, Domain

Admins, Server Operators, Account Operators, Backup
Operators, Print Operators
Reference to their rights and privileges in Student Manual

Know these rights for the certification exams
Problems with these groups

Highly overdelegated
Account Operators, for example, can log on to a DC
Protected
Users who are members of these groups become protected

and are not un-protected when removed
Best practice: Keep these groups empty and create
custom groups with the rights and privileges you require
88
3/11/2014
Special Identities
Membership is controlled by Windows:
Cannot be viewed, edited, or added to other groups
Can be used on ACLs
Examples
Anonymous Logon. Represents connections to a computer

without a username and password
Authenticated Users. Represents identities that have been

authenticated, but does not include the Guest identity
Everyone. Includes Authenticated Users and Guest (but not

Anonymous Logon by default in Windows Server 2003/2008)
Interactive. Users logged on locally or with Remote Desktop
Network. Users accessing a resource over the network
Lab B: Best Practices for Group Management

Exercise 1: Implement best practices for group
management
89
3/11/2014
Lab Scenario
Your implementation of role-based management at
Contoso has been highly successful. As the number of

groups in the domain has increased, you've come to
realize that it is important to document groups thoroughly
and to prevent administrators from accidentally deleting a
group. Finally, you want to allow the business owners of
resources to manage access to those resources by
delegating to those owners the right to modify the
membership of appropriate groups.
Lab Review
What are some benefits of using the Description and Notes
fields of a group?
What are the advantages and disadvantages of delegating
group membership?
90
3/11/2014
Module 5
Support Computer
Accounts

See Notes pane.
91
3/11/2014
Module Overview
Create Computers and Join the Domain
Administer Computer Objects and Accounts
Lesson 1: Create Computers and Join the Domain

Workgroups, Domains, and Trusts
Requirements for Joining a Computer to the Domain
The Computers Container and Organizational Units (OUs)
Prestage a Computer Account
Join a Computer to the Domain
Secure Computer Creation and Joins
Automate Computer Account Creation
Import Computers with CSVDE
Import Computers with LDIFDE
Create Computers with DSAdd
Create and Join Computers with NetDom
92
3/11/2014
Workgroups, Domains, and Trusts

Workgroup: Authority is Security Accounts Manager (SAM)
Identity is local to each computer
Domain: Authority
is Active Directory
Computers have
"trust relationship"
with the domain

See Notes pane.
93
3/11/2014
Requirements for Joining a Computer to the

Domain
A computer object must exist in the directory service
You must have permissions to the computer object that
allow you to join a computer to it

You must be a member of the local Administrators group
on the computer to change its domain or workgroup

membership
The Computers Container and Organizational

Units (OUs)
The default Computers container is a container,
not an organizationalUnit object

Cannot link Group Policy objects (GPOs) to a container
Cannot create sub-OUs in a container
Best practice is to create OUs for computer objects

Servers
Typically subdivided by server role
Client computers
Divide OUs based first on administration,
then to facilitate configuration with Group Policy
94
3/11/2014
Prestage a Computer Account

Prestage (pre-create) a computer in the correct OU
Right-click the OU and choose New Computer
Computer Name and Computer Name (Pre-Windows 2000)
should be the same

User Or Group box delegates permissions to the specified
account to join the computer to the domain
Join a Computer to the Domain

From the System Properties dialog box or window
Prompted for domain credentials
Requires restart
95
3/11/2014
Secure Computer Creation and Joins

Prestage computer objects in the correct OUs
Computer is in correct OU and does not require moving
Group Policy applies to the computer immediately after joining

the domain
Tighter security of computer OU and Computers container
Configure the default computer container

redircmp "DN of OU for new computer objects"
Restrict the ability of users to create computers

By default, any user can join 10 machines to the domain
Requires no prestaging
Change the ms-DS-MachineAccountQuota value to 0
Delegate to appropriate groups the permission to create
computer objects in the appropriate OUs
Automate Computer Account Creation

Comma Separated Value Directory Exchange (CSVDE)
Import (create) or export computer accounts
Lightweight Directory Access Protocol (LDAP) Data
Interchange Format Directory Exchange (LDIFDE)

Import (create), modify, or export computer accounts
DSAdd
Create computer accounts and set initial properties
NetDom
Create computer accounts
Join machines to domain
96
3/11/2014
Import Computers with CSVDE

Export
CSVDE.exe
Active Directory
filename.ldf
Import
CSVDE.exe
csvde i -f filename [-k]
-i: Import (default mode is export)
-k: Continue past errors (such as Object Already Exists)
Include userAccountControl column (set to 4096) and
sAMAccountName column (set to computername$)
Import Computers with LDIFDE

Export
LDIFDE.exe
Active Directory
filename.ldf
Import
Lightweight Directory Access Protocol Data Interchange
Format (LDIF)
LDIFDE.exe
ldifde [-i] [-f filename] [-k]
-i: Import
Default mode is export
-k: Continue past errors
Object already exists
dn: CN=FILE25,OU=File, OU=Servers,

DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: FILE25
userAccountControl: 4096
sAMAccountName: FILE25$
97
3/11/2014
Create Computers with DSAdd

DSAdd creates objects in Active Directory
dsadd computer ComputerDN
ComputerDN: The distinguished name (DN) of the computer

Multiple values can be provided by:
Separating ComputerDN ComputerDN with a space
Leaving ComputerDN empty, then entering DNs

one at a time followed by ENTER,
with CTRL+Z and then ENTER after the last DN
Piping a list of DNs from another command, such as

DSQuery
Optional options
-samid ComputerName
-desc Description
-loc Location
Create and Join Computers with NetDom

Create account
netdom add ComputerName /domain:DomainName

[/ou:"OUDN"]
[/ UserD:DomainUsername /PasswordD:DomainPassword]
Join the domain (and, if necessary, create account)

netdom join MachineName /Domain:DomainName

[/OU:"OUDN"]
[/UserD:DomainUsername]
[/PasswordD:{DomainPassword|*} ]
[/UserO:LocalUsername]
[/PasswordO:{LocalPassword|*} ]
[/SecurePasswordPrompt]
[/REBoot[:TimeInSeconds]]
98
3/11/2014
Lab A: Create Computers and Join the Domain

Exercise 1: Join a Computer to the Domain with the
Windows Interface
Exercise 2: Secure Computer Joins
Exercise 3: Manage Computer Account Creation with Best
Practices
Logon information
Virtual machine
6425B-HQDC01-A
Logon user name
Pat.Coleman
6425B-SERVER01-B
Pat.Coleman_Admin
Administrator
Password
Pa$$w0rd
Pa$$w0rd
Scenario
You are an administrator for Contoso, Ltd. During a
security audit, it was identified that there is no control

over the creation of new computer accounts: both clients
and servers are being added to the domain with no
assurance that process is being followed. In fact, a number
of computer accounts were discovered in the Computers
container. These computer objects were for active
computer accounts, but the computers had not been
created in or moved to the correct OUs within the Client
Computers or Servers OUs according to standard
procedures. Youve been tasked with improving the
procedures.
99
3/11/2014
Lab Review
What did you learn about the pros and cons of various
approaches to creating computer accounts in an AD DS

domain?
What are the two credentials that are necessary for any
computer to join a domain?
Lesson 2: Administer Computer Objects and Accounts

Configure Computer Attributes
Move a Computer
Computer Accounts and Secure Channel
Recognize Computer Account Problems
Reset a Computer Account
Rename a Computer
Disable and Enable a Computer
Delete and Recycle Computer Accounts
100
3/11/2014
Configure Computer Attributes

Useful attributes
Description
Location
US\WA\SEA\HQ\Building33\Floor3\Q04\1531
Used by location-aware applications such as

Search For Printers
Managed By
Link to user who is the primary user of the computer
Link to group that is responsible for the computer (servers)
Member Of
Groups: Group Policy filtering, software deployment
dsmod computer "ComputerDN" [-desc "Description"] [loc "Location"]
Move a Computer
Using Active Directory Users and Computers
Drag and drop
Right-click the computer, and then click Move
dsmove ObjectDN [-newname NewName] [-newparent
ParentDN]
-newname NewName: Used to rename a computer
-newparent ParentDN: Used to move a computer to the OU

specified by ParentDN
101
3/11/2014
Computer Account and Secure Channel

Computers have accounts
sAMAccountName and password
Used to create a secure channel between the computer and a

domain controller
Secure channel can be broken

Reinstalling computer, even with same name, generates new

SID and password
Restoring a computer from an old backup, or rolling back a

computer to an old snapshot
Computer and domain disagree about what the password is
Recognize Computer Account Problems

Logon messages
Event log errors, including key words such as

Password
Trust
Secure channel
Relationships with the domain or domain controllers
A computer account is missing in Active Directory
102
3/11/2014
Reset a Computer Account

Do not simply remove computer from domain and rejoin
Creates new account: new SID, lost group memberships
Reset the secure channel

Active Directory Users and Computers*
Right-click the computer, and then click Reset Account
DSMod*
dsmod computer "ComputerDN" reset
NetDom
netdom reset MachineName /domain DomainName
/UserO UserName /PasswordO {Password | *}
NLTest
nltest /server:ServerName
/sc_reset:DOMAIN\DomainController
* = requires rejoining domain and rebooting
Rename a Computer
Use System Properties of computer itself to rename computer
and its account correctly
NetDom
netdom renamecomputer MachineName /NewName:NewName

[/UserO:LocalUsername] [/PasswordO:{LocalPassword|*} ]
[/UserD:DomainUsername] [/PasswordD:{DomainPassword|*} ]
[/SecurePasswordPrompt] [/REBoot[:TimeInSeconds] ]
Be cautious of impact that rename can have on services and on
certificates associated with computer's name
103
3/11/2014
Disable and Enable a Computer

Disable computer if it will be offline for extended time
Similar to disabling a user who is on a leave of absence
Prevents secure channel from being established, so users who

do not have cached credentials on the computer cannot log on

Right-click computer, and then click Enable Account

or Disable Account
DSMod
dsmod computer ComputerDN -disabled yes

dsmod computer ComputerDN -disabled no
Delete and Recycle Computer Accounts

Delete a computer with Active Directory Users and
Computers
Right-click the computer, and then click Delete
Delete a computer with DSRm

dsrm ObjectDN
Delete destroys SID and group memberships

If replacing or reinstalling a computer, if computer will play

same role, reset computer account instead of deleting it
Preserves all attributes of computer, including SID and group

memberships
You can rename object if computer is being renamed during

reinstallation/upgrade
This "recycles" the computer account
104
3/11/2014
Lab B: Administer Computer Objects and Accounts

Exercise 1: Administer Computer Objects Through Their
Life cycle
Exercise 2: Administer and Troubleshooting Computer
Accounts
Logon information
Virtual machine
6425B-HQDC01-A
Logon user name
Pat.Coleman
6425B-SERVER01-B
Pat.Coleman
Pat.Coleman_Admin
Administrator
Password
Pa$$w0rd
Pa$$w0rd
Scenario
You are an administrator for Contoso, Ltd. During a
security audit, it was identified that there is no control

over the creation of new computers accounts: both clients
and servers are being added to the domain with no
assurance that process is being followed. In fact, a number
of computer accounts were discovered in the Computers
container. These computer objects were for active
computer accounts, but the computers had not been
created in or moved to the correct OUs within the Client
Computers or Servers OUs according to standard
procedures. Youve been tasked with improving the
management of computer accounts, and identifying best
practices for administering the entire life cycle of a
computer account.
105
3/11/2014
Lab Review
What did you learn about the "pros" and "cons" of various
approaches to creating computer accounts in an AD DS

domain?
What are the two credentials that are necessary for any
computer to join a domain?
Module 6
Implement a Group Policy
Infrastructure
106
3/11/2014

See Notes pane.
Module Overview
Understand Group Policy
Implement GPOs
A Deeper Look at Settings and GPOs
Manage Group Policy Scope
Group Policy Processing
Troubleshoot Policy Application
107
3/11/2014
Lesson 1: Understand Group Policy

What is Configuration Management?
Policy Settings (Also Known as Policies)
Group Policy Objects
GPO Scope
Group Policy Client and Client-Side Extensions
Group Policy Refresh
Resultant Set of Policy
Review and Discuss the Components of Group Policy
What Is Configuration Management?

A centralized approach to applying one or more changes to
one or more users or computers

Setting: Definition of a change or configuration
Scope: Definition of the user(s) or computer(s) to which
the change applies

Application: A mechanism that applies the setting to users
and computers within the scope

Group Policy: The framework for configuration
management in an AD DS domain
Setting
Scope
Application
Tools for management, configuration, and troubleshooting
108
3/11/2014
Policy Settings (Also Known as Policies)

The granular definition of a change or configuration
Prevent access to registry-editing tools
Rename the Administrator account
Divided between
User Configuration ("user policies")
Computer Configuration
("computer policies")
Define a setting
Not configured (default)
Enabled
Disabled
Read explanatory text

Test all settings
Group Policy Objects

The container for one or more policy settings
Managed with the Group Policy Management console
(GPMC)
Group Policy Objects container
Edited with the Group Policy Management Editor
(GPME)
109
3/11/2014
GPO Scope
Scope. Definition of objects (users or computers) to which
GPO applies
GPO link. GPO can be linked to site, domain, or
organizational unit (OU) (SDOU)

GPO can be linked to multiple site(s) or OU(s)
GPO link(s) define maximum scope of GPO
Security group filtering

Apply or deny application of GPO to members of global

security group
Filter application of scope of GPO within its link scope
WMI filtering
Refine scope of GPO within link based on WMI query
Preference targeting
Group Policy Client and Client-Side Extensions

How GPOs and their settings are applied
Group Policy Client retrieves ordered list of GPOs
GPOs are downloaded (then cached)
Components called client-side extensions (CSEs) process
the settings to apply the changes

One for each major category of policy settings: security,

registry, script, software installation, mapped drive
preferences, etc.
Most CSEs apply settings only if GPO (as a whole) has

changed
Improves performance
Security CSE applies changes every 16 hours
GPO application is client driven ("pull")
110
3/11/2014
Group Policy Refresh

When GPOs and their settings are applied
Computer Configuration
Startup
Every 90-120 minutes
Triggered: GPUpdate command
User Configuration
Logon
Every 90-120 minutes
Triggered: GPUpdate command

The "cumulative" effect of Group Policy
A user or computer is usually within the scope of many GPOs
Potentially conflicting settings: precedence
Tools to report the settings that were applied and
which GPO "won" in the case of conflicting settings

Tools to model the effects of changes to the Group Policy
infrastructure or to the location of objects in Active

Directory
111
3/11/2014
Review and Discuss the Components of Group Policy

Setting
Scope
Application
Tools
Lesson 2: Implement GPOs

Local GPOs
Domain-Based GPOs
Demonstration: Create, Link, and Edit GPOs
GPO Storage
Demonstration: Policy Settings
112
3/11/2014
Local GPOs
Apply before domain-based GPOs
Any setting specified by a domain-based GPO will override the

setting specified by the local GPOs.
Local GPO
One local GPO in Windows 2000, Windows XP, Windows

Server 2003
Multiple local GPOs in Windows Vista and later
Local GPO: Computer settings and settings for all users
Administrators GPO: Settings for users in Administrators
Non-administrators GPO: Settings for users not in Admins
Per-user GPO: Settings for a specific user
If domain members can be centrally managed using
domain-linked GPOs, in what scenarios might local GPOs

be used?
Domain-Based GPOs
Created in Active Directory, stored on domain controllers
Two default GPOs
Default Domain Policy
Define account policies for the domain: Password, account

lockout, and Kerberos policies
Default Domain Controllers Policy
Define auditing policies for domain controllers and Active

Directory
113
3/11/2014
Demonstration: Create, Link, and Edit GPOs

In this demonstration, we will:
Delete a GPO
Create a GPO
Link a GPO
Open a GPO for editing
Delegate the management of GPOs
Creation
Linking
Editing
Discuss the default connection to the PDC Emulator

See Notes pane.
114
3/11/2014
GPO Storage
Group Policy Container (GPC)
Group Policy Object (GPO)
Stored in AD DS
Friendly name, globally unique
identifier (GUID)
Version
Group Policy Template (GPT)
What we call a GPO is actually

two things, stored in two places
Separate replication
mechanisms
GPOTool
Stored in SYSVOL on domain

controllers (DCs)
Contains all files required to
define and apply settings
.ini file contains Version
Microsoft Downloads Center
Demonstration: Policy Settings

In this demonstration, we will explore some of the
thousands of settings in a Group Policy object
115
3/11/2014
Lab A: Implement Group Policy

Exercise 1: Create, Edit, and Link Group Policy Objects
Logon information
Virtual machine
6425B-HQDC01-A
6425B-Desktop101-A
Logon user name
Pat.Coleman
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
Lab Scenario
You are responsible for managing change and
configuration at Contoso, Ltd. Contoso corporate IT

security policies specify that computers cannot be left
unattended and logged onto for more than 10 minutes.
You will therefore configure the screen-saver timeout and
password-protected screen-saver policy settings.
Additionally, you will lock down access to registry editing
tools.
116
3/11/2014
Lab Review
What policy settings are already being deployed using
Group Policy in your organization?

