0789737914_Tearcard.
qxd 8/14/08 4:34 PM Page 1
The 70-640 Cram Sheet
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
This Cram Sheet contains the distilled, key facts about Exam 70-640, “TS: Windows Server 2008
Active Directory, Configuring.” Review this information as the last thing you do before you enter
the testing center, paying special attention to those areas where you feel that you need the most
review. A good exam strategy is to transfer all the facts you can recall from this tool onto the
plastic sheet provided when you sit down for the exam.
CONFIGURING DOMAIN NAME SYSTEM (DNS)
FOR ACTIVE DIRECTORY
1. The Internet namespace is divided into discrete
portions called zones. Each DNS server that is
responsible for a zone is considered to be
authoritative for that zone.
2. When you install Active Directory Domain Services
(AD DS) on a Windows Server 2008 computer,
DNS is automatically installed with an Active
Directory–integrated zone for the domain you’re
creating.
3. An Active Directory–integrated zone stores its zone
data in an application directory partition that is
replicated to other DNS servers as part of AD DS
replication.
4. The following zone types are available:
. Primary—A master copy of zone data
stored on an authoritative DNS server
. Secondary—An additional copy of DNS
zone data obtained from the primary
DNS server, used for redundancy and
load-balancing purposes
. Stub—Source information about authorita-
tive names servers in its zone only
5. A forward lookup zone contains information that
resolves a fully qualified domain name (FQDN) to
its corresponding IP address, and a reverse lookup
zone resolves an IP address to its corresponding
FQDN.
6. Dynamic DNS (DDNS) enables automatic updating
of DNS zone data whenever client computers
update their TCP/IP information. Secure dynamic
DNS (SDDNS) enables updates from only authorized
client computers in an Active Directory–integrated
zone.
7. Forwarding refers to the relaying of DNS requests
from one server to another one, when the
first server is unable to process the request.
A conditional forwarder handles requests for
specified domains only.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
CONFIGURING THE ACTIVE DIRECTORY
INFRASTRUCTURE
8. Zone delegation involves the delegation of zone
management to other locations or workgroups and
involves creating delegation records that point to
the authoritative DNS servers.
9. Scavenging is the process of removing old
resource records related to computers that have
been removed from the network. DNS permits you
to enable the automatic scavenging of stale
records that are older than a specified period
(7 days by default).
10. The Dnscmd.exe utility enables you to perform
most of the DNS administrative tasks from the
command line. It is useful for scripting purposes
or on Server Core computers.
11. The zone replication scope refers to the subset of
DNS servers that participate in replicating the
zone. You must modify this scope if Windows 2000
DNS servers are present on your network.
12. Two types of zone transfer are available: Full zone
transfer (AXFR) replicates all zone data, and incre-
mental zone transfer (IXFR) replicates only the
modified portion of each zone file. You can modify
the scope of zone transfers from the Zone
Transfers tab of a zone’s Properties dialog box.
13. Application directory partitions contain application-
specific data that is replicated to a specific set of
domain controllers in one or more domains of the
forest. DNS uses the ForestDnsZones and
DomainDnsZones application directory partitions
to hold forestwide and domainwide DNS data,
respectively.
14. DNS supports a series of debug logging options
that log the contents of packets sent to and from
the DNS server. DNS also supports several levels
of event logging, which writes information to the
DNS log that you can then view from Event Viewer.
15. Before installing AD DS, your server must meet the
following requirements:
. It must be running the Standard, Enterprise,
or Datacenter edition of Windows Server
2008. The Web Server edition does not
support AD DS.
. It must have at least 500MB of disk space
for the database and SYSVOL folder, plus at
least 100MB for the transaction log files.
. It must have a disk volume formatted with
the NTFS file system.
. A DNS server must be available. The installa-
tion wizard will offer to install a DNS server
if one is not available.
. You must be logged on with an administra-
tive user account.
16. The Add Roles Wizard in Server Manager enables
you to install AD DS on your server. This installs the
software needed to run AD DS but does not install
a domain.
17. Running dcpromo will do the following:
. Install AD DS if you have not already done so
from the Add Roles Wizard.
