Professional Documents
Culture Documents
MCITP
MCITP
MCITP
Microsoft Certified IT Professional
Training Notes
Windows Server 2008 Active Directory
Exam Code 70-640
Lecture No 1
Lecture Outline:
Domain Controller:
A domain controller is a server in the network which holds the active directory.
Within a deployment, objects are grouped into domains. The objects for a single domain are
stored in a single database (which can be replicated). Domains are identified by their DNS name
structure, the namespace.
A tree is a collection of one or more domains and domain trees in a contiguous namespace,
linked in a transitive trust hierarchy.
At the top of the structure is the forest. A forest is a collection of trees that share a common
global catalog, directory schema, logical structure, and directory configuration. The forest
represents the security boundary within which users, computers, groups, and other objects are
accessible.
Server Roles:
In windows server 2008 roles are used to define which services it will be going to provide to the
network users like DNS, AD, FTP, Web, DHCP etc.
Lecture No 2
Lecture Outline:
Bare metal installation is used to install server 2008 on hard disk on which no
operating system is installed.
2. Upgrade Installation
Upgrade installation is used to upgrade from server 2003 to server 2008 operating
system.
Note:
Server 2000 cannot be upgraded to server 2008 operating system.
For the installation of server 2008 the following hardware requirements the shown in the chart
given below
The scenario for installation of active directory on DC1 and DC2 is shown above
Note:
For installation of active directory the following items should be configured
1. Open Server Manager by clicking the icon in the Quick Launch toolbar, or from the
Administrative Tools folder.
2. Wait till it finishes loading, then click on Roles > Add Roles link.
4. In the Select Server Roles window, click to select Active Directory Domain Services
and then click next.
5. In the Active Directory Domain Services window read the provided information if you
want to, and then click Next.
6. In the Confirm Installation Selections, read the provided information if you want to, and
then click Next.
9. Going back to Server Manager, click on the Active Directory Domain Services link, and note
that there's no information linked to it, because the DCPROMO command has not been run yet.
10. Now you can click on the DCPROMO link, or read on.
a. To run DCPROMO, enter the command in the Run command, or click on the
DCPROMO link from Server Manager > Roles > Active Directory Domain
Services.
b. Depending upon the question if AD-DS was previously installed or not, the Active
Directory Domain Services Installation Wizard will appear immediately or after a
short while. Click Next.
c. In the Operating System Compatibility window, read the provided information and
click next.
e. Enter an appropriate name for the new domain. Make sure you pick the right domain
name, as renaming domains is a task you will not wish to perform on a daily basis.
Click Next.
Note:
Do NOT use single label domain names such as "mydomain" or similar. You MUST pick
a full domain name such as "mydomain.local" or "mydomain.com" and so on.
The wizard will perform checks to see if the domain name is not already in use on the
local network.
f. Pick the right forest function level. Windows 2000 mode is the default, and it allows
the addition of Windows 2000, Windows Server 2003 and Windows Server 2008
Domain Controllers to the forest you're creating.
g. The wizard will perform checks to see if DNS is properly configured on the local
network. In this case, no DNS server has been configured, therefore, the wizard will
offer to automatically install DNS on this server.
Note:
The first DCs must also be a Global Catalog. Also, the first DCs in a forest cannot be a Read
Only Domain controller.
h. It's most likely that you'll get a warning telling you that the server has one or more
dynamic IP Addresses. Running IPCONFIG /all will show that this is not the case,
because as you can clearly see, I have given the server a static IP Address. So, where
did this come from? The answer is IPv6. I did not manually configure the IPv6
Address, hence the warning. In a network where IPv6 is not used, you can safely
ignore this warning.
i. You'll probably get a warning about DNS delegation. Since no DNS has been
configured yet, you can ignore the message and click Yes.
j. Next, change the paths for the AD database, log files and SYSVOL folder. For large
deployments, carefully plan your DC configuration to get the maximum performance.
When satisfied, click Next.
k. Enter the password for the Active Directory Recovery Mode. This password must be
kept confidential, and because it stays constant while regular domain user passwords
expire (based upon the password policy configured for the domain, the default is 42
days), it does not. This password should be complex and at least 7 characters long. I
strongly suggest that you do NOT use the regular administrator's password, and that
you write it down and securely store it. Click Next.