What policy settings did you discover that you might want
to implement in your organization?
Lesson 3: A Deeper Look at Settings and GPOs

Registry Policies in the Administrative Templates Node
Managed Settings, Unmanaged Settings, and Preferences
Administrative Templates
The Central Store
Demonstration: Work with Settings and the GPOs
Managed GPOs and their Settings
117
3/11/2014
Registry Policies in the Administrative Templates Node

Policy settings in the Administrative Templates node make
changes to the registry

HKCU\Software\Microsoft\
Windows\CurrentVersion\
Policies\System
DisableRegeditMode
1 Regedit UI tool only
2 Also disable regedit /s
Managed Settings, Unmanaged Settings, and

Preferences
Administrative templates
Managed policy setting
User interface (UI) is locked; user cannot make a change

to the setting
Changes are made in one of four reserved registry keys
Change and UI lock are "released" when the user/computer

falls out of scope
Unmanaged policy setting
UI not locked
Makes a change that is persistent; "tattoos" the registry
Only managed setting shown by default
Set Filter Options to view unmanaged settings
Preferences
Effects vary
118
3/11/2014
Administrative Templates
.ADMX
.ADML
Registry
The Central Store

.ADM files
Stored in the GPT
Leads to version control and GPO bloat problems
.ADMX/.ADML files

Retrieved from the client

Problematic if the client doesn't have the appropriate files
Central Store
Create a folder called PolicyDefinitions on a DC
Remotely: \\contoso.com\SYSVOL\contoso.com\Policies\
PolicyDefinitions
Locally: %SystemRoot%\SYSVOL\contoso.com\
Policies\PolicyDefinitions
Copy .ADMX files from your %SystemRoot%\PolicyDefinitions
Copy .ADML file from language-specific subfolders (such as en-us)
119
3/11/2014
Demonstration: Work with Settings and GPOs

Use Filter Options to locate policies in Administrative
Templates
Add comments to a policy setting
Add comments to a GPO
Create a new GPO from a starter GPO
Create a new GPO by copying an existing GPO
Create a new GPO by importing settings that were
exported from another GPO

See Notes pane.
120
3/11/2014

See Notes pane.
Manage GPOs and Their Settings

Copy (and Paste into a Group Policy Objects container)
Create a new "copy" GPO and modify it
Transfer a GPO to a trusted domain, such as test-toproduction
Back Up all settings, objects, links, permissions (access
control lists [ACLs])

Restore into same domain as backup
Import Settings into a new GPO in same or any domain
Migration table for source-to-destination mapping of UNC

paths and security group names
Replaces all settings in the GPO not a "merge"
Save Report
Delete
Rename
121
3/11/2014
Lab B: Manage Settings and GPOs

Exercise 1: Use Filtering and Commenting
Exercise 2: Manage Administrative Templates
Logon information
Virtual machine
6425B-HQDC01-A
Logon user name
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You were recently hired as the domain administrator for
Contoso, Ltd., replacing the previous administrator, who

retired. You are not certain what policy settings have been
configured, so you decide to locate and document GPOs
and policy settings. You also discover that the company
has not leveraged either the functionality or the
manageability of administrative templates.
122
3/11/2014
Lab Review
Describe the relationship between administrative template
files (both .ADMX and .ADML files) and the GPME.

When does an enterprise get a central store? What
benefits does it provide?

What are the advantages of managing Group Policy from a
client running the latest version of Windows? Do settings

you manage apply to previous versions of Windows?
Lesson 4: Manage Group Policy Scope

GPO Links
GOP Inheritance and Precedence
Group Policy Processing Order
Use Security Filtering to Modify GPO Scope
WMI Filters
Enable or Disable GPOs and GPO Nodes
Target Preferences
Loopback Policy Processing
123
3/11/2014
GPO Links
GPO link
Causes policy settings in GPO to apply to users or computers

within that container
Links GPO to site, domain, or OU (SDOU)
Must enable sites in the GPM console
GPO can be linked to multiple sites or OUs
Link can exist but be disabled
Link can be deleted, but GPO remains
GPO Inheritance and Precedence

The application of GPOs linked to each container results in
a cumulative effect called inheritance

Default Precedence: Local Site Domain OU OU

(LSDOU)
Seen on the Group Policy Inheritance tab
Link order (attribute of GPO Link)

Lower number Higher on list Precedent
Block Inheritance (attribute of OU)

Blocks the processing of GPOs from above
Enforced (attribute of GPO Link)

Enforced GPOs blast through Block Inheritance
Enforced GPO settings win over conflicting settings in lower

GPOs
124
3/11/2014
Group Policy Processing Order

GPO1
Local Group
GPO2
Site
GPO3
GPO4
Domain
GPO5
OU
OU
Computer D
User D
OU
Domain
Business
OU
Computer B
User B
Computer
User E
Employees
Computer C
User C
Groups
Clients
Computer D+B+C
User D+B+E
125
3/11/2014
Computer D
User D
Domain
Block
Inheritance
Business
OU
Computer B
User B
Computer
User E
Employees
Computer C
User C
Groups
Clients
Computer B+C
User B+E
Security
Computer D
Computer S
User D
User S
Domain
Block
Inheritance
Business
OU
Enforced
Computer B
User B
Computer
User E
Employees
Computer C
User C
Groups
Clients
Computer B+C+S
User B+E+S
126
3/11/2014
Use Security Filtering to Modify GPO Scope

Apply Group Policy permission
GPO has an ACL (Delegation tab Advanced)
Default: Authenticated Users have Allow Apply Group Policy
Scope only to users in selected global group(s)

Remove Authenticated Users
Add appropriate global groups
Must be global groups (GPOs dont scope to domain local)
Scope to users except for those in selected group(s)

On Delegation tab, click Advanced
Add appropriate global groups
Deny Apply Group Policy permission
Does not appear on Delegation tab or in filtering section
WMI Filters
Windows Management Instrumentation (WMI)
WMI Query Language (WQL)
Similar to T-SQL
Select * FROM Win32_OperatingSystem WHERE

Caption="Microsoft Windows XP Professional" AND
CSDVersion="Service Pack 3"
Create a WMI filter

Use the filter for one or more GPOs
127
3/11/2014
Enable or Disable GPOs and GPO Nodes

GPO Details tab GPO Status drop-down list
Enabled: Both Computer Configuration and User
Configuration settings will be applied by CSEs

All settings disabled: CSEs will not process the GPO
Computer Configuration settings disabled: CSEs will not
process settings in Computer Configuration

User Configuration settings disabled: CSEs will not process
settings in User Configuration
Target Preferences
Targeting within a GPO
Scope =
scope of GPO
x
scope of targeting
Only possible with

preferences
Many, many options

Test effect
Test performance
impact
128
3/11/2014
Loopback Policy Processing

At user logon, user settings from GPOs scoped to
computer object are applied

Create a consistent user experience on a computer
Conference rooms, kiosks, computer labs, VDI, RDS/TS, etc.
Computer Configuration\Policies\Administrative
Templates\System\Group Policy
User Group Policy loopback processing mode
Replace mode
The user gets none of the User settings that are scoped to the
user only the User settings that are scoped to computer.
Merge mode
The user gets the User settings scoped to the user, but those
settings are overlaid with User settings scoped to the
computer. The computer wins.
Business
OU
Computer
User E
Employees
Computer B
User B
Loopback
Computer K
User K
Computer C
User
Groups
Clients
Computer B+C
User B+E
Replace
Computer B+K
User B+K
Kiosks
Merge
Computer B+K
User E+B+K
129
3/11/2014
Lab C: Manage Group Policy Scope

Exercise 1: Configure GPO Scope with Links
Exercise 2: Configure GPO Scope with Filtering
Exercise 3: Configure Loopback Processing
Logon information
Virtual machine
6425B-HQDC01-A
6425B-DESKTOP101-A
Logon user name
Pat.Coleman
Do not Logon
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are an administrator of the contoso.com domain. The
CONTOSO Standards GPO, linked to the domain, configures a

policy setting that requires a ten-minute screen saver timeout. An
engineer reports that a critical application that performs lengthy
calculations crashes when the screens saver starts, and the
engineer has asked you to prevent the setting from applying to the
team of engineers that uses the application every day. You have
also been asked to configure conference room computers to use a
45-minute timeout, so that the screen saver does not launch during
a meeting.
130
3/11/2014
Lab Review
Many organizations rely heavily on security group filtering
to scope GPOs, rather than linking GPOs to specific OUs.

In these organizations, GPOs are typically linked very high
in the Active Directory logical structure: to the domain
itself or to a first-level OU. What advantages are gained by
using security group filtering rather than GPO links to
manage the scope of the GPO?
Why might it be useful to create an exemption groupa
group that is denied the Apply Group Policy permission

for every GPO that you create?
Do you use loopback policy processing in your
organization? In what scenarios and for what policy

settings can loopback policy processing add value?
Lesson 5: Group Policy Processing

A Detailed Review of Group Policy Processing
Slow Links and Disconnected Systems
Understand When Settings Take Effect
131
3/11/2014
A Detailed Review of Group Policy Processing

Computer starts; Remote Procedure Call System Service
(RPCSS) and Multiple Universal Naming Convention

Provider (MUP) are started
Group Policy Client starts and obtains an ordered list of
GPOs that are scoped to the computer

Local Site Domain OU Enforced GPOs
GPC processes each GPO in order

Should it be applied? (enabled/disabled/permission/WMI filter)
CSEs are triggered to process settings in GPO
Settings configured as Enabled or Disabled are processed
User logs on
Process repeats for user settings
Every 90-120 minutes after startup, computer refresh
Every 90-120 minutes after logon, user refresh
Slow Links and Disconnected Systems

Group Policy Client determines whether link to domain
should be considered slow link

By default, less than 500 kilobits per second (kbps)
Each CSE can use determination of slow link to decide whether

it should process or not
Software CSE, for example, does not process
Disconnected
Settings previously applied will continue to take effect
Exceptions include startup, logon, logoff, and shutdown scripts
Connected
Windows Vista and later operating systems detect new

connection and perform Group Policy refresh if refresh window
was missed while disconnected
132
3/11/2014
Understand When Settings Take Effect

GPO replication must happen
GPC and GPT must replicate
Group changes must be incorporated

Logoff/logon for user; restart for computer
Group Policy refresh must occur

Windows XP, Windows Vista, and Windows 7 clients
Always wait for network at startup and logon
Settings may require logoff/logon (user) or restart
(computer) to take effect

Manually refresh: GPUpdate [/force] [/logoff] [/boot]
Most CSEs do not re-apply settings if GPO has not changed
Configure in Computer\Admin Templates\System\Group Policy
Lesson 6: Troubleshoot Policy Application

Generate RSoP Reports
Perform What-If Analyses with the Group Policy Modeling
Wizard
Examine Policy Event Logs
133
3/11/2014

Inheritance, filters, loopback, and other policy scope and
precedence factors are complex!

RSoP
The "end result" of policy application
Tools to help evaluate, model, and troubleshoot the

application of Group Policy settings
RSoP analysis
The Group Policy Results Wizard
The Group Policy Modeling Wizard
GPResult.exe
Generate RSoP Reports

Group Policy Results Wizard
Queries WMI to report actual Group Policy application
Requirements
Administrative credentials on the target computer
Access to WMI (firewall)
User must have logged on at least once
RSoP report
Can be saved
View in Advanced mode
Shows some settings that do not show in the HTML report
View Group Policy processing events
GPResult.exe /s ComputerName /h filename
134
3/11/2014
Perform What-If Analyses with the Group Policy

Modeling Wizard
Group Policy Modeling Wizard
Emulates Group Policy application to report anticipated RSoP
Examine Policy Event Logs

System log
High-level information about Group Policy
Errors elsewhere in the system that could impact Group Policy
Application log
Events recorded by CSEs
Group Policy Operational log

Detailed trace of Group Policy application
135
3/11/2014
Lab D: Troubleshoot Policy Application

Exercise 1: Perform RSoP Analysis
Exercise 2: Use the Group Policy Modeling Wizard
Exercise 3: View Policy Events
Logon information
Virtual machine
6425B-HQDC01-A
6425B-DESKTOP101-A
Logon user name
Pat.Coleman
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
Lab Scenario
You are responsible for administering and troubleshooting
the Group Policy infrastructure at Contoso, Ltd. You want

to evaluate the resultant set of policies for users in your
environment in order to ensure that the Group Policy
infrastructure is healthy, and that all policies are applied
as they were intended.
136
3/11/2014
Lab Review
In what situations have you used RSoP reports to
troubleshoot Group Policy application in your organization?

In what situations have you used, or could you anticipate
using, Group Policy modeling?

Have you ever diagnosed a Group Policy application
problem based on events in one of the event logs?
Module 7
Manage Enterprise Security
and Configuration with
Group Policy Settings
137
3/11/2014

See Notes pane.
Module Overview
Delegate the Support of Computers
Manage Security Settings
Manage Software with GPSI
Auditing
138
3/11/2014
Lesson 1: Delegate the Support of Computers

Understand the Support of Computers
Demonstration: Delegate Administration by Using
Restricted Groups Policies

Define Group Membership with Group Policy Preferences
Understand Restricted Groups Policies

Restricted Groups policies enable you to manage the
membership of groups.
Member Of
Policy is for a domain group
Specify its membership in a
local group
Cumulative
Members
Policy is for a local group
Specify its members
(groups and users)
Authoritative
139
3/11/2014
Demonstration: Delegate Administration by Using

Restricted Groups Policies
Add a domain support group to the local Administrators
group of client computers

Define the authoritative membership of the local
Administrators group of client computers.

See Notes pane.
140
3/11/2014
Define Group Membership with Group Policy

Preferences
Create, delete, or replace a local group
Rename a local group
Change the Description
Modify group membership
Local Group preferences
are available in both

Computer Configuration and
User Configuration
Lab A: Delegate the Support of Computers

Exercise 1: Configure the Membership of Administrators by
Using Restricted Groups Policies
Logon information
Virtual machine
6425B-HQDC01-A
6425B-DESKTOP101-A
Logon user name
Pat.Coleman
Do not Logon
Administrative user
name
Pat.Coleman_Admin
Password
Pa$$w0rd
141
3/11/2014
Lab Scenario
You have been asked by the corporate security team to lock down
the membership of the Administrators group on client computers.

However, you need to provide the centralized help desk with the
ability to perform support tasks for users throughout the
organization. Additionally, you must empower the local site desktop
support team to perform administrative tasks for client computers in
that site.
Lab Review
If you wanted to ensure that the only members of the local
Administrators group on a client computer were the Help K1

Desk in the site-specific Support group, and to remove any
other members from the local Administrators group, how
would you achieve that using only restricted groups
policies?
142
Slide 284
K1
Help Desk sb lowercase per style sheet?