. Create a domain controller for a new domain.
. Create a new domain tree or join an existing
domain as a child domain.
. Create a new forest of domain trees or join
an existing forest.
. Enable you to specify an answer file that
includes a series of options for unattended
installation of AD DS if you add the /answer
switch.
. Enable advanced user options including the
installation of a domain controller from
backup files if you add the /adv switch
(dcpromo /adv).
18. An alternative user principal name (UPN) suffix
enables users to log on with a logon name
specified in the format of an email address (such
as user@domain.com). Use Active Directory
Domains and Trusts to create an alternate UPN
suffix.
19. Domains and forests in Windows Server 2008
support three functional levels according to the
functionality supported by previous Windows
Server versions:
. Windows 2000—Supports domain
controllers running Windows 2000, Windows
Server 2003, and Windows Server 2008
. Windows Server 2003 native—Supports
domain controllers running Windows Server
2003 and Windows Server 2008
. Windows Server 2008 native—Supports
domain controllers running Windows Server
2008 only
20. When upgrading a forest and domain to Windows
Server 2008, you must run the Adprep
/forestprep command on the schema master
and then run the Adprep /domainprep
command on the infrastructure master of each
domain where you want to introduce a Windows
Server 2008 domain controller.
21. The types of trusts available in Windows Server
2008 are Transitive, Forest, External, Realm, and
Shortcut.
22. Domains map the logical structure of your organi-
zation, whereas sites relate to the physical layout
of the network. The domain namespace is likewise
unrelated to the physical sites.
23. Because of the separation of physical and logical
structures, a site can support multiple domains.
24. The primary function of a site is to consolidate AD
DS requests within a high-speed connection area
and to control replication with external domain
controllers. Sites provide the following features:
. Directory services such as authentication are
provided by the closest domain controller, if
one is located within the site.
. Latency is minimized for replication within
a site.
. Bandwidth utilization for replication is
minimized between sites.
. You can schedule intersite replication
according to the network utilization.
25. Windows Server 2008 creates the first site auto-
matically when you install AD DS. This site is
named Default-First-Site-Name and includes all the
domain controllers.
26. The sites are connected by means of site links,
which are typically lower bandwidth than the LAN
speeds within the site or unreliable/occasional
connections between sites.
27. A site link bridge is a collection of site links. You
create site links and add them to the site link bridge.
28. Intersite replication uses two different protocols:
. Remote Procedure Call (RPC)—Used for
replication of all AD DS partitions across
reliable site links.
. Simple Mail Transport Protocol (SMTP)—
Used only when intersite connections are
unreliable. It replicates only the configuration
and schema partitions and only between
different domains.
29. The site link cost is a numeric parameter that
specifies which one of multiple links will be used
for intersite replication. Its default value is 100. The
total cost between two sites that are not directly
connected is equal to the sum of the costs of all
links crossed in making the connection. By default,
replication uses the available site link with the
lowest cost.
30. The bridgehead server is the domain controller that
controls intersite replication within each site. This
server should be well connected to the WAN links
to other sites. You can designate which server acts
as the bridgehead server from Active Directory
Sites and Services.
31. Global catalog (GC) servers maintain a subset of
information pertaining to all objects located in its
domain, plus summary information pertaining to
objects in other domains of the forest. The GC
server validates universal group memberships
at logon and enables users to search for
resources in other domains of the forest.
32. You can use universal group membership
caching to store a user’s universal group
information when he logs on to that domain
controller the first time. During subsequent
logons, the domain controller can then verify
the user’s universal group membership without
contacting a GC server.
33. Operations masters include five roles that can be
configured from only a single designated domain
controller. The schema master and domain
naming master are forestwide roles held on only
one server in the forest, and the primary domain
controller (PDC) emulator, relative identifier
(RID) master, and infrastructure master are
domainwide roles held on only one server in
each domain of the forest.
34. The schema master is responsible for main-
taining the only writable copy of the schema
in AD DS.
35. The domain naming master manages the addi-
tion and deletion of domains within the forest.
36. The PDC emulator processes requests for
password changes, replication, and user
authentication to clients that do not run Active
Directory client software. It also provides time
synchronization services for the domain.