MCITP Windows Server 2008 Active Directory 70-640
20
l. In the Summary window review your selections, and if required, save them to an
unattended answer file. When satisfied, click Next.
m. The wizard will begin creating the Active Directory domain, and when finished, you
will need to press Finish and reboot your computer.
Note:
Now join DC2 to the domain you have created on the DC1, after that run dcpromo.exe on DC2
to install the second domain controller.
After the successful creation of both the domain controllers a user name test is created on
the domain controller and that user is also replicated to the additional domain controller
after some time as shown in the above diagram.
Note:
In a case if the replication is not working automatically the following command is used for
replication
Lecture No 3
Lecture Outline:
2. Go to Remote tab.
3. Under Remote Assistance, put a check mark on Allow Remote Assistance connections to
this computer.
4. Click on apply.
2. Enter the Computer Name or IP address of the computer you wish to connect to.
Note:
Here you can save the connection profile, adjust display properties, run specified
programs upon connection, adjust connection bandwidth, etc. For more information on
specific tabs, click on Help.
4. Click on Connect
5. Enter your log in credentials of a user account on the remote computer that is allowed to
do a remote desktop connection.
Lecture No 4
Lecture outline:
Each object represents a single entity whether a user, a computer, a printer, or a group and its
attributes. Certain objects can contain other objects. An object is uniquely identified by its name
and has a set of attributes the characteristics and information that the object represents defined by
a schema, which also determines the kinds of objects that can be stored in Active Directory.
Organizational Units are called container objects since they help to organize the directory and
can contain other objects including other OUs. The basic unit of administration is now
organizational units rather than domains. Organizational units allow the creation of sub
domains which are also called logical domains. Microsoft recommends that there should never
be more than 10 levels or organizational unit nesting.
1. Graphical method
2. Command line method (for bulk creation of users)
1. Graphical Method
b. Next we will open up the Roles section, next to Active Directory Users and
Computers section and finally the Active Directory Users and Computers. You
should now see your domain name.
c. We are going to click on our Users section where we are going to create a new User
Account. To do so, right-click on the blank section, point to New and select User.
d. In this window you need to type in the user’s first name, middle initial and last name.
Next you will need to create a user’s logon name.
In our example we are going to create a user account for Billy Miles and his logon
name will be bmiles. When done, click on the Next button.
e. In the next window you will need to create a password for your new user and select
appropriate options.
In our example we are going to have the user change his password at his next logon.
You can also prevent a user from changing his password, set the password so that it
will never expire or completely disable the account.
When you are done making your selections, click the Next button.
f. And finally, click on the Finish button to complete the creation of new User Account.
ds add user “cn= %1, ou=child ou, ou=parent ou, dc=domain name, dc=com” –fn
%2 –ln %3 –pwd abc123* -mustchpwd yes
1. Copy and paste the first and last names of your users into the Add Users Info Here
sheet
2. Type the Child OU name and Auto fill it down.
3. Type the Parent OU name and Auto fill it down.
4. Go to Mass User Creation Script Source and check to see if the domain name and
suffix are correct. If not, fill in correct value on the first line and Auto fill down.
5. On the Save this sheet as text file sheet, make sure to auto fill for all required user
names.
6. Go to File--> Save As and save the sheet in a convenient place, making sure to select
Formatted Text (Space Delimited) as the file type
7. Take your .prn file rename it to something like .bat
8. Post to your server and run it at the command line.
Lecture No 5
Lecture outline:
1. NTFS permissions
2. NTFS permissions v/s share permissions
3. How to share
4. Mapping network drives
NTFS permissions:
NTFS (New Technology File System) is the standard file system of Windows NT, including its
later versions Windows 2000, Windows XP, Windows Server 2003, Windows Server
2008, Windows Vista, and Windows 7.
NTFS supersedes the FAT file system as the preferred file system for
Microsoft’s Windows operating systems. NTFS has several improvements over FAT and HPFS
(High Performance File System) such as security access control lists (ACL).
Administrators can use the NTFS utility to provide access control for files and folders, containers
and objects on the network as a type of system security. Known as the “Security Descriptor”, this
information controls what kind of access is allowed for individual users and groups of users.
