
OFFICIAL MICROSOFT LEARNING PRODUCT

6424A
Fundamentals of Windows Server

2008 Active Directory

Be sure to access the extended learning content on your


Course Companion CD enclosed on the back cover of the book.

BETA COURSEWARE. EXPIRES 4/30/2008


ii Fundamentals of Windows Server 2008 Active Directory

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2007 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Excel, Internet Explorer, MSDN, MS-DOS, Outlook, PowerPoint, Excel,
SharePoint, SQL Server, Visio, Windows, Windows NT, Windows PowerShell, Windows Server, and
Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.

All other trademarks are property of their respective owners.

Technical Reviewer: Ronald Bigras

Product Number: 6424A


Part Number: N/A

Released: 11/2008



MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS COURSEWARE
BLENDED LEARNING COURSE - STUDENT EDITION
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the licensed content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft
updates,
supplements,
Internet-based services, and
support services
for this licensed content, unless other terms accompany those items. If so, those terms apply.
By using the licensed content, you accept these terms. If you do not accept them, do not use
the licensed content.

If you comply with these license terms, you have the rights below.
1. OVERVIEW.
Licensed Content. The licensed content includes software, printed materials, academic materials
(online and electronic), and associated media.
License Model. The licensed content is licensed on a per copy per device basis.
2. INSTALLATION AND USE RIGHTS.
a. Licensed Device. The licensed device is the device on which you use the licensed content. You
may install and use one copy of the licensed content on the licensed device.
b. Portable Device. You may install another copy on a portable device for use by the single
primary user of the licensed device.
c. Separation of Components. The components of the licensed content are licensed as a single
unit. You may not separate the components and install them on different devices.
d. Third Party Programs. The licensed content may contain third party programs. These license
terms will apply to your use of those third party programs, unless other terms accompany those
programs.
3. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Media Elements and Templates. You may use images, clip art, animations, sounds, music,
shapes, video clips and templates provided with the licensed content solely for your personal
training use. If you wish to use these media elements or templates for any other purpose, go to
www.microsoft.com/permission to learn whether that use is allowed.
b. Academic Materials. If the licensed content contains academic materials (such as white papers,
labs, tests, datasheets and FAQs), you may copy and use the academic materials. You may not
make any modifications to the academic materials and you may not print any book (either



electronic or print version) in its entirety. If you reproduce any academic materials, you agree
that:
The use of the academic materials will be only for your personal reference or training use
You will not republish or post the academic materials on any network computer or broadcast in
any media;
You will include the academic materials' original copyright notice, or a copyright notice to
Microsoft's benefit in the format provided below:
Form of Notice:
© 2007 Reprinted for personal reference use only with permission by
Microsoft Corporation. All rights reserved.
Microsoft and Windows are either registered trademarks or trademarks of
Microsoft Corporation in the US and/or other countries. Other product and
company names mentioned herein may be the trademarks of their respective
owners.
c. Distributable Code. The licensed content may contain code that you are permitted to distribute
in programs you develop if you comply with the terms below.
i. Right to Use and Distribute. The code and text files listed below are Distributable Code.
REDIST.TXT Files. You may copy and distribute the object code form of code listed in
REDIST.TXT files.
Sample Code. You may modify, copy, and distribute the source and object code form of
code marked as sample.
Third Party Distribution. You may permit distributors of your programs to copy and
distribute the Distributable Code as part of those programs.
ii. Distribution Requirements. For any Distributable Code you distribute, you must
add significant primary functionality to it in your programs;
require distributors and external end users to agree to terms that protect it at least as
much as this agreement;
display your valid copyright notice on your programs; and
indemnify, defend, and hold harmless Microsoft from any claims, including attorneys' fees,
related to the distribution or use of your programs.



iii. Distribution Restrictions. You may not
alter any copyright, trademark or patent notice in the Distributable Code;
use Microsoft's trademarks in your programs' names or in a way that suggests your
programs come from or are endorsed by Microsoft;
distribute Distributable Code to run on a platform other than the Windows platform;
include Distributable Code in malicious, deceptive or unlawful programs; or
modify or distribute the source code of any Distributable Code so that any part of it
becomes subject to an Excluded License. An Excluded License is one that requires, as a
condition of use, modification or distribution, that
the code be disclosed or distributed in source code form; or
others have the right to modify it.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the licensed
content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else's use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The licensed content is licensed, not sold. This agreement only gives you some
rights to use the licensed content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the licensed content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the licensed content that
only allow you to use it in certain ways. You may not
disclose the results of any benchmark tests of the licensed content to any third party without
Microsoft's prior written approval;
work around any technical limitations in the licensed content;
reverse engineer, decompile or disassemble the licensed content, except and only to the extent
that applicable law expressly permits, despite this limitation;
make more copies of the licensed content than specified in this agreement or allowed by
applicable law, despite this limitation;
publish the licensed content for others to copy;
rent, lease or lend the licensed content; or
use the licensed content for commercial licensed content hosting services.
Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks, do not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
6. BACKUP COPY. You may make one backup copy of the licensed content. You may use it only to
reinstall the licensed content.
7. TRANSFER TO ANOTHER DEVICE. You may uninstall the licensed content and install it on another
device for your use. You may not do so to share this license between devices.
8. TRANSFER TO A THIRD PARTY. The first user of the licensed content may transfer it and this
agreement directly to a third party. Before the transfer, that party must agree that this agreement



applies to the transfer and use of the licensed content. The first user must uninstall the licensed
content before transferring it separately from the device. The first user may not retain any copies.
9. EXPORT RESTRICTIONS. The licensed content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that
apply to the licensed content. These laws include restrictions on destinations, end users and end use.
For additional information, see www.microsoft.com/exporting.
10. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or licensed
content marked as NFR or Not for Resale.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if
you fail to comply with the terms and conditions of these license terms. Upon any termination of this
agreement, you must destroy all copies of the licensed content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based
services and support services that you use, are the entire agreement for the licensed content and
support services.
13. APPLICABLE LAW.
a. United States. If you acquired the licensed content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the licensed content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
licensed content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED AS-IS. YOU BEAR
THE RISK OF USING IT. MICROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES OR
CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL
LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER
YOUR LOCAL LAWS, MICROSOFT EXCLUDES THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.



16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER
FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU
CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS,
SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
anything related to the licensed content, software, services, content (including code) on third party
Internet sites, or third party programs; and
claims for breach of contract, breach of warranty, guarantee or condition, strict liability,
negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion
or limitation of incidental, consequential or other damages.
Please note: As this licensed content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.

Note: As this licensed content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content is offered "as is". Any use of this
licensed content is at your sole risk. Microsoft gives no other express warranty. You may
have additional rights under local consumer protection law, which this agreement cannot
modify. Where permitted by local law, the implied warranties of merchantability, fitness for
a particular purpose and non-infringement are excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain
compensation from Microsoft and its suppliers for direct damages only, up to US $5.00. You
may not claim compensation for any other damages, including special, indirect or incidental
damages and lost profits.
This limitation applies to:
anything related to the licensed content, to services or to content (including code) on
third-party Internet sites or in third-party programs; and
claims for breach of contract or warranty, or for strict liability, negligence or other
fault, to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such
damage. If your country does not allow the exclusion or limitation of liability for indirect,
incidental or other damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights
under the laws of your country. This agreement does not change the rights the laws of your
country give you if those laws do not permit it to do so.


Contents
Module 1: Exploring Windows Server 2008 Active Directory Roles
Lesson 1: Overview of Active Directory Domain Services 1-3
Lesson 2: Overview of AD LDS 1-8
Lesson 3: Overview of Active Directory Certificate Services 1-14
Lesson 4: Overview of AD RMS 1-24
Lesson 5: Overview of AD FS 1-31
Lab: Exploring Windows Server 2008 Active Directory Server Roles 1-37

Module 2: Introduction to Active Directory Domain Services


Lesson 1: Overview of Active Directory Domain Services 2-3
Lesson 2: Overview of AD DS Logical Components 2-11
Lesson 3: Overview of AD DS Physical Components 2-22
Lab: Exploring AD DS Components and Tools 2-32

Module 3: Introduction to Active Directory Lightweight Directory Services


Lesson 1: Active Directory Lightweight Directory Services Overview 3-3
Lesson 2: Implementing and Administering AD LDS 3-8
Lesson 3: Implementing AD LDS Replication 3-16
Lesson 4: Comparing AD DS and AD LDS 3-22
Lab: Exploring Configuring AD LDS 3-26

Module 4: Introduction to Active Directory Certificate Services


Lesson 1: Overview of Active Directory Certificate Services 4-3
Lesson 2: Understanding Active Directory Certificate Services Certificates 4-10
Lesson 3: Implementing Certificate Enrollment and Revocation 4-16
Lab: Exploring Active Directory Certificate Services 4-25


Module 5: Introduction to Active Directory Rights Management Services


Lesson 1: AD RMS Overview 5-3
Lesson 2: Understanding AD RMS 5-7
Lesson 3: Managing AD RMS 5-16
Lab: Exploring Active Directory Rights Management Services 5-23

Module 6: Introduction to Active Directory Federation Services


Lesson 1: AD FS Overview 6-3
Lesson 2: AD FS Deployment Scenarios 6-10
Lesson 3: Configuring AD FS Components 6-20
Lab: Exploring Active Directory Federation Services 6-29

Module 7: Creating Active Directory Domain Services User and Computer Objects
Lesson 1: Managing User Accounts 7-3
Lesson 2: Creating Computer Accounts 7-12
Lesson 3: Using Queries to Locate Objects in Active Directory 7-19
Lab: Creating AD DS User and Computer Accounts 7-25

Module 8: Creating Active Directory Domain Services Groups and Organizational Units
Lesson 1: Introduction to AD DS Groups 8-3
Lesson 2: Managing Group Accounts 8-15
Lesson 3: Creating Organizational Units 8-21
Lab: Creating an OU Infrastructure 8-28

Module 9: Managing Access to Resources


Lesson 1: Managing Access Overview 9-3
Lesson 2: Assigning Permissions to Shared Resources 9-12
Lesson 3: Managing NTFS File and Folder Permissions 9-21
Lesson 4: Determining Effective Permission 9-28
Lab: Managing Access to Resources 9-38


About This Course


This section provides you with a brief description of the course, audience,
suggested prerequisites, and course objectives.

Course Description
The purpose of this 3-day course is to provide Active Directory Technology
Specialists with an introduction to Active Directory server roles in Windows
Server 2008. The course is intended for entry level students who want to get
familiar with the Active Directory server roles and their basic functionality. This
course provides an overview of all of the Active Directory server roles, and provides
additional information for configuring Active Directory Domain Services.

Audience
This course is intended for any IT Professional (for example, DSTs, SA,
Generalists) who is new to Active Directory and wants to become familiar with
Active Directory concepts. The audience is interested in basic concepts and does
not want to get too deep into Active Directory services and configuration.

Student Prerequisites
This course requires that you meet the following prerequisites:
Basic understanding of networking. For example, how TCP/IP functions,
addressing, name resolution (DNS/WINS), and connection methods (wired,
wireless, VPN), NET+ or equivalent knowledge (WIS foundation (6420) or
equivalent).
Basic understanding of network operating systems. For example, Windows
2000, Windows XP, Windows Server 2003 etc.
Basic knowledge of server hardware. A+ or equivalent knowledge (Not
required but expected).

Course Objectives
After completing this course, students will be able to:
Understand how the Active Directory server roles are used in an enterprise
environment and how AD DS integrates with other AD DS roles.
Describe the reasons for deploying AD DS and describe the AD DS
components.


Describe how AD LDS works and configure AD LDS components.
Describe how AD CS works and implement AD CS certificate enrollment.
Describe how AD RMS works and configure AD RMS settings.
Describe how AD FS works and how to configure AD FS components.
Configure AD DS user and computer accounts.
Configure AD DS group accounts and organizational units.
Manage access to shared resources in an AD DS environment.

Course Outline
This section provides an outline of the course:
Module 1: Explains how the Active Directory server roles are used in an enterprise
environment and how AD DS integrates with other AD DS roles.
Module 2: Describes the reasons for deploying AD DS and describes AD DS
components.
Module 3: Describes how AD LDS works and how to configure AD LDS
components.
Module 4: Describes how AD CS works and how to implement AD CS certificate
enrollment.
Module 5: Describes how AD RMS works and how to configure AD RMS settings.
Module 6: Describes how AD FS works and how to configure AD FS components.
Module 7: Explains how to configure AD DS user and computer accounts.
Module 8: Explains how to configure AD DS group accounts and organizational
units.
Module 9: Explains how to manage access to shared resources in an AD DS
environment


Course Materials
The following materials are included with your kit:
Course handbook. The Course handbook contains the material covered in class.
It is meant to be used in conjunction with the Course Companion CD.
Course Companion CD. The Course Companion CD contains the full course
content, including expanded content for each topic pages, full lab exercises
and answer keys, topical and categorized resources and Web links. It is meant
to be used both inside and outside the class.

Note: To access the full course content, insert the Course Companion CD into the
CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.

Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification
Program, send e-mail to mcphelp@microsoft.com.


Virtual Machine Environment


This section provides the information for setting up the classroom environment to
support the business scenario of the course.

Virtual Machine Configuration


In this course, you will use Microsoft Virtual Server 2005 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not
save any changes. To close a virtual machine without saving the changes, perform
the following steps:
1. On the host computer, click Start, point to All Programs, point to Microsoft
Virtual Server, and then click Virtual Server Administration Website.
2. Under Navigation, click Master Status. For each virtual machine that is
running, point to the virtual machine name, and, in the context menu, click Turn off
Virtual Machine and Discard Undo Disks. Click OK.

The following table shows the role of each virtual machine that this course uses:

Virtual machine     Role
6424A-NYC-DC1       Domain controller in the WoodgroveBank.com domain
6424A-NYC-CL1       Client computer in the WoodgroveBank.com domain
6424A-LON-DC1       Domain controller in the EMEA.WoodgroveBank.com domain
6424A-NYC-SRV1      Member server in the WoodgroveBank.com domain;
                    additional Active Directory server roles installed
6424A-CHI-DC1       Domain controller in the NorthwindTraders.com domain


Software Configuration
The following software is installed on each virtual machine:
Windows Server 2008 Enterprise; Windows Vista

Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a
minimum equipment configuration for trainer and student computers in all
Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which
Official Microsoft Learning Product courseware is taught. This course requires a
computer that meets or exceeds hardware level 5, which specifies a 2.4 gigahertz
(minimum) Pentium 4 or equivalent CPU, at least 2 gigabytes (GB) of RAM, 16
megabytes (MB) of video RAM, and a 7200 RPM 40-GB hard disk.


Module 1
Exploring Windows Server 2008 Active
Directory Roles
Contents:
Lesson 1: Overview of Active Directory Domain Services 1-3
Lesson 2: Overview of AD LDS 1-8
Lesson 3: Overview of Active Directory Certificate Services 1-14
Lesson 4: Overview of AD RMS 1-24
Lesson 5: Overview of AD FS 1-31
Lab: Exploring Windows Server 2008 Active Directory Server Roles 1-37


Module Overview

Windows Server 2008 provides a rich platform for five Active Directory server
roles. This module describes the fundamental concepts of these five server roles.


Lesson 1
Overview of Active Directory Domain Services

AD DS provides a directory service that uses a centralized management and
authentication service for a network. AD DS provides the core services for all of the
other Active Directory server roles. This lesson provides an overview of how AD DS
provides this functionality.


What is a Directory Service?

Key Points
A network directory service:
Provides information about user objects, computers and services (such as an
e-mail address).
Stores this information in a secure database and provides the tools for
managing and searching the directory.
Allows you to manage all network user accounts and resources in a single
location and apply policies to the directory objects to ensure that all are
managed consistently.

Additional Reading
Deciding Between Workgroups and Domains


What is AD DS?

Key Points
Active Directory Domain Services (AD DS) is a centralized directory for user and
computer management and authentication. It provides authentication services for a
Windows Server 2008 network. The directory contains user objects, group objects,
and computer objects, as well as service information. This allows the service to
provide information about these objects, to authenticate them, and to manage
access to network resources.

Additional Reading
Deciding Between Workgroups and Domains


How Does AD DS Work?

Key Points
AD DS provides the following for a Windows Server 2008 network:
Stores user and computer objects
Authenticates user and computer objects
Stores group information


AD DS Integration with other Active Directory Server Roles

Key Points
Many of the other Windows Server 2008 server roles integrate with AD DS. Server
roles, such as the following, rely on AD DS:
Active Directory Federation Services (AD FS)
Active Directory Rights Management Services (AD RMS)
Active Directory Certificate Services (AD CS)


Lesson 2
Overview of AD LDS

Active Directory Lightweight Directory Services (AD LDS) is an Active Directory
server role that provides a Lightweight Directory Access Protocol (LDAP)-compliant
directory and directory services. When you configure AD LDS, you are able to use it to
provide authentication and directory services for custom-written, third-party and
other enterprise applications. This lesson provides an overview of LDAP and AD
LDS.


What is LDAP?

Key Points
Lightweight Directory Access Protocol (LDAP) is a standardized client/server,
TCP/IP-based protocol that has been in use for over 15 years and is leveraged by a
large number of applications and solutions.
The LDAP standards define consistent ways for naming and storing directory
objects. LDAP also provides methods for accessing, searching, and modifying
information that is stored in a directory.


Additional Reading
MSDN section on LDAP
RFCs that address LDAP:
"X.500 Lightweight Directory Access Protocol" (made obsolete by RFC 1777)
"A String Representation of LDAP Search Filters" (made obsolete by RFC 1960)
"Lightweight Directory Access Protocol"
"The String Representation of Standard Attribute Syntaxes"
"String Representation of Distinguished Names"
"An LDAP URL Format" (made obsolete by RFC 2255)
"A String Representation of LDAP Search Filters" (made obsolete by RFC 2254)
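Two of the string formats named in this list, the search filter and the distinguished name, carry escaping rules that matter whenever a directory query is built from application input: unescaped characters such as *, ( and ) change the structure of a filter rather than the value being matched. The following Go program is an added example and not part of the course material; it implements the filter-value escaping of RFC 4515 (the successor to RFC 2254) and the DN-value escaping of RFC 4514 and uses them to build a user lookup, where the filter shape, the sAMAccountName lookup and the WoodgroveBank.com container DN are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// EscapeFilterValue escapes an assertion value for an LDAP search filter
// (RFC 4515, section 3). The characters with structural meaning in a filter
// become a backslash plus two hex digits, so a value such as "a*b" matches the
// literal string instead of acting as a wildcard, and "(" or ")" cannot start
// a new filter component.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		if c == '\\' || c == '*' || c == '(' || c == ')' || c == 0 || c >= 0x80 {
			// Non-ASCII UTF-8 bytes may be sent raw, but escaping them keeps
			// the filter pure ASCII, which is friendlier to logs and tooling.
			fmt.Fprintf(&b, `\%02x`, c)
			continue
		}
		b.WriteByte(c)
	}
	return b.String()
}

// EscapeDNValue escapes an attribute value for use in a distinguished name
// string (RFC 4514, section 2.4): separator and quoting characters get a
// backslash, a leading '#' or space and a trailing space are escaped, and NUL
// becomes \00.
func EscapeDNValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch {
		case c == 0:
			b.WriteString(`\00`)
		case strings.IndexByte(`,+"\<>;`, c) >= 0:
			b.WriteByte('\\')
			b.WriteByte(c)
		case c == ' ' && (i == 0 || i == len(v)-1), c == '#' && i == 0:
			b.WriteByte('\\')
			b.WriteByte(c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// UserLookupFilter builds the filter an application would send to find one
// user account by logon name. objectClass and sAMAccountName are the AD DS
// attribute names; the filter shape itself is an assumption for this example.
func UserLookupFilter(logonName string) string {
	return fmt.Sprintf("(&(objectClass=user)(sAMAccountName=%s))", EscapeFilterValue(logonName))
}

// UserDN builds the DN of a user object under the given container DN.
func UserDN(commonName, containerDN string) string {
	return "CN=" + EscapeDNValue(commonName) + "," + containerDN
}

func main() {
	// Constructed inputs: a plain logon name, one that contains filter
	// metacharacters, and a display name that contains a DN separator.
	for _, name := range []string{"alice", "a*b(c)"} {
		fmt.Println(UserLookupFilter(name))
	}
	fmt.Println(UserDN("Smith, John", "OU=Users,DC=WoodgroveBank,DC=com"))
}
```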


What is AD LDS?

Key Points
Active Directory Lightweight Directory Services (AD LDS) is an LDAP directory
service.

Usage
AD LDS is used:
For applications that cannot or should not use AD DS.
To address scenarios where access to AD DS is not recommended due to
security concerns.


Flexibility
AD LDS does not have the restrictions of AD DS.
You can run multiple instances on a single computer.
It does not require a DNS infrastructure.
It is easily modified to meet application needs.

Additional Reading
Windows Server 2008 Future Resources
Windows Server 2003 Active Directory Application Mode


AD LDS Implementation Examples

Key Points
Many applications require user authentication and lookup, but do not require the
overhead or complexity of running AD DS. These applications can leverage AD
LDS to store and retrieve this information.
AD LDS can store:
User information
Application configuration information

Additional Reading
Active Directory Lightweight Directory Services


Lesson 3
Overview of Active Directory Certificate
Services

One of the most common ways to provide security in the enterprise and on the
Internet is to use digital certificates. Digital certificates provide security in many
scenarios, including securing Web sites and e-mail. Active Directory Certificate
Services (AD CS) enables the distribution and management of digital certificates.
This lesson explains digital certificates, public key infrastructure and
implementation scenarios for AD CS.


Discussion: What Are Digital Certificates Used For?

Key Points
Digital certificates bind a public key to the identity of its holder. They are used to
encrypt information for many different purposes and to authenticate users and
computers in different ways. Consider the different ways that digital certificates are
used for encryption and authentication, and the applications that would support the
use of certificates.


What is a Public Key Infrastructure (PKI)?

Key Points
A Public Key Infrastructure (PKI) enables an organization to distribute digital
certificates to users and computers.

Components
A PKI consists of several interrelated objects, applications, and services.
Certification authority (CA). Issues certificates to users, computers and services
and manages them over their lifetime. Each certificate issued by a CA is signed
with the CA's private key, so anyone who holds the CA certificate can verify that
the CA issued it.
Certificate revocation lists (CRLs). A signed list, published by the CA, of
certificates that have been revoked before their expiration date, for example
because a private key was compromised or an employee left. A client that does not
check the CRL will keep trusting a revoked certificate until it expires.
Certificate and CA management tools. Provide both graphical user interface
(GUI) and command-line tools to manage issued certificates, publish CA
certificates and CRLs, configure CAs, import and export certificates and keys,
and recover archived private keys.
Digital certificates. Electronic credentials that bind a public key to the identity
of its holder, who alone holds the matching private key. They are used to
authenticate users, computers and services and to protect data.


What Is AD CS?

Key Points
Active Directory Certificate Services (AD CS) is the Microsoft implementation of a
PKI. AD CS provides a fully functional PKI for a Windows Server network. These
services can also be extended to non-Windows-based devices. AD CS provides all
of the basic PKI services such as tools for management and revocation services.

Additional Reading
Active Directory Certificate Services


AD CS Implementation Examples

Key Points
AD CS can be used for a variety of scenarios including the following:
SSL certificates for internal Web sites. By using SSL with an internal Web
site, you can ensure that client authentication traffic and all access to the
Web site are encrypted, and that clients can verify they are talking to the
genuine server rather than an impostor.
Smart cards with certificates issued from the AD CS certification authority
for domain authentication. Smart cards provide two-factor authentication:
something the user has (the card holding the private key) and something the
user knows (the PIN that unlocks it).
Encrypting File System (EFS) certificates for domain-joined computers. By
using EFS certificates, users can encrypt files on their hard disks while
administrators centrally manage the certificates and can designate a recovery
agent, so that encrypted files are not lost together with a user's key.
Certificates for routers to establish IP security (IPsec) communication. AD
CS can issue the certificates required to authenticate IPsec peers, an option
for enabling remote access or virtual private networks.
Certificates for users to encrypt and sign e-mail messages. To sign e-mail, the
sender needs a certificate; to encrypt e-mail to a recipient, the sender also
needs the recipient's certificate, so certificates must be published where
senders can find them (for example, in AD DS).


How Does AD CS Work?

Key Points
In an auto-enrollment scenario:
1. The user or computer account is authenticated to AD DS.
2. The client reads the certificate templates and enrollment policy published in
AD DS, and the CA checks the permissions on the template when the request
arrives.
3. If the user or computer has the appropriate permissions and the template is
configured to allow auto-enrollment, the CA issues the certificate. The client
installs it in its certificate store and, if the template specifies it, the
certificate is also published to the account object in AD DS.

When manual enrollment is used:
1. The certificate request is created on a computer and then forwarded to the CA.
2. On the CA, the request is held in a pending state until an administrator
reviews and approves it.
3. Once approved, the certificate can be downloaded and installed on the
appropriate device.


Additional Reading
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
Infrastructure


AD DS and AD CS Integration

Key Points

Automatically generated certificates
Computer and user objects can have certificates generated from AD CS if the users
and computers have appropriate permissions and the certificate template is
configured to allow auto-enrollment.

Certificates stored in AD DS
The user or computer certificate can be stored with the user account or computer
account. These certificates are then replicated to all of the AD DS domain
controllers, resulting in resilient and redundant storage of certificate information.

Certificate policies
Certificate policies that govern how certificates are generated and what settings
these certificates have can also be stored and applied from AD DS.


Lesson 4
Overview of AD RMS

By using Active Directory Rights Management Services (AD RMS) and the AD RMS
client, you can augment an organization's security strategy by protecting
information even after the information has been shared between users. AD RMS
does this through persistent usage policies, which remain with the information, no
matter where it is moved. You can use AD RMS to help prevent sensitive
information (such as financial reports, product specifications, customer data, and
confidential e-mail messages) from intentional or accidental unauthorized use.


What is an Enterprise Rights Management Solution?

Key Points
A rights management solution is used to protect information stored in documents,
e-mail messages and Web sites from unauthorized viewing, modification or use.
Features typically include:
Helping protect sensitive information from being accessed or shared with
unauthorized users. A rights management solution can be used to prevent
users from forwarding or copying content to other unauthorized users.
Helping ensure that data content is protected and tamper-resistant. A rights
management solution uses encryption and digital signatures to protect data
from unauthorized access and modification.
Controlling when data will expire based on time requirements, even when
that information is sent over the Internet to other individuals. This helps to
ensure that the most current information is available.


What is AD RMS?

Key Points
Active Directory Rights Management Services (AD RMS) is the Windows Server
2008 implementation of an enterprise rights management solution.
RMS helps protect information by:
Providing the tools to distribute client certificates to trusted users.
Enforcing content access policies.
Providing centralized management.

Note: RMS-enabled applications are required to use AD RMS.


Additional Reading
Windows Rights Management Services
How It Works: Windows Rights Management Services
Active Directory Rights Management Services Overview


AD RMS Implementation Examples

Key Points
You can deploy AD RMS to protect content sent in an e-mail message.
1. The content creator applies a usage policy (for example, no forwarding or no
printing) to protect the content of the message.
2. The AD RMS client encrypts the content and obtains a publishing license from
the AD RMS server that records the permissions assigned by the content creator.
3. When the content consumer receives the message, the client e-mail software
requests a use license from the AD RMS server before the user can view the
message.
4. The AD RMS server checks the consumer's identity against the publishing
license and returns a use license stating what the user can do with the
message; the client software then enforces those usage rights.


Additional Reading
Deploying Active Directory Rights Management Services in an Extranet Step-
by-Step Guide


AD DS and AD RMS Integration

Key Points
AD RMS integrates with AD DS in three key areas:
All AD RMS users must have an AD DS user account. Before a user can apply
an RMS policy to content, or before a consumer can access content, they must
be authenticated by AD DS.
AD DS provides the e-mail addresses to obtain rights for content. All users
must be configured with an e-mail address, even if the organization has not
deployed an e-mail server.
AD RMS services are registered as service connection points in AD DS to
enable clients to locate the AD RMS servers. When an RMS-aware client tries
to locate an AD RMS server to protect or consume content, the client will
connect to AD DS. The service connection point in AD DS provides the client
with the information regarding the AD RMS server that it should use.


Lesson 5
Overview of AD FS

Active Directory Federation Services (AD FS) extends AD DS authentication to
other organizations. When you deploy AD FS, you can establish federated trusts
between two organizations so that user accounts that have authenticated in one
organization are trusted to access an application in the other organization. This
can provide single sign-on between the organizations for accessing Web
applications. This lesson provides an overview of how AD FS can be used.


What is AD FS?

Key Points

Enables a trust relationship
Active Directory Federation Services (AD FS) allows you to configure a federated
trust relationship between two organizations.
The account partner organization contains and manages the user accounts.
The resource partner organization maintains a Web-based application.

Provides access to applications
After users in the account organization are authenticated by AD DS in their
organization, the account can be used to access applications across the federation
trust without a second account in the resource organization.

Provides single sign-on
AD FS can also provide single sign-on (SSO) for separate Web-based applications.


How AD FS Traffic Flows in a B2B Federation Scenario

Key Points
AD FS allows for users in a trusted directory to access a Web-based application in
the partner domain using user credentials from the local directory.

Benefits
Reduces the management overhead for administrators since only one account
has to be administered.
The end users only need to remember one set of user credentials.


How Does AD FS Work?

Key Points
The B2B AD FS authentication scenario follows these basic steps:
1. A client computer connects to a Web application in a different organization.
2. The Web application redirects the Web client to the resource partner's
federation server.
3. The resource partner's AD FS server responds to the client, requesting that it
obtain a security token from the AD FS server in the account partner
organization.
4. The client authenticates to its own AD DS, requests the security token from
the account partner's AD FS server, and presents that token to the resource
partner's AD FS server, which verifies the issuer's signature and then issues
the token that the Web application trusts.
5. The client presents that token to the Web application and gains access.
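The exchange above, as an added example that is not part of the course or of the AD FS product: an account-partner federation server issues a token, the resource-partner federation server checks issuer, signature, audience and lifetime before issuing the token the application accepts. Real AD FS signs SAML tokens with the federation server's X.509 token-signing certificate; this simulation stands in an HMAC key shared between the two partners so that it runs offline. The partner names, URLs, keys and claims are constructed for illustration.

```python
"""Simulated AD FS business-to-business logon.

Added example, not course or product code. An HMAC shared key stands in
for each partner's token-signing certificate; partner names, URLs and
claims are constructed."""
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class FederationServer:
    """One federation server. `trusted` maps a partner issuer name to the key
    used to verify that partner's tokens; it models the federation trust."""

    def __init__(self, name, signing_key, trusted=None):
        self.name = name
        self.signing_key = signing_key
        self.trusted = dict(trusted or {})

    def issue_token(self, audience, claims, lifetime_s=600, now=None):
        now = time.time() if now is None else now
        body = {"iss": self.name, "aud": audience, "iat": now,
                "exp": now + lifetime_s, "claims": claims}
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        sig = _b64(hmac.new(self.signing_key, payload.encode(), hashlib.sha256).digest())
        return payload + "." + sig

    def validate_token(self, token, expected_audience, now=None):
        """Return the claims if the token is acceptable, else raise ValueError.
        Each check is separate so the failure reason is visible in logs."""
        now = time.time() if now is None else now
        try:
            payload, sig = token.split(".")
            body = json.loads(_unb64(payload))
        except ValueError as exc:  # covers bad base64, bad JSON, wrong part count
            raise ValueError("malformed token") from exc
        if not isinstance(body, dict):
            raise ValueError("malformed token")
        key = self.trusted.get(body.get("iss"))
        if key is None:
            raise ValueError("issuer not a trusted federation partner")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("signature invalid")
        if body.get("aud") != expected_audience:
            raise ValueError("token issued for a different audience")
        if not (body["iat"] - 300 <= now < body["exp"]):  # 5 min clock skew
            raise ValueError("token expired or not yet valid")
        return body["claims"]

def b2b_logon(account_fs, resource_fs, app_url, claims, now=None):
    """Steps 3-5: the client fetches a token from its home (account) federation
    server, presents it to the resource federation server, and receives the
    token the Web application accepts."""
    partner_token = account_fs.issue_token(audience=resource_fs.name, claims=claims, now=now)
    claims_seen = resource_fs.validate_token(partner_token, resource_fs.name, now=now)
    return resource_fs.issue_token(audience=app_url, claims=claims_seen, now=now)

# Constructed trust: Tailspin Toys (account partner) and Woodgrove Bank (resource partner).
TAILSPIN_KEY = b"tailspin-token-signing-key"    # stands in for Tailspin's signing cert
WOODGROVE_KEY = b"woodgrove-token-signing-key"  # stands in for Woodgrove's signing cert
APP = "https://wiretransfer.woodgrovebank.example/"

tailspin_fs = FederationServer("urn:federation:tailspintoys", TAILSPIN_KEY)
woodgrove_fs = FederationServer("urn:federation:woodgrovebank", WOODGROVE_KEY,
                                trusted={"urn:federation:tailspintoys": TAILSPIN_KEY})
# The Web application trusts only its own resource federation server.
wire_app = FederationServer(APP, b"unused", trusted={"urn:federation:woodgrovebank": WOODGROVE_KEY})

def demo(now=1_200_000_000.0):
    token = b2b_logon(tailspin_fs, woodgrove_fs, APP,
                      {"upn": "alice@tailspintoys.example", "group": "Purchasing"}, now=now)
    return wire_app.validate_token(token, APP, now=now)

def rejected_reason(token, now=1_200_000_000.0):
    """Why the resource federation server refuses a token, or None if accepted."""
    try:
        woodgrove_fs.validate_token(token, woodgrove_fs.name, now=now)
    except ValueError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    print(demo())
```

The audience check is the one most often forgotten: a token Tailspin issued for some other resource partner must not be accepted by Woodgrove, even though the issuer and signature are genuine.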


AD DS and AD FS Integration

Key Points
AD FS is integrated with AD DS in the following ways:
AD FS requires a directory service like AD DS or AD LDS to store all user
accounts.
AD FS enables the account partner in the federation trust to manage all user
accounts.
Resource partners may also use AD DS to restrict access to the Web
applications.
AD FS also extends some AD DS functionality to applications located in a
perimeter network.


Summary of the Active Directory Server Roles


Lab: Exploring Windows Server 2008 Active Directory Server Roles


Exercise 1: Planning Active Directory Server Role Implementations
Scenario 1
Woodgrove Bank is partnering with Tailspin Toys. Tailspin Toys employees need
to be able to access an online application to complete wire transfers to toy
suppliers. You must identify a solution to provide access for the Tailspin Toys
employees to the Web application.

Scenario 2
Tailspin Toys has recently experienced a situation that caused information about
the company's new projects to be posted on the Internet. The executive team has
mandated that a solution be created to protect confidential data from being e-mailed
or printed so that it can be used outside of the company. You must identify
a solution to meet the new executive requirements.


Scenario 3
Woodgrove Bank has been put under new regulatory restrictions that require all
employees to log on to their computers with two-factor authentication. These
regulations also require that all e-mail is encrypted and authenticated. You must
identify a solution to meet these new regulations.

Scenario 4
Tailspin Toys is developing a Web application that will include user accounts from
the corporate directory. The corporate policy forbids the schema changes that are
required for the Web application to function. You must identify a solution to
provide a user directory as well as changes in the schema.


The main tasks for this exercise are as follows:
1. Review each of the scenarios and determine which of the Active Directory
server roles are required for each scenario.
2. Make some basic decisions about Active Directory server placement.

Task 1: Review the four scenarios and determine which of the Active
Directory server roles will assist in providing the required solution.

Task 2: Determine the location where each of the server roles would
be placed.

Result: At the end of this exercise, you will have practiced decision making about
Active Directory server roles and placement.


Exercise 2: Understanding Active Directory Server Role Integration with AD DS
Scenarios
Please see the above 4 scenarios from Exercise 1.
The main tasks for this exercise are as follows:
1. The student will review each of the scenarios and determine how the server
roles are integrated with Active Directory Domain Service in each scenario.
2. The instructor will then lead a class discussion reviewing the answers provided
by students for both exercises.

Task 1: How does the selected Active Directory role integrate with AD
DS in each scenario?

Task 2: What might happen if the AD DS integration stopped working?

Result: At the end of this exercise, you will have (1) described how the Active
Directory server roles integrate with AD DS, and (2) postulated the results of
integration failure.


Module Review and Takeaways

Review Questions
1. You have been tasked with deploying a solution to provide two-factor
authentication for users on workstations located at your company. Which two
Active Directory server roles would you need to deploy to provide a centrally
managed two-factor authentication solution?
2. In what way does AD CS rely on AD DS?
3. What are some ways that certificates generated by AD CS can be used for
encryption?
4. What are some reasons for deploying AD LDS instead of AD DS?
5. What are some of the basic functions that AD RMS provides?


Module 2
Introduction to Active Directory Domain
Services
Contents:
Lesson 1: Overview of Active Directory Domain Services 2-3
Lesson 2: Overview of AD DS Logical Components 2-11
Lesson 3: Overview of AD DS Physical Components 2-22
Lab: Exploring AD DS Components and Tools 2-32


Module Overview

Windows Server 2008 Active Directory Domain Services (AD DS) is a Microsoft
Windows-based directory service. As a directory service, AD DS stores
information about objects on a network and makes this information available to
users and network administrators. Additionally, AD DS can be used to ensure that
only authorized users have access to network resources.


Lesson 1
Overview of Active Directory Domain
Services

AD DS stores information about objects on a network and makes this information
available to users and network administrators. AD DS also enables network users
to access resources anywhere on the network using a single logon process. AD DS
also provides network administrators with an intuitive, hierarchical view of the
network and a single point of administration for all network objects.


Why Deploy Active Directory Domain Services?

Key Points
The primary reasons for deploying AD DS are as follows:
Centralized directory. Simplifies network administration by allowing
management of all accounts in a single directory.
Single sign-on access. Most organizations have multiple servers offering a
variety of services to users. Without some type of common directory service,
each of these servers would require a separate logon for user authentication
and authorization.
Integrated security. AD DS works with Windows Server 2008 to check the
security permissions associated with each person. AD DS can accommodate
users logging on from workstations using Windows NT, 98, 2000, XP, and
Vista.

Scalability. AD DS can be easily configured to add additional servers and
users within the same building as well as servers and users in other buildings
and regions. Once added, scheduled AD DS replication of user and computer
directory information between the various locations continues to give users
consistent access to servers and applications.
Common management interface. The Microsoft Management Console
(MMC) provides network administrators and technicians with a consistent user
interface for all tasks related to the maintenance and deployment of AD DS, as
well as all other Microsoft Windows Server 2008 services.

Additional reading
Active Directory on a Windows Server 2003 Network


What is Authentication?

Key Points
Authentication simply refers to the process of verifying that a user is who they
claim to be. Authentication, including single sign-on, is a two-part process:
interactive logon and network authentication.

Interactive logon
Interactive logon confirms the user's identity on a specific computer, using
either a domain account (verified by a domain controller) or a local account
(verified against the computer's own account database).

Network authentication
Network authentication confirms the user's identity to any network service
that the user is attempting to access. With single sign-on, the credentials
established at interactive logon are reused, so the user is not prompted again.

Additional reading
Logon and Authentication Technologies


What is Authorization?

Key Points
Authorization is the second step in the process of gaining access to network
resources. Authorization, which happens after authentication, is based on the
security token that is granted to the user account when they log on to the network.

Terminology
Security identifier (SID). A unique identifier created with the user account (and
with every other security principal, such as a group or computer).
Security token. A security token is granted to the user account for a logon
session. It carries the user's SID and the SIDs of the groups the user belongs to;
the system uses the token to control access to securable objects.
Discretionary access control list (DACL). One type of ACL (access control list).
Defines which users and groups (based on the user or group SID) have access to
the object and defines the level of access granted to the user or group.


Authorization process
When the user tries to access a network resource, the client computer presents the
security token to the server hosting the resource. The SIDs in the security token
(the user's own SID and those of the user's groups) are compared with the access
control entries in the DACL of the resource's security descriptor. In a correctly
ordered DACL, deny entries precede allow entries; the request is granted only if
no matching deny entry covers a requested right and the matching allow entries
together cover every right that was requested.
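The comparison described above, as an added example that is not part of the course material or of Windows itself: a token holding SIDs is checked against a DACL of allow and deny entries for a requested set of rights. The SIDs, access-mask bits and sample DACL are constructed for illustration; the evaluation order (deny entries before allow entries, stop at the first deny that touches a requested right, accumulate allow entries until every requested right is covered) follows the documented Windows access-check behaviour.

```python
"""Simulated Windows-style access check: token SIDs against a DACL.

Added example, not course or product code. SIDs, mask bits and the sample
DACL below are constructed; the evaluation rules follow the documented
Windows algorithm."""
from dataclasses import dataclass, field

# Constructed access-mask bits (a small subset of the real Windows masks).
READ = 0x1
WRITE = 0x2
DELETE = 0x4

ALLOW = "allow"
DENY = "deny"

@dataclass(frozen=True)
class ACE:
    kind: str   # ALLOW or DENY
    sid: str    # trustee this entry applies to
    mask: int   # rights covered by this entry

@dataclass
class Token:
    user_sid: str
    group_sids: frozenset = field(default_factory=frozenset)

    def sids(self):
        return {self.user_sid} | set(self.group_sids)

def canonicalize(dacl):
    """Windows places explicit deny ACEs before explicit allow ACEs.

    A DACL that is not in this order can grant access that a deny entry was
    meant to block, so the list is normalised before it is evaluated."""
    denies = [a for a in dacl if a.kind == DENY]
    allows = [a for a in dacl if a.kind == ALLOW]
    return denies + allows

def access_check(token, dacl, desired):
    """Return True if every bit in `desired` is granted to the token.

    A deny ACE whose trustee is in the token and whose mask overlaps the
    still-unsatisfied rights fails the check at once; allow ACEs accumulate
    rights until all desired bits are covered. A missing DACL (None) grants
    everyone everything; an empty DACL grants nobody anything."""
    if dacl is None:
        return True
    token_sids = token.sids()
    remaining = desired
    for ace in canonicalize(dacl):
        if ace.sid not in token_sids:
            continue
        if ace.kind == DENY and ace.mask & remaining:
            return False
        if ace.kind == ALLOW:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

# Constructed sample: a file whose DACL denies DELETE to "Contractors",
# allows READ|WRITE to "Staff" and full rights to "Admins".
SAMPLE_DACL = [
    ACE(ALLOW, "S-1-5-21-1-1-1-512", READ | WRITE | DELETE),  # Admins
    ACE(DENY,  "S-1-5-21-1-1-1-1105", DELETE),               # Contractors
    ACE(ALLOW, "S-1-5-21-1-1-1-1104", READ | WRITE),         # Staff
]

def demo():
    contractor = Token("S-1-5-21-1-1-1-2001",
                       frozenset({"S-1-5-21-1-1-1-1104", "S-1-5-21-1-1-1-1105"}))
    admin = Token("S-1-5-21-1-1-1-500", frozenset({"S-1-5-21-1-1-1-512"}))
    outsider = Token("S-1-5-21-9-9-9-3000")
    return {
        "contractor_read": access_check(contractor, SAMPLE_DACL, READ),
        "contractor_delete": access_check(contractor, SAMPLE_DACL, DELETE),
        "admin_delete": access_check(admin, SAMPLE_DACL, DELETE),
        "outsider_read": access_check(outsider, SAMPLE_DACL, READ),
        "empty_dacl": access_check(admin, [], READ),
        "null_dacl": access_check(outsider, None, READ | WRITE | DELETE),
    }

if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The contractor is a member of Staff as well, so the Staff allow entry would grant DELETE's neighbours; the deny entry for Contractors still wins because it is evaluated first. Note also the difference between a missing DACL and an empty one, a distinction that has caused real exposures when code treated both as "no restrictions".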

Additional reading
Authorization and Access Control Technologies
Security Identifiers
Tools to Manage Security Principals


Using AD DS to Centralize Network Management

Key Points
The largest cost of owning computers is the cost in managing and maintaining
them. If systems were maintained individually, the cost would quickly become
unacceptably high. AD DS provides a way to automate computer management
using centrally applied settings. This allows for the most efficient use of IT
administrative resources.

Additional reading
Group Policies


Overview of AD DS Components

Key Points
AD DS is composed of both physical components (domain controllers, the data
store, sites) and logical components (forests, domains, organizational units, the
schema). When an organization implements AD DS, instances of both are created.

Additional reading
What Are Domains and Forests?


Lesson 2
Overview of AD DS Logical Components

As an AD DS administrator, you will spend most of your time working with the
logical components that make up AD DS. During the implementation of AD DS,
your organization will have configured various AD DS components such as
domains, sites and organizational units. You will be working with these
components as you create and manage user accounts or computer accounts.


What Is the AD DS Schema?

Key Points
The AD DS schema defines every type of object that can be stored in the directory.
Before an object can be created in AD, it must first be defined in the schema. The
schema also enforces a number of rules regarding the creation of objects in the
database. These rules define the information that can be stored with each object
and the data type of that information.

Additional reading
What Is the Active Directory Schema?


What Is a Domain?

Key Points
A domain is a logical grouping of AD DS objects, and the most basic building block
in the AD DS model.
Each domain must have at least one domain controller installed. In fact, you create
a domain by installing the first domain controller in the domain, and you remove a
domain by removing the last domain controller in the domain.

Additional reading
What Are Domains and Forests?


What Are AD DS Trusts?

Key Points
Domains can allow secure access to shared resources outside of their boundaries
using authenticated connections called trusts.
Trusts enable users to:
Access resources in domains other than the domain where their user account
is configured.
Log on to computers that are members of domains other than the domain
where the user account is configured.

Additional reading
Trusts
How Domains and Forests Work


What Is a Domain Tree?

Key Points
A domain tree is a hierarchy of domains in AD DS. The first domain created is the
root domain. As subsequent domains are added to the domain tree, they are
created as child domains under the root domain.
Within a domain tree, all domains share a common or contiguous namespace. For
example, if the root domain is WoodgroveBank.com, the child domains would use
names such as EMEA.WoodgroveBank.com.

Additional reading
What Are Domains and Forests?


What Is a Forest?

Key Points
A forest is a collection of one or more domain trees. All domains and domain trees
exist within an Active Directory forest.

Additional reading
What Are Domains and Forests?


What Is an Organizational Unit?

Key Points
Organizational units (OUs) are Active Directory containers into which you can
place users, groups, computers, and other OUs. OUs are designed to make AD DS
easier to administer.

Additional reading
Organizational Units


Discussion: Scenarios for Implementing AD DS Logical Components

Questions

For each scenario, describe how AD DS logical components (Domain, OUs) could
be deployed in these organizations.
Scenario 1: Contoso Inc. has a single office with 20 employees and a single
business unit. The business owner manages all AD DS administrative tasks.
Scenario 2: NorthWind Traders has a single office. The organization has two
business units which are administered separately but all AD DS management tasks
will be managed by the same administrative team. The organization also needs to
assign different policies to managers and to each business unit as well as to the
computers used by each of these groups.


Scenario 3: Coho Vineyards has two separate business units located in two offices
in different countries. Each office has about 10,000 users. Each office has multiple
departments and all of the departments need different policies applied to them.
Each office also has a separate team of administrators that must be able to manage
all of the user and computer accounts in their office, but should not be able to
manage any objects in the other office. One team of administrators at the head
office should be able to manage all user accounts, computer accounts and servers
in both offices.
Scenario 4: Woodgrove Bank has multiple locations deployed in different
countries around the world. Because of the privacy requirements in the different
countries, the offices in each country must be managed by a different group of
administrators and the administrators must not be able to modify any objects in
other countries. No group of administrators should be able to access objects in
other countries.


What Are AD DS Objects?

Key Points
AD DS objects are entities created on AD DS domain controllers. AD DS objects all
fall into one or more categories, such as resources (e.g.: printers), services (e.g. e-
mail, shared folders) and users (both individuals and groups).
Each category of object has a set of defined attributes which exist in the Active
Directory schema. This makes creating and administering new instances of a
particular type of object very efficient.

Additional reading
Active Directory Users and Computers Help


Demonstration: Tools for Managing the AD DS Logical Components

Questions
1. What is the basis of the OU organization at Woodgrove Bank?
2. You need to manage an AD DS domain controller from your computer
running Windows Vista, but you do not have the administration tools installed
on the computer. How could you manage the domain controller?


Lesson 3
Overview of AD DS Physical Components

AD DS information is stored in a single database on the domain controller's hard
disk. If a domain or forest has more than one domain controller, the AD DS data is
replicated regularly to each domain controller. This lesson describes the physical
components that make up AD DS and provides an overview of how replication
works.


What Are AD DS Domain Controllers?

Key Points
A domain controller is a server in an AD DS domain that provides directory
services. All domain controllers (except Read Only Domain Controllers) contain a
writable copy of the AD DS database and allow administrators access to manage
user accounts and other network resources. Domain controllers are also involved
in authenticating users and authorizing access to network resources in the domain.
Domain controllers also participate in the replication of the AD DS database where
changes made on the domain controller are replicated to other domain controllers
within their domain.

Additional reading
Domain Controller Roles


Overview of DNS and AD DS

Key Points
AD DS relies on the Domain Name System (DNS) to locate domain controllers and
other services on a network. Therefore, every AD DS domain name is a DNS domain
name, and domain controllers register service (SRV) records that clients query to
find them. Without a reliable DNS infrastructure, domain controllers on your
network will not be able to replicate with each other, workstations will not be able
to log on to the network, and Microsoft Exchange servers will not be able to send
e-mail.
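How a client gets from a domain name to a domain controller, as an added example that is not part of the course or of Windows: the SRV record names the DC Locator queries under the _msdcs subdomain (site-specific first, then domain-wide), and the RFC 2782 priority and weight rules that pick one answer. The SRV answers below are constructed rather than fetched, so the script runs offline; a real client resolves them through DNS. Domain, site and host names are illustrative.

```python
"""DC Locator: the SRV names an AD DS client queries and how it picks a DC.

Added example, not course or product code. Record names follow the
documented _msdcs layout; the zone contents are constructed."""
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str

def locator_queries(dns_domain, site=None, service="ldap", forest=None):
    """Names a DC Locator client asks for, most specific first."""
    names = []
    if site:
        names.append(f"_{service}._tcp.{site}._sites.dc._msdcs.{dns_domain}")
    names.append(f"_{service}._tcp.dc._msdcs.{dns_domain}")
    if forest:  # global catalog lookups are forest-wide, not per domain
        names.append(f"_gc._tcp.{forest}")
    return names

def select_srv(records, rng=None):
    """RFC 2782 selection: lowest priority wins; among equal priorities pick
    at random in proportion to weight, with weight-0 records ordered last so
    they are chosen only when nothing else is available."""
    if not records:
        return None
    rng = rng or random.Random()
    best = min(r.priority for r in records)
    pool = [r for r in records if r.priority == best]
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool)
    pick = rng.randint(1, total)
    running = 0
    for r in sorted(pool, key=lambda r: r.weight == 0):  # non-zero weights first
        running += r.weight
        if running >= pick:
            return r
    return pool[-1]  # not reachable when total > 0; kept as a guard

def find_dc(answers, dns_domain, site=None, rng=None):
    """Walk the locator names in order and return (query, record) for the
    first name that has answers, or (None, None) if no DC can be found."""
    for name in locator_queries(dns_domain, site=site):
        if answers.get(name):
            return name, select_srv(answers[name], rng)
    return None, None

# Constructed zone contents for woodgrovebank.example with two sites.
ZONE = {
    "_ldap._tcp.Seattle._sites.dc._msdcs.woodgrovebank.example": [
        SRV(0, 100, 389, "sea-dc01.woodgrovebank.example."),
        SRV(0, 100, 389, "sea-dc02.woodgrovebank.example."),
    ],
    "_ldap._tcp.dc._msdcs.woodgrovebank.example": [
        SRV(0, 100, 389, "sea-dc01.woodgrovebank.example."),
        SRV(0, 100, 389, "sea-dc02.woodgrovebank.example."),
        SRV(10, 100, 389, "lon-dc01.woodgrovebank.example."),  # used only if priority 0 DCs vanish
    ],
}

def demo(site="Seattle", seed=1):
    return find_dc(ZONE, "woodgrovebank.example", site=site, rng=random.Random(seed))

if __name__ == "__main__":
    print(demo())
    print(demo(site="Paris"))  # no site-specific record: falls back to the domain-wide name
```

This is also why DNS is a security dependency and not only an availability one: whoever can answer these SRV queries decides which server a workstation will send its logon to.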


What Are Global Catalog Servers?

Key Points
A global catalog server is a domain controller; as such, it stores a full copy of all
objects in the directory for its own domain. In addition, it stores a partial copy (a
subset of the attributes) of every object in every other domain in the forest. That
partial catalog of objects in other domains is used by search operations. Storing
information about objects in other domains gives users efficient searches without
affecting network performance or causing unnecessary referrals to other domain
controllers.

Additional reading
What Is the Global Catalog?


What Is the AD DS Data Store?

Key Points
All of the directory data in AD DS is stored in a single database file on the domain
controller, named Ntds.dit, together with its transaction log files. The location of
these files can be set during the domain controller promotion process; the default
location for the database and log files is %SystemRoot%\Ntds. The AD DS data
store consists of these database files and the processes that store and manage
directory information for users, services, and applications.

Additional reading
What is a Data Store?


What Is AD DS Replication?

Key Points
AD DS replication refers to the process by which directory data is synchronized
between the domain controllers in a forest. AD DS uses a multi-master replication
model. This means that AD DS information can be modified on any domain
controller, which then sends its most recent directory changes to the other
domain controllers according to the replication schedule.

Additional reading
What Is the Active Directory Replication Model?


What Are Sites?

Key Points
A site is defined as an area of the network where all domain controllers are
connected by a fast, inexpensive, and reliable network connection. A site is a
specific AD DS organizational entity used to manage network traffic.
You can also use sites to assign Group Policy settings. If all users or computers in a
company location require the same configuration, you can assign a Group Policy
object at the site level.
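The DNS, global catalog and site topics above all meet in the domain controller locator: a client resolves SRV records for its domain, prefers the records registered under its own site, and asks for a global catalog server when it needs a forest-wide search. The PowerShell below is an added example, not part of the 6424A courseware, showing the records and locator calls involved. The domain and site name are assumptions taken from the lab scenario; substitute your own. It uses nslookup and nltest because Resolve-DnsName does not exist on Windows Server 2008 or Windows Vista.

```powershell
# Added example (not part of the 6424A courseware): the DNS records and locator queries
# behind the DNS, global catalog and site topics. Domain and site are assumptions from the
# lab; run on any domain-joined Windows Server 2008 or Windows Vista machine.
$domain = 'WoodgroveBank.com'
$site   = 'Default-First-Site-Name'

# SRV records that every domain member depends on. If these are missing or stale,
# logons, Group Policy and replication fail before anything else does.
$srvRecords = @(
    "_ldap._tcp.dc._msdcs.$domain",               # any writable DC in the domain (LDAP, port 389)
    "_kerberos._tcp.dc._msdcs.$domain",           # KDCs (port 88)
    "_gc._tcp.$domain",                           # global catalog servers, forest-wide (port 3268)
    "_ldap._tcp.$site._sites.dc._msdcs.$domain"   # only the DCs registered in this site
)

foreach ($name in $srvRecords) {
    Write-Host "== $name"
    # Each SRV answer carries the target host, port and the priority/weight the locator uses.
    nslookup -type=SRV $name 2>&1 | Select-String 'svr hostname', 'port', 'priority', 'weight'
}

# Which site did this machine land in? The locator maps the client's IP address to a subnet
# object in Active Directory Sites and Services and tries that site's DCs first.
nltest /dsgetsite

# Which DC answered the locator, and can a global catalog server be found for forest-wide
# searches? The second call fails when no GC is reachable.
nltest "/dsgetdc:$domain"
nltest "/dsgetdc:$domain" /gc

# A domain controller registers its own records through the Netlogon service; when a DC is
# missing from the answers above, re-registering is the first fix (run these on that DC):
#   ipconfig /registerdns
#   net stop netlogon; net start netlogon
```

Reading the site-specific record beside the domain-wide one is the quickest way to confirm that a branch-office DC is actually being found by branch clients; if `nltest /dsgetsite` returns a different site than expected, the fix is usually a missing subnet object, not DNS.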

Additional reading
Active Directory Sites and Services


Discussion: Scenarios for Implementing AD DS Physical Components

Questions

Question: For each scenario, describe how AD DS physical components could be
deployed in these organizations.
Scenario 1: Contoso Inc. has a single office with 20 employees and a single
business unit. The business owner manages all AD DS administrative tasks.
Scenario 2: NorthWind Traders has a head office with about 250 workers. The
organization also has a small branch office with 25 users that is connected to the
head office through a slow and unreliable network connection. The organization
has two business units that are administered separately, but all AD DS
management tasks are handled by the same administrative team.


Scenario 3: Coho Vineyards has two separate business units located in two offices
in different countries. Each office has about 10,000 users. The offices are
connected by a high speed and reliable network connection that is not heavily
utilized during business hours.
Scenario 4: Woodgrove Bank has multiple locations deployed in different
countries around the world. In all countries, the company has a single data center
located in a central city. In addition, the company has numerous small branch
offices with 5-100 users. The branch offices are connected to the main office
through a variety of WAN connections.


Demonstration: Tools for Managing the AD DS Physical Components

Questions

1. You need to determine which site a workstation is located in. How would you
do this?
2. You run the Repadmin /showrepls command and notice several errors
between domain controllers located in different sites. What would you do to
resolve the errors?
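Reading `Repadmin /showrepls` one domain controller at a time does not scale once several sites are involved. The PowerShell below, an added example that is not part of the 6424A courseware, pulls the replication status of every domain controller in one pass and filters it down to the failing inbound links, which is the starting point for question 2 above and for the multi-master replication topic earlier in the lesson. It relies on the CSV output of `repadmin /showrepl` and on ConvertFrom-Csv, which needs Windows PowerShell 2.0; the status-code meanings in the comments are the standard Win32 error codes. Run it with domain administrator rights.

```powershell
# Added example (not part of the 6424A courseware): triage AD DS replication failures across
# all DCs at once. Requires repadmin (RSAT / domain controller) and PowerShell 2.0 for ConvertFrom-Csv.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

# Every inbound replication link with at least one consecutive failure.
$failing = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }

if (-not $failing) {
    'No replication failures reported.'
}

# What is failing, between which partners, and since when.
$failing |
    Select-Object 'Destination DSA Site', 'Destination DSA', 'Source DSA Site', 'Source DSA',
                  'Naming Context', 'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
    Sort-Object 'Number of Failures' -Descending |
    Format-Table -AutoSize

# Group by status code. The code usually tells you where to look:
#   1722 RPC server unavailable and 1256 remote system not available -> firewall, WAN or DNS
#   8524 DNS lookup failure                                          -> DC locator / DNS records
#   8453 replication access denied                                   -> secure channel or permissions
#   8606 insufficient attributes / lingering objects                 -> partner offline too long
$failing | Group-Object 'Last Failure Status' | Select-Object Count, Name

# Links that have not succeeded in the last day (or never) are the ones to fix first.
$failing |
    Where-Object {
        $last = $_.'Last Success Time' -as [datetime]
        (-not $last) -or ($last -lt (Get-Date).AddDays(-1))
    } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Success Time'

# After fixing the underlying cause (DNS, firewall, site link), force the partners to
# replicate and confirm the summary is clean instead of waiting for the schedule:
#   repadmin /syncall NYC-DC1 /AdeP     (all partitions, cross-site, push)
repadmin /replsummary
```

Inter-site errors that clear on their own when the WAN recovers are normal; the ones to chase are links whose failure count keeps climbing or whose last success is older than the tombstone lifetime, because those will eventually leave lingering objects behind.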


Lab: Exploring AD DS Components and Tools

Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank also has strategic partnerships with other
organizations, including Fabrikam, Inc. and NorthWind Traders. Woodgrove Bank
has deployed AD DS.
As the new AD DS administrator, you must install the AD DS management tools on
your Windows Vista workstation and then examine the AD DS environment at
Woodgrove Bank.


Exercise 1: Installing the AD DS Management Tools


In this exercise you will install the AD DS management tools on a Windows Vista
computer.
The main tasks are as follows:
1. Start the 6424A-NYC-DC1 virtual machine and log on as Administrator.
2. Start the 6424A-NYC-CL1 virtual machine and log on as Claudia.
3. Start the 6424A-LON-DC1 virtual machine and log on as Administrator.
4. Install the Windows Server 2008 administration tools on Windows Vista.

Task 1: Start the 6424A-NYC-DC1 virtual machine and log on as Administrator
Start 6424A-NYC-DC1 and log on as Administrator using the password
Pa$$w0rd.

Task 2: Start the 6424A-NYC-CL1 virtual machine and log on as Claudia
Start 6424A-NYC-CL1 and log on as Claudia using the password Pa$$w0rd.

Task 3: Start the 6424A-LON-DC1 virtual machine and log on as Administrator
Start 6424A-LON-DC1 and log on as Administrator using the password
Pa$$w0rd.

Task 4: Install the Windows Server 2008 administration tools on Windows Vista

Result: At the end of this exercise, you will have installed the Windows Server 2008
administration tools on Windows Vista.


Exercise 2: Examining the AD DS Logical Components


In this exercise you will use the AD DS management tools to examine the AD DS
logical components.
The main tasks are as follows:
1. Open Active Directory Users and Computers to examine the logical
components of Woodgrove Bank AD DS.
2. Open Active Directory Domains and Trusts to examine the logical components
of Woodgrove Bank AD DS.
3. In Active Directory Users and Computers, change the domain that you are
administering.

Task 1: Open Active Directory Users and Computers to examine the logical components of Woodgrove Bank AD DS.
1. On NYC-CL1, open Active Directory Users and Computers as an
administrator.
2. What domain are you administering?
3. What are the three types of objects listed under the domain? How can you tell
the difference?
4. Expand the NYC OU, and then click BranchManagers. What design was used
to create the OU structure at WoodgroveBank.com?
5. Examine the BranchManagers OU properties. Review the configuration
options that can be configured for an OU.
6. Examine the properties for the NYC_BranchManagersGG group. What is the
group type and scope?
7. Click the Members and Member of tabs and review the information.
8. Double-click Doris Krieger and review the configuration options for a user
account.
9. In the console tree pane, click Computers. In the details pane, double-click
NYC-CL1 and review the configuration options for a computer account.
10. Leave Active Directory Users and Computers open.


Task 2: Open Active Directory Domains and Trusts to examine the logical components of Woodgrove Bank AD DS.
1. On NYC-CL1, open Active Directory Domains and Trusts as an
administrator.
2. What domains are listed as child domains in the WoodgroveBank.com forest?
3. Access the Trusts tab on the WoodgroveBank.com Properties. What type of
trust is created between WoodgroveBank.com and
EMEA.WoodgroveBank.com?
4. What type of trust is created between EMEA.WoodgroveBank.com and
WoodgroveBank.com?
5. Close Active Directory Domains and Trusts.

Task 3: In Active Directory Users and Computers, change the domain that you are administering.
1. In Active Directory Users and Computers, change the domain to administer
EMEA.WoodgroveBank.com.
2. Verify that you can connect to the EMEA.WoodgroveBank.com domain. Why
can you connect to the domain without providing authentication credentials?
3. Change the domain controller so that you are administering
LON-DC1.EMEA.WoodgroveBank.com and click OK.
4. Verify that you can connect to the LON-DC1.WoodgroveBank.com domain
controller. What domain is displayed in Active Directory Users and
Computers?
5. Close Active Directory Users and Computers.

Result: At the end of this exercise, you will have explored the WoodgroveBank.com
AD DS environment by using the AD DS management tools.


Exercise 3: Examining the AD DS Physical Components


In this exercise you will use the AD DS management tools to examine the AD DS
physical components.
The main tasks are as follows:
1. Enable Remote Desktop connections on NYC-DC1.
2. Connect to NYC-DC1 using Remote Desktop.
3. Use Active Directory Users and Computers to examine the Domain
Controllers in the WoodgroveBank.com domain.
4. Log off from Remote Desktop and shut down all virtual machines.

Task 1: Enable Remote Desktop connections on NYC-DC1.
1. On NYC-DC1, click Start, and then open Server Manager.
2. In Server Manager, configure Remote Desktop to allow connections only from
computers running Remote Desktop with Network Level Authentication
(more secure). What limitation does this selection place on the remote
desktop connections?
3. Which users have Remote Desktop access by default?

Task 2: Connect to NYC-DC1 using Remote Desktop.
1. On NYC-CL1, start a Remote Desktop Connection.
2. Connect to NYC-DC1 using Administrator as the User name and Pa$$w0rd
as the password. Click OK.

Task 3: Use Active Directory Users and Computers to examine the Domain Controllers in the WoodgroveBank.com domain.
1. In the Remote Desktop connection, open Active Directory Users and
Computers.
2. How many domain controllers are deployed in the domain? What is different
about each domain controller?
3. Close Active Directory Users and Computers.


Task 4: Use Active Directory Sites and Services to examine the Domain Controllers in the WoodgroveBank.com domain.
1. In the Remote Desktop connection, open Active Directory Sites and Services.
2. How many sites are listed in the forest? What is the site or sites called?
3. Verify that the same domain controllers are listed in the Default-First-Site-
Name as were listed in Active Directory Users and Computers.
4. Expand NYC-DC1, right-click NTDS Settings, and click Properties. Verify that
NYC-DC1 is configured as a global catalog server.
5. On the Connections tab, examine the replication connections on the domain
controller.

Task 5: Log off Remote Desktop and shut down all virtual machines.
1. In the Remote Desktop connection, click Start, and then click Log off.
2. Shut down all virtual machines and delete changes.

Result: At the end of this exercise, you will have examined the AD DS physical
properties in the WoodgroveBank.com domain.


Module Review and Takeaways

Review Questions
1. You have just installed a new domain controller in your domain. What two
tools could you use to verify that the domain controller has been added to the
domain?
2. You want to group all of the users in a branch office together so that you can
assign permissions on a shared folder to all of the users in the branch office.
What type of AD DS object should you create?
3. What are the differences between a domain, a domain tree, and a forest?
4. What feature makes it easy and fast to search a forest for user phone numbers?
5. What is the relationship between a domain and a site?


Summary of Active Directory Domain Services


AD DS provides a directory service for organizations that enables them to provide
secure access to network resources and centralized administration. AD DS enables
users to be authenticated, and then authorizes the user to access network resources
based on that network authentication.
AD DS is composed of logical and physical components. Logical components such
as domains, forests and OUs are used to group objects together for administrative
purposes. Physical components such as domain controllers and sites are deployed
to provide a consistent experience for users throughout the AD DS environment.


Module 3
Introduction to Active Directory Lightweight
Directory Services
Contents:
Lesson 1: Active Directory Lightweight Directory Services Overview 3-3
Lesson 2: Implementing and Administering AD LDS 3-8
Lesson 3: Implementing AD LDS Replication 3-16
Lesson 4: Comparing AD DS and AD LDS 3-22
Lab: Exploring Configuring AD LDS 3-26


Module Overview

The Windows Server 2008 Active Directory Lightweight Directory Services (AD LDS)
role is a Lightweight Directory Access Protocol (LDAP) directory service. It
provides data storage and retrieval for directory-enabled applications, without the
dependencies that are required for Active Directory Domain Services (AD DS).


Lesson 1
Active Directory Lightweight Directory
Services Overview

Active Directory Lightweight Directory Services (AD LDS) is designed to provide a
directory service for applications. These applications may require a directory
service to provide authentication, or may be configured to store their
configuration data in an external directory. AD LDS provides a simple but flexible
solution for these situations.


How Active Directory Lightweight Directory Services Works

Key Points
AD LDS provides a hierarchical, file-based directory store that uses the Extensible
Storage Engine (ESE) for file storage. By default, AD LDS stores its data in
%ProgramFiles%\Microsoft ADAM\[AD LDS instance name]\data\adamntds.dit.
Applications then access this directory store over TCP/IP by using the LDAP
protocol.

Additional Reading
AD LDS Help File
Windows 2008 Active Directory Components (upper left box)


AD LDS Administration Tools

Key Points
There are a variety of administration tools available for AD LDS. The table on the
slide lists the tools and their functions.

Additional Reading
AD LDS Help File


What is the AD LDS Schema?

Key Points
In order for an object type to be created in the directory, it first has to be defined in
the schema. The schema definition includes object classes and attributes.
An object class represents a category of objects that share a set of common
characteristics (e.g., users, printers, or application programs).
An attribute describes one part of an object class. The definition for each
object class contains a list of the attributes that can be used to describe
instances of the class. The list of attributes for a class is divided into mandatory
and optional attributes.
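The schema rules above are what an extension has to satisfy in practice: a new attributeSchema object needs an OID, a syntax, and a single-valued flag, and it becomes usable only after it is added to a class's optional attribute list and the schema cache is reloaded. The PowerShell below is an added example, not part of the 6424A courseware or of any Microsoft LDF file, that extends an AD LDS instance with one attribute and verifies the result. The server name, port and attribute name are assumptions; the OID is an obvious placeholder and a real extension must use an OID issued from your organization's own arc.

```powershell
# Added example (not part of the 6424A courseware): add one attribute to the AD LDS schema,
# expose it on the user class, reload the schema cache, then verify. NYC-SRV1, port 50000 and
# the attribute name are assumptions; the OID is a PLACEHOLDER, not a registered value.
$server = 'NYC-SRV1'
$port   = 50000

# "DC=X" is a token that ldifde replaces with the instance's real schema naming context,
# which in AD LDS includes a GUID you do not want to hard-code.
$ldif = @'
dn: CN=woodgrove-EmployeeID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: woodgroveEmployeeID
adminDescription: Employee ID issued by HR (example attribute)
attributeId: 1.2.840.113556.1.8000.2554.999999.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: woodgroveEmployeeID
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
'@
# attributeSyntax 2.5.5.12 with oMSyntax 64 is a Unicode string; searchFlags 1 indexes it.
# The two schemaUpdateNow blocks reload the schema cache so the new attribute and the
# modified class are visible to the next operation without restarting the instance.

$ldfPath = "$env:TEMP\employeeid.ldf"
$ldif | Set-Content -Path $ldfPath -Encoding ASCII

# "#schemaNamingContext" must be quoted in PowerShell, otherwise # starts a comment.
ldifde -i -f $ldfPath -s $server -t $port -j $env:TEMP `
       -c "CN=Schema,CN=Configuration,DC=X" "#schemaNamingContext"

# Verify: read the real schema naming context from RootDSE and export the new attribute.
$rootDse  = [ADSI]"LDAP://${server}:${port}/RootDSE"
$schemaNc = $rootDse.schemaNamingContext.Value
ldifde -f con -s $server -t $port -d $schemaNc `
       -r "(ldapDisplayName=woodgroveEmployeeID)" -l attributeId,attributeSyntax,isSingleValued,searchFlags
```

Schema changes replicate to every replica in the configuration set and cannot be deleted, only defunct-ed, which is why each application should import its own vendor LDF once rather than having administrators hand-edit attributes with ADSIEdit.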

Additional Reading
AD LDS Help File


Demonstration: Modifying the AD LDS Schema

Questions

1. What tools can you use to modify the AD LDS schema?
2. Under what circumstances might you need to change the schema in AD LDS?


Lesson 2
Implementing and Administering AD LDS

Active Directory Lightweight Directory Services (AD LDS) is a server role that is
installed on a Windows Server 2008 computer by using Server Manager. After
installing the server role, you configure AD LDS by using the Active Directory
Lightweight Directory Services Setup Wizard. You can then use several
administrative utilities to configure AD LDS for your implementation.


What is an AD LDS Instance?

Key Points
An AD LDS instance is a single running copy of the AD LDS directory service. An
instance contains all of the essential components needed for running AD LDS (i.e.,
a communication interface, directory service and data store). The data store for
each instance has all three partitions required for AD LDS. Each instance is bound
to separate TCP/IP ports on the server.

Additional Reading
AD LDS Help File


What is an AD LDS Application Partition?

Key Points
The AD LDS application partition is where the applications store data. Unlike the
schema and configuration partitions, the application partition does not store AD
LDS configuration or definition information.


Demonstration: Configuring AD LDS Instances and Application Partitions

Questions

1. What tool do you use to configure AD LDS instances?
2. What tool do you use to create application partitions?
3. Consider a scenario where you need to install two different copies of the same
application on two different servers. Both applications will use AD LDS on one
server, but the information from the two applications should not be combined.
How would you configure instances and application partitions in AD LDS?


AD LDS Users and Groups

Key Points
A set of four default groups is created when an AD LDS instance is created.
AD LDS also enables the use of Windows security principals for authentication and
access control.
You can use ADSIEdit or LDP to create and modify the users and groups in the
configuration partition and in a specific application partition.

Additional Reading
AD LDS Help File:
"Understanding AD LDS Users and Groups"
"Add or Remove Members to or from an AD LDS Group"


How Does Access Control Work in AD LDS?

Key Points
AD LDS provides access control that:
1. Authenticates the identity of all users. Authentication against AD LDS can be
done with users created in AD LDS as well as with Windows local and AD DS
security principals.
2. Uses access control lists (ACLs) to determine whether the user has permission to
access specific objects. You can use the Dsacls utility to view or modify the
ACLs of a particular object.

Additional Reading
AD LDS Help File: "Working with Authentication and Access Control"


Demonstration: Configuring Users, Groups and Access Control

Questions

1. Which tools can be used to administer users and groups?
2. Which tool is used to administer access control?
3. Consider a scenario where you have deployed an application that uses AD
LDS. The application requires that all users have read access to the application
data, but only advanced users in the application should be able to modify the
application data. All of the users have accounts in your AD DS domain. How
would you configure permissions?


Additional Reading
AD LDS Help File:
"Disable or Enable an AD LDS User"
"Add an AD LDS User to the Directory"
"Add or Remove Members to or from an AD LDS Group"
"View or Set Permissions on a Directory Object"


Lesson 3
Implementing AD LDS Replication

AD LDS uses replication to provide high availability and load balancing for
directory services. By implementing replication between AD LDS instances, you
can provide copies of the directory information on multiple servers. This lesson
describes the reasons for replicating data, how replication works and how to
configure replication.


How AD LDS Replication Works

Key Points
AD LDS allows multiple replicas of an instance to be created on separate servers.
These servers can be in separate locations. AD LDS uses multimaster replication to
ensure that each of the replicas has the same information.

Additional Reading
AD LDS Help File, "Understanding AD LDS Replication and Configuration Sets"


Why Implement AD LDS Replication?

Key Points
There are three main reasons to use AD LDS replication: high availability, load
balancing, and geographic limitations.
High availability. Creating multiple replicas allows one replica to be taken down
for maintenance or updates while the other replicas stay online and continue to
service the application.
Load balancing. You can configure the application to load balance between
replicas when a single server computer is not able to handle all of the requests.
Geographic limitations. When an application is hosted in multiple sites but uses
an AD LDS server in a single office, the application may respond slowly. Placing a
replica at each of the sites can improve the application's performance.


Demonstration: Configuring AD LDS Replication

Questions

1. What tool do you use to configure replication?


2. Consider a scenario where your organization has two locations and the same
application that uses AD LDS is configured in both locations. The applications
should have access to the same information and the information should be as
current as possible. In one of the locations, another application is also using
AD LDS, but that application information should not be replicated between
office locations. The applications use the same schema. How would you
configure AD LDS replication?


Discussion: Scenarios for Implementing AD LDS

Questions

For each scenario, describe how AD LDS could be deployed in these organizations.
Scenario 1: Woodgrove Bank has deployed a Web application that uses AD LDS to
store user information and preferences. This application is deployed only at the
corporate head office in New York. Customers use the Web application 24 hours
per day, and it is critical that the application is available whenever users want
access. The bank has deployed 4 load-balanced Web servers hosting the
application. How would you configure AD LDS to support this scenario?
Scenario 2: Contoso Inc. has deployed a Web-based order system that uses AD
LDS for customers. To ensure that network failures do not affect the order system's
availability, the organization has deployed servers hosting the application in three
company locations. The available network bandwidth between the company
locations is limited. How would you configure AD LDS to support this scenario?


Scenario 3: NorthWind Traders is deploying several internal applications that use
AD LDS as a directory service. All of the applications include an installation file
that makes schema changes in AD LDS when the application is installed.
NorthWind Traders has 5 company locations, and users in all 5 locations will be
accessing the applications. All servers hosting the applications are installed at the
company headquarters in Bangalore. How would you configure AD LDS to
support this scenario?


Lesson 4
Comparing AD DS and AD LDS

AD DS and AD LDS have a number of similarities in both features and usage.
However, there are also some very important differences that make each suitable
for specific tasks. This lesson compares AD DS and AD LDS.


Similarities between AD DS and AD LDS

Key Points
AD LDS and AD DS are similar in the following ways. Both AD DS and AD LDS:
Are LDAP compliant directories that support LDAP client connections.
Use multimaster replication for data distribution.
Support delegating administration to partitions or organizational units (OUs)
by group, role or user.
Use the Extensible Storage Engine (ESE) for the database store.


Differences between AD DS and AD LDS

Key Points
AD DS and AD LDS are each designed for their own specific and unique purpose;
as such, they have several differences. AD DS is meant for enterprise service
authentication and administration whereas AD LDS is meant to provide a robust,
easy to implement foundation for other applications to leverage for authentication
and data storage.


Integrating AD DS and AD LDS

Key Points
Many organizations want to use the data stored in AD DS for custom
applications. These custom applications may require specific schema attributes to
function, yet most organizations do not want these applications to store their
schema extensions or configuration information in AD DS. By integrating
AD DS and AD LDS, you can synchronize data between the two directories rather
than extending the schema of AD DS.

Additional Reading
AD LDS Help File:
"Synchronize with Active Directory Domain Services"
"Import the User Classes That Are Supplied with AD LDS"


Lab: Exploring Configuring AD LDS

Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has deployed AD LDS to implement
directory services for various applications in the organization. You need to
configure the AD LDS server role in preparation for deploying the applications.


Exercise 1: Configuring AD LDS Instances and Application Partitions
In this exercise you will use the AD LDS Setup Wizard to configure an AD LDS
instance and an application partition.
The main tasks are as follows:
1. Start the 6424A-NYC-SRV1 virtual machine and log on as administrator.
2. Use Server Manager to add the AD LDS role to the server.
3. Use AD LDS Wizard to create an AD LDS instance named Woodgrove.
4. Use LDP to create an application partition named
CN=Partition2,DC=Woodgrove.

Task 1: Start the 6424A-NYC-SRV1 virtual machine and log on as Administrator
Start 6424A-NYC-DC1 and log on as administrator using the password
Pa$$w0rd.

Task 2: Use Server Manager to add the AD LDS role to the server
Add the AD LDS Role using Server Manager.


Task 3: Use the AD LDS Setup Wizard to create an AD LDS instance named Woodgrove
1. In the content pane under the Advanced Tools section, click AD LDS Setup
Wizard.
2. Create an application partition named Partition1 during the setup process.
3. Select the MS-User.LDF schema file to import.

Task 4: Use LDP to create an application partition named CN=Partition2,DC=Woodgrove

Result: At the end of this exercise, you will have configured an AD LDS instance and
an application partition.
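The wizard and LDP steps in this exercise can be driven from the command line, which matters as soon as the same instance has to be built on more than one server or rebuilt in a test lab. The PowerShell below is an added example, not part of the 6424A courseware, that performs the exercise unattended: it writes an AD LDS setup answer file for adaminstall.exe, creates the Woodgrove instance with Partition1 and the MS-User.LDF import, then adds Partition2 with ldifde the way LDP does in Task 4. The instance name, ports and paths follow the lab scenario and are assumptions; run it elevated on NYC-SRV1 after the AD LDS role has been added.

```powershell
# Added example (not part of the 6424A courseware): unattended equivalent of Exercise 1.
# Instance name, ports and paths are assumptions from the lab scenario. Run elevated on
# NYC-SRV1 once the AD LDS server role is installed.
$server   = 'NYC-SRV1'
$instance = 'Woodgrove'
$ldapPort = 50000
$sslPort  = 50001

# Answer file for adaminstall.exe. InstallType=Unique creates a new configuration set;
# the partition and the schema import mirror Task 3 of the exercise.
$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=$instance
LocalLDAPPortToListenOn=$ldapPort
LocalSSLPortToListenOn=$sslPort
NewApplicationPartitionToCreate="CN=Partition1,DC=Woodgrove"
DataFilesPath=C:\Program Files\Microsoft ADAM\$instance\data
LogFilesPath=C:\Program Files\Microsoft ADAM\$instance\data
ImportLDIFFiles="MS-User.LDF"
"@
$answerPath = "$env:TEMP\$instance-install.txt"
$answer | Set-Content -Path $answerPath -Encoding ASCII

& "$env:windir\ADAM\adaminstall.exe" "/answer:$answerPath"
Remove-Item $answerPath    # answer files can carry service credentials; do not leave them around

# Partition2: a new application partition is an object of class container whose
# instanceType is 5 (1 = head of a naming context, 4 = writable), exactly what LDP
# creates interactively in Task 4.
$partition2 = @'
dn: CN=Partition2,DC=Woodgrove
changetype: add
objectClass: container
instanceType: 5
'@
$ldfPath = "$env:TEMP\partition2.ldf"
$partition2 | Set-Content -Path $ldfPath -Encoding ASCII
ldifde -i -f $ldfPath -s $server -t $ldapPort -j $env:TEMP

# Confirm the instance now lists configuration, schema and both application partitions.
$rootDse = [ADSI]"LDAP://${server}:${ldapPort}/RootDSE"
$rootDse.namingContexts
```

Binding to RootDSE is the same check ADSIEdit performs when you connect to the instance; seeing CN=Partition2,DC=Woodgrove in namingContexts is the proof that the object was created as a partition rather than as an ordinary container inside Partition1.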


Exercise 2: Configuring AD LDS Access Control


In this exercise you will use ADSIEdit to create user accounts and groups and to
configure access control. You will then test the access control.
The main tasks are as follows:
1. Log on to 6424A-NYC-SRV1 as administrator.
2. Open ADSIEdit and connect to the created instance.
3. Create a container with the distinguished name CN=Users,
CN=Partition1,DC=Woodgrove.
4. Create User1 in the created container of the application partition.
5. Create Group1 in the Roles container of the application partition and add
User1 into Group1.
6. Use Dsacls to give User1 and Group1 permissions to view the application
partition.
7. Use ADSIEdit to connect to the instance and verify permissions.

Task 1: Log on to 6424A-NYC-SRV1 as Administrator

Task 2: Open ADSIEdit and connect to the created instance
Use ADSIEdit and connect to \\NYC-SRV1\CN=Partition1,DC=Woodgrove.

Task 3: Create a container with the distinguished name CN=Users,CN=Partition1,DC=Woodgrove
Use ADSIEdit to create CN=Users,CN=Partition1,DC=Woodgrove.

Task 4: Create User1 in the created container of the application partition

Task 5: Create Group1 in the Roles container of the application partition and add User1 into Group1


Task 6: Use Dsacls to give User1 and Group1 permissions to view the application partition

Task 7: Use ADSIEdit to connect to the instance and verify permissions

Result: At the end of this exercise, you will have configured user accounts, groups
and access control, and tested the access control.
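Tasks 3 to 7 of this exercise map onto two command-line tools: ldifde for creating the container, the user and the group, and Dsacls for granting and inspecting permissions. The PowerShell below is an added example, not part of the 6424A courseware, that performs those steps against the instance built in Exercise 1. The server, port and object names follow the lab and are assumptions. The user is created without a password because AD LDS refuses to accept one over a plain LDAP connection; it stays disabled until a password is set and msDS-UserAccountDisabled is cleared, which the exercise does with ADSIEdit.

```powershell
# Added example (not part of the 6424A courseware): scripted version of Exercise 2 Tasks 3-7.
# Assumes the Woodgrove instance from Exercise 1 is listening on NYC-SRV1:50000 and that the
# account running this script is an administrator of that instance.
$server    = 'NYC-SRV1'
$port      = 50000
$partition = 'CN=Partition1,DC=Woodgrove'

# Container, user and group. The Roles container already exists in every application
# partition; User1 is created disabled (no password can be set without SSL).
$ldif = @"
dn: CN=Users,$partition
changetype: add
objectClass: container

dn: CN=User1,CN=Users,$partition
changetype: add
objectClass: user
cn: User1

dn: CN=Group1,CN=Roles,$partition
changetype: add
objectClass: group
cn: Group1
member: CN=User1,CN=Users,$partition
"@
$ldfPath = "$env:TEMP\partition1-principals.ldf"
$ldif | Set-Content -Path $ldfPath -Encoding ASCII
ldifde -i -f $ldfPath -s $server -t $port -j $env:TEMP

# Dsacls addresses an AD LDS object as \\server:port\DN and names AD LDS principals by DN.
# GR = generic read; /I:T applies the ACE to the partition head and everything below it.
$target = "\\${server}:${port}\${partition}"
dsacls $target /G "CN=Group1,CN=Roles,${partition}:GR" /I:T
dsacls $target /G "CN=User1,CN=Users,${partition}:GR" /I:T

# Verify (Task 7): list the ACL and show only the entries for the two new principals.
dsacls $target | Select-String 'Group1', 'User1'
```

Granting User1 directly and through Group1 is what the exercise asks for, but in production the group grant alone is preferable: the per-user ACE has to be found and removed when the account leaves, whereas membership in Group1, or in the built-in Readers role in CN=Roles, is visible in one place and cleans itself up.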


Exercise 3: Configuring AD LDS Replication


In this exercise you will use the AD LDS Setup Wizard to configure a second
replica of an AD LDS application partition. You will then verify replication.
The main tasks are as follows:
1. Log on to 6424A-NYC-DC1 as administrator.
2. Run the AD LDS Setup Wizard and create a replica of WoodgroveApp1.
3. Use ADSI Edit to connect to Partition1 on NYC-DC1 and verify the data.
4. Use ADSI Edit to connect to Partition1 and create CN=User2,
CN=Partition1,DC=Woodgrove.

Task 1: Log on to 6424A-NYC-DC1 as Administrator
Log on as Administrator using the password Pa$$w0rd.

Task 2: Run the AD LDS Setup Wizard and create a replica of WoodgroveApp1
Run the AD LDS Setup Wizard and create a replica of WoodgroveApp1 from NYC-SRV1.

Task 3: Use ADSI Edit to connect to Partition1 on NYC-DC1 and verify data
Open ADSIEdit on NYC-DC1 and bind to the local replica.


Task 4: Use ADSI Edit to connect to Partition1 and create CN=User2,CN=Partition1,DC=Woodgrove
Log on to NYC-SRV1 and use ADSIEdit to connect to
CN=Partition1,DC=Woodgrove.

Task 5: Verify replication of the new object to NYC-SRV1

Result: At the end of this exercise, you will have configured a second replica of an
AD LDS application partition and verified replication.
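The replica in this exercise is also something you would normally script, and the replication check in Tasks 3 and 5 is faster from the command line than by browsing ADSIEdit. The PowerShell below is an added example, not part of the 6424A courseware, that installs the second replica unattended on NYC-DC1 and then inspects replication with repadmin and ldifde. The lab refers to the replica as WoodgroveApp1; the instance name, ports and source server below are assumptions matching the earlier exercises, and the account running the script must already be an administrator of the source instance because adaminstall.exe binds as the logged-on user.

```powershell
# Added example (not part of the 6424A courseware): unattended replica install for Exercise 3
# plus command-line verification. Run elevated on NYC-DC1 with the AD LDS role installed;
# the source instance is the one created on NYC-SRV1:50000 in Exercise 1.
$source     = 'NYC-SRV1'
$sourcePort = 50000
$localPort  = 50000
$partition  = 'CN=Partition1,DC=Woodgrove'

# InstallType=Replica joins the existing configuration set instead of creating a new one;
# schema and configuration partitions always replicate, application partitions only when listed.
$answer = @"
[ADAMInstall]
InstallType=Replica
InstanceName=Woodgrove
LocalLDAPPortToListenOn=$localPort
LocalSSLPortToListenOn=50001
SourceServer=$source
SourceLDAPPort=$sourcePort
ApplicationPartitionsToReplicate="$partition"
DataFilesPath=C:\Program Files\Microsoft ADAM\Woodgrove\data
LogFilesPath=C:\Program Files\Microsoft ADAM\Woodgrove\data
"@
$answerPath = "$env:TEMP\woodgrove-replica.txt"
$answer | Set-Content -Path $answerPath -Encoding ASCII
& "$env:windir\ADAM\adaminstall.exe" "/answer:$answerPath"
Remove-Item $answerPath

# Task 3: does the local replica hold Partition1 and has initial replication succeeded?
# repadmin addresses an AD LDS instance as host:port, just like a domain controller name.
$rootDse = [ADSI]"LDAP://localhost:${localPort}/RootDSE"
$rootDse.namingContexts
repadmin /showrepl "localhost:$localPort"

# Task 5: after CN=User2 is created on NYC-SRV1, check whether it has arrived here.
ldifde -f con -s localhost -t $localPort -d $partition -r "(cn=User2)" -l cn,objectClass,whenCreated

# Pull changes now rather than waiting for the schedule, then confirm the summary is clean.
repadmin /syncall "localhost:$localPort" $partition
repadmin /replsummary "localhost:$localPort"
```

A replica that lists the partition in namingContexts but whose `repadmin /showrepl` output shows a failed last attempt has joined the configuration set without completing its initial sync; that is the state to fix (firewall between the ports, or the installing account lacking rights on the source) before creating any objects.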


Module Review and Takeaways

Review Questions
1. What are the three core partition types in an AD LDS instance?
2. What ways are AD DS and AD LDS similar?
3. What tools are used to administer AD LDS and what are each used for?
4. What are some reasons for deploying multiple AD LDS replicas?
5. How would you configure AD LDS if two applications required schema
attributes that conflict with each other?


Summary of Active Directory Lightweight Directory Services


Windows Server 2008 Active Directory Lightweight Directory Services (AD LDS)
is a Lightweight Directory Access Protocol (LDAP) directory service. It provides
data storage and retrieval for directory-enabled applications, without the
dependencies that are required for AD DS.
AD LDS can have multiple writable replicas of the data on several servers. Having
multiple writable copies eliminates the single point of failure. Replication provides
high availability, allows for load balancing and better serves geographically
dispersed application access.
AD LDS and AD DS are similar in that they both use an ESE database, allow LDAP
client connections, leverage multimaster replication and allow delegated
administration. They provide different functionality as AD DS is an enterprise
directory for administration and management and AD LDS is a lightweight
customizable solution for applications to use for authentication and data storage.

Introduction to Active Directory Certificate Services 4-1

Module 4
Introduction to Active Directory Certificate
Services
Contents:
Lesson 1: Overview of Active Directory Certificate Services (AD CS) 4-3
Lesson 2: Understanding AD CS Certificates 4-10
Lesson 3: Implementing Certificate Enrollment and Revocation 4-16
Lab: Exploring Active Directory Certificate Services 4-25


Module Overview

One of the most important components in a network security plan is the use of
digital certificates. Digital certificates can be used to secure network traffic, secure
Web sites and secure AD DS authentication. Active Directory Certificate Services
(AD CS) provides the tools and services to create and manage these digital
certificates. Furthermore, the integration of AD CS with AD DS provides
organizations with a cost-effective, efficient, and secure way to manage the
distribution and use of certificates.


Lesson 1
Overview of Active Directory Certificate
Services (AD CS)

Many network security components require the digital certificates that are issued
by a certification authority (CA). When you implement a CA, you have several
options for how to design and configure the CA. This lesson describes some of
these options when deploying a CA such as AD CS.


What is a Certification Authority?

Key Points
The certification authority (CA) is the entity entrusted to issue certificates to
individuals, computers, or organizations.
The CA performs the following functions:
Verifies the identity of the certificate requestor.
Issues certificates to requesting users, computers and services.
Manages certificate revocation.

Additional reading
Public Key Infrastructure


How CA Hierarchies Work

Key Points
Certification authorities can be chained together in hierarchies. A hierarchy is
created when one CA trusts another. The root CA is the one that is trusted by all the
other CAs in the hierarchy. The subordinate CAs are those that trust the root CA. A
trust is created when a subordinate server is issued a certificate from a server
higher in the hierarchy.

Additional reading
Active Directory Certificate Services Help File: Public Key Infrastructures


Options for Implementing Certification Authorities

Key Points
You can configure a certification authority for your company using an internal
private CA such as AD CS, or you can leverage an external third-party CA.

Additional reading
Certification Authority Trust Model


Options for Integrating AD CS and AD DS

Key Points
As with other Active Directory server roles, AD CS can be tightly integrated with
AD DS. There are two main types of AD CS server: stand-alone and enterprise.

Stand-alone CAs
Stand-alone CAs can be installed on a server that is either joined to an Active
Directory domain or even in a workgroup. Stand-alone CAs do not depend on the
use of AD DS.

Enterprise CAs
Enterprise CAs must be:
Installed on a domain joined server
Integrated with AD DS.


Additional reading
Active Directory Certificate Services Help File:
Enterprise Certification Authorities
Stand-Alone Certification Authorities


Demonstration: Tools for Managing AD CS

Questions

1. Which tools should be used to manage the CA settings?


2. You need to determine which certificates have been issued to your user
account while using a particular computer. How would you do this?


Lesson 2
Understanding AD CS Certificates

The digital certificates issued by AD CS CAs are distributed to network clients.
These certificates are then used by a variety of applications to provide security. This
lesson describes what certificates are, how they are used, and how to use certificate
templates to generate certificates.


What are Digital Certificates?

Key Points
The public key can be distributed freely to all clients that request it. The
certificate that carries the public key provides:
Information about the subject of the certificate
Information about the validity of the certificate
Information about the applications and services that can use the certificate
A way to identify the holder of the certificate

The private key is usually only stored on the computer from which the original
certificate request was made.

Additional reading
X.509 Technical Supplement


How Public Keys and Private Keys Work

Key Points
The public key and the private key are a mathematically matched pair of numbers.
When one of the keys is used to encrypt data, the other key is used to decrypt it.
The key that encrypted the data cannot be used to decrypt it; this is an
asymmetric key process. Both keys are required to complete an encryption or
authorization process.

Additional reading
How Encrypting File System Works


Demonstration: Using Certificates to Secure Data

Questions

1. In order to encrypt a file, what must a user already have?


2. In this case, what was used to encrypt the file?


What are Certificate Templates?

Key Points
Certificate templates are used by AD CS enterprise CAs to define what type of
certificates can be issued by the CAs.

Default templates
When you install AD CS, several default templates are created. Some of the default
certificate templates are:
Basic Encrypting File System (EFS)
Key Recovery Agent (for a user that can recover special private keys)
Router (for encryption of router communications)
Smart card log on (certificates used for smart card log on)
Web Server for Secure Sockets Layer (SSL)


Additional reading
Active Directory Certificate Services Help:
Default Certificate Templates
Managing Certificate Templates

BETA COURSEWARE. EXPIRES 4/30/2008


4-16 Fundamentals of Windows Server 2008 Active Directory

Lesson 3
Implementing Certificate Enrollment and
Revocation

When you deploy AD CS, one of the primary issues that you need to address is
how you will distribute and revoke certificates. This lesson describes what
certificate enrollment is and how to administer and automate the enrollment
process. This lesson also discusses certificate revocation, why it is important and
how to revoke certificates.


Options for Implementing Certificate Enrollment

Key Points
AD CS provides three main options for enrolling or creating certificates. These
options are: using the built-in Web site on the CA, manual enrollment or auto-
enrollment.

Web enrollment
If Internet Information Services (IIS) is installed on the AD CS CA, you can enable
a Web site on the CA, through which users can obtain certificates. This method is
good for issuing certificates when auto-enrollment cannot be used.

Manual enrollment
Manual or offline enrollment is used when the requestor cannot communicate
directly with the CA or if the device does not support auto-enrollment.


Auto-enrollment
Auto-enrollment is used for AD DS domain joined machines. The auto-enrollment
process allows an administrator to define permissions and configuration of a
certificate template so that the requestor can automatically request, retrieve and
renew certificates without having any end user interaction.


Demonstration: Using Web Enrollment to Obtain Certificates

Questions

1. In what ways can the certificate request be generated?


2. In this demonstration, what did the CA use to determine whether the
certificate request should be approved?


Administering Certificate Enrollment

Key Points
Regardless of whether you use Web enrollment, offline enrollment or auto-enrollment,
the enrollment process has four basic steps (outlined in the slide). The
auto-enrollment process performs each of these steps without any user or
administrative interaction.


Demonstration: Administering Certificate Requests

Questions

1. When was the private key generated for the Web server?
2. Why does Web enrollment require an administrator to approve the certificate
requests?


Options for Automating Certificate Enrollment

Key Points
Auto-enrollment enables organizations to automatically deploy certificates to users
and computers. The auto-enrollment feature allows organizations to manage all
aspects of the certificate life cycle, including certificate enrollment, certificate
renewal, and certificate revocation.


What is Certificate Revocation?

Key Points
Certificate revocation is when a certificate is invalidated before its expiration
date. You would need to revoke a certificate before it expires if:
The certificate is no longer needed.
The computer on which the private key was stored, or the CA itself, was
compromised and is no longer secure.
A new certificate was generated.

Additional reading
Active Directory Certificate Services Help:
Creating a Revocation Configuration
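The two-tier hierarchy from "How CA Hierarchies Work" and the revocation check described above, worked through as an added Go example that is not part of the course or of AD CS: the root CA issues a subordinate CA, the subordinate issues a Web server certificate for the lab's NYC-SRV1, a client verifies the chain the way a browser does, and the subordinate then publishes a CRL that the client consults. CA names, serial numbers and validity periods are assumptions; the file is package main without a main function, so run it under go test.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy: root CA, issuing subordinate CA and the lab's NYC-SRV1 Web server certificate (assumed names).
type Hierarchy struct {
	Root, Sub, Leaf *x509.Certificate
	subKey          *rsa.PrivateKey // the issuing CA signs certificates and CRLs
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation and certificate creation only fail if the random source is broken
	}
	return v
}

// issue signs template with parentKey; a nil parent makes the certificate self-signed.
func issue(template, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = template
	}
	der := must(x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// CertSign lets a CA issue certificates; CRLSign lets it publish revocations.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Woodgrove Bank"}, CommonName: cn},
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildHierarchy: the root issues the subordinate's certificate, which in turn issues the server's.
func BuildHierarchy() *Hierarchy {
	rootKey := must(rsa.GenerateKey(rand.Reader, 2048))
	subKey := must(rsa.GenerateKey(rand.Reader, 2048))
	leafKey := must(rsa.GenerateKey(rand.Reader, 2048))
	root := issue(caTemplate(1, "Woodgrove Root CA"), nil, &rootKey.PublicKey, rootKey)
	sub := issue(caTemplate(2, "Woodgrove Issuing CA"), root, &subKey.PublicKey, rootKey)
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{Organization: []string{"Woodgrove Bank"}, CommonName: "NYC-SRV1"},
		DNSNames:     []string{"nyc-srv1"},
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}, sub, &leafKey.PublicKey, subKey)
	return &Hierarchy{Root: root, Sub: sub, Leaf: leaf, subKey: subKey}
}

// VerifyChain is the browser's check for https://NYC-SRV1: a path to a trusted root with valid dates, CA constraints and a matching host name.
func VerifyChain(h *Hierarchy, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Sub)
	_, err := h.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// PublishCRL is the CA-side step (lab Task 5): the issuing CA signs the list of revoked serial numbers; clients must refetch after NextUpdate.
func PublishCRL(h *Hierarchy, revoked *x509.Certificate) []byte {
	rl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}},
	}
	return must(x509.CreateRevocationList(rand.Reader, rl, h.Sub, h.subKey))
}

// IsRevoked is the client-side check: the CRL counts only if the issuing CA signed it and it is still current.
func IsRevoked(crlDER []byte, issuer, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %v; fetch a fresh one", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```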


Demonstration: Revoking Certificates

Question

Other than the CA MMC, where would you be able to tell if a certificate is valid?


Lab: Exploring Active Directory Certificate Services

Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has implemented Windows Server 2008
and is planning on using AD CS to issue certificates for internal network users,
computers and servers. The AD CS Server role has been deployed. Your task is to
ensure that the Web enrollment and manual processes for managing certificates
are working.


Exercise 1: Requesting Certificates Using Web Enrollment


In this exercise you will request a certificate for a user account using Web
enrollment. You will view the certificate in the Certificates snap-in and verify the
certificate has been issued by using the CA management tool. You will then use the
certificate to encrypt data using EFS.
The main tasks are as follows:
1. Start the 6424A-NYC-DC1 virtual machine and log on as Administrator.
2. Open Internet Explorer, go to https://NYC-SRV1/CertSrv/Default.asp, and
then generate a user certificate for Administrator.
3. Using the Certificates snap-in, verify that the user certificate was successfully
installed.
4. Use the Certification Authority Console to verify the certificate was created.

Task 1: Start the 6424A-NYC-DC1 virtual machine and log on as Administrator
1. Open the Virtual Server Remote Control Client and then double-click 6424A-
NYC-DC1.
2. In Virtual Server Remote Control Client, double-click 6424A-NYC-SRV1.
3. Log on to 6424A-NYC-SRV1 as Administrator using the password Pa$$w0rd.

Task 2: Open Internet Explorer, go to https://NYC-SRV1/CertSrv/Default.asp and
generate a user certificate for Administrator
1. In Internet Explorer, go to https://NYC-DC1/CertSrv/Default.aspx and request
a user certificate.
2. Once the certificate is generated, install the certificate.


Task 3: Using the Certificates snap-in, verify that the user certificate
was successfully installed
1. Run the mmc.exe command and add the Certificates snap-in associated with the
current user account.
2. Click Certificates - Current User, click Personal and then click the
Certificates node to verify that the user certificate is installed.

Task 4: Use the Certification Authority Console to verify the certificate
was created
Verify that the user certificate is located in the Issued Certificates text box of
the Certification Authority console.

Result: At the end of this exercise, you will have requested a certificate using Web
enrollment.


Exercise 2: Managing Certificate Requests and Revocation


In this exercise you will request a certificate for a Web server and then use the CA
management tool to approve the certificate. After verifying the certificate
installation, you will revoke the certificate and publish the revoked certificate. You
will then verify that the certificate has been revoked.
The main tasks are as follows:
1. Log on to 6424A-NYC-SRV1 as Administrator.
2. Open IIS Manager to create a certificate request.
3. Use Web Enrollment to generate the Web server certificate using the certificate
request.
4. Install the issued certificate on the Web server and verify the certificate is valid.
5. Revoke the NYC-SRV1 certificate using the Certification Authority snap-in.
6. Using Internet Explorer, verify that the Web certificate has been revoked.

Task 1: Log on to 6424A-NYC-SRV1 as Administrator
Start 6424A-NYC-SRV1 and log on as Administrator using the password
Pa$$w0rd.

Task 2: Open IIS Manager to create a certificate request
1. On NYC-SRV1 open Internet Information Services (IIS) Manager.
2. Using the Server Certificates management module, in the Action pane, click
Create Certificate Request.


3. In the request certificate dialog box, type the following information for each
field below:
Common name: NYC-SRV1
Organization: Woodgrove Bank
Organizational Unit: Corporate
City/locality: New York
State: New York
Country/region: US
4. Specify a file name for the certificate request. Type
C:\Users\Administrator\Documents\NYC-SRV.txt and click Finish.

Task 3: Use Web Enrollment to generate the Web server certificate
using the certificate request
1. On NYC-SRV1 open Internet Explorer and go to
https://NYC-DC1/CertSrv/Default.aspx to request a new certificate.
2. On the Request a Certificate page, click advanced certificate request.
3. Use Notepad to paste the contents of
C:\Users\Administrator\Documents\NYC-SRV.txt into the certificate request.
4. Download the issued certificate to
C:\Users\Administrator\Download\certnew.cer
5. Close Internet Explorer.

Task 4: Install the issued certificate on the Web server and verify the
certificate is valid
1. On NYC-SRV1 open IIS Manager.
2. Using the Server Certificates management module, in the Action pane, click
Complete Certificate Request.
3. Use the certificate response that was downloaded in the previous step:
C:\Users\Administrator\Download\certnew


4. In the Friendly name text box, type NYC-SRV1 SSL
5. Bind this new certificate to the default Web site.
6. Open Internet Explorer and go to https://NYC-SRV1 to verify that the
certificate is working.

Task 5: Revoke the NYC-SRV1 certificate using the Certification
Authority snap-in
1. Open the Certification Authority console on NYC-DC1 and revoke the Web
server certificate.
2. Publish the certification revocation list.

Task 6: Using Internet Explorer, verify that the Web certificate has
been revoked
Use Internet Explorer, go to https://NYC-SRV1 and verify that the certificate
has been revoked.

Result: At the end of this exercise, you will have requested and approved a
certificate for a Web server. You will have also revoked the certificate, published the
revoked certificate and verified that the certificate has been revoked.


Module Review and Takeaways

Review Questions
1. What are some reasons that a certificate would need to be revoked?
2. What types of enrollment can be done with NDES?
3. Which editions of Windows Server 2008 support the advanced integration
features of AD CS and AD DS?
4. In order to enable auto-enrollment, what must be true of the client computers'
AD DS configuration?


Summary of Active Directory Certificate Services


Active Directory Certificate Services (AD CS) provides customizable services for
creating and managing public key certificates used in software security systems
that employ public key technologies. It gives organizations a cost-effective, efficient,
and secure way to manage the distribution and use of certificates.
Digital certificates have two main parts: the public key and the private key. These
two keys are used in the asymmetric encryption and decryption process. Since the
public key should be easily obtained and both keys are required for the process, it
is extremely important to protect the private key.
AD CS certification authorities can be arranged in a hierarchy to improve security,
redundancy or flexibility. It also has templates that can be configured to define
how certificates are enrolled and what options the certificates have when they are
created. Certificates can be requested automatically through an auto-enrollment
process on domain joined computers, or certificates can be manually requested
using the CA Enrollment Web site or the CA MMC.

Introduction to Active Directory Rights Management Services 5-1

Module 5
Introduction to Active Directory Rights
Management Services
Contents:
Lesson 1: AD RMS Overview 5-3
Lesson 2: Understanding AD RMS 5-7
Lesson 3: Managing AD RMS 5-16
Lab: Exploring Active Directory Rights Management Services 5-23


Module Overview

In the Windows Server 2008 operating system, you can restrict access to digital
information by configuring shared folders or Web sites with shared folders.
However, these features do not protect or restrict what users can do with content
to which they have access. In recent years, helping to protect digital information
from theft and improper use has become a priority in many enterprises. Active
Directory Rights Management Services (AD RMS) provides a method for helping
to protect documents from improper use by establishing and enforcing persistent
use rights for documents. AD RMS can be used to protect content even after it is
distributed to other people.


Lesson 1
AD RMS Overview

An enterprise can benefit in a number of ways from deploying Active Directory
Rights Management Services (AD RMS). In order to benefit fully from a
deployment, you need to understand how AD RMS works and the options for using
AD RMS. This lesson describes some of these benefits and the options for
deploying AD RMS.


Overview of AD RMS

Key Points
Active Directory Rights Management Services (AD RMS) is an information
protection technology that works with AD RMS-enabled applications to help
safeguard digital information from unauthorized use. There are compelling reasons
to invest in rights management to protect an enterprise's intellectual property, to
address new governmental regulations, or to better track and control access to
company data.


How AD RMS Works

Key Points
AD RMS has three main functions:
Creation of rights-protected content
Licensing and distributing these rights-protected resources
Consuming the rights-protected resources

Additional Reading
Windows Server 2008 Component Posters (download Windows Server 2008
Active Directory Components.pdf)


Options for Using AD RMS

Key Points
A number of enterprise-level options are available for rights-protected content.
Using the options will largely depend on what type of data the company needs to
protect.


Lesson 2
Understanding AD RMS

AD RMS requires a number of components to be in place before you can use it to
help protect content. This lesson discusses the major components of AD RMS and
also provides more detail on how AD RMS helps you to secure your content.


AD RMS Components

Key Points
There are a number of components that interact when using AD RMS. It is
important to have a clear understanding of each of the components:
Author. The user or service that generates the rights-protected document.
AD RMS-enabled applications. Specific applications are enabled for and can
interact with AD RMS. These applications can be used by the author to create
and help protect content. They can be used by recipients to read protected
content and apply the appropriate rights to them.
Recipient. The user or service that accesses the rights-protected document.
AD RMS Server. The server that has the AD RMS server role installed on it.
This server is responsible for providing the licenses to control access to
content. When the first AD RMS server is installed, an AD RMS root cluster is
created. Other AD RMS servers can be added to the cluster.


Database server. AD RMS requires a database service. This service can be
provided by the Windows Internal Database feature deployed on the same
server as the AD RMS server. The database service can also be provided by
Microsoft SQL Server installed on another computer. The database is used to
store configuration and other AD RMS related information.
Active Directory Domain Services. This is used to authenticate both the
authors and the recipients so that the appropriate rights are applied to the
content.


AD RMS Certificates and Licenses

Key Points
AD RMS uses certificates and licenses to authenticate and authorize users to assign
permissions and to view protected content.

Additional Reading
About Active Directory Rights Management Services
Active Directory Rights Management Services Overview


How AD RMS Protects Content

Key Points
The AD RMS components interact as described below to generate the rights-
protected content.
1. The first time a user tries to rights-protect content using AD RMS, the client
application will request a rights account certificate (RAC) and client licensor
certificate (CLC) from the AD RMS server.
2. The author now creates content using an AD RMS-enabled application. The
author can create the file and then specify user rights. At this time, the policy
license containing the user policies is generated.
3. The application now generates the content key and encrypts the content with
it.
4. The rights-protected content can now be sent to the content recipient.


Additional Reading
Windows Server 2008 Component Posters (download Windows Server 2008
Active Directory Components.pdf)


How AD RMS Restricts Access to Data

Key Points
The process for consuming the protected content is as follows:
1. The recipient receives the file and opens it using an AD RMS-enabled
application or browser. If no account certificate is stored on the current
computer for the recipient, the client application requests a certificate, and the
AD RMS cluster will issue one. If this is the first time that a user accesses
rights-protected content on the computer, a RAC is also issued to the user.
2. The application sends a request for a use license to the AD RMS cluster that
issued the publishing license. However, if the file was published offline, the
request is sent to the server that issued the CLC. The request includes both the
RAC and the publishing license for the file.


3. The AD RMS cluster confirms or denies that the recipient is authorized. If the
user is authorized, the cluster checks for a named user and then creates a use
license for the user. The cluster decrypts the content key using the private
key of the cluster, re-encrypts the content key with the public key of the
recipient, and then adds the re-encrypted content key to the use license. This
ensures that only the intended recipient can access the file.
4. The AD RMS cluster then sends the generated use license to the recipient's
computer.
5. The application examines both the license and the recipient's account
certificate to determine whether any certificate in either chain of trust requires
a revocation list. The user is then granted access as specified by the content
author.
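The publishing steps (How AD RMS Protects Content) and the consumption steps above, modelled as an added Go example that is not part of the course or of AD RMS itself: the author's application encrypts the document with a fresh content key and wraps that key to the cluster's public key in the publishing license; the cluster unwraps it, checks the user against the rights the author assigned, and re-wraps it to the recipient's RAC public key in a use license, so only that recipient can decrypt. The rights strings, the "Everyone" grant (borrowed from the lab) and the OAEP label are assumptions, and the signatures and certificate chains that real AD RMS licenses carry are left out; run it under go test.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PublishingLicense travels with the protected file; its content key is encrypted to the cluster's public key, so a recipient cannot read it directly.
type PublishingLicense struct {
	Rights     map[string]string // e-mail address (or "Everyone") -> rights granted by the author
	WrappedKey []byte
}

// ProtectedFile is what the author distributes: ciphertext plus the license.
type ProtectedFile struct {
	Nonce, Ciphertext []byte
	License           PublishingLicense
}

// UseLicense is issued per recipient; the content key is re-wrapped to that recipient's RAC public key.
type UseLicense struct {
	User, Rights string
	WrappedKey   []byte
}

var keyLabel = []byte("adrms-content-key") // OAEP label, an assumption made for this example

func wrap(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, keyLabel)
}

func unwrap(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, keyLabel)
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect is the author's side (publishing steps 2 and 3): generate a content key, encrypt the document, wrap the key for the cluster.
func Protect(cluster *rsa.PublicKey, plaintext []byte, rights map[string]string) (*ProtectedFile, error) {
	buf := make([]byte, 32+12) // AES-256 content key followed by a GCM nonce, fresh for every document
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := wrap(cluster, key)
	if err != nil {
		return nil, err
	}
	return &ProtectedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), License: PublishingLicense{Rights: rights, WrappedKey: wrapped}}, nil
}

// IssueUseLicense is the cluster's side (consumption step 3): confirm the user was named by the author,
// unwrap the content key with the cluster's private key, and re-wrap it to that user's RAC public key.
func IssueUseLicense(clusterKey *rsa.PrivateKey, pl PublishingLicense, user string, rac *rsa.PublicKey) (*UseLicense, error) {
	rights, ok := pl.Rights[user]
	if !ok {
		rights, ok = pl.Rights["Everyone"] // the lab grants Read and Print to Everyone
	}
	if !ok {
		return nil, fmt.Errorf("%s was granted no rights by the author", user)
	}
	key, err := unwrap(clusterKey, pl.WrappedKey)
	if err != nil {
		return nil, err
	}
	rewrapped, err := wrap(rac, key)
	if err != nil {
		return nil, err
	}
	return &UseLicense{User: user, Rights: rights, WrappedKey: rewrapped}, nil
}

// Consume is the recipient's side (consumption step 5): unwrap with the RAC private key and decrypt.
// A use license issued to someone else fails here, which is what ties the file to the intended recipient.
func Consume(racKey *rsa.PrivateKey, f *ProtectedFile, ul *UseLicense) ([]byte, error) {
	key, err := unwrap(racKey, ul.WrappedKey)
	if err != nil {
		return nil, errors.New("use license was not issued to this RAC")
	}
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}
```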


Demonstration: How AD RMS Works

Questions

1. At what point in the demonstration was the policy license created?


2. What would happen in the demonstration if the content consumer did not
have any permissions assigned to the content?


Lesson 3
Managing AD RMS

Managing AD RMS includes installing the AD RMS role and creating policies and
templates. This lesson provides an overview of installing AD RMS as well as
managing the policies and templates that control how AD RMS functions.


AD RMS Server Role Installation Overview

Key Points
Installing the AD RMS role requires completion of some preliminary tasks for the
installation to be successful.

Additional Reading
Windows Server Active Directory Rights Management Services Step-by-Step
Guide
AD RMS Help File: Installing an AD RMS Cluster


Demonstration: AD RMS Management Console

Question

When the AD RMS management console is opened on one of the AD RMS servers in
the cluster, what will be configured from the console?


What are Exclusion Policies?

Key Points
Exclusion policies can be configured to:
Exclude specific users from viewing rights-protected content.
Exclude certain versions of Microsoft Windows, lockboxes or applications that
are known to have compatibility or security issues.


Demonstration: Configuring Exclusion Policies

Questions

1. When might an administrator choose to exclude a specific lockbox version?


2. What customization can be done for the versions of Windows that can be
excluded?


What are Rights Policy Templates?

Key Points
Rights policy templates provide a manageable way for organizations to establish
different rules for protecting different types of information. For example, an
organization might create rights policy templates for their employees that assign
separate usage rights and conditions for company confidential, classified, and
private data. AD RMS-enabled applications can use these templates, providing a
simple, consistent way for workers to apply predefined policies to information.


Demonstration: Configuring Rights Policy Templates

Question

What is the difference between content expiration and use license expiration?


Lab: Exploring Active Directory Rights Management Services

Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has implemented Windows Server 2008
and is planning on using AD RMS to help provide enhanced content security for e-
mails and documents distributed within the organization. The AD RMS server role
has been deployed. Your task is to ensure that AD RMS is working and to ensure
that the AD RMS configuration can be modified if required.


Exercise 1: Verifying AD RMS Functionality


In this exercise you will configure two user accounts with e-mail addresses. You
will then use one of the user accounts to protect a document that is stored on a
shared folder, and then log on as the other user account and verify that the
restrictions applied to the document are enforced.
The main tasks are as follows:
1. Start the 6424A-NYC-DC1 virtual computer and log on as Administrator.
2. Start the 6424A-NYC-SRV1 virtual computer and log on as Administrator.
3. Start the 6424A-NYC-CL1 virtual computer.
4. Open Active Directory Users and Computers and assign e-mail addresses for
Dana Birkby, Manish Gupta, Bjarne Riis and the NYC_MarketingGG global
group.
5. Log on as Dana and create and protect a Word document.
6. Log on as Manish and ensure that the Word document has restrictions
assigned.
7. Log on as Bjarne and ensure that the Word document has restrictions
assigned.

Task 1: Start the 6424A-NYC-DC1 virtual computer and log on as Administrator
Log on to 6424A-NYC-DC1 as Administrator using the password Pa$$w0rd.

Task 2: Start the 6424A-NYC-SRV1 virtual computer and log on as Administrator
Log on to 6424A-NYC-SRV1 as Administrator using the password Pa$$w0rd.

Task 3: Start the 6424A-NYC-CL1 virtual computer
Start the 6424A-NYC-CL1 virtual computer.


Task 4: Open Active Directory Users and Computers and assign e-mail
addresses for Dana Birkby, Manish Gupta, Bjarne Riis and the
NYC_MarketingGG global group
1. Locate the following users in the Marketing OU inside the NYC OU and assign
the indicated e-mail addresses:
Dana Birkby: Dana@woodgrovebank.com
Manish Gupta: Manish@woodgrovebank.com
Byarne Riis: Byarne@woodgrovebank.com
2. Modify the properties of the NYC_MarketingGG group to assign an e-mail
address of NYCMarketingGG@woodgrovebank.com.
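The e-mail assignments in this task as an added PowerShell example; it is not part of the course lab. It uses the [ADSI] type accelerator, which needs no extra modules on Windows Server 2008, and assumes the domain is woodgrovebank.com, that the three users and the group all live in the Marketing OU under the NYC OU, and that each object's CN equals its display name.

```powershell
# Added example, not part of the course lab: set the 'mail' attribute that
# AD RMS uses to identify users and groups, using the [ADSI] type accelerator.
# Assumptions: domain woodgrovebank.com, all four objects in the Marketing OU
# under the NYC OU, and each object's CN equal to its display name.
$marketingOu = 'OU=Marketing,OU=NYC,DC=woodgrovebank,DC=com'

# Distinguished name -> e-mail address, the values given in the lab.
$assignments = @{
    "CN=Dana Birkby,$marketingOu"     = 'Dana@woodgrovebank.com'
    "CN=Manish Gupta,$marketingOu"    = 'Manish@woodgrovebank.com'
    "CN=Byarne Riis,$marketingOu"     = 'Byarne@woodgrovebank.com'
    "CN=NYC_MarketingGG,$marketingOu" = 'NYCMarketingGG@woodgrovebank.com'
}

foreach ($dn in $assignments.Keys) {
    $path = "LDAP://$dn"
    if (-not [ADSI]::Exists($path)) {
        Write-Warning "Not found, skipped: $dn"
        continue
    }
    $object = [ADSI]$path
    $object.Put('mail', $assignments[$dn])   # 'mail' is the E-mail field in ADUC
    $object.SetInfo()                        # write the change to the directory
}

# Read the values back so you can see what AD RMS will find when it looks
# up each user or group by e-mail address.
foreach ($dn in $assignments.Keys) {
    $object = [ADSI]"LDAP://$dn"
    '{0,-18} {1}' -f $object.cn, $object.mail
}
```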

Task 5: Log on as Dana and create and protect a Word document
1. Log on to 6424A-NYC-SRV1 as Dana using the password Pa$$w0rd.
2. Create a new document with the text "This is a protected document" and save
it as C:\Users\Public\Public Documents\Confidential.
3. Protect the document using Restricted Access. Assign Change permission to
Manish, and Read and Print access to Everyone.
4. Save the document.
5. Close Word.

Task 6: Log on as Manish and ensure that the Office Word document has restrictions assigned
1. Log on to 6424A-NYC-SRV1 as Manish using the password Pa$$w0rd.
2. Open C:\Users\Public\Public Documents\Confidential in Microsoft Office
Word 2007.
3. Click View Permission in the Information bar.
4. In the My Permission window, verify that the user you are logged on as has
permissions to View, Edit, Copy and Save this document.
5. Close Word and log off.


Task 7: Log on as Bjarne and ensure that the Word document has restrictions assigned
1. Log on to 6424A-NYC-SRV1 as Bjarne using the password Pa$$w0rd.
2. Open C:\Users\Public\Public Documents\Confidential in Word.
3. Click View Permission in the Information bar.
4. In the My Permission window, verify that the user you are logged on as has
permissions to View and Print this document.
5. Close Word and log off.

Result: At the end of this exercise, you will have configured three user accounts with
e-mail addresses and used one of the user accounts to protect a document that is
stored on a shared folder. You will have also verified that the restrictions applied to
the document were enforced.


Exercise 2: Customizing the AD RMS Configuration


In this exercise you will modify the AD RMS configuration by configuring an
exclusion policy and by creating a custom rights policy template for the Marketing
department. You will then verify that these modifications were implemented
correctly.
The main tasks are as follows:
1. Create an AD RMS rights policy templates shared folder.
2. Open Active Directory Rights Management Console and create an additional
rights management template called Marketing Projects.
3. Create an exemption to prohibit Recipient 1 from opening content created
with the Marketing Template.
4. Protect the Word document with the Marketing rights template.
5. Attempt to open the rights-protected Word document with the excluded user.

Task 1: Create an AD RMS rights policy templates shared folder
1. On NYC-SVR1, create a new folder named C:\ADRMSTemplates.
2. Share the folder, granting modify permissions to the ADRMSService account
and read permission to Domain Users.

Task 2: Open Active Directory Rights Management Console and create an additional rights management template called Marketing Projects
1. On NYC-SVR1, enable the export of AD RMS templates using the
\\NYC-SVR1\ADRMSTemplates shared folder.
2. Create a rights management template with the following information:
Name: Marketing Project
Description: Woodgrove Bank Marketing Department
Expires after the following duration (days): 14
NYCMarketingGG@woodgrovebank.com should have Edit permissions.
The Anyone special group should have View permissions.


Task 3: Create an exemption to prohibit Manish from opening AD RMS protected content
1. Enable User Exclusion.
2. Add Manish@woodgrovebank.com as an exclusion.

Task 4: Protect an Office Word document with the Marketing rights template
1. Log on to 6424A-NYC-CL1 as Dana using the password Pa$$w0rd.
2. Open the Registry editor and expand the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
3. Create a new Expandable String Value, with the name AdminTemplatePath.
4. Assign the value \\NYC-SVR1\ADRMSTemplates to AdminTemplatePath.
5. Create a new document with the text "This is a Marketing protected document"
and save it as C:\Users\Public\Public Documents\MktgConfidential.
6. Protect the content using the Marketing Project template.
7. In the Information bar, click View Permission.
8. Save the document.
9. Log off of NYC-SVR1.
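Steps 2 to 4 of this task as an added PowerShell script (not part of the course lab), with a read-back of the value and a check that the template share is reachable from the client. It assumes the exported rights policy templates are stored as .xml files in the share.

```powershell
# Added example, not part of the course lab: steps 2 to 4 of Task 4 as a script.
# Run it as Dana on NYC-CL1: the key is under HKEY_CURRENT_USER, so it must be
# written in the profile of the user who will protect the document.
$templateShare = '\\NYC-SVR1\ADRMSTemplates'
$drmKey = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'

# Office creates this key on first use; create it if it does not exist yet.
if (-not (Test-Path -Path $drmKey)) {
    New-Item -Path $drmKey -Force | Out-Null
}

# An Expandable String Value (REG_EXPAND_SZ) pointing at the exported templates.
New-ItemProperty -Path $drmKey -Name 'AdminTemplatePath' `
    -PropertyType ExpandString -Value $templateShare -Force | Out-Null

# Read the value back and confirm the share is reachable as this user. If the
# path is wrong or the share is not readable, the Marketing Project template
# will simply be missing from Word's list, with no error message.
$configured = (Get-ItemProperty -Path $drmKey -Name 'AdminTemplatePath').AdminTemplatePath
"AdminTemplatePath = $configured"
if (Test-Path -Path $configured) {
    # Assumption: exported rights policy templates are .xml files in the share.
    $templates = @(Get-ChildItem -Path $configured -Filter '*.xml')
    "Templates visible to this user: $($templates.Count)"
    $templates | ForEach-Object { '  ' + $_.Name }
} else {
    Write-Warning "$configured is not reachable; check the share and the Domain Users read permission set in Task 1."
}
```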


Task 5: Attempt to open the protected Word document with the excluded user
1. Log on to 6424A-NYC-SVR1 as Manish using the password Pa$$w0rd.
2. Open C:\Users\Public\Public Documents\MktgConfidential in Word.
3. Verify that you cannot open this document.

Result: At the end of this exercise, you will have modified the AD RMS configuration
by configuring an exclusion policy and by creating a custom rights policy template
for the Marketing department. You will have also verified that these modifications
were implemented correctly.


Module Review and Takeaways

Review Questions
1. When might an administrator choose to exclude a specific user or group?
2. What is the difference between an exclusion list and a revocation list?
3. When is a SQL Server required to be deployed to support AD RMS?
4. When must AD RMS be installed in relation to the configuration of AD FS if it
is to be used to access AD RMS content?
5. What is the difference between the online and offline publishing process?


Summary of Active Directory Rights Management Services


An enterprise can benefit in a number of ways from deploying AD RMS. AD RMS
can be used to restrict access to an organization's intellectual property, limit the
actions that can be taken on content, and limit the risk of content being taken
outside of the organization. This functionality is available in various client
applications such as Word, Outlook, Excel spreadsheet software and Internet
Explorer. From within these AD RMS-enabled applications, AD RMS can restrict
the ability to print, e-mail, or modify the content.
AD RMS leverages certificates and licenses to help protect content. The author
creates the content and configures the rights that will be given for the content
based on the templates created on the AD RMS cluster. The AD RMS cluster
provides the certificates and licensing needed for the client applications to properly
rights-protect content. The recipient of the content obtains appropriate licenses
and certificates in order to consume the content.
With AD RMS you can customize the rights policy templates and exclusion
policies. The rights policy templates allow for customizing what authors and
recipients are allowed to do with protected content. The exclusion policies are for
excluding specific users, groups, or lockbox and Windows versions from being
able to receive certificates from the AD RMS server. Exclusion policies are helpful
when one of these groups needs to be excluded from accessing content due to
possible security issues, such as a group already given access that must now be
denied access to content.


Module 6
Introduction to Active Directory Federation
Services
Contents:
Lesson 1: AD FS Overview 6-3
Lesson 2: AD FS Deployment Scenarios 6-10
Lesson 3: Configuring AD FS Components 6-20
Lab: Exploring Active Directory Federation Services 6-29


Module Overview

In many organizations, online transactions have replaced traditional paper-based
transactions as the primary method of doing business. However, securing access to
the Web sites that host the online transactions can be difficult. Active Directory
Federation Services (AD FS) provides one solution to this issue. AD FS can be used
to provide browser-based clients (internal or external to your network) with
seamless, single sign-on access to Internet-facing applications, even when the user
accounts and applications are located in completely different networks or
organizations.


Lesson 1
AD FS Overview

An organization can benefit in a number of ways from deploying AD FS. In order to
benefit fully from a deployment, you need to understand identity federation and
the scenarios supported by AD FS. This lesson describes some of these benefits
and the options for deploying AD FS.


What Is Identity Federation?

Key Points
Identity federation is a means by which organizations can enable user access to
resources between different organizations or between different server platforms.
One of the goals of an identity federation solution is to allow companies to manage
their own directories while still securely exchanging authentication and
authorization information between organizations.

Example scenario of an identity federation


An identity federation could exist where a sales representative updates an internal
forecast by pulling information from a supplier's database that is hosted on the
supplier's network.


Responsibilities would be assigned in the following ways:
The administrator of the domain for the sales representative is responsible for
ensuring that the appropriate sales representatives are members of the group
needing access to the supplier's database.
The administrator of the database is responsible for ensuring that the partner's
employees only have access to the data they require.


What are the Identity Federation Scenarios?

Key Points
AD FS has been designed to meet the needs of several common scenarios. The
main scenarios are as follows.

Federation for business-to-business


This design allows a business to provide single sign-on (SSO) to a Web-based
application for a business partner or other business unit that has a separate forest.
Users can be authenticated within the partner organization, and use that
authentication to gain the right level of access to the Web application.

Federation for business-to-consumer or business-to-employee in a Web single sign-on scenario
In this scenario, organizations might create information portals to provide
consolidated information to external users by integrating different back-end
systems.


Federation within an organization across multiple Web applications


One organization may have several Web applications running on different servers
and located on both the internal and perimeter networks. By using AD FS, you can
reduce the number of times a user must log on across Web applications.

Additional reading
ADFS Help File: Understanding Federation Designs


Benefits of Deploying AD FS

Key Points
Leveraging AD FS in an enterprise benefits both administrators and users in the
following ways.

Security and control over authentication


You can implement policies to control which users are allowed to authenticate
across the federated trust. This provides more control than an Active Directory
forest trust, where all user accounts can authenticate anywhere in either forest
even if they do not have access to resources.

Regulatory compliance
AD FS enables application access to business partners or Internet users but does so
in such a way that both organizations still maintain strict control over all data.


Interoperability with heterogeneous systems


AD FS is based on the Web Services model, which presumes that enterprise
systems are written in different languages with different programming models and
accessed from many different types of devices. AD FS employs the federation
specification of WS-*, called WS-Federation. WS-Federation makes it possible for
environments that do not use the Windows identity model to federate with
Windows environments.

Works with AD DS or AD LDS


AD FS in Windows Server 2008 can use both Active Directory Domain Services
(AD DS) and Active Directory Lightweight Directory Services (AD LDS) as its
directory.

Extends AD DS to the Internet


AD FS provides an extension of AD DS infrastructure by extending AD DS to
provide access to resources that are offered by trusted partners across the Internet.


Lesson 2
AD FS Deployment Scenarios

As mentioned earlier, AD FS was designed to meet the requirements of various
scenarios. This lesson discusses how these scenarios function as well as the
components that make up the scenarios.


What Is a Federation Trust?

Key Points
A federation trust is a relationship created between two organizations within AD
FS. This relationship allows for accounts to be authenticated in one organization,
and used to access resources in the other organization.

Account Partner
An account partner is the organizational partner in the trust relationship that hosts
and manages the user accounts used in the relationship.

Resource Partner
The resource partner physically houses the Web servers that host one or more
Web-based applications. The resource partner trusts the account partner to
authenticate users. Therefore, when it makes authorization decisions, the resource
partner accepts security tokens that are produced by the account partner.


Additional reading
AD FS Help:
Understanding Federation Trusts
Understanding AD FS Terminology


What are the AD FS Components?

Key Points
AD FS has six main components that provide the functionality.

Additional reading
AD FS Help:
Understanding AD FS Terminology
Understanding AD FS Role Services


How AD FS Provides Identity Federation in a B2B Scenario

Key Points
The AD FS Federated Web business-to-business (B2B) scenario involves secure
communication that often spans multiple firewalls, perimeter networks, and name
resolution servers, in addition to the entire Internet routing infrastructure.

An example scenario
An online retailer and a manufacturing company could deploy AD FS using a B2B
scenario. The online retailer, as the resource partner, would install a Web server
with the AD FS Web agent installed, the resource federation proxy and the
resource federation service. The manufacturing company, as the account partner,
would install and configure an account federation server to use the internal AD DS
domain and an account federation proxy so that the account federation server
would not need to be directly exposed to the Internet. The federation trust would
then be created from the online retailer to the manufacturer. Once this solution is
installed and configured, users at the manufacturer can log on to the retailer's Web
site.


Additional reading
AD FS Help:
Understanding Federation Trusts
Understanding AD FS Terminology


How AD FS Traffic Flows in a B2B Federation Scenario

Key Points
The following steps describe the flow of communication in a B2B scenario.
1. The employee uses their Web browser to open the application on the Web
server using an SSL/TLS session.
2. Since the Web browser does not have a token to present to the Web server, the
Web browser is redirected to the default logon URL at the resource Federation
Server. The resource Federation Server determines the user's home
organization.


3. The Web browser is redirected to the logon page for the Federation Server at
the user's home organization (in this case, the account partner Federation
Server). The office employee authenticates by using their currently logged-on
desktop session credentials through Windows integrated authentication, or by
being asked to provide credentials by their Federation Server. The account
Federation Service and the Active Directory account information are used to
validate the office employee's credentials and obtain attributes for building a
Security Assertion Markup Language (SAML) security token. The security
token is stored as a cookie in the Web browser.
4. The Web browser is redirected to the Federation Server at the resource
partner. The Web browser presents the security token to the resource
Federation Server. The Federation Server checks the security token, and then
issues a security token that can be used to access the Web server.
5. The Web browser is redirected to the Web server where it presents the security
token issued by the resource Federation Server. The Web server evaluates the
security token, and if acceptable, it creates an authentication token that is
written to the browser and then used to access the application.

Additional reading
AD FS Help: Understanding Federation Designs


How AD FS Provides Web Single Sign-On

Key Points
In the Web single sign-on scenario, an organization deploys a Web application in a
perimeter network. This Web application may need to be available to the following
groups of people:
Employees who are on the internal network.
Employees who are outside the office and accessing the application through
the Internet.
Non-employees who are accessing the application from the Internet.

Additional reading
AD FS Help: Understanding Federation Designs


Integrating AD FS and AD RMS

Key Points
By integrating AD FS with Active Directory Rights Management Services (AD RMS),
enterprises can leverage their established federated trust relationships to extend
the AD RMS functionality outside the organization. For example, an organization
that is planning to deploy AD RMS can set up a federation trust with another
organization by using AD FS. The organizations can then leverage this relationship
to share rights-protected content across the two organizations without requiring a
deployment of AD RMS in both organizations.


Lesson 3
Configuring AD FS Components

The previous lesson discussed the overall design of an AD FS solution and the
components that are used to construct the solution. This lesson provides an
overview of configuring the AD FS components as well as managing trust policies
and Web agents.


AD FS Server Role Implementation Overview

Key Points
In order to implement the Federation Service, Federation Service Proxy and AD FS
Web Agent Roles, the requirements listed on the slide must be met.

Additional reading
AD FS Help: Requirements for AD FS


Federation Service Configuration Options

Key Points
To configure the Federation Service or federation server farm you use the AD FS
Microsoft Management Console (MMC) snap-in, which is installed when you
install the Federation Service server role. You can also use the snap-in to manage
the trust policy that is associated with your Federation Service.

Additional reading
AD FS Help: Add a resource partner


What are AD FS Trust Policies?

Key Points
Trust policies are the configuration settings that define the federated trust and how
the federated trust works.
When configuring the resource partner trust policy, you need to configure the
following options:
Token Lifetime. This defines how long a Security Assertion Markup Language
(SAML) token will stay valid. The default value is 600 minutes (10 hours); the
minimum value is one minute.
Federation Service URI. This is a case-sensitive string that uniquely identifies a
Federation Service. This URI also identifies the federation server farm
membership of the federation server.
Federation Service endpoint URL. This is the single location, or "public URL,"
that is used to contact all federation servers in a server farm.
Use Windows trust relationship for this partner. Select this option when an
Active Directory forest trust is in place and should be used.


When configuring the account partner trust policy, configure the same options as
above plus the following:
Location for a certificate to verify the resource partner. This is the location on
the file system where the certificate is stored. This certificate is used to verify that
the resource partner is valid.
How resource accounts are created.
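A simplified model of the checks these trust policy settings govern, added here as an example and not AD FS's own code. It uses the Federation Service URIs from the lab later in this module (urn:federation:contosoinc for the resource Federation Service, urn:federation:woodgrove for the account partner) and the default 600-minute token lifetime; the tokens are constructed descriptions, with signatures left out.

```powershell
# Added example, not AD FS code: a simplified check of the trust-policy fields
# (Federation Service URI, Token Lifetime) against constructed token descriptions.
# Real AD FS tokens are signed SAML assertions; signature checks are omitted here.
$policy = @{
    FederationServiceUri = 'urn:federation:contosoinc'   # this (resource) Federation Service
    AccountPartnerUri    = 'urn:federation:woodgrove'    # the account partner we trust
    TokenLifetimeMinutes = 600                           # the default from this topic
}

function Test-TrustPolicyToken {
    param([hashtable]$Token, [hashtable]$Policy, [datetime]$Now)
    $problems = @()
    # Federation Service URIs are case sensitive, so compare with -cne, not -ne.
    if ($Token.Issuer -cne $Policy.AccountPartnerUri) {
        $problems += "issuer '$($Token.Issuer)' is not the configured account partner"
    }
    if ($Token.Audience -cne $Policy.FederationServiceUri) {
        $problems += "audience '$($Token.Audience)' is not this Federation Service"
    }
    # Token Lifetime caps how long an issued token may remain valid.
    $lifetime = ($Token.NotOnOrAfter - $Token.IssueInstant).TotalMinutes
    if ($lifetime -gt $Policy.TokenLifetimeMinutes) {
        $problems += "lifetime of $lifetime minutes exceeds the policy maximum of $($Policy.TokenLifetimeMinutes)"
    }
    if ($Now -lt $Token.IssueInstant -or $Now -ge $Token.NotOnOrAfter) {
        $problems += "token is outside its validity window at $Now"
    }
    New-Object PSObject -Property @{
        Name     = $Token.Name
        Accepted = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$now = Get-Date '2008-04-01 09:00'
# Constructed tokens: one valid, one whose issuer URI differs only in case,
# and one that has expired.
$tokens = @(
    @{ Name = 'valid';     Issuer = 'urn:federation:woodgrove'; Audience = 'urn:federation:contosoinc';
       IssueInstant = $now.AddMinutes(-5);   NotOnOrAfter = $now.AddMinutes(595) }
    @{ Name = 'wrongcase'; Issuer = 'urn:federation:Woodgrove'; Audience = 'urn:federation:contosoinc';
       IssueInstant = $now.AddMinutes(-5);   NotOnOrAfter = $now.AddMinutes(595) }
    @{ Name = 'expired';   Issuer = 'urn:federation:woodgrove'; Audience = 'urn:federation:contosoinc';
       IssueInstant = $now.AddMinutes(-700); NotOnOrAfter = $now.AddMinutes(-100) }
)

foreach ($token in $tokens) {
    $result = Test-TrustPolicyToken -Token $token -Policy $policy -Now $now
    '{0,-10} accepted={1} {2}' -f $result.Name, $result.Accepted, ($result.Problems -join '; ')
}
```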


Demonstration: Configuring the Federation Services for an Account Partner

Questions

1. What types of account stores can be defined for an account partner?
2. When using multiple account stores, how would you configure a specific store
to be queried as the primary source and the other account stores to be used
only if the first one does not return a positive result?


AD FS Web Proxy Agent Configuration Options

Key Points
The AD FS Web Agent consumes security tokens and then either allows or denies a
user access to a Web application. Authorization to use the Web application
requires a relationship between the AD FS Web Agent and a resource Federation
Service so that it can direct the user to the Federation Service as needed.
Once the Web server is properly configured with the prerequisite applications and
certificates, the AD FS Web Agent role services can be installed. You can install the
Web agents by installing the AD FS server role and choosing to install either the
claims-aware agent or the Windows token-based agent.

Additional reading
Claims-aware Applications
Windows NT token-based applications


Demonstration: Configuring the Web Proxy Agent

Question

After configuring the Web Proxy Agent in IIS Manager, what else needs to be done
to allow the application to use AD FS?


What are AD FS Claims?

Key Points
An AD FS claim is a statement made about a user that is understood by both
partners in an AD FS federation scenario. This statement may be, for example, the
name, identity, group membership, privilege, or capability of the user and is
provided for authorization purposes in an application. The claims are transferred
between federation partners to properly authenticate and authorize users.


Lab: Exploring Active Directory Federation Services

Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has established a strategic partnership
with Contoso Inc. Users at Woodgrove Bank must be able to access an application
located at Contoso Inc. For security reasons, the organizations cannot implement a
trust between the company domains. The organizations have decided to deploy AD
FS to provide the required access to the application. You must configure the AD FS
servers at Woodgrove Bank to enable access to the application. Administrators at
Contoso Inc. will be responsible for configuring their servers.


Exercise 1: Implementing the AD FS Components (Discussion)
This is a discussion-based lab exercise. In this exercise, you will be provided with a
network diagram. During the discussion, you will add labels to the diagram to
describe where each of the AD FS components must be deployed. You will also
add some basic configuration information for each component to the diagram.

Task 1: Identify each organization on the network diagram below. Which organization will be the account partner and which organization will be the resource partner?


Task 2: Identify the following components on the network diagram:
Account Federation Server
AD FS-enabled Web Server
Resource Federation Server
AD DS

Task 3: Identify the direction of the federation trust

Result: At the end of this exercise, you will have made decisions on the placement of
AD FS components. You will have also determined some basic configuration
information for each component.


Exercise 2: Configuring the AD FS Resource Partner Organization
In this exercise you will configure the AD FS components for the resource partner.
The main tasks are as follows:
Start 6424A-NYC-SRV1 and 6424A-RED-SRV1 and then log on as
Administrator using the password Pa$$w0rd
On the RED-SRV1, configure the trust policy for the Federation Service in
Contoso Inc.
Create a group claim named Woodgrove App Claim for the claims-aware
application.
Add and enable an AD DS account store.
Add, enable and configure a claims-aware application.
Add, enable and configure an account partner.
Create an incoming group claim named ClaimAppMapping with the
Woodgrove App Claim as the organization group claim for the claims-aware
application.

Task 1: Start 6424A-NYC-SRV1 and 6424A-RED-SRV1 and then log on as Administrator using the password Pa$$w0rd
1. Start 6424A-NYC-SRV1.
2. Start 6424A-RED-SRV1 and log on as Administrator using the password
Pa$$w0rd.

Task 2: On RED-SRV1, configure the trust policy for the Federation Service in Contoso Inc.
Display name: Contoso Inc
Federation Service URI: urn:federation:contosoinc
Federation Service endpoint: https://adfsresource.contoso.com/adfs/ls/


Task 3: Create a group claim named Woodgrove App Claim for the claims-aware application

Task 4: Add and enable an AD DS account store

Task 5: Add, enable and configure a claims-aware application
Display name: Claims-aware Application
Application URL: https://adfsweb.contoso.com/claimapp/
Accepted Identity Claims: User principal name (UPN)

Task 6: Add, enable and configure an account partner
Display name: Woodgrove
Federation Service URI: urn:federation:woodgrove
Federation Service endpoint URL: https://adfsaccount.woodgrove.com/adfs/ls/
Account partner verification certificate: the certificate exported from the
Woodgrove federation servers, stored as C:\certificates\Woodgrove.cer
Federation scenario: Federated Web SSO
Account partner identity claims: UPN Claim
Accepted UPN suffixes: woodgrove.com

Task 7: Create an incoming group claim named ClaimAppMapping with the Woodgrove App Claim as the organization group claim for the claims-aware application

Result: At the end of this exercise, you will have configured the AD FS components
for the resource partner.


Module Review and Takeaways

Review Questions
1. After defining a Web application in the AD FS Management tool, what else
must be done to have an application begin to authenticate AD FS tokens?
2. Where are certificates used in an AD FS deployment?
3. Why would a Federation Service Proxy role server be needed?
4. Can the Web Proxy agent be installed on an older version of Windows Server?


Summary of Active Directory Federation Services


The AD FS server role can be used to create a highly extensible, Internet-scalable,
and secured identity access solution that can operate across multiple platforms,
including both Windows and non-Windows environments. It can be used to
provide browser-based clients (internal or external to your network) with seamless,
single sign-on access to one or more protected Internet-facing applications, even
when the user accounts and applications are located in completely different
networks or organizations.
Several standard scenarios are addressed with AD FS. Federation for B2B allows a
business to provide single sign-on (SSO) for a business partner or other business
unit that has a separate domain. Federation for business-to-consumer or
business-to-employee in a Web single sign-on scenario allows a business that has a
perimeter network domain to provide authentication for internal user accounts.
The last scenario is federation within an organization across multiple Web
applications.


Module 7
Creating Active Directory Domain Services User
and Computer Objects
Contents:
Lesson 1: Managing User Accounts 7-3
Lesson 2: Creating Computer Accounts 7-12
Lesson 3: Using Queries to Locate Objects in Active Directory 7-19
Lab: Creating AD DS User and Computer Accounts 7-25


Module Overview

One of your functions as an Active Directory Domain Services (AD DS)
administrator is to manage user and computer accounts. These accounts are AD DS
objects that individuals use to log on to the network and access resources. In this
module, you will learn about modifying user and computer accounts on computers
running the Windows Server 2008 operating system in a networked environment.


Lesson 1
Managing User Accounts

In AD DS for Windows Server 2008, all users that require access to network
resources must be configured with a user account. With this user account, users
can be authenticated to the AD DS domain and granted access to network
resources. As the AD DS administrator, you will need to know how to create and
configure user accounts.


What Is a User Account?

Key Points
A user account is an object that contains all of the information that defines a user
in Windows Server 2008. The account can be either a local or a domain account. A
user account includes the user name and password as well as group memberships.

Usage
With a user account, you can:
Allow users to log on to a computer based on their user account identity.
Grant users access to processes and services for a specific security context.
Manage users' access to resources such as AD DS objects and their properties,
shared folders, files, directories, and printer queues.


Names Associated with Domain User Accounts

Key Points
When creating a user account, an administrator types a user logon name. User
logon names must be unique in the domain in which the user account is created.

Names generated by Active Directory
When a user account is created using Active Directory Users and Computers,
AD DS also creates:
An LDAP distinguished name
An LDAP relative distinguished name
A SID and a globally unique identifier (GUID)

Additional reading
Object Names


User Account Password Options

Key Points
As a systems administrator, you can manage user account password options. These
options can be set when the user account is created or in the Properties dialog box
of a user account.

Additional reading
Microsoft Windows Server 2008 Help


Tools for Configuring User Accounts

Key Points
A number of tools are available for creating and managing user accounts, including
command-line and batch utilities. The most common tools for managing user and
group accounts are Active Directory Users and Computers for managing domain
accounts and User Accounts for managing local accounts on computers running
the Windows Server 2008 or Windows Vista operating system.

Additional reading
Local accounts
Dsadd


Demonstration: Configuring User Accounts

Question

When would you use a tool like DSAdd to create user accounts?

Additional reading
Dsadd


Demonstration: Renaming a User Account

Questions

1. Why are you prompted to change the additional names when you change the
user name?
2. Why would you rename a user name in AD DS when a user changes their
name rather than deleting the account and creating a new account with the
new name?

Additional reading
Rename a User Account


What Is a User Account Template?

Key Points
A user account template is an account that has commonly used settings and
properties already configured. You can use user account templates to simplify the
process of creating domain user accounts.

Additional reading
Copying User Accounts


Demonstration: Creating and Using a User Account Template

Questions

1. Why are some fields not populated when you create a new user from a
template?
2. How could you make a template account easy to find in AD DS?


Lesson 2
Creating Computer Accounts

In AD DS, computers are security principals, just like users. This means that
computers must have accounts and passwords. To be fully authenticated by
AD DS, a user must have a valid user account, and the user must also log on to the
domain from a computer that has a valid computer account. All computers
running Microsoft Windows NT or later operating systems must have computer
accounts in AD DS.


What Is a Computer Account?

Key Points
Computers access network resources to perform key tasks such as authenticating
user log on, obtaining an IP address, and receiving security policies. To have full
access to these network resources, computers must have valid accounts in AD DS.
The two main functions of a computer account are performing security and
management activities.

Additional reading
Manage computers


Options for Creating Computer Accounts

Key Points
You can create computer accounts in AD DS by joining the computer to the
domain, or by pre-staging computer accounts before joining the computer to the
domain. Both administrators and users can join computers to the domain.

Adding computers to an AD DS domain
If a computer is joined to a domain, the computer account is created in the
Computers container by default. In most organizations, administrators will move
the computer accounts to department-specific OUs so that specific software and
operating system configurations can be applied to the computers.


Pre-staging computer accounts
You can ensure that computer accounts are configured in the right AD DS
container by pre-staging computer accounts. When you pre-stage a computer
account, you create the computer in the domain before joining the computer to the
domain. Organizations pre-stage computer accounts in order to automate the
operating system and application installation by using tools such as Windows
Deployment Services.

Additional reading
Join a computer to a domain
Manage computers


Managing Computer Accounts

Key Points
The most commonly used properties for computer accounts in AD DS are the
Location and Managed By properties. To maintain computers, you must know their
physical location.
The Location property can be used to document the computer's physical
location in your network.
The Managed By property lists the individual responsible for the computer.
This information can be useful when you have a data center with servers for
different departments and you need to perform maintenance on a server.
You can call or send e-mail to the person who is responsible for the server
before you perform maintenance on it.


Additional reading
Manage computers
Computer Policies


Demonstration: Configuring Computer Accounts

Questions

1. A user is taking a two-month leave from work. No one else will be using the
user's computer, and you want to ensure that no one can log on to the
computer while she is gone. However, you want to minimize the amount of
effort required for the user to start using the computer when she comes back.
How should you configure the computer account?
2. You are prestaging 100 computer accounts for workstations that will be added
to the domain over the next few weeks. You want to ensure that only members
of the desktop support team can add the computers to the domain. What
should you do?


Lesson 3
Using Queries to Locate Objects in Active Directory

Some large organizations have thousands of user accounts in an AD DS domain.
Even if these accounts are grouped into different OUs, it can still take some time to
find a specific user in the domain. Windows Server 2008 provides several features
in Active Directory Users and Computers that make it easier to locate these users.


Options for Locating Objects in Active Directory

Key Points
There are several options available in the Windows Server 2008 administration
tools that can increase the efficiency of looking for user accounts in domains with
many users.

To sort the order of objects in Active Directory Users and Computers
1. View the user accounts in their container in Active Directory Users and
Computers.
2. Click any of the column headings to sort the order of the objects (either
ascending or descending).

You can also add more columns to the display and then sort the display based on
the additional column.


To search for objects in Active Directory Users and Computers
Active Directory provides information about all objects on a network, including
people, groups, computers, printers, shared folders, and OUs. It is easy to search
for users, contacts, and groups by using the Find Users, Contacts, and Groups
dialog box.

Using a command line
You can use the dsquery command to find users and computers in AD DS that
match the specified search criteria.

Additional reading
Search Active Directory


Demonstration: Searching Active Directory

Questions

1. You need to update the phone number for a user. You have only been given
the user's first name and last name, and you do not know which OU contains
the object. What is the quickest way to locate the user account?
2. You need to create a new user account and want to check if a user name is
already in use in the domain. How could you do this?


What Is a Saved Query?

Key Points
Active Directory Users and Computers has a Saved Queries folder in which you
can create, edit, save, and organize saved queries. Saved queries use predefined
LDAP strings to search only the specified domain partition, allowing you to focus
searches on a single container object. You can also create a customized saved query
that contains an LDAP search filter.

Additional reading
Active Directory Users and Computers Help section


Demonstration: Using a Saved Query

Question

You need to find all user accounts in your AD DS domain that are no longer active.
How would you do this?
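The LDAP filter behind a saved query can be exercised without a domain controller. The following Python is an added example, not part of this course or of Active Directory Users and Computers: it parses a filter string and applies it to a handful of constructed user objects. The disabled-account filter uses the bitwise AND matching rule (OID 1.2.840.113556.1.4.803) against userAccountControl, and the department filter is the shape the lab's Find_Investment_Users query needs. The sample objects are invented, and objectCategory is kept as its short name rather than the schema DN the directory actually stores, so this is a model of the matching logic, not a directory client.

```python
"""Evaluate Active Directory style LDAP search filters against in-memory objects."""
import re

# Extensible matching rule OID for "bitwise AND" (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND_RULE = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x0002  # userAccountControl flag set on a disabled account


def parse_filter(text):
    """Parse an RFC 4515 filter string into a nested tuple tree."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":                      # compound filter: (&(...)(...))
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            node = (op, children)
        else:                                # simple assertion: (attr=value)
            end = text.index(")", pos)
            attr, value = text[pos:end].split("=", 1)
            pos = end
            node = ("=", attr, value)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    tree = parse()
    if pos != len(text):
        raise ValueError("unexpected text after filter")
    return tree


def match(node, obj):
    """Return True if obj (dict attribute -> value or list of values) satisfies the filter."""
    op = node[0]
    if op == "&":
        return all(match(child, obj) for child in node[1])
    if op == "|":
        return any(match(child, obj) for child in node[1])
    if op == "!":
        return not match(node[1][0], obj)
    _, attr, pattern = node
    rule = None
    if ":" in attr:                          # "attr:OID:" extensible-match syntax
        attr, rule, _ = attr.split(":")
    lowered = {k.lower(): v for k, v in obj.items()}
    raw = lowered.get(attr.lower())
    if raw is None:                          # absent attribute: no assertion matches
        return False
    values = raw if isinstance(raw, list) else [raw]
    if rule == BIT_AND_RULE:                 # all bits of the mask must be set
        mask = int(pattern)
        return any((int(v) & mask) == mask for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if pattern == "*":                       # presence filter
        return True
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return any(re.match(regex, str(v), re.IGNORECASE) for v in values)


def _user(sam, department, uac):
    """Constructed user object; objectCategory kept as its short name for simplicity."""
    return {"sAMAccountName": sam, "department": department, "userAccountControl": uac,
            "objectCategory": "person",
            "objectClass": ["top", "person", "organizationalPerson", "user"]}


# Constructed sample of what a domain search might return (not real directory data).
SAMPLE_USERS = [
    _user("Kerim", "IT", 512),
    _user("Sunil", "Customer Service", 512),
    _user("_CustomerServiceTemplate", "Customer Service", 514),  # 512 | ACCOUNTDISABLE
    _user("Axel", "Investments NYC", 512),
    _user("Doris", "Investments Toronto", 514),
]

# Filter a "disabled accounts" saved query would carry.
DISABLED_USERS = ("(&(objectCategory=person)(objectClass=user)"
                  f"(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))")
# Filter matching the lab's Find_Investment_Users query (department starts with Investments).
INVESTMENT_USERS = "(&(objectCategory=person)(objectClass=user)(department=Investments*))"


def run_query(filter_text, objects=SAMPLE_USERS):
    """Return the logon names of the objects matching the filter, sorted for stable output."""
    tree = parse_filter(filter_text)
    return sorted(o["sAMAccountName"] for o in objects if match(tree, o))


if __name__ == "__main__":
    print("disabled:", run_query(DISABLED_USERS))
    print("investments:", run_query(INVESTMENT_USERS))
```

A disabled account is only one meaning of "no longer active"; an account that is enabled but has not logged on for months needs a filter on a last-logon attribute instead, which this matcher would handle the same way once the attribute is present on the objects.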


Lab: Creating AD DS User and Computer Accounts

Scenario
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has deployed AD DS for Windows
Server 2008. As one of the network administrators, one of your primary tasks will
be to create and manage user and computer accounts.


Exercise 1: Creating and Configuring User Accounts
In this exercise you will create and configure user accounts. You will create a
template and a user account based on the template. Lastly, you will create a saved
query and verify its ability to return expected search results.
The main tasks are as follows:
1. Start the 6424A-NYC-DC1 virtual computer and log on as Administrator.
2. Start the 6424A-NYC-CL1 virtual computer.
3. Create a new user account.
4. Modify Kerim Hanif's user account properties.
5. Create a template for the New York Customer Service department.
6. Create a new user account based on the customer service template.
7. Modify the user account properties for all customer service representatives in
New York.
8. Modify the user account properties for all Branch Managers.
9. Create a saved query to find all investment users.

Task 1: Start the 6424A-NYC-DC1 virtual computer and log on as Administrator
Start 6424A-NYC-DC1 and log on as Administrator using the password
Pa$$w0rd.

Task 2: Start the 6424A-NYC-CL1 virtual computer
Start 6424A-NYC-CL1. Do not log on.


Task 3: Create a new user account
1. On NYC-DC1, open Active Directory Users and Computers.
2. In the ITAdmins OU, create a new user with the following parameters:
First name: Kerim
Last name: Hanif
Full name: Kerim Hanif
User logon name: Kerim
Password: Pa$$w0rd
3. On NYC-CL1, verify that you can log on as Kerim, with a password of
Pa$$w0rd. When prompted, change the password to Pa$$w0rd1.
4. Log off from DEN-CL1.

Task 4: Modify Kerim Hanif's user account properties
1. Modify the user account properties for Kerim Hanif's account as follows:
Telephone number: 204-555-0100
Office: Downtown
E-mail: Kerim@WoodgroveBank.com
Remote Access Permission: Allow access
Logon Hours: 8:00 A.M. to 5:00 P.M.
2. Add Kerim to the ITAdmins_WoodgroveGG group.


Task 5: Create a template for the New York Customer Service department
In the CustomerService OU, create and configure a user account with the property
settings in the following table:

Property           Value
First name         CustomerService
Last name          Template
Full name          CustomerService Template
User logon name    _CustomerServiceTemplate
Password           Pa$$w0rd
Description        Customer Service Representative
Office             New York Main Office
Member Of          NYC_CustomerServiceGG
Department         Customer Service
Logon Hours        6:00 A.M. to 6:00 P.M., Monday to Friday

Disable the account.


Task 6: Create a new user account based on the customer service template
1. Copy the CustomerService Template and create a new user with the following
parameters:
First Name: Sunil
Last Name: Koduri
User Logon Name: Sunil
Password: Pa$$w0rd
2. Enable the account.
3. What values did not transfer from the template?

Task 7: Modify the user account properties for all customer service
representatives in New York
1. In the CustomerService OU under the NYC OU, select all user accounts.
2. Right-click the highlighted user accounts and click Properties.
3. Fill in the following information:
Description: Customer Service Representative
Office: New York Main Office
Department: Customer Service
4. View the properties of one of the user accounts in the OU to confirm that the
Description, Office, and Department attributes have been updated.

Task 8: Modify the user account properties for all Branch Managers
1. In Active Directory Users and Computers, search the WoodgroveBank.com
domain.
2. Use an advanced search and search for all user accounts that have a job title of
Branch Manager.
3. Select all of the user accounts located by the search, and add them to the
BranchManagersGG group.


Task 9: Create a saved query to find all investment users
1. In Active Directory Users and Computers, create a new saved query named
Find_Investment_Users that will search for all users with a department
attribute that starts with Investments.
2. Verify that the query displays all the users in the Investment departments in
each city.

Result: At the end of this exercise, you will have created and configured user
accounts. You will have created a template and a user account based on the
template, and you will have created a saved query and verified its ability to return
expected search results.


Exercise 2: Creating and Configuring Computer Accounts
In this exercise you will create and configure computer accounts, delete a
computer account and join a computer to an AD DS domain.
The main tasks are as follows:
1. Create a computer account by using Active Directory Users and Computers.
2. Delete a computer account in AD DS.
3. Join a computer to an AD DS domain.

Task 1: Create a computer account by using Active Directory Users and Computers
1. On NYC-DC1, in Active Directory Users and Computers, create a new
computer account named Vista1 in the Computers container.
2. Configure the computer account settings so that Doris Krieger can join the
computer to the domain.

Task 2: Delete a computer account in AD DS
1. In Active Directory Users and Computers, delete the NYC-CL1 computer
account.
2. On NYC-CL1, attempt to log on as Axel with a password of Pa$$w0rd.

Task 3: Join a computer to an AD DS domain
1. On NYC-CL1, log on as a local Administrator with a password of Pa$$w0rd.
2. Access the System control panel, and click Change settings.
3. Change the computer name to NYC-CL2 and configure the computer to be a
member of a Workgroup called WORKGROUP.
4. Restart the computer.
5. After the computer restarts, log on as Administrator with a password of
Pa$$w0rd.
6. Access the System control panel, and click Change settings.
7. Configure the computer to be a member of the WoodgroveBank.com domain.
8. Use the administrator credentials to join the computer to the domain.
9. Restart the computer.
10. On NYC-DC1, in Active Directory Users and Computers, verify that the NYC-CL2
account was added to the domain.
11. On NYC-CL1, verify that you can log on as WoodgroveBank\Axel with a
password of Pa$$w0rd.

Result: At the end of this exercise, you will have created and configured computer
accounts, deleted a computer account and joined a computer to an AD DS domain.


Module Review and Takeaways

Review Questions
1. You are responsible for managing accounts and access to resources for
members of your group. A user in your group leaves the company, and you
expect a replacement for that employee in a few days. What should you do
with the previous user's account?
2. A user in your group must create a test lab with 24 computers that will be
joined to the domain but the account must be created in a separate OU. What
is the best way to do this?
3. You are responsible for maintaining the servers in your organization. You want
to enable other administrators in the organization to determine the physical
location of each server without adding any additional administrative tasks or
creating any additional documents. How can you do this?


4. To accelerate the process of creating new accounts when new employees enter
your group, you create a series of account templates that you use to create new
user accounts and groups. You are notified that a user with an account that
was created by using one of the non-manager account templates has been
accessing files that are restricted to the Managers group. What should you do?
5. You are responsible for managing computer accounts for your group. A user
reports that they cannot log on to the domain from a specific computer but
can log on from other computers. What should you do?
6. You have determined the best ways to search for Active Directory objects and
documented your recommended search criteria. However, the administrators
tell you that it is taking too long to create and then run the search. After further
research, you determine that most of the systems administrators are searching
for the same information. What can you do to accelerate the search process?

Considerations for Managing AD DS User and Computer Accounts
When managing AD DS user and computer accounts, consider the following:
If your organization typically creates large numbers of user accounts at the
same time, explore using LDIFDE, CSVDE, or Windows PowerShell scripts
to automate the process of creating the accounts. These tools can save a great
deal of time when adding or modifying multiple accounts.
Consider delegating permissions to create and manage user accounts in your
AD DS domain. You can delegate permissions at the domain or OU level.
At a minimum, you should retain the password complexity requirements in a
Windows Server 2008 domain. Complex passwords are more difficult for
users to remember, but they are also the most important first step in
maintaining AD DS security.
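The first and last considerations fit together in a script: a bulk import is the point at which a duplicate logon name or a weak initial password is cheapest to catch. The Python below is an added example, not from this course or from any Microsoft tool. It turns a small constructed batch of users into an LDIF file for ldifde, rejects a row whose sAMAccountName is already taken or contains characters AD refuses, and checks any initial password against the default Windows complexity rules (at least 7 characters, three of the four character categories, and no account name or display-name part in the password; the Unicode letter category of the real policy is left out). The domain DN, OU names and CSV rows are invented for the example.

```python
"""Build an ldifde import file for a batch of new user accounts (added example)."""
import base64
import csv
import io
import re

SAM_INVALID_CHARS = set('"/\\[]:;|=,+*?<>')  # rejected in a pre-Windows 2000 logon name
SAM_MAX_LEN = 20
MIN_PASSWORD_LEN = 7     # Windows Server 2008 default domain password policy
NORMAL_ACCOUNT = 0x0200  # userAccountControl flags
ACCOUNTDISABLE = 0x0002

def escape_dn_value(value):
    """Escape an RDN value per RFC 4514 (commas, quotes, leading '#' or space, ...)."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def validate_sam_account_name(name, existing):
    """Return the problems with a proposed sAMAccountName (empty list means OK)."""
    problems = []
    if not 1 <= len(name) <= SAM_MAX_LEN:
        problems.append(f"length must be 1 to {SAM_MAX_LEN} characters")
    bad = sorted(set(name) & SAM_INVALID_CHARS)
    if bad:
        problems.append("invalid characters: " + "".join(bad))
    if name.lower() in {e.lower() for e in existing}:  # logon names are unique per domain
        problems.append("already in use in the domain")
    return problems

def check_password_complexity(password, sam_account_name, display_name):
    """Default Windows complexity rules (the Unicode letter category is omitted)."""
    failures = []
    if len(password) < MIN_PASSWORD_LEN:
        failures.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(categories) < 3:
        failures.append("needs characters from 3 of 4 categories")
    lowered = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        failures.append("contains the account name")
    for token in re.split(r"[,.\-_ #\t]+", display_name):
        if len(token) > 2 and token.lower() in lowered:
            failures.append(f"contains display name part '{token}'")
    return failures

def build_ldif(csv_text, domain_dn, upn_suffix, existing_names=()):
    """Turn CSV rows into LDIF add entries; rows without a password become disabled accounts."""
    seen = list(existing_names)
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sam = row["sAMAccountName"]
        display = f"{row['givenName']} {row['sn']}"
        problems = validate_sam_account_name(sam, seen)
        if problems:
            raise ValueError(f"{sam}: " + "; ".join(problems))
        seen.append(sam)
        lines = [
            f"dn: CN={escape_dn_value(display)},OU={escape_dn_value(row['ou'])},{domain_dn}",
            "changetype: add",
            "objectClass: user",
            f"sAMAccountName: {sam}",
            f"userPrincipalName: {sam}@{upn_suffix}",
            f"givenName: {row['givenName']}",
            f"sn: {row['sn']}",
            f"displayName: {display}",
            f"department: {row['department']}",
        ]
        password = row.get("password") or ""
        if password:
            failures = check_password_complexity(password, sam, display)
            if failures:
                raise ValueError(f"{sam}: password rejected: " + "; ".join(failures))
            # AD takes the quoted password as UTF-16LE; LDIF carries binary values base64 ("::").
            # unicodePwd is accepted only over SSL/TLS, so import such files with ldifde -t 636.
            encoded = base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")
            lines += [f"unicodePwd:: {encoded}", f"userAccountControl: {NORMAL_ACCOUNT}"]
        else:
            lines.append(f"userAccountControl: {NORMAL_ACCOUNT | ACCOUNTDISABLE}")  # 514
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"

# Constructed sample batch using the lab's users; the password column may be left empty.
SAMPLE_CSV = """givenName,sn,sAMAccountName,ou,department,password
Kerim,Hanif,Kerim,ITAdmins,IT,
Sunil,Koduri,Sunil,CustomerService,Customer Service,Pa$$w0rd
"""

if __name__ == "__main__":
    print(build_ldif(SAMPLE_CSV, "DC=WoodgroveBank,DC=com", "WoodgroveBank.com"))
```

Save the output as a file and import it with ldifde -i -f on a domain controller; entries that carry a unicodePwd value need the import to run over SSL (add -t 636), otherwise leave the password column empty, let the accounts be created disabled, and set passwords afterwards.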


Module 8
Creating Active Directory Domain Services
Groups and Organizational Units
Contents:
Lesson 1: Introduction to AD DS Groups 8-3
Lesson 2: Managing Group Accounts 8-15
Lesson 3: Creating OUs 8-21
Lab: Creating an OU Infrastructure 8-28


Module Overview

One of the primary functions of a directory service like Active Directory Domain
Services (AD DS) is to provide authorization for access to network resources.
Ultimately, all of this access to network resources is based on the individual user
accounts. However, in most cases, you do not want to administer access to
resources by using individual user accounts; in a large company this would result
in a great deal of administrative effort and quickly become unmanageable. Instead,
you will need to learn to create group objects so that you can manage large
collections of users at one time.
Another option for organizing collections of users is to create organizational units
(OUs). You use an OU to group and organize objects for administrative purposes,
such as delegating administrative rights and assigning policies to a collection of
objects as a single unit.


Lesson 1
Introduction to AD DS Groups

A group is a collection of user or computer accounts. You use groups to efficiently
manage access to domain resources, which helps simplify network maintenance
and administration. You can use groups separately, or you can place one group
within another to further simplify administration. This lesson describes how to use
and configure groups.


What Are Groups?

Key Points
Groups are a logical collection of similar objects (users, computers, or other groups)
in AD DS. Groups can be organized by department, location, or resource. An
important tool for simplifying administration, groups enable you to assign
permissions for resources to multiple users or computers simultaneously, rather
than on an individual basis.

Additional reading
Active Directory Users and Computers Help: Understanding Group Accounts


What Are Global Groups?

Key Points
A global group is a security or distribution group that can contain users, groups,
and computers that are from the same domain as the global group. You can use
global security groups to assign user rights, delegate authority to AD DS objects, or
assign permissions to resources in any domain in the forest or any other trusting
domain in another forest.

Additional reading
Group Scope
Active Directory Users and Computers Help: Understanding Group Accounts


What Are Universal Groups?

Key Points
A universal group is a security or distribution group that can contain users, groups,
and computers from any domain in its forest. You can use universal security
groups to assign user rights and permissions to resources in any domain in the
forest.

Additional reading
Group Scope
Active Directory Users and Computers Help: Understanding Group Accounts


What Are Domain Local Groups?

Key Points
A domain local group is a security or distribution group that can contain user
accounts from the local domain, any domain in the forest, or any trusted domain.
Domain local groups can also contain universal groups or global groups from any
domain in the forest or any trusted domain, and domain local groups from the
local domain. Groups with domain local scope help you define and manage access
to resources within a single domain.

Additional reading
Group Scope
Active Directory Users and Computers Help: Understanding Group Accounts


What Are Local Groups?

Key Points
A local group is a collection of user accounts or domain groups created on a
member server of an AD DS domain or a stand-alone server. You can create local
groups to grant permissions for resources residing on the local computer. Local
groups can contain local or domain user accounts, computers, global groups, and
universal groups.

Local groups cannot be created on domain controllers
You cannot create local groups on AD DS domain controllers. Domain controllers
do not have local users and groups, as the only security database located on a
domain controller is the AD DS database.

Additional reading
Understanding Local Users and Groups


Discussion: Identifying Group Usage

Questions

For each scenario, determine the type and scope of groups that need to be created.
Scenario 1: A. Datum is a large company with locations in five different cities in
Canada. A. Datum has deployed a single Active Directory domain with five sites.
The HR personnel in each office manage the HR responsibilities for that office, but
all HR personnel must be able to access a shared folder at the company main
office. All HR personnel should be able to change files in the HR shared folder, but
only HR managers should be able to modify files in the HRPolicies folder located
in the HR folder.
Scenario 2: Tailspin Toys has two domains, one for the US and one for Europe.
Both domains are in the same forest. In each domain, a group of administrators
provide help desk support. The help desk support personnel for each domain
must have local administrator permissions on all client computers in the domain.
Also, all help desk personnel must be able to access a Help Desk Web site located
in the Europe domain.


Scenario 3: Trey Research has deployed a single domain. The company has three
locations. Sales personnel frequently travel outside the company offices and must
be able to access an internal Web site as well as shared folders on servers located
in any of the three locations inside the company. Sales personnel use a VPN to get
access to the network. Membership of the Sales group changes frequently.
Scenario 4: A School of Fine Art has a single domain in one location. They want to
ensure that students using the learning lab computers can only print to the lab's
printer, and not the office printer.

Additional reading
Active Directory Users and Computers Help: Understanding Group Accounts


What Is Group Nesting?

Key Points
When using nesting, you add a group as a member of another group. You can use
nesting to consolidate group management. Nesting increases the member accounts
that are affected by a single action and reduces replication traffic caused by the
replication of changes in group membership.
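The scope rules from the preceding slides decide which nestings AD DS will accept, and nesting is what makes a single permission assignment reach many accounts. The Python below is an added example, not from this course or from any Microsoft tool: can_be_member encodes the scope rules for global, universal, domain local, and local groups as this lesson states them (external trusts are modelled as a simple lookup), and expand_members follows a chain of nested groups to list the accounts that end up with a group's access. The forest, domain, group and account names are constructed for the example, loosely following the Tailspin Toys scenario above.

```python
"""Check AD DS group scope rules and expand nested group membership (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str    # "user", "computer", "global", "universal", "domainlocal" or "local"
    domain: str  # DNS domain of the account or group (for a local group, its computer's domain)
    forest: str  # forest root domain name

GROUP_KINDS = {"global", "universal", "domainlocal", "local"}


def can_be_member(member, group, external_trusts=None):
    """Return (allowed, reason) for adding member to group.

    external_trusts maps a domain to the set of domains outside its forest that it trusts.
    """
    if group.kind not in GROUP_KINDS:
        raise ValueError(f"{group.name} is not a group")
    trusted = (external_trusts or {}).get(group.domain, set())
    reachable = member.forest == group.forest or member.domain in trusted

    if group.kind == "global":
        if member.kind not in ("user", "computer", "global"):
            return False, f"a global group cannot contain a {member.kind} group"
        if member.domain != group.domain:
            return False, "global groups accept members only from their own domain"
        return True, "same-domain member of a global group"

    if group.kind == "universal":
        if member.kind not in ("user", "computer", "global", "universal"):
            return False, f"a universal group cannot contain a {member.kind} group"
        if member.forest != group.forest:
            return False, "universal groups accept members only from their own forest"
        return True, "same-forest member of a universal group"

    if group.kind == "domainlocal":
        if member.kind == "local":
            return False, "a computer's local group cannot be a member of a domain group"
        if member.kind == "domainlocal":
            if member.domain != group.domain:
                return False, "domain local groups nest only domain local groups of their own domain"
            return True, "same-domain domain local group"
        if not reachable:
            return False, "member's domain is neither in the forest nor trusted by it"
        return True, "member from the forest or a trusted domain"

    # kind == "local": a group in a member server's or workstation's local SAM
    if member.kind == "local":
        return False, "a local group cannot contain another local group"
    if member.kind == "domainlocal" and member.domain != group.domain:
        return False, "a domain local group is usable only on computers in its own domain"
    return True, "local or domain account, or global/universal group"


def expand_members(group_name, direct_members):
    """Follow nested groups and return every account that ends up with the group's access."""
    accounts, seen, stack = set(), set(), [group_name]
    while stack:
        current = stack.pop()
        if current in seen:            # tolerate circular nesting
            continue
        seen.add(current)
        for member in direct_members.get(current, ()):
            if member in direct_members:
                stack.append(member)   # nested group: keep descending
            else:
                accounts.add(member)
    return accounts


# Constructed example: two domains in one forest plus an external partner domain.
FOREST = "tailspintoys.example"
US, EUROPE = "us.tailspintoys.example", "europe.tailspintoys.example"
US_HELPDESK = Principal("HelpDesk_US_GG", "global", US, FOREST)
EU_HELPDESK = Principal("HelpDesk_Europe_GG", "global", EUROPE, FOREST)
ALL_HELPDESK = Principal("HelpDesk_All_UG", "universal", EUROPE, FOREST)
WEB_ACCESS = Principal("HelpDeskWeb_Access_DLG", "domainlocal", EUROPE, FOREST)
US_USER = Principal("kim", "user", US, FOREST)
PARTNER_USER = Principal("pat", "user", "fabrikam.example", "fabrikam.example")
TRUSTS = {EUROPE: {"fabrikam.example"}}   # the Europe domain trusts the partner domain

NESTING = {   # direct membership; names that are not keys are accounts
    "HelpDeskWeb_Access_DLG": ["HelpDesk_All_UG"],
    "HelpDesk_All_UG": ["HelpDesk_US_GG", "HelpDesk_Europe_GG"],
    "HelpDesk_US_GG": ["kim", "lee"],
    "HelpDesk_Europe_GG": ["ana"],
}

if __name__ == "__main__":
    for member, group in [(US_USER, EU_HELPDESK), (US_HELPDESK, ALL_HELPDESK),
                          (WEB_ACCESS, US_HELPDESK), (PARTNER_USER, WEB_ACCESS)]:
        print(member.name, "->", group.name, can_be_member(member, group, TRUSTS))
    print(sorted(expand_members("HelpDeskWeb_Access_DLG", NESTING)))
```

The NESTING table shows the pattern the lesson describes: accounts sit in global groups per domain, the global groups nest into a universal group, and the universal group is the single member of the domain local group that carries the permission, so adding a new help desk technician to one global group is the only change needed.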


Discussion: Strategies for Nesting AD DS Groups

Questions

Extend the previous discussion to consider the option of nesting groups. How
would the group configuration change if group nesting were used for each
Scenario below?
Scenario 1: A. Datum is a large company with locations in five different cities in
Canada. A. Datum has deployed a single Active Directory domain with five sites.
The HR personnel in each office manage the HR responsibilities for that office, but
all HR personnel must be able to access a shared folder at the company main
office. All HR personnel should be able to change files in the HR shared folder, but
only HR managers should be able to modify files in the HRPolicies folder located
in the HR folder. How can nested groups be used to simplify management?


Scenario 2: Tailspin Toys has two domains, one for the US and one for Europe.
Both domains are in the same forest. In each domain, a group of administrators
provide help desk support. The help desk support personnel for each domain
must have local administrator permissions on all client computers in the domain.
As well, all help desk personnel must be able to access a Help Desk Web site
located in the Europe domain.
Scenario 3: Trey Research has deployed a single domain. The company has three
locations. Sales personnel frequently travel outside the company offices and must
be able to access an internal Web site as well as shared folders on servers located
in any of the three locations inside the company. Sales personnel use a VPN to get
access to the network. Membership of the Sales group changes frequently.
Members of the Marketing and Finance departments need access to the same
shared folders as the Sales personnel.


AD DS Groups Review

Review questions

1. Why should you use a global group rather than a domain local group for the
users of a sales department in a multi-domain company?
2. How could you provide members of a Sales department that travel frequently
between domains in a multi-city company with access to printers on various
domains, which are managed with domain local groups?


Lesson 2
Managing Group Accounts

As an AD DS administrator, you will spend much of your time creating and
administering groups. The administration tasks could include choosing group
names, creating groups and adding members to groups. This lesson describes how
to perform these tasks.


Considerations for Naming Groups

Key Points
A large organization might have many security and distribution groups. A
standardized naming convention can help you locate and identify groups more
easily. Keeping names concise and including the department, geographic location,
or project in the name are all helpful ways to make groups easier to identify.


Demonstration: Creating Groups

Questions

1. Your organization requires a group that can be used to send e-mail to users in
multiple domains. The group will not be used to assign permissions. What
type of group should you create?
2. What would be some suitable names for the global group that contains
Woodgrove Bank's Toronto-based marketing group?

Additional reading
Active Directory Users and Computers Help: Create a New Group

Demonstration: Adding Members to Groups

Questions

1. What would be an efficient way to add users from all sales OUs to a universal
group?
2. You have a domain local group called ManagerAccessDLG. This group is used
to assign access to all resources for managers, and the
Managers_WoodgroveGG group has been added to the ManagerAccessDLG
group. How would you give users from the Executives_WoodgroveGG group
quick access to the same resources as those accessible to the managers group?

Identifying Group Membership

Key Points
Use Active Directory Users and Computers to determine the membership status of
both users and groups. All user accounts have a Member Of attribute that lists all
of the groups that the user is a member of. All groups have a Members attribute
and a Member Of attribute. The Members attribute lists all user accounts or other
group accounts that are members of the group, while the Member Of attribute
indicates into which groups the group has been added, or nested.

Additional reading
Active Directory Users and Computers Help: Finding a Group in Which a User
is a Member

Demonstration: Modifying Group Scope and Type

Question

Why would you need to change a group type or scope? What additional actions
should you take if you are changing a group type or scope?

Lesson 3
Creating OUs

Another option for collecting several user and computer accounts for
administrative purposes is to create OUs. In this lesson, you will learn to create
OUs. You will also learn options for creating OU hierarchies and how to move
objects between OUs.

What Is an OU?

Key Points
An OU is an AD DS object contained in a domain. You can use OUs to organize
hundreds of thousands of objects in the directory into manageable units. OUs are
useful in grouping and organizing objects for administrative purposes, such as
delegating administrative rights and assigning policies to a collection of objects as a
single unit.

Additional reading
Active Directory Users and Computers Help: Understanding Organizational
Units
Reviewing Organizational Unit Design Concepts
Windows Server Glossary
Organizational Units

What Is an OU Hierarchy?

Key Points
AD DS OUs are used to create a hierarchical structure within a domain. By creating
an OU structure, you are grouping objects that can be administered as a unit.
An organizational hierarchy should logically represent an organizational structure.
That organization could be based on geographic, functional, resource-based, or
user classifications. Whatever the order, the hierarchy should make it possible to
administer AD DS resources as flexibly and effectively as possible. For example, if
all of the computers used by IT administrators need to be configured in a certain
way, you can group all of the computers in an OU, and assign a policy to manage
the computers in the OU.

OU Hierarchy Examples

Key Points
Organizations may deploy OU hierarchies using several different models.

Geographic OUs
If the organization has multiple locations and network management is
geographically distributed, you should use a location-based hierarchy. For
example, you might decide to create OUs for New York, Toronto and Miami in a
single domain.

Departmental OUs
A departmental OU is based only on the business functions of the organization,
without regard to geographical location or divisional barriers. This approach works
well for small organizations with a single location.

Resource OUs
Resource OUs are designed to manage resource objects (non-user objects such as
client computers, servers, or printers). This design is most useful when all resources
of a given type are managed in the same way. Resource-based OUs can help
facilitate software installations or printer selections based on Group Policies.

Management-based OUs
Management-based OUs reflect the various administrative divisions within the
organization by mirroring the organization's structure in the OU structure.
Responsibility for managing users and groups, when they are placed into nested
departmental OUs, can be delegated to the managers of those departments.

Additional reading
Design Considerations for Organizational Unit Structure and Use of Group
Policy Objects

Demonstration: Creating OUs

Questions

1. What type of OU hierarchy has been implemented by this organization?
2. Why would you locate user accounts and computer accounts into separate
OUs?

Additional reading
Active Directory Users and Computers Help: Create a New Organizational
Unit

Demonstration: Moving Objects Between OUs

Question

How would members in the Sales and Marketing OUs benefit from being
administered by a member of their own departments?

Additional reading
Active Directory Users and Computers Help: Moving a user account

Lab: Creating an OU Infrastructure

Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank is opening a new subsidiary in Vancouver,
and they need an OU design for the subsidiary. Woodgrove Bank has deployed
Windows Server 2008 Active Directory Domain Services, and one of your primary
tasks will be to create a new OU design and move users from current positions to
the new subsidiary.

Exercise 1: Creating AD DS Groups

In this exercise, you will create three new groups using Active Directory Users and
Computers. You will create one group using Dsadd. You will add users to the
groups and inspect the results.
The main tasks are as follows:
1. Start the 6424A-NYC-DC1 virtual computer and log on as Administrator.
2. Create three groups by using Active Directory Users and Computers.
3. Create one group by using the command-line directory service tool Dsadd.
4. Add users to the groups.
5. Inspect the results of adding users to groups.
6. Log off from 6424A-NYC-DC1.

Task 1: Start the 6424A-NYC-DC1 virtual machine and log on as Administrator
Start 6424A-NYC-DC1 and log on as Administrator using the password
Pa$$w0rd.

Task 2: Create three new groups by using Active Directory Users and Computers
1. On NYC-DC1, open Active Directory Users and Computers.
2. In the WoodgroveBank.com domain, create a new group with the following
parameters:
Group Name: Van_BranchManagersGG
Scope: Global
Type: Security
3. Repeat step 2 to create two more groups with the same scope and type. The
two group names are as follows:
Van_CustomerServiceGG
Van_InvestmentsGG

Task 3: Create a group by using the Dsadd command-line tool
1. Open a command prompt window.
2. Enter the following command on one line (each option name begins with a
hyphen):

dsadd group cn=Van_MarketingGG,ou=Vancouver,dc=WoodgroveBank,dc=com -samid Van_MarketingGG -secgrp yes -scope g

3. Press ENTER.
4. Use the Find command to locate the new group in the WoodgroveBank.com
domain.

Task 4: Add members to the new groups
1. In Active Directory Users and Computers, search the WoodgroveBank.com
domain using the standard Search box to find the workers in the table below.
2. Add each worker to the groups indicated in the table.

Find                 Add to group
Neville Burdon       Van_BranchManagersGG
Suchitra Mohan       Van_BranchManagersGG
Anton Kirilov        Van_CustomerServiceGG
Shelley Dyck         Van_CustomerServiceGG
Barbara Moreland     Van_InvestmentsGG
Nate Sun             Van_InvestmentsGG
Yvonne McKay         Van_MarketingGG
Monika Buschmann     Van_MarketingGG
Bernard Duerr        Van_MarketingGG

Task 5: Inspect the contents of the Vancouver groups
1. In Active Directory Users and Computers, click WoodgroveBank.com. In the
contents view area, right-click Van_BranchManagersGG and view its
properties.
2. Open the Members tab and observe that Neville Burdon and Suchitra Mohan
are now members.

Task 6: Log off from 6424A-NYC-DC1
1. In Active Directory Users and Computers, click File, and then click Exit.
2. Click Start, point to the arrow icon, and click Log Off.

Result: At the end of this exercise, you will have created three new groups using
Active Directory Users and Computers. You will have created one group using
Dsadd. You will have added users to the groups and inspected the results.

Exercise 2: Planning an OU Hierarchy (Discussion)

In this exercise you will discuss and determine how to plan an OU hierarchy.

Scenario:
A new subsidiary of Woodgrove Bank is located in Vancouver, Canada. It will have
the following departments:
Management
Customer Service
Marketing
Investments

The OU hierarchy needs to support delegation of administrative tasks to users
within that organizational unit.

Discussion questions:
1. Which approach to extending the organizational hierarchy of
WoodgroveBank.com is the most likely to be applied in the creation of the
new subsidiary's resources: Geographic, Organizational, or Functional? Why?
2. What would be the most logical way to further subdivide the subsidiary's
Organizational Unit (Geographic, Organizational, or Functional)?
3. What does the pattern of naming second level OUs in other centers suggest for
the new Vancouver OU?
4. What would be a simple but effective way of delegating administrative tasks
(such as adding users and computers to the domain, and changing user
properties such as password resets, and employee contact details) to certain
users within a department?

Result: At the end of this exercise, you will have discussed and determined how to
plan an OU hierarchy.

Exercise 3: Creating an OU Hierarchy

In this exercise you will use the output from the previous discussion to create an
OU structure for the new Vancouver subsidiary of WoodgroveBank.com. You will
also move users (see list below) from other subsidiaries into groups, and add
groups to the appropriate OUs. Additionally, you will populate the groups with the
members of the corresponding departments, and update the descriptions of the
users that have been moved into the new subsidiary.
The benefit of having OUs based on administrative units is in delegating
administrative responsibilities to members of those units.
You will create OUs in two different ways:
Active Directory Users and Computers, an MMC snap-in.
Dsadd, a command-line directory service tool.

The main tasks are as follows:
1. Start the 6424A-NYC-DC1 virtual machine and log on as Administrator.
2. Create OUs by using Active Directory Users and Computers.
3. Create OUs by using Dsadd.
4. Nest an OU inside another OU.
5. Move groups into Vancouver OUs.
6. Move users from other OUs into those of the new subsidiary.
7. Delegate control over an OU using the Delegation of Control Wizard.
8. Test user rights by logging on from 6424A-NYC-CL1.
9. Log off from 6424A-NYC-DC1.

Task 1: Start the 6424A-NYC-DC1 virtual machine and log on as Administrator
Start 6424A-NYC-DC1 and log on as Administrator using the password
Pa$$w0rd.

Task 2: Create OUs by using Active Directory Users and Computers
1. At the root level of WoodgroveBank.com, create a new OU called Vancouver.
2. Inside the Vancouver OU, create three OUs with the following names:
BranchManagers
Investments
Marketing

Task 3: Create an OU using the Directory Service Tool - Dsadd
1. Click Start, click Run, and then type cmd to open a command-line window.
2. Type the following command at the prompt on one line (the description
contains a space, so it must be quoted):

dsadd ou ou=Investments,dc=WoodgroveBank,dc=com -desc "Marketing department" -d WoodgroveBank.com -u Administrator -p Pa$$w0rd

3. Press ENTER.
4. In Active Directory Users and Computers, refresh the WoodgroveBank.com
domain object, and note the presence of the new OU.

Task 4: Nest an OU inside another OU
1. In Active Directory Users and Computers, refresh the object tree.
2. Move the new Investments OU from the WoodgroveBank.com domain level into
the Vancouver OU. Click OK to dismiss the warning message.

Note: There is a potential risk associated with the movement of security groups
from one OU into another. Group policies in effect in one OU may no longer be
applied in the new location. By default, AD DS notifies administrators of that risk
whenever a group is moved between OUs.

Task 5: Move groups created in Exercise 1 into the appropriate OUs
1. In Active Directory Users and Computers, locate the remaining groups created
in Exercise 1 for the new Vancouver subsidiary in the WoodgroveBank.com
domain.
2. Move the following groups into the following Vancouver OUs:
Van_MarketingGG group to Vancouver\Marketing OU
Van_BranchManagersGG group to Vancouver\BranchManagers OU
Van_InvestmentsGG group to Vancouver\Investments OU
Van_CustomerServiceGG group to Vancouver\CustomerService OU

Note: There are several ways to move objects between OUs in Active Directory Users
and Computers. You can (1) use the Move command, (2) drag and drop the object
into a new OU, or (3) use the Cut and Paste commands.

Task 6: Find and move users into the appropriate Vancouver OUs
Use Active Directory Users and Computers to find and move the following
users into the OUs listed below.

Find                 Move to Vancouver OU
Neville Burdon       BranchManagers
Suchitra Mohan       BranchManagers
Anton Kirilov        CustomerService
Shelley Dyck         CustomerService
Barbara Moreland     Investments
Nate Sun             Investments
Yvonne McKay         Marketing
Monika Buschmann     Marketing
Bernard Duerr        Marketing

Task 7: Delegate control over an OU
1. In Active Directory Users and Computers, select the Vancouver\Marketing OU
and open the Delegation of Control Wizard.
2. Add Yvonne McKay to the Selected users and groups list, and click Next.
3. Delegate to her the following common tasks:
Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Create, delete and manage groups
Modify the membership of a group
4. Click Next and then click Finish.

Task 8: Test user rights by logging on from 6424A-NYC-CL1
1. Using 6424A-NYC-CL1, log on with the account Yvonne McKay and the
password Pa$$w0rd.
2. Start Active Directory Users and Computers.
3. Reset the password of Monika Buschmann using the password Pa$$w0rd
again. You should see the following message: Password for Monika Buschmann
has been changed.
4. Attempt to move a user from the Miami BranchManagers OU into the
Vancouver BranchManagers OU. You should see the following message:
Windows cannot move object [user name] because: Access denied.

Task 9: Log off from 6424A-NYC-DC1
1. In Active Directory Users and Computers, click File, and click Exit.
2. Click Start, point to the arrow icon, and click Log Off.

Result: At the end of this exercise, you will have created OUs using Active Directory
Users and Computers and using Dsadd.
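The two exercises above, scripted end to end with the Directory Service command-line tools (Dsadd, Dsquery, Dsmod, Dsmove, Dsget and Dsacls), as an added example that is not part of the courseware. It assumes the lab's domain, OU, group and user names, that the listed users already exist somewhere in WoodgroveBank.com, and that it runs at an elevated command prompt on NYC-DC1 as Administrator; the groups are created directly inside their departmental OUs, so the separate move in Exercise 3, Task 5 is not needed.

```batch
@echo off
rem Added example (not part of the 6424A courseware): builds the Vancouver OU
rem hierarchy and the four Vancouver global security groups from Exercises 1
rem and 3 with the Directory Service command-line tools, then verifies them.
rem Assumptions: run at an elevated command prompt on NYC-DC1 as a domain
rem administrator; the users named in the lab tables already exist somewhere
rem in WoodgroveBank.com; the ds* tools are on the path (they are on a DC).
setlocal

set "DOMAIN_DN=dc=WoodgroveBank,dc=com"
set "VAN_OU=ou=Vancouver,%DOMAIN_DN%"

rem --- Exercise 3, Tasks 2-4: the OU hierarchy. A parent OU must exist
rem     before its children, so Vancouver is created first.
dsadd ou "%VAN_OU%" -desc "Vancouver subsidiary" || goto :fail
for %%O in (BranchManagers CustomerService Investments Marketing) do (
    dsadd ou "ou=%%O,%VAN_OU%" -desc "Vancouver %%O department" || goto :fail
)

rem --- Exercise 1, Tasks 2-3: one global security group per department,
rem     created directly in its departmental OU. -secgrp yes makes it a
rem     security group (not a distribution group); -scope g makes it global.
for %%O in (BranchManagers CustomerService Investments Marketing) do (
    dsadd group "cn=Van_%%OGG,ou=%%O,%VAN_OU%" -samid Van_%%OGG -secgrp yes -scope g || goto :fail
)

rem --- Exercise 1, Task 4 and Exercise 3, Task 6: add each user to the
rem     department group and move the account into the department OU.
call :place "Neville Burdon"   BranchManagers  || goto :fail
call :place "Suchitra Mohan"   BranchManagers  || goto :fail
call :place "Anton Kirilov"    CustomerService || goto :fail
call :place "Shelley Dyck"     CustomerService || goto :fail
call :place "Barbara Moreland" Investments     || goto :fail
call :place "Nate Sun"         Investments     || goto :fail
call :place "Yvonne McKay"     Marketing       || goto :fail
call :place "Monika Buschmann" Marketing       || goto :fail
call :place "Bernard Duerr"    Marketing       || goto :fail

rem --- Exercise 1, Task 5: read the Members attribute of each group.
for %%O in (BranchManagers CustomerService Investments Marketing) do (
    echo.
    echo Members of Van_%%OGG:
    dsget group "cn=Van_%%OGG,ou=%%O,%VAN_OU%" -members
)

rem --- Exercise 3, Task 7: after the Delegation of Control Wizard has run,
rem     dump the OU's ACL to confirm exactly what Yvonne McKay was granted
rem     (and that nothing was delegated outside the Marketing OU).
echo.
echo ACL of the Marketing OU:
dsacls "ou=Marketing,%VAN_OU%"
goto :eof

:place
rem %~1 = display name of the user, %2 = department OU (also the group suffix).
rem Dsquery resolves the display name to a DN and pipes it into Dsmod/Dsmove,
rem so no distinguished name has to be typed by hand.
dsquery user "%DOMAIN_DN%" -name "%~1" | dsmod group "cn=Van_%2GG,ou=%2,%VAN_OU%" -addmbr || exit /b 1
dsquery user "%DOMAIN_DN%" -name "%~1" | dsmove -newparent "ou=%2,%VAN_OU%" || exit /b 1
exit /b 0

:fail
echo A directory command failed; fix the error above before continuing.
exit /b 1
```

Re-running the script against an existing tree fails at the first Dsadd, which is intended: inspect the error rather than letting later steps run against a half-built hierarchy.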

Module Review and Takeaways

Review Questions
1. You have just installed a new domain controller in your domain. What two
tools could you use to verify that the domain controller has been added to the
domain?
2. You want to group all of the users in a branch office together so that you can
assign permissions to a shared folder to all of the users in the branch office.
What type of AD DS object should you create?
3. What are the differences between a domain, domain tree and forest?
4. What feature makes it easy and fast to search a forest for user phone numbers?
5. What is the relationship between a domain and a site?

Summary of Active Directory Domain Services

AD DS provides a directory service for organizations that enables them to provide
secure access to network resources and centralized administration. AD DS enables
users to be authenticated, and then authorizes the user to access network resources
based on that network authentication.
AD DS is composed of logical and physical components. Logical components such
as domains, forests and OUs are used to group objects together for administrative
purposes. Physical components such as domain controllers and sites are deployed
to provide a consistent experience for users throughout the AD DS environment.

Module 9
Managing Access to Resources
Contents:
Lesson 1: Managing Access Overview 9-3
Lesson 2: Assigning Permissions to Shared Resources 9-12
Lesson 3: Managing NTFS File and Folder Permissions 9-21
Lesson 4: Determining Effective Permission 9-28
Lab: Managing Access to Resources 9-38

Module Overview

One of the primary reasons for deploying Active Directory Domain Services (AD
DS) is to enable users to access shared resources on the network. The previous
modules introduced users and groups as the primary way to enable access to those
resources. This module describes how to configure shared folders to enable those
users and groups to gain access to the resources.
Specifically, this module helps you learn the skills and knowledge you will need to:
Understand how permissions enable resource access.
Manage access to files and folders by using shared folder permissions, NTFS
permissions, or special permissions.
Manage permissions inheritance.

Lesson 1
Managing Access Overview

In order to manage access to resources, you need to understand how Windows
operating systems use security principals and security tokens to allow access to
resources. Then you need to understand how permissions are applied to resources
such as shared folders. This lesson provides the information you need to manage
access to resources.

What Are Security Principals?

Key Points
A security principal is an AD DS entity that can be authenticated by a Windows
operating system. Security principals include:
User and computer accounts.
A thread or process that runs in the security context of a user or computer
account.
Groups of the above accounts.

Every security principal is automatically assigned a security identifier (SID) when it
is created. A SID is made up of two components:
Domain identifier. The domain identifier is the same for all security principals
created in the domain.
Relative identifier. The relative identifier is unique to each security principal
created in the domain.

Additional reading
Windows Server Glossary

What Are Access Tokens?

Key Points
An access token is a protected object that contains information about the identity
and privileges associated with a user account.

How access tokens are created
When a user logs on, if authentication is successful, the logon process returns a
SID for the user and a list of SIDs for the user's security groups. The Local Security
Authority (LSA) on the computer uses this information to create an access token
that includes the SIDs and a list of privileges assigned by local security policy to
the user and to the user's security groups.

How access tokens are used to verify the user's privileges
After LSA creates the primary access token, a copy of the access token is attached
to every process and thread that executes on the user's behalf. Whenever a thread
or process interacts with a shared resource or tries to perform a system task that
requires privileges, the operating system checks the access token associated with
the thread to verify the user's access to the resource.
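An added example, not from the courseware, that reads the current logon's access token with Whoami and splits the user's SID into the two components described in the security principals topic. It assumes a domain (or local) account whose SID has the S-1-5-21-a-b-c-RID form, and a Windows Server 2008 or Windows Vista command prompt.

```batch
@echo off
rem Added example (not from the courseware): inspects the access token of the
rem current logon with Whoami and splits the user's SID into the domain
rem identifier and the relative identifier (RID) described above.
rem Assumption: the account's SID has the form S-1-5-21-<a>-<b>-<c>-<RID>
rem (a domain or local account); well-known SIDs such as S-1-5-18 are not split.
setlocal

rem whoami /user /fo csv /nh prints one line: "DOMAIN\user","S-1-5-21-...-RID"
for /f "tokens=2 delims=," %%S in ('whoami /user /fo csv /nh') do set "USER_SID=%%~S"
echo User SID : %USER_SID%

rem Token 8 of the dash-separated SID is the RID; tokens 1-7 form the domain
rem identifier, which is identical for every principal created in the domain.
for /f "tokens=1-8 delims=-" %%a in ("%USER_SID%") do (
    set "DOMAIN_ID=%%a-%%b-%%c-%%d-%%e-%%f-%%g"
    set "RID=%%h"
)
if "%RID%"=="" (
    echo Not an S-1-5-21 SID; cannot split into domain identifier and RID.
    exit /b 1
)
echo Domain ID: %DOMAIN_ID%
echo RID      : %RID%

rem Group SIDs in the token that share the domain identifier are this domain's
rem security groups; the rest (S-1-5-32-* builtin groups, S-1-1-0 Everyone,
rem and so on) are well-known or local principals the LSA adds at logon.
echo.
echo Domain groups in the token:
whoami /groups /fo csv /nh | findstr /c:"%DOMAIN_ID%-"
echo.
echo Well-known and builtin groups in the token:
whoami /groups /fo csv /nh | findstr /v /c:"%DOMAIN_ID%-"

rem Privileges come from local security policy for the user and its groups;
rem the token lists each one with its current state (Enabled or Disabled).
echo.
echo Privileges in the token:
whoami /priv /fo list
```

Because the token is built once at logon, a group added to the account afterwards does not appear here until the user logs off and on again, which is why permission changes made through group membership seem to "not work" until the next logon.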

Additional reading
Windows Server Glossary
Access Tokens Technical Reference

What Are Permissions?

Key Points
Permissions define the type of access that is granted to a security principal for an
object.
When you assign permissions, you can:
Explicitly apply permissions. When you explicitly apply permissions, you
access the shared resource object directly and configure permissions on that
object. You can explicitly apply permissions on folders or files.
Configure permission inheritance. When you configure permissions on a
folder, the permissions are inherited by default on all sub-folders or files in
that folder. You can accept the default permission inheritance or modify the
default behavior by blocking permission inheritance or by assigning explicit
permissions to lower level folders or files.

Accept implicitly applied permissions. If no permissions are explicitly
assigned to an object for a particular user account and no inherited
permissions apply to the user account, the user will be denied access to the
object.

Additional reading
Windows Server Glossary

How Access Control Works

Key Points
The process of gaining access to an AD DS resource is called access control and it
is based on the verification of security principals.
All objects in AD DS, and all securable objects on a local computer or on the
network, have security descriptors assigned to them to help control access to the
objects. Security descriptors include information about who owns an object, who
can access it and in what way, and what types of access are audited.

Additional reading
MSDN Glossary

Managing Access Review

Questions

1. What is the role of access control lists (ACL) in granting access to resources in
an AD DS network?
2. How do discretionary access control lists (DACLs) differ from system access
control lists (SACLs)?

Lesson 2
Assigning Permissions to Shared Resources

Shared folders give users access to files and folders over a network. Users can
connect to the shared folder over the network to access the folders and files that
it contains. Shared folders can contain applications, public data, or a user's
personal data. Using shared data folders provides a central location for users to
access common files and makes it easier to back up the data contained in those files.

What Are Shared Folders?

Key Points
When you share a folder, the folder is made accessible to multiple users
simultaneously over the network. Once granted permission, users can access all of
the files and subfolders in the shared folder.
Most organizations deploy dedicated file servers to host shared folders. You can
store files in shared folders according to categories or functions. For example, you
can place shared files for the Sales department in one shared folder and shared
files for executives in another.

What Are Administrative Shared Folders?

Key Points
Windows Server 2008 automatically creates shared folders on Windows
computers that enable you to perform administrative tasks. These default
administrative shares have a dollar sign ($) at the end of the share name.
Appending the dollar sign at the end of the folder name hides the shared folder
from users who browse the network. Administrators can quickly administer files
and folders on remote servers by using these hidden shared folders.

Shared Folder Permissions

Key Points
Shared folder permissions apply only to users who connect to the folder over the
network. They do not restrict access to users who access the folder at the computer
where the folder is stored. You can grant shared folder permissions to user
accounts, groups, and computer accounts.

Additional reading
Best Practices for Shared Folders

Demonstration: Creating Shared Folders

Key Points
In Windows Server 2008, the only groups that can create shared folders are the
Administrators, Server Operators, and Power Users groups. These groups are built-in
groups that are placed in the Groups folder in Computer Management or the
Builtin container in Active Directory Users and Computers.

Questions

1. How do you apply sharing permissions to a folder?
2. How would you begin to create a new shared folder using the Share and
Storage Management MMC snap-in?
3. Which tool would you use to create a new shared folder?

Connecting to Shared Folders

Key Points
After you create a shared folder, users can access the folder across the network by
using multiple methods. Users can access a shared folder on another computer via:
The Network window (in Windows Server 2008 or Windows Vista).
My Network Places (in Windows Server 2003 or Windows XP).
The Map Network Drive feature.
Searching AD DS.
The Run command on the Start menu.

Additional reading
Glossary of Registry Terms

Demonstration: Managing Shared Folders

Question

What would happen if a user was editing a file, had not yet saved the changes,
and an administrator then used the Close File feature?

Considerations for Using Shared Folders

Key Points
When managing access to shared folders, consider the following best practices
when granting permissions:
Use the most restrictive permissions possible. Do not grant more
permissions for a shared folder than the users legitimately require. For
example, if a user only needs to read a file, grant Read permission for the file to
the user or group to which the user belongs.
Avoid assigning permissions to individual users. Use groups whenever
possible. Because it is inefficient to maintain user accounts directly, avoid
granting permissions to individual users.

Remember that Full Control allows users to modify NTFS permissions. Add
groups to the Full Control permission with caution, because each change to
NTFS permissions can affect security.
Use the Authenticated Users or Domain Users group instead of the Everyone
group (if present) in the shared folder's permissions list. Because the Everyone
group includes Guests, using the Authenticated Users or Domain Users group
limits access to the shared folder to authenticated users only, and helps prevent
users or viruses from accidentally deleting or damaging data and application
files.

Additional reading
Best practices for Shared Folders

Lesson 3
Managing NTFS File and Folder Permissions

In addition to configuring access to shared folders by using shared folder
permissions, you can also assign permissions by using NTFS permissions. The
information in this lesson presents the skills and knowledge that you need to
manage access to files and folders by using NTFS permissions.

What Are NTFS Permissions?

Key Points
NTFS permissions are used to specify which users, groups, and computers can
access files and folders. NTFS permissions also dictate what users, groups, and
computers can do with the contents of the file or folder.
NTFS file permissions include:
Read. Read the file, attributes, permissions, and view owner.
Write. Write to the file, change attributes, view permissions, and view owner.
Read & Execute. Execute applications plus all Read permissions.
Modify. All the above permissions, plus ability to delete file.
Full Control. All the above permissions plus the ability to change permissions,
and take ownership of the file.

There are six basic NTFS folder permissions:
Read. Read files, folders and subfolders, permissions, and view owner.
Write. Create new files and folders, view permissions, and owner, change
folder attributes.
List Folder Contents. View files and subfolders.
Read & Execute. Execute applications plus all permissions of Read and List
Folder Contents.
Modify. All the above permissions, plus ability to delete folder.
Full Control. All the above permissions plus the ability to change permission
on the folder and take ownership.

What Are Standard and Special Permissions?

Key Points
NTFS permissions fall into two categories: standard and special. Standard
permissions are the most frequently assigned permissions. The permissions
described in the previous topic are standard permissions.
Special permissions provide you with a finer degree of control for assigning access
to objects.

Additional reading
Permissions for files and folders

What Is NTFS Permissions Inheritance?

Key Points
By default, permissions that you grant to a parent folder are inherited by the
subfolders and files that are contained in the parent folder.
A security principal that is inheriting permissions can have additional NTFS
permissions assigned, but the inherited permissions cannot be removed until
inheritance is blocked.

Blocking permission inheritance
The folder on which you prevent permissions inheritance becomes the new parent
folder, and the subfolders and files that are contained in it inherit the permissions
assigned to it. Permissions can be inherited only from a direct parent.
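A departmental shared folder set up along the lines of the "Considerations for Using Shared Folders" topic and the NTFS permission and inheritance topics above, as an added example that is not part of the courseware. It assumes an elevated command prompt on a Windows Server 2008 member file server, an NTFS volume D:, and two constructed group names (WOODGROVEBANK\Sales_GG and WOODGROVEBANK\SalesAdmins_GG) that do not appear on the page; net share /grant and icacls /inheritance are the Windows Server 2008 forms of those commands.

```batch
@echo off
rem Added example (not from the courseware): creates a departmental shared
rem folder the way the shared folder and NTFS permission topics describe, then
rem displays the resulting share and NTFS ACLs.
rem Assumptions: runs elevated on a Windows Server 2008 file server joined to
rem WoodgroveBank.com (NetBIOS name WOODGROVEBANK); the groups Sales_GG and
rem SalesAdmins_GG are constructed names for this example; D: is NTFS.
setlocal
set "ROOT=D:\SalesData"
set "SHARE=SalesData"

mkdir "%ROOT%\Archive" 2>nul

rem --- Shared folder permissions (they apply only to network access).
rem     Weak setting: Everyone with Full Control. Everyone also admits Guests,
rem     and Full Control lets every user rewrite the NTFS permissions beneath:
rem         net share %SHARE%="%ROOT%" /grant:Everyone,FULL
rem     Corrected: only authenticated users, and only Change; the fine-grained
rem     control is left to NTFS so the share permissions stay simple.
net share %SHARE%="%ROOT%" /grant:"Authenticated Users",CHANGE /remark:"Sales department data" || exit /b 1

rem --- NTFS permissions on the folder: groups rather than individual users,
rem     and the most restrictive permission that still lets people work.
rem     (OI)(CI) = object and container inherit, so files and subfolders
rem     created under the folder inherit the entry.
icacls "%ROOT%" /grant "WOODGROVEBANK\Sales_GG":(OI)(CI)M || exit /b 1
icacls "%ROOT%" /grant "WOODGROVEBANK\SalesAdmins_GG":(OI)(CI)F || exit /b 1

rem --- Inheritance: Archive currently inherits Modify for Sales_GG from its
rem     parent, and an inherited entry cannot simply be removed. To make the
rem     archive read-only for Sales without touching the parent, block
rem     inheritance (/inheritance:d copies the inherited entries as explicit
rem     ones), then replace the copied Modify entry with Read & Execute.
icacls "%ROOT%\Archive" /inheritance:d || exit /b 1
icacls "%ROOT%\Archive" /remove:g "WOODGROVEBANK\Sales_GG" || exit /b 1
icacls "%ROOT%\Archive" /grant "WOODGROVEBANK\Sales_GG":(OI)(CI)RX || exit /b 1

rem --- Verify. Entries flagged (I) are inherited. Archive is now a parent in
rem     its own right, so its entries carry no (I) flag and its own files and
rem     subfolders inherit from Archive, not from SalesData.
echo.
echo NTFS permissions on %ROOT%:
icacls "%ROOT%"
echo.
echo NTFS permissions on %ROOT%\Archive (inheritance blocked):
icacls "%ROOT%\Archive"
echo.
echo Share permissions on \\%COMPUTERNAME%\%SHARE%:
net share %SHARE%
```

A user in Sales_GG who connects over the network gets the more restrictive of the two layers: Change on the share and Modify on SalesData, but only Read & Execute inside Archive.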

Additional reading
Windows Server Glossary

Demonstration: Configuring NTFS Permissions

Questions

1. If you deny an NTFS permission to a group for a particular resource while
allowing the same permission to another group for that resource, what will
happen to the permissions of an individual who is a member of both groups?
2. If a group added to a shared folder was given an NTFS permission of Allow for
Write in a shared folder, and a Deny permission for Write in a nested folder,
what would their effective permissions be in the two folders?


Effects on NTFS Permissions When Copying and Moving Files and Folders

Key Points
When you copy or move a file or folder, the permissions might change, depending
on where you move the file or folder. It is important to understand the changes
that the permissions undergo when being copied or moved.
The following table lists the possible copy and move actions and describes how
Windows Server 2008 handles the permission state of a file or folder.

Action                                   Result
Copy a file or folder within a volume    Inherits the permission state of the destination folder
Move a file or folder within a volume    Retains the original permission state of the source
Copy a file or folder between volumes    Inherits the permission state of the destination folder
Move a file or folder between volumes    Inherits the permission state of the source file or folder


Lesson 4
Determining Effective Permission

You can assign user access to a shared folder by using shared folder permissions or
NTFS permissions. You can also assign permissions to individual user accounts or
group accounts. In order to determine what level of access the user actually has on
the network, you need to understand how effective permissions are determined,
and how you can view effective permissions.


What Are Effective NTFS Permissions?

Key Points
Windows Server 2008 provides a tool (Effective Permissions tool) that shows
effective permissions, which are cumulative permissions based on group
membership.
The following principles determine effective permissions:
Cumulative permissions are the combination of the highest NTFS
permissions granted to the user and all the groups that the user is a
member of. For example, if a user is a member of a group that has Read
permission and a member of a group that has Modify permission, the user has
Modify permission.
Explicit Deny permissions override equivalent Allow permissions.
However, an explicit Allow permission can override an inherited deny
permission. For example, if a user is explicitly denied write access to a folder
but explicitly allowed write access to a subfolder or a particular file, the explicit
Allow would override the inherited Deny.


Permissions can be applied to a user or a group. Assigning permissions to
groups is preferred because it is more efficient than managing the permissions of
many individuals.
NTFS file permissions take priority over folder permissions. For example, if
a user has Modify permission to a folder but only has Read permission to
certain files in that folder, the effective permission for those files will be Read.
Every object in an NTFS volume or in Active Directory has an owner. The owner
controls how permissions are set on the object and to whom permissions are
granted. For example, a user can create a file in a folder where the user
normally has only Modify permission, but because that user created the file and
therefore owns it, the user can change the permissions on the file. The user
could then grant himself or herself Full Control over the file.


Discussion: Applying NTFS Permissions

In this discussion, you are presented with a scenario in which you are asked to
apply NTFS permissions. You and your classmates will discuss possible solutions
to the scenario.

Scenario
User1 is a member of the Users group and the Sales group. The graphic on the
slide shows folders and files on the NTFS partition.

Discussion questions:
1. The Users group has Write permission, and the Sales group has Read
permission for Folder1. What permissions does User1 have for Folder1?
2. The Users group has Read permission for Folder1. The Sales group has Write
permission for Folder2. What permissions does User1 have for File2?
3. The Users group has Modify permission for Folder1. File2 should be
accessible only to the Sales group, and they should only be able to read File2.
What do you do to ensure that the Sales group has only Read permission for
File2?


Demonstration: Evaluating Effective Permissions

Questions

1. After observing the Effective Permissions tool, what do grayed-out permissions
items represent?
2. Suppose you wanted to add/subtract effective permissions from a user. Which
screen would you need to access?
3. After setting the permissions of an individual to Write in the Edit Permissions
screen, a return to the effective permissions tool reveals that the user almost
has full permissions. Why might that be?

Additional reading
Effective Permissions Tool


Effects of Combining Shared Folder and NTFS Permissions

Key Points
When allowing access to network resources on an NTFS volume, it is
recommended that you use the most restrictive NTFS permissions to control
access to folders and files, combined with the most restrictive shared folder
permissions that control network access.
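As an added example (not part of the course material), the following PowerShell models the effective-permission rules from the previous topic and the share-plus-NTFS rule stated above: it walks a folder's ACL in the canonical order Windows uses (explicit before inherited, Deny before Allow within each band) and then keeps only the rights that the share permission level also grants. The folder path, the WOODGROVEBANK domain name and the account names in the usage line are assumptions; the mapping of share levels to NTFS right masks is an approximation chosen for this illustration.

```powershell
# Added example: approximate the NTFS access check and the share intersection.
# Owner-implicit rights (READ_CONTROL, WRITE_DAC) are not modelled here.
function Get-EffectiveNtfsRights {
    param(
        [Parameter(Mandatory = $true)] [string]   $Path,
        [Parameter(Mandatory = $true)] [string[]] $Identities   # the user plus every group it belongs to
    )
    $acl     = Get-Acl -Path $Path
    $granted = 0
    $denied  = 0

    # Canonical order: explicit ACEs first, then inherited; Deny before Allow in each band.
    # Walking in this order is why an explicit Allow beats an inherited Deny,
    # while an explicit Deny still beats an explicit Allow.
    $ordered = $acl.Access |
        Sort-Object -Property @{Expression = 'IsInherited'},
                              @{Expression = 'AccessControlType'; Descending = $true}

    foreach ($ace in $ordered) {
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only ACEs apply to children, not to this object itself.
        $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }

        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny') {
            # Deny only bites on bits no earlier (higher-precedence) Allow already granted.
            $denied = $denied -bor ($mask -band (-bnot $granted))
        } else {
            # Cumulative: union of Allow bits across the user and all of its groups.
            $granted = $granted -bor ($mask -band (-bnot $denied))
        }
    }
    return [System.Security.AccessControl.FileSystemRights]$granted
}

function Get-EffectiveAccess {
    param(
        [Parameter(Mandatory = $true)] [string]   $Path,
        [Parameter(Mandatory = $true)] [string[]] $Identities,
        [ValidateSet('Read', 'Change', 'FullControl')] [string] $SharePermission = 'FullControl'
    )
    $ntfs = [int](Get-EffectiveNtfsRights -Path $Path -Identities $Identities)
    # Share levels expressed as NTFS masks (assumption: Read ~ Read & Execute, Change ~ Modify).
    $shareMask = switch ($SharePermission) {
        'Read'        { [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute }
        'Change'      { [int][System.Security.AccessControl.FileSystemRights]::Modify }
        'FullControl' { [int][System.Security.AccessControl.FileSystemRights]::FullControl }
    }
    # Over the network the more restrictive of the two wins: a right must be present in both.
    return [System.Security.AccessControl.FileSystemRights]($ntfs -band $shareMask)
}

# Usage (constructed names): User1 is a member of Users and Sales, as in the discussion
# scenario; the Data share grants Read while the Sales folder NTFS ACL grants Full Control.
Get-EffectiveAccess -Path 'D:\Data\Sales' -SharePermission Read `
    -Identities 'WOODGROVEBANK\User1', 'WOODGROVEBANK\Users', 'WOODGROVEBANK\Sales'
```

Run it on the server that hosts the folder; compare its output with the Effective Permissions tab, which also accounts for the owner-implicit rights this model leaves out.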


Discussion: Determining Effective NTFS and Shared Folder Permissions

In this discussion, you will determine effective NTFS and shared folder
permissions.

Scenario
The slide graphic illustrates two shared folders that contain folders or files that
have been assigned NTFS permissions. Look at each example and determine a
user's effective permissions.
In the first example, the Users folder has been shared, and the Users group has the
shared folder permission Full Control. User1, User2, and User3 have been granted
the NTFS permission Full Control to only their folder. These users are all members
of the Users group.


Discussion questions:
1. Do members of the Users group have Full Control to all home folders in the
Users folder once they connect to the Users shared folder?
In the second example, the Data folder has been shared. The Sales group has
been granted the shared folder permission Read for the Data shared folder and
the NTFS permission Full Control for the Sales folder.
2. What are the Sales group's effective permissions when they access the Sales
folder by connecting to the Data shared folder?


Considerations for Implementing NTFS and Shared Folder Permissions

Key Points
Here are several considerations to make administering permissions more
manageable:
1. Grant permissions to groups instead of users. Groups can always have
individuals added or deleted, while permissions on a case-by-case basis are
difficult to keep track of.
2. Use Deny permissions only when necessary. Because deny permissions are
inherited just like allow permissions, assigning deny permissions to a folder
can result in users not being able to access files lower in the folder structure.
Deny permissions should be assigned in the following situations:
To exclude a subset of a group that has Allow permissions.
To exclude one permission when you have already granted Full Control
permissions to a user or group.


3. Never deny the Everyone group access to an object. If you deny everyone
access to an object, you deny administrators access. Instead, it is
recommended that you remove the Everyone group, as long as you grant
permissions for the object to other users, groups, or computers.
4. Grant permissions to an object that is as high in the folder tree as possible so
that the security settings are propagated throughout the tree. For example,
rather than bringing groups representing all departments of the company
together into a Read folder, assign Domain Users (which is a default group
for all user accounts on the domain) to the share. In that way, you eliminate
the need to update department groups before new users get the shared folder.
5. Use NTFS permissions rather than shared permissions for fine-grained
access. Configuring both NTFS and shared folder permissions can be
complicated. Consider assigning the most restrictive permissions for a group
containing a large number of users at the shared folder level, and then using
NTFS permissions to assign more specific permissions.


Lab: Managing Access to Resources

Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has deployed Windows Server 2008
Active Directory Domain Services. They have recently opened a new subsidiary in
Vancouver, British Columbia, Canada. As a network administrator assigned to the
new subsidiary, one of your primary tasks will be to create and manage access to
resources, including the shared folder implementation. For example, groups that
mirror the departmental organization of the bank need shared file storage areas.
There also need to be shared folders to allow files to be shared during special
projects between departments. Lastly, a drop box style folder will be needed for
reports from employees to managers.


Exercise 1: Planning a Shared Folder Implementation (Discussion)
In this exercise, you will discuss and determine the best solutions for a shared
folder implementation.

Discussion questions:
1. The Woodgrove Bank Vancouver subsidiary has an organizational hierarchy,
as outlined by its OUs that supports the activities of its four departments:
Marketing, Investments, Management and Customer Service. Each department
has groups populated with the employees in that department. How could you
give each department separate file sharing spaces?
2. All members of the Vancouver subsidiary need to be able to read documents
posted by management regarding topics such as staffing, targets and
projections, and company news. To create a series of folders that will allow
this information to be available to all employees in the subsidiary, as well as
managers from other parts of the Woodgrove Bank, what sorts of groups
would be needed? What sorts of permissions would each require? What sorts
of folder structures might be needed?
3. A task force on reducing the subsidiary's carbon footprint is gathering a variety
of data from various departments. They plan to keep the information private
until they can publish a report. How can individuals from various departments
have contributing status while restricting access to those outside of their
project?
4. The branch managers require weekly reports from each department. These
reports should be stored where they alone can organize and read them.
Department heads should be able to drag/drop their reports onto the shared
folders, although they should not be able to open the shared folders.

Result: At the end of this exercise, you will have discussed and determined solutions
for a shared folder implementation.


Exercise 2: Implementing a Shared Folder Implementation


In this exercise, you will create the shared folder implementation based on the
discussion in the previous exercise.
The main tasks are as follows:
1. Start Virtual Machines NYC-DC1 and NYC-CL1. Log on to NYC-DC1 as
Administrator.
2. Create a series of folders.
3. Set share permissions for the folders.
4. Create a shared folder for all Domain Users, using Share and Storage
Management MMC.
5. Create a new group and shared folder for an inter-departmental project.
6. Create a drop folder for weekly reports.

Task 1: Start the 6424A-NYC-DC1 virtual machine and log on as administrator
Start 6424A-NYC-DC1 and log on as Administrator using the password
Pa$$w0rd.
Start 6424A-NYC-CL1. Do not log on.

Task 2: Create four new folders by using Windows Explorer


1. On NYC-DC1, open Windows Explorer.
2. On the D: drive, create folders named:
Marketing
Managers
Investments
CustomerService


Task 3: Set share properties for the folder


1. Right-click the Marketing folder, and then click Share.
2. In the File Sharing dialog box, type Van_MarketingGG.
3. Click Add.
4. Change the permission level to Contribute.
5. Click Share.
6. Repeat the process of creating shares for each of the remaining folders,
assigning the groups and permissions.

Task 4: Create another shared folder using Share and Storage Management MMC
1. From the Start menu, in Administrative Tools, click Share and Storage
Management to open.
2. Click Provision Share Wizard.
3. Click the Browse button. In the Browse Folder window, create a new folder
named CompanyNews.
4. Change no other settings, but click Next all the way through to the last screen
of the wizard, and then click Close.
5. In the Shares list of the Share and Storage Management MMC, right-click
CompanyNews and click Properties.
6. In the Permissions tab, click Share Permissions. Add the Domain Users
group, and take note that their permission is set as Read.
7. Also add the Van_BranchManagersGG group, and give them Full Control
permissions.
8. Finish the Permissions settings, and exit Share and Storage Management
MMC.


Task 5: Create a new group and shared folder for an inter-department project
1. Open Active Directory Users and Computers MMC.
2. Click the Vancouver OU, and add a new global security group called
Van_SpecialProjectGG. Expand the following Vancouver OUs, and use the
Add to group command to add the following users:

Vancouver OU         Name
Investment           Barbara Moreland
Marketing            Bernard Duerr
Branch Managers      Neville Burdon
Customer Service     Shelley Dyck

3. Save the changes and close Active Directory Users and Computers.
4. Create a new folder in C:\, and name it SharedProjects.
5. Share the folder, adding the Van_SpecialProjectsGG group with Contribute
permission levels.
6. Click Share.

Task 6: Create a drop folder for weekly reports


1. Use Active Directory Users and Computers to create the following new global
security groups in the Vancouver OU:

Group Name             Member
Van_InvestHeadGG       Barbara Moreland
Van_CustServHeadGG     Shelley Dyck
Van_MarketHeadGG       Yvonne McKay

2. Close Active Directory Users and Computers.
3. In Windows Explorer in C:\, create a new folder named DropFolder.


4. Right-click the new folder, and click Properties.
5. Click the Permissions tab and click Edit.
6. Click Add, and type Van_BranchManagersGG, then click OK.
7. In the Permissions dialog box for DropFolder, click
Van_BranchManagersGG, and in the permissions list, in the Full Control
category, click Allow.
8. Add the Van_MarketHeadGG, Van_InvestHeadGG, and
Van_CustServHeadGG groups.
9. In the Permissions for window, give each of these three groups an Allow for
Write permission, clicking Apply after each assignment.
10. Click OK twice to close the standard properties window.

Result: At the end of this exercise, you will have created a shared folder
implementation.
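As an added example (not part of the course material), the following PowerShell builds the Task 6 drop folder in one pass and also shows the inheritance-blocking step from the NTFS Permissions Inheritance topic: it blocks inheritance from C:\ so the folder becomes a new parent, grants the branch managers Full Control, grants the three department-head groups Write only, and shares the folder with matching share permissions. The WOODGROVEBANK domain name, the DropFolder share name and the use of net share for the share are assumptions; the group names are the ones used in the lab.

```powershell
# Added example: drop folder where department heads can add files but not browse.
$Domain   = 'WOODGROVEBANK'                    # placeholder; the lab does not name the domain
$Path     = 'C:\DropFolder'
$Managers = "$Domain\Van_BranchManagersGG"
$Heads    = "$Domain\Van_MarketHeadGG", "$Domain\Van_InvestHeadGG", "$Domain\Van_CustServHeadGG"

New-Item -Path $Path -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $Path

# Block inheritance and discard the inherited ACEs. Without this, the Read & Execute
# ACE that BUILTIN\Users inherits from the volume root would let department heads list
# the folder, which defeats the drop-box requirement. From here on, files and folders
# created inside inherit only what is set explicitly below.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

function New-AllowAce([string] $Identity, [string] $Rights) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Identity, $Rights, $inherit, $prop, 'Allow'
}

# Because inherited ACEs are gone, SYSTEM and Administrators must be re-added explicitly
# or administrators lose access (the same trap as denying Everyone).
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $Managers) {
    $acl.AddAccessRule((New-AllowAce $id 'FullControl'))
}
# Write only: Create Files / Create Folders / Write Attributes, but no Read or List,
# so heads can drop a report yet get "access denied" when they open the folder.
foreach ($id in $Heads) {
    $acl.AddAccessRule((New-AllowAce $id 'Write'))
}
Set-Acl -Path $Path -AclObject $acl

# Share permissions are the outer gate for network access: Change is the minimum that
# still lets heads create files; the effective network access is Write (NTFS) AND Change.
$grants = @("/GRANT:$Managers,FULL") + ($Heads | ForEach-Object { "/GRANT:$_,CHANGE" })
net share "DropFolder=$Path" $grants

# Verify: every ACE should now be explicit (IsInherited = False).
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run as a domain administrator on the file server; the Exercise 3 checks (Yvonne can paste a file but cannot open the folder, Neville can read it) are the test of the result.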


Exercise 3: Evaluating the Shared Folder Implementation


In this exercise, you will verify that the shared folder implementation meets the
security requirements provided in the documentation. You will log on as some of
the users to ensure that they have the required level of access.
The main tasks are as follows:
1. Log on as Neville. Create a file in Company News. Log off as Neville.
2. Verify Neville's access to CompanyNews (read only) and DropFolder (write).
3. Log on as Monika for Special Projects.
4. Verify write permissions by creating a file in the Special Projects folder.
5. Log off as Monika.
6. Log on as Yvonne.
7. Create a document in My Documents folder. Copy/Paste it into Drop Folder.
8. Attempt to open the DropFolder volume.
9. Log off as Yvonne.
10. Log on as Neville (a branch manager).
11. Open DropFolder and view Yvonne's file.
12. Move the file to the Marketing folder.
13. Log off.
14. Log off from NYC-DC1 and NYC-CL1.

Task 1: Log on to NYC-CL1 as Neville.


Log on to NYC-CL1 as Neville, with the password Pa$$w0rd.


Task 2: Check the permissions for Company News and Drop Folder.
1. Once logged on as Neville, open the Company News volume and create a text
file. Name it News.txt.
2. Create a folder named News, and drag News.txt into it.
3. Close the Company News window.
4. Open the Drop Folder shared folder.
5. Create three folders with the following names:
Marketing
Investments
Customer Service
6. Close the Drop Folder window and log off.

Task 3: Check permissions of the inter-department share Special Projects


1. Log on as Monika with the password Pa$$w0rd.
2. Open the Special Project volume and create a text document.
3. Attempt to open the Drop Folder.
4. Attempt to open Company News. Open the News.txt file inside the News
folder.
5. Log off as Monika.

Task 4: Check the permissions for drop-box users.


1. Log on as Yvonne using the password Pa$$w0rd.
2. Open the Documents folder, and create a file named Wk19_Marketing.xls.
3. From the My Documents window, copy Wk19_Marketing.xls and paste it into
the Drop Folder icon.
4. Attempt to open the Drop Folder volume. Click OK to the error message.
5. Log off as Yvonne.


Task 5: Check the contents of the Drop Folder as a manager.


1. Log on as Neville (a branch manager)
2. Open the Drop Folder again, and open the file created by Yvonne.
3. Drag/drop it into the Marketing folder.
4. Log off as Neville.

Task 6: Close virtual machines 6424A-NYC-DC1 and 6424A-NYC-CL1.


Close both machines, saving no changes.

Result: At the end of this exercise, you will have verified that the shared folder
implementation meets security requirements.


Module Review and Takeaways

Review Questions
1. What is the role of access control lists (ACL) in granting access to resources on
an AD DS network?
2. How do discretionary access control lists (DACLs) differ from system access
control lists (SACLs)?
3. What happens to the shared folder configuration when you copy or move a
shared folder from one hard disk to another on the same server? What
happens to the shared folder configuration when you copy or move the shared
folder to another server?
4. You need to assign permissions to a shared folder so that all users in your
organization can read the contents of the folder. Which of these approaches
would be the best way to do this: accept the default permissions, assign read
permissions to the folder for the Domain Users group, or add groups
representing whole departments? How would this configuration change if your
organization had multiple domains?


5. How could you remove Write share permissions from a single file that is
located inside a folder that is inheriting Write permissions from shared folder
in which it is located?
6. When moving a folder within an NTFS partition, what permissions are
required over the source file or folder and over the destination folder?
7. What is the best way to create a shared folder between departments of users
who are situated on two different domains?

Considerations for Managing Shared Folders and NTFS Permissions


When managing AD DS shared folders and NTFS permissions, consider the
following:
Consider delegating permissions to create and manage shared folders in your
AD DS domain. You can delegate permissions to groups in the NTFS security
settings of the appropriate level of the shared folder hierarchy.
When allowing access to network resources on an NTFS volume, it is
recommended that you use the most restrictive NTFS permissions to control
access to folders and files, combined with the most restrictive shared folder
permissions that control network access.
Document your shared folder and permissions configuration. The shared
folder configuration can get very complicated over time as users or
departments request new shared folders for a variety of reasons. Without
documentation, it can be difficult to manage and troubleshoot file access
issues.
All shared folders should be part of your regular backup process. The data
stored in the shared folders is often critical to your organization so you need to
ensure that you can recover it in the event of a server failure.