37. The RID master assigns pools of RIDs to each
domain controller. The domain controllers use
these RIDs to uniquely identify each AD DS
object being created in its domain.
38. The infrastructure master updates references
in its domain from objects such as domain
group membership changes to objects in other
domains. It processes these changes and
replicates them to other domain controllers in
its domain.
39. The infrastructure master should not be placed
on a domain controller serving as a GC server.
40. An administrator must be a member of the
Schema Admins group to modify the schema.
You must use the regsvr32.dll command
to register the Schema snap-in and then install
this snap-in to its own MMC console before
you can modify the schema.
CONFIGURING ADDITIONAL ACTIVE
DIRECTORY SERVER ROLES
41. Windows Server 2008 provides a series of
server roles, which are specific functions that a
server can perform on the network, such as
Active Directory Lightweight Directory Services
(AD LDS), Active Directory Federation Services
(AD FS), Active Directory Rights Management
Services (AD RMS), and Active Directory
Certificate Services (AD CS).
42. You can install any of these roles or many other
roles included with Windows Server 2008 from
Server Manager, which provides the Add Roles
Wizard that guides you through installation and
initial configuration of these roles.
43. Introduced in Windows Server 2003 as Active
Directory Application Mode (ADAM), AD LDS
provides additional directory services for
Windows networks and applications without
the need to deploy additional domains or
domain controllers.
44. AD LDS enables you to have a series of
instances, each of which includes its own
directory service with a configuration partition,
a schema partition, and one or more applica-
tion directory partitions. AD LDS instances do
not include domain partitions.
45. You can manage an AD LDS instance using
many of the same tools used with AD DS,
including the Active Directory Services Interface
(ADSI) snap-in, the Active Directory Schema
snap-in, the Active Directory Sites and Services
snap-in, and the Ldp.exe utility.
46. AD RMS enables you to create and work with
rights-protected files and folders and to ensure
that only authorized users have access to
this data.
47. AD RMS uses a system of rights account
certificates to identify users who are granted
access to rights-protected information.
48. A read-only domain controller (RODC) contains
a read-only copy of the AD DS database and
is especially useful when the physical security
of the server might be an issue, such as in
branch offices. All replication to an RODC is
inbound only.
49. You can configure a local user with administra-
tive rights to the RODC without adding the user
to the Domain Admins group.
50. Each RODC is partnered with a writable domain
controller for password replication purposes.
The password cache enables users to log on to
an RODC without contacting a writable domain
controller. Users must contact the writable
domain controller when they log on for the first
time or when they change their password.
51. AD FS provides a single sign-on capability for
authenticating users in one forest to web-
based applications in another forest without
establishing a trust relationship. The federation
server authenticates a user in the account
partner domain to access resources in the
resource partner domain.
52. A claim is a statement made in AD FS about a
client, such as its name, identity, key, group
privilege, or capability. You can have identity
claims (UPN, email, or common name), group
claims, or custom claims.
 0789737914_Tearcard.qxd 8/14/08 4:34 PM
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
CREATING AND MAINTAINING ACTIVE
DIRECTORY OBJECTS
53. You can have three types of user accounts:
domain user accounts, which enable users to
gain access to resources in an AD DS domain;
local user accounts, which are local to the
computer where they are configured and
enable access to that computer only; and
built-in user accounts, which exist for specific
administrative tasks to ease the burden of
administration.
54. Groups are collections of user accounts
(although they can also include computers)
that ease administration. You can have security
groups, which can be used for assigning rights
and permissions to resources, or distribution
groups, which are used for distribution
purposes only.
55. Groups can have one of the following three
scopes:
. Global—Includes users, computers, and
other global groups from the same
domain.
. Domain Local—Includes users,
computers, and groups from any domain
in the forest. It provides access to
resources in the domain where they are
located.
. Universal—Includes users and groups
from any domain in the forest and
provides access to any resource in the
forest. Note that universal groups are not
required in a single domain forest.
56. You can use any of several methods to perform
bulk import of account creation:
. Csvde—Enables the import of comma-
separated (CSV) formatted data.