As mentioned earlier, shared permissions only apply to shares that you connect to over the
network. As well, share permissions work over NTFS permissions. NTFS permissions apply
both locally and across the network.
1. Read – View folder names and attributes; view file names and attributes; view file data;
execute applications.
2. Change – View, create, delete or change folders, folder names and attributes (except
permissions); view, create, delete or change files, file names and attributes (except
permissions); view, create, delete or change file data; execute applications.
3. Full control – Perform all functions allowed by change permission; edit permissions and
take ownership of files.
How to share:
To share data in the form of folders and newly added console named share and storage
management console is used to open the SSM
1. Go to Start
2. Administrative Tools
4. From the Action pane, choose Provision Share to start the wizard.
5. The first screen of the wizard asks you to specify the location that you would like to
share. Use the Browse button to do so. For this example, I'm sharing the
C:\StorageReports folder.
6. Any time you open up access to a resource, you should limit who can access that resource
to just those that require access. On the NTFS Permissions page of the wizard, you can
opt to keep the default NTFS permissions or change permissions depending on your
needs. In Figure I, note that I've shown both the NTFS Permissions page as well as the
Edit Permissions dialog box to give you a look at how to change permissions. If you want
to change permissions, in the Permissions for dialog box click the Add button, select the
user that should be added to the permissions list and choose the appropriate permissions.
4. The next step of the wizard asks you to choose the protocol(s) allowed to access the share. If
you've opted to install the NFS portion of the File Services role, the NFS option will be
available. If not, just SMB (Server Message Block), the Windows default, is available. The
Share name field is automatically populated with the name of the folder you selected.
5. On the SMB Settings page, provide a description of the share that will show up when people
browse the server. Lower on the page, note the advanced settings area. If you want to
change these settings, click the advanced button. Figure J shows you the advanced options
page. On the Advanced page, note the Enable access-based enumeration checkbox. Access-
based enumeration was introduced in an add-on in previous versions of Windows Server
and brings to Windows the ability to limit user's visibility to just the folders that the user has
rights to see.
6. Next up… SMB permissions. On the SMB Permissions page, decide how you want users to
be able to access the resource over the network. Note that this set of permissions is separate
from the NTFS permissions you worked with previously. The SMB permissions (also called
share permissions) are combined with NTFS permissions and the most restrictive
permissions will apply. I recommend that you simply set SMB permissions
to Administrators have Full Control; all other users and groups have only Read access and
Write access and use just NTFS permissions to limit access.
7. On the review page, review your selections and click the Create button. When you're done,
choose the Shares tab in the main console. You should see your new share listed, as shown
in Figure K.
Lecture No 6
Lecture outline:
Group Policy is a feature of the Microsoft Windows NT family of operating systems. Group
Policy is a set of rules which control the working environment of user accounts and computer
accounts. Group Policy provides the centralized management and configuration of operating
systems, applications and users' settings in an Active Directory environment. In other words,
Group Policy in part controls what users can and cannot do on a computer system. Although
Group Policy is more often seen in use for enterprise environments, it is also common in schools,
smaller businesses and other kinds of smaller organizations. Group Policy is often used to restrict
certain actions that may pose potential security risks, for example: to block access to the Task
Manager, restrict access to certain folders, disable the downloading of executable files and so on.
1. Local Group Policy objects - This applies to any settings in the computer's local policy
(accessed by running gpedit.msc). Previous to Windows Vista, there was only one local
group policy stored per computer. There are now individual group policies settable per
account of a Windows Vista and 7 machine
2. Site - Next the computer processes any group policies that are applied to the site the
computer is currently in. If multiple policies are linked to a site these are processed in the
order set by the administrator using the Linked Group Policy Objects tab, policies with
the lowest link order are processed last and have the highest precedence.
3. Domain - Any policies applied at the domain level (default domain policy) are processed
next. If multiple policies are linked to a domain these are processed in the order set by the
administrator using the Linked Group Policy Objects tab, policies with the lowest link
order are processed last and have the highest precedence.
