MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Don Poulton Pearson 800 East 96th Street Indianapolis, Indiana 46240 USA ii MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Associate Publisher Dave Dusthimer Copyright © 2011 by Pearson Education, Inc. Acquisitions Editor Betsy Brown All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein. ISBN-13: 978-0-7897-4708-2 ISBN-10: 0-7897-4708-1 Library of Congress Cataloging-in-Publication Data: Poulton, Don. MCTS 70-640 cert guide : Windows server 2008 Active directory, configuring / Don Poulton. p. cm. ISBN 978-0-7897-4708-2 (hardcover w/CD) 1. Microsoft Windows server--Examinations--Study guides. 2. Operating systems (Computers)--Examinations--Study guides. 3. Directory services (Computer network technology)--Examinations--Study guides. 4. Local area networks (Computer networks)--Management--Examinations--Study guides. 5. Telecommunications engineers--Certification. 6. Electronic data processing personnel--Certification. I. Title. II. Title: Windows server 2008 Active directory, configuring. QA76.76.O63P6685 2011 005.4'476--dc22 2010043593 Printed in the United States of America First Printing: December 2010 Bulk Sales Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact U.S. Corporate and Government Sales 1-800-382-3419 [email protected] Development Editor Box Twelve Communications, Inc. Managing Editor Sandra Schroeder Project Editor Mandie Frank Copy Editor Mike Henry Indexer Erika Millen Proofreader Megan Wade Technical Editor Chris Crayton Publishing Coordinator Vanessa Evans Multimedia Developer Dan Scherf Designer Gary Adair Page Layout Mark Shirar For sales outside of the U.S., please contact International Sales [email protected] Trademarks All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Warning and Disclaimer Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it. iii Contents at a Glance Introduction 3 Chapter 1 Getting Started with Active Directory 17 Chapter 2 Installing and Configuring DNS for Active Directory 43 Chapter 3 Installing Active Directory Domain Services 73 Chapter 4 Configuring DNS Server Settings and Replication 107 Chapter 5 Global Catalogs and Operations Masters 143 Chapter 6 Configuring Active Directory Sites and Replication 173 Chapter 7 Additional Active Directory Roles 205 Chapter 8 Read-Only Domain Controllers 251 Chapter 9 Active Directory User and Group Accounts 281 Chapter 10 Trust Relationships in Active Directory 321 Chapter 11 Creating and Applying Group Policy Objects 345 Chapter 12 Group Policy Software Deployment 393 Chapter 13 Account Policies and Audit Policies 417 Chapter 14 Monitoring Active Directory 453 Chapter 15 Maintaining Active Directory 515 Chapter 16 Installing and Configuring Certificate Services 559 Chapter 17 Managing Certificate Templates, Enrollments, and Certificate Revocation 587 Practice Exam 629 Answers to Practice Exam 691 Appendix A Answers to the “Do I Know This Already?” Quizzes 729 Appendix B Installing Windows Server 2008 R2 763 Glossary 773 Index 796 Elements Available on CD Appendix C Memory Tables 3 Appendix D Memory Tables Answer Key 3 iv MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Table of Contents Introduction 3 Goals and Methods 3 How This Book Is Organized 4 Study and Exam Preparation Tips 7 Learning Styles 7 Study Tips 8 Study Strategies 9 Pretesting Yourself 10 Exam Prep Tips 10 Microsoft 70-640 Exam Topics 12 Chapter 1 Getting Started with Active Directory 17 The Foundation of Active Directory 17 X.500 17 LDAP 18 Naming Standards of X.500 and LDAP 19 Distinguished Names 19 Relative Distinguished Names 20 User Principal Names 21 Globally Unique Identifiers 21 Security Identifiers 21 Active Directory Canonical Names 22 The Building Blocks of Active Directory 22 Namespaces 22 Objects 23 Containers 24 Schemas 24 Global Catalogs 24 Partitions 25 Logical Components of Active Directory 26 Domains 26 Trees 27 Forests 27 Organizational Units 29 Sites 30 Domain Controllers 31 v Global Catalog Servers 31 Operations Masters 32 New Features of Active Directory in Windows Server 2008 33 Server Manager 35 Adding Roles and Features 36 Command-Line Server Management 36 Windows Server 2008 R2 37 Summary 40 Chapter 2 Installing and Configuring DNS for Active Directory 43 “Do I Know This Already?” Quiz 43 The Hierarchical Nature of DNS 48 Installing DNS on Windows Server 2008 R2 49 Configuring DNS Zones 51 DNS Zone Types 52 Primary Zones 53 Secondary Zones 53 Stub Zones 53 Active Directory–Integrated Zones 53 GlobalNames Zones 54 DNS Name Server Roles 55 Primary Name Server 55 Secondary Name Server 55 Caching-Only Server 56 Forwarders 56 Creating DNS Zones 57 Forward Lookup Zones 57 Reverse Lookup Zones 59 DNS Resource Records 61 Configuring DNS Zone Properties 62 Configuring Zone Types 63 Adding Authoritative DNS Servers to a Zone 63 Dynamic, Nondynamic, and Secure Dynamic DNS 64 Zone Scavenging 65 Time to Live 66 Integrating DNS with WINS 68 Command-Line DNS Server Administration 69 Review All the Key Topics 71 vi MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Complete the Tables and Lists from Memory 71 Definitions of Key Terms 71 Chapter 3 Installing Active Directory Domain Services 73 “Do I Know This Already?” Quiz 73 Planning the Active Directory Namespace 77 Subdividing the Active Directory Namespace 77 Administrative or Geographical Organization of Domains 78 Use of Multiple Trees 79 Best Practices 80 Creating Forests and Domains 81 Requirements for Installing Active Directory Domain Services 81 Installing Active Directory Domain Services 82 New Forests 83 New Domains in Existing Forests 88 Existing Domains 89 Performing Unattended Installations of Active Directory 90 Server Core Domain Controllers 92 Removing Active Directory 92 Interoperability with Previous Versions of Active Directory 93 Forest and Domain Functional Levels 94 Upgrading Domain and Forest Functional Levels 95 The Adprep Utility 96 Running the Adprep /forestprep Command 96 Running the Adprep /domainprep Command 97 Upgrading a Windows Server 2003 Domain Controller 97 Additional Forest and Domain Configuration Tasks 98 Verifying the Proper Installation of Active Directory 98 Active Directory Migration Tool v.3.1 100 Alternative User Principal Name Suffixes 101 Review All the Key Topics 103 Complete the Tables and Lists from Memory 103 Definitions of Key Terms 104 Chapter 4 Configuring DNS Server Settings and Replication 107 “Do I Know This Already?” Quiz 107 Configuring DNS Server Settings 112 Forwarding 112 Conditional Forwarders 114 vii Root Hints 116 Configuring Zone Delegation 117 Debug Logging 119 Event Logging 121 DNS Security Extensions 121 Advanced Server Options 123 Server Options 123 Round Robin 124 Disable Recursion 125 Name Checking 125 Loading Zone Data 126 Server Scavenging 126 Monitoring DNS 127 Configuring Zone Transfers and Replication 128 Replication Scope 128 Types of Zone Transfers 130 Full Zone Transfer 130 Incremental Zone Transfer 131 Configuring Zone Transfers 132 Configuring DNS Notify 133 Secure Zone Transfers 134 Configuring Name Servers 136 Application Directory Partitions 138 Installing and Configuring Application Directory Partitions 138 Creating Application Directory Partition Replicas 139 Application Directory Partition Reference Domains 139 Review All the Key Topics 140 Complete the Tables and Lists from Memory 140 Definitions of Key Terms 140 Chapter 5 Global Catalogs and Operations Masters 143 “Do I Know This Already?” Quiz 143 Configuring Global Catalog Servers 148 Planning the Placement of Global Catalog Servers 148 Promoting Domain Controllers to Global Catalog Servers 150 Using Universal Group Membership Caching 151 Using Partial Attribute Sets 152 viii MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Configuring Operations Masters 153 Schema Master 153 Configuring the Schema 154 Extending the Schema 155 Deactivating Schema Objects 159 Domain Naming Master 160 PDC Emulator 160 Time Service 161 Infrastructure Master 162 RID Master 162 Placement of Operations Masters 163 Transferring and Seizing of Operations Master Roles 164 Transferring Operations Master Roles 165 Seizing Operations Masters Roles 167 Review All the Key Topics 169 Complete the Tables and Lists from Memory 169 Definitions of Key Terms 170 Chapter 6 Configuring Active Directory Sites and Replication 173 “Do I Know This Already?” Quiz 173 The Need for Active Directory Sites 178 Configuring Sites and Subnets 179 Creating Sites 180 Adding Domain Controllers 181 Creating and Using Subnets 182 Site Links, Site Link Bridges, and Bridgehead Servers 184 The Need for Site Links and Site Link Bridges 184 Configuring Site Links 185 Site Link Bridges 185 Site Link Costs 186 Sites Infrastructure 189 Knowledge Consistency Checker 189 Intersite Topology Generator 189 Configuring Active Directory Replication 189 Concepts of Active Directory Replication 190 Intersite and Intrasite Replication 191 Distributed File System 192 One-Way Replication 193 ix Bridgehead Servers 193 Replication Protocols 194 Ports Used for Intersite Replication 195 Replication Scheduling 196 Intersite Replication Scheduling 196 Intrasite Replication Scheduling 198 Forcing Intersite Replication 200 Review All the Key Topics 201 Complete the Tables and Lists from Memory 202 Definitions of Key Terms 202 Chapter 7 Additional Active Directory Roles 205 “Do I Know This Already?” Quiz 205 New Server Roles and Features 210 Active Directory Lightweight Directory Services 211 Installing AD LDS 213 Installing the AD LDS Role 213 Installing AD LDS Instances 214 Configuring Data Within AD LDS 217 Using the ADSI Edit Snap-in 217 Using Ldp.exe 218 Using the Active Directory Schema Snap-in 220 Using the Active Directory Sites and Services Snap-in 221 Migrating to AD LDS 221 Configuring an Authentication Server 222 Creating AD LDS User Accounts and Groups 222 Binding to an AD LDS Instance with an AD LDS User 224 Using AD LDS on Server Core 224 Active Directory Rights Management Services 225 Installing AD RMS 226 Certificate Request and Installation 228 Self-Enrollments 230 Delegation 230 Active Directory Metadirectory Services 231 Active Directory Federation Services 231 Installing the AD FS Server Role 233 Configuring Trust Policies 236 User and Group Claim Mapping 237 x MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Configuring Federation Trusts 238 Creating Claims 239 Creating Account Stores 240 Enabling Applications 241 Creating Federation Trusts 242 Windows Server 2008 R2 Virtualization 244 Review All the Key Topics 247 Complete the Tables and Lists from Memory 247 Definitions of Key Terms 248 Chapter 8 Read-Only Domain Controllers 251 “Do I Know This Already?” Quiz 251 Installing a Read-Only Domain Controller 254 Planning the Use of RODCs 254 Installing RODCs 256 Prestaging an RODC 257 Managing a Read-Only Domain Controller 259 Unidirectional Replication 260 Administrator Role Separation 261 Read-Only DNS 262 BitLocker 263 Preparing Your Computer to Use BitLocker 265 Enabling BitLocker 265 Managing BitLocker 269 Replication of Passwords 270 Planning a Password Replication Policy 271 Configuring a Password Replication Policy 272 Credential Caching 273 Administering the RODC’s Authentication Lists 275 syskey 276 Review all the Key Topics 278 Definitions of Key Terms 278 Chapter 9 Active Directory User and Group Accounts 281 “Do I Know This Already?” Quiz 281 Creating User and Group Accounts 286 Introducing User Accounts 286 Introducing Group Accounts 287 Creating User, Computer, and Group Accounts 288 xi Use of Template Accounts 290 Using Bulk Import to Automate Account Creation 291 Csvde Ldifde Dsadd 292 293 294 Additional Command-Line Tools 295 Scripts 296 Configuring the UPN 296 UPN Suffixes 296 Adding or Removing UPN Suffixes 297 Configuring Contacts 298 Creating Distribution Lists 299 Managing and Maintaining Accounts 300 Creating Organizational Units 301 Configuring Group Membership 304 AGDLP/AGUDLP 306 Account Resets 308 Deny Domain Local Group 308 Protected Admin 309 Local Versus Domain Groups 310 Deprovisioning Accounts 312 Delegating Administrative Control of Active Directory Objects 313 Review All the Key Topics 317 Complete the Tables and Lists from Memory 318 Definitions of Key Terms 318 Chapter 10 Trust Relationships in Active Directory 321 “Do I Know This Already?” Quiz 321 Types of Trust Relationships 325 Transitive Trusts 325 Forest Trusts 326 External Trusts and Realm Trusts 326 Shortcut Trusts 327 Creating and Configuring Trust Relationships 328 Creating a Forest Trust Relationship 329 Creating External Trust Relationships 335 Creating Realm Trust Relationships 336 Creating Shortcut Trust Relationships 337 xii MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Managing Trust Relationships 338 Validating Trust Relationships 338 Authentication Scope 338 SID Filtering 340 Removing a Cross-forest Trust Relationship 341 Review All the Key Topics 343 Complete the Tables and Lists from Memory 343 Definitions of Key Terms 343 Chapter 11 Creating and Applying Group Policy Objects 345 “Do I Know This Already?” Quiz 345 Overview of Group Policy 351 Components of Group Policy 351 Group Policy Containers 352 Group Policy Templates 352 New Features of Group Policy in Windows Server 2008 and Windows Server 2008 R2 354 Creating and Applying GPOs 355 Managing GPOs 359 Linking GPOs 360 Managing GPO Links 361 Deleting a GPO 362 Delegating Control of GPOs 362 Specifying a Domain Controller 365 Configuring GPO Hierarchy and Processing Priority 365 OU Hierarchy 367 Enforced 367 Block Inheritance 369 Modifying the Sequence of GPO Application 370 Disabling User Objects 370 Group Policy Filtering 371 Security Filtering of GPOs 371 Windows Management Instrumentation 374 Windows PowerShell 374 Configuring GPO Templates 376 Group Policy Loopback Processing 377 User Rights 378 ADMX Central Store 379 Administrative Templates 380 xiii Restricted Groups 384 Starter GPOs 385 Shell Access Policies 387 Review All the Key Topics 389 Complete the Tables and Lists from Memory 389 Definitions of Key Terms 390 Chapter 12 Group Policy Software Deployment 393 “Do I Know This Already?” Quiz 393 Types of Software Deployment 398 Assigning and Publishing Software 399 Assigning Software to Users 399 Assigning Software to Computers 399 Publishing Software to Users 399 Deploying Software Using Group Policy 400 ZAP Files 402 Software Installation Properties 403 Software Package Properties 405 Upgrading Software 407 Use of Transform Files to Modify Software Packages 409 Redeployment of Upgraded Software 411 Removal of Software 413 Review All the Key Topics 414 Complete the Tables and Lists from Memory 414 Definitions of Key Terms 414 Chapter 13 Account Policies and Audit Policies 417 “Do I Know This Already?” Quiz 417 Use of Group Policy to Configure Security 422 Configuring Account Policies 422 Domain Password Policies 423 Account Lockout 426 Unlocking an Account 427 Kerberos Policy 428 Fine-Grained Password Policies 428 Password Settings Precedence 429 Configuring Fine-Grained Password Policies 430 Managing Fine-Grained Password Policies 435 Viewing the Resultant PSO 435 xiv MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Security Options 436 Using Additional Security Configuration Tools 439 Auditing of Active Directory Services 441 New Features of Active Directory Auditing 441 Using GPOs to Configure Auditing 442 Available Auditing Categories 442 Configuring Basic Auditing Policies 443 Configuring Advanced Audit Policies 446 Using Auditpol.exe to Configure Auditing 447 Review All the Key Topics 449 Complete the Tables and Lists from Memory 450 Definitions of Key Terms 450 Chapter 14 Monitoring Active Directory 453 “Do I Know This Already?” Quiz 453 Tools Used to Monitor Active Directory 459 Network Monitor 459 Task Manager 463 Configuring Application Priority 465 Event Viewer 466 Customizing Event Viewer 468 Customizing Event Viewer Detail 470 Reliability and Performance Monitor 471 Resource Monitor 473 Reliability Monitor 473 Performance Monitor 476 Data Collector Sets 479 Windows System Resource Manager 484 Server Performance Advisor 486 Monitoring and Troubleshooting Active Directory Replication 487 replmon 487 491 repadmin 491 replicate showmeta 492 showreps 492 add sync 492 493 syncall 493 xv showconn 493 replsummary dcdiag 494 494 Troubleshooting the Application of Group Policy Objects 496 Resultant Set of Policy 496 Planning Mode/Group Policy Modeling 497 Logging Mode/Group Policy Results 501 Using the Delegation of Control Wizard 509 Gpresult 509 Review All the Key Topics 512 Complete the Tables and Lists from Memory 513 Definitions of Key Terms 513 Chapter 15 Maintaining Active Directory 515 “Do I Know This Already?” Quiz 515 Backing Up and Recovering Active Directory 520 Backup Permissions 521 Use of Windows Server Backup 521 Installing Windows Server Backup 521 Backing Up Critical Volumes of a Domain Controller 522 The wbadmin Command 525 Scheduling a Backup 526 Using Removable Media 527 Recovering Active Directory 528 Directory Services Restore Mode 528 Performing a Nonauthoritative Restore 529 Using the wbadmin Command to Recover Your Server 534 Performing an Authoritative Restore 536 Recovering Back-Links of Authoritatively Restored Objects 537 Performing a Full Server Recovery of a Domain Controller 538 Linked-Value Replication and Authoritative Restore of Group Memberships 539 The Active Directory Recycle Bin 540 Enabling the Active Directory Recycle Bin 541 Using the Active Directory Recycle Bin to Restore Deleted Objects 543 Backing Up and Restoring GPOs 545 Backing Up GPOs 545 Restoring GPOs 545 Importing GPOs 547 Using Scripts for Group Policy Backup and Restore 548 xvi MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Offline Maintenance of Active Directory 549 Restartable Active Directory 549 Offline Defragmentation and Compaction 550 Online Defragmentation 551 Offline Defragmentation 551 Active Directory Database Storage Allocation 553 Review All the Key Topics 555 Complete the Tables and Lists from Memory 556 Definitions of Key Terms 556 Chapter 16 Installing and Configuring Certificate Services 559 “Do I Know This Already?” Quiz 559 What’s New with Certificate Services in Windows Server 2008? 563 New Features of Active Directory Certificate Services in Windows Server 2008 R2 564 Installing Active Directory Certificate Services 565 Configuring Certificate Authority Types and Hierarchies 565 Installing Root CAs 567 Installing Subordinate CAs 571 Understanding Certificate Requests 571 Using Certificate Practice Statements 572 Configuring Certificate Authority Server Settings 573 Installing the Certificates Snap-in 573 Working with Certificate Stores 575 Using Group Policy to Import Certificates 575 Backing Up Certificates and Keys 576 Restoring Certificates and Keys 577 Using Group Policy to Enable Credential Roaming 578 Backing Up and Restoring Certificate Databases 580 Assigning Administration Roles 581 Configuring Certificate Server Permissions 582 Review All the Key Topics 583 Complete the Tables and Lists from Memory 584 Definitions of Key Terms 584 Chapter 17 Managing Certificate Templates, Enrollments, and Certificate Revocation 587 “Do I Know This Already?” Quiz 587 Managing Certificate Templates 592 xvii Understanding Certificate Template Types 592 Configuring Certificate Templates 593 Securing Template Permissions 595 Enabling the Use of Templates 597 Managing Different Certificate Template Versions 597 Archiving Keys 599 Configuring Key Recovery Agents 599 Managing Certificate Enrollments 602 Understanding Network Device Enrollment Services 602 Enabling Certificate Autoenrollment 605 Configuring Web Enrollment 606 Configuring Smart Card Enrollment 609 Creating Enrollment Agents 610 Using Group Policy to Require Smart Cards for Logon 614 Managing Certificate Revocation 616 Configuring Certificate Revocation Lists 617 Configuring a CRL Distribution Point 619 Troubleshooting CRLs 620 Configuring Online Responders 621 Configuring Responder Properties 622 Adding a Revocation Configuration 623 Configuring Arrays 624 Configuring Authority Information Access 624 Review All the Key Topics 625 Complete the Tables and Lists from Memory 626 Definitions of Key Terms 626 Practice Exam 629 Answers to Practice Exam 691 Appendix A Answers to the “Do I Know This Already?” Quizzes 729 Appendix B Installing Windows Server 2008 R2 763 Glossary 773 Index 796 Elements Available on CD Appendix C Memory Tables 3 Appendix D Memory Tables Answer Key 3 xviii MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring About the Author Don Poulton (A+, Network+, Security+, MCSA, MCSE) is an independent consultant who has been involved with computers since the days of 80-column punch cards. After a career of more than 20 years in environmental science, Don switched careers and trained as a Windows NT 4.0 MCSE. He has been involved in consulting with a couple of small training providers as a technical writer, during which time he wrote training and exam prep materials for Windows NT 4.0, Windows 2000, and Windows XP. Don has written or contributed to several titles, including Security+ Lab Manual (Que, 2004); MCSA/MCSE 70-299 Exam Cram 2: Implementing and Administering Security in a Windows 2003 Network (Exam Cram 2) (Que, 2004); MCSE 70-294 Exam Prep: Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure (Que, 2006); MCTS 70-620 Exam Prep: Microsoft Windows Vista, Configuring (Que, 2008); and MCTS 70-680 Cert Guide: Microsoft Windows 7, Configuring (Que, 2011). In addition, he has worked on programming projects, both in his days as an environmental scientist and more recently with Visual Basic to update an older statistical package used for multivariate analysis of sediment contaminants. When not working on computers, Don is an avid amateur photographer who has had his photos displayed in international competitions and published in magazines such as Michigan Natural Resources Magazine and National Geographic Traveler. Don also enjoys traveling and keeping fit. Don lives in Burlington, Ontario, with his wife, Terry. xix Dedication I would like to dedicate this book to my wife Terry, who has stood by my side and supported me throughout the days spent writing this book. This project would not have been possible without her love and support. Acknowledgments I would like to thank all the staff at Pearson and in particular Betsy Brown for making this project possible. My sincere thanks goes out to Chris Crayton for his helpful technical suggestions, as well as Jeff Riley, development editor, and Mike Henry, copy editor, for their improvements to the manuscript. —Don Poulton xx MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring About the Technical Reviewer Christopher A. Crayton is an author, technical editor, technical consultant, security consultant, trainer, and SkillsUSA state-level technology competition judge. Formerly, he worked as a computer and networking instructor at Keiser College (2001 Teacher of the Year); as network administrator for Protocol, a global electronic customer relationship management (eCRM) company; and at Eastman Kodak Headquarters as a computer and network specialist. Chris has authored several print and online books, including The A+ Exams Guide, Second Edition (Cengage Learning, 2008); Microsoft Windows Vista 70-620 Exam Guide Short Cut (O’Reilly, 2007); CompTIA A+ Essentials 220-601 Exam Guide Short Cut (O’Reilly, 2007); The A+ Exams Guide (Charles River Media, 2008); The A+ Certification and PC Repair Handbook (Charles River Media, 2005); The Security+ Exam Guide (Charles River Media, 2003); and A+ Adaptive Exams (Charles River Media, 2002). He is also coauthor of the How to Cheat at Securing Your Network (Syngress, 2007). As an