Kathleen, 10/16/2009
3/11/2014
Lesson 2: Manage Security Settings

What Is Security Policy Management?
Configure the Local Security Policy
Manage Security Configuration with Security templates
Demonstration: Create and Deploy Security Templates
Use Security Configuration and Analysis
The Security Configuration Wizard
Settings, Templates, Policies, and GPOs
What Is Security Policy Management?

Enterprise IT Security Policy
security configuration
settings
Manage security configuration
Create the security policy
Apply the security policy to one or more systems
Analyze security settings against the policy
Update the policy, or correct the discrepancies on the system
Tools
Local Group Policy and Domain Group Policy
Security Templates snap-in
Security Configuration and Analysis snap-in
Security Configuration Wizard
143
3/11/2014
Configure the Local Security Policy
Local Security Policy
Domain Group Policy
Manage Security Configuration

with Security Templates
Settings are a subset of domain GPO settings
but different than local GPO

Security Templates
Plain text files
Can be applied directly to a computer
Security Configuration & Analysis
Secedit.exe
Can be deployed with Group Policy
Can be used to analyze a computer's

current security settings against the
security template's
144
3/11/2014
Demonstration: Create and Deploy Security Templates

Build a custom MMC with the Security Templates snap-in
Create a security template
Import the template into the Security Settings node
of a Group Policy object
Use Security Configuration and Analysis

Build-your-own MMC
Modify
Database
Create a database
Import template(s)
Import
Template
Use the database

Analyze computer
Correct discrepancies
Configure computer
Export as template
Secedit.exe
Export
Template
Analyze
Computer
Import
Policy
Group
Policy
145
3/11/2014
The Security Configuration Wizard

Security policy: .xml file that configures
Role-based service configuration
Network security, including firewall rules
Registry values
Audit policy
Can incorporate a security template (.inf)
Create the policy

Edit the policy
Apply the policy
Roll back the policy
Transform the policy into a Group Policy object
scwcmd transform /p:"MySecurity.xml" /g:"My New GPO"
Settings, Templates, Policies, and GPOs

Direct configuration of security-related settings
Local Security Policy
Security templates
.inf files that define a wide variety of security settings
Security Templates, Security Configuration and Analysis
Import into a Group Policy object
Security policies
.xml files that define role-based service startup, firewall rules,

audit policies, and registry settings
Can include security templates
Security Configuration Wizard or scwcmd.exe
Transform into a GPO using scwcmd
Modify Group Policy object
146
3/11/2014
Lab B: Manage Security Settings

Exercise 1: Manage Local Security Settings
Exercise 2: Create a Security Template
Exercise 3: Use Security Configuration and Analysis
Exercise 4: Use the Security Configuration Wizard
Logon information
Virtual machine
6425B-HQDC01-A
Logon user name
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are an administrator of the contoso.com domain. As part of
your effort to secure the directory service, you want to establish a

security configuration to apply to domain controllers that, among
other things, specifies who can log on to domain controllers using
Remote Desktop to perform administrative tasks.
147
3/11/2014
Lab Review
Describe the relationship between security settings on a
server, Local Group Policy, security templates, the

database used in Security Configuration And Analysis, the
security policy created by the Security Configuration
Wizard, and domain-based Group Policy.
Lesson 3: Manage Software with GPSI

Understand Group Policy Software Installation (GPSI)
Demonstration: Create a Software Distribution Point
Maintain Software Deployed with GPO
GPSI and Slow Links
148
3/11/2014
Understand Group Policy Software Installation (GPSI)

Client-side extension (CSE)
Installs supported packages
Windows Installer packages (.msi)
Optionally modified by Transform (.mst) or patches (.msp)
GPSI automatically installs with elevated privileges
Downlevel application package (.zap)
Supported by publish option only
Requires user has admin privileges
SCCM and other deployment tools can support a wider variety

of installation and configuration packages
No feedback
No centralized indication of success or failure
No built-in metering, auditing, license management
Understand Group Policy Software Installation

(GPSI) (continued)
Software deployment options
Assign application to users
Start menu shortcuts appear

- Install-on-demand
File associations made (optional Auto Install)

- Install-on-document invocation
Optionally, configure to install at logon
Publish application to users
Advertised in Programs And Features (Control Panel)

- Install-on-request
Assign to computers
Install at startup
149
3/11/2014
Demonstration: Create a Software Distribution Point

Create a software distribution point

See Notes pane.
150
3/11/2014

See Notes pane.
Create and Scope a Software Deployment GPO

Computer [or User] Configuration \ Policies \ Software
Settings \ Software Installation

Right-click New Package
Browse to .msi file through network path (\\server\share)
Choose deployment option

recommend: Advanced
Managing the scope of a
software deployment GPO

Typically easiest to manage with

security group filtering
Create an app group, for example

APP_XML Notepad
Put users into the group: allows users to access software

share in the event that repairs or reinstalls are necessary
Put computers into the group if assigning to computers
151
3/11/2014
Maintain Software Deployed with GPSI

Redeploy application
After successful install, client will not attempt to reinstall app
You might make a change to the package
Package All Tasks Redeploy Application
Upgrade application
Create new package in same or different GPO.
Advanced Upgrades Select package to upgrade
Uninstall old version first; or install over old version
Remove application
Package All Tasks Remove
Uninstall immediately (forced removal) or

Prevent new installations (optional removal)
Dont delete or unlink GPO until all clients have applied setting
GPSI and Slow Links

The Group Policy Client determines whether the domain
controller providing GPOs is on the other side of a slow link

< 500 kbps by default
Each CSE uses the slow link determination to decide
whether to process
By default, GPSI does not process over a slow link
You can change slow link processing behavior of each CSE

Computer Configuration\Policies\Administrative Templates\

System\Group Policy
You can change the slow link threshold

Computer [or User] Configuration\Policies\Administrative

Templates\System\Group Policy
152
3/11/2014
Lab C: Manage Software with GPSI

Exercise 1: Deploy Software with GPSI
Exercise 2: Upgrade Applications with GPSI
Logon information
Virtual machine
6425B-HQDC01-A
6425B-DESKTOP101-A 6425B-SERVER01-A
Logon user name
Pat.Coleman
Pat.Coleman
Administrative user
name
Pat.Coleman_Admin
Password
Pa$$w0rd
Do not Logon
Pa$$w0rd
Lab Scenario
You are an administrator at Contoso, Ltd. Your developers
require XML Notepad to edit XML files, and you want to

automate the deployment and life cycle management of
the application. You decide to use Group Policy Software
Installation. Most applications are licensed per computer,
so you will deploy XML Notepad to the developers'
computers, rather than associating the application with
their user accounts.
153
3/11/2014
Lab Review
Consider the NTFS permissions you applied to the
Software and XML Notepad folders on SERVER01. Explain

why these least privilege permissions are preferred to the
default permissions.
Consider the methods used to scope the deployment of
XML Notepad: Assigning the application to computers,

filtering the GPO to apply to the APP_XML Notepad group
that contains only computers, and linking the GPO to the
Client Computers OU. Why is this approach advantageous
for deploying most software? What would be the
disadvantage of scoping software deployment to users
rather than to computers?
Lesson 4: Auditing
An Overview of Audit Policies
Specify Auditing Settings on a File or Folder
Enable Audit Policy
Evaluate Events in the Security Log
154
3/11/2014
An Overview of Audit Policies

Audit events in a category
of activities
Access to NTFS files/folders
Account or object changes in

Active Directory
Logon
Assignment or use of
user rights
By default, DCs audit success events for most categories

Goal: Align audit policies with corporate security policies
and reality
Over-auditing: logs are too big to find the events that matter
Under-auditing: important events are not logged
Tools that help you consolidate and crunch logs can be helpful
Specify Auditing Settings on a File or Folder

Modify the system access control list (SACL)
Properties
Advanced
Auditing
Edit
155
3/11/2014
Enable Audit Policy

Enable auditing for Object Access: Success and/or Failure
GPO must be scoped to the server
Success/Failure policy setting must match auditing
settings (success/failure)
Evaluate Events in the Security Log

Security Log
Summary
Audit Object Access policy must be enabled to audit Success

or Failure
GPO must be scoped to the server
SACL must be configured to audit successful or failed access
Security Log must be examined
156
3/11/2014
Lab D: Auditing File System Access

Exercise 1: Configure Permissions and Audit Settings
Exercise 2: Configure Audit Policy
Exercise 3: Examine Audit Events
Logon information
Virtual machine
6425B-HQDC01-A
6425B-DESKTOP101-A 6425B-SERVER01-A
Logon user name
Pat.Coleman
Pat.Coleman and
Mike.Danseglio
Administrative user
name
Pat.Coleman_Admin
Password
Pa$$w0rd
Pat.Coleman
Pat.Coleman_Admin
Pa$$w0rd
Pa$$w0rd
Lab Scenario
In this Lab, you will configure auditing settings, enable
audit policies for object access, and filter for specific

events in the Security log. The business objective is to
monitor a folder containing confidential data that should
not be accessed by users in the Consultants group.
157
3/11/2014
Lab Review
What are the three major steps required to configure
auditing of file system and other object access?

What systems should have auditing configured? Is there a
reason not to audit all systems in your enterprise? What

types of access should be audited, and by whom should
they be audited? Is there a reason not to audit all access
by all users?
Module 8
Secure Administration
158
3/11/2014

See Notes pane.
Module Overview
Delegate Administrative Permissions
Audit Active Directory Administration
159
3/11/2014
Lesson 1: Delegate Administrative Permissions

Understand Delegation
View of the ACL of an Active Directory Object
Property Permissions, Property Sets, Control Access
Rights, and Object Permissions
Demonstration: Assign a Permission by Using the
Advanced Security Settings Dialog Box
Understand and Manage Permissions with Inheritance

Demonstration: Delegate Administrative Tasks with the
Delegation of Control Wizard
Report and View Permissions

Remove or Reset Permissions on an Object
Understand Effective Permissions
Design an OU Structure to Support Delegation
Understand Delegation
Simple example
The help desk needs to be able to reset passwords for users

and force users to change the temporary password at next
logon
The help desk cannot create or delete users: delegation is

specific or granular
The help desk can reset passwords of normal user

accounts, not administrative or service accounts:
delegation has a scope
Every Active Directory object has permissions.

Permissions are called access control entries (ACEs)
ACEs are on the discretionary access control list (DACL)
The DACL is part of the object's access control list (ACL)
The ACL also contains the system access control list (SACL)
The SACL specifies (among other things) auditing settings
160
3/11/2014
View the ACL of an Active Directory Object

Ensure Advanced Features are enabled in the View menu
Properties Security Advanced Edit
Property Permissions, Property Sets, Control

Access Rights, and Object Permissions
Permissions can allow (or deny) changes to a specific
property
Example: Allow Write Mobile Number
Permissions can allow (or deny) changes to a property set

Example: Allow Write Phone and Mail Options
Bundle of properties: Phone and mail properties
One-click management of permissions for related properties
Permissions can allow (or deny) control access rights

Allow Change Password: Must enter old password, then new
Allow Reset Password: Enter new password (do not need old)
Permissions can allow (or deny) changes to the object

Allow Modify Permissions
Allow Create Computer Objects
161
3/11/2014
Demonstration: Assign a Permission by Using the

Advanced Security Settings Dialog Box
In this demonstration, we will delegate the help desk
permission to change the password for Jeff Ford
Understand and Manage Permissions with

Inheritance
Child objects inherit the permissions of the parent
organizational unit or container

Top-level OUs inherit permissions from the domain
By default, each new object is created with the option

Include Inheritable Permissions From This Object's Parent
Not every permission is inheritable.
Inheritance of a permission is scoped.

There are three ways to modify the
effects of inheritance:
Turn off inheritance on child object
Assign an explicit permission
Deselect Include Inheritable Permissions
Explicit permissions override inherited permissions
Change the scope of inheritance on the parent (Apply To)
162
3/11/2014
Demonstration: Delegate Administrative Tasks

with the Delegation Of Control Wizard
In this demonstration, we will use the Delegation Of
Control Wizard to assign permissions to the AD_User

Account_Support group to
Reset passwords
Force users to change passwords at the next logon
on the User Accounts OU.
Report and View Permissions

Use the Advanced Security Settings dialog box
Use DSACLs (dsacls.exe)
dsacls ObjectDN
Example:
dsacls "ou=User Accounts,dc=contoso,dc=com"
163
3/11/2014
Remove or Reset Permissions on an Object

No "undelegate" command
Remove permissions manually in the Advanced Security
Settings and Permission Entry dialog boxes

Reset permissions to default with Active Directory Users
and Computers
Advanced Security Settings dialog box Restore Defaults
Applies default ACL defined in the schema for the object class
Reset permissions to default with DSACLs

dsacls ObjectDN /s /t
Example:
dsacls "ou=User Accounts,dc=contoso,dc=com" /s /t
Understand Effective Permissions

Permissions assigned to you and your groups cumulate
Best practice is to assign permissions to groups, not to

individual users
In the event of conflicts

Deny permissions override Allow permissions
Explicit permissions override Inherited permissions
Explicit Allow overrides Inherited Deny
Evaluating effective permissions

The Effective Permissions tab: helpful but not very granular
Manual analysis
Third-party tools
Role-based management
164
3/11/2014
Design an OU Structure to Support Delegation

OUs perform three functions:
Delegation. Scope permissions for administrative tasks in Active

Directory
Configuration. Scope the application of Group Policy objects

(GPOs)
Presentation. Organize and present objects in a logical manner
Best practice Active Directory OU design:

1.Create
Top/higher-level OUs reflect the administrative model
2.Then
divide those OUs to provide scopes for GPOs.
If there isn't a way to scope a GPO by linking it to an OU in

your design, link the GPO higher and use security group
filtering to manage its scope.
3.Then,
OUs to scope delegation.
if necessary, create sub-OUs to organize and present.
Better yet, use Saved Queries to organize and present.