. Ldifde—Enables the import of data
formatted according to the LDAP Data
Interchange Format Data Exchange type.
. Dsadd—Enables you to add objects of
several types to AD DS. You can use
scripts and batch files with this tool for
automating account creation.
57. Within a single domain, Microsoft recommends
the AGDLP means of nesting groups. This
stands for placing accounts (A) into global
groups (G), placing the global groups into
domain local groups (DL), and assigning
permissions (P) to the domain local groups.
58. A multiple domain situation adds universal
groups (U), making the acronym AGUDLP.
59. Windows Server 2008 allows you to delegate
various levels of control on parts of a domain.
The Delegation of Control Wizard assists you
in delegating control to the appropriate users
or groups.
60. Group Policy is a series of configuration
settings that you can apply to objects in AD DS
and use to control the user environment in
contexts such as user desktop appearance,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Page 2
network access, folder redirection,
logon/logoff/startup/shutdown scripts, applica-
tion deployment, and security options. It is
processed in sets known as Group Policy
objects (GPOs).
61. In Windows Server 2008, Group Policy
Management Console (GPMC) is the sole loca-
tion for managing all aspects of Group Policy.
62. Group Policy is processed in the following
order: Local, Site, Domain, OU, child OU.
63. You can use either of the following two
methods for changing this default behavior:
. Enforced—Prevents policies at lower
levels from overwriting policies applied
from a higher level.
. Block Inheritance—Prevents policies
from higher up in the processing order
from being automatically applied at
lower levels. If the Enforced setting is
applied also, it takes precedence over
Block Inheritance.
64. You can filter the effects of GPO application
by denying the Read and Apply Group Policy
permissions to a user or group that should not
receive the settings contained in the GPO.
65. Windows Management Instrumentation (WMI)
filters enable an administrator to modify the
scope of a GPO according to the attributes of
destination computers.
66. Loopback processing is designed to reverse
the normal processing rules. It has two
settings:
. Replace—Replaces user-based settings
with those applied to the computer.
. Merge—Applies user-based settings
and combines them with computer-
based ones.
67. The new ADMX Central Store provides a
central location within the SYSVOL folder for
applying all administrative template-based
policy settings. It considerably reduces
the quantity of space required for GPO
maintenance, especially in large domains
with many OUs and linked GPOs.
68. A Starter GPO is a predefined set of policy
settings that cannot be linked to an AD DS
container but is used as a starting point for
creating new GPOs. It saves time when you
must create several GPOs with similar (but not
identical) settings.
69. You can use Group Policy to manage all phases
of software deployment, including installation,
patching, upgrading, and removal.
70. Group Policy allows you to assign software to
users or computers or to publish software
to users. You cannot publish software to
computers.
71. Assigned software is available on the user’s
Start menu and is installed when a user
accesses it from this location or when she
double-clicks an associated document.
72. Published software is not available on the Start
menu but is available from Control Panel Add or
Remove Programs or when the user double-clicks
an associated document.
73. You can configure many software package
deployment properties in Group Policy, including
the behavior of software upgrades.
74. When using Group Policy to remove software, you
can specify mandatory removal, which immediately
removes software from affected computers, or
optional removal, which enables users to continue
using the software but without support.
75. You can run Resultant Set of Policy (RSoP) in one
of two modes. Planning mode (Group Policy
Modeling Wizard) enables you to test potential
policy configuration changes prior to actually
making them. Logging mode (Group Policy Results
Wizard) enables you to troubleshoot the effects of
currently applied policy.
76. You can use Gpupdate to force the refresh of
Group Policy settings from any computer in the
domain.
77. Group Policy enables you to configure domain-
based account policies, including password and
account lockout policies. Windows Server 2008
provides default settings for these policies that
provide a medium level of security. Account
policies defined in Group Policy apply at the
domain level only.
78. New to Windows Server 2008 is the ability to
define fine-grained password policies, which apply
only to a selected set of users or groups. These
policies are defined not in Group Policy but in a
Password Settings Object (PSO).
79. You can use ADSI Edit to define the settings in a
PSO, and you can use Active Directory Users and
Computers to apply the PSO to the required users
or groups.
