OFFICIAL MICROSOFT LEARNING PRODUCT
6425C
Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services
Volume 1
Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.
© 2011 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Press, Access, Active Directory, ActiveX, Convergence, Excel, Forefront, Hyper-V, Internet Explorer, MS, MSDN, MS-DOS, Outlook, PowerPoint, Segoe, SharePoint, SQL Server, Visio, Visual Basic, Visual Studio, Windows, Windows Live, Windows Mobile, Windows NT, Windows PowerShell, Windows Server and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Product Number: 6425C Part Number:
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER
EDITION – Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. “Academic Materials” means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.
b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or “MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.
d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.
e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. “Licensed Content” means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.
g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
i. “Student Content” means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.
j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.
k. “Trainer Content” means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.
l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
m. “Virtual Machine” means a virtualized computing experience, created and accessed using
Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (ii) or (ii) above during such Authorized Training Session in accordance with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions
in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or protective order or otherwise protect the information. Confidential information does not include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or
• you developed independently.
d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first (“beta term”).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.
You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as “Evaluation Software” may be used by Students solely for their personal training outside of the Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:
• The use of the Academic Materials will be only for your personal reference or training use
• You will not republish or post the Academic Materials on any network computer or broadcast in any media;
• You will include the Academic Material’s original copyright notice, or a copyright notice to Microsoft’s benefit in the format provided below:
Form of Notice:
© 2010 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else’s use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not
• install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft’s prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
• Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as “NFR” or “Not for Resale.”
10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as
“Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.
Note: As this licensed content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered “as is.” Any use of this licensed content is at your sole risk. Microsoft grants no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION ON DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can obtain compensation from Microsoft and its suppliers for direct damages only, up to US $5.00. You cannot claim any compensation for other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the licensed content, services or content (including code) on third-party Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any kind, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change your rights under the laws of your country if those laws do not permit it to do so.
Thank you for taking our training! We’ve worked together with our Microsoft Certified Partners for Learning Solutions and our Microsoft IT Academies to bring you a world-class learning experience—whether you’re a professional looking to advance your skills or a student preparing for a career in IT.
■ Microsoft Certified Trainers and Instructors—Your instructor is a technical and instructional expert who meets ongoing certification requirements. And, if instructors are delivering training at one of our Certified Partners for Learning Solutions, they are also evaluated throughout the year by students and by Microsoft.
■ Certification Exam Benefits—After training, consider taking a Microsoft Certification exam. Microsoft Certifications validate your skills on Microsoft technologies and can help differentiate you when finding a job or boosting your career. In fact, independent research by IDC concluded that 75% of managers believe certifications are important to team performance¹. Ask your instructor about Microsoft Certification exam promotions and discounts that may be available to you.
■ Customer Satisfaction Guarantee—Our Certified Partners for Learning Solutions offer a satisfaction guarantee and we hold them accountable for it. At the end of class, please complete an evaluation of today’s experience. We value your feedback!
We wish you a great learning experience and ongoing success in your career!
Sincerely,
Microsoft Learning
www.microsoft.com/learning
¹ IDC, Value of Certification: Team Certification and Organizational Performance, November 2006
BETA COURSEWARE EXPIRES 4/18/2011
Acknowledgement
Microsoft® Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.
Damir Dizdarevic – Subject Matter Expert
Damir Dizdarevic, an MCT, MCSE, MCTS, and MCITP, is a manager of the Learning Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir specializes in Windows Server® and Exchange Server. He has worked as a subject matter expert and technical reviewer on several Microsoft® Official Curriculum (MOC) courses, and has published more than 350 articles in various Information Technology (IT) magazines, including Windows ITPro. Additionally, he is a Microsoft Most Valuable Professional for Windows Server Infrastructure Management.
Conan Kezema – Subject Matter Expert
Conan Kezema, B.Ed, MCSE, MCT, is an educator, consultant, network systems architect, and author who specializes in Microsoft® technologies. As an associate of S.R. Technical Services, Conan has been a subject matter expert, instructional designer, and author on numerous Microsoft courseware development projects.
Nelson Ruest – Technical Reviewer
Nelson Ruest is an IT expert focused on virtualization, continuous service availability and infrastructure optimization. As an enterprise architect, he has designed and implemented Active Directory structures that manage over one million users. He is the co-author of multiple books, including Virtualization: A Beginner’s Guide for McGraw-Hill Osborne, MCTS Self-Paced Training Kit (Exam 70-652): Configuring Windows Server® Virtualization with Hyper-V®, and the best-selling MCTS Self-Paced Training Kit (Exam 70-640): Configuring Windows Server® 2008 Active Directory® for Microsoft Press.
Contents
Module 1: Introducing Active Directory Domain Services (AD DS)
Lesson 1: Overview of Active Directory, Identity, and Access
Lesson 2: Active Directory Components and Concepts
Lesson 3: Install Active Directory Domain Services
Lab: Install an AD DS DC to Create a Single Domain Forest
Module 2: Administering Active Directory Securely and Efficiently
Lesson 1: Work with Active Directory Administration Tools
Lesson 2: Custom Consoles and Least Privilege
Lab A: Administering Active Directory Using Administrative Tools
Lesson 3: Find Objects in Active Directory
Lab B: Find Objects in Active Directory
Lesson 4: Use Windows PowerShell to Administer Active Directory
Lab C: Use Windows PowerShell to Administer Active Directory
Module 3: Managing Users
Lesson 1: Create and Administer User Accounts
Lab A: Create and Administer User Accounts
Lesson 2: Configure User Object Attributes
Lab B: Configure User Object Attributes
Lesson 3: Automate User Account Creation
Lab C: Automate User Account Creation
Lesson 4: Create and Configure Managed Service Accounts
Lab D: Create and Configure Managed Service Accounts
Module 4: Managing Groups
Lesson 2: Administer Groups
Lab A: Administer Groups
Lesson 3: Best Practices for Group Management
Lab B: Best Practices for Group Management
Module 5: Managing Computer Accounts
Lesson 1: Create Computers and Join the Domain
Lab A: Create Computers and Join the Domain
Lesson 2: Administer Computer Objects and Accounts
Lab B: Administer Computer Objects and Accounts
Lesson 3: Offline Domain Join
Lab C: Offline Domain Join
Module 6: Implementing a Group Policy Infrastructure
Lesson 1: Understand Group Policy
Lesson 2: Implement Group Policy Objects
Lab A: Implement Group Policy
Lesson 3: A Deeper Look at Settings and GPOs
Lab B: Manage Settings and GPOs
Lesson 4: Group Policy Preferences
Lab C: Manage Group Policy Preferences
Lesson 5: Manage Group Policy Scope
Lab D: Manage Group Policy Scope
Lesson 6: Group Policy Processing
Lesson 7: Troubleshoot Policy Application
Lab E: Troubleshoot Policy Application
Module 7: Managing Enterprise Security and Configuration with Group Policy Settings
Lesson 1: Delegate the Support of Computers
Lesson 2: Manage Security Settings
Lab B: Manage Security Settings
Lesson 3: Manage Software with GPSI
Lab C: Manage Software with GPSI
Lesson 4: Auditing
Lab D: Audit File System Access
Lesson 5: Software Restriction Policy and AppLocker
Lab E: Configure Application Control Policies
Module 8: Securing Administration
Lesson 1: Delegate Administrative Permissions
Lab A: Delegate Administration
Lesson 2: Audit Active Directory® Changes
Lab B: Audit Active Directory Changes
Module 9: Improving the Security of Authentication in an AD DS Domain
Lesson 1: Configure Password and Lockout Policies
Lab A: Configure Password and Account Lockout Policies
Lesson 2: Audit Authentication
Lab B: Audit Authentication
Lesson 3: Configure Read-Only Domain Controllers
Lab C: Configure Read-Only Domain Controllers
Module 10: Configuring Domain Name System
Lesson 1: Review of DNS Concepts, Components, and Processes
Lesson 2: Install and Configure DNS Server in an AD DS Domain
Lab A: Install the DNS Service
Lesson 3: AD DS, DNS, and Windows
Lesson 4: Advanced DNS Configuration and Administration
Module 11: Administering AD DS Domain Controllers
Lesson 1: Domain Controller Installation Options
Lab A: Install Domain Controllers
Lesson 2: Install a Server Core Domain Controller
Lab B: Install a Server Core Domain Controller
Lesson 3: Manage Operations Masters
Lab C: Transfer Operations Master Roles
Lesson 4: Configure DFS-R Replication of SYSVOL
Lab D: Configure DFS-R Replication of SYSVOL
Module 12: Managing Sites and Active Directory Replication
Lesson 1: Configure Sites and Subnets
Lab A: Configure Sites and Subnets
Lesson 2: Configure the Global Catalog and Application Partitions
Lab B: Configure the Global Catalog and Application Partitions
Lesson 3: Configure Replication
Lab C: Configure Replication
Module 13: Directory Service Continuity
Lesson 1: Monitor Active Directory
Lab A: Monitor Active Directory Events and Performance
Lesson 2: Manage the Active Directory Database
Lab B: Manage the Active Directory Database
Lesson 3: Active Directory Recycle Bin
Lab C: Using Active Directory Recycle Bin
Lesson 4: Back Up and Restore AD DS and Domain Controllers
Lab D: Back Up and Restore Active Directory
Module 14: Managing Multiple Domains and Forests
Lesson 1: Configure Domain and Forest Functional Levels
Lesson 2: Manage Multiple Domains and Trust Relationships
Lab: Administer a Trust Relationship
Lesson 3: Move Objects Between Domains and Forests
About This Course
This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.
Course Description
The purpose of this 5-day course is to teach Active Directory® Technology Specialists how to configure Active Directory Domain Services (AD DS) in a distributed environment, implement Group Policy, perform backup and restore, and monitor and troubleshoot Active Directory–related issues. After completing this course, students will be able to implement and configure Active Directory Domain Services in their enterprise environment.
Audience
The primary audience for this course includes Active Directory Technology Specialists, Server Administrators, and Enterprise Administrators who want to learn how to implement Active Directory in a distributed environment; secure domains using Group Policy; perform backup and restore; and monitor and troubleshoot Active Directory configuration to ensure trouble-free operation.
Student Prerequisites
This course requires that you meet the following prerequisites:
• Basic understanding of networking. You should understand how TCP/IP functions and have a basic understanding of addressing, name resolution (Domain Name System [DNS]/Windows® Internet Name Service [WINS]), connection methods (wired, wireless, virtual private network [VPN]), and NET+ or equivalent knowledge.
• Intermediate understanding of network operating systems. You should have an intermediate understanding of operating systems such as Windows 2000, Windows XP, or Windows Server® 2003. An understanding of the Windows Vista® operating system client is nice to have.
• An awareness of security best practices. You should understand file system permissions, authentication methods, workstation and server hardening methods, and so forth.
• Basic knowledge of server hardware. You should have an A+ or equivalent knowledge.
• Some experience creating objects in Active Directory.
• Basic concepts of backup and recovery in a Windows Server environment. You should have basic knowledge of backup types, backup methods, backup topologies, and so forth.
Course Objectives
After completing this course, students will be able to:
• Describe the features and functionality of Active Directory Domain Services.
• Perform secure and efficient administration of Active Directory.
• Manage users and service accounts.
• Manage groups.
• Manage computer accounts.
• Implement a Group Policy infrastructure.
• Manage enterprise security and configuration by using Group Policy settings.
• Secure administration.
• Improve the security of authentication in an AD DS Domain.
• Configure Domain Name System.
• Administer AD DS domain controllers.
• Manage sites and Active Directory.
• Monitor, maintain, and back up directory service to ensure continuity.
• Manage multiple domains and forests.
Course Outline
This section provides an outline of the course:
Module 1: This module explains how to install and configure Active Directory Domain Services and install and configure a read-only domain controller.
Module 2: This module explains how to work securely and efficiently in Active Directory.
Module 3: This module explains how to manage and support user accounts in Active Directory.
Module 4: This module explains how to create, modify, delete, and support group objects in Active Directory.
Module 5: This module explains how to create and configure computer accounts.
Module 6: This module explains what Group Policy is, how it works, and how best to implement Group Policy in your organization.
Module 7: This module explains how to manage security and software installation and how to audit files and folders.
Module 8: This module explains how to administer Active Directory Domain Services securely.
Module 9: This module explains the domain-side components of authentication, including the policies that specify password requirements and the auditing of authentication-related activities.
Module 10: This module explains how to implement DNS to support name resolution both within your AD DS domain and outside your domain and your intranet.
Module 11: This module explains how to administer domain controllers in a forest.
Module 12: This module explains how to create a distributed directory service that supports domain controllers in portions of your network that are separated by expensive, slow, or unreliable links.
Module 13: This module explains the technologies and tools that are available to help ensure the health and longevity of the directory service. You will explore tools that help you monitor performance in real time, and you will learn to log performance over time so that you can keep an eye on performance trends in order to spot potential problems.
Module 14: This module explains how to raise the domain and forest functional levels within your environment, how to design the optimal AD DS infrastructure for your enterprise, how to migrate objects between domains and forests, and how to enable authentication and resource access across multiple domains and forests.
Course Materials
The following materials are included with your kit:
• Course Handbook. The Course Handbook contains the material covered in class. It is meant to be used in conjunction with the Course Companion CD.
• Course Companion CD. The Course Companion CD contains the full course content, including expanded content for each topic page, full lab exercises and answer keys, and topical and categorized resources and Web links. It is meant to be used both inside and outside the class.
Note: To access the full course content, insert the Course Companion CD into the CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.
• Course evaluation. At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.
To provide additional comments or feedback on the course, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send e-mail to [email protected].
Virtual Machine Environment
This section provides the information for setting up the classroom environment to support the business scenario of the course.
Virtual Machine Configuration
In this course, you will use Hyper-V deployed on Windows Server 2008 to perform the labs.
The following table shows the role of each virtual machine that this course uses:
Virtual machine     Role
6425C-NYC-DC1       Windows Server 2008 DC in Contoso domain
6425C-NYC-DC2       Windows Server 2008 DC in Contoso domain
6425C-NYC-CL1       Windows 7 Client in Contoso domain
6425C-NYC-CL2       Windows 7 Client in Contoso domain
6425C-BRANCHDC01    Windows Server 2008 WorkGroup member
6425C-BRANCHDC02    Windows Server 2008 Server Core DC in Contoso domain
6425C-NYC-SVR1      Windows Server 2008 WorkGroup member
6425C-NYC-SVR2      Windows Server 2008 WorkGroup member
6425C-NYC-SVR-D     Windows Server 2008 WorkGroup member
6425C-TST-DC1       Windows Server 2008 DC in Tailspintoys domain
Software Configuration
The following software is installed on the virtual machines:
• Windows Server 2008 R2 Enterprise
• Windows 7 Enterprise
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way. To log on to a virtual machine as a different user while performing the labs in this course, perform the following steps.
Run an application with administrative credentials.
1. Right-click the application, and then click Run as administrator. A User Account Control (UAC) dialog box appears.
2. The User Account Control dialog box will display one of three options. Do the steps based on the option you see:
If the User Account Control dialog box prompts you to continue or cancel:
• Click Continue.
If the User Account Control dialog box gives you the option to Use another account:
1. Click Use another account.
2. In the User Name box, type the user name.
3. In the Password box, type the password.
4. Press Enter or click OK.
If the User Account Control dialog box does not give you the option to use another account, and prompts you for a user name and password:
1. In the User Name box, type the user name.
2. In the Password box, type the password.
3. Press Enter or click OK.
Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.
• Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
• Dual 120 GB hard disks 7200 RPM SATA or better*
• 4 GB RAM
• DVD drive
• Network adapter
• Super VGA (SVGA) 17-inch monitor
• Microsoft Mouse or compatible pointing device
• Sound card with amplified speakers
Module 7
Managing Enterprise Security and Configuration with Group Policy Settings
Contents:
Lesson 1: Delegate the Support of Computers
Lab A: Delegate the Support of Computers
Lesson 2: Manage Security Settings
Lab B: Manage Security Settings
Lesson 3: Manage Software with GPSI
Lab C: Manage Software with GPSI
Lesson 4: Auditing
Lab D: Audit File System Access
Lesson 5: Software Restriction Policy and AppLocker
Lab E: Configure Application Control Policies
Module Overview
Group Policy can be used to manage the configuration of a variety of components and features of Windows. In the previous module, you learned how to configure a Group Policy infrastructure. In this module, you will learn to apply that infrastructure to manage several types of configuration related to security and software installation. You will also discover tools, such as the Security Configuration Wizard, that make it easier to determine which settings should be configured based on a server's roles. You will also learn how to configure auditing of files and folders. In the final sections of the module, you will learn how to deploy applications by using Group Policy, and how to restrict access to applications by using application control policies.
Objectives
After completing this module, you will be able to:
• Delegate the support of computers.
• Manage security settings.
• Manage software by using GPSI.
• Describe the purpose and functionality of auditing
Lesson 1
Delegate the Support of Computers
Many enterprises have one or more people dedicated to supporting end users. They are often referred to as the help desk, desktop support, or just support. Help desk personnel need to troubleshoot, configure, or perform other support tasks on client computers, and these tasks often require administrative privileges. Therefore, the credentials used by support personnel must be at the level of a member of the local Administrators group on client computers. However, desktop support personnel do not need the high level of privilege given to the Domain Admins group, so do not place them in that group. Instead, configure client systems so that a group representing support personnel is added to the local Administrators group. Restricted groups policies enable you to do just that, and in this lesson, you will learn how to use restricted groups policies to add the help desk personnel to the local Administrators group of clients and, thereby, delegate support of those computers to the help desk. The same approach can be used to delegate the administration of any scope of computers to the team responsible for those systems.
Objectives
After completing this lesson, you will be able to:
• Describe restricted groups.
• Use Restricted Groups policies to modify or enforce the membership of groups.
What Are Restricted Groups?
Key Points
When you edit a Group Policy object (GPO) and expand the Computer Configuration node, the Policies node, the Windows Settings node, and the Security Settings node, you will find the Restricted Groups policy node, as in the following screen shot.
Restricted Groups policy settings enable you to manage the membership of groups. There are two types of settings: This group is a member of (the Member Of setting) and Members of this group (the Members setting).
It’s very important to understand the difference between these two settings. A Member Of setting specifies that the group specified by the policy is a member of another group. On the left of the previous screen shot, you can see a typical example: The CONTOSO\Help Desk group is a member of the Administrators group. When a computer applies this policy setting, it ensures that the Help Desk group from the domain becomes a member of its local Administrators group. If there is more than one GPO with restricted groups policies, each Member Of policy is applied. For example, if a GPO linked to the Client Computers organizational unit (OU) specifies CONTOSO\Help Desk as a member of Administrators, and a second GPO linked to the NYC OU (a sub-OU of the Client Computers OU) specifies CONTOSO\NYC Support as a member of Administrators, a computer in the NYC OU will add both the Help Desk and NYC Support groups to its Administrators group in addition to any existing members of the group, such as Domain Admins. This example is illustrated in the following screen shot.
As you can see, restricted groups policies that use the Member Of setting are cumulative.
The second type of restricted groups policy setting is the Members setting, which specifies the entire membership of the group specified by the policy. The dialog box on the right of the side-by-side dialog boxes shown earlier is a typical example: The Administrators group’s Members list is specified as CONTOSO\Help Desk. When a computer applies this policy setting, it ensures that the local Administrators group’s membership consists only of CONTOSO\Help Desk. Any members not specified in the policy are removed, including Domain Admins. The Members setting is the authoritative policy: it defines the final list of members. If there is more than one GPO with restricted groups policies, the GPO with the highest priority prevails. For example, if a GPO linked to the Client Computers OU specifies the Administrators group membership as CONTOSO\Help Desk, and another GPO linked to the NYC OU specifies the Administrators group membership as CONTOSO\NYC Support, the computers in the NYC OU have only the NYC Support group in their
If you use both Members and Member Of restricted groups policies, the Members policy setting that takes precedence sets the authoritative baseline membership for the group, and then the cumulative memberships of Member Of policies augment that baseline.
In your enterprise, be careful to design and test your restricted groups policies to ensure that they achieve the desired result.
Demonstration: Delegate Administration by Using Restricted Groups Policies
Key Points
You can use restricted groups policies with the Member Of setting to manage the delegation of administrative privileges for computers by following these steps:
Demonstration Steps
1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.
2. On NYC-DC1 click Start, point to Administrative Tools and run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, expand Forest:contoso.com, Domains and contoso.com, and then click the Group Policy Objects container.
4. Right-click the Group Policy Objects container, and then click New.
5. In the Name box, type Corporate Help Desk, and then click OK.
6. In the details pane, right-click Corporate Help Desk, and then click Edit. The Group Policy Management Editor appears.
7. In Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
8. Right-click Restricted Groups and click Add Group.
9. Click Browse and, in the Select Groups dialog box, type the name of the group you want to add to the Administrators group—for example, CONTOSO\Help Desk—and click OK.
10. Click OK to close the Add Group dialog box. A Properties dialog box appears.
11. Click Add next to the This group is a member of section.
12. Type Administrators, and click OK.
The Properties group policy setting should look similar to the dialog box on the left of the side-by-side dialog boxes shown earlier.
13. Click OK again to close the Properties dialog box.
Delegating the membership of the local Administrators group in this manner adds the group specified in step 9 to that group. It does not remove any existing members of the Administrators group. The Group Policy setting simply tells the client, “Make sure this group is a member of the local Administrators group.” This allows for the possibility that individual systems could have other users or groups in their local Administrators group. This group policy setting is also cumulative. If multiple GPOs configure different security principals as members of the local Administrators group, all will be added to the group.
To take complete control of the local Administrators group, follow these steps:
Demonstration Steps
1. In Group Policy Management Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Restricted Groups.
2. Right-click Restricted Groups, and click Add Group.
3. Type Administrators, and click OK. A Properties dialog box appears.
5. Click Browse and enter the name of the group you want to make the sole member of the Administrators group—for example, CONTOSO\Help Desk— and click OK.
6. Click OK again to close the Add Member dialog box.
The group policy setting Properties should look similar to the dialog box on the right of the side-by-side dialog boxes shown earlier.
7. Click OK again to close the Properties dialog box.
When you use the Members setting of a restricted groups policy, the Members list defines the final membership of the specified group. The steps just listed result in a GPO that authoritatively manages the Administrators group. When a computer applies this GPO, it adds all members specified by the GPO and removes all members not specified by the GPO, including Domain Admins. Only the local Administrator account will not be removed from the Administrators group because Administrator is a permanent and unremovable member of Administrators.
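The resolution rules described in this lesson, written out as a small Python model so that a planned set of GPOs can be checked before it is linked. This is an added example, not part of the courseware: the Gpo class, the function names and the sample GPO contents are assumptions built from the lesson's CONTOSO examples, and the model covers only the rules stated above.

```python
"""Model of how Restricted Groups settings resolve on one computer.

Added illustration: implements only the rules stated in this lesson.
"""
from dataclasses import dataclass, field

ADMINS = "Administrators"
BUILTIN_ADMIN = "Administrator"  # permanent member of local Administrators


@dataclass
class Gpo:
    """One GPO's Restricted Groups settings (hypothetical container)."""
    name: str
    # "Members of this group": local group -> its complete member list
    members: dict = field(default_factory=dict)
    # "This group is a member of": principal -> local groups it is added to
    member_of: dict = field(default_factory=dict)


def resolve(group, current, gpos):
    """Return (resulting_members, removed_members) for one local group.

    gpos must be ordered from lowest to highest precedence.
    """
    result = set(current)

    # Members is authoritative: only the highest-precedence GPO that
    # defines it for this group counts, and it replaces the whole list.
    winner = None
    for gpo in gpos:
        if group in gpo.members:
            winner = gpo
    if winner is not None:
        result = set(winner.members[group])

    # Member Of is cumulative: every GPO's entries are added on top.
    for gpo in gpos:
        for principal, groups in gpo.member_of.items():
            if group in groups:
                result.add(principal)

    # The built-in Administrator account cannot be removed from Administrators.
    if group == ADMINS:
        result.add(BUILTIN_ADMIN)

    return result, set(current) - result


def stripped(group, current, gpos, required):
    """List the required principals that the GPO set would remove."""
    _, removed = resolve(group, current, gpos)
    return sorted(removed & set(required))


# Constructed sample data based on the lesson's CONTOSO examples.
CURRENT = {BUILTIN_ADMIN, r"CONTOSO\Domain Admins"}
HELP_DESK = r"CONTOSO\Help Desk"
NYC_SUPPORT = r"CONTOSO\NYC Support"

# Lowest precedence first: Client Computers OU, then its sub-OU NYC.
MEMBER_OF_ONLY = [
    Gpo("Client Computers", member_of={HELP_DESK: [ADMINS]}),
    Gpo("NYC", member_of={NYC_SUPPORT: [ADMINS]}),
]
MEMBERS_ONLY = [
    Gpo("Client Computers", members={ADMINS: [HELP_DESK]}),
    Gpo("NYC", members={ADMINS: [NYC_SUPPORT]}),
]
MIXED = [
    Gpo("Client Computers", members={ADMINS: [HELP_DESK]}),
    Gpo("NYC", member_of={NYC_SUPPORT: [ADMINS]}),
]

if __name__ == "__main__":
    for label, gpos in (("Member Of only", MEMBER_OF_ONLY),
                        ("Members only", MEMBERS_ONLY),
                        ("Mixed", MIXED)):
        result, removed = resolve(ADMINS, CURRENT, gpos)
        print(f"{label}: members={sorted(result)} removed={sorted(removed)}")
        print("  required principals lost:",
              stripped(ADMINS, CURRENT, gpos, [r"CONTOSO\Domain Admins"]))
```

Passing the principals that must keep administrative access as the required argument shows, before deployment, whether a Members policy would strip them from the group.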
Define Group Membership with Group Policy Preferences
Key Points
Group Policy Preferences can also be used to define the membership of groups