experienced technical editor, Chris has provided many technical edits/reviews for several major publishing companies, including Pearson Education, McGraw-Hill, Cengage Learning, Wiley, O’Reilly, Syngress, and Apress. He holds MCSE, A+, and Network+ certifications. xxi We Want to Hear from You! As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we’re doing right, what we could do better, what areas you’d like to see us publish in, and any other words of wisdom you’re willing to pass our way. As an associate publisher for Pearson Publishing, I welcome your comments. You can email or write me directly to let me know what you did or didn’t like about this book—as well as what we can do to make our books better. Please note that I cannot help you with technical problems related to the topic of this book. We do have a User Services group, however, where I will forward specific technical questions related to the book. When you write, please be sure to include this book’s title and author as well as your name, email address, and phone number. I will carefully review your comments and share them with the author and editors who worked on the book. Email: [email protected] Mail: Dave Dusthimer Associate Publisher Pearson Education 800 East 96th Street Indianapolis, IN 46240 USA Reader Services Visit our website and register this book at www.pearsonITcertification.com/register for convenient access to any updates, downloads, or errata that might be available for this book. Introduction MCTS Windows Server 2008 Active Directory, Configuring Cert Guide (Exam 70-640) is designed for network administrators, network engineers, and consultants who are pursuing the Microsoft Certified Technology Specialist (MCTS) or Microsoft Certified IT Professional (MCITP) certifications for Windows Server 2008. This book covers the “TS: Microsoft Windows Server 2008 Active Directory, Configuring” exam (70-640), which earns you the Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration certification. The exam is designed to measure your skill and ability to implement, administer, and troubleshoot Active Directory running on Windows Server 2008. Microsoft not only tests you on your knowledge of Active Directory, but it has purposefully developed questions on the exam to force you to problem-solve in the same way that you would when presented with a real-life error. Passing this exam demonstrates your competency in administration. This book covers all the objectives that Microsoft has established for exam 70-640. It doesn’t offer end-to-end coverage of Active Directory in Windows Server 2008; rather, it helps you develop the specific core competencies that you need to master as an Active Directory administrator. You should be able to pass the exam by learning the material in this book, without taking a class. Goals and Methods The number-one goal of this book is a simple one: to help you get ready to take—and pass—Microsoft Certification Exam 70-640, “TS: Windows Server 2008 Active Directory, Configuring.” You will find information within this book that will help ensure your success as you pursue this Microsoft exam and the Technology Specialist or IT Professional certification. Because Microsoft certification exams stress problem-solving abilities and reasoning more than memorization of terms and facts, our goal is to help you master and understand the required objectives for the 70-640 exam. 4 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring To aid you in mastering and understanding the MCTS certification objectives, this book uses the following methods: ■ Opening topics list: This defines the topics to be covered in the chapter; it also lists the corresponding 70-640 exam objectives. ■ Do I Know This Already Quizzes: At the beginning of each chapter is a quiz. The quizzes, and answers/explanations (found in Appendix A), are meant to gauge your knowledge of the subjects. If the answers to the questions don’t come readily to you, be sure to read the entire chapter. ■ Foundation Topics: The heart of the chapter. Explains the topics from a hands-on and a theory-based standpoint. This includes in-depth descriptions, tables, and figures that are geared to build your knowledge so that you can pass the exam. The chapters are broken down into several topics each. ■ Key Topics: The key topics indicate important figures, tables, and lists of infor- mation that you should know for the exam. They are interspersed throughout the chapter and are listed in table form at the end of the chapter. ■ Memory Tables: These can be found on the DVD within Appendix C, “Memory Tables.” Use them to help memorize important information. ■ Key Terms: Key terms without definitions are listed at the end of each chapter. Write down the definition of each term and check your work against the complete key terms in the glossary. How This Book Is Organized Although this book could be read cover-to-cover, it is designed to be flexible and enable you to easily move between chapters and sections of chapters to cover just the material that you need more work with. If you do intend to read all the chapters, the order in the book is an excellent sequence to use. Chapter 1, “Getting Started with Active Directory,” is an introductory chapter that presents the concepts around which Active Directory is built. It serves as a reference to the material that follows and eases users who are new to Active Directory into the book. If you have worked with Active Directory in Windows 2000 or Windows Server 2003, you might want to start with Chapter 2; however, you should take a look at the overview presented here of new capabilities of Active Directory in Windows Server 2008 and its R2 update. Introduction 5 The core chapters, Chapters 2 through 17, cover the following topics: ■ Chapter 2, “Installing and Configuring DNS for Active Directory”: This chapter focuses on the concepts of Domain Name System (DNS) required for setting up an Active Directory domain. You learn about how to install DNS on your server and how to set up and configure DNS zones. ■ Chapter 3, “Installing Active Directory Domain Services”: This chapter shows you how to set up your first domain. It then continues to discuss creating additional domain controllers in this domain and child domain controllers. It also discusses the requirements that must be met when upgrading domains based on older Windows server versions to allow them to operate in Windows Server 2008 with complete functionality. ■ Chapter 4, “Configuring DNS Server Settings and Replication”: This chapter builds on Chapter 2 to delve into additional items that you must configure in server settings, zone transfers, and DNS replication. ■ Chapter 5, “Global Catalogs and Operations Masters”: Proper operation of global catalog servers and operations masters is vital to the day-to-day functioning of your domain and forest. This chapter focuses on the configuration and troubleshooting steps necessary with these specialized domain controllers. ■ Chapter 6, “Configuring Active Directory Sites and Replication”: Active Directory divides forests and domains on a geographical basis by using sites. To function properly, Active Directory depends on data replication among all its domain controllers. This chapter shows you how to set up sites and ensure that all directory objects are located in the site corresponding to their locations. It then continues with configuring replication, both on an intrasite and intersite basis. ■ Chapter 7, “Additional Active Directory Roles”: This chapter takes care of other Active Directory roles including Active Directory Lightweight Directory Services (AD LDS), Active Directory Federation Services (AD FS), and Active Directory Rights Management Service (AD RMS). AD LDS is designed to provide additional directory services where an additional domain and its domain controllers are not required. AD RMS enhances security in your domain by enabling the creation of rights-protected files and folders that can be accessed only by authorized users. AD FS provides a single sign-on capability for authenticating users to multiple web-based applications. ■ Chapter 8, “Read-Only Domain Controllers”: This chapter discusses how to set up a read-only domain controller (RODC) and configure its interaction with 6 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring other (writable) domain controllers in your forest. An RODC is useful in a situation such as a branch office where physical security of the domain controller might be of concern. ■ Chapter 9, “Active Directory User and Group Accounts”: This chapter shows you how to create user and group accounts in Active Directory, including methods for bulk creation of large numbers of accounts. It introduces the various types and scopes of groups available in Active Directory and the recommended methods of nesting these groups to facilitate the provision of access to resources in your forest. It also looks at account properties, creation of organizational units (OUs), and delegation of control. ■ Chapter 10, “Trust Relationships in Active Directory”: By default, all domains in a forest trust each other. However, you might need to access objects located in another forest, and this chapter talks about methods you might use to provide and troubleshoot such access. Windows Server 2008 provides several types of trust relationships that can be used for meeting different requirements. ■ Chapter 11, “Creating and Applying Group Policy Objects”: Group Policy is at the heart and soul of resource management in Active Directory. This chapter shows you how to set up Group Policy objects and configure them to apply to users, groups, and OUs as required. The hierarchy of GPO application and the methods to modify this hierarchy are also discussed. ■ Chapter 12, “Group Policy Software Deployment”: This chapter shows you how to use Group Policy for deploying software to large numbers of users so that they have the applications they need to perform their jobs. You also learn how to upgrade software when new editions and features become available and how to remove software when it is no longer required by users. ■ Chapter 13, “Account Policies and Audit Policies”: This chapter expands the coverage of Group Policy to include policies that govern the safety and security of accounts in your domain and audit access to Active Directory objects and components so that you can meet the increasingly complex regulatory requirements. ■ Chapter 14, “Monitoring Active Directory”: This chapter focuses on the tools you can use to monitor the functionality of Active Directory. You also learn about the tools and methods used for monitoring Active Directory replication as well as the tools and techniques you can use to monitor and troubleshoot the application of Group Policy. ■ Chapter 15, “Maintaining Active Directory”: This chapter shows you how to back up, recover, restart, and troubleshoot Active Directory and its components. Introduction 7 You learn how to perform nonauthoritative and authoritative restore of Active Directory and how to use the new Windows Server 2008 R2 Active Directory Recycle Bin. ■ Chapter 16, “Installing and Configuring Certificate Services”: A system of certificates is vital to carrying out secure business, especially when an Internet presence is required. This chapter shows you how to set up a hierarchy of certificate servers within Active Directory and back up, restore, and archive your certificates and keys. ■ Chapter 17, “Managing Certificate Templates, Enrollments, and Certificate Revocation”: Certificates issued by your servers require management to ensure that users requiring certificates can obtain them, and that compromised certificates are revoked and cannot be used by unauthorized parties. This chapter looks at these topics and helps you to ensure the security of your certificate hierarchy. In addition to the 17 main chapters, this book includes tools to help you verify that you are prepared to take the exam. The CD includes the glossary, practice test, and memory tables that you can work through to verify your knowledge of the subject matter. Study and Exam Preparation Tips It’s a rush of adrenaline during the final day before an exam. If you’ve scheduled the exam on a workday, or following a workday, you will find yourself cursing the tasks you normally cheerfully perform because the back of your mind is telling you to read just a bit more, study another scenario, practice another skill so that you will be able to get this exam out of the way successfully. The way that Microsoft has designed its tests lately does not help. I remember taking Microsoft exams many years ago and thoroughly understanding the term paper certified. Nowadays, you can’t get through a Microsoft exam without knowing the material so well that when confronted with a problem, whether a scenario or reallife situation, you can handle the challenge. Instead of trying to show the world how many MCSEs are out there, Microsoft is trying to prove how difficult it is to achieve a certification, including the newly created MCTS and MCITP as well as the MCSE and MCSA, thereby making those who are certified more valuable to their organizations. Learning Styles To best understand the nature of preparation for the test, it is important to understand learning as a process. You are probably aware of how you best learn new 8 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring material. You might find that outlining works best for you, or, as a visual learner, you might need to “see” things. Or, as a person who studies kinesthetically, the hands-on approach serves you best. Whether you need models or examples, or you just like exploring the interface, or whatever your learning style, solid test preparation works best when it takes place over time. Obviously, you shouldn’t start studying for a certification exam the night before you take it; it is very important to understand that learning is a developmental process. Understanding learning as a process helps you focus on what you know and what you have yet to learn. People study in a combination of different ways: by doing, by seeing, and by hearing and writing. This book’s design fulfills all three of these study methods. For the kinesthetic, there are key topics scattered throughout each chapter. You will also discover step-by-step procedural instructions that walk you through the skills you need to master Active Directory in Windows Server 2008. The visual learner can find plenty of screen shots explaining the concepts described in the text. The auditory learner can reinforce skills by reading out loud and copying down key concepts and exam tips scattered throughout the book. You can also practice writing down the meaning of the key terms defined in each chapter, and in completing the memory tables for most chapters found on the accompanying DVD. While reading this book, you will realize that it stands the test of time. You will be able to turn to it over and over again. Thinking about how you learn should help you recognize that learning takes place when you are able to match new information to old. You have some previous experience with computers and networking. Now you are preparing for this certification exam. Using this book, software, and supplementary materials will not just add incrementally to what you know; as you study, the organization of your knowledge actually restructures as you integrate new information into your existing knowledge base. This leads you to a more comprehensive understanding of the tasks and concepts outlined in the objectives and of computing in general. Again, this happens as a result of a repetitive process rather than a singular event. If you keep this model of learning in mind as you prepare for the exam, you will make better decisions concerning what to study and how much more studying you need to do. Study Tips There are many ways to approach studying, just as there are many different types of material to study. However, the tips that follow should work well for the type of material covered on Microsoft certification exams. Introduction 9 Study Strategies Although individuals vary in the ways they learn information, some basic principles of learning apply to everyone. You should adopt some study strategies that take advantage of these principles. One of these principles is that learning can be broken into various depths. Recognition (of terms, for example) exemplifies a rather surface level of learning in which you rely on a prompt of some sort to elicit recall. Comprehension or understanding (of the concepts behind the terms, for example) represents a deeper level of learning than recognition. The ability to analyze a concept and apply your understanding of it in a new way represents further depth of learning. Your learning strategy should enable you to know the material at a level or two deeper than mere recognition. This will help you perform well on the exams. You will know the material so thoroughly that you can go beyond the recognition-level types of questions commonly used in fact-based multiple-choice testing. You will be able to apply your knowledge to solve new problems. Macro and Micro Study Strategies One strategy that can lead to deep learning includes preparing an outline that covers all the objectives and subobjectives for the particular exam you are planning to take. You should delve a bit further into the material and include a level or two of detail beyond the stated objectives and subobjectives for the exam. Then you should expand the outline by coming up with a statement of definition or a summary for each point in the outline. An outline provides two approaches to studying. First, you can study the outline by focusing on the organization of the material. You can work your way through the points and subpoints of your outline, with the goal of learning how they relate to one another. For example, you should be sure you understand how each of the main objective areas for Exam 70-640 is similar to and different from another. Then you should do the same thing with the subobjectives; you should be sure you know which subobjectives pertain to each objective area and how they relate to one another. Next, you can work through the outline, focusing on learning the details. You should memorize and understand terms and their definitions, facts, rules and tactics, advantages and disadvantages, and so on. In this pass through the outline, you should attempt to learn detail rather than the big picture (the organizational information that you worked on in the first pass through the outline). Research has shown that attempting to assimilate both types of information at the same time interferes with the overall learning process. If you separate your studying into these two approaches, you will perform better on the exam. 10 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Active Study Strategies The process of writing down and defining objectives, subobjectives, terms, facts, and definitions promotes a more active learning strategy than merely reading the material does. In human information-processing terms, writing forces you to engage in more active encoding of the information. Simply reading over the information leads to more passive processing. Using this study strategy, you should focus on writing down the items that are highlighted in the book—bulleted or numbered lists, key topics, notes, cautions, and review sections, for example. You need to determine whether you can apply the information you have learned by attempting to create examples and scenarios on your own. You should think about how or where you could apply the concepts you are learning. Again, you should write down this information to process the facts and concepts in an active fashion. Common-Sense Strategies You should follow common-sense practices when studying: You should study when you are alert, reduce or eliminate distractions, and take breaks when you become fatigued. Pretesting Yourself Pretesting allows you to assess how well you are learning. One of the most important aspects of learning is what has been called meta-learning. Meta-learning has to do with realizing when you know something well or when you need to study some more. In other words, you recognize how well or how poorly you have learned the material you are studying. For most people, this can be difficult to assess. Memory tables, practice questions, and practice tests are useful in that they reveal objectively what you have learned and what you have not learned. You should use this information to guide review and further studying. Developmental learning takes place as you cycle through studying, assessing how well you have learned, reviewing, and assessing again until you feel you are ready to take the exam. You might have noticed the practice exam included in this book. You should use it as part of the learning process. The Exam Gear test-simulation software included on this book’s CD-ROM also provides you with an excellent opportunity to assess your knowledge. You should set a goal for your pretesting. A reasonable goal would be to score consistently in the 90% range. Exam Prep Tips After you have mastered the subject matter, the final preparatory step is to understand how the exam will be presented. Make no mistake: An MCTS exam challenges Introduction 11 both your knowledge and your test-taking skills. Preparing for the 70-640 exam is a bit different from preparing for those old Microsoft exams. The following is a list of things that you should consider doing: ■ Combine your skill sets into solutions: In the past, exams would test whether you knew to select the right letter of a multiple choice answer. Today, you need to know how to resolve a problem that may involve different aspects of the material covered. For example, on exam 70-640 you could be presented with a problem that requires you to understand how to configure Group Policy to apply to a specific set of users and not to other users, and to troubleshoot this policy if it is not properly applied. The skills themselves are simple. Being able to zero in on what caused the problem and then to resolve it for a specific situation is what you need to demonstrate. In fact, you should not only be able to select one answer, but also multiple parts of a total solution. ■ Delve into excruciating details: The exam questions incorporate a great deal of information in the scenarios. Some of the information is ancillary: It will help you rule out possible issues, but not necessarily resolve the answer. Some of the information simply provides you with a greater picture, as you would have in real life. Some information is key to your solution. For example, you might be presented with a question that lists the components of an Active Directory domain such as the number of server and client computers, the organizational unit (OU) structure, and so on. When you delve further into the question, you realize that the OU structure is the problem. Other times, you will find that the OU structure simply eliminates one or more of the answers that you could select. If you don’t pay attention to what you can eliminate, the answer can elude you completely. And other times, the hardware configuration simply lets you know that the hardware is adequate. ■ Microsoft likes to quiz exam takers on the latest modifications of its technology: From time to time, Microsoft seeds new questions into its exam database and beta tests these questions on exam takers. During the beta period for each question, its answer is not taken into account in computing the final score. However, when Microsoft is satisfied with the question’s performance, it becomes live and is scored appropriately. You can expect to see