MCITP
Microsoft Certified IT Professional Training Notes Windows Server 2008 Active Directory Exam Code 70-640
Lecture No 1
Lecture Outline:
1. What is Active Directory
2. What is a domain controller
3. User login process
4. Windows Server 2008 namespace
5. Windows forest concept
6. Server roles
Domain Controller:
A domain controller is a server that holds a writable copy of the Active Directory database (NTDS.DIT), authenticates the users and computers of its domain, and replicates directory changes to the other domain controllers of the forest. Whoever has administrative control of a domain controller effectively controls the domain, so a domain controller should run only the directory, DNS and the few roles that must be co-located with them.
Server Roles:
In Windows Server 2008 a role defines which service a server provides to the network, such as DNS, Active Directory Domain Services, FTP, Web (IIS) or DHCP. Roles are added and removed through Server Manager. Keep the set of roles on a server to what it actually needs: every role adds listening services, accounts and patch surface.
Lecture No 2
Lecture Outline:
1. Server 2008 installation methods
2. Server 2008 hardware requirements and editions
3. Installation of Active Directory on DC1 and DC2
4. Replication between two domain controllers
Note:
The scenario for installation of active directory on DC1 and DC2 is shown above
Note:
For the installation of Active Directory the following items should be configured first:
1. All servers must have a static IP address.
2. The built-in domain Administrator account should be renamed and given a long, complex password.
3. Both servers must have network connectivity to each other.
Steps for installing Active Directory Domain Services:
1. Open Server Manager by clicking the icon in the Quick Launch toolbar, or from the Administrative Tools folder.
2. Wait till it finishes loading, then click on Roles > Add Roles link.
4. In the Select Server Roles window, click to select Active Directory Domain Services and then click next.
5. In the Active Directory Domain Services window read the provided information if you want to, and then click Next.
6. In the Confirm Installation Selections window, read the provided information if you want to, and then click Install.
8. When it ends, click Close.
9. Going back to Server Manager, click on the Active Directory Domain Services link, and note that there is no information linked to it, because the DCPROMO command has not been run yet.
10. Now you can click on the DCPROMO link, or read on.
a. To run DCPROMO, enter dcpromo in the Run dialog, or click on the DCPROMO link from Server Manager > Roles > Active Directory Domain Services.
b. Depending on whether AD DS binaries were already installed, the Active Directory Domain Services Installation Wizard appears immediately or after a short while. Click Next.
c. In the Operating System Compatibility window, read the provided information and click next.
d. In the Choosing Deployment Configuration window, click on "Create a new domain in a new forest" and click next.
e. Enter an appropriate name for the new domain. Make sure you pick the right domain name, as renaming domains is a task you will not wish to perform on a daily basis. Click Next.
Note:
Do NOT use a single-label domain name such as "mydomain". You MUST pick a full DNS name such as "mydomain.com", or better a subdomain of a name you own such as "corp.mydomain.com". The wizard checks whether the name is already in use on the local network, but it cannot check the Internet: prefer a name under a public domain you control over an invented suffix such as ".local", because a name you do not own can later collide with a registered domain (and ".local" is claimed by multicast DNS on many clients), and the domain name cannot be changed cheaply afterwards.
f. Pick the right forest functional level. Windows 2000 is the default, and it allows Windows 2000, Windows Server 2003 and Windows Server 2008 domain controllers to be added to the forest you are creating. Raising the level is a one-way operation: it unlocks newer features (for example, fine-grained password policies require the Windows Server 2008 domain functional level) but prevents older domain controllers from joining, so choose the highest level that every planned domain controller supports.
g. The wizard will perform checks to see if DNS is properly configured on the local network. In this case, no DNS server has been configured, therefore, the wizard will offer to automatically install DNS on this server.
Note:
The first DC in a new forest must also be a global catalog, and it cannot be a read-only domain controller.
h. You will most likely get a warning telling you that the server has one or more dynamic IP addresses. Running IPCONFIG /all shows that the IPv4 address is static, so where does this come from? The answer is IPv6: the IPv6 address was not configured manually, hence the warning. In a network where IPv6 is not used you can safely ignore it. If IPv6 is in use, assign a static IPv6 address before continuing, so that the records the DC registers in DNS stay stable.
i. You will probably get a warning about DNS delegation. Since no DNS has been configured yet, you can ignore the message and click Yes.
j. Next, change the paths for the AD database, log files and SYSVOL folder if required. For large deployments, plan the DC disk layout carefully (database and logs on separate disks) to get the maximum performance. When satisfied, click Next.
k. Enter the password for Directory Services Restore Mode (DSRM). This password must be kept confidential: it is the local Administrator password used when the DC is booted into DSRM, it is not subject to the domain password policy and it never expires (regular domain user passwords expire after 42 days by default), so it stays valid until someone changes it. Use a long, complex password that is not the regular administrator's password, record it and store it securely, for example in a sealed envelope or a password safe with restricted access. Click Next.
l. In the Summary window review your selections, and if required, save them to an unattended answer file. When satisfied, click Next.
m. The wizard will begin creating the Active Directory domain, and when finished, you will need to press Finish and reboot your computer.
Note:
Now join DC2 to the domain you have created on DC1, then run dcpromo.exe on DC2 and choose Existing forest > Add a domain controller to an existing domain to install the second domain controller.
After both domain controllers have been created, a user named test is created on the first domain controller; after some time that user is replicated to the additional domain controller, as shown in the diagram above.
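The wizard lets you save the choices made above to an unattended answer file (step l). The following script is an added example and not part of the course notes: it builds such an answer file for either DC1 (a new forest) or DC2 (a replica of that domain) and runs dcpromo with it, prompting for the DSRM password instead of storing it in the script. The domain name corp.example.com, the NetBIOS name CORP and the use of the built-in Administrator account for the replica promotion are assumptions.

```powershell
# Added example (not from the course notes): unattended dcpromo on Windows Server 2008.
# Run as a local administrator. Role "forest" = DC1, Role "replica" = DC2.
param(
    [ValidateSet("forest", "replica")] [string]$Role = "forest",
    [string]$DomainDns = "corp.example.com",   # assumed; never a single-label name
    [string]$NetBios   = "CORP"                # assumed
)

# Read the DSRM password at run time rather than keeping it in the script.
$dsrm   = Read-Host -Prompt "DSRM (Safe Mode) administrator password"
$answer = Join-Path $env:TEMP "dcpromo-$Role.txt"

if ($Role -eq "forest") {
    # DC1: new forest. ForestLevel/DomainLevel 3 = Windows Server 2008 functional level,
    # which is what fine-grained password policies later require.
    $body = @"
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=forest
NewDomainDNSName=$DomainDns
DomainNetBiosName=$NetBios
ForestLevel=3
DomainLevel=3
InstallDNS=yes
"@
} else {
    # DC2: additional DC for the existing domain, also DNS server and global catalog.
    # Password=* makes dcpromo prompt for the promoting account's password.
    $body = @"
[DCINSTALL]
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=$DomainDns
UserDomain=$NetBios
UserName=Administrator
Password=*
InstallDNS=yes
ConfirmGc=yes
"@
}

$common = @"
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=no
"@

# The answer file holds the DSRM password in clear text: make it readable only by the
# current user, hand it to dcpromo, and remove it before rebooting.
Set-Content -Path $answer -Value ($body + "`r`n" + $common) -Encoding ASCII
icacls $answer /inheritance:r /grant:r "$($env:USERNAME):(R,W,D)" | Out-Null

dcpromo.exe /unattend:$answer
# dcpromo is a GUI process and the shell does not wait for it; wait before cleaning up.
Wait-Process -Name dcpromo -ErrorAction SilentlyContinue
Remove-Item $answer -Force

Restart-Computer -Confirm
```

Run it once on DC1 with the default role and once on DC2 with -Role replica. RebootOnCompletion is deliberately set to no so that the clear-text answer file is deleted before the machine restarts.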
Note:
If replication does not happen automatically, force it from a command prompt on one of the domain controllers:
C:\> repadmin /syncall
A domain controller that cannot replicate is also a domain controller on which security changes (password resets, account disables, group membership changes) never arrive, so replication failures should be treated as a security problem, not only an availability one.
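The following is an added example, not part of the course notes, that goes beyond the single repadmin /syncall above: it forces replication, prints the replication summary, and then verifies directly against each DC that the test user actually exists there. The DC names DC1 and DC2 and the distinguished name of the test user are assumptions.

```powershell
# Added example (not from the course notes): force and verify replication between two DCs.
$dcs    = "DC1", "DC2"                                     # assumed DC names
$testDn = "CN=test,CN=Users,DC=corp,DC=example,DC=com"      # assumed DN of the test user

# /A: all naming contexts, /d: show DNs instead of GUIDs, /e: include partners in other
# sites, /P: push changes from this DC outward
repadmin /syncall /AdeP

# One line per DC with the largest replication delta and the fail/total counts; a
# nonzero "fails" column is a problem even if /syncall reported success.
repadmin /replsummary

# Per-partner detail for DC2; every partner should show "Last attempt ... was successful".
repadmin /showrepl $dcs[1]

# Bind to each DC by name, bypassing the DC locator, so that "present" really means
# that particular DC holds the object.
function Test-ObjectOnDc([string]$dc, [string]$dn) {
    try {
        $obj = [ADSI]"LDAP://$dc/$dn"
        [bool]$obj.distinguishedName   # reading a property throws if the object is missing
    } catch {
        $false
    }
}

foreach ($dc in $dcs) {
    if (Test-ObjectOnDc $dc $testDn) {
        Write-Host "$dc : $testDn present"
    } else {
        Write-Warning "$dc : $testDn not present yet; compare repadmin /showobjmeta output on both DCs"
    }
}
```

The function is the part worth keeping: repadmin reports whether replication links work, while the per-DC LDAP bind tells you whether a specific change has landed, which is what you need when checking that a disabled account or a password reset has reached every DC.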
Lecture No 3
Lecture Outline:
1. Configuration of Remote Desktop connection on the client side operating system
Server 2008
2. Go to the Remote tab.
3. Under Remote Assistance, tick Allow Remote Assistance connections to this computer. Note that Remote Assistance and Remote Desktop are separate features: to accept Remote Desktop sessions you must also select one of the Allow connections options under Remote Desktop on the same tab. Prefer Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure), which makes the client authenticate before a session is created, and add the users who may connect to the Remote Desktop Users group rather than handing out administrator rights.
4. Click Apply.
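The same server-side configuration from the command line, as an added example that is not part of the course notes. It enables Remote Desktop, requires Network Level Authentication, opens only the built-in Remote Desktop firewall rule group and adds a group to Remote Desktop Users. The group name CORP\Helpdesk is an assumption.

```powershell
# Added example (not from the course notes): enable RDP with NLA on Windows Server 2008.
# Run in an elevated PowerShell session on the server.
$ts = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"

# 0 = allow incoming connections (the "Allow connections" options on the Remote tab)
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord

# 1 = require NLA: the client authenticates (CredSSP) before a session and logon screen
# exist, so unauthenticated clients never reach the RDP logon UI
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord

# Open only the predefined Remote Desktop rule group (TCP 3389), not the whole firewall
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes

# Administrators can always connect; everyone else needs Remote Desktop Users membership
net localgroup "Remote Desktop Users" "CORP\Helpdesk" /add     # assumed group

# Check the result before relying on it
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
$nla  = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
"RDP enabled: $($deny -eq 0); NLA required: $($nla -eq 1)"
```

If the last line does not print True for both values, the GUI checkbox state and the registry disagree and the server should not be exposed until that is resolved.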
2. Enter the Computer Name or IP address of the computer you wish to connect to.
Note:
Here you can save the connection profile, adjust display properties, run specified programs upon connection, adjust connection bandwidth, etc. For more information on specific tabs, click on Help.
4. Click on Connect.
5. Enter the logon credentials of a user account on the remote computer that is allowed to make a Remote Desktop connection.
Lecture No 4
Lecture outline:
1. Active Directory objects
2. Users, groups and organizational units
3. How to create OUs in AD
4. How to create groups in AD
5. How to create users in AD
b. Next, in Server Manager expand Roles, then Active Directory Domain Services, and finally Active Directory Users and Computers. You should now see your domain name.
c. Click on the Users container, where we are going to create a new user account. To do so, right-click in the blank area, point to New and select User.
d. In this window you need to type in the user's first name, middle initial and last name. Next you will need to create the user's logon name. In our example we are going to create a user account for Billy Miles and his logon name will be bmiles. When done, click on the Next button.
e. In the next window you will need to create a password for your new user and select the appropriate options. In our example we are going to have the user change his password at his next logon, so that the initial password you know is only valid once. You can also prevent a user from changing his password, set the password so that it never expires (avoid this for interactive accounts) or create the account disabled. When you are done making your selections, click the Next button.
f. And finally, click on the Finish button to complete the creation of new User Account.
2. Command-line method
For bulk creation of users in AD the dsadd command-line tool is used.
1. Open Notepad and type the following command:
dsadd user "cn=%1,ou=child ou,ou=parent ou,dc=domainname,dc=com" -fn %2 -ln %3 -pwd abc123* -mustchpwd yes
2. Save the file as adduser.bat.
3. Open a command prompt and change to the directory where the file is saved.
4. Type adduser.bat <user logon name> <user first name> <user last name>.
5. The user is added to AD.
Note that the initial password (abc123* above) is stored in clear text in the batch file and is identical for every user created with it. Restrict who can read the file, delete it when you are done, and keep -mustchpwd yes so that the shared value is only valid until the first logon.
Creating a bunch of users at once (spreadsheet method):
1. Copy and paste the first and last names of your users into the Add Users Info Here sheet.
2. Type the child OU name and auto-fill it down.
3. Type the parent OU name and auto-fill it down.
4. Go to Mass User Creation Script Source and check whether the domain name and suffix are correct. If not, fill in the correct value on the first line and auto-fill down.
5. On the Save this sheet as text file sheet, make sure to auto-fill for all required user names.
6. Go to File > Save As and save the sheet in a convenient place, making sure to select Formatted Text (Space Delimited) as the file type.
7. Rename the resulting .prn file to .bat.
8. Copy it to your server and run it from the command line.
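The batch file and the spreadsheet method both bake one shared initial password into a script. As an added example that is not part of the course notes, the following PowerShell script creates users from a CSV with dsadd and gives each one a different random initial password that must be changed at first logon. The target OU, the domain and the CSV rows are constructed for the example.

```powershell
# Added example (not from the course notes): bulk user creation with dsadd and per-user
# random initial passwords. Run as a domain administrator on a DC or a machine with RSAT.
$ouDn   = "OU=child ou,OU=parent ou,DC=corp,DC=example,DC=com"   # assumed target OU
$upnSfx = "corp.example.com"                                    # assumed UPN suffix

# Constructed sample input; in practice use Import-Csv on the HR export.
$users = @"
logon,first,last
bmiles,Billy,Miles
jdoe,Jane,Doe
"@ | ConvertFrom-Csv

function New-InitialPassword {
    # 16 characters from a 64-symbol set (64 divides 256, so byte % 64 is unbiased).
    # Ambiguous characters (0/O, 1/l/I) are left out so the value can be read over the phone.
    $chars = [char[]]"abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*+-=?"
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] 16
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

foreach ($u in $users) {
    $initial = New-InitialPassword
    $dn      = "CN=$($u.first) $($u.last),$ouDn"
    # -samid is set explicitly; otherwise dsadd derives it from the CN, which contains a space.
    # -mustchpwd yes forces a change at first logon, so the initial value is short-lived.
    dsadd user "$dn" -samid $u.logon -upn "$($u.logon)@$upnSfx" `
        -fn $u.first -ln $u.last -display "$($u.first) $($u.last)" `
        -pwd $initial -mustchpwd yes
    if ($LASTEXITCODE -eq 0) {
        # Hand the value to the user out of band; do not write it to a shared file.
        Write-Host "$($u.logon) created; initial password: $initial"
    } else {
        Write-Warning "dsadd failed for $($u.logon) (exit code $LASTEXITCODE)"
    }
}
```

Because every account gets its own initial password and must change it at first logon, a leaked copy of the script or its output exposes at most the accounts that have not yet logged on, instead of every account ever created with it.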
Lecture No 5
Lecture outline:
1. NTFS permissions
2. NTFS permissions vs. share permissions
3. How to share
4. Mapping network drives
NTFS permissions:
NTFS (New Technology File System) is the standard file system of Windows NT and its successors Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista and Windows 7. NTFS supersedes FAT as the preferred file system for Microsoft's Windows operating systems. NTFS has several improvements over FAT and HPFS (High Performance File System), among them security access control lists (ACLs). Administrators set NTFS permissions on files and folders, through the Security tab in Explorer or with the icacls tool from the command line, to control which users and groups may read, change or delete them. This information is stored with each file and folder in its security descriptor, which holds the owner, the discretionary ACL (DACL) that grants or denies access, and the system ACL (SACL) that controls auditing.
How to share:
To share data in the form of folders, the Share and Storage Management console, newly added in Windows Server 2008, is used. To open it:
1. Go to Start
2. Administrative Tools
3. Share and Storage Management
4. From the Action pane, choose Provision Share to start the wizard.
5. The first screen of the wizard asks you to specify the location that you would like to share. Use the Browse button to do so. For this example, I'm sharing the C:\StorageReports folder.
6. Any time you open up access to a resource, limit who can access it to just those who require access. On the NTFS Permissions page of the wizard, you can keep the default NTFS permissions or change them depending on your needs. In Figure I, note that I've shown both the NTFS Permissions page and the Edit Permissions dialog box to give you a look at how to change permissions. To change permissions, click the Add button in the Permissions for dialog box, select the user or group that should be added to the permissions list and choose the appropriate permissions.
4. The next step of the wizard asks you to choose the protocol(s) allowed to access the share. If you have opted to install the NFS portion of the File Services role, the NFS option is available. If not, just SMB (Server Message Block), the Windows default, is available. The Share name field is automatically populated with the name of the folder you selected.
5. On the SMB Settings page, provide a description of the share that will show up when people browse the server. Lower on the page, note the advanced settings area. If you want to change these settings, click the Advanced button. Figure J shows you the advanced options page. On the Advanced page, note the Enable access-based enumeration checkbox. Access-based enumeration was introduced as an add-on in previous versions of Windows Server and limits a user's visibility to just the folders that the user has rights to see.
6. Next up, SMB permissions. On the SMB Permissions page, decide how users may access the resource over the network. This set of permissions is separate from the NTFS permissions you set previously: share (SMB) permissions and NTFS permissions are combined, and the more restrictive result applies. A workable approach is to set share permissions to Administrators: Full Control and the users and groups who need the share: Change (read and write), and to enforce the actual restrictions with NTFS permissions. Share permissions are only evaluated for access through the share; anyone with local access to the server, including an attacker who has compromised it, is governed by the NTFS ACL alone, which is why the NTFS ACL must be correct on its own.
7. On the review page, review your selections and click the Create button. When you're done, choose the Shares tab in the main console. You should see your new share listed, as shown in Figure K.
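The same share created from the command line, as an added example that is not part of the course notes: the NTFS ACL carries the real restriction, the share permission is kept simple, and the result is printed so that both layers can be checked. The folder, share name and the CORP\Finance group are assumptions.

```powershell
# Added example (not from the course notes): create a share whose access control lives in
# the NTFS ACL, then show both permission layers. Run elevated on the file server.
$path  = "C:\StorageReports"
$share = "Reports"
$group = "CORP\Finance"        # assumed group that should have read/write access

if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

# NTFS: stop inheriting the broad defaults from C:\ (which include Users: read),
# then grant only what is needed.
#   (OI)(CI) = inherit to files and subfolders; F = Full control; M = Modify
icacls $path /inheritance:r
icacls $path /grant:r "BUILTIN\Administrators:(OI)(CI)F"
icacls $path /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F"
icacls $path /grant:r "${group}:(OI)(CI)M"

# Share: Authenticated Users get Change. The effective permission is the more restrictive
# of share and NTFS, so anyone outside CORP\Finance is still stopped by the NTFS ACL.
net share "$share=$path" "/GRANT:Authenticated Users,CHANGE" "/GRANT:BUILTIN\Administrators,FULL" /REMARK:"Monthly reports"

# Verify both layers; the NTFS listing must not contain Everyone or Users entries.
icacls $path
net share $share
```

Removing inheritance is the step people skip: without it the folder silently keeps the Users: Read entry from the volume root and every domain user can read the share.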
Lecture No 6
Lecture outline:
1. What is Group Policy
2. Policy setting order
3. Group Policy Management Console to apply Group Policy
Lecture No 7
Lecture outline:
1. How to exempt a user or group from a Group Policy
2. Click on the Add button and select the group (recommended) that you want to exclude from having this policy applied.
3. In this example I am excluding the Users GPO Exceptions group from this policy. Select this group in the Group or user names list, then scroll down the permission list and tick Deny against the Apply Group Policy permission. A Deny entry overrides any Allow the user receives through other group memberships, so keep the exception group small and review its membership regularly: a user who is added to it silently receives none of the settings in this GPO, including any security settings it carries.
Lecture No 8
Lecture outline:
1. Loopback processing in Group Policy
2. How to map a network drive
If loopback processing of Group Policy is not enabled and our user logs on to our computer, the following is true:
As we can see from the picture, the user gets Computer Configuration 2 and User Configuration 1. This is the standard situation, where policies are applied according to the OU the object belongs to: the user belongs to the Red OU, so he gets the Red User Configuration 1. Now let's enable loopback processing of Group Policy for the Green OU. In this case, if the user logs on to the computer, the policies are applied in the following way:
As we can see, now the user gets User Configuration 2 despite the fact that he belongs to the Red OU. What has happened is that User Configuration 1 was replaced with User Configuration 2, i.e. with the user configuration of the GPOs that apply to the computer account. As you have probably noticed, the picture above says "Loopback in replace mode". Loopback processing of Group Policy has two modes, Replace and Merge. Replace mode replaces the user's own User Configuration with the one from the computer's GPOs, whereas Merge mode applies both User Configurations.
In Merge mode, if there is a conflict, for example two policies set different values for the same setting, the computer's policy wins, because it is processed last. In our scenario, User Configuration 2 would be enforced in case of a conflict. In a real environment loopback processing is usually used on Terminal Servers. For example, users have folder redirection enabled, but you do not want folder redirection to work when they log on to the Terminal Server: enable loopback processing in the policy linked to the Terminal Server's computer OU and do not enable folder redirection there. Once a user logs on to the Terminal Server, his folder redirection policy is not applied. The same mechanism is useful for hardening: a restrictive user configuration (locked-down shell, no removable media, enforced screen lock) linked to the OU of kiosk or jump hosts then applies to whoever logs on there, regardless of the user's own OU.
1. Public drive mappings
Producing a Group Policy Preference item to create public drive mappings is simple. The GPO containing the preference item is typically linked to higher containers in Active Directory, such as a domain or a parent organizational unit.
Newly created Group Policy objects apply to all authenticated users. The drive map preference items contained in the GPO inherit the scope of the GPO, leaving us to simply configure the preference item and link the GPO. We start by configuring the drive map preference item by choosing the Action of the item. Drive map actions include Create, Replace, Update and Delete. These are the actions commonly found in most preference items. Create and Delete are self-explanatory. The difference between Replace and Update is that Replace deletes the mapped drive and then creates a new mapped drive with the configured settings, whereas Update does NOT delete the mapped drive; it only modifies the existing mapped drive with the new settings. Group Policy Drive Maps use the drive letter to determine whether a specific drive exists. The preceding image shows a Drive Map preference item configured with the Replace action. The configured location is a network share named data, hosted by a computer named hq-con-srv-01. The configured drive letter is G. All other options are left at their defaults. This GPO is linked at the contoso.com domain.
2. Inclusive drive mapping
Inclusive drive mappings are drives mapped to a user who is a member of (included in) a specific security group. The most common use for inclusive drive maps is to map data shares that are common to a specific subset of users, such as accounting, marketing or human resources. Configuring an inclusively mapped drive is the same as a public drive mapping, but includes one additional step. The following image shows us configuring the first part of an inclusive drive mapping preference item.
Configuring the first part of an inclusive drive mapping preference item does not make it inclusive; it does the work of mapping the drive. We must use item-level targeting to ensure the drive mapping item works only for users who are members of the group. We configure item-level targeting by clicking the Targeting button, which is located on the Common tab of the drive mapping item. The targeting editor provides over 20 different types of targeting items. We're specifically using the Security Group targeting item.
Using the Browse button allows us to pick the specific group to target the drive mapping preference item at. Security Group targeting items do their work by comparing the security identifier (SID) of the specified group against the list of SIDs in the security principal's (user or computer) access token. Therefore, always use the Browse button when selecting a group: typing the group name does not resolve the name to a security identifier, and a targeting item without a SID never matches.
The preceding screen shows a properly configured, inclusive targeting item. A properly configured security group targeting item shows both the Group and the SID fields. The Group field is strictly for administrative use (we humans recognize names better than numbers). The SID field is used by the client-side extension to determine group membership. We can tell this is an inclusive targeting item from the text that represents the item in the list: the word "is" in "the user is a member of the security group CONTOSO\Management". Our new drive map item and the associated inclusive targeting item are now configured. We can now link the hosting Group Policy object to the domain with confidence that only members of the Management security group receive the drive mapping. We can see the result on a client. The following image shows manager Mike Nash's desktop on a Windows Vista computer. Mike receives two drive mappings: the public drive mapping (G: drive) and the management drive mapping (M: drive).
Lecture No 9
Lecture outline:
1. How to install software on more than one computer
2. Steps for software installation
You need a shared folder for the installation package to live in, to which all your users and computers have at least Read access, and a new GPO linked to the appropriate OU. You can set up a Software Installation GPO for Users or Computers:
1. If you set it up for specific users or user groups, you can publish the software so they can install it on demand.
2. You can also assign the software so it installs at the next logon (users) or the next client restart (computers).
3. If you set up the GPO on the Computers side, you cannot publish, only assign.
4. Use your best judgment based on who needs the software and when, in picking which side of a GPO to use for software installs.
The installer runs with SYSTEM privileges on every targeted machine, so restrict write access to the distribution share to the people who maintain the packages: anyone who can replace the MSI can run code as SYSTEM on every computer the GPO reaches.
Lecture No 10
Lecture outline:
1. Domain password policies
2. Fine-grained password policies
3. Steps for configuring fine-grained password policies
7. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.
8. In the Create Object dialog box, enter SpecialAdmins in the Value field, and then click Next.
10. For the msDS-PasswordReversibleEncryptionEnabled value, enter false, and then click Next.
11. For the msDS-PasswordHistoryLength value, enter 24, and then click Next.
12. For the msDS-PasswordComplexityEnabled value, enter false, and then click Next. (For an administrative group such as this one, true is the safer choice: a 12-character minimum without complexity still allows dictionary words and keyboard patterns.)
13. For the msDS-MinimumPasswordLength value, enter 12, and then click Next.
14. For the msDS-MinimumPasswordAge value, enter 1:00:00:00, and then click Next.
15. For the msDS-MaximumPasswordAge value, enter 30:00:00:00, and then click Next.
17. For the msDS-LockoutObservationWindow value, enter 0:00:30:00, and then click Next.
18. For the msDS-LockoutDuration value, enter (never), and then click Next, then click Finish. With (never), a locked-out account stays locked until an administrator unlocks it, which is appropriate for administrative accounts but turns a password-spraying attempt into a denial of service for the accounts it hits.
19. In the console tree, right-click the new CN=SpecialAdmins object, and then click Properties.
20. On the CN=SpecialAdmins Properties window, select the msDS-PSOAppliesTo attribute, and then click the Edit button.
21. On the Multi-valued Distinguished Name With Security Principal Editor window, click on the Add Windows Account button.
22. On the Select Users, Computers, or Groups window, enter SpecialAdmins in the Enter the object names to select field, and then click OK.
23. Click OK on the Multi-valued Distinguished Name With Security Principal Editor window.
24. Click OK on the CN=SpecialAdmins Properties window.
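The same password settings object created with ldifde instead of ADSI Edit, followed by a check of which PSO actually wins for a user. This is an added example, not part of the course notes. The domain DN, the DN of the SpecialAdmins group, the precedence value 10 and the lockout threshold 5 are assumptions (the notes do not show those two steps); complexity is enabled here, unlike step 12 above, because the policy targets administrators. Durations are written as negative 100-nanosecond intervals, which is how ADSI Edit stores the d:hh:mm:ss values you typed.

```powershell
# Added example (not from the course notes): create a PSO with ldifde and read back the
# effective PSO of a user. Run as a domain administrator on a Windows Server 2008 DC.
$domainDn = "DC=corp,DC=example,DC=com"                  # assumed
$groupDn  = "CN=SpecialAdmins,CN=Users,$domainDn"         # assumed location of the group
$ldif     = Join-Path $env:TEMP "pso-specialadmins.ldf"

# AD stores these durations as negative 100-ns ticks; TimeSpan.Ticks is already in 100-ns units.
function ConvertTo-AdInterval([timespan]$span) { -1 * $span.Ticks }
$minAge = ConvertTo-AdInterval ([timespan]::FromDays(1))      # 1:00:00:00  -> -864000000000
$maxAge = ConvertTo-AdInterval ([timespan]::FromDays(30))     # 30:00:00:00 -> -25920000000000
$window = ConvertTo-AdInterval ([timespan]::FromMinutes(30))  # 0:00:30:00  -> -18000000000
$never  = "-9223372036854775808"                              # what ADSI Edit writes for (never)

@"
dn: CN=SpecialAdmins,CN=Password Settings Container,CN=System,$domainDn
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 12
msDS-MinimumPasswordAge: $minAge
msDS-MaximumPasswordAge: $maxAge
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $window
msDS-LockoutDuration: $never
msDS-PSOAppliesTo: $groupDn
"@ | Set-Content -Path $ldif -Encoding ASCII

# -i import, -f file, -k keep going if the object already exists
ldifde -i -f $ldif -k

# msDS-ResultantPSO is computed by the DC from every PSO that applies and their
# precedence, so it shows the real outcome when several PSOs overlap.
$user = [ADSI]"LDAP://CN=test,CN=Users,$domainDn"           # assumed user to check
try {
    $user.RefreshCache(@("msDS-ResultantPSO"))
    "Effective PSO for test: " + $user.Get("msDS-ResultantPSO")
} catch {
    "No PSO applies to test; the Default Domain Policy settings are in effect"
}
```

Always check msDS-ResultantPSO after creating or editing a PSO: a user in two groups with two PSOs gets the one with the lowest precedence value, and a PSO linked directly to the user wins over any group PSO, which is easy to get wrong when only looking at the attribute editor.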
Lecture No 11
Lecture outline:
1. Providing permissions to an account for administrative tasks
2. Installation of VSAT on the client side
Lecture No 12
Lecture outline:
1. Creating a backup
2. Windows Server 2008 built-in tools for backup
Creating backup:
In information technology, a backup (or the process of backing up) is making copies of data that can be used to restore the original after a data loss event. Backups have two distinct purposes. The primary purpose is to recover data after its loss, whether by deletion, corruption or an attacker wiping or encrypting it. The secondary purpose is to recover data from an earlier point in time, according to a user-defined retention policy, typically configured within a backup application, that specifies how long copies of data are kept. For a domain controller the critical item is the system state, which includes the Active Directory database (NTDS.DIT), SYSVOL and the registry; the backup media therefore contains every domain account's password hash and must be stored and protected as carefully as the domain controller itself.
System State data can be restored using WBADMIN or using the graphical Windows Server Backup.
To create a system state backup with wbadmin, type the following at an elevated command prompt, where the target is a volume other than the one holding the system state, typically a dedicated backup disk:
C:\> wbadmin start systemstatebackup -backupTarget:D:
3. Ntdsutil
An extremely powerful tool for advanced backup operations (and a lot more) specific to the Active Directory database and files. NTDSUTIL is for AD, not for backing up your whole server. In terms of creating backup media, it can create IFM (Install From Media) media for faster creation (or re-creation, as the case may be) of a domain controller. It is an interactive tool, providing different commands depending on the context it is used in. When used in conjunction with media created by Wbadmin or Windows Server Backup, it allows you to restore Active Directory objects such as entire OUs. It can also take snapshots of the Active Directory database so you can see how your AD looked at an earlier point in time.
To create IFM media with Ntdsutil, type the following sequence at an elevated command prompt; the instance must be activated before entering the ifm context:
C:\> ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create sysvol full D:\ifm
IFM media, like a system state backup, is a complete copy of NTDS.DIT with every account's password hash. Restrict the folder to administrators, keep it off generally readable shares, and delete it once the new domain controller has been promoted.