IT ACADEMY LESSON PLAN. Microsoft Windows Server Active Directory
Academic year: 2021

IT ACADEMY LESSON PLAN

Microsoft Windows Server 2008 Active Directory: Lesson Plans

Introduction

Preparing to teach a course on Microsoft Windows Server 2008 Active Directory Configuration, based on Exam 70-640: TS: Active Directory Configuration, for the first time can be a challenge requiring careful planning and organization. The Microsoft IT Academy provides these lesson plans to help you save time, skillfully manage the teaching environment, and successfully communicate the intended lesson.

The lesson plans are flexible and have been created in a concise format of small teachable units to allow you to use them with any textbook. To support a textbook-independent teaching style, each lesson plan contains suggested demonstrations and explanations.

These lesson plans have been developed to be independent of a predefined lesson schedule. Whether the course is taught in a one-semester or one-quarter term format, we suggest the following class format: a 60-minute lesson lecture followed by a 120-minute lab (hands-on performance) session. This model is recommended in order to increase student performance and enhance the knowledge and skills gained through active participation in the course.

Each lesson plan includes:

 Learning Goals for each lesson.

 Learning Objectives that may be observed throughout the lesson.

 Lecture Outline that details what to present in each class.

 Quick Quiz of multiple choice and true/false type questions.

 Lesson Exercises and Lesson Projects, provided at the end of each Lesson Plan to directly connect the student with the materials that have just been covered in class. The projects can be used independent of a textbook or as an assessment to determine skill mastery. To simplify the scoring process, an annotated answer key for each exercise and project is included to adequately determine if the learning objective was accomplished through the process of lecture and activity.

Lesson 1: An Introduction to Active Directory Domain Services

Learning Goals

The goal of this lesson is to introduce students to the Windows Server 2008 Active Directory Domain Services (AD DS) and to point out the benefits of AD DS. The student will learn about the features of AD DS.

Learning Objectives

Upon completion of this lesson, students will be able to understand:

 Active Directory domain service

 Active Directory security

 Components of Active Directory

 Active Directory naming standards

 Working with functional levels in Active Directory

Lesson Introduction

Explain that Microsoft Windows Server 2008 includes Active Directory Services that assist the administrator in managing and securing the network. Students will learn what Active Directory is, the components of AD, and its functional levels.

What is Active Directory Domain Services?

Instructors should do the following:

 Explain that directory services allow network administrators to define, manage, access, and secure network resources.

 Point out that the two components of Windows Server 2008 that provide directory services are Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

 Explain that AD DS provides full directory services and is commonly referred to as Active Directory.

 Explain that AD LDS is a flexible platform that offers Active Directory functionality without the full overhead.

 Point out that any computer on which the Active Directory Domain Services role has been installed and configured is a domain controller.

 Explain that the ability of Active Directory to keep all domain controllers on the network apprised of changes to the directory is called replication.

 Point out that the process of a domain controller receiving updates to Active Directory from another domain controller is called inbound replication.

 Explain that Active Directory is used to simplify the security management of network resources and to extend interoperability with applications and devices.

What is Active Directory Security?

Instructors should do the following:

 Point out that interoperability with prior versions of Microsoft Windows Active Directory is provided in Windows Server 2008 through domain and forest functional levels.

 Explain that Windows Server 2008 no longer supports Windows NT domain controllers in the same domain.

 Explain that Active Directory provides single sign-on: a user authenticates once and is then granted access to any resource in the domain (or in trusting domains) for which that user has been given permissions.

 Explain that Active Directory offers a redundant solution and creates a fault tolerant system in the event of server failure or network connectivity failure.

 Point out that the Active Directory database file (ntds.dit) is held by every domain controller; changes made to it on one domain controller are replicated to the other domain controllers.

 Explain that Windows Server 2008 introduces the Read-Only Domain Controller (RODC), which holds a copy of ntds.dit that cannot be modified locally and, by default, stores no account passwords; which credentials an RODC may cache is set by its Password Replication Policy. This makes the RODC the appropriate choice for branch offices where physical security is weaker.

 Explain that Publishing is a way to make an object available to the network as a resource listed in the Active Directory.

What Are the Components of Active Directory?

Instructors should do the following:

 Explain that the components of Active Directory provide flexibility through design, scalability, administration, and security.

 Point out that objects in Active Directory are categorized as container objects or leaf objects.

 Explain that a container object is an object that houses other objects.

 Explain that a leaf object cannot contain other objects and typically refers to a printer, folder, user, or group.

 Point out that the largest container object in Active Directory is called a forest.

 Point out that for efficiency, partitions are used to divide information into naming contexts (NC).

 Explain that the two NCs that are replicated forest-wide and stored in the ntds.dit file are the Schema NC and the Configuration NC.

 Point out that the Schema NC contains rules and definitions for creating and modifying object classes within Active Directory.

 Point out that the Configuration NC contains information regarding the physical topology of the network.

 Explain that each domain controller stores a copy of the Domain NC, which consists of user, computer, and other information for a particular Active Directory domain.

 Explain that within a forest, Active Directory further divides to create administrative boundaries.

 Point out that a domain tree is one or more domains that share a contiguous DNS namespace, for example a parent domain and its child domains.

 Explain that the global catalog is not a separate partition: it is a partial, read-only replica of every domain partition in the forest, held on designated domain controllers and replicated forest-wide.

 Point out that the Active Directory can contain one or more organizational units (OUs) that can further subdivide users and resources.

 Explain that an OU is a container that represents a logical grouping of resources that have similar security guidelines.

 Point out that OUs are nested in hierarchical fashion, allowing a parent OU to contain one or more child OUs.

 Explain that the administration of an OU can be delegated to a department supervisor or manager to allow that person to manage daily resource access tasks.

 Explain that an application partition allows administrators to fine-tune replication by designating which domain controllers in the domain or forest will hold a copy of its information.

 Explain that each resource in Active Directory is represented as an object and each object has a set of attributes.

 Explain that objects in Active Directory are defined in the Active Directory schema.

 Point out that a schema is a master database containing definitions of all objects in the Active Directory.

 Explain that a schema is created from two components: the object and its attributes.

 Point out that a site in Active Directory is defined as one or more IP subnets that are connected by a fast, reliable link.

 Explain that replication within a site is triggered by change notification shortly after an update is made, whereas replication between sites runs on the schedule and interval that the administrator defines on the site link.

 Explain that the Knowledge Consistency Checker (KCC) au-

What Are the Active Directory Naming Standards?

Instructors should do the following:

 Explain that the Lightweight Directory Access Protocol (LDAP) has become an industry standard because it enables data exchange between directory services and applications.

 Point out that LDAP defines the naming of all objects in the Active Directory database.

 Explain that a Distinguished Name (DN) defines an object in the Active Directory structure through its hierarchical path.

 Point out that the LDAP naming attributes include the Common Name (CN), Organizational Unit name (OU), and Domain Component (DC).

 Explain that the Domain Name System (DNS) is Active Directory's default name resolution method.

 Point out that the configuration of DNS is critical for proper functioning of Active Directory.

 Explain that DNS is a distributed name resolution service that provides name resolution for Active Directory domain and computer host name–to–IP address mappings on the network.

 Point out that computers are assigned an IP address and a DNS host name at installation.

 Explain that Active Directory relies on DNS to be a locator service for clients on the network.

 Explain that SRV records are the locator records within DNS that allow the client to locate an Active Directory domain controller.
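The naming rules above, as an added example that is not part of the lesson plan: a small Python module that builds, escapes and parses distinguished names under the RFC 4514 rules. The names in it (the contoso.com domain, the Sales and Corp OUs, the user "Smith, John") are made up. The last part of the demo shows why escaping matters when a DN is assembled from user-supplied text: an unescaped comma would let the caller move the object into a different container.

```python
"""Build, escape and parse LDAP distinguished names (RFC 4514 rules).

Added example for the naming-standards lesson; domain and OU names are made up.
"""

# Characters that must be backslash-escaped inside an RDN value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a value so it can sit inside an RDN without changing the DN's structure."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")      # leading/trailing spaces are dropped unless escaped
        elif ch == "#" and i == 0:
            out.append("\\#")      # a leading '#' would mean "hex-encoded value"
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> list:
    """Split a DN into (ATTRIBUTE, value) pairs, most specific first.

    Backslash escapes are honoured, so 'CN=Smith\\, John' keeps its comma.
    Multi-valued RDNs joined with '+' are not handled here.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value))
    return pairs


def dns_domain_of(dn: str) -> str:
    """The DNS name spelled out by the DC= components, i.e. the domain the object lives in."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def parent_dn(dn: str) -> str:
    """DN of the container holding the object: drop the first RDN and re-escape the rest."""
    return ",".join(f"{a}={escape_rdn_value(v)}" for a, v in parse_dn(dn)[1:])


def build_dn(cn: str, ou_path: list, dns_domain: str) -> str:
    """Assemble a DN from possibly untrusted parts, escaping every value.

    ou_path lists OUs innermost first, e.g. ["Sales", "Corp"].
    """
    rdns = [f"CN={escape_rdn_value(cn)}"]
    rdns += [f"OU={escape_rdn_value(ou)}" for ou in ou_path]
    rdns += [f"DC={escape_rdn_value(label)}" for label in dns_domain.split(".")]
    return ",".join(rdns)


if __name__ == "__main__":
    dn = build_dn("Smith, John", ["Sales", "Corp"], "contoso.com")
    print(dn)                       # CN=Smith\, John,OU=Sales,OU=Corp,DC=contoso,DC=com
    print(parse_dn(dn))
    print(dns_domain_of(dn), "|", parent_dn(dn))
    # Without escaping, a comma in a user-supplied CN would relocate the object:
    hostile = build_dn("x,OU=Domain Controllers", [], "contoso.com")
    print(parse_dn(hostile)[0])     # ('CN', 'x,OU=Domain Controllers'), still one RDN
```

The parser deliberately rejects an RDN without an "=" rather than guessing, and build_dn never concatenates raw input; both habits matter whenever a DN is derived from a web form or an API call.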

Working with Functional Levels in Active Directory

Instructors should do the following:

 Point out that the domain functional level may be raised for a single domain within a multi-domain environment, allowing for rolling upgrades.

 Explain that raising a functional level is a one-way operation in Windows Server 2008; it can be undone only by restoring the domain or forest from backup.

 Explain that the following are functional levels available in Windows Server 2008: Windows 2000 Native, Windows Server 2003, and Windows Server 2008.

 Point out that the following functionality is available at the Windows 2000 Native domain functional level: Install from Media, application partitions, drag-and-drop user interface, global group nesting and universal security groups, and SIDHistory.

 Point out that the Windows Server 2003 domain functional level includes everything at the Windows 2000 Native level and adds the lastLogonTimestamp attribute, the ability to set passwords on inetOrgPerson objects, and domain rename.

 Point out that the Windows Server 2008 domain functional level adds DFS Replication for SYSVOL, AES 128 and AES 256 encryption for Kerberos, last interactive logon information, and fine-grained password policies.

 Point out that the Windows 2000 forest functional level is the default forest functional level for a new Windows Server 2008 forest and includes the following features: Install from Media, universal group caching, and application directory partitions.

 Point out that the Windows Server 2003 forest functional level includes all Windows 2000 features as well as the following: improved replication of group objects (linked-value replication), dynamic auxiliary class objects, conversion of user objects to inetOrgPerson objects, schema deactivation, domain rename, cross-forest trusts, and an improved Intersite Topology Generator (ISTG). The Windows Server 2008 forest functional level adds no further forest-wide features; it requires every domain in the forest to be at the Windows Server 2008 domain functional level.

 Discuss the guidelines that are important for raising a forest level in Windows Server 2008.

 Explain that trust relationships are used in Windows Server 2008 to allow access to multiple domains across enterprise networks.

 Point out that a trust relationship by itself grants no permissions: administrators of the trusting domain can then grant users from the trusted domain access to their resources.

 Explain that a shortcut trust may be created between two domains in the same forest to shorten the authentication path between them; it does not create access that did not already exist, but it speeds up cross-domain authentication.

 Explain that a cross-forest trust can be created between forests running at least the Windows Server 2003 forest functional level, as either a one-way or a two-way relationship.

Lesson Quiz

True/False

1. Active Directory utilizes a single-master database, with all updates and changes made on the primary domain controller.

2. A domain is the largest container object in Active Directory.

3. By default, security settings applied to an organizational unit will be inherited by all child organizational units.

4. Active Directory uses SRV records in DNS to locate domain controllers and global catalog servers.

5. Each domain within a single Active Directory forest will have its own individual Schema.

Multiple Choice

1. Which of the following are valid container objects in Active Directory? Choose three.

a) Organizational units
b) Forests
c) Domains
d) Security groups

2. The Schema database contains what two types of information?

a) Object attributes
b) User names
c) Object classes
d) Active Directory containers

3. Active Directory uses what protocol for the basis of its naming format?

a) NetBIOS
b) DNS

4. What is the default forest functional level in Windows Server 2008 Active Directory?

a) Windows Server 2003
b) Windows Server 2000
c) Windows Server 2000 Mixed
d) Windows Server 2008

5. What type of trust can be created to improve performance between two Active Directory domains within the same forest that may be separated by a slow WAN link?

a) External trust
b) Two-way transitive trust
c) Shortcut trust
d) Direct domain trust

Quiz Answers

True/False

1. False. Active Directory utilizes a multi-master database.
2. False. A forest is the largest container object in Active Directory.
3. True.
4. True.
5. False. The Schema is defined at the forest level for all domains in a forest.

Multiple Choice

1. A, B, C
2. A, C
3. D
4. B
5. C

Class Projects

Lesson 1—Exercise 1

List and explain the three partitions or naming contexts that are present on each domain controller. Explain how each is replicated.

Explain what an application partition is used for.


Lesson 1—Project 1

List and explain the three domain functional levels supported in Windows Server 2008 Active Directory. What features are supported with each functional level? Give an example of when each functional level would be appropriate.

What are the three forest functional levels supported in Windows Server 2008 Active Directory? How do forest functional levels differ from domain functional levels?

Microsoft Video Resources

Windows Server 2008 R2 Quick Look—Active Directory Administrative Center

This video provides a quick look at Active Directory Administrative Center, the new administrative tool in Windows Server 2008 R2.

Length: 6:25

Windows Server 2008 R2 Quick Look—System Health Report

A quick look at System Health Report, a tool in Windows Server 2008 R2 that helps you analyze your servers and provides you with prescriptive system diagnosis.

Lesson 2: Implementation of Active Directory

Learning Goals

The goal of this lesson is to guide students through the implementation of Windows Server 2008 Active Directory Domain Services (AD DS). Point out that students will use the components of AD DS that were discussed previously.

Learning Objectives

Upon completion of this lesson, students will be able to understand:

 Active Directory requirements

 Installing Active Directory

 Raising functional levels

 Additional Active Directory installation tasks

Lesson Introduction

Explain that implementing Microsoft Windows Server 2008 Active Directory requires students to understand the system prerequisites that must be in place. Students will learn how to create a new Active Directory forest, domain tree, and domain.

Understanding Active Directory Requirements

Instructors should do the following:

 Explain the importance of being familiar with the Windows Server 2008 central administrative interface.

 Demonstrate and describe the central administrative interface to students.

 Point out that Active Directory is installed by configuring one or more domain controllers.

 Explain that the Active Directory Installation Wizard (dcpromo) is used to guide the following installation scenarios:

 Adding a domain controller to an existing environment.

 Creating an entirely new forest structure.

 Adding a child domain to an existing domain.

 Adding a new domain tree to an existing forest.

 Demoting domain controllers and eventually removing a domain or forest.

 Point out that Active Directory may be installed on a full installation of Windows Server 2008 or on Server Core, a new installation option in Windows Server 2008.

 Explain the following requirements for installing Active Directory:

 The user must have an administrator account and password on the local machine.

 An NT File System (NTFS) partition for the SYSVOL folder structure must be set up.

 The NTFS partition must contain a minimum of 200 MB of free space.

 A minimum of 50 MB of file space is necessary to store the transaction log files.

 TCP/IP (Transmission Control Protocol/Internet Protocol) must be installed and configured.

 An Authoritative DNS Server for the DNS domain must be established.

 The user must know the potential size of the Active Directory database.

 Explain that it is advisable to gather all data needed for the Active Directory installation prior to beginning. The following are needed:

 Local administrator password

 Domain controller type

 Domain name

 Location for the AD database and log files

 Location for the SYSVOL folder structure

 Where DNS will be installed

 Directory Services Restore Mode (DSRM) password

 Installation CD or network location of the installation files

 Installation of the most up-to-date service packs and
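The checklist above maps directly onto the answer file that dcpromo /unattend reads, so the parameters can be gathered, checked and written out before anyone sits at the console. The following Python script is an added example and not part of the lesson plan; the domain names, paths and password in it are placeholders, and the minimum password length it enforces is an assumption (it matches the 7-character default domain policy). The [DCInstall] keys and the numeric ForestLevel/DomainLevel values are the ones dcpromo on Windows Server 2008 accepts.

```python
"""Assemble and sanity-check a dcpromo /unattend answer file for a new forest root.

Added example; names, paths and the password are placeholders.
"""
import re

# Values dcpromo expects for the ForestLevel / DomainLevel keys.
FUNCTIONAL_LEVELS = {"Windows 2000": 0, "Windows Server 2003": 2, "Windows Server 2008": 3}

_DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_NETBIOS_BAD = set('\\/:*?"<>|')

# The data the lesson says to gather before running dcpromo (placeholders).
PLAN = {
    "dns_name": "corp.example.com",
    "netbios_name": "CORP",
    "forest_level": "Windows Server 2008",
    "domain_level": "Windows Server 2008",
    "database_path": r"C:\Windows\NTDS",
    "log_path": r"C:\Windows\NTDS",
    "sysvol_path": r"C:\Windows\SYSVOL",
    "dsrm_password": "Placeholder-DSRM-Secret-1",   # Directory Services Restore Mode password
}


def check_plan(plan: dict) -> list:
    """Return the problems found; an empty list means the plan passes every check."""
    problems = []
    labels = plan["dns_name"].split(".")
    if len(labels) < 2 or not all(_DNS_LABEL.match(l) for l in labels):
        problems.append("dns_name must be a fully qualified DNS name with at least two labels")
    nb = plan["netbios_name"]
    if not 1 <= len(nb) <= 15 or any(c in _NETBIOS_BAD for c in nb):
        problems.append('netbios_name must be 1-15 characters and contain none of \\/:*?"<>|')
    if plan["forest_level"] not in FUNCTIONAL_LEVELS or plan["domain_level"] not in FUNCTIONAL_LEVELS:
        problems.append("unknown functional level")
    elif FUNCTIONAL_LEVELS[plan["domain_level"]] < FUNCTIONAL_LEVELS[plan["forest_level"]]:
        # A forest level can only be set once every domain is at least at that level.
        problems.append("domain_level cannot be lower than forest_level")
    for key in ("database_path", "log_path", "sysvol_path"):
        if not re.match(r"^[A-Za-z]:\\", plan[key]):
            problems.append(f"{key} must be an absolute local path on an NTFS volume")
    if len(plan["dsrm_password"]) < 7:   # assumption: at least the default policy minimum
        problems.append("dsrm_password is too short")
    return problems


def render_unattend(plan: dict) -> str:
    """Produce the [DCInstall] section for a new forest; refuses a plan that fails the checks."""
    problems = check_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "[DCInstall]",
        "ReplicaOrNewDomain=Domain",
        "NewDomain=Forest",
        f"NewDomainDNSName={plan['dns_name']}",
        f"DomainNetbiosName={plan['netbios_name']}",
        f"ForestLevel={FUNCTIONAL_LEVELS[plan['forest_level']]}",
        f"DomainLevel={FUNCTIONAL_LEVELS[plan['domain_level']]}",
        "InstallDNS=Yes",
        f"DatabasePath={plan['database_path']}",
        f"LogPath={plan['log_path']}",
        f"SYSVOLPath={plan['sysvol_path']}",
        f"SafeModeAdminPassword={plan['dsrm_password']}",
        "RebootOnCompletion=Yes",
    ]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(render_unattend(PLAN))
```

Write the output to a file, run dcpromo /unattend:<file> on the server, and delete the file afterwards: it holds the DSRM password in clear text, and that password is what an attacker with access to the backups or the file system needs to log on to the domain controller without the domain.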

Installing Active Directory

Instructors should do the following:

 Point out that the forest root domain is the first Active Directory Domain.

 Explain that child and additional domain trees may be added to the forest root domain.

 Explain that the dcpromo.exe command will launch the AD Installation Wizard.


 Demonstrate how to install a new Active Directory forest using the Server Manager.

 Point out that when installation is complete, the computer must be rebooted to configure the new domain controller.

 Explain the significance of verifying the correct installation and configuration of DNS.

 Explain that the administrator must verify that the following DNS items were created during installation:

 Application directory partition

 Aging and scavenging for zones

 Forward lookup zones and SRV records

 Reverse lookup zones

 Explain that it is important to know that:

 DNS Application directory partitions were created.

 It is necessary to be a member of the Enterprise Admins group to create or modify an application directory partition.

 An application directory partition can be created manually if it was not created through the installation wizard.

 Point out that aging and scavenging are processes for cleaning up the DNS database after DNS records become out of date.

 Demonstrate how to configure aging and scavenging through the DNS Tool found in the Administrative Tools Folder.

 Explain that the administrator must verify that appropriate DNS records were created during the installation wizard.

 Point out that Forward Lookup Zones are used for name resolution in computer host name–to–IP address mappings.

 Demonstrate how to verify the creation of a Forward Lookup Zone through the Administrative Tools Folder.

 Point out that each SRV record created in Active Directory contains the following:

 Protocol

 Domain name

 Time-to-live

 Priority

 Weight

 Port

 Demonstrate how to verify zone and record creation using the Administrative Tools Folder.

 Demonstrate how to verify that dynamic updates are enabled in the zone's Properties in the DNS console; for an Active Directory–integrated zone select Secure only, so that only authenticated domain members can register or overwrite records.

 Explain that Reverse Lookup Zones answer queries in which a client provides an IP address and DNS resolves the IP address to a host name.

 Demonstrate how to create a reverse lookup zone through the Administrative Tools Folder.
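How a client turns the SRV records listed above into a domain controller, as an added example that is not part of the lesson plan. The Python below lists the _msdcs names a Windows client queries (site-specific names first), parses zone-file style SRV lines carrying the fields named above, and orders the answers as RFC 2782 requires: lowest priority first, then a weighted random choice among equals. The corp.example.com domain, the Branch site and the host names are constructed.

```python
"""Locating a domain controller through DNS SRV records.

Added example; corp.example.com, the Branch site and the host names are made up.
"""
import random
from dataclasses import dataclass
from typing import Optional


def dc_locator_names(dns_domain: str, site: Optional[str] = None,
                     forest_root: Optional[str] = None) -> list:
    """SRV names a Windows client queries under _msdcs, site-specific when a site is given.

    Global catalog records live under the forest root, so pass forest_root for a
    child domain; it defaults to dns_domain (single-domain forest).
    """
    root = forest_root or dns_domain
    site_part = f"{site}._sites." if site else ""
    return [
        f"_ldap._tcp.{site_part}dc._msdcs.{dns_domain}",      # any domain controller
        f"_kerberos._tcp.{site_part}dc._msdcs.{dns_domain}",  # KDC
        f"_ldap._tcp.{site_part}gc._msdcs.{root}",            # global catalog
        f"_ldap._tcp.pdc._msdcs.{dns_domain}",                # PDC emulator (never site-specific)
    ]


@dataclass(frozen=True)
class SrvRecord:
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_line(line: str) -> SrvRecord:
    """Parse a zone-file style line: 'name ttl IN SRV priority weight port target'."""
    f = line.split()
    if len(f) != 8 or f[2:4] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(f[0].rstrip("."), int(f[1]), int(f[4]), int(f[5]), int(f[6]), f[7].rstrip("."))


def select_target(records: list, rng=random) -> SrvRecord:
    """RFC 2782 selection: lowest priority wins; ties are settled by a weighted random draw,
    and weight-0 records are only chosen when every candidate has weight 0."""
    if not records:
        raise LookupError("no SRV records")
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    draw = rng.randint(0, total - 1)
    for rec in candidates:
        draw -= rec.weight
        if draw < 0:
            return rec
    return candidates[-1]


# Constructed zone data: the branch site has one RODC; HQ has two DCs and a
# priority-10 DR server that clients only fall back to when the priority-0 DCs fail.
ZONE = """\
_ldap._tcp.Branch._sites.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 branch-rodc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 hq-dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 hq-dc2.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 10 0 389 dr-dc1.corp.example.com.
"""


def records_for(name: str, zone: str = ZONE) -> list:
    recs = (parse_srv_line(l) for l in zone.splitlines() if l.strip())
    return [r for r in recs if r.name.lower() == name.lower()]


def find_dc(dns_domain: str, site: Optional[str] = None, zone: str = ZONE, rng=random) -> SrvRecord:
    """The locator's fallback order: the client's own site first, then any DC in the domain."""
    for name in (dc_locator_names(dns_domain, site)[0], dc_locator_names(dns_domain)[0]):
        recs = records_for(name, zone)
        if recs:
            return select_target(recs, rng)
    raise LookupError(f"no domain controller registered for {dns_domain}")


if __name__ == "__main__":
    print(find_dc("corp.example.com", site="Branch").target)   # branch-rodc1.corp.example.com
    print(find_dc("corp.example.com", site="Remote").target)   # hq-dc1 or hq-dc2, never dr-dc1
```

A client in a site with no registered DC (the Remote case) falls through to the domain-wide name, which is exactly why a missing or wrong subnet-to-site mapping shows up as branch clients authenticating across the WAN.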

Raising Functional Levels

Instructors should do the following:

 Explain that the purpose of raising functional levels in Active Directory is to enable administrators to take advantage of more advanced features.

 Explain that domain and forest functional levels provide backward compatibility with previous versions of Windows Server.

 Point out that the key requirements for raising functional levels include knowing:

 This is a one-way operation.

 Each domain is handled independently.

 The forest functional level cannot be raised until all domains in the forest are raised to a minimum of the domain functional level.

 The administrator must be logged in as a member of the Domain Admins group to raise a domain.

 The administrator must be logged in as a member of the Enterprise Admins group to raise the forest.

 Demonstrate how to raise the domain functional level using tools in the Administrative Tools Folder.

 Demonstrate how to raise the forest functional level using tools in the Administrative Tools Folder.

 Explain that to provide fault tolerance, a second domain controller should be added to each domain.

Additional Active Directory Installation Tasks

Instructors should do the following:

 Explain that Windows Server 2008 Server Core is an environment for running only specific services and roles.

 Point out that Server Core runs without a graphical user interface (GUI).

 Demonstrate how to install Active Directory on Server Core using administrative credentials on the existing Active Directory domain. Point out that there is no wizard on Server Core: dcpromo must be run with an unattended answer file.

 Explain that removing Active Directory from a domain controller is done for troubleshooting purposes or to decommission older hardware.

 Demonstrate how to remove Active Directory using administrative credentials on the existing Active Directory domain.

 Explain that a read-only domain controller (RODC) holds a read-only replica of the directory and is intended for locations such as branch offices where physical security or administrative expertise is limited.

 Demonstrate how to configure a read-only domain controller using administrative credentials on the domain to which the RODC is being added.

 Point out that it is possible to run a staged installation of an RODC: the RODC computer account is pre-created at a central location, and a delegated administrator at the branch, who need not be a member of Domain Admins, then completes the installation.

 Demonstrate how to set up a staged installation of an RODC using the tools available in the Administrative Tools Folder.

 Demonstrate how to complete a staged installation of an RODC as the remote administrator.

 Explain that if an RODC is ever compromised or stolen, it must be removed from the domain and the passwords of every account it was allowed to cache must be reset to limit the damage; Active Directory Users and Computers offers this reset when the RODC's computer account is deleted.

 Demonstrate how to decommission an RODC using the options available in Active Directory.

 Point out that it may be necessary to modify the Active Directory Schema to support in-house applications.

 Discuss how students should plan for changes to the Active Directory Schema by understanding that:

 Schema extensions are replicated to all domain controllers in the forest.

 Default system classes and attributes cannot be modified.

 Classes and attributes added to the Schema cannot be deleted; at the Windows Server 2003 forest functional level or higher they can be deactivated.

 Latency should be anticipated before all domain controllers contain consistent Schema information.

 Explain that the Active Directory Schema may be extended manually for commercial applications using a snap-in.

 Demonstrate how to install the Schema management snap-in (register schmmgmt.dll with regsvr32, then add Active Directory Schema to an MMC console) by logging in as a member of the Schema Admins group.

 Explain that Active Directory Lightweight Directory Services (AD LDS) gives directory-enabled applications their own directory instance with its own schema, so application data can be stored without extending the AD DS schema.

 Demonstrate how to configure AD LDS by logging in as a member of the local Administrators group.

 Point out that trust relationships are necessary to enable resource accessibility between domains and forests.

 Discuss the four types of trusts that can be established:

 Shortcut trusts

 Cross-forest trusts

 External trusts

 Realm trusts

 Demonstrate how to create a trust relationship by logging in as a member of the Domain Admins group on the local domain.

 Demonstrate how to verify a trust relationship using Active Directory by logging in as a member of the Domain Admins group.

 Demonstrate how to verify a trust relationship using Netdom by logging in as a member of the Domain Admins group.

 Demonstrate how to revoke a trust relationship using Active Directory Domains and Trusts by logging in as a member of the Domain Admins group.

 Demonstrate how to revoke a trust relationship using Netdom by logging in as a member of the Domain Admins group.

 Explain that a User Principal Name (UPN) is stored in the global catalog and is available forest-wide.

Lesson Quiz

True/False

1. The Active Directory Installation Wizard can be launched by issuing the dcpromo.exe command.

2. After installing Active Directory and DNS, one of the post-installation tasks requires creating the DNS Application Directory Partition.

3. When installing Microsoft DNS, Forward Lookup and Reverse Lookup Zones are configured by default.

4. The Server Core version of Windows Server 2008 does not utilize a GUI interface and must be administered through the Command Line.

5. Active Directory Lightweight Directory Services is designed for small branch offices that don’t need the entire suite of Active Directory Services.

Multiple Choice

1. To configure DNS to automatically clean up old DNS records, you should configure:

a) Stale Resource Record Cleanup
b) Forward Lookup Zone Cleanup
c) Aging/Scavenging
d) DNS Record age limits

2. Which of the following are valid zone types that can be selected when configuring Microsoft DNS? Choose three.

a) Stub Zone
b) Active Directory Zone
c) Secondary Zone
d) Primary Zone

3. Which level of Active Directory credential is required to raise the forest functional level?

a) Domain Administrator
b) Forest Administrator
c) Enterprise Administrator
d) Any of the above

4. Which two of the choices below are unique to a Windows Server 2008 Read Only Domain Controller?

a) Outbound only replication
b) Locally stored password replication policy
c) Inbound replication only

5. Which of the following are types of manual trusts that can be created in a Windows Server 2008 environment? Choose all that apply.

a) Realm trust
b) Shortcut trust
c) Cross-forest trust
d) External trust

Quiz Answers

True/False

1. True.
2. False. The DNS Application Directory Partition is created automatically during the AD and DNS installation process.
3. False. Only Forward Lookup Zones are configured by default.
4. True.
5. False. The AD LDS role is used primarily by developers.

Multiple Choice

1. C
2. A, C, D
3. C
4. B, C
5. A, B, C, D

Class Projects

Lesson 2—Exercise 1

Explain the items that should be verified in DNS to ensure that the Active Directory installation process has correctly configured the DNS Services.

Lesson 2—Project 1

You are a network administrator for ABC Corp. Your environment consists of three locations, one of which does not have highly skilled IT engineers and is not as secure as you would like it. There are 1,000 users spread throughout the three locations. You have been asked to set up an Active Directory environment using Windows Server 2008. Explain how you would recommend setting up the environment. How many and what types of domain controllers would you put in each location? How would you configure DNS?

Microsoft Video Links

Windows Server 2008 R2 Quick Look—Server Core

This video provides a quick overview to help you as an administrator in Windows Server 2008 R2, particularly a couple of enhancements inside Windows Server Core.

Length: 5:07

Windows Server 2008 R2 Quick Look—Active Directory Administrative Center

This video provides a quick look at Active Directory Administrative Center, the new administrative tool in Windows Server 2008 R2.

Lesson 3: Using Active Directory Sites

Learning Goals

The goal of this lesson is to guide students through Active Directory Sites. Point out that students will learn about replication and site management.

Learning Objectives

Upon completion of this lesson, students will be able to:

 Understand Active Directory Sites

 Understand Active Directory Site replication

 Understand Active Directory Site management

Lesson Introduction

Explain that working with Microsoft Windows Server 2008 Active Directory Sites requires that students understand the purpose of sites and site replication. Students will learn the differences in replication types, how to implement a plan for management of a site, and how to monitor site replication to prevent errors. Students will also learn that site replication is the tool used to sustain an efficient and consistent Active Directory environment.

Understanding Active Directory Sites

Instructors should do the following:

 Explain that replication is the process of duplicating Active Directory information between domain controllers for fault tolerance and redundancy.

 Explain that Active Directory Sites allow administrators to control replication traffic.

 Point out that Active Directory replicates through intrasite and intersite replication.

 Explain that intrasite replication is the replication of domain controllers that reside on the same Active Directory site.

 Explain that intersite replication is the replication of domain controllers that reside on different Active Directory sites.


 Point out that Active Directory sites have the following characteristics:

 Defined by IP Subnets.

 Multiple sites are joined by site links.

 Replication is organized by defined groups of servers.

 Clients query the site-specific records within DNS at logon to determine which domain controller to access.

 Sites are independent of logical structure.

Understanding Replication

Instructors should do the following:

 Explain that Active Directory creates a replication topology so that all writeable domain controllers can communicate AD information with each other.

 Point out that one of the following conditions must be met for replication to occur:

 An object is added to or removed from Active Directory.

 The value of an attribute has changed.

 The name of an object has changed.

 Explain that each domain controller maintains its own Update Sequence Number (USN), a counter incremented on every write, to keep track of the changes made on that domain controller.

 Point out that, in addition to the USN, each attribute carries a version number (its stamp) that counts how many times the attribute has been changed.

 Explain that when the same attribute has been changed on two domain controllers before replication, Active Directory keeps the change with the higher version number; USNs only track which updates a replication partner has already received, they do not decide conflicts.

 Explain that if the versions are equal, the later originating time stamp wins, and if those match too, the originating domain controller's invocation ID is the final tie-breaker.

 Point out that Active Directory designates a bridgehead server in each site to act as the gatekeeper for site-to-site replication.

 Explain that convergence is the state in which every domain controller holds the same information; the time it takes to reach it is the replication latency.

 Explain that prior to intrasite replication, the Knowledge Consistency Checker (KCC) maps the logical network topology between domain controllers.

 Point out that the KCC will select replication partners for a domain controller and create connection objects between domain controllers and the new partner.

 Point out that the primary principle for the KCC is the "Rule of Three," which states that no single domain controller should be more than three hops away from any domain controller that can originate a change to the Active Directory database.

 Point out that the KCC runs every 15 minutes and analyzes the best path and placement for connection objects.

 Point out that intrasite replication minimizes latency to allow for quick changes.

 Explain that KCC creates a dual counter-rotating ring that reroutes traffic if a domain controller in the ring fails.

 Explain that domain controllers use change notification to inform one another of changes that need to be replicated. Point out that some operations will generate an urgent replication.

Instructors should do the following:

 Point out that the administrator may create and manage additional sites to better control the replication traffic.

 Demonstrate how to rename the default first-site name using the Active Directory Sites and Services MMC Snap-in.

 Demonstrate how to create a new site using Active Directory Sites and Services.

 Demonstrate how to create a new subnet to correspond with any new physical segment on the network.

 Point out that Active Directory Sites must use intersite replication to enable global network communication.

 Explain that a site link is a logical, transitive connection between two sites that mirrors the routed connections between networks and allows for replication.

 Point out that one site within the Active Directory environment must run the intersite topology generator (ISTG), which enables bridgehead server selection and mapping of the topology.

 Explain that cost, schedule, and frequency control the behavior of replication traffic over a site link.

 Demonstrate how to create a new site link object through Active Directory Sites and Services.

 Explain that the appropriate protocol must be selected when configuring replication.

 Point out that Remote Procedure Calls over Internet Protocol (RPC over IP) and Simple Mail Transport Protocol (SMTP) are the two possible protocols for replication.


 Explain that RPC over IP is the default protocol for all replication traffic and is commonly used to communicate with network services.

 Explain that SMTP, the standard messaging protocol, should be used when a direct or reliable IP connection is not available.

 Explain that a bridgehead server is designated to minimize the bandwidth required for intersite replications, since this is a bandwidth intensive process.

 Explain that the administrator may select to override the default bridgehead server and create a preferred bridgehead server list.

 Demonstrate how to designate preferred bridgehead servers through Active Directory Sites and Services.

 Point out that domain controllers from different sites can communicate through the site link bridge.

 Explain that the site link bridge is enabled by default.

 Demonstrate how to disable automatic site link bridging through Active Directory Sites and Services.

 Demonstrate how to create a manual site link bridge through Active Directory Sites and Services.

 Point out that administrators may have to force or manage replication due to an Active Directory problem.

 Demonstrate how to refresh the intrasite replication topology through Active Directory Sites and Services.

 Demonstrate how to determine which server holds the ISTG (Intersite Topology Generator) role through Active Directory Sites and Services.

 Demonstrate how to force manual replication between two domain controllers, to correct errors or inconsistencies, through Active Directory Sites and Services.

 Point out that many issues can be prevented by monitoring the replication activity.

 Explain that two tools for monitoring replication are Dcdiag and Repadmin.

 Explain that the following can be accomplished with Dcdiag:

 Perform connectivity and replication tests

 Report DNS registration problems

 Analyze the permissions required for replication


 Explain that the following can be accomplished with Repadmin:

 View the replication topology from each domain controller

 Manually create a replication topology

 Force replication between domain controllers

 View the replication metadata
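As an added example (not part of the lesson plan), the following PowerShell script wraps the Repadmin and Dcdiag checks listed above so the lecture's demonstrations can be repeated from a script. It assumes the AD DS tools are installed and that the account running it can query every domain controller; the DC name and object DN in the commented calls are placeholders.

```powershell
# Added example, not from the lesson plan. Wraps repadmin/dcdiag so that the
# replication checks above can be run and reviewed as PowerShell objects.
# Assumes: repadmin.exe and dcdiag.exe are on the PATH and the caller has
# rights to query every DC.

function Get-ReplicationStatus {
    # Returns one object per (destination DC, source DC, naming context) pair.
    # "*" asks repadmin to query every DC in the forest.
    param([string]$Target = '*')

    # /csv output begins with a header row, so ConvertFrom-Csv yields named columns.
    $rows = repadmin /showrepl $Target /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        $failures = [int]$row.'Number of Failures'
        New-Object PSObject -Property @{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            Transport     = $row.'Transport Type'
            Failures      = $failures
            LastSuccess   = $row.'Last Success Time'
            LastFailure   = $row.'Last Failure Status'
            Healthy       = ($failures -eq 0)
        }
    }
}

function Get-ReplicationProblems {
    # Partner links with at least one failure: the rows an administrator
    # would investigate before forcing replication.
    param([string]$Target = '*')
    Get-ReplicationStatus -Target $Target | Where-Object { -not $_.Healthy }
}

function Get-ObjectReplicationMetadata {
    # Shows, per attribute, the version, local USN, originating DC and time
    # stamp: the tie-breakers the lesson describes.
    param(
        [Parameter(Mandatory = $true)][string]$DomainController,
        [Parameter(Mandatory = $true)][string]$ObjectDN
    )
    repadmin /showobjmeta $DomainController $ObjectDN
}

function Invoke-ReplicationSync {
    # Forces a push of all partitions to every partner, then runs the
    # dcdiag replication test so the result can be verified.
    param([Parameter(Mandatory = $true)][string]$DomainController)

    # /A all partitions, /e cross-site (enterprise), /d show DNs, /P push outward
    repadmin /syncall $DomainController /AdeP
    dcdiag /s:$DomainController /test:Replications
}

# Read-only checks; the two commented calls change or inspect a single DC.
Get-ReplicationProblems |
    Format-Table Destination, Source, NamingContext, Failures, LastFailure -AutoSize
# Get-ObjectReplicationMetadata -DomainController DC01 -ObjectDN 'CN=Alice Example,OU=Sales,DC=contoso,DC=com'
# Invoke-ReplicationSync -DomainController DC01
```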

Lesson Quiz

True/False

1. While intrasite replication occurs almost immediately, intersite replication occurs at a configured interval, which by default is every 180 minutes.

2. Active Directory sites replicate the logical structure of the environment and can contain only one Active Directory domain.

3. The bridgehead server in an Active Directory site receives replication updates from all domain controllers in remote sites.

4. Intrasite replication uses the Knowledge Consistency Checker (KCC) to determine replication paths.

5. In a multi-site environment, each domain controller runs the Intersite Topology Generator to determine site replication paths.

Multiple Choice

1. Active Directory sites are based on which of the following?

a) Domain structure

b) Forest Structure

c) IP subnets

d) DNS naming

2. Active Directory replication occurs when all of the following occur except:

a) The name of an object changes

b) A client PC logs on to the domain

c) An object is added to or removed from Active Directory


3. What is the connection called that connects two sites and enables replication to occur?

a) Site Bridge

b) Transitive trust

c) Route Path

d) Site Link

4. Which two of the following protocols can be used for intersite replication?

a) DNS

b) IP

c) SNMP

d) IPX/SPX

5. Which two of the following tools can be used to monitor and manage Active Directory sites?

a) Dcdiag

b) Netdiag

c) Nslookup

d) Repadmin

Quiz Answers

True/False

1. True.

2. False. AD sites represent the physical structure of the environment and may contain multiple domains.

3. False. Bridgehead servers communicate only with the bridgehead server in the remote sites for replication information.

4. True.


Class Projects

Lesson 3—Exercise 1

Explain how Active Directory keeps track of changes to the ntds.dit file and handles changes that are replicated. What three factors can be used to determine if a replicated change should be added by the receiving domain controller?

List and explain the three attributes that should be configured when creating a site link in a multiple site environment.

Lesson 3—Project 1

Explain in detail the intrasite and intersite replication process. Include in your definition the replication protocols used, factors used to determine which replication protocol is appropriate, replication interval, how replication partners are determined, how compression is used or not used, etc.

Microsoft Video Resources

Windows Server 2008 R2 Quick Look—Active Directory Administrative Center

This video provides a quick look at Active Directory Administrative Center, the new administrative tool in Windows Server 2008 R2.

Length: 6:25

Windows Server 2008 R2 Quick Look—System Health Report

A quick look at System Health Report, a tool in Windows Server 2008 R2 that helps you analyze your servers and provides you with prescriptive system diagnosis.


Lesson 4: Using Global Catalog and Flexible Single Master Operations (FSMO) Roles

Learning Goals//The goal of this lesson is to explain the important role of the global catalog server in Active Directory. Point out that students will also learn about the Flexible Single Master Operations roles in Active Directory domains and forests.

Learning Objectives

Upon completion of this lesson, students will be able to:

 Understand the global catalog

 Understand Flexible Single Master Operations (FSMO) roles

 Understand site management

Lesson Introduction

Explain that Microsoft Windows Server 2008 Active Directory’s global catalog and Flexible Single Master Operation (FSMO) roles are important roles in the accurate functionality of Active Directory. Students will learn about the placement of the global catalog, and how to add or remove a global catalog. Students will also learn the function of the Relative Identifier, Infrastructure Master, Primary Domain Controller Emulator, Domain Naming, and Schema Master FSMO roles in the Active Directory domain and forest.

Understanding the Global Catalog

Instructors should do the following:

 Explain that the global catalog houses a subset of forest-wide Active Directory objects and is a central repository of object copies.

 Point out that complete object copies and partial copies of objects from other domains within the same forest are referred to as partial attribute sets (PAS).

 Explain that by default the first domain controller installed in a forest houses the global catalog server.

 Point out that the four main functions of the global catalog are:

 Facilitating searches for objects in the forest.


 Maintaining universal group membership information.

 Maintaining a copy of all objects in the domain.

 Explain that a universal group contains users, groups, and computers from any domain in the forest.

 Explain that when an attribute is indexed, it is stored in the PAS and replicated to all global catalogs.

 Explain that if a global catalog server is not available, then universal group memberships are stored on the local domain controller. This is called universal group membership caching.

 Point out the following benefits of universal caching:

 Eliminates the need for a global catalog in remote locations

 Provides better logon performance for users with cached information

 Minimizes WAN usage for replication traffic

 Demonstrate how to enable universal group membership caching using Active Directory Sites and Services.

 Point out that the following guidelines will help the administrator determine if an additional global catalog server is needed:

 Each site should contain a global catalog server to facilitate user logons.

 The amount of bandwidth necessary to replicate the global catalog information should be considered.

 The domain controller must have ample hard drive space to house the global catalog.

 The site containing port 3268, the port used for Active Directory object searches, must also be the site containing the global catalog server.

 Demonstrate how to configure an additional global catalog server using Active Directory Sites and Services.

Understanding Flexible Single Master Operations (FSMO) Roles

Instructors should do the following:

 Explain that FSMO includes specialized roles such as schema management or adding and removing additional domains from an Active Directory forest.


 Point out that the three domain-specific FSMO roles are:

 Relative Identifier (RID) Master

 Infrastructure Master

 Primary Domain Controller (PDC) Master

 Explain that the Relative Identifier (RID) Master is related to the domain that it was created for and is assigned to an object at creation.

 Point out that RIDs are a part of the object’s security identifier (SID).

 Explain that the Infrastructure Master is responsible for replicating changes to an object’s SID or distinguished name (DN).

 Point out that the Infrastructure Master replicates changes to all domains that have a trust relationship with the source domain.

 Explain that the Primary Domain Controller (PDC) emulator is responsible for the following tasks:

 Time management synchronization within an Active Directory Domain

 Managing edits to Group Policy Objects

 Managing replication of security-sensitive account events

 Explain that the following Active Directory time synchronization processes are used to assist in conflict resolution:

 Client and member services within a domain will synchronize their clocks against the domain controller that authenticated them.

 Domain controllers in each domain will synchronize their time against the PDC Emulator of their domain.

 The PDC Emulator of each domain in the forest will synchronize its time against the PDC Emulator of the forest root domain.

 The PDC Emulator of the forest root domain can obtain its time from the internal clock.

 Point out that the two roles in Active Directory that have forest-wide authority are:

 Domain Naming Master

 Schema Master

 Explain that the Domain Naming Master role is held by only one domain controller in the forest, and this role verifies the uniqueness of the name to the forest.


 Point out that the following should be considered when determining the locations for the FSMO roles:

 Number of domains that will be part of the domain

 Physical structure of the network

 Number of domain controllers that will be available on each domain

 Point out that the two attributes used to describe a domain controller are:

 Highly available

 High capacity

 Explain that highly available domain controllers are centrally located and contain additional hardware to keep the controller functioning properly.

 Explain that high-capacity domain controllers have great processing ability and more memory, and are available through faster network access.

 Point out that the two techniques used to manage FSMO role outages are:

 Role transfer

 Role seizure

 Explain that role transfer occurs when the FSMO is moved from one domain controller to another.

 Explain that role seizure occurs when a forced transfer of FSMO from one domain controller to another occurs due to failure.

 Demonstrate how to view the RID Master, PDC Emulator, or Infrastructure Master FSMO Role holders using the Active Directory Users and Computers MMC Snap-in.

 Demonstrate how to view the Domain Naming Master FSMO Role holder through Active Directory Domains and Trusts.

 Demonstrate how to view the Schema Master FSMO Role holder through the Active Directory Schema Snap-in.

 Demonstrate how to transfer the RID Master, PDC Emulator, or Infrastructure Master FSMO Role through the Active Directory Users and Computers MMC Snap-in.

 Demonstrate how to transfer the Domain Naming Master FSMO Role through Active Directory Domains and Trusts snap-in.

 Demonstrate how to transfer the Schema Master FSMO Role through the Active Directory Schema Snap-in.
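As an added example (not part of the lesson plan), the following PowerShell script supports both the global catalog placement guidelines and the FSMO demonstrations above: it inventories every domain controller in the forest, reports sites that have no global catalog, lists each FSMO role holder with a reachability check, and wraps role transfer versus seizure. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later); DC names in the commented calls are placeholders.

```powershell
# Added example, not from the lesson plan. Inventories every DC in the forest
# and reports (a) sites without a global catalog, which the placement
# guidelines flag, and (b) who holds each FSMO role and whether that holder
# answers. Assumes the ActiveDirectory module; DC names are placeholders.
Import-Module ActiveDirectory

function Get-ForestDomainControllers {
    # Get-ADDomainController -Filter * is per-domain, so query each domain.
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }
}

function Get-SitesWithoutGlobalCatalog {
    param([object[]]$DomainControllers = @(Get-ForestDomainControllers))
    $gcSites = @($DomainControllers | Where-Object { $_.IsGlobalCatalog } |
                 Select-Object -ExpandProperty Site -Unique)
    # Every site known to the forest that has no GC-enabled DC in it.
    @((Get-ADForest).Sites) | Where-Object { $gcSites -notcontains $_ }
}

function Get-FsmoRoleReport {
    param([object[]]$DomainControllers = @(Get-ForestDomainControllers))
    foreach ($dc in $DomainControllers) {
        foreach ($role in $dc.OperationMasterRoles) {
            New-Object PSObject -Property @{
                Role      = $role
                Domain    = $dc.Domain
                Holder    = $dc.HostName
                Site      = $dc.Site
                IsGC      = $dc.IsGlobalCatalog
                Reachable = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
            }
        }
    }
}

function Move-FsmoRole {
    # Transfer (current holder online) or seize (current holder lost), as the
    # lesson distinguishes. A DC whose role was seized must not be returned
    # to the network without first being demoted.
    param(
        [Parameter(Mandatory = $true)][string]$NewHolder,
        [Parameter(Mandatory = $true)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string]$Role,
        [switch]$Seize
    )
    if ($Seize) {
        Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder -OperationMasterRole $Role -Force -Confirm:$false
    } else {
        Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder -OperationMasterRole $Role -Confirm:$false
    }
}

$dcs = @(Get-ForestDomainControllers)
Get-FsmoRoleReport -DomainControllers $dcs |
    Format-Table Role, Domain, Holder, Site, IsGC, Reachable -AutoSize
Get-SitesWithoutGlobalCatalog -DomainControllers $dcs
# Move-FsmoRole -NewHolder DC02 -Role PDCEmulator          # planned transfer
# Move-FsmoRole -NewHolder DC02 -Role PDCEmulator -Seize   # old holder has failed
```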


Lesson Quiz

True/False

1. A global catalog server will contain a complete copy of its Domain NC, but not information about other domains in the forest.

2. For redundancy, it is recommended that each domain have at least two RID Masters.

3. If a user object, John Doe, is deleted and then re-created later exactly as it was before being deleted, it will receive the same GUID as the original John Doe.

4. The Domain Naming Master is a domain-specific FSMO role that has responsibility for ensuring that all names within a domain are unique.

5. If the RID Master fails, the failure will not be visible until the domain controller runs out of RIDS that were previously assigned by the RID Master.

Multiple Choice

1. What feature of Windows Server 2008 can allow remote members of Universal groups to log on to the domain when a local global catalog server is not available?

a) Two-way transitive trusts between domains

b) Local cached credentials

c) Universal Group Caching

d) RID Master

2. Which three of the following FSMO roles are domain specific?

a) Relative Identifier (RID) Master

b) Schema Master

c) Primary Domain Controller (PDC) Emulator

d) Infrastructure Master

3. Which two of the following five FSMO roles have forest-wide authority?

a) Domain Naming Master

b) RID Master


4. It’s considered a best practice to run which two of the following FSMO roles on the same domain controller?

a) Schema Master

b) PDC Emulator

c) Domain Name Master

d) RID Master

5. Which of the following procedures would be used to recover from a domain controller failure when the domain controller was running one or more of the FSMO roles?

a) Role Seizure

b) Role Transfer

c) Role Migration

d) Role Failover

Quiz Answers

True/False

1. False. A global catalog server contains a complete copy of its domain NC and a partial attribute set for all other domains in the forest.

2. False. There can only be one RID Master per domain.

3. False. When an object is deleted, the GUID will never be used again.

4. False. The Domain Naming Master is a forest-wide FSMO role that is responsible for the creation of domains, domain trees, and application data partitions.

5. True.

Multiple Choice

1. C

2. A, C, D

3. A, C

4. B, D

5. A

Class Projects

Lesson 4—Exercise 1


List and explain the five FSMO roles in a Windows Server 2008 forest. Explain which FSMO roles are domain specific and which are forest wide.

Lesson 4—Project 1

You are the Active Directory administrator for a multi-domain Active Directory forest with five locations. What factors should you consider when determining the placement and number of global catalog servers? What factors should you consider when determining where to place the FSMO roles?

Microsoft Video Resources

Active Directory Domain Services in Microsoft Windows Server 2008

Demonstrates new features and enhancements that are focused around the fundamentals: improved security, reliability, performance, reduced operational complexity, and increased deployment flexibility. This session presents the Windows Server 2008 features in Active Directory.


Lesson 5: Administration of Active Directory

Learning Goals//The goal of this lesson is to explain the management of users and groups in Active Directory. Point out that students will also learn how to configure and manage these accounts.

Learning Objectives

Upon completion of this lesson, students will be able to:

 Understand user accounts

 Understand group accounts

 Understand special identity groups and local groups

 Develop a group implementation plan

Lesson Introduction

Explain that Microsoft Windows Server 2008 Active Directory Domain Services tasks include the administration of users and groups to enable network access. Students will learn the details of user and group accounts. Students will also learn about special identity groups and local groups. The task of creating a group implementation plan will be discussed and demonstrated during this lesson.

Understanding User Accounts

Instructors should do the following:

 Explain that the user account in Active Directory is used to provide access to resources.

 Point out that authentication verifies a user’s identity through Active Directory.

 Explain that there are three types of user accounts in Windows Server 2008:

 Local accounts

 Domain accounts

 Built-in user accounts

 Point out that a local account can access the local computer only and is stored in the Security Account Manager database on the local computer.

 Point out that domain accounts are used to access Active Directory resources or other network resources. This account information is stored in Active Directory.


 Explain that a built-in administrator account has full control of files and management on the local computer.

 Point out the following built-in administrator account guidelines that should be considered:

 Rename the administrator account.

 Set a strong password.

 Limit knowledge of administrator passwords to only a few individuals.

 Do not use the administrator account for daily non-administrative tasks.

 Explain that Windows Server 2008 provides a built-in guest account that may be used for temporary network access.

 Point out the following built-in guest account guidelines that should be considered:

 Rename the guest account after enabling it for use.

 Set a strong password.

Understanding Group Accounts

Instructors should do the following:

 Explain that groups are used in Windows Server 2008 to make network permissions more manageable.

 Point out that groups enable the administrator to apply a set of permissions to multiple users.

 Explain that an access token is created at logon for each user. These tokens identify users and their appropriate permissions.

 Point out that a user may be a member of more than one group, which is called group nesting.

 Point out that when users are a member of one group and that group becomes a member of another group, they are automatically given the new group’s permissions. This is called nested membership.

 Explain that two characteristics that define a group are group type and group scope.

 Point out that group type determines how a group is used in Active Directory, and the two group types that are stored in an Active Directory database are:

 Distribution groups

 Security groups

 Explain that distribution groups are used for the distribution of information.


 Explain that group scope controls the objects that can be contained in a group.

 Point out that group scopes for Active Directory are:

 Domain local groups

 Global groups

 Universal groups

 Explain that domain local groups include user accounts, computer accounts, global groups, and universal groups for the same domain.

 Explain that global groups include user accounts, computer accounts, global groups, and universal groups for the same domain as a global group.

 Explain that universal groups include user accounts, computer accounts, global groups, and universal groups from anywhere in the forest.

 Point out that group nesting refers to groups that are added as members of other groups.

 Explain that built-in security groups are created when Windows Server 2008 Active Directory is installed, with a set of predefined network-related tasks.

 Demonstrate how to view groups using the Active Directory Users and Computers Snap-in.

Understanding Special Identity Groups and Local Groups

Instructors should do the following:

 Explain that administrators cannot modify or view the membership of special identity groups.

 Explain that a local group is a group of users who are specific to one local machine.


Developing a Group Implementation Plan

Instructors should do the following:

 Explain that a group implementation plan should be developed to accommodate changes within the organization.

 Point out that group implementation plans should include the following:

 Who has the ability and responsibility to create, delete, and manage groups

 How domain local and universal groups are to be used

 A policy that states guidelines for creating new groups and deleting old groups

 Naming standards document to keep group names consistent

 Standards for group nesting

 Point out that the creation of Active Directory objects is a common task for administrators.

 Explain that the following are the commonly used methods for creating multiple users and groups:

 Batch files

 Comma-Separated Value Directory Exchange (CSVDE)

 LDAP Data Interchange Format Directory Exchange (LDIFDE)

 Windows Script Host (WSH)

 Demonstrate how to create users, computers, and groups using Windows Server 2008 local administrator credentials.

 Demonstrate how to create users, computers, and groups using Windows Server 2008 domain administrator credentials.

 Point out that batch files can be created using a text editor.

 Explain that batch files may be created, deleted, viewed, or modified using the Dsadd command at the Windows Server 2008 command line.

 Explain that Comma-Separated Value (CSV) files may be used to import and export information from Microsoft Excel or Exchange to the Active Directory Database.

 Explain that the LDIFDE utility provides the ability to modify existing records in Active Directory.
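As an added example (not part of the lesson plan), the following PowerShell script builds a CSVDE import file, an LDIFDE change file and the equivalent Dsadd/Dsmod commands for the same sample objects, then runs each tool, so the three bulk-creation methods listed above can be compared side by side. The domain contoso.com, the Sales OU and the user names are constructed placeholders; run it against a test domain with the AD DS command-line tools installed.

```powershell
# Added example, not from the lesson plan. Creates the same sample users and
# groups three ways: CSVDE, LDIFDE and Dsadd/Dsmod. contoso.com, OU=Sales and
# the people named here are placeholders for a test domain.
$domainDN = 'DC=contoso,DC=com'
$ou       = "OU=Sales,$domainDN"
$workDir  = Join-Path $env:TEMP 'ad-bulk-import'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

$users = @(
    @{ Given = 'Alice'; Surname = 'Example'; Sam = 'aexample' },
    @{ Given = 'Bob';   Surname = 'Sample';  Sam = 'bsample'  }
)

# --- 1. CSVDE: create users. csvde cannot set passwords, so the accounts are
#        created disabled and must be given a password and enabled afterwards.
$csvLines = @('DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName')
foreach ($u in $users) {
    $cn = "$($u.Given) $($u.Surname)"
    # The DN contains commas, so it is the one field that must be quoted.
    $csvLines += "`"CN=$cn,$ou`",user,$($u.Sam),$($u.Sam)@contoso.com,$($u.Given),$($u.Surname),$cn"
}
$csvPath = Join-Path $workDir 'users.csv'
Set-Content -Path $csvPath -Value $csvLines -Encoding ASCII
csvde -i -f $csvPath -k        # -k: continue past "object already exists" errors

# --- 2. LDIFDE: create a global security group, then modify it to add members.
#        groupType -2147483646 = 0x80000002 = global scope + security-enabled.
$groupDN = "CN=Sales Staff,$ou"
$ldif = @"
dn: $groupDN
changetype: add
objectClass: group
sAMAccountName: Sales Staff
groupType: -2147483646

dn: $groupDN
changetype: modify
add: member
member: CN=Alice Example,$ou
member: CN=Bob Sample,$ou
-
"@
$ldifPath = Join-Path $workDir 'groups.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
ldifde -i -f $ldifPath -k

# --- 3. Dsmod/Dsadd: enable the imported accounts with a one-time password
#        and add one more user and group directly. "-pwd *" prompts for the
#        password instead of placing it on the command line.
foreach ($u in $users) {
    dsmod user "CN=$($u.Given) $($u.Surname),$ou" -pwd * -mustchpwd yes -disabled no
}
dsadd user "CN=Carol Demo,$ou" -samid cdemo -upn cdemo@contoso.com -fn Carol -ln Demo `
    -display "Carol Demo" -pwd * -mustchpwd yes -disabled no
dsadd group "CN=Sales Leads,$ou" -secgrp yes -scope g -members "CN=Carol Demo,$ou"
```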


Lesson Quiz

True/False

1. Microsoft Best Practice recommends deleting the guest account for security reasons.

2. Distribution groups are used to assign permissions.

3. The Dsadd command can be used in a batch file to create bulk user accounts.

4. Group nesting refers to adding users to multiple security groups.

5. Domain Local Groups can be used to grant permissions to resources on any computer that is joined to the Active Directory Domain.

Multiple Choice

1. What are the three types of user accounts in Active Directory?

a) Built-in user accounts

b) Special Identity user accounts

c) Local user accounts

d) Domain user accounts

2. Windows Server 2008 utilizes which two of the following group types?

a) Distribution group

b) Global group

c) Security group

d) Local group

3. Active Directory in Windows Server 2008 supports which three of the following group scopes?

a) Domain Local group

b) Distribution group

c) Global group

d) Universal groups

4. Windows Server 2008 offers several tools for managing or creating bulk objects in Active Directory. Which of the tools listed below provides the ability to add, modify, and delete Active Directory Objects?


5. Which of the following groups is disabled by default?

a) Anonymous users

b) Guest

c) Administrators

d) Everyone

Quiz Answers

True/False

1. False. The Guest account, like the Administrator account, cannot be deleted. It’s considered a best practice to rename the Guest account.

2. False. Security groups are used to assign permissions.

3. True.

4. False.

5. True.

Multiple Choice

1. A, C, D

2. A, C

3. A, C, D

4. A

5. B

Class Projects

Lesson 5—Exercise 1

List and explain four best practices for securing a local or domain security account.


Lesson 5—Project 1

Explain how Active Directory uses default groups. Explain when each of the following groups is created and how users become members.

 Account Operators

 Administrators

 Guest

 DHCP Administrators

 Domain Users

Explain how special identity groups are used in Windows Server 2008. How do users become members of a special identity group? How do you view the members of a special identity group?

Microsoft Video Resources

Provide users with seamless corporate network access from anywhere with Windows 7, Windows Server 2008 R2, and DirectAccess

Remote users? Mobile users? People working from home, from the coffee shop, from the airport? How do you provide them with secure connections that are easy to use and deploy while still maintaining the integrity of your network? Windows 7 and Windows Server 2008 R2 provide the answer with DirectAccess. This video presents a walk-through of the configuration of DirectAccess and discusses the requirements for deploying it in your network.


Allowing External Users to Manage IIS7 Web Applications

Web servers often need remote administration by an external consultant. Many companies outsource web development activities and as a result, they need to grant external users access to manage both content and configuration on their web servers. IIS 7 includes a new management service which addresses this need, and TS RemoteApp provides a secure way to make management tools available outside the firewall. This demo shows how you can configure the management service, work with feature delegation, and connect to IIS Manager from outside the firewall using TS RemoteApp.

Length: 10:16

Use Group Policy in Windows Vista and Windows Server 2008

An examination of the improvements and changes in Group Policy management in Windows Vista and Windows Server 2008. Includes a look at the new format of Group Policy templates, the central store, and multiple local group policies, then drills down into device management using Group Policy.


Using Group Policy with Windows and Windows Server 2008

A scenario-based walk-through using a series of demonstrations to offer an in-depth understanding of new and enhanced Group Policy functions in Windows Vista, as well as plans for the Windows Server 2008 timeframe. This session showcases Windows Vista as a Windows Vista Group Policy administrative workstation. Learn about new Group Policy features in Windows Vista, including the new format and functionality of Administrative Template (ADMX) files (and interop with legacy ADM files), the ADMX central store, improved awareness of changing network conditions, using multiple local Group Policy Objects (MLGPOs), and Group Policy Management Console (GPMC) integration into the operating system. Demos include using the new event viewer ("Crimson"), along with showcasing a selection of the hundreds of new policy settings delivered with Windows Vista. Finally, we provide an introduction to the products acquired from DesktopStandard and discuss their future availability and roadmap.


Lesson 6: Security Planning and Administrative Delegation of Active Directory

Learning Goals//The goal of this lesson is to explain that creating a secure Active Directory environment is a critical responsibility of the administrator. Point out that students will also learn the tasks of creating and working with organizational units as well as delegating administrative control of resources.

Learning Objectives

Upon completion of this lesson, students will be able to:

 Implement Account Security

 Plan an organizational unit strategy

Lesson Introduction

Explain that Microsoft Windows Server 2008 Active Directory requires that all accounts access the network through a secure password. Discuss with students the importance of having an organizational policy for user name and password creation. Explain to students that securing the administrative side of Active Directory is necessary to prevent hackers from gaining unauthorized access to the network. Describe how organizational units are used to secure administrative resources.

Implementing Account Security

Instructors should do the following:

 Explain that user account security is an important aspect of a secure network.

 Point out that the network administrator will create guidelines for the user name scheme, and it is extremely important that the organization strictly follow the guidelines.

 Explain that Windows Server 2008 requires that all user accounts be accompanied with a secure password.

 Explain that a password is an alphanumeric sequence of characters that must accompany the user name to gain access to network resources.

 Point out the following best practices for protecting your password:

 Keep documented passwords in a secure location.


 Do not save passwords to your computer to enable easy access.

 Always use suggested standards for strong, secure passwords.

 Explain that a strong password is a password that is created with a secure combination of characters and length to make it difficult for a hacker to discover.

 Point out that password-cracking is any attempt to discover another user’s password.

 Explain that dictionary attacks are automated password cracking tools used to attempt every combination of a set of characters to crack a password.

 Explain that strong passwords include the following charac-teristics:

 Minimum of eight characters in length

 Contains at least one uppercase and one lowercase letter, one numeral, and one non-alphabetic character

 Differs significantly from previous passwords

 Explain that securing the administrator password is critical, since a hacker with access to the administrator password can do extensive damage.

 Point out that using the Run as Administrator option through a standard user account is the preferred method for performing administrative tasks and reducing risk.

 Demonstrate how to use Run as from the GUI while logged in as a Windows Server 2008 member.

 Demonstrate how to use Run as from the command line while logged in as a domain administrator.
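As an added example (not part of the lesson plan), the following PowerShell script checks the domain's default password policy against the strong-password characteristics listed above and tests candidate passwords the same way. It assumes the ActiveDirectory module; the "differs significantly from previous passwords" rule is simplified here to an equality and prefix check, which is this example's own assumption, and the account name in the Run as comment is a placeholder.

```powershell
# Added example, not from the lesson plan. Audits the effective default
# domain password policy against the lesson's minimums and tests a
# candidate password against the strong-password characteristics above.
# Assumes the ActiveDirectory module. "Differs significantly from previous
# passwords" is simplified to an equality/prefix check (an assumption).
Import-Module ActiveDirectory

function Test-StrongPassword {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [string[]]$PreviousPasswords = @()
    )
    $failed = @()
    if ($Password.Length -lt 8)          { $failed += 'shorter than 8 characters' }
    if ($Password -cnotmatch '[A-Z]')    { $failed += 'no uppercase letter' }
    if ($Password -cnotmatch '[a-z]')    { $failed += 'no lowercase letter' }
    if ($Password -notmatch '[0-9]')     { $failed += 'no numeral' }
    # "Non-alphabetic character" is read here as a symbol other than a digit.
    if ($Password -notmatch '[^A-Za-z0-9]') { $failed += 'no non-alphabetic (symbol) character' }
    foreach ($old in $PreviousPasswords) {
        if ($Password -ieq $old -or $Password.ToLower().StartsWith($old.ToLower())) {
            $failed += 'too similar to a previous password'
            break
        }
    }
    New-Object PSObject -Property @{ Strong = ($failed.Count -eq 0); Failures = $failed }
}

function Test-DomainPasswordPolicy {
    # Compares the Default Domain Policy settings with the lesson's minimums.
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($p.MinPasswordLength -lt 8)    { $findings += "MinPasswordLength is $($p.MinPasswordLength), expected at least 8" }
    if (-not $p.ComplexityEnabled)     { $findings += 'password complexity requirement is disabled' }
    if ($p.PasswordHistoryCount -lt 1) { $findings += 'no password history, so previous passwords can be reused' }
    if ($p.LockoutThreshold -eq 0)     { $findings += 'no lockout threshold, so repeated password guessing is not slowed' }
    New-Object PSObject -Property @{ Compliant = ($findings.Count -eq 0); Findings = $findings; Policy = $p }
}

# Running an administrative console from a standard user session, as in the
# "Run as" command-line demonstration (placeholder account name):
# runas /user:CONTOSO\admin-alice "mmc dsa.msc"

Test-DomainPasswordPolicy | Format-List Compliant, Findings
Test-StrongPassword -Password 'Winter2024'     -PreviousPasswords @('winter2023')  # fails: no symbol
Test-StrongPassword -Password 'Tq7#marsh!Lane' -PreviousPasswords @('winter2023')  # passes
```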

Planning an Organizational Unit Strategy

Instructors should do the following:

 Explain that organizational units (OUs) can include the Active Directory objects.

 Explain that OUs can be created to represent the company’s functional foundation.

 Point out that organizational units are created for the following reasons:

 They represent the functional and geographical model of the company and its resources.

 They delegate administrative control over a container’s resources to lower-level or branch office administrators.


 Explain that OUs can be nested to create a solid structure, but nesting should be done with careful planning and caution.

 Point out that delegating authority at the OU level will allow access only to the OU and its hierarchy.

 Explain that the Delegation of Control Wizard is a simple interface to delegate permissions.

 Demonstrate how to delegate administrative control of an OU through Active Directory Users and Computers.

 Demonstrate how to verify and remove delegated permissions using Active Directory Users and Computers.

 Explain that objects may be moved between OUs for administrative or business purposes.

 Point out that the Drag-and-Drop method or move menu options may be used in the Active Directory Users and Computers window.

 Demonstrate how to move an object between OUs using Drag-and-Drop in the Active Directory Users and Computers window.

 Demonstrate how to move an object between OUs using the move option in the Active Directory Users and Computers window.
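As an added example (not part of the lesson plan), the following PowerShell script verifies delegation on an OU the way the "verify and remove delegated permissions" demonstration above does in the console: it lists the explicit access entries the Delegation of Control Wizard writes and can remove the entries granted to one principal. It assumes the ActiveDirectory module and its AD: drive; the OU and group names are placeholders.

```powershell
# Added example, not from the lesson plan. Lists the permissions explicitly
# delegated on an OU (what the Delegation of Control Wizard writes) and
# removes those granted to one principal. Assumes the ActiveDirectory module
# and its AD: drive; the OU and group names are placeholders.
Import-Module ActiveDirectory

function Get-OuDelegation {
    param([Parameter(Mandatory = $true)][string]$OuDN)
    $acl = Get-Acl -Path "AD:\$OuDN"
    # Only explicit (non-inherited) Allow entries represent delegation; skip the
    # principals that hold rights on every container by default.
    $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notmatch '^(NT AUTHORITY|BUILTIN)\\' -and
        $_.IdentityReference.Value -notmatch '\\(Domain Admins|Enterprise Admins)$'
    } | ForEach-Object {
        New-Object PSObject -Property @{
            Identity    = $_.IdentityReference.Value
            Rights      = $_.ActiveDirectoryRights
            # All-zero GUID = applies to every attribute/class; otherwise the
            # schema GUID of the attribute, class or extended right granted.
            ObjectType  = $_.ObjectType
            AppliesTo   = $_.InheritedObjectType
            Inheritance = $_.InheritanceType
        }
    }
}

function Remove-OuDelegation {
    # Removes every explicit entry for one principal, which is what undoing a
    # wizard delegation amounts to. Returns the number of entries removed.
    param(
        [Parameter(Mandatory = $true)][string]$OuDN,
        [Parameter(Mandatory = $true)][string]$Identity   # e.g. CONTOSO\SalesAdmins
    )
    $path = "AD:\$OuDN"
    $acl  = Get-Acl -Path $path
    $aces = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity
    })
    foreach ($ace in $aces) { [void]$acl.RemoveAccessRule($ace) }
    if ($aces.Count -gt 0) { Set-Acl -Path $path -AclObject $acl }
    return $aces.Count
}

$ou = 'OU=Sales,DC=contoso,DC=com'   # placeholder OU
Get-OuDelegation -OuDN $ou | Format-Table Identity, Rights, Inheritance, ObjectType -AutoSize
# Remove-OuDelegation -OuDN $ou -Identity 'CONTOSO\SalesAdmins'
```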

Lesson Quiz

True/False

1. A default configuration of Active Directory in Windows Server 2008 allows for user accounts with no password to log on to the domain.

2. A dictionary attack is an attempt to hack a computer by trying all combinations of characters.

3. Organizational units are units in Active Directory that cannot be nested.

4. Organizational units are most often used in a decentralized administration model.