questions that test your knowledge of the latest changes in Active Directory technology, including the enhancements introduced in 2009 with Windows Server 2008 R2. ■ It’s a GUI test: Microsoft has expanded its testing criteria into interface recogni- tion. You should be able to recognize each dialog box, properties sheet, options, and defaults. You will be tested on how to perform typical configuration actions in Active Directory. In fact, Microsoft has begun to include performance-based questions on its exams that instruct you to perform a given task and presents 12 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring you with a live version of some Active Directory tool. You must complete the required actions and no others; otherwise, your response will be scored as incorrect. ■ Practice with a time limit: The tests have always been time restricted, but it takes more time to read and understand the scenarios now and time is a whole lot tighter. To get used to the time limits, test yourself with a timer. Know how long it takes you to read scenarios and select answers. Microsoft 70-640 Exam Topics Table I-1 lists the exam topics for the Microsoft 70-640 exam. This table also lists the book parts in which each exam topic is covered. Table I-1 Microsoft 70-640 Exam Topics Chapter Topics 70-640 Exam Objectives Covered 1 (n/a) The Foundation of Active Directory The Building Blocks of Active Directory New Features of Active Directory in Windows Server 2008 2 The Hierarchical Nature of DNS Installing DNS on Windows Server 2008 Configuring Domain Name System (DNS) for Active Directory ■ Configure Zones Configuring DNS Zones 3 Planning the Active Directory Namespace Configuring the Active Directory Infrastructure Creating Forests and Domains ■ Configure a forest or a domain Upgrading Older Versions of Active Directory Additional Forest and Domain Configuration Tasks 4 Configuring DNS Server Settings Configuring Zone Transfers and Replication Configuring Domain Name System (DNS) for Active Directory ■ Configure DNS Server Settings ■ Configure DNS Zone Transfers and Replication Introduction 13 Table I-1 Microsoft 70-640 Exam Topics Chapter Topics 5 Configuring Global Catalog Servers Configuring Operations Masters 6 The Need for Active Directory Sites Configuring Sites and Subnets Site Links, Site Link Bridges, and Bridgehead Servers 70-640 Exam Objectives Covered Configuring the Active Directory Infrastructure ■ Configure the global catalog ■ Configure operations masters Configuring the Active Directory Infrastructure ■ Configure sites ■ Configure Active Directory replication Configuring Active Directory Replication 7 New Server Roles and Features Configuring Additional Active Directory Server Roles Active Directory Lightweight Directory Services (AD LDS) ■ Active Directory Rights Management Services (AD RMS) Configure Active Directory Lightweight Directory Services (AD LDS) ■ Active Directory Federation Services (AD FS) Configure Active Directory Rights Management Service (AD RMS) ■ Configure Active Directory Federation Services (AD FS) Windows Server 2008 R2 Virtualization 8 9 Installing a Read-Only Domain Controller Configuring Additional Active Directory Server Roles Managing a Read-Only Domain Controller ■ Creating User and Group Accounts Creating and Maintaining Active Directory Objects Managing and Maintaining Accounts 10 Types of Trust Relationships Creating and Configuring Trust Relationships Managing Trust Relationships Configure the read-only domain controller (RODC) ■ Automate creation of Active Directory accounts ■ Maintain Active Directory accounts Configuring the Active Directory Infrastructure ■ Configure trusts 14 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Table I-1 Microsoft 70-640 Exam Topics Chapter Topics 11 Overview of Group Policy Creating and Applying GPOs Configuring GPO Templates 12 Types of Software Deployment Deploying Software Using Group Policy 70-640 Exam Objectives Covered Creating and Maintaining Active Directory Objects ■ Create and apply Group Policy objects (GPOs) ■ Configure GPO templates Creating and Maintaining Active Directory Objects ■ Configure software deployment GPOs Upgrading Software Removal of Software 13 14 Use of Group Policy to Configure Security Creating and Maintaining Active Directory Objects Auditing of Active Directory Services ■ Configure account policies ■ Configure audit policy by using GPOs Tools Used to Monitor Active Directory Maintaining the Active Directory Environment Monitoring and Troubleshooting Active Directory Replication ■ Monitor Active Directory Troubleshooting the Application of Group Policy Objects 15 16 Backing Up and Recovering Active Directory Maintaining the Active Directory Environment Offline Maintenance of Active Directory ■ Configure backup and recovery ■ Perform offline maintenance What’s New with Certificate Services in Windows Server 2008? Configuring Active Directory Certificate Services Installing Active Directory Certificate Services ■ Install Active Directory Certificate Services Configuring Certificate Authority Server Settings ■ Configure CA server settings Introduction 15 Table I-1 Microsoft 70-640 Exam Topics Chapter Topics 17 Managing Certificate Templates Managing Certificate Enrollments Managing Certificate Revocation 70-640 Exam Objectives Covered Configuring Active Directory Certificate Services ■ Manage certificate templates ■ Manage enrollments ■ Manage certificate revocation This chapter covers the following subjects: ■ Planning the Active Directory Namespace: This section provides a basic in- troduction to best practices you should follow in planning and designing an Active Directory namespace that will serve your company properly both now and in the years to come. ■ Creating Forests and Domains: In this section, you learn how to create your first domain controller in a new Active Directory forest. You then learn how to add additional domain controllers to your forest and create child domains. ■ Interoperability with Previous Versions of Active Directory: Many organiza- tions are using Active Directory domains based on Windows 2000 and Windows Server 2003. This section takes you through the preparatory tasks you must perform before you can add a Windows Server 2008 R2 domain controller as well as the actual upgrading of older domain controllers. In addition, it introduces you to the concept of forest and domain functional levels, as well as the benefits of the newest Windows Server 2008 R2 functional levels. ■ Additional Forest and Domain Configuration Tasks: After you have installed and configured your first domain, you should perform several additional tasks. This section discusses verifying your Active Directory installation, using the Active Directory Migration tool (ADMT), and creating alternative user principal name (UPN) suffixes. CHAPTER 3 Installing Active Directory Domain Services In Chapter 1, “Getting Started with Active Directory,” you were introduced to the basic building blocks of the logical Active Directory structure: forests, trees, domain, and organizational units (OUs). You were also introduced to the concept of sites for distinguishing portions of the network separated physically by slow WAN links. Now you begin to create an actual Active Directory forest and domain structure. The act of installing Active Directory on a server is conceptually very simple. You need only run the Active Directory Domain Services (AD DS) Installation Wizard from the Add Roles Wizard of Server Manager and provide answers to the questions the wizard asks. The actual act of installing AD DS, however, can be thought of as the tip of the iceberg. Before you install AD DS, you need to plan how Active Directory will fit into your company’s corporate and geographical structure as well as your expectations for future growth and the potential for acquiring other companies. This chapter serves only as a basic introduction to the topic of planning. “Do I Know This Already?” Quiz The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter or simply jump to the “Exam Preparation Tasks” section for review. If you are in doubt, read the entire chapter. Table 3-1 outlines the major headings in this chapter and the corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.” Table 3-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping Foundations Topics Section Questions Covered in This Section Planning the Active Directory Namespace 1 Creating Forests and Domains 2–7 Interoperability with Previous Versions of Active Directory 8–9 Additional Forest and Domain Configuration Tasks 10–11 74 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring 1. Which of the following are best practices that you should follow when planning an AD DS domain structure? (Choose all that apply.) a. Employ a test lab b. Prepare thorough documentation c. Keep everyone, including top managers, informed d. Understand thoroughly the network’s TCP/IP infrastructure e. Develop and adhere to an adequate security policy f. Know the capabilities of your WAN links 2. On which of the following editions of Windows Server 2008 R2 can you install the AD DS role? (Choose all that apply.) a. Web b. Foundation c. Standard d. Enterprise e. Datacenter 3. Which of the following tools can you use to install AD DS on a server running Windows Server 2008 R2? (Choose two.) a. The dcpromo.exe command b. The Manage Your Server tool c. The Configure Your Server tool d. The Add Roles Wizard e. The Add Features Wizard 4. Which of the following conditions would represent a problem when you are at- tempting to install the first domain controller in your domain? a. A DHCP server is not present. b. A DNS server is not present. c. The server’s hard disk is formatted with the FAT32 file system. d. The server’s hard disk has only 10 GB free space available. 5. Which of the following is a new AD DS administrative tool included with Windows Server 2008 R2 and was not present in older versions of Windows Server? a. Active Directory Users and Computers b. Active Directory Administrative Center c. Active Directory Sites and Services Chapter 3: Installing Active Directory Domain Services 75 d. Active Directory Domains and Trusts e. User Manager for Domains 6. Your computer is running the Server Core edition of Windows Server 2008 R2. You want to promote this server to domain controller. What should you do? a. Use Server Manager to run the Add Roles Wizard. b. Use the Initial Configuration Tasks window to run the Add Roles Wizard. c. Use dcpromo.exe and specify the required parameters when prompted. d. Use dcpromo.exe together with an answer file that provides the required parameters. e. You cannot promote this server to domain controller without reinstalling Windows Server 2008 as a full edition server. 7. You are the administrator of DC1, which is a Windows Server 2008 R2 domain controller in your company’s domain. You are experiencing problems with DC1 and decide to run the Active Directory Installation Wizard again on this machine. What happens? a. A new copy of the AD DS software is installed. b. Two copies of the AD DS software will exist side-by-side. c. The domain controller is demoted to a member server. d. You receive an error message informing you that the wizard cannot be run again. 8. Which of the following is not a valid domain or forest functional level for a do- main controller running Windows Server 2008 R2? a. Windows 2000 mixed b. Windows 2000 native c. Windows Server 2003 native d. Windows Server 2008 native e. Windows Server 2008 R2 native 9. You have installed Windows Server 2008 R2 on a brand-new server and want to promote this server to domain controller in your domain, which has domain controllers running Windows Server 2003 and operates at the Windows Server 2003 native domain functional level. What should you do first? a. Run adprep /forestprep and then run adprep /domainprep. b. Run adprep /domainprep and then run adprep /forestprep. c. Raise the domain functional level to Windows Server 2008 R2. d. Raise the forest functional level to Windows Server 2008 R2. 76 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring 10. Your company has acquired another company, and both companies operate an AD DS forest with a single domain. The CIO has decided that all users of the acquired company are to be moved into your company’s domain so that the other company’s forest and domain can be decommissioned. What tool should you use to assist you in this action? a. Active Directory Users and Computers b. Active Directory Administrative Center c. Active Directory Migration Tool (ADMT) d. User State Migration Tool (USMT) 11. You are the administrator for the sales.que.com domain. You are configuring an implicit user principal name (UPN) suffix user named Sharon. Which of the following is a valid implicit UPN? a. [email protected] b. [email protected] c. Sales.que.com\Sharon d. Sales\Sharon Chapter 3: Installing Active Directory Domain Services 77 Foundation Topics Planning the Active Directory Namespace As discussed in Chapter 1, “Getting Started with Active Directory,” the domain is the primary administrative unit within an Active Directory namespace. Windows Server 2008 uses the concept of domains to separate available resources among registered users. It is also the basic security unit, as you will see throughout this book, because many of the security requirements in Active Directory are focused at the domain level. Therefore, it is important to begin the process of planning any company’s Active Directory Domain Services (AD DS) namespace from the viewpoint of the domain structure. All planning starts from the name of your company’s root domain. Recall in Chapter 1 that each tree has a root domain that is located at the top of the inverted tree structure. All subdomains contain this root domain name in their own domain names. In addition, the first domain in the entire forest is not only a root domain, it is also the forest root. Also, the top-level domain names used on the Internet and defined in the DNS hierarchy are included. The latter is not an absolute requirement if you are planning a domain that has no Internet representation whatsoever, but what company these days does not have a presence on the Internet? Therefore, it makes sense that your root domain can take the same name as your Internet domain name as registered with InterNIC (Internet Network Information Center). Consider a fictional company with an Internet domain name of mycompany.biz. Although you can use this name as your AD DS root domain name, it creates a risk of revealing your company’s AD DS structure to the public Internet. Consequently, you might want to keep the internal name separate and use something like mycompany.local for the AD DS root domain name of the same fictional company. Subdividing the Active Directory Namespace You can subdivide your namespace within Active Directory in two ways: ■ Separate domains ■ Organizational units (OUs) In many instances, the use of separate domains or OUs would serve just as well as the other. In larger companies, the use of separate domains often arose from the limitations of the Security Accounts Manager (SAM) database in Windows NT. Because the AD DS database can hold millions of objects, this limitation is seldom of importance in AD DS design. For this reason, and because a single domain structure is the easiest type of structure to administer, this method is the best means of organizing your company’s namespace if possible. There is no specific need to create separate domains for administrative functions, geographical sites, or departments in the 78 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring company. Logically, you can handle this function by setting up a system of OUs. An internal system of OUs provides the following additional advantages: ■ It can be administered either centrally or locally. The concept of delegation of control in AD DS facilitates the assignment of individuals as local administrators. ■ User authentication is simpler and faster within a single domain environment, regardless of where a user is located. ■ It is far simpler to modify when needed—for example, if your company is reorganized. ■ It is flexible and can include an internal hierarchy of departments, sections, work units, and so on. There are, however, reasons for using separate domains for discrete divisions of your company: ■ This approach can facilitate decentralized administration of network resources. ■ In the case of multiple Internet domain names, the domain can be built to mirror the Internet functionality. ■ Multiple domains representing different geographical locations might reduce the amount of replication traffic across low wide area network (WAN) links. ■ User account requirements that vary among departments or locations, such as password complexity, are more easily handled with separate domains. ■ International legal and language needs might be handled more easily by using separate domains. ■ Very massive organizations can be broken down into a domain structure. Administrative or Geographical Organization of Domains You can organize a series of domains along either administrative or geographical means. For example, Figure 3-1 shows mycompany.biz organized along three administrative divisions—Accounting, Products, and Advertising—all reporting to a Management group, contrasted with the company’s main offices located in San Francisco, Dallas, Toronto, and Atlanta. You need to take into account conditions that favor either the administrative or geographical model. This can include the following factors: ■ Plans for future offices in additional cities ■ Projected growth of each of the company’s divisions ■ Potential for reorganization of the company along new departmental lines ■ Requirements for centralized or decentralized administration of the company Chapter 3: Installing Active Directory Domain Services 79 Figure 3-1 Administrative and geographical divisions of mycompany.biz. Management Accounting Products Advertising Toronto San Francisco Atlanta Dallas ■ Needs for different security levels in either certain departments or certain offices ■ Current or future use of one or more Internet DNS namespaces Such factors suggest the best domain organization for your company’s AD DS namespace. Use of Multiple Trees Within the AD DS forest, you can have one or more trees. As outlined in Chapter 1, the main difference between trees and forests is that domains within a tree share a contiguous namespace, whereas domains located in different trees in the same forest have a disjointed namespace. Thus, que.com and examcram.com are root domains in two separate trees of the same forest. In almost all multiple domain enterprises, it makes sense to employ a single tree. The major exception occurs when two companies merge and want to maintain their separate identities. Their identities, and indeed their Internet namespaces, are best served by having more than one tree in the forest. NOTE Another way of designing a multidomain forest is to employ an empty forest root domain with a series of child domains representing administrative or geographical divisions of the company. The root domain contains only a small number of objects, and you can readily control membership in the Enterprise Admins and Schema Admins groups. The impact of business decisions, such as the spin-off or 80 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring renaming of subsidiary companies, can be handled more readily. On the other hand, you must ensure that the forest root domain controllers are carefully secured and protected against disaster because their loss effectively destroys the entire forest structure. Best Practices Planning the AD DS domain structure is an act that has far-reaching implications. This process is something that cannot simply be decided by a few network administrators sitting down with a few diagrams of the network and company business structures. Rather, it must involve the company’s senior and middle management as well as business strategy specialists and representatives from remote offices. If you use internally developed applications, representatives of the development team should be involved. The following guidelines will help you make your AD DS implementation proceed smoothly: Key Topic ■ Know everything there is to know about the network: Although this guideline might sound intuitive for senior administrators who have built the network from the ground up, those who have come on the scene more recently need to gather information about everything that must be accounted for in an AD DS plan. ■ Employ a test lab: The lab should contain representative domain controllers, member servers, and client computers. Set up a mini version of your complete network and engage the assistance of a representative set of users to test all facets of the implementation thoroughly. ■ Prepare thorough documentation: This point can never be understated. Use tools such as Microsoft Visio to prepare diagrams of different levels of company detail, from the major administrative units down to the smallest workgroups. Visio is a tool that is specifically designed for preparing administrative diagrams such as those required in this scenario. This exercise also helps in optimizing communication between technical individuals and top management. ■ Use an email distribution list to keep everyone informed: When all concerned individuals have full access to the latest developments, unpleasant surprises are minimized. ■ Keep all employees informed: Although the regular workers might not under- stand the details of what is happening, they should be informed of the summary points of any planned changes. They will then be much more able to cope with the changes. In addition, they could provide valuable feedback. ■ Ensure that all top managers know what’s happening: This point also can never be understated. This helps prevent unpleasant surprises and the need to redo portions of the planning process. Chapter 3: Installing Active Directory Domain Services 81 ■ Understand thoroughly the network’s TCP/IP infrastructure: Your understand- ing helps in designing the network and DNS configuration that is the foundation of the AD DS infrastructure. It is especially true in developing the proper site structure, as will be discussed in Chapter 6, “Configuring Active Directory Sites and Replication.” ■ Develop and adhere to an adequate security policy: Thoroughly review any security policy that your company already has in place. Apply the policy’s constraints to the proper design of your company’s domain structure. Make any appropriate changes as you develop the AD DS infrastructure. ■ Know the capabilities of your WAN links: If your network includes slow WAN links, test and monitor the use of these links before and during the AD DS implementation to ensure that you have the optimum configuration. Creating Forests and Domains After you have created a comprehensive plan for your organization’s AD DS structure, you are almost ready to begin the installation. The first task that you must perform is to install the first domain controller for the forest root domain. Requirements for Installing Active Directory Domain Services Before you can install AD DS, you must have at least one server that meets the following requirements: Key Topic ■ Operating system: The server must be running the Foundation, Standard, Enterprise, or Datacenter edition of Windows Server 2008 R2. Note that a server running the Web edition cannot act as a domain controller. ■ Adequate hard disk space: Beyond the space used for installing Windows Server 2008 R2, the server must have a minimum of 500 MB of disk space for the Active Directory database and SYSVOL folder, plus at least 100 MB for the transaction log files. The larger the proposed network, the more disk space is necessary. And in practical terms, you should have several gigabytes of available space at a minimum. In Windows Server 2008 R2, you should have additional disk space for the following reasons: —The online defragmentation process is changed in Windows Server 2008 R2. —Windows Server 2008 R2 domain controllers have additional indices on the large link table. —The Active Directory Recycle Bin in Windows Server 2008 R2 holds deleted objects and their attributes until cleared. ■ A disk volume formatted with the NTFS file system: This ensures security of the database; furthermore, it is required for the SYSVOL folder. Windows Server 2008 R2 creates an NTFS partition by default when installed. 