
ITT TECHNICAL INSTITUTE

NT1330

Client-Server Networking II

Onsite Course

INSTRUCTOR GUIDE

-1- 08/06/2013


Client-Server Networking II INSTRUCTOR GUIDE

Course Revision Table

Change Date: 10/08/2011
Updated Section: All
Change Description: New curriculum
Implementation Quarter: December 2011

Change Date: 08/06/2013
Updated Section: Page 9: Course-specific Lab Setup
Change Description: Added explicit instructions on how to perform "keyless" installation and how to perform "re-arm" procedures to extend the trial period for the installed Server 2008 virtual machine
Implementation Quarter: Immediately


Table of Contents

COURSE OVERVIEW..............................................................................................................................5

Course Summary.....................................................................................................................................5

Critical Considerations.............................................................................................................................5

INSTRUCTIONAL RESOURCES................................................................................................................6

Required Resources.................................................................................................................................6

Additional Resources...............................................................................................................................6

COURSE MANAGEMENT.......................................................................................................................9

Technical Requirements..........................................................................................................................9

Test Administration and Processing........................................................................................................9

Replacement of Learning Assignments.................................................................................................10

Communication and Student Support...................................................................................................10

Academic Integrity................................................................................................................................10

GRADING...........................................................................................................................................12

COURSE DELIVERY..............................................................................................................................14

Instructional Approach..........................................................................................................................14

Methodology.........................................................................................................................................14

Facilitation Strategies............................................................................................................................15

UNIT PLANS........................................................................................................................................16

Unit 1: Introduction to Networking Concepts.......................................................................................16

Unit 2: Configuring and Maintaining the DHCP and DNS Server Roles..................................................26

Unit 3: Overview of Active Directory Domain Services, Implementing Active Directory.......................38

Unit 4: Working with Active Directory Sites..........................................................................................47

Unit 5: Global Catalog and Flexible Single Master Operations (FSMO) Roles........................................55

Unit 6: Active Directory Administration................................................................................................62

Unit 7: Security Planning and Administrative Delegation......................................................69


Unit 8: Introduction to Group Policy & Configuring the User & Computer Environment Using Group Policy.....................................................................................................................................................76

Unit 9: Performing Software Installation with Group Policy and Planning a Group Policy Management and Implementation Strategy...............................................................................................................85

Unit 10: Active Directory Maintenance, Troubleshooting and Disaster Recovery.................................94


Course Overview

Course Summary

The typical network server operating system and its functions are the focus of this course. Areas of study include installation, configuration, maintenance and routine administrative tasks of the network services provided by the server in relation to its clients and other servers.

Critical Considerations

The instructor for this course should have extensive networking and teaching experience.


Instructional Resources

Required Resources

For the course textbook(s) and other required materials, review the Course Syllabus.

Additional Resources

Internal

ITT Tech Virtual Library:

http://myportal.itt-tech.edu/library/Pages/HomePage.aspx.

Faculty Collaboration Portals: http://myportal.itt-tech.edu/employee/dept/curriculum/FC/default.aspx.

Curriculum Database:

http://myportal.itt-tech.edu/faculty/cdb/Pages/default.aspx.

ITT Tech Library:

Books > Books24x7

Hannifin, D. (2008). Microsoft Windows Server 2008 R2 administrator's reference: The administrator's essential reference. Syngress Publishing.

Reimer, S., Kezema, C., Mulcare, M., Wright, B., & Microsoft Active Directory Team (2008). Windows Server 2008 Active Directory resource kit. Microsoft Press.

Rommel, F. (2008). Active Directory disaster recovery.

Shapiro, J. (2008). Windows Server 2008 bible. Hoboken, NJ: John Wiley and Sons, Inc.

Tittel, E. and Korelc, J. (2008). Windows Server 2008 for dummies. Hoboken, NJ: John Wiley and Sons, Inc.

Periodicals:

Periodicals > ProQuest

BlueCat networks; BlueCat networks sets new industry standard with five-hour on-site repair for IP address management, DNS and DHCP hardware appliances. (2011). Computers, Networks & Communications, 172.

Active directory domain migration assistance sought by commerce department. (2011, Jun 01). Targeted News Service.

Periodicals > LexisNexis Academic

Glanz, J. and Markoff, J. (December 5, 2010). Vast hacking by a China fearful of the web. The New York Times.

Brodkin, J. (2011). Microsoft: Next level of virtualization unlocks server OS, applications. Network World (Online).


External

Wiley Portal:

o Wiley Student Companion Site

Wiley offers a Student Companion Site for the course’s required texts.

For the Microsoft Official Academic Course: Exam 70-640, Students can log on to: http://bcs.wiley.com/he-bcs/Books?action=index&itemId=0470874988&bcsId=5816.

For the Microsoft Official Academic Course: Exam 70-642, Students can log on to: http://bcs.wiley.com/he-bcs/Books?action=index&itemId=0470875011&bcsId=5829.

(Note: Do not use the lab manual worksheets from these sites. Your custom worksheets are located on the Instructor Companion Site)

Wiley Instructor Companion Site (as Course Support Package)

You can access the instructor resources for this course on the John Wiley Web site. Log on to the Web site http://www.wiley.com/college/itt and click on the appropriate content areas on the left hand side of the screen. Next, click on the appropriate course number and you will be brought to the cover image of the textbook used in this course. Click the Instructor Companion Site link located under the book title and log on using the following details:

Username: [email protected]

Password: wileyitt

Periodicals:

8 security considerations for IPv6 deployment. (2011). Network World (Online).

Solid passwords, PC firewalls stop ID thieves. (2011, Jun 25). Chattanooga Times Free Press, pp. C.1.

Kaufmann, M. and Beaumont, L. (2005). Content networking: Architecture, protocols, and practice. Amsterdam, Boston: Elsevier.

Parui, U. (2010). Installing client tools on a SQL Server 2008 failover cluster. SQL Server Magazine, 12(2), 9-9.

PR, N. (2011, April 7). Facebook Launches Open Compute Project to Share Custom-Engineered, Highly Efficient Server and Data Center Technology With the World. PR Newswire US.

Saran, C. (2008). Microsoft revamps certification for Server 2008. Computer Weekly, 32. Retrieved from EBSCOhost.

Romero, D., & Molina, A. (2011). Collaborative networked organisations and customer communities: value co-creation and co-innovation in the networking era. Production Planning & Control, 22(5/6), 447-472.

NOTE: All links to Web references are subject to change without prior notice.


Course Management

Technical Requirements

Recommended Classroom Setup

In addition to the typical classroom equipment such as the whiteboard, podium, student seats, etc., the theory classroom must be equipped with the following (either stationary or mobile):

A projection system that can display images onto the wall

A computer for instructional demo purposes with the following recommended configurations:

o CPU – 1.6GHz minimum

o RAM – 2GB minimum

o Hard Drive – 20GB minimum free space

o DVD Drive

o Internet connectivity

o Current version of the most popular operating system

o Current version of the most popular Web browser

o Current version of media players required by the curriculum

o Current version of the most popular productivity software (such as Microsoft Office)

o Any other additional software required by the curriculum

Standard Computer Lab Setup

For the standard computer lab setup, refer to the requirements provided in the current Course Catalog.

Course-Specific Lab Setup

Each student must use the USB external hard drive to store the virtual machine(s) installed in this course for use in the entire course.

Installing and Re-arming Windows Server 2008

The Windows Server 2008 Evaluation Edition may be installed without activation, and it may be evaluated for 60 days. Additionally, the 60-day evaluation period may be reset (re-armed) three times. This action extends the original 60-day evaluation period by up to 180 days for a total possible evaluation time of 240 days.

How to Install Windows Server 2008 without Activating It

1. Run the Windows Server 2008 Setup program.


2. When you are prompted to enter the product key for activation, do not enter a key. Click No when Setup asks you to confirm your selection.

3. You may be prompted to select the edition of Windows Server 2008 that you want to evaluate. Select the edition you want to install.

4. When you are prompted, read the evaluation terms in the Microsoft Software License Terms, and then accept the terms.

5. When the Windows Server 2008 Setup program is finished, your initial 60-day evaluation period starts. To check the time that is left on your current evaluation period, run the slmgr.vbs script that is in the System32 folder. Use the -dli switch to run this script. The slmgr.vbs -dli command displays the number of days that are left in the current 60-day evaluation period.

How to Re-arm the Evaluation Period

When the initial 60-day evaluation period nears its end, you can run the slmgr.vbs script to reset the evaluation period. To do this, follow these steps:

1. Click Start, and then click Command Prompt.

2. Type slmgr.vbs -dli, and then press the Enter key to check the current status of your evaluation period.

3. To reset the evaluation period, type slmgr.vbs -rearm, and then press the Enter key.

4. Restart the computer.

This resets the evaluation period to 60 days.

Test Administration and Processing

Tests/examinations for the onsite courses are proctored by instructors in the classroom following the schedule at the local campus. The final examination is to be conducted in the last week of the quarter, with the first half of the class time allocated to the course review and the second half of the class time allocated to the examination. If a lab practicum is part of the final examination, the lab practicum is to be scheduled in the lab time of the last class meeting.

It is against academic integrity and a violation of institutional policy to reveal the content of the tests/examinations to students in any format prior to the actual time scheduled for the test/examination. Every instructor is required to exercise diligence in protecting all testing materials from being compromised in any form.

Grades for the course must be closed at the scheduled time mandated by the institution.

All quizzes, tests and examinations for the online courses are administered through the online learning management system (LMS) at scheduled times.

When appropriate, the Formula Sheet provided in the Assessment document must be distributed to students prior to unit-based, mid-term, or final examinations.


Replacement of Learning Assignments

Tests/Examinations – The instructor may add up to 20% of the items to the prescribed set without altering the grade weight for the category. No substitution is allowed for any of the prescribed items.

Quizzes – In some cases, standardized quizzes are provided. If there are no quizzes provided, the instructor is encouraged to construct just-in-time items for this category. Do not alter the grade weights allocated to this category.

Assignments/Discussions/Projects – Wherever deemed necessary, the instructor may choose to substitute prescribed items with his or her own version without altering the grade weights allocated to the category. The substitution items must address the same objectives as the original items at similar levels of scope and rigor with reasonable rubrics.

Communication and Student Support

Instructors are expected to proactively engage students in the learning of the course through active guidance, monitoring and follow-ups.

Instructors must remind students to retain all deliverables and reference documentation related to the course assignments for the duration of the course because assignments of the later units are built on the work completed earlier in the course.

Onsite instructors must respond to students' emails and/or phone calls within 48 hours. Graded assignments must be returned to students by the next class meeting in most cases.

Online instructors are expected to respond to students' "Ask the Instructor" messages within 24 hours of receipt. Written assignments must be graded within 72 hours. Discussion forums must be graded within 72 hours after the last day posts are due.

Academic Integrity

All students must comply with the policies that regulate all forms of academic dishonesty, or academic misconduct, including plagiarism, self-plagiarism, fabrication, deception, cheating, and sabotage. For more information on the academic honesty policies, refer to the Student Handbook. Check policies and the Faculty Handbook.


Grading

The following template is required for setting up the course grade book in the ITT Technical Institute student assessment system. Titles are to be entered as written below to enable aggregate analysis of student learning activities.

Grading Category (Category Weight) / Graded Deliverable (Weight)

Assignment (category weight 20%)

Unit 1. Assignment 1. Windows 2008 Network Services (2%)

Unit 2. Assignment 1. DHCP Troubleshooting (2%)

Unit 3. Assignment 1. Active Directory Design Scenario (2%)

Unit 4. Assignment 1. AD Design Replication Scenario (2%)

Unit 5. Assignment 1. AD Design Scenario: FSMO Role & GC Placement (2%)

Unit 6. Assignment 1. AD User/Group Design Scenario (2%)

Unit 7. Assignment 1. AD Password Policy Planning (2%)

Unit 8. Assignment 1. Administrative Control versus Trust: Research/Scenario (2%)

Unit 9. Assignment 1. GPO Planning Scenario (2%)

Unit 10. Assignment 1. AD Disaster Recovery Planning Scenario (2%)

Exercise (category weight 30%)

Unit 1. Exercise 1. IP Addressing Scenario (3%)

Unit 2. Exercise 1. DNS Scenario (3%)

Unit 3. Exercise 1. Company Merger Scenario (3%)

Unit 4. Exercise 1. Site-to-Site Connectivity Scenario (3%)

Unit 5. Exercise 1. AD FSMO Role Management Research: Alternate Methods (3%)

Unit 6. Exercise 1. AD User and Group Account Creation (3%)

Unit 7. Exercise 1. AD OU Planning Scenario (3%)

Unit 8. Exercise 1. Group Policy in a Mixed Client OS Environment: Research (3%)

Unit 9. Exercise 1. Research Software Deployment Options (3%)

Unit 10. Exercise 1. AD Troubleshooting Scenario: Troubleshooting Tools (3%)

Lab (category weight 40%)

Unit 1. Lab 1. Preparing a Virtual Workstation Image (4%)

Unit 2. Lab 1. Configuring DNS and DHCP (4%)

Unit 3. Lab 1. Creating a Replica Domain Controller (4%)

Unit 4. Lab 1. Working with Active Directory Sites (4%)

Unit 5. Lab 1. Global Catalog and Flexible Single Master Operations (FSMO) Roles (4%)

Unit 6. Lab 1. Creating and Managing Users and Groups (4%)

Unit 7. Lab 1. Employing Security Concepts (4%)

Unit 8. Lab 1. Exploring Group Policy Administration (4%)

Unit 9. Lab 1. Software Distribution and Controlling Group Policy (4%)

Unit 10. Lab 1. Disaster Recovery and Maintenance (4%)

Exam (category weight 10%)

Final Exam (10%)


Course Delivery

Instructional Approach

ITT Technical Institute promotes the principles and methods of Applied Learning grounded into the following theoretical constructs:

Merrill's Principles of Instruction suggesting that the most effective learning products or environments are those that are problem-centered and involve the student in: a) activation of prior experience, b) demonstration and application of skills, and c) integration of those skills into real-world activities

Gagné's Taxonomy of Learned Capabilities that represent progression of competency development from lower level operational skills to high-level intellectual capacity for solving unknown, complex, ill-structured problems through application or generation of rules

Bloom/Krathwohl's Taxonomy of Educational Objectives that determines: a) selection of specific instructional tasks and associated outcomes, and b) assessment of learning outcomes

Keller's ARCS Model addressing critical factors of learner motivation and engagement

The Applied Learning approach emphasizes contextualized learning experience, which empowers and motivates students, while assisting them to develop key competencies required for employment, further education and professional development, and active participation in their communities.

Methodology

The course design utilizes the ITT/ESI proprietary Explore-Practice-Apply model that allows students to gradually build their knowledge and skills while engaging in meaningful and context-relevant interactions with their peers.


[Figure: Explore-Practice-Apply model, showing the competency acquisition path from Explore through Practice to Apply]

Explore: Facilitate student discovery learning, activation of prior knowledge and building connections between new concepts and existing cognitive frameworks through interactive learning activities

Practice: Engage students in applying new concepts in the process of developing and testing new skills through hands-on exercises, labs, role playing and modeling

Apply: Engage students in analysis of complex situations and development of solutions required by learning tasks grounded in real-life/workplace contexts


For example, if an instructor's goal is to help students understand that not all websites are equally credible, in the Explore phase, the instructor might offer several options of advice-givers students may encounter in their lives and ask which advisors are the most credible and why. It's possible that Mom is more credible than the postman, for example. They might generate a list of criteria upon which to judge reliability. Students would begin to consider what makes data trustworthy.

In the Practice phase, students begin to operate in the world of the professional, but with many opportunities for low-stakes failure and with a coach nearby. It is here they do labs, hands-on exercises, or problem sets that give them the idea of how practitioners in this area work. For example, students investigating website reliability might be asked to visit several sites and look for specific criteria that the instructor suggests they find based on their brainstormed lists from the Explore activity.

In the Apply phase, students do the work of the professional. This phase provides the opportunity for students to demonstrate learning; they should not experience much failure. The Practice phase should be rich with activity so that the student will be confident and competent in the Apply phase. Students working on website reliability might now develop their own websites in this section, including appropriate references to make it easy for others to validate the site as being a reliable and accurate source of information.

Facilitation guidance and teaching tips are accompanied by tools and handouts found in the Course Support Package. Examples of the Course Support Tools include: presentation slides, worksheets, illustrations, video files, handouts, checklists and other similar instructional materials. Each tool is assigned an identification number that allows for easy search within the Course Support Package accompanying this Instructor Guide.

Facilitation Strategies

The following facilitation strategies are recommended for delivering this course:

Engage students in an active, experiential learning process.

Gradually increase the complexity of instructional tasks, dynamically adapted to the student's current competency level.

Promote cognitive realism by engaging students in instructional tasks that have real-world relevance and match the activities of professionals in practice.


Engage students in learning situations where they are challenged by complex problems requiring analytical thinking, critical reading, and systematic interaction with peers.

Provide opportunities for performing scientific inquiry and reflection on individual and group work.

Implement assessments of student learning focused on knowledge transfer into daily professional practice.


Unit Plans

Unit 1: Introduction to Networking Concepts

Course Objectives Covered by this Unit

CO1. Install and configure a Microsoft Server 2008 server and a Windows 7 client.

CO2. Configure the Windows Server 2008 machine as a DHCP server.

Unit Learning Outcomes

Explain IP address components.

Contrast classful and classless IP addressing.

Explain the function of DNS.

Explain the function of DHCP.

Install Windows 2008 Server.

Prepare a virtual workstation image.

Key Concepts

TCP/IP Addressing, Configuration and Management

Windows 2008 Server Networking Services

Windows 2008 Server Installation

Reading

Windows 7 Configuration

MOAC 70-642:

Lesson 1 – Introduction to Networking Concepts

Lesson 2 – Installing Windows 2008 Server

Keywords

Use the following keywords to search for additional materials to support your work:

APIPA (Automatic Private IP Addressing)

CIDR Notation

DHCP

FQDN

DNS

GPT (GUID Partition Table)

Dynamic Disks

Repair Mode

Server Core

Learning Activities

THEORY PORTION

Key Concept: TCP/IP Addressing, Configuration and Management

Explore Activity 1 – TCP/IP Addressing

In-class Activity, Ungraded

Description

NOTE: The knowledge of this section is already covered in the prerequisite / corequisite tree for this course (NT1210 Introduction to Networking). However, it is still necessary to review the important concepts to be directly applied to the Windows networking environment covered in this course. For a comprehensive review of the networking concepts, please refer to NT1210 Introduction to Networking.

Explain to students the following:

In order for two human beings to successfully communicate (share information), they must both agree upon and understand the rules for communication (language). Similarly, for two or more computer systems to communicate with one another (share information), they must use an agreed-upon set of rules that all of the systems understand. In computer networking, these rules are called protocols. The TCP/IP protocol suite is one such set of rules and is in fact the most common networking protocol in use today.

TCP/IP stands for transmission control protocol/Internet protocol and represents a suite of protocols (TCP, IP, UDP, etc.) that facilitate transmission of data in a network environment.

In TCP/IP terminology, a host represents a network endpoint (a device that sends and/or receives information on a network, e.g., a computer, printer or any other device configured with a network interface).

In TCP/IP terminology, a network represents a logical grouping of hosts configured to send and/or receive information with one another.

Every host on a TCP/IP network must have a unique identifier in order to send and receive data: an IP address.

An IP address consists of two components: host and network address. The host portion is the unique portion of the address assigned to a specific host. The network portion is the same for all hosts on a given network. The subnet mask is used to identify which part of the IP address is host and which part is network.

Activity:


Have students research the various components of the TCP/IP suite, identifying some common protocols and where they reside in the suite (i.e., HTTP is a transport-layer protocol utilizing TCP.)

Unit Learning Outcome(s) attached to this activity:

Explain IP address components.

Course Objective(s) supported by this activity:

Install and configure a Microsoft Server 2008 server and a Windows 7 client.

Estimated Time: 20 minutes

Explore Activity 2: IP Addressing

In-class Activity, Ungraded

Description:

Explain the following:

TCP/IP has been around for many years and, like most technologies, has undergone changes and revisions. The most popular version of TCP/IP in use today is IPv4 (Internet Protocol version 4). IPv6 (Internet Protocol version 6) is gaining acceptance and has been redesigned to meet the demands of current network environments.

An IPv4 address is made of 32 bits, divided into four eight-bit (eight bits equals one byte) parts called octets, often represented in dotted-decimal format:

o 32 bit address: 11000000000000010000000000000011

o The same address broken into octets: 11000000.00000001.00000000.00000011

o The same address written in dotted decimal: 192.1.0.3

An IPv4 address can represent a finite number of unique options for network/host address: 2^32 possible addresses.

When IPv4 was first introduced, the first 8 bits (first octet) were used for the network portion and the remaining 24 bits (three octets) were used for hosts. This limited the number of networks to 2^8, or 254, which was inadequate.

The next revision of IPv4 address allocation defined classes of address, each class having a different number of bits allocated to network. This is called classful addressing:

o Class A: The most significant or leftmost bit in a class-A network is 0, using the remaining 7 bits of the first octet for the network portion and the remaining bits for hosts.

o Class B: The most significant or leftmost two bits in a class-B network are 10, using the remaining 14 bits of the first two octets for the network portion and the remaining bits for hosts.

o Class C: The most significant or leftmost three bits in a class-C network are 110, using the remaining 21 bits of the first three octets for the network portion and the remaining bits for hosts.


o Class D: Multicast

o Class E: Reserved/Experimental

Classful addressing greatly expanded the flexibility of the original IPv4 addressing design but still proved inadequate to meet the demands of ever-growing TCP/IP network environments.

The next evolution in IPv4 addressing is called CIDR – Classless Inter-Domain Routing. CIDR is a hierarchical structure, much like the previously described classful addressing but allowing for any logical division of the available 32-bit address space into network/host. This is accomplished by including the division in the written address, aka CIDR Notation:

o 10.0.0.0/8 = This is CIDR notation for a network using the first eight bits for network (thus the /8) and the remaining 24 bits for host.

o The "/8" represents a bitmask (subnet mask) to delineate the network/host portion of an IPv4 address, e.g. 255.0.0.0

See Tables 1-1, 1-2 and 1-3 in MOAC 70-642
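The address anatomy from Explore Activity 1 (network portion, host portion, subnet mask) and the binary/octet/dotted-decimal views, classful rules and CIDR prefix of Explore Activity 2 can be worked through in code. The following is an added example; it is not part of the instructor guide or the MOAC text. The function names (parse_ipv4, address_class, prefix_to_mask, split_cidr) are this example's own, 192.1.0.3 and 10.0.0.0/8 come from the text above, and the second sample 192.168.1.77/24 is constructed.

```python
# Added example, not from the instructor guide: IPv4 address anatomy.
# Shows the 32-bit / octet / dotted-decimal views used in Explore Activity 2,
# the classful rules (leading bits 0, 10, 110, 1110, 1111) and the CIDR
# prefix -> subnet mask -> network/host split behind a notation like 10.0.0.0/8.


def parse_ipv4(text):
    """Dotted-decimal string -> 32-bit integer; rejects malformed input."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % text)
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError("octet out of range: %r" % part)
        value = (value << 8) | int(part)
    return value


def to_dotted(value):
    """32-bit integer -> dotted-decimal string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value, dotted=False):
    """32-bit integer -> binary string, optionally split into the four octets."""
    bits = format(value, "032b")
    if dotted:
        return ".".join(bits[i:i + 8] for i in range(0, 32, 8))
    return bits


def address_class(text):
    """Classful designation from the leading bits of the first octet."""
    first = parse_ipv4(text) >> 24
    if (first & 0b10000000) == 0:
        return "A"            # leading bit 0: 7 network bits
    if (first & 0b11000000) == 0b10000000:
        return "B"            # leading bits 10: 14 network bits
    if (first & 0b11100000) == 0b11000000:
        return "C"            # leading bits 110: 21 network bits
    if (first & 0b11110000) == 0b11100000:
        return "D"            # leading bits 1110: multicast
    return "E"                # leading bits 1111: reserved/experimental


def prefix_to_mask(prefix):
    """CIDR prefix length -> dotted-decimal subnet mask (8 -> 255.0.0.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (((1 << prefix) - 1) << (32 - prefix)) & 0xFFFFFFFF
    return to_dotted(mask)


def split_cidr(cidr):
    """'10.0.0.0/8' -> the mask and the network/host portions of the address."""
    text, prefix = cidr.split("/")
    prefix = int(prefix)
    addr = parse_ipv4(text)
    mask = parse_ipv4(prefix_to_mask(prefix))
    return {
        "address": to_dotted(addr),
        "mask": to_dotted(mask),
        "network": to_dotted(addr & mask),          # network portion (address AND mask)
        "host_part": addr & ~mask & 0xFFFFFFFF,      # host portion as a number
        "network_bits": prefix,
        "host_bits": 32 - prefix,
        "usable_hosts": max((1 << (32 - prefix)) - 2, 0),  # minus network and broadcast
    }


if __name__ == "__main__":
    a = parse_ipv4("192.1.0.3")                     # address from the text
    print(to_binary(a), to_binary(a, dotted=True), to_dotted(a))
    print("class", address_class("192.1.0.3"))
    for cidr in ("10.0.0.0/8", "192.168.1.77/24"):  # second one is constructed
        print(cidr, split_cidr(cidr))
```

ANDing the address with the mask is exactly how a host decides whether a destination is on its own network or must go to the gateway; the parser also rejects octets above 255, which a plain string check would accept.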

Activity:

Have students discuss what IP-address ranges they use at home, in the classroom, at work? Are they classful? What class are they?

Estimated Time: 20 minutes

Unit Learning Outcome(s) attached to this activity:

Explain IP address components.

Contrast classful and classless IP addressing.

Course Objective(s) supported by this activity:

Install and configure a Microsoft Server 2008 server and a Windows 7 client.

Explore Activity 3: Introducing IPv6

In-class Activity, Ungraded

Description:

Explain the following:

When IPv4 was first implemented, 2^32 seemed like an abundant address space (about 4 billion). With the explosion of corporate networks and the Internet, this address space is quickly being exhausted, necessitating the development of IPv6.

IPv6 has been developed to address many of the shortcomings of IPv4, chiefly address exhaustion. IPv6 uses 128-bit address space, allowing for about 340 billion addresses.

IPv6 addresses are written in hexadecimal format. Sequential zeroes can be suppressed by using a single zero per group or a double colon for all contiguous zeroes, thus these all represent valid ways to write the same address:


o 2001:0000:0000:0000:0000:0000:0000:7334

o 2001:0:0:0:0:0:0:7334

o 2001::7334

Although IPv6 has been supported since Windows 2003, Windows Vista, Windows 7 and Windows 2008 include IPv6 support natively and it is enabled by default.

There are many additional enhancements to IPv6, including native support for IPSec, etc.
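The three spellings of 2001::7334 above name one address out of the 2^128 in the IPv6 space, which matters whenever addresses are compared as strings (an allow-list that holds "2001::7334" will not match "2001:0:0:0:0:0:0:7334" unless both are canonicalised first). The following added example, not from the instructor guide, implements the expansion and compression rules by hand and cross-checks them against Python's standard ipaddress module. The function names are this example's own, and the extra sample addresses (fe80:0:0:1:0:0:0:1, 2001:db8::1) are constructed.

```python
# Added example, not from the instructor guide: IPv6 zero suppression.
# expand_ipv6() undoes "::" and restores leading zeros; compress_ipv6() applies
# the two rules from the text (drop leading zeros in a group, replace the
# longest run of all-zero groups with "::"). same_address() compares the
# expanded forms, which is how an allow-list should compare IPv6 addresses.
# Embedded-IPv4 notation (::ffff:192.0.2.1) is deliberately not supported.
import ipaddress  # standard library, used only to cross-check the result

HEX = set("0123456789abcdef")


def expand_ipv6(text):
    """Return the eight groups of an IPv6 address, each as four lowercase hex digits."""
    text = text.lower()
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed: %r" % text)
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: %r" % text)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("expected eight groups: %r" % text)
    expanded = []
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX:
            raise ValueError("bad group %r in %r" % (g, text))
        expanded.append(g.zfill(4))
    return expanded


def compress_ipv6(text):
    """Canonical short form: no leading zeros, longest zero run (2+ groups) -> '::'."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(text)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:                       # scan for the longest run of "0" groups
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:           # first run wins on ties
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                   # a single zero group is written as "0"
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return left + "::" + right


def same_address(a, b):
    """True when two differently written strings name the same 128-bit address."""
    return expand_ipv6(a) == expand_ipv6(b)


def to_int(text):
    """The address as an integer in the 2**128-sized IPv6 space."""
    return int("".join(expand_ipv6(text)), 16)


def matches_stdlib(text):
    """Cross-check this compression against ipaddress.IPv6Address(...).compressed."""
    return compress_ipv6(text) == ipaddress.IPv6Address(text).compressed


if __name__ == "__main__":
    forms = ["2001:0000:0000:0000:0000:0000:0000:7334",   # the three forms from the text
             "2001:0:0:0:0:0:0:7334",
             "2001::7334"]
    for f in forms:
        print(f, "->", compress_ipv6(f), "expanded:", ":".join(expand_ipv6(f)))
    print("all the same address:", all(same_address(forms[0], f) for f in forms))
```

The "first run wins on ties" choice and the refusal to use "::" for a single zero group follow the canonical text representation that the ipaddress module also produces, which is why the cross-check in matches_stdlib holds.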

Activity:

Search the Internet for information on IPv4 address exhaustion and the adoption of IPv6, such as can be found at the link below:

http://technet.microsoft.com/en-us/network/bb530961

Discuss the ramifications.

Estimated Time: 20 minutes

Unit Learning Outcome(s) attached to this activity:

Explain IP address components.

Course Objective(s) supported by this activity:

Install and configure a Microsoft Windows Server 2008 server and a Windows 7 client.

Key Concept: Windows 2008 Server Networking Services

Explore Activity 4 – Introduction to Windows 2008 Network Services

In-class and Homework Activity, Graded

Description:

Explain the following:

Windows Server 2008 provides a platform for delivering and managing most networking services, including Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Routing and Remote Access Service (RRAS), Network Access Protection (NAP) and many others.

Domain Name System (DNS):

o As learned previously, all hosts on a TCP/IP network must have a unique address, e.g., 192.168.0.1 or 2001:0:0:0:0:0:0:7334.

o When sharing resources on a network, the resource must often be designated by the name of the host providing it.


o DNS makes it easier for a human being to reach a resource on another system by assigning that system a convenient name.

o For example, if a user wants to reach a website hosted on a system with the address 192.168.111.23, with DNS the user can simply type sales.mycompany.com into the web browser.

o In this example, the user only needs to know the name sales.mycompany.com; DNS resolves that name to an IP address (name resolution) and hands it to the web browser, which then makes the request to that address.

o To scale from small to very large environments, DNS uses a hierarchical naming convention broken into the root, top-level domains, second-level domains and subdomains:

 The root is represented by a trailing “.” (usually implied rather than typed).

 The top-level domain is the right-most label.

 The second-level domain is the label to the left of the top-level domain.

 Subdomains are the labels to the left of the second-level domain.

o For example, in Redmond.microsoft.com:

 The (implied) right-most period represents the root.

 “com” is the top-level domain.

 “microsoft” is the second-level domain.

 “Redmond” is a subdomain.

o Thus Redmond.microsoft.com is a fully qualified domain name (FQDN): it names a specific host or subdomain unambiguously, all the way back to the root, so that it can be mapped to an IP address.

DHCP (Dynamic Host Configuration Protocol)

o As learned previously, all hosts on a TCP/IP network must have a unique address (e.g., 192.168.0.1 or 2001:0:0:0:0:0:0:7334).

o Assigning these addresses is a trivial task with two or three computers on your network, but imagine assigning and managing them for 500 or 1,000 computers!

o DHCP provides a mechanism for assigning addresses to systems dynamically.

o Manually assigning an address to a given host is called static IP address assignment; it is practical, and even required, in some situations but quickly becomes unmanageable in large environments.

o DHCP allows a centrally managed pool of addresses to be configured, together with additional parameters such as the default gateway and DNS servers, and allocated dynamically to hosts on request.

o When a host is configured as a DHCP client, at boot it sends a broadcast looking for a DHCP server. A DHCP server responds and allocates an IP address to the host, along with whatever additional parameters have been configured.

o If a Windows host configured as a DHCP client receives no response from a DHCP server, Automatic Private IP Addressing (APIPA), a function of Windows, assigns the host an address from the 169.254.0.0/16 link-local range. Such a host can only talk to other hosts on the same segment, so an APIPA address on a client is a reliable sign that DHCP has failed.

RRAS (Routing and Remote Access Service)

o The transmission of data across a network from one LAN to another LAN is called routing.

o RRAS allows Windows Server 2008 to act as a router, forwarding data between two LANs.


o RRAS requires two network interfaces in a Windows Server 2008 server, one connected to each LAN.

o Routing can be as simple as forwarding data between two LANs or as complex as routing traffic from one side of the world to the other. RRAS in a Windows Server 2008 environment is designed for routing in a small-business environment; more complex environments generally require dedicated routing hardware.

NAP (Network Access Protection)

o Network security is an increasingly critical concern in today's network environments. In many corporate networks, any computer can be plugged into any available network jack and effectively gain access to the corporate network.

o NAP is a new feature in Windows Server 2008 that allows administrative policies to be configured defining the criteria a system must meet before it is given access to the corporate network, such as up-to-date antivirus software or a properly configured firewall.

o A system that does not meet the configured NAP policies can be placed in quarantine, denied network access until it meets the policy requirements. Note that the statement of health is produced by an agent on the client itself, so NAP is a defence against out-of-date or misconfigured machines rather than against a deliberately hostile one.

Activity:

Have students discuss IT-management overhead in reference to DNS and DHCP, with the following question in mind: How many hosts does it take to justify the time and effort to setup a centrally managed solution for name resolution and address allocation? (In other words, is it worth setting up DHCP for two computers, how about five, how about 25…?)

Ask students to write a 1-page report summarizing IT-management overhead in reference to DNS and DHCP.

Estimated Time: 20 minutes

Unit Learning Outcome(s) attached to this activity:

Explain the function of DNS.

Explain the function of DHCP.

Course Objective(s) supported by this activity:

Install and configure a Microsoft Windows Server 2008 server and a Windows 7 client.

Configure the Windows Server 2008 machine as a DHCP server.

LAB PORTION

Key Concept: Windows 2008 Server Installation

Explore Activity 5: Installing Windows 2008

In-class Activity, Ungraded


Description:

Explain the following:

Before installing Windows Server 2008, some decisions must be made. What type of hardware (physical, virtual, etc.) will be used? Will a clean installation be done (installation onto new or completely reinitialized hardware), or will Windows Server 2008 be installed on a system with existing data? Which installation option will be used (full installation or Server Core)?

When installing Windows 2008, you will be presented with many of the above choices. Performing a clean install is recommended.

The first step in the actual installation of Windows 2008 is booting your machine to the Windows installation media, following which you will be presented with an installation wizard to guide you through the steps, including language preferences, product key, type of installation, location (hard drive partition) of installation, etc.

Following installation, you will be presented with the Initial Configuration Tasks wizard, which will guide you through some remaining configuration steps:

o Configure Networking: This allows configuration of the host's unique IP address, default gateway, DNS servers, etc.

o Configure Windows Firewall: The Windows Firewall is on by default. You have the options of turning it off, allowing exceptions through the firewall, and changing the network location, e.g., from Home to Work to Public. These network locations define some general characteristics of the firewall behaviour, with Public being the most restrictive. Leave the firewall on: when a role such as DNS Server or DHCP Server is added through Server Manager, the exceptions that role needs are created for you, so there is no need to disable the firewall to get a role working.

Server Manager is a tool allowing you to manage and configure your server through a single console.

Via Server Manager, you can add and remove functionality from your Windows 2008 Server installation. This functionality is broken down into roles, such as the DHCP Server role or the DNS Server role.

In addition to adding and removing roles, Server Manager allows the addition and removal of Windows 2008 Server Features, such as Windows Server Backup or Remote Server Administration Tools.

Storage can be managed via Server Manager (Storage, Disk Management), allowing additional storage to be configured after Windows Server 2008 installation. Windows Server 2008 supports both basic and dynamic disks:

o Basic disks provide legacy support for older operating systems and do not support advanced functions like striped or spanned volumes. All disks in a Windows Server 2008 environment begin as basic disks and can be converted to dynamic disks thereafter; converting back to basic requires deleting the volumes on the disk first.

o Dynamic disks support simple volumes (a logical unit of disk space on one or more physical disks), spanned volumes (free space from multiple disks), striped volumes, mirrored volumes, etc.

o Both MBR (Master Boot Record) and GPT (GUID Partition Table) partition styles are supported. MBR provides legacy support and is limited to partitions of 2 TB. GPT is recommended for disks larger than 2 TB and is required to boot Itanium-based systems.

Activity:


Ask students to get in groups and discuss Windows 2008 Server Core functionality. Each group should come up with two use-cases for Server Core.

Estimated Time: 20 min

Unit Learning Outcome(s) attached to this activity:

Install Windows 2008 Server.

Course Objective(s) supported by this activity:

Install and configure a Microsoft Windows Server 2008 server and a Windows 7 client.

Configure the Windows Server 2008 machine as a DHCP server.

Practice Activity 1: Preparing a Virtual Workstation Image

Installation of VMWare, Windows 2008 Server installation.

Estimated Time: 100 min

Unit Learning Outcome(s) attached to this activity:

Install Windows 2008 Server.

Course Objective(s) supported by this activity:

Install and configure a Microsoft Windows Server 2008 server and a Windows 7 client.

Configure the Windows Server 2008 machine as a DHCP server.

Apply Activity 1: IP Addressing Scenario

Homework, Graded

Students will respond to the following scenario with design considerations and recommendations.

Facilitation

Give students the scenario below asking them to respond in detail, justifying their recommendations. Encourage particular awareness of future growth and design considerations.

You are an IT Administrator for a newly founded company and have been tasked with designing an IP addressing scheme and a plan for allocation and management of IP addresses.


The company will currently have a single, physical location with approximately 145 hosts (computers, printers, etc). IT plans should accommodate 50% growth within the next two years.

At a minimum, address these specific questions, in addition to other concerns/considerations:

1. What subnet range(s) should be used?

2. Should IP addresses be dynamically or statically assigned?

3. Should one or more networks/subnets be used?

4. If DHCP is used, should a router, a firewall or a Windows server provide it, and why?

Unit Learning Outcome(s) attached to this activity:

Explain IP address components.

Contrast classful and classless IP addressing.

Explain the function of DNS.

Explain the function of DHCP.

Course Objective(s) supported by this activity:

Install and configure a Microsoft Windows Server 2008 server and a Windows 7 client.

Unit Summary:

This unit reviewed TCP/IP concepts, discussed how IPv4 and IPv6 addresses are managed and configured, and provided an introductory look at some of the networking services offered by Windows Server 2008, which will be discussed in greater detail in later units. In addition, this unit covered the installation of Windows Server 2008.


Unit 2: Configuring and Maintaining the DHCP and DNS Server Roles

Course Objectives Covered by this Unit

CO2. Configure the Windows Server 2008 machine as a DHCP server.

CO3. Configure Active Directory.

Unit Learning Outcomes:

Explain how DHCP works.

Install the DHCP Server role.

Analyze DHCP configuration options.

Explain DNS.

Install the DNS Server role.

Describe DNS record types.

Use DNS command-line tools.

Make recommendations about DNS Server.

Configure DNS.

Configure DHCP.

Key Concepts

DHCP for TCP/IP Address Management

DNS Concepts

Configuring DNS and DHCP

Troubleshooting

Reading

Windows Server 2008 Network Infrastructure Configuration, MOAC 70-642:

Lesson 3 – Configuring and Managing the DHCP Server Role

Lesson 4 – Configuring and Managing the DNS Server Role

Keywords

Use the following keywords to search for additional materials to support your work:

DHCP (Dynamic Host Configuration Protocol)

DNS (Domain Name System)

ARP (Address Resolution Protocol)

MAC (Media Access Control)

DHCPDISCOVER

CNAME (Canonical Name Resource Record)

Top-Level Domain

Host (A) Record

MX (Mail Exchanger) Resource Record


Learning Activities

THEORY PORTION

Key Concept: Using DHCP for TCP/IP Address Management

Explore Activity 1: The DHCP Server Role

In-class Activity, Ungraded

Description:

As we learned in Unit 1, for hosts to communicate with one another on a TCP/IP network, each must have a unique IP address. This can be accomplished manually, via static IP address assignment, which is practical in special cases or small environments, or dynamically through the Dynamic Host Configuration Protocol (DHCP), which scales to accommodate even the largest networks.

In addition to the basic requirement of a unique IP address for each host, other parameters are practically required, such as the default gateway (needed for a host to communicate with a host on a different subnet) and DNS servers (needed for hosts to translate friendly names into IP addresses).

The DHCP Server Role in Windows Server 2008 provides a centrally administered tool for allocating available IP addresses dynamically to hosts, in addition to providing additional configuration parameters such as Gateway and DNS Servers.

The DHCP Server Role tracks all assigned IP addresses, allows centralized changes, such as updating a DNS Server address which is automatically propagated to DHCP Clients, and is extremely flexible and scalable (works in small to large environments).

Activity:

Have students discuss possible situations where static IP address assignment might be beneficial and/or required.

Estimated Time: 15 minutes

Unit Learning Outcome(s) attached to this activity:

Explain how DHCP works.

Course Objective(s) supported by this activity:

Configure the Windows Server 2008 machine as a DHCP server.

Explore Activity 2: Understanding DHCP


In-class Activity, Ungraded

Description:

The key function of DHCP is dynamic address assignment, and it relies on the User Datagram Protocol (UDP) to accomplish this.

UDP is a TCP/IP Transport Layer protocol. DHCP uses UDP ports 67 (server) and 68 (client). The key components of a DHCP infrastructure are DHCP servers (computers that provide DHCP configuration to multiple clients), DHCP clients (computers that obtain configuration information from DHCP servers) and DHCP leases (the length of time for which a DHCP server assigns configuration information to a client).

The process by which a client obtains DHCP configuration information from a server involves four steps:

o DHCPDISCOVER: The client, which has no address yet, broadcasts a message to discover DHCP servers.

o DHCPOFFER: Each DHCP server that receives the DHCPDISCOVER responds with a DHCPOFFER containing the server's own address (the server identifier), the MAC address of the requesting client, a proposed IP address for the client with its subnet mask, and the lease duration.

o DHCPREQUEST: The client selects one offer (normally the first it receives) and broadcasts a DHCPREQUEST that names the requested IP address, the identifier of the server whose offer it accepted, and the parameters it wants (DNS servers, WINS servers, etc.). Because the request is broadcast, the other servers that made offers see that they were not chosen and release their tentative addresses.

o DHCPACK: The selected server replies with a DHCPACK (acknowledgement) containing the lease and the configured options, and the client may then use the address. If the server can no longer honour the request it replies with a DHCPNAK instead and the client starts over.

Because a DHCP lease is finite (8 days by default in Windows), DHCP clients periodically attempt to renew their lease:

o The first attempt is made when half of the lease time has passed (known as T1); the client sends a unicast DHCPREQUEST to the server that granted the lease.

o If that fails, a second attempt is made at 87.5% of the lease time (known as T2); this time the client broadcasts the DHCPREQUEST so that any server can renew it.

If the T2 attempt also fails, the client stops using the address when the lease expires and restarts the discovery process.

Unit Learning Outcome(s) attached to this activity:

Explain how DHCP works.

Course Objective(s) supported by this activity:

Configure the Windows Server 2008 machine as a DHCP server.

Explore Activity 3: Installing the DHCP Server Role

In-class Activity, Ungraded

Description:


In Windows Server 2008, the Server Manager provides an easy wizard for installation of the DHCP Server Role:

o From Server Manager, double-click Roles.

o Click Add Roles.

o Click Next then place a checkmark next to the DHCP Server role.

o Click Next and Next.

o Fill in the appropriate DNS Server information and click Next.

o Fill in the appropriate WINS Server information and click Next.

o Click Add to create a DHCP Scope (range of addresses to be allocated from this server).

o Place a checkmark next to “Activate this scope” and click OK.

o Select Enable DHCPv6 Stateless Mode and click Next.

o Select Skip Authorization of this DHCP Server in AD DS and click Next.

o Click Install on the Confirm Installation Page.

Because the DHCP Server role provides a critical network service, a Windows DHCP server in an Active Directory environment must be authorized in AD DS before it will hand out configuration information to clients.

DHCP servers that are active but unauthorized are called rogue DHCP servers. Authorization is enforced only by the Windows DHCP Server service itself: an unauthorized Windows DHCP server stops serving clients, but authorization does nothing to stop a non-Windows or hand-built rogue server on the segment, whose offers clients will accept because they take the first offer they receive. Containing that kind of rogue server requires a network-level control such as DHCP snooping on the switches. To authorize a DHCP server in an Active Directory environment (this requires membership in Enterprise Admins, or delegated rights), launch the DHCP administrative console:

o Go to Start, Administrative Tools, DHCP.

o Right-click DHCP and click Manage Authorized Servers.

o Click Authorize and enter the name or IP address of the DHCP server to be authorized.

o Click OK and OK.

The next steps are configuring a DHCP Scope, DHCP Reservations and DHCP Options.

Unit Learning Outcome(s) attached to this activity:

Install the DHCP Server role.

Course Objective(s) supported by this activity:

Configure the Windows Server 2008 machine as a DHCP server.

Explore Activity 4: Configuring the DHCP Server Role

In-class Activity, Ungraded

Description:

After installation and authorization of the DHCP Server Role in a Windows Server 2008 environment, an address scope must be configured with appropriate options for the environment. Optionally, address reservations may also be configured.

Configuring a DHCP scope defines the address range that a DHCP server can allocate to clients. A DHCP server may have one or many scopes. When defining a scope, you can also configure ranges of addresses within it that must not be allocated to clients; these are called exclusion ranges. The scope's range minus its exclusion ranges is the available address pool.

o Go to Start, Administrative Tools, DHCP and drill down to the DHCP Server name.

o Right-click on IPv4 under the server name and select New Scope, click Next.

o Enter a name and description for the new scope and click Next.

o Enter the starting and ending IP address and subnet mask.

o Add exclusions if desired/necessary.

o Change the lease duration or accept the default and click Next.

o Choose whether or not to configure DHCP Options and click Next.

o Enter the Router (default gateway) address and click Add then Next.

o Enter the DNS server and DNS domain name and click Next.

o Enter the WINS server and click Next.

o Click Yes, I want to activate the scope now and click Next.

o Click Finish.

DHCP Reservations provide administrators a way to assign a permanent IP address to a DHCP client without having to manually assign a static IP.

A DHCP Reservation might be used for a network-attached printer which is configured to automatically receive an IP address from a DHCP Server but requires the same IP address permanently so that clients can easily locate it on the network.

To configure a DHCP reservation:

o Go to Start, Administrative Tools, DHCP and drill down to the appropriate IPv4 scope.

o Beneath the scope, right-click Reservations and click New Reservation.

o Enter a name for the reservation (e.g., HR Network Printer) and the desired IP address.

o Enter the MAC address of the host, click Add and then Close.

A reservation is keyed on the MAC address, which any host on the segment can set for itself, so it is a management convenience and not a form of access control.
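The four-step exchange from Explore Activity 2, run against a scope with an exclusion range and a MAC-based reservation like the ones configured in this activity, as an added Python example; this is not the guide's code and nothing here talks to a real DHCP server. The scope 192.168.0.200 to .225, the exclusion, the printer MAC address and the two server identifiers are all constructed, and messages are dictionaries keyed by RFC 2132 option number rather than raw UDP packets. Two servers answer the same DISCOVER to show that a client simply takes the first OFFER it receives, which is the whole problem with an unauthorized DHCP server on a segment.

```python
# DHCP DISCOVER/OFFER/REQUEST/ACK against a scope with exclusions and reservations. Added example, not
# code from the NT1330 guide; scope, addresses and MACs are constructed, messages are dicts keyed by option.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6                      # RFC 2132 option codes
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 51, 53, 54
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6                  # message types carried in option 53


@dataclass
class Scope:
    network: ipaddress.IPv4Network
    start: IPv4
    end: IPv4
    lease_seconds: int = 8 * 24 * 3600                                 # Windows default lease: 8 days
    exclusions: list[tuple[IPv4, IPv4]] = field(default_factory=list)  # ranges never handed out
    reservations: dict[str, IPv4] = field(default_factory=dict)        # MAC -> fixed address
    options: dict[int, str] = field(default_factory=dict)              # router, DNS, ... for every client


@dataclass
class DhcpServer:
    server_id: IPv4
    scope: Scope
    leases: dict[str, IPv4] = field(default_factory=dict)    # MAC -> leased address
    offered: dict[str, IPv4] = field(default_factory=dict)   # MAC -> tentative address after an OFFER

    def _pick(self, mac: str) -> IPv4 | None:
        """Reservation first, then the client's existing lease, then the lowest free pool address."""
        if mac in self.scope.reservations:
            return self.scope.reservations[mac]
        if mac in self.leases:
            return self.leases[mac]
        taken = set(self.leases.values()) | set(self.offered.values()) | set(self.scope.reservations.values())
        addr = self.scope.start
        while addr <= self.scope.end:
            if addr not in taken and not any(low <= addr <= high for low, high in self.scope.exclusions):
                return addr
            addr += 1
        return None                                  # pool exhausted: a real server stays silent

    def handle(self, msg: dict) -> dict | None:
        """Server side: DISCOVER -> OFFER, REQUEST -> ACK or NAK; anything else is ignored."""
        mac, kind = msg["chaddr"], msg[OPT_MSG_TYPE]
        if kind == DISCOVER:
            addr = self._pick(mac)
            if addr is None:
                return None
            self.offered[mac] = addr
            return self._reply(OFFER, mac, addr)
        if kind == REQUEST:
            # The broadcast REQUEST names the server whose offer was accepted; every other
            # server that made an offer releases its tentative address and says nothing.
            if msg.get(OPT_SERVER_ID) != str(self.server_id):
                self.offered.pop(mac, None)
                return None
            wanted = IPv4(msg[OPT_REQUESTED_IP])
            if wanted != self.offered.pop(mac, self.leases.get(mac)):
                return {"chaddr": mac, OPT_MSG_TYPE: NAK, OPT_SERVER_ID: str(self.server_id)}
            self.leases[mac] = wanted
            return self._reply(ACK, mac, wanted)
        return None

    def _reply(self, kind: int, mac: str, addr: IPv4) -> dict:
        reply = {"chaddr": mac, "yiaddr": str(addr), OPT_MSG_TYPE: kind, OPT_SERVER_ID: str(self.server_id),
                 OPT_SUBNET_MASK: str(self.scope.network.netmask), OPT_LEASE_TIME: self.scope.lease_seconds}
        reply.update(self.scope.options)
        return reply


def renewal_times(lease_seconds: int) -> tuple[int, int]:
    """T1 (unicast renew to the leasing server) at 50% and T2 (broadcast rebind) at 87.5% of the lease."""
    return lease_seconds // 2, lease_seconds * 7 // 8


def obtain_lease(mac: str, servers: list[DhcpServer]) -> dict | None:
    """Client side: broadcast DISCOVER, take the first OFFER, broadcast REQUEST naming that server, expect ACK."""
    discover = {"chaddr": mac, OPT_MSG_TYPE: DISCOVER}
    offers = [reply for reply in (server.handle(discover) for server in servers) if reply]
    if not offers:
        return None
    request = {"chaddr": mac, OPT_MSG_TYPE: REQUEST,
               OPT_REQUESTED_IP: offers[0]["yiaddr"], OPT_SERVER_ID: offers[0][OPT_SERVER_ID]}
    replies = [reply for reply in (server.handle(request) for server in servers) if reply]
    return replies[0] if replies and replies[0][OPT_MSG_TYPE] == ACK else None


def make_scope() -> Scope:
    # Constructed lab scope 192.168.0.200-225: .200-.201 excluded, the HR printer reserved at .210.
    return Scope(ipaddress.IPv4Network("192.168.0.0/24"), IPv4("192.168.0.200"), IPv4("192.168.0.225"),
                 exclusions=[(IPv4("192.168.0.200"), IPv4("192.168.0.201"))],
                 reservations={"00:11:22:33:44:55": IPv4("192.168.0.210")},
                 options={OPT_ROUTER: "192.168.0.1", OPT_DNS: "192.168.0.10"})


def demo() -> dict:
    # Two servers on one segment answer every DISCOVER; each client takes whichever OFFER comes first.
    authorized, second = DhcpServer(IPv4("192.168.0.10"), make_scope()), DhcpServer(IPv4("192.168.0.99"), make_scope())
    results = {}
    for name, mac in (("workstation1", "aa:bb:cc:00:00:01"), ("printer", "00:11:22:33:44:55"),
                      ("workstation2", "aa:bb:cc:00:00:02")):
        ack = obtain_lease(mac, [authorized, second])
        results[name] = ack["yiaddr"] if ack else None
    results["second_server_leases"] = len(second.leases)
    return results
```

demo() returns the address each client ended up with (the first two pool addresses are skipped because they are excluded, and the printer gets its reserved address regardless of order), and renewal_times(8 * 24 * 3600) gives the T1 and T2 points in seconds for the default 8-day lease. The second server never records a lease because every REQUEST names the first server's identifier.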

Unit Learning Outcome(s) attached to this activity:

Analyze DHCP configuration options.

Course Objective(s) supported by this activity:

Configure the Windows Server 2008 machine as a DHCP server.

Key Concept: DNS Concepts

Explore Activity 5: Understanding DNS

In-class Activity, Ungraded

Description:

The concept of Domain Name System (DNS) is very simple: map a name to an IP address for easier communication between network devices in a TCP/IP network environment.


The Internet relies on DNS to let users find their favorite websites by name instead of having to remember an IP address for each web server, e.g., www.myfavoritesite.com instead of 12.34.56.78.

The process of mapping names to IP addresses is called name resolution and, though simple in concept, is complex in practice and design.

In order to scale to the largest networks in the world, DNS uses a hierarchical (ranked or tiered) namespace structure:

o At the very top of the hierarchy is the root, represented by “.”

o Immediately under the root are the top-level domains (.com, .net, .org, etc.).

o Second-level domains sit below the top-level domains and are typically registered to individuals or organizations, e.g., “mycompany.com” or “myschool.edu”.

DNS uses a fully qualified domain name (FQDN) to map a name to an IP address.

Unit Learning Outcome(s) attached to this activity:

Explain the function of DNS.

Course Objective(s) supported by this activity:

Configure Active Directory.

Explore Activity 6: Installing & Configuring the DNS Server Role

In-class Activity, Ungraded

Description:

In a Windows Server 2008 environment, a DNS server is classified by the zones it hosts. A zone is the collection of resource records (name-to-address mappings and others) for a contiguous portion of the DNS namespace, stored and administered as a unit.

A DNS Server can host primary or secondary zones or both. A DNS Server that does not host any zone is called a caching-only server.

In Windows Server 2008, DNS zone data is stored either in a text file (standard zones) or in Active Directory (Active Directory-integrated zones). A zone is either a forward lookup zone (answers queries that map a known name to an IP address) or a reverse lookup zone (answers queries that map a known IP address back to a name).

Standard zone types include primary, secondary and stub:

o A standard primary zone holds the read/write master copy of the zone; only one server can host it, and it is the only copy that can accept dynamic updates.

o A standard secondary zone holds a read-only copy of the zone, obtained by zone transfer from the primary, to provide fault tolerance and to share the query load.

o A standard stub zone holds only the records needed to identify the authoritative DNS servers for the zone (the SOA, the NS records and their glue A records).

Active Directory-integrated zones offer significant benefits, including fault tolerance, enhanced security (secure dynamic updates, where only the computer that registered a record may change it), multi-master updates and efficient replication.


To install the DNS Server Role, launch Server Manager, click Roles, Add Roles, click Next and place a checkmark next to the DNS Server role. Click Next and Install. Upon completion click Close.

To add a standard primary zone to your newly created DNS server, go to Administrative Tools, DNS. Drill down to Forward Lookup Zones, right-click and click New Zone. Choose Primary Zone and click Next. Enter the zone name, e.g., contoso.com, and click Next. Select Create a New File and click Next. Select Do Not Allow Dynamic Updates and click Next, then Finish. For a standard (file-based) primary zone the only dynamic-update choices are none or nonsecure, and nonsecure updates let any host on the network overwrite any record in the zone, so leave them disabled; “secure only” updates are available, and should be used, when the zone is Active Directory-integrated.

Unit Learning Outcome(s) attached to this activity:

Install the DNS Server role.

Course Objective(s) supported by this activity:

Configure Active Directory.

Explore Activity 7: Understanding DNS Zone Transfers and Record Types

Zone transfers copy all or part of the data in a zone from one DNS server to another. This is how secondary zones obtain current records from the primary zone: when changes occur, the primary makes them available and the secondaries pull them. Restrict who may request a transfer (the Zone Transfers tab of the zone's properties in the DNS console) to the named secondary servers, or disable transfers entirely where there are no secondaries, because an unrestricted transfer hands anyone who asks the complete list of hosts in the zone.

Windows Server 2008 DNS supports both full zone transfers (AXFR) and incremental zone transfers (IXFR, in which only the changes since the last transfer are sent).

DNS servers can hold many types of records, the most common being:

o Start of Authority (SOA): This represents the original point of authority for a zone and carries the zone's serial number.

o Host (A): This maps an FQDN to an IPv4 address.

o Host (AAAA): Sometimes called a “quad-A” record, this maps an FQDN to an IPv6 address.

o Name Server (NS): This record identifies a DNS server that is authoritative for a zone.

o Mail Exchanger (MX): This record designates an email server for a domain.

o Canonical Name (CNAME): This record contains an alias for an FQDN.

o Service Locator (SRV): These records identify servers that provide a specific network service. Active Directory relies heavily on SRV records to identify domain controllers in an Active Directory domain.
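What a full versus an incremental zone transfer actually carries, as an added Python example (not from the guide): it parses two constructed versions of a small contoso.com zone containing the record types listed above, checks the SOA serial the way a secondary does before pulling a transfer, and counts the records each transfer type would send. The zone contents, serials, host names and addresses are made up for the example.

```python
"""Parse a small zone file and compare a full (AXFR) with an incremental (IXFR) transfer.

Added example, not from the NT1330 guide. Both zone versions are constructed.
"""
from __future__ import annotations

# Which rdata fields hold domain names that must be made fully qualified.
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "CNAME": (0,), "MX": (1,), "SRV": (3,)}

ZONE_V1 = """\
$ORIGIN contoso.com.
@           IN SOA   ns1 hostmaster 2013080601 3600 600 86400 300
@           IN NS    ns1
@           IN MX    10 mail
ns1         IN A     192.168.0.10
mail        IN A     192.168.0.25
dc1         IN A     192.168.0.5
sales       IN A     192.168.111.23
sales       IN AAAA  2001:db8::7334
www         IN CNAME sales
_ldap._tcp  IN SRV   0 100 389 dc1     ; how AD clients find a domain controller
"""

# Version 2: serial bumped, sales moved to a new address, one alias added.
ZONE_V2 = (ZONE_V1.replace("2013080601", "2013080602")
           .replace("192.168.111.23", "192.168.111.24")
           + "intranet    IN CNAME sales\n")


def qualify(name: str, origin: str) -> str:
    """'@' is the origin, names ending in '.' are absolute, anything else is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str) -> set[tuple[str, str, str]]:
    """Return the zone as a set of (owner, type, rdata) triples with every name fully qualified."""
    origin, records = None, set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if origin is None:
            raise ValueError("resource records before $ORIGIN")
        owner, rclass, rtype, *rdata = line.split()
        if rclass != "IN":
            raise ValueError(f"unsupported class {rclass}")
        for index in NAME_FIELDS.get(rtype, ()):
            rdata[index] = qualify(rdata[index], origin)
        records.add((qualify(owner, origin), rtype, " ".join(rdata)))
    return records


def soa_serial(records: set[tuple[str, str, str]]) -> int:
    """The SOA serial; a secondary only pulls a transfer when the primary's serial is newer."""
    (soa,) = [record for record in records if record[1] == "SOA"]
    return int(soa[2].split()[2])


def serial_is_newer(new: int, old: int) -> bool:
    """RFC 1982 serial arithmetic: newer if it is ahead by less than 2**31, modulo 2**32."""
    return 0 < (new - old) % 2**32 < 2**31


def transfer_payload(old: set, new: set) -> dict[str, int]:
    """Records a full transfer carries (the whole new zone) versus an incremental one (deleted + added)."""
    removed, added = old - new, new - old
    return {"axfr": len(new), "ixfr": len(removed) + len(added)}


def records_of_type(records: set[tuple[str, str, str]], rtype: str) -> list[str]:
    return sorted(f"{owner} {rdata}" for owner, kind, rdata in records if kind == rtype)


if __name__ == "__main__":
    v1, v2 = parse_zone(ZONE_V1), parse_zone(ZONE_V2)
    print(soa_serial(v1), "->", soa_serial(v2), serial_is_newer(soa_serial(v2), soa_serial(v1)))
    print(transfer_payload(v1, v2), records_of_type(v2, "SRV"))
```

Forgetting to bump the serial is the classic cause of a secondary that never picks up a change: with serial_is_newer returning False, a real secondary would not request the transfer at all.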

Unit Learning Outcome(s) attached to this activity:

Describe DNS record types.

Use DNS command-line tools.

Course Objective(s) supported by this activity:

Configure Active Directory.


Explore Activity 8: DNS Queries

A request from a client to a DNS server is called a query. The client software making the query is called a DNS resolver. A query contains the FQDN in question and the resource record type wanted (A, MX, etc.). The DNS server receiving the query can respond with: a positive answer, which is either authoritative (from a server with direct authority for the zone in question) or non-authoritative (from a server's cache); a referral, containing a pointer to the name servers that are closer to the answer (resource records not specifically requested in the query); or a negative answer, indicating either that the queried name does not exist or that the name exists but has no record of the requested type.

Queries can be one of two types: iterative or recursive. An iterative query asks a DNS server to respond with the best information it has available (an answer, a referral or a negative answer) without contacting other DNS servers. Recursion is the process of a DNS server querying other DNS servers on the client's behalf, following referrals, until it finds the answer to the query.

DNS servers in a Windows Server 2008 environment can be configured to either support or disallow recursive queries (server properties, Advanced tab, “Disable recursion”). Recursion should be disabled on servers that are reachable from the Internet and only need to answer for the zones they host: an open recursive resolver can be abused as an amplifier in reflection attacks and exposes its cache to poisoning attempts.

Forwarders and Conditional Forwarders can be used to tell a DNS Server where to send queries for external DNS names. Conditional Forwarders can specify where to forward requests based specifically on a domain name.
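The name hierarchy from Explore Activity 5 and the referral, authoritative, negative and recursive behaviour described above, as an added Python example that is not part of the guide. The three zones (root, com and contoso.com), their name servers and addresses form a constructed toy namespace; query_server models what an authoritative server with recursion disabled returns for one question, and resolve is the recursive resolver that walks the referrals from the root on a client's behalf, caching what it learns.

```python
"""Hierarchical DNS name resolution: referrals, authoritative and negative answers, recursion.

Added example, not from the NT1330 guide. The zones below are a constructed
toy namespace; the server names and addresses are invented.
"""
from __future__ import annotations

from dataclasses import dataclass

# zone apex -> { owner -> { type -> [rdata, ...] } }. Each zone is served by one
# (imaginary) authoritative server; NS records below the apex are delegations.
ZONES = {
    ".": {"com.": {"NS": ["ns.gtld.example."]}},
    "com.": {"contoso.com.": {"NS": ["ns1.contoso.com."]}},
    "contoso.com.": {
        "contoso.com.": {"NS": ["ns1.contoso.com."], "MX": ["10 mail.contoso.com."]},
        "ns1.contoso.com.": {"A": ["192.168.0.10"]},
        "mail.contoso.com.": {"A": ["192.168.0.25"]},
        "sales.contoso.com.": {"A": ["192.168.111.23"]},
        "www.contoso.com.": {"CNAME": ["sales.contoso.com."]},
    },
}


@dataclass
class Response:
    kind: str            # answer | cname | referral | nxdomain | nodata
    authoritative: bool
    records: list[str]
    zone: str            # zone answered from, or the delegated zone for a referral


def hierarchy(fqdn: str) -> dict[str, object]:
    """Split e.g. redmond.microsoft.com. into root, top-level, second-level and subdomain labels."""
    labels = fqdn.rstrip(".").lower().split(".")
    return {"root": ".", "top_level": labels[-1], "second_level": labels[-2] if len(labels) > 1 else None,
            "subdomains": labels[:-2][::-1]}


def query_server(zone: str, qname: str, qtype: str) -> Response:
    """What the authoritative server for `zone` says about one question, without recursing."""
    records = ZONES[zone]
    for owner, rrsets in records.items():              # delegation: a child zone that qname sits under
        if owner != zone and "NS" in rrsets and (qname == owner or qname.endswith("." + owner)):
            return Response("referral", False, rrsets["NS"], owner)
    if qname not in records:
        return Response("nxdomain", True, [], zone)      # the name does not exist at all
    if "CNAME" in records[qname] and qtype != "CNAME":
        return Response("cname", True, records[qname]["CNAME"], zone)
    if qtype not in records[qname]:
        return Response("nodata", True, [], zone)        # name exists, but not that record type
    return Response("answer", True, records[qname][qtype], zone)


def resolve(qname: str, qtype: str, cache: dict | None = None, max_steps: int = 12) -> tuple[list[str], list[str]]:
    """Recursive resolver: start at the root, follow referrals (and CNAMEs) until a final answer."""
    cache = {} if cache is None else cache
    qname, zone, trail = qname.lower(), ".", []
    for _ in range(max_steps):
        key = (zone, qname, qtype)
        if key not in cache:                             # cached responses are served without asking again
            cache[key] = query_server(zone, qname, qtype)
        response = cache[key]
        trail.append(f"{zone} {response.kind}")
        if response.kind == "referral":
            zone = response.zone
        elif response.kind == "cname":
            qname, zone = response.records[0], "."     # restart from the root for the canonical name
            trail.append(f"alias -> {qname}")
        elif response.kind == "answer":
            return response.records, trail
        else:
            return [], trail                              # negative answer: nxdomain or nodata
    raise RuntimeError("resolution did not converge")


if __name__ == "__main__":
    print(hierarchy("Redmond.microsoft.com"))
    for name, rtype in (("www.contoso.com.", "A"), ("contoso.com.", "MX"), ("nothere.contoso.com.", "A")):
        print(name, rtype, resolve(name, rtype))
```

The trail returned by resolve shows the three hops (root, com, contoso.com) that a recursive server takes for a client, and why an authoritative-only server with recursion disabled can only hand back the referral it has rather than the final address.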

Activity:

Have the students research root hints.

Estimated Time: 20 minutes

Unit Learning Outcome(s) attached to this activity:

Explain DNS.

Course Objective(s) supported by this activity:

Configure Active Directory.

Explore Activity 9: DNS Command-Line Tools

In addition to the DNS Server MMC console in a Windows Server 2008 environment, you can use NsLookup and Dnscmd to troubleshoot and manage DNS.

NsLookup is part of the TCP/IP suite and can be very useful in verifying the configuration and functionality of DNS.

NsLookup can be used as a single command; for example, to retrieve the IP address for www.microsoft.com, enter “nslookup www.microsoft.com” at a command prompt. NsLookup also supports an interactive mode, accepting multiple commands and queries. To enter interactive mode, just type nslookup at a command prompt and press Enter.

You can easily change which DNS Server to send queries to by entering “server x.x.x.x” where x.x.x.x represents the IP address of the DNS Server.

From a command prompt, type nslookup /? to see the options and command syntax, or type nslookup, hit Enter and type ? and hit Enter again for interactive mode help.

Dnscmd is a component of Windows Server 2008 DNS and can be used to perform most DNS configuration tasks. This can be particularly useful for scripting DNS tasks.

Using Dnscmd, you can create, delete and view zones and records; clear cache; stop and restart DNS services, etc.

To see zone information for the local DNS server, at a command prompt type “dnscmd localhost /enumzones”.

Unit Learning Outcome(s) attached to this activity:

Use DNS command-line tools.

Course Objective(s) supported by this activity:

Configure Active Directory.

LAB PORTION

Key Concept: Configuring DNS and DHCP

In-Class and Homework, Graded

Practice Activity 1: Lab 1: Configuring DNS and DHCP

See the Lab Manual for Lab 2: Configuring DNS and DHCP.

Estimated Time: 45 min

Unit Learning Outcome(s) attached to this activity:

Install the DHCP Server role.

Analyze DHCP configuration options.

Install the DNS Server role.

Course Objective(s) supported by this activity:

Configure the Windows Server 2008 machine as a DHCP server.

Configure Active Directory.


Key Concept: Troubleshooting

Apply Activity 1: DHCP Troubleshooting

Homework, Graded

Students will respond to the following technical support email from a junior IT admin with further questions and considerations.

Facilitation

Give students the scenario below asking them to respond in detail with clarifying questions, suggested approaches and/or possible solutions.

Dear IT Admin:

I am working at a branch office and have been tasked with changing out the DHCP scope to match the overall corporate IP address scheme. The main office assigned me an IP address range of 192.168.0.200 through 192.168.0.225. I changed the scope on Friday afternoon and came in on Monday morning to discover that only some of the workstations had picked up new leases from the new DHCP scope. Any ideas as to what may be happening, what I might check or adjust?

Thank you,

Junior Admin

Unit Learning Outcome(s) attached to this activity:

Analyze DHCP configuration options.

Course Objective(s) supported by this activity:

Configure the Windows Server 2008 machine as a DHCP server.

Apply Activity 2: DNS Scenario

Homework, Graded

Students will respond to the following technical support email from a junior IT admin with further questions and considerations.

Facilitation

Give students the scenario below asking them to respond in detail with clarifying questions, recommendations and/or considerations.


Dear IT Admin:

I am working at two branch offices and have been tasked with deciding where to place Active Directory-integrated DNS servers and what type to use.

One of the branch offices is very small (maybe 5 users) and has very slow network connectivity. Do I need a DNS Server and, if so, which type of zone should it host?

The second branch office is much larger (about 30 users) and has better network connectivity. Does this office need a DNS Server and, if so, what type of zone would you recommend?

Thank you,

Junior Admin

Unit Learning Outcome(s) attached to this activity:

Explain DNS.

Install the DNS Server role.

Course Objective(s) supported by this activity:

Configure Active Directory.

Unit Summary:

This unit covered the configuration and management of the Dynamic Host Configuration Protocol (DHCP) server role for Windows Server 2008, the role of Domain Name System (DNS) in an Active Directory and Windows Server 2008 environment, and DNS implementation and configuration.


Unit 3: Overview of Active Directory Domain Services, Implementing Active Directory

Course Objectives Covered by this Unit

CO3. Configure Active Directory.

Unit Learning Outcomes

Explain Active Directory (AD) Services
Describe AD Components
Explain AD Functional Levels
Install Active Directory Domain Services
Configure Active Directory Domain Services
Determine necessary information for the design of a domain hierarchy.
Determine the necessary information to design a solution in a merger scenario.
Create a replica domain controller.

Key Concepts

Active Directory Functions and Benefits
Configuring Active Directory

Reading

Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 1 – Overview of Active Directory Domain Services
Lesson 2 – Implementing Active Directory

Keywords

Use the following keywords to search for additional materials to support your work:

Active Directory Domain Services (AD DS)
Organizational Unit (OU)
Domain Controller (DC)
Domain Name System (DNS)
Lightweight Directory Access Protocol (LDAP)
Flexible Single Master Operations (FSMO)
Object Identifier (OID)
SYSVOL
User Principal Name (UPN)


Learning Activities

THEORY PORTION

Key Concept: Active Directory Functions and Benefits

Explore Activity 1: Active Directory Functions and Benefits

In-class Activity, Ungraded

Description:

Explain to students the following:

One of the primary benefits of a computer network is the sharing of resources (data, applications, services, devices, etc). Particularly in larger environments, the task of administering access and availability of these shared resources can be onerous. In Windows Server 2008, Active Directory Domain Services (AD DS) provides a mechanism to centrally, efficiently manage security, distribution and access to network resources. AD DS scales from small to very large environments, with the ability to manage AD resources from multiple locations (multimaster authentication), to create trust relationships with external networks and to replicate information for fault tolerance and redundancy.

A directory service is somewhat like a phone book for the computer network, providing a complete listing of people and services, as well as a great deal of additional information about each entry. In a Windows Server 2008 environment, the directory service (AD DS) is a repository of information about the people, services and data that can be centrally and securely managed.

In Windows Server 2008, there are two different directory service roles: Active Directory Domain Services (AD DS), which is a full-featured directory service; and Active Directory Lightweight Directory Services (AD LDS), which, as its name implies, provides a lightweight, low-overhead directory service.

In a Windows Server 2008 environment, a Windows Server 2008 computer that is configured with the AD DS role is called a domain controller. It stores the AD database and handles authentication (verifying who a user or service is) and authorization (whether or not they are allowed access to a resource).

Because AD DS is a multimaster database, it synchronizes any/all changes made from and to any/all domain controllers (replication), providing fault tolerance (a copy of the database, ntds.dit, exists in multiple places), single sign on (authentication can occur with any available domain controller), and the ability to administer AD DS from any available domain controller.

Activity:

Have students research a Microsoft Workgroup environment and compare and contrast it with AD DS.

Estimated Time: 20 minutes


Unit Learning Outcome(s) attached to this activity:

Explain Active Directory Services

Course Objective(s) supported by this activity:

Configure Active Directory.

Explore Activity 2: Understanding Active Directory Components

In-class Activity, Ungraded

Description:

Explain the following:

Some of the benefits of AD DS are that it is hierarchical and very flexible. In order to appropriately design an AD infrastructure, it is important to understand the components and how they interrelate.

At the most basic level, AD components fit into one of two categories: container objects (can contain other container objects or leaf objects) and leaf objects (cannot contain other objects, usually representing a single resource like a user or a printer).

Container objects include:

o Forest: the largest container (top of the hierarchy), encompassing the fundamental security boundary in AD.

o Domain Tree: a logical grouping of resources containing one or more domains.

o Domains: a logical grouping of resources designated by an AD domain name.

o Organizational Units (OU): a logical grouping of resources within a domain, usually containing users or resources with similar security or administrative settings.

To organize data and facilitate efficient replication, the AD DS database (ntds.dit) is divided into multiple parts (partitions), also known as naming contexts (NCs):

o The Schema NC contains the rules and definitions for creating and modifying object classes and attributes in AD and is replicated to all DCs in a forest.

o The Configuration NC contains information about the physical topology of the network and is replicated to all DCs in a forest.

o The Domain NC contains all of the resource objects, such as users and computers, for a domain and is replicated to all DCs within a domain.

All AD objects have a common set of attributes, including:

o Unique Name: This is an object identifier and is assigned at object creation.

o Globally Unique Identifier (GUID): This is a 128-bit value, usually written in hexadecimal, assigned automatically to every object in AD when it is created.

o Required Object Attributes: These represent attributes that are required for creation of an object, e.g., a user account must have a unique name.

o Optional Object Attributes: These are informational attributes for an object and are not required.

Naming is a critical component of AD, not only to organize information in a logical and manageable structure but also to comply with Lightweight Directory Access Protocol (LDAP, an IETF standard) standards for interoperability.


Queries and modifications in AD function almost exclusively via LDAP. LDAP and AD refer to objects via their distinguished name (DN) to accurately and uniquely identify them.

A DN uses the entire hierarchical path to an object, starting with the object itself and including all parent objects up to the root of the domain, e.g., a user named John Smith who exists in the LucernePublishing.com domain, within the Sales Organizational Unit, would have a DN of cn=JSmith, ou=sales, dc=lucernepublishing, dc=com.

CN = common name; OU = organizational unit; DC = domain component, one for each part of a domain name.

In addition to DNs, Windows Server 2008 AD DS supports User Principal Names (UPNs), which are somewhat easier to use. They follow the format username@domainname, often correlating with a user’s domain email account.
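As an added example (not from the guide or from MOAC), the following Python parses a DN such as the one above into its relative distinguished names, recovers the DNS domain from the dc= components, and forms the username@domainname UPN. It also handles a comma escaped with a backslash inside a value (RFC 4514), a case the text does not cover. The sample DN is the text's own; every other value is constructed.

```python
"""Parse LDAP distinguished names (DNs) as used by AD DS and derive the related
names the text describes: the DNS domain, the parent container and a UPN.
Added example; only SAMPLE_DN comes from the text, other values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DistinguishedName:
    rdns: tuple  # ((attribute_type, value), ...) leaf first, root last

    @classmethod
    def parse(cls, text):
        """Split a DN into RDNs.  A backslash makes the next character literal
        (RFC 4514), so cn=Smith\\, John keeps its comma instead of splitting."""
        parts, buf, i = [], [], 0
        while i < len(text):
            ch = text[i]
            if ch == "\\" and i + 1 < len(text):
                buf.append(text[i + 1])
                i += 2
                continue
            if ch == ",":
                parts.append("".join(buf))
                buf = []
            else:
                buf.append(ch)
            i += 1
        parts.append("".join(buf))
        rdns = []
        for part in parts:
            if "=" not in part:
                raise ValueError("malformed RDN: %r" % part)
            attr, value = part.split("=", 1)
            attr, value = attr.strip().lower(), value.strip()
            if not attr or not value:
                raise ValueError("empty attribute or value in %r" % part)
            rdns.append((attr, value))
        return cls(tuple(rdns))

    def leaf(self):
        """The object itself: the first RDN."""
        return self.rdns[0]

    def parent(self):
        """The container holding this object (everything after the leaf)."""
        return DistinguishedName(self.rdns[1:])

    def dns_domain(self):
        """Join the dc= components, root-most last, into a DNS domain name."""
        labels = [v for a, v in self.rdns if a == "dc"]
        if not labels:
            raise ValueError("DN has no domain components")
        return ".".join(labels)

    def upn(self):
        """username@domainname.  The cn is used as the user name here because
        that is what the text's example shows; real deployments may differ."""
        attr, value = self.leaf()
        if attr != "cn":
            raise ValueError("only cn= leaf objects get a UPN here, got %s=" % attr)
        return "%s@%s" % (value, self.dns_domain())

    def __str__(self):
        # Re-escape backslashes and commas so the string parses back identically.
        return ",".join("%s=%s" % (a, v.replace("\\", "\\\\").replace(",", "\\,"))
                        for a, v in self.rdns)


SAMPLE_DN = "cn=JSmith, ou=sales, dc=lucernepublishing, dc=com"  # from the text

if __name__ == "__main__":
    dn = DistinguishedName.parse(SAMPLE_DN)
    print("leaf:  ", dn.leaf())
    print("parent:", dn.parent())
    print("domain:", dn.dns_domain())
    print("UPN:   ", dn.upn())
```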

As discussed in the previous unit, DNS is an integral component in AD DS, representing the AD mechanism for name resolution.

In addition to the normal name-to-IP-address mapping function that we learned about in the previous unit, AD relies upon DNS to help clients locate AD services via SRV records. If DNS is not appropriately integrated with AD and a client cannot resolve an SRV record, it cannot authenticate and gain access to network resources.

Unit Learning Outcome(s) attached to this activity:

Describe AD Components

Course Objective(s) supported by this activity:

Configure Active Directory.

Explore Activity 3: AD Functional Levels

In-class Activity, Ungraded

Description:

Explain the following:

Ideally all servers in a Windows AD DS environment run the same version of Windows Server. Unfortunately, this is often impractical, particularly in large, distributed environments. Because of this, AD DS provides levels of interoperability among varying versions of Windows Server and AD DS, referred to as functional levels.

AD DS supports forest and domain functional levels for backwards compatibility with earlier versions of AD DS, effectively limiting the functionality of newer versions of AD DS to only support features supported by all of the DCs in an environment.

The following domain functional levels are supported in Windows Server 2008:

o Windows 2000 Native: Providing backwards compatibility with Windows 2000 DCs, while also supporting 2003 and 2008.

o Windows Server 2003: Supporting only 2003 and 2008 DCs.

o Windows Server 2008: Only 2008 DCs supported.


o Note: Keep in mind that a Windows Server may be able to support roles in a domain other than DC, e.g., a Windows Server 2003 machine could provide print services in a Windows Server 2008 domain but not act as a DC.

See Table 1-2 in MOAC 70-640, page 13, for a matrix of domain functional levels.

Forest functional levels work like domain functional levels but, instead of applying just to a particular domain within a forest, apply to the entire forest.

Once all DCs in a particular domain or an entire forest meet the requirements, you can raise the domain or forest functional level to support newer AD features, e.g., raise a domain from Windows 2000 Native to Windows Server 2003 once all DCs are at a minimum of Windows Server 2003.

See Table 1-3 in MOAC 70-640, page 15, for a matrix of forest functional levels.

Activity:

Have the students review the matrices of AD functionality in tables 1-2 and 1-3 in MOAC 70-640 and discuss the possible business benefits for justifying a move to a higher domain/forest functional level.

Estimated Time: 20 minutes

Unit Learning Outcome(s) attached to this activity:

Explain AD Functional Levels

Course Objective(s) supported by this activity:

CO3. Configure Active Directory.

Key Concept: Configuring Active Directory

Explore Activity 4: AD Implementation

In-class Activity, Ungraded

Description:

Explain the following:

At a high level, implementing AD DS involves configuring the AD DS role on one or more servers in your environment and configuring the workstations to be members of the AD domain.

In order to install the AD DS role you must have:

o A version of Windows Server 2008 that supports AD DS: Standard Edition, Enterprise Edition or Datacenter Edition.

o An account with local administrative privileges for the local machine.

o An NTFS partition to hold the SYSVOL (used for storing Group Policy Objects, login scripts, etc).


o A minimum of 200 MB of space for ntds.dit.

o A minimum of 50 MB of space for the AD DS transaction log files.

o Properly configured TCP/IP.

o A DNS server supporting SRV Records.

To properly design and configure an AD DS implementation, it is important to know as much as you can about the proposed environment and about the AD components, so that you can accurately determine space and performance requirements, e.g., a user object in AD requires 3,600 bytes and an OU 1,100 bytes.

Some critical pieces of information are required to appropriately install AD DS:

o Local administrative credentials

o Domain controller type

o Domain name

o Locations for the database, log files and SYSVOL

o DNS information

o Directory Services Restore Mode (DSRM) password, used for disaster recovery.

o Installation media.

AD DS can be installed via Server Manager: Start, Server Manager, Roles, Add Roles. Choosing Active Directory Domain Services installs the role, following which you must use Server Manager or the dcpromo command to complete configuration of AD DS, which walks you through choosing the type of DC to configure, the domain name, DNS options and folder locations.

Following AD DS installation and configuration, you should verify that AD was installed and configured properly, particularly directory partitions and DNS functions.

Activity:

Have the students review the AD size requirements on page 24 of MOAC 70-640 and calculate the space requirements for an environment with 5,000 security principals, 50 OUs, 15 certificates and 15,000 ACEs.

Estimated Time: 20 minutes

Unit Learning Outcome(s) attached to this activity:

Install Active Directory Domain Services

Course Objective(s) supported by this activity:

Configure Active Directory.

Explore Activity 5: Configuring AD

In-class Activity, Ungraded

Description:

Explain the following:


Some of the configuration tasks in managing an AD DS environment include raising domain/forest functional levels, removing AD DS from a DC, installing and configuring Read-Only Domain Controllers (RODCs), managing the AD Schema and establishing Trust Relationships.

Following careful planning to ensure all DCs in an environment support a higher functional level, you can raise the domain and/or forest functional level to support the additional features of newer versions of AD DS. This task is accomplished via the AD Domains and Trusts Administrative Tool. Right-click a domain and select Raise Domain Functional Level, choosing the appropriate level. A warning will pop up reminding you that this is an irreversible action!

Removing AD from a DC can be accomplished using the dcpromo command (Start, type dcpromo in the search box and hit Enter). When you remove AD from a DC you are demoting it to a member server.

RODCs are, as the name implies, read-only, so no changes can be written directly from the RODC. This allows for greater security, particularly in a distributed environment such as a branch office where no admin is present.

The process of installing an RODC is initially the same as installing AD DS, until the point where you are prompted to choose the DC type. Select RODC, configure the appropriate password replication policy, delegation of authority and installation media.

As previously described, the AD Schema contains information about all of the available objects and their attributes for your AD environment. Over the lifetime of your AD DS implementation, schema updates may become available to support new object types or new attributes. You may also be called upon to implement customized schema objects to support unique organizational objects.

To manage the AD Schema, you must first install the Schema Management Snap-In: from a command prompt, type regsvr32 schmmgmt.dll to register the DLL, following which you can open an MMC and add the Active Directory Schema snap-in.

In AD, the ability to share resources across domains or forests is facilitated by Trust Relationships allowing for mutual authentication, loosely based on the notion that if I trust Bob and Bob trusts you, I can trust you. The trust types include:

o Shortcut Trusts: These simplify the “tree-walking” process for frequently accessed resources across a forest.

o Cross-Forest Trusts: Two-way transitive (transitive describes the trust relationship between you and me via Bob!) trusts between forests.

o External Trusts: One-way, non-transitive (just because Bob trusts you doesn’t mean I do!) trusts.

o Realm Trusts: AD trusts with a UNIX Kerberos environment.

Unit Learning Outcome(s) attached to this activity:

Configure Active Directory Domain Services

Course Objective(s) supported by this activity:

Configure Active Directory.

Apply Activity 1: Active Directory Design Scenario


Homework, Graded

Students will respond to the following scenario with design considerations and recommendations.

Facilitation

Give students the scenario below asking them to respond in detail, justifying their recommendations. Remind students that their job is to translate business requirements into technical answers/specifications.

You are an IT Administrator for a company implementing a new AD DS infrastructure. Develop a list of business-related questions that you will need answered in order to accurately design a domain hierarchy. Your job is to determine the number of DCs, geographical placement, number of domains/forests and OU design. What do you need to know to effectively accomplish this?

Unit Learning Outcome(s) attached to this activity:

Explain Active Directory Services
Understand AD Components
Explain AD Functional Levels
Install Active Directory Domain Services
Configure Active Directory Domain Services

Course Objective(s) supported by this activity:

Configure Active Directory.

Practice Activity 1: Company Merger Scenario

Homework, Graded

Students will respond to the following scenario with a list of detailed questions.

Facilitation

Give students the scenario below asking them to respond in detail, justifying their recommendations. Remind students that their job is to translate business requirements into technical answers/specifications.


As an IT Administrator, you have been tasked with designing the technical strategy for the merger of your company with another company. Develop a list of questions that you will need answered to effectively design a solution for allowing seamless sharing of information resources between the two companies. Your company has a single, Windows Server 2008 Functional-Level AD DS Forest. The new company has a directory service but that is all the information you have been given thus far.

Consider trust relationships, compatibility with other directory services (previous versions of Windows, other operating systems, etc).

Estimated Time: 100 min

Unit Learning Outcome(s) attached to this activity:

Determine the necessary information to design a solution in a merger scenario.

Course Objective(s) supported by this activity:

Configure Active Directory.

LAB PORTION

In-Class and Homework, Graded

Practice Activity 2: Creating a Replica Domain Controller

See the Lab Manual: Lab 3: Creating a Replica Domain Controller

Unit Summary:

This unit introduced the functions and associated benefits of Active Directory Domain Services and covered the installation and configuration of an AD DS environment, including AD components and common managerial tasks.


Unit 4: Working with Active Directory Sites

Course Objectives Covered by this Unit

CO3. Configure Active Directory.
CO4. Explain intrasite and intersite replication between the Windows Server 2008 machines.

Unit Learning Outcomes

Explain Active Directory Sites
Explain Active Directory Replication
Configure Active Directory Replication
Make recommendations in an AD Design Replication scenario.
Suggest a plan of action for troubleshooting replication.

Key Concepts

Understanding AD Sites and Replication
Configuring Replication
Managing Replication

Reading

Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 3 – Working with Active Directory Sites

Keywords

Use the following keywords to search for additional materials to support your work:

Intersite replication
Intersite Topology Generator (ISTG)
DCDiag
Remote Procedure Calls over IP (RPC over IP)
Simple Mail Transfer Protocol (SMTP)
Update Sequence Number (USN)


Learning Activities

THEORY PORTION

Key Concept: Understanding AD Sites and Replication

Explore Activity 1: Introduction to AD Sites

In-class Activity, Ungraded

Description:

Explain to students the following:

As discussed in the previous units, some of the benefits of Active Directory are fault-tolerance and redundancy. One of the mechanisms supporting this in AD is multimaster replication, which functionally keeps the AD Database (ntds.dit) synchronized between all Domain Controllers (DCs) in a domain and between domains in a Forest.

When designing and implementing an AD environment, it is important to make a distinction between the logical and physical components of a Domain/Forest. Servers acting as DCs, Sites (providing the boundaries and ability to manage replication) and WAN links facilitating data transmission represent physical components, while domain trees, OUs and forests represent logical components.

You generally manage the logical components of AD via the Active Directory Users and Computers console and the physical components via the Active Directory Sites and Services console.

During the initial installation of AD DS, a single site is automatically created called Default-First-Site-Name and the first Domain Controller is automatically placed within the servers folder under this site. You can use the AD Sites & Services console to edit and manage these settings.

Some important characteristics of AD Sites include:

o Sites are defined by IP subnets that are well-connected (fast and reliable intrasite network connectivity). In most cases an AD Site is synonymous with a single subnet, which in turn is synonymous with a single LAN.

o Multiple sites are connected via site links, facilitating intersite replication.

o AD Sites represent physical structure and are independent of AD logical structure, e.g., a single site can contain multiple domains.

Understanding sites and how they will replicate is possibly the most fundamental component of initial AD design. Once a site topology is created, domain controllers can be automatically placed in the corresponding site based on the IP address each is assigned (the network portion of the address). This is not a requirement, just a benefit of site design prior to DC deployment.

Unit Learning Outcome(s) attached to this activity:


Explain Active Directory Sites

Course Objective(s) supported by this activity:

Configure Active Directory.

Explain intrasite and intersite replication between the Windows Server 2008 machines.

Explore Activity 2: Understanding AD Replication

In-class Activity, Ungraded

Description:

Explain the following:

AD creates a replication topology to define how domain controllers in a forest and in individual domains should communicate with one another and what needs to be communicated.

Replication is triggered when an object is added or removed from AD, when the value of an attribute has changed and when the name of an object is changed.

Because AD is multimaster, changes can be made from any writeable DC. In order to accurately track changes from anywhere within the AD environment, each DC maintains a local value called an update sequence number (USN). When a change is made to an AD object or attribute, the USN is incremented, e.g., DC1 has a USN of 1000; a change is made to an object name and DC1 increments its USN to 1001, triggering an update to DC2; DC2 receives the update, updates its record of DC1's USN to 1001 and adds the changes to its copy of ntds.dit.

In addition to USN, each AD attribute has a version ID to keep track of how many times the attribute has changed. If the same attribute is modified on two DCs at the same time, AD will use the version ID as a tie-breaker with the higher value winning.

If the version IDs are equal, AD next uses the time-stamp of the modification, with the later time-stamp winning. This is one reason that time synchronization is important in an AD environment.

When all DCs in an AD environment agree and have the most up to date information in ntds.dit the environment is converged. The time it takes to reach this state is called convergence.
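As an added example (not from the guide or from MOAC), the Python below models the mechanics described above with two constructed DCs: each originating write bumps the DC's USN, a partner remembers the highest USN it has seen from each source so it only pulls newer changes, and a concurrent edit to one attribute is settled by version first and time-stamp second. The final tie-breaker on the originating DC's identity is not in the text; it is standard AD behaviour, modelled here with the DC name.

```python
"""Model of AD DS change tracking and conflict resolution: per-DC update
sequence numbers (USNs), the highest-USN-seen bookkeeping a partner keeps,
and version-then-timestamp resolution of conflicting attribute writes.
Added example with constructed DC names and objects; a model of the text,
not AD's implementation."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AttrStamp:
    """Replication metadata carried with one attribute value."""
    value: str
    version: int        # incremented on every change to this attribute
    timestamp: float    # originating write time (why clocks must be in sync)
    origin: str         # DC where the write originated


@dataclass
class DomainController:
    name: str
    usn: int = 1000
    store: dict = field(default_factory=dict)       # (object, attr) -> AttrStamp
    watermarks: dict = field(default_factory=dict)  # partner -> highest USN seen
    outbound: list = field(default_factory=list)    # (usn, object, attr, stamp)

    def write(self, obj, attr, value, timestamp):
        """Originating write: bump the attribute version and this DC's USN."""
        old = self.store.get((obj, attr))
        version = old.version + 1 if old else 1
        stamp = AttrStamp(value, version, timestamp, self.name)
        self.store[(obj, attr)] = stamp
        self.usn += 1
        self.outbound.append((self.usn, obj, attr, stamp))
        return self.usn

    def replicate_from(self, partner):
        """Pull only changes newer than the partner USN we last recorded."""
        seen = self.watermarks.get(partner.name, 0)
        applied = 0
        for usn, obj, attr, stamp in partner.outbound:
            if usn <= seen:
                continue
            if self._should_apply(self.store.get((obj, attr)), stamp):
                self.store[(obj, attr)] = stamp
                applied += 1
            seen = usn
        self.watermarks[partner.name] = seen
        return applied

    @staticmethod
    def _should_apply(local, incoming):
        if local is None:
            return True
        if incoming.version != local.version:      # higher version wins
            return incoming.version > local.version
        if incoming.timestamp != local.timestamp:  # later timestamp wins
            return incoming.timestamp > local.timestamp
        # Beyond the text: AD breaks a full tie on the originating DC's GUID.
        # The DC name stands in for it so the outcome is deterministic.
        return incoming.origin > local.origin


def converged(*dcs):
    """True when every DC holds identical attribute stamps."""
    return all(dc.store == dcs[0].store for dc in dcs)


def run_scenario():
    """Text's example (a rename moves DC1 from USN 1000 to 1001) followed by a
    constructed conflict: both DCs edit the same attribute before replicating."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write("JSmith", "displayName", "John Smith", timestamp=100.0)
    dc2.replicate_from(dc1)                 # DC2 now records DC1's USN as 1001
    dc1.write("JSmith", "title", "Sales Rep", timestamp=200.0)
    dc2.write("JSmith", "title", "Account Manager", timestamp=205.0)
    dc2.replicate_from(dc1)                 # same version, earlier stamp: rejected
    dc1.replicate_from(dc2)                 # same version, later stamp: accepted
    return dc1, dc2


if __name__ == "__main__":
    a, b = run_scenario()
    print("DC1 USN", a.usn, "DC2 USN", b.usn, "DC2 sees DC1 at", b.watermarks["DC1"])
    print("title on both:", a.store[("JSmith", "title")].value, converged(a, b))
```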

As previously described, a site is generally defined as a subnet/LAN with reliable, fast network connectivity. This makes intrasite replication (replication between DCs in the same site) generally stable, quick and efficient. Because intersite replication (replication between DCs in different sites) often traverses WAN links, which are slower and less reliable, intersite replication requires more careful design.

To facilitate successful intrasite replication, AD provides a service called the Knowledge Consistency Checker (KCC), which automates much of the configuration of intrasite replication and can automatically respond to changes in an AD environment.

The KCC is responsible for managing which DCs replicate with which DCs, automatically selecting replication partners for each DC, creating one or more connection objects between each DC and its replication partner/s.


The KCC automatically analyzes the AD environment every 15 minutes and attempts to make the most efficient use of connections, minimizing the delay (latency) in propagation of information through the AD environment, utilizing dual counter-rotating ring replication paths, creating additional connection objects whenever needed to ensure no more than three hops exist between DCs for replication, and using change notification to inform other DCs when changes need to be replicated.

Activity:

Have students open the AD Sites and Services MMC Snap-In and explore the configuration options, view NTDS Settings, etc.

Estimated Time: 20 minutes

Unit Learning Outcome(s) attached to this activity:

Explain Active Directory Replication

Course Objective(s) supported by this activity:

Explain intrasite and intersite replication between the Windows Server 2008 machines.

Key Concept: Configuring Replication

Explore Activity 3: Configuring AD Intersite Replication

In-class Activity, Ungraded

Description:

Explain the following:

Since AD Sites represent the physical topology of your environment, it is generally best practice to name your sites according to physical location.

For site-to-site (intersite) replication to occur, you must create site links (logical, transitive connections between sites), which mirror routed connections between networks.

The Intersite Topology Generator (ISTG) is a process that is responsible for creating a replication topology in a multi-site environment, automatically selecting a bridgehead server (the gatekeeper in each site, responsible for managing site-to-site replication).

Site links have the following characteristics:

o They connect two sites using the same protocol.

o They are defined manually, with the exception of the DEFAULTIPSITELINK created automatically at AD installation.

o They correspond to WAN links connecting sites.


As we learned previously, sites represent a single subnet/LAN that is well-connected. This implies that intersite connectivity may not be well-connected! As such, one of the chief goals of intersite replication is minimizing the use of bandwidth, utilizing compression of data and parameters for controlling replication, including:

o Cost: An administrator can assign a cost to a site link to give it priority relative to other site links. The default value is 100, with acceptable values in the range of 1 to 99,999. The lower the number, the higher the priority.

o Schedule: An administrator can determine the schedule during which a particular site link is available for replication.

o Frequency: During scheduled available times, the site link’s frequency determines how often replication can occur.

When designing an AD Site Topology, it is important to consider the balance between performance considerations and convergence.
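As an added example (not from the guide or from MOAC), the Python below models site links with the cost parameter just described (default 100, valid 1 to 99,999, lower preferred) and, because site links are transitive, finds the cheapest chain of links between two sites, which is how a high cost steers replication away from a slow link. It also admits links holding more than two sites, as AD allows; the text describes the two-site case. Site and link names are constructed.

```python
"""Model of AD site links and link cost: replication between two sites that
share no direct link flows over the lowest-cost chain of transitive links.
Added example with a constructed topology; a model of the text, not a reading
of a real directory."""
import heapq

DEFAULT_COST = 100
COST_MIN, COST_MAX = 1, 99_999


class SiteTopology:
    def __init__(self):
        self.links = {}   # link name -> (frozenset of sites, cost)

    def add_link(self, name, sites, cost=DEFAULT_COST):
        """A site link joins two or more sites at one cost (AD allows more than
        two sites per link; the text describes the two-site case)."""
        if len(sites) < 2:
            raise ValueError("a site link needs at least two sites: %s" % name)
        if not COST_MIN <= cost <= COST_MAX:
            raise ValueError("cost %d outside %d..%d" % (cost, COST_MIN, COST_MAX))
        self.links[name] = (frozenset(sites), cost)

    def neighbours(self, site):
        """Yield (other_site, cost, link_name) for every link containing site."""
        for name, (sites, cost) in self.links.items():
            if site in sites:
                for other in sites:
                    if other != site:
                        yield other, cost, name

    def cheapest_path(self, src, dst):
        """Dijkstra over link costs.  Returns (total_cost, [links traversed]),
        or (None, []) when the sites are not connected.  The lowest total cost
        is the route replication is preferred to take."""
        best = {src: 0}
        queue = [(0, src, [])]
        visited = set()
        while queue:
            cost, site, path = heapq.heappop(queue)
            if site in visited:
                continue
            visited.add(site)
            if site == dst:
                return cost, path
            for other, link_cost, name in self.neighbours(site):
                new_cost = cost + link_cost
                if other not in best or new_cost < best[other]:
                    best[other] = new_cost
                    heapq.heappush(queue, (new_cost, other, path + [name]))
        return None, []


def build_sample():
    """Constructed topology: a main office, two branches, and a slow backup link
    priced so high that it is only used when nothing cheaper exists."""
    topo = SiteTopology()
    topo.add_link("Main-Branch1", {"Main", "Branch1"}, cost=DEFAULT_COST)
    topo.add_link("Main-Branch2", {"Main", "Branch2"}, cost=500)
    topo.add_link("Branch1-Branch2-Backup", {"Branch1", "Branch2"}, cost=5000)
    return topo


if __name__ == "__main__":
    topo = build_sample()
    # Branch1 to Branch2 goes through Main (600) rather than the 5000 backup link.
    print(topo.cheapest_path("Branch1", "Branch2"))
```

Remove the two Main links from the sample and the same call falls back to the backup link at cost 5000, which is the behaviour a deliberately expensive standby link is meant to have.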

Activity:

Have the students review the AD size requirements on page 24 of MOAC 70-640 and the calculations from the previous activity in Unit 3 (5,000 security principals, 50 OUs, 15 certificates and 15,000 ACEs), discussing the relative impact of replication in the proposed environment via ISDN lines versus T1 lines.

Estimated Time: 40 minutes

Unit Learning Outcome(s) attached to this activity:

Configure Active Directory Replication

Course Objective(s) supported by this activity:

Explain intrasite and intersite replication between the Windows Server 2008 machines.

Key Concept: Managing Replication

Explore Activity 4: Managing AD Replication

In-class Activity, Ungraded

Description:

Explain the following:

AD replication supports two different protocols: RPC over IP and SMTP. Remote Procedure Calls (RPC) over IP is the default for intrasite and intersite replication. The RPC component is widely used for communication between network services, with IP handling addressing and routing.


Simple Mail Transfer Protocol (SMTP) provides a solution for replication over very slow or unreliable intersite links. It uses asynchronous replication (each transaction does not have to complete before another can start), but it provides limited replication functionality (it cannot replicate domain directory partitions), cannot be scheduled, and requires an Enterprise Certificate Authority to sign SMTP messages to ensure security.

To minimize impact on intersite links, AD designates a bridgehead server in each site. Imagine a site in San Francisco with three DCs and another site in New York with five DCs. All DCs in each site communicate with one another (intrasite replication), but there is no need for all DCs in SF to communicate with NY. It is only necessary for one DC in each site to communicate with a DC in the other site. These are called bridgehead servers and are responsible for communicating between sites and then replicating the site-to-site data within their own site.

The ISTG automatically assigns a bridgehead server in each site, though an administrator can manually set a preferred bridgehead server/s to accommodate specific situations and needs.

Because intersite replication utilizes compression of data, it is important that bridgehead servers have adequate physical resources to accomplish compression/decompression.

Any errors that occur during AD replication are logged to the Directory Service log in Event Viewer on each DC. It is important to monitor these events regularly.

Although replication occurs automatically or on the defined schedule, it can be manually forced to propagate changes or to troubleshoot issues: go to AD Sites and Services, expand Sites, drilling down to the site for which you want to force replication, click NTDS Settings in the console tree, right-click the connection in the details pane and select Replicate Now.

Other than observing object/attribute changes in AD on different DCs, you can monitor replication using dcdiag and repadmin:

o Dcdiag: A command-line tool which can be used to perform connectivity tests, report errors and analyze permissions and the state of DCs in a domain.

o Repadmin: A command-line tool that can be used to view the replication topology or manually configure a replication topology, force replication and view replication metadata.

Activity:

Have the students open a command prompt on a Windows Server 2008 DC and view the command parameters for dcdiag (dcdiag /?) and repadmin (repadmin /?).

Estimated Time: 20 minutes

Unit Learning Outcome(s) attached to this activity:

Configure Active Directory Replication

Course Objective(s) supported by this activity:

Explain intrasite and intersite replication between the Windows Server 2008 machines.

LAB PORTION

Practice Activity 1: Working with Active Directory Sites


See the Lab Manual: Lab 3: Working with Active Directory Sites

Homework, Graded

Apply Activity 1: AD Design Replication Scenario

Homework, Graded

Students will respond to the following scenario with design considerations and recommendations.

Facilitation

Give students the scenario below, asking them to respond in detail with recommendations for site-link transport (IP or SMTP), replication schedule and frequency, and whether redundant links to each branch can be recommended and justified.

You are an IT administrator for a company with an existing AD Forest. The company is adding two new branch offices and you have been tasked with designing a replication strategy prior to DC deployment.

Branch1 will be connected to the Main Office via a pair of bonded T1 lines and will contain a Call Center with high employee turnover.

Branch2 will be in a very remote location and will be connected to the Main Office via a 56k POTS line.

Unit Learning Outcome(s) attached to this activity:

Make recommendations in an AD Design Replication scenario.

Course Objective(s) supported by this activity:

Configure Active Directory.

Explain intrasite and intersite replication between the Windows Server 2008 machines.

Practice Activity 2: Site-to-Site Connectivity Scenario

Homework, Graded

Students will respond to the following scenario with practical steps and/or a recommended approach to the problem.

Facilitation


A junior IT administrator has been tasked with troubleshooting problems with intersite AD replication. Respond to his inquiry with a suggested approach and any recommendations for troubleshooting:

To: IT Admin

I am troubleshooting replication between the Main Office and Branch Office 1. It seems that changes to user object attributes take a very long time to propagate, or do not propagate at all. I am not sure when replication is supposed to occur and have no idea where to begin testing. Do you have any recommendations, or any suggested steps to help me narrow down the problem? Thank you!

Junior Admin

Estimated Time: 100 min

Unit Learning Outcome(s) attached to this activity:

Suggest a plan of action for troubleshooting replication.

Course Objective(s) supported by this activity:

Configure Active Directory.

Explain intrasite and intersite replication between the Windows Server 2008 machines.

Unit Summary:

This unit introduced Active Directory Sites, their function and how they are created and administered. It also covered replication, the process and how replication can be managed and monitored.


Unit 5: Global Catalog and Flexible Single Master Operations (FSMO) Roles

Course Objectives Covered by this Unit
CO3. Configure Active Directory.
CO4. Explain intrasite and intersite replication between the Windows Server 2008 machines.
CO5. Configure Universal Group Membership Caching
CO6. Transfer and seize FSMO roles.

Unit Learning Outcomes
Explain the functions of a Global Catalog Server
Explain the FSMO Roles
Plan FSMO Role Holders
Maintain FSMO Roles
Determine the necessary information for the development of an FSMO/GC implementation plan.
Determine the best tools for determining FSMO roles.
Develop a plan for the failure of a role holder.

Key Concepts

The Global Catalog
Understanding FSMO Roles
Configuring FSMO Roles
Transferring/Seizing FSMO Roles

Reading

Windows Server 2008 Active Directory Configuration MOAC 70-640 Lesson 4 Global Catalog and Flexible Single Master Operations (FSMO) Roles

Keywords

Use the following keywords to search for additional materials to support your work:

Domain Naming Master
Primary Domain Controller (PDC) Emulator
Relative Identifier (RID)
Universal Group Membership Caching
Security Identifier (SID)


Learning Activities

THEORY PORTION

Key Concept: The Global Catalog

Explore Activity 1: Introduction to the Global Catalog

In-class Activity, Ungraded

Description:

Explain to students the following:

The Global Catalog (GC) is a key component of Active Directory. By default, the first Domain Controller (DC) installed in the forest root domain is a GC. A GC holds a full, writable copy of every object in its own domain, plus a read-only partial replica of every object from every other domain in the forest; the subset of attributes replicated for those objects is the partial attribute set (PAS).

Any and all DCs in an Active Directory environment can be configured to function as a GC server depending on the needs of the environment.

The four primary functions of the Global Catalog in Active Directory are:
o Facilitating forest-wide searches: An AD search sent to TCP port 3268 (3269 for LDAP over SSL) is directed to a GC, which can answer for every domain in the forest from its partial replicas.
o User Principal Name (UPN) resolution: As discussed in previous units, a UPN allows a user to log in with a standardized naming convention, often matching the user's email address. Because a UPN does not tell the authenticating DC which domain the account belongs to, a logon using a UPN is resolved by querying a GC.
o Maintaining Universal Group membership information: Universal Groups can be used to assign permissions for any resource in the forest, as opposed to domain local or global groups, whose memberships are stored at the domain level. Universal group membership is stored only in the GC, which is why a DC must contact a GC during logon to build a complete access token.
o Maintaining a copy of all objects in the domain: A GC server contains a copy of its own naming context (NC, an AD partition) as well as the PAS for every other domain NC in the forest.

Particularly in distributed sites, performance load and network bandwidth utilization are key considerations for where to place GC servers. To improve performance and minimize bandwidth utilization, Windows Server 2003 and 2008 support Universal Group Membership Caching (UGMC). When a user logs on at a site without a GC server, the GC is queried once and the user's universal group membership is cached on the local DC, so subsequent logons do not require contact with a GC. By default the cache is refreshed from a GC every eight hours; until the next refresh, a user removed from a universal group can still receive that group in an access token at a caching site, so UGMC trades freshness of authorization data for bandwidth.
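The GC functions above, as an added PowerShell example (not from the course guide or MOAC): it lists the forest's GC servers, runs a forest-wide UPN lookup through a GC on port 3268, and reads each site's Universal Group Membership Caching flag. It uses only .NET's System.DirectoryServices, so it runs on Server 2008 without the ActiveDirectory module; it assumes a domain-joined machine, and the UPN in the usage line is a placeholder. The UGMC check relies on bit 0x20 of the options attribute on each site's NTDS Site Settings object, which is the attribute the Sites and Services check box sets.

```powershell
# Added example: Global Catalog servers, a forest-wide search on TCP 3268, and the
# Universal Group Membership Caching flag per site. Uses only .NET's
# System.DirectoryServices, so it runs on Server 2008 without the AD module.
# Assumes a domain-joined machine; the UPN in the usage line is a placeholder.

Add-Type -AssemblyName System.DirectoryServices

function Get-GlobalCatalogServer {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($gc in $forest.GlobalCatalogs) {
        New-Object PSObject -Property @{
            Name = $gc.Name; Site = $gc.SiteName; IPAddress = $gc.IPAddress
        }
    }
}

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory=$true)][string]$Value)
    # RFC 4515 escaping: a caller-supplied value must not be able to change the
    # filter's structure (e.g. "*" or ")(objectClass=*" typed as a user name).
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Find-ForestUserByUpn {
    param([Parameter(Mandatory=$true)][string]$Upn)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    # FindGlobalCatalog() uses the DC locator; GetDirectorySearcher() binds to that
    # GC on port 3268, so the query spans every domain partition in the forest.
    $searcher = $forest.FindGlobalCatalog().GetDirectorySearcher()
    $searcher.Filter = '(&(objectCategory=person)(userPrincipalName={0}))' -f (ConvertTo-LdapFilterValue $Upn)
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $r = $searcher.FindOne()
    if ($r -ne $null) {
        New-Object PSObject -Property @{
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
        }
    }
}

function Get-UgmcStatus {
    # Bit 0x20 in the "options" attribute of each site's NTDS Site Settings object is
    # what the "Enable Universal Group Membership Caching" check box sets.
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $sites = [ADSI]"LDAP://CN=Sites,$configNc"
    foreach ($site in $sites.Children) {
        if ($site.SchemaClassName -ne 'site') { continue }
        $settings = [ADSI]"LDAP://CN=NTDS Site Settings,$($site.distinguishedName)"
        $options = 0
        if ($settings.options -ne $null) { $options = [int]$settings.options }
        New-Object PSObject -Property @{
            Site        = [string]$site.name
            UgmcEnabled = (($options -band 0x20) -ne 0)
        }
    }
}

Get-GlobalCatalogServer | Format-Table -AutoSize
Find-ForestUserByUpn -Upn 'jsmith@corp.example.com'
Get-UgmcStatus | Format-Table -AutoSize
```

The escaping helper is the part most scripts skip: any value that comes from a user or a ticket and is pasted into an LDAP filter can otherwise widen the search (a lone * matches every account in the forest), which matters more against a GC than against a single domain.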

Unit Learning Outcome(s) attached to this activity:

Explain the functions of a Global Catalog Server


Course Objective(s) supported by this activity:

Configure Active Directory.

Key Concept: Understanding FSMO Roles

Explore Activity 2: Introduction to Flexible Single Master Operations (FSMO) Roles

In-class Activity, Ungraded

Description:

Explain the following:

As previously discussed, Active Directory is a multimaster database, meaning that changes can be made from any writeable DC in the environment, following which all changes are replicated throughout the environment, ensuring a consistent and up-to-date AD. Although AD uses multiple methods to resolve conflicts (timestamps, version numbers), there are some critical AD functions that require an extra measure of protection against possible duplication or error and are better suited to a single-master model. AD uses Flexible Single Master Operations (FSMO) roles to handle these functions.

In a smaller environment, all FSMO roles can reside on a single DC. In larger environments, they can be distributed to multiple DCs.

There are five FSMO roles, two of which support forest-wide functionality and three of which support domain-wide functionality:
o Relative Identifier (RID) Master: This domain-specific role hands out pools of relative identifiers to the DCs in the domain. Every security principal (user, group or computer) receives a SID made of the domain SID plus a RID, and the creating DC takes that RID from its local pool. If a DC exhausts its pool and the RID Master is unavailable, that DC can no longer create security principals.
o Infrastructure Master: This domain-specific role updates references from objects in its domain to objects in other domains (for example, group members from another domain) as those objects are renamed or moved.
o Primary Domain Controller (PDC) Emulator: This domain-specific role provides backward compatibility with Windows NT 4.0 domains, receives preferential replication of password changes, processes account lockouts and is the authoritative time source for the domain.
o Domain Naming Master: This forest-wide role has the authority to add and remove domains, domain trees and application directory partitions.
o Schema Master: This forest-wide role is the only DC on which AD schema changes can be written.

As the name implies (Flexible Single-Master Operations roles), there is only one DC holding each role per domain (for the three domain-wide roles) or per forest (for the two forest-wide roles).

Activity:

Have students discuss the relative impact of each FSMO role becoming unavailable in an AD environment.


Estimated Time: 20 minutes

Unit Learning Outcome(s) attached to this activity:

Explain the FSMO Roles

Course Objective(s) supported by this activity:

Configure Active Directory.

Explain intrasite and intersite replication between the Windows Server 2008 machines.

Key Concept: Configuring FSMO Roles

Explore Activity 3: Understanding FSMO Role Placement

In-class Activity, Ungraded

Description:

Explain the following:

When the first DC is installed in a new forest, it must contain all five FSMO roles in addition to functioning as a Global Catalog Server. As the forest grows and additional DCs are installed, some of these roles can be transferred to other DCs to distribute the performance load and provide some fault tolerance.

When creating a new child domain within an existing forest, the first DC in the child domain must contain the three domain-specific FSMO roles (PDC Emulator, RID Master and Infrastructure Master).

Some considerations for placement of FSMO roles include:
o Schema Master should be placed on a highly available DC, as all schema changes require the availability of this role.
o Domain Naming Master can co-exist with the Schema Master role and a Global Catalog server, which is suitable for a smaller environment.
o PDC Emulator should be placed on a highly available DC, as it supports critical processes including logon of down-level clients, password-change replication and time synchronization. Best practice is to separate this role from Global Catalog server functionality.
o RID Master should be placed in proximity to the DCs where most AD objects are created, as these DCs will be the largest consumers of RIDs. Best practice is to combine this role with the PDC Emulator role.
o Infrastructure Master is perhaps the least critical FSMO role. Best practice is to place it on a DC that is not a GC server but in the same site as a GC server: if it sits on a GC it never sees a stale cross-domain reference, so it never updates anything. The exception is a single-domain forest, or one in which every DC is a GC, where the role has nothing to do and its placement does not matter.

When planning for FSMO role placement, it is important to consider the number of domains in the forest, the physical structure of the network (sites, site connectivity) and the total number of DCs in each domain.


Activity:

Have the students review Table 4-3 in MOAC 70-640 and the corrective actions for each FSMO role failure.

Estimated Time: 20 minutes

Unit Learning Outcome(s) attached to this activity:

Planning FSMO Role Holders

Course Objective(s) supported by this activity:

Configure Active Directory.

Explain intrasite and intersite replication between the Windows Server 2008 machines.

Key Concept: Transferring/Seizing FSMO Roles

Explore Activity 4: Managing FSMO Roles

In-class Activity, Ungraded

Description:

Explain the following:

Whether planned or unplanned, there will invariably be times when an FSMO role becomes unavailable: a DC needs to be decommissioned, site-to-site connectivity fails, the needs of the organization change, or a DC fails.

As certain functions of AD require these FSMO Roles, when a role becomes unavailable the role must be transferred or seized:

o Role transfer is the preferred method but requires the availability of the DC currently holding the role.
o Role seizure is your only choice if the DC currently holding the role is no longer available.

Before moving a role, planned or unplanned, it is important to know where the roles currently reside. You can view and change (transfer) the three domain-wide roles via the Active Directory Users and Computers snap-in (right-click the domain, All Tasks, Operations Masters).

To view and change (transfer) the Domain Naming Master role, open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts in the console tree and select Operations Master.

Viewing and changing (transferring) the Schema Master role requires registering schmmgmt.dll (regsvr32 schmmgmt.dll), adding the Active Directory Schema snap-in to an MMC console, right-clicking Active Directory Schema and selecting Change Operations Master; membership in Schema Admins is required.

To seize an FSMO role, use the ntdsutil command-line tool. When using this tool, ntdsutil will first attempt to transfer the role (if the previous role holder is reachable); failing this it will force seizure. Seizure is one-way: the former holder still believes it owns the role. For the Schema Master, Domain Naming Master and RID Master, the former holder must never be returned to the network; rebuild it before it comes back, otherwise two DCs claim the role and, for the RID Master, can hand out overlapping RID pools and therefore duplicate SIDs. The PDC Emulator and Infrastructure Master can be seized more freely, and the role is simply transferred away from the old holder when it returns.
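The procedure above, as an added PowerShell example (not from the course guide or MOAC): it records the current role holders and GC servers, cross-checks them with netdom and dcdiag, and wraps ntdsutil so a transfer or seizure is an explicit, confirmed command. It assumes Domain Admins for the domain roles and Enterprise Admins or Schema Admins for the forest roles; the DC names are placeholders, and the ntdsutil role names are the Windows Server 2008 spellings.

```powershell
# Added example: record the FSMO role holders and GCs, cross-check with the in-box
# tools, and transfer or seize a role through ntdsutil. Assumes Domain Admins for
# the domain roles, Enterprise Admins / Schema Admins for the forest roles, and
# that the target DC name is a placeholder.

Add-Type -AssemblyName System.DirectoryServices

function Get-FsmoRoleHolder {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $gcs = @()
    foreach ($gc in $forest.GlobalCatalogs) { $gcs += $gc.Name }
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaRoleOwner.Name      # forest-wide
        DomainNamingMaster   = $forest.NamingRoleOwner.Name      # forest-wide
        PdcEmulator          = $domain.PdcRoleOwner.Name         # domain-wide
        RidMaster            = $domain.RidRoleOwner.Name         # domain-wide
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
        GlobalCatalogs       = [string]::Join(', ', [string[]]$gcs)
    }
}

function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='High')]
    param(
        # ntdsutil role names as used by Windows Server 2008 (2003 said "domain naming master").
        [Parameter(Mandatory=$true)]
        [ValidateSet('schema master', 'naming master', 'PDC', 'RID master', 'infrastructure master')]
        [string]$Role,
        [Parameter(Mandatory=$true)][string]$TargetDc,
        [switch]$Seize
    )
    $verb = 'transfer'
    if ($Seize) { $verb = 'seize' }
    if ($PSCmdlet.ShouldProcess($TargetDc, "$verb $Role")) {
        # Each argument is one ntdsutil menu command. "seize" first tries a transfer
        # and only forces the role if the current holder cannot be reached; both
        # verbs still pop up a confirmation dialog on the console.
        ntdsutil 'roles' 'connections' "connect to server $TargetDc" 'quit' "$verb $Role" 'quit' 'quit'
    }
}

# Document the current holders, then cross-check with the in-box tools.
$before = Get-FsmoRoleHolder
$before | Format-List
netdom query fsmo                        # same five roles, from the command line
dcdiag /test:knowsofroleholders /v       # every DC's view of who holds each role

# Planned move: transfer the PDC Emulator to DC02 (prompts for confirmation).
Move-FsmoRole -Role 'PDC' -TargetDc 'DC02.corp.example.com'

# Unplanned: seize only when the old holder is gone for good, and never bring the
# former holder of a seized Schema, Naming or RID role back online; rebuild it.
# Move-FsmoRole -Role 'RID master' -TargetDc 'DC02.corp.example.com' -Seize
```

Keep the output of Get-FsmoRoleHolder with the change record: after a seizure, the dcdiag KnowsOfRoleHolders test is the quickest way to confirm that every DC has replicated the new owner and none still points at the dead one.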


Unit Learning Outcome(s) attached to this activity:

Maintaining FSMO Roles

Course Objective(s) supported by this activity:

Transfer and seize FSMO roles.

LAB PORTION

Practice Activity 1: Lab (TBD)

In-Class Activity, Graded

See the Lab Manual: Lab 5

Estimated Time: 100 minutes

Apply Activity 1: AD Design Scenario - FSMO Role & GC Placement

Homework, Graded

Students will respond to the following scenario with a list of 5 to 10 questions.

Facilitation

Give students the scenario below asking them to consider what information they would need to develop an FSMO/GC implementation plan for a new AD Forest.

You are an IT consultant for a newly forming company and have been asked to design an Active Directory Forest implementation. Your immediate task is to designate where the FSMO Roles and Global Catalog Servers will be placed in the new environment. Develop a list of 5 to 10 questions you will need answered in order to determine the most appropriate locations for the FSMO Role Holders and GCs.

Unit Learning Outcome(s) attached to this activity:

Determine the necessary information for the development of an FSMO/GC implementation plan.

Course Objective(s) supported by this activity:

Configure Active Directory.

Explain intrasite and intersite replication between the Windows Server 2008 machines.

Configure Universal Group Membership Caching

Transfer and seize FSMO roles.

Practice Activity 2: AD FSMO Role Management Research: Alternate Methods

Homework, Graded

Students will respond to the following scenario with practical steps and/or a recommended approach to the problem.

Facilitation

A junior IT administrator has been tasked with documenting current FSMO Role Holders and GC Servers, as well as documenting procedures for responding to FSMO Role unavailability:

To: IT Admin

I need to determine which DCs currently hold which roles and determine which DCs are Global Catalog Servers. I also need to develop a plan for failure of a role holder. I know there are multiple ways to accomplish this task but I'm not sure of the best tools for any given scenario. Would you use ntdsutil or MMC Snap-ins? What about dcdiag? Any advice or suggestions would be appreciated!

Junior Admin

Estimated Time: 100 min

Unit Learning Outcome(s) attached to this activity:

Determine the best tools for determining FSMO roles.

Develop a plan for the failure of a role holder.

Course Objective(s) supported by this activity:

Transfer and seize FSMO roles.

Unit Summary:

This unit introduced the Global Catalog Server and its functionality in Active Directory Services. Active Directory Flexible Single-Master Operations (FSMO) Roles and their functionality were described, as well as the mechanisms for moving FSMO Roles in an AD environment.


Unit 6: Active Directory Administration

Course Objectives Covered by this Unit
CO3. Configure Active Directory.
CO9. Use different methods to maintain and troubleshoot Active Directory servers.

Unit Learning Outcomes
Explain user account types and functions
Analyze group types and scopes
Explain default and special ID groups
Create users, computers and groups
Recommend a strategy for creating groups.
Recommend a strategy for creating user accounts.

Key Concepts

User and Group Accounts
Built-in and Special Identity Groups
Creating AD Objects

Reading

Windows Server 2008 Active Directory Configuration MOAC 70-640 Lesson 5 Active Directory Administration

Keywords

Use the following keywords to search for additional materials to support your work:

Comma-Separated Value Directory Exchange (CSVDE)
Global Group
Local Group
LDAP Data Interchange Format (LDIF)
Security Account Manager (SAM)
Windows Script Host (WSH)


Learning Activities

THEORY PORTION

Key Concept: User and Group Accounts

Explore Activity 1: Understanding User Accounts in AD

In-class Activity, Ungraded

Description:

Explain to students the following:

User Accounts are perhaps the most basic and useful AD object, used as the primary means for users (people) to access network resources (computers, data, printers, etc). Defining valid users and a means by which to verify that a user is who they say they are is the first step in providing access to resources in the Active Directory environment.

The combination of a valid user account and a known value, commonly a password, serve to confirm a user’s identity (authentication). Once a user’s identity is established, AD can then allow or deny access to specific resources based on the privileges assigned to the user (authorization).

There are three types of user accounts in Windows Server 2008:
o Local Accounts: These provide access to resources on the local computer and are stored in the Security Account Manager (SAM) database on that computer.
o Domain Accounts: These provide access to Active Directory domain resources and are stored in the AD database for use throughout the AD environment.
o Built-in User Accounts: These are created automatically and can be local or domain accounts, depending on whether the server is standalone or part of an AD domain. Two examples of built-in accounts are the Administrator and Guest accounts. The local Administrator account has full control of the local computer, as the domain Administrator account has full control of the domain. The Guest account is used to provide temporary access for a user without an account of their own; it is disabled by default and, if it is to be used at all, should be renamed and given a password.

Some basic best practices for managing the security of user accounts include:
o Rename the Administrator account: The Administrator account is a built-in account and, as such, is widely known to exist in a default Windows Server configuration. Because this account has a high level of privilege and is so commonly known, it is a good idea to rename it to something not easily guessed. Renaming only removes the obvious name; the account keeps its well-known RID (500), so treat renaming as a small obstacle rather than a protection.
o Set a strong password: This is good practice for any account but particularly for those with high privileges, such as the Administrator account. The password should be long (at least seven characters, the Windows Server 2008 default minimum password length; considerably longer is better for privileged accounts) and complex (mixing upper- and lower-case letters, numbers and special characters).
o Limit knowledge of administrator passwords: The fewer people who know a privileged password, the smaller the risk of a breach and the easier it is to trace misuse.
o Do not use the Administrator account for daily, non-administrative tasks: Least privilege is good practice, meaning grant and use only the minimal privileges required to accomplish a task.

Unit Learning Outcome(s) attached to this activity:

Explain User Account types and functions

Course Objective(s) supported by this activity:

Configure Active Directory.

Explore Activity 2: Understanding Group Accounts in AD

In-class Activity, Ungraded

Description:

Explain the following:

In Active Directory, Groups can be used to assign the same set of permissions to multiple users simultaneously, eg instead of assigning rights to the HR folder to each member of the HR Department, an HR Group can be created, assigning rights to the group and placing HR Staff in the Group.

When users authenticate to AD, an access token is created identifying the user and all of the groups the user’s account is a member of, collectively granting or denying resource access (authorization).

Groups can also contain other groups, which is called group nesting. Groups in AD have a type (how the group can be used) and a scope (where the group can be used and what it can contain):

Group types are distribution groups (non-security groups, commonly used for email distribution lists; they are not security-enabled, so they cannot be granted permissions or appear in a user's access token) and security groups (used for granting resource-access permissions). Group scopes in AD include:
o Domain Local Groups: Can contain user and computer accounts, global groups and universal groups from any domain in the forest, and domain local groups from the same domain. Domain local groups are used to assign permissions to resources that reside in the same domain as the group.
o Global Groups: Can contain user and computer accounts and global groups from the same domain only. Global groups can be granted permissions to resources anywhere in the forest.
o Universal Groups: Can contain user and computer accounts, global groups and universal groups from anywhere in the forest. Universal groups are used to consolidate groups and accounts that span multiple domains or an entire forest; their membership is stored in the Global Catalog.

Remember that group scope (domain local, global or universal) governs both sides: what kinds of objects, from which domains, the group can contain, and where in the forest the group can be granted permissions. The usual pattern is to put accounts in global groups, nest those in domain local groups, and grant the permissions to the domain local groups (the AGDLP model).


Unit Learning Outcome(s) attached to this activity:

Explain Group types and scopes

Course Objective(s) supported by this activity:

Configure Active Directory.

Explain intrasite and intersite replication between the Windows Server 2008 machines.

Key Concept: Built-in and Special identity Groups

Explore Activity 3: Understanding Default and Special Identity Groups

In-class Activity, Ungraded

Description:

Explain the following:

Because there are many universally applicable functions in a typical AD environment, Active Directory includes many default Groups for common tasks/functions. Default Groups vary somewhat based on the network services installed on a DC, eg the DHCP Users Group is created when the DHCP Server Role is installed on a DC.

A few examples of default groups include:
o Backup Operators: Able to back up and restore all files on a computer regardless of specific file permissions. Because it bypasses file permissions, membership is effectively administrative on a DC, where it allows a copy of the AD database to be taken.
o Remote Desktop Users: Able to log on to a computer from a remote location.
o Users: Used for general access.
o Domain Admins: Able to perform administrative tasks on any computer in the domain.

See MOAC 70-640 Table 5-1 for a complete listing of Active Directory default groups.

In addition to default groups, AD also includes special identity groups. Special identity group membership cannot be viewed or manually modified; it is determined by how a principal connects or authenticates, and these groups provide special functionality in AD. Some examples of special identity groups include the Everyone group, the Local Service group and the Network group. See MOAC 70-640 Table 5-2 for a complete listing of Active Directory special identity groups.

In addition to the previously discussed group types, there are also Local Groups, not to be confused with Domain Local Groups. Local groups can contain user, computer and group accounts from AD but are specific to resources on a local computer or server. Local groups are not replicated beyond the local computer/server and are contained in the local SAM database only.

Unit Learning Outcome(s) attached to this activity:

Explain default and specialty ID groups


Course Objective(s) supported by this activity:

Configure Active Directory.

Use different methods to maintain and troubleshoot Active Directory servers.

Key Concept: Creating Active Directory Objects

Explore Activity 4: Creating Users, Computers and Groups

In-class Activity, Ungraded

Description:

Explain the following:

Creating objects in Active Directory is one of the most common administrative tasks. There are multiple tools via which to accomplish this task, depending upon the specific circumstances of the object creation.

Generally, local user accounts and groups will be managed via the local computer/server Administrative Tools, Computer Management snap-in. This tool provides a familiar interface and is suitable for creation of a limited number of local users and local groups.

Creation of AD users, computers and groups can be accomplished via batch files, Comma-Separated Value Directory Exchange (CSVDE), LDAP Data Interchange Format Directory Exchange (LDIFDE), Windows Script Host (WSH) or the Active Directory Users and Computers snap-in:
o Batch files facilitate automation of routine and/or repetitive tasks, combining command-line tools/commands into a single file, usually with the *.bat or *.cmd extension.
o CSVDE is used to import or export AD information in the comma-separated value file format (*.csv). CSVDE cannot be used to modify or delete existing objects, and it cannot set passwords, so user accounts it creates are disabled until a password is set and the account is enabled.
o LDIFDE can be used to import or export AD information and can be used to add, delete or modify AD objects. LDIFDE also works with other LDAP-compliant directory services.
o WSH functions much like batch files but uses Microsoft Visual Basic Scripting Edition (VBScript) or JScript.
o AD Users and Computers provides an MMC snap-in graphical interface to add, delete or modify AD objects and is often used for managing a small number of additions or changes.

Batch files have many and varied applications for IT administrative tasks and can be written with any text editor. The ds* command-line tools are the usual building blocks: dsadd creates objects, dsmod modifies them, dsrm deletes them, dsmove renames or moves them, and dsquery/dsget find and display them.

CSVDE uses the common CSV format, supported by Microsoft Excel for example. CSVDE works well for importing AD objects that may already exist in a spreadsheet or other CSV-exportable format. CSVDE is also useful for exporting AD objects to a spreadsheet or other CSV-compatible application.

LDIFDE is a more flexible option than CSVDE, based on the LDIF standard, allowing add/modify/delete functionality.


WSH is a powerful scripting environment, allowing a great many administrative functions, not limited to AD object creation and modification.
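The tools above in use, as an added PowerShell example (not from the course guide or MOAC): it bulk-creates users with CSVDE, creates a group and its membership with LDIFDE, finishes what CSVDE cannot do (set a password and enable the accounts) with dsmod, and shows dsadd for the one-at-a-time case. The domain, OUs, user names and employee data are constructed placeholders, and the script assumes the OUs exist and the caller has create rights in them.

```powershell
# Added example: bulk object creation with CSVDE, LDIFDE and the ds* tools.
# Assumes: the OUs below exist, you have create rights in them, and the domain,
# OU and user names are placeholders. Sample user data is constructed.

$domainDn = 'DC=corp,DC=example,DC=com'
$staffOu  = "OU=Staff,$domainDn"
$groupOu  = "OU=Groups,$domainDn"

# --- 1. CSVDE: one object per line, header row names the attributes -------------
# DNs contain commas, so they must be double-quoted inside the CSV.
$csv = @"
DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName
"CN=Jane Smith,$staffOu",user,smithj042,smithj042@corp.example.com,Jane,Smith,Jane Smith
"CN=Raj Patel,$staffOu",user,patelr117,patelr117@corp.example.com,Raj,Patel,Raj Patel
"@
Set-Content -Path .\newusers.csv -Value $csv -Encoding ASCII
csvde -i -f .\newusers.csv -k      # -i import, -f file, -k keep going on "already exists"

# --- 2. LDIFDE: create a global security group, then add members ----------------
# groupType -2147483646 = 0x80000002 = security-enabled (0x80000000) + global (0x2).
# An LDIF "modify" record ends with a line holding a single "-".
$ldif = @"
dn: CN=HR Staff,$groupOu
changetype: add
objectClass: group
sAMAccountName: HR Staff
groupType: -2147483646

dn: CN=HR Staff,$groupOu
changetype: modify
add: member
member: CN=Jane Smith,$staffOu
member: CN=Raj Patel,$staffOu
-
"@
Set-Content -Path .\hrgroup.ldf -Value $ldif -Encoding ASCII
ldifde -i -f .\hrgroup.ldf -k

# --- 3. What CSVDE cannot do: set a password and enable the account -------------
# CSVDE-created users are disabled with no password. dsmod sets one ("*" prompts,
# so the password never lands in a script or shell history), forces a change at
# first logon, then enables the account.
foreach ($dn in "CN=Jane Smith,$staffOu", "CN=Raj Patel,$staffOu") {
    dsmod user $dn -pwd * -mustchpwd yes -disabled no
}

# --- 4. The same kind of objects one at a time with dsadd (a handful of objects) --
dsadd group "CN=HR Printers,$groupOu" -secgrp yes -scope l -desc "Print to HR printer"
dsadd user "CN=Ana Lopez,$staffOu" -samid lopeza233 -upn lopeza233@corp.example.com `
    -fn Ana -ln Lopez -display "Ana Lopez" -pwd * -mustchpwd yes -disabled no
dsmod group "CN=HR Printers,$groupOu" -addmbr "CN=HR Staff,$groupOu"

# --- 5. Export for another system (names and mail only, nothing sensitive) --------
# -d search base, -r LDAP filter, -l attributes to export; password hashes are
# never exported by csvde, but keep the attribute list minimal anyway.
csvde -f .\contacts.csv -d $staffOu -r "(objectCategory=person)" -l "givenName,sn,mail"
```

Step 4 also shows the AGDLP pattern from the group discussion: the global group HR Staff holds the accounts, the domain local group HR Printers is what the printer's ACL will reference, and membership flows from one to the other rather than from users straight to the resource.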

Unit Learning Outcome(s) attached to this activity:

Creating Users, Computers and Groups

Course Objective(s) supported by this activity:

Configure Active Directory.

Use different methods to maintain and troubleshoot Active Directory servers.

LAB PORTION

Practice Activity 1: Lab: TBD

In-class Activity, Graded

See the Lab Manual: Lab 6.

Apply Activity 1: AD User/Group Design Scenario

Homework, Graded

Students will respond to the following scenario with recommendations and considerations.

Facilitation

A junior IT administrator has been tasked with creating groups for newly formed divisions. Respond to the request for help below:

To: IT Admin

I need to provide access to resources throughout our AD environment and am not sure which strategy is best for each of these situations. Please provide any thoughts or recommendations for group type and scope! Thank you.

1. Marketing wants to be able to print the company newsletter to printers in each department throughout all domains in the forest?

2. HR wants users from anywhere in the forest to be able to print vacation requests to the printer in the HR Department?

3. Research and Development wants to have administrative access to their workstations and the member server in their department but wants to make certain that these permissions are specific to their local machines, not distributed anywhere else?

Junior Admin


Unit Learning Outcome(s) attached to this activity:

Recommend a strategy for creating groups.

Course Objective(s) supported by this activity:

Configure Active Directory.

Use different methods to maintain and troubleshoot Active Directory servers.

Practice Activity 2: AD User and Group Account Creation

Homework, Graded

Students will respond to the following scenario with practical steps and/or a recommended approach to the problem.

Facilitation

A junior IT administrator has been tasked with the following AD administrative tasks. Respond with recommendations and considerations:

To: IT Admin

As you may know, we recently acquired a new company and I have been given responsibility to accomplish the following tasks! I would appreciate any input on the best tool to use for each. Thank you!

1. The acquired company currently uses a Novell Netware Directory Service. I need to create user accounts for all of the existing employees, probably about 150!

2. The acquired company uses an email application I have never heard of and will continue to use this program for the foreseeable future. I need to provide them a list of users (first and last name and email address) for all users in our company so they can create a contact list in their email application.

3. I need to create a handful of Groups, maybe 5 to 10, to assign printer resources to each of the divisions in the newly acquired company?

Junior Admin

Estimated Time: 100 min

Unit Learning Outcome(s) attached to this activity:

Recommend a strategy for creating groups.
Recommend a strategy for creating user accounts.

Course Objective(s) supported by this activity:

Configure Active Directory.


Use different methods to maintain and troubleshoot Active Directory servers.

Unit Summary:

This unit covers user and group accounts and the most common Active Directory administrative tasks associated with these, including the various tools available for administering user and group accounts.


Unit 7: Security Planning and Administrative Delegation

Course Objectives Covered by this Unit
CO3. Configure Active Directory.
CO8. Analyze different techniques to secure Windows Server 2008

Unit Learning Outcomes
Plan user-account security
Implement user-account security
Secure access to Active Directory
Plan organizational unit structure
Recommend a password policy.
Determine the necessary information for recommending an OU structure.

Key Concepts

Planning User-Account Security
Implementing User-Account Security
Securing Active-Directory Access
Creating Active Directory Objects

Reading

Windows Server 2008 Active Directory Configuration MOAC 70-640 Lesson 6 Security Planning and Administrative Delegation

Keywords

Use the following keywords to search for additional materials to support your work:

Active Directory Migration Tool (ADMT)
Dictionary Attack
DSMove
Password Cracking
Runas
Secondary Logon


Learning Activities

THEORY PORTION

Key Concept: Planning User-Account Security

Explore Activity 1: Understanding User Account Security

In-class Activity, Ungraded

Description:

Explain to students the following:

In an Active Directory environment, the combination of two pieces of information allows or denies access to network resources: username and password. If these two pieces of information are compromised, access to the network is compromised. Planning and implementing user-account security is one of the most fundamental components of securing a network infrastructure.

The first component of designing user-account security is the username, which is often overlooked in security planning. Usernames generally follow a corporate standard naming convention, often “first initial, last name,” eg jsmith. Unfortunately, this particular combination is extremely easy to guess and/or the corporate information from which the username is derived is not a closely guarded secret. Many corporate websites contain all of the necessary information to easily guess usernames.

There are many possible username naming conventions, including a limited character combination of first and last name with a number appended, eg JSmith123; or last name followed by first initial followed by a number, eg SmithJ123, etc.

Remember that the username is half of the credential pair and should be planned as carefully as the password. Unlike the password, however, it can never be treated as a secret: it appears in e-mail addresses, logon prompts, log entries and directory listings. A less predictable naming convention raises the cost of enumerating accounts, but it is no substitute for strong passwords and an account lockout policy.

Best practices indicate using something other than just the first name or the first initial plus last name.

The second component of designing user-account security is the password (an alphanumeric string used in combination with a username to validate a user's identity, ie authentication). Alternatives and supplements to passwords are becoming more common, such as personal identification numbers (PINs), smart cards and biometric devices (fingerprint readers, etc).

Security is always somewhat inconvenient, and the IT administrator's job is to strike the right balance between security and convenience for the users. We could easily assign extremely complex passwords to all users, such as Xjhh8&*1!@hhHH, but users could never remember them and would write them down for reference, effectively compromising network security.

As an IT admin, the critical components of designing user-account security are an awareness of the needs of the users together with the extreme importance of network security. As such, educating the users is of utmost importance.

Help users to understand some basic guidelines for protecting their passwords:

o If you have to write it down, keep the paper in a secure location.

o Don't give your password to anyone.

o Do not save your password on your computer (auto-login features, cached entries, etc).

o Always use a strong password.

Unit Learning Outcome(s) attached to this activity:

Plan user-account security

Course Objective(s) supported by this activity:

Analyze different techniques to secure Windows Server 2008

Key Concept: Implementing User-Account Security

Explore Activity 2: Implementing User-Account Security

In-class Activity, Ungraded

Description:

Explain the following:

By definition, a strong password is a password that is difficult to compromise. Examples of weak passwords include words from the dictionary, names of relatives or pets, and well-known personal data such as an anniversary date or street address. Statistically, one of the most common passwords in use is "password."

Methods for compromising passwords are numerous and varied, including social engineering (manipulating someone into unintentionally giving the information needed to discern a password) and password cracking. Password cracking is an attempt to discover a user's password, generally using a software tool. Types of password cracking include brute force attacks (using a software tool to go through every possible combination of characters, up to a given length, until the password is discovered) and dictionary attacks (using a set of predefined words or character combinations, often with common variations such as appended digits, to discover a password). Note that cracking tools usually work offline against captured password hashes, so an account lockout policy does not slow them down; only the length and unpredictability of the password does.

As an IT Administrator, it is important to develop a password policy that aligns with the needs of the organization, eg the password policy for a Department of Defense Contractor should be more stringent than the password policy for ABC Comics.

Designing a password policy comes down to these decisions:

o How long should the passwords be?

o What character sets should they contain (upper/lower case alpha, numeric and/or special characters)?

o What character sets should passwords NOT contain (username, dictionary words, etc)?

o How often should passwords be changed?

Best practices for a strong password include a minimum of 8 characters and a combination of character sets (upper/lower case alpha, numbers and special symbols). Longer is better: each additional character raises the cost of a brute force attack far more than adding another character set does.

These best practices can be technically enforced via Windows Server 2008 security settings (the Account Policies node of Group Policy, covered in Unit 8), but it is important to help users understand the requirement and to encourage creative strategies that make passwords easy to remember but hard to guess, such as the use of phrases or mnemonics, eg if a user loves to fish they might use a password regarding their favorite lake (meaningful to them, easy to remember but hard for someone else to guess): Love2Fish@Lake.
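As an added example (not part of the MOAC text or the Lab Manual), the following PowerShell function reproduces the rule Windows applies when "Password must meet complexity requirements" is enabled, plus a configurable minimum length, so an instructor can show students exactly why "password" fails and Love2Fish@Lake passes. The account name jsmith and the display name "Smith, John" are constructed for the demonstration.

```powershell
# Added example, not from the course text. Reproduces the check Windows makes
# when "Password must meet complexity requirements" is enabled, plus a minimum
# length, and reports every reason a candidate password fails.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string]$DisplayName = '',
        [int]$MinimumLength = 8
    )
    $reasons = @()

    if ($Password.Length -lt $MinimumLength) {
        $reasons += "shorter than $MinimumLength characters"
    }

    # Windows rejects a password containing the account name (3+ characters) or
    # any part of the display name longer than two characters; the display name
    # is split on commas, periods, dashes, underscores, spaces, # and tabs.
    # -match is case-insensitive, which is how Windows compares here.
    if ($SamAccountName.Length -ge 3 -and $Password -match [regex]::Escape($SamAccountName)) {
        $reasons += 'contains the account name'
    }
    $tokens = $DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -gt 2 }
    foreach ($token in $tokens) {
        if ($Password -match [regex]::Escape($token)) {
            $reasons += "contains display-name part '$token'"
        }
    }

    # Characters from at least three of four categories. Windows also counts a
    # fifth category (non-ASCII letters such as accented characters); it is
    # omitted here to keep the demonstration readable.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # -cmatch: case-sensitive
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) {
        $reasons += "uses only $categories of 4 character categories"
    }

    New-Object PSObject -Property @{
        Masked  = ('*' * $Password.Length)   # never echo the cleartext
        Strong  = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Constructed sample account for the demonstration.
Test-PasswordComplexity -Password 'password'       -SamAccountName 'jsmith' -DisplayName 'Smith, John'
Test-PasswordComplexity -Password 'JohnSmith2013!' -SamAccountName 'jsmith' -DisplayName 'Smith, John'
Test-PasswordComplexity -Password 'Love2Fish@Lake' -SamAccountName 'jsmith' -DisplayName 'Smith, John'

# The password and lockout policy actually in force for the domain, as any domain user:
net accounts /domain
```

Walking through the three calls in class: "password" is 8 characters long, so only the category rule fails (one of four); "JohnSmith2013!" uses all four categories but is rejected because it contains the display-name parts John and Smith; Love2Fish@Lake passes every check. The closing net accounts /domain line shows students the values the domain controller is enforcing, which is what Unit 8's Account Policies settings change.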

Unit Learning Outcome(s) attached to this activity:

Implement user-account security

Course Objective(s) supported by this activity:

CO8. Analyze different techniques to secure Windows Server 2008

Key Concept: Securing Access to Active Directory

Explore Activity 3: Securing Admin Access to AD

In-class Activity, Ungraded

Description:

Explain the following:

The principle of least privilege is critical in securing access to network resources: assign and use the least privileges necessary to accomplish a task.

Because the administrator accounts and groups, including Domain Admins, Enterprise Admins and Schema Admins, have such extensive privileges, these accounts should only be used when necessary to perform an administrative task, never for day-to-day work such as e-mail or web browsing, and should have extra measures of security to protect them.

Windows Server 2008 provides the runas command (available since Windows 2000) to run a single program under a different logon account, and, through User Account Control, the "Run as administrator" option in the graphical user interface (GUI) to run a program with the full administrator token. Runas is used from a command line to specify the logon account to use for a task.

Runas functions as follows:

o It maintains your primary logon (the account you used to log into Windows) and creates a secondary logon for administrative access.

o The secondary logon is only valid while the tool/program you launched via the runas command is running.

o Runas does not support all Windows functionality, such as an operating system upgrade or configuration of system parameters.

o Runas requires the Secondary Logon service (seclogon).

o Runas and "Run as administrator" can each be used to start separate instances of a program under a secondary logon, so several administrative tools can be open at once without logging the desktop on as an administrator.

o Runas can be used for a secondary logon with any available account, not just admin accounts.

"Run as administrator" is accessed by right-clicking the desired application and selecting Run as administrator (on Windows 7 and Windows Server 2008 R2, holding down the Shift key while right-clicking adds the related Run as different user option). Runas is accessed by opening a command prompt and typing the runas command, followed by the appropriate command-line options; runas /? lists them.
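As an added example (not from the MOAC text), the following commands show how runas and Run as administrator are used from a desktop that is logged on as a standard user. The domain name CORP and the account admin-jsmith (a separate administrative account belonging to the user jsmith) are assumptions.

```powershell
# Added example, not from the course text. Assumes a domain named CORP and a
# separate administrative account, admin-jsmith, kept apart from the user's
# everyday account jsmith; substitute your own names.

# 1. runas needs the Secondary Logon service. Start it if it is stopped.
Get-Service -Name seclogon | Where-Object { $_.Status -ne 'Running' } | Start-Service

# 2. Open Active Directory Users and Computers under the admin account while the
#    desktop session stays logged on as jsmith. The password is prompted for,
#    never put on the command line. The secondary logon ends when this mmc exits.
runas "/user:CORP\admin-jsmith" "mmc dsa.msc"

# 3. A whole administrative command prompt under the admin account. Inside the
#    new window, run  whoami /user  and  whoami /groups | findstr /i "Domain Admins"
#    to confirm the token really is the admin account before doing anything with it.
runas "/user:CORP\admin-jsmith" cmd

# 4. The GUI "Run as administrator" (UAC elevation of the current account) from
#    PowerShell; the same as right-click, Run as administrator in Explorer.
Start-Process -FilePath powershell.exe -Verb RunAs

# Avoid runas /savecred: it stores the admin password in Credential Manager on
# this workstation, so anyone who later controls the workstation can reuse it.
```

The administrative password is typed on, and the resulting logon token lives in, the workstation where runas is run, so use it only from a workstation you trust as much as the domain controllers themselves.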


Unit Learning Outcome(s) attached to this activity:

Secure Access to Active Directory

Course Objective(s) supported by this activity:

CO8. Analyze different techniques to secure Windows Server 2008

Key Concept: Creating Active Directory Objects

Explore Activity 4: Understanding Organizational Unit Strategies

In-class Activity, Ungraded

Description:

Explain the following:

Organizational Units (OUs) are objects in Active Directory that can contain other OUs, users, computers and groups and can be used to manage users and computers via Group Policy Objects. Generally, OUs are designed hierarchically in an AD environment to group resources and users/computers to mirror your organizational structure.

OUs are often designed to match the functional structure of your organization, eg OUs representing the departments in the organization, such as HR, Sales, Marketing.

OUs may also be designed to match the geographical structure of your organization, eg based on physical locations such as SFO, NYC, etc.

Another strategy for OU design is a combination of both functional and geographical, eg an SFO OU with a nested OU for HR and Sales, and another OU for NYC with nested Marketing and Management OUs.

One of the distinct benefits of Organizational Units is the ability within Active Directory to give limited control over certain administrative tasks (delegation) at the level of an OU and the resources it contains, including nested OUs. For example, you might want to allow the manager of the call center in SFO to create and delete user accounts in their own OU because of high staff turnover, without making them a Domain Admin.

AD provides a tool called the Delegation of Control Wizard, which walks you through delegating permissions to domains, OUs or containers, allowing you to choose Users and the tasks they should be able to perform.

OUs can also be used to provide consistent user, computer and member server configurations via Group Policy Objects (GPOs). GPOs provide powerful policies for controlling many aspects of computer, server and user configuration.

Keeping all of these factors and functions in mind will help you design an effective OU structure and, as your organization grows and changes, you can easily move objects around in AD from OU to OU, even moving whole OUs, via familiar Windows drag-and-drop functionality in AD Users and Computers. Remember that moving an object changes which GPOs and delegated permissions apply to it, so a move is a security change and not just housekeeping.
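As an added example (not from the MOAC text or the Lab Manual) of the combined geographic/functional design and of delegation, the following PowerShell script uses the command-line directory service tools that ship with Windows Server 2008 (dsadd, dsacls, dsmove). The domain corp.local, the group CORP\SFO-CallCenter-Mgrs and the user Jane Smith are assumptions; run it as a Domain Admin on a DC or on a host with the AD DS tools installed. dsacls writes the same kind of access control entry the Delegation of Control Wizard writes, so it is also the way to audit what has been delegated.

```powershell
# Added example, not from the course text. Builds the combined geographic and
# functional OU tree described above and delegates user create/delete on the
# SFO call-center OU. corp.local, the group SFO-CallCenter-Mgrs and the user
# Jane Smith are assumptions.
$domain = 'DC=corp,DC=local'

# Site OUs at the top, department OUs nested beneath them.
$tree = @{
    'SFO' = @('HR', 'Sales', 'CallCenter')
    'NYC' = @('Marketing', 'Management')
}
foreach ($site in $tree.Keys) {
    dsadd ou "OU=$site,$domain"
    foreach ($dept in $tree[$site]) {
        dsadd ou "OU=$dept,OU=$site,$domain"
    }
}

# Delegation: the call-center managers' group may create (CC) and delete (DC)
# child objects of class user, and nothing else, in its own OU. /I:T applies
# the entry to this object and everything beneath it. Granting to a group
# rather than to the manager's account keeps the delegation easy to revoke.
dsacls "OU=CallCenter,OU=SFO,$domain" /I:T /G "CORP\SFO-CallCenter-Mgrs:CCDC;user"

# Audit: list the ACL of the OU and show only the entries for the delegated group.
dsacls "OU=CallCenter,OU=SFO,$domain" | Select-String 'SFO-CallCenter-Mgrs'

# Staff transfer: move a user between OUs (the DSMove keyword above). After the
# move the user receives the Sales OU's GPOs and the call-center delegation no
# longer covers the account.
dsmove "CN=Jane Smith,OU=CallCenter,OU=SFO,$domain" -newparent "OU=Sales,OU=SFO,$domain"
```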

Unit Learning Outcome(s) attached to this activity:

Plan Organizational Unit Structure

Course Objective(s) supported by this activity:

CO3. Configure Active Directory.

LAB PORTION

Practice Activity 1: Lab 1: Employing Security Concepts

In-class Activity, Graded

See the Lab Manual: Lab 7.

Apply Activity 1: AD Password Policy Planning Scenario

Homework, Graded

Students will respond to the following scenario with recommendations and considerations.

Facilitation

You are an IT consultant and receive the following email from a client. Respond with recommendations and considerations to the following questions:

To: IT Consultant

A competitor recently got “hacked” and our board of directors is suddenly concerned about information security! However, as a business manager, I am concerned about employee productivity! I don’t want staff to have to jump through 17 security hoops before getting to work every morning. Can you please give me your opinion regarding what a “strong” password is and why, as a business manager, I should care? What would you consider a reasonable approach?

Thank you,
Business Manager

Unit Learning Outcome(s) attached to this activity:

Recommend a password policy.

Course Objective(s) supported by this activity:

CO8. Analyze different techniques to secure Windows Server 2008

Practice Activity 1: AD OU Planning Scenario


Homework, Graded

Students will respond to the following scenario with a list of questions to obtain the appropriate information to successfully complete their assigned task.

Facilitation

As an IT Administrator, you have been tasked with designing an Active Directory Domain Organizational Unit Structure for a new AD implementation at an existing organization. You are scheduled to meet with the management team and need to formulate a list of questions you will need answered in order to recommend an OU Structure appropriate to the organization.

Develop a list of 5-10 questions to guide your design plan.

Estimated Time: 100 min

Unit Learning Outcome(s) attached to this activity:

Determine the necessary information for recommending an OU Structure.

Course Objective(s) supported by this activity:

CO3. Configure Active Directory.

Unit Summary:

This unit covered considerations and recommendations for security planning for Users and Groups in an Active Directory environment, as well as considerations for securing access to Active Directory. This unit also covered how to plan an Organizational Unit structure to help effectively manage resource access and AD object management.


Unit 8: Introduction to Group Policy & Configuring the User & Computer Environment Using Group Policy

Course Objectives Covered by this Unit

CO3. Configure Active Directory.
CO7. Analyze Group Policy applications
CO8. Analyze different techniques to secure Windows Server 2008
CO9. Use different methods to maintain and troubleshoot Active Directory servers.

Unit Learning Outcomes

Describe Group Policy.
Implement Group Policy.
Configure Group Policy to install and manage software on the Windows 7 client machine.
Manage and maintain Group Policy.
Configure Group Policies in a mixed client OS environment.
Contrast Group Policies supported by different operating systems.
Recommend policies to control user/computer configuration.
Use advanced Group Policy management tools to control Group Policy application.

Key Concepts

Explaining Group Policy
Planning and Implementing Group Policy
Configuring Security Policies with GPOs
Configuring User Settings with GPOs
Maintaining Group Policy

Reading

Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 7 – Introduction to Group Policy
Lesson 8 – Configuring the User and Computer Environment Using Group Policy

Keywords

Use the following keywords to search for additional materials to support your work:

ADMX
Domain GPO
Group Policy Management Console (GPMC)
Loopback Processing
Windows Deployment Services (WDS)
Account Lockout Policies
Fine-Grained Password Policies (FGPP)
Key Distribution Center (KDC)
Password Settings Object (PSO)


Learning Activities

THEORY PORTION

Key Concept: Explaining Group Policy

Explore Activity 1 – Introduction to Group Policy

In-class Activity, Ungraded

Description:

Explain to students the following:

Group Policies in a Windows Server 2008 Active Directory environment provide a powerful set of tools to apply computer and user settings throughout the network for any systems running Windows 2000 and newer (older versions of Windows do not support all of the features of Group Policy that newer versions support).

The settings that can be managed via Group Policy are numerous but include the following major categories:

o Registry-based policies: This is a broad category based on Windows registry changes, such as Desktop settings and environment variables.

o Software installation policies: These can be used to distribute software, from complete application installation to updates.

o Folder redirection: These policies allow common folder locations to be redirected to network locations, eg redirecting My Documents to a centralized user share on the network for backup and accessibility.

o Offline file storage: These settings can be used to make network files available on a system even when not connected to the network (caches local copies and synchronizes to the network when attached).

o Scripts: These policies can be used to apply logon, logoff, startup and shutdown scripts for configuring the user environment.

o Windows Deployment Services (WDS): These policies aid in the installation and repair of Windows on client computers.

These categories cumulatively allow fine-grained control of everything from installing a Microsoft Word patch to a standard corporate Desktop wallpaper to mapped drives and uniform Desktop shortcuts, as well as security policies such as password length, complexity, etc.

Group Policies are applied through Group Policy Objects (GPOs). A GPO can contain just a few or many configuration settings for users and/or computers, as appropriate to your environment. GPOs are applied (linked) to OUs, domains or sites, applying to the objects they contain. Security group filtering allows configuration of exclusions for items within the OU, domain or site that you do not want the GPO to apply to.

Consider a network environment with 200 computers. Without Group Policy, if the users required their My Documents redirected to a network location and offline files enabled, an administrator would have to configure each computer individually! With Group Policy, these settings can be configured, tested and applied centrally, saving a great deal of time, reducing the risk of error via uniform configuration settings and easily accommodating policy changes in the future. These benefits represent just one example of the return on investment (ROI, tangible benefits to the organization) of Group Policy, practically reducing the total cost of ownership (TCO) of workstation and server management in an Active Directory environment.

Unit Learning Outcome(s) attached to this activity:

Describe Group Policy.

Course Objective(s) supported by this activity:

CO7. Analyze Group Policy applications

Key Concept: Planning & Implementing Group Policy

Explore Activity 2: Implementing Group Policy

In-class Activity, Ungraded

Description:

Explain the following:

Because of the power and myriad options available via Group Policy, as well as the hierarchical way GPOs are applied, it is important to approach the design of Group Policy Objects (GPOs) thoughtfully and methodically. Although security filtering can be used to exclude objects from receiving GPO settings, best practices are to design GPOs to broadly apply to all objects within the OU, domain and/or site to which they are applied.

It is important to understand that there are three distinct types of GPO:

o Local: Stored on the local computer, these GPOs have fewer configuration options and cannot be used to redirect folders or install software.

o Domain: Created in Active Directory and linked to OUs, domains and/or sites, these are stored in both the Group Policy Container (GPC, an AD object storing GPO properties) and the Group Policy Template (GPT, located in the Policies subfolder of the SYSVOL share).

o Starter: These are new to Windows Server 2008 and can be used as a starting point (template) for creation of a new GPO.

Domain and local GPOs can be used in concert. If conflicting settings exist between local and domain GPOs, domain GPOs take precedence.

The Group Policy Container (GPC) can be viewed via the Active Directory Users and Computers console (with Advanced Features enabled, under System, Policies). Group Policy Templates (GPTs) can be viewed by navigating to the SYSVOL share on a DC, eg C:\Windows\SYSVOL\sysvol\mydomain.local\Policies. Each GPT folder is named by the GPO's GUID, eg {6AC1786C-016F-11D2-945F-00C04FB984F9} for the Default Domain Controllers Policy and {31B2F340-016D-11D2-945F-00C04FB984F9} for the Default Domain Policy; the GPC and the GPT of the same GPO share that GUID, which is how the two halves are matched.

Unit Learning Outcome(s) attached to this activity:

Implement Group Policy.

Course Objective(s) supported by this activity:

CO3. Configure Active Directory.
CO7. Analyze Group Policy applications


Explore Activity 3: Configuring Group Policy Settings

In-class Activity, Ungraded

Description:

Explain the following:

The Group Policy Management Console is used to create and modify Group Policy Objects (GPOs). The specific settings within a GPO are edited using the Group Policy Management Editor.

To implement a GPO, it is necessary to create a GPO, edit settings and link to an OU, domain and/or site. However, the specific order of these steps depends on your preferred method of implementation, eg you can create and link in one step or create a new GPO and then link it later.

Remember that GPOs are hierarchical and that, by default when linking a GPO to an OU, domain or site, the GPO will apply to all child objects of the OU, domain or site.

When editing GPO settings via the Group Policy Management Editor, you will find a Computer Configuration node as well as a User Configuration node, each with varying settings that apply specifically to the computer or user. Both the Computer and User nodes contain subnodes:

o Software Settings: Computer settings are applied to anyone who logs onto the computer, whereas User settings are applied based on the user logging in, irrespective of which computer they log into.

o Windows Settings: Contains security settings, scripts, folder redirection options, etc. Again, Computer settings are applied to the computer irrespective of who logs in, whereas User settings are applied based on the user login irrespective of which computer is used.

o Administrative Templates: These contain registry-based policy settings. More than 100 administrative templates are installed by default, written in Extensible Markup Language (XML) and stored in ADMX files (with the display strings in language-specific ADML files).

In some situations, a computer/user will be subject to multiple GPOs, including local and domain (site, domain and/or OU policies). These policies are processed in the following order: local, site, domain, OU (LSDOU), with nested OUs processed parent first. Where settings conflict, the policy processed later overwrites the earlier one, so by default the GPO linked closest to the object (its own OU) takes precedence.

Although LSDOU describes default processing, exceptions can be configured. GPOs can be configured with the following options:

o Enforce: Set on a GPO link; the GPO's settings cannot be blocked or overridden by any child OU.

o Block Policy Inheritance: Set on an OU; blocks inheritance of GPOs linked above it. Enforced links override this setting.

o Loopback Processing: Set under Computer Configuration; makes the User Configuration settings of the GPOs that apply to the computer take effect for whoever logs on, which is useful for kiosks, classroom labs and terminal servers. It provides two modes:

Merge: The user's own GPOs are processed first, then the User settings from the computer's GPOs are appended. In conflicts, the computer's GPOs take precedence.

Replace: Only the User settings from the computer's GPOs are applied; the user's own GPOs are ignored.
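As an added example (not from the MOAC text or the Lab Manual) of the create, edit, link sequence above and of Enforce versus Block Inheritance, the following PowerShell uses the GroupPolicy module that ships with GPMC on Windows Server 2008 R2 and later; on the original Windows Server 2008 the same steps are clicked through in the GPMC GUI. The domain corp.local, the OU names and the GPO name are assumptions. The setting chosen is the Windows Installer "Always install with elevated privileges" policy, which must be off on both the computer and the user side, because with both values set to 1 any user can install an MSI package as SYSTEM.

```powershell
# Added example, not from the course text. Needs the GroupPolicy module
# (GPMC on Windows Server 2008 R2 / RSAT). corp.local, the OU names and the
# GPO name are assumptions.
Import-Module GroupPolicy
$domainDN = 'DC=corp,DC=local'
$gpoName  = 'SFO-Workstation-Baseline'

# 1. Create the GPO and edit settings. Set-GPRegistryValue writes an
#    Administrative Templates (registry-based) value: HKLM keys land in
#    Computer Configuration, HKCU keys in User Configuration.
New-GPO -Name $gpoName -Comment 'Security baseline for SFO workstations' | Out-Null
foreach ($hive in 'HKLM', 'HKCU') {
    Set-GPRegistryValue -Name $gpoName `
        -Key "$hive\Software\Policies\Microsoft\Windows\Installer" `
        -ValueName 'AlwaysInstallElevated' -Type DWord -Value 0 | Out-Null
}

# 2. Link the GPO to the site OU. Every child OU inherits it by default (LSDOU).
New-GPLink -Name $gpoName -Target "OU=SFO,$domainDN" -LinkEnabled Yes | Out-Null

# 3. Suppose the delegated call-center admin blocks inheritance on their OU...
Set-GPInheritance -Target "OU=CallCenter,OU=SFO,$domainDN" -IsBlocked Yes | Out-Null

# 4. ...then Enforce the baseline link: an enforced link wins over Block
#    Inheritance and over any conflicting GPO linked lower in the tree.
Set-GPLink -Name $gpoName -Target "OU=SFO,$domainDN" -Enforced Yes | Out-Null

# 5. Confirm what the child OU actually receives now.
Get-GPInheritance -Target "OU=CallCenter,OU=SFO,$domainDN" |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Format-Table DisplayName, Enforced, Order

# 6. On a workstation in that OU: apply the policy now rather than waiting for
#    the refresh interval, then list the GPOs that applied, in processing order.
gpupdate /target:computer /force
gpresult /r /scope:computer
```

Step 5 is the check that matters: after step 3 the baseline disappears from the call-center OU's inherited links, and after step 4 it is back and marked Enforced, which is the LSDOU exception the bullets above describe.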

Unit Learning Outcome(s) attached to this activity:

Configuring Group Policy to install and manage software on the Windows 7 client machine.

Course Objective(s) supported by this activity:

CO3. Configure Active Directory.
CO7. Analyze Group Policy applications

Key Concept: Configuring Security Policies with GPOs

Explore Activity 4: Implementing GPO Security Policies

In-class Activity, Ungraded

Description:

Explain the following:

Most of the GPO security settings can be found in the Windows Settings folder under the Computer node. Everything from password length to event auditing to IPSec policies can be managed centrally.

Some of the subnodes under Windows Settings, Security Settings include:

o Account Policies: Password policies, lockout policies, Kerberos policies.

o Local Policies: Audit policy, user rights assignment and security options for the computer.

o Event Log: Event Viewer log configuration (size, retention, access).

o IP Security Policies: Administrative control of mandatory IPSec policies.

Although the security settings are primarily applied via the Computer node, there are two additional nodes under the User Configuration that control user-specific security policies:

o Public Key Policies: Security certificate settings.

o Software Restriction Policies: Disallow applications.

Fine-Grained Password Policies (FGPP) are new to Windows Server 2008 and allow for multiple password policies. Previous versions of Windows only allowed for a single, domain-wide password policy.

Some of the available security configuration options under Computer Configuration, Windows Settings, Security Settings, Account Policies include:

o Password Policy: Minimum password length, maximum password age, require password complexity, etc.

o Account Lockout Policy: Lockout duration, lockout threshold, etc (these settings control how many times a password can be entered incorrectly before the account is locked out and cannot log in).

o Kerberos Policy: These settings control AD authentication, whose default mechanism is Kerberos. Kerberos allows domain access by issuing a ticket via the Key Distribution Center (KDC). Tickets are only valid for a limited time. Kerberos policies allow configuration of the period of validity, etc.
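As an added example (not from the MOAC text) of the Account Policies above together with a Fine-Grained Password Policy that overrides them for selected users, the following PowerShell uses the ActiveDirectory module from Windows Server 2008 R2 / RSAT; on the original Windows Server 2008, Password Settings Objects are created with ADSI Edit or ldifde instead. The PSO name, the subject groups and the account checked at the end are assumptions. The values chosen answer Unit 7's policy questions (length, character sets, age, lockout) for the privileged-account tier, where they should be stricter than for ordinary users.

```powershell
# Added example, not from the course text. Needs the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT). PSO name, group names and the user are assumptions.
Import-Module ActiveDirectory

# The policy everyone gets unless a PSO applies: the Default Domain Policy values.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration

# A stricter PSO for privileged accounts. If a user is a subject of several PSOs,
# the one with the lowest Precedence wins; equal precedence is broken by the PSO GUID.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Privileged' -Precedence 10 `
    -Description 'Administrative and service-administration accounts' `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false

# PSOs can only be applied to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Privileged' `
    -Subjects 'Domain Admins', 'Service-Account-Admins'

# Inventory: every PSO in the domain and what it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Format-Table Name, Precedence, MinPasswordLength, AppliesTo

# The resultant policy for one account. Empty output means no PSO applies and
# the Default Domain Policy values above are in force for that user.
Get-ADUserResultantPasswordPolicy -Identity 'admin-jsmith'
```

Reversible encryption is left off deliberately: enabling it stores passwords in a recoverable form on every domain controller, which is the opposite of what a password policy is for.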

Some of the available security configuration options under Computer Configuration, Windows Settings, Security Settings, Local Policies include:

o Audit Policy: Allows configuration of logging for security events, including successful and/or failed logon events, account management and object access. Auditing for Directory Service Access and Object Access requires the additional step of configuring the objects to be audited (their system access control list, or SACL); without it those categories log nothing.

o User Rights Assignment: Allows configuration of the user rights needed to perform system tasks.

o Security Options: Allows configuration of digital signing, driver installation, floppy/CD-ROM access, etc.

Under Computer Configuration, Windows Settings, Security Settings, you will also find:

o Restricted Groups, which allows configuration of group-membership lists (who belongs to which group, eg the local Administrators or Backup Operators group).

o System Services, which allows configuration of startup and security settings for services running on the computer.

Unit Learning Outcome(s) attached to this activity:

Configuring Group Policy to install and manage software on the Windows 7 client machine.

Course Objective(s) supported by this activity:

CO3. Configure Active Directory.
CO7. Analyze Group Policy applications
CO8. Analyze different techniques to secure Windows Server 2008

Key Concept: Configuring User Settings with GPOs

Explore Activity 5: Configuring User Policy Settings

In-class Activity, Ungraded

Description:

Explain the following:

The User Configuration node in a GPO includes functions to control settings specific to the user account being used for logon.

Under User Configuration, Policies, Windows Settings, you will find these subnodes: Remote Installation Services, Scripts (logon/logoff), Security Settings, Folder Redirection, Policy-Based QoS and Internet Explorer Maintenance.

Folder Redirection allows for administrative configuration of redirection of the Documents, Application Data, Desktop and Start Menu folders to a network location or alternate local location. The chief benefits of folder redirection are ease of backup and accessibility from outside of the local computer.

Folder Redirection settings allow for basic redirection (all users receiving this policy setting will be directed to the same folder location, with individual subfolders) or advanced redirection (redirection location differs based on user group membership).

As with many GPO settings, Folder Redirection can be applied so that the redirection is removed (the folder is redirected back to the local user profile) when a user falls outside the scope of the GPO, or it can be configured to leave the folder in the redirected location even after the user is no longer subject to the GPO (tattooing). When a policy is configured for tattooing, it will not be reversed unless another GPO overwrites the setting.

Offline Files is a separate Group Policy category but is often used in conjunction with Folder Redirection. It can be found under User Configuration, Policies, Administrative Templates, Network. As the name implies, Offline Files settings can be used to make network files accessible to users even when they are disconnected (offline) from the network. The policy settings can control which files are available offline, how the files are synchronized and cached.


Under Computer Configuration, Policies, Administrative Templates, System, Disk Quotas, you can administratively control the amount of storage space that can be used for user data (disk quotas). Quotas can be configured to log disk-use overage, warn the user and/or enforce disk-usage limitations.

Unit Learning Outcome(s) attached to this activity:

Configuring Group Policy to install and manage software on the Windows 7 client machine.

Course Objective(s) supported by this activity:

CO3. Configure Active Directory.
CO7. Analyze Group Policy applications

Key Concept: Maintaining Group Policy

Explore Activity 6: Maintaining and Optimizing Group Policy

In-class Activity, Ungraded

Description:

Explain the following:

Following creation of GPOs, it is important to understand how and when the settings are actually applied to the computers and users within the scope of the policies.

By default, Computer Configuration policies are applied when a computer starts and User Configuration policies are applied during user logon. These policies are intermittently refreshed throughout the day, to accommodate changes/updates to GPOs without forcing the users to restart and logon again.

The GPO refresh intervals can be customized via the Computer Configuration, Policies, Administrative Templates, System, Group Policy node. The default for workstations and member servers is 90 minutes with a random offset of 0 to 30 minutes; the domain controller refresh interval is 5 minutes by default. The same policies can be found under User Configuration, Policies, Administrative Templates, System, Group Policy for the user policy refresh interval.

There are times when it is beneficial to force a GPO refresh, particularly during testing. Windows XP, Windows Server 2003 and later (including Server 2008) include the gpupdate.exe command-line tool to accomplish this. From a command prompt, enter gpupdate /target:user or gpupdate /target:computer to force a refresh of user or computer policies; add /force to reapply all settings rather than only those that have changed. Note that some settings, such as software installation and folder redirection, are only processed at startup or logon, so gpupdate will offer to restart or log off when they are pending.

You can increase the performance of GPO processing by disabling processing of either the computer or user configuration portions of a GPO, if they are not being used. This can be accomplished via the Group Policy Management Console.

Unit Learning Outcome(s) attached to this activity:

Manage and Maintain Group Policy.

Course Objective(s) supported by this activity:

CO7. Analyze Group Policy applications

LAB PORTION


Practice Activity 1: Lab 1: Exploring Group Policy Administration

In-class Activity, Graded

Description

See the Lab Manual: Lab 8.

Estimated Time: 100 minutes

Unit Learning Outcome(s) attached to this activity:

Use advanced Group Policy management tools to control Group Policy application.

Course Objective(s) supported by this activity:

CO3. Configure Active Directory.
CO7. Analyze Group Policy applications
CO8. Analyze different techniques to secure Windows Server 2008
CO9. Use different methods to maintain and troubleshoot Active Directory servers

Practice Activity 2: Group Policy in a Mixed Client OS Environment

Homework, Graded

Description

Although Group Policies are compatible with Windows 2000 and newer versions of Windows, some policy settings are not backwards compatible, eg Remote Desktop settings do not apply to Windows 2000.

Research and identify five policies that are supported by Windows Vista and/or Windows 7 but not with Windows XP or older.

Estimated Time: 60 min

Unit Learning Outcome(s) attached to this activity:

Contrast Group Policies supported by different operating systems.

Course Objective(s) supported by this activity:

CO7. Analyze Group Policy applications

Apply Activity 1: Administrative Control versus Trust: Research/Scenario

Homework, Graded

Students will respond to the following scenario with recommendations and considerations.

Facilitation


You are an IT consultant and receive the following email from a client. Respond with recommendations and considerations to the following questions:

To: IT Consultant

We have an existing network consisting of approximately 40 workstations in a Windows Workgroup environment. We do not currently take advantage of local policies to control user/computer configuration, as it is too cumbersome to manage on each individual computer. We are implementing an Active Directory Domain and are excited about the possibility of being able to control user and computer settings particularly from a security perspective.

We understand that there are hundreds and hundreds of options for things we can control and are hoping you can help us by recommending the most important initial policies? Users have had complete control of their desktops up to this point, so we would like to strike a balance between trust and control!

Thank you,
Business Manager

Unit Learning Outcome(s) attached to this activity:

Recommend policies to control user/computer configuration.

Course Objective(s) supported by this activity:

CO7. Analyze Group Policy applications

Unit Summary: This unit covered Group Policy, the function and value of Group Policy Objects, and how some of the computer and user settings can be configured and applied. Policy processing, refresh intervals and maintenance were also covered.


Unit 9: Performing Software Installation with Group Policy and Planning a Group Policy Management and Implementation Strategy

Course Objectives Covered by this Unit

CO3. Configure Active Directory.
CO7. Analyze Group Policy applications
CO8. Analyze different techniques to secure Windows Server 2008
CO9. Use different methods to maintain and troubleshoot Active Directory servers.

Unit Learning Outcomes

Manage Software through Group Policy.
Install Software with Group Policy.
Manage Group Policy.
Filter Group Policy Scope.
Test and Troubleshoot GPO Results.
Perform software installation with Group Policy.
Determine information needed to develop an implementation scenario.
Recommend an approach for installing software.

Key Concepts

Managing Software with Group Policy
Implementing Software with Group Policy
Restricting Software with Group Policy
Managing Group Policy
Filtering Group Policy Scope
Testing GPO Results

Reading

Windows Server 2008 Active Directory Configuration MOAC 70-640
Lesson 9 – Performing Software Installation with Group Policy
Lesson 10 – Planning a Group Policy Management and Installation Strategy

Keywords

Use the following keywords to search for additional materials to support your work:

Distribution Share, Hash Algorithm, .msi File, System Development Life Cycle (SDLC), .zap File, Common Information Model Object Manager (CIMOM), GPResult, Resultant Set of Policy (RSoP), Windows Management Instrumentation (WMI)


Learning Activities

THEORY PORTION

Key Concept: Managing Software with Group Policy

Explore Activity 1 – Understanding Group Policy Software Management

In-class Activity, Ungraded

Description:

Explain to students the following:

One of the most onerous tasks of administering a computer network is installation, maintenance and management of software applications. Group Policy provides tools to dramatically increase the efficiency and control of installing, upgrading, patching and removing software from domain computers.

The System Development Life Cycle (SDLC) is an industry-standard, structured approach to the development of information systems software, projects and components. The Software Life Cycle is a derivative specific to the life cycle of business applications, from evaluation to deployment to discontinuation of use. Specific phases of the Software Life Cycle include:

o Planning: Analysis, compatibility, installation methods.

o Implementation: Prep for deployment.

o Maintenance: Tasks required to keep the software application running smoothly.

o Removal: Clean removal in preparation for a new software life cycle.

Group Policy can assist particularly in the last three phases of the Software Life Cycle. Windows Server 2008 uses the Windows Installer to install and manage an .msi file. An .msi is a relational database file: a set of tables, held in a structured-storage file, describing the product, its files and the actions required to install it. The Windows Installer service on the client side uses the .msi file to install, manage, patch and remove the managed application.

Many software applications are available in an .msi package, particularly Microsoft applications such as Microsoft Office. However, sometimes the .msi package needs to be customized for a particular deployment (default settings, selected features, licence information), in which case an .mst (Windows Installer transform) is created and applied on top of the vendor's .msi at install time rather than editing the vendor package itself.

.msp files are patch files, used to apply updates, service packs or hot fixes to installed .msi applications.

Software applications that are not available in an .msi format can be repackaged using a third-party application (Wise Package Studio, Altiris, etc.), creating an .msi that supports Group Policy management and deployment features. A repackaged .msi captures whatever the vendor's setup program did on the reference machine, so build it on a clean reference image and test it before publishing it.

When an application cannot be repackaged as an .msi, a .zap file can be created to publish the application. A .zap file is an .ini-style text file that names the application and the command line of its setup program. It does not support the full set of Group Policy deployment and management options: it can only be published, not assigned; it cannot be installed unattended (the vendor's setup program runs as it normally would, unless it has its own silent switches); it runs with the user's own privileges, so the user may need local administrative rights; and it cannot be removed or upgraded automatically.
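The package types above, exercised with the same Windows Installer command line the Windows Installer service runs, as an added example that is not part of the instructor guide. Validating a package silently on a test workstation before it is published or assigned catches transform and patch problems early. The share name, product names and file paths are assumptions for illustration; the .zap file is shown as a constructed sample.

```powershell
# Added example (not from the instructor guide). Exercises an .msi with an .mst, an .msp,
# removal by ProductCode, and a sample .zap file. Paths and product names are assumed.
$Share = '\\fileserver\Software$'                        # assumed distribution point
$Msi   = Join-Path $Share 'Reader\AcroRead.msi'         # assumed .msi package
$Mst   = Join-Path $Share 'Reader\NoUpdates.mst'        # assumed transform (e.g. update checks off)
$Msp   = Join-Path $Share 'Reader\AcroRead-update.msp'  # assumed patch
$Log   = Join-Path $env:TEMP 'reader-install.log'

function Invoke-Msiexec {
    # Runs msiexec.exe with the given arguments, waits, and returns the exit code:
    # 0 = success, 3010 = success but reboot required, 1603 = fatal error, 1619 = package not found.
    param([string[]]$Arguments)
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Arguments -Wait -PassThru
    return $p.ExitCode
}

# 1. .msi + .mst: silent install with the transform applied and a verbose log for troubleshooting.
$rc = Invoke-Msiexec @('/i', "`"$Msi`"", "TRANSFORMS=`"$Mst`"", '/qn', '/norestart', '/l*v', "`"$Log`"")
"install: exit code $rc"

# 2. .msp: apply a patch to the installed product, again unattended.
$rc = Invoke-Msiexec @('/p', "`"$Msp`"", 'REINSTALL=ALL', 'REINSTALLMODE=omus', '/qn', '/norestart')
"patch: exit code $rc"

# 3. Find the ProductCode in the Uninstall registry keys (avoid Win32_Product: querying it makes
#    Windows Installer re-validate every installed product), then remove without the original .msi.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Adobe Reader*' -and $_.PSChildName -match '^\{[0-9A-F-]{36}\}$' } |
    Select-Object -First 1
if ($product) {
    $rc = Invoke-Msiexec @('/x', $product.PSChildName, '/qn', '/norestart')
    "remove: exit code $rc"
}

# 4. .zap: a plain INI file for a setup.exe that could not be repackaged (constructed sample).
#    It can only be published, runs with the logged-on user's rights and is not removed automatically.
@'
[Application]
FriendlyName = "Contoso Legacy Tool"
SetupCommand = "\\fileserver\Software$\Legacy\setup.exe" /S
DisplayVersion = 2.1
Publisher = Contoso
'@ | Set-Content -Path (Join-Path $env:TEMP 'LegacyTool.zap') -Encoding Ascii
```

Run it on a test workstation as an administrator; a non-zero exit code from step 1 usually means the transform does not match the package, and the verbose log names the failing action.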

Unit Learning Outcome(s) attached to this activity: Manage Software through Group Policy.

Course Objective(s) supported by this activity: CO7. Analyze Group Policy applications

Key Concept: Implementing Software with Group Policy

Explore Activity 2: Understanding Software Distribution with Group Policy

In-class Activity, Ungraded

Description: Explain the following:

Software applications distributed with Group Policy can be installed on a computer when the computer starts, when a user logs on or on demand based on file associations.

When an application is ready for distribution, the installation package must be made accessible to the computers on which it will be installed. This is accomplished via creation of a distribution share (software distribution point), which is just a shared folder containing the necessary files, with Read permission (share and NTFS) granted to the users and, for computer-assigned packages, the computer accounts that will install from it. Nobody but administrators should be able to write to the share: a computer-assigned package is installed by the Windows Installer service as SYSTEM on every targeted computer, so a writable distribution point lets anyone who can modify it run code with SYSTEM privileges across the domain.

The next step is configuring a GPO to either assign or publish an application:

o Assigning an application to a user makes it available on the user’s Start Menu. Installation is triggered when the user clicks the Start Menu shortcut.

o When assigning an application to a computer, the application is installed at start up.

o Publishing an application makes it available to the user for installation via the Add/Remove Programs option in Control Panel.

o Applications can also be published using file-activated installation: when a user attempts to open a file associated with a published application, the application is installed.

o Applications cannot be published to computers, only assigned.

Use the Group Policy Management console to create/edit/modify a GPO to distribute an application.

Some customization options are available directly from the properties of an .msi package (right-click, properties), including specifying an .mst (.msi transform), deployment options, category assignment, etc.

Software categories can be used to categorize applications to make them easier for users to find/understand. Categories allow logical arrangement in Add/Remove Programs, such as by functionality (Word Processor, Spreadsheets) or organizationally (HR Department, Marketing Department).
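The distribution point and GPO steps above, carried out from PowerShell, as an added example that is not part of the instructor guide. It assumes a Windows Server 2008 R2 or later file server/DC with the GroupPolicy module (RSAT); the folder, share, OU and GPO names are assumptions. The Software Installation node itself has no cmdlet, so that last step is described in a comment and done in the Group Policy Management Editor.

```powershell
# Added example (not from the instructor guide). Builds a least-privilege software
# distribution point and the GPO that will carry the package. Names are assumed.
Import-Module GroupPolicy

$LocalPath = 'D:\Software'                 # folder on the file server (assumed)
$ShareName = 'Software$'                   # hidden share: not listed when browsing the server
$NetBios   = $env:USERDOMAIN               # e.g. CONTOSO
$UncPath   = "\\$env:COMPUTERNAME\$ShareName"

# 1. NTFS permissions: only administrators and SYSTEM write. Users (published and user-assigned
#    packages) and computer accounts (computer-assigned packages, which install as SYSTEM) get
#    Read & Execute only. Anything writable here would run as SYSTEM on every targeted computer.
New-Item -Path $LocalPath -ItemType Directory -Force | Out-Null
icacls $LocalPath /inheritance:r `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    /grant:r "$NetBios\Domain Users:(OI)(CI)RX" `
    /grant:r "$NetBios\Domain Computers:(OI)(CI)RX" | Out-Null

# 2. Share it read-only; the NTFS ACL above is the effective control.
net share "$ShareName=$LocalPath" '/GRANT:Authenticated Users,READ' | Out-Null

# 3. Copy the package tree in and confirm it is reachable by UNC path. The GPO must reference
#    the UNC path, never D:\..., because each client resolves the path itself.
Copy-Item -Path 'C:\Staging\Reader' -Destination $LocalPath -Recurse -Force   # assumed staging folder
Test-Path -Path (Join-Path $UncPath 'Reader\AcroRead.msi')

# 4. Create the GPO and link it to the OU holding the target computers. Then, in the Group Policy
#    Management Editor: Computer Configuration > Policies > Software Settings > Software
#    Installation > New > Package, select the .msi by its UNC path, choose Assigned, and attach
#    the .mst under Modifications on the Advanced deployment dialog.
$Gpo = New-GPO -Name 'Deploy-AcrobatReader' -Comment "Computer-assigned; package on $UncPath"
New-GPLink -Name $Gpo.DisplayName -Target 'OU=Workstations,DC=contoso,DC=com' -LinkEnabled Yes | Out-Null

# 5. Computer-assigned packages install at startup, not on a background refresh. On a pilot
#    workstation run gpupdate /force, reboot, and look in the Application log for MsiInstaller
#    event 1033 (product installed) or 11708 (installation failed).
Get-GPO -Name $Gpo.DisplayName | Select-Object DisplayName, GpoStatus, CreationTime
```

Keep the share's NTFS ACL under change control: because clients trust whatever sits at the UNC path, the distribution point is a supply-chain control point and should be audited like a domain controller.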

Unit Learning Outcome(s) attached to this activity: Install Software with Group Policy.

Course Objective(s) supported by this activity: CO7. Analyze Group Policy applications

Key Concept: Restrict Software with Group Policy

Explore Activity 3: Securing Software with Group Policy

In-class Activity, Ungraded

Description: Explain the following:

In addition to distributing and managing software applications in an Active Directory environment, Group Policy allows administrators to control which software can run, and for whom, via Software Restriction Policies (Computer Configuration or User Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies).

First introduced in Windows Server 2003 and Windows XP, Software Restriction Policies combine a default security level with rules that act as exceptions to it:

o Unrestricted: Allow all applications to run, except those specifically disallowed by a rule.

o Disallowed: Prevent all applications from running, except those specifically allowed by a rule.

o Basic User: Run applications with the access token of a standard user regardless of the user's group memberships, so applications that require administrative privileges fail.

The default security level is Unrestricted. Software Restriction Policies require a method for identifying software applications in conjunction with rules for allowed/disallowed usage. Software Restriction Rules govern application usage by identifying software applications:

o Hash Rule: A hash is a fixed-length series of bytes computed from the file's contents by a hash algorithm, so it identifies one exact build of a program regardless of its file name or location. Every patch or new version changes the hash, so hash rules must be re-created whenever the file changes.

o Certificate Rule: Uses the code-signing certificate of an application, so the rule survives updates as long as the publisher keeps signing with the same certificate.

o Path Rule: Identifies software by its file-system path (a directory or a file; wildcards, environment variables and registry paths are allowed). A path rule is only as strong as the NTFS permissions on that path: if standard users can write to a directory covered by an Unrestricted path rule, they can copy any program there and run it. Audit the default Unrestricted rules for %SystemRoot% and %ProgramFiles% for user-writable subdirectories before relying on a Disallowed default level.

o Network Zone Rule: Applies to Windows Installer packages downloaded from a given Internet Explorer security zone (Internet, Intranet, Trusted Sites, Restricted Sites, Local Computer).

When more than one rule matches a file, the more specific rule wins: hash rules override certificate rules, which override path rules, which override network zone rules; among path rules, the more specific path wins. Software Restriction Policies can be powerful tools to secure an environment but require careful thought, planning and testing, ideally on a pilot OU before the default level is switched to Disallowed.
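The rule-identification and path-permission points above, worked through in PowerShell, as an added example that is not part of the instructor guide. It shows the values a hash rule and a certificate rule key on for a given binary, and audits the directories a path rule would allow for locations a standard user can write to. Get-FileHash and Get-ChildItem -Depth need PowerShell 4.0 and 5.0 respectively; the paths checked are assumptions.

```powershell
# Added example (not from the instructor guide). Hash/certificate identity of a binary,
# plus an audit of path-rule directories for user-writable subdirectories.
function Get-SrpIdentity {
    # Returns what a hash rule and a certificate rule would match on for one file.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Sha256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # hash rule: changes with every patch
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SigStatus = $sig.Status                                        # certificate rule needs 'Valid'
    }
}

function Test-UserWritable {
    # True if Users, Authenticated Users or Everyone hold an Allow ACE with write-capable rights.
    # A path rule that allows such a directory allows anything a user drops into it.
    param([Parameter(Mandatory)][string]$Path)
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, CreateFiles, AppendData'
    $lowPriv   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $writeBits) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Find-WritableUnderPathRule {
    # Walks a directory allowed by a path rule (e.g. %SystemRoot%) and reports subdirectories
    # a standard user could write to; each one is a hole in a Disallowed-by-default policy.
    param([Parameter(Mandatory)][string]$Root, [int]$Depth = 1)
    Get-ChildItem -Path $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        Where-Object { Test-UserWritable -Path $_.FullName } |
        Select-Object -ExpandProperty FullName
}

# Identity for a hash or certificate rule on a signed system binary.
Get-SrpIdentity -Path "$env:SystemRoot\System32\notepad.exe" | Format-List

# The default Unrestricted path rules cover %SystemRoot% and %ProgramFiles%; under a Disallowed
# default level these become the allow list, so check them for writable holes. Directories such
# as %SystemRoot%\Temp and %SystemRoot%\Tasks commonly show up on a default installation.
Find-WritableUnderPathRule -Root $env:SystemRoot -Depth 1
Find-WritableUnderPathRule -Root $env:ProgramFiles -Depth 1
```

Every directory the last two calls report either needs its ACL tightened or an explicit Disallowed path rule of its own; otherwise the Disallowed default is only as effective as the laziest user-writable path under %SystemRoot%.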

Unit Learning Outcome(s) attached to this activity: Install Software with Group Policy.

Course Objective(s) supported by this activity: CO7. Analyze Group Policy applications

Key Concept: Manage Group Policy

Explore Activity 4: Understanding Group Policy Management

In-class Activity, Ungraded

Description: Explain the following:

Because of the power and flexibility of Group Policy, it is important to understand the options available for management of Group Policy, including testing, modeling, backup and troubleshooting.

The Group Policy Management console provides a single interface for creating, editing, applying and testing Group Policy Objects in an Active Directory environment.

Some of the important administrative tasks available via the Group Policy Management console include:


o Importing and copying GPO settings.

o Backing up and restoring GPOs.

o Modeling Group Policy Results with Resultant Set of Policy (RSoP) queries.

o Viewing HTML reports of GPO settings and RSoP information.

o Searching GPOs.

Included with Windows Server 2008 (added automatically with the AD DS role, or separately as a feature in Server Manager), the Group Policy Management console is under Administrative Tools.

When highlighting an OU, Domain or Site in the Group Policy Management console, you will see three tabs in the right pane:

o Linked Group Policy Objects: Displays GPOs linked to the node.

o Group Policy Inheritance: Displays order of precedence for policies linked to the node.

o Delegation: Displays users and groups with administrative permissions to the node.

When managing an individual GPO via the Group Policy Management console, you will see the following tabs in the right-hand pane:

o Scope: Displays where this policy is linked.

o Details: Displays read-only properties for the policy.

o Settings: Displays an HTML report of policy settings.

o Delegation: Displays users and groups with administrative permissions for the policy

Unit Learning Outcome(s) attached to this activity: Manage Group Policy.

Course Objective(s) supported by this activity: CO7. Analyze Group Policy applications

Key Concept: Filtering Group Policy Scope

Explore Activity 5: Understanding Group Policy Filtering

In-class Activity, Ungraded

Description: Explain the following:

As previously discussed, Group Policy is hierarchical and propagation of settings to objects and nested objects applies downward by default. This can be controlled using the Block Inheritance (on a domain or OU) and Enforced (on a link) options. Additionally, for finer-grained control of policy inheritance, policy settings can be filtered for specific users, computers and/or groups:

o Security Group Filtering uses the GPO's access control list (the Security Filtering section of the Scope tab, or Delegation > Advanced, in the Group Policy Management console) to determine which users and computers apply the policy.

o WMI Filtering uses WMI queries to define criteria for access to a policy.

For a computer or user to receive GPO settings, the computer/user must have both the Read and the Apply Group Policy permissions for the GPO; by default Authenticated Users, which includes computer accounts, holds both. Removing Apply Group Policy from Authenticated Users and granting it to a specific group, or denying it to a specific group or user, effectively "filters" them out of the GPO's scope. Prefer the positive form (grant Apply to a scope group) over Deny entries: a Deny does not show in the Scope tab and is a common cause of "the policy did not apply" tickets.

Windows Management Instrumentation (WMI) is a component of Microsoft Windows operating systems used for management and control. WMI queries can be used to define criteria based on hardware, software, OS version and services to filter or apply GPO settings (see MOAC 70-640 Table 10-2 for WMI filter examples). A WMI filter is created once in the WMI Filters node of the Group Policy Management console and linked to a GPO on the GPO's Scope tab; the GPO applies only where the query returns at least one object.

A use-case scenario for WMI filtering might be determining hard-drive free space prior to installation of a large application package, or determining OS version before distribution of an OS-specific patch.

WMI filters are not compatible with Windows 2000-based computers: a Windows 2000 client ignores the filter and applies the GPO anyway, so do not rely on a WMI filter alone to keep a policy off such machines. It is always advisable to design and implement Group Policy (OU structure and linking) to minimize the need for Security Group Filtering and WMI filtering, particularly because of the management overhead, as well as the system performance impact of evaluating WMI queries on affected computers at every policy refresh.
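Both filtering techniques above, applied to a software-deployment GPO, as an added example that is not part of the instructor guide. It uses the GroupPolicy module (Windows Server 2008 R2 / RSAT or later) for security filtering and runs candidate WMI filter queries on a representative computer so you can see what the client will decide before the filter exists in GPMC. The GPO name, scope group and query thresholds are assumptions.

```powershell
# Added example (not from the instructor guide). Security filtering via the GPO ACL
# and a local dry run of WMI filter queries. GPO, group and thresholds are assumed.
Import-Module GroupPolicy
$GpoName = 'Deploy-AcrobatReader'

# Security filtering. Authenticated Users keeps Read (users and computer accounts must still
# read the GPO) but loses Apply; a scope group gets Apply. Put the target workstations in the
# scope group and leave Engineering's machines out, rather than adding a Deny entry.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'GPO-Apply-AcrobatReader' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Get-GPPermission -Name $GpoName -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission -AutoSize

# WMI filtering. Each query runs on the client during policy processing; the GPO applies only
# if the query returns at least one object. Win32_OperatingSystem.Version is "5.1.x" on XP and
# "6.x" on Vista/7/Server 2008, which is how the XP exclusion works.
$Candidates = [ordered]@{
    'OS is Windows Vista/7/Server 2008 or later (excludes XP)' =
        'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.%" OR Version LIKE "10.%"'
    'At least 2 GB free on C:' =
        'SELECT * FROM Win32_LogicalDisk WHERE DeviceID = "C:" AND FreeSpace > 2147483648'
}
foreach ($name in $Candidates.Keys) {
    $hits = @(Get-WmiObject -Namespace 'root\cimv2' -Query $Candidates[$name] -ErrorAction Stop)
    '{0,-5} {1}' -f $(if ($hits.Count -gt 0) { 'APPLY' } else { 'SKIP' }), $name
}
```

Once a query behaves as expected on the pilot machines, create it under WMI Filters in GPMC with exactly the same text and link it on the GPO's Scope tab; the filter is evaluated again on every client at each refresh, so keep the queries cheap.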

Unit Learning Outcome(s) attached to this activity: Filter Group Policy Scope.

Course Objective(s) supported by this activity: CO7. Analyze Group Policy applications

Key Concept: Testing GPO Results

Explore Activity 6: Testing and Troubleshooting GPO Propagation

In-class Activity, Ungraded

Description: Explain the following:

In a complex Active Directory environment, including many GPOs and intricate inheritance and filtering, it is important to test and verify propagation of settings. Resultant Set of Policy (RSoP) is the sum of all applied policies for a user or computer.

The RSoP Wizard provides a tool to test and debug policy inheritance. RSoP functions in two modes:

o Planning Mode: Simulate the effect of policy settings prior to implementation, for a hypothetical user and computer placed in a given site, domain or OU, with optional assumptions about security group membership, WMI filters and slow links.

o Logging Mode: Reports the policies that were actually applied to an existing user and computer, as recorded on that computer.

RSoP can be used as a stand-alone MMC snap-in or via the Group Policy Management Console. RSoP relies upon the Common Information Model Object Manager (CIMOM) database, a WMI component on each computer containing information gathered at startup and at each policy refresh, including hardware, Group Policy Software Installation, IE Maintenance settings, scripts, folder redirection and security settings.

Group Policy Modeling is the process of running RSoP in Planning Mode via the Group Policy Management Console; Group Policy Results is RSoP in Logging Mode. Group Policy Modeling queries can be saved, as can query output (HTML reports).

GPResult is a command-line tool that generates an RSoP query in Logging Mode. GPResult provides command switches to specify RSoP output for a specific user (/USER) or computer (/S), to limit the output to the computer or user scope (/SCOPE), to control verbosity (/R, /V, /Z) and, from Windows Vista/Server 2008, to write the report as HTML or XML (/H, /X).
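GPResult in logging mode, driven from PowerShell, as an added example that is not part of the instructor guide. It writes the XML report and lists, per GPO, whether it applied and, if not, why (security filtering, WMI filter, disabled link, unreadable GPO), which is exactly what you check after changing a filter. It relies on the element names of the gpresult XML report as produced by Windows Vista/Server 2008 and later; the computer and user names are assumptions.

```powershell
# Added example (not from the instructor guide). Summarizes a gpresult /X report:
# which GPOs applied to the computer and the user, and why the others did not.
function Get-RsopSummary {
    param(
        [string]$Computer = $env:COMPUTERNAME,
        [string]$User                                  # DOMAIN\user; omit for the current user
    )
    $xmlPath = Join-Path $env:TEMP ('rsop-{0}.xml' -f $Computer)
    $gpArgs  = @('/X', "`"$xmlPath`"", '/F', '/S', $Computer)     # /F overwrites an older report
    if ($User) { $gpArgs += @('/USER', $User) }
    $proc = Start-Process -FilePath 'gpresult.exe' -ArgumentList $gpArgs -Wait -PassThru -WindowStyle Hidden
    if ($proc.ExitCode -ne 0) { throw "gpresult failed with exit code $($proc.ExitCode)" }

    [xml]$rsop = Get-Content -Path $xmlPath
    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($gpo in @($rsop.Rsop.$scope.GPO)) {
            if (-not $gpo) { continue }
            # The report carries one flag per reason a GPO was skipped; map them to a label.
            $reason = $(if ($gpo.AccessDenied -eq 'true')       { 'security filtering' }
                        elseif ($gpo.FilterAllowed -eq 'false')  { 'WMI filter' }
                        elseif ($gpo.Enabled -ne 'true')         { 'link or GPO disabled' }
                        elseif ($gpo.IsValid -ne 'true')         { 'GPO unreadable/invalid' }
                        else                                     { '' })
            [pscustomobject]@{
                Scope    = $scope -replace 'Results$'
                GPO      = $gpo.Name
                LinkedAt = (@($gpo.Link.SOMPath) -join '; ')
                Applied  = ($reason -eq '')
                Reason   = $reason
            }
        }
    }
}

Get-RsopSummary | Format-Table -AutoSize
# Get-RsopSummary -Computer 'WS01' -User 'CONTOSO\jdoe'   # remote: needs admin rights and RPC access
# Equivalent reports: gpresult /R (text summary), gpresult /H report.html, or with the GroupPolicy
# module: Get-GPResultantSetOfPolicy -Computer WS01 -ReportType Html -Path .\WS01.html
```

A GPO that is missing from the list altogether was never linked anywhere in the computer's or user's hierarchy; one listed with a reason was linked but filtered, so the fix is on the GPO's Scope or Delegation tab rather than on the link.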

Unit Learning Outcome(s) attached to this activity: Test and Troubleshoot GPO Results.

Course Objective(s) supported by this activity: CO7. Analyze Group Policy applications

LAB PORTION

Practice Activity 1: Lab 1: Software Distribution and Controlling Group Policy

In-class Activity, Graded

Description: See the Lab Manual: Lab 9.

Estimated Time: 100 minutes

Unit Learning Outcome: Perform software installation with Group Policy.

Course Objective(s) supported by this activity: CO7. Analyze Group Policy applications.

Practice Activity 2: GPO Planning Scenario

Homework, Graded

Description: Students will develop a list of 10 to 15 questions with the goal of obtaining all the information that would be required to develop a software deployment strategy via Group Policy. Encourage students to consider assignment versus publishing, application compatibility (hardware and GPO requirements), exceptions/filtering, etc.

Facilitation

As an IT Administrator, you have been tasked with developing a software deployment strategy for your company’s three, primary business-critical applications. In anticipation of a meeting with management, develop a list of 10 to 15 questions you will need answered regarding the applications and environment in order to accurately develop an implementation scenario.

Estimated Time: 60 min

Unit Learning Outcome(s) attached to this activity: Determine information needed to develop an implementation scenario.

Course Objective(s) supported by this activity: CO7. Analyze Group Policy applications


Apply Activity 1: Research Software Deployment Options

Homework, Graded

Students will respond to the following scenario with recommendations and considerations. Encourage students to be specific about assigning versus publishing applications, customization of application package, scope filtering, etc.

Facilitation

You are an IT consultant and receive the following email from a client. Respond with a detailed, recommended approach:

To: IT Consultant

We have an existing Active Directory environment, consisting of 300 computer nodes. We need to install the latest version of Adobe Acrobat Reader to all compatible computers, with the following requirements:

- The application is not supported on Windows XP.

- We need to have automatic updates turned off within the application.

- We need a silent, automatic installation.

- The Engineering Department needs to be excluded, as they use a proprietary PDF app.

Can we automate this deployment through Group Policy and meet all of the requirements? Please recommend a course of action.

Thank you,

Business Manager

Unit Learning Outcome(s) attached to this activity: Recommend an approach for installing software.

Course Objective(s) supported by this activity: CO7. Analyze Group Policy applications

Unit Summary: This unit covered software distribution, management and maintenance via Group Policy Objects, as well as planning considerations, securing software via Group Policy, and the tools available for testing and troubleshooting Group Policy Object inheritance.


Unit 10: Active Directory Maintenance, Troubleshooting and Disaster Recovery

Course Objectives Covered by this Unit

CO9. Use different methods to maintain and troubleshoot Active Directory servers.

Unit Learning Outcomes

Explain how to monitor and maintain Active Directory.
Recommend a backup and restore strategy for Active Directory.
Troubleshoot Active Directory.
Recommend a maintenance schedule.
Backup and restore Active Directory.

Key Concepts

Maintain Active Directory
Backup Active Directory
Restore Active Directory
Monitor and Troubleshoot Active Directory

Reading

Windows Server 2008 Active Directory Configuration MOAC 70-640 Lesson 11 – Active Directory Maintenance, Troubleshooting and Disaster Recovery

Keywords

Use the following keywords to search for additional materials to support your work:

ADSIEdit, Authoritative Restore, Boot Configuration Data (BCD), Dsacls, Extensible Storage Engine (ESE), LDP, Nltest, Repadmin, Tombstone, Wbadmin, Windows PowerShell


Learning Activities

THEORY PORTION

Key Concept: Maintain Active Directory

Explore Activity 1 – Understanding Active Directory Maintenance

In-class Activity, Ungraded

Description: Explain to students the following:

As you leverage Windows Server 2008 Active Directory technologies in your environment, it becomes increasingly important to develop a proactive, as opposed to reactive, approach to managing and maintaining AD components, including monitoring, troubleshooting, backup and restore.

As previously discussed, Active Directory stores information in a database. The database is transactional, based on the Extensible Storage Engine (ESE). A transaction can contain more than one change. Requests for modifications occur as follows:

o AD writes the transaction to a transaction buffer located in memory (RAM).

o AD writes the transaction to the transaction log file (edb.log) before writing it to the database (write-ahead logging). The edb.log grows to 10 MB by default; it is then closed and renamed with a sequence number (edbnnnnn.log, a hexadecimal counter such as edb00001.log) while a new edb.log is started.

o AD writes the transaction from the transaction buffer to the ntds.dit database.

o AD compares the transaction to the log file to ensure it matches.

o AD updates the edb.chk checkpoint file, which records the point in the log up to which transactions have been written to the database, so that only later log entries must be replayed in a recovery scenario.

The aforementioned process allows AD to process multiple transactions before writing them to the database.

As changes/modifications occur in the AD database, fragmentation can occur (data becomes spread inefficiently across the disk). Defragmentation rearranges the data contiguously for greatest efficiency and performance. AD supports two types of defragmentation:

o Online Defragmentation: A process called garbage collection runs automatically every 12 hours by default on DCs. Online defragmentation runs as part of the garbage collection process and reclaims space inside the file, but does not reduce the size of the AD database on disk. Tombstones (what is left behind after an object is deleted from AD) whose tombstone lifetime has expired are deleted during garbage collection, as are log files that are no longer needed.

o Offline Defragmentation: Running an offline defragmentation is a manual process (ntdsutil, "files", "compact to") that requires the AD service to be offline (unavailable to service requests) and that writes a new, compacted ntds.dit which then replaces the original. In previous versions of AD, this required restarting the server in Directory Services Restore Mode (DSRM), but in Windows Server 2008 AD DS behaves like a normal Windows service and can be stopped and restarted (Restartable Active Directory Domain Services). Take a system state backup first, and run an integrity check on the compacted file before starting the service again.
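The offline defragmentation procedure above, scripted end to end with restartable AD DS and ntdsutil, as an added example that is not part of the instructor guide. It is meant to be run elevated on the DC in a maintenance window after a fresh system state backup; the working and keep directories are assumptions, and the database and log locations are read from the registry rather than assumed.

```powershell
# Added example (not from the instructor guide). Offline defragmentation of ntds.dit on a
# Windows Server 2008 DC without a reboot into DSRM. Directories D:\NTDS-* are assumed.
$params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Dit    = $params.'DSA Database file'            # usually C:\Windows\NTDS\ntds.dit
$LogDir = $params.'Database log files path'       # usually C:\Windows\NTDS
$Work   = 'D:\NTDS-Compact'   # assumed; needs free space for a full copy of ntds.dit
$Keep   = 'D:\NTDS-Old'       # assumed; the original stays here until the new file is verified
New-Item -ItemType Directory -Path $Work, $Keep -Force | Out-Null
'Before: {0:N0} bytes' -f (Get-Item -Path $Dit).Length

# 1. Stop AD DS. -Force also stops the dependent services (KDC, DNS, Netlogon, DFSR/FRS).
Stop-Service -Name NTDS -Force
if ((Get-Service -Name NTDS).Status -ne 'Stopped') { throw 'AD DS did not stop; aborting.' }

$swapped = $false
try {
    # 2. Write a compacted copy; ntdsutil leaves the original untouched.
    $out = & ntdsutil.exe 'activate instance ntds' 'files' "compact to $Work" 'quit' 'quit' 2>&1
    $new = Join-Path $Work 'ntds.dit'
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $new)) {
        throw "Compaction failed:`n$($out -join "`n")"
    }

    # 3. Keep the original and its logs, swap in the compacted file, and remove the old logs
    #    (they belong to the old database and must not be replayed against the new one).
    Move-Item -Path $Dit -Destination (Join-Path $Keep 'ntds.dit') -Force
    Get-ChildItem -Path $LogDir -Filter '*.log' | Move-Item -Destination $Keep -Force
    Copy-Item -Path $new -Destination $Dit
    $swapped = $true

    # 4. Verify the new file before the directory goes back online.
    $chk = & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit' 2>&1
    if (-not ($chk -match 'Integrity check successful')) {
        throw "Integrity check failed:`n$($chk -join "`n")"
    }
    'After:  {0:N0} bytes' -f (Get-Item -Path $Dit).Length
}
catch {
    if ($swapped) {   # put the original database and its logs back before restarting
        Copy-Item -Path (Join-Path $Keep 'ntds.dit') -Destination $Dit -Force
        Get-ChildItem -Path $Keep -Filter '*.log' | Copy-Item -Destination $LogDir -Force
    }
    throw
}
finally {
    # 5. Restart AD DS either way; dependent services start with it.
    Start-Service -Name NTDS
}
```

Delete $Keep only after the DC has replicated cleanly (repadmin /showrepl) for a day; the copy of ntds.dit there holds every password hash in the domain and must be wiped, not just deleted, if the disk leaves your control.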


Unit Learning Outcome(s) attached to this activity:

Explain how to monitor and maintain Active Directory.

Course Objective(s) supported by this activity:

Use different methods to maintain and troubleshoot Active Directory servers.

Key Concept: Backup Active Directory

Explore Activity 2: Understanding AD Backup

In-class Activity, Ungraded

Description:

Explain the following:

Like all data in your network environment, Windows Server 2008 and the AD database should be a part of your backup and recovery plan, planning for the possibility of hardware, Operating System (OS) or Active Directory failure and how you will recover from a failure.

As previously discussed, Active Directory has a fault-tolerant design and it is always recommended, even in small environments, to have more than one DC in case one DC fails. In addition, Windows Server 2008 includes a feature called Windows Server Backup, replacing ntbackup from previous versions. It is not installed by default: add it, together with its command-line tools, as a feature in Server Manager.

Windows Server Backup supports backup from the command line, useful for scripting, via wbadmin.exe and via Windows PowerShell (the Windows.ServerBackup snap-in; PowerShell is the task-based scripting technology introduced with Windows Server 2008). In Windows Server 2008 it does not support file-level backup, only volume-level backup.

Windows Server 2008 supports both manual backups (manually initiated by a server administrator) and scheduled backups (regularly scheduled by a server administrator), via either the command line (wbadmin.exe) or the Windows Server Backup MMC snap-in (wbadmin.msc), the GUI for managing Windows Server Backup.

Scheduled backups reformat the volume on the target drive hosting the backup and therefore must be on a dedicated local, physical disk not containing any critical volumes. Protect that disk, and any removable backup media, as you would the DC itself: a backup contains ntds.dit and therefore every password hash in the domain.

In previous versions of Windows Server, you backed up the System State data in order to recover AD. Windows Server 2008 still supports a system state backup from the command line (wbadmin start systemstatebackup), but Windows Server Backup works in terms of critical volumes (wbadmin -allCritical), which include the following data:

o System Volume: Hosts the boot files: bootmgr, the Windows Boot Manager, and the Boot Configuration Data (BCD) store, which replaces boot.ini and describes boot applications and settings.

o Boot Volume: Hosts the Windows OS and Registry.

o The Volume hosting the SYSVOL share.

o The Volume hosting the AD database (ntds.dit).

o The Volume hosting the AD DB log files.

In Windows Server 2008, System State data varies depending upon the roles installed on the Server.
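The backup options above, as wbadmin command lines, as an added example that is not part of the instructor guide: a one-off critical-volume backup, a system state backup, a daily schedule to a dedicated disk, and a check that the last run succeeded. Target drive letters, the disk identifier placeholder and the schedule time are assumptions; run them in an elevated prompt on the DC.

```powershell
# Added example (not from the instructor guide). Windows Server 2008 DC backups with
# wbadmin.exe, the command-line front end of Windows Server Backup. Targets are assumed.

# 1. One-off backup of every critical volume (system, boot, SYSVOL, ntds.dit, log volume).
#    -allCritical resolves the set for you, so it stays correct when roles or paths change.
wbadmin start backup -backupTarget:E: -allCritical -quiet

# 2. System state only: smaller, and enough for a DSRM recovery of AD DS.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 3. Daily schedule. The target disk is reformatted and dedicated to backups, so it must not
#    hold any critical volume; take its identifier from the listing first.
wbadmin get disks
# Assumed: the dedicated disk's DiskIdentifier is pasted in place of the placeholder below.
wbadmin enable backup -addtarget:{disk-identifier-from-get-disks} -schedule:02:00 -allCritical -quiet

# 4. Verify: versions present on the target, and the Backup operational log for the last day.
wbadmin get versions -backupTarget:E:
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Backup'; StartTime = (Get-Date).AddDays(-1) } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
```

Test a restore from the schedule's output at least once before relying on it (wbadmin start systemstaterecovery in DSRM on a lab DC); a backup that has never been restored is an assumption, not a recovery plan.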


Unit Learning Outcome(s) attached to this activity: Backup and Restore Active Directory

Course Objective(s) supported by this activity:

Use different methods to maintain and troubleshoot Active Directory servers.

Key Concept: Restore Active Directory

Explore Activity 3: Understanding AD Restoration

In-class Activity, Ungraded

Description:

Explain the following:

How and when you restore AD depends upon the situation and circumstances. There are multiple options available, as follows.

Restoration via Normal Replication: Because of AD's fault-tolerant design, including normal replication of data from one DC to another, you may be able to just reinstall AD DS on a rebuilt server (after cleaning up the failed DC's metadata) and let normal replication populate the AD database.

Nonauthoritative Restore: You can use a previous backup of AD to restore a DC to a known, good point in time by booting into Directory Services Restore Mode (DSRM) and restoring the system state. Restoring a single DC in this fashion is known as a nonauthoritative restore. Following a nonauthoritative restore, normal AD replication brings the restored DC up to date, which means any object deleted since the backup is deleted again on the restored DC.

Authoritative Restore: If you need to restore AD data that has been deleted, you will need to perform an authoritative restore (a nonauthoritative restore will allow post-deletion updates to replicate and re-delete restored data). An authoritative restore starts with a nonauthoritative restore in DSRM; ntdsutil is then used to mark the deleted object or subtree authoritative, which raises its version number so that it replicates out and overwrites the deletion on every other DC. It is more complex than a nonauthoritative restore because back-links (references to the restored object held in attributes of other objects, such as group memberships) must be restored as well. The authoritative restore process creates an LDIF file containing the back-links, which is imported with ldifde once the DC is back online. The backup used must be younger than the tombstone lifetime, or the other DCs will not accept the restored objects.
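The authoritative restore procedure above, step by step, as an added example that is not part of the instructor guide. It is a sequence of commands to run one at a time on a Windows Server 2008 DC (two of them reboot the server), not a single script. The OU name, backup version, target drive and LDIF file name are assumptions for illustration.

```powershell
# Added example (not from the instructor guide). Authoritative restore of a deleted OU on a
# Windows Server 2008 DC. Run step by step in an elevated prompt; names and ids are assumed.

# 1. Reboot into Directory Services Restore Mode (log on with the DSRM administrator password).
bcdedit /set safeboot dsrepair
Restart-Computer -Force

# --- after the DSRM logon ---
# 2. Pick a backup taken before the deletion (and younger than the tombstone lifetime) and
#    restore the system state nonauthoritatively. The version id is illustrative.
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:05/21/2013-02:00 -backupTarget:E: -quiet

# 3. Mark only the deleted subtree authoritative. ntdsutil raises the version numbers of the
#    restored objects so replication partners accept them instead of re-deleting them, and
#    writes an LDIF with the back-links into the current directory. Avoid "restore database":
#    it would roll the whole domain back to the backup.
ntdsutil 'activate instance ntds' 'authoritative restore' 'restore subtree OU=Sales,DC=contoso,DC=com' 'quit' 'quit'

# 4. Return to normal boot.
bcdedit /deletevalue safeboot
Restart-Computer -Force

# --- after the normal boot ---
# 5. Import the back-link LDIF (file name illustrative; ntdsutil prints the real one) so that
#    group memberships pointing at the restored objects come back, then push replication.
ldifde -i -k -f 'ar_20130521-093000_links_contoso.com.ldf'
repadmin /syncall /AdeP
```

Before step 3, confirm the restored DC is not connected to the network or is the only one you intend to write from: an authoritative restore of the wrong DN, or of the whole database, replicates just as enthusiastically as the right one.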

Unit Learning Outcome(s) attached to this activity:

Explain how to restore Active Directory

Course Objective(s) supported by this activity:

Use different methods to maintain and troubleshoot Active Directory servers.

Key Concept: Monitor Active Directory

Explore Activity 4: Understanding AD Monitoring and Troubleshooting


In-class Activity, Ungraded

Description:

Explain the following:

Monitoring AD gives an IT administrator the opportunity to detect problems before they occur, possibly avoiding service disruption, increasing system reliability and improving performance.

Event logs are one of the tools available in a Windows Server 2008 environment to observe the health of Active Directory. When AD DS is installed, a Directory Service event log is created, accessible via the Event Viewer (Applications and Services Logs > Directory Service). Warnings (indicated by a yellow triangle with an exclamation point) and Errors (indicated by a red circle with an X) should be monitored closely, analyzed and appropriate actions taken. The Event Viewer allows easy filtering based on event level, so that only warnings and errors are shown, and a custom view can save such a filter for daily review.

The Reliability and Performance Monitor can also be a useful tool, allowing you to collect real-time performance data for immediate analysis, baseline and/or historical analysis. There are numerous system counters that can be monitored, broken down into categories called performance objects, with individual items called performance counters.

Some important AD performance counters (NTDS performance object) include:

o DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec: Monitors the size of compressed data replicated in from other sites.

o DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec: Monitors the compressed size of outbound AD data.

o DS Directory Reads/sec: Monitors the number of directory reads per second.

o NTLM Binds/sec: Monitors the number of NT LAN Manager (NTLM) authentications per second processed by a DC. A rising value on a domain that should be using Kerberos points at misconfigured clients or services.

For a complete list of NTDS Performance Object Counters, see MOAC 70-640 Table 11-1.

For logging in greater detail, diagnostic logging can be enabled via the registry on a Windows Server 2008 DC. Each category (for example "5 Replication Events" or "6 Garbage Collection") is a DWORD value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics; change its default value of 0 (none) to:

o 1 (Minimal): High-level events are recorded.

o 2 (Basic): More detail than level 1.

o 3 (Extensive): More detail than level 2.

o 4 (Verbose): Significantly more detail than level 3.

o 5 (Internal): Logs all events, including debug strings and config changes.

When adjusting NTDS logging, it is advisable to gradually increase logging detail until the necessary information is obtained, as opposed to going directly to level 5, which can flood the Directory Service log within minutes. Change one category at a time, reproduce the problem, and set the value back to 0 when finished; the change takes effect without a restart.

Other AD diagnostic tools include:

o DCdiag: A command-line tool for analyzing the state of a DC.

o Repadmin: A command-line tool for checking replication.

o ADSIEdit: An MMC console for verifying functional levels and low-level AD editing.
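The monitoring pieces above put together as a proactive DC health check, as an added example that is not part of the instructor guide: warnings and errors from the Directory Service log grouped by event ID, the replication and diagnostic tools the text names, and a helper that raises one NTDS diagnostic category and puts it back. The category names are the registry value names documented for Windows Server 2008; the 24-hour window and the daily/weekly split are assumptions.

```powershell
# Added example (not from the instructor guide). Daily/weekly DC health check and a
# controlled way to raise NTDS diagnostic logging. Windows and thresholds are assumed.
function Get-DirectoryServiceProblems {
    # Errors (Level 2) and Warnings (Level 3) from the Directory Service log in the last $Hours,
    # grouped by event ID so a recurring problem shows as a count rather than as noise.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 2, 3
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Group-Object -Property Id, LevelDisplayName |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Count   = $_.Count
                Level   = $first.LevelDisplayName
                Id      = $first.Id
                Last    = ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated
                Message = ($first.Message -split "`n")[0]
            }
        } | Sort-Object Level, Count -Descending
}

function Set-NtdsDiagnosticLevel {
    # Categories are named DWORD values under the Diagnostics key, e.g. '5 Replication Events',
    # '6 Garbage Collection', '9 Internal Processing'. Levels 0..5 as described in the text.
    param(
        [Parameter(Mandatory)][string]$Category,
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $old = (Get-ItemProperty -Path $key -Name $Category).$Category
    Set-ItemProperty -Path $key -Name $Category -Value $Level -Type DWord
    "$Category : $old -> $Level"
}

# Daily: event review plus a replication summary (failures and largest deltas per partner).
Get-DirectoryServiceProblems -Hours 24 | Format-Table -AutoSize
repadmin /replsummary
repadmin /showrepl /errorsonly

# Weekly, or whenever the daily check shows a problem: comprehensive DC diagnostics.
dcdiag /c /skip:systemlog /q           # /q prints only failures
dcdiag /test:replications /test:dns /v

# Only while chasing a specific problem: one category, one level at a time, then back to 0.
Set-NtdsDiagnosticLevel -Category '5 Replication Events' -Level 1
# ... reproduce the problem, then re-run Get-DirectoryServiceProblems -Hours 1 ...
Set-NtdsDiagnosticLevel -Category '5 Replication Events' -Level 0
```

Schedule the daily part as a task that writes its output somewhere other than the DC itself; a DC that is failing is the worst place to keep the evidence of why.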

Unit Learning Outcome(s) attached to this activity:

Explain how to monitor and troubleshoot Active Directory


Course Objective(s) supported by this activity:

Use different methods to maintain and troubleshoot Active Directory servers.

LAB PORTION

Practice Activity 1: Lab 1: Disaster Recovery and Maintenance

In-class Activity, Graded

Description

See the Lab Manual: Lab 9.

Estimated Time: 100 minutes

Unit Learning Outcome: Troubleshoot Active Directory.

Course Objective(s) supported by this activity: Use different methods to maintain and troubleshoot Active Directory servers.

Apply Activity 1: AD Disaster Recovery Planning Scenario

Homework, Graded

Description: Students will respond to the following scenario with recommendations and considerations. Encourage students to justify their recommendations with an explanation of the benefit (ROI), etc.

Facilitation

You are an IT consultant and receive the following email from a client. Respond with a detailed, recommended approach:

To: IT Consultant

We have an existing Active Directory environment, consisting of a main office with two DCs, three branch offices with one DC each and a fourth, smaller office with a Read-Only DC. We are evaluating our backup and restore strategy and are wondering which of the following solutions you might recommend for each individual environment? We want to minimize cost but maximize uptime. Which of the following would you recommend for any/all locations and, where applicable, what schedule (daily, weekly, etc):

- Fault-tolerant hardware (RAID1, RAID5, etc.)?

- Backup of the DC to local disk?

- Backup of the DC to removable storage?

- Additional DC?

Thank you,

Business Manager

Unit Learning Outcome(s) attached to this activity:

Recommend a backup and restore strategy for Active Directory.

Course Objective(s) supported by this activity:

Use different methods to maintain and troubleshoot Active Directory servers.

Practice Activity 1: AD Troubleshooting Scenario: Troubleshooting Tools

Homework, Graded

Description: Students will respond to the following scenario with recommendations and considerations. Encourage students to be specific in their recommended tools and frequency of use and to remember backup/restore planning.

Facilitation

You are an IT Administrator and receive the following request for help from a Junior IT Admin. Respond with clarifying questions, suggestions and/or recommended approaches:

To: IT Admin

I have been tasked with developing a proactive maintenance schedule for the three DCs in our branch office and am hoping for your advice and input. What types of things should I be paying attention to on a regular basis and how often? I’m not sure what tools are available and want to be thorough! Can you help me develop a plan?

Thank you,

Junior IT Admin

Estimated Time: 60 min

Unit Learning Outcome(s) attached to this activity:

Recommend a maintenance schedule.

Course Objective(s) supported by this activity:

Use different methods to maintain and troubleshoot Active Directory servers.


Unit Summary:

This unit covered the tools available to proactively monitor and maintain Active Directory, including backup and restore tools and strategies, event logs and command-line tools.


APPENDIX

Reminder: As a faculty member at ITT Technical Institute, it is your responsibility to securely maintain and ensure the integrity of standardized assessments, assignments, and their accompanying answers. It is advisable to grade all exams outside of the classroom to avoid inadvertently leaving the answers unattended.

Final Exam

Answer Key

Question Number | Correct Answer | Course Objective(s) Tested | Bloom’s Level | Reference with page(s)
1 | a | CO1 | Knowledge | 70-642: Lesson 1 - Introducing the Domain Name System (DNS)
2 | a | CO1 | Application | 70-642: Lesson 1 - Using the Routing and Remote Access Service (RRAS)
3 | d | CO1 | Comprehension | 70-642: Lesson 1 - Introducing Network Access Protection (NAP)
4 | c | CO1 | Analysis | 70-642: Lesson 1 - Understanding TCP/IP Addressing
5 | d | CO1 | Comprehension | 70-642: Lesson 1 - Understanding TCP/IP Addressing
6 | a | CO1 | Comprehension | 70-642: Lesson 1 - Understanding TCP/IP Addressing
7 | a | CO1 | Synthesis | 70-642: Lesson 2 - Installing the Software
8 | c | CO1 | Evaluation | 70-642: Lesson 2 - Installing the Software
9 | c | CO1 | Comprehension | 70-642: Lesson 2 - Installing the Software
10 | d | CO1 | Analysis | 70-642: Lesson 2 - Installing the Software
11 | c | CO2 | Analysis | 70-642: Lesson 3 - Configuring the DHCP Server Role
12 | d | CO2 | Analysis | 70-642: Lesson 3 - Configuring the DHCP Server Role
13 | d | CO2 | Analysis | 70-642: Lesson 3 - Configuring the DHCP Server Role
14 | a | CO3 | Comprehension | 70-642: Lesson 4 - Configuring the Domain Name System (DNS) Service
15 | c | CO3 | Analysis | 70-642: Lesson 4 - Configuring the Domain Name System (DNS) Service
16 | c | CO3 | Synthesis | 70-642: Lesson 4 - Configuring the Domain Name System (DNS) Service
17 | a | CO3 | Comprehension | 70-640: Lesson 1 - Introducing Active Directory Domain Service
18 | d | CO3 | Comprehension | 70-640: Lesson 1 - Introducing Active Directory Domain Service
19 | c | CO3 | Comprehension | 70-640: Lesson 1 - Introducing Active Directory Domain Service
20 | d | CO3 | Comprehension | 70-640: Lesson 1 - Introducing Active Directory Domain Service
21 | b | CO3 | Application | 70-640: Lesson 2 - Designing an Active Directory Implementation
22 | c | CO3 | Comprehension | 70-640: Lesson 2 - Designing an Active Directory Implementation
23 | d | CO3 | Analysis | 70-640: Lesson 2 - Designing an Active Directory Implementation
24 | c | CO4 | Analysis | 70-640: Lesson 3 - Introducing Active Directory Sites
25 | a | CO4 | Analysis | 70-640: Lesson 3 - Introducing Active Directory Sites
26 | c | CO4 | Comprehension | 70-640: Lesson 3 - Introducing Active Directory Sites
27 | c | CO5 | Comprehension | 70-640: Lesson 4 - Understanding the Global Catalog
28 | c | CO5 | Synthesis | 70-640: Lesson 4 - Understanding the Global Catalog
29 | b | CO6 | Comprehension | 70-640: Lesson 4 - Understanding Flexible Single Master Operations (FSMO) Roles

30 b CO8 Comprehension 70-640: Lesson 5 - Understanding User Accounts

-103- 08/06/2013

Page 104: NT1330_IG

Client-Server Networking II INSTRUCTOR GUIDE

31 c CO8 Comprehension 70-640: Lesson 5 - Understanding User Accounts

32 d CO8 Comprehension 70-640: Lesson 5 - Understanding User Accounts

33 b CO7 Analysis 70-640: Lesson 6 - Planning and Implementing Account Security

34 a CO7 Application 70-640: Lesson 6 - Planning and Implementing Account Security

35 b CO7 Synthesis 70-640: Lesson 6 - Planning and Implementing Account Security

36 b CO7 Synthesis 70-640: Lesson 7 - Introducing Group Policy

37 d CO7 Synthesis 70-640: Lesson 7 - Introducing Group Policy

38 b CO7 Application 70-640: Lesson 7 - Introducing Group Policy

39 b CO8 Analysis 70-640: Lesson 8 - Configuring Security Policies Using Group Policy Objects

40 b CO8 Analysis 70-640: Lesson 8 - Configuring Security Policies Using Group Policy Objects

41 d CO8 Comprehension 70-640: Lesson 8 - Configuring Security Policies Using Group Policy Objects

42 b CO7 Analysis 70-640: Lesson 9 - Managing Software through Group Policy

42 d CO7 Comprehension 70-640: Lesson 9 - Managing Software through Group Policy

44 a CO7 Comprehension 70-640: Lesson 9 - Managing Software through Group Policy

45 b CO7 Analysis 70-640: Lesson 10 - Managing Group Policy

46 a CO7 Analysis 70-640: Lesson 10 - Managing Group Policy

47 c CO7 Comprehension 70-640: Lesson 10 - Managing Group Policy

48 a CO9 Synthesis 70-640: Lesson 11 - Maintaining

-104- 08/06/2013

Page 105: NT1330_IG

Client-Server Networking II INSTRUCTOR GUIDE

Active Directory49 d CO9 Synthesis 70-640: Lesson 11 - Maintaining

Active Directory50 c CO9 Application 70-640: Lesson 11 - Maintaining

Active Directory

-105- 08/06/2013