See Notes pane.
165
3/11/2014

See Notes pane.
Lab A: Delegate Administration

Exercise 1: Delegate permission to create and support
user accounts
Exercise 2: View delegated permissions
Exercise 3: Remove and reset permissions
Logon information
Virtual machine
6425B-HQDC01-A
Logon user name
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
166
3/11/2014
Lab Scenario
The enterprise security team at Contoso has asked you to
lock down the administrative permissions delegated to

support personnel.
Lab Review
How does Active Directory Users and Computers indicate
to you that you do not have permissions to perform a

particular administrative task?
When you evaluated effective permissions for April Meyer
on the User Accounts OU, why didnt you see permissions

such as Reset Password in this list? Why did the
permission appear when you evaluated effective
permissions for Aaron Painter on Aaron Lee's user
account?
Does Windows make it easy to answer the questions,
"Who can reset user passwords?" and "What can XXX do

as an administrator?"
What is the benefit of a two-tiered, role-based
management group structure when assigning permissions

in Active Directory?
What is the danger of resetting the ACL of an OU back to
its schema-defined default?
167
3/11/2014

See Notes pane.
Lesson 2: Audit Active Directory Administration

Enable Audit Policy
Specify Auditing Settings for Directory Service Changes
View Audited Events in the Security Log
168
3/11/2014
Enable Audit Policy

Directory Service Access
Same policy as in Windows Server 2003
By default, configured to audit Success events
Event log entry says "a change was made to this object"
Difficult to identify what attribute was changed
Impossible to know old/new value of attribute
Directory Service Changes

Identifies the object, the attribute, and the old/new values
Not enabled by default
Enable from the Command Prompt:

auditpol /set /subcategory:"directory service
changes" /success:enable
Specify Auditing Settings for Directory Service

Changes
1. Right-click the object Properties Security
Advanced
2. Click the Auditing tab
3. Click Add to add an audit entry
4. Specify the group you want to audit (often, Everyone)
5. Select to audit Success or Failure events for one or
more specific permissions

6. By default, Domain Admins is configured to audit
successful changes to any property by any user

(Everyone)
169
3/11/2014
View Audited Events in the Security Log

Event Viewer Windows Logs Security
Each event shows
Success/Failure
Time
Object accessed
Identity of user who generated the event
Task category
Lab B: Audit Active Directory Changes

Exercise 1: Audit changes to Active Directory by using
default audit policy

Exercise 2: Audit changes to Active Directory by using
Directory Service Changes auditing
Logon information
Virtual machine
6425B-HQDC01-A
Logon user name
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
170
3/11/2014
Lab Scenario
The enterprise security team at Contoso has asked you to
provide detailed reports regarding changes to the

membership of security-sensitive groups, including
Domain Admins. The reports must show the change that
was made, who made the change, and when.
Lab Review
What details are captured by Directory Services Changes
auditing that are not captured by Directory Service Access

auditing?
What types of administrative activities would you want to
audit using Directory Services Changes auditing?
171
3/11/2014
Module 9
Improve the Security of
Authentication in an
Services (AD DS) Domain
Module Overview
Configure Password and Lockout Policies
Audit Authentication
Configure Read-Only Domain Controllers
172
3/11/2014
Lesson 1: Configure Password and Lockout Policies

Understand Password Policies
Understand Account Lockout Policies
Configure the Domain Password and Lockout Policy
Demonstration: Configure Domain Account Policies
Fine-Grained Password and Lockout Policy
Understand Password Settings Objects (PSOs)
Demonstrations: Configure Fine-Grained Password Policy
PSO Precedence and Resultant PSO
Understand Password Policies

Password policies consist of
Enforce password history: 24 passwords
Max password age: 42 days
Min password age: 1 day
Min password length: 7 characters
Complex Password: enabled
Store password using reversible encryption: disabled
173
3/11/2014
Understand Account Lockout Policies

Account lockout policies consist of
Lockout duration: not defined
Lockout threshold: 0 invalid logon attempts
Reset account lockout after: not defined
Help mitigate the threat of brute force attacks on user
accounts
Unlock
A user who is locked out can be unlocked by an administrator
The Reset account lockout policy can specify a "timeout" after

which the account is automatically unlocked
Configure the Domain Password and Lockout Policy

Domain password policies are defined by the precedent
Group Policy Object scoped to domain controllers

The Default Domain Policy GPO, by default
Best practices:
Modify the settings in the Default Domain GPO for password,

lockout, and Kerberos policies
Do not use the Default Domain GPO to deploy any other policy
settings
Do not define password, lockout, or Kerberos settings for the

domain in any other GPO
Policy settings are overridden by options in user account

Password never expires
Store passwords using reversible encryption
174
3/11/2014
Demonstration: Configure Domain Account Policies

In this demonstration, we will configure the domain account
policies for Contoso, Ltd., according to their requirements.
Password Requirements
A minimum of 8 characters long
Comply with Windows default complexity requirements
Users must change their password every 90 days
Users cannot change their own password more than once a

week.
Users cannot reuse a password within a one-year time

See Notes pane.
175
3/11/2014
Fine-Grained Password and Lockout Policy

Fine-grained password and lockout policies allow multiple
password and lockout policies to exist in the same domain
Domain Policy:
Length: 10
Max age: 90
Lockout: 5 in 30 min
Reset: 30 min
Administrative
accounts
Service
Accounts
Length: 15
Max age: 45
Reset: 1 day
Finance users
Password Never Expires

Length: 64
Lockout: None
Length: 15
Max age: 60
Reset: 30 min
Understand Password Settings Objects (PSOs)

A PSO has the following settings available:
Password policies
Account lockout policies
PSO Link
Precedence
Considerations when implementing PSOs:

Password Settings Container (PSC) and Password Setting Objects
The
(PSOs) are new object classes defined by the Schema
Windows Server 2008 domain functional level required
PSOs can be created through ADSI Edit or LDIFDE

PSOs can only be applied to users or global groups
176
3/11/2014
Demonstration: Configure Fine-Grained Password

Policy
In this demonstration, we will configure fine-grained
password policy to enhance the security of accounts in the
Domain Admins group.
Confirm the domain functional level
Create a PSO
Link the PSO to the Domain Admins group
Evaluate Resultant PSO

See Notes pane.
177
3/11/2014

See Notes pane.

See Notes pane.
178
3/11/2014
PSO Precedence and Resultant PSO

A PSO can be linked to more than one group or user
A group or user can have more than one PSO linked to it
Only one PSO "wins"the Resultant PSO
Precedence: lower (closer to 1) has higher precedence
Global group PSO with highest precedence (closest to 1) wins
Any PSOs linked to user override all global group PSOs.

User-linked PSO with highest precedence (closest to 1) wins
msDS-ResultantPSO attribute of user in Attribute Editor

Click the Filter button and ensure Constructed is selected
If there are no PSOs, domain account policies apply

Best practices
Use only group-linked PSOs. Do not link to user objects.
Avoid having two PSOs with the same precedence value
PSOs cannot be "linked" to an OU

Create a shadow group that contains all users in the OU
Lab A: Configure Password and Account

Lockout Policies
Exercise 1: Configure the Domains Password and Lockout
Policies
Exercise 2: Configure Fine-Grained Password Policy
Logon information
Virtual machine
6425B-HQDC01-A
Logon user name
Pat.Coleman
Pat.Coleman_Admin
Password
Pa$$w0rd
179
3/11/2014
Lab Scenario
Contosos security team has tasked you with increasing the
security and monitoring of authentication against the enterprises

AD DS domain. Specifically, you are to enforce a specified
password policy for all user accounts, and a more stringent
password policy for security sensitive, administrative accounts.
Lab Review Questions

Where should you define the default password and account lockout
policies for user accounts in the domain?

What are the best practices for managing PSOs in a domain?
How can you define a unique password policy for all of the service
accounts in the Service Accounts OU?
180
3/11/2014
Lesson 2: Audit Authentication

Account Logon and Logon Events
Configure Authentication-Related Audit Policies
Scoping Audit Policies
View Logon Events
Account Logon and Logon Events

Account logon events
Registered by the system

that authenticates the account
For domain accounts:

domain controllers
For local accounts:

local computer
Account Logon
Event
Logon events
Registered by the machine at

which (or to which) a user
logged on
Interactive logon: user's system
Network logon: server
Logon
Event
Logon
Event
181
3/11/2014
Configure Authentication-Related Audit Policies

Computer Configuration > Windows Settings > Security
Settings > Local Policies > Audit Policy
Windows Server 2008 default
is to audit SUCCESS events

for both account logon and
logon events
Scoping Audit Policies
Default
Domain
Controllers
Policy
Custom
GPO
Logon
Events
Account
Logon
Events
Domain
Controllers
Remote
Desktop
Servers
HR Clients
182
3/11/2014
View Logon Events

Security log of the system that generated the event
The DC that authenticated the user: account logon
Note: Not replicated to other DCs
The system to which the user logged on or connected: logon
Lab B: Audit Authentication

Exercise 1: Audit Authentication
Logon information
Virtual machine
6425B-HQDC01-A
6425B-SERVER01-A
Logon user name
Pat.Coleman
Pat.Coleman
Administrative user
name
Pat.Coleman_Admin
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
183
3/11/2014
Lab Scenario

AD DS domain. Specifically, you are to create an audit trail of
logons.
Lab Review Questions

What would be the disadvantage of auditing all successful
and failed logons on all machines in your domain?

You have been asked to audit attempts to log on to
desktops and laptops in the Finance division using local

accounts such as Administrator. What type of audit policy
do you set, and in what GPO(s)?
184
3/11/2014
Lesson 3: Configure Read-Only Domain

Controllers
Authentication and Domain Controller Placement in a
Branch Office
Read-Only Domain Controllers
Deploy an RODC
Demonstration: Password Replication Policy
Demonstration: Password RODC Credentials Caching
Administrative Role Separation
Authentication and Domain Controller Placement

in a Branch Office
Data center
Branch
Office
Personnel
Secure facilities
Few, if any, personnel

Less secure facilities
Authentication of branch
users subject to availability
and performance of WAN
Improved authentication
Security: Exposure of AD
database
Directory Service
Integrity: Corruption at
branch replicating to other
DCs
Administration:
Administration requires
domain Administrators
membership
?
185
3/11/2014
Read-Only Domain Controllers
Data Center
Writeable Windows
Server 2008 DC
Password Replication
Policy (PRP)
Specifies which user (and
computer) passwords can
be cached by the RODC
Branch office
RODC
All objects
Subset of attributes
No "secrets"
Not writeable
Users log on
RODC forwards
authentication
Password is cached
If PRP allows
Has a local
Administrators group
Deploy an RODC
1. Ensure the forest functional level is Windows Server 2003 or
higher
All domain controllers running Windows Server 2003 or later
All domains functional level of Windows Server 2003 or higher
Forest functional level set to Windows Server 2003 or higher
2. If the forest has any DCs running Windows Server 2003, run
adprep /rodcprep
Windows Server 2008 CD:\sources\adprep folder
3. Ensure that there is at least one writeable DC running
Windows Server 2008

4. Install the RODC
Active Directory Domain Services Installation Wizard (dcpromo)
Stage delegated installation of an RODC: Domain Controllers OU
186
3/11/2014
Demonstration: Password Replication Policy

View an RODC's PRP
Allow List and Deny List
Deny takes precedence
Configure domain-wide password replication policy

Using the Allowed RODC Password Replication Group

and the Denied RODC Password Replication Group
The groups are added to all new RODCs PRPs by default
Configure RODC-specific password replication policy
Question: What would be the most manageable way to
ensure that users in a branch have their credentials

cached on an RODC?

See Notes pane.
187
3/11/2014
Demonstration: Administer RODC Credentials Caching

In this demonstration, we will see
Policy Usage Reports
Accounts Whose Passwords Are Stored On This Read-Only

Domain Controller
Accounts That Have Been Authenticated To This Read-Only

Domain Controller
Resultant Policy
Prepopulating credentials in the RODC cache

See Notes pane.
188
3/11/2014
Administrative Role Separation

Allows performing local administrative tasks on the RODC
Each RODC maintains a local (SAM) database of groups for
specific administrative purposes

DSMgmt command allows you to manage the local roles
dsmgmt [enter]
local roles [enter]
? [enter] for a list of commands
List roles [enter] for a list of roles
add username administrators [enter]
Lab C: Configure Read-Only Domain Controllers

Exercise 1: Install an RODC
Exercise 2: Configure Password Replication Policy
Exercise 3: Manage Credential Caching
Logon information
Virtual machine
6425B-HQDC01-A
6425B-BRANCHDC01-A
Logon user name
Pat.Coleman
Administrative user
name
Pat.Coleman_Admin
Administrator
Password
Pa$$w0rd
Pa$$w0rd
189
3/11/2014
Lab Scenario

AD DS domain. Specifically, you are to improve the security of
domain controllers in branch offices.
Lab Review
Why should you ensure that the PRP for a branch office
RODC has, in its Allow list, the accounts for the computers
in the branch office as well as the users?
What would be the most manageable way to ensure that
computers in a branch are in the Allow list of the RODC's

PRP?
What are the pros and cons of prepopulating the
credentials for all users and computers in a branch office

to that branch's RODC?
190
3/11/2014
Module 10
Configure Domain Name
System (DNS)

See Notes pane.
191
3/11/2014
Module Overview
Review of DNS Concepts, Components, and Processes
Install and Configure DNS in an AD DS Domain
AD DS, DNS, and Windows
Advanced DNS Configuration and Administration
Lesson 1: Review of DNS Concepts, Components,

and Processes
Why DNS?
The DNS Hierarchy
Zones
Resource Records (RRs)
Resource Record Management
Zone Replication
Subdomains
Placing DNS Servers and Zones
DNS Client (Resolver)
Query to DNS Server
DNS Server Resolution
Recursion
192
3/11/2014
Why DNS?
Computers connect using IP addresses
Humans prefer names
DNS resolves names to IP addresses
technet.microsoft.com?
207.46.16.252
Client
technet.microsoft.com
207.46.16.252
DNS Server
The DNS Hierarchy

Root
.
.uk
.co.uk
.com
contoso.com
microsoft.com
.microsoft.co.uk
193
3/11/2014
Zones
A database stored on a DNS server
Supports resolution for a portion of the DNS namespace
starting with a domain: contoso.com

A server hosting a zone for a domain is authoritative for that
domain
DNS Server
Resource Records (RRs)

Host or Address (A or AAAA) : name-to-IPv4/IPv6 address
Name: hqdc01
Data: 10.0.0.11
Alias or Canonical Name (CNAME) : alias-to-name

Name: ftp
Data: internetserver.contoso.com
Mail Exchange (MX): points to the e-mail server

Data: exchange.contoso.com
Name service (NS): points to a name server

Name: contoso.com
Data: nameserver01.contoso.com
194
3/11/2014
Resource Record Management

Manual
Dynamic
Client registers its own records
Secure dynamic updates: prevents spoofing
Zone Replication
File-based zone
Primary zone: writable copy of the zone

hosted by one (and only one) DNS server
Secondary zone: read-only copy of the zone

hosted by zero or more DNS servers
Zone transfer copies zone data from

primary zone to secondary zones
Requires permission on source server for zone
Traditionally the entire zone (can be quite large) is copied
Active Directory integrated zone

Zone is hosted on domain controllers
Multimaster replication: important in dynamic update environments
Data replicated using efficient Active Directory replication topology

and processes
Incremental updates
195
3/11/2014
Subdomains
A zone supports resolution for a portion of the DNS
namespace, starting with a domain: contoso.com

europe.contoso.com?
Subdomain
Records to support resolution for the subdomain
Delegation
NS records that point to name server(s) for subdomain
List of name server(s) is static and updated manually
Stub zone
NS records that point to name server(s) for subdomain
List of name servers is updated automatically
Requires TCP port 53 to be open between the host (parent)

DNS server and all name servers in the stub domain
Placing DNS Servers and Zones

Accessibility of DNS servers to clients
Administration, replication, and efficiency of resolution
196
3/11/2014
DNS Client (Resolver)

Client application makes request
DNS Client service examines DNS resolver cache
Pre-loaded with HOSTS file at service start or HOSTS file change
Caches query responses (including negative answers!)
ipconfig /flushdns
DNS Client Service
DNS Resolver
Cache
nslookup.exe
Queries the DNS server without

checking the DNS resolver cache
HOSTS File
Query to DNS Server

DNS Client queries primary DNS server
Requests recursive or iterative query
Recursive: DNS server continues performing query for client and

returns a definitive answer
Iterative: DNS server returns only what it knows (best guess)

and client continues query
Queries secondary DNS server only if primary server doesnt respond
If primary server returns negative answer,

secondary server not queried as second opinion
Ensure that each DNS server is able to resolve all client queries
DNS Client Service
DNS Server
197
3/11/2014
DNS Server Resolution

DNS server checks its local zones
Resolution returned as an authoritative response
DNS server checks its cache

Resolution returned as a positive response
If no resolution found

Iterative query: DNS server returns best guess

Recursive query: DNS server performs query
DNS Client
Service
Clients DNS Server
DNS
Server
Cache
Recursion
Iterative query to root DNS servers
Root DNS servers configured in DNS servers root hints
Root DNS server returns referral to .com name servers
Iterative query to .com server

.com returns referral to microsoft.com name servers
Iterative query to microsoft.com server

Cache response
Return to client as positive answer
198
3/11/2014
Lesson 2: Install and Configure DNS in an AD DS

Domain
Install and Manage the DNS Server Role
Create a Zone
Create a Zone: Dynamic Update
Create Resource Records
Configure Redundant DNS Servers
Configure Forwarders
Client Configuration
Install and Manage the DNS Server Role

Methods
Server Manager Roles Add Role
Active Directory Domain Services Installation Wizard
DNS Manager snap-in

Server Manager
DNS Manager console (dnsmgmt.msc)
dnscmd.exe
199
3/11/2014
Create a Zone
Right-click
Forward Lookup Zones