82 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring It is strongly recommend that you use a fault-tolerant disk volume such as RAID-1 (disk mirroring) or RAID-5 (disk striping with parity) for the Active Directory files. This enables the domain controller to function in the event of a disk failure, until the failed disk can be replaced. However, fault-tolerant disks are no substitute for regular backups of Active Directory. Backups are discussed in Chapter 15, “Maintaining Active Directory.” TIP ■ A DNS server: Active Directory requires that a DNS server that supports service (SRV) resource records be present. This can be any server running Windows 2000 or later or a UNIX server running Berkeley Internet Name Domain (BIND) 4.9.7 or later. If you want to integrate the DNS database with Active Directory, you should install DNS on the same server that you install AD DS. If the Active Directory Installation Wizard cannot find a suitable DNS server, you will be prompted to install one. DNS is discussed in Chapter 2, “Installing and Configuring DNS for Active Directory,” and Chapter 4, “Configuring DNS Server Settings and Replication.” ■ Administrative privileges: You must be logged on with an account that has the appropriate administrative privileges. For the first domain controller, this is a local administrator. To add a domain to an existing forest, you must be a member of the Enterprise Admins group in this forest; to add a domain controller to an exiting domain, you must be a member of the Domain Admins or Enterprise Admins group in this domain. Group memberships are discussed in Chapter 9, “Active Directory User and Group Accounts.” Installing Active Directory Domain Services As in Windows 2000 and Windows Server 2003, Active Directory provides the Active Directory Installation Wizard (dcpromo.exe) that handles all aspects of installing or removing Active Directory. Windows Server 2008 is different from previous Windows Servers in that you install AD DS first and then install a domain controller. You can install AD DS without installing a domain controller if you are configuring your server for a directory-related application such as Exchange Server. This section looks at the use of this wizard for installing different types of domain controllers. You can start the Active Directory Installation Wizard from the Add Roles Wizard in Server Manager or directly from the dcpromo.exe command. The following sections describe the use of the Add Roles Wizard for installing AD DS. NOTE If you run dcpromo.exe without having first installed AD DS, Windows installs this service before starting the Active Directory Installation Wizard. Chapter 3: Installing Active Directory Domain Services 83 New Forests As already noted, the first domain installed is the root domain in its forest. You must be a local administrator on the server on which you install Active Directory to proceed. The following procedure describes the installation of the first domain: Step 1. In the Add Roles Wizard, select Active Directory Domain Services and then click Next. Step 2. If you receive a message box labeled Add features required for Active Directory Domain Services and asking you to install .NET Framework 3.5.1, click Add Required Features. Step 3. The wizard displays the Introduction to Active Directory Domain Services page shown in Figure 3-2. Make note of the points displayed by this page. If you want additional details regarding installation of Active Directory, click any of the links provided. When finished, click Next. Figure 3-2 You can use the Add Roles Wizard to begin the installation of AD DS. Key Topic Step 4. Note the information provided on the Confirm Installation Selections page and then click Install to begin installing Active Directory. Step 5. The wizard displays an Installation Progress page that charts the progress of installation. After a few minutes, it informs you that the AD DS role has been installed successfully and that you need to launch the Active Directory Domain Services Installation Wizard (dcpromo.exe). Click Close to exit the wizard and return to Server Manager. 84 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Step 6. Scroll down to the Roles Summary section of Server Manager. Note that Active Directory Domain Services is shown as having been installed. A message marked with a red X indicates the number of system services that are not running. Step 7. Click this message. You are informed that the server is not yet running as a domain controller. Click the link provided to start the AD DS Installation Wizard. Step 8. This wizard opens with a Welcome page. Click Next. Step 9. The Operating System Compatibility page shown in Figure 3-3 informs you that Windows Server 2008 R2 security settings affect how older versions of Windows communicate with the domain controller. Access the Knowledge Base article quoted for more information. Click Next to proceed with AD DS installation. Figure 3-3 You are informed about security settings that prevent some older Windows clients or non-Windows systems from logging on to the Windows Server 2008 R2 domain controller. Key Topic Step 10. On the Choose a Deployment Configuration page shown in Figure 3-4, select Create a new domain in a new forest and then click Next. On this page, you would select the Existing forest option when creating a new domain in an existing forest or adding a domain controller to an existing domain. These options are discussed later in this chapter. Step 11. Type the full DNS name of the forest root domain and then click Next. Chapter 3: Installing Active Directory Domain Services 85 Figure 3-4 The wizard provides options for installing a domain controller in an existing forest or a new one. Windows Server 2008 R2 no longer supports the creation of single-label domain names; however, you can still upgrade existing single-label domains to Windows Server 2008 R2. For more information, refer to “Information about configuring Active Directory domains by using single-label DNS names” at http://support.microsoft.com/kb/300684. NOTE Step 12. The wizard verifies the forest and NetBIOS names and then displays the Set Forest Functional Level page shown in Figure 3-5. Select the appropriate forest functional level and then click Next. The available domain and forest functional levels are discussed later in this chapter. Step 13. Select a domain functional level and then click Next. Step 14. The Additional Domain Controller Options page provides the following additional options that you can install for the domain controller. Ensure that DNS Server is selected and then click Next. —DNS Server: Installs DNS on this server. This option is selected by default when first installing AD DS because DNS is required for Active Directory. —Global Catalog: Installs a Global Catalog server. This option is not available but selected when installing the first domain controller in any domain because this server must be a global catalog server. 86 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Figure 3-5 The wizard enables you to select from four forest functional levels. Key Topic —Read-Only Domain Controller (RODC): Installs an RODC. This option is not available because the first domain controller cannot be an RODC. Installing an RODC is discussed in Chapter 8, “Read-Only Domain Controllers.” Step 15. If the server does not have a statically assigned IP address, you are informed of this fact. A domain controller (and in particular, one that is configured as a DNS server) should always have a statically assigned IP address to ensure that client computers can always reach it. Select Yes, open the IP properties so that I can assign a static IP address to the network adapter, and then configure an appropriate IP address, subnet mask, default gateway, and default DNS server address. Step 16. If you receive a message informing you that a delegation for the DNS server will not be created, click Yes to continue. You might receive this message if you are installing DNS on this server. If so, you should manually create this delegation later. Step 17. Confirm the locations provided for the database, log files, and SYSVOL folders. If you want to change any of these locations, type the desired path or click Browse. When finished, click Next. When setting up a domain controller on a production network, it is advisable to place the database and log folders on a separate drive from the SYSVOL folder. TIP Chapter 3: Installing Active Directory Domain Services 87 The reason for doing so is to improve only I/O performance; this does not improve security or fault tolerance, as an exam question might lead you to believe. Step 18. On the Directory Services Restore Mode Administrator Password page, type and confirm a secure password. Make a careful note of the password you typed in case you need to use it later and then click Next. Step 19. The wizard provides a Summary page as shown in Figure 3-6. Review the information provided on the Summary page. If you want to change any settings, click Back and make the appropriate changes. If you want to export information to an answer file, click Export settings and provide an appropriate path and filename. Then click Next to configure AD DS. This process takes several minutes. Figure 3-6 The wizard provides a summary page that enables you to review the settings you’ve specified. Step 20. When the completion page appears, click Finish and then click Restart Now to reboot your server. To reboot the server automatically, select the Reboot on Completion check box. NOTE The Welcome page of the Active Directory Installation Wizard also contains an Advanced mode option. Select the check box provided to perform any of the following actions: 88 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring ■ Installing a domain controller from backup media created on an existing domain controller ■ Modifying the NetBIOS name generated by default ■ Selecting a source domain controller when installing an additional domain controller in the domain ■ Defining a password replication policy that specifies the passwords cached on a read-only domain controller (RODC) You can also invoke the Advanced mode directly from the dcpromo command by including the /adv parameter with this command. New Domains in Existing Forests After you have installed the forest root domain, you can add additional child domains or domain trees to the forest. Either procedure is similar to the procedure already outlined for creating a forest root domain, as follows: Step 1. Follow the procedure to install AD DS and start the Active Directory Installation Wizard as described in the previous section until you receive the Choose a Deployment Configuration page previously shown in Figure 3-4. Step 2. On this page, select Existing forest, and then select Create a new domain in an existing forest. Then click Next. Step 3. On the Network Credentials page, type the name of the parent domain in which you want to install a child domain. Then click Set and specify the username and password of an account with the appropriate privileges described earlier in this chapter and click Next. Step 4. On the Name the New Domain page shown in Figure 3-7, type the name of the parent and child domains in the spaces provided. The new domain will be created as a child domain or new tree automatically depending on the name you provide. Then click Next. Step 5. On the Set Domain Functional Level page, select the required functional level and then click Next. Domain functional levels are discussed later in this chapter. Step 6. On the Select a Site page, select an appropriate site and then click Next. Sites are discussed in Chapter 6. Step 7. Complete the installation of the domain controller according to steps 14–20 of the previous procedure. Chapter 3: Installing Active Directory Domain Services 89 Figure 3-7 You create a child domain name from the name of the parent domain and the new top-level name on the Name the New Domain page. Existing Domains Installing additional domain controllers in an existing domain is important for the following reasons: Key Topic ■ Doing so adds fault tolerance and load balancing to the domain. In other words, additional domain controllers help share the load and improve performance. ■ Users logging on to the domain can connect to any available domain controller for authentication. ■ Users at a remote location can connect to a domain controller at their site rather than making a slow connection across a WAN link. ■ If a domain controller should become unavailable because of a network or hardware failure, users can still log on to the domain. To install an additional domain controller in an existing domain, follow the same procedure as in the previous section, except select the Add a domain controller to an existing domain option shown in Figure 3-4. Then select the proper domain from the Select a Domain page (this page will display all available domains in the forest). The remainder of the procedure is the same as that for creating a new domain in an existing forest, except that the Set Domain Functional Level page does not appear. 90 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Performing Unattended Installations of Active Directory Key Topic Windows Server 2008 R2 enables you to specify parameters for Active Directory installation in an answer file that you can use to facilitate the installation of multiple domain controllers. This file is formatted as a simple text file containing the statement [DCINSTALL] on the first line followed by statements in the form option=value. Table 3-2 describes several of the more common options you can use in this file: Table 3-2 Several Options Used for Unattended Domain Controller Installation Option Value Meaning UserName Username of administrative user Installs the domain controller in the context of this user. Password User’s password | * Specifies the password of the user installing the domain controller. Use * to prompt for the password. ReplicaOrNewDomain Domain | Replica | ReadOnlyReplica Specifies whether to install a new domain, an additional domain controller (replica) in an existing domain, or an RODC in an existing domain. ReplicaDomainDNSName Existing domain name Specifies the fully qualified domain name (FQDN) of the domain in which you are installing an additional domain controller. NewDomain Forest | Tree | Child Specifies whether to install a new forest, a new tree in an existing forest, or a child domain. NewDomainDNSName Domain name to be created Specifies the FQDN for a new domain. ParentDomainDNSName Parent domain name Specifies the FQDN of the parent domain when creating a child domain. ChildName Child domain name Specifies the top-level DNS name of the child domain. This name is prefixed to the parent name to create the FQDN of the child domain. Chapter 3: Installing Active Directory Domain Services 91 Table 3-2 Several Options Used for Unattended Domain Controller Installation Option Value ForestLevel 0 | 2 | 3 | 4 Meaning Specifies the forest functional level of a new forest: 0 = Windows 2000 2 = Windows Server 2003 3 = Windows Server 2008 4 = Windows Server 2008 R2 DomainLevel 0 | 2 | 3 | 4 Specifies the domain functional level of a new domain. Parameters have the same meaning as just described. InstallDNS Yes | No Specifies whether a DNS server is installed. ConfirmGC Yes | No Specifies whether the domain controller is installed as a global catalog server. DatabasePath Path to database folder Default is %systemroot%\NTDS. LogPath Path to log folder Default is %systemroot%\NTDS. SysvolPath Path to SYSVOL folder Default is %systemroot%\SYSVOL. RebootOnCompletion Yes | No Specifies whether to restart the computer on completion, regardless of success. Many additional options are available, including options specific to the demotion of domain controllers. For additional information, consult “Appendix of Unattended Installation Parameters” at http://technet.microsoft.com/en-us/library/ cc732086(WS.10).aspx. To perform an unattended installation of a domain controller, open a command prompt and type the following command: dcpromo /answer:path_to_answer_file where path_to_answer_file specifies the complete path to the unattended answer file containing the parameters specified in Table 3-2. You can also include any of these parameters in the command line by prefixing each of them with the “/” character. The output to the command prompt will track the progress of the 92 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring promotion, and then the server will automatically reboot if the RebootOnCompletion parameter has been specified. Server Core Domain Controllers You cannot use Server Manager or a simple execution of dcpromo to promote a Server Core machine to a domain controller. You must use an unattended installation answer file in a similar manner to that described in the previous section. This file must include the information required to identify the domain being joined, including the username and password for a domain administrator account. NOTE For further information on the use of Server Core, including its use as a domain controller, refer to “Server Core Installation Option of Windows Server 2008 Step-by-Step Guide” at http://technet.microsoft.com/en-us/library/ cc753802(WS.10).aspx. Removing Active Directory The Active Directory Installation Wizard also enables you to remove Active Directory from a domain controller, thereby demoting it to a member server. Proceed as follows: Step 1. Click Start > Run, type dcpromo, and then press Enter. Step 2. Windows checks whether Active Directory Domain Services is installed and then displays the Welcome page. Click Next. Step 3. If you receive a message warning you of the effects of removing a global catalog server, click OK. Step 4. You receive the Delete the Domain page shown in Figure 3-8. Note all the warnings displayed about the effects of removing a domain. Select the check box only if you are removing the last domain controller from its domain and then click Next. Step 5. You receive the Application Directory Partitions page if the server holds the last replica of any application directory partitions. Click Next, select the check box labeled Delete all application directory partitions on this Active Directory domain controller, and then click Next again to remove the application directory partitions. Step 6. Type and confirm a password for the local Administrator account on the server, and then click Next. Step 7. Read the information provided on the Summary page. If you need to make any changes, click Back. When ready, click Next to demote the server. Chapter 3: Installing Active Directory Domain Services 93 Figure 3-8 When you demote a domain controller, you are warned of the effects of deleting the domain. Step 8. When the demotion is finished, click Finish and then click Restart now to restart the server. To reboot the server automatically, select the Reboot on Completion check box. NOTE Although this procedure demotes the computer to a member server, it does not remove AD DS. If you want to remove AD DS after demoting the server, use the Remove Roles Wizard available from Server Manager after restarting the server. Interoperability with Previous Versions of Active Directory Many organizations have created Active Directory domains based on Windows 2000 or Windows Server 2003 domain controllers and are now in a position to take advantage of the new features of Windows Server 2008 and Windows Server 2008 R2 Active Directory. You can add new Windows Server 2008 domain controllers to an existing older Active Directory forest or upgrade all domain controllers in the forest to Windows Server 2008. As summarized in Chapter 1, Active Directory in Windows Server 2008 and Windows Server 2008 R2 introduces numerous additional features not supported by previous versions of Windows Server. Many of these features limit the interoperability of Windows Server 2008 with previous versions, and Microsoft has 94 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring extended the concept of domain and forest functional levels to define the actions that can be done on a network that includes older domain controllers. This section looks at these functional levels and the tools used for upgrading an older Active Directory network to Windows Server 2008. Forest and Domain Functional Levels As you noticed when installing your first domain controller (refer to Figure 3-5), Table 3-3 summarizes the forest and domain functional levels supported by Active Directory in Windows Server 2008. Key Table 3-3 Forest and Domain Functional Levels in Windows Server 2008 R2 Active Topic Directory Forest Functional Level Domain Functional Levels Supported Domain Controllers Supported Windows 2000 native Windows 2000 native Windows 2000 Windows Server 2003 native Windows Server 2003 Windows Server 2008 native Windows Server 2008 Windows Server 2008 R2 native Windows Server 2008 R2 Windows Server 2003 native Windows Server 2003 Windows Server 2008 native Windows Server 2008 Windows Server 2008 R2 native Windows Server 2008 R2 Windows Server 2008 native Windows Server 2008 Windows Server 2008 R2 native Windows Server 2008 R2 Windows Server 2008 R2 native Windows Server 2008 R2 Windows Server 2003 native Windows Server 2008 native Windows Server 2008 R2 native To make use of the functionality provided by Windows Server 2008 Active Directory, you must upgrade all domain controllers to Windows Server 2008 and upgrade the functional levels accordingly. A domain running at the Windows Server 2008 domain functional level located in a forest running at a lower functional level supports domain-based Windows Server 2008 Active Directory features but not forest-based ones. Furthermore, to make use of the newest Active Directory features in Windows Server 2008 R2, you must upgrade all domain controllers to Windows Server 2008 R2 and upgrade the domain and forest functional levels accordingly. Chapter 3: Installing Active Directory Domain Services 95 NOTE You can deploy an RODC to a domain in which the domain and forest functional levels are set to Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. Windows Server 2008 does not support the Windows 2000 mixed functional level previously found in older Active Directory networks. If you still have any domain controllers running Windows NT 4.0, you must upgrade or remove these domain controllers before introducing a Windows Server 2008 or Windows Server 2008 R2 domain controller on your network. Upgrading Domain and Forest Functional Levels To raise the forest functional level, you must first raise the functional level of all domains in the forest to the same or higher domain functional level. To raise the domain functional level, perform any of the following three actions: ■ Open the Active Directory Administrative Center snap-in, right-click your domain, and then choose Raise the domain functional level. ■ Open the Active Directory Users and Computers snap-in. Right-click Active Directory Users and Computers and choose All Tasks > Raise domain functional level. ■ Open the Active Directory Domains and Trusts snap-in, right-click your domain, and choose Raise domain functional level. In the dialog box shown in Figure 3-9, select the appropriate functional level and click Raise. Then click OK to accept the warning that is displayed. Figure 3-9 Raising the domain functional level. 