6425A
Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
Microsoft, Access, Active Directory, ActiveX, BitLocker, Convergence, Internet Explorer, Jscript,
MSDN, NetMeeting, PowerPoint, SharePoint, SQL Server, Verdana, Visual Basic, Visual Studio, Win32,
Windows, and Windows Vista are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Released: 05/2008
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER
EDITION – Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the Licensed Content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use
the Licensed Content.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. “Academic Materials” means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the
Licensed Content.
b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
“MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one
(1) Course.
d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning
Center during an Authorized Training Session, each of which provides training on a particular
Microsoft technology subject matter.
e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. “Licensed Content” means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student
Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.
g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.
i. “Student Content” means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include
labs, simulations, and courseware files for a Course.
j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an
Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its
behalf.
k. “Trainer Content” means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
m. “Virtual Machine” means a virtualized computing experience, created and accessed using
Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered “Trainer Content”.
n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided
that the number of copies in use does not exceed the number of Students enrolled in and the
Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed
Content on such server does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (i) or (ii) above during such
Authorized Training Session in accordance with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions
in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We
may change it for the final, commercial version. We also may not release a commercial version.
You will clearly and conspicuously inform any Students who participate in each Authorized Training
Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with
any further content, including but not limited to the final released version of the Licensed Content
for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and
for any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is
subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary
to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a
protective order or otherwise protect the information. Confidential information does not
include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to
Microsoft or its suppliers; or
• you developed independently.
d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs
you is the end date for using the beta version, or (ii) the commercial release of the final release
version of the Licensed Content, whichever is first (“beta term”).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released
version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft
Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the
time indicated on the install of the Virtual Machines (between 30 and 500 days after you
install it). You will not receive notice before it stops running. You may not be able to
access data used or information saved with the Virtual Machines when it stops running and
may be forced to reset these Virtual Machines to their original state. You must remove the
Software from the Devices at the end of each Authorized Training Session and reinstall and
launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms
apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk.
Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized
Training Session, you will obtain from Microsoft a product key for the operating system
software for the Virtual Hard Disks and will activate such Software with Microsoft using such
product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents
thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed
Content solely in an Authorized Training Session. If Trainers have their own copy of the
Licensed Content, they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as
“Evaluation Software” may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree
or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training
Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those
portions of the Licensed Content that are logically associated with instruction of the Authorized
Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer
agrees: (a) that any of these customizations or reproductions will only be used for providing an
Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials
and you may not print any book (either electronic or print version) in its entirety. If you
reproduce any Academic Materials, you agree that:
• The use of the Academic Materials will be only for your personal reference or training use;
• You will not republish or post the Academic Materials on any network computer or
broadcast in any media;
• You will include the Academic Material’s original copyright notice, or a copyright notice to
Microsoft’s benefit in the format provided below:
Form of Notice:
© 2008 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else’s use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allow you to use it in certain ways. You may not
• install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft’s prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent
that applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
• publish the Licensed Content for others to copy;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
• Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply
to the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as “NFR” or “Not for Resale.”
10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as
“Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an
Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is
terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this
agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based
services and support services that you use, are the entire agreement for the Licensed
Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered “as is”. Any
use of this licensed content is at your sole risk. Microsoft grants no other express warranty. You
may have additional rights under local consumer protection law, which this agreement cannot
modify. Where permitted by local law, the implied warranties of merchantability, fitness for a
particular purpose and non-infringement are excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from
Microsoft and its suppliers compensation for direct damages only, up to US $5.00. You may not
claim any compensation for other damages, including special, indirect or incidental damages and
lost profits.
This limitation applies to:
• anything related to the licensed content, to services or to content (including code) on third-party
Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If
your country does not allow the exclusion or limitation of liability for indirect, incidental or other
damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under
the laws of your country. This agreement does not modify the rights conferred on you by the laws
of your country if those laws do not permit it.
Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services xi
Contents
Module 1: Implementing Active Directory Domain Services
Lesson 1: Installing Active Directory Domain Services 1-3
Lesson 2: Deploying Read-Only Domain Controllers 1-16
Lesson 3: Configuring AD DS Domain Controller Roles 1-25
Lab: Implementing Read-Only Domain Controllers and Managing
Domain Controller Roles 1-32
Course Description
The purpose of this 5-day course is to teach Active Directory® Technology
Specialists how to configure Active Directory® Domain Services (AD DS) in a
distributed environment, implement Group Policy, perform backup and restore,
and monitor and troubleshoot Active Directory-related issues. After completing this
course, students will be able to implement and configure Active Directory Domain
Services in their enterprise environment.
Audience
The primary audience for this course is Active Directory Technology Specialists,
Server Administrators, and Enterprise Administrators who want to learn how to
implement Active Directory in a distributed environment, secure domains using
Group Policy, perform backup and restore, and monitor and troubleshoot Active
Directory configuration to ensure trouble-free operation.
Student Prerequisites
This course requires that you meet the following prerequisites:
• Basic understanding of networking. For example, how TCP/IP functions,
addressing, name resolution (Domain Name System [DNS]/Windows Internet
Name Service [WINS]), and connection methods (wired, wireless, virtual
private network [VPN]), NET+ or equivalent knowledge.
• Intermediate understanding of network operating systems. For example,
Windows® 2000, Windows® XP, Windows Server® 2003, etc.; familiarity with the
Windows Vista® operating system client is nice to have.
• An awareness of security best practices. For example, file system permissions,
authentication methods, workstation and server hardening methods, etc.
• Basic knowledge of server hardware. A+ or equivalent knowledge.
Course Objectives
After completing this course, students will be able to:
• Implement AD DS.
• Configure DNS for AD DS.
• Configure Active Directory objects and trusts.
• Configure Active Directory sites and replication.
• Create and configure Group Policy.
• Configure user environments using Group Policy.
• Implement security using Group Policy.
• Implement an AD DS monitoring plan.
• Implement an AD DS maintenance plan.
• Troubleshoot Active Directory, DNS, and replication issues.
• Troubleshoot Group Policy issues.
• Implement an AD DS infrastructure.
Course Outline
This section provides an outline of the course:
Module 1: This module discusses the prerequisite hardware and software required
for implementing AD DS, as well as the process for installing it. It also defines what
a read-only domain controller (RODC) is and how to install it.
Module 2: This module covers DNS configuration specific to AD DS.
Module 3: This module discusses how to implement and configure AD DS objects
and trusts.
Module 4: This module covers how to create and configure sites to manage
replication.
Module 5: This module covers how Group Policy objects (GPOs) work and how to
create and apply GPOs.
Module 6: This module discusses how to configure user desktop settings by using
Group Policy.
Module 7: This module describes how to configure security settings and apply
them using GPOs.
Module 8: This module describes how to monitor AD DS infrastructure and
services.
Module 9: This module discusses how to perform maintenance, backup, and
recovery of Active Directory servers and objects.
Module 10: This module covers how to troubleshoot and resolve issues related to
AD DS, DNS, and replication.
Module 11: This module describes how to troubleshoot and resolve issues related
to Group Policy.
Module 12: This module is a day-long lab. You are given scenarios that will help
you learn how to create a solution from start to end.
Course Materials
The following materials are included with your kit:
• Course handbook. The Course handbook contains the material covered in class.
It is meant to be used in conjunction with the Course Companion CD.
• Course Companion CD. The Course Companion CD contains the full course
content, including expanded content for each topic page, full lab exercises
and answer keys, and topical and categorized resources and Web links. It is meant
to be used both inside and outside the class.
Note: To access the full course content, insert the Course Companion CD into the
CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.
• Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.
Important: At the end of each lab, you must close the virtual machine and must not
save any changes. To close a virtual machine without saving the changes, perform
the following steps:
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
The following table shows the role of each virtual machine that this course uses:
Software Configuration
The virtual machines run the following software:
• Windows Server® 2008 Enterprise
• Windows Server® 2003 Enterprise
• Windows® Vista SP1
Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way.
Module 1
Implementing Active Directory Domain Services
Contents:
Lesson 1: Installing Active Directory Domain Services 1-3
Lesson 2: Deploying Read-Only Domain Controllers 1-16
Lesson 3: Configuring AD DS Domain Controller Roles 1-25
Lab: Implementing Read-Only Domain Controllers and Managing
Domain Controller Roles 1-32
1-2 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Module Overview
Active Directory Domain Services (AD DS) is installed as a server role in the
Windows Server® 2008 operating system. You have several choices to make when
you install AD DS and run the Active Directory Domain Services Installation
Wizard. You must choose whether to create a new domain, or add a domain
controller to an existing domain. You also have the option of installing AD DS on a
server running Windows Server 2008 Server Core, or installing read-only domain
controllers. After deploying the domain controllers, you also must manage special
domain controller roles, such as the global catalog and operations masters.
Implementing Active Directory Domain Services 1-3
Lesson 1:
Installing Active Directory Domain Services
Windows Server 2008 provides several ways to install and configure AD DS. This
lesson describes the standard AD DS installation, and also describes some of the
other options that are available when performing the installation.
Key Points
To install AD DS, the server must meet the following requirements:
• The Windows Server 2008 operating system must be installed. AD DS can only
be installed on the following editions (in either a full or a Server Core
installation):
• The Windows Server® 2008 Standard operating system
• The Windows Server® 2008 Enterprise operating system
• The Windows Server® 2008 Datacenter operating system
• An NTFS volume must be available for the database, the log files, and the
SYSVOL shared folder.
• TCP/IP must be configured, and a DNS server that supports Service (SRV)
resource records must be available; the Installation Wizard can install the
DNS Server role on the new domain controller for you.
Additional Reading
• Active Directory Domain Services Help: Installing Active Directory Domain
Services
• Microsoft Technet article: Requirements for Installing AD DS
Key Points
In Windows Server 2008, forest and domain functional levels provide a way to enable
forest-wide or domain-wide Active Directory features in your network environment.
Each functional level unlocks a set of features, and a level can only be raised
once every domain controller in the domain (or forest) runs an operating system
that supports it; raising a functional level cannot be undone. For example, the
Windows Server 2003 forest functional level is the minimum required for deploying
read-only domain controllers.
Additional Reading
• Active Directory Domain Services Help: Set the domain or forest functional
level
• Microsoft Technet article: Appendix of Functional Level Features
AD DS Installation Process
Key Points
To configure a Windows Server 2008 domain controller, you must install the AD
DS server role and run the Active Directory Domain Services Installation Wizard.
Do this using one of the following processes:
• Install the AD DS server role by using Server Manager, and then start the
Active Directory Domain Services Installation Wizard, either from the link that
Server Manager displays or by running DCPromo.
• Run DCPromo from the Run command or a command prompt. This installs the
AD DS server role (if it is not already installed) and then starts the
installation wizard.
Additional Reading
• Active Directory Domain Services Help: Installing Active Directory Domain
Services
• Microsoft Technet article: Installing a New Windows Server 2008 Forest and
Scenarios for Installing AD DS
Key Points
Some of the Active Directory Domain Services Installation Wizard pages appear
only if you select the Use advanced mode installation check box on the Welcome
page of the wizard, or by running DCPromo with the /adv switch. If you do not
run the Installation Wizard in advanced mode, the wizard will use default options
that apply to most configurations.
Question: When would you use the advanced options mode in your organization?
Additional Reading
• Active Directory Domain Services Help: Use advanced mode installation
• Microsoft Technet article: What's New in AD DS Installation and Removal
Key Points
Before you can use backup media as the source for installing a domain controller
(install from media, or IFM), use Ntdsutil.exe on an existing domain controller to
create the installation media. The ifm subcommand of Ntdsutil.exe can create
four different installation media types: full (for a writeable domain controller),
sysvol full (the same plus SYSVOL), rodc, and sysvol rodc. The two RODC types
strip the account secrets (password hashes) from the copy of the database, so
media created for an RODC does not expose credentials if it is lost in transit;
media of the full types must be protected like a domain controller backup.
Installing from media reduces the WAN traffic of a promotion to the changes made
since the media was created.
Question: Which types of installation media will you use in your organization?
Additional Reading
• Microsoft Technet article: Installing AD DS from Media
Question: What steps would you take if you noticed that the domain controller
installation failed?
Additional Reading
• Microsoft Technet article: Verifying an AD DS Installation
Key Points
To install a new Windows Server 2008 domain controller in an existing Windows
2000 Server or Windows Server 2003 domain, complete the following steps:
• If the domain controller is the first Windows Server 2008 domain controller in
the forest, you must prepare the forest for Windows Server 2008 by extending
the schema on the schema operations master. To extend the schema, run
adprep /forestprep while logged on as a member of the Schema Admins,
Enterprise Admins, and Domain Admins groups of the forest root domain. The
adprep tool is located in the \sources\adprep folder of the Windows Server 2008
installation media.
• If the domain controller is the first Windows Server 2008 domain controller in
a Windows 2000 Server domain, you must first prepare the domain by
running adprep /domainprep /gpprep on the infrastructure master. The
gpprep switch adds inheritable access control entries (ACEs) to the Group
Policy Objects (GPOs) that are located in the SYSVOL shared folder and
synchronizes the SYSVOL shared folder among the domain controllers in the
domain. Because this triggers a full synchronization of SYSVOL, run it at a
time when the replication traffic is acceptable.
• If the domain controller is the first Windows Server 2008 domain controller in
a Windows Server 2003 domain, you must prepare the domain by running
adprep /domainprep on the infrastructure master. Wait for the schema changes
made by adprep /forestprep to replicate to the infrastructure master before
you run it.
• After you install a writeable domain controller, you can install an RODC in the
Windows Server 2003 forest. Before doing this, you must prepare the forest by
running adprep /rodcprep. You can run adprep /rodcprep on any computer
in the forest. If the RODC will be a global catalog server, then you must run
adprep /domainprep in all domains in the forest, regardless of whether the
domain runs a Windows Server 2008 domain controller. By running adprep
/domainprep in all domains, the RODC can replicate global catalog data from
all domains in the forest and then advertise as a global catalog server.
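The sequence above, written as an added PowerShell script that is not part of the course text: it reads the schema version and the role holders from the directory rather than from a note, refuses to run a step on the wrong domain controller, and checks adprep's exit code. It assumes the Windows Server 2008 media is mounted as D: on the domain controller where each step runs; the script name Prep-AD.ps1 and the -Step parameter are this example's own.

```powershell
# Added example; not part of the 6425A course text. Save as Prep-AD.ps1 and run
# it in an elevated PowerShell session on the domain controller named for each
# step, as a member of the Schema Admins, Enterprise Admins and Domain Admins
# groups of the forest root domain. Assumption: the Windows Server 2008 media
# of the same processor architecture as the DC is mounted as D:.
param([ValidateSet('forestprep', 'domainprep', 'rodcprep')][string]$Step)
$adprep = 'D:\sources\adprep\adprep.exe'

# objectVersion of the schema container: 30 = Windows Server 2003,
# 31 = Windows Server 2003 R2, 44 = Windows Server 2008.
function Get-SchemaVersion {
    $root   = [ADSI]'LDAP://RootDSE'
    $schema = [ADSI]('LDAP://' + $root.schemaNamingContext[0])
    return [int]$schema.objectVersion[0]
}

# Resolve an operations master from the fSMORoleOwner attribute of the object
# that owns the role. The value is the DN of the holder's NTDS Settings object;
# its parent is the server object, whose dNSHostName is the DC's FQDN.
function Get-RoleHolder([string]$ownerDn) {
    $owner    = [ADSI]('LDAP://' + $ownerDn)
    $serverDn = ([string]$owner.fSMORoleOwner[0]) -replace '^CN=NTDS Settings,', ''
    $server   = [ADSI]('LDAP://' + $serverDn)
    return [string]$server.dNSHostName[0]
}

function Invoke-Adprep([string[]]$switches) {
    & $adprep $switches
    if ($LASTEXITCODE -ne 0) { throw "adprep $switches failed with exit code $LASTEXITCODE" }
}

$root         = [ADSI]'LDAP://RootDSE'
$schemaMaster = Get-RoleHolder $root.schemaNamingContext[0]
$infraMaster  = Get-RoleHolder ('CN=Infrastructure,' + $root.defaultNamingContext[0])
$me           = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Write-Host "Schema master: $schemaMaster   Infrastructure master: $infraMaster"
Write-Host "Schema version now: $(Get-SchemaVersion) (44 = Windows Server 2008)"

switch ($Step) {
    # Once per forest, only on the schema master. adprep asks for 'C' to confirm.
    # Let the new schema replicate to every DC before you move on to domainprep.
    'forestprep' {
        if ($me -ne $schemaMaster) { throw "Run forestprep on $schemaMaster, not on $me" }
        if ((Get-SchemaVersion) -ge 44) { Write-Host 'Schema already at 44; nothing to do'; break }
        Invoke-Adprep '/forestprep'
    }
    # Once per domain, on that domain's infrastructure master. /gpprep adds the
    # inheritable ACEs on GPOs that Windows Server 2008 expects; it also forces
    # a full SYSVOL synchronisation, so run it at a quiet time. It is harmless
    # on a domain where gpprep has already been applied.
    'domainprep' {
        if ($me -ne $infraMaster) { throw "Run domainprep on $infraMaster, not on $me" }
        if ((Get-SchemaVersion) -lt 44) { throw "Schema version 44 has not replicated to $me yet" }
        Invoke-Adprep @('/domainprep', '/gpprep')
    }
    # Once per forest, from any domain-joined computer, before the first RODC is
    # promoted: fixes the permissions on the DNS application partitions so that
    # an RODC is allowed to replicate them.
    'rodcprep' { Invoke-Adprep '/rodcprep' }
}
```

Run it three times: .\Prep-AD.ps1 -Step forestprep on the schema master, .\Prep-AD.ps1 -Step domainprep on the infrastructure master of each domain once the schema version there reads 44, and .\Prep-AD.ps1 -Step rodcprep anywhere in the forest before the first RODC promotion.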
Additional Reading
• Active Directory Domain Services Help: Installing Active Directory Domain
Services
• Microsoft Technet article: Installing a New Windows Server 2008 Forest
• Microsoft Technet article: Scenarios for Installing AD DS
Key Points
Additional Reading
• Microsoft Technet article: Installing a New Windows Server 2008 Forest,
Appendix of Unattended Installation Parameters
Key Points
After installing a domain controller, you may need to perform additional tasks in
your environment. You can access checklists for the following common
configurations for AD DS in Server Manager, under Resources and Support.
Additional Reading
• AD DS Help: Common Configurations for Active Directory Domain Services
Lesson 2:
Deploying Read-Only Domain Controllers
One of the important new features in Windows Server 2008 is the option to use
read-only domain controllers (RODCs). RODCs provide all of the functionality that
clients require while providing additional security for domain controllers deployed
in branch offices. When configuring RODCs, you can specify which user account
passwords will be cached on the server, and configure delegated administrative
permissions for the domain controller. This lesson describes how to install and
configure RODCs.
Key Points
An RODC is a new type of domain controller that Windows Server 2008 supports.
An RODC hosts read-only partitions of the AD DS database. This means that no
changes can be made locally to the database copy stored by the RODC, and all
AD DS replication uses a one-way connection from a domain controller that has a
writeable database copy to the RODC. Because nothing replicates out of an RODC,
a change made by someone who controls the RODC (or its database file) cannot
propagate to the rest of the domain. By default an RODC also stores no account
passwords other than its own and those of the krbtgt account created specifically
for it; which other passwords it may cache is controlled by its Password
Replication Policy.
Additional Reading
• Microsoft Technet article: AD DS: Read-Only Domain Controllers
Key Points
See the list on the slide.
Additional Reading
• Microsoft Technet article: AD DS: Read-Only Domain Controllers
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3
Key Points
Before you can install an RODC, you must prepare the AD DS environment by
completing the following steps:
• Configure the domain and forest functional level. The forest functional level
must be Windows Server 2003 or higher (for linked-value replication), and the
domain functional level must be Windows Server 2003 or higher (for Kerberos
constrained delegation).
• Plan for Windows Server 2008 domain controller availability. An RODC can
replicate only from a writeable Windows Server 2008 domain controller in the
same domain, so at least one must exist and be reachable from the RODC's site.
• Prepare the forest and domain by running adprep /forestprep, adprep
/domainprep, and adprep /rodcprep.
Additional Reading
• AD DS Help: Delegate read-only domain controller installation and
administration
• Microsoft Technet article: AD DS: Read-Only Domain Controllers
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3
Key Points
The RODC installation is almost identical to the installation of AD DS on a domain
controller with a writeable copy of the database. However there are a few
additional steps.
Additional Reading
• AD DS Help: Delegate read-only domain controller installation and
administration
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3
Key Points
You can delegate the installation of an RODC by performing a two-stage
installation. In the first stage, a member of Domain Admins pre-creates the RODC
computer account in Active Directory Users and Computers, sets the site and the
Password Replication Policy, and delegates the account to a user or group. In the
second stage, that delegated user runs the Installation Wizard (or dcpromo
/UseExistingAccount:Attach) on the branch server, which attaches to the
pre-created account. No Domain Admins credentials are used, and therefore none
are cached, in the branch office.
Additional reading
• AD DS Help: Delegate read-only domain controller installation and
administration
• Microsoft Technet article: AD DS: Read-Only Domain Controllers:
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controllers
Key Points
When you deploy an RODC, you can configure a Password Replication Policy for
the RODC. The Password Replication Policy acts as an access control list (ACL)
that determines whether an RODC is permitted to cache a password.
The Password Replication Policy lists the accounts that you are explicitly allowing
to be cached, and those that you are not; if an account appears in both lists
(directly or through group membership), the deny entry wins. By default only the
members of the Allowed RODC Password Replication Group are allowed, and the
administrative groups such as Domain Admins, Enterprise Admins, and Account
Operators, together with the Denied RODC Password Replication Group, are denied.
The passwords for allowed accounts are not actually cached on the RODC until
after the first time the user or computer account is authenticated through the
RODC (unless you pre-populate them). The RODC keeps a record of every account
whose password it has cached, so you know exactly which credentials to reset if
the server is compromised.
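The policy described above, managed from the command line with repadmin, as an added example that is not part of the course text. It assumes that TOR-DC1 is an RODC in WoodgroveBank.com and that the groups Branch-Toronto-Users, Branch-Toronto-Computers and Executives and the user Alice Chan exist; all of these names are illustrative.

```powershell
# Added example; not part of the 6425A course text. Assumes TOR-DC1 is an RODC
# in WoodgroveBank.com and that the groups and the user below exist; all of the
# names are illustrative.
$rodc   = 'TOR-DC1'
$domain = 'DC=WoodgroveBank,DC=com'

# The policy as shipped: only 'Allowed RODC Password Replication Group'
# (empty by default) is allowed; 'Denied RODC Password Replication Group',
# which contains the administrative groups and krbtgt, is denied. Deny wins.
repadmin /prp view $rodc allow
repadmin /prp view $rodc deny

# Allow the branch's own users and workstations, deny executives explicitly.
# Scoped groups, rather than Domain Users, keep the set of credentials at risk
# on a stolen RODC to the accounts that actually log on in Toronto.
repadmin /prp add $rodc allow "CN=Branch-Toronto-Users,OU=Groups,$domain"
repadmin /prp add $rodc allow "CN=Branch-Toronto-Computers,OU=Groups,$domain"
repadmin /prp add $rodc deny  "CN=Executives,OU=Groups,$domain"

# Pre-populate the cache so the first logon works even if the WAN is already
# down. This fails for any account the policy does not allow.
repadmin /rodcpwdrepl $rodc NYC-DC1 "CN=Alice Chan,OU=Toronto,$domain"

# Audit. 'reveal' lists every account whose password the RODC has cached;
# 'auth2' lists accounts that authenticated through the RODC but are not
# cached (candidates for the allow list, or evidence of someone who should not
# be logging on in that office at all).
repadmin /prp view $rodc reveal
repadmin /prp view $rodc auth2

# If the RODC is stolen: delete its computer account in Active Directory Users
# and Computers and choose 'Reset all passwords for user accounts that were
# cached'. The 'reveal' list above is exactly the set of credentials to treat
# as compromised, so review it before an incident, not after one.
```

The same lists are stored on the RODC's computer object (msDS-RevealOnDemandGroup, msDS-NeverRevealGroup, msDS-RevealedList and msDS-AuthenticatedToAccountList), so they can also be read with any LDAP tool or the Password Replication Policy tab in Active Directory Users and Computers.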
Additional Reading
• AD DS Online Help: Specify Password Replication Policy
Questions:
What is an alternative way to configure administrator role separation and
password replication policies?
Your organization has deployed two RODCs. How would you configure the
password replication policy if you wanted the credentials for all user accounts and
computer accounts except for administrators and executives to be cached on both
RODCs?
Additional Reading
• AD DS Help: Specify Password Replication Policy
Lesson 3:
Configuring AD DS Domain Controller Roles
All domain controllers in a domain are essentially equal, meaning they all contain
the same data and provide the same services. However, you also can assign special
roles to domain controllers to provide additional services, or address scenarios in
which only one domain controller should provide services at any given time. This
lesson describes how to configure and manage global catalog servers and
operations masters.
Key Points
The global catalog is a partial, read-only replica of all domain directory partitions in
a forest. The global catalog is a partial replica because it includes only a limited set
of attributes for each of the forest’s objects. By including only the attributes that are
searched the most frequently, the database of a single global catalog server can
represent every object in every domain in the forest.
A global catalog server is a domain controller that also hosts the global catalog.
AD DS automatically configures the first domain controller in the forest as a
global catalog server. You can add global catalog functionality to other domain
controllers, or move the global catalog to another domain controller. Global
catalog servers answer on TCP port 3268 (3269 for LDAP over SSL) in addition to
the standard LDAP port 389, and clients locate them through the _gc SRV records
in DNS.
Additional Reading
• Microsoft Technet article: Domain Controller Roles
Key Points
Sometimes you may want to customize the global catalog server to include
additional attributes. By default, for every object in the forest, the global catalog
server contains an object’s most common attributes. Applications and users can
query these attributes. For example, you can find a user by first name, last name, e-
mail address, or other common properties.
Additional Reading
• Microsoft Technet article: Domain Controller Roles
Questions:
What types of errors or user experiences would lead you to investigate whether
you needed to configure another server as a global catalog server?
What are reasons why you would choose to replicate an attribute to the global
catalog?
Additional Reading
• Microsoft Technet article: To add an attribute to the global catalog
Key Points
Active Directory is designed as a multimaster replication system. However, for
certain directory operations, only a single authoritative server is required. The
domain controllers that perform specific roles are known as operations masters.
The domain controllers that hold operations master roles are designated to
perform specific tasks to ensure consistency and to eliminate the potential for
conflicting entries in the Active Directory database.
Additional Reading
• Microsoft Technet article: To add an attribute to the global catalog
• Microsoft Technet article: Manage Operations Master Roles
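The two role types covered in this lesson, global catalog servers and operations masters, read and changed from PowerShell, as an added example that is not part of the course text. It assumes a WoodgroveBank.com forest with writeable domain controllers NYC-DC1 and NYC-DC2 and an RODC TOR-DC1 in a site named Toronto; the names are illustrative.

```powershell
# Added example; not part of the 6425A course text. Assumes WoodgroveBank.com
# with writeable DCs NYC-DC1 and NYC-DC2 and an RODC TOR-DC1 in the site
# Toronto; the names are illustrative.
$root   = [ADSI]'LDAP://RootDSE'
$config = [string]$root.configurationNamingContext[0]
$domain = [string]$root.defaultNamingContext[0]

# The server object is the parent of the NTDS Settings object and carries
# dNSHostName, so strip the leading RDN to get from one to the other.
function Get-DcName([string]$ntdsDn) {
    $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
    return [string]([ADSI]('LDAP://' + $serverDn)).dNSHostName[0]
}

# 1. Which DCs hold the global catalog? Bit 0x1 of 'options' on a DC's NTDS
#    Settings object (objectClass nTDSDSA); 1.2.840.113556.1.4.803 is the LDAP
#    bitwise-AND matching rule.
function Get-GcServers {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]('LDAP://CN=Sites,' + $config)
    $s.Filter = '(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))'
    foreach ($r in $s.FindAll()) { Get-DcName ([string]$r.Properties['distinguishedname'][0]) }
}

# 2. The five operations masters, read from fSMORoleOwner on the object that
#    owns each role. An RODC can host the global catalog but never a role.
function Get-FsmoHolders {
    $owners = @{
        'Schema master'         = [string]$root.schemaNamingContext[0]
        'Domain naming master'  = 'CN=Partitions,' + $config
        'PDC emulator'          = $domain
        'RID master'            = 'CN=RID Manager$,CN=System,' + $domain
        'Infrastructure master' = 'CN=Infrastructure,' + $domain
    }
    foreach ($role in $owners.Keys) {
        $ntdsDn = [string]([ADSI]('LDAP://' + $owners[$role])).fSMORoleOwner[0]
        New-Object PSObject -Property @{ Role = $role; Holder = (Get-DcName $ntdsDn) }
    }
}

Write-Host 'Global catalog servers:'; Get-GcServers
Get-FsmoHolders | Format-Table Role, Holder -AutoSize

# 3. Make the branch RODC a global catalog server, then confirm it advertises.
#    The _gc SRV record is registered only after the partial replicas of the
#    other domains have replicated, so check DNS rather than just the attribute.
repadmin /options TOR-DC1 +IS_GC
nslookup -type=SRV _gc._tcp.Toronto._sites.WoodgroveBank.com
nltest /dsgetdc:WoodgroveBank.com /GC /site:Toronto

# 4. Move a role. Transfer (both DCs online) is graceful; seize is for a holder
#    that is gone for good. A DC whose role was seized must be reinstalled
#    before it is ever reconnected, or two DCs will both act as that master.
ntdsutil roles connections "connect to server NYC-DC2" quit "transfer PDC" quit quit
# Emergency only, for example the PDC emulator's hardware is dead and password
# changes, lockouts and time synchronisation are stalling across the domain:
#   ntdsutil roles connections "connect to server NYC-DC2" quit "seize PDC" quit quit
```

netdom query fsmo prints the same five holders; the script reads the attributes directly so that the lookup works with nothing but the built-in [ADSI] type and can be reused in monitoring.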
Questions:
Under what circumstances might you need to seize an operations master role
immediately rather than wait a few hours for a domain controller currently holding
the role to be repaired?
You are deploying the first domain controller in a new domain that will be a new
domain tree in the WoodgroveBank.com forest. What operations master roles will
this server hold by default?
Additional Reading
• Microsoft Technet article: Manage Operations Master Roles
Key Points
The Windows Time service, also known as W32Time, synchronizes the date and
time for all computers running on a Windows Server 2008 network. The Windows
Time service uses the Network Time Protocol (NTP) to ensure highly accurate time
settings throughout your network. Within a forest, time follows the domain
hierarchy: member computers synchronize with a domain controller in their
domain, domain controllers with the PDC emulator of their domain, and the PDC
emulators of child domains with the PDC emulator of the forest root domain. Only
the forest root PDC emulator should be configured to synchronize with an external
time source. Accurate time is a security requirement, not just a convenience:
Kerberos rejects authentication requests whose timestamps differ from the domain
controller's clock by more than the configured tolerance (five minutes by default).
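The hierarchy above configured and checked with w32tm, as an added example that is not part of the course text. It assumes that NYC-DC1 holds the forest root PDC emulator role and that the named NTP servers are reachable on UDP port 123; the skew-reporting function and its 240-second warning threshold are this example's own.

```powershell
# Added example; not part of the 6425A course text. Assumes NYC-DC1 holds the
# forest root PDC emulator role and that the named NTP servers are reachable on
# UDP port 123 through the firewall; substitute your own time sources.

# --- On the forest root PDC emulator only: take time from external sources ---
# ',0x8' flags each peer as a client-mode peer; /reliable:yes advertises this DC
# as a reliable time source to the rest of the forest.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover

# --- Every other DC and member: stay in the domain hierarchy ---
# Undoes a DC that someone pointed at an external source directly; such a DC
# can drift away from the PDC emulator and break Kerberos for its clients.
w32tm /config /syncfromflags:domhier /update
w32tm /resync

# --- Verify ---
w32tm /query /source       # a DC: its PDC emulator; the root PDC emulator: the NTP peer
w32tm /query /status

# Offset of every DC in the domain against the local clock. Kerberos tolerates
# 5 minutes by default, so flag anything that is getting close.
function Get-ClockSkew([string]$domain, [double]$limitSeconds = 240) {
    $dc = $null
    w32tm /monitor "/domain:$domain" | ForEach-Object {
        if ($_ -match '^(\S+).*\[') { $dc = $matches[1] }
        elseif ($_ -match 'NTP:\s*([+-]?\d+\.\d+)s offset') {
            $offset = [double]$matches[1]
            New-Object PSObject -Property @{
                DC = $dc; OffsetSeconds = $offset
                OverLimit = ([math]::Abs($offset) -gt $limitSeconds)
            }
        }
    }
}
Get-ClockSkew 'WoodgroveBank.com' | Format-Table DC, OffsetSeconds, OverLimit -AutoSize
```

If the PDC emulator role is transferred, repeat the first block on the new holder and the second on the old one; w32tm /query /source on a random member shows at a glance whether the hierarchy is intact.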
Additional Reading
• Microsoft Technet article: Windows Time Service Technical Reference
• Microsoft Technet article: Configuring a time source for the forest
Scenario
Woodgrove Bank has begun their deployment of Windows Server 2008. The
organization has deployed several domain controllers at the corporate
headquarters and is preparing to deploy domain controllers in several branch
offices. The Enterprise Administrator created a design that requires read-only
domain controllers to be deployed on servers running Windows Server 2008 in all
branch offices. Your task is to deploy a domain controller in a branch office that
meets these requirements.
Note: Due to the limitations of the virtual lab environment, you will be installing the
RODC in the same site as the existing domain controllers. In a production environment,
you would complete the same steps even if the RODC were in a different site.
f Task 2: Verify that the forest and domain functional level are
compatible with an RODC deployment
1. On NYC-DC1, open Active Directory Users and Computers.
2. View the WoodgroveBank.com properties, and verify that the domain
functional level and the forest functional level are set to Windows Server 2003.
Result: At the end of this exercise you will have verified that the domain and the computer
are ready to install an RODC.
7. Check the NTDS Settings for TOR-DC1. Confirm that connection objects have
been created.
8. Check the NTDS Settings for NYC-DC1. Confirm that no connection objects
have been created for replication with TOR-DC1.
9. Open Event Viewer. In the Directory Service log, locate and view a message
with an event ID of 1128. This event ID verifies that a replication connection
object has been created between NYC-DC1 and TOR-DC1.
Result: At the end of this exercise, you will have installed an RODC and
configured the RODC password replication policy for the RODC.
f Task 4: Close down all virtual machines and discard any changes
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6425A Lab Launcher.
Result: At the end of this exercise, you will have configured a global catalog
server and configured AD DS domain controller roles.
Review Questions
1. You are deploying a domain controller in a branch office. The branch office
does not have a highly secure server room so you are concerned about the
security of the server. What two Windows Server 2008 features can you take
advantage of to enhance the security of the domain controller deployment?
2. You must create a new domain by installing a domain controller in your Active
Directory infrastructure. You are reviewing the inventory list of available
servers for this purpose. Which of the following computers could be used as a
domain controller?
a. Windows Server 2008 Web Edition, NTFS file system, 1 gigabyte (GB)
free hard disk space, TCP/IP.
b. Windows Server 2008 Enterprise Edition, NTFS file system, 500
megabyte (MB) free hard disk space, TCP/IP.
c. Windows Server 2008 Server Core Enterprise Edition, NTFS file system,
1 GB free hard disk space, TCP/IP.
d. Windows Server 2008 Standard Edition, NTFS file system, 500 MB free
hard disk space, TCP/IP.
3. You are deploying an RODC in a branch office. You need to ensure that all users
in the branch office can authenticate even if the WAN connection from the
branch office is not available. Only the users who normally log on in the
branch office should be able to do this. How would you configure the
password replication policy?
4. You need to install a domain controller by using the install from media option.
What steps do you need to take to complete this process?
5. Will you be deploying RODCs in your AD DS environment? Describe the
deployment scenario.
6. You are deploying a domain controller in a branch office. The office has a
WAN connection to the main office that has very little available bandwidth and
is not very reliable. Should you configure the branch office domain controller
as a global catalog server?
Considerations
Keep the following considerations in mind when you are implementing RODCs
and managing domain controller roles:
• You can install the AD DS Server role on all Windows Server 2008 editions
except Windows Server 2008 Web Server Edition.
• Consider installing an RODC on a Windows Server 2008 Server Core computer
to provide additional security for your domain environment; Server Core has
a smaller attack surface because it omits the graphical shell and many other
components that a branch server does not need.
• To install AD DS on a Server Core computer, you must use an unattended
installation.
• Plan the password replication policies carefully in your organization. If you
enable credential caching for most of the accounts in your domain, you will
increase the impact to your organization if the RODC is compromised. If you
do not enable any credential caching, you increase the impact to the branch
office location if the WAN link to the main office is not available.
• In most cases, deploying a global catalog server in a site will improve the logon
experience for users. However, deploying a global catalog in a remote office
also increases the network bandwidth used for replication.
• Operations master roles provide important services on a network, but the
services are not usually time critical. Most of the time, if a domain controller
holding an operations master role fails, you do not immediately need to seize
the role to another domain controller if the failed server can be repaired within
a few hours. If you do seize a role, never bring the original holder back online
without reinstalling it; otherwise two domain controllers will claim the same role.
Configuring Domain Name Service for Active Directory Domain Services 2-1
Module 2
Configuring Domain Name Service for Active
Directory Domain Services
Contents:
Lesson 1: Overview of Active Directory Domain Services and
DNS Integration 2-3
Lesson 2: Configuring AD DS Integrated Zones 2-11
Lesson 3: Configuring Read-Only DNS Zones 2-19
Lab: Configuring AD DS and DNS Integration 2-23
Module Overview
Lesson 1:
Overview of Active Directory Domain Services
and DNS Integration
Windows Server 2008 requires that a DNS infrastructure be in place before you
install AD DS. Understanding how DNS and AD DS are integrated, and how client
computers use DNS during logon, will help you resolve problems related to DNS,
such as client logon issues.
Key Points
Domains and computers are represented by resource records in the DNS
namespace, and by Active Directory objects in the Active Directory namespace. All
Active Directory domains must have corresponding DNS domains with identical
domain names. Clients rely on DNS to resolve computer host names to IP
addresses, and to locate domain controllers and other computers that provide
AD DS and other network services.
Active Directory requires DNS, but not any particular type of DNS server. Any DNS
server that supports Service (SRV) resource records (RFC 2782) can be used, and
support for dynamic update (RFC 2136) is strongly recommended; a mixture of
Windows and non-Windows DNS servers, such as BIND, is therefore possible.
Question: What is the relationship between Active Directory domain names and
DNS zone names?
Additional Reading:
• Active Directory integration
• DNS integration
Key Points
For AD DS to function properly, client computers must be able to locate servers
that provide specific services, such as authentication of logon requests, and
servers that provide Telnet or Session Initiation Protocol (SIP) services. AD DS
clients and domain controllers use Service (SRV) resource records to determine
the names and ports of the computers that provide these services, and then
resolve those names to IP addresses. AD DS site-aware applications, such as
Microsoft® Exchange, also use SRV resource records. An SRV record carries a
priority, a weight, a port, and a target host name: clients try the records with
the lowest priority value first, and choose among records of equal priority in
proportion to their weight.
Question: In the following example of two SRV resource records, which record
will a client querying for a SIP service use?
Additional Reading
• Managing resource records
• RFC 2782 - A DNS RR for specifying the location of services (DNS SRV)
Questions:
What is the benefit of replicating the _msdcs zone to the entire forest?
How could one SRV resource record be given preference over another?
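The priority and weight rules that answer the second question, implemented as an added PowerShell example that is not part of the course text. The SRV records are constructed sample data for _sip._tcp.WoodgroveBank.com, not real DNS. Because the DC Locator trusts whatever SRV records DNS returns, the integrity of those records (secure dynamic updates, Lesson 2) is what stops someone from inserting a lower-priority record that points at a host they control.

```powershell
# Added example; not part of the 6425A course text. Implements the RFC 2782
# target selection that the DC Locator and SIP/LDAP clients apply to a set of
# SRV records: lowest priority value first; among records of equal priority,
# pick at random in proportion to weight. The records below are constructed
# sample data for _sip._tcp.WoodgroveBank.com, not real DNS.

function Select-SrvTarget([object[]]$records) {
    $ordered = @($records | Sort-Object Priority)
    $best = $ordered[0].Priority
    $candidates = @($ordered | Where-Object { $_.Priority -eq $best })
    if ($candidates.Count -eq 1) { return $candidates[0] }
    $total = ($candidates | Measure-Object Weight -Sum).Sum
    # all weights zero: RFC 2782 says treat them as equal
    if ($total -eq 0) { return $candidates[(Get-Random -Maximum $candidates.Count)] }
    # weighted pick: a dart in [0, total) walks the cumulative weights, so a
    # record with weight 75 of 100 is chosen about three times in four
    $dart = Get-Random -Minimum 0 -Maximum $total
    $running = 0
    foreach ($r in @($candidates | Sort-Object Weight -Descending)) {
        $running += $r.Weight
        if ($dart -lt $running) { return $r }
    }
}

function New-Srv([int]$priority, [int]$weight, [int]$port, [string]$target) {
    New-Object PSObject -Property @{ Priority = $priority; Weight = $weight; Port = $port; Target = $target }
}

# Two SIP front ends in New York share priority 10 with a 3:1 weight split;
# the Toronto server is a priority-20 backup that is used only if both fail.
$sip = @(
    (New-Srv 10 75 5060 'sip1.nyc.WoodgroveBank.com'),
    (New-Srv 10 25 5060 'sip2.nyc.WoodgroveBank.com'),
    (New-Srv 20  0 5060 'sip1.tor.WoodgroveBank.com')
)

# Run the selection many times to see the distribution the clients will produce.
$tally = @{}
1..1000 | ForEach-Object {
    $t = (Select-SrvTarget $sip).Target
    $tally[$t] = 1 + $tally[$t]
}
$tally    # roughly 750 x sip1.nyc, 250 x sip2.nyc, never sip1.tor

# The Locator applies the same rule to the domain controller records; on a
# domain member you can list them with:
#   nslookup -type=SRV _ldap._tcp.dc._msdcs.WoodgroveBank.com
```

To prefer one record over another, give it a lower priority value (it is then always tried first) or, within the same priority, a higher weight (it is then chosen more often); the domain controller records that the Net Logon service registers all carry priority 0 and weight 100 unless you change the values in Group Policy.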
Key Points
Domain client computers use the locator application programming interface (API)
to locate a domain controller by querying DNS. If SRV resource records are not
available to identify domain controllers, logons may fail. All computers, including
workstations such as the Windows® XP Professional operating system and
Windows Vista® operating system, and servers such as the Windows Server® 2003
operating systems and the Windows Server 2008 operating systems, use the same
process to locate domain controllers.
Additional Reading
• How Domain Controllers Are Located in Windows XP
• Domain Controller Location Process
Key Points
During a search for a domain controller, the Locator attempts to find a domain
controller in the site closest to the client. The domain controller uses the
information stored in Active Directory to determine the closest site. In most cases,
the domain controller that first responds to the client will be in the same site as the
client. But in cases where a computer has physically moved to a different site, or
the domain controller in the local site is unavailable, there is a process to find a
different domain controller.
During Net Logon startup, the Net Logon service on each domain controller
enumerates the site objects in the Configuration container. Net Logon uses the site
information to build an in-memory structure that is used to map IP addresses to
site names.
Additional Reading
• Finding a Domain Controller in the Closest Site
Lesson 2:
Configuring AD DS Integrated Zones
Key Points
One benefit of integrating DNS and AD DS is the ability to store DNS zones in
the Active Directory database instead of in text files. A zone is the portion of
the DNS namespace for which a server is authoritative: a logical grouping of
resource records that is replicated (by zone transfer, or by AD DS replication
for integrated zones) as one unit. Active Directory integrated zones are
multimaster, can use secure dynamic updates, and are protected by the same
replication and access control mechanisms as the rest of the directory.
Additional Reading
• Active Directory integration
Key Points
Three major partitions contain AD DS information:
• The schema partition, which replicates schema information to the entire forest.
• The configuration partition, which replicates information about the physical
structure to the entire forest.
• The domain partition, which replicates domain information to all domain
controllers in a given domain.
In addition, application directory partitions can be created with a custom
replication scope. Windows Server 2003 and later DNS servers store Active
Directory integrated zones in two such partitions, DomainDnsZones (replicated to
all DNS servers in the domain) and ForestDnsZones (replicated to all DNS servers
in the forest), so that zone data replicates only to domain controllers that run
DNS.
Additional Reading
• DNS zone replication in Active Directory
Key Points
You can change the scope of DNS replication any time by using the DNS Microsoft
Management Console (MMC), or the DNSCMD command-line tool. When using
the DNS MMC, you can choose among the following replication scopes:
• To all DNS servers in this forest (the ForestDnsZones application partition).
• To all DNS servers in this domain (the DomainDnsZones application partition;
this is the default storage location).
• To all domain controllers in this domain (the domain partition). Choose this
only if the zone must be readable by Windows 2000 domain controllers, which
cannot host application partitions; otherwise it replicates zone data to domain
controllers that do not run DNS.
• To all domain controllers hosting a particular application partition that you
have created.
Additional Reading
• DNS zone replication in Active Directory
Key Points
Dynamic updates enable DNS client computers to register and dynamically update
their resource records with a DNS server whenever changes occur. This reduces
the need to administer zone records manually, especially for clients that frequently
move or change locations, and that use Dynamic Host Configuration Protocol
(DHCP) to obtain an IP address.
Additional Reading
• Dynamic update
Key Points
Secure dynamic updates work like dynamic updates, with the following exception:
the authoritative name server accepts updates only from clients and servers that
authenticate (using the GSS-TSIG mechanism) and that have permission to write
the record in question. Secure dynamic updates are available only for Active
Directory integrated zones, because the permissions are held on the record
objects in the directory. The account that first registers a record becomes its
owner, so another computer cannot overwrite it.
As the slide shows, the client first attempts a non-secure update. If that attempt
fails, the client then attempts to negotiate a secure update. If the client has been
authenticated to AD DS and has permission to the record, the update will succeed.
A zone that accepts non-secure updates lets any host on the network register or
overwrite records, including the records that clients use to locate domain
controllers, which is why Active Directory integrated zones should be configured
for secure updates only.
Question: What are the benefits of using Active Directory integrated DNS zones?
Questions:
How could you prevent a computer from registering in the DNS database?
When using secure dynamic updates, how can you control which clients are
allowed to update DNS records?
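The weak and the corrected update setting side by side, with the answers to the two questions above (the record ACL, and turning registration off on a client), as an added PowerShell example that is not part of the course text. It assumes that NYC-DC1 hosts the Active Directory integrated zone WoodgroveBank.com in the DomainDnsZones partition; the host app1, the account svc-app1 and the IP address are illustrative.

```powershell
# Added example; not part of the 6425A course text. Assumes NYC-DC1 hosts the
# Active Directory integrated zone WoodgroveBank.com in the DomainDnsZones
# partition; the host app1, the account svc-app1 and the IP address are
# illustrative.
$dns  = 'NYC-DC1'
$zone = 'WoodgroveBank.com'

# MicrosoftDNS_Zone.AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only
function Get-ZoneUpdateMode([string]$server, [string]$zoneName) {
    $z = Get-WmiObject -ComputerName $server -Namespace 'root\MicrosoftDNS' `
                       -Class MicrosoftDNS_Zone -Filter "Name='$zoneName'"
    return [int]$z.AllowUpdate
}

# Weak: 1 lets an unauthenticated sender add or overwrite any record, including
# a DC's A record or the _ldap/_kerberos SRV records, and so steer logons to a
# host it controls.
#   dnscmd $dns /Config $zone /AllowUpdate 1
# Corrected: secure only. The update is authenticated with GSS-TSIG and is
# applied only if the sender has write access to that record's object.
dnscmd $dns /Config $zone /AllowUpdate 2
if ((Get-ZoneUpdateMode $dns $zone) -ne 2) { throw "$zone still accepts nonsecure updates" }

# Who may change a given record is the ACL on its dnsNode object. A record that
# a client registered is owned by that computer account, so nothing else can
# overwrite it; a service that must maintain its own record gets an explicit ACE.
$node = "\\$dns\DC=app1,DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=WoodgroveBank,DC=com"
dsacls $node                                   # list the current ACEs
dsacls $node /G 'WOODGROVEBANK\svc-app1:GW'     # generic write for the service account

# Keeping a machine out of the zone altogether (run on that machine): clear
# 'Register this connection's addresses in DNS' per adapter ...
netsh interface ipv4 set dnsservers name="Local Area Connection" source=static address=10.0.0.10 register=none
# ... or turn registration off for every adapter at once.
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -Name DisableDynamicUpdate -Value 1 -Type DWord
```

Servers that register records on behalf of others (DHCP servers configured to update DNS for their clients) are the usual exception: give them a dedicated low-privilege account for the updates rather than adding them to DnsUpdateProxy, because records created by DnsUpdateProxy members carry no owner and can be overwritten by anyone.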
Key Points
Very large organizations with extremely large zones that store their DNS data in
AD DS sometimes discover that restarting a DNS server can take an hour or more,
while the DNS data is retrieved from the directory service. In earlier versions of
Windows the result was that the DNS server was effectively unavailable to
service client requests for the entire time that it took to load AD DS-based
zones. The Windows Server 2008 DNS server loads Active Directory integrated
zones in the background: it starts answering queries for zones that are already
loaded, and for records it can look up directly in the directory, while the
remaining zones finish loading.
Additional Reading
• DNS Server Role
Lesson 3:
Configuring Read-Only DNS Zones
You can provide additional security by configuring read-only DNS zones on an
RODC. The RODC's copy of an Active Directory integrated zone is read-only:
records cannot be added, changed, or deleted on the RODC, not even by its
administrator, and dynamic updates are referred to a writeable domain controller
rather than being applied locally. While unauthorized personnel will not be able
to alter records on the RODC, clients still have the full functionality of Active
Directory name resolution.
Key Points
When installing a Windows Server 2008 RODC, you are prompted with DNS
Server installation options. The default option is to install the DNS Server role
locally on the RODC with primary read-only copies of the existing AD-integrated
zones for the domain specified, and to add the local IP address as the preferred
DNS server in the local TCP/IP settings. This ensures that the DNS server running
on the RODC has a full read-only copy of those zones and that branch clients can
resolve names even when the WAN link is down.
Additional Reading
• DNS Server Role
Key Points
When a computer becomes an RODC, it replicates a full read-only copy of all
directory partitions that DNS uses, including the domain partition and the
ForestDnsZones and DomainDnsZones application partitions. This ensures that the
DNS server running on the RODC has a full read-only copy of any DNS zones stored
on a centrally located domain controller in those directory partitions. The
administrator of an RODC can view the contents of a primary read-only zone.
However, the administrator can change the contents only by changing the zone on
a DNS server with a writable copy of the DNS database. When a client in the
branch attempts a dynamic update, the RODC refers it to a writeable DNS server,
and after the update succeeds the RODC requests replication of that single
updated record so that the branch sees the change quickly.
Question: How does an RODC increase security?
Additional Reading
• DNS Server Role
Key Points
Answer the questions in a classroom discussion.
Additional Reading
• How DNS Works
Scenario
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has business relationships with two other
entities, Fabrikam Inc. and Contoso Inc. Woodgrove Bank has acquired copies of
the DNS zone files for these entities. All employees in the Woodgrove Bank forest
need access to the DNS records for Contoso Inc. Only employees in the
Woodgrove Bank domain need access to the DNS files for Fabrikam Inc. The
branch office of Woodgrove Bank has a read-only domain controller. This domain
controller will be configured to support both the DNS server service, and all forest-
wide and domain-wide DNS zones. The enterprise administrator has created a
design document for the DNS configuration. The design includes configuring AD
DS integrated zones, configuring DNS dynamic updates, and configuring read-only
DNS zones.
Task 4: Create two new zones based on the zone files for Fabrikam and
Contoso
1. Use Windows Explorer to copy the Contoso.com.dns and the
Fabrikam.com.dns files from D:\6425\Mod02\Labfiles to
C:\Windows\System32\DNS. Leave the Windows Explorer window open.
2. Use the DNS management console to create a new primary standard zone
named Contoso.com using the existing file Contoso.com.dns.
3. Create a new primary standard zone named Fabrikam.com using the existing
file Fabrikam.com.dns.
Result: At the end of this exercise, you will have created Active Directory
integrated DNS zones.
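The same task carried out from the command line, as an added example that is not part of the course materials: it copies the two lab zone files, creates them as standard primary zones with dnscmd (the tool shipped with the DNS Server role), then converts each to an AD DS-integrated zone with the replication scope the lab scenario asks for (Contoso forest-wide, Fabrikam domain-wide) and turns on secure dynamic updates. The ForestDnsZones/DomainDnsZones partition names for the WoodgroveBank.com forest and the conversion step are assumptions; the file paths are the lab's.

```powershell
# Added example (not course code): create the lab zones with dnscmd instead of
# the DNS console. Paths come from the lab; partition names are assumed for
# the WoodgroveBank.com forest.
$labFiles = 'D:\6425\Mod02\Labfiles'
$dnsDir   = Join-Path $env:SystemRoot 'System32\dns'

foreach ($zone in 'Contoso.com', 'Fabrikam.com') {
    $file = "$zone.dns"
    Copy-Item -Path (Join-Path $labFiles $file) -Destination $dnsDir

    # /Primary /file <name> /load: standard primary zone that loads the
    # existing zone file rather than generating an empty one.
    dnscmd /ZoneAdd $zone /Primary /file $file /load
}

# Contoso records are needed by every domain in the forest, Fabrikam records
# only by this domain. Storing each zone in the matching application
# partition limits where the data replicates (assumed partition names).
dnscmd /ZoneResetType Contoso.com  /DsPrimary /dp ForestDnsZones.WoodgroveBank.com
dnscmd /ZoneResetType Fabrikam.com /DsPrimary /dp DomainDnsZones.WoodgroveBank.com

# Only AD DS-integrated zones can require secure dynamic updates
# (/AllowUpdate 2); a standard primary zone cannot.
dnscmd /Config Contoso.com  /AllowUpdate 2
dnscmd /Config Fabrikam.com /AllowUpdate 2

# Verify zone type, storage partition and update setting.
foreach ($zone in 'Contoso.com', 'Fabrikam.com') {
    dnscmd /ZoneInfo $zone
}
dnscmd /EnumZones
```

The verification output should list both zones as AD-integrated primary zones with the expected directory partition; if `/ZoneInfo` still reports a file-backed primary zone, the reset did not take and the zone is still replicating to nowhere.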
Result: At the end of this exercise, you will have configured the DNS server to
support all domain-wide and forest-wide zones.
Review Questions
1. How does a client computer determine what site it is in?
2. List at least three benefits of Active Directory integrated zones.
3. In the following example of two SRV resource records, which record will be
used by a client querying for a SIP service?
• _sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.
• _sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.
4. What permissions are required to create DNS application directory partitions?
5. What utilities are available to create application partitions?
6. What is the default state of dynamic updates for an Active Directory integrated
zone?
7. What is the default state of dynamic updates for a standard primary zone?
8. What groups have permission to perform secure dynamic updates?
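How a client selects among SRV records by priority and weight, as an added example (not from the course): the two `_sip._tcp` records from review question 3 are parsed and run through the RFC 2782 selection rule, and a second, constructed record set with equal priorities shows the weight-based spreading that the first set never exercises. The function names are my own.

```powershell
# Added example (not course code): SRV record selection as a client performs
# it. The first record set is the one in review question 3; the second is
# constructed to show weighting among equal priorities.
function ConvertFrom-SrvRecord {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Zone-file order: name ttl class type priority weight port target
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'SRV') { continue }
        New-Object PSObject -Property @{
            Name = $f[0]; Ttl = [int]$f[1]; Priority = [int]$f[4]
            Weight = [int]$f[5]; Port = [int]$f[6]; Target = $f[7].TrimEnd('.')
        }
    }
}

function Select-SrvTarget {
    param([object[]]$Records)
    # Only records with the lowest priority value are candidates; higher
    # values are used only when every lower-priority target fails.
    $lowest = ($Records | Measure-Object -Property Priority -Minimum).Minimum
    $candidates = @($Records | Where-Object { $_.Priority -eq $lowest })
    # Among equals, the chance of being picked is weight / sum of weights.
    $total = ($candidates | Measure-Object -Property Weight -Sum).Sum
    if ($total -eq 0) { return $candidates[0] }
    $pick = Get-Random -Minimum 0 -Maximum $total
    $running = 0
    foreach ($r in $candidates) {
        $running += $r.Weight
        if ($pick -lt $running) { return $r }
    }
}

$records = ConvertFrom-SrvRecord @(
    '_sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.',
    '_sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.'
)
# Priority 10 beats 50 regardless of weight, so Lcs1 is always selected here.
(Select-SrvTarget $records).Target

# Constructed set: equal priorities, so about 75% of picks go to Lcs1.
$balanced = ConvertFrom-SrvRecord @(
    '_sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.',
    '_sip._tcp.example.com. 86400 IN SRV 10 20 5060 Lcs2.contoso.com.'
)
1..1000 | ForEach-Object { (Select-SrvTarget $balanced).Target } |
    Group-Object | Select-Object Name, Count
```

Against a live server the equivalent check is `nslookup -type=SRV _sip._tcp.example.com`; the point to remember for AD DS is that the domain controller locator uses the same priority/weight fields in the `_ldap._tcp` and `_kerberos._tcp` records, so a DC registered with a wrong priority quietly takes all or none of the client load.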
Considerations
When configuring AD DS and DNS integration, keep the following considerations
in mind:
• Because of the dependency Windows Server 2008 and Active Directory clients
have on DNS, the first step in troubleshooting Active Directory issues often is
to troubleshoot DNS.
• Service locator records are critical to Active Directory functioning properly.
• Service locator records need to be highly available.
• Windows Server 2008 can operate with any compatible DNS server, but Active
Directory integrated zones provide additional features and security.
• Active Directory integrated zones can be replicated to domain wide or forest
wide, or to specific domain controllers via custom application partitions.
• Internal DNS records should be kept separate from public DNS records.
• Dynamic updates lighten the administrative overhead of maintaining the DNS
zone database.
• Dynamic updates can be limited to Authenticated Users.
• Background zone loading will reduce the time for DNS servers to become
available after a restart.
• You can use read-only DNS in conjunction with read-only domain controllers
to provide security while still providing required client functionality.
Module 3
Configuring Active Directory Objects and Trusts
Contents:
Lesson 1: Configuring Active Directory Objects 3-3
Lesson 2: Strategies for Using Groups 3-14
Lesson 3: Automating AD DS Object Management 3-20
Lab A: Configuring Active Directory Objects 3-28
Lesson 4: Delegating Administrative Access to AD DS Objects 3-40
Lesson 5: Configuring AD DS Trusts 3-48
Lab B: Configuring Active Directory Delegation and Trusts 3-57
Module Overview
After the initial deployment of Active Directory® Domain Services (AD DS), the
most common tasks for an AD DS administrator are configuring and managing AD
DS objects. In most organizations, each employee is issued a user account, which is
added to one or more groups in AD DS. The user and group accounts enable
access to Windows Server-based network resources such as Web sites, mailboxes,
and shared folders.
This module describes how to perform many of these administrative tasks, and
options available for delegating or automating these tasks. This module also
describes how to configure and manage Active Directory trusts.
Lesson 1:
Configuring Active Directory Objects
Types of AD DS Objects
Key Points
You can create several different objects in Active Directory.
Additional Reading
• Active Directory Users and Computers Help
Questions:
How would you create several user objects with the same settings for attributes
such as department and office location?
Under what circumstances would you disable a user account rather than delete the
user account?
AD DS Group Types
Key Points
AD DS supports two group types.
Additional Reading
• Active Directory Users and Computers Help
AD DS Group Scopes
Key Points
Windows Server 2008 supports the group scopes shown on the slide.
Additional Reading
• Active Directory Users and Computers Help: Managing Groups
Default AD DS Groups
Key Points
Windows Server 2008 provides many built-in groups, which are created
automatically when you install an Active Directory domain. You can use built-in
groups to manage access to shared resources, and to delegate specific Active
Directory administrative roles. For example, you could put the user account of an
AD DS administrator into the Account Operators group to allow the administrator
to create user accounts and groups.
Additional Reading
• Microsoft Technet Default Groups
AD DS Special Identities
Key Points
Servers running Windows Server 2008 include several special identities, generally
referred to as special groups or special identities. These identities are in addition to
the groups in the Users and Built-in containers.
Additional Reading
• Microsoft Technet article: Special identities of ADM (Administrative Template)
Files in Windows
Scenario
Woodgrove Bank has more than 100 servers worldwide. You must determine
whether you can use default groups, or whether you must create groups and then
assign specific user rights or permissions to them, to perform the following
administrative tasks.
You must assign default groups, special identities, or create new groups for the
following tasks. List the name of the default group that has the most restrictive
user rights for performing the following actions, or determine whether you must
create a new group:
1. Backing up and restoring domain controllers
2. Backing up, but not restoring, files on member servers
3. Creating groups in the Sales organizational unit
4. Granting access to a shared folder to which all Woodgrove Bank Employees
need access. Employees are located in two different domains in the same forest
Questions:
What options are available for changing an AD DS group’s scope and type?
What are the benefits of assigning group managers? Is this a setting that you would
configure in your organization?
Additional Reading
• Active Directory Users and Computers Help: Managing Groups
Questions:
What are the reasons why you would create organizational units?
What are the benefits and limitations of using printer objects and shared folder
objects in AD DS?
Additional Reading
• Active Directory Users and Computers Help
Lesson 2:
Strategies for Using Groups
Key Points
One of the primary reasons for creating users and groups in AD DS is so that users
can gain access to shared resources, such as shared folders, printers, Windows
SharePoint® Services sites, or applications.
Additional Reading
• Microsoft Technet article: Selecting a Resource Authorization Method
Key Points
When you use account groups only to assign access to resources, you first add all
user accounts to the groups, and then assign the group a set of access permissions.
For example, an administrator can put all accounting user accounts into a global
group called GG-All Accountants, and then assign this group permissions to a
shared resource. In a single domain environment, you can use domain local
groups, global groups, or universal groups to assign access to resources.
Additional Reading
• Microsoft Technet article: AG/ACL Method
Key Points
When you use account groups and resource groups, you first add users with
similar access requirements into account groups, and then add the account groups
as members to a resource group, to which you grant specific resource-access
permissions.
This strategy provides the most flexibility while reducing the complexity of
assigning access permissions to the network. This method is used most commonly
by large organizations for controlling access to resources.
Additional Reading
• Microsoft Technet article: AG/RG Method
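The account group / resource group pattern from the two Key Points above, built with ADSI from PowerShell, as an added example that is not part of the course: an account group holds the people, a resource group holds the permission, and the account group is nested in the resource group. The OU, the resource-group name, the share path and the domain are assumptions modelled on the course's GG-All Accountants example; the `New-AdsiGroup` helper is mine.

```powershell
# Added example (not course code): AG/RG groups created with ADSI, which
# works on Windows Server 2008 without the Active Directory module.
# Names, OU and share path are assumptions.
function New-AdsiGroup {
    param([string]$ContainerPath, [string]$Name, [int]$GroupType)
    $container = [ADSI]$ContainerPath
    $g = $container.Create('group', "CN=$Name")
    $g.Put('sAMAccountName', $Name)
    $g.Put('groupType', $GroupType)
    $g.SetInfo()
    return $g
}

# groupType = 0x80000000 (security-enabled) combined with the scope bit.
$GlobalSecurity      = -2147483646   # 0x80000002
$DomainLocalSecurity = -2147483644   # 0x80000004

$ou = 'LDAP://OU=Accounting,DC=WoodgroveBank,DC=com'

# Account group: membership changes happen here and nowhere else.
$gg = New-AdsiGroup $ou 'GG-All Accountants' $GlobalSecurity
# Resource group: one per resource and access level; it carries the ACE.
$dl = New-AdsiGroup $ou 'DL-AccountingData-Modify' $DomainLocalSecurity

# Nest the account group in the resource group (IADsGroup::Add takes an ADsPath).
$dl.Add($gg.psbase.Path)

# Grant the NTFS permission to the resource group only. (OI)(CI) make the
# entry inherit to files and subfolders; M = Modify.
icacls 'D:\Shares\AccountingData' /grant 'WOODGROVEBANK\DL-AccountingData-Modify:(OI)(CI)M'

# Review: who is in the resource group, and what the ACL now says.
$dl.Members() | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
icacls 'D:\Shares\AccountingData'
```

Adding the global group to the domain local group, rather than granting the global group directly, is what keeps the second and third scenarios on the next page cheap: a new department or a second domain's users are added to the resource group as one more member, and the ACL on the share never changes.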
Read the scenarios, and create a plan for configuring groups and assigning access
to resources in each scenario.
Example 1
Contoso, Ltd has a single domain that is located in Paris, France. Contoso, Ltd
managers need access to the Inventory database to perform their jobs.
Question: What do you do to ensure that the managers have access to the
Inventory database?
Example 2
Contoso, Ltd has determined that all Accounting division personnel must have full
access to the accounting data. Also, Contoso, Ltd executives must be able to view
the data. Contoso, Ltd wants to create the group structure for the entire
Accounting division, which also includes the Accounts Payable and Accounts
Receivable departments.
Question: What do you do to ensure that the managers have the required access
and that there is a minimum of administration?
Example 3
Contoso, Ltd has expanded to include operations in South America and Asia, and
now contains three domains: the Contoso.com domain, the Asia.contoso.com
domain, and the SA.contoso.com domain. You need to grant all IT managers,
across all domains, access to the Admin_tools shared folder in the Contoso
domain. You also need to grant the IT managers access to other resources in the
future.
Question: How can you achieve the desired result with the least amount of
administrative effort?
Lesson 3:
Automating AD DS Object Management
Key Points
Windows Server 2008 provides a number of tools that you can use to create or
modify multiple user accounts automatically in AD DS. Some of these tools require
that you use a text file containing information about the user accounts that you
want to create. You also can create Windows® PowerShell scripts to add objects or
make changes to Active Directory objects.
Key Points
Use these command-line tools to configure AD DS objects.
Key Points
You can use the Ldifde command-line tool to create and make changes to multiple
accounts. When you use the Ldifde tool, you will use a line-separated text file to
provide the command’s input information.
Additional Reading
• Microsoft Technet article: LDIFDE
Key Points
You can use the Csvde command-line tool to create multiple accounts in AD DS;
however, you only can use the Csvde tool to create accounts, not to change them.
Additional Reading
• Microsoft Technet article: CSVDE
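Both tools from the two Key Points above driven from one script, as an added example that is not course code: it writes a small LDIF file (one add and one modify) and a CSV file (adds only), imports them with Ldifde and Csvde, and exports the result to confirm. The OU, user names and file locations are constructed for the example.

```powershell
# Added example (not course code): bulk account creation with Ldifde and
# Csvde from files generated here. OU and user names are constructed.
$ouDn = 'OU=Interns,DC=WoodgroveBank,DC=com'

# LDIF can add and modify. Records are separated by a blank line; "-" ends
# each modify operation.
$ldif = @"
dn: CN=Intern One,$ouDn
changetype: add
objectClass: user
sAMAccountName: intern1
userPrincipalName: intern1@WoodgroveBank.com
displayName: Intern One

dn: CN=Intern One,$ouDn
changetype: modify
replace: description
description: Summer intern, Accounting
-
"@
Set-Content -Path 'C:\Temp\interns.ldf' -Value $ldif -Encoding ASCII

# CSV can only add. The header row names the attributes; DN comes first.
$csv = @"
DN,objectClass,sAMAccountName,userPrincipalName,displayName
"CN=Intern Two,$ouDn",user,intern2,intern2@WoodgroveBank.com,Intern Two
"CN=Intern Three,$ouDn",user,intern3,intern3@WoodgroveBank.com,Intern Three
"@
Set-Content -Path 'C:\Temp\interns.csv' -Value $csv -Encoding ASCII

# -i import, -f file, -k keep going past "already exists" errors,
# -j directory for the log file.
ldifde -i -f 'C:\Temp\interns.ldf' -k -j 'C:\Temp'
csvde  -i -f 'C:\Temp\interns.csv' -k -j 'C:\Temp'

# Export to confirm: -d base DN, -r LDAP filter, -l attribute list.
ldifde -f 'C:\Temp\interns-export.ldf' -d $ouDn -r '(objectClass=user)' `
       -l 'sAMAccountName,userPrincipalName,userAccountControl'
Get-Content 'C:\Temp\interns-export.ldf'
```

Neither tool sets a password over plain LDAP (Ldifde can write `unicodePwd` only over an SSL-protected connection, Csvde not at all), so the accounts above are created disabled, which is the safe default: they stay unusable until an administrator sets a password and enables them, and `userAccountControl` in the export shows that state.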
Key Points
Windows PowerShell is an extensible scripting and command-line technology that
developers and administrators can use to automate tasks in a Windows
environment. Windows PowerShell uses a set of small cmdlets that each perform a
specific task; cmdlets can also be combined to perform complex administrative
tasks.
Additional Reading
• Microsoft Support: Windows PowerShell 1.0 Documentation Pack
Key Points
Windows PowerShell is easy to learn because of its use of cmdlets. Pipelining is
consistent across all cmdlets.
Additional Reading
• Windows PowerShell 1.0 Documentation Pack
Questions:
What are the advantages and disadvantages of modifying Active Directory objects
by using Windows PowerShell scripts?
Additional Reading
• Windows PowerShell Blog
• Microsoft Technet article: Scripting with Windows PowerShell
Scenario
Woodgrove Bank has several requirements for managing Active Directory objects.
The organization frequently hires interns who must have limited permissions, and
whose accounts must be set to expire automatically when the internship is
complete. User accounts also must be configured with a standard configuration
that includes settings such as user profile settings, and mapped drives for home
folders. The organization also requires AD DS groups that will be used to assign
permissions to a variety of network resources. As much as possible, the
organization would like to automate the user and group management tasks.
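A Windows PowerShell function that produces the kind of standardized account the scenario describes (expiry date, profile path, mapped home folder, password change at first logon), as an added example that is not course code. It uses the ADSI interfaces that Windows PowerShell 1.0 on Windows Server 2008 already has, not the later Active Directory module. The OU, file server, domain name and the `New-StandardUser` name are assumptions.

```powershell
# Added example (not course code): create a user with the lab's standard
# settings through ADSI. OU, server and domain names are assumptions.
function New-StandardUser {
    param(
        [string]$OuPath,          # e.g. LDAP://OU=Interns,DC=WoodgroveBank,DC=com
        [string]$SamAccountName,
        [string]$DisplayName,
        [string]$InitialPassword,
        [string]$FileServer,
        [datetime]$ExpiresOn      # omit for accounts that never expire
    )
    $ou   = [ADSI]$OuPath
    $user = $ou.Create('user', "CN=$DisplayName")
    $user.Put('sAMAccountName',    $SamAccountName)
    $user.Put('displayName',       $DisplayName)
    $user.Put('userPrincipalName', "$SamAccountName@WoodgroveBank.com")
    $user.Put('homeDrive',         'H:')
    $user.Put('homeDirectory',     "\\$FileServer\Home\$SamAccountName")
    $user.Put('profilePath',       "\\$FileServer\Profiles\$SamAccountName")
    $user.SetInfo()   # object must exist before password and expiry can be set

    $user.SetPassword($InitialPassword)
    $user.Put('pwdLastSet', 0)    # 0 = must change password at next logon
    if ($PSBoundParameters.ContainsKey('ExpiresOn')) {
        # Stored as accountExpires (a FILETIME); IADsUser exposes it as a date.
        $user.psbase.InvokeSet('AccountExpirationDate', $ExpiresOn)
    }
    $user.psbase.InvokeSet('AccountDisabled', $false)
    $user.SetInfo()
    return $user
}

# Interns: the account stops working by itself when the internship ends.
# Constructed date and names.
$endOfInternship = Get-Date '2008-09-30'
New-StandardUser -OuPath 'LDAP://OU=Interns,DC=WoodgroveBank,DC=com' `
    -SamAccountName 'intern4' -DisplayName 'Intern Four' `
    -InitialPassword (Read-Host 'Initial password') -FileServer 'NYC-SVR1' `
    -ExpiresOn $endOfInternship
```

The expiry is set on the account rather than left to a reminder: an expired account is refused at logon without anyone having to remember to disable it, which is the requirement the scenario states for interns.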
Result: At the end of this exercise, you will have configured Active Directory
objects.
Folder     Contents
ExecData   \HeadOffice
           \Branch
           \Corp
The AD DS planning group has established the following naming scheme for AD
DS groups:
• Three-character location code: NYC, TOR, MIA, LON, and TOK
• For groups that contain accounts from multiple domains, use the location
code WGB.
• For groups that do not have a specific location, include the domain name in
the group name.
ExecData\HeadOfficeReports
ExecData\BranchReports\NYC
ExecData\BranchReports\Toronto
ExecData\BranchReports\Miami
ExecData\BranchReports\London
ExecData\BranchReports\Tokyo
ExecData\Corp
Note: To simplify the implementation process, some of the required groups may already
have been created. In addition, you configure the required groups for only
WoodgroveBank.com and EMEA.WoodgroveBank.com.
1. On NYC-DC1, in Active Directory Users and Computers, verify that all of the
global groups required to assign permission have been created.
2. On LON-DC1, in Active Directory Users and Computers, verify that all of the
global groups required to assign permission have been created.
3. On NYC-DC1, create the required universal groups based on the group
implementation strategy. Create the universal groups in the Executives OU.
4. Create the required domain local groups based on the group implementation
strategy.
Result: At the end of this exercise, you will have implemented a group
implementation strategy.
Result: At the end of this exercise, you will have examined several options for
automating the management of user objects.
Lesson 4:
Delegating Administrative Access to AD DS
Objects
Many of the AD DS administration tasks are quite easy to perform, but can be quite
repetitive. One of the options available in Windows Server 2008 AD DS, is to
delegate some of those administrative tasks to other administrators or users. By
delegating control, you can enable these users to perform specific Active Directory
management tasks, without granting them more permissions than they need.
Key Points
Active Directory object permissions secure resources by enabling you to control
which administrators or users can access individual objects or object attributes,
and to control the type of access they have. You use permissions to assign
administrative privileges for an organizational unit or a hierarchy of organizational
units, to manage Active Directory objects.
Questions:
What are the risks with using special permissions to assign AD DS permissions?
What permissions would a user have on an object if you granted them the Full
Control permission and denied the user Write access?
Additional Reading
• Microsoft Technet article: Access control in Active Directory
• Microsoft Technet article: Assign, change, or remove permissions on Active
Directory objects or attributes
Questions:
What would happen to an object’s permissions if you moved the object from one
OU to another if the OUs had different permissions applied?
What would happen if you removed all permissions from an OU when you
blocked inheritance and did not assign any new permissions?
Additional Reading
• Microsoft Technet article: Assign, change, or remove permissions on Active
Directory objects or attributes
Key Points
The Effective Permissions tool helps you to determine the permissions for an
Active Directory object. This tool calculates the permissions that are granted to the
specified user or group, and takes into account the permissions that are in effect
from group memberships and any permissions inherited from parent objects.
Additional Reading
• Microsoft Technet article: Effective Permissions tool
Key Points
Delegation of control is the ability to assign management responsibility of Active
Directory objects to another user or group.
Delegated administration helps to ease the administrative burden of managing
your network by distributing routine administrative tasks to multiple users. With
delegated administration, you can assign basic administrative tasks to regular users
or groups. For example, you could give supervisors the right to modify group
memberships in their department.
By delegating administration, you give groups in your organization more control of
their local network resources. You also help secure your network from accidental
or malicious damage by limiting the membership of administrator groups.
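Delegation done with dsacls, as an added example that is not course code: two groups get different slices of control over one OU (full user management for junior administrators, password reset only for the help desk), and the ACL is read back afterwards. The Toronto OU and the group names are assumptions based on the lab.

```powershell
# Added example (not course code): delegate user management for one OU with
# dsacls and review the result. OU and group names are assumptions.
$ou       = 'OU=Toronto,DC=WoodgroveBank,DC=com'
$admins   = 'WOODGROVEBANK\TOR-UserAdmins'
$helpdesk = 'WOODGROVEBANK\TOR-HelpDesk'

# Junior admins: create and delete user objects in this OU and its sub-OUs
# (/I:T = this object and all children; CC/DC = create/delete child of the
# named class), plus full control over the user objects themselves
# (/I:S = child objects only; GA limited to inherited object type "user").
dsacls $ou /I:T /G "${admins}:CCDC;user"
dsacls $ou /I:S /G "${admins}:GA;;user"

# Help desk: only the Reset Password extended right and write access to the
# lockout attribute on user objects. Nothing else is granted.
dsacls $ou /I:S /G "${helpdesk}:CA;Reset Password;user"
dsacls $ou /I:S /G "${helpdesk}:WP;lockoutTime;user"

# Review the DACL on the OU and on one user, inherited entries included.
dsacls $ou
dsacls "CN=Test User,$ou"

# To withdraw a delegation, remove the group's entries (/R) rather than
# adding a Deny: Deny entries override grants and complicate later audits.
# dsacls $ou /R $helpdesk
```

Because every entry above is inherited from the OU, a user object moved to another OU drops these entries and picks up whatever its new parent grants; that is also why a "block inheritance, assign nothing" change on an OU leaves its users with only the explicit entries on each object.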
Lesson 5:
Configuring AD DS Trusts
Many organizations that deploy AD DS will deploy only one domain. However,
larger organizations, or organizations that need to enable access to resources in
other organizations or business units, may deploy several domains in the same
Active Directory forest or a separate forest. For users to access resources between
the domains, you must configure the domains or forests with trusts. This lesson
describes how to configure and manage trusts in an Active Directory environment.
Key Points
Trusts allow the credentials of security principals in one domain to be accepted
by another domain, and are necessary to allow resource access between domains.
When you configure a trust between domains, a user is authenticated in their own
domain, and their security credentials can then be used to access resources in the
other domain.
AD DS Trust Options
Key Points
The graphic on the slide describes the trust options supported by Windows
Server 2008.
Questions:
If you were going to configure a trust between a Windows Server 2008 domain and
a Windows NT 4.0 domain, what type of trust would you need to configure?
If you need to share resources between domains, but do not want to configure a
trust, how could you provide access to the shared resources?
A user located in a different domain in your forest needs permission to create
GPOs in your domain. What is the best way to accomplish this?
Additional Reading
• Active Directory Domains and Trusts Help: Managing Trusts
Key Points
When you set up trusts between domains either within the same forest, across
forests, or with an external realm, information about these trusts is stored in AD
DS so you can retrieve it when necessary. A trusted domain object (TDO) stores
this information.
The TDO stores information about the trust such as the trust transitivity and type.
Whenever you create a trust, a new TDO is created and stored in the System
container in the trust’s domain.
Additional Reading
• Active Directory Domains and Trusts Help: Managing Trusts
Key Points
Windows Server 2008 supports cross-forest trusts, which allow users in one forest
to access resources in another forest. When a user attempts to access a resource in
a trusted forest, AD DS must first locate the resource. After the resource is located,
the user can be authenticated and allowed to access the resource.
Additional Reading
• Microsoft Technet article: How Domains and Forests Work
Questions:
When you set up a forest trust, what information will need to be available in DNS
in order for the forest trust to work?
Additional Reading
• Active Directory Domains and Trusts Help: Create a shortcut trust, Create an
external trust, Create a forest trust
Key Points
A user principal name (UPN) is a logon name that is used only to log on to a
Windows Server 2008 network. There are two parts to a UPN, which are separated
by the @ sign, for example, suzan@WoodgroveBank.com.
• The user principal name prefix, which in this example is suzan.
• The user principal name suffix, which in this example is WoodgroveBank.com.
By default, the suffix is the domain name in which the user account was created.
You can use the other domains in the network, or additional suffixes that you
created, to configure other suffixes for users. For example, you may want to
configure a suffix to create user logon names that match users’ e-mail addresses.
Additional Reading
• Microsoft Technet article: Active Directory naming
Key Points
Another option for restricting authentication across trusts in a Windows
Server 2008 forest is selective authentication. With selective authentication, you
can restrict which computers in your forest can be accessed by another forest’s
users.
Questions:
What would happen if you configured a new UPN suffix in a forest after a trust had
been configured with another forest that had the same UPN suffix?
Additional Reading
• Microsoft Technet article: Enable selective authentication over a forest trust
• Microsoft Technet article: Grant the Allowed to Authenticate permission on
computers in the trusting domain or forest
Scenario
To optimize the use of AD DS administrator time, Woodgrove Bank would like to
delegate some administrative tasks to junior administrators. These administrators
will be granted access to manage user and group accounts in different OUs.
Woodgrove Bank also has established a partner relationship with Fabrikam Ltd.
Some users in each organization must be able to access resources in the other
organization. However, the access between organizations must be limited to as few
users and as few servers as possible.
Note: This step is included in the lab to enable you to test the delegated permissions. As
a best practice, you should install the administration tools on a Windows workstation
rather than enable Domain Users to log on to domain controllers.
1. On NYC-DC1, start Group Policy Management, and then edit the Default
Domain Controllers Policy.
2. In the Group Policy Management Editor window, access the User Rights
Assignment folder.
3. Double-click Allow log on locally. In the Allow log on locally Properties
dialog box, click Add User or Group.
4. Grant the Domain Users group the log on locally right.
5. Open a command prompt, and type GPUpdate /force and then press ENTER.
Result: At the end of this exercise, you will have delegated the administrative
tasks for the Toronto office.
Task 2: Configure the Network and DNS Settings to enable the forest
trust
1. On VAN-DC1, modify the Local Area Network properties to change the IP
address to 10.10.0.110, the Default gateway to 10.10.0.1, and the Preferred
DNS server to 10.10.0.110, and then click OK.
2. Synchronize the time on VAN-DC1 with NYC-DC1.
3. In DNS Manager, add a conditional forwarder to forward all queries for
Woodgrovebank.com to 10.10.0.10.
4. In Active Directory Domains and Trusts, raise the domain and forest functional
level to Windows Server 2003.
5. On NYC-DC1, in the DNS Manager console, add a conditional forwarder to
forward all queries for Fabrikam.com to 10.10.0.110.
6. Close the DNS Manager console.
Result: At the end of this exercise, you will have configured trusts based on a
trust configuration design.
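The network, time and DNS steps of Task 2 as commands, followed by the selective authentication tightening that Lesson 5 describes, as an added example that is not course code. The IP addresses are the lab's; the subnet mask, interface name, partner server, partner group and OU are assumptions, and the trust itself is assumed to have been created with the wizard as the lab directs.

```powershell
# Added example (not course code): forest-trust prerequisites and selective
# authentication from the command line. Addresses are the lab's; mask,
# interface, server, OU and group names are assumptions.

# --- On VAN-DC1 (Fabrikam.com) ---
# 1. Static address, gateway and preferred DNS (the local server).
netsh interface ipv4 set address name="Local Area Connection" source=static address=10.10.0.110 mask=255.255.0.0 gateway=10.10.0.1
netsh interface ipv4 set dnsservers name="Local Area Connection" source=static address=10.10.0.110 register=primary

# 2. Time: Kerberos across the trust fails if the clocks differ by more than
#    the allowed skew (5 minutes by default), so sync with the partner's DC.
w32tm /config /manualpeerlist:NYC-DC1 /syncfromflags:manual /update
w32tm /resync

# 3. Conditional forwarder so Fabrikam can locate Woodgrove Bank DCs.
dnscmd /ZoneAdd WoodgroveBank.com /Forwarder 10.10.0.10

# --- On NYC-DC1 (WoodgroveBank.com) ---
dnscmd /ZoneAdd Fabrikam.com /Forwarder 10.10.0.110

# Verify from each side before creating the trust: the DC locator SRV
# records of the other forest must resolve through the forwarder.
nslookup -type=SRV _ldap._tcp.dc._msdcs.Fabrikam.com 10.10.0.10
nslookup -type=SRV _ldap._tcp.dc._msdcs.WoodgroveBank.com 10.10.0.110

# --- After the forest trust exists ---
netdom trust WoodgroveBank.com /d:Fabrikam.com /verify

# Selective authentication: Fabrikam users no longer get the implicit
# Authenticated Users access in this forest; they can reach only computers
# on which the Allowed to Authenticate right is granted explicitly.
netdom trust WoodgroveBank.com /d:Fabrikam.com /SelectiveAuth:yes

# Grant that right on one server object, to one partner group (assumed names).
$server = 'CN=NYC-SVR1,OU=PartnerServers,DC=WoodgroveBank,DC=com'
dsacls $server /G 'FABRIKAM\Partner Users:CA;Allowed to Authenticate'

# Review: trust list and the server's ACL.
nltest /domain_trusts
dsacls $server
```

Run the two `nslookup` checks first: most forest-trust wizard failures are a forwarder that points at the wrong address or a DC whose SRV records were never registered, and both show up there before the trust is involved at all.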
Review Questions
1. You are responsible for managing accounts and access to resources for your
group’s members. A user in your group leaves the company, and you expect a
replacement for that employee in a few days. What should you do with the
previous user’s account?
2. You need to create several hundred computer accounts in AD DS so that the
accounts can be pre-configured for an unattended installation. What is the best
way to do this?
3. A user reports that she cannot log on to her computer. The error message
indicates that the trust between the computer and the domain is broken. How
will you fix the problem?
4. You have created a global group called Helpdesk, which contains all the help
desk accounts. You want the help desk personnel to be able to perform any
operation on local desktop computers, including taking ownership of files.
Which is the best built-in group to use?
5. The BranchOffice_Admins group has been granted full control of all user
accounts in the BranchOffice_OU. What permissions would the
BranchOffice_Admins have to a user account that was moved from the
BranchOffice_OU to the HeadOffice_OU?
6. Your organization has a Windows Server 2008 forest environment, but it has
just acquired another organization with a Windows 2000 forest environment
that contains a single domain. Users in both organizations must be able to
access resources in each other’s forest. What type of trust do you create
between the forest root domain of each forest?
Tools
Use the following tools when configuring AD DS objects and trusts:
Module 4
Configuring Active Directory Domain Services Sites and
Replication
Contents:
Lesson 1: Overview of Active Directory Domain Services Replication 4-3
Lesson 2: Overview of AD DS Sites and Replication 4-13
Lesson 3: Configuring and Monitoring AD DS Replication 4-22
Lab: Configuring Active Directory Sites and Replication 4-32
Module Overview
Lesson 1:
Overview of Active Directory Domain Services
Replication
Key Points
The slide describes how the different components in AD DS replication work.
Additional Reading
• Active Directory Sites and Services Help: Understanding Sites, Subnets, and
Site Links
• Microsoft Technet article: Replication Model Components
• Microsoft Technet article: How the Active Directory Replication Model Works
Key Points
Within a single site, a notification from the sending domain controller initiates the
replication process. When a database change is made, the sending computer
notifies a replication partner that changes are available. The replication partner
pulls the changes from the sending domain controller using a remote procedure
call (RPC) connection. After replication is complete, the sending domain controller
waits three seconds and then notifies another replication partner, which also pulls
the changes. By default, a domain controller will wait for 15 seconds after a change
is made, and then begin replicating the changes to other domain controllers in the
same site.
Additional Reading
• Active Directory Sites and Services Help: Understanding Sites, Subnets, and
Site Links
• Microsoft Technet article: How the Active Directory Replication Model Works
Key Points
There are three types of conflicts:
• Simultaneously modifying the same attribute value on an object on two
domain controllers.
• Adding or modifying an object on one domain controller at the same time that
the container object for the object is deleted on another domain controller.
• Adding objects with the same relative distinguished name into the same
container.
Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works
Optimizing Replication
Key Points
During replication, domain controllers may use multiple paths for sending and
receiving updates. Although using multiple paths provides both fault tolerance and
improved performance, it can result in updates being replicated to the same
domain controller more than once along different replication paths. To prevent
these repeated replications, AD DS replication uses propagation dampening.
Propagation dampening is the process of reducing the amount of unnecessary data
traveling from one domain controller to another.
Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works
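The dampening mechanism described above, as an added illustration that is not part of the course text or Microsoft's own code: a simplified Python model in which each domain controller stamps its writes with an originating USN and keeps an up-to-dateness vector, so a partner never re-sends a change the puller already received over another path. DC names are constructed, and the real implementation's invocation IDs and per-partner high-watermarks are left out.

```python
"""Simplified model of propagation dampening in AD DS replication.

Added illustration, not code from the course or from Microsoft. Each domain
controller (DC) stamps every originating write with (originating DC, USN) and
keeps an up-to-dateness vector: the highest originating USN it has applied
from each DC. A puller sends that vector to its partner, and the partner skips
every change the vector already covers, so an update that arrived over one
replication path is not sent again over another. DC names are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Change:
    originating_dc: str    # DC where the write originated
    originating_usn: int   # USN the originating DC assigned to the write
    attribute: str
    value: str


@dataclass
class DomainController:
    name: str
    usn: int = 0
    log: list = field(default_factory=list)   # changes applied, in local order
    utd: dict = field(default_factory=dict)   # up-to-dateness vector

    def write(self, attribute, value):
        """Originating write: allocate the next local USN and record it."""
        self.usn += 1
        change = Change(self.name, self.usn, attribute, value)
        self.apply_inbound(change)
        return change

    def apply_inbound(self, change):
        """Apply a change and advance the vector entry for its originator."""
        self.log.append(change)
        current = self.utd.get(change.originating_dc, 0)
        self.utd[change.originating_dc] = max(current, change.originating_usn)

    def changes_for(self, partner_utd):
        """Changes to send to a partner that presented partner_utd.
        Dampening: skip changes whose originating USN the partner's vector
        already covers, whatever path they took to get there."""
        return [c for c in self.log
                if c.originating_usn > partner_utd.get(c.originating_dc, 0)]


def replicate(source, dest):
    """dest pulls from source; returns how many changes crossed the wire."""
    sent = source.changes_for(dest.utd)
    for change in sent:
        dest.apply_inbound(change)
    return len(sent)


def demo():
    """Three DCs in one site with connections A->B, B->C and A->C. The writes
    made on A reach C twice topologically but only once over the wire."""
    a, b, c = (DomainController(n) for n in ("DC-A", "DC-B", "DC-C"))
    a.write("description", "first change")
    a.write("telephoneNumber", "555-0100")
    hops = {
        "A->B": replicate(a, b),   # 2 changes sent
        "B->C": replicate(b, c),   # 2 changes, originated on A, relayed by B
        "A->C": replicate(a, c),   # 0 changes: C's vector already covers A:2
    }
    return hops, dict(c.utd)


if __name__ == "__main__":
    print(demo())
```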
Key Points
The AD DS database is separated logically into directory partitions: a schema
partition, a configuration partition, domain partitions, and application partitions.
Each partition is a unit of replication, and each partition has its own replication
topology.
Additional Reading
• Microsoft Technet article: How the Data Store Works (Directory Partition
section)
• Microsoft Technet article: How the Active Directory Replication Model Works
Key Points
The replication topology is the route by which replication data travels throughout a
network. To create a replication topology, AD DS must determine which domain
controllers replicate data with other domain controllers.
Additional Reading
• Microsoft Technet article: What Is Active Directory Replication Topology?
Key Points
Replication of the schema and configuration partitions follows the same process as
all other directory partitions. However, because these partitions are forest-wide
rather than domain-wide, you can create the connection objects for these partitions
between any two domain controllers, regardless of the domain controller’s domain.
All domain controllers in the forest are included in the replication topology for
these partitions.
Additional Reading
• Microsoft Technet article: What Is Active Directory Replication Topology?
Key Points
When you add domain controllers to a site, AD DS uses the Knowledge
Consistency Checker (KCC) to establish a replication path between domain
controllers.
Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works
Lesson 2:
Overview of AD DS Sites and Replication
Key Points
You use sites to control replication traffic, logon traffic, and client computer
requests to the global catalog server.
Additional Reading
• Active Directory Sites and Services Help: Understanding Sites, Subnets, and
Site Links
Additional Reading
• Active Directory Sites and Services Help: Understanding Sites, Subnets, and
Site Links
Questions:
What would happen to the replication topology if you moved a domain controller
from one site to another site?
You move a domain controller to a new site by using Active Directory Sites and
Services. Six hours later you determine that the domain controller is not replicating
with any other domain controller. What should you check?
Additional Reading
• Active Directory Sites and Services Help: Create a Site, Create a Subnet
Key Points
Within a site, you have very little control over the AD DS replication process. When
you implement multiple sites in an AD DS forest, you also can configure AD DS
replication to ensure optimal network utilization.
Key Points
See the slide for comparisons.
Additional Reading
• Active Directory Sites and Services Help: Understanding Replication Between
Sites
• Microsoft Technet article: What Is Active Directory Replication Topology?
Questions:
If all of the locations in your organization are connected by a wide area network
that has the same available bandwidth, do you need to create additional site links?
Your organization has two sites and a single domain. Can you use SMTP as the
replication protocol between the two sites?
Additional Reading
• Active Directory Sites and Services Help: Create a Site Link
Key Points
The KCC on one domain controller in the site is designated as the site’s Inter-Site
Topology Generator (ISTG). There is only one ISTG per site, regardless of how
many domains or other directory partitions the site has. The ISTG is responsible
for calculating the site’s ideal replication topology.
Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works
Key Points
Because no changes are written directly to the read-only domain controller
(RODC), no changes originate at the RODC. Accordingly, writable domain
controllers that are replication partners do not have to pull changes from the
RODC. This means that any changes or corruption that a malicious user might
make at branch locations cannot replicate from the RODC to the forest. This also
reduces the workload of the hub’s bridgehead servers, and the effort required to
monitor replication.
Additional Reading
• Microsoft Technet article: AD DS: Read-Only Domain Controllers
Lesson 3:
Configuring and Monitoring AD DS Replication
Once you have configured the sites and site links for your AD DS environment, you
can configure AD DS replication. AD DS in Windows Server 2008 provides several
options that you can use to manage how replication will flow between sites.
Because AD DS replication is so critical to your environment, you also need to
know how to monitor AD DS replication.
Key Points
The bridgehead server in an AD DS replication topology is the single domain
controller in each site that is responsible for exchanging replicated data with other
sites. The bridgehead server from the originating site collects all of the replication
changes in its site, and then sends them to the receiving site’s bridgehead server,
which replicates the changes to all of the site’s domain controllers.
By default, the ISTG identifies one domain controller in each site as the bridgehead
server for each site link. If that bridgehead server becomes unavailable, the ISTG
identifies another domain controller as the bridgehead server.
Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works
Question:
Your organization has two sites and two domains in the same forest with domain
controllers for both domains in both sites. You configure one domain controller in
each site as the preferred bridgehead server. Some time later you notice that the
domain controllers for one of the domains are not replicating across the site link.
What do you need to do to fix this?
Additional Reading
• Microsoft Technet article: Managing Intersite Replication
Questions:
You configure site links between the New York site and the Toronto site, and
between the New York site and the London site. The New York-Toronto site link is
available from 2 am to 5 am EST. The New York-London site link is available from
8 pm to 11 pm EST. You create a new user in Toronto. When will the new user
appear in AD DS on a domain controller in London?
Your organization has 4 sites. All of your sites are included in the
DefaultIPSiteLink. You would like to modify the replication schedule for all of the
sites so that replication between sites happens every 15 minutes. What should you
do?
Additional Reading
• Active Directory Sites and Services Help: Configure Intersite Replication
Key Points
By default, all AD DS site links are transitive, or bridged. That means that if site A
shares a site link with site B, and site B shares a site link with site C, the two
site links are bridged: domain controllers in site A can then replicate directly
with domain controllers in site C, even though there is no site link between
sites A and C.
You can modify the default site link bridging configuration by disabling site-link
bridging, and then configuring site link bridging only for those site links that
should be transitive.
Additional Reading
• Microsoft Technet article: How the Active Directory Replication Model Works
Question:
Your organization has five sites. Four of the sites are connected by Wide Area
Network (WAN) links with surplus network bandwidth, while one of the sites is
connected to the other sites by a WAN link with very little available bandwidth.
You disable site link bridging in your organization, and then realize that it is taking
much longer than usual to replicate AD DS changes between sites. What should
you do to optimize replication between the four sites with available bandwidth
while minimizing the network utilization to the site with less available bandwidth?
Additional Reading
• Microsoft Technet article: Managing Intersite Replication
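The cost calculation behind transitive site links and the effect of turning bridging off, as an added Python example that is not part of the course or of Microsoft's tools. It also maps a client address to its site from the subnet-to-site associations. Site and link names follow the naming scheme of this module's lab, the subnets are those of the lab design, and the site link costs are constructed.

```python
"""Least-cost intersite routes, site link bridging and subnet-to-site lookup.

Added example, not code from the course or from Microsoft. It models the cost
calculation the ISTG performs over site links: with site link bridging enabled
(the default) every site link is transitive, so the least-cost route between
two sites may cross intermediate sites; with bridging disabled a site can only
replicate directly with sites on a shared site link or in an explicit site
link bridge. Site names follow the lab naming scheme; costs are constructed.
"""
import heapq
import ipaddress
from itertools import combinations


def build_graph(site_links):
    """site_links: list of (link_name, cost, set_of_sites). Returns
    site -> {neighbour: (cost, link_name)}, keeping the cheapest link per pair."""
    graph = {}
    for name, cost, sites in site_links:
        for a, b in combinations(sorted(sites), 2):
            for x, y in ((a, b), (b, a)):
                best = graph.setdefault(x, {}).get(y)
                if best is None or cost < best[0]:
                    graph[x][y] = (cost, name)
    return graph


def least_cost_route(graph, src, dst):
    """Dijkstra over the site link graph with all links treated as transitive
    (bridging enabled). Returns (total_cost, [sites on route]) or None."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if site == dst:
            route = [dst]
            while route[-1] != src:
                route.append(prev[route[-1]])
            return cost, route[::-1]
        if cost > dist[site]:
            continue
        for nxt, (step, _) in graph.get(site, {}).items():
            if cost + step < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = cost + step, site
                heapq.heappush(heap, (cost + step, nxt))
    return None


def direct_partners(site, site_links, bridges=()):
    """Sites that can be direct replication partners of `site` when site link
    bridging is disabled: those sharing a site link, plus the sites of every
    link in an explicit bridge that contains one of the site's links
    (member links of a bridge are assumed to form a connected chain)."""
    partners = set()
    for _, _, sites in site_links:
        if site in sites:
            partners |= sites
    for bridge in bridges:
        members = [sites for name, _, sites in site_links if name in bridge]
        if any(site in sites for sites in members):
            for sites in members:
                partners |= sites
    partners.discard(site)
    return partners


def site_for_address(address, subnets):
    """Map a client IP address to its site by longest-prefix match over the
    (subnet, site) associations, as a site-aware client lookup would."""
    ip = ipaddress.ip_address(address)
    matches = [(net.prefixlen, site) for net, site in
               ((ipaddress.ip_network(n), s) for n, s in subnets) if ip in net]
    return max(matches)[1] if matches else None


# Constructed sample data: a hub-and-spoke design around New York
SITE_LINKS = [
    ("NewYork-London-Site-Link", 100, {"NewYork-Site", "London-Site"}),
    ("NewYork-Tokyo-Site-Link", 100, {"NewYork-Site", "Tokyo-Site"}),
    ("NewYork-Miami-Site-Link", 300, {"NewYork-Site", "Miami-Site"}),
]
SUBNETS = [("10.10.0.0/16", "NewYork-Site"), ("10.20.0.0/16", "London-Site"),
           ("10.30.0.0/16", "Miami-Site"), ("10.40.0.0/16", "Tokyo-Site")]


def demo():
    graph = build_graph(SITE_LINKS)
    return {
        # Bridging on: London reaches Miami through New York at cost 400
        "london_to_miami": least_cost_route(graph, "London-Site", "Miami-Site"),
        # Bridging off: Miami's only direct partner site is New York
        "miami_partners": direct_partners("Miami-Site", SITE_LINKS),
        # An explicit bridge of the London and Tokyo links restores transitivity
        "london_partners_bridged": direct_partners(
            "London-Site", SITE_LINKS,
            bridges=[{"NewYork-London-Site-Link", "NewYork-Tokyo-Site-Link"}]),
        "client_site": site_for_address("10.30.4.7", SUBNETS),
    }
```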
Key Points
One of the issues that you may need to address when configuring AD DS
replication is whether to deploy global catalog servers in each site. Because global
catalog servers are required when users log on to the domain, deploying a global
catalog server in each site optimizes the user experience. However, deploying a
global catalog server in a site results in additional replication traffic, which may be
an issue if the network connection between AD DS sites has limited bandwidth. In
these scenarios, you can deploy domain controllers running Windows Server
2008, and then enable universal group membership caching for the site.
Additional Reading
• Microsoft Technet article: Planning Global Catalog Server Placement
Additional Reading
• Microsoft Technet article: Cache universal group memberships
Questions:
Under what circumstance might you want to know which domain controller is the
ISTG in a site?
What information is available in the command line tools that is not available
through the GUI tools?
Scenario
Woodgrove Bank has multiple offices throughout the world. To optimize client
logon traffic and manage AD DS replication, the enterprise administrator has
created a new design for configuring AD DS sites, and for configuring replication
between sites. You need to create AD DS sites and configure replication based on
the enterprise administrator’s design, monitor site replication, and ensure that all
components required for replication are functional.
The current site design at Woodgrove Bank has not been modified from the
default. Other than the default site, no AD DS sites or site links are configured.
The enterprise administrator has created the following site design:
• New York has a 1.544 megabits per second (Mbps) wide area network (WAN)
connection to London, which has 50% available bandwidth. New York and
Tokyo also are connected by a 1.544 Mbps WAN connection that has 50%
available bandwidth. Any changes made to AD DS in any of these three
locations should be replicated to the other locations within one hour.
• Miami is connected to New York through a 256 kilobits per second (Kbps)
WAN connection, which has less than 20% available bandwidth during regular
business hours. Changes made to AD DS in any site in the organization should
not be replicated to Miami during regular business hours.
• The domain controller in Miami should receive updates only from a New York
domain controller. Domain controllers in New York, Tokyo, and London can
receive updates from any domain controller in one of these three sites.
• The domain controller in Miami is not configured as a global catalog server
because of concerns with global catalog replication. To minimize the network
traffic required for authentication, you should enable universal group
membership caching for the Miami site.
• You should configure each company location as a separate site, with a site
name of CityName-Site.
• You should name site links using the following format: CityName-CityName-
Site-Link.
• The network-address configurations for each company location are as follows:
• New York – 10.10.0.0/16
• London – 10.20.0.0/16
• Miami – 10.30.0.0/16
• Tokyo – 10.40.0.0/16
Note: Due to the virtual lab limitations, you will be configuring the sites only for the New
York, London, and Miami locations.
Note: The following lab requires that four virtual machines be running at one time. We
recommend that the student computers be configured with an additional one GB of
RAM (for a total of 3 GB) to improve the virtual machine performance in this lab.
Result: At the end of this exercise, you will have configured AD DS sites and subnets
and linked the subnets to the appropriate sites.
Note: There will be replication errors listed because NYC-DC2 and TOK-DC1 are not
running and replication has been attempted.
Task 5: Shut down all virtual machines, and delete all changes
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6425A Lab Launcher.
Result: At the end of this exercise, you will have verified that AD DS replication is
working.
Review Questions
1. How can you minimize the chances of creating a replication conflict in your
organization?
2. You have deployed nine domain controllers in the same domain. Five of these
domain controllers are in one site, while four are in a different site. You have
not modified the default replication frequency for intrasite and intersite
replication. You create a user account on one domain controller. What is the
maximum amount of time it will take for that user account to be replicated to
all of the domain’s controllers?
3. You add a new domain controller to an existing domain in your forest. Which
AD DS partitions will be modified as a result?
4. Your organization has one domain with three sites: a head-office site, and two
branch-office sites. Domain controllers in the branch-office sites can
communicate with domain controllers at the head office, but cannot
communicate directly with domain controllers in the other branch office due
to firewall restrictions. How can you configure the site-link architecture in AD
DS to integrate the firewall, and ensure that the KCC will not automatically
create a connection between the branch-office sites?
5. Your organization has a head office and 20 branch offices. Each office is
configured as a separate site. You have three domain controllers deployed at
the head office. One of the domain controllers at the head office has a faster
processor and more memory than the other two. You want to ensure that the
AD DS replication workload is assigned to the more powerful computer. What
should you do?
Tools
Use the following tools when configuring AD DS sites and replication:
Active Directory Sites and Services: creating and configuring sites, subnets,
moving domain controllers between sites, and forcing replication. Location: click
Start, and then point to Administrative Tools. Click Active Directory Users and
Computers.
Module 5
Creating and Configuring Group Policy
Contents:
Lesson 1: Overview of Group Policy 5-3
Lesson 2: Configuring the Scope of Group Policy Objects 5-16
Lesson 3: Evaluating the Application of Group Policy Objects 5-28
Lesson 4: Managing Group Policy Objects 5-33
Lesson 5: Delegating Administrative Control of Group Policy 5-40
Lab: Creating and Configuring GPOs 5-44
Module Overview
Lesson 1:
Overview of Group Policy
This lesson introduces you to how to use Group Policy to simplify managing
computers and users in an Active Directory environment. You will learn how
Group Policy Objects (GPOs) are structured and applied, and about some of the
exceptions of how GPOs are applied.
This lesson also discusses Group Policy features that are included with Windows
Server 2008, which also will help simplify computer and user management.
Key Points
Group Policy is a Microsoft® technology that supports one-to-many management of
computers and users in an Active Directory environment. By editing Group Policy
settings and targeting a Group Policy Object (GPO) at the intended users or
computers, you can centrally manage specific configuration parameters. In this
way, you can manage potentially thousands of computers or users by changing a
single GPO.
A Group Policy object is the collection of settings that are applied to selected users
and computers.
Group Policy can control many aspects of a target object’s environment, including
the registry, NTFS file system security, audit and security policy, software
installation and restriction, desktop environment, logon/logoff scripts, and so on.
Creating and Configuring Group Policy 5-5
One GPO can be associated with multiple containers in AD DS, through linking.
Conversely, multiple GPOs may link to one container.
Additional Reading
• Microsoft Technet article: Windows Server Group Policy
Key Points
Group Policy has thousands of configurable settings (approximately 2,400). These
settings can affect nearly every area of the computing environment. You cannot
apply all of the settings to all versions of Windows operating systems. For example,
many of the new settings that came with the Windows® XP Professional operating
system, Service Pack (SP) 2, such as software restriction policies, only applied to
that operating system. Equally, many of the hundreds of new settings only apply to
the Windows Vista® operating system and Windows Server 2008. If a computer
has a setting applied that it cannot process, it simply ignores it.
Question: Which of the new features will you find the most useful in your
environment?
Additional Reading
• Microsoft Technet article: Summary of New or Expanded Group Policy
Settings
• Microsoft Technet article: What's New in Group Policy in Windows Vista and
Windows Server 2008?
Key Points
Clients initiate Group Policy application by requesting GPOs from AD DS. When
Group Policy is applied to a user or computer, the client component interprets the
policy, and then makes the appropriate environment changes. These components
are known as Group Policy client-side extensions. As GPOs are processed, the
Winlogon process passes the list of GPOs that must be processed to each Group
Policy client-side extension. The extension then uses the list to process the
appropriate policy, when applicable.
Additional Reading
• Microsoft Technet article: Windows Server Group Policy
Key Points
Different factors can change the normal Group Policy processing behavior, such as
logging on using a slow connection. Also, different types of connections or
operating systems handle Group Policy processing differently.
Additional Reading
• Controlling Client-Side Extensions by Using Group Policy
Key Points
You can use Group Policy templates to create and configure Group Policy settings,
which are stored by the GPOs. The GPOs in turn are stored in the System Volume
(SYSVOL) container in AD DS. The SYSVOL container acts as a central repository
for the GPOs. In this way, one policy may be associated with multiple Active
Directory containers through linking. Conversely, multiple policies may link to one
container.
Group Policy has three major components.
• Group Policy templates
• Group Policy container
• Group Policy objects
Key Points
ADM Files
Traditionally, ADM files have been used to define the settings the administrator
can configure through Group Policy. Each successive Windows operating system
and service pack has included a newer version of these files. ADM files use their
own markup language. Because of this, it is difficult to customize ADM files. The
ADM templates are located in the %SystemRoot%\Inf folder.
ADMX Files
Windows Vista and Windows Server 2008 introduce a new format for displaying
registry-based policy settings. Registry-based policy settings are defined using a
standards-based XML file format known as ADMX files. These new files replace
ADM files. Group Policy tools on Windows Vista and Server 2008 will continue to
recognize custom ADM files you have in your existing environment, but will ignore
any ADM file that ADMX files have superseded.
Question: How could you tell if a GPO was created or edited using ADM or ADMX
files?
Additional Reading
• Microsoft Technet article: Managing Group Policy ADMX Files Step-by-Step
Guide
• Microsoft Support: Location of ADM (Administrative Template) Files in
Windows
Key Points
For domain-based enterprises, administrators can create a central store location of
ADMX files that is accessible by anyone with permission to create or edit GPOs.
The GPO Editor on Windows Vista and Windows Server 2008 automatically reads
and displays Administrative Template policy settings from ADMX files that the
central store caches, and ignores the ones stored locally. If the domain controller is
not available, then the local store is used.
You must create the central store, and then update it manually on a domain
controller. Whether ADMX files are used depends on the operating system of the
computer where you are creating or editing the GPO. Therefore, the domain
controller can be a server running Windows 2000, Windows Server® 2003, or
Windows Server 2008. The File Replication Service (FRS) replicates the central
store from that domain controller to the domain’s other domain controllers.
Question: What would be the advantage of creating the central store on the PDC
emulator?
Additional Reading
• Microsoft Support: How to create a Central Store for Group Policy
Administrative Templates in Windows Vista
Question: When you open the GPMC on your Windows XP computer, you do not
see the new Windows Vista settings in the Group Policy Object Editor. Why not?
Lesson 2:
Configuring the Scope of Group Policy Objects
Key Points
The GPOs that apply to a user or computer do not all have the same precedence.
GPOs are applied in a particular order. This order means that settings that are
processed first may be overwritten by settings that are processed later. For
example, a policy that restricts access to Control Panel applied at the domain level
could be reversed by a policy applied at the OU level for that particular OU.
Question: Your organization has multiple domains spread over multiple sites. You
want to apply a Group Policy to all users in two different domains. What is the best
way to accomplish this?
Additional Reading
• Microsoft Technet article: Group Policy processing and precedence
Key Points
In Microsoft operating systems prior to Windows Vista, there was only one user
configuration available in the local Group Policy. That configuration was applied to
all users logged on from the local computer. This is still true, but Windows Vista
and Windows Server 2008 have an added feature. In Windows Vista and Windows
Server 2008, it now is possible to have different user settings for different local
users, although there remains only one computer configuration available that
affects all users.
Question: When would multiple local Group Policy objects be useful in a domain
environment?
Additional Reading
• Microsoft Technet article: Step-by-Step Guide to Managing Multiple Local
Group Policy Objects
Key Points
There may be occasions when the normal behavior of Group Policy is not
desirable. For example, certain users or groups may need to be exempt from
restrictive Group Policy settings, or a GPO should be applied only to computers
with certain hardware or software characteristics. By default, all Group Policy
settings apply to the Authenticated Users group in a given container. However, you
can modify that behavior through various methods.
Question:
You have created a restrictive desktop policy and linked it to the Finance OU. The
Finance OU has several child OUs that have separate GPOs that reverse some of
your desktop restrictions. How would you ensure that all users in the Finance
department receive your desktop policy?
Additional Reading
• Microsoft Technet article: Controlling the Scope of Group Policy Objects using
GPMC
Question: Your domain has two domain-level policies, GPO1 and GPO2. You need
to ensure that all OUs receive GPO1, but GPO2 should not affect two of the OUs.
How could you accomplish this?
Question: You want to ensure that a specific policy linked to an OU will only affect
the members of the Managers global group. How would you accomplish this?
Key Points
User policy settings are normally derived entirely from the GPOs associated with
the user account, based on its AD DS location. However, Loopback processing
directs the system to apply an alternate set of user settings for the computer to any
user who logs on to a computer affected by this policy. Loopback processing is
intended for special-use computers where you must modify the user policy based
on the computer being used, such as the computers in public areas or classrooms.
When you apply loopback, it will affect all users except local ones.
Loopback operates using the following two modes:
• Merge mode
• Replace mode
Additional Reading
• Microsoft Technet article: Loopback processing with merge or replace
• Microsoft Technet article: Loopback processing of Group Policy
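The processing order and the exceptions covered in this lesson (precedence from domain to OU, Block Inheritance, Enforced links, security filtering and loopback processing), as an added Python model that is not part of the course text or of Microsoft's tools. OU, GPO and group names are constructed, and security filtering is simplified to a check of the user's group names.

```python
"""Resultant user settings from linked GPOs, modelled in Python.

Added example, not code from the course or from Microsoft: the processing
order covered in this lesson (domain, then each OU down to the object's own
OU, later settings overwriting earlier ones) and its exceptions, Block
Inheritance, Enforced links, security filtering and loopback processing.
OU, GPO and group names are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    user_settings: dict = field(default_factory=dict)
    # Groups granted Read + Apply Group Policy; Authenticated Users by default
    apply_to: frozenset = frozenset({"Authenticated Users"})


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False


@dataclass
class Container:
    name: str
    parent: "Container | None" = None
    links: list = field(default_factory=list)   # index 0 is link order 1
    block_inheritance: bool = False


def chain(container):
    """Containers from the domain down to the object's own container."""
    out = []
    while container is not None:
        out.append(container)
        container = container.parent
    return out[::-1]


def gpo_apply_order(container, groups):
    """GPOs in processing order (the last one applied wins on conflicts)."""
    containers = chain(container)
    # Block Inheritance hides non-enforced GPOs linked above that container
    start = max([i for i, c in enumerate(containers) if c.block_inheritance] + [0])
    ordinary, enforced = [], []
    for depth, c in enumerate(containers):
        # Link order 1 has the highest precedence in a container: apply it last
        for link in reversed(c.links):
            if not (link.gpo.apply_to & groups):
                continue                       # security filtering
            if link.enforced:
                enforced.append((depth, link.gpo))
            elif depth >= start:
                ordinary.append(link.gpo)
    # Enforced GPOs go last; the deepest enforced GPO is applied first and the
    # domain's last, so an enforced link nearer the domain wins conflicts
    enforced.sort(key=lambda item: -item[0])
    return ordinary + [gpo for _, gpo in enforced]


def resultant_user_settings(user_ou, groups, computer_ou=None, loopback=None):
    """Resolve user settings. loopback='replace' takes user settings only from
    the computer's GPO list; 'merge' appends that list so the computer's GPOs
    win conflicts. Filtering is simplified to a check of the user's groups."""
    order = gpo_apply_order(user_ou, groups)
    if loopback and computer_ou is not None:
        computer_list = gpo_apply_order(computer_ou, groups)
        order = computer_list if loopback == "replace" else order + computer_list
    result = {}
    for gpo in order:
        result.update(gpo.user_settings)
    return result


def demo():
    domain = Container("woodgrovebank.com", links=[
        Link(GPO("Default Domain Policy", {"ControlPanel": "allowed"}))])
    finance = Container("Finance", domain, links=[
        Link(GPO("Finance Desktop Lockdown",
                 {"ControlPanel": "hidden", "Wallpaper": "corporate"})),
        Link(GPO("Managers Extras", {"RunMenu": "visible"}, frozenset({"Managers"})))])
    payroll = Container("Payroll", finance, links=[
        Link(GPO("Payroll Relaxed", {"ControlPanel": "allowed"}))])
    kiosks = Container("Kiosks", domain, links=[
        Link(GPO("Kiosk Lockdown", {"ControlPanel": "hidden", "RunMenu": "hidden"}))])
    users = {"Authenticated Users", "Domain Users"}
    out = {"child_ou_wins": resultant_user_settings(payroll, users)}
    payroll.block_inheritance = True
    out["blocked"] = resultant_user_settings(payroll, users)
    finance.links[0].enforced = True
    out["enforced_beats_block"] = resultant_user_settings(payroll, users)
    out["manager_filtered"] = resultant_user_settings(finance, users | {"Managers"})
    out["kiosk_loopback"] = resultant_user_settings(
        payroll, users, computer_ou=kiosks, loopback="replace")
    return out
```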
Scenario
Use the following scenario information for your discussion.
Physical structure
Woodgrove Bank has a single domain that spans two sites, Head Office and
Toronto. The Toronto site is connected to the Head Office site across a high-speed
link. Within the Head Office site, there is a branch office in Winnipeg. This office is
connected to Head Office across a slow link. There are five users in the Winnipeg
office. There is no domain controller in the Winnipeg office, but there is a SQL
server.
This organization has deployed both Windows XP Professional and Windows
Vista computers.
Requirements
All domain computers that have Windows XP Professional installed will have a
small software application distributed through Group Policy.
Domain users should not have access to the desktop display properties. The
Administrators group will be exempt from this restriction.
Both the Winnipeg and Toronto branch users will have further desktop restrictions
applied.
Both branches will have a kiosk computer available in the lobby for public Internet
access. This computer needs to be locked down so that the user cannot change any
settings. Their computer accounts are located in their respective branches’ OU.
The computer accounts for all servers other than domain controllers will be
located in the Servers OU or in a nested OU inside the Servers OU. All servers
must have baseline security settings applied.
SQL servers must have additional security settings applied.
Question: How would you construct a Group Policy scheme to satisfy the
requirements?
Lesson 3:
Evaluating the Application of Group Policy
Objects
System administrators need to know how Group Policy settings affect computers
and users in a managed environment. This information is essential when planning
Group Policy for a network, and when debugging existing GPOs. Obtaining the
information can be a complex task when you consider the many combinations of
sites, domains, and organizational units that are possible, and the many types of
Group Policy settings that can exist. Further complicating the task are security
group filtering and GPO inheritance, blocking, and enforcement. The Group
Policy Results (GPResult.exe) command-line tool and the GPMC provide
reporting features to simplify these tasks.
Key Points
Group Policy Reporting is a feature of Group Policy that makes implementation
and troubleshooting easier. Two main troubleshooting tools are the GPResult.exe
command-line tool, and the Group Policy Results Wizard in the GPMC. The Group
Policy Results feature allows administrators to determine the resultant policy set
that was applied to a given computer and/or user that logged on to that computer.
Although these tools are similar, they each provide different information.
Question: You want to know which domain controller delivered Group Policy to a
client. Which utility would you use to find that out?
Additional Reading
• Microsoft resources: Gpresult
• Microsoft Technet article: Group Policy Results (Administering Group Policy
with Group Policy Management Console)
Key Points
Another method for testing Group Policy is to use the Group Policy Modeling
Wizard in the GPMC to model environment changes before you actually make
them. The Group Policy Modeling Wizard calculates the simulated net effect of
GPOs. Group Policy Modeling also simulates such things as security group
membership, WMI filter evaluation, and the effects of moving user or computer
objects to a different OU or site. You also can specify slow-link detection, loopback
processing, or both when using the Group Policy Modeling Wizard.
The Group Policy Modeling process actually runs on a domain controller in your
Active Directory domain. Because the wizard never queries the client computer, it
cannot take local policies into account.
Question: What simulations can be performed with the Group Policy Modeling
Wizard? Choose all that apply.
a. Loopback processing
b. Moving a user to a different domain in the same forest
c. Security group filtering
d. Slow link detection
e. WMI filtering
f. All of the above
Additional Reading
• Microsoft Technet article: Using Group Policy Modeling and Group Policy
Results to Evaluate Group Policy Settings
Question: A user reports that they are unable to access Control Panel. Other users
in the department can access Control Panel. What tools might you use to
troubleshoot the problem?
Lesson 4: Managing Group Policy Objects
GPMC provides mechanisms for backing up, restoring, migrating, and copying
existing GPOs. This is very important for maintaining your Group Policy
deployments in the event of error or disaster. It helps you avoid manually
recreating lost or damaged GPOs, and having to again go through the planning,
testing, and deployment phases. Part of your ongoing Group Policy operations
plan should include regular backups of all GPOs.
GPMC also provides for copying and importing GPOs, both from the same domain
and across domains.
Key Points
As with other critical data and Active Directory-related resources, you must back
up GPOs to protect the integrity of AD DS and GPOs. The GPMC provides the basic
backup and restore options, and also provides additional control over GPOs for
administrative purposes.
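A scripted version of the regular backup this lesson calls for, written as an added example (it is not course material) with the GroupPolicy PowerShell module, which ships with Windows Server 2008 R2 and later RSAT rather than the 2008 GPMC shown in the course. The backup share, retention period and GPO name used for the restore are assumptions; the domain name is the lab's.

```powershell
Import-Module GroupPolicy

$BackupRoot = '\\NYC-DC1\GPOBackups'   # assumed backup share (not on the page)
$Domain     = 'woodgrovebank.com'      # domain from the lab scenario
$RetainDays = 90                        # assumed retention period

function Backup-AllGpos {
    param([string]$Root, [string]$DomainName, [int]$KeepDays)

    # One folder per run, so every run is a complete, restorable set.
    $Target = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $Target -Force | Out-Null

    # Backup-GPO -All backs up every GPO in the domain and returns one
    # backup object per GPO (Id, GpoId, DisplayName, CreationTime).
    $Backups = Backup-GPO -All -Path $Target -Domain $DomainName `
                          -Comment "Scheduled backup $(Get-Date -Format s)"

    # A readable HTML settings report beside each backup lets you review
    # what a GPO contained without restoring it.
    foreach ($b in $Backups) {
        $SafeName = $b.DisplayName -replace '[\\/:*?"<>|]', '_'
        Get-GPOReport -Guid $b.GpoId -ReportType Html -Domain $DomainName `
                      -Path (Join-Path $Target "$SafeName.html")
    }

    # Manifest mapping backup IDs to GPO names and GUIDs for later restores.
    $Backups | Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -Path (Join-Path $Target 'manifest.csv') -NoTypeInformation

    # Prune run folders older than the retention period.
    Get-ChildItem -Path $Root |
        Where-Object { $_.PSIsContainer -and
                       $_.CreationTime -lt (Get-Date).AddDays(-$KeepDays) } |
        Remove-Item -Recurse -Force

    return $Backups
}

function Restore-GpoFromLatestBackup {
    param([string]$Root, [string]$DisplayName, [string]$DomainName)
    $Latest = Get-ChildItem -Path $Root |
              Where-Object { $_.PSIsContainer } |
              Sort-Object CreationTime -Descending | Select-Object -First 1
    # Restore-GPO puts back the GPO's settings, its permissions and its WMI
    # filter link; links to sites, domains and OUs are not part of a backup
    # and must be re-created separately if they were lost.
    Restore-GPO -Name $DisplayName -Path $Latest.FullName -Domain $DomainName
}

Backup-AllGpos -Root $BackupRoot -DomainName $Domain -KeepDays $RetainDays
# Example restore after an accidental change (GPO name assumed):
# Restore-GpoFromLatestBackup -Root $BackupRoot -DisplayName 'Admin Favorites' -DomainName $Domain
```

Run Backup-AllGpos from a scheduled task under an account that has read access to every GPO; Restore-GPO needs edit, delete and modify-security rights on the GPO being restored.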
Additional Reading
• Windows Server Library: Backing up, Restoring, Migrating, and Copying GPOs
• Microsoft Technet article: Import using GPMC
Key Points
Starter GPOs store a collection of Administrative Template policy settings in a
single object. Starter GPOs only contain Administrative Templates. You can import
and export Starter GPOs to distribute them to other areas of your enterprise.
When you create a new GPO from a Starter GPO, the new GPO has all the
Administrative Template settings that the Starter GPO defined. In this way, Starter
GPOs act as templates for creating GPOs, which helps provide consistency in
distributed environments.
Individual Starter GPOs can be exported into .cab files for easy distribution. You
then can import these .cab files back into the GPMC. The GPMC stores Starter
GPOs in a folder named StarterGPOs, which is located in SYSVOL.
Additional Reading
• Help Topics: Working with Starter GPOs
Key Points
The ADMX Migrator allows you to convert custom ADM templates into ADMX
templates. The associated ADML file is also created. Converted files are saved into
the user’s documents folder by default. Once you create the new files, copy the
ADMX file into the PolicyDefinitions folder, or the central store, and copy the
ADML file into the appropriate subfolder. The new Administrative Templates then
become available in the GPMC.
Additional Reading
• Microsoft Web site: ADMX Migrator
Lesson 5: Delegating Administrative Control of Group Policy
Key Points
Delegation allows the administrative workload to be distributed across the
enterprise. One group could be tasked with creating and editing GPOs, while
another group performs reporting and analysis duties. A separate group might be
in charge of WMI filters.
The following Group Policy tasks can be independently delegated:
• Creating GPOs
• Editing GPOs
• Managing Group Policy links for a site, domain, or OU
• Performing Group Policy Modeling analyses on a given domain or OU
• Reading Group Policy Results data for objects in a given domain or OU
• Creating WMI filters in a domain
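Each of the delegable tasks above, granted to a different group, as an added example that is not part of the course. It uses the GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2008 R2 and later RSAT) plus dsacls for the OU-level rights; the group names are assumptions, the OU, GPO and domain names come from the lab scenario, and the dsacls lines follow its documented trustee:permissions;attribute form.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain    = 'woodgrovebank.com'
$MiamiOU   = 'OU=Miami,DC=woodgrovebank,DC=com'
$Creators  = 'Miami GPO Creators'     # assumed: may create new GPOs
$Editors   = 'Miami GPO Editors'      # assumed: may edit one specific GPO
$Linkers   = 'Miami GPO Linkers'      # assumed: may manage links on the Miami OU
$Reporters = 'Miami GPO Reporting'    # assumed: may run Results and Modeling

# 1. Creating GPOs: membership of the built-in Group Policy Creator Owners
#    group grants the right to create GPOs (the creator then owns only
#    the GPOs it created; it gets no rights on anyone else's).
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $Creators

# 2. Editing GPOs: delegate on one GPO only. GpoEdit allows changing the
#    settings but not deleting the GPO or changing its security.
Set-GPPermission -Name 'Branch Users Policy' -Domain $Domain `
                 -TargetName $Editors -TargetType Group -PermissionLevel GpoEdit

# 3. Managing links: linking is a write to the OU's gPLink and gPOptions
#    attributes (RP = read property, WP = write property). Linkers can
#    attach or detach GPOs here but still cannot edit their contents,
#    which is the split the Module 5 lab demonstrates.
dsacls $MiamiOU /G "WOODGROVEBANK\${Linkers}:RPWP;gPLink"
dsacls $MiamiOU /G "WOODGROVEBANK\${Linkers}:RPWP;gPOptions"

# 4/5. Group Policy Results and Modeling for the OU are the two
#      "Generate Resultant Set of Policy" extended rights (CA = control access).
dsacls $MiamiOU /G "WOODGROVEBANK\${Reporters}:CA;Generate Resultant Set of Policy (Logging)"
dsacls $MiamiOU /G "WOODGROVEBANK\${Reporters}:CA;Generate Resultant Set of Policy (Planning)"

# Verify: the GPO's permission list, and the OU ACEs for the delegated groups.
Get-GPPermission -Name 'Branch Users Policy' -Domain $Domain -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission
dsacls $MiamiOU | Select-String -Pattern ($Linkers, $Reporters)
```

Creating WMI filters is delegated in the same way as links: it is a write on the SOM-WMIPolicy container under CN=System, and is granted through the GPMC WMI Filters node rather than per GPO.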
Additional Reading
• Microsoft Technet article: Delegating Group Policy
Scenario
The Woodgrove Bank has decided to implement Group Policy to manage user
desktops and to configure computer security. The organization already
implemented an OU configuration that includes top-level OUs by location, with
additional OUs within each location OU for different departments. User accounts
are in the same container as their workstation computer accounts. Server computer
accounts are spread throughout various OUs.
The enterprise administrator has created a GPO deployment plan. You have been
asked to create GPOs so that certain policies can be applied to all domain objects.
Some policies are considered mandatory. You also want to create policy settings
that will apply only to subsets of the domain’s objects, and you want to have
separate policies for computer settings and user settings. You must delegate GPO
administration to administrators within each company location.
Note: Some of the tasks in this lab are designed to illustrate GPO management
techniques and settings and may not always follow best practices.
Result: At the end of this exercise, you will have created and configured GPOs.
Result: At the end of this exercise, you will have configured the scope of GPO
settings.
Task 2: Verify that a Miami branch user is receiving the correct policy
1. Log on to NYC-CL1 as Anton with the password Pa$$w0rd.
2. Ensure that there is no link to the Run menu in the Accessories folder on the
Start Menu.
3. Ensure that there is no link to Control Panel on the Start Menu.
4. Log off.
Hint: When you attempt to access display settings you will receive a message
informing you that this has been disabled.
5. Log off.
Result: At the end of this exercise, you will have tested and verified a GPO
application.
Result: At the end of this exercise, you will have backed up, restored, and
imported GPOs.
Note: This step is included in the lab to enable you to test the delegated permissions. As
a best practice, you should install the administration tools on a Windows workstation
rather than enable Domain Users to log on to domain controllers.
1. On NYC-DC1, start Group Policy Management, and then edit the Default
Domain Controllers Policy.
2. In the Group Policy Management Editor window, access the User Rights
Assignment folder.
3. Double-click Allow log on locally. In the Allow log on locally Properties
dialog box, click Add User or Group.
4. Grant the Domain Users group the log on locally right.
5. Open a command prompt, type GPUpdate /force, and then press ENTER.
6. Right-click the Executives OU, and link the Test GPO to it. This operation will
succeed.
7. Right-click the Admin Favorites policy, and attempt to edit it. This operation
is not possible.
8. Close the GPMC.
Result: At the end of this exercise, you will have backed up, restored, and
imported GPOs.
Considerations
Keep the following considerations in mind when creating and configuring Group
Policy:
• Multiple local Group Policy objects
• ADMX and ADML files replace ADM files
• Methods to control Group Policy, inheritance, filtering, enforcement
• Group Policy tools and reporting
Review Questions
1. You want to force the application of certain Group Policy settings across a slow
link. What can you do?
2. You need to ensure that a domain level policy is enforced, but the Managers
global group needs to be exempt from the policy. How would you accomplish
this?
3. You want all GPOs that contain user settings to have certain Administrative
Templates enabled. You need to be able to send those policies to other
administrators in the enterprise. What is the best approach?
4. You want to control access to removable storage devices on all client
workstations through Group Policy. Can you use Group Policy to do this?
Module 6
Configuring User Environments Using Group
Policy
Contents:
Lesson 1: Configuring Group Policy Settings 6-3
Lesson 2: Configuring Scripts and Folder Redirection Using
Group Policy 6-7
Lesson 3: Configuring Administrative Templates 6-15
Lesson 4: Configuring Group Policy Preferences 6-22
Lesson 5: Deploying Software Using Group Policy 6-28
Lab: Configuring User Environments Using Group Policy 6-38
Module Overview
This module introduces the job function of configuring the user environment
using Group Policy. Specifically, this module provides the skills and knowledge
that you need to use Group Policy to configure Folder Redirection, as well as how
to use scripts. You also will learn how Administrative Templates affect Windows
Vista® and Windows Server® 2008, and how to deploy software using Group
Policy.
Lesson 1: Configuring Group Policy Settings
Group Policy can deliver many different types of settings. Some settings are simply a
matter of "turning them on", while others are more complex to configure. This
lesson will describe how to configure the various Group Policy settings.
Key Points
For a Group Policy setting to have an effect, you must configure it. Most Group
Policy settings have three states. They are:
• Enabled
• Disabled
• Not Configured
You also must configure values for some Group Policy settings. For example,
configuring restricted group membership requires values for the groups and
users involved.
Question: A domain level policy restricts access to the Control Panel. You want the
users in the Admin organizational unit (OU) to have access to the Control Panel,
but you do not want to block inheritance. How could you accomplish this?
Additional Reading
• Microsoft Technet article: How Core Group Policy Works
Question: How could you prevent a lower-level policy from reversing the setting of
a higher-level policy?
Lesson 2: Configuring Scripts and Folder Redirection Using Group Policy
Windows Server 2008 enables you to use Group Policy to deploy scripts to users
and computers. You can also redirect folders that the user’s profile includes, from
the user’s local hard disks to a central server.
Key Points
You can use Group Policy scripts to perform any number of tasks. There may be
actions that you need performed every time a computer starts or shuts down, or
when users log off or on. For example, you can use scripts to clean up desktops
when users log off and shut down computers, or delete the contents of temporary
directories, or clear the pagefile to make the environment more secure.
Question: You keep logon scripts in a shared folder on the network. How could
you ensure that the scripts will always be available to users from all locations?
Additional Reading
• Microsoft Technet article: The Two Sides of Group Policy Script Extension
Processing
• Microsoft Technet article: The Two Sides of Group Policy Script Extension
Processing (Part 2)
• Microsoft Support: Overview of Logon, Logoff, Startup, and Shutdown Scripts
in Windows 2000
Question: What other method could you use to assign logon scripts to users?
Key Points
When you redirect folders, you change the folder's storage location from the user's
local hard disk to a shared folder on a network file server. After you
redirect a folder to a file server, it still appears to the user as if it is stored on the
local hard disk.
Folder Redirection makes it easier for you to manage and back up data. By
redirecting folders, you can ensure user access to data regardless of the computers
to which they log on.
Additional Reading
• Microsoft Technet article: Folder Redirection Feature in Windows
• MSDN: IE7 in Vista: Folder Redirection for Favorites on the Same Machine
• Microsoft Download: Managing Roaming User Data Deployment Guide
Key Points
There are three available settings for Folder Redirection: none, basic, and
advanced. Basic folder redirection is for users who must redirect their folders to a
common area or users who need their data to be private. Advanced redirection
allows you to specify different network locations for different Active Directory
security groups.
Question: Users in the same department often log on to different computers. They
need access to their My Documents folder. They also need the data to be private.
What folder redirection setting would you choose?
Additional Reading
• Microsoft Technet article: Recommendations for Folder Redirection
Key Points
While you must manually create a shared network folder in which to store the
redirected folders, Folder Redirection can create the user’s redirected folders for
you. When you use this option, the correct permissions are set automatically. If
you manually create folders, you must know the correct permissions.
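If you do create the root folder by hand, these are the permissions to set: the same ones the lab steps assign in the GUI (Creator Owner, System, and the user group with List folder/Read data and Create folders/Append data on this folder only). This is an added example, not course code; the local path and share name are assumptions, the group name is the lab's.

```powershell
$Root  = 'D:\Redirected'                            # assumed local path
$Share = 'Redirected$'                              # assumed hidden share name
$Group = 'WOODGROVEBANK\Executives_WoodgroveGG'     # group from the lab

function New-RedirectionRoot {
    param([string]$Path, [string]$UsersGroup)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path

    # Stop inheriting from the parent and discard the inherited entries, so a
    # broad grant such as BUILTIN\Users read access never reaches user folders.
    $acl.SetAccessRuleProtection($true, $false)
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }

    $FSR   = [System.Security.AccessControl.FileSystemRights]
    $IF    = [System.Security.AccessControl.InheritanceFlags]
    $PF    = [System.Security.AccessControl.PropagationFlags]
    $Allow = [System.Security.AccessControl.AccessControlType]::Allow

    # CREATOR OWNER: Full Control, subfolders and files only. The user who
    # creates a folder owns it, so each user gets full control of their own
    # folder and nothing on anyone else's.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'CREATOR OWNER', $FSR::FullControl,
        ($IF::ContainerInherit -bor $IF::ObjectInherit), $PF::InheritOnly, $Allow)))

    # SYSTEM: Full Control on this folder, subfolders and files (needed by the
    # Folder Redirection client extension, Offline Files and backup).
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', $FSR::FullControl,
        ($IF::ContainerInherit -bor $IF::ObjectInherit), $PF::None, $Allow)))

    # Users group: List folder/Read data + Create folders/Append data on this
    # folder only. Users can create their own folder, but cannot read into
    # the folders of other users.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $UsersGroup, ($FSR::ListDirectory -bor $FSR::CreateDirectories),
        $IF::None, $PF::None, $Allow)))

    Set-Acl -Path $Path -AclObject $acl
}

New-RedirectionRoot -Path $Root -UsersGroup $Group

# Share permissions only need to admit the group; NTFS does the real control.
net share "$Share=$Root" "/GRANT:$Group,FULL" /CACHE:Manual

# Verify: every entry with its rights, inheritance and propagation flags.
(Get-Acl -Path $Root).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

Point the Folder Redirection target at \\server\Redirected$ with "Create a folder for each user under the root path" left on, so the redirection extension creates each user's folder with the user as owner; pre-creating folders as an administrator breaks the CREATOR OWNER assumption.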
Question: What steps could you take to protect the data while it is in transit
between the client and the server?
Additional Reading
• Microsoft Support: Folder Redirection feature in Windows
• Windows Server Library: Security Considerations when Configuring Folder
Redirection
Question: Users in the same department want to have each other's Internet
favorites available to everyone in the department. What folder redirection options
would you choose?
Lesson 3: Configuring Administrative Templates
The Administrative Template files provide the majority of available policy settings,
which are designed to modify specific registry keys. This is known as registry-based
policy. For many applications, the use of registry-based policy that the
Administrative Template files deliver is the simplest and best way to support
centralized management of policy settings. In this lesson, you will learn how to
configure Administrative Templates.
Key Points
Administrative Templates allow you to control the environment of the operating
system and user experience. There are two sets of Administrative Templates: one
for users, and one for computers.
Administrative Templates are the primary means of configuring the client
computer’s registry settings through Group Policy. Administrative Templates are a
repository of registry-based changes. By using the administrative template sections
of the GPO, you can deploy hundreds of modifications to the computer (the
HKEY_LOCAL_MACHINE hive) and user (the HKEY_CURRENT_USER hive) portions
of the registry.
Question: What sections of the Administrative Templates will you find most useful
in your environment?
Additional Reading
• Microsoft Technet article: Using Administrative Template Files with Registry-
Based Group Policy
• Microsoft Technet article: Administrative Templates Extension Technical
Reference
Question: You need to ensure that Windows Messenger is never allowed to run on
a particular computer. How could you use Administrative Templates to implement
this?
Key Points
Because ADMX files are XML-based, you can use any text editor to edit or create
new ADMX files. However, there also are XML-aware programs (such as
Microsoft Visual Studio) that administrators or developers can use to create or
modify ADMX files.
Once you have a valid ADMX file, you need only to place it in the
PolicyDefinitions folder, or in the Central Store, if one exists.
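A minimal custom ADMX/ADML pair of the kind this lesson describes, written into the central store by a script. This is an added example and not course material: the application, its registry path (Software\Policies\Woodgrove\Kiosk), the policy and category names and the namespace are all constructed for the lobby-kiosk scenario in Module 5; the central store path is the standard SYSVOL location and the domain name is the lab's.

```powershell
$Domain       = 'woodgrovebank.com'
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$BaseName     = 'WoodgroveKiosk'   # constructed file name

# The ADMX defines the policy and its registry mapping; display text lives in
# the ADML so the same ADMX serves every language subfolder.
$admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   revision="1.0" schemaVersion="1.0"
                   xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="woodgrove" namespace="Woodgrove.Policies.Kiosk" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="CAT_WoodgroveKiosk" displayName="$(string.CAT_WoodgroveKiosk)" />
  </categories>
  <policies>
    <!-- Enabled writes LockdownEnabled=1, Disabled writes 0, Not Configured
         leaves the value alone. Keys under Software\Policies are true policy
         keys: the user cannot change them, which is the kiosk requirement. -->
    <policy name="POL_KioskLockdown" class="Machine"
            displayName="$(string.POL_KioskLockdown)"
            explainText="$(string.POL_KioskLockdown_Help)"
            key="Software\Policies\Woodgrove\Kiosk" valueName="LockdownEnabled">
      <parentCategory ref="CAT_WoodgroveKiosk" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

$adml = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                           revision="1.0" schemaVersion="1.0"
                           xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>Woodgrove kiosk policies</displayName>
  <description>Lockdown settings for the lobby kiosk application</description>
  <resources>
    <stringTable>
      <string id="CAT_WoodgroveKiosk">Woodgrove Kiosk</string>
      <string id="POL_KioskLockdown">Enable kiosk lockdown</string>
      <string id="POL_KioskLockdown_Help">Locks the kiosk application so that the public user cannot change its settings.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

# Parse both documents before touching SYSVOL: one malformed file makes the
# whole Administrative Templates node fail to load in the editor.
[xml]$admx | Out-Null
[xml]$adml | Out-Null

# The ADMX goes in the store root; the ADML goes in the language subfolder.
New-Item -ItemType Directory -Path "$CentralStore\en-US" -Force | Out-Null
Set-Content -Path "$CentralStore\$BaseName.admx"       -Value $admx -Encoding UTF8
Set-Content -Path "$CentralStore\en-US\$BaseName.adml" -Value $adml -Encoding UTF8
```

Because the central store is in SYSVOL, the files replicate to every domain controller, and each editor that opens a GPO reads them from there instead of from its local PolicyDefinitions folder.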
Additional Reading
• Microsoft Technet article: Creating a Custom Base ADMX File
• Microsoft Downloads: Group Policy Sample ADMX Files
Question: Can you still use custom ADM files to deliver Group Policy settings in
Windows Server 2008?
Lesson 4: Configuring Group Policy Preferences
Many common settings that affect the user and computer environment could not
be delivered through Group Policy, for example, mapped drives. These settings
were usually delivered through logon scripts or imaging solutions. Windows
Server 2008 includes the new Group Policy preferences built into the Group
Policy Management Console (GPMC). Additionally, administrators can configure
preferences by installing the Remote Server Administration Tools (RSAT) on a
computer running Windows Vista Service Pack 1 (SP1). This allows many
common settings to be delivered through Group Policy.
Key Points
Group Policy preference extensions are more than twenty Group Policy extensions
that expand the range of configurable settings within a GPO. The main difference
between policy settings and preference settings is that preference settings are not
enforced. This means the end user can change any preference setting that is
applied through Group Policy, but policy settings prevent users from changing
them.
Key Points
The key difference between preferences and Group Policy settings is enforcement.
Key Points
Most Group Policy preference extensions support the following actions for each
preference item:
• Create. Create a new item on the targeted computer.
• Delete. Remove an existing item from the targeted computer.
• Replace. Delete and recreate an item on the targeted computer. The result is
that Group Policy preferences replace all existing settings and files associated
with the preference item.
• Update. Modify an existing item on the targeted computer.
Key Points
Group Policy preferences do not require you to install any services on servers.
Windows Server 2008 includes Group Policy preferences by default as part of the
Group Policy Management Console (GPMC). Administrators can configure and
deploy Group Policy preferences in a Windows Server 2003 environment by
installing the RSAT on a computer running Windows Vista with SP1.
Question: You have deployed a number of Group Policy preferences. Users report
that they are unable to modify some of those settings. What would you suspect is
the problem?
Lesson 5: Deploying Software Using Group Policy
Key Points
The software life cycle consists of four phases: preparation, deployment,
maintenance, and removal. You can apply Group Policy settings to users or
computers in a site, domain, or an organizational unit to automatically install,
upgrade, or remove software. By applying Group Policy settings to software, you
can manage the various phases of software deployment without deploying software
on each computer individually.
Question: What types of applications would you deploy via Group Policy in your
environment?
Additional Reading
• Microsoft Support: How to use Group Policy to install software remotely in
Windows 2000
• Microsoft Technet article: Use Group Policy Software Installation to deploy the
2007 Office system
Key Points
To enable Group Policy to deploy and manage software, Windows Server 2008
uses the Windows Installer service. This component automates the installation and
removal of applications by applying a set of centrally defined setup rules during
the installation process.
Additional Reading
• Microsoft Support: How to use Group Policy to install software remotely in
Windows 2000
Key Points
There are two deployment types available for delivering software to clients.
Administrators can either install software for users or computers in advance, or
give users the option to install the software when they require it. Users do not
share deployed applications, meaning an application you install for one user
through Group Policy will not be available to that computer’s other users. All users
need their own instance of the application.
Additional Reading
• Microsoft Technet article: Group Policy Software Installation overview
Key Points
Software Installation in Group Policy includes options for configuring deployed
software. You can categorize programs that are published in Control Panel and
associate file name extensions with applications. You also can add modifications to
deployed software.
Additional Reading
• Microsoft Technet article: Specify categories for applications to be managed
• Microsoft Technet article: Best practices for Group Policy Software Installation,
Specify automatic installation options based on file name extension section
• Microsoft Technet article: Add or remove modifications for an application
package
Key Points
Occasionally a software package will need to be upgraded to a newer version. The
Upgrades tab allows you to upgrade a package using the GPO. You also may
redeploy a package if the original Windows Installer file has been modified. You
can remove software packages if they were delivered originally using Group Policy.
Removal can be mandatory or optional.
Additional Reading
• Microsoft Technet article: Set Group Policy Software Installation defaults
Scenario
Woodgrove Bank has decided to implement Group Policy to manage user
desktops. The organization has already implemented an organizational unit (OU)
configuration that includes top-level OUs grouped by location, with additional
OUs within each location for different departments. User accounts are located in
the same container as their workstation computer accounts. Server computer
accounts are spread throughout various OUs.
The enterprise administrator has created a GPO design that will be used to manage
the user desktop environment. You have been asked to configure Group Policy
objects so that specific settings are applied to user desktops and computers.
Note: Some of the tasks in this lab are designed to illustrate GPO management
techniques and settings, but may not always follow best practices.
Task 3: Use Group Policy to copy the script to the NetLogon share,
and then assign the script to the appropriate OUs
1. Open a Windows Explorer window, copy C:\map.bat to the clipboard and
then close Windows Explorer.
2. Launch the GPMC, and then create a new Group Policy named Logon Script.
3. Edit the policy by expanding User Configuration, expanding Windows
Settings, and then clicking Scripts (Logon/Logoff).
4. Open the Properties of the Logon Script GPO, click Show Files, right-click,
click Paste, to copy the script from the clipboard to the scripts folder, and then
close Explorer.
5. In the Logon Properties dialog box, click Add.
6. In the Add a Script dialog box, click Browse.
7. In the Browse dialog box, select the Map.bat file.
8. Close the Group Policy Management editor.
9. Link the Logon Script policy to the Miami, NYC, and Toronto OUs.
8. Remove all users and groups except Creator Owner and System.
9. Add the Executives_WoodgroveGG group, and then assign List folder/Read data
and Create Folders/Append data permissions to This Folder only.
10. Close the properties, and then close Windows Explorer.
Result: At the end of this exercise, you will have configured scripts and folder
redirection.
Computers in the Miami, Toronto, and NYC OUs will prevent the installation of
removable devices.
Computers in the Executive OU will have offline files encrypted.
All domain users will have the following settings applied:
• The registry editing tools will be prohibited.
• The clock will be removed from the taskbar.
Additionally, users in the Miami, Toronto, and NYC OUs will have the following
settings applied:
• Profiles will be limited to 1 gigabyte (GB).
• Windows Sidebar will be turned off.
Task 1: Modify the Default Domain Policy to contain the settings for
all computers
1. In the GPMC, edit the Default Domain Policy: expand Computer
Configuration, expand Policies, expand Administrative Templates, expand
Network, expand Network Connections, expand Windows Firewall, and
then expand Domain Profile. In the details pane, double-click Windows
Firewall: Allow inbound remote administration exception.
2. Enable the policy, and type localsubnet in the Allow unsolicited incoming
messages from these IP addresses box.
3. Expand Computer Configuration, expand Administrative Templates,
expand System, and then expand Group Policy.
4. Enable Group Policy slow link detection with a connection speed of 800 Kbps.
Task 3: Create and assign a GPO to encrypt offline files for executive
computers
1. Create a new GPO named Encrypt Offline Files.
2. Edit the policy by expanding Computer Configuration, expanding
Administrative Templates, expanding Network, and then expanding Offline
Files.
3. Enable the Encrypt the Offline Files cache.
4. Link the GPO to the Executives OU.
Task 4: Create and assign a domain level GPO for all domain users
1. Create a new GPO named All Users Policy.
2. Expand User Configuration, expand Policies, expand Administrative
Templates, and then expand System.
3. Enable the Prevent access to registry editing tools setting.
4. Click Start Menu and Taskbar.
5. Enable the Remove Clock from the system notification area.
6. Link the GPO to the Woodgrovebank.com domain.
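The two settings of Task 4 written as the registry-based policy that Lesson 3 describes, so you can see exactly what the Administrative Template entries put in the GPO. This is an added example, not course material: it uses the GroupPolicy PowerShell module (Windows Server 2008 R2 and later RSAT, not the 2008 GPMC used in the lab); the registry paths are the ones the "Prevent access to registry editing tools" and "Remove Clock from the system notification area" templates write, and the GPO and domain names are the lab's.

```powershell
Import-Module GroupPolicy
$Domain   = 'woodgrovebank.com'
$DomainDN = 'DC=woodgrovebank,DC=com'
$GpoName  = 'All Users Policy'

# Create the GPO only if it is not already there, so the script is re-runnable.
try   { $gpo = Get-GPO -Name $GpoName -Domain $Domain }
catch { $gpo = New-GPO -Name $GpoName -Domain $Domain }

# An Enabled Administrative Template setting is just a concrete registry
# value. Both are user settings, so they go under HKCU in the Policies keys,
# which a standard user cannot edit; that is what makes them policy rather
# than a preference.
$settings = @(
    @{ Key  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Value = 1 },   # 1 = regedit disabled
    @{ Key  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'HideClock';            Value = 1 }    # 1 = clock removed
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Domain $Domain -Key $s.Key `
                        -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}

# Link at the domain level, as the task does. New-GPLink fails when the link
# already exists, so fall back to enabling the existing link.
try   { New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes -Domain $Domain | Out-Null }
catch { Set-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes -Domain $Domain | Out-Null }

# Verify what the GPO will actually write, independent of the editor's
# display names. The editor shows these same entries as Enabled.
foreach ($s in $settings) {
    Get-GPRegistryValue -Name $GpoName -Domain $Domain -Key $s.Key -ValueName $s.Name |
        Select-Object KeyPath, ValueName, Type, Value
}
```

After gpupdate /force on a client, a user in scope sees the clock gone and regedit refused; gpresult /r lists All Users Policy under Applied Group Policy Objects for the user.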
Task 5: Create and assign a policy to limit profile size and turn off
Windows Sidebar for branch users
1. Create a new GPO named Branch Users Policy.
2. Edit the GPO by expanding User Configuration, expanding Policies,
expanding Administrative Templates, expanding System, and then
expanding User Profiles.
3. Enable the Limit profile size with a value of 1000000.
4. Expand User Configuration, expand Administrative Templates, expand
Windows Components, and then expand Windows Sidebar.
5. Enable the Turn off Windows Sidebar setting.
6. Link the Branch Users Policy GPO to the Miami, NYC, and Toronto OUs.
Result: At the end of this exercise, you will have configured Administrative
Templates.
Result: At the end of this exercise, you will have configured preferences.
Result: At the end of this exercise, you will have verified a GPO application.
Considerations
When configuring user environments using Group Policy, consider the following:
• Policy settings that are Enabled enforce a setting.
• Policy settings that are Disabled reverse a setting.
• Policy settings that are Not Configured are not affected by Group Policy.
• Scripts can be applied to the user or computer via Group Policy.
• Scripts can be written in multiple languages.
• Storing scripts in the NetLogon share makes them highly available.
• Certain folders can be redirected from the user's profile to a shared folder on
the network.
• Different security groups can be redirected to different network locations.
• Administrative Templates apply settings by modifying the registry for the user
and computer.
Review Questions
1. You have assigned a logon script to an OU via Group Policy. The script is
located in a shared network folder named Scripts. Some OU users receive the
script while others do not. What might be causing this?
2. What steps could you take to prevent these types of problems from
reoccurring?
3. You have two logon scripts assigned to users -- script1 and script2. Script2
depends on script1 completing successfully. Your users report that script2
never runs. What is the problem and how would you correct it?
Module 7
Implementing Security Using Group Policy
Contents:
Lesson 1: Configuring Security Policies 7-3
Lesson 2: Implementing Fine-Grained Password Policy 7-13
Lesson 3: Restricting Group Membership and Access to Software 7-18
Lesson 4: Managing Security Using Security Templates 7-25
Lab: Implementing Security Using Group Policy 7-33
Module Overview
Failure to have adequate security policies can lead to many risks for an
organization. A well designed security policy helps to protect an organization’s
investment in business information and internal resources, like hardware and
software. Having a security policy in itself is not enough, however. You must
implement the policy for it to be effective. You can leverage Group Policy to
standardize security to control the environment.
Lesson 1: Configuring Security Policies
Group Policy provides settings you can use to implement security in your
organization. For example, you can use Group Policy settings to secure passwords,
startup, and permissions for system services.
In this lesson, you will learn the knowledge and skills necessary to configure
security policies.
Key Points
Security policies are rules that protect resources on computers and networks.
Group Policy allows you to configure many of these rules as Group Policy settings.
For example, you can configure password policies as part of Group Policy.
Group Policy has a large security section to configure security for both users and
computers. This way, you can apply security consistently across organizational
units (OUs) in Active Directory® Domain Services (AD DS), by defining security
settings in a Group Policy object that is associated with a site, domain, or OU.
Additional Reading
• Microsoft Technet article: Security Settings
• Microsoft Technet article: Group Policy Security Settings
Key Points
The default domain policy is linked to the domain, and therefore affects all objects
in the domain unless a GPO that you applied at a lower level blocks or overrides
these settings. This policy has very few settings configured by default.
Although the Default Domain Policy has all the settings and capabilities of any
GPO, it is recommended that you use this policy only to deliver Account Policies.
You should create other GPOs to deliver other settings.
Additional Reading
• Microsoft Technet article: Windows Server 2003 Security Guide Chapter 3:
The Domain Policy
Key Points
Account policies protect your organization’s accounts and data by mitigating the
threat of brute force guessing of account passwords. In Windows operating
systems, and many other operating systems, the most common method for
authenticating a user’s identity is to use a secret password. Securing your network
environment requires that all users utilize strong passwords. Password policy
settings control the complexity and lifetime of passwords. You can configure
password policy settings through Group Policy.
Additional Reading
• Microsoft Technet article: Account Passwords and Policies
Key Points
Every Windows 2000 Server or later computer has exactly one Local Group Policy
Object (LGPO). In this object, Group Policy settings are stored on individual
computers, regardless of whether they are part of an Active Directory environment.
The LGPO is stored in a hidden folder named %windir%\system32\Group Policy.
This folder does not exist until you configure an LGPO.
Key Points
Automating client computer configuration settings is an essential step to reduce
the cost of deploying networking security, and minimize support issues that result
from incorrectly configured settings.
Starting with Windows Server 2003, you were able to automate client wireless
configuration using the Wireless Networking Policies settings in Group Policy.
Windows Server 2008 and Windows Vista include new features for network
policies, and Group Policy support for 802.1X authentication settings for wired
and wireless connections.
Additional Reading
• Microsoft Technet article: Joining a Windows Vista Wired Client to a Domain
• Microsoft Technet article: Chapter 6: Designing the Wireless LAN Security
Using 802.1X
• Microsoft Technet article: Wireless Group Policy Settings for Windows Vista
• Microsoft Technet article: Define Active Directory-based Wireless Network
Policies
Key Points
Windows Vista and Windows Server 2008 include a new and enhanced version of
Windows Firewall. The new Windows Firewall is a stateful host-based firewall that
allows or blocks network traffic according to its configuration.
Additional Reading
• Microsoft Technet article: The New Windows Firewall in Windows Vista and
Windows Longhorn
Question: You need to ensure that a particular service is not allowed to run on any
of your network servers. How would you accomplish this?
Question: What is the default Group Policy refresh interval for domain
controllers?
Lesson 2:
Implementing Fine-Grained Password Policies
In Windows Server 2008, using fine-grained password policies, you can allow
different password requirements and account lockout policies for different Active
Directory users or groups.
In this lesson, you will learn the knowledge and skills to implement fine-grained
password policies.
Key Points
In previous versions of AD DS, you could apply only one password and account
lockout policy to all users in the domain. Fine-grained password policies allow you
to have different password requirements and account lockout policies for different
Active Directory users or groups. This is desirable when you want different sets of
users to have different password requirements, but do not want separate domains.
For example, the Domain Admins group may need strict password requirements to
which you do not want to subject ordinary users. If you do not implement
fine-grained password policies, the default domain account policies apply to
all users.
Additional Reading
• Microsoft Technet article: AD DS: Fine-Grained Password Policies
Key Points
To store fine-grained password policies, Windows Server 2008 includes two new
object classes in the Active Directory schema. They are:
• Password Settings Container (PSC)
• Password Settings Object (PSO)
The PSC object class is created by default under the System container in the
domain, which stores that domain’s PSOs. You cannot rename, move, or delete this
container.
Question: How could you view the Password Settings Container in Active
Directory Users and Computers?
Additional Reading
• Microsoft Technet article: AD DS: Fine-Grained Password Policies
Key Points
There are three major steps involved in implementing fine-grained passwords:
• Create necessary groups, and add the appropriate users.
• Create PSOs for all defined password policies.
• Apply PSOs to the appropriate users or global security groups.
Additional Reading
• Microsoft Technet article: Step by Step Guide for Fine-Grained Password and
Account Lockout Policy Configuration
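The three steps above carried out as one script. This is an added example, not code from the 6425A courseware or a Microsoft sample: it creates the group, describes the PSO in LDIF, imports it with LDIFDE (one of the two tools the module names for PSOs) and then checks which PSO a member actually receives. The domain woodgrovebank.com, the OU=IT location, the group name IT Admins, the PSO name ITAdminPSO, the password values and the user Ada Lovelace are all assumptions made for the example.

```powershell
# Added example (not from the 6425A courseware). Assumptions: domain
# woodgrovebank.com at the Windows Server 2008 domain functional level (PSOs need
# it), group "IT Admins" under OU=IT, run as a Domain Admin on a domain controller.

# Step 1: make sure the global security group exists.
$domainDn = "DC=woodgrovebank,DC=com"
$groupDn  = "CN=IT Admins,OU=IT,$domainDn"
if (-not [ADSI]::Exists("LDAP://$groupDn")) {
    $ou  = [ADSI]"LDAP://OU=IT,$domainDn"
    $grp = $ou.Create("group", "CN=IT Admins")
    $grp.Put("sAMAccountName", "IT Admins")
    $grp.Put("groupType", -2147483646)    # 0x80000002 = global + security-enabled
    $grp.SetInfo()
}

# Step 2: describe the PSO in LDIF. AD stores the five PSO time attributes as
# NEGATIVE 64-bit counts of 100-nanosecond intervals; TimeSpan.Ticks uses the same
# unit, so the conversion is only a sign change.
function ConvertTo-AdInterval {
    param([TimeSpan]$Span)
    return (-$Span.Ticks).ToString()
}

$pscDn = "CN=Password Settings Container,CN=System,$domainDn"
$ldif  = @"
dn: CN=ITAdminPSO,$pscDn
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 15
msDS-MinimumPasswordAge: $(ConvertTo-AdInterval ([TimeSpan]::FromDays(1)))
msDS-MaximumPasswordAge: $(ConvertTo-AdInterval ([TimeSpan]::FromDays(42)))
msDS-LockoutThreshold: 3
msDS-LockoutObservationWindow: $(ConvertTo-AdInterval ([TimeSpan]::FromMinutes(30)))
msDS-LockoutDuration: $(ConvertTo-AdInterval ([TimeSpan]::FromMinutes(30)))
msDS-PSOAppliesTo: $groupDn
"@

# Step 3: import it. msDS-PSOAppliesTo in the LDIF already links the PSO to the
# group, which is the "apply" step; -k continues past "already exists" on re-runs.
$ldfPath = Join-Path $env:TEMP "ITAdminPSO.ldf"
Set-Content -Path $ldfPath -Value $ldif -Encoding ASCII
ldifde -i -k -f $ldfPath -j $env:TEMP

# Check: msDS-ResultantPSO is a constructed attribute, so it has to be requested
# explicitly. It is empty when the user falls back to the Default Domain Policy.
$user = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Ada Lovelace,OU=IT,$domainDn")
$user.psbase.RefreshCache(@("msDS-ResultantPSO"))
"Resultant PSO: " + $user.psbase.Properties["msDS-ResultantPSO"].Value
```

When several PSOs reach one user, a PSO linked directly to the user wins over any group-linked PSO, and among the remaining candidates the lowest msDS-PasswordSettingsPrecedence wins; give every PSO a distinct precedence so the outcome is predictable. PSOs cannot be linked to OUs, only to users and global security groups, which is why step 1 creates a group rather than relying on the OU.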
Question: What utilities can be used to manage PSOs? Choose all that apply.
a. ADSI edit
b. GPMC
c. CSVDE
d. LDIFDE
e. NTDSUtil
f. Active Directory Users and Computers
Lesson 3:
Restricting Group Membership and Access to
Software
Key Points
In some cases, you may want to control the membership of certain groups in a
domain to prevent addition of other user accounts to those groups, such as the
local administrators group.
You can use the Restricted Groups policy to control group membership. Use the
policy to specify what members are placed in a group. If you define a Restricted
Groups policy and refresh Group Policy, any current member of a group that is not
on the Restricted Groups policy members list is removed. This can include default
members, such as domain administrators.
Although you can control domain groups by assigning Restricted Groups policies
to domain controllers, you should use this setting primarily to configure
membership of critical groups like Enterprise Admins and Schema Admins. You
also can use this setting to control the membership of built-in local groups on
workstations and member servers. For example, you can place the Helpdesk group
into the local Administrators group on all workstations.
You cannot specify local users in a domain GPO. Any local users who currently are
in the local group that the policy controls will be removed. The only exception is
that the local Administrators account will always be in the local Administrators
group.
Question: Your company has five Web servers physically located across North
America. The Web servers' computer accounts are all located in a single OU. You
want to grant all the users in the global group named Web_Backup the right to
back up and restore the Web servers. How could you use Group Policy to
accomplish this?
Additional Reading
• Microsoft Technet article: Restricted Groups
• Microsoft Technet article: Group Policy Security Settings
Question: You created a Group Policy that adds the Helpdesk group to the local
Administrators group and you linked the policy to an OU. Now the Domain
Administrators no longer have any administrative authority on the computers in
that OU. What is the most likely problem and how would you solve it?
Key Points
You may want to restrict access to software to prevent users from running
particular applications or types of applications, such as VBScript files. Software
Restriction Policies give administrators a policy-driven mechanism for identifying
software and controlling its ability to run on a client computer.
Additional Reading
• Microsoft Technet article: Using Software Restriction Policies to Protect
Against Unauthorized Software
Key Points
Software Restriction policies use rules to determine whether an application is
allowed to run. When you create a rule, you first identify the application. Next you
identify it as an exception to the default policy setting of Unrestricted or
Disallowed. The enforcement engine queries the rules in the software restriction
policy before allowing a program to run.
Question: You need to restrict access to a certain application no matter into what
directory location the application is installed. What type of rule should you use?
Additional Reading
• Microsoft Technet article: Using Software Restriction Policies to Protect
Against Unauthorized Software
Question: You want to ensure that only digitally signed Visual Basic scripts are
allowed to run. What type of rule should you use?
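Before writing rules it helps to see what Software Restriction Policy a computer already has, and how the rule types above are stored. The following script is an added example (not from the 6425A courseware or a Microsoft sample): it reads the policy that Group Policy writes to the registry, decodes the default level, the local-administrator exemption, DLL checking, the designated file types and every hash and path rule, and tests whether a given file would match a hash rule. Certificate and zone rules are stored in other keys and are not enumerated. The only assumption is that it runs in PowerShell on Windows Vista, Windows Server 2008 or later; no file names or hashes from the page are used.

```powershell
# Added example (not from the 6425A courseware). Reads the SRP settings Group
# Policy delivered to this computer (HKLM) and decodes them. Assumption: PowerShell
# on Vista/2008 or later; pass the HKCU path to Get-SrpPolicy for the user policy.

$levelNames = @{ 0 = "Disallowed"; 131072 = "Basic User"; 262144 = "Unrestricted" }
$hashAlgs   = @{ 32771 = "MD5"; 32772 = "SHA1"; 32780 = "SHA256" }   # CALG_* ids kept in HashAlg

function Get-SrpRules {
    param([string]$Root)
    # One subkey per security level (0, 131072, 262144), each with Paths and Hashes below it.
    foreach ($levelKey in Get-ChildItem -Path $Root | Where-Object { $_.PSChildName -match '^\d+$' }) {
        $level = $levelNames[[int]$levelKey.PSChildName]
        foreach ($kind in "Paths", "Hashes") {
            $kindPath = $levelKey.PSPath + "\" + $kind
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($rule in Get-ChildItem -Path $kindPath) {
                $p = Get-ItemProperty -Path $rule.PSPath
                $isHash = ($kind -eq "Hashes")
                # Hash rules keep the raw digest bytes in ItemData; path rules keep the (expandable) path.
                $item = if ($isHash) { ($p.ItemData | ForEach-Object { $_.ToString("x2") }) -join "" } else { $p.ItemData }
                $type = if ($isHash) { "Hash (" + $hashAlgs[[int]$p.HashAlg] + ")" } else { "Path" }
                [pscustomobject]@{ Level = $level; Type = $type; Item = $item; Description = $p.Description }
            }
        }
    }
}

function Get-SrpPolicy {
    param([string]$Root = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers")
    if (-not (Test-Path $Root)) { return $null }      # no SRP delivered to this scope
    $ci = Get-ItemProperty -Path $Root
    [pscustomobject]@{
        DefaultLevel    = $levelNames[[int]$ci.DefaultLevel]
        AdminsExempt    = ($ci.PolicyScope -eq 1)          # "All users except local administrators"
        CheckDlls       = ($ci.TransparentEnabled -eq 2)   # 1 = executables only, 2 = libraries too
        ExecutableTypes = @($ci.ExecutableTypes)           # Designated File Types; a new extension must be listed here first
        Rules           = @(Get-SrpRules -Root $Root)
    }
}

# Would this file match one of the hash rules? SRP hashes the file bytes with the
# rule's algorithm and compares (it also checks ItemSize, omitted here).
function Test-SrpHashRule {
    param([string]$Path, [object[]]$Rules)
    $bytes = [IO.File]::ReadAllBytes($Path)
    $digests = @{}
    foreach ($alg in "MD5", "SHA1", "SHA256") {
        $h = [Security.Cryptography.HashAlgorithm]::Create($alg)
        $digests[$alg] = ($h.ComputeHash($bytes) | ForEach-Object { $_.ToString("x2") }) -join ""
    }
    $Rules | Where-Object { $_.Type -like "Hash (*" } | Where-Object {
        $alg = $_.Type -replace '^Hash \((\w+)\)$', '$1'
        $digests.ContainsKey($alg) -and ($digests[$alg] -eq $_.Item)
    }
}

$machine = Get-SrpPolicy
if ($machine) {
    $machine | Select-Object DefaultLevel, AdminsExempt, CheckDlls, ExecutableTypes | Format-List
    $machine.Rules | Format-Table -AutoSize
    Test-SrpHashRule -Path "$env:SystemRoot\System32\cscript.exe" -Rules $machine.Rules
} else { "No machine-level Software Restriction Policy on this computer." }
```

The output makes the two review points of this lesson visible: a hash rule is listed with its digest and no path, which is why it keeps matching after the program is moved, and ExecutableTypes is the list a new extension has to appear in before any rule can govern it.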
Lesson 4:
Managing Security Using Security Templates
Key Points
A security template is a collection of configured security settings. You can use
predefined security templates as a base to create security policies that you
customize to meet your needs, or you can create new templates. You use the
Security Templates snap-in to create or customize templates. After you create a new
template or customize a predefined security template, you can use it to configure
security on an individual computer or thousands of computers. Security templates
contain security settings for all security areas.
Additional Reading
• Microsoft Technet article: Security Templates
Question: You have multiple database servers that are located in different OUs.
What is the easiest way to apply consistent security settings to all of the database
servers?
Key Points
The Security Configuration Wizard (SCW) is an attack-surface reduction tool that
was introduced with Windows Server 2003 with Service Pack 1 (SP1). SCW assists
administrators in creating security policies, and determines the minimum
functionality that is required for a server’s role or roles, and then disables
functionality that is not required.
SCW guides you through the process of creating, editing, applying, or rolling back
a security policy based on the server’s selected roles. The security policies that you
create with SCW are XML files that, when applied, configure services, network
security, specific registry values, audit policy, and if applicable, Internet
Information Services (IIS).
Additional Reading
• Microsoft Technet article: Security Templates
• Microsoft Technet article: Security Configuration Wizard for Windows Server
2003
Key Points
Security policies that you create with the SCW can also include custom security
templates. Some of the settings that you can configure using the SCW partially
overlap the settings that you can configure using security templates alone. Neither
set of configuration changes is completely inclusive of the other. For example, the
SCW includes IIS settings that are not included in any security template.
Conversely, security templates can include such items as Software Restriction
policies, which you cannot configure through SCW.
Additional Reading
• Microsoft Technet article: Security Configuration Wizard Overview
• Microsoft Technet article: Security Watch: The Security Configuration Wizard
Question: You need to open a port on your Windows Vista client computers for a
custom application. Should you use the SCW or create a security template and use
a GPO?
Scenario
Woodgrove Bank has decided to implement Group Policy to configure security for
users and computers in the organization. The company recently upgraded all
of the workstations to Windows Vista, and all of the servers to Windows
Server 2008. The organization wants to utilize Group Policy to implement
security settings for the workstations, servers, and users. The enterprise
administrator created a design that includes modifications to the default domain
security policy, and additional GPOs for configuring security. The company
wants to have the flexibility to assign different password policies for
specific users. The company also wants to automate the configuration of
security settings as much as possible.
Note: Some of the tasks in this lab are designed to illustrate GPO management
techniques and settings, and may not always follow best practices.
You also will configure a local policy on the Windows Vista client that enables the
local Administrator account, and prohibits access to the Run menu for Non-
Administrators.
Then you will create a wireless network policy for Windows Vista that creates a
profile for the Corp wireless network. This profile will define 802.1x as the
authentication method. This policy also will deny access to a wireless network
named Research.
Finally, you will configure a policy to prevent the Remote Registry service from
running on any domain controller.
The main tasks in this exercise are:
1. Start the virtual machine, and log on as Administrator.
2. Create an account policy for the domain.
3. Configure local policy settings for a Windows Vista client.
4. Create a wireless network GPO for Windows Vista clients.
5. Configure a GPO that prohibits a service on all domain controllers.
Result: At the end of this exercise, you will have configured account and security
policy settings.
You will create a fine-grained password policy to enforce these policies for the IT
Admins global group.
The main tasks are as follows:
1. Create a PSO using ADSI Edit.
2. Assign the ITAdmin PSO to the IT Admins global group.
Result: At the end of this exercise, you will have implemented fine-grained
password policies.
Result: At the end of this exercise, you will have configured restricted groups and
software restriction policies.
Task 1: Create a security template for the file and print servers
1. Create a new MMC, and then add the snap-in for Security Templates.
2. Expand Security Templates, right-click
C:\Users\Administrators\Documents\Security\Templates, and then click
New Template.
3. Name the template FPSecurity.
4. Navigate to Local Polices, and then Security Options. Define the Accounts:
Rename administrator account with the value FPAdmin.
5. Set the Interactive Logon: Do not display last user name to be Enabled.
6. In the folder pane, right-click FPSecurity, and then click Save.
7. Close the MMC without saving the changes.
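Task 1 done from the command line, with two additions the lesson text leads to. This is an added example, not a procedure from the 6425A courseware or Microsoft sample code: the FPSecurity template is written as a security-template .inf, a Restricted Groups entry for the Helpdesk group is added in the "Member of" form that leaves the Domain Admins in the local Administrators group (the lockout described in the question on page 7-21 comes from using the other form), the template is applied and then re-checked with secedit, and finally the saved SCW policy from Task 3 is converted to a GPO with scwcmd. The NetBIOS domain name WOODGROVEBANK, the group Helpdesk and the GPO name "FP Server Security" are assumptions; the FPPolicy.xml path is the one Task 3 uses.

```powershell
# Added example (not from the 6425A courseware). Run in an elevated PowerShell
# session on the file and print server. Assumptions: domain WOODGROVEBANK with a
# global group named Helpdesk; GPO name "FP Server Security" is made up here.

$templateDir = Join-Path ([Environment]::GetFolderPath("MyDocuments")) "Security\Templates"
New-Item -ItemType Directory -Path $templateDir -Force | Out-Null
$inf = Join-Path $templateDir "FPSecurity.inf"

# Security templates are Unicode .inf files with the sections below.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; Accounts: Rename administrator account
NewAdministratorName = "FPAdmin"
[Registry Values]
; Interactive logon: Do not display last user name = Enabled (4 = REG_DWORD, value 1)
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
[Group Membership]
; "This group is a member of": ADDS Helpdesk to Administrators (S-1-5-32-544)
; and leaves every existing member, Domain Admins included, in place.
WOODGROVEBANK\Helpdesk__Memberof = *S-1-5-32-544
; Do NOT write  *S-1-5-32-544__Members = WOODGROVEBANK\Helpdesk  instead: the
; "Members of this group" form is authoritative and evicts everyone not listed.
'@ | Set-Content -Path $inf -Encoding Unicode

# Apply only the areas the template defines, into a fresh local database.
$db  = Join-Path $env:TEMP "FPSecurity.sdb"
$log = Join-Path $env:TEMP "FPSecurity.log"
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY GROUP_MGMT /log $log /quiet

# Drift check: compare the live machine with the template; differences go to the log.
secedit /analyze /db $db /cfg $inf /log (Join-Path $env:TEMP "FPSecurity-analyze.log")

# Confirm who is in the local Administrators group after the policy ran.
([ADSI]"WinNT://./Administrators,group").psbase.Invoke("Members") |
    ForEach-Object { $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) }

# Task 3 wraps this template into an SCW policy through the wizard. Once that XML
# exists it can be checked against the server and turned into a GPO from the prompt.
$policy = "C:\Windows\security\msscw\policies\FPPolicy.xml"
scwcmd analyze /p:$policy /o:$env:TEMP                 # report only, writes an XML result file
scwcmd transform /p:$policy /g:"FP Server Security"    # new unlinked GPO; link it in GPMC
```

secedit /analyze is the command-line equivalent of the Security Configuration and Analysis snap-in and is worth scheduling on servers that are not in a GPO scope: the log lists every setting that no longer matches the template. scwcmd transform is the way to deliver an SCW policy through Group Policy, which is what the Key Points on page 7-30 describe as the overlap between the two tools.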
Task 2: Start NYC-SVR1, join the domain, and disable the Windows
Firewall
1. Start NYC-SVR1 and log on as LocalAdmin with the password Pa$$w0rd.
2. Join NYC-SVR1 to the WoodgroveBank.com domain.
3. Restart the computer, and log on as Administrator.
4. Disable the Windows Firewall.
Note: This step is performed to simplify the lab and is not a recommended practice.
14. On the Security Policy File Name screen, type FPPolicy at the end of the
C:\Windows\security\msscw\policies\ path.
15. Click Include Security Templates, and then click Add.
16. Add the Documents\Security\Templates\FPSecurity policy.
17. On the Apply Security Policy screen, click Apply Now, and then click Next.
18. On the Applying Security Policy screen, click Next, and then click Finish.
Result: At the end of this exercise, you will have configured security templates.
Task 4: Use Group Policy modeling to test the settings on the file and
print server
1. Open the GPMC, and then launch the Group Policy Modeling Wizard.
2. Accept all the defaults except on the User and Computer Selection window.
3. Click Computer, and then type Woodgrovebank\NYC-SVR1.
4. After completing the wizard, observe the policy settings.
Result: At the end of this exercise, you will have verified the security
configuration.
• Network security policies can control wired configuration for Windows Vista
and later.
• Windows Firewall supports outbound rules.
• Network awareness can automatically determine your firewall profile.
• Firewall settings and IPsec settings are now integrated.
• Fine-grained passwords allow different users or global groups to have different
account policies.
• Fine-grained policies are not delivered through Group Policy.
• Fine-grained policies must be created using ADSIedit or LDIFDE.
• Both domain and local group membership can be controlled through Group
Policy.
• Access to software can be controlled through Group Policy.
• Local administrators can be exempted from software restrictions.
• There are four rule types to control access to software.
• Security templates can be used to provide a consistent set of security settings.
• The Security Configuration Wizard can be used to assist in creating security
policies.
• Preferences can replace many of the functions of logon scripts.
• Preferences are applied once, but are not enforced and can be modified by
users.
• Preferences can be set to be refreshed on the same schedule as Group Policy.
• Preferences can be targeted to objects.
Review Questions
1. You want to place a software restriction policy on a new type of executable file.
What must you do before you can create a rule for this executable code?
2. What setting must you configure to ensure that users are only allowed 3
invalid logon attempts?
3. You want to provide consistent security settings for all client computers in the
organization. The computer accounts are scattered across multiple OUs. What
is the best way to provide this?
4. An administrator in your organization has accidentally modified the Default
Domain Controller Policy. You need to restore the policy to its original default
settings. How would you accomplish this?
Implementing an Active Directory Domain Services Monitoring Plan 8-1
Module 8
Implementing an Active Directory Domain
Services Monitoring Plan
Contents:
Lesson 1: Monitoring AD DS Using Event Viewer 8-3
Lesson 2: Monitoring Active Directory Domain Servers Using Reliability
and Performance Monitor 8-10
Lesson 3: Configuring AD DS Auditing 8-19
Lab: Monitoring AD DS 8-25
Module Overview
Lesson 1:
Monitoring AD DS Using Event Viewer
Key Points
One of the first places you should turn to when troubleshooting problems in
Microsoft Windows is the Event Viewer. A number of new features are built into
the Event Viewer for Windows Vista® and Windows Server® 2008.
Event Viewer is rewritten completely with a new user interface that makes it easier
to filter and sort events, and control which events are logged. Additionally, you
now can perform some basic diagnostic tasks from within Event Viewer. Event
Viewer also provides many new logs files.
Additional Reading
• Microsoft Technet article: Event Viewer
• Microsoft Technet article: Online Event Information
Question: You have an issue with Group Policy. What log should you view for
detailed Group Policy events?
AD DS Logs
Key Points
The System and Application logs still provide general information and log events
from many areas, but the Event Viewer now provides a wide range of application
and service logs. These logs can provide granular information about Active
Directory Domain Services (AD DS), and other services like Group Policy, offline
files, Windows Update client, and many others.
Key Points
Custom views are filters that are named and saved. After creating and saving a
custom view, you are able to reuse it without recreating its underlying filter. To
reuse a custom view, navigate to the Custom Views category in the console tree,
and select the custom view’s name. By selecting the custom view, you apply the
underlying filter, and the results are displayed. You can import and export custom
views, enabling you to share them between users and computers.
Additional Reading
• Microsoft Technet article: Create a Custom View
Key Points
Event Viewer enables you to view events on a single remote computer. However,
troubleshooting an issue might require you to examine a set of events stored in
multiple logs on multiple computers. Event Viewer provides the ability to collect
copies of events from multiple remote computers, and store them locally. To
specify which events to collect, you create an event subscription. Once a
subscription is active and events are being collected, you can view and manipulate
these forwarded events as you would any other locally stored events.
Additional Reading
• Microsoft Technet article: Event Subscriptions
• Microsoft Technet article: Configure Computers to Forward and Collect Events
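The custom view from page 8-7 and the subscription from this page, as an added example that is not part of the 6425A courseware or a Microsoft sample. The first part turns a saved filter into a function that runs the same XPath query locally or on several computers; the second part creates a collector-initiated subscription with wecutil so the same events arrive in one Forwarded Events log. The collector NYC-DC2, the source NYC-DC1, the domain woodgrovebank.com, the subscription name and the choice of events (deleted user accounts, Security event 4726, plus Directory Service log errors and warnings) are assumptions for the example; the subscription XML follows the format documented for wecutil.

```powershell
# Added example (not from the 6425A courseware). Assumptions: collector NYC-DC2 and
# source NYC-DC1 in woodgrovebank.com; run the subscription part on the collector.

# A custom view is a saved filter. This <QueryList> is the syntax Event Viewer
# stores for one, so it can also be pasted into the XML tab of Create Custom View.
$adQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4726)]]</Select>
  </Query>
  <Query Id="1" Path="Directory Service">
    <Select Path="Directory Service">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
"@

# Run the same filter on one or more computers (the remote side needs the
# "Remote Event Log Management" firewall exception).
function Get-AdCustomViewEvents {
    param([string[]]$ComputerName = @($env:COMPUTERNAME), [int]$MaxEvents = 50)
    foreach ($c in $ComputerName) {
        Get-WinEvent -ComputerName $c -FilterXml ([xml]$adQuery) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object MachineName, TimeCreated, LogName, Id, LevelDisplayName, Message
    }
}
Get-AdCustomViewEvents -ComputerName "NYC-DC1", "NYC-DC2" | Format-Table -AutoSize

# Event subscription, run on the collector. "wecutil qc" enables the Windows Event
# Collector service (delayed auto start) and the ForwardedEvents log; each source
# needs "winrm quickconfig" and the collector's computer account in its local
# Event Log Readers group.
wecutil qc /q
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/08/ForwardedEvents">
  <SubscriptionId>AD-Security</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Deleted accounts and Directory Service problems from the DCs</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[$adQuery]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>NYC-DC1.woodgrovebank.com</Address></EventSource>
  </EventSources>
</Subscription>
"@
$subFile = Join-Path $env:TEMP "AD-Security.xml"
Set-Content -Path $subFile -Value $subscription -Encoding UTF8
wecutil cs $subFile
wecutil gr AD-Security     # runtime status: which sources are connected and the last error
```

Forwarded events land in the collector's Forwarded Events log with the source computer recorded in MachineName, so the same custom view filter can be reused against that one log instead of querying each server.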
Question: You want to monitor a particular group of events across multiple Web
servers. What is the best way to accomplish this?
Lesson 2:
Monitoring Active Directory Domain Servers
Using Reliability and Performance Monitor
Key Points
The Windows Reliability and Performance Monitor enables you to track the
performance impact of applications and services, and to generate alerts or take
action when user-defined thresholds for optimum performance are exceeded. The
Windows Reliability and Performance Monitor provides the features outlined
below.
• Resource view
• Reliability Monitor
• Data Collector Sets
• Track applications and services performance
• Wizards and templates for creating logs
• Generate alerts and take action when thresholds are reached
• Generate reports
• Access to Reliability and Performance Monitor
Additional Reading
• Microsoft Technet article: Windows Reliability and Performance Monitor
Question: Where can you find real-time information about network activity?
Key Points
Monitoring the distributed AD DS service and the services that it relies upon helps
maintain consistent directory data and the necessary level of service throughout
the forest. You can monitor important indicators to discover and resolve minor
problems before they develop into potentially lengthy service outages.
In addition to the normal baseline counters that you monitor for all servers, there
are objects and dozens of counters that are specific to AD DS.
Additional Reading
• Microsoft Technet article: Monitoring Active Directory
Key Points
A computer’s baseline is a measure of specified resource behavior during normal
activity that indicates how the resource, or a collection of system resources,
performs. This information is then compared to later activity, to monitor system
usage and system response to changing conditions.
Additional Reading
• Microsoft Technet article: Deploying Active Directory for Branch Office
Environments, Chapter 9 - Post Deployment Monitoring of Domain
Controllers
Key Points
A system’s reliability is the measure of how often it deviates from configured,
expected behavior. The Reliability Monitor calculates a System Stability Index that
reflects whether unexpected problems reduced the system’s reliability. A graph of
the Stability Index over time quickly identifies dates when problems began to
occur.
Question: You want to see a historical record of software that has been added or
removed from the computer. Where would you find that information?
Additional Reading
• Microsoft Technet article: Windows Vista Performance and Reliability
Monitoring Step-by-Step Guide
Key Points
A new feature in Windows Reliability and Performance Monitor is the Data
Collector Set, which groups data collectors into reusable elements for use with
different performance monitoring scenarios.
Question: You want to create an alert to notify you when free disk space is low.
How would you create one?
Additional Reading
• Microsoft Technet article: Creating Data Collector Sets
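The AD DS counters (page 8-14), the baseline (page 8-15) and the Data Collector Set and alert from this page, together as an added example that is not from the 6425A courseware or a Microsoft sample. It creates the "Active Directory" Data Collector Set the lab uses from the command line with logman, samples three NTDS counters and compares them with a baseline, and registers an alert for low free disk space. It assumes an elevated session on a domain controller; the baseline numbers, the 2x tolerance and the C:\PerfLogs\AD path are constructed for the example, not figures from the page.

```powershell
# Added example (not from the 6425A courseware). Run elevated on a domain controller.
# Baseline values below are constructed for illustration, not measured figures.

# (1) The "Active Directory" Data Collector Set from the lab, created with logman:
#     all NTDS counters plus two system counters, sampled every 15 s into a binary
#     log. Running the same command on every DC yields identical logs everywhere.
logman create counter "Active Directory" -c "\NTDS\*" "\Processor(_Total)\% Processor Time" "\Memory\Available MBytes" -si 00:00:15 -f bin -o "C:\PerfLogs\AD\System Monitor Log"
logman start "Active Directory"
# logman stop "Active Directory"      # once enough data has been gathered

# (2) Compare live samples with a baseline. The baseline is what the counters did
#     during normal operation; a sustained value well above it (here 2x) is the
#     signal to look at replication or LDAP load before it turns into an outage.
$baseline = @{
    "\NTDS\DRA Pending Replication Synchronizations" = 2
    "\NTDS\LDAP Searches/sec"                         = 150
    "\NTDS\DS Threads in Use"                         = 6
}

function Compare-ToBaseline {
    param([hashtable]$Baseline, [int]$Samples = 6, [int]$IntervalSeconds = 5, [double]$Tolerance = 2.0)
    $sets = Get-Counter -Counter ([string[]]$Baseline.Keys) -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $samples = $sets | ForEach-Object { $_.CounterSamples }
    foreach ($name in $Baseline.Keys) {
        # CounterSamples.Path is machine-qualified (\\host\ntds\...), so match on the tail.
        $vals = $samples | Where-Object { $_.Path -like "*$name" } | ForEach-Object { $_.CookedValue }
        $avg  = [double](($vals | Measure-Object -Average).Average)
        $status = if ($avg -gt ($Baseline[$name] * $Tolerance)) { "ABOVE BASELINE" } else { "ok" }
        [pscustomobject]@{ Counter = $name; Baseline = $Baseline[$name]; Average = [math]::Round($avg, 1); Status = $status }
    }
}
Compare-ToBaseline -Baseline $baseline | Format-Table -AutoSize

# (3) Alert data collector for the question above: checked every minute, raised
#     when free space on C: falls below 10 %. The alert is logged through the
#     Diagnosis-PLA event provider, so it can be watched in Event Viewer or forwarded.
logman create alert "Low Disk Space" -th "\LogicalDisk(C:)\% Free Space<10" -si 00:01:00
logman start "Low Disk Space"
```

NTDS counters exist only on domain controllers; on a member server Get-Counter reports those paths as invalid. The comparison function is deliberately simple so that the baseline table can be replaced with averages read from the binary log that the Data Collector Set produced, which is the normal source of a baseline.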
Demonstration: Monitoring AD DS
Question: What is the easiest way to log the same set of data across multiple
computers?
Lesson 3:
Configuring AD DS Auditing
In any secure environment, you should actively monitor AD DS. As part of your
overall security strategy, you should determine the level of auditing appropriate for
your environment. Auditing should identify actions, whether successful or not, that
modified or attempted to modify Active Directory objects.
What Is AD DS Auditing?
Key Points
An audit log records an entry whenever users perform certain specified actions. For
example, modifying an object or a policy can trigger an audit entry that shows the
action that was performed, the associated user account, and the date and time of
the action. You can audit both successful and failed attempts at actions.
Before you implement auditing policy, you must decide which event categories you
want to audit. The auditing settings that you choose for the event categories define
your auditing policy. On member servers and workstations that are joined to a
domain, auditing settings for the event categories are by default undefined. On
domain controllers, some auditing is turned on by default.
Additional Reading
• Microsoft Technet article: Windows Server "Longhorn" Beta 3 Auditing AD DS
Changes Step-by-Step Guide
• Microsoft Support: How to use Group Policy to configure detailed security
auditing settings for Windows Vista-based and Windows Server 2008-based
computers in a Windows Server 2008 domain, in a Windows Server 2003
domain, or in a Windows 2000 domain
• Microsoft Technet article: Auditpol Set
Key Points
While the Directory Service Access category still provides information about all the
events that occur in the directory, and is enabled by default, more detailed
information can be delivered from the subcategories.
Question: You want to track details about any modifications made to Active
Directory objects for a particular organizational unit (OU) and any child OUs.
Which ACE should you set to capture that information?
Additional Reading
• Microsoft Technet article: Windows Server 2008 Auditing AD DS Changes
Step-by-Step Guide
Question: How would you enable the tracking of failure events for the Directory
Service Changes subcategory?
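The two halves of AD DS change auditing, the subcategory policy and the SACL on the objects, carried through as an added example that is not from the 6425A courseware or a Microsoft sample. It enables the Directory Service Changes subcategory for success and failure with auditpol, places an audit ACE on an OU that is inherited by every object in it and in its child OUs, and then reads the resulting Security events. It assumes a Domain Admin session on a Windows Server 2008 domain controller; the OU name OU=IT,DC=woodgrovebank,DC=com is chosen for the example.

```powershell
# Added example (not from the 6425A courseware). Assumptions: run as a Domain Admin
# on a Windows Server 2008 DC; OU=IT,DC=woodgrovebank,DC=com is a made-up OU.

# 1. Subcategory-level policy. Subcategories are only reachable through auditpol;
#    the Group Policy UI of this release stops at the DS Access category.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /get /category:"DS Access"

# 2. Audit ACE: "Write all properties" for Everyone, success and failure, inherited
#    by every descendant object. Without this SACL nothing is logged even though the
#    policy above is on, because AD DS only audits objects that ask for it.
Add-Type -AssemblyName System.DirectoryServices
$ouDn = "OU=IT,DC=woodgrovebank,DC=com"
$ou = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ouDn")
# Fetch and write only the SACL part of the security descriptor (needs SeSecurityPrivilege,
# which Domain Admins hold on domain controllers).
$ou.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$ace = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    ([System.Security.AccessControl.AuditFlags]::Success -bor [System.Security.AccessControl.AuditFlags]::Failure),
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$ou.psbase.ObjectSecurity.AddAuditRule($ace)
$ou.psbase.CommitChanges()

# 3. Read the change events: 5136 = attribute modified, 5137 = object created,
#    5139 = object moved, 5141 = object deleted. A modification produces two 5136
#    events, one carrying the old value ("Value Deleted") and one the new value.
function Get-DsChangeEvents {
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 5136, 5137, 5139, 5141 } -MaxEvents $MaxEvents |
        Select-Object TimeCreated, Id, Message
}
Get-DsChangeEvents | Format-List
```

Everyone with Write all properties is the broad form and can be noisy on a busy OU; restricting the identity to the groups that are allowed to administer the OU, or using the ActiveDirectoryAuditRule constructor that takes an attribute GUID to audit only specific attributes, narrows the SACL without losing the old-and-new-value detail of 5136.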
Lab: Monitoring AD DS
Scenario
Woodgrove Bank has completed their deployment of AD DS. As the AD DS
administrator, you must monitor AD DS availability and performance. The server
administrator has provided a monitoring plan that includes service availability,
performance, and Event log monitoring components. Using Performance and
Reliability Monitoring, Event Viewer, and other tools, you will monitor AD DS
domain controllers.
Task 4: Right-click Custom Views and then click Create Custom View
1. Log on to NYC-DC2 as Administrator with the password Pa$$w0rd.
2. Launch Event Viewer from the Administrative Tools folder.
3. Right-click Custom Views, and then click Import Custom View.
4. Import the custom view from \\NYC-DC1\Data\Active Directory.xml.
Note: Actual events may take a few minutes to show up in the Forwarded Events log.
Start and stop the DNS service again if required.
Note: The message box may be hidden behind the Event Viewer window. Look for it on
the task bar.
Result: At the end of this exercise, you will have monitored AD DS using Event
Viewer.
4. Expand Data Collector Sets, expand User Defined, right-click the Active
Directory data collector set, and then click Start.
5. Expand Reports, expand User Defined, expand Active Directory, and then
click System Monitor Log.blg. The Report Status shows that the log is
collecting data.
6. Right-click the Active Directory data collector set, and then click Stop.
7. Click the System Monitor Log.blg. The chart of the log is displayed in the
details pane.
Result: At the end of this exercise, you will have monitored AD DS using
Performance and Reliability Monitor.
Result: At the end of this exercise, you will have configured AD DS Auditing.
Review Questions
1. What kinds of events are logged in the Setup log?
2. For what event ID would you filter to see deleted user accounts?
3. What service must you enable on computers collecting subscription events
from remote computers?
4. Where can you get up to date information about event IDs?
5. Where can you get historical information about application failures?
6. The NTDS\DRA Pending Replication Synchronizations counter is now
consistently higher than the established baseline value for that counter. What
might this indicate?
7. You want to view all the occurrences of a particular event ID across multiple
logs. What is the best way to accomplish this?
• The Directory Service Changes subcategory provides old and new values when
attributes are modified.
• You must use Auditpol.exe to configure subcategories.
• SACLs must be set on objects to allow auditing before any results can be
collected.
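As an added example that is not part of the course, the script below puts these three points into practice on a Windows Server 2008 domain controller: it enables the subcategory with Auditpol.exe, adds the SACL entry without which nothing is logged, and reads the resulting Security log events back. The OU is the lab's ITAdmins OU in woodgrovebank.com; the function name and the one-hour window are this example's own choices, and Get-WinEvent assumes PowerShell 2.0.

```powershell
# Added example, not part of the course material. Run elevated on a domain controller.
# Requires PowerShell 2.0 for Get-WinEvent.

$OU = 'OU=ITAdmins,DC=woodgrovebank,DC=com'   # OU and domain from the lab; adjust to yours

# 1. Subcategory: Auditpol.exe is required; the legacy "Audit directory service access"
#    policy cannot enable Directory Service Changes on its own.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /get /subcategory:"Directory Service Changes"   # confirm the setting took

# 2. SACL: audit successful attribute writes by Everyone on the OU and everything below it.
#    Without this entry the policy above produces no events at all.
$entry = [ADSI]"LDAP://$OU"
$entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl  # touch only the SACL
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList `
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'), `
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, `
    [System.Security.AccessControl.AuditFlags]::Success, `
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$entry.psbase.ObjectSecurity.AddAuditRule($rule)
$entry.psbase.CommitChanges()

# 3. Read back what the subcategory produced. 5136 = attribute modified (a modify
#    produces a pair: one event with the old value deleted, one with the new value added),
#    5137 = object created, 5141 = object deleted.
function Get-DirectoryChangeEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Subject   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object    = $data['ObjectDN']
            Attribute = $data['AttributeLDAPDisplayName']   # only present in 5136
            Value     = $data['AttributeValue']             # only present in 5136
        }
    }
}
Get-DirectoryChangeEvents -Hours 1 | Format-Table Time, EventId, Subject, Object, Attribute, Value -AutoSize
```

Changing an attribute on a user in the ITAdmins OU after running this should produce two 5136 rows, one carrying the old value and one the new, which is the "old and new values" behaviour the first bullet describes.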
Module 9
Implementing an Active Directory Domain
Services Maintenance Plan
Contents:
Lesson 1: Maintaining the AD DS Domain Controllers 9-3
Lesson 2: Backing Up Active Directory Domain Services 9-14
Lesson 3: Restoring AD DS 9-18
Lab: Implementing an AD DS Maintenance Plan 9-28
Module Overview
Lesson 1:
Maintaining the AD DS Domain Controllers
Key Points
The AD DS database engine, ESE, stores all of the AD DS objects. The ESE uses
transactions and log files to ensure the AD DS database’s integrity.
Additional Reading
• Microsoft Technet article: How the Data Store Works
Key Points
The key points of the AD DS data-modification process are as follows:
• A transaction is a set of changes made to the AD DS database and the
associated metadata.
• The basic data modification process consists of six steps:
1. The write request initiates a transaction.
2. AD DS writes the transaction to the transaction buffer in memory.
3. AD DS writes the transaction in the transaction log.
4. AD DS writes the transaction from the memory buffer to the database.
5. AD DS compares the database and log files to ensure that the transaction
was committed to the database.
6. AD DS updates the checkpoint file.
Questions:
What other Microsoft services use a transactional model for making database
changes?
Additional Reading
• Microsoft Technet article: How the Data Store Works
Key Points
Ntdsutil.exe is a command-line tool that you can use to manage AD DS. You can
perform many maintenance tasks that cannot be done in the graphical user
interface (GUI), including offline database defragmentation, moving the database
and its transaction logs, removing and restoring deleted objects from AD DS, seizing
operations master (also known as flexible single master operations or FSMO)
roles, and managing snapshots of the database. You also can include these
commands in a batch file.
Question: You have forgotten the directory services restore-mode password for
your domain controller. How can you recover the password?
Additional Reading
• NTDSUtil Help
• Data Store Tools and Settings
Key Points
Over time, fragmentation occurs as records in the AD DS database are deleted and
new records are added or expanded. When records become fragmented, the
computer must search the disk to find and reassemble all of the pieces each time
the database is opened. If many changes are made to the AD DS database,
fragmentation can slow its performance.
Question: How often will you need to perform an offline defragmentation of your
AD DS databases in your environment?
Additional Reading
• Performing offline defragmentation of the AD DS database
• Data Store Tools and Settings
Key Points
AD DS in Windows Server 2008 can be stopped and restarted while the machine is
booted up. In previous versions, if an administrator wanted to start a domain
controller without loading AD DS, the server had to be rebooted into Active
Directory Restore Mode. This would start the server as a stand-alone server,
without AD DS. You then could perform offline maintenance tasks, such as an
offline defragmentation, or moving the database and log files. With Windows
Server 2008, the directory service can be taken offline while the machine is
running, with minimal disruption to other services.
Additional Reading
• AD DS: Restartable AD DS Domain Services
• Windows Server 2008 Technical Library
Demonstration steps
To perform these steps, you must be a member of the built-in Administrators
group on the domain controller.
1. Stop AD DS.
2. Open a command prompt.
3. Start ntdsutil.
4. At the ntdsutil: prompt, type Activate Instance NTDS, and then press ENTER.
5. At the ntdsutil: prompt, type files, and then press ENTER.
6. Compact the database, using a temporary directory for the new ntds.dit.
7. Overwrite the old ntds.dit with the new compacted version, and then delete
any log files (*.log) in the %systemroot%\NTDS\ folder.
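The seven demonstration steps above, scripted as an added example that is not the course's own demonstration. It relies on restartable AD DS instead of a reboot into Directory Services Restore Mode, keeps a copy of the original ntds.dit until the compacted file passes ntdsutil's integrity check, and restarts the services that stopping NTDS took down. It assumes the default %systemroot%\NTDS paths; the two working folders are this script's own choices, and the real paths should be confirmed with ntdsutil's files info first.

```powershell
# Added example, not part of the course material. Run in an elevated PowerShell on the DC.
# Paths are the Windows Server 2008 defaults; $TempDir and $BackupDir are this script's own choices.

$NtdsDir   = "$env:SystemRoot\NTDS"
$TempDir   = 'C:\NTDS-Compact'   # assumption: needs free space of at least the current ntds.dit size
$BackupDir = 'C:\NTDS-Backup'    # assumption: where the original file is kept until the new one is verified
New-Item -ItemType Directory -Path $TempDir, $BackupDir -Force | Out-Null

# Step 1: stop AD DS in place. -Force also stops dependent services (DNS, KDC, Netlogon,
# FRS/DFS-R); remember which were running so they can be restarted afterwards.
$dependents = @((Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' })
Stop-Service -Name NTDS -Force

# Steps 2-6: ntdsutil accepts its menu commands as arguments, so the compaction runs
# non-interactively. The compacted copy is written to $TempDir; the original is untouched.
ntdsutil "activate instance ntds" files "compact to $TempDir" quit quit
if (-not (Test-Path "$TempDir\ntds.dit")) {
    Start-Service -Name NTDS
    throw "Compaction produced no $TempDir\ntds.dit; AD DS restarted on the original database."
}

# Step 7: keep the old file, swap in the compacted one, and remove the old transaction logs
# (they belong to the old database and would not match the new one).
Copy-Item -Path "$NtdsDir\ntds.dit" -Destination "$BackupDir\ntds.dit" -Force
Copy-Item -Path "$TempDir\ntds.dit" -Destination "$NtdsDir\ntds.dit" -Force
Remove-Item -Path "$NtdsDir\*.log" -Force

# Check the new file before bringing the service back; roll back if ntdsutil does not
# report a clean integrity check.
$check = ntdsutil "activate instance ntds" files integrity quit quit 2>&1
if (($check -join "`n") -notmatch 'Integrity check successful') {
    Copy-Item -Path "$BackupDir\ntds.dit" -Destination "$NtdsDir\ntds.dit" -Force
    throw 'Integrity check failed; original ntds.dit restored. Restore the logs from backup before starting AD DS.'
}

# Restart AD DS and the services that were stopped with it.
Start-Service -Name NTDS
$dependents | ForEach-Object { Start-Service -Name $_.Name }
```

The integrity check is the step the demonstration leaves out; running it while the service is still stopped costs a few minutes and is the only point at which the original file can still be put back without a restore from backup.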
Questions:
Additional Reading
• Compact the directory database file (offline defragmentation)
Key Points
As part of a comprehensive security plan, you can increase a domain controller’s
security by removing all unnecessary services and features. This both reduces the
attack surface and improves performance.
Additional Reading
• Security Configuration Wizard Overview
Lesson 2
Backing Up Active Directory Domain Services
Introduction to Backing Up AD DS
Key Points
You can use Windows Server Backup to back up AD DS. Windows Server Backup
is not installed by default. You must install it using Add Features in Server Manager
before you can use the Wbadmin.exe command-line tool or Backup tool in
Administrative Tools.
Question: What other process could you use to back up the system state data on a
domain controller?
Additional Reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery
Key Points
Windows Server Backup is the new backup utility that Windows Server 2008
provides. To use Windows Server Backup, you must install it as a feature. If you
want to use the Windows Server Backup command-line tools, you also must install
the Windows PowerShell feature.
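An added example, not from the course, of the command-line path this lesson mentions: installing the feature with ServerManagerCmd.exe, then taking a system state backup and the system volume backup from the lab scenario with Wbadmin.exe and verifying that both are catalogued. The backup target volume letter is an assumption.

```powershell
# Added example, not part of the course material. Run elevated on the domain controller.

$Target = 'E:'   # assumption: a dedicated backup volume, not one that holds ntds.dit, SYSVOL or the OS

# 1. Install Windows Server Backup (not present by default). Backup-Features installs
#    both the snap-in and Wbadmin.exe.
ServerManagerCmd.exe -install Backup-Features

# 2. System state only: on a DC this covers ntds.dit, the transaction logs, SYSVOL, the
#    registry and the boot files, which is what a nonauthoritative or authoritative restore needs.
wbadmin start systemstatebackup -backupTarget:$Target -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin exited with $LASTEXITCODE; check the Backup log under Applications and Services Logs"
}

# 3. Full system volume backup as in the lab scenario; -allCritical adds every volume that
#    holds system state so the set can also be used for a bare-metal recovery.
wbadmin start backup -backupTarget:$Target -allCritical -quiet

# 4. Verify: every completed backup must appear in the catalog for the target volume.
wbadmin get versions -backupTarget:$Target

# 5. A daily schedule at 02:00 of the system volume. On Windows Server 2008 the scheduled
#    target is a disk identifier from "wbadmin get disks", not a drive letter:
#   wbadmin get disks
#   wbadmin enable backup -addtarget:{disk-identifier-from-get-disks} -schedule:02:00 -include:C: -quiet
```

The version identifiers printed by wbadmin get versions are what a later systemstaterecovery is addressed to, so keeping that output with the backup record saves searching for it in Directory Services Restore Mode.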
Additional Reading
• Windows Server 2008 Technical Library
Demonstration: Backing Up AD DS
Questions:
How often should a full backup be performed? How often should an incremental
or differential backup be performed?
Additional Reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery
Lesson 3
Restoring AD DS
Overview of Restoring AD DS
Key Points
In Windows Server 2008, you have several options available for restoring AD DS.
The option that you choose depends on the disaster recovery scenario that you
need to address.
Additional Reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery
Key Points
You can use a backup to perform a nonauthoritative restore of a domain controller.
A nonauthoritative restore returns the directory service to its state at the time that
the backup was created. After the restore operation completes, AD DS replication
updates the domain controller with changes that have occurred since the time that
the backup was created. In this way, the domain controller is recovered to a
current state.
Question: What would happen if you did not enter the second bcdedit command
after restoring the AD DS database?
Additional reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery
Key Points
An authoritative restore provides a method to recover objects and containers that
have been deleted from AD DS. When an object is marked for authoritative restore,
its version number is changed so that it is higher than the existing version number
of the (deleted) object in the AD DS replication system. This change ensures that
any data that you restore authoritatively is replicated from the restored domain
controller to the forest’s other domain controllers.
Question: What would happen if you did not enter the second bcdedit command
after restoring the AD DS database?
Additional Reading
• Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain
Services Backup and Recovery
• Performing an Authoritative Restore of Active Directory Objects
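The nonauthoritative and authoritative restores described on these two pages, written out as an added example runbook that is not the course's demonstration. It follows the sequence the question about the second bcdedit command refers to: boot into Directory Services Restore Mode, restore the system state nonauthoritatively with Wbadmin.exe, mark the subtree authoritative with Ntdsutil.exe, then clear the boot setting. The OU is the BranchManagers OU from this module's lab; the backup volume, the version identifier and the location of ntdsutil's .ldf output are placeholders or assumptions.

```powershell
# Added example, not part of the course material. Three phases separated by reboots;
# run each phase elevated on the domain controller being restored.

$BackupTarget = 'E:'                          # assumption: volume holding the system state backup
$Version      = 'MM/DD/YYYY-HH:MM'            # PLACEHOLDER: version identifier from "wbadmin get versions"
$Subtree      = 'OU=BranchManagers,DC=woodgrovebank,DC=com'   # OU from the lab trouble ticket

# ---- Phase 1 (normal mode): make the next boot a Directory Services Restore Mode boot.
bcdedit /set safeboot dsrepair
# Restart-Computer -Force

# ---- Phase 2 (DSRM, logged on as .\Administrator with the DSRM password)
# 2a. Nonauthoritative restore: puts the whole directory back to the state in the backup.
#     Left alone, replication would now bring the deletion straight back from the other DCs.
wbadmin get versions -backupTarget:$BackupTarget
wbadmin start systemstaterecovery -version:$Version -backupTarget:$BackupTarget -quiet
# 2b. Before rebooting, raise the version numbers of the deleted subtree so the restored
#     copies win against the tombstones on the other DCs and replicate outward.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $Subtree" quit quit
# 2c. The second bcdedit command. Without it the DC keeps booting into DSRM, AD DS never
#     starts, and the restored objects are never replicated to anyone.
bcdedit /deletevalue safeboot
# Restart-Computer -Force

# ---- Phase 3 (normal mode): confirm the restored objects carry new version metadata and
#      re-import the group memberships (back-links) that ntdsutil wrote to an .ldf file.
#      Assumption: ntdsutil was run from an elevated prompt whose working directory is System32.
repadmin /showobjmeta . $Subtree
Get-ChildItem -Path "$env:SystemRoot\System32\ar_*_links_*.ldf" | ForEach-Object {
    ldifde -i -k -f $_.FullName
}
```

Phase 2b is what turns the restore from nonauthoritative into authoritative: the restored data is identical either way, only the version numbers differ, and that is what decides whether the restored DC or its replication partners win.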
Key Points
The Database Mounting Tool (Dsamain.exe) allows administrators to view and
compare data in database snapshots (backups) without having to restore those
backups. This saves on downtime, and speeds the domain-recovery process.
Additional Reading
• AD DS: Database Mounting Tool
• Step-by-Step Guide for Using the Active Directory Database Mounting Tool in
Windows Server 2008 Beta 3
Demonstration Steps
To perform this procedure, you must be logged on to a domain controller as a
member of either the Enterprise Admins group or the Domain Admins group.
1. Start a command prompt in administrative privilege.
2. At the command prompt, type ntdsutil and then press ENTER.
3. At the ntdsutil prompt, type snapshot and then press ENTER.
4. At the snapshot prompt, type activate instance ntds and then press ENTER.
5. At the snapshot prompt, type create and then press ENTER. The command
returns the following output: Snapshot set {GUID} generated successfully.
6. At the snapshot prompt, type mount {GUID}. The mounted snapshot will
appear in the file system.
Note: Be sure to include the curly braces around your GUID.
Questions:
Why is it necessary to specify different LDAP, SSL and GC ports for each mounted
instance of the database?
Additional Reading
• Step-by-Step Guide for Using the Active Directory Database Mounting Tool in
Windows Server 2008 Beta 3
Key Points
A tombstoned object is one that is marked as deleted in AD DS. When an
administrator deletes an object, it is converted into a tombstone. The tombstone
remains in the AD DS database in a deactivated state for 180 days (the default
tombstone lifetime). The tombstone is replicated to all of the domain’s other
domain controllers and then deleted on each domain controller at the end of the
tombstone lifetime.
When an object is marked as a tombstone, the isDeleted attribute on the object is
set to True and most of the other attributes are deleted. Only a few critical
attributes (SID, ObjectGUID, LastKnownParent, and SAMAccountName) are
retained. This means that even if the administrator reanimates the object, it no
longer has all the information it once had. You must recreate the missing attribute
values manually.
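An added example, not from the course, that lists tombstoned user objects through the Show Deleted Objects LDAP control and shows which of the retained attributes named above are still present, together with the date on which each tombstone will be garbage-collected according to the forest's tombstoneLifetime value. It uses System.DirectoryServices only, so it runs on Windows Server 2008 without extra modules; the function names are this example's own.

```powershell
# Added example, not part of the course material. Run on a domain-joined computer as a user
# who can read the Deleted Objects container (Domain Admins by default).

function Get-TombstoneLifetime {
    # The value lives on CN=Directory Service in the Configuration partition. Forests created
    # on Windows Server 2003 SP1 or later have 180 set explicitly (the default the module quotes);
    # if the attribute is absent the directory falls back to 60 days.
    $root = [ADSI]'LDAP://RootDSE'
    $cfg  = $root.Get('configurationNamingContext')
    $ds   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
    $tsl  = $ds.psbase.Properties['tombstoneLifetime'].Value
    if ($tsl) { [int]$tsl } else { 60 }
}

function Get-Tombstones {
    param([string]$ObjectClass = 'user')
    $lifetime = Get-TombstoneLifetime
    $root     = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($root.Get('defaultNamingContext'))"
    $searcher.Tombstone  = $true      # adds the Show Deleted Objects control (OID 1.2.840.113556.1.4.417)
    $searcher.Filter     = "(&(isDeleted=TRUE)(objectClass=$ObjectClass))"
    $searcher.PageSize   = 500
    foreach ($attr in 'name', 'objectSid', 'objectGUID', 'lastKnownParent', 'sAMAccountName', 'whenChanged') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties                          # keys are lower-case
        $deleted = [datetime]$p['whenchanged'][0]   # whenChanged is stamped when the object is tombstoned
        New-Object PSObject -Property @{
            # name becomes "<old name>" + line feed + "DEL:<guid>" on deletion; keep the first part
            Name            = ([string]$p['name'][0]).Split("`n")[0]
            SamAccountName  = [string]$p['samaccountname'][0]
            Sid             = (New-Object System.Security.Principal.SecurityIdentifier($p['objectsid'][0], 0)).Value
            Guid            = ([guid]([byte[]]$p['objectguid'][0])).ToString()
            LastKnownParent = [string]$p['lastknownparent'][0]
            DeletedOn       = $deleted
            ExpiresOn       = $deleted.AddDays($lifetime)   # garbage collection removes it after this
        }
    }
}

Get-Tombstones | Sort-Object ExpiresOn |
    Format-Table Name, SamAccountName, LastKnownParent, DeletedOn, ExpiresOn -AutoSize
```

The columns are exactly the attributes the paragraph says survive deletion; everything else (description, office, telephone number, group memberships) is gone from the tombstone, which is why the Database Mounting Tool note that follows matters for recovering the rest.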
Note: The Database Mounting Tool can be used to view the attributes for the deleted
object in a snapshot that was made before the object was deleted. This makes it easier to
recover the deleted item.
Additional Reading
• How to restore deleted user accounts and their group memberships in Active
Directory
Scenario
Woodgrove Bank has completed its AD DS deployment. To ensure high availability
and performance for the AD DS servers, the organization is implementing a
maintenance plan that includes ongoing AD DS database maintenance and
implementation of a disaster-recovery plan. The server administrator has prepared
a backup plan that includes a daily system volume backup of a domain controller in
each domain. The server administrator also has prepared plans for recovering AD DS
data in several scenarios. You need to implement these plans.
Result: At the end of this exercise, you will have installed the SCW to lock down
services on an AD DS domain controller, and performed AD DS database
maintenance tasks.
Exercise 2 Backing Up AD DS
In this exercise, you will install the Windows Server Backup feature, and then use it
to schedule a backup of the AD DS information. You also will perform an on-
demand backup of the system volume.
The main tasks for this exercise are as follows:
1. Install the Windows Server Backup Features.
2. Create a Scheduled Backup.
3. Complete an On-Demand Backup.
3. The backup will take about 10-15 minutes to complete. When the backup is
complete, close Windows Server Backup.
Result: At the end of this exercise, you will have installed the Windows Server
Backup feature, and used it to schedule a backup of the AD DS information, and
to perform an on-demand backup.
Result: At the end of this exercise, you will have performed an authoritative
restore of AD DS information.
Task 5: View the information for the deleted user account in the
mounted snapshot
1. Click Start, click Run, type LDP, and then click OK.
2. Connect and bind to the localhost, using port 51389.
3. In BaseDN, type dc=woodgrovebank,dc=com.
4. Browse to the ITAdmins OU, and then double-click CN=Axel Delgado. View
the Description, physicalDeliveryOfficeName, and Telephone Number
Attributes. You now can add the information in these attributes to the user
object in Active Directory Users and Computers. Close LDP.exe.
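The Database Mounting Tool demonstration steps earlier in this lesson and Task 5 above, combined into one added example that is not the course's own: it creates and mounts a snapshot with Ntdsutil.exe, serves the snapshot's ntds.dit with Dsamain.exe on the lab's port 51389, reads the same three attributes the lab views in LDP.exe, and cleans up. The user and OU are the lab's; the 15-second start-up wait and the function name are this example's assumptions.

```powershell
# Added example, not part of the course material. Run elevated on the domain controller.

$Port = 51389     # port from the lab. Every mounted instance needs its own LDAP/SSL/GC/SSL-GC
                  # ports because each Dsamain.exe process listens on its own sockets.
$User = 'CN=Axel Delgado,OU=ITAdmins,DC=woodgrovebank,DC=com'   # user and OU from the lab

# 1. Create and mount a snapshot. ntdsutil reports "Snapshot set {GUID} generated successfully."
#    and then "Snapshot {GUID} mounted as C:\$SNAP_<timestamp>_VOLUMEC$\".
$out   = ntdsutil snapshot "activate instance ntds" create quit quit 2>&1
$guid  = [regex]::Match(($out -join "`n"), '\{[0-9A-Fa-f-]+\}').Value
if (-not $guid) { throw "Snapshot creation failed:`n$($out -join "`n")" }
$out   = ntdsutil snapshot "mount $guid" quit quit 2>&1
$mount = [regex]::Match(($out -join "`n"), '[A-Za-z]:\\\$SNAP_[^\\\s]+\\').Value
if (-not $mount) { throw "Snapshot mount failed:`n$($out -join "`n")" }

# 2. Expose the snapshot copy of the database on the alternate port. Dsamain runs in the
#    foreground, so start it as a separate process and give it time to come up (assumed 15 s).
$dit = Join-Path $mount 'Windows\NTDS\ntds.dit'
$dsa = Start-Process -FilePath dsamain -ArgumentList "-dbpath `"$dit`" -ldapport $Port" -PassThru
Start-Sleep -Seconds 15

# 3. Read attributes from the mounted instance (what the lab does with LDP.exe on port 51389).
function Get-SnapshotAttributes {
    param([string]$DistinguishedName, [int]$LdapPort, [string[]]$Attributes)
    $entry  = [ADSI]"LDAP://localhost:$LdapPort/$DistinguishedName"
    $result = @{}
    foreach ($a in $Attributes) { $result[$a] = [string]$entry.psbase.Properties[$a].Value }
    $result
}
Get-SnapshotAttributes -DistinguishedName $User -LdapPort $Port `
    -Attributes 'description', 'physicalDeliveryOfficeName', 'telephoneNumber'

# 4. Clean up: stop Dsamain, then unmount and delete the snapshot.
Stop-Process -Id $dsa.Id
ntdsutil snapshot "unmount $guid" "delete $guid" quit quit | Out-Null
```

Because the snapshot is opened by a separate process on its own port, the live directory on port 389 is never touched, which is the downtime saving the lesson credits the tool with; a second snapshot would need a second Dsamain.exe with different -ldapport, -sslport, -gcport and -sslgcport values.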
Result: At the end of this exercise, you will have restored a deleted user account
and viewed the restored user properties using the DS Database Mounting tool.
Review Questions
1. One of your domain controllers is running out of hard-drive space. You modify
the domain controller so that it is no longer a global catalog server, but notice
that the size of the AD DS database does not decrease. What should you do to
reclaim hard-drive space on the server?
2. You are concerned about the amount of disk space that the AD DS database
and log files are using. How do you determine the size of the database and log
files?
3. You install Windows Server Backup on your domain controller. You only have
two drives on the computer, and both are being used for data or system files.
What types of backup should you use to back up your AD DS environment?
4. All of the domain controllers in your domain have failed. You are trying to
rebuild the domain from the AD DS backup on one domain controller. Which
type of restore must you use to rebuild the domain?
5. You accidentally deleted a user account in AD DS. What options do you have
to make the account available again?
Tools
Use the following tools when configuring AD DS sites and replication:
Module 10
Troubleshooting AD DS, DNS, and Replication
Issues
Contents:
Lesson 1: Troubleshooting Active Directory Domain Services 10-3
Lesson 2: Troubleshooting DNS Integration with AD DS 10-9
Lesson 3: Troubleshooting AD DS Replication 10-15
Lab: Troubleshooting AD DS, DNS and Replication Issues 10-23
Module Overview
Lesson 1:
Troubleshooting Active Directory Domain
Services
Introduction to AD DS Troubleshooting
Key Points
AD DS is a distributed system composed of many different services on which it
depends to function properly. When troubleshooting AD DS issues, you need to
identify the source of the problem, and then resolve the specific issue.
Additional Reading
• Overview of Active Directory Troubleshooting
• Active Directory Product Operations Guide
Questions:
Key Points
There are many possible reasons why a user cannot access network resources.
These can be divided into three basic categories.
Questions:
From your experience, what is the most common reason for user access error in
your organization?
What steps can you take to reduce the number of user access errors while still
maintaining network security?
Key Points
As a distributed service, AD DS depends on many interdependent services that are
distributed across many devices and many remote locations. As you increase the
size of your network to take advantage of AD DS scalability, domain controller
performance could become an issue.
Additional Reading
• Windows Server 2003 Active Directory Branch Office Guide
• Analyzing performance data
Lesson 2
Troubleshooting DNS Integration with AD DS
Key Points
One of the most common reasons for AD DS issues is a problem with the DNS
infrastructure. In particular, you should begin DNS troubleshooting when you see
the issues listed in the slide.
Key Points
To verify that clients can resolve names and records, perform the following steps:
• Verify network connectivity on all computers.
• Use Ipconfig to make sure all computers, including clients, member servers,
domain controllers, and DNS servers, are using a DNS server that is
authoritative for the Active Directory domain. Sometimes computers are
manually misconfigured to use the wrong DNS server, such as an Internet
caching server, or an ISP’s DNS server.
• Use NetDiag to test DNS connectivity.
• Ensure that the DNS server is working correctly. You can perform the Simple
self-test in the DNS server’s properties to verify that the database is
responding. Clear the DNS server’s cache as well, to ensure that the cache is
not polluted, and that it has the latest zone information.
• Use ipconfig /flushdns to clear the client’s DNS resolver cache.
• If the zone seems to be corrupt, restore from backup. If necessary, clear any
dynamic registrations from the DNS zone and rebuild the database.
• Check the DNS Server log in Event Viewer for errors.
• Use DNSLint or NSlookup to see what results the DNS server returns. The
following DNS records are required for proper Active Directory functionality.
Question: What are the most common DNS related issues in your organization?
Additional Reading
• Diagnosing Name Resolution Problems
Key Points
All servers must have at least an A (host) record and possibly a PTR (reverse
lookup) record in DNS. In addition, all domain controllers must have their SRV
resource records updated in DNS. The following list shows which service is
responsible for dynamically updating each record type:
• A records are updated by the computer’s DNS client service.
• PTR records are manually configured.
• SRV records are updated by the DC’s Netlogon service.
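The DNS checklist on the previous page and the record responsibilities above, as one added example that is not from the course: it shows which DNS servers the computer really uses, checks that the SRV records Netlogon must register for the domain's DCs exist, confirms that each DC named in them has an A record and answers on the LDAP port, and ends with the repair commands that map to each finding. The domain is the lab's woodgrovebank.com; the function names are this example's own.

```powershell
# Added example, not part of the course material. Run on the client or DC that shows the symptom.

$Domain = 'woodgrovebank.com'   # lab domain

# 1. Which DNS servers this computer really uses (same data as "ipconfig /all"). A caching-only
#    or ISP resolver here is the misconfiguration the checklist warns about.
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    Select-Object Description, IPAddress, DNSServerSearchOrder | Format-List

# 2. SRV records that Netlogon must have registered for the domain's DCs.
function Test-DcSrvRecords {
    param([string]$DomainName)
    $records = @(
        "_ldap._tcp.dc._msdcs.$DomainName",       # every domain controller
        "_kerberos._tcp.dc._msdcs.$DomainName",   # every KDC
        "_ldap._tcp.pdc._msdcs.$DomainName",      # the PDC emulator
        "_ldap._tcp.gc._msdcs.$DomainName"        # global catalog servers
    )
    foreach ($name in $records) {
        $hosts = @()
        # nslookup prints one "svr hostname = <fqdn>" line per SRV record
        foreach ($line in (nslookup -type=SRV $name 2>&1)) {
            if ("$line" -match 'svr hostname\s*=\s*(\S+)') { $hosts += $matches[1] }
        }
        New-Object PSObject -Property @{
            Record     = $name
            Hosts      = ($hosts -join ', ')
            Registered = ($hosts.Count -gt 0)
        }
    }
}

# 3. Each DC named in the SRV records must have an A record and answer on LDAP port 389.
function Test-DcReachable {
    param([string]$Fqdn)
    $ip = $null; $ldap = $false
    try { $ip = ([System.Net.Dns]::GetHostAddresses($Fqdn) | Select-Object -First 1).IPAddressToString } catch { }
    if ($ip) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect($ip, 389); $ldap = $tcp.Connected } catch { } finally { $tcp.Close() }
    }
    New-Object PSObject -Property @{ DC = $Fqdn; ARecord = $ip; LdapAnswers = $ldap }
}

$srv = Test-DcSrvRecords -DomainName $Domain
$srv | Format-Table Record, Registered, Hosts -AutoSize
$srv | Where-Object { $_.Registered } | ForEach-Object { $_.Hosts -split ', ' } | Sort-Object -Unique |
    ForEach-Object { Test-DcReachable -Fqdn $_ } | Format-Table DC, ARecord, LdapAnswers -AutoSize

# 4. Fixes that follow from the checklist (run as needed):
#    ipconfig /flushdns      - clear this client's resolver cache
#    ipconfig /registerdns   - re-register this computer's A record (DNS Client service)
#    nltest /dsregdns        - on a DC, have Netlogon re-register its SRV records
#    dcdiag /test:dns        - on a DC, full DNS test including forwarders and delegation
```

A missing SRV record with a present A record points at Netlogon on the DC (or a zone that refuses its dynamic update), while a missing A record points at the DNS Client service or at the wrong DNS server being configured in step 1; the two services in the list above are the reason the two symptoms have different fixes.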
Question: What are PTR records used for? What errors will you see if you do not
have the PTR records registered for domain controllers?
Key Points
Whenever a DNS record is updated, either in a traditional Primary (Master) zone,
or in an AD DS-integrated zone, that update must be replicated in a zone transfer
to all DNS servers that are authoritative for that zone. An administrator may choose
to favor conserving bandwidth during heavy network usage hours by delaying
replication to less busy times. Even so, the record will have to be replicated at some
point, for the DNS database to be consistent.
When DNS-related issues are not consistent for all users, and you can trace the
issues to a specific DNS server, you should consider DNS zone replication as a
possible cause of the problem.
Additional Reading
• Troubleshooting zone problems
Lesson 3:
Troubleshooting AD DS Replication
AD DS Replication Requirements
Key Points
Refer to the requirements listed on the slide for AD DS replication to occur
successfully.
Key Points
When you encounter replication problems in AD DS, your first step is to identify
the symptoms and possible causes.
Question: What is the most common reason for replication errors in your
organization?
Additional Reading
• Troubleshooting Active Directory Replication Problems
Key Points
You use the Repadmin.exe command-line tool to view the replication topology from
the perspective of each domain controller. You can also use Repadmin.exe to
manually create the replication topology, force replication events between domain
controllers, and view the replication metadata, which is information about the
replicated data, and the up-to-dateness vectors.
Additional Reading
• Troubleshooting Active Directory Replication Problems
Key Points
The dcdiag.exe tool performs a series of tests to verify different aspects of the
system. These tests include connectivity, replication, topology integrity, and
intersite health.
Key Points
AD DS replication problems can have several different sources. For example, DNS
problems, networking issues, or security problems can all cause AD DS replication
to fail.
You can perform tests by using the Repadmin.exe and DCDiag.exe command-line
tools to determine the root cause of the problem.
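The Repadmin.exe and DCDiag.exe usage described on the last three pages, as an added example that is not from the course: it turns repadmin's CSV output into objects, maps the reported status codes onto the three cause families named above (DNS, networking, security), and runs the targeted dcdiag tests against every DC with failing inbound links. The status-code table is standard Windows error numbers, not something the course lists, and the function name is this example's own.

```powershell
# Added example, not part of the course material. Run from a DC or an administrative
# workstation that has Repadmin.exe and Dcdiag.exe.

function Get-ReplicationStatus {
    # One row per inbound replication link (Source DSA -> Destination DSA, per naming context).
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        New-Object PSObject -Property @{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            NamingContext = $r.'Naming Context'
            LastSuccess   = $r.'Last Success Time'
            Failures      = [int]$r.'Number of Failures'
            LastError     = [int]$r.'Last Failure Status'
        }
    }
}

# Map the Win32 status codes repadmin reports to the three cause families in the text.
# (These codes are standard Windows error numbers, not from the course.)
$KnownCauses = @{
    8524 = 'DNS lookup failure (DNS)'
    1722 = 'RPC server unavailable (networking/firewall)'
    5    = 'Access denied (security: credentials or secure channel)'
    8453 = 'Replication access was denied (security)'
    8614 = 'Partner has not replicated within the tombstone lifetime (lingering objects)'
}

$status  = @(Get-ReplicationStatus)
$failing = @($status | Where-Object { $_.Failures -gt 0 })
$failing | ForEach-Object {
    $cause = $KnownCauses[$_.LastError]
    if (-not $cause) { $cause = "unclassified, see: net helpmsg $($_.LastError)" }
    Add-Member -InputObject $_ -MemberType NoteProperty -Name LikelyCause -Value $cause -PassThru
} | Format-Table Destination, Source, NamingContext, Failures, LastError, LikelyCause -AutoSize

# Targeted dcdiag tests on each destination DC that is failing (connectivity is run implicitly).
$failing | Select-Object -ExpandProperty Destination -Unique | ForEach-Object {
    dcdiag /s:$_ /test:replications /test:topology
}

# After fixing the cause: force a full inbound sync on every partition from all partners,
# then re-run Get-ReplicationStatus and expect Failures = 0 everywhere.
#   repadmin /syncall /AdeP
```

The Last Failure Status column is the quickest way to decide which of the three families to chase first; a single DC failing against all partners with 8524 is a DNS registration problem on that DC, while every DC failing against one partner with 1722 is a network path or firewall problem at that partner.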
Scenario
Woodgrove Bank has completed its deployment of Windows Server 2008. As the
AD DS administrator, one of your primary tasks now is troubleshooting AD DS
issues that have been escalated to you from the company help desk. You are
responsible for resolving issues related to user access to resources, the integration
of DNS and AD DS, and AD DS replication.
Trouble Ticket #2: A Help Desk staff member named Markus Breyer has been
given the task of adding new hires to the NYC BranchManagers OU in the
Woodgrovebank.com domain. Markus is a member of the HelpDesk global group. All
members of the HelpDesk group should be able to manage user accounts from
client workstations by using Remote Desktop. When Markus attempts to add new
hires, he is unsuccessful. The matter has been escalated to you.
1. Log on to NYC-CL1 as Markus, with the password Pa$$w0rd.
2. Try to connect to NYC-DC1 by using Remote Desktop. Were you successful?
What, if any, error messages did you receive?
_________________________________________________________________
3. What do you think is the problem?
_________________________________________________________________
Result: At the end of this exercise, you will have resolved two trouble tickets with
authentication and authorization issues.
Result: At the end of this exercise, you will have resolved a trouble ticket with
DNS integration and AD DS issues.
Trouble Ticket #5: The Help Desk has noticed that when some users in the
WoodgroveBank.com New York branch log on, they are not getting the expected
automatic drive mappings. All users should get a drive mapping that maps the H:
drive to \\NYC-DC1\data. The Help Desk has confirmed that the Group Policy
Object (GPO) is configured correctly. The logon script is called MapDataDir.bat
and is supposed to be located in the Netlogon share.
1. What do you think might be the problem(s)?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
2. What troubleshooting step(s) will you take to resolve the problem(s)?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
3. How will you verify that the problem(s) has been resolved?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
4. Implement your troubleshooting steps. What was the actual problem(s), and
how did you resolve it?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
Result: At the end of this exercise, you will have resolved a trouble ticket with AD
DS replication issues.
Tools
Use the following tools when troubleshooting AD DS issues:
Tool: Active Directory Sites and Services
Use for: Creating and configuring sites, subnets, moving domain controllers between sites, and forcing replication.
Where to find it: Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
Review Questions
1. A user is able to log on to their computer, but whenever the user tries to access
a network resource, the user is prompted for a user name and password. How
would you ensure that the user can access network resources without being
prompted for the user name and password after logon?
2. You need to verify that all of the domain controller SRV records are registered
in DNS. All DNS servers in your organization are using a third-party DNS
product rather than using Windows Server 2008 DNS. How can you view the
records in DNS?
3. Users in a branch office in your organization are experiencing very slow logon
times. You create a domain controller in your main office, and then ship the
domain controller to the branch office. You configure the branch office as a
second site in your forest. You modified the domain controller’s IP address
configuration, have confirmed network connectivity, and confirmed that the
domain controller’s IP address has been updated in DNS. However, some of
the users in the branch office are still experiencing very slow logon times.
What else should you do?
4. Your organization has five office locations, with each location configured as a
separate site in AD DS. At least one domain controller has been deployed in
each office. All user account management is performed in the main office. You
notice that when you create a new user account in the main office, it can take
up to 3 hours before the user can log on using that account in the branch
office. What should you do to make sure the user can log on right after the
account has been created?
Module 11
Troubleshooting Group Policy Issues
Contents:
Lesson 1: Introduction to Group Policy Troubleshooting 11-3
Lesson 2: Troubleshooting Group Policy Application 11-10
Lesson 3: Troubleshooting Group Policy Settings 11-17
Lab: Troubleshooting Group Policy Issues 11-25
Module Overview
Lesson 1:
Introduction to Group Policy Troubleshooting
Group Policy can be complex to deploy and manage, and sometimes a setting can
cause unintended consequences for users or computers. This lesson provides
details about Group Policy processing and common problem areas, and describes
some of the troubleshooting tools available.
Additional Reading
• Microsoft Technet article: Group Policy Troubleshooting
Key Points
The first step in troubleshooting Group Policy is to determine the source of the
issue. Group Policy issues may be a symptom of other, unrelated issues, such as
network connectivity, authentication problems, domain controller availability, or
Domain Name Service (DNS) configuration errors. For example, the failure of a
router or DNS server could prevent clients from contacting a domain controller.
Question: What diagnostic tool could you use to determine lease expiration of a
Dynamic Host Configuration Protocol (DHCP) address issued to a client
computer?
Additional Reading
• Troubleshooting Your Systems with Network Diagnostics
• Using NSlookup.exe
• Microsoft Technet article: Unable to access domain controller
• Kerbtray.exe: Kerberos Tray
Key Points
There are a number of diagnostic tools and logs that you can use to verify whether
you can trace a problem to core Group Policy.
Question: What diagnostic tool will quickly display the current Group Policy slow
link threshold?
Additional Reading
• Group Policy Modeling and Results
• How to manually create Default Domain GPOs
• GPOTool (from Win2K Server Resource Kit)
• Microsoft Technet article: Refresh Group Policy settings with GPUpdate.exe
• Fixing Group Policy problems by using log files
Question: What steps must you take prior to running Group Policy reporting
(RSoP) on a remote computer?
Lesson 2
Troubleshooting Group Policy Application
When troubleshooting Group Policy issues, you need a firm understanding of the
interactions between Group Policy and its supporting technologies, and the ways
in which you manage, deploy, and apply Group Policy objects.
Key Points
Blocking inheritance will prevent all higher-level settings from affecting the OUs
and their child OUs. You can block inheritance only for entire OUs, not for
individual objects. Blocking inheritance can complicate troubleshooting, because it
counteracts the usual inheritance rules.
Question: Are there scenarios in your organization that would benefit from
blocking inheritance?
Additional Reading
• Microsoft Technet article: Fixing Group Policy problems by using log files
Key Points
Group Policy filtering determines which users and computers will receive the
GPO’s settings. Group Policy object (GPO) filtering is based on two factors:
• The security filtering on the GPO
• Any Windows Management Instrumentation (WMI) filters on the GPO
Question: You have applied security filtering to limit the GPO to apply only to the
Managers group. You did this by setting the following GPO permissions:
Additional Reading
• Microsoft Technet article: Fixing Group Policy scoping issues
Key Points
In a domain that contains more than one domain controller, Group Policy
information takes time to propagate, or replicate, from one domain controller to
another. A GPO consists of two parts: the Group Policy template (GPT) and the
Group Policy container (GPC). Changes to GPOs are tracked using version
numbers. Every change increments the version number of the GPT and the GPC.
Question: What tool can be used to force replication across all domain controllers
in the domain?
Additional Reading
• Troubleshooting File Replication Service
• Microsoft Technet article: Replication of Group Policy settings between
domain controllers fails
Key Points
Group Policy refresh refers to a client’s periodic retrieval of GPOs. During Group
Policy refresh, the client contacts an available domain controller. If any GPOs
changed, the domain controller provides a list of all the appropriate GPOs. By
default, GPOs are processed at the computer only if the version number of at least
one GPO has changed on the domain controller that the computer is accessing.
Question: You have implemented folder redirection for a particular OU. Some
users report that their folders are not redirecting to the network share. What is the
first step you should take to resolve the problem?
Additional Reading
• Group Policy does not refresh
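The two Key Points above (GPT/GPC version numbers that replicate separately, and clients that only reprocess when a version number changes) can be checked directly. The following is an added example, not part of the course: it reads each GPO's GPC versionNumber from AD and the GPT Version from gpt.ini on every domain controller's SYSVOL and flags GPC/GPT mismatches and GPOs that still differ between DCs. It assumes a domain-joined computer and an account that can read SYSVOL on each DC; the domain name comes from the current domain.

```powershell
# Added example (not from the course): compare GPC (AD) and GPT (SYSVOL) versions per DC.

function ConvertFrom-GpoVersion {
    # versionNumber packs two 16-bit counters: low word = computer side,
    # high word = user side. Every edit increments the relevant half.
    param([int64]$Version)
    $v = [int64]$Version -band 0xFFFFFFFF
    New-Object PSObject -Property @{
        Computer = $v -band 0xFFFF
        User     = [int]([math]::Floor($v / 65536))
    }
}

function Get-GptIniVersion {
    # Parse "Version=NNN" from a gpt.ini; returns $null when the file is missing.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*Version\s*=\s*(\d+)') { return [int64]$Matches[1] }
    }
    return $null
}

function Get-GpoVersionReport {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $rows = @()
    foreach ($dc in $domain.DomainControllers) {
        $dcName = $dc.Name
        # Query this DC's own copy of the directory so AD replication lag is visible too.
        $nc = [string]([ADSI]"LDAP://$dcName/RootDSE").defaultNamingContext
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://$dcName/CN=Policies,CN=System,$nc"
        $searcher.Filter = '(objectClass=groupPolicyContainer)'
        [void]$searcher.PropertiesToLoad.Add('cn')
        [void]$searcher.PropertiesToLoad.Add('displayname')
        [void]$searcher.PropertiesToLoad.Add('versionnumber')
        foreach ($result in $searcher.FindAll()) {
            $guid = [string]$result.Properties['cn'][0]
            $gpc  = ConvertFrom-GpoVersion ([int64]$result.Properties['versionnumber'][0])
            # gpt.ini is read through \\<dc>\SYSVOL so it reflects what that DC has received.
            $gptPath = "\\$dcName\SYSVOL\$($domain.Name)\Policies\$guid\gpt.ini"
            $gptRaw  = Get-GptIniVersion $gptPath
            $gpt = $null
            if ($gptRaw -ne $null) { $gpt = ConvertFrom-GpoVersion $gptRaw }
            $status = 'OK'
            if ($gpt -eq $null) { $status = 'GPT missing' }
            elseif ($gpt.Computer -ne $gpc.Computer -or $gpt.User -ne $gpc.User) {
                $status = 'GPC/GPT mismatch'
            }
            $rows += New-Object PSObject -Property @{
                DC = $dcName; GPO = [string]$result.Properties['displayname'][0]; Guid = $guid
                GPC_Computer = $gpc.Computer; GPC_User = $gpc.User
                GPT_Computer = $(if ($gpt) { $gpt.Computer }); GPT_User = $(if ($gpt) { $gpt.User })
                Status = $status
            }
        }
    }
    # A GPO whose version tuple differs from one DC to another has not finished replicating.
    foreach ($group in ($rows | Group-Object Guid)) {
        $distinct = $group.Group |
            ForEach-Object { "$($_.GPC_Computer)/$($_.GPC_User)/$($_.GPT_Computer)/$($_.GPT_User)" } |
            Sort-Object -Unique
        if (@($distinct).Count -gt 1) {
            foreach ($row in $group.Group) {
                if ($row.Status -eq 'OK') { $row.Status = 'Differs between DCs' }
            }
        }
    }
    $rows
}

Get-GpoVersionReport | Sort-Object GPO, DC |
    Format-Table DC, GPO, GPC_Computer, GPT_Computer, GPC_User, GPT_User, Status -AutoSize
```

Rows marked "Differs between DCs" are the ones a forced replication (see the question above) should clear; a persistent "GPC/GPT mismatch" on every DC points at the GPO itself rather than replication.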
Question: One user is getting settings applied that no one else is receiving. What
might be the issue and how would you start troubleshooting?
Lesson 3:
Troubleshooting Group Policy Settings
Group Policy settings issues are usually due to slow-link detection or incorrect
configuration. Understanding how the CSEs work, and how slow links are
determined, assists in troubleshooting these issues.
Key Points
CSEs are dynamic-link libraries (DLLs) that perform the actual processing of
Group Policy settings. Policy settings are grouped into different categories, such as
Administrative Templates, Security Settings, Folder Redirection, Disk Quota, and
Software Installation. Each category’s settings require a specific CSE to process
them, and each CSE has its own rules for processing settings. The core Group
Policy process calls the appropriate CSEs to process those settings.
Some CSEs behave differently under different circumstances. For example, a
number of CSEs do not process if a slow link is detected. Security settings and
Administrative Templates are always applied, and you cannot turn them off. You
can control the behavior of other CSEs across slow links.
As Group Policy is processed, the Winlogon process passes the list of GPOs that
must be processed to each Group Policy client-side extension. The extension uses
the list to process the appropriate policy when applicable.
Question: Users in a branch office log on across a slow modem connection. You
want folder redirection to be applied to them even across the slow link. How
would you accomplish this?
Additional Reading
• Identifying Group Policy Client-Side Extensions
• Computer Policy for Client-side Extensions
• Group Policy and Network Bandwidth
Key Points
Some Administrative Template settings may be preferences, rather than policies,
that you cannot remove easily, while older operating systems might not accept
other administrative settings.
Additional Reading
• Microsoft Technet article: Fixing Administrative Template policy setting
problems
Key Points
Security policies protect the integrity of the computing environment by controlling
many aspects of it, such as password policies, security options, restricted groups,
network policies, services, public key policies, and so on.
Question: You have configured a password policy in a GPO and linked that policy
to the Research OU. The policy is not affecting domain users in the OU. What is
the problem?
Additional Reading
• Troubleshooting Group Policy application problems
Key Points
The Scripts CSE updates the registry with the location of script files so that the
UserInit process can find those values during its normal processing. When a CSE
reports success, it might mean only that the script’s location is placed in the
registry. Even though the setting is in the registry, there could be problems
preventing the setting from being applied to the client. For example, if a script
specified in a Script setting has an error that prevents it from completing, the CSE
does not detect an error.
Group Policy processes a GPO and stores the script information in the registry, in
these locations:
• HKCU\Software\Policies\Microsoft\Windows\System\Scripts (User Scripts)
• HKLM\Software\Policies\Microsoft\Windows\System\Scripts (Machine
Scripts)
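Because the Scripts CSE only records the script location in these keys and reports success once that write completes, a user who cannot reach the script file gets no Group Policy error. The following is an added example, not part of the course: it walks both registry locations, resolves each recorded script to its path and tries to open the file as the current account, so the access-denied case surfaces. It assumes the layout the Scripts CSE writes (one subkey per script type such as Logon or Startup, one numbered subkey per GPO holding GPOName and FileSysPath, and one numbered subkey per script holding the Script value); bare script names are assumed to live in the GPO's Scripts\<type> folder under FileSysPath.

```powershell
# Added example (not from the course): check that recorded Group Policy scripts are readable.

function Test-ScriptReadable {
    # Returns OK, AccessDenied, NotFound, or the name of any other exception type.
    param([string]$Path)
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        $stream.Close()
        return 'OK'
    } catch {
        # .NET method failures reach PowerShell wrapped; unwrap to the real exception.
        $ex = $_.Exception
        while ($ex -is [System.Management.Automation.MethodInvocationException] -and $ex.InnerException) {
            $ex = $ex.InnerException
        }
        if ($ex -is [System.UnauthorizedAccessException]) { return 'AccessDenied' }
        if ($ex -is [System.IO.FileNotFoundException] -or
            $ex -is [System.IO.DirectoryNotFoundException]) { return 'NotFound' }
        return $ex.GetType().Name
    }
}

function Get-GpScriptAccess {
    param([string[]]$Roots = @(
        'HKCU:\Software\Policies\Microsoft\Windows\System\Scripts',   # user scripts
        'HKLM:\Software\Policies\Microsoft\Windows\System\Scripts'))  # machine scripts
    $rows = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($typeKey in Get-ChildItem $root) {               # Logon, Logoff, Startup, Shutdown
            foreach ($gpoKey in Get-ChildItem $typeKey.PSPath) {  # one numbered key per GPO
                $gpoProps = Get-ItemProperty $gpoKey.PSPath
                foreach ($scriptKey in Get-ChildItem $gpoKey.PSPath) {  # one numbered key per script
                    $script = (Get-ItemProperty $scriptKey.PSPath).Script
                    if (-not $script) { continue }
                    $base = $gpoProps.FileSysPath   # assumption: the GPO's User or Machine folder in SYSVOL
                    # UNC and drive-letter paths are used as written; a bare name is resolved
                    # against the GPO's Scripts\<type> folder (assumed layout).
                    if ($script -match '^(\\\\|[A-Za-z]:\\)' -or -not $base) { $full = $script }
                    else { $full = Join-Path $base "Scripts\$($typeKey.PSChildName)\$script" }
                    $rows += New-Object PSObject -Property @{
                        Root   = $root.Split(':')[0]
                        Type   = $typeKey.PSChildName
                        GPO    = $gpoProps.GPOName
                        Script = $script
                        Path   = $full
                        Status = Test-ScriptReadable $full
                    }
                }
            }
        }
    }
    $rows
}

# Run this as the affected user so HKCU is that user's hive; any non-OK row is the lead.
Get-GpScriptAccess | Format-Table Root, Type, GPO, Script, Status -AutoSize
```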
Question: A logon script is assigned to an OU. The script executes properly for all
users, but some users report that they get an access-denied message when they try
to access the mapped drive. What is the problem?
Additional Reading
• Microsoft Technet article: Fixing Scripts policy settings problems
Scenario
Woodgrove Bank has completed its Windows Server 2008 deployment. As the AD
DS administrator, one of your primary tasks is troubleshooting AD DS issues that
the company help desk escalates to you. You are also responsible for resolving
issues related to Group Policy application and configuration.
Note: Some of the tasks in this lab are designed to illustrate GPO troubleshooting
techniques, and may not always follow best practices.
Next, you will apply to all domain users a preconfigured GPO that maps a drive to
the Data shared folder, and then observe and troubleshoot the results.
All domain users will have a drive mapping to a shared folder named Data. The
GPO is already created, and is backed up. You will restore and apply the GPO that
delivers that policy to the domain, and troubleshoot any issues with the policy.
A user in the Miami OU has submitted the following help-desk ticket:
• User Name: Roya Asbari
• Computer Name: NYC-CL1
• Description of Problem: There is no drive mapping to the Data folder.
This ticket has been escalated to the server team for resolution.
The main tasks are:
1. Start the 6425A-NYC-DC1 virtual machine, and log on as Administrator.
2. Create and link a domain Desktop policy.
• Set the Internet Explorer homepage to http://WoodgroveBank.com.
• Force the classic Start menu for all domain users.
• Force the client computer to wait for the network to initialize at startup
and logon.
• Configure the Windows Firewall to allow inbound remote administration.
3. Restore the Lab11A GPO.
4. Link the Lab11A GPO to the domain.
5. Start the 6425A-NYC-CL1 virtual machine and log on as Administrator.
Note: Two logons are required to see the group policy settings because Administrator is
logging on with cached credentials.
2. Click the Start button and ensure you see the classic Start menu.
3. Double click Internet Explorer and then click the red X to stop the
connection attempt to the default startup page. Click the home icon on the
toolbar and ensure that http://WoodgroveBank.com is the homepage.
4. Double click Internet Explorer and then click the red X to stop the
connection attempt to the default startup page. Click the home icon on the
toolbar and ensure that http://WoodgroveBank.com is the homepage.
5. Close Internet Explorer.
6. Double click Computer on the desktop and ensure that you have a mapped
drive to the shared folder named Data.
7. Log off.
8. Log on to NYC-CL1 as Roya with the password Pa$$w0rd.
9. Close the Welcome Center.
10. Click the Start button, and ensure Roya gets the classic Start menu.
11. On the desktop, double-click Internet Explorer, and then click the Home icon
on the toolbar to ensure that http://WoodgroveBank.com is the home page.
12. Close Internet Explorer.
13. On the desktop, double-click Computer, and check for the mapped drive to
the shared folder named Data.
Note: If time permits, you can view the Group Policy operational log as Administrator on
NYC-CL1. If you filter the view to show events that Roya generates, you would see that
the log does not detect any errors or warnings for this user. This is because the GPO only
sets a value in the registry that defines the scripts folder’s location. Group Policy is
unaware if the user has access to the location, and the write to the registry was
successful. Therefore, the Group Policy log does not see any errors. You would have to
audit Object Access for the scripts folder to determine access issues.
Note: Another way to resolve the issue would be to move the script to the Netlogon
share.
6. Log off.
Result: At the end of this exercise, you will have resolved a Group Policy scripts
issue.
This ticket has been escalated to the server team for resolution.
The main tasks in this exercise are:
1. Restore the Lab11B GPO.
2. Link the Lab11B GPO to the Miami OU.
3. Test the GPO as various users.
4. Troubleshoot the GPO using RSoP.
5. Resolve and test the resolution.
Result: At the end of this exercise, you will have resolved a Group Policy objects
issue.
This ticket has been escalated to the server team for resolution.
The main tasks in this exercise are:
1. Restore the Lab11C GPO.
2. Link the Lab11C GPO to the Miami OU.
3. Test the GPO.
4. Troubleshoot the GPO.
5. Resolve and test the resolution.
Result: At the end of this exercise, you will have resolved a Group Policy objects
issue.
This ticket has been escalated to the server team for resolution.
The main tasks in this exercise are:
1. Create a new OU named Loopback.
2. Restore the Lab11D GPO.
3. Link the Lab11D GPO to the Loopback OU.
4. Move NYC-CL1 to the Loopback OU.
5. Test the GPO.
6. Troubleshoot the GPO.
7. Resolve the issue and test the resolution.
Result: At the end of this exercise, you will have resolved a Group Policy objects
issue.
Considerations
Consider the following when implementing an AD DS monitoring plan:
• Client-side extensions handle application of Group Policy at regular,
configurable intervals.
• GPO version numbers determine if a Group Policy has changed.
• Not all CSEs process across a slow link.
• Security settings refresh every 16 hours.
• Windows XP and earlier versions log to the Userenv log for most Group-Policy
issues. You can modify the registry to enable other CSE logs.
• Windows Vista logs to operational logs in Event Viewer.
• Blocking inheritance will block all higher-level policies from being applied,
unless those policies are enforced.
• You can filter Group Policy to apply only to certain security principals by using
security settings, or WMI filters.
• Group Policy is made up of two parts: Group Policy templates, and Group
Policy containers. Group Policy replicates these objects on separate schedules
using different mechanisms.
• Windows XP and later versions log on users with cached credentials by
default. Many users’ settings will require two logons because of this.
• Windows XP and earlier use ICMP to determine link speed. Windows
Vista and later versions use network awareness to determine link speed.
• Security principals need permission to access script locations, so that they can
execute scripts.
• Computer startup scripts run synchronously by default.
• User logon scripts run asynchronously by default.
Tools
Use the following tools when troubleshooting Group Policy issues:
• Dcgpofix – Restoring the default Group Policy objects to their original state
after initial installation.
• GPOLogView – Exporting Group Policy-related events from the system and
operational logs into text, HTML, or XML files. For use with Windows Vista and
later versions.
• Group Policy Management scripts – Sample scripts that perform a number of
different troubleshooting and maintenance tasks.
Review Questions
1. What tool can test DNS name resolution?
a. NSlookup
b. DCdiag
c. GPResult
d. Ping
2. What log will give details of folder redirection?
________________________________________________________________
3. What visual indicator in the GPMC designates that inheritance has been
blocked?
________________________________________________________________
4. What GPO settings are applied across slow links by default? Choose all that
apply:
a. Scripts policies
b. Security settings
c. Administrative settings
d. Internet Explorer Maintenance
e. EFS Recovery Policy
f. IPSec Policy
Implementing an Active Directory Domain Services Infrastructure 12-1
Module 12
Implementing an Active Directory Domain
Services Infrastructure
Contents:
Lesson 1: Overview of the AD DS Domain 12-3
Lesson 2: Planning a Group Policy Strategy 12-7
Lab A: Deploying Active Directory Domain Services 12-9
Lab B: Configuring Forest Trust Relationships 12-23
Lab C: Designing a Group Policy Strategy 12-31
Module Overview
Lesson 1:
Overview of the AD DS Domain
In this lesson, you will view the AD DS domain components that you will work
with in the lab.
Key Points
The graphic on the slide depicts the current domain configuration at Woodgrove
Bank.
Key Points
The graphic on the slide depicts the required domain configuration at Woodgrove
Bank. The Contoso domain will join the Woodgrove Bank forest as a separate tree
in the same forest.
Key Points
The graphic on the slide shows the current site configuration at Woodgrove Bank.
A new branch office has been created in New York, and a new site will be created
to control logon traffic.
The following two new sites will be created:
• The Contoso.com site will contain the 192.168.0.0 subnet
• The NYC-Branch-Office site will contain the 10.30.0.0 subnet
Lesson 2:
Planning a Group Policy Strategy
In this lesson, you will plan Group Policy and then implement it in the labs.
Key Points
The graphic depicts the new domain controller deployment at Woodgrove Bank.
• The NYC-SRV2 server core computer will be renamed to NYC-DC3 to reflect
the new role and the read-only domain controller (RODC) role will be
installed on NYC-DC3.
• The NYC-SRV1 computer will be renamed to ContosoDC to reflect the new
role and then promoted to become the Contoso domain controller.
Scenario
Woodgrove Bank is deploying AD DS on the Windows Server® 2008 operating system.
The enterprise administrator has created a design for the deployment. As the AD
DS administrator, you will be implementing this design and verifying that all
components in the design work correctly.
Site Info
There will be two new sites: NYC Branch Office and Contoso.
• Site Name – NYC-Head-Office
• Subnet – 10.10.0.0
• Gateway – 10.10.0.1
• Domain Controller – NYC-DC1 10.10.0.10
• Site Name – NYC-Branch-Office
• Subnet – 10.30.0.0
• Gateway – 10.30.0.1
• Domain Controller – NYC-DC3 (RODC) (change the name of NYC-SRV2)
10.30.0.10
• Site Name – Contoso
• Subnet – 192.168.0.0
• Gateway – 192.168.0.1
• Domain Controller – ContosoDC (change the name of NYC-SRV1)
192.168.0.10
Domain Info
There will be two domains: WoodgroveBank.com and Contoso.com.
WoodgroveBank and Contoso belong to the same forest. WoodgroveBank is the
root domain of the forest and Contoso is a separate tree in the forest.
WoodgroveBank.com
Domain Controllers – NYC-DC1, NYC-DC2, NYC-DC3 (RODC) (change the name
of NYC-SRV2)
Contoso.com
Domain Controller – ContosoDC (change the name of NYC-SRV1)
Note: The following lab requires that four virtual machines be running at one time. We
recommend that the student computers be configured with an additional one GB of
RAM (for a total of 3 GB) to improve the virtual machine performance in this lab.
Only the branch office employees will have their passwords cached on the RODC.
You will also create the site for the branch office, and create the subnet object
10.30.0.0 for the branch office. Then you will change the name of NYC-SRV2 to
NYC-DC3, to reflect its new role. You will configure the IP address to reflect the
subnet of the branch site. Then you will install RODC on to the server. Finally, you
will configure replication with the head office site to occur every 30 minutes.
The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Copy the unattended file and change the name of NYC-SRV2 to NYC-DC3.
3. Change the IP address of NYC-SRV2 to 10.30.0.10.
4. Create the NYC-Branch-Office site and rename the default site.
5. Create subnet objects for the NYC head office and branch office sites.
6. Configure the replication schedule.
7. Create an OU for branch office.
8. Create users and groups for the branch office.
Task 2: Copy the unattend file, and change the name of NYC-SRV2 to
NYC-DC3
1. Copy the NYC-Rodc.txt file from the D:\6425\Mod12\Labfiles folder to the C:
drive.
2. At the command prompt, type Netdom renamecomputer %computername%
/newname:NYC-DC3 /force /reboot:5, and then press ENTER. The computer
will automatically reboot after 5 seconds.
Task 4: Create the NYC-Branch-Office site and rename the Default site
1. On NYC-DC1, open Active Directory Sites and Services.
2. Right-click Sites, and then click New Site named NYC-Branch-Office. Select
the DefaultIPSiteLink, and then click OK.
3. Rename the Default-First-Site-Name to NYC-Head-Office.
Task 5: Create subnet objects for the NYC head office and branch
office sites
1. Create a new subnet object for the 10.10.0.0/16 subnet. Select the NYC-Head-
Office site, and then click OK.
2. Create a new subnet object for the 10.30.0.0/16. Select the NYC-Branch-
Office site, and then click OK.
5. On the Specify the Computer Name page, in the Computer name field, type
NYC-DC3, and then click Next.
6. On the Select a Site page, click NYC-Branch-Office, and then click Next.
7. On the Additional Domain Controller Options page, keep the defaults, and
then click Next.
8. On the Specify the Password Replication Policy page, click Add, and then
select Allow passwords for the account to replicate to the RODC.
9. Add the BranchUsersGG.
10. On the Delegation of RODC Installation and Administration page, click Set,
and then add the BranchManager account.
11. Finish the wizard to create the RODC account. Notice that NYC-DC3
computer account is listed in AD DS, but the DC type is Unoccupied DC
Account.
Note: If the server is unavailable, wait a few minutes and try again. Notice that NYC-DC3
hosts a copy of the Woodgrovebank.com zone.
Task 13: Close all virtual machines and discard undo disks
1. Close the 6425A-NYC-SRV2 Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
Result: At the end of this exercise, you will have created an RODC on a Server
Core computer.
4. Expand the Global Logs, and then click DNS Events. Examine the events that
describe the zone transfer.
5. Close the DNS Manager.
Task 10: Promote the server to become the Contoso domain controller
1. Use Server Manager to add the Active Directory Domain Services role.
2. Launch DCPromo.exe.
3. In the Active Directory Domain Services Installation Wizard, select Use
advanced mode installation.
4. On the Operating System Compatibility page, click Next.
5. In the Choose a Deployment Configuration window, click Existing Forest,
click Create a new domain in an existing forest, and then select Create a
new domain tree root instead of a new child domain.
6. On the Network Credentials screen, type Woodgrovebank.com in the domain
name field, click Set, and then use the credentials:
a. User: Administrator
b. Password: Pa$$w0rd
7. Name the new domain tree root Contoso.com.
8. On the Domain NetBIOS Name screen, click Next.
9. Set the domain functional level to Windows Server 2008.
10. In the Select a Site window, click Next.
11. In the Additional Domain Controller Options window, select the check box for
Global Catalog, and then click Next.
12. In the Static IP Assignment message box, click Yes, the computer will use a
dynamically assigned IP address, and then click Yes to continue.
Note: This message refers to the IPv6 interface, which is set to use DHCP.
15. Set the directory services restore mode administrator password to Pa$$w0rd.
16. In the Summary window, click Next, and then select Reboot on completion.
17. Log on to the ContosoDC computer as Contoso\Administrator.
18. Open the DNS management console, and examine the forward lookup zones.
Notice the Contoso.com zone.
19. Use the IPconfig /all command to examine the IP configuration. Notice that
ContosoDC is using 127.0.0.1 as the preferred DNS server.
Task 11: Close NYC-SRV1 and NYC-DC2 and discard undo disks
1. Close the 6425A-NYC-SRV1 Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6425A-NYC-DC2 Virtual Machine Remote Control window.
4. In the Close box, select Turn off machine and discard changes. Click OK.
Result: At the end of this exercise, you will have created a domain in a separate
tree and separate site.
Key Points
This topic introduces the information you need for the next lab.
By the end of the next lab, the Fabrikam forest will be upgraded to Windows
Server 2008 level, and a Windows Server 2008 server will be promoted to become
an additional domain controller in the domain. The Fabrikam.com forest will have
a forest trust relationship with the WoodgroveBank forest. The trust will use
selective authentication such that only the WoodgroveBank Domain Admins group
will be allowed to authenticate to resources in the Fabrikam domain.
Scenario
Woodgrove Bank has recently purchased a new subsidiary named Fabrikam, Inc.
Fabrikam is currently running Windows Server® 2003 operating system domain
controllers. One of the first tasks for Woodgrove Bank administrators will be to
upgrade the domain controllers to Windows Server 2008. Fabrikam, Inc. will
remain in a separate forest, and will trust the Woodgrove Bank forest.
Result: At the end of this exercise, you will have created a forest trust.
Key Points
The graphic on the slide depicts the current organizational unit configuration at
Woodgrove Bank.
Scenario
As the network administrator for WoodgroveBank.Com, you are responsible for
developing a desktop and security policy that can be centrally managed through
Group Policy.
4. Double-click the Prohibit access to the Control Panel GPO, click the
Delegation tab in the details pane, and then click Advanced.
5. In the Prohibit access to the Control Panel Security Settings dialog box,
select Domain Admins, and then select the check box to Deny the Apply
group policy permission, and then click OK.
6. Click Yes to acknowledge the message. This will exempt the Domain Admins
group from the policy.
Task 3: Create and link the Force Offline File Encryption GPO
1. Right-click Executives OU, and then click Create a GPO in this domain, and
link it here.
2. In the New GPO dialog box, type Force Offline File Encryption in the Name
field, and then click OK.
3. Right-click the Force Offline File Encryption, and then click Edit.
4. Expand Computer Configuration, expand Policies, expand Administrative
Templates, expand Network, and then click Offline Files.
5. In the detail pane, double-click Encrypt the Offline Files cache.
6. In the Encrypt the Offline Files cache Properties dialog box, click Enabled,
and then click OK.
7. Close the Group Policy Management Editor.
Result: At the end of this exercise, you will have implemented a Group Policy
strategy.
Considerations
Consider the following when implementing an AD DS infrastructure:
• Sites can be used to control the scope of logon traffic.
• Separate trees in the forest allow multiple DNS namespaces to exist.
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your
learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential, and will
use your responses to improve your future learning experience. Your open and
honest feedback is valuable and appreciated.
Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles L1-1
Task 2: Verify the forest and domain functional level are compatible
with an RODC deployment
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. Right-click WoodgroveBank.com, and click Properties.
3. In the WoodgroveBank.com Properties dialog box, verify that the domain
functional level and the forest functional level are set to Windows Server 2003.
4. Click Cancel.
L1-2 Module 1: Implementing Active Directory® Domain Services
Result: At the end of this exercise you will have verified that the domain and the
computer are ready to install an RODC.
Task 3: Install the RODC using the existing account and use
WoodgroveBank\Axel as the account with credentials to perform the
installation
1. Open a command prompt.
2. Type dcpromo /UseExistingAccount:Attach, and then press ENTER.
3. On the Welcome to the Active Directory Domain Services Installation
Wizard page, select the Use advanced mode installation check box and then
click Next.
Result: At the end of the exercise you will have installed an RODC and configured its
password replication policy.
Result: At the end of the exercise you will have configured a global catalog server and
configured AD DS domain controller roles.
Lab: Configuring AD DS and DNS Integration L2-9
Task 4: Create two new zones based on the zone files for Fabrikam and
Contoso
1. Use Windows Explorer to copy the Contoso.com.dns and the
Fabrikam.com.dns files from D:\6425\Mod02\Labfiles to
C:\Windows\System32\DNS. Leave Windows Explorer open.
2. Return to the DNS Manager console, right-click Forward Lookup Zones, and
then click New Zone.
3. In the New Zone Wizard click Next. On the Zone Type page, ensure that
Primary Zone is selected, clear the checkbox to Store the zone in Active
Directory, and then click Next.
4. On the Zone Name page, type Contoso.com, and then click Next.
5. On the Zone File page, select Use this existing file, ensure that
Contoso.com.dns appears in the field, and then click Next.
6. On the Dynamic Updates page, ensure that Do not allow dynamic updates is
selected, click Next, and then click Finish.
7. Repeat steps 2-6 for the Fabrikam.com zone.
5. In the Connect to DNS Server dialog box, click The following computer, type
MIA-RODC in the field, and then click OK.
6. Expand MIA-RODC, expand Forward Lookup Zones, and ensure that all the
DNS zones appear.
Note: If the DNS zones do not appear, open Active Directory Sites and Services on
NYC-DC1. Expand Sites, expand Default-First-Site-Name, expand Servers, expand
MIA-RODC, and click NTDS Settings. Right-click RODC-Connection (FRS) and
click Replicate Now. Click OK. In the DNS Manager console, right-click Forward
Lookup Zones and click Refresh. Verify that the zones now appear. If the zones do
not appear, wait a few minutes and click Refresh again.
Task 4: Shut down all virtual machines and discard any changes
1. On the host computer, click Start, point to All Programs, point to Microsoft
Virtual Server, and then click Virtual Server Administration Website.
2. Under Navigation, click Master Status. For each virtual machine that is
running, click the virtual machine name, and in the context menu, click Turn
off Virtual Machine and Discard Undo Disks. Click OK.
Lab A: Configuring Active Directory Objects L3-15
4. Click Next.
5. In the Password and Confirm password fields, enter Pa$$w0rd.
6. Clear the User must change password at next logon check box, click Next,
and then click Finish.
7. On NYC-DC1, open a command prompt window.
8. At the command prompt, type the following command and then press ENTER.
dsadd user "cn=Jun Cao,ou=itadmins,dc=WoodgroveBank,dc=com" -samid Jun -pwd Pa$$w0rd -desc Administrator
You should see a “dsadd succeeded” message.
9. In Active Directory Users and Computers, confirm that Jun Cao’s account
has been added to the IT Admins OU.
7. Right-click Dana Birkby, and then click Properties. Modify the user properties
as follows:
a. On the General tab, set:
• Telephone number - 555-555-0100
• Office - Head Office
• E-mail - Dana@WoodgroveBank.com
b. On the Dial-in tab, set Network Access Permission to Allow access.
c. On the Account tab, click Logon Hours. Configure logon hours to be
permitted between 8:00 A.M. and 5:00 P.M., and then click OK.
d. On the Profile tab, under Home folder, click Connect. Select H as the
drive letter, and in the To box, type
\\NYC-DC1\HomeDirs\Marketing\%username%
e. Click OK.
8. In Windows Explorer, browse to D:\HomeDirs\Marketing. Ensure that a
folder named Dana was created in the folder.
9. Close Windows Explorer.
10. Close the Find Users, Contacts, and Groups dialog box, and then close
Active Directory Users and Computers.
11. On NYC-CL1, log off and then log on as Dana using a password of Pa$$w0rd.
12. Open Windows Explorer and confirm that drive H has been mapped to the
\\NYC-DC1\HomeDirs\Marketing\Dana folder. Create a new text
document in the folder.
13. Close Windows Explorer.
Result: At the end of this exercise, you will have configured AD DS objects.
Resource                     Access requirement   Group name
ExecData\HeadOfficeReports   Full control         EX_HOReports_FC

Group name                   Member group(s)
EX_HOReports_FC              WGB_ExecutivesUG
EX_NYC_BranchReportsFC       NYC_BranchManagersGG
EX_NYC_BranchReportsRO       WGB_ExecutivesUG
EX_TOR_BranchReportsFC       TOR_BranchManagersGG
EX_TOR_BranchReportsRO       WGB_ExecutivesUG
EX_MIA_BranchReportsFC       MIA_BranchManagersGG
EX_MIA_BranchReportsRO       WGB_ExecutivesUG
EX_LON_BranchReportsFC       LON_BranchManagersGG
EX_LON_BranchReportsRO       WGB_ExecutivesUG
EX_TOK_BranchReportsFC       TOK_BranchManagersGG
EX_TOK_BranchReportsRO       WGB_ExecutivesUG
EX_CorpFC                    WGB_ExecutivesUG, WGB_BranchManagersUG
Note: The easiest way to configure access to the ExecData folder is to grant the
executive’s universal group and the branch manager’s universal group Contributor
permissions. You then can control permissions for subfolders by using NTFS file
system permissions.
Note: To simplify the implementation process, some of the required groups may
already have been created. Additionally, configure the required groups only for the
WoodgroveBank.com and EMEA.WoodgroveBank.com domains.
Resource                          Organizational unit
ExecData\HeadOfficeReports        Executives OU
ExecData\BranchReports\NYC        NYC\BranchManagers OU
ExecData\BranchReports\Toronto    Toronto\BranchManagers OU
ExecData\BranchReports\Miami      Miami\BranchManagers OU
ExecData\BranchReports\London     Executives OU
ExecData\Corp                     Executives OU
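Added example (not part of the lab text): the group strategy in the tables above implemented with dsadd, dsmod and icacls, so that only domain local groups are ever placed on the folder ACLs and the role groups are nested into them. Assumptions: the global and universal groups already exist (the note says some may), the groups live in an OU named Groups (constructed), the data is under D:\ExecData on NYC-DC1, and the FC/RO suffixes mean full control and read-only; only the head office, NYC and Corp rows are shown, the other offices follow the same pattern.

```powershell
# Added example, not from the MOC 6425 lab: create the domain local groups, nest the
# role groups into them, and set NTFS permissions with the domain local groups only.
$domainDn = 'DC=WoodgroveBank,DC=com'
$groupOu  = "OU=Groups,$domainDn"      # assumed location of the groups
$netbios  = 'WOODGROVEBANK'

# Domain local group -> member groups (rows from the table)
$nesting = @{
    'EX_HOReports_FC'        = @('WGB_ExecutivesUG')
    'EX_NYC_BranchReportsFC' = @('NYC_BranchManagersGG')
    'EX_NYC_BranchReportsRO' = @('WGB_ExecutivesUG')
    'EX_CorpFC'              = @('WGB_ExecutivesUG', 'WGB_BranchManagersUG')
}
foreach ($dl in $nesting.Keys) {
    $dlDn = "CN=$dl,$groupOu"
    if (-not (dsquery group -samid $dl)) {
        # -scope l = domain local, -secgrp yes = security group (not distribution)
        dsadd group $dlDn -scope l -secgrp yes -samid $dl | Out-Null
    }
    foreach ($member in $nesting[$dl]) {
        $memberDn = dsquery group -samid $member          # prints the DN in quotes
        if (-not $memberDn) { Write-Warning "$member not found, not nested"; continue }
        dsmod group $dlDn -addmbr $memberDn.Trim('"') | Out-Null
    }
}

# Folder -> (domain local group -> icacls right). F = full control, RX = read and execute.
$folderAcl = @{
    'D:\ExecData\HeadOfficeReports' = @{ 'EX_HOReports_FC' = 'F' }
    'D:\ExecData\BranchReports\NYC' = @{ 'EX_NYC_BranchReportsFC' = 'F'; 'EX_NYC_BranchReportsRO' = 'RX' }
    'D:\ExecData\Corp'              = @{ 'EX_CorpFC' = 'F' }
}
foreach ($folder in $folderAcl.Keys) {
    # Break inheritance (/inheritance:r) so the parent's Users ACE does not leak in, then
    # re-add SYSTEM and Administrators; (OI)(CI) applies the ACE to files and subfolders.
    icacls $folder /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
    foreach ($g in $folderAcl[$folder].Keys) {
        icacls $folder /grant:r "${netbios}\${g}:(OI)(CI)$($folderAcl[$folder][$g])" | Out-Null
    }
    icacls $folder      # show the resulting ACL
}
```

The share permission stays coarse, as the first note suggests (the two universal groups get Contributor on the ExecData share); the NTFS ACLs written above are what actually separate the branch reports from each other.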
L3-22 Module 3: Configuring Active Directory Objects and Trusts
Result: At the end of this exercise, you will have implemented a group strategy.
Result: At the end of this exercise, you will have examined several options for
automating the management of user objects.
10. On the Tasks to Delegate page, click Create a custom task to delegate, and
then click Next.
11. On the Active Directory Object Type page, click Only the following objects
in the folder, select the User objects check box, and then click Next.
12. On the Permissions page, ensure that the General check box is selected.
13. Under Permissions, select the Read and write personal information check
box, click Next, and then click Finish.
Note: This step is included in the lab to enable you to test the delegated
permissions. As a best practice, you should install the administration tools on a
Windows workstation rather than enable Domain Users to log on to domain
controllers.
4. Right-click the Toronto organizational unit, and then create a new user with
the following properties:
• First name - Test1
• User logon name - Test1
• Password - Pa$$w0rd
This task will succeed because Sven Buck was delegated the authority to
perform that task.
5. Right-click the Toronto OU, and then create a new group named Group 1.
This task will succeed because Sven Buck was delegated the authority to
perform that task.
6. Right-click the ITAdmins OU, and review the menu options. Verify that Sven
does not have permissions to create any new objects in the ITAdmins OU.
7. Log off and then log on to NYC-DC1 as Helge with the password of
Pa$$w0rd.
8. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
9. In the User Account Control dialog box, type Pa$$w0rd, and then click OK.
10. Right-click the Toronto OU, and review the menu options. Verify that Helge
does not have permissions to create any new objects in the Toronto OU.
11. Expand Toronto, expand CustomerService, right-click Matt Berg, and then
click Reset Password.
12. In the Reset Password dialog box, in the New password and Confirm
password boxes, type Pa$$w0rd, and then click OK twice.
13. Right-click Matt Berg, and then click Properties. In the Matt Berg Properties
dialog box, confirm that Helge has permission to set some user properties
such as Office and Telephone number, but not settings such as Description
and E-mail.
14. Close Active Directory Users and Computers, and then log off.
Result: At the end of this exercise you will have delegated the administrative tasks for
the Toronto office.
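Added example (not part of the lab text): the Toronto delegation expressed as dsacls commands, followed by a check of what the OU's ACL actually grants to each delegate, which is a faster way to confirm steps 6 and 10 than reviewing context menus. Assumptions: the delegates' logon names are Sven and Helge, the domain NetBIOS name is WOODGROVEBANK, and the "personal information" choice from the wizard is granted here as the two attributes the lab tests (telephoneNumber and physicalDeliveryOfficeName) rather than the whole property set.

```powershell
# Added example, not from the MOC 6425 lab. dsacls: /I:T = this object and children,
# /I:S = children only; CC/DC = create/delete child, CA = control access right,
# RP/WP = read/write property.
$toronto  = 'OU=Toronto,DC=WoodgroveBank,DC=com'
$itadmins = 'OU=ITAdmins,DC=WoodgroveBank,DC=com'

# Sven: create and delete user and group objects in the Toronto OU (steps 4 and 5).
dsacls $toronto /I:T /G 'WOODGROVEBANK\Sven:CCDC;user' 'WOODGROVEBANK\Sven:CCDC;group'

# Helge: reset passwords on users (steps 11-12) and write the two attributes the
# lab checks in step 13; description and mail are deliberately not granted.
dsacls $toronto /I:S /G 'WOODGROVEBANK\Helge:CA;Reset Password;user' `
                       'WOODGROVEBANK\Helge:RPWP;telephoneNumber;user' `
                       'WOODGROVEBANK\Helge:RPWP;physicalDeliveryOfficeName;user'

# Audit: dump the ACL of an OU and keep only the ACEs for one trustee.
function Get-DelegatedAce([string]$ObjectDn, [string]$Trustee) {
    dsacls $ObjectDn | Select-String -SimpleMatch $Trustee -Context 0, 3
}
foreach ($t in 'WOODGROVEBANK\Sven', 'WOODGROVEBANK\Helge') {
    "--- $t on Toronto";  Get-DelegatedAce $toronto $t
    "--- $t on ITAdmins"; Get-DelegatedAce $itadmins $t    # expected: nothing
}
```

Run the audit part periodically: delegated ACEs on OUs are easy to add through the wizard and hard to see afterwards, and an unexpected trustee on a high-value OU such as ITAdmins is exactly what the comparison at the end is meant to catch.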
f Task 2: Configure the Network and DNS Settings to enable the forest
trust
1. On VAN-DC1, click Start, point to Control Panel, point to Network
Connections, and click Local Area Connection.
2. Click Properties, click Internet Protocol (TCP/IP) , and then click
Properties.
3. Change the IP address to 10.10.0.110, the Default gateway to 10.10.0.1, and
the Preferred DNS server to 10.10.0.110. Click OK, and close the open
dialog boxes.
4. Click Start, and click Run. In the Open box, type cmd, and press ENTER.
5. At the command prompt, type Net time \\10.10.0.10 /set /y and press
ENTER. This command synchronizes the time between VAN-DC1 and NYC-
DC1. Close the command prompt.
6. Start DNS Manager from the Administrative Tools folder.
7. In the DNS Manager console, expand VAN-DC1.
8. Right-click VAN-DC1, and click Properties.
9. On the Forwarders tab, click New. In the DNS domain field, type
Woodgrovebank.com, and then click OK.
10. In the Selected domain's forwarder IP address list, type 10.10.0.10, and then
click Add. Click OK, and close the DNS Manager console.
11. Start Active Directory Domains and Trusts from the Administrative Tools
folder.
12. In Active Directory Domains and Trusts, right-click Fabrikam.com, and then
click Raise Domain Functional Level.
Lab B: Configuring Active Directory Delegation and Trusts L3-31
13. Select Windows Server 2003, click Raise, and then click OK twice.
14. Right-click Active Directory Domains and Trusts, and then click Raise Forest
Functional Level.
15. Select Windows Server 2003, click Raise, and then click OK twice.
16. On NYC-DC1, log on as Administrator.
17. Start DNS Manager from the Administrative Tools folder.
18. In the DNS Manager console, expand NYC-DC1.
19. Under NYC-DC1, right-click Conditional Forwarders, and then click New
Conditional Forwarder.
20. In the DNS Domain field, type Fabrikam.com, click under IP Address, type
10.10.0.110, press ENTER, and then click OK.
21. Close the DNS Manager console.
11. On the Outgoing Trust Authentication Level - Specified Forest page, accept
the default of Forest-wide authentication, and then click Next.
12. On the Trusts Selections Complete page, click Next.
13. On the Trust Creation Complete page, click Next.
14. On the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust,
and then click Next.
15. On the Confirm Incoming Trust page, click Yes, confirm the incoming trust,
and then click Next.
16. On the Completing the New Trust Wizard page, click Finish.
17. Read the Active Directory message, and then click OK.
18. Click OK to close the WoodgroveBank.com Properties dialog box.
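Added example (not part of the lab text): the DNS and time prerequisites from Task 2 as commands run on NYC-DC1, with checks that tell you before the New Trust Wizard whether name resolution and clock skew are in order, and the verification to run after the wizard finishes. Assumptions: 10.10.0.110 is VAN-DC1, the Fabrikam.com domain controller, as in the lab.

```powershell
# Added example, not from the MOC 6425 lab. Run on NYC-DC1 as Administrator.
$partner   = 'Fabrikam.com'
$partnerDc = '10.10.0.110'

# Conditional forwarder for the partner forest (the GUI's steps 19-20).
dnscmd . /ZoneAdd $partner /Forwarder $partnerDc

# Name resolution: the partner's DC locator record must resolve through the forwarder.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$partner" 127.0.0.1

# Kerberos across the trust tolerates 5 minutes of clock skew. Measure it with w32tm
# rather than the deprecated 'net time /set', then resync from the configured source.
w32tm /stripchart /computer:$partnerDc /samples:3 /dataonly
w32tm /resync

# DC discovery for the partner domain works through DNS alone, so a failure here
# means the wizard will fail too.
nltest /dsgetdc:$partner /force

# After the New Trust Wizard: the trust is listed and its secure channel verifies.
nltest /domain_trusts /all_trusts
netdom trust WoodgroveBank.com /domain:$partner /verify
```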
11. In the NYC-DC2 Properties dialog box, select the Allowed to Authenticate
permission check box in the Allow column.
12. Click OK to close the NYC-DC2 Properties dialog box.
13. Expand Computers.
14. Click NYC-CL1, and on the Action menu, click Properties.
15. In the NYC-CL1 Properties dialog box, click the Security tab, and then click
Add.
16. In the Select Users, Computers, or Groups dialog box, click Locations, click
Fabrikam.com, and then click OK.
17. In the Select Users, Computers, or Groups dialog box, type MarketingGG,
and then click OK.
18. In the NYC-CL1 Properties dialog box, select the Allowed to Authenticate
permission check box in the Allow column.
19. Click OK to close the NYC-CL1 Properties dialog box.
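Added example (not part of the lab text): the Allowed to Authenticate grants from steps 11 and 18 as dsacls commands, plus an audit that lists every computer in the domain carrying that right. One caveat the steps do not state: the per-computer Allowed to Authenticate ACE is only consulted when the trust uses selective authentication; with the forest-wide authentication accepted earlier in the wizard, every user in the trusted forest can authenticate to every computer regardless of these ACEs. Assumptions: FABRIKAM is the partner forest's NetBIOS name and the trust can be switched with netdom.

```powershell
# Added example, not from the MOC 6425 lab. Run on NYC-DC1 as Administrator.
# Switch the trust to selective authentication if the wizard left it forest-wide.
netdom trust WoodgroveBank.com /domain:Fabrikam.com /SelectiveAuth:yes
netdom trust WoodgroveBank.com /domain:Fabrikam.com /verify

# Grant the control access right on exactly the computers the design allows.
$targets = 'CN=NYC-DC2,OU=Domain Controllers,DC=WoodgroveBank,DC=com',
           'CN=NYC-CL1,CN=Computers,DC=WoodgroveBank,DC=com'
foreach ($t in $targets) {
    dsacls $t /G 'FABRIKAM\MarketingGG:CA;Allowed to Authenticate'
}

# Audit: every computer object that grants Allowed to Authenticate, and to whom.
function Get-AllowedToAuthenticate {
    $searcher = New-Object DirectoryServices.DirectorySearcher('(objectCategory=computer)')
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    foreach ($r in $searcher.FindAll()) {
        $dn   = $r.Properties['distinguishedname'][0]
        $aces = dsacls $dn | Select-String -SimpleMatch 'Allowed to Authenticate'
        if ($aces) {
            New-Object PSObject -Property @{ Computer = $dn; Aces = ($aces | Out-String).Trim() }
        }
    }
}
Get-AllowedToAuthenticate | Format-List
```

The audit is the part to keep: with selective authentication the set of computers that trusted-forest users may reach is defined entirely by these scattered ACEs, so the list above is the real access policy for the trust.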
Result: At the end of this exercise you will have configured trusts based on a trust
configuration design.
Lab: Configuring Active Directory Sites and Replication L4-35
10. Right-click London-Site, and then click Properties. Verify that the correct
subnet is associated with this site, and then click OK.
Result: At the end of this exercise you will have configured AD DS sites and subnets
and linked the subnets to the appropriate sites.
10. At the command prompt, type ipconfig /registerdns, and then press ENTER.
11. On NYC-DC1, click Start, point to Administrative Tools, and then click DNS.
12. Expand NYC-DC1, expand Forward Lookup Zones, and then click
WoodgroveBank.com. Verify that the IP address for MIA-RODC has been
updated.
13. Expand WoodgroveBank.com, select and then right-click EMEA, and then
click Properties.
14. On the Name Servers tab, click Edit.
15. In the Edit Name Server Record dialog box, click 10.10.0.110, type
10.20.0.110, and then click OK three times.
16. Close the DNS management console.
Result: At the end of this exercise you will have configured AD DS replication.
L4-40 Module 4: Configuring Active Directory Domain Sites and Replication
8. Right-click the Users container, point to New and click User. Create a new
user with a first name and logon name of TestUser, and a password of
Pa$$w0rd.
9. In Active Directory Sites and Services, click Miami-Site, expand MIA-RODC,
and click NTDS Settings. Right-click the connection object between NYC-DC1
and MIA-RODC, and click Replicate Now. Click OK to close the Replicate
Now dialog box.
Note: If you receive an error message when forcing replication on the connection
object, under MIA-RODC, right-click NTDS Settings, point to All Tasks, and click
Check Replication Topology. Expand NYC-DC1, right-click NTDS Settings,
point to All Tasks, and click Check Replication Topology. Wait one minute and
try step 9 again.
Result: At the end of this exercise you will have verified that AD DS replication is
working.
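Added example (not part of the lab text): the Replicate Now and Check Replication Topology steps as repadmin commands, followed by an LDAP read from the RODC itself to prove the test user arrived there, which is stronger evidence than a clean dialog box. Assumptions: run on NYC-DC1 as Administrator; the /readonly switch is used because the destination holds a read-only replica.

```powershell
# Added example, not from the MOC 6425 lab.
$rodc   = 'MIA-RODC'
$source = 'NYC-DC1'
$nc     = 'DC=WoodgroveBank,DC=com'

# Rebuild connection objects on both sides (the Note's "Check Replication Topology").
repadmin /kcc $source
repadmin /kcc $rodc

# Pull the domain partition from NYC-DC1 to the RODC.
repadmin /replicate $rodc $source $nc /readonly

# Status: failures only for the RODC, then the forest-wide summary.
repadmin /showrepl $rodc /errorsonly
repadmin /replsummary

# Proof: query the RODC, not NYC-DC1, for the object created in step 8.
function Test-ObjectOnDc([string]$Dc, [string]$SamAccountName) {
    $root = New-Object DirectoryServices.DirectoryEntry("LDAP://$Dc/$nc")
    $s    = New-Object DirectoryServices.DirectorySearcher($root, "(sAMAccountName=$SamAccountName)")
    $null -ne $s.FindOne()
}
if (Test-ObjectOnDc $rodc 'TestUser') { "TestUser is on $rodc" } else { "TestUser has not replicated to $rodc yet" }
```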
Lab: Creating and Configuring GPOs L5-43
6. Right-click the Executives OU, and then click Link an Existing GPO.
7. In the Select GPO dialog box, click the Restrict Desktop Display GPO, and
then click OK.
8. Right click the Miami OU, click Link an Existing GPO…, and then select the
Restrict Control Panel policy.
9. Repeat the previous step to link the Restrict Control Panel policy to the
Toronto and NYC OUs.
Result: At the end of this exercise you will have created and configured GPOs.
f Task 4: Create and apply a WMI filter for the Server Security GPO
1. In the GPMC, right-click the WMI Filters folder, and then click New.
2. In the Name field, type Windows Vista or XP operating system.
3. In the New WMI Filter dialog box, click Add.
4. In the WMI Query dialog box, type the following query (the class name is
Win32_OperatingSystem, with an underscore):
Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Vista Enterprise" OR Caption = "Microsoft Windows XP Professional"
5. Click OK, and then click Save.
6. In the Group Policy Objects folder, click the Vista or XP Security policy, and
then click the Scope tab.
7. In the WMI Filtering section, select the Windows Vista or XP operating
system query from the drop-down list.
8. Click Yes to confirm the operation.
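Added example (not part of the lab text): a way to test a WMI filter query on a client before attaching it to a GPO, and a version-based query that is less brittle than matching Caption. An exact Caption match is fragile: the string differs by edition, and on some Vista builds it contains the registered and trademark symbols and a trailing space, so the lab's filter can silently evaluate to false and the GPO then never applies. Assumptions: Get-WmiObject is available on the test host; the alternative query is the editor's, not the lab's.

```powershell
# Added example, not from the MOC 6425 lab. Group Policy evaluates the WMI query on
# the client; an empty result set means "filter false" and the GPO is skipped.
$labQuery    = 'Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Vista Enterprise" OR Caption = "Microsoft Windows XP Professional"'
# Version 6.0 = Vista, 5.1 = XP; ProductType 1 = workstation, so servers are excluded.
$robustQuery = 'Select * from Win32_OperatingSystem where (Version like "6.0%" OR Version like "5.1%") AND ProductType = 1'

function Test-WmiFilter([string]$Query, [string]$Computer = '.') {
    $result = Get-WmiObject -Query $Query -ComputerName $Computer -Namespace 'root\cimv2' -ErrorAction Stop
    [bool]$result
}

foreach ($q in $labQuery, $robustQuery) {
    "{0,-5} {1}" -f (Test-WmiFilter $q), $q
}
# What the client really reports, for comparison with the literals above:
Get-WmiObject Win32_OperatingSystem | Select-Object Caption, Version, ProductType
```

Run it on NYC-CL1 and on NYC-DC1: the lab query should be true on the Vista client only, and the version query should give the same answer on both, which is the property you want from a filter that gates security settings.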
Result: At the end of this exercise you will have configured the scope of GPO settings.
f Task 2: Verify that a Miami branch user is receiving the correct policy
1. Log on to NYC-CL1 as Anton with a password of Pa$$w0rd.
2. Ensure that there is no link to the Run menu in the Accessories folder on the
Start Menu.
3. Ensure that there is no link to Control Panel on the Start Menu.
4. Log off.
Hint: When you attempt to access display settings, you will receive a message
informing you that this has been disabled.
5. Log off.
f Task 6: Verify that the last logged on username does not appear
• Verify that the last logged on username does not appear.
Result: At the end of this exercise you will have tested and verified a GPO application.
Result: At the end of this exercise you will have backed up, restored, and imported
GPOs.
Note: This step is included in the lab to allow you to test the delegated permissions.
As a best practice, you should install the administration tools on a Windows
workstation rather than enable Domain Users to log on to domain controllers.
Lab: Configuring User Environments Using Group Policy L6-55
f Task 2: Create the logon script to map to the Data shared folder
1. Click Start, click Search, type Notepad in the Search box, and then press
ENTER.
2. In Notepad, type Net Use J: \\NYC-DC1\Data.
3. Close Notepad and save the file as C:\Map.bat. Ensure the Save as type field
is All Files.
f Task 3: Copy the script to the NetLogon share, and assign it to the
Miami, Toronto, and NYC OUs
1. Click Start, and then click Computer.
2. In the right pane, double-click Local Disk (C:).
3. Right-click the Map.bat script, click Copy to copy the script to the clipboard,
and then close the Windows Explorer window.
4. Click Start, point to Administrative Tools, and then click Group Policy
Management.
L6-56 Module 6: Configuring User Environments Using Group Policy
7. Click the Settings tab, examine the current settings, and then click OK. Click
Yes to acknowledge the Warning message, and then close the Group Policy
Management Editor.
8. Right-click the Executives OU, and then click Link an existing GPO. Select
the Executive Redirection GPO, and then click OK.
Result: At the end of this exercise you will have configured scripts and folder
redirection.
f Task 4: Create and assign a domain-level GPO for all domain users
1. Right-click the Group Policy Objects folder, and then click New.
2. In the New GPO dialog box, type All Users Policy in the Name field, and then
click OK.
3. Right-click the All Users Policy GPO, and then click Edit.
4. Under User Configuration, expand Policies, expand Administrative
Templates, and then click System. In the Details pane, double-click the
Prevent access to registry editing tools setting, click Enabled, and then click
OK.
5. Click Start Menu and Taskbar. In the details pane, double-click Remove
Clock from the system notification area, click Enabled, and then click OK.
6. Close the Group Policy Management Editor.
7. Right-click the WoodgroveBank.com domain, click Link an existing GPO,
select the All Users Policy GPO, and then click OK.
10. Repeat the previous step to link the Branch Users Policy GPO to the Toronto
and NYC OUs.
11. Minimize the Group Policy Management Console.
Result: At the end of this exercise you will have configured Administrative Templates.
4. Click the Common tab, check the Item-level targeting check box, and then
click Targeting.
5. In the Targeting Editor dialog box, click New Item, and then click Operating
System.
6. In the Product list, click Windows Server 2008, and then click OK twice.
Result: At the end of this exercise you will have configured preferences.
4. Click Start, and click All Programs. Verify that Administrative Tools are listed
on the Start menu and that the Games folder is not displayed. Preferences
assigned to Windows Vista computers are also applied to Windows Server
2008 computers.
5. Close all open windows.
Note: To apply group policy preferences to Windows Vista computers, you must
download and install Group Policy Preference Client Side Extensions for Windows
Vista (KB943729).
f Task 3: Log on as a user in the Executives OU, and observe the applied
settings
1. Log on to NYC-CL1 as Tony using the password Pa$$w0rd.
2. Close the Welcome Center windows. Ensure that the clock is not displayed in
the Notification area.
3. Click Start, right-click the Documents folder, and then click Properties.
Ensure the location is \\nyc-dc1\execdata\tony.
4. Click Start, click Search, type Regedt32 in the Search box, and then press
ENTER. Ensure that Registry editing is disabled.
5. Ensure that the Windows Sidebar is not displayed.
6. Log off NYC-CL1.
11. Click the Settings tab. Under Computer Configuration, click Administrative
Templates. Expand each of the settings.
Question: What settings were delivered to the computer?
Answer: Windows Firewall: Allow inbound remote administration exception;
Slow Link Detection speed set to 800 Kbps.
12. Under User Configuration, expand each of the settings.
Question: What settings were delivered to the user?
Answer: The Executive Redirection policy delivers folder redirection settings.
The All Users Policy delivers settings to remove the clock and disable registry
editing.
Result: At the end of this exercise you will have verified the GPO application.
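Added example (not part of the lab text): verifying the user-side settings from the registry and gpresult rather than by looking for the clock or launching Regedt32. The registry locations are the ones the two Administrative Template settings write to. Assumptions: run in Tony's session on NYC-CL1, after the policies from the exercise have applied.

```powershell
# Added example, not from the MOC 6425 lab: check that the All Users Policy and the
# Executive Redirection GPO actually landed in the user's profile.
$checks = @(
    @{ Setting  = 'Prevent access to registry editing tools'
       Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'DisableRegistryTools'; Expected = 1 },
    @{ Setting  = 'Remove Clock from the system notification area'
       Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name     = 'HideClock'; Expected = 1 }
)
foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $state  = if ($actual -eq $c.Expected) { 'OK' } else { 'MISSING' }
    "{0,-8} {1} (value={2})" -f $state, $c.Setting, $actual
}

# Folder redirection: Documents should point at the ExecData share.
$docs = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders').Personal
"Documents -> $docs"

# Which GPOs were applied in the user scope and which were filtered out.
gpresult /scope user /r
```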
Lab: Implementing Security Using Group Policy L7-67
9. In the details pane, double-click the Account lockout threshold setting, set
the value to be 5 invalid logon attempts, and then click OK.
10. In the Suggested Value Changes dialog box, click OK to accept the values of
30 minutes, and then click OK.
11. Close the Group Policy Management Editor, and leave the GPMC open.
Result: At the end of this exercise you will have configured account and security policy
settings.
11. In the msDS-MinimumPasswordLength value, type 10, and then click Next.
12. In the msDS-MinimumPasswordAge value, type -5184000000000, and then
click Next.
13. In the msDS-MaximumPasswordAge value, type -6040000000000, and then
click Next.
14. In the msDS-LockoutThreshold value, type 3, and then click Next.
15. In the msDS-LockoutObservationWindow value, type -18000000000, and
then click Next.
16. In the msDS-LockoutDuration value type -18000000000, click Next, and
then click Finish.
17. Close the ADSI Edit MMC without saving changes.
Result: At the end of this exercise, you will have implemented fine-grained password
policies.
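Added example (not part of the lab text): the PSO from steps 11 to 16 built from readable durations and imported with ldifde, instead of typing negative 100-nanosecond counts into ADSI Edit. The conversion helpers also decode what the lab asks you to type: -5184000000000 is exactly 6 days and -18000000000 is 30 minutes, but -6040000000000 is 604,000 seconds (6.99 days), not 7 days; 7 days would be -6048000000000. Assumptions: the PSO name, its precedence and the ITAdmins group it applies to are constructed; attribute names and the Password Settings Container path are the schema's.

```powershell
# Added example, not from the MOC 6425 lab. AD stores these durations as a negative
# Int64 count of 100-ns ticks ("never" is the Int64 minimum); LDIF takes them as
# decimal strings, which avoids the IADsLargeInteger handling ADSI needs.
function ConvertTo-I8Interval([TimeSpan]$Span) { [string](-1 * $Span.Ticks) }
function ConvertFrom-I8Interval([string]$Value) { [TimeSpan]::FromTicks(-1 * [int64]$Value) }

# Decode the lab's values.
-5184000000000, -6040000000000, -18000000000 |
    ForEach-Object { "{0,16} = {1}" -f $_, (ConvertFrom-I8Interval $_) }

$psoName = 'ITAdmins-PSO'                                                 # constructed
$applyTo = 'CN=ITAdmins,OU=Groups,DC=WoodgroveBank,DC=com'                # constructed
$ldif = @"
dn: CN=$psoName,CN=Password Settings Container,CN=System,DC=WoodgroveBank,DC=com
changetype: add
objectClass: msDS-PasswordSettings
cn: $psoName
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 10
msDS-MinimumPasswordAge: $(ConvertTo-I8Interval ([TimeSpan]::FromDays(6)))
msDS-MaximumPasswordAge: $(ConvertTo-I8Interval ([TimeSpan]::FromDays(7)))
msDS-LockoutThreshold: 3
msDS-LockoutObservationWindow: $(ConvertTo-I8Interval ([TimeSpan]::FromMinutes(30)))
msDS-LockoutDuration: $(ConvertTo-I8Interval ([TimeSpan]::FromMinutes(30)))
msDS-PSOAppliesTo: $applyTo
"@
$ldf = Join-Path $env:TEMP 'pso.ldf'
Set-Content -Path $ldf -Value $ldif -Encoding ASCII
ldifde -i -f $ldf -k          # -k: continue past "already exists"

# The winning PSO is computed per user, not stored on the PSO; ask a member.
dsget user 'CN=Jun Cao,OU=ITAdmins,DC=WoodgroveBank,DC=com' -effectivepso
```

Keep the observation window no longer than the lockout duration (the lab uses 30 minutes for both), and check the effective PSO on a real member after import: a PSO with the wrong precedence or a group that is not the user's direct membership silently loses to the Default Domain Policy.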
L7-72 Module 7: Implementing Security Using Group Policy
5. In the New Hash Rule dialog box, click Browse, navigate to C:\Program
Files\Internet Explorer\iexplore.exe, and then click Open.
6. Ensure that the Security level is Disallowed, and then click OK.
7. Right-click Additional Rules, and then click New Path Rule.
8. In the Path field, type *.vbs, and then click OK.
9. Close the Group Policy Management Editor.
Result: At the end of this exercise you will have configured restricted groups and
software restriction policies.
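Added example (not part of the lab text): enumerating the Software Restriction Policy rules a machine has actually received, by reading the registry keys that Group Policy writes under Safer\CodeIdentifiers. This is the check to run on NYC-CL1 after the policy applies: it shows the hash rule for iexplore.exe and the *.vbs path rule with their security levels. Assumptions: the level ids and value names are those of the SAFER registry layout; the script only reads.

```powershell
# Added example, not from the MOC 6425 lab: list applied SRP rules (machine scope).
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpRule {
    if (-not (Test-Path $base)) { Write-Warning 'No SRP applied in machine scope'; return }
    "Default level: $($levels[[int](Get-ItemProperty $base).DefaultLevel])"
    foreach ($levelKey in Get-ChildItem $base) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }   # level subkeys are decimal ids
        $level = $levels[[int]$levelKey.PSChildName]
        foreach ($type in 'Paths', 'Hashes') {
            $typePath = Join-Path $levelKey.PSPath $type
            if (-not (Test-Path $typePath)) { continue }
            foreach ($rule in Get-ChildItem $typePath) {
                $v = Get-ItemProperty $rule.PSPath
                # Path rules store the pattern as text; hash rules store the hash bytes.
                $data = if ($type -eq 'Hashes') { ($v.ItemData | ForEach-Object { $_.ToString('x2') }) -join '' } else { $v.ItemData }
                New-Object PSObject -Property @{
                    Level = $level; Type = $type; Data = $data
                    Name  = $v.FriendlyName; HashAlg = $v.HashAlg
                }
            }
        }
    }
}
Get-SrpRule | Format-Table Level, Type, Data, Name, HashAlg -AutoSize
```

Two caveats for the rules the lab creates: a hash rule matches one exact binary, so the iexplore.exe rule stops matching after the next Internet Explorer update and must be recreated; and a *.vbs path rule only matches by file name, so a script renamed to another extension and run through wscript.exe is not covered by it.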
f Task 2: Start NYC-SVR1 and join the domain and disable the Windows
Firewall
1. Start NYC-SVR1. Log on as LocalAdmin with a password of Pa$$w0rd.
2. If required, open Server Manager. Click Change System Properties.
3. On the Computer Name tab, click Change.
4. In the Member of section, click Domain, type WoodgroveBank.com in the
field, and then click OK.
5. Enter the credentials of Administrator and Pa$$w0rd, and then click OK.
6. Click OK to restart the computer.
7. Log on as Woodgrovebank\Administrator, with the password Pa$$w0rd.
8. Click Start, click Control Panel, double-click Windows Firewall, and then
click Change settings.
9. In the Windows Firewall Settings dialog box, click Off, and then click OK to
disable the Windows Firewall.
Note: Disabling the Windows Firewall in steps 8 and 9 is done only to simplify the
lab and is not a recommended practice. On a production server leave the firewall on
and enable only the rule groups the server role needs.
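Added example (not part of the lab text): what to do on NYC-SVR1 instead of turning the firewall off. The built-in rule groups exist on every Windows Server 2008 installation; enabling them opens only the inbound ports a domain-joined file and print server and its remote management need. Assumptions: run in an elevated prompt on NYC-SVR1 after it has joined the domain.

```powershell
# Added example, not from the MOC 6425 lab: keep the firewall on, open what is needed.
netsh advfirewall set allprofiles state on

# File and print traffic, plus the remote management the later tasks rely on
# (Server Manager and MMC snap-ins, Remote Desktop).
foreach ($group in 'File and Printer Sharing', 'Remote Administration', 'Remote Desktop') {
    netsh advfirewall firewall set rule group="$group" new enable=yes
}

# Verify: the domain profile is ON and the SMB rule is enabled.
netsh advfirewall show domainprofile
netsh advfirewall firewall show rule name="File and Printer Sharing (SMB-In)"

# From NYC-DC1, the share listing works although the firewall is on:
#   net view \\NYC-SVR1
```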
7. On the Select server Roles screen, clear the DNS Server check box.
8. Check the File Server check box.
9. Check the Print Server check box, and then click Next.
10. On the Select Client Features window, click Next.
11. On the Select Administration and Other Options screen, click Next.
12. On the Select Additional Services screen, click Next.
13. On the Handling Unspecified Services screen, click Next.
14. On the Confirm Service Changes screen, examine the changes, and then click
Next.
15. On the Network Security screen, click Next.
16. On the Network Security Rules screen, click Next.
17. On the Registry Settings screen, click Next.
18. On the Require SMB security Signatures screen, click Next.
19. On the Outbound Authentication Methods screen, click Next.
20. On the Outbound Authentication using Domain Accounts screen, check the
Clocks that are synchronized with the selected server’s clock check box,
and then click Next.
21. On the Inbound Authentication Methods screen, click Next.
22. On the Registry Settings summary screen, click Next.
23. On the Audit Policy screen, click Next.
24. On the System Audit Policy screen, click Next
25. On the Audit Policy Summary screen, click Next.
26. On the Save Security Policy screen, click Next.
27. On the Security Policy File Name screen, type FPPolicy at the end of the
C:\Windows\security\msscw\policies\ path, and then click Include
Security Templates.
28. On the Include Security Templates dialog box, click Add.
29. Navigate to Documents\Security\Templates\FPSecurity, click Open, click
OK, and then click Next.
30. On the Apply Security Policy screen, click Apply Now, and then click Next.
31. On the Applying Security Policy screen, click Next, and then click Finish.
Result: At the end of this exercise you will have configured security templates.
f Task 4: Use group policy modeling to test the settings on the file and
print server
1. Open the GPMC, right-click Group Policy Modeling, and then click Group
Policy Modeling Wizard,
2. On the Welcome screen, click Next.
Result: At the end of this exercise you will have verified the security configuration.
Lab: Monitoring AD DS L8-79
Note: Actual events may take a few minutes to show up in the Forwarded Events
log. Start and stop the DNS service again, if required.
L8-82 Module 8: Implementing an Active Directory® Domain Services Monitoring Plan
16. Switch to NYC-DC2, and repeat the steps to stop and start the DNS service.
The message box will appear, displaying your message. Click OK to
acknowledge the message.
Note: The message box may be hidden behind the Event Viewer window. Look
for it on the Task Bar.
Result: At the end of this exercise you will have monitored AD DS using Event Viewer.
Result: At the end of this exercise you will have monitored AD DS using the Performance
and Reliability Monitor.
Result: At the end of this exercise you will have configured AD DS Auditing.
Lab: Implementing an AD DS Maintenance Plan L9-87
9. Expand Windows Firewall, expand Firewall Rules, and then expand Active
Directory Domain Controller – LDAP for Global Catalog (TCP-In).
10. Close the SCW Viewer window, and then click Next.
11. On the Role-Based Service Configuration page, click Next.
12. On the Select Server Roles page, ensure the Domain Controller (Active
Directory) check box is selected, and then click Next.
13. On the Select Client Features page, click Next.
14. In the Select Administration and Other Options page, select the Active
Directory – RsoP Planning Mode check box. Leave the other options selected,
and then click Next.
15. In the Select Additional Services page, click Next.
16. On the Handling Unspecified Services page, ensure that Do not change the
startup mode of the service is selected, and then click Next.
17. On the Confirm Service Changes page, review the service configurations that
will be changed, and then click Next.
18. On the Network Security page, click Next.
19. On the Network Security Rules page, review the firewall rules that will be
configured on the server, and then click Next.
20. On the Registry Settings page, click Next.
21. On the Require SMB Security Signatures page, click Next.
22. On the Require LDAP Signing page, select the Windows 2000 Service Pack 3
or later check box, and then click Next.
23. On the Outbound Authentication Methods page, click Next.
24. On the Outbound Authentication using Domain Accounts page, ensure that
Windows NT 4.0 Service Pack 6a or later operating systems and Clocks
that are synchronized with the selected server’s clock are selected, and then
click Next.
25. On the Inbound Authentication Methods page, clear the Computers that
require LAN Manager authentication and Computers that have not been
configured to use NTLMv2 authentication check boxes, and then click Next.
26. On the Registry Settings Summary page, review the changes, and then click
Next.
27. On the Audit Policy page, click Next.
28. On the System Audit Policy page, select Audit successful and unsuccessful
activities, and then click Next.
29. On the Audit Policy Summary page, click Next.
30. On the Save Security Policy page, click Next.
31. On the Security Policy File Name page, type c:\windows\security\msscw\
policies\NYC-DC1.xml as the policy file name, and then click Next.
32. In the Security Configuration Warning, click OK.
33. On the Apply Security Policy page, ensure that Apply Later is selected, and
then click Next.
34. Click Finish to complete the Security Configuration Wizard.
Result: At the end of this exercise, you will have run the SCW to lock down services on
an AD DS domain controller, and performed AD DS database maintenance tasks.
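Added example (not part of the lab text): the two SCW policies the labs save, FPPolicy for the file and print server and NYC-DC1.xml for the domain controller, driven with scwcmd instead of the wizard. scwcmd analyze compares a machine against a policy without changing it, scwcmd configure applies a policy saved with "Apply Later", and scwcmd transform turns the policy into a GPO so every domain controller gets the same settings. Assumptions: the policy files exist at the paths the labs use, the report directory is constructed, and the commands run elevated on a host with SCW.

```powershell
# Added example, not from the MOC 6425 lab.
$fpPolicy = 'C:\Windows\security\msscw\Policies\FPPolicy.xml'
$dcPolicy = 'C:\Windows\security\msscw\Policies\NYC-DC1.xml'
$report   = 'C:\SCWReports'                                   # constructed
New-Item -ItemType Directory -Path $report -Force | Out-Null

# 1. Compliance check only: compare NYC-SVR1 against the file/print policy. The
#    result is written as $report\NYC-SVR1.xml; render it with the shipped stylesheet.
scwcmd analyze /m:NYC-SVR1 /p:$fpPolicy /o:$report
scwcmd view /x:"$report\NYC-SVR1.xml" /s:"$env:windir\security\msscw\TransformFiles\scwanalysis.xsl"

# 2. The DC policy was saved with "Apply Later"; apply it now.
scwcmd configure /m:NYC-DC1 /p:$dcPolicy

# 3. Spot checks afterwards: the audit policy the wizard set (step 28) and the firewall
#    rule inspected in the SCW Viewer (step 9).
auditpol /get /category:*
netsh advfirewall firewall show rule name="Active Directory Domain Controller - LDAP for Global Catalog (TCP-In)"

# 4. Same settings for all DCs: convert the policy to a GPO, then link it to the
#    Domain Controllers OU in GPMC. To undo a local apply: scwcmd rollback /m:NYC-DC1
scwcmd transform /p:$dcPolicy /g:"SCW DC Lockdown"
```

The analyze step is worth keeping as a scheduled job: it reports services, firewall rules and registry settings that have drifted from the saved policy, which is how a lockdown applied once is actually kept in place.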
Exercise 2: Backing Up AD DS
f Task 1: Install the Windows Server Backup Feature
1. From the Administrative Tools, start Server Manager.
2. In Server Manager, click Features, and then click Add Features.
3. On the Select Features page, expand Windows Server Backup Features, and
then select the Windows Server Backup and Command-line Tools check
boxes.
4. Click Next, and then click Install.
5. When the installation finishes, click Close.
Result: At the end of this exercise, you will have installed the Windows Server Backup
feature, used it to schedule a backup of the AD DS information, and performed an on
demand backup.
Note: When entering the version number, do not include a leading "/". The format
for the recovery command will be similar to wbadmin start systemstaterecovery
-version:04/27/2008-15:49.
Result: At the end of this exercise you will have performed an authoritative restore of
AD DS information.
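Added example (not part of the lab text): a system state backup with wbadmin, with the version identifier for the restore parsed from the output of wbadmin get versions rather than typed, and the authoritative restore sequence for the lab's deleted account. Assumptions: E: is a non-critical volume reserved for backups, the object to restore is the lab's Axel Delgado account, and the recovery commands run after a reboot into Directory Services Restore Mode.

```powershell
# Added example, not from the MOC 6425 lab. Run elevated on NYC-DC1.
$target = 'E:'

# On-demand system state backup (AD DS database, SYSVOL, registry, boot files).
wbadmin start systemstatebackup -backupTarget:$target -quiet

# wbadmin prints one 'Version identifier: MM/DD/YYYY-HH:MM' line per backup, oldest first.
function Get-LatestSystemStateVersion([string]$BackupTarget) {
    $ids = @()
    foreach ($line in (wbadmin get versions -backupTarget:$BackupTarget)) {
        if ($line -match 'Version identifier:\s*(\S+)') { $ids += $Matches[1] }
    }
    if ($ids.Count -eq 0) { throw "no backups found on $BackupTarget" }
    $ids[-1]
}
$version = Get-LatestSystemStateVersion $target
"Latest system state backup: $version"

# Authoritative restore of one deleted object (in DSRM):
#   wbadmin start systemstaterecovery -version:$version -backupTarget:E: -quiet
#   ntdsutil "activate instance ntds" "authoritative restore" `
#       "restore object CN=Axel Delgado,OU=ITAdmins,DC=WoodgroveBank,DC=com" quit quit
# then reboot normally; the restored object wins replication because ntdsutil raised
# its version numbers.
```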
f Task 5: View the information for the deleted user account in the
mounted snapshot
1. Click Start, click Run, type LDP, and then click OK.
2. On the Connection menu, click Connect.
3. In Server, type localhost, in Port, type 51389, and then click OK.
4. On the Connection menu, click Bind.
5. In Bind, ensure that Bind as currently logged on user is selected, and then
click OK.
6. On the View menu, click Tree.
7. In BaseDN, type dc=woodgrovebank,dc=com and then click OK.
8. Browse to the ITAdmins OU, and then double-click CN=Axel Delgado. View
the description, physicalDeliveryOfficeName, and telephoneNumber
attributes. You now can add this attribute information to the user object in
Active Directory Users and Computers.
9. Close LDP.exe.
10. In the command prompt, stop Dsamain.exe by pressing CTRL+C.
11. Close the command prompt.
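Added example (not part of the lab text): the snapshot commands behind Task 5, then a script that reads the three attributes from the mounted snapshot on LDAP port 51389 and writes them to the restored account, instead of retyping them from LDP. Assumptions: the mount path that ntdsutil prints is substituted for the placeholder, the account DN is the lab's, and the restored object already exists in the live directory.

```powershell
# Added example, not from the MOC 6425 lab.
# Create, mount and expose the snapshot; ntdsutil prints the mount path, which goes
# in place of <mount point> on the dsamain line:
#   ntdsutil snapshot "activate instance ntds" create quit quit
#   ntdsutil snapshot "list all" "mount 1" quit quit
#   dsamain -dbpath "<mount point>\Windows\NTDS\ntds.dit" -ldapport 51389
$snapPort = 51389
$dn       = 'CN=Axel Delgado,OU=ITAdmins,DC=WoodgroveBank,DC=com'
$attrs    = 'description', 'physicalDeliveryOfficeName', 'telephoneNumber'

$snapshot = New-Object DirectoryServices.DirectoryEntry("LDAP://localhost:$snapPort/$dn")
$live     = New-Object DirectoryServices.DirectoryEntry("LDAP://$dn")

function Copy-AttributesFromSnapshot {
    foreach ($a in $attrs) {
        $value = $snapshot.Properties[$a].Value
        if ($null -eq $value) { "$a is empty in the snapshot"; continue }
        $live.Properties[$a].Value = $value
        "$a <- $value"
    }
    $live.CommitChanges()
}
Copy-AttributesFromSnapshot

# Clean up: the snapshot is a complete copy of the directory, password hashes included.
#   (Ctrl+C in the dsamain window)
#   ntdsutil snapshot "unmount 1" "delete 1" quit quit
```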
L9-98 Module 9: Implementing an Active Directory Domain Services Maintenance Plan
Result: At the end of this exercise, you will have restored a deleted user account and
viewed the restored user properties by using the AD DS data mining tool.
Lab: Troubleshooting AD, DNS and Replication Issues L10-99
15. In the Computer Name/Domain Changes dialog box, click Domain, type
WoodgroveBank.com in the Domain field, and then click OK.
16. In the Computer Name/Domain Changes dialog box, type Administrator as
the user name and Pa$$w0rd as the password, and then click OK twice.
17. In the Computer Name/Domain Changes dialog box, click OK twice, and
then click Close.
18. In the Microsoft Windows message, click Restart Now.
19. After the computer restarts, attempt to log on to NYC-CL1 as Chris using the
password Pa$$w0rd.
Question: Was the logon successful?
Answer: Yes.
20. Log off NYC-CL1.
Trouble Ticket #2: A Help Desk staff member named Markus Breyer has been
given the task to add new hires to the NYC BranchManagers organizational unit in
the Woodgrovebank.com domain. Markus is a HelpDesk global group member. All
members of the HelpDesk group should be able to manage user accounts from
client workstations by using Remote Desktop. Yet when Markus attempts to add
new hires, he is unsuccessful. The matter has been escalated to you.
1. Log on to NYC-CL1 as Markus, using the password Pa$$w0rd.
2. Click Start, click All Programs, click Accessories, and then click Remote
Desktop Connection.
3. In the Remote Desktop Connection box, type NYC-DC1, and click Connect.
Question: Were you successful in connecting to the remote computer? What,
if any, error messages did you receive?
Answer: No. The error message indicates that the computer cannot connect to the
remote computer.
Question: What do you think is the problem?
Answer: We need to ensure that Remote Desktop is enabled on NYC-DC1.
4. On NYC-DC1, open Server Manager.
5. In the Computer Information section, click Configure Remote Desktop.
L10-102 Module 10: Troubleshooting AD DS, DNS, and Replication Issues
6. In the System Properties dialog box, click Allow connections only from
computers running Remote Desktop with Network Level Authentication
(more secure).
7. In the Remote Desktop dialog box, click OK.
8. Click Select Users. In the Remote Desktop Users dialog box, click Add, type
HelpDesk, and then click OK three times.
9. On NYC-CL1, in the Remote Desktop Connection dialog box, click Connect.
10. In the Windows Security dialog box, type WoodgroveBank\Markus as the
user name and Pa$$w0rd as the password, and then click OK.
Question: Were you successful? What, if any, error messages did you receive?
Answer: No. The error message says that the user has not been granted the
right to log on through Terminal Services.
Question: How will you attempt to resolve this problem?
Answer: We must grant the HelpDesk group the right to log on through Terminal
Services on NYC-DC1.
11. Close the Remote Desktop window.
12. On NYC-DC1, click Start, click Administrative Tools, and then click Group
Policy Management.
13. Expand Forest:WoodgroveBank.com, expand Domains, expand
WoodgroveBank.com, click Group Policy Objects, right-click Default
Domain Controllers Policy, and then click Edit.
14. Expand Computer Configuration, expand Policies, expand Windows
Settings, expand Security Settings, expand Local Policies, and then click
User Rights Assignment.
15. Double-click the Allow log on through Terminal Services Properties, select
the Define these policy settings check box, and then click Add User or
Group.
16. Type HelpDesk, and then click OK twice.
17. Open a command prompt, type gpupdate /force, and then press ENTER.
18. On NYC-CL1, in the Remote Desktop Connection dialog box, click Connect.
Result: At the end of this exercise you will have resolved two trouble tickets with
authentication and authorization issues.
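Added example (not part of the lab text): a check of who actually holds the Allow log on through Terminal Services right on a machine, exported with secedit and translated from SIDs to names. It explains the ticket: on a domain controller the right is defined by the Default Domain Controllers Policy, so adding HelpDesk to Remote Desktop Users in step 8 changes nothing until the policy itself lists the group. Note that the fix in steps 12 to 17 grants Help Desk staff interactive logon to every domain controller; the note earlier in this module already states the better practice, which is to install the administration tools on a workstation instead. Assumptions: run elevated on the machine being checked; the export path is constructed.

```powershell
# Added example, not from the MOC 6425 lab.
function Get-RemoteInteractiveLogonRight {
    $cfg = Join-Path $env:TEMP 'userrights.inf'            # constructed path
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    # The export lists SIDs prefixed with '*', e.g. SeRemoteInteractiveLogonRight = *S-1-5-32-544
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=\s*(.*)$' }
    if (-not $line) { return @() }
    foreach ($entry in ($line -replace '^.*=\s*', '') -split ',') {
        $entry = $entry.Trim()
        if ($entry -like '*S-1-*') {
            try {
                (New-Object Security.Principal.SecurityIdentifier($entry.TrimStart('*'))).
                    Translate([Security.Principal.NTAccount]).Value
            } catch { $entry }                               # unresolvable SID: show it raw
        } else { $entry }
    }
}
"Allow log on through Terminal Services on $env:COMPUTERNAME:"
Get-RemoteInteractiveLogonRight
```

Run it before and after gpupdate /force in step 17: before, only Administrators (S-1-5-32-544) is listed, which is why Markus is refused even though Remote Desktop Users (S-1-5-32-555) contains HelpDesk; after, WOODGROVEBANK\HelpDesk appears.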
11. Type WoodgroveBank.com, and then press ENTER. Verify that no results are
returned.
Question: What steps will you take to resolve this issue?
Answer: Make sure there is basic connectivity between the two domain
controllers. On NYC-DC1, verify that the DNS service is running, and check to
see if the zone has replicated. Determine what types of zones are running on
both DNS servers. Ensure that NYC-DC1 is permitting zone transfers to NYC-
DC2, and that the zone transfers successfully.
12. On NYC-DC2, click Start, point to Administrative Tools, and then click
Services.
13. In the Services console, ensure that the DNS service is Started.
14. Start the DNS management console from Administrative Tools.
15. Expand Forward Lookup Zones, and then click WoodgroveBank.com.
Question: What error do you get?
Answer: Zone not loaded by DNS Server.
16. Expand NYC-DC2, expand Forward Lookup Zones, right-click
WoodgroveBank.com, and then click Properties.
Question: What type of zone is WoodgroveBank.com? Verify the zone
settings.
Answer: WoodgroveBank.com is a secondary zone, configured to use
10.10.0.10 as the master server.
17. On NYC-DC1, start the DNS management console from the Administrative
Tools.
18. Expand NYC-DC1, expand Forward Lookup Zones, right-click
WoodgroveBank.com, and then click Properties.
Question: What type of zone is WoodgroveBank.com?
Answer: WoodgroveBank.com is a primary zone.
19. On the Zone Transfers tab, select the Allow zone transfers check box.
20. Click To any server, and then click OK.
21. Repeat the previous steps to enable zone transfers for the
_msdcs.woodgrovebank.com zone.
Note: If the zone is not transferred immediately, wait one minute, and then press
F5 again.
Result: At the end of this exercise you will have resolved a trouble ticket with DNS
integration and AD DS issues.
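Step 20 allows zone transfers To any server, which gets replication going but also lets any host that can reach UDP/TCP 53 on NYC-DC1 download the whole zone, including the _msdcs records that describe the domain controllers. The script below is an added example written for this page (not lab content): it uses dnscmd, which ships with the DNS Server role, to show the current transfer setting for both primary zones and then limits transfers to the secondary's address. The server and zone names are from the lab; the address 10.10.0.11 for NYC-DC2 is the one the lab uses in a later exercise, and the meaning of the "secure secs" values is taken from the DNS server's zone settings (0 = any server, 1 = name servers only, 2 = listed servers only, 3 = no transfers).

```powershell
# Added example, not part of the 6425A lab: review and tighten zone transfers
# on the primary zones that NYC-DC2 pulls from NYC-DC1.
$primary     = 'NYC-DC1'
$secondaryIP = '10.10.0.11'        # NYC-DC2 (address used later in the lab)
$zones       = 'WoodgroveBank.com', '_msdcs.woodgrovebank.com'

function Show-ZoneTransferSetting([string]$Server, [string]$Zone) {
    # dnscmd /ZoneInfo prints "name = value" lines; the lines that mention
    # "secure" carry the transfer policy, "update" the dynamic-update policy
    $out = & dnscmd.exe $Server /ZoneInfo $Zone 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "$Zone on $Server : $out"; return }
    $out | Where-Object { $_ -match 'zone type|secure|update' } |
        ForEach-Object { "  $_" }
}

foreach ($z in $zones) {
    "== $z on $primary (before) =="
    Show-ZoneTransferSetting $primary $z

    # replace "To any server" with transfers to the listed secondary only
    & dnscmd.exe $primary /ZoneResetSecondaries $z /SecureList $secondaryIP | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not reset secondaries for $z" }

    "== $z on $primary (after) =="
    Show-ZoneTransferSetting $primary $z
}
```

After running it, repeat the lab's check on NYC-DC2 (refresh the secondary zone, or press F5 as the note says) to confirm the transfer still succeeds from the listed address.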
L10-108 Module 10: Troubleshooting AD DS, DNS, and Replication Issues
9. In the command prompt, type ping NYC-DC1, and then press ENTER.
Question: Was the ping successful?
Answer: Yes.
10. In the command prompt, type ping NYC-DC2, and then press ENTER.
Question: Was the ping successful?
Answer: Yes, but the ping used the IPv6 address.
11. In the command prompt, type NSLookup, and then press ENTER.
12. Type server 10.10.0.10, and then press ENTER.
13. Type NYC-DC2.Woodgrovebank.com, and then press ENTER. Verify that the
NYC-DC2 address is listed as 10.11.0.11. Type Exit and press ENTER.
14. On NYC-DC1, open DNS Manager, and then delete the record for NYC-DC2
in the WoodgroveBank.com domain.
15. Right-click WoodgroveBank.com, and then click Properties.
16. In the Dynamic updates field, click Nonsecure and secure, and then click
OK.
17. On NYC-DC2, in the command prompt, type Ipconfig /registerdns, and then
press ENTER.
18. Type net stop netlogon & net start netlogon, and then press ENTER.
19. On NYC-DC1, in DNS Manager, refresh the view, and then verify that the
NYC-DC2 record has been added with an IP address of 10.10.0.11.
20. On NYC-DC1, in the command prompt, type dnscmd /clearcache, and then
press ENTER.
21. In the command prompt, type IPConfig /flushdns, and then press ENTER.
22. Open Active Directory Sites and Services. Expand Sites, expand
Default-First-Site-Name, expand Servers, expand NYC-DC2, and then click NTDS Settings.
23. Right-click the connection object with NYC-DC1, and then click Replicate
Now.
Question: Was the replication successful? What error message did you
receive?
Answer: Yes, the replication was successful. No error message was received.
24. On NYC-DC2, in Active Directory Users and Computers, under NYC, in the
Branch Managers OU, verify that the test user account you created in Exercise
1 is now displayed.
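Step 16 switches the zone to Nonsecure and secure dynamic updates so that NYC-DC2 can re-register its host record. That setting also lets any unauthenticated client on the network add or overwrite records, so once the registration in step 19 has succeeded the zone should go back to secure-only updates. The following PowerShell script is an added example written for this page, not part of the lab: it queries the A record the same way nslookup does in steps 11 to 13, compares it with the expected address, and on success sets the zone back with dnscmd /Config /AllowUpdate (0 = none, 1 = nonsecure and secure, 2 = secure only). Server, zone and addresses are the lab's values; the function names are this example's own.

```powershell
# Added example, not from the 6425A lab: confirm NYC-DC2's re-registered A record
# and restore secure-only dynamic updates on the zone.
$dnsServer = '10.10.0.10'       # NYC-DC1
$zone      = 'WoodgroveBank.com'
$dcName    = 'NYC-DC2'
$expected  = '10.10.0.11'       # correct NYC-DC2 address (lab step 19)

function Get-ARecord([string]$Server, [string]$Fqdn) {
    # non-interactive nslookup: the answer section starts at "Name:" and is
    # followed by one or more "Address:" / "Addresses:" lines
    $out = & nslookup.exe -type=A $Fqdn $Server 2>$null
    $inAnswer = $false
    foreach ($l in $out) {
        if ($l -match '^Name:') { $inAnswer = $true; continue }
        if ($inAnswer -and $l -match '^Address(es)?:\s*(\S+)') { return $matches[2] }
    }
    return $null   # no answer (e.g. "Non-existent domain")
}

$addr = Get-ARecord $dnsServer "$dcName.$zone"
if ($addr -eq $expected) {
    "$dcName resolves to $addr on $dnsServer - registration OK"
    # secure-only updates require an Active Directory-integrated zone;
    # dnscmd returns a non-zero exit code if the zone is a standard primary
    & dnscmd.exe $dnsServer /Config $zone /AllowUpdate 2 | Out-Null
    if ($LASTEXITCODE -eq 0) {
        "Zone $zone set back to secure-only dynamic updates"
    } else {
        Write-Warning "Could not set secure-only updates on $zone (is the zone AD-integrated?)"
    }
} else {
    Write-Warning ("{0} resolves to '{1}' (expected {2}); leave the zone as is and " +
                   "re-run ipconfig /registerdns on {0}") -f $dcName, $addr, $expected
}
```

Run it on NYC-DC1 after step 19. If the first run reports a stale address, clear the server cache and the client resolver cache as in steps 20 and 21 before trying again.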
Trouble Ticket #5: The Help Desk has noticed that when some users in the
Woodgrovebank.com New York branch log on, they are not getting the expected
automatic drive mappings. All users should get a drive mapping that maps the H:
drive to \\NYC-DC1\data. The Help Desk has confirmed that the Group Policy
Object is configured correctly. The logon script is called MapDataDir.bat, and is
supposed to be located in the Netlogon share.
Question: What do you think might be the problem(s)?
Answer: If the policy is configured correctly, then perhaps the policy or the script
is not being replicated properly between the domain controllers. Because
replication is working properly between NYC-DC1 and NYC-DC2, we should verify
that the logon script is being replicated between the domain controllers.
Question: What troubleshooting step(s) will you take to resolve the problem(s)?
Answer: Check the Netlogon shares on both NYC-DC1 and NYC-DC2 to see whether
the MapDataDir.bat file is located in both locations. If not, then we will need to
determine why replication is failing. Start by making sure the FRS and DFSR
services are running on both domain controllers in the Services applet of Control
Panel. If they are, then we will need to troubleshoot network issues between the
two domain controllers.
1. On NYC-DC1, open Windows Explorer, and then browse to
C:\Windows\SYSVOL\sysvol\WoodgroveBank.com\Scripts. Confirm that
the MapDataDir.bat file is located in the folder.
2. Click Start, click Search, and then in the search box, type
\\NYC-DC2\Netlogon, and then press ENTER.
Question: Is the MapDataDir.bat file in the folder?
Answer: No, it is not.
Note: If the file does not appear in the folder, wait one minute and refresh the
view. If it still does not appear, restart the File Replication Service on NYC-DC2.
Question: What was the actual problem(s), and how did you resolve it?
Answer: The File Replication Service and the DFS Replication Service on
NYC-DC2 were shut down. The Windows Firewall on NYC-DC1 was also blocking
file replication traffic.
Result: At the end of this exercise you will have resolved a trouble ticket with AD DS
replication issues.
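The checks in this trouble ticket (is the script in every DC's Netlogon share, are the replication services running) are easy to script so that they can be repeated for every domain controller rather than clicked through one at a time. The PowerShell below is an added example written for this page, not part of the lab: it tests each DC's Netlogon share for MapDataDir.bat, reads the state of the NtFrs (File Replication Service) and DFSR (DFS Replication) services remotely, and pulls the latest entries from the File Replication Service event log, where a stalled SYSVOL replication is normally reported. DC names and the script name are the lab's; the function name is this example's own.

```powershell
# Added example, not from the 6425A lab: verify that a logon script has
# replicated to every DC's Netlogon share and that FRS/DFSR are running.
$dcs        = 'NYC-DC1', 'NYC-DC2'
$scriptName = 'MapDataDir.bat'

function Test-NetlogonScript {
    param([string[]]$DomainControllers, [string]$ScriptName)
    $results = @()
    foreach ($dc in $DomainControllers) {
        $present  = Test-Path "\\$dc\Netlogon\$ScriptName"
        # NtFrs = File Replication Service, DFSR = DFS Replication
        $services = Get-Service -ComputerName $dc -Name NtFrs, DFSR -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.Name)=$($_.Status)" }
        # recent FRS log entries usually explain why SYSVOL is not replicating
        $frs = Get-EventLog -LogName 'File Replication Service' -ComputerName $dc `
                            -Newest 3 -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.TimeGenerated.ToString('s')) id=$($_.EventID)" }
        $results += New-Object PSObject -Property @{
            DC         = $dc
            ScriptSeen = $present
            Services   = ($services -join ', ')
            FrsEvents  = ($frs -join '; ')
        }
    }
    return $results
}

$r = Test-NetlogonScript $dcs $scriptName
$r | Format-Table DC, ScriptSeen, Services -AutoSize
$r | ForEach-Object { "$($_.DC) FRS log: $($_.FrsEvents)" }

$missing = @($r | Where-Object { -not $_.ScriptSeen })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} is missing on: {1}. Check that NtFrs/DFSR show Running on every DC " +
                   "and that the firewall on the source DC allows replication traffic." -f
                   $scriptName, (($missing | ForEach-Object { $_.DC }) -join ', '))
}
```

Run it as a domain administrator from either DC; the remote service and event log queries need RPC access to the other domain controller, so a firewall that blocks replication will usually make those queries fail as well, which is itself a useful hint.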
Lab: Troubleshooting Group Policy Issues L11-113
8. In the Important URLs dialog box, select the check box to Customize Home
page URL, type http://WoodgroveBank.com, and then click OK.
9. Expand Administrative Templates, click Start Menu and Taskbar,
double-click Force classic Start Menu, click Enabled, and then click OK.
10. Close the Group Policy Management Editor.
Note: Two logons are required to see the group policy settings because
Administrator is logging on with cached credentials.
2. Click the Start menu, and ensure you see the classic Start menu.
3. Double-click Internet Explorer, and then click the red X to stop the
connection attempt to the default startup page. Click the home symbol on the
toolbar, and ensure that http://WoodgroveBank.com is the home page.
Note: If time permits, you can view the Group Policy operational log as
Administrator on NYC-CL1. If you filter the view to show events that Roya generates,
you will see that the log does not record any errors or warnings for this user. This
is because the GPO only sets a registry value that defines the location of the scripts
folder. Group Policy does not know whether the user has access to that location; the
write to the registry was successful, so the Group Policy log reports no errors.
You would have to audit Object Access for the scripts folder to determine access
issues.
Note: Another way to resolve the issue would be to move the script to the Netlogon
share.
Result: At the end of this exercise, you will have resolved a Group Policy scripts
issue.
9. In the left pane, right-click the Group Policy Results query Roya on NYC-CL1,
and then click Rerun Query.
10. In the User Configuration Summary section, click Group Policy Objects, and
then click Applied GPOs.
11. Click Denied GPOs.
Result: At the end of this exercise you will have resolved a Group Policy Object issue.
Result: At the end of this exercise you will have resolved a Group Policy object issue.
Task 2: Copy the Unattend file and change the name of NYC-SRV2 to
NYC-DC3
1. On NYC-SRV2, at the command prompt, type
copy \\10.10.0.10\D$\6425\Mod12\Labfiles\NYC-Rodc.txt C:\ and then press
ENTER.
2. Type Netdom renamecomputer %computername% /newname:NYC-DC3
/force /reboot:5, and then press ENTER. The computer will automatically
reboot after 5 seconds.
3. After the server reboots, log on as Administrator with a password of
Pa$$w0rd.
L12-124 Module 12: Implementing an Active Directory Domain Services Infrastructure
Task 4: Create the NYC-Branch-Office site and rename the Default site
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active
Directory Sites and Services.
2. Expand Sites, right-click Sites, and then click New Site.
3. In the New Object – Site dialog box, type NYC-Branch-Office in the Name
field. Select the DefaultIPSiteLink, and then click OK. Click OK again to
acknowledge the message.
4. Right-click the Default-First-Site-Name, and then click Rename.
5. Type NYC-Head-Office, and then press ENTER.
Task 5: Create subnet objects for the NYC head office and branch
office
1. Right-click Subnets, and then click New Subnet.
2. In the New Object – Subnet dialog box, in the Prefix text field, type
10.10.0.0/16, select the NYC-Head-Office site, and then click OK.
3. Right-click Subnets, and then click New Subnet.
4. In the New Object – Subnet dialog box, in the Prefix text field, type
10.30.0.0/16, select the NYC-Branch-Office site, and then click OK.
Lab A: Deploying Active Directory Domain Services L12-125
5. In the New Object – Group dialog box, type BranchUsersGG. Verify that you
are creating a global security group, and then click OK.
6. Press the CTRL key, and then click to select both the Branch Manager and the
Branch User accounts.
7. Right-click the selected accounts, and then click Add to a group.
8. In the Select Groups dialog box, type BranchUsersGG, and then click OK
twice.
7. On the Additional Domain Controller Options page, accept the defaults, and
then click Next.
8. On the Specify the Password Replication Policy page, click Add, click Allow
passwords for the account to replicate to this RODC, and then click OK.
9. Type BranchUsersGG, click OK, and then click Next.
10. On the Delegation of RODC Installation and Administration page, click Set. In
the Select User or Group dialog box, type BranchManager, click OK, and
then click Next.
11. On the Summary page, review your selections, click Next, and then click
Finish to create the RODC account. Notice that the NYC-DC3 computer account
is listed in Active Directory, but the DC type is Unoccupied DC Account.
Note: If you receive an error message when you log on, wait one minute and try
to log on again.
3. On NYC-DC1, refresh the view of the Domain Controllers OU. Notice the DC
Type for NYC-DC3 is now set to Read-only, DC.
4. Open Active Directory Sites and Services, and then examine the
NYC-Branch-Office site. Notice that NYC-DC3 is now listed in the Servers container.
5. Open the DNS Manager, right-click DNS, and then click Connect to DNS
Server.
6. In the Connect to DNS Server dialog box, click The following server, type
NYC-DC3 in the field, and then click OK.
Note: If the server is unavailable, wait a few moments and try again.
Result: At the end of this exercise you will have created an RODC on a Server Core
computer.
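Steps 8 and 9 above put BranchUsersGG on the RODC's Password Replication Policy allow list. Because an RODC in a branch office is exactly the server most likely to be lost or stolen, the accounts whose secrets it has cached are the ones at risk, so a practitioner would want to review the policy and the cached set after the RODC is up. The PowerShell below is an added example written for this page, not part of the lab: it wraps repadmin /prp view, which lists the allow, deny and reveal (actually cached) entries of an RODC, and warns if a privileged account shows up as cached. The RODC name is the lab's; the function name and the list of accounts treated as privileged are this example's own.

```powershell
# Added example, not from the 6425A lab: audit the Password Replication Policy
# of the new RODC and the accounts whose secrets it has already cached.
$rodc = 'NYC-DC3'

function Get-PrpList([string]$Rodc, [string]$List) {
    # repadmin /prp view <RODC> {allow|deny|auth2|reveal}
    $out = & repadmin.exe /prp view $Rodc $List 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin /prp view $Rodc $List failed: $out"; return @() }
    # keep only the distinguished-name lines, skipping headers and blank lines
    $out | Where-Object { $_ -match '^\s*CN=' } | ForEach-Object { $_.Trim() }
}

foreach ($l in 'allow', 'deny', 'reveal') {
    "== $l list on $rodc =="
    $entries = @(Get-PrpList $rodc $l)
    if ($entries.Count -eq 0) { "  (none)" }
    else { $entries | ForEach-Object { "  $_" } }
}

# confirm the lab's group made it onto the allow list
$allow = @(Get-PrpList $rodc 'allow')
if (-not ($allow | Where-Object { $_ -match '^CN=BranchUsersGG,' })) {
    Write-Warning "BranchUsersGG is not on the allow list of $rodc"
}

# accounts that should never be cached on a branch RODC (example set, adjust to taste)
$reveal = @(Get-PrpList $rodc 'reveal')
$priv = $reveal | Where-Object { $_ -match '^CN=(Administrator|krbtgt),|OU=Domain Controllers,' }
if ($priv) { Write-Warning "Privileged secrets cached on $rodc : $($priv -join '; ')" }
```

The reveal list is empty until branch users have actually authenticated through NYC-DC3; re-run the script after the first logons to see what has been cached. If the RODC is ever compromised, that list is the set of accounts whose passwords must be reset.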
5. On the Forward or Reverse Lookup Zone page, ensure that Forward lookup
zone is selected, and then click Next.
6. On the Zone Name page, type WoodgroveBank.com, and then click Next.
7. On the Master DNS Servers page, type 10.10.0.10, press ENTER, click Next,
and then click Finish.
8. Expand Forward Lookup Zones, and then click WoodgroveBank.com. Wait
for the zone transfer to finish. You will have to refresh the console to see the
changes.
9. Expand the Global Logs, and then click DNS Events. Examine the events that
describe the zone transfer.
Question: What version of the WoodgroveBank.com zone was transferred?
Answer: Answers will vary.
10. Close the DNS Manager.
Note: This message refers to the IPv6 interface, which has a dynamically assigned
address.
Task 11: Close NYC-SRV1 and NYC-DC2 and discard undo disks
1. Close the 6425A-NYC-SRV1 Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
Result: At the end of this exercise you will have created a domain and a site.
Lab B: Configuring Forest Trust Relationships L12-135
17. Right-click Forward Lookup Zones, and then click New Zone.
18. In the New Zone Wizard, click Next.
19. On the Zone Type screen, click Stub Zone, and then click Next.
20. On the Active Directory Zone Replication Scope screen, click Next.
21. On the Zone Name screen, type WoodgroveBank.com, and then click Next.
22. On the Master DNS Servers screen, type 10.10.0.10, click Add, click Next,
and then click Finish.
23. Click WoodgroveBank.com. It may take a few moments for the zone transfer
to occur. You will have to refresh the console to see the changes.
24. Close the DNS Manager.
Result: At the end of this exercise you will have upgraded the Fabrikam domain and
created a forest trust with Woodgrove Bank.
Lab C: Designing a Group Policy Strategy L12-141
OU structure for WoodgroveBank.com (from the lab's diagram): Executives, IT Admins, Miami, NYC, Toronto, Member Servers, Web Servers, SQL Servers.
Task 3: Create and link the Force Offline File Encryption GPO
1. Right-click Executives OU, and then click Create a GPO in this domain, and
Link it here.
2. In the New GPO dialog box, type Force Offline File Encryption in the Name
field, and then click OK.
3. Right-click the Force Offline File Encryption GPO, and then click Edit.
4. Expand Computer Configuration, expand Policies, expand Administrative
Templates, expand Network, and then click Offline Files.
5. In the detail pane, double-click Encrypt the Offline Files cache.
6. In the Encrypt the Offline Files cache Properties dialog box, click Enabled,
and then click OK.
7. Close the Group Policy Management Editor.