Select zone type
Specify replication
(Active Directory
integrated zones only)
All DNS servers in forest
All DNS servers in domain
All domain controllers

in domain (for compatibility with Windows 2000 DCs)
Enter zone name (DNS domain name)

Manage updates
Create a Zone: Dynamic Update
200
3/11/2014
Create Resource Records

Right-click the zone
Dialog box appears specific to the record type you choose
Configure Redundant DNS Servers

Active Directoryintegrated zone
Add DNS server to another DC
Standard Primary Zone

Add NS records for secondary

servers
Master server
The server from which the zone
will be copied
Need not be the primary server
Allow Zone Transfers
Secondary server
Create a new forward lookup zone
Choose a secondary zone
Configure the master server

201
3/11/2014
Configure Forwarders
Right-click DNS server Properties Forwarders
For all names not in your domain, resolve using your
Internet service providers (ISPs) DNS servers

If forwarders are not available, use root servers based on
root hints
Client Configuration
IP configuration of client
netsh interface ipv4 set dns "Local Area Connection"

static 10.0.0.11 primary
netsh interface ipv4 add dns "Local Area Connection"

10.0.0.12
Dynamic Host Configuration Protocol
(DHCP) scope option 6
202
3/11/2014
Lab A: Install the DNS Service

Exercise 1: Add the DNS Server Role
Exercise 2: Configure Forward Lookup Zones and Resource
Records
Logon information
Virtual machine
6425B-HQDC01-B
6425B-HQDC02-B
Logon user name
Do not log on
Pat.Coleman
Administrative user
name
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are an administrator of Contoso, Ltd. You recently
added a second domain controller to your enterprise, and

you want to add redundancy to the DNS server hosting the
domain's zone. Currently, the only DNS server for the
contoso.com zone is HQDC01. You need to ensure that
clients that resolve against the new DNS server, HQDC02,
are able to access Internet Web sites. Additionally, you
have been asked to configure a subdomain to support
name resolution required for the testing of an application
by the development team.
203
3/11/2014
Lab Review
If you did not configure forwarders on HQDC02, what
would be the result for clients who use HQDC02 as their

primary DNS server?
What would happen to clients' ability to resolve names in
the development.contoso.com domain if you had chosen a

stand-alone DNS zone, rather than an Active Directory
integrated zone? Why would this happen? What would you
have to do to solve this problem?
Lesson 3: AD DS, DNS, and Windows

Integrate AD DS and the DNS Namespace
Split-Brain DNS
Create a Delegation for an Active Directory Domain
Active Directory-Integrated Zones
Application Partitions for DNS Zones
DNS Application Partitions
Dynamic Updates
Background Zone Loading
Service Locator (SRV) Records
Demonstration: SRV Resource Records Registered by AD DS
Domain Controllers
Domain Controller Location

Read-Only DNS Zones
204
3/11/2014

An AD DS domain has a DNS domain name
DNS zones can be stored in the Active Directory database
Active Directory can replicate DNS zones to specific
domain controllers
Windows clients can update their own DNS records
Active Directory can load large Active Directoryintegrated
zones in the background

DCs register service locator records in DNS
Clients use these records to locate DCs
Read-Only Domain Controllers (RODCs) can support DNS
even in a dynamic update zone
Integrate AD DS and the DNS Namespace

An Active Directory domain must have a DNS name
Active Directory domain name vs. external DNS namespace
Active Directory uses same domain name
Active Directory uses subdomain of public domain
Active Directory uses separate domain name
contoso.com
contoso.com
ad.contoso.com
contoso.net
205
3/11/2014
Split-Brain DNS
The zone that supports AD DS
Secured from Internet exposure
Dynamic
Fully populated with AD DS client, server, and service records
The zone that supports the external namespace

Secure
Static
Populated with the records related to external resources

Some (manually maintained) duplication of records,
such as www
contoso.com
Create a Delegation for an Active Directory Domain

Necessary if child domain zone hosted on different DNS servers
Create the delegation in the parent DNS domain (zone)

Right-click zone New Delegation

Refer to the server that is/will be the child domain DNS server
Configure DNS client on child domain server

Primary DNS server should be the parent DNS server
Install the DNS role and zone

Server Manager: Add role, then create primary zone
or
DCPromo can install DNS while promoting to a DC
Optional but typical configuration

Reconfigure child DNS client to refer to itself as primary DNS server
Add parent DNS server as a forwarder on the child server
Configure new zone to be Active Directory integrated and secure
dynamic update
206
3/11/2014
Active DirectoryIntegrated Zones

DNS zone data is stored in AD DS
Allows multimaster writes to zone
Replicates DNS zone information using AD DS replication
Leverages efficient replication topology
Uses efficient Active Directory replication processes:

incremental updates
Enables secure dynamic updates

Security: Can delegate zones, domains, RRs
Application Partitions for DNS Zones

Store DNS zones in one of the default application
partitions
Replication scope is the difference
Or create a custom partition and define its scope

To all domain controllers in the
AD DS domain (as in Windows 2000)
Domain
Config
To all domain controllers that are

DNS servers in the AD DS domain
Schema
DomainDNSZone
ForestDNSZones
To all domain controllers that are

DNS servers in the AD DS forest
Custom Partition
To all domain controllers in the
replication scope for the
application partition
207
3/11/2014
DNS Application Partitions

Create an application partition
dnscmd ServerName /CreateDirectoryPartition FQDN
Change zone replication scope

Properties of zone
General Change replication
Dynamic Updates
DHCP Client service registers
records for client
During client startup
If new/changed IP address
(fixed/DHCP) on any network
connection
If ipconfig /registerdns is run
Client sends Start of
1 Authority (SOA) query

2 DNS server returns SOA RR
3
1
Client sends dynamic update

request(s) to identify the
primary DNS server
DNS server responds
4 that it can perform update

sends unsecured
5 Client
update to DNS server
zone permits only secure
6 If
updates, update is refused
DNS Server
Resource
Records
sends secured
7 Client
update to DNS server
208
3/11/2014
Background Zone Loading
When a domain controller with Active Directory-integrated

DNS zones starts, it:
Enumerates all zones to be loaded
Loads root hints from files or AD DS servers
Loads all zones that are stored in files rather than in AD DS
Begins responding to queries and remote procedure
calls (RPCs)
Starts one or more threads to load the zones that are
stored in AD DS
Service Locator (SRV) Records

SRV resource records allow DNS clients to locate TCP/IPbased services. SRV resource records are used when:
A domain controller needs to locate replication partners
A client computer authenticates to AD DS
A user changes his or her password
A Microsoft Exchange server performs a directory lookup
An admin opens Active Directory Users and Computers
SRV record syntax:
protocol.service.name TTL class type priority weight
port target
Example of an SRV record
_ldap._tcp.contoso.com 600 IN SRV 0 100 389 hqdc01.contoso.com
209
3/11/2014
Demonstration: SRV Resource Records

Registered by AD DS Domain Controllers
Look at the service locator (SRV) records registered in
_tcp.contoso.com: all DCs in the domain
_tcp.siteName._sites.contoso.com: all DCs in site siteName
Simulate a clients query to DNS for domain controllers

Learn how to register SRV records dynamically or
statically
View %systemroot%\system32\config\netlogon.dns

See Notes pane.
210
3/11/2014
Local DNS
Server
MIA-DC1
NYC-DC1
Miami Site
NYC Site

1. New client queries for all
5. Client queries for all DCs in
DCs in the domain

Retrieves SRVs from

_tcp.domain
the site
Retrieves SRVs from

_tcp.site._sites.domain
2. Attempts LDAP bind to all
3. First DC to respond
Examines client IP and

subnet definitions
Refers client to a site
Authenticates client
Client forms affinity
8. Subsequently
4. Client stores site in registry

Client binds to affinity DC
DC offline? Client queries for

DCs in registry-stored site
Client moved to another site?

DC refers client to another site
211
3/11/2014
Read-Only DNS Zones

DNS server on an RODC with Active Directoryintegrated
zones
RODC can resolve client queries
Changes not allowed on the read-only DNS zone
Records cannot be added manually
Dynamic updates cannot be made
Dynamic updates are referred to writeable DC

Client attempts update
RODC returns an SOA of a writeable Windows Server 2008

domain controller
RODC performs replicate single object (RSO)

Replicates the updated DNS record for the client it referred

from the DC it referred the client to
Lesson 4: Advanced DNS Configuration and

Administration
Resolving Single-Label Names
Resolve Names Outside Your Domain
Reverse Lookup Zone
DNS Server and Zone Maintenance
Test and Troubleshoot DNS Server
Test and Troubleshoot DNS Client
212
3/11/2014
Resolving Single-Label Names

http://legalapp
Client-side resolution process
1.
Query DNS with fully qualified domain

name (FQDN) created by adding
DNS suffix of client: ad.contoso.com

- Domain name devolution
ad.contoso.com then contoso.com
or
DNS suffix search order
- Manage with Group Policy
2.
WINS
12 seconds = timeout!
Server-side resolution
GlobalNames Zone: Specialized zone with single-label CNAME

RRs
WINS forward lookup: If zone lookup fails, DNS queries WINS
Resolve Names Outside Your Domain

Secondary zone

Create a copy of a zone from another DNS server

Requires permissions from the master DNS server
Forwarders
Send unresolved query as recursive query to other DNS server(s)
Root hints

Begin iterative queries against root, ., name servers

DNS server has list of root servers updated with Windows Update
Conditional forwarders
Send unresolved query for specific domain to other server(s)
Stub zone

Can be for any domain; dynamically updates NS records

Requires TCP Port 53 to be open to all name servers in the domain
213
3/11/2014
Reverse Lookup Zone

Query for IP address, response with host name
IP address is reversed (specifictogeneric) and appended
with in-addr.arpa domain

IP address: 10.0.1.34
Query: 34.1.0.10.in-addr.arpa
Special domain to support this: in-addr.arpa

Pointer (PTR) record with name (IP octet) and data (hostname)
Fixed IP client registers its PTR
DHCP server registers PTR for client
34.1.0.10.in-addr.arpa
file34.contoso.com
Not required, but recommended

Services/applications use
reverse lookup as a
security check: Who is this
request coming from?
Client
DNS Server
DNS Server and Zone Maintenance

Scavenge stale resource records
Important in dynamic environments, particularly for SRV RRs
Server aging and scavenging properties
Defaults for Active Directory-integrated zones
Zone aging and scavenging properties

Active Directory-integrated zone inherits server property or perzone
Primary zone ignores server property; must set per-zone.
Scavenging
Configure automatic scavenging: Server properties Advanced

Manually launch scavenging: Right-click server
Manage the cache

View the cache: View menu Advanced Features

Clear server cache: Right-click server or Cached Lookups node
214
3/11/2014
Test and Troubleshoot DNS Server

Event logs
Visible in DNS Manager, Server Manager, and Event Viewer
Debug logging
Server Properties dialog box
Recursive and iterative query tests

Server Properties dialog box
dcdiag.exe /test:DNS
Performs a wide variety of tests to ensure that AD DS and

DNS are working well together
Network Monitor (packet capture)
Test and Troubleshoot DNS Client

ipconfig /all
NSLookup
set server=IP address [Default: Primary DNS Server]
set type=record type [Default: A]
record
ipconfig /displaydns : display client DNS resolver
cache
ipconfig /flushdns : purge client DNS resolver cache
ipconfig /registerdns : register client DNS records
215
3/11/2014
Lab B: Advanced Configuration of DNS

Exercise 1: Enable Scavenging of DNS Zones
Exercise 2: Create Reverse Lookup Zones
Exercise 3: Explore Domain Controller Location
Exercise 4: Configure Name Resolution for External Domains
Logon information
Virtual
machine
6425B-HQDC01-B
6425B-HQDC02-B
6425B-TSTDC01-A
6425B-BRANCHDC01-B
Logon user
name
Do not Logon
Pat.Coleman
Sara.Davis
Do not Logon
Administrative
user name
Pat.Coleman_Admin Sara.Davis_Admin
Password
Pa$$w0rd
Pa$$w0rd
Lab Scenario
You are the DNS administrator at Contoso, Ltd. You want
to improve the health and efficiency of your DNS

infrastructure by enabling scavenging and by creating a
reverse lookup zone for the domain. You also want to
examine the records that enable clients to locate domain
controllers. Finally, you are asked to configure name
resolution between contoso.com and the domain of a
partner company, tailspintoys.com.
216
3/11/2014
Lab Review
In this lab, you used a stub zone and a conditional
forwarder to provide name resolution between two distinct

domains. What other options might you have chosen to
use?
Module 11
Administer
Active Directory
Domain Services (AD DS)
Domain Controllers (DCs)
217
3/11/2014
Module Overview
Domain Controller Installation Options
Install a Server Core DC
Manage Operations Masters
Configure DFS-R Replication of SYSVOL
Lesson 1: Domain Controller Installation Options

Install a DC with the Windows Interface
Unattended Installation Options and Answer Files
Install a New Windows Server 2008 Forest
Prepare an Existing Domain for Windows Server 2008 DCs
Install an Additional DC in a Domain
Install a New Windows Server 2008 Child Domain
Install a New Domain Tree in a Forest
Stage the Installation of an RODC
Attach a Serve to a Prestaged RODC Account
Install AD DS from Media
Remove a Domain Controller
218
3/11/2014
Install a DC with the Windows Interface

Two major steps
Add the AD DS role
Install and configure AD DS with the Active Directory Domain

Services Installation Wizard
DCPROMO.exe
Installs the AD DS role if it is not already installed
Unattended Installation Options and Answer Files

Options can be specified at the command line
/option:value for example,

/newdnsdomainname:contoso.com
dcpromo.exe /?[:operation] for help
Options can be specified in an answer file
[DCINSTALL]
NewDomainDNSName=contoso.com
And called using

dcpromo.exe /unattend:path to answer file
Options on command line will override answer file

Options not specified will be prompted by wizard
Except in Server Core
Recommendation: use dcpromo.exe on full installation and
export answer file for command line or Server Core
219
3/11/2014
Install a New Windows Server 2008 Forest

[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=forest
NewDomainDNSName=fqdn
DomainNetBiosName=name
ForestLevel={0, 2, 3}
DomainLevel={0, 2,3}
InstallDNS=yes
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes
dcpromo.exe
/unattend:path
dcpromo.exe /unattend
/installDNS:yes /dnsOnNetwork:yes
/replicaOrNewDomain:domain
/newDomain:forest
/newDomainDnsName:contoso.com
/DomainNetbiosName:contoso
/databasePath:"e:\ntds"
/logPath:"f:\ntdslogs"
/sysvolpath:"g:\sysvol"
/safeModeAdminPassword:password
/forestLevel:3 /domainLevel:3
/rebootOnCompletion:yes
Prepare an Existing Domain for Windows

Server 2008 DCs
ADPrep (adprep.exe) prepares AD DS for the first DC
running a version of Windows newer than current DCs

DVD:\sources folder
adprep /forestprep
Log on to the Schema master (see Lesson 3) as a member of

Enterprise Admins, Schema Admins, and Domain Admins
Run once per forest. Wait for change to replicate.
adprep /domainprep /gpprep

Log on to Infrastructure master (see Lesson 3) as a member

of Domain Admins
Run once per domain. Wait for change to replicate.
adprep /rodcprep
Log on to any computer as a member of Enterprise Admins
Run once per forest. Wait for change to replicate
220
3/11/2014
Install an Additional DC in a Domain