96 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring To raise the forest functional level, access the Active Directory Domains and Trusts snap-in. Right-click Active Directory Domains and Trusts and select Raise forest functional level. Select the appropriate functional level, click Raise, and then click OK to accept the warning that is displayed. You can also right-click your domain name in the Active Directory Administrative Center and choose Raise the forest functional level and then follow the same procedure described here. WARNING It is important to remember that raising forest and domain functional levels is a one-way operation. You cannot go back to a lower functional level. In addition, you cannot introduce an older domain controller after you have raised the domain functional level. NOTE For additional information on domain and forest functional level upgrades, refer to “Identifying Your Functional Level Upgrade” at http://technet.microsoft.com/en-us/library/cc754209(WS.10).aspx. Key The Adprep Utility Topic Microsoft provides the Adprep utility to prepare a down-level Active Directory domain for receiving Windows Server 2008 and Windows Server 2008 R2 domain controllers. Found in the \sources\adprep folder of the installation DVD-ROM, this tool prepares the forest and domain by extending the Active Directory schema and updating several required permissions. Running the Adprep /forestprep Command You must run the Adprep /forestprep command on the schema master of the forest first. It extends the schema to receive the new Windows Server 2008 enhancements, including the addition of directory descriptors for certain objects including granular password policies. You have to run this command and let its changes replicate throughout the forest before you run the Adprep /domainprep command. To run this command, you must be a member of the Enterprise Admins, Schema Admins, and Domain Admins groups in the forest root domain. WARNING Before running this command, ensure that any Windows 2000 domain controllers are upgraded to SP2 or later, or at least to SP1 with hotfix QFE265089. Refer to Microsoft Knowledge Base article 331161 for more information. Chapter 3: Installing Active Directory Domain Services 97 Running the Adprep /domainprep Command Run the Adprep /domainprep command on the infrastructure master of each domain in which you plan to introduce Windows Server 2008 domain controllers. It adjusts access control lists (ACLs) on Active Directory objects and on the SYSVOL shared folder for proper access by Windows Server 2008 domain controllers. To run this command, you must be a member of the Domain Admins group in the respective domain and the domain must be operating at the Windows 2000 Server native mode or higher. You can also run the Adprep /domainprep /prep command to include updates required for enabling Resultant Set of Policy (RSoP) planning mode functionality. Remember that you must run adprep /forestprep on the schema master and that you must run this command before you run adprep /domainprep. Also remember that you must run adprep /domainprep on the infrastructure master of each domain in which you want to introduce a Windows Server 2008 domain controller and that you must complete these commands before promoting or upgrading an existing domain controller. TIP Upgrading a Windows Server 2003 Domain Controller You can also upgrade an existing Windows Server 2003 domain controller to Windows Server 2008. See Appendix B, “Installing Windows Server 2008 R2,” for information on upgrading Windows Server 2003 computers; the procedure outlined in this chapter automatically upgrades AD DS to Windows Server 2008. However, you cannot upgrade a Windows 2000 domain controller to Windows Server 2008 directly; you must first upgrade to Windows Server 2003 and then to Windows Server 2008. Note that to upgrade a Windows Server 2003 domain controller to Windows Server 2008, you must first run the Adprep utility as already discussed to upgrade the schema for accepting Windows Server 2008 domain controllers. You can upgrade a Windows Server 2003 domain controller to Windows Server 2008 R2, provided the server meets the hardware requirements discussed in Appendix B. Before upgrading the first Windows Server 2003 domain controller, ensure that you have run the Adprep /forestprep and Adprep /domainprep commands and that these commands have completed without error. Then select the Install now command from the Welcome screen displayed by the Windows Server 2008 R2 DVD-ROM, and follow the instructions provided by the Installation Wizard and summarized in Appendix B, “Memory Tables”. 98 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Additional Forest and Domain Configuration Tasks This section introduces two additional configuration tasks specified in the Exam 70-640 objectives for configuring a forest or domain: use of the Active Directory Migration Tool (ADMT) v.3.1 and the alternative user principal name (UPN) suffix. Before introducing these tasks, we take a quick look at some procedures that verify that AD DS has been properly installed and, in doing so, introduce some to the administrative tools included with AD DS. Verifying the Proper Installation of Active Directory After you have installed Active Directory, there are several steps you should perform to verify that the proper components have been installed. Click Start > Administrative Tools. On a Windows Server 2008 R2 computer, you should see links to five Active Directory management tools: Active Directory Administrative Center, Active Directory Domains and Trusts, Active Directory Module for Windows PowerShell, Active Directory Sites and Services, and Active Directory Users and Computers. You should also see a link to the DNS snap-in unless you have specified another server as the DNS server for your domain. Open Active Directory Users and Computers. You should see the default containers Builtin, Computers, ForeignSecurityPrincipals, Managed Service Accounts, and Users under the domain you have created. You should also see a default Domain Controllers OU. Select this OU and verify that computer accounts for all domain controllers in the domain are present, as shown in Figure 3-10. On a Windows Server 2008 R2 computer, open Active Directory Administrative Center. As shown in Figure 3-11, this new MMC snap-in enables you to perform a large range of administrative tasks on your domain, including the following: ■ Creating and managing user, group, and computer accounts ■ Creating and managing OUs and other Active Directory containers ■ Managing other trusted AD DS domains ■ Using query-building searches to filter AD DS data Uses of this tool will be discussed throughout this Cert Guide as appropriate, together with references to tools used on Windows Server 2008 computers that are not running R2. Chapter 3: Installing Active Directory Domain Services 99 Figure 3-10 After installing Active Directory, you should see a default set of containers in the Active Directory Users and Computers, together with domain controller computer accounts in the Domain Controllers OU. Figure 3-11 Windows Server 2008 R2 adds the Active Directory Administrative Center to the suite of tools provided for administering AD DS. In this discussion and elsewhere in this book, the term Windows Server 2008 is taken to include both the original and R2 versions unless otherwise noted. The term Windows Server 2008 R2 is used when referring to new features added with this version of the server software. NOTE 100 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring The Active Directory Administrative Center is installed automatically when you install the AD DS server role in Windows Server 2008 R2. You can also install this tool on a Windows Server 2008 R2 member server or a Windows 7 computer by installing the Remote Server Administration Tools (RSAT) feature. You cannot, however, install Active Directory Administrative Center on a computer running the original version of Windows Server 2008 or on older versions of Windows Server. NOTE For an overview of the capabilities of the Active Directory Administrative Center, refer to “What’s New in AD DS: Active Directory Administrative Center” at http://technet.microsoft.com/en-us/library/dd378856(WS.10).aspx. Active Directory Migration Tool v.3.1 ADMT v.3.1 is the most recent version of a utility, available for download from the Microsoft website, which assists you in migrating objects such as users, groups, and computers between Active Directory domains in the same forest or in different forests. This tool assists you in the potentially difficult task of restructuring your AD DS forest structure; for example, when changes in your organization’s business structure occur because of mergers, acquisitions, or divestitures. You can migrate these objects from a source domain running at any functional level of Windows 2000 native or higher to a target domain running at any functional level of Windows 2000 native or higher. If the source and target domains are in different forests, you must configure trust relationships between the domains in use to ensure data security during the migration process. Actions performed by ADMT include the following: ■ Ensures security of objects being migrated by using 128-bit encryption with the Passport Export Server (PES) service ■ Preserves the SID history of objects being migrated ■ Enables migration of user profiles ■ Migrates computer accounts including domain controllers ■ Enables the restructuring of Active Directory domains between forests ■ Enables you to use a preconfigured SQL database to hold migration information ■ Enables you to perform test migrations so that you can ensure the actual migration will run properly ■ Provides a log file that you can check for migration errors and other problems ■ Provides for rollback options in the event that the migration does not proceed properly ■ Facilitates the decommissioning of old domains in forests to be removed Chapter 3: Installing Active Directory Domain Services 101 NOTE If you are migrating from or restructuring Windows NT 4.0 domains to Active Directory, you should use the 3.0 version of ADMT. You can use version 3.0 when restructuring a series of Windows NT 4.0 domains (such as account and resource domains structured into a multiple trust model) into a single Active Directory domain. Version 3.0 runs on Windows 2000 and Windows Server 2003 computers only; it does not run on Windows Server 2008 computers. ADMT 3.1 runs on a server running the original edition of Windows Server 2008 only; it does not run on Windows Server 2008 R2. To use ADMT 3.1, navigate to http://www.microsoft.com/downloads/details.aspx?familyid=AE279D01-7DCA413C-A9D2-B42DFB746059&displaylang=en and click the Download button. Then follow the instructions provided to download and save the admtsetup31.exe file to an appropriate location on your computer. Double-click the file, click Run, and then follow the instructions provided to install ADMT 3.1. NOTE For more information on ADMT 3.1, refer to “ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains” at http://www.microsoft.com/downloads/en/confirmation.aspx?familyId= 6d710919-1ba5-41ca-b2f3-c11bcb4857af&displayLang=en. For information on use of ADMT 3.1 in domains with Windows Server 2008 R2 domain controllers, refer to “Known issues that may occur when you use ADMT 3.1 to migrate to a domain that contains Windows Server 2008 R2 domain controllers” at http://support. microsoft.com/kb/976659. Alternative User Principal Name Suffixes As mentioned earlier in this chapter, a UPN is a logon name specified in the format of an email address such as [email protected] It is a convenient means of logging on to a domain from a computer located in another domain in the forest or a trusted forest. Two types of UPNs are available: ■ Implicit UPN: This UPN is always in the form [email protected], such as [email protected] It is defined on the Account tab of a user’s Properties dialog box in Active Directory Users and Computers. ■ Explicit UPN: This UPN is in the form [email protected], where an administra- tor can define values for each string. For example, a user named Peter in the domain could have an explicit UPN in the form [email protected] Using explicit UPNs is practical when an organization does not want to reveal its internal domain structure. sales.que.com Windows Server 2008 supports the principle of the UPN suffix, first introduced in Windows Server 2003. This is the portion of the UPN to the right of the at (@) character. By default, the UPN suffix is the DNS domain name of the domain in which the user account is located. 102 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Adding an alternative UPN suffix provides several advantages: ■ You can use a common UPN suffix across all users in a forest. This is especially useful if some users have long domain names. ■ The UPN suffix enables you to conceal the actual domain structure of the forest from external users. ■ You can use separate UPN suffixes in situations where different divisions of a company have separate email domain names, thereby enabling users to log on with a name that matches their email address. To define an alternative UPN suffix, access Active Directory Domains and Trusts from the Administrative Tools folder. Right-click Active Directory Domains and Trusts and click Properties. From the Properties dialog box shown in Figure 3-12, type the name of the alternative UPN suffix desired, click Add, and then click OK. After you have done this, the alternative UPN suffix is available when you are configuring new or existing user accounts. For more information on configuring user accounts, see Chapter 9. Figure 3-12 You can configure alternative UPN suffixes from the Active Directory Domains and Trusts Properties dialog box. Key Topic Chapter 3: Installing Active Directory Domain Services 103 Exam Preparation Tasks Review All the Key Topics Review the most important topics in the chapter, noted with the key topics icon in the outer margin of the page. Table 3-4 lists a reference of these key topics and the page numbers on which each is found. Key Topic Table 3-4 Key Topics for Chapter 3 Key Topic Element Description Page Number List Lists important guidelines you should follow in preparing to install AD DS 80 List Summarizes requirements for installing AD DS 81 Figure 3-2 You use the Add Roles Wizard to begin the installation of AD DS 83 Figure 3-3 Displays important security considerations when installing AD DS 84 Figure 3-5 Selecting a forest functional level 86 List Summarizes important reasons for installing multiple domain controllers in a domain 89 Paragraph Describes the methods of performing unattended installations of AD DS 90 Table 3-3 Summarizes available forest and domain functional levels in Windows Server 2008 R2 94 Paragraph Describes the adprep utility used for preparing forests and domains for upgrade 96 Figure 3-12 Specifying additional UPN suffixes 102 Complete the Tables and Lists from Memory Print a copy of Appendix C, “Memory Tables” (found on the CD), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists to check your work. 104 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Definitions of Key Terms Define the following key terms from this chapter, and check your answers in the glossary. Active Directory Migration Tool (ADMT), Active Directory Administrative Center, Adprep, dcpromo, domain controller (DC), domain functional level, forest functional level, forest root, read-only domain controller (RODC), Server Core, universal principal name (UPN), universal principal name (UPN) suffix This page intentionally left blank Index A A and AAAA (host) resource records, 61 AboveNormal priority level, 465 access denying, 308–309 shell access policies, 387 account lockout policy, 426–427 account partners, 231 account policies, 422 account lockout policy, 426–427 “Do I Know This Already?” quiz, 417–421 domain password policies, 423, 425 exam preparation task, 449–450 Kerberos policy, 428 unlocking accounts, 427 “Account Policies” (article), 428 account stores, creating, 240–241 accounts account lockout policy, 426–427 AD LDS accounts, creating, 222–223 delegating administrative control, 313–316 group accounts configuring group membership, 304–305 creating manually, 288–290 creating with Csvde tool, 292–293 creating with Dsadd tool, 294–295 creating with Ldifde tool, 293–294 creating with scripts, 296 denying access, 308–309 deprovisioning, 313 “Do I Know This Already?” quiz, 281–285 exam preparation tasks, 317–318 explained, 287 local versus domain groups, 310–312 nesting with AGDLP/AGUDLP, 306–307 template accounts, 290–291 unlocking, 427 user accounts contact, 298–299 creating manually, 288–290 creating with Csvde tool, 292–293 creating with Dsadd tool, 294–295 creating with Ldifde tool, 293–294 creating with scripts, 296 deprovisioning, 312–313 distribution lists, 299–300 “Do I Know This Already?” quiz, 281–285 exam preparation tasks, 317–318 explained, 286 Protected Admin accounts, 309–310 resetting, 308 UPNs (user principal names), 296–298 Active Directory AD CS (Active Directory Certificate Services). See AD CS AD DS (Active Directory Domain Services). See AD DS 798 Active Directory AD FS (Active Directory Federation Service). See AD FS AD LDS (Active Directory Lightweight Directory Service). See AD LDS AD MDS (Active Directory Metadirectory Services), 231 AD RMS (Active Directory Rights Management Service),. See AD RMS audits configuring with Auditpol.exe, 447, 449 configuring with GPOs, 442–447 “Do I Know This Already?” quiz, 417–421 exam preparation task, 449–450 new features, 441–442 backing up backup permissions, 521 critical volumes of domain controllers, 522–524 GPOs (Group Policy Objects), 545, 548 to removable media, 527 scheduling backups, 526–527 wbadmin utility, 525 Windows Server 2008 versus Windows Server 2008 R2, 520–521 Windows Server Backup installation, 521–522 classes. See classes containers, explained, 24 domains administrative and geographical organization of, 78–79 application directory partition reference domains, 139 benefits of multiple domains, 26–27 best practices, 80–81 domain controllers, 26, 31, 33 explained, 26, 31 forests, 27 functional levels, 94–96 installing domain controllers in existing domains, 89 installing new domains in existing forests, 88 multiple trees, 79 ntds.dit files, 26 offline domain join, 38 RODCs (read-only domain controllers), 33 trees, 27 flexible single-master operations (FSMO) servers, 32–33 forests functional levels, 94–96 installation, 83–87 installing new domains in, 88 foundations LDAP (Lightweight Directory Access Protocol), 18–19 X.500, 17–18 GC (global catalog) servers features, 148 partial attribute sets, 152–153 placement, 148–150 promoting domain controllers to, 150 removing, 151 UGMC (Universal Group Membership Caching), 151 global catalogs “Do I Know This Already?” quiz, 143–147 exam preparation tasks, 169–170 explained, 24–25, 31 global catalog servers, 31–32 group accounts configuring group membership, 304–305 creating manually, 288–290 creating with Csvde tool, 292–293 creating with Dsadd tool, 294–295 creating with Ldifde tool, 293–294 creating with scripts, 296 delegating administrative control, 313–316 Active Directory 799 denying access, 308–309 deprovisioning, 313 “Do I Know This Already?” quiz, 281–285 exam preparation tasks, 317–318 explained, 287 local versus domain groups, 310–312 nesting with AGDLP/AGUDLP, 306–307 Group Policy, 34 installation, 82 Active Directory Migration Tool (ADMT) v.3.1, 100–101 alternative UPN (user principal name) suffixes, 101–102 “Do I Know This Already?” quiz, 73–76 domain controllers in existing domains, 89 domains, 78–81, 88 exam preparation tasks, 103–104 namespaces, 77–78 new forests, 83–87 requirements, 81–82 Server Core domain controllers, 92 unattended installations, 90–92 verifying, 98, 100 interoperability with previous versions of Active Directory, 93 Adprep utility, 96–97 forest and domain functional levels, 94–96 upgrading Windows Server 2003 domain controllers, 97 namespaces contiguous namespaces, 23 disjointed namespaces, 23 explained, 22 flat namespaces, 23 hierarchical namespaces, 23 planning, 77 subdividing, 77–78 naming standards canonical names, 22 DNs (distinguished names), 19–20 GUIDs (globally unique identifiers), 21 RDNs (relative distinguished names), 20–21 SIDs (security identifiers), 21–22 UPNs (user principal names), 21 new features in Windows Server 2008, 33–34 objects. See objects operations masters, 153 “Do I Know This Already?” quiz, 143–147 domain naming masters, 160 exam preparation tasks, 169–170 failures, 164–165 infrastructure masters, 162 PDC emulators, 160–162 placement, 163–164 RID masters, 162 schema masters, 153–160 seizing operations master roles, 167–168 transferring operations master roles, 165–167 OUs (organizational units), explained, 29–30 partitions application partitions, 25 configuration partitions, 25 domain partitions, 25 explained, 25 schema partitions, 25 passwords, 34 recovering. See also Recycle Bin authoritative restore, 536–537 authoritative restore of group memberships, 539 Directory Services Restore Mode (DSRM), 528–529 explained, 528 full-server recovery of domain controllers, 538–539 GPOs (Group Policy Objects), 545, 547–548 linked-value replication, 539 800 Active Directory nonauthoritative restore, 529–534 recovering back-links of authoritatively restored objects, 537 wbadmin command, 534–535 Recycle Bin, 37 enabling, 541–543 explained, 540–541 restoring deleted objects, 543–545 removing, 92–93 replication bridgehead servers, 193–194 DFS (Distributed File System), 192–193 “Do I Know This Already?” quiz, 173–177 exam preparation tasks, 201–202 explained, 190–191 forcing, 200–201 intersite replication, 191, 195–201 intrasite replication, 191, 198–199 multi-master replication, 190 one-way replication, 193 ports, 195 replication protocols, 194–195 scheduling, 196–199 restarting, 549–550 schemas, 24 security enhancements, 34 Server Core, 33 Server Manager adding roles and features, 36 capabilities, 36 command-line server management, 36 opening, 35 server roles, 33. See also specific roles “Do I Know This Already?” quiz, 205–209 exam preparation tasks, 247–248 installing, 211 removing, 211 role services, 210 sites benefits of, 178–179 creating, 180–181 “Do I Know This Already?” quiz, 173–177 domain controllers, adding, 181 exam preparation tasks, 201–202 explained, 30, 178 ISTG (Intersite Topology Generator), 189 KCC (Knowledge Consistency Checker), 189 planning, 179 site link bridges, 185 site links, 184–188 subnets, 182–184 trust relationships authentication scope, 338–340 defined, 325 “Do I Know This Already?” quiz, 321–324 exam preparation tasks, 343 external trusts, 326, 335–336 forest trusts, 326, 329–330, 332–335 prerequisites, 328–329 realm trusts, 326, 336 removing cross-forest trust relationships, 341–342 shortcut trusts, 327, 337 SID filtering, 340–341 table of trust types, 328 transitive trusts, 325–326 validating, 338 user accounts contact, 298–299 creating manually, 288–290 creating with Csvde tool, 292–293 creating with Dsadd tool, 294–295 creating with Ldifde tool, 293–294 creating with scripts, 296 delegating