4. Organizational Unit - Last group policies assigned to the organizational unit that
contains the computer or user are processed. If multiple policies are linked to an
organizational unit these are processed in the order set by the administrator using the
Linked Group Policy Objects tab, policies with the lowest link order are processed last
and have the highest precedence.
1. To open the GPMC, click Start, click Administrative Tools, and then click Group
Policy Management.
2. In the GPMC console tree, expand Group Policy Objects in the forest and domain
containing the GPO that you want to edit.
3. Right-click the GPO that you want to edit, and then click Edit.
4. Select the appropriate policy which you want to apply to an OU.
5. Link the newly created GPO to the OU.
6. Open command prompt and use the following to update the group policy settings to all
the domain users
Lecture No 7
Lecture outline:
1. Open the Group Policy Object that you want to apply an exception and then click on the
“Delegation” tab and then click on the “Advanced” button.
2. Click on the “Add” button and select the group (recommended) that you want to exclude
from having this policy applied.
3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select
this group in the “Group or user names” list and then scroll down the permission and tick the
“Deny” option against the “Apply Group Policy” permission.
Lecture No 8
Lecture outline:
If Loopback processing of Group Policy is not enabled and our User logs on to our Computer,
the following is true:
As we can see from the picture, the User gets Computer Configuration 2 and User Configuration
1. This is absolutely standard situation, where policies are applied according to the belonging to
the OU. User belongs to the Red OU, he gets the Red User configuration 1accordingly.
Now let’s enable the Loopback processing of Group Policy for the Green OU. In this case if the
User logs on to the Computer, the policies applied in the following way:
As we can see, now the User is getting User Configuration 2 despite of the fact that he belongs to
the Red OU. So, what has happened in this scenario, the User Configuration 1 was replaced with
the User Configuration 2, i.e. with the configuration applied to the Computer account.
As you have probably noticed, the picture above says “Loopback in replace mode”. I have to
mention that the Loopback processing of Group Policy has two different modes, Replace and
Merge. It is obvious that Replace mode replaces User Configuration with the one applied to the
Computer, whereas Merge mode merges two User Configurations.
In Merge mode, if there is a conflict, for example two policies provide different values for the
same configuration setting, the Computer’s policy has more privilege. For example in our
scenario, in case of the conflict the User Configuration 2 would be enforced.
In the real work environment Loopback processing of Group Policy is usually used on Terminal
Servers. For example you have users with enabled folder redirection settings, but you do not
want these folder redirection to work when the users log on to the Terminal Server, in this case
we enable Loopback processing of Group Policy in the Policy linked to the Terminal Server’s
Computer account and do not enable the folder redirection settings. In this case, once the User
logged on to the Terminal Server his folder redirection policy will not be applied.
Newly created Group Policy objects apply to all authenticated users. The drive map preference
items contained in the GPO inherits the scope of the GPO; leaving us to simply configure the
preference item and link the GPO. We start by configuring the drive map preference item by
choosing the Action of the item. Drive map actions include Create, Replace, Update, and
Delete. These are the actions commonly found in most preference
items. Create and Delete actions are self-explanatory. The compelling difference
between Replace and Update is that Replace deletes the mapped drive and then creates a new
mapped drive with the configured settings. Update does NOT delete the mapped drive-- it only
modifies the mapped drive with the new settings. Group Policy Drive Maps use the drive letter to
determine if a specific drive exists. The preceding image shows a Drive Map preference item
configure with the Replace action. The configured location is a network share named data;
hosted by a computer named hq-con-srv-01. The configured drive letter is the G drive. All other
options are left at their defaults. This GPO is linked at the contoso.com domain.
Configuring the first part of an inclusive drive mapping preference item does not make it
inclusive; it does the work of mapping the drive. We must take advantage of item-level targeting
to ensure the drive mapping items works only for users who are members of the group. We can
configure item level targeting by clicking the Targeting button, which is located on the
Common tab of the drive mapping item. The targeting editor provides over 20 different types of
targeting items. We're specifically using the Security Group targeting item.
Using the Browse button allows us to pick a specific group in which to target the drive mapping
preference item. Security Group targeting items accomplishes its targeting by comparing security
identifiers of the specified group against the list of security identifiers with the security
principal's (user or computer) token. Therefore, always use the Browse button when selecting a
group; typing the group name does not resolve the name to a security identifier.