[DCINSTALL]
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=fqdn
UserDomain=fqdn
UserName=DOMAIN\username*
Password=password*
InstallDNS=yes
ConfirmGC=yes
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
dcpromo.exe
/unattend:path
/replicaOrNewDomain:replica
/replicaDomainDNSName:contoso.com
/installDNS:yes /confirmGC:yes
Install a New Windows Server 2008 Child Domain

dcpromo.exe
/unattend:path
NewDomain=child
ParentDomainDNSName=fqdn
UserDomain=fqdn
UserName= DOMAIN\username*
Password=password*
ChildName=name*
/installDNS:yes
DomainLevel={0,2,3}*
/newDomain:child
InstallDNS=yes
/ParentDomainDNSName:contoso.com
CreateDNSDelegation=yes
/newDomainDnsName:na.contoso.com
DNSDelegationUserName=DOMAIN\user
/childName:subsidiary
name
/DomainNetbiosName:subsidiary
DNSDelegationPassword=password*
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
/forestLevel:3 /domainLevel:3
[DCINSTALL]
221
3/11/2014
Install a New Domain Tree in a Forest

[DCINSTALL]
dcpromo.exe
/unattend:path
NewDomain=tree
NewDomainDNSName=fqdn
UserDomain=fqdn
Password=password*
/installDNS:yes
DomainLevel={0,2,3}*
InstallDNS=yes
/newDomain:tree
CreateDNSDelegation=yes
/newDomainDnsName:tailspintoys.com
/DomainNetbiosName:tailspintoys
name
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
/domainLevel:2
Stage the Installation of an RODC

Create the account for the RODC
Right-click the Domain Controllers OU Pre-Create Read-only

Domain Controller Account
Delegation of RODC Installation and Administration
Delegate to a group
Members of the group can join RODC to domain
Members of the group are local Administrators after join
Attach the server to the RODC account

Server must be a member of a workgroup
dcpromo /UseExistingAccount:attach
222
3/11/2014
Attach a Server to a Prestaged RODC Account

dcpromo.exe
/useexistingaccount:attach
/unattend:path
[DCINSTALL]
ReplicaDomainDNSName=fqdn
UserDomain=fqdn
Password=password*
InstallDNS=yes
ConfirmGC=yes
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
GUI Active Directory
Domain Services Wizard:

dcpromo.exe
/useexistingaccount:attach
/UseExistingAccount:Attach
/ReplicaDomainDNSName:contoso.com
/UserDomain:contoso.com
/UserName:contoso\dan
/password:*
Install AD DS from Media

Install from media (IFM)
Create installation mediaa specialized backup of AD DS
Use installation media for creation of DC
Significantly reduce over-the-network replication
DC will need to replicate changes since backup was made

ntdsutil activate instance ntds ifm
create sysvol full path : media with sysvol for writable DC
create full path : media without sysvol for writable DC
create sysvol rodc path : media with sysvol for read-only DC
create rodc path : media without sysvol for read-only DC
Active Directory Domain Services Installation Wizard,
select Use Advanced Mode

ReplicationSourcePath option/switch
223
3/11/2014
Remove a Domain Controller

dcpromo.exe
/uninstallbinaries
/unattend:path
UserDomain=fqdn
Password=password*
AdministratorPassword=password*
RemoveApplicationPartitions=yes
RemoveDNSDelegation=yes
name
/uninstallbinaries
GUI Active Directory Domain
/UserName:contoso\dan
Services Wizard:
/password:*
dcpromo.exe
/administratorpassword:Pa$$w0rd
Command line:
[DCINSTALL]
dcpromo.exe /uninstallbinaries
If DC cannot contact the domain
dcpromo /forceremoval
Then you must clean up metadata: KB 216498
Lab A: Install Domain Controllers

Exercise 1: Create an Additional DC with the Active
Directory Domain Services Installation Wizard

Exercise 2: Add a Domain Controller from the Command
Line
Exercise 3: Remove a Domain Controller
Exercise 4: Create a Domain Controller from Installation
Media
Logon information
Virtual machine
6425B-HQDC01-A
6425B-HQDC02-A
Logon user name
Pat.Coleman
Administrator
Pat.Coleman_Admin
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
224
3/11/2014
Lab Scenario
You have been hired to replace the former administrator at
Contoso, Ltd. The first thing you discover is that the

domain has only one domain controller. You decide to add
a second domain controller to provide fault tolerance for
the directory service. You have already installed a new
server named HQDC02.
Lab Review
Why would you choose to use an answer file, or a
dcpromo.exe command line to install a domain controller

rather than the Active Directory Domain Services
Installation Wizard?
In what situations does it make sense to create a domain
controller using installation media?
225
3/11/2014
Lesson 2: Install a Server Core DC

Understand Server Core
Install Server Core
Server Core Configuration Commands
Understand Server Core

Minimal installation: 3 GB disk space, 256 MB RAM
No GUI: Command-line local UI. Can use GUI tools remotely.
Roles
Features
Active Directory Domain Services
Microsoft Failover Cluster
Active Directory AD LDS
Network Load Balancing
DHCP Server
Subsystem for UNIX applications
DNS Server
Windows Backup
File Services
Multipath I/O
Print Server
Removable Storage Management
Streaming Media Services
Windows Bitlocker Drive Encryption
Web Server: HTML. R2 adds .NET
SNMP
Hyper-V
WINS
Telnet client
Quality of Service (QoS)
226
3/11/2014
Install Server Core

Select the Server Core Installation option in Windows setup
Server Core Configuration Commands

Task
Command
Change the Administrator Password
When you log on with Ctrl+Alt+Delete, you will be

prompted to change the password.
You can also type the following command:
Net user administrator*
Set a static IPv4 Configuration
Netsh interface ipv4
Activate Windows Server
Cscript c:\windows\system32\slmgr.vbs ato
Join a domain
Netdom
Add Server Core roles, components, or

features
Ocsetup.exe package or feature

Note that the package or feature names are case
sensitive
Display installed roles, components, and

features
Oclist.exe
Enable Remote Desktop

Promote a domain controller
Configure DNS
Cscript C:\windows\system32\scregedit.wsf /AF 0

Dcpromo.exe
Dnscmd.exe
Dfscmd.exe
Configure DFS
227
3/11/2014
Lab B: Install a Server Core DC

Exercise 1: Perform Post-Installation Configuration on
Server Core
Exercise 2: Create a Domain Controller with Server Core
Logon information
Virtual machine
6425B-HQDC01-A
6425B-HQDC03-A
Logon user name
Do not log on
Administrator
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are a domain administrator for Contoso, Ltd., and you
want to add a domain controller to the AD DS

environment. In order to enhance the security of the new
DC, you plan to use Server Core. You have already
installed Server Core on a new computer, and you are
ready to configure the server as a domain controller.
228
3/11/2014
Lab Review
Did you find the configuration of Server Core to be
particularly difficult?
What are the advantages of using Server Core for domain
controllers?
Lesson 3: Manage Operations Masters

Understand Single Master Operations
Operation Master Roles
Optimize the Placement of Operations Masters
Identify Operations Masters
Transfer Operations Master Roles
Seize Operations Master Roles
229
3/11/2014
Understand Single Master Operations

In any multimaster replication topology, some operations
must be single master

Many terms used for single master operations in AD DS
Operations master (or operations master roles)
Single master roles
Operations tokens
Flexible single master operations (FSMOs)
Roles
Forest
Domain naming
Schema
Domain
Relative identifier (RID)
Infrastructure
PDC Emulator
Operations Master Roles

Forest-wide
Domain naming: adds/removes domains to/from the forest
Schema: makes changes to the schema
Domain-wide
RID: provides pools of RIDs to DCs, which use them for SIDs
Infrastructure: tracks changes to objects in other domains that

are members of groups in this domain
PDC: plays several very important roles
Emulates a Primary Domain Controller (PDC): compatibility
Special password update handling
Default target for Group Policy updates
Master time source for domain
Domain master browser
230
3/11/2014
Optimize the Placement of Operations Masters

Forest root DC (first DC in forest) has all roles by default
Best practice guidance
Co-locate the schema master and domain naming master on a GC
Co-locate the RID master and PDC emulator rules
Place the infrastructure master on a DC that is not a GC*
Have a failover plan
* Real-world enhancements to best-practice guidance

Consider configuring all DCs as GCs
In a single domain forest, it doesnt increase replication traffic
If all DCs are GCs, infrastructure master role is not necessary
Still exists, but does not start on a GC and isnt needed
Identify Operations Masters

User interface tools
PDC Emulator: Active Directory Users And Computers
RID: Active Directory Users And Computers
Infrastructure: Active Directory Users And Computers
Schema: Active Directory Schema
Domain Naming: Active Directory Domains and Trusts
Command line tools

NTDSUtil
DCDiag
netdom query fsmo
231
3/11/2014
Transfer Operations Master Roles

Transfer roles in these scenarios
To distribute roles away from the forest domain root DC
Prior to taking a role holding DC offline for maintenance
Prior to demoting a role holding DC
Procedure
Ensure that the new role holder is up to date with replication

from the current role holder
Open the appropriate administrative snap-in
Connect to the target domain controllers
Open the Operations Master dialog box and click Change
Or use NTDSUtil to change transfer the master
Seize Operations Master Roles

Recognize operations master failures
Typically you notice when you attempt to perform an action

for which the master is responsible, and receive an error
Respond to an operations master failure

Determine whether the DC can be brought online, and when
Evaluate whether the enterprise can continue to function

temporarily without the DC
See Student Manual for specific guidance
Seize the role using NTDSUtil

Refer to procedure in Student Manual
Return a role to its original holder?

Only for PDC and Infrastructure tokens
If Schema, RID, or domain naming have been seized, you

must decommission the failed DC offline, then re-promote it
232
3/11/2014
Lab C: Transfer Operations Master Roles

Exercise 1: Identify Operations Masters
Exercise 2: Transfer Operations Master Roles
Logon information
Virtual machine
6425B-HQDC01-B
6425B-HQDC02-B
Logon user name
Pat.Coleman
Do not log on
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are a domain administrator at Contoso, Ltd. One of
the redundant power supplies has failed on HQDC01 and

you must take the server offline for servicing. You want to
ensure that ADDS operations are not interrupted while the
server is offline.
233
3/11/2014
Lab Review
If you transfer all roles before taking a domain controller
offline, is it OK to bring the domain controller back online?

If a domain controller fails and you seize roles to another
domain controller, is it OK to bring the failed domain

controller back online?
Lesson 4: Configure DFS-R Replication of SYSVOL

Raise the Domain Functional Level
Understand Migration Stages
Migrate to DFS-R Replication of Sysvol
234
3/11/2014
Raise the Domain Functional Level

All domain controllers in the domain must be Windows
Server 2008 or greater

DCs in other domains and member server OSs dont matter
Active Directory Domains And Trusts

Right-click domain Raise Domain Functional Level
Understand Migration Stages

Four states (stages)
0 (start): Default state. FRS replicates SYSVOL
1 (prepared)
Copy of SYSVOL called SYSVOL_DFSR, replicated by DFS-R
SYSVOL replicated by FRS and used by clients
2 (redirected)
SYSVOL share redirected to SYSVOL_DFSR for client use.
SYSVOL replicated by FRS (for failback)
3 (eliminated): FRS replication of SYSVOL stopped. Folder remains.
DFSRMig (dfsrmig.exe)
setglobalstate state where state is 0-3. Sets global (desired) state.
getglobalstate reports current global DFSR migration state
getmigrationstate reports migration state of each DC towards state
235
3/11/2014
Migrate to DFS-R Replication of SYSVOL

1. Raise the domain functional level to WS2008
2. dfsrmig /setglobalstate 1
Wait for migration to Prepared state. Can take 15 minutes

to an hour or longer
Use dfsrmig /getmigrationstate to monitor progress
Wait. dfsrmig /getmigrationstate to monitor progress
Wait. Can take 15 minutes to an hour or longer
Use dfsrmig /getmigrationstate to monitor progress
During migration to state 3 (eliminated), any changes to

SYSVOL must be manually made to SYSVOL_DFSR as well
Lab D: Configure DFS Replication of SYSVOL

Exercise 1: Observe the Replication of SYSVOL
Exercise 2: Prepare to Migrate to DFS-R
Exercise 3: Migrate SYSVOL Replication to DFS-R
Exercise 4: Verify DFS-R Replication of SYSVOL
Logon information
Virtual machine
6425B-HQDC01-B
6425B-HQDC02-B
Logon user name
Pat.Coleman
Pat.Coleman
Pat.Coleman_Admin
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
236
3/11/2014
Lab Scenario
You are an administrator at Tailspin Toys. You have
recently upgraded the last remaining Windows Server

2003 domain controller to Windows Server 2008, and you
want to take advantage of the improved replication of
SYSVOL using DFS-R.
Lab Review
What would you expect to be different between two
enterprises, one which created its domain initially with

Windows 2008 domain controllers, and one that migrated
to Windows Server 2008 from Windows Server 2003?
What must you be aware of while migrating from the
Prepared to the Redirected state?
237
3/11/2014
Module 12
Manage Sites and
Active Directory
Replication

See Notes pane.
238
3/11/2014
Module Overview
Configure Sites and Subnets
Configure the Global Catalog and Application Partitions
Configure Replication
Lesson 1: Configure Sites and Subnets

Understand Sites
Plan Sites
Create Sites
Manage Domain Controllers in Sites
Domain Controller Location: SRV Records
Domain Controller Location: Client
239
3/11/2014
Understand Sites
Loosely related to network sites
A highly connected portion of your enterprise
Active Directory objects that support

Replication
Active Directory changes must be replicated to all DCs
Some DCs might be separated by slow, expensive links
Balance between replication cost & convergence
Service localization
DC (LDAP & Kerberos)
DFS
Active Directoryaware (site aware) apps
Location property searching, for example, printer location
Plan Sites
Active Directory sites may not map one-to-one with
network sites
Two locations, well connected, may be one Active Directory

site
A large enterprise on a highly connected campus (one site)

may be broken into multiple Active Directory sites for service
localization
Criteria
Connection speed: 512 kbps link is a guideline, but as low as

28 kbps is used
Service placement: If no DCs or Active Directoryaware

services, not much point in a site
User population: If the number of users warrants a DC,

consider a site
Directory query traffic by users or applications
Desire to control replication traffic between DCs
240
3/11/2014
Create Sites
Active Directory Sites and Services
Default-First-Site-Name
Should be renamed
Create a site
Assign to site link
Create a subnet
Assign to site
A site can have >1 subnet

A subnet can be associated with
only one site
Manage Domain Controllers in Sites

DCs should be in the correct site
The SERVERS container will show only DCs,

not all server
Add a DC to a site
First DC will be in Default-First-Site-Name
Additional DCs will be added to sites based

on their subnet address
DCPromo prompts you for the site
You can right-click the Servers container of

a site and pre-create the server object
before promoting the DC
Move DC to a new site: right-click DC and choose Move

Delete a DC: right-click DC and choose Delete
241
3/11/2014
Domain Controller Location: SRV Records

Domain controllers register service locator records (SRV)
in DNS in the following locations

_tcp.contoso.com: all DCs in the domain
_tcp.siteName._sites.contoso.com: all DCs in site siteName
Clients query DNS for domain controllers
Domain Controller Location: Client

1. New client queries for all
5. Client queries for all DCs in
DCs in the domain

Retrieves SRVs from

_tcp.domain
the site
Retrieves SRVs from

_tcp.site._sites.domain
Examines client IP and

subnet definitions
Refers client to a site
Authenticates client
Client forms affinity
8. Subsequently
4. Client stores site in registry

Client binds to affinity DC
DC offline? Client queries for

DCs in registry-stored site
Client moved to another site?