80. Windows Server 2008 enables you to audit
actions performed by users across the domain,
such as logging on and off or accessing files and
folders. You can configure auditing by using either
Group Policy or the new auditpol.exe
command-line tool.
81. To audit access to AD DS objects such as files,
folders, or printers, you must first configure the
Audit Object Access policy. Then you must specify
which objects are to be audited by configuring
the system access control list (SACL) for each
required object.
MAINTAINING THE ACTIVE DIRECTORY
ENVIRONMENT
82. Windows Server 2008 provides a new backup
application called Windows Server Backup. This
program works by backing up critical volumes.
83. Windows Server 2008 also enables you to
perform backups from the command line using
the new wbadmin utility. This utility enables you
to schedule backups and perform system state
backups.
84. You can restore data from backup by restarting the 94. You can archive the private key of specific certifi-
domain controller in Directory Services Restore cates so that you can recover it if it becomes lost.
Mode. A normal (nonauthoritative) restore is a You can configure specific users or groups as key
simple restore from backup. When you restart the recovery agents for this purpose.
server normally, AD DS replication updates the data 95. The Network Device Enrollment Service (NDES)
to the current condition. enables you to create certificates for network
85. An authoritative restore ensures that mistakenly devices such as routers or switches, which do not
deleted objects are not deleted again when have machine accounts in AD DS.
replication takes place. You use ntdsutil to
96. To enable the use of a certificate from a third-party
mark restored objects as authoritative.
CA, import these certificates into the Trusted Root
86. Windows Server 2008 allows you to stop AD DS to Certification Authorities node in an appropriate
perform actions such as offline defragmentation GPO. You can also import the certificate into the
and moving the database to another volume. user’s or computer’s Trusted Root Certification
Authorities certificate store.
87. AD DS defragmentation can occur in two modes:
. Online mode—In this mode, the server 97. AD CS provides wizards that enable you to back up
remains online while the process takes or restore its database. You can also back up AD
place. CS using the System State backup.
98. AD CS provides role-based administration, which
. Offline mode—This mode offers greater
enables you to assign predefined task-based roles
benefits, but you must take the server offline
by stopping AD DS. to different individuals. Available roles include PKI
Administrator, Certificate Manager, Backup
88. You can monitor AD DS with any of the following
Operator, Audit Manager, and Key Recovery
tools: Network Monitor, Task Manager, Event
Manager.
Viewer, Reliability and Performance Monitor, and
Windows System Resource Manager. Each of these 99. A revoked certificate is published in the Certificate
tools can perform a defined set of actions. Revocation List (CRL). AD CS in Windows Server
2008 publishes a full CRL and a delta CRL, which
CONFIGURING ACTIVE DIRECTORY is a list of certificates that have been revoked since
the last publication of a full CRL. Delta CRLs enable
CERTIFICATE SERVICES
you to publish CRL information more frequently
89. Windows Server 2008 provides two types of
with less replication traffic.
certification authorities (CAs):
100. The online responder role service is an alternative
. Enterprise CA—Integrated with AD DS;
to publishing CRLs. It provides signed responses
stores its database in Active Directory
to clients requesting certificate revocation
. Standalone CA—Stores its database information.
separately from Active Directory
90. You can have a two- or three-tier PKI hierarchy
composed of a root CA, an intermediate CA (three-
tier hierarchy only), plus one or more issuing CAs.
Only one root CA exists in any hierarchy.
91. Windows Server 2008 supports the following three
types of certificate templates:
. Version 1—This type is read-only and
supported by computers running Windows
2000 and later.
. Version 2—This type is editable and
supports autoenrollment. It is supported by
computers running Windows XP, Windows
Server 2003, and later.
. Version 3—This type supports new features
such as Cryptography API:Next Generation.
It is supported only by computers running
Windows Vista and Windows Server 2008.
92. Only versions 2 and 3 certificate templates
support autoenrollment and require that users have
the Read, Enroll, and Autoenroll permissions to
autoenroll certificates.
93. When you duplicate a certificate template, you
have the option of creating the duplicate as a
version 2 or 3 template.