administrative control, 313–316 deprovisioning, 312–313 distribution lists, 299–300 “Do I Know This Already?” quiz, 281–285 exam preparation tasks, 317–318 explained, 286 Protected Admin accounts, 309–310 AD CS (Active Directory Certificate Services) 801 resetting, 308 template accounts, 290–291 UPNs (user principal names), 296–298 Windows Server 2008 R2 virtualization, 244–246 zones configuring zone transfers, 132–133 DNS notify, 133–134 full zone transfer (AXFR), 130 incremental zone transfer (IXFR), 131 replication scope, 128–130 secure zone transfer, 134–136 Active Directory Administrative Center (ADAC), 38 “Active Directory Backup and Restore in Windows Server 2008” (article), 526 Active Directory Certificate Services. See AD CS Active Directory Domain Services Installation Wizard, 258–259 Active Directory Federation Service. See AD FS “Active Directory Federation Services Role” (article), 233 Active Directory Installation Wizard, 82 installing domain controllers in existing domains, 89 installing new domains in existing forests, 88 installing new forests, 83–87 Active Directory Lightweight Directory Service. See AD LDS Active Directory Management Pack, 38 Active Directory Metadirectory Services (AD MDS), 231 Active Directory Migration Tool (ADMT) v.3.1, 100–101 “Active Directory Recycle Bin Step-by-Step Guide” (article), 545 “Active Directory Replication over Firewalls” (article), 195 Active Directory Rights Management Service. See AD RMS “Active Directory Rights Management Services Overview” (article), 226 Active Directory Schema snap-in, 220 Active Directory Sites and Services snap-in, 179, 221 adding domain controllers, 181 creating sites, 180–181 creating subnets, 182–184 Active Directory Web Services, 38 AD CS (Active Directory Certificate Services), 34 certificate practice statements, 572–573 certificate requests, 571–572 certificate revocation Authority Information Access (AIA), 624–625 certificate revocation lists (CRLs), 617, 619–621 explained, 616–617 online responders, 621–624 certificate stores, 575 certificate templates archiving keys, 599 configuring, 593–595 defined, 592 duplicating, 597–598 enabling, 597 key recovery agents (KRAs), 599–602 permissions, 595–597 template types, 592 Certification Authority Web Enrollment configuring smart card enrollment, 609–610 configuring Web enrollment, 606–607 creating enrollment agents, 610–613 802 AD CS (Active Directory Certificate Services) enabling certificate autoenrollment, 605–606 Network Device Enrollment Services (NDES), 602–604 configuration assigning administration roles, 581–582 assigning certificate server permissions, 582–583 backing up and restoring certificate databases, 580–581 backing up certificates and keys, 576–577 enabling credential roaming, 578–580 importing certificates, 575–576 restoring certificates and keys, 577–578 “Do I Know This Already?” quiz, 559–562, 587–591 exam preparation tasks, 583–584, 625–626 explained, 210 installation, 565 certificate authority types and hierarchies, 565–567 Certificates snap-in, 573–574 root CAs, 567–568, 570–571 subordinate CAs, 571 new features, 563–565 “AD CS: Restricted Enrollment Agent” (article), 614 AD DS (Active Directory Domain Services) database storage allocation, 553–554 defragmentation offline defragmentation, 551–552 online defragmentation, 551 monitoring. See monitoring Active Directory restarting, 549–550 “AD DS Fine-Grained Password and Account Lockout Policy Step-byStep Guide” (article), 436 AD DS Installation Wizard, 256–257 AD FS (Active Directory Federation Service) explained, 210, 231–232 federation trust configuration, 238 account stores, 240–241 claims, 239 creating federation trusts, 242–243 enabling applications, 241–242 installing, 233–236 role services, 232–233 trust policy configuration, 236–237 user and group claim mapping, 237–238 Web agents, 233 “AD FS in Windows Server 2008 R2 Step-by-Step Guide” (article), 243 AD LDS (Active Directory Lightweight Directory Service), 34 AD LDS security principal, 223 binding to AD LDS instances, 222, 224 configuration, 217 with Active Directory Schema snap-in, 220 with Active Directory Sites and Services snap-in, 221 with ADSI Edit snap-in, 217–218 with Ldp.exe, 218–220 creating AD LDS user accounts and groups, 222–223 explained, 210–213 installation, 213 AD LDS instances, 214–216 AD LDS roles, 213 migrating to, 221 on Server Core, 224–225 AD LDS Administrators page (Lightweight Directory Services Setup Wizard), 215 “AD LDS Getting Started Step-byStep Guide” (article), 217 Advanced tab (Properties dialog box) 803 AD MDS (Active Directory Metadirectory Services), 231 AD RMS (Active Directory Rights Management Service), 34 benefits of, 225–226 certificate request and installation, 228–230 delegation, 230–231 enhancements to, 226 explained, 210 installing, 226–228 self-enrollments, 230 AD RMS Auditors administrative role, 230 AD RMS Enterprise Administrators administrative role, 230 “AD RMS Prerequisites” (article), 228 “AD RMS Step-by-Step Guide” (article), 228 AD RMS Template Administrators administrative role, 230 ADAC (Active Directory Administrative Center), 38 Add Counters dialog box, 477, 479 Add Items dialog box, 524 Add Monitored Server Wizard, 487, 489–491 add nc replica command, 139 Add or Remove Snap-ins dialog box, 574 add parameter (repadmin utility), 492–493 Add Revocation Configuration Wizard, 623 Add Role Services Wizard, 603 Add Roles Wizard, 36, 83 installing CAs with, 567–571 Add Upgrade Package dialog box, 407–408 Additional Domain Controller Options page (Active Directory Domain Services Installation Wizard), 259 Additional Domain Controller Options page (Active Directory Installation Wizard), 85 administration authentication lists, 275–276 DNS servers, 69–70 administration roles, assigning, 581–582 administrative control, delegating, 313–316 administrative organization of domains, 78–79 “Administrative Template Settings” (article), 384 administrative templates, 380–384 administrator role separation, 261–262 ADMIT (Active Directory Migration Tool) v.3.1, 100–101 ADMX central store, 379–380 ADMX format, 354 Adprep utility, 96 Adprep /domainprep command, 97 Adprep /forestprep command, 96 Adprep /rodcprep command, 255 ADSI Edit snap-in, 217–218 Advanced Password Replication Policy dialog box, 275–276 “Advanced Security Audit Policy Settings” (article), 447 Advanced Security Settings dialog box, 316 Advanced tab (Properties dialog box), 123 Disable Recursion setting, 125 Enable automatic scavenging of stale records setting, 126 804 Advanced tab (Properties dialog box) Loading Zone Data setting, 126 Name Checking setting, 125–126 Round Robin setting, 124–125 Server Options, 123–124 Advanced tab (Software Installation Properties dialog box), 404 Advertising test (dcdiag utility), 495 AGDLP strategy, 306–307 agents, creating enrollment agents, 610–613 AGUDLP strategy, 306–307 AIA (Authority Information Access), configuring, 624–625 allocating database storage, 553–554 alternative UPN (user principal name) suffixes, 101–102 Answer files, 770 answers to “Do I Know This Already?” quizzes chapter 2, 729–731 chapter 3, 731–732 chapter 4, 732–734 chapter 5, 735–736 chapter 6, 737–739 chapter 7, 739–741 chapter 8, 741–743 chapter 9, 743–745 chapter 10, 745–747 chapter 11, 747–749 chapter 12, 749–751 chapter 13, 751–753 chapter 14, 754–756 chapter 15, 756–758 chapter 16, 758–759 chapter 17, 759–761 answers to practice exam, 691–727 Application Directory Partition page (Lightweight Directory Services Setup Wizard), 215 application directory partitions, 25, 138–139 application directory partition reference domains, 139 creating application directory partition replicas, 139 installing and configuring, 138–139 application priority, configuring, 465 archiving keys, 599 arrays, configuring, 624 assigning administration roles, 581–582 certificate server permissions, 582–583 software to computers/users, 399 attributes, 23, 154 Auditpol.exe, 447, 449 audits configuring with Auditpol.exe, 447, 449 configuring with GPOs, 442 advanced auditing policies, 446–447 available auditing categories, 442–443 basic auditing policies, 443–445 “Do I Know This Already?” quiz, 417–421 exam preparation tasks, 449–450 new features, 441–442 authentication scope, 338–340 smart cards, implementing, 609–610, 612–615 authentication lists, administration, 275–276 authentication servers, configuration binding to AD LDS instances, 222, 224 creating AD LDS user accounts and groups, 222–223 authoritative restore, 536–537 CAs (Certificate Authorities) 805 authoritative restore of group memberships, 539 authoritative secondary servers, adding to zones, 63 Authority Information Access (AIA), configuring, 624–625 autoenrollment, 605–606 automating Windows Server 2008 R2 installation, 770–771 AXFR (full zone transfer), 130 B Back Up Group Policy Object dialog box, 545 back-links of authoritatively restored objects, recovering, 537 BackupAllGPOS.wsf, 548 BackupGPO.wsf, 548 backups backup permissions, 521 of certificate databases, 580–581 of certificates and keys, 576–577 critical volumes of domain controllers, 522–524 GPOs (Group Policy Objects), 545, 548 to removable media, 527 scheduling, 526–527 wbadmin utility, 525 Windows Server 2008 versus Windows Server 2008 R2, 520–521 Windows Server Backup installation, 521–522 batch files, 296 BelowNormal priority level, 465 Berkeley Internet Name Domain (BIND), 124 best practices, domain structure, 80–81 Best Practices Analyzer (BPA), 38 BIND (Berkeley Internet Name Domain), 124 binding to AD LDS (Active Directory Lightweight Directory Service) instances, 222, 224 BitLocker enabling, 265–269 explained, 263–264 managing, 269–270 preparing for, 265 turning off, 269 Block Inheritance setting (GPOs), 369 boot option (Gpupdate), 511 BPA (Best Practices Analyzer), 38 BranchCache, 39 bridgehead servers, 193–194 bulk import, creating accounts with, 291–292 Csvde tool, 292–293 Dsadd tool, 294–295 Ldifde tool, 293–294 scripts, 296 C c parameter (dcdiag utility), 495 cache.dns file, 117 caching, credential caching, 273–275 caching-only servers, 56 canonical names, 22 CAs (Certificate Authorities) Certification Authority Web Enrollment configuring smart card enrollment, 609–610 configuring Web enrollment, 606–607 creating enrollment agents, 610–613 806 CAs (Certificate Authorities) enabling certificate autoenrollment, 605–606 Network Device Enrollment Services (NDES), 602–604 enterprise CAs, 565 intermediate CAs, 566 issuing CAs, 566 root CAs, 566 standalone CAs, 566 subordinate CAs, installing, 571 three-tier CA hierarchy, 566 two-tier CA hierarchy, 566 catalogs. See global catalogs Categories tab Software Installation Properties dialog box, 405 Software Package Properties dialog box, 406 CDPs (CRL distribution points), configuring, 619–620 Certificate Authorities. See CAs certificate databases, backing up and restoring, 580–581 Certificate Export Wizard, 576–577 Certificate Import Wizard, 577–578 certificate practice statements, 572–573 certificate requests, 571–572 certificate revocation Authority Information Access (AIA), 624–625 certificate revocation lists (CRLs) CDPs (CRL distribution points), 619–620 configuring, 617, 619 troubleshooting, 620–621 explained, 616–617 online responders, 621–624 certificate server permissions, assigning, 582–583 Certificate Services. See AD CS (Active Directory Certificate Services) certificate stores, 575 certificate templates archiving keys, 599 configuring, 593–595 defined, 592 duplicating, 597–598 enabling, 597 key recovery agents (KRAs), 599–602 permissions, 595–597 template types, 592 certificates, request and installation, 228–230 Certificates snap-in, installing, 573–574 Certification Authority Backup Wizard, 580–581 Certification Authority Restore Wizard, 581 Certification Authority Web Enrollment configuring smart card enrollment, 609–610 configuring Web enrollment, 606–607 creating enrollment agents, 610–613 enabling certificate autoenrollment, 605–606 Network Device Enrollment Services (NDES), 602–604 Change Domain Controller dialog box, 166 Change Zone Replication Scope dialog box, 129–130 “Changes in Functionality from Windows Server 2008 to Windows Server 2008 R2” (article), 434 Check Replication Topology option (replmon utility), 490 configuration 807 checking names, 125–126 ChildName option (Active Directory installation), 90 Choose a Deployment Configuration page (Active Directory Installation Wizard), 84 claims creating, 239 user and group claim mapping, 237–238 Claims-aware agents, 233 classes, 23, 154 CLC (Client Licensor certificate), 229 Clear Log option (replmon utility), 490 clearcache command (dnscmd), 70 Client Licensor certificate (CLC), 229 cmdlets, Enable-ADOptionalFeature, 541 CNAME (alias) resource record, 61 command-line DNS server administration, 69–70 command-line server management, 36 commands. See also utilities add nc replica, 139 Adprep /domainprep, 97 Adprep /forestprep, 96 dcpromo, 91–92 dnscmd, 113–114, 118–119, 125, 137–138 dsmgmt, 262 ldifde, 221 net start ntds, 550 net stop ntds, 550 netdom, 341 netdom trust, 335 remove nc replica, 139 repadmin /prp, 274 syskey, 276–277 Windows Server Core commands, 768–769 comments for Group Policy settings, 354 “Compact the directory database file (offline defragmentation)” (article), 553 Computer Management snap-in, 36 computers, assigning software to, 399 conditional forwarders, 114–115 config command (dnscmd), 70 configurable credential caching, 273 configuration accounts. See accounts Active Directory bridgehead servers, 193–194 DFS (Distributed File System), 192–193 forcing, 200 one-way replication, 193 ports, 195 replication, 191–200 replication protocols, 194–195 scheduling, 196–199 Active Directory sites adding domain controllers, 181 creating sites, 180–181 creating subnets, 182–184 ISTG (Intersite Topology Generator), 189 KCC (Knowledge Consistency Checker), 189 site link bridges, 185 site links, 184–188 AD LDS (Active Directory Lightweight Directory Service), 217 with Active Directory Schema snap-in, 220 with Active Directory Sites and Services snap-in, 221 with ADSI Edit snap-in, 217–218 with Ldp.exe, 218–220 808 configuration application priority, 465 arrays, 624 Authority Information Access (AIA), 624–625 CDPs (CRL distribution points), 619–620 certificate templates, 593–595 contacts, 298–299 CRLs (certificate revocation lists), 617, 619 DNS (Domain Name System) authoritative secondary servers, 63 “Do I Know This Already?” quiz, 43–47 Dynamic DNS (DDNS), 64 exam preparation tasks, 71 integrating with WINS, 68–69 name server roles, 55 Nondynamic DNS (NDDNS), 64 overview, 51–52 resource records, 61 Secure Dynamic DNS (SDDNS), 65 time to live (TTL), 66–68 zone creation, 57–60 zone properties, 62 zone scavenging, 65–66 zone types, 52–55, 63 DNS server application directory partitions, 138–139 debug logging, 119–121 DNS monitoring, 127–128 DNS notify, 133–134 DNS Security Extensions (DNSSEC), 121–123 “Do I Know This Already?” quiz, 107–111 event logging, 121 exam preparation tasks, 140 forwarding, 112–115 loading zone data, 126 name checking, 125–126 name servers, 136–138 replication scope, 128–130 rescursion, 125 root hints, 116–117 round robin, 124–125 server options, 123–124 server scavenging, 126 zone delegation, 117–119 zone transfer, 130–136 federation trusts, 238 account stores, 240–241 claims, 239 creating federation trusts, 242–243 enabling applications, 241–242 fine-grained password policies, 430–434 GC (global catalog) servers, 148 partial attribute sets, 152–153 placement, 148–150 promoting domain controllers to, 150 removing, 151 UGMC (Universal Group Membership Caching), 151 GPO hierarchy and processing priority, 365, 367 Block Inheritance setting, 369 disabling user objects, 370 Enforced setting, 367–368 modifying sequence of GPO application, 370 OU hierarchy, 367 group membership, 304–305 online responders, 621–624 operations masters domain naming masters, 160 failures, 164–165 infrastructure masters, 162 PDC emulators, 160–162 placement, 163–164 RID masters, 162 seizing operations master roles, 167–168 transferring operations master roles, 165–167 password replication policy, 272–273 dcpromo command 809 schema masters configuring schema, 154–155 deactivating schema objects, 159–160 extending schema, 155–158 schema definitions, 153–154 smart card enrollment, 609–610 trust policies, 236–237 Web enrollment, 606–607 configuration partitions, 25 Configure a DNS Server Wizard, 117 “Configure the Network Device Enrollment Service” (article), 604 “Configuring SID Filter Quarantining on External Trusts” (article), 341 Confirm Incoming Trust page (New Trust Wizard), 334 Confirm Outgoing Trust page (New Trust Wizard), 334 ConfirmGC option (Active Directory installation), 91 Connection Settings dialog box, 430 contacts, configuring, 298–299 containers defined, 153 explained, 24 GPCs (Group Policy Containers), 352 contiguous namespaces, 23 control of GPOs (Group Policy Objects), delegating, 362, 364 CopyAllGPOs.wsf, 548 CopyGPO.wsf, 548 costs, site link, 186–188 counters, 477, 479 “Create an LDIF file for recovering back-links for authoritatively restored objects” (article), 538 Create Custom View dialog box, 469 Create New Attribute dialog box, 156–157 Create New Data Collector Set Wizard, 480–481 Create Object dialog box, 222, 431 Create Organizational Unit dialog box, 303 CreateGPO.wsf, 548 “Creating External Trusts” (article), 336 “Creating Realm Trusts” (article), 337 credential caching, 273–275 credential roaming, enabling, 578–580 CRL distribution points (CDPs), 619–620 CRLs (certificate revocation lists) CDPs (CRL distribution points), 619–620 configuring, 617, 619 troubleshooting, 620–621 cross-forest trust relationships, removing, 341–342 cscript scregedit.wsf command, 768 .csv extension, 292 Csvde tool, 292–293 customizing Event Viewer, 468–471 D data collector sets, 479–484 database storage allocation, 553–554 DatabasePath option (Active Directory installation), 91 databases certificate databases, backing up and restoring, 580–581 database storage allocation, 553–554 SAM (Security Accounts Manager) database, 77 dcdiag tool, 189, 494–496 dcpromo command, 91–92, 769 810 DDNS (Dynamic DNS) DDNS (Dynamic DNS), 64 deactivating schema objects, 159–160 debug logging, 119–121 Debug Logging tab (Properties dialog box), 120 default schemas, 24 defragmentation offline defragmentation, 551–552 online defragmentation, 551 delegating AD RMS, 230–231 administrative control, 313–316 control of GPOs (Group Policy Objects), 362, 364 zones, 117–119 Delegation of Control Wizard, 364, 509 Delegation of RODC Installation and Administration page (Active Directory Domain Services Installation Wizard), 259 Delete option (replmon utility), 490 deleted objects, restoring, 543–545 deleting GPOs (Group Policy Objects), 362 denying access, 308–309 Deploy Software dialog box, 401, 410 deployment of software. See software deployment Deployment tab (Software Package Properties dialog box), 405 deprovisioning accounts, 312–313 DFS (Distributed File System), 192–193 DFS Management snap-in, 193 “DFS Step-by-Step Guide for Windows Server 2008” (article), 193 dialog box, 219, 224. See also names of specific dialog boxes DIB (Directory Information Base), 18 differencing VHDs (virtual hard disks), 246 DirectAccess, 39 Direction of Trust page (New Trust Wizard), 331–332 Directory Information Base (DIB), 18 Directory Services Restore Mode (DSRM), 528–530 Directory Services Restore Mode Administrator Password page (Active Directory Installation Wizard), 87 Disable Recursion setting (DNS server), 125 disabling recursion, 125 user objects, 370 disjointed namespaces, 23 distinguished names (DNs), 19–20 Distributed File System (DFS), 192–193 distribution lists, creating, 299–300 distribution points, 400 DNs (distinguished names), 19–20 DNS (Domain Name System) command-line DNS server administration, 69–70 DNS server. See DNS server “Do I Know This Already?” quiz, 43–47 domain namespaces, 48 Dynamic DNS (DDNS), 64 exam preparation tasks, 71 hierarchical nature of, 48–49 hostnames, 49 installing on Windows Server 2008 R2, 49–51 integrating with WINS, 68–69 Do I Know This Already? quiz 811 monitoring, 127–128 Nondynamic DNS (NDDNS), 64 read-only DNS, 262–263 resource records, 61 root-level domains, 49 second-level domains, 49 Secure Dynamic DNS (SDDNS), 65 server roles caching-only servers, 56 forwarders, 56–57 primary name servers, 55 secondary name servers, 55–56 top-level domains, 49 zones adding authoritative secondary servers to, 63 configuring zone properties, 62 configuring zone types, 63 creating, 57–60 forward lookup zones, 57–58 GlobalNames zones, 54–55 integrated zones, 53–54 primary zones, 53 reverse lookup zones, 59–60 secondary zones, 53 stub zones, 53 time to live (TTL), 66–68 zone scavenging, 65–66 DNS notify, 133–134 DNS Security Extensions (DNSSEC), 121–123 DNS server, configuration application directory partitions, 138–139 debug logging, 119–121 DNS monitoring, 127–128 DNS notify, 133–134 DNS Security Extensions (DNSSEC), 121–123 “Do I Know This Already?” quiz, 107–111 event logging, 121 exam preparation tasks, 140 forwarding, 112–115 loading zone data, 126 name checking, 125–126 name servers, 136–138 recursion, 125 replication scope, 128–130 root hints, 116–117 round robin, 124–125 server options, 123–124 server scavenging, 126 zone delegation, 117–119 zone transfer, 130–136 dns.log file, 119 dnscmd command, 113–114, 118–119, 125, 137–138 Dnscmd.exe utility, 69–70 DNSSEC (DNS Security Extensions), 121–123 “Do I Know This Already?” quiz account policies and auditing, 417–421 Active Directory installation, 73–76 Active Directory maintenance, 515–519 AD CS (Active Directory Certificate Services), 559–562, 587–591 answers chapter 2, 729–731 chapter 3, 731–732 chapter 4, 732–734 chapter 5, 735–736 chapter 6, 737–739 chapter 7, 739–741 chapter 8, 741–743 chapter 9, 743–745 chapter 10, 745–747 chapter 11, 747–749 chapter 12, 749–751 chapter 13, 751–753 chapter 14, 754–756 812 Do I Know This Already? quiz chapter 15, 756–758 chapter 16, 758–759 chapter 17, 759–761 DNS installation and configuration, 43–47 DNS server configuration, 107–111 global catalogs and operations masters, 143–147 GPOs (Group Policy Objects), 345–350 Group Policy software deployment, 393–397 monitoring, 453–458 RODCs (read-only domain controllers), 251–253 server roles, 205–209 sites and replication, 173–177 trust relationships, 321–324 user and group accounts, 281–285 “Domain Controller and Member Server Policy Settings” (article), 438 domain controllers, 26 adding to sites, 181 backing up critical volumes of, 522–524 bridgehead servers, 193–194 explained, 31 full-server recovery of, 538–539 installing in existing domains, 89 promoting to GC (global catalog) servers, 150 RODCs (read-only domain controllers), 33 administrator role separation, 261–262 BitLocker, 263–270 “Do I Know This Already?” quiz, 251–253 exam preparation tasks, 278 installing, 256–257 password replication, 270–276 planning use of, 254–255 preparing for, 255–256 prestaging, 257–259 read-only DNS, 262–263 syskey utility, 276–277 unidirectional replication, 260–261 Server Core domain controllers, 92 specifying, 365 Windows Server 2003 domain controllers, upgrading, 97 domain groups, 310–312 Domain Name System. See DNS domain namespaces, 48 domain naming masters, 160 domain partitions, 25 domain password policies, 423, 425 domain-wide authentication, 339 DomainDnsZones, 138 DomainLevel option (Active Directory installation), 91 domains administrative and geographical organization of, 78–79 application directory partition reference domains, 139 benefits of multiple domains, 26–27 best practices, 80–81 domain controllers. See domain controllers domain password policies, 423, 425 explained, 26 forests, 27 installation, 