The preceding screen shows a properly configured, inclusive targeting item. A properly
configured security group targeting item shows both Group and SID fields. The Group field is
strictly for administrative use (we humans recognize names better than numbers). The SID field
is used by the client side extension to determine group membership. We can determine this is an
inclusive targeting item because of the text that represents the item within the list. The word is in
the text "the user is a member of the security group CONTOSO\Management." Our new drive
map item and the associated inclusive targeting item are now configured. We can now link the
hosting Group Policy object to the domain with confidence that only members of the
Management security group receive the drive mapping. We can see the result on a client. The
following image shows manager Mike Nash's desktop from a Windows Vista computer. We can
see that Mike receives two drive mappings: the public drive mapping (G: drive) and the
management drive mapping (M: drive).
Lecture No 9
Lecture outline:
1. If you set it up for specific Users or User Groups, you can publish the software so they
can install it on demand.
2. You can also assign the software so it installs on the next client restart.
3. If you set up the GPO on the Computers side, you can’t publish only assign
4. Use your best judgment based on who needs the software and when picking which side of
a GPO to use for Software Installs.
Lecture No 10
Lecture outline:
7. In the Create Object dialog box, under Select a class, click msDC-
PasswordSettings, and then click Next.
8. In the Create Object dialog box, enter SpecialAdmins in the Value field, and
then click Next.
11. For the msDS-PasswordHistoryLength value, enter 24, and then click Next
13. For the msDS-MinimumPasswordLength value, enter 12, and then click Next
14. For the msDS-MinimumPasswordAge, enter 1:00:00:00, and then click Next
15. For the msDS-MaximumPasswordAge, enter 30:00:00:00, and then click Next
18. For the msDS-LockoutDuration, enter (never), and then click Next, then
click Finish
Lecture No 11
Lecture outline:
The Delegation Wizard can’t provide everything, so you’ll have to also use some
additional Groups to provide some more permission to a user. The detail of different groups has
been shown in the chart below.
1. So now that user actually can do some administrative tasks, let’s make it a little easier for
him to get to the Servers without even having to use Remote Desktop.
2. The Remote Server Administration Tools for Windows7 is a collection of MMC tools
that allows you to administer most of the standard Server tasks without having to use
Remote Desktop or actually be at the Server.
3. It’s super easy to download and install, but you have to go into Control panel and enable
it.
Lecture No 12
Lecture outline:
1. Creating backup
2. Windows server 2008 built in tools for backup
Creating backup:
In information technology, a backup or the process of backing up is making copies
of data which may be used to restore the original after a data loss event. Backups have two
distinct purposes. The primary purpose is to recover data after its loss, be it by data deletion
or corruption. Data loss is a very common experience of computer users. 67% of internet users
have suffered serious data loss. The secondary purpose of backups is to recover data from an
earlier time, according to a user-defined data retention policy, typically configured within a
backup application for how long copies of data are required.
To install Windows Server Backup go to Server Manager, Add Features and Windows Server
Backup
2. Wbadmin
WBADMIN is a command line that provides more power to your backup options
It can run a one-time backup
It can schedule regular backups
It can back up your System State which includes all the guts of your DC:
o Registry
o Boot files
o System Files
o AD Directory Services database
o SYSVOL directory
System State data can be restored using WBADMIN or using the graphical
Windows Server Backup
3. Ntdsutil
An extremely powerful tool to do advance backup operations (and a lot more)
specifically for Active Directory files and database
NTDSUTIL is specifically for AD, and not so much backing up your whole
Server.
In terms of creating Backup Media, it can create IFM (Install from Media) media
for faster creation (or re-creation, as the case may be) of a Domain Controller.
It’s an interactive tool, providing different commands depending on what Context
it’s used in.
When used in conjunction with media created by Wbadmin or Windows Server
Backup, it can allow you to restore Active Directory Objects like entire OU’s.
It can also take Snapshots of your Active Directory Database so you can see how
your AD looks over
To create an Ntdsutil backup type the following sequence of commands at command prompt
C :\>ntdsutil
Ntdsutil: ifm
Ntdsutil: activate instance ntds
Ifm: create sysvol full D:\ifm