DC refers client to another site
242
3/11/2014
Lab A: Configure Sites and Subnets

Exercise 1: Configure the Default Site
Exercise 2: Create Additional Sites
Logon information
Virtual machine 6425B-HQDC01-B
6425-HQDC02-B
6425B-HQDC03-B
6425B-BRANCHDC01-B
Logon user
name
Pat.Coleman
Do not log on
Do not log on
Do not log on
Administrative
user name
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are an administrator for Contoso, Ltd. You are preparing to
improve the service localization and Active Directory replication of

your enterprise. The previous administrator made no changes to
the out-of-box configuration of sites and subnets. You want to
begin the process of defining your physical topology in Active
Directory.
243
3/11/2014
Lab Review
If you have a site with 50 subnets, each with a subnet
address of 10.0.x.0/24, and you have no other 10.0.x.0

subnets, what could you do to make it easier to identify
the 50 subnets and associate them with a site?
Why is it important that all subnets are identified and
associated with a site in a multisite enterprise?
Lesson 2: Configure the Global Catalog and

Application Partitions
Review Active Directory Partitions
Understand the Global Catalog
Place Global Catalog Servers
Configure a Global Catalog Server
Universal Group Membership Caching
Understand Application Directory Partitions
244
3/11/2014
Review Active Directory Partitions
Schema
Forest
Definitions and rules for

creating and manipulating
objects and attributes
Information about the
Active Directory structure
Configuration
Information about domainspecific objects
Domain
Domain
Full replica (DC)
Active Directory
Database
Read-only replica (RODC)

Does not include secrets
Replicates passwords per policy
Understand the Global Catalog

Schema
Configuration
Domain A
Global catalog hosts a
partial attribute set (PAS) for

other domains in the forest
Supports queries for objects
throughout the forest

Schema
Configuration
Schema
Domain A
Configuration
Domain B
Domain B
Global Catalog
Server
Schema
Configuration
Domain B
245
3/11/2014
Place Global Catalog Servers

Recommendation: Every DC a GC
In particular
If an application in a site queries the GC (port 3268)
If a site contains an Exchange server
If a connection to a GC in another site is slow/unreliable

Schema
Schema
Configuration
Configuration
Domain A
Domain A
Make a GC?
Domain B
HEADQUARTERS
Domain B
BRANCHA
Configure a Global Catalog Server

Right-click the NTDS Settings node underneath the DC
246
3/11/2014
Universal Group Membership Caching

Universal group membership replicated in the GC
Normal logon: users token built with UGs from GC
GC not available at logon: DC denies authentication
If every DC is a GC, this is never a problem

If connectivity to a GC is not reliable
DCs can cache UG membership for a user when user logs on
GC later not available: user authenticated with cached UGs
In sites with unreliable connectivity to GC: enable UGMC

Right-click NTDS Settings for site Properties
Enables UGMC for all DCs in the site
Understand Application Directory Partitions

Support a specific application
Schema
Configuration
Domain A
DNS
Schema
Targeted to specific DCs

Managed with the admin tool for
the app: e.g. DNS Manager

Consider app partitions before
demoting a DC
Configuration
Schema
Domain A
Configuration
Domain B
Domain B
DNS
Schema
Configuration
Domain B
247
3/11/2014
Lab B: Configure the Global Catalog and

Application Partitions
Exercise 1: Configure a Global Catalog
Exercise 2: Configure Universal Group Membership
Caching
Exercise 3: Examine DNS and Application Directory
Partitions
Logon information
Virtual
machine
6425B-HQDC01-B
6425-HQDC02-B
6425B-HQDC03-B
6425B-BRANCHDC01-B
Logon user
name
Pat.Coleman
Do not log on
Do not log on
Do not log on
Administrative
user name
Pat.Coleman_Admin
Password
Pa$$w0rd
Lab Scenario
You are the administrator of Contoso, Ltd. In your
continued effort to improve the availability and resiliency

of the directory service, you decide to configure additional
global catalog servers and universal group membership
caching. You are also curious about the relationship
between Active Directoryintegrated DNS zones and the
DNS application partitions.
248
3/11/2014
Lab Review
Describe the relationship between the records you viewed
in ADSI Edit and the records you viewed in DNS Manager.

When you examined the DNS records in
_tcp.BRANCHA._sites.contoso.com, what domain controller

was registering service locator records in the site? Explain
why it did so.
Lesson 3: Configure Replication

Understand Active Directory Replication
Intrasite Replication
Site Links
Replication Transport Protocols
Bridgehead Servers
Site Link Transitivity and Bridges
Control Intersite Replication
Monitor and Manage Replication
249
3/11/2014
Understand Active Directory Replication

Multimaster replications balancing act: loose coupling
Accuracy (integrity)
Consistency (convergence)
Performance (keeping replication traffic to a reasonable level)
Key characteristics of Active Directory Replication

Multimaster replication
Pull replication
Store-and-forward
Partitions
Automatic generation of an efficient & robust replication topology
Attribute level replication
Distinct control of intrasite and intersite replication
Collision detection and remediation
Intrasite Replication
Connection object: inbound replication to a DC
Knowledge consistency checker (KCC) creates topology
Efficient (maximum three hop) & robust (two-way) topology
Runs automatically, but you can Check Replication Topology
Few reasons to manually create connection objects
Standby operations masters should have connections to masters
Replication
Notification: DC tells its

downstream partners change
is available (15 seconds)
DC1
DC3
DC2
Polling: DC checks with its

upstream partners (1 hour) for changes
Downstream DC directory replication agent (DRA) replicates changes
Changes to all partitions held by both DCs are replicated
250
3/11/2014
Site Links
Intersite topology generator (ISTG) builds replication
topology between sites

Site links
Contain sites
Within a site link, a connection object can be created between

any two DCs
Not always appropriate given your network topology!
Replication Transport Protocols

Directory Service Remote Procedure Call (DS-RPC)
Appears as IP in Active Directory Sites and Services
The default and preferred protocol for intersite replication
Inter-Site MessagingSimple Mail Transport Protocol
(ISM-SMTP)
Appears as SMTP in Active Directory Sites and Services
Rarely used in the real world
Requires a certificate authority
Cannot replicate the domain naming contextonly schema

and configuration
Any site that uses SMTP to replicate must be in a separate

domain within the forest
251
3/11/2014
Bridgehead Servers
Replicates changes from bridgeheads in all other sites
Polled for changes by bridgeheads in all other sites
Selected automatically by ISTG
Or you can configure preferred bridgehead servers
Firewall considerations
Performance considerations
Site Link Transitivity and Bridges

Site link transitivity (default)
ISTG can create connection objects between site links
Disable transitivity in the properties of the IP transport
Site link bridges

Manually transitive site links
Useful only when transitivity is disabled
252
3/11/2014
Control Intersite Replication

Site link costs
Replication uses the connections with the lowest cost
Replication
Notifications off by default. Bridgeheads do not notify partners
Polling. Downstream bridgehead polls upstream partners
Default: 3 hours
Minimum: 15 minutes
Recommended: 15 minutes
Replication schedules
24 hours a day
Can be scheduled
300
100
Whiteboard: Replication
RODC
BH
Branch
IP Subnet
Site D
IP Subnet
IP Subnet
IP Subnet
BH
IP Subnet
Site B
Site Link Bridge
BH
Site A
IP Subnet
BH
Site C
IP Subnet
253
3/11/2014
Monitor and Manage Replication

RepAdmin
repadmin /showrepl hqdc01.contso.com
repadmin /showconn hqdc01.contoso.com
repadmin /showobjmeta hqdc01 "cn=Linda Miller,ou="
repadmin /kcc
repadmin /replicate hqdc02 hqdc01 dc=contoso,dc=com
repadmin /syncall hqdc01.contoso.com /A /e
DCDiag /test:testName
FrsEvent or DFSREvent
Intersite
KccEvent
Replications
Topology
Lab C: Configure Replication

Exercise 1: Create a Connection Object
Exercise 2: Create Site Links
Exercise 3: Move Domain Controllers into Sites
Exercise 4: Designate a Preferred Bridgehead Server
Exercise 5: Configure Intersite Replication
Logon information
Virtual machine
6425B-HQDC01-B
6425-HQDC02-B
6425B-HQDC03-B
6425B-BRANCHDC01-B
Logon user
name
Pat.Coleman
Do not log on
Do not log on
Do not log on
Administrative
user name
Pat.Coleman_Admin
Password
Pa$$w0rd
254
3/11/2014
Lab Scenario
You are the administrator of Contoso, Ltd. You want to
optimize replication of AD DS by aligning replication with

your network topology and domain controller roles and
placement.
Lab Review
Explain the warning message that appeared when you designated
HQDC02 as a preferred bridgehead server.

What are the advantages of reducing the intersite replication
interval? What are the disadvantages?

Is the procedure you performed in Exercise 2 enough to create a
hub-and-spoke replication topology, which ensures that all changes

from branches are replicated to the headquarters before being
replicated to other branches? If not, what must still be done?
255
3/11/2014
Module 13
Directory Service
Continuity
Module Overview
Monitor Active Directory
Manage the Active Directory Database
Back Up and Restore AD DS and Domain Controllers
256
3/11/2014
Lesson 1: Monitor Active Directory

Understand Performance and Bottlenecks
Task Manager
Resource Manager
Event Viewer
Demonstration: Event Viewer
Custom Views
Subscriptions
Demonstration: Configure Custom Views and Subscriptions
Windows Reliability and Performance Monitor (WRPM)
Demonstration: Windows Reliability and Performance Monitor (WRPM)
Reliability Monitor
Performance Monitor
Data Collector Sets
Demonstration: Monitor AD DS
Monitoring Best Practices
Understand Performance and Bottlenecks

Key system resources
CPU
Disk
Memory
Network
Bottleneck: Resource that is currently at peak utilization

Tools
Task Manager
Event Viewer
Resource Monitor
Reliability Monitor
Performance Monitor
System Center Operations Manager
257
3/11/2014
Task Manager
Starting taskmgr.exe
CTRL+SHIFT+ESC
CTRL+ALT+DEL
Right-click taskbar
Start taskmgr.exe
Real-time performance
Applications
Processes
Services
Performance
High-level CPU, network, memory
No disk counters
Logged-on users
Entry point to Resource Monitor
Resource Monitor
Full view of key system components
Click each graph to expand/collapse the component
Launching Resource Monitor

Task Manager Performance Resource Monitor
Start perfmon /res
Home view of Windows Reliability and Performance Monitor

(WRPM) snap-in
258
3/11/2014
Event Viewer
What you see
Many more logs
Summary and custom

views based on crosslog queries
Role-based views in
Server Managers
More detailed events
What you can do

Integrate with Task

Scheduler: E-mails or
actions based on event
Subscribe to events
from other computers
Demonstration: Event Viewer

Explore Event Viewer
Identify the Active Directory logs
Directory Service
Domain Name System (DNS)
Distributed File System Replication (DFSR)
Group Policy Operational log
Discover the new features in the Windows Server 2008
Event Viewer
259
3/11/2014
Custom Views
Aggregate events from multiple logs
Filter
Reuse
Export for import to other computers
Event 1
Security log
Event 2
System log
Event Viewer
Event 3
DFS log
Subscriptions
Collect events from one or
more computers
Store the events locally
Use Windows Remote
Management (WinRM)
Require WinRM exceptions
in firewall
260
3/11/2014
Demonstration: Configure Custom Views

and Subscriptions
Create a custom view, and then add the AD DSspecific
logs to the view

Create a subscription to collect logs from multiple
domain controllers
Windows Reliability and Performance Monitor (WRPM)

Track system changes (Reliability Monitor)
Display real-time or logged performance data
(Performance Monitor)
Generate reports or graphical views of performance
Generate alerts
Take action when thresholds are reached
Collect data (Data Collector Sets and Reports)

Generate reports
Generate graphical views of logged performance
261
3/11/2014
Demonstration: Windows Reliability and

Performance Monitor (WRPM)
In this demonstration we will:
Explore Windows Reliability and Performance Monitor
(WRPM)
Reliability Monitor
Tracks system changes
Software install/uninstall
Application failures
Windows failures
Hardware failures
262
3/11/2014
Performance Monitor
Useful counters in any server baseline
Memory \ Pages/sec
PhysicalDisk \ Avg. Disk Queue Length
Processor \ %Processor Time
Useful counters for monitoring Active Directory

NTDS\ DRA Inbound Bytes Total/sec
NTDS\ DRA Inbound Object
NTDS\ DRA Outbound Bytes Total/sec
NTDS\ DRA Pending Replication Synchronizations
NTDS \ Kerberos Authentications/sec
NTDS\ NTLM Authentications
Data Collector Sets

Collections of data points
Performance counters
Event trace data
System configuration information (registry keys)
Use to
View real-time performance with Performance Monitor
Create a log (manually invoked or scheduled) and then view

Reports
Generate alerts based on thresholds
Use by other applications
Create
Start from a template; role templates added by Windows
Save an existing set of counters in a Performance Monitor view
Manually specify and configure data collectors in a set
Export/import data collector set as XML
263
3/11/2014
Demonstration: Monitor AD DS
Configure AD DS monitoring by using Data Collector Sets
Monitoring Best Practices

1. Monitor early to establish baselines!
Document performance when things are working well
Include server and role-related counters during idle and busy times
2. Monitor often to identify potential problems

Compare to baseline and watch for troublesome deviation
3. Know how to monitor and interpret performance
before a meltdown
Establish Data Collector Sets
Build the skills to interpret performance counters
4. Capture appropriately
Dont overcapture
Degrades performance
Creates noise, making it difficult to identify real problems
264
3/11/2014
Lab A: Monitor Active Directory Events and

Performance
Exercise 1: Monitor Real-Time Performance Using Task
Manager and Resource Monitor

Exercise 2: Use Reliability Monitor and Event Viewer to
Identify Performance-Related Events

Exercise 3: Monitor Events on Remote Computers with
Event Subscriptions
Exercise 4: Attach Tasks to Event Logs and Events
Exercise 5: Monitor AD DS with Performance Monitor
Exercise 6: Work with Data Collector Sets
Logon information
Virtual machine
6425B-HQDC01-B
Logon user name
Pat.Coleman
Pat.Coleman
Pat.Coleman_Admin
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
6425B-HQDC02-B
Lab Scenario
Last month, the only domain controller in the branch office
failed, causing Contoso's call center to be offline for an

entire day and costing the company a significant amount
of money in lost revenue. You were hired to replace the
administrator who had configured a critical location
without redundant authentication or monitoring. This
week, you are working to configure monitoring to ensure
that performance and reliability can be watched on an
ongoing basis for any signs of trouble.
265
3/11/2014
Lab Review
In what situations do you currently use, or can you
envision using, event subscriptions as a monitoring tool?