83–87 functional levels table of, 94–95 upgrading, 95–96 installation installing domain controllers in existing domains, 89 installing new domains in existing forests, 88 exam preparation tasks 813 multiple trees, 79 ntds.dit files, 26 offline domain join, 38 root-level domains, 49 second-level domains, 49 top-level domains, 49 trees, 27 Dsadd tool, 223, 294–295 dsget, 295 dsmgmt utility, 262 dsmod, 295 dsmove, 295 dsquery, 295 dsrm, 295 DSRM (Directory Services Restore Mode), 528–529 dual-factor authentication, 609 Duplicate Template dialog box, 605 duplicating certificate templates, 597–598 DVD-ROM, installing Windows Server 2008 R2 from, 764–766 Dynamic DNS (DDNS), 64 dynamic VHDs (virtual hard disks), 245 E Edit Forwarders dialog box, 113–114 Edit Name Server Record dialog box, 117, 137 “11 Essential Tools for Managing Active Directory” (article), 295 Enable automatic scavenging of stale records setting (DNS server), 126 Enable Certificate Templates dialog box, 597–598 “Enable Clients to Locate a Domain Controller in the Next Closest Site” (article), 263 Enable-ADOptionalFeature cmdlet, 541 enabling AD FS applications, 241–242 BitLocker, 265–269 certificate autoenrollment, 605–606 certificate templates, 597 credential roaming, 578–580 Recycle Bin, 541–543 Enforced setting (GPOs), 367–368 enrollment. See Certification Authority Web Enrollment enrollment agents, creating, 610–613 enterprise CAs (certificate authorities), 565 Enterprise PKI (PKIView), 564 enumzones command (dnscmd), 70 Establish Restricted Enrollment Agents’ (article), 614 event logging, 121 Event Logging tab (Properties dialog box), 121 Event Viewer, 466–471 replication monitoring, customizing, 470–471 exam. See practice exam exam preparation tasks account policies and auditing, 449–450 Active Directory installation, 103–104 Active Directory maintenance, 555–556 AD CS (Active Directory Certificate Services), 583–584, 625–626 DNS (Domain Name System) installation and configuration, 71 DNS server configuration, 140 global catalogs and operations masters, 169–170 GPOs (Group Policy Objects), 389–390 Group Policy software deployment, 414 814 exam preparation tasks monitoring, 512–513 RODCs (read-only domain controllers), 278 server roles, 247–248 sites and replication, 201–202 trust relationships, 343 user and group accounts, 317–318 Expires After setting (SOA records), 68 explicit UPNs (user principal names), 101 extending schema, 155–158 external trusts creating, 335–336 explained, 326 F f parameter (dcdiag utility), 495 failed replication, monitoring tools, 470–471 failures, operations master failures, 164–165 fault tolerance, 31 features, adding, 36 Federation Service. See AD FS (Active Directory Federation Service) Federation Service Proxy, 233 federation trusts configuring, 238 account stores, 240–242 claims, 239 creating, 242–243 ferr parameter (dcdiag utility), 495 File Extensions tab (Software Installation Properties dialog box), 404 File Locations page (Lightweight Directory Services Setup Wizard), 215 File Replication Service (FRS), 192 files cache.dns, 117 dns.log, 119 Gpt.ini., 353 .msi files, 412 Registry.pol, 353 transform files compared to patches, 411 modifying software packages with, 409–410 virtual hard disk (VHD) files, 245–246 Zero Administration Package (ZAP) files, 402–403 Filter Current Log dialog box, 470 filtering Group Policy, 371 Security Filtering, 371–372 Windows Management Instrumentation (WMI), 374 Windows PowerShell, 374–376 SID filtering, 340–341 fine-grained password policies configuring, 430–434 explained, 428–429 managing, 435 password settings precedence, 429 viewing resultant PSO, 435–436 fixed VHDs (virtual hard disks), 245 flat namespaces, 23 flexible single-master operations (FSMO) servers, 32–33 folders, SYSVOL, replication, 261 force option (Gpupdate), 511 forcing intersite replication, 200–201 forest trusts creating, 329–330, 332–335 explained, 326 GPOs (Group Policy Objects) 815 forest-wide authentication, 339 ForestDnsZones, 138 ForestLevel option (Active Directory installation), 91 forests explained, 27 functional levels table of, 94–95 upgrading, 95–96 installation, 83–87 installing new domains in, 88 forward lookup zones, 57–58 forwarders, 56–57 Forwarders tab (Properties dialog box), 113 forwarding conditional forwarders, 114–115 explained, 112–113 specifying forwarders, 113–114 foundations of Active Directory LDAP (Lightweight Directory Access Protocol), 18–19 X.500, 17–18 Freesysvol test (dcdiag utility), 496 FRS (File Replication Service), 192 Frsevent test (dcdiag utility), 496 FSMO (flexible single-master operations) servers, 32–33 full zone transfer (AXFR), 130 full-server recovery of domain controllers, 538–539 G GC (global catalog) servers, 31-32 features, 148 partial attribute sets, 152–153 placement, 148–150 promoting domain controllers to, 150 removing, 151 UGMC (Universal Group Membership Caching), 151 General tab Software Installation Properties dialog box, 403 Software Package Properties dialog box, 405 geographical organization of domains, 78–79 global catalogs “Do I Know This Already?” quiz, 143–147 exam preparation tasks, 169–170 explained, 24–25, 31 GC (global catalog) servers, 31-32 features, 148 partial attribute sets, 152–153 placement, 148–150 promoting domain controllers to, 150 removing, 151 UGMC (Universal Group Membership Caching), 151 globally unique identifiers (GUIDs), 21, 352 GlobalNames zones, 54–55 GPCs (Group Policy Containers), 352 gpedit.msc, 134 GPMC (Group Policy Management Console), 34 creating GPOs, 355–359 explained, 354 GPOs (Group Policy Objects) administrative templates, 380–384 ADMX central store, 379–380 backing up, 545, 548 creating, 355–359 delegating control of, 362, 364 deleting, 362 816 GPOs (Group Policy Objects) “Do I Know This Already?” quiz, 345–350 filtering, 371 Security Filtering, 371–372 Windows Management Instrumentation (WMI), 374 Windows PowerShell, 374–376 hierarchy and processing priority, 365, 367 Block Inheritance setting, 369 disabling user objects, 370 Enforced setting, 367–368 modifying sequence of GPO application, 370 OU hierarchy, 367 importing, 547–548 linking, 360 loopback processing, 377–378 managing GPO links, 361–362 restoring, 545, 547–548 restricted groups, 384–385 RSoP (Resultant Set of Policy) Delegation of Control Wizard, 509 explained, 496–497 Gpresult, 509–510 Gpupdate, 511 logging mode, 501–508 planning mode, 497–501 saving RSoP data, 508–509 shell access policies, 387 specifying domain controllers, 365 Starter GPOs, 385–387 user rights, 378 Gpresult, 509–510 Gpt.ini file, 353 GPTs (Group Policy Templates), 352–353 Gpupdate, 511 group accounts configuring group membership, 304–305 creating with Csvde tool, 292–293 with Dsadd tool, 294–295 with Ldifde tool, 293–294 manually, 288–290 with scripts, 296 delegating administrative control, 313–316 denying access, 308–309 deprovisioning, 313 “Do I Know This Already?” quiz, 281–285 exam preparation tasks, 317–318 explained, 287 local versus domain groups, 310–312 nesting with AGDLP/AGUDLP, 306–307 Group Policy, 34 account policies, 422 account lockout policy, 426–427 “Do I Know This Already?” quiz, 417–421 domain password policies, 423, 425 exam preparation task, 449–450 Kerberos policy, 428 unlocking accounts, 427 additional security-related policy settings, 436–439 administrative templates, 380–384 ADMX central store, 379–380 audits, configuring, 442 advanced auditing policies, 446–447 Auditpol.exe, 447, 449 available auditing categories, 442–443 basic auditing policies, 443–445 explained, 351–352 filtering, 371 Security Filtering, 371–372 Windows Management Instrumentation (WMI), 374 Windows PowerShell, 374–376 hierarchy (GPOs) 817 fine-grained password policies configuring, 430–434 explained, 428–429 managing, 435 password settings precedence, 429 viewing resultant PSO, 435–436 GPCs (Group Policy Containers), 352 GPMC (Group Policy Management Console) creating GPOs, 355–359 explained, 354 GPOs. See GPOs (Group Policy Objects) GPTs (Group Policy Templates), 352–353 importing certificates with, 575–576 loopback processing, 377–378 new features, 354–355 overview, 352 restricted groups, 384–385 RSoP (Resultant Set of Policy) Delegation of Control Wizard, 509 explained, 496–497 Gpresult, 509–510 Gpupdate, 511 logging mode, 501–508 planning mode, 497–501 saving RSoP data, 508–509 shell access policies, 387 software, redeploying, 413 software deployment assigning software, 399 benefits of, 398 “Do I Know This Already?” quiz, 393–397 exam preparation tasks, 414 explained, 400–401 modifying software packages with transform files, 409–410 publishing software, 399 redeploying upgraded software, 411–412 removing software, 413 software installation properties, 403–405 software lifecycle, 398–399 software package properties, 405–407 upgrading software, 407–409 ZAP files, 402–403 software package properties, 405 user rights, 378 Group Policy Containers (GPCs), 352 Group Policy Management Console (GPMC), 34 creating GPOs, 355–359 explained, 354 “Group Policy Management Console Scripting Samples” (article), 549 Group Policy Objects. See GPOs “Group Policy Settings Reference for Windows and Windows Server” (article), 384 Group Policy Templates (GPTs), 352–353 groups AD LDS groups, creating, 222–223 authoritative restore of group memberships, 539 restricted groups, 384–385 GTIMESERV, 161 GUIDs (globally unique identifiers), 21, 352 H h parameter (dcdiag utility), 495 hardware requirements for Windows Server 2008 R2, 763–764 Help command, 769 hierarchical namespaces, 23 hierarchical nature of DNS (Domain Name System), 48–49 hierarchy (GPOs), 365, 367 818 High priority level High priority level, 465 hostnames, 49 “How to rebuild the SYSVOL tree and its content in a domain” (article), 261 Hyper-V, 38, 244–246 I-J “Implement Role-Based Administration” (article), 583 implicit UPNs (user principal names), 101 Import Settings Wizard, 547–548 ImportGPO.wsf, 548 importing certificates, 575–576 GPOs (Group Policy Objects), 547–548 Importing LDIF Files page (Lightweight Directory Services Setup Wizard), 215 incremental zone transfer (IXFR), 131 info command (dnscmd), 70 infrastructure masters, 162 installation Active Directory, 82 Active Directory Migration Tool (ADMT) v.3.1, 100–101 alternative UPN (user principal name) suffixes, 101–102 “Do I Know This Already?” quiz, 73–76 domain controllers in existing domains, 89 domains, 78–81, 88 exam preparation tasks, 103–104 namespaces, 77–78 new forests, 83–87 requirements, 81–82 Server Core domain controllers, 92 unattended installations, 90–92 verifying installation, 98, 100 AD CS (Active Directory Certificate Services), 565 certificate authority types and hierarchies, 565–567 root CAs, 567–568, 570–571 subordinate CAs, 571 AD FS (Active Directory Federation Service), 233–236 AD LDS (Active Directory Lightweight Directory Service), 213 AD LDS instances, 214–216 AD LDS roles, 213 AD RMS (Active Directory Rights Management Service), 226–228 application directory partitions, 138–139 certificate request and installation, 228–230 DNS (Domain Name System) “Do I Know This Already?” quiz, 43–47 exam preparation tasks, 71 on Windows Server 2008 R2, 49–51 Hyper-V, 245–246 Network Monitor, 460–461 RODCs (read-only domain controllers), 254 AD DS Installation Wizard, 256–257 planning use of, 254–255 preparation, 255–256 prestaging, 257–259 server roles, 211 software installation properties, 403–405 Windows Server 2008 R2 automated installation, 770–771 complete server installation, 765 complete server installation from DVD-ROM, 764–766 upgrading Windows Server 2003 or 2008 computers, 769–770 ldifde command 819 Windows Server Core commands, 768–769 Windows Server Core computers, 767–768 Windows Server Backup, 521–522 WSRM (Windows System Resource Manager), 484 Installation Progress page (Add Roles Wizard), 83 InstallDNS option (Active Directory installation), 91 Installing AD LDS page (Lightweight Directory Services Setup Wizard), 216 Instance Name page (Lightweight Directory Services Setup Wizard), 214 integrated zones, 53–54 integrating DNS (Domain Name System) with WINS, 68–69 intermediate CAs (certificate authorities), 566 Internet Server Application Programming Interface (ISAPI) filters, 602 Internet Society (ISOC), 49 interoperability with previous versions of Active Directory, 93 Adprep utility, 96 Adprep /domainprep command, 97 Adprep /forestprep command, 96 forest and domain functional levels table of, 94–95 upgrading, 95–96 upgrading Windows Server 2003 domain controllers, 97 intersite replication, 191, 195 forcing, 200–201 scheduling, 196–198 Intersite Topology Generator (ISTG), 189 intrasite replication, 191 scheduling, 198–199 Introduction to Active Directory Domain Services page (Add Roles Wizard), 83 ISAPI (Internet Server Application Programming Interface) filters, 602 ISOC (Internet Society), 49 Issue and Manage Certificates permissions, 582 issuing CAs (certificate authorities), 566 ISTG (Intersite Topology Generator), 189 IXFR (incremental zone transfer), 131 K KCC (Knowledge Consistency Checker), 189 Kccevent test (dcdiag utility), 496 KDC (Kerberos Key Distribution Center), 428 Kerberos policy, 428 key recovery agents (KRAs), 599–602 keys archiving, 599 backing up, 576–577 key recovery agents (KRAs), 599–602 restoring, 577–578 Knowledge Consistency Checker (KCC), 189 KnowsOfRoleHolders test (dcdiag utility), 495 KRAs (key recovery agents), 599–602 L LDAP (Lightweight Directory Access Protocol), 18–19 ldifde command, 221, 293–294, 434 820 Ldp.exe Ldp.exe, 218–220, 541–544 Lightweight Directory Access Protocol (LDAP), 18–19 Lightweight Directory Service. See AD LDS (Active Directory Lightweight Directory Service) Lightweight Directory Services Setup Wizard, 214–216 linked-value replication, 539 linking GPOs (Group Policy Objects), 360 links, GPO links creating, 360 managing, 361–362 lists authentication lists, administration, 275–276 distribution lists, creating, 299–300 load balancing, 31 loading zone data, 126 Loading Zone Data setting (DNS server), 126 local groups, 310–312 lockout, account lockout policy, 426–427 logging debug logging, 119–121 directory service information, Event Viewer and, 468 event logging, 121 logging mode (RSoP), 501–508 logoff option (Gpupdate), 511 LogPath option (Active Directory installation), 91 lookup zones forward lookup zones, 57–59 overview, 57 reverse lookup zones, 59–60 loopback processing mode (Group Policy), 377–378 Low priority level, 465 M Machine certificate, 229 MachineAccount test (dcdiag utility), 496 mail exchanger (MX) resource record, 61 Manage Backups dialog box, 546 Manage CA permissions, 583 Managed Service Accounts, 39 managing BitLocker, 269–270 fine-grained password policies, 435 GPO (Group Policy Object) links, 361–362 trust relationships authentication scope, 338–340 SID filtering, 340–341 validating relationships, 338 mapping user and group claims, 237–238 Maximum Tolerance for Computer Clock Synchronization policy setting, 428 MDT (Microsoft Deployment Toolkit) 2010, 771 Microsoft Simple Certificate Enrollment Protocol, 563 “Microsoft ® Hyper-V Server 2008 R2” (article), 246 migrating to AD LDS (Active Directory Lightweight Directory Service), 221 Modifications tab (Software Package Properties dialog box), 407 modifying schemas, 24 NDES (Network Device Enrollment Services) 821 software packages with transform files, 409–410 monitoring Active Directory data collector sets, 479–484 “Do I Know This Already?” quiz, 453–458 Event Viewer, 466–471 exam preparation tasks, 512–513 Network Monitor, 459–461, 463 Performance Monitor, 476–479 Reliability Monitor, 473, 475 replication dcdiag, 494–496 Event Viewer, 470–471 repadmin, 491–494 replmon, 487–491 Resource Monitor, 473–474 Server Performance Advisor, 486 Task Manager, 463–465 Windows System Resource Manager (WSRM), 484–486 monitoring DNS (Domain Name System), 127–128 Monitoring tab DNS server, 127–128 Properties dialog box, 127–128 Move Server dialog box, 181 .msi files, 412 .msp extension, 411 .mst extension, 411 multi-master replication, 190 Multibyte (UTFB), 126 multimaster replication, 26 multiple domains, benefits of, 26–27 multiple trees, 79 MX (mail exchanger) resource record, 61 N n parameter (dcdiag utility), 495 Name Checking setting (DNS server), 125–126 name server (NS) resource record, 61 name servers caching-only servers, 56 configuration, 136–138 forwarders, 56–57 primary name servers, 55 secondary name servers, 55–56 Name the New Domain page (Active Directory Installation Wizard), 88 names hostnames, 49 name checking, 125–126 namespaces, 23 contiguous namespaces, 23 disjointed namespaces, 23 domain namespaces, 48 explained, 22 flat namespaces, 23 hierarchical namespaces, 23 planning, 77 subdividing, 77–78 naming standards canonical names, 22 DNs (distinguished names), 19–20 GUIDs (globally unique identifiers), 21 RDNs (relative distinguished names), 20–21 SIDs (security identifiers), 21–22 UPNs (user principal names), 21 NCSecDesc test (dcdiag utility), 495 NDDNS (Nondynamic DNS), 64 NDES (Network Device Enrollment Services), 602–604 822 nesting group accounts nesting group accounts, 306–307 net start ntds command, 550 net stop ntds command, 550 netdom command, 341 netdom join command, 768 netdom trust command, 335 “Netdom trust” (article), 341 NetLogons test (dcdiag utility), 495 netsh advfirewall command, 769 netsh interface IPv4 command, 769 Network Credentials page Active Directory Domain Services Installation Wizard, 258 Active Directory Installation Wizard, 88 Network Device Enrollment Services (NDES), 602–604 Network Location Awareness (NLA), 354 Network Monitor, 459–461, 463 New Connection Security Rule Wizard, 134–136 New Delegation Wizard, 118 new features of Active Directory, 33–34 New Group dialog box, 311 New Name Server Record dialog box, 63, 117–118, 136–137 New Object - Contact dialog box, 299 New Object - Organizational Unit dialog box, 303 New Object - Site dialog box, 180 New Object - Site Link Bridge dialog box, 186 New Object - Site Link dialog box, 185 New Object - Subnet dialog box, 182 New Object - User dialog box, 288 New Starter GPO dialog box, 386 New Trust Wizard external trusts, creating, 335–336 forest trusts, creating, 329–330, 332–335 realm trusts, creating, 336 shortcut trusts, creating, 337 NewDomain option (Active Directory installation), 90 NewDomainDNSName option (Active Directory installation), 90 NLA (Network Location Awareness), 354 nmcap.exe, 463 Non RFC (ANSI), 126 nonauthoritative restore, 529–534 Nondynamic DNS (NDDNS), 64 Normal priority level, 465 normal restore, 529–534 notifications, DNS notify, 133–134 Notify dialog box, 133 NS (name server) resource record, 61 NTDS Settings Properties dialog box, 150 ntds.dit files, 26 ntdsutil utility, 167–168, 529 O objectGUID, 21 objects attributes, explained, 23 defined, 23, 153 GPOs. See GPOs (Group Policy Objects) objectGUID, 21 Password Settings Container, 429 ObjectsReplicated test (dcdiag utility), 496 oclist command, 768 passwords 823 ocsetup command, 769 OCSP (Online Certificate Status Protocol), 563 offline defragmentation, 551–552 one-way replication, 193 Online Certificate Status Protocol (OCSP), 563 online defragmentation, 551 Online Responder Installation, Configuration, and Troubleshooting Guide, 621 Online Responder Properties dialog box, 622 online responders, 621–624 opening Server Manager, 35 Operating System Compatibility page Active Directory Domain Services Installation Wizard, 258 Active Directory Installation Wizard, 84 operations masters, 32–33, 153 “Do I Know This Already?” quiz, 143–147 domain naming masters, 160 exam preparation tasks, 169–170 failures, 164–165 infrastructure masters, 162 PDC emulators, 160–162 placement, 163–164 RID masters, 162 schema masters configuring schema, 154–155 deactivating schema objects, 159–160 extending schema, 155–158 schema definitions, 153–154 seizing operations master roles, 167–168 transferring operations master roles, 165–167 Operations Masters dialog box, 166 OUs (organizational units) creating, 301–304 explained, 29–30 hierarchy, 367 P p parameter (dcdiag utility), 495 packages modifying with transform files, 409–410 software package properties, 405–407 ParentDomainDNSName option (Active Directory installation), 90 partial attribute sets, 152–153 partitions application directory partitions, 25, 138–139 application directory partition reference domains, 139 creating application directory partition replicas, 139 installing and configuring, 138–139 configuration partitions, 25 domain partitions, 25 explained, 25 schema partitions, 25 Password option (Active Directory installation), 90 “Password Replication Policy” (article), 272 Password Settings Container, 429 Password Settings Objects. See PSOs passwords, 34 domain password policies, 423, 425 fine-grained password policies configuring, 430–434 explained, 428–429 managing, 435 824 passwords password settings precedence, 429 viewing resultant PSO, 435–436 replication authentication list administration, 275–276 configuring, 272–273 credential caching, 273–275 explained, 270–271 planning, 271–272 patches, compared to transform files, 411 PDC emulators, 160–162 “Performance and Reliability Monitoring Step-by-Step Guide for Windows Server 2008” (article), 472, 484 Performance Logs and Alerts. See data collector sets Performance Monitor, 476–479 “Performance Monitor Getting Started Guide,” 479 “Performing Authoritative Restore of Active Directory Objects” (article), 540 permissions backup permissions, 521 certificate server permissions, assigning, 582–583 certificate template permissions, 595–597 placement of GC (global catalog) servers, 148–150 of operations masters, 163–164 planning Active Directory sites, 179 namespaces, 77 password replication policy, 271–272 RODCs (read-only domain controllers), 254–255 “Planning for Active Directory Forest Recovery” (article), 528 planning mode (RSoP), 497–501 pointer (PTR) resource record, 61 policies Group Policy. See Group Policy management, 34 password replication policy authentication list administration, 275–276 configuring, 272–273 credential caching, 273–275 planning, 271–272 trust policy configuration, 236–237 ports for intersite replication, 195 Ports page (Lightweight Directory Services Setup Wizard), 214 PowerShell, 296, 374–376 PowerShell 2.0, 37 practice exam, 629–689 answers, 691–727 preparing for BitLocker, 265 for RODCs (read-only domain controllers), 255–256 prestaging RODCs (read-only domain controllers), 257–259 primary name servers, 55 Primary Server setting (SOA records), 68 primary zones, 53 priority of applications, configuring, 465 processing priority (GPOs), 365, 367 promoting domain controllers to global catalog servers, 150 properties software packages, Group Policy and, 405 zone properties authoritative secondary servers, 63 recovery 825 configuring, 62 Dynamic DNS (DDNS), 64 Nondynamic DNS (NDDNS), 64 Secure Dynamic DNS (SDDNS), 65 time to live (TTL), 66–68 zone scavenging, 65–66 zone types, 63 Properties dialog box (DNS server), 112 Advanced tab, 123 Disable Recursion setting, 125 Enable automatic scavenging of stale records setting, 126 Loading Zone Data setting, 126 Name Checking setting, 125–126 Round Robin setting, 124–125 Server Options, 123–124 Debug Logging tab, 120 Event Logging tab, 121 Forwarders tab, 113–114 Monitoring tab, 127–128 Root Hints tab, 116 Trust Anchors tab, 122 Properties of New Template dialog box, 605 Properties option (replmon utility), 491 Protected Admin accounts, 309–310 protocols LDAP (Lightweight Directory Access Protocol), 18–19 Remote Procedure Call (RPC) over IP, 184 replication protocols, 194–195 SMTP (Simple Mail Transfer Protocol), 184 X.500, 17–18 PSOs (Password Settings Objects) defined, 429 viewing, 435–436 PTR (pointer) resource record, 61 Publishing license, 229 publishing software to users, 399 Q q parameter (dcdiag utility), 495 quizzes. See ‘“Do I Know This Already?” quiz R r option (Gpresult), 509 RAC (Rights account certificate), 229 RDNs (relative distinguished names), 20–21 RDS (Remote Desktop Services), 38 Read permissions, 582 read-only DNS, 262–263 read-only domain controllers. See RODCs Ready to Install page (Lightweight Directory Services Setup Wizard), 216 realm trusts creating, 336 explained, 326 Realtime priority level, 465 RebootOnCompletion option (Active Directory installation), 91 recovery. See also Recycle Bin authoritative restore, 536–537 authoritative restore of group memberships, 539 Directory Services Restore Mode (DSRM), 528–529 explained, 528 full-server recovery of domain controllers, 538–539 GPOs (Group Policy Objects), 545, 547–548 826 recovery linked-value replication, 539 nonauthoritative restore, 529–534 recovering back-links of authoritatively restored objects, 537 wbadmin command, 534–535 Recovery Wizard, 531–534 recursion, disabling, 125 Recycle Bin enabling, 541–543 explained, 540–541 restoring deleted objects, 543–545 redeploying upgraded software, 411–412 Refresh Interval setting (SOA records), 68 Registry.pol file, 353 REG_DWORD value, 195 relationships, trust authentication scope, 338–340 defined, 325 “Do I Know This Already?” quiz, 321–324 exam preparation tasks, 343 external trusts, 326, 335–336 forest trusts, 326, 329–330, 332–335 prerequisites, 328–329 realm trusts, 326, 336 removing cross-forest trust relationships, 341–342 shortcut trusts, 327, 337 SID filtering, 340–341 table of trust type, 328 transitive trusts, 325–326 validating, 338 relative distinguished names (RDNs), 20–21 Reliability and Performance Monitor console, 472 Reliability Monitor, 473, 475 Remote Desktop Services (RDS), 38 Remote Procedure Call (RPC) over IP, 184 removable media, 527 remove nc replica command, 139 Remove Software dialog box, 413 removing Active Directory, 92–93 cross-forest trust relationships, 341–342 GC (global catalog) servers, 151 server roles, 211 software, 413 repadmin, 491 /add parameter, 492–493 /replicate parameter, 491 /replsummary parameter, 494 /showconn parameter, 493 /showmeta parameter, 492 /showreps parameter, 492 /sync parameter, 493 /syncall parameter, 493 repadmin /prp command, 274 repadmin tool, 189 ReplicaDomainDNSName option (Active Directory installation), 90 ReplicaOrNewDomain option (Active Directory installation), 90 replicas, application directory partition replicas, 139 replicate parameter (repadmin utility), 491 Replicate this attribute to the Global Catalog option, 154 replication bridgehead servers, 193–194 DFS (Distributed File System), 192–193 Revoked Certificates Properties dialog box 827 “Do I Know This Already?” quiz, 173–177 Event Viewer, customizing, 470–471 exam preparation tasks, 201–202 explained, 190–191 forcing, 200–201 intersite replication, 191, 195 forcing, 200–201 scheduling, 196–198 intrasite replication, 191 scheduling, 198–199 linked-value replication, 539 monitoring dcdiag, 494–496 repadmin, 491–494 replmon, 487–491 multi-master replication, 190 one-way replication, 193 password replication authentication list administration, 275–276 configuring, 272–273 credential caching, 273–275 explained, 270–271 planning, 271–272 replication protocols, 194–195 scheduling intersite replication, 196–198 intrasite replication, 198–199 scope, 128–130 unidirectional replication, 260–261 Replications test (dcdiag utility), 495 replmon, 189, 487–491 replsum.exe, 38 replsummary parameter (repadmin utility), 494 Report Options dialog box, 489 Report Status dialog box, 490 Request Certificates permissions, 583 “Request Handling” (article), 595 resetting user accounts, 308 resilient software, 398 Resource Monitor, 473–474 resource partners, 231 resource records (DNS), 61 Responsible Person setting (SOA records), 68 restarting Active Directory, 549–550 restore options. See also Recycle Bin authoritative restore, 536–537 authoritative restore of group memberships, 539 Directory Services Restore Mode (DSRM), 528–529 explained, 528 full-server recovery of domain controllers, 538–539 GPOs (Group Policy Objects), 545, 547–548 linked-value replication, 539 nonauthoritative restore, 529–534 recovering back-links of authoritatively restored objects, 537 wbadmin command, 534–535 RestoreAllGPOs.wsf, 548 RestoreGPO.wsf, 548 restoring authoritative, 536 certificate databases, 580–581 certificates and keys, 577–578 restricted groups, 384–385 Resultant Set of Policy. See RSoP Retry Interval setting (SOA records), 68 reverse lookup zones, 59–60 Revoked Certificates Properties dialog box, 618 828 revoking certificates revoking certificates Authority Information Access (AIA), 624–625 certificate revocation lists (CRLs) CDPs (CRL distribution points), 619–620 configuring, 617, 619 troubleshooting, 620–621 explained, 616–617 online responders, 621–624 RID masters, 162 RidManager test (dcdiag utility), 495 Rights account certificate (RAC), 229 Rights Management Service. See AD RMS (Active Directory Rights Management Service) RODCs (read-only domain controllers), 33, 52 administrator role separation, 261–262 BitLocker enabling, 265–269 explained, 263–264 managing, 269–270 preparing for, 265 turning off, 269 “Do I Know This Already?” quiz, 251–253 exam preparation tasks, 278 installing, 256–257 password replication authentication list administration, 275–276 configuring, 272–273 credential caching, 273–275 explained, 270–271 planning, 271–272 planning use of, 254–255 preparing for, 255–256 prestaging, 257–259 read-only DNS, 262–263 syskey utility, 276–277 unidirectional replication, 260–261 role services, 210 role-based administration, 581 roles, 33. See also server roles adding, 36 administration roles, assigning, 581–582 role-based administration, 581 root CAs (certificate authorities) defined, 566 installing, 567–568, 570–571 root hints, 116–117 Root Hints tab (Properties dialog box), 116 root-level domains, 49 Round Robin setting (DNS server), 124–125 RSoP (Resultant Set of Policy) Delegation of Control Wizard, 509 explained, 496–497 Gpresult, 509–510 Gpupdate, 511 logging mode, 501–508 planning mode, 497–501 saving RSoP data, 508–509 S s option (Gpresult), 509 s parameter (dcdiag utility), 495 SAM (Security Accounts Manager) database, 77 Save Filter to Custom View dialog box, 470 saving RSoP (Resultant Set of Policy) data, 508–509 scavenging, 65–66, 126 SCEP (Simple Certificate Enrollment Protocol), 602 Select a Domain page (Active Directory Installation Wizard) 829 Schedule for (site link name) dialog box, 197 Schedule for dialog box, 199 scheduling backups, 526–527 replication forcing replication, 200–201 intersite replication, 196–198 intrasite replication, 198–199 Schema Admins group, 154 schema masters configuring schema, 154–155 deactivating schema objects, 159–160 extending schema, 155–158 schema definitions, 153–154 schema partitions, 25 schemas configuring, 154–155 deactivating schema objects, 159–160 default schemas, 24 explained, 24 extending, 155–158 modifying, 24 scope, replication scope, 128–131 scope option (Gpresult), 510 scripts backup and restore scripts, 548 creating accounts with, 296 SDDNS (Secure Dynamic DNS), 65 second-level domains, 49 secondary name servers, 55–56 secondary zones, 53 Secure Dynamic DNS (SDDNS), 65 security, 34. See also backups account policies account lockout policy, 426–427 domain password policies, 423, 425 Kerberos policy, 428 unlocking accounts, 427 AD LDS security principal, 223 additional security-related policy settings, 436–439 audits configuring with Auditpol.exe, 447, 449 configuring with GPOs, 442–447 “Do I Know This Already?” quiz, 417–421 exam preparation task, 449–450 new features, 441–442 backup permissions, 521 fine-grained password policies configuring, 430–434 explained, 428–429 managing, 435 password settings precedence, 429 viewing resultant PSO, 435–436 secure zone transfer, 134–136 security configuration tools, 439–441 user authentication, smart cards, 609–610, 612–615 Security Accounts Manager (SAM) database, 77 Security Configuration and Analysis snap-in, 439 Security Configuration Wizard, 439 Security Filtering (GPOs), 371–372 security identifiers (SIDs), 21–22 “Security Options” (article), 438 Security Settings dialog box, 372 Security tab (Software Package Properties dialog box), 407 Security Templates snap-in, 439 seizing operations master roles, 167–168 Select a Domain page (Active Directory Installation Wizard), 89 830 Select a Site page (Active Directory Installation Wizard) Select a Site page (Active Directory Installation Wizard), 88 Select Schema Object dialog box, 157, 159 selective authentication, 339 self-enrollments (AD RMS), 230 Serial Number setting (SOA records), 68 Server Core, 33 AD LDS (Active Directory Lightweight Directory Service) on, 224–225 domain controllers, 92 Server Licensor certificate (SLC), 229 Server Manager adding roles and features, 36 capabilities, 36 command-line server management, 36 opening, 35 Server Options (DNS server), 123–124 Server Performance Advisor, 486 server roles. See also names of specific roles AD CS (Active Directory Certificate Services), 210 AD FS (Active Directory Federation Service) explained, 210, 231–232 federation trust configuration, 238–243 installing, 233–236 role services, 232–233 trust policy configuration, 236–237 user and group claim mapping, 237–238 Web agents, 233 AD LDS (Active Directory Lightweight Directory Service) AD LDS security principal, 223 binding to AD LDS instances, 222, 224 configuration, 217–221 creating AD LDS user accounts and groups, 222–223 explained, 210–213 installation, 213–216 migrating to, 221 on Server Core, 224–225 AD MDS (Active Directory Metadirectory Services), 231 AD RMS (Active Directory Rights Management Service) benefits of, 225–226 certificate request and installation, 228–230 delegation, 230–231 enhancements to, 226 explained, 210 installing, 226–228 self-enrollments, 230 “Do I Know This Already?” quiz, 208–209 installing, 211 removing, 211 role services, 210 server scavenging, 126 “Server Security Policy Management in Windows Server 2008” (article), 441 ServerManagerCmd command, 36, 769 servers bridgehead servers, 193–194 DNS servers. See DNS servers flexible single-master operations (FSMO) servers, 32–33 GC (global catalog) servers, 31-32 features, 148 partial attribute sets, 152–153 placement, 148–150 promoting domain controllers to, 150 removing, 151 UGMC (Universal Group Membership Caching), 151 sites 831 name servers, configuration, 136–138 roles, 33 adding, 36 “Do I Know This Already?” quiz, 205–207 exam preparation tasks, 247–248 Server Core, 33 Server Manager adding roles and features, 36 capabilities, 36 command-line server management, 36 opening, 35 Windows Server. See Windows Server 2008 R2 service (SRV) resource record, 61 Service Account Selection Partition page (Lightweight Directory Services Setup Wizard), 215 Services test (dcdiag utility), 496 Set Domain Functional Level page (Active Directory Installation Wizard), 88 Set Forest Functional Level page (Active Directory Installation Wizard), 85 Setting Up Certificate Enrollment Web Services’ (article), 609 Setup Options page (Lightweight Directory Services Setup Wizard), 214 shell access policies, 387 shortcut trusts creating, 337 explained, 327 Show Attribute Meta-Data for Active Directory Object option (replmon utility), 490 Show Bridgehead Servers option (replmon utility), 490 Show Current Performance Data option (replmon utility), 490 Show Domain Controllers in Domain option (replmon utility), 490 Show Global Catalog Servers in Enterprise option (replmon utility), 490 Show Group Policy Object Status option (replmon utility), 490 Show Replication Topologies option (replmon utility), 490 Show Trust Relationships option (replmon utility), 490 showconn parameter (repadmin utility), 493 showmeta parameter (repadmin utility), 492 showreps parameter (repadmin utility), 492 SID filtering, 340–341 “SID Filtering Dialog box-Securing External Trusts” (article), 341 SIDs (security identifiers), 21–22 signing certificates, obtaining, 610 Simple Certificate Enrollment Protocol (SCEP), 602 Simple Mail Transfer Protocol (SMTP), 184 site link bridges, 185 site links configuring, 185–186 costs, 186–188 explained, 184 sites benefits of, 178–179 creating, 180–181 “Do I Know This Already?” quiz, 173–177 domain controllers, adding, 181 exam preparation tasks, 201–202 explained, 30, 178 832 sites ISTG (Intersite Topology Generator), 189 KCC (Knowledge Consistency Checker), 189 planning, 179 site link bridges, 185 site links configuring, 185–186 costs, 186–188 explained, 184 subnets, creating, 182–184 skip parameter (dcdiag utility), 495 SLC (Server Licensor certificate), 229 Slides of Trust page (New Trust Wizard), 332 smart card authentication strategy, implementing, 609–610, 612–615 smart card enrollment, configuring, 609–610 SMTP (Simple Mail Transfer Protocol), 184 snap-ins Active Directory Schema, 220 Active Directory Sites and Services, 179, 221 adding domain controllers, 181 creating sites, 180–181 creating subnets, 182–184 ADSI Edit, 217–218 Certificates, installing, 573–574 DFS Management, 193 Security Configuration and Analysis, 439 Security Templates, 439 SOA (start of authority) resource record, 61, 68 software package properties, 405 redeploying, Group Policy and, 413 software deployment assigning software to computers, 399 to users, 399 benefits of, 398 “Do I Know This Already?” quiz, 393–397 exam preparation tasks, 414 with Group Policy explained, 400–401 software installation properties, 403–405 software package properties, 405–407 ZAP files, 402–403 modifying software packages with transform files, 409–410 publishing software to users, 399 redeploying upgraded software, 411–412 removing software, 413 software lifecycle, 398–399 upgrading software, 407–409 Software Installation and Maintenance assigning software, 399 publishing software, 399 Software Installation Properties dialog box, 403, 405 Software Package Properties dialog box, 405–407 solution accelerators, 771 “Specify CRL Distribution Points” (article), 620 Specify the Computer Name page (Active Directory Domain Services Installation Wizard), 258 SRV (service) resource record, 61 staging environments, 548 standalone CAs (certificate authorities), 566 troubleshooting 833 start of authority (SOA) resource record, 61, 68 Starter GPOs, 385–387 statistics command (dnscmd), 70 Stop Other Services dialog box, 550 Strict RFC (ANSI), 125 stub zones, 53 subdividing namespaces, 77–78 subnets, creating, 182–184 subordinate CAs (certificate authorities), installing, 571 Summary page (Active Directory Installation Wizard), 87 Support Tools, Event Viewer, customizing, 470–471 sync parameter (repadmin utility), 493 syncall parameter (repadmin utility), 493 Synchronize Each Directory Partition with All Servers option (replmon utility), 490 syskey utility, 276–277 Sysprep, 771 system keys, 276–277 System Recovery Options dialog box, 538 Systemlog test (dcdiag utility), 496 SYSVOL folder, replication, 261 SysvolPath option (Active Directory installation), 91 T target option (Gpupdate), 511 Task Manager, 463–465 template accounts, 290–291 templates administrative templates, 380–384 certificate templates archiving keys, 599 configuring, 593–595 defined, 592 duplicating, 597–598 enabling, 597 key recovery agents (KRAs), 599–602 permissions, 595–597 template types, 592 GPTs (Group Policy Templates), 352–353 template accounts, 290–291 test parameter (dcdiag utility), 495 three-tier CA hierarchy, 566 Time Service (W32time), 161–162 time to live (TTL), 66–68 top-level domains, 49 TPM (Trusted Platform Module), 263–264 transfer, zone transfer configuration, 132–133 full zone transfer (AXFR), 130 incremental zone transfer (IXFR), 131 secure zone transfer, 134–136 transferring operations master roles, 165–167 transform files compared to patches, 411 modifying software packages with, 409–410 transitive trusts, 325–326 trees explained, 27 multiple trees, 79 troubleshooting certificate revocation lists (CRLs), 620–621 Group Policy with RSoP Delegation of Control Wizard, 509 explained, 496–497 Gpresult, 509–510 Gpupdate, 511 834 troubleshooting logging mode, 501–508 planning mode, 497–501 saving RSoP data, 508–509 Trust Anchors tab (Properties dialog box), 122 Trust Creation Complete page (New Trust Wizard), 333 Trust Name page (New Trust Wizard), 330–331 trust policies, configuring, 236–237 trust relationships authentication scope, 338–340 defined, 325 “Do I Know This Already?” quiz, 321–324 exam preparation tasks, 343 external trusts creating, 335–336 explained, 326 forest trusts creating, 329–330, 332–335 explained, 326 prerequisites, 328–329 realm trusts creating, 336 explained, 326 removing cross-forest trust relationships, 341–342 shortcut trusts creating, 337 explained, 327 SID filtering, 340–341 table of trust type, 328 transitive trusts, 325–326 validating, 338 Trust Selections Complete page (New Trust Wizard), 333 Trust Type page (New Trust Wizard), 330–331 Trusted Platform Module (TPM), 263–264 trusts, federation trusts account stores, 240–241 claims, 239 configuring, 238–241 configuring/enabling applications, 241–242 creating, 242–243 TTL (time to live), 66–68 turning off BitLocker, 269 two-tier CA hierarchy, 566 U u option (Gpresult), 510 u parameter (dcdiag utility), 495 UGMC (Universal Group Membership Caching), 151 unattend.xml file, 770 unattended installations of Active Directory, 90–92 “Understanding AD FS Role Services” (article), 233 “Understanding AD RMS Certificates” (article), 230 “Understanding Claims” (article), 238 “Understanding User Accounts” (article), 286 “Understanding When to Create a Shortcut Trust” (article), 337 unidirectional replication, 260–261 Universal Group Membership Caching (UGMC), 151 unlocking accounts, 427 Update Status option (replmon utility), 490 Upgrades tab (Software Package Properties dialog box), 406 upgrading domain and forest functional levels, 95–96 utilities 835 software, 407–409 Windows Server 2003 domain controllers, 97 Windows Server 2003 or 2008 computers, 769–770 UPNs (user principal names), 21, 101–102, 296–298 Use license, 230 “Use the Network Device Enrollment Service” (article), 604 user accounts contact, 298–299 creating with Csvde tool, 292–293 with Dsadd tool, 294–295 with Ldifde tool, 293–294 manually, 288–290 with scripts, 296 delegating administrative control, 313–316 deprovisioning, 312–313 distribution lists, 299–300 “Do I Know This Already?” quiz, 281–285 exam preparation tasks, 317–318 explained, 286 Protected Admin accounts, 309–310 resetting, 308 template accounts, 290–291 UPNs (user principal names), 296–298 user authentication, smart cards, implementing, 609–610, 612–615 user objects, disabling, 370 user option (Gpresult), 509 user principal names (UPNs), 21, 101–102, 296–298 user rights (Group Policy), 378 UserName option (Active Directory installation), 90 users administrator role separation, 261–262 assigning software to, 399 publishing software to, 399 “Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide” (article), 237 utilities Adprep, 96-97 Adprep /rodcprep, 255 Auditpol.exe, 447, 449 Csvde, 292–293 dcdiag, 494–496 dnscmd, 137–138 Dsadd, 223, 294–295 dsget, 295 dsmgmt, 262 dsmod, 295 dsmove, 295 dsquery, 295 dsrm, 295 Event Viewer, 466–471 Gpresult, 509–510 Gpupdate, 511 Ldifde, 293–294, 434 Ldp.exe, 218–220, 541–544 Network Monitor, 459–461, 463 nmcap.exe, 463 ntdsutil, 529 Performance Monitor, 476–479 Reliability Monitor, 473, 475 repadmin, 491 /add parameter, 492–493 /replicate parameter, 491 /replsummary parameter, 494 /showconn parameter, 493 /showmeta parameter, 492 836 utilities /showreps parameter, 492 /sync parameter, 493 /syncall parameter, 493 replmon, 487–491 Resource Monitor, 473–474 Server Performance Advisor, 486 syskey, 276–277 Task Manager, 463–465 wbadmin, 525, 534–535 Windows System Resource Manager (WSRM), 484–486 V v option (Gpresult), 510 v parameter (dcdiag utility), 495 validating trust relationships, 338 verifying Active Directory installation, 98, 100 VerifyReferences test (dcdiag utility), 496 VHD (virtual hard disk) files, 245–246 viewing PSOs, 435–436 virtual hard disk (VHD) files, 245–246 virtualization, Windows Server 2008 R2, 244–246 W W32time, 161–162 wait option (Gpupdate), 511 wbadmin command, 525, 534–535 WDS (Windows Deployment Services), 771 Web agents (AD FS), 233 Welcome page (Active Directory Installation Wizard), 87 “What’s New in AD DS: Active Directory Recycle Bin” (article), 545 “What’s New in Group Policy” (article), 355 Windows Deployment Services (WDS), 771 Windows Installer, 412 Windows Management Instrumentation (WMI), 374 Windows Memory Diagnostic tool, 764 Windows PowerShell, 296, 374–376 Windows PowerShell 2.0, explained, 37 Windows Script Host (WSH), 296 Windows Server 2003 Support Tools, Event Viewer, 470–471 upgrading, 769–770 Windows Server 2003 domain controllers, upgrading, 97 Windows Server 2008 Active Directory. See Active Directory certificate services. See AD CS (Active Directory Certificate Services) security configuration tools, 439–441 upgrading, 769–770 Windows Server 2008 R2 features, 211 hardware requirements, 763–764 installation automated installation, 770–771 complete server installation from DVD-ROM, 764–766 upgrading Windows Server 2003 or 2008 computers, 769–770 Windows Server Core commands, 768–769 Windows Server Core computers, 767–768 installing DNS (Domain Name System) on, 49–51 new features, 37–39 virtualization, 244–246 wizards 837 “Windows Server 2008 Restartable AD DS Step-by-Step Guide” (article), 550 Windows Server Backup backing up critical volumes of domain controllers, 522–524 backup permissions, 521 installing, 521–522 to removable media, 527 restore options. See also Recycle Bin authoritative restore, 536–537 authoritative restore of group memberships, 539 Directory Services Restore Mode (DSRM), 528–529 explained, 528 full-server recovery of domain controllers, 538–539 GPOs (Group Policy Objects), 545, 547–548 linked-value replication, 539 nonauthoritative restore, 529–534 recovering back-links of authoritatively restored objects, 537 wbadmin command, 534–535 scheduling backups, 526–527 wbadmin utility, 525 Windows Server 2008 versus Windows Server 2008 R2, 520–521 Windows Server Core commands, 768–769 installation, 767–768 Windows Server Migration Tools, 39 Windows System Resource Manager (WSRM), 484–486 Windows Time Service (W32time), 161–162 Windows token-based agents, 233 WINS, integrating with DNS (Domain Name System), 68–69 wizards Active Directory Installation Wizard, 82 installing domain controllers in existing domains, 89 installing new domains in existing forests, 88 installing new forests, 83–87 AD DS Installation Wizard, 256–257 Add Monitored Server Wizard, 487, 489–491 Add Revocation Configuration Wizard, 623 Add Role Services Wizard, 603 Add Roles Wizard, 36, 83 installing CAs with, 567–568, 570–571 Certificate Export Wizard, 576–577 Certificate Import Wizard, 577–578 Certification Authority Backup Wizard, 580–581 Certification Authority Restore Wizard, 581 Configure a DNS Server Wizard, 117 Create New Data Collector Set Wizard, 480–481 Delegation of Control Wizard, 364, 509 Import Settings Wizard, 547–548 Lightweight Directory Services Setup Wizard, 214–216 New Connection Security Rule Wizard, 134–136 New Delegation Wizard, 118 New Trust Wizard creating external trusts, 335–336 creating forest trusts, 329–330, 332–335 creating realm trusts, 336 creating shortcut trusts, 337 838 wizards Recovery Wizard, 531–534 Security Configuration Wizard, 439 WMI (Windows Management Instrumentation), 374 “Work with WMI Filters” (article), 374 WSH (Windows Script Host), 296 WSRM (Windows System Resource