To what events or performance counters would you
consider attaching e-mail notifications or actions? Do you

use notifications or actions currently in your enterprise
monitoring?
Lesson 2: Manage the Active Directory Database

Active Directory Database Files
NTDSUtil
Perform Database Maintenance
Demonstration: AD DS Database Maintenance
Active Directory Snapshots
Restore Deleted Objects
Demonstration: Using Snapshots and Object Reanimation
266
3/11/2014
Active Directory Database Files

File
Description
The AD DS database file
NTDS.dit All AD DS partitions and objects on the domain
controller
Default location: systemroot\NTDS
Transaction log
EDB*.log Default transaction log: EDB.log
Overflow logs: Edb000x.log
Checkpoint file
EDB.chk Pointer into transaction log: which transactions
have or have not been committed
ebdres00001.jrs
ebdres00002.jrs
Reserved transaction log files

Used if disk runs out of space, so that
transaction logs do not crash
How the Database Is Modified

EDB.chk
Update the
checkpoint
Write Request
Commit the
transaction
Transaction
is initiated
Write to the
transaction
buffer
Write to the
transaction
log file
Write to the
database
on disk
NTDS.dit on Disk
EDB.log
267
3/11/2014
NTDSUtil
Manage and control single master operations (Module 11)
Perform AD DS database maintenance (Module 13)
Perform offline defragmentation
Create and mount snapshots
Move database files
Clean domain controller metadata

Domain controller removal or demotion while not connected to

domain
Reset Directory Services Restore Mode password

set dsrm
Perform Database Maintenance

Garbage collection
Scavenging: Removing deleted items that have reached their

tombstone lifetime
Defragmentation
Online defrag (part of garbage collection): reclaims unused space
Offline defrag (manual): releases unused space, reduces file size
Use NTDSUtil
Restartable AD DS
You can stop AD DS in Services just like any other service
For applying updates that affect AD DS files
Before performing offline defragmentation
268
3/11/2014
Demonstration: AD DS Database Maintenance

Stop the AD DS service
Simulate compacting the database
Simulate moving the database to a new volume
Restart the AD DS service

Create a snapshot of Active Directory
NTDSUtil
Mount the snapshot to a unique port

NTDSUtil
Expose the snapshot

Right-click the root node of Active Directory Users and

Computers and choose Connect to Domain Controller
Enter serverFQDN:port
View (read-only) snapshot

Cannot directly restore data from the snapshot
Recover data
Manually re-enter data or
Restore a backup from the same date as the snapshot
269
3/11/2014
Restore Deleted Objects

When an object is deleted
Stripped of almost every attribute except
SID, objectGUID, lastKnownParent, sAMAccountName
Moved to Deleted Objects container, marked as isDeleted
You can restore (reanimate) deleted (tombstoned)
objects when
Domain functional level is Windows Server 2003 or greater
Deleted object has not yet been scavenged
Steps
LDP.exe
Modify isDeleted
Provide distinguished name (DN)
Repopulate all other attributes
Demonstration: Using Snapshots and Object

Reanimation
Create a snapshot
Delete a user
Mount the snapshot
Expose the snapshot
Reanimate the tombstoned user object
Repopulate the users attributes
Unmount the snapshot
270
3/11/2014
Lab B: Manage the Active Directory Database

Exercise 1: Perform Database Maintenance
Exercise 2: Work with Snapshots and Recovering a
Deleted User
Logon information
Virtual machine
6425B-HQDC01-B
6425B-HQDC02-B
Logon user name
Pat.Coleman
Pat.Coleman
Pat.Coleman_Admin
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
Lab Scenario
university. At the end of the semester, 65 days ago, you

deleted 835 user accounts for students who have
graduated or will no longer return to the program. You
now want to compact your Active Directory database to
reclaim the space released by that many deleted objects.
Additionally, you were notified that yesterday, one user
account, Adriana Giorgi, was deleted by accident. You
want to recover that account with a snapshot you have
scheduled to run each night at 1:00 a.m.
271
3/11/2014
Lab Review
In what other situations might it be useful to mount a
snapshot of Active Directory?

What are the disadvantages of restoring a deleted object
with a tool such as LDP?
Lesson 3: Back Up and Restore AD DS and

Domain Controllers
Backup and Recovery Tools
Overview of AD DS and Domain Controller Backup
Demonstration: Backing Up AD DS
Other Backup and Recovery Tools
Active Directory Restore Options
Nonauthoritative Restore
Authoritative Restore
272
3/11/2014
Backup and Recovery Tools

Windows Server Backup snap-in (use locally or remotely)
Back up a full server (all volumes)
Back up selected volume(s)
Back up system state (includes all critical volumes)
Recover volumes, folders, files, or system state
wbadmin.exe
Perform manual or automated backup
Back up to CD/DVD/HDD
No tape!
Use a dedicated HDD for backup: recommended or required
Overview of AD DS and Domain Controller Backup

You must back up all critical volumes
System volume: The volume that contains boot files
Boot volume: The volume that contains the Windows operating

system and the registry
Volume(s) hosting SYSVOL, AD DS database (NTDS.dit), logs
Do not store other data on these volumes as it will increase backup

and restore times
Windows Server Backup (wbadmin.exe)
273
3/11/2014
Demonstration: Backing Up AD DS
In this demonstration we will:
Back up a domain controller
Other Backup and Recovery Tools

PowerShell cmdlets
Windows Recovery Environment
Boot to Windows Server 2008 DVD and choose System

Recovery Options
Install locally as a boot option
Useful for full system recovery
Microsoft System Center Data Protection Manager 2007
274
3/11/2014
Active Directory Restore Options

Nonauthoritative (normal) restore
Restore domain controller to previously known good state of

Active Directory
Domain controller will be updated using standard replication

from up-to-date partners
Authoritative restore
Restore domain controller to previously known good state of

Active Directory
Mark objects that you want to be authoritative
Windows sets the version numbers very high
Domain controller is updated from its up-to-date-partners
Domain controller sends authoritative updates to its partners
Full Server Restore

Typically performed in Windows Recovery Environment
Alternate Location Restore
Nonauthoritative Restore
Restart the domain controller in DSRM
Locally: Press F8 on restart
Remotely using remote desktop:
Configure restart in DSRM: bcdedit /set safeboot dsarepair
Restart: shutdown -t 0 -r
Log on with the Administrator account and the DSRM password

Perform the nonauthoritative restore
Use Windows Server Backup (wbadmin.exe) to restore AD DS
Restart
Set normal restart: bcdedit /deletevalue safeboot dsarepair
Restart: shutdown -t 0 -r
Domain controller replicates all changes since date of backup
from its partners
275
3/11/2014
Authoritative Restore
Restart the domain controller in DSRM
Log on with the Administrator account and the DSRM password
Perform the nonauthoritative restore
Use Windows Server Backup (wbadmin.exe) to restore AD DS
Mark selected objects as authoritative

restore [object|subtree] objectDN"
Authoritative changes have a higher version number than on

partners
Restart
Restored domain controller replicates changes since date of
backup
Partners see authoritative changes with high version numbers
Partners pull the authoritative changes from the restored domain

controller
Lab C: Back Up and Restore Active Directory

Exercise 1: Back up Active Directory
Exercise 2: Restore Active Directory and a Deleted OU
Logon information
Virtual machine
6425B-HQDC01-B
6425B-HQDC02-B
Logon user name
Pat.Coleman
Pat.Coleman
Pat.Coleman_Admin
Pat.Coleman_Admin
Password
Pa$$w0rd
Pa$$w0rd
276
3/11/2014
Lab Scenario
As administrator of Contoso, is your responsibility to
ensure that the directory service is backed up. Today, you

noticed that last night's backup did not run as scheduled.
You therefore decided to perform an interactive backup.
Shortly after the backup, a domain administrator
accidentally deletes the Employees OU. Luckily, you are
able to restore the OU with the backup you just made.
Lab Review
What type of domain controller and directory service
backup plan do you have in place? What do you expect to

put in place after having completed this lesson and this
lab?
When you restore a deleted user (or an OU with user
objects) using authoritative restore, will the objects be

exactly the same as before? What attributes might not be
the same?
277
3/11/2014
Module 14
Manage Multiple Domains
and Forests
Module Overview
Configure Domain and Forest Functional Levels
Manage Multiple Domains and Trust Relationships
278
3/11/2014
Lesson 1: Configure Domain and Forest

Functional Levels
Understand Functional Levels
Domain Functional Levels
Forest Functional Levels
Understand Functional Levels

Domain functional levels
Forest functional levels
New functionality requires that domain controllers (DCs)
are running a particular version of Windows

Windows 2000
Windows Server 2003
Windows Server 2008

Cannot raise functional level
while DCs are running previous

versions of Windows
Cannot add DCs running
previous versions of Windows

after raising functional level
279
3/11/2014
Domain Functional Levels

Windows 2000 Native
Windows Server 2003
Domain controller rename
Default user and computer container redirection
lastLogonTimestamp attribute
Selective authentication on external trust relationships
Windows Server 2008

Distributed File System Replication (DFS-R) of SYSVOL
Last interactive logon information
Fine-grained password policy
Advanced Encryption Services (AES 128 and AES 256) for Kerberos
Forest Functional Levels

Windows 2000
Windows Server 2003
Forest trusts
Domain rename
Linked-value replication
Support for Read-Only domain controllers (RODCs)
Requires adprep /rodcprep and one writeable Windows Server
2008 DC
Improved Knowledge Consistency Checker (KCC) algorithms and
scalability
Conversion of inetOrgPerson objects to user objects
Support for dynamicObject auxilliary class
Support for application basic groups and Lightweight Directory
Access Protocol (LDAP) query groups
Deactivation and redefinition of attributes and object classes
Windows Server 2008
No new features; sets minimum level for all new domains
280
3/11/2014
Lab A: Raise Domain and Forest Functional Levels

Exercise 1: Raise the Domain Functional Level to Windows
Server 2003
Exercise 2: Raise the Forest Functional Level to Windows
Server 2003
Exercise 3: Raise the Domain Functional Level to Windows
Server 2008
Logon information
Virtual machine
6425B-TSTDC01-A
Logon user name
Sara.Davis
Sara.Davis_Admin
Password
Pa$$w0rd
Lab Scenario
You are the domain administrator of Tailspin Toys. A
branch office was the last location with a Windows 2000

domain controller, and you have just upgraded it to
Windows Server 2008. You want to take advantage of
functionality provided by higher domain and forest
functional levels.
281
3/11/2014
Lab Review
Can you raise the domain functional level to Windows
Server 2008 when your Microsoft Exchange server is still

running Windows Server 2003?
Can you raise the domain functional level of a domain to
Windows Server 2008 when other domains contain domain

controllers running Windows Server 2003?
Lesson 2: Manage Multiple Domains and Trust

Relationships
Define Your Forest and Domain Structure
Move Objects Between Domain and Forests
Understand Trust Relationships
Characteristics of Trust Relationships
How Trusts Work Within a Forest
Demonstration: Create a Trust
Shortcut Trusts
External Trusts and Realm Trusts
Forest Trusts
Administer Trust Relationships
Domain Quarantine
Resource Access for Users from Trusted Domains
282
3/11/2014
Define Your Forest and Domain Structure

Dedicated forest root domain
Single-domain forest
Single domain partition, replicated to all DCs
Single Kerberos policy
Single Domain Name System (DNS) namespace
Multiple-domain forest
Increased hardware and administrative cost
Increased security risk
Multiple trees
Multiple forests
Move Objects Between Domains and Forests

Inter-forest migration: Copy objects
Intra-forest migration: Move objects
Active Directory Migration Tool (ADMT)
Console, command line, scriptable APIs
Simulation mode: Test the migration settings and migrate later
Security identifiers, security descriptors, and migration

sIDHistory
Security Translation: NTFS, printers, SMB shares, registry, rights,

profiles, group memberships
Group membership
283
3/11/2014

See Notes pane.
Understand Trust Relationships

Extends concept of trusted identity store to another domain
Trusting domain (with the resource) trusts the identity store
and authentication services of the trusted domain.

A trusted user can authenticate to, and be given access to
resources in, the trusting domain

Within a forest, each domain trusts all other domains
Trust relationships can be established with external domains
TrustingTrusted
DomainDomain
284
3/11/2014
Characteristics of Trust Relationships

Direction
Transitivity
Automatic or Manual
Trusting domain
Trusting Trusted
domain domain
Trusted domain
How Trusts Work Within a Forest
Forest Root
Domain
Tree Root
Domain
tailspintoys.com
wingtiptoys.com
europe.tailspintoys.com
usa.wingtiptoys.com
asia.wingtiptoys.com
285
3/11/2014
Demonstration: Create a Trust

Create a trust using Active Directory Domains and Trusts
and the New Trust Wizard
Shortcut Trusts
tailspintoys.com
wingtiptoys.com
usa.wingtiptoys.com
asia.wingtiptoys.com
286
3/11/2014
External Trusts and Realm Trusts
tailspintoys.com
worldwideimporters.com
asia.tailspintoys.com
sales.worldwideimporters.com
Forest Trusts
tailspintoys.com
worldwideimporters.com
asia.tailspintoys.com
sales.worldwideimporters.com
287
3/11/2014
Administer Trust Relationships

Validate a trust relationship
netdom trust TrustingDomainName

/domain:TrustedDomainName /verify
Remove a manually created trust relationship

netdom trust TrustingDomainName

/domain:TrustedDomainName
/remove [/force] /UserD:User /PasswordD:*
UserD is a user in the Enterprise Admins or Domain Admins

group of the trusted domain
Domain Quarantine
Filters out trusted user SIDs that come from a domain other
than the trusted domain

If a user was migrated into the trusted domain
User account may have SIDs from users previous domain in the
sIDHistory attribute
Those SIDs are included in the users privilege attribute certificate

(PAC) that is part of the Kerberos ticket the user presents to the
trusted domain
These SIDs are discarded
Enabled by default on all new outgoing trusts to external
domains/forests
Disable if necessary
netdom trust TrustingDomainName /domain:TrustedDomainName
/quarantine:[Yes|No]
288
3/11/2014
Resource Access for Users from Trusted Domains

Giving trusted users access to resources
Authenticated Users
Add trusted identities to trusting domains domain local groups
Add trusted identities to ACLs
Selective authentication
Reduces the risk of exposure--for

example, to Authenticated Users
You specify which trusted users are

allowed to authenticate
on a server-by-server (computer-bycomputer) basis
Enable selective authentication in the

properties of the trust
Give users Allowed To Authenticate

permission on the computer object in
Active Directory
Lab B: Administer a Trust Relationship

Exercise 1: Configure DNS
Exercise 2: Create a Trust Relationship
Exercise 3: Validate a Trust Relationship
Exercise 4: Assign Permissions to Trusted Identities
Exercise 5: Implement Selective Authentication
Logon information
Virtual machine
6425B-HQDC01-A
6425B-TSTDC01-A
Logon user name
Pat.Coleman
Sara.Davis
Pat.Coleman_Admin
Sara.Davis_Admin
Password
Pa$$w0rd
Pa$$w0rd
289
3/11/2014
Lab Scenario
Contoso, Ltd. is forming a partnership with Tailspin Toys.
A team of product developers at Tailspin Toys requires

access to a shared folder in the Contoso domain. You must
configure your domain to support this business
requirement. Additionally, the inexperienced domain
administrator at Tailspin Toys requires assistance
configuring the reciprocal side of the trust relationship.
Lab Review
You have given the Research and Development group from
Tailspin Toys Modify permission to the Product Information

folder on HQDC01. However, of the ten users in the group,
only one user (who happens to also be a member of the
Product Team group) has access. The others cannot
access the folder. What must be done?
A user from Contoso attempts to access a shared folder in
the Tailspin Toys domain and receives an Access Denied

error. What must be done to provide access to the user?
290

04-Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

04-Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Hochgeladen von

Copyright:

Verfügbare Formate

3/11/2014

Configuring and Troubleshooting

Microsoft Certification Program

Core exam for the following

with Group Policy Settings

Course Outline (continued)

Active Directory Domain Services Domain

Lesson 1: Introducing Active Directory, Identity,

Information Protection in a Nutshell

Its all about connecting users to the information they require

Identity and Access (IDA)

Identity: user account

Resource: Shared Folder

Saved in an identity store

Secured with a security

the security identifier (SID)

list (DACL or ACL)

Authentication and Authorization

The system creates a

The users security

Credentials: at least two components required

Secret, for example, password

Two types of authentication

Remote (network) logon

Users Access Token

Security Descriptors, ACLs and ACEs

Three components required for authorization

Users Access Token

Stand-alone (Workgroup) Authentication

database on the Windows system

Active Directory Domains: Trusted Identity Store

trusted by all domain

performing the role of an

Active Directory, Identity, and Access

Store information about users, groups, computers and other

Kerberos authentication used in Active Directory provides

Provide an audit trail

Active Directory services

Active Directory Domain Services (AD DS)

Active Directory Lightweight Directory Services (AD LDS)

Active Directory Certificate Services (AD CS)

Active Directory Rights Management Services (AD RMS)

Active Directory Federation Services (AD FS)

Lesson 2: Active Directory Components and Concepts

Active Directory As a Database

Each record is an object

Each field is an attribute

Users, groups, computers,

Logon name, SID, password, description, membership,

Identities (security principals or accounts)

Services: Kerberos, DNS, replication, etc.

Windows tools, user interfaces, and components

APIs (.NET, VBScript, Windows PowerShell)

Lightweight Directory Access Protocol (LDAP)

Demonstration: Active Directory Schema

Directory by defining Attributes

and Object classes

Notes Page Over-flow Slide. Do Not Print Slide.

Containers that also support

Apply Group Policy

security and configuration through policies

Domain password and lockout policy

Applied to users or computers by scoping a GPO containing

Fine-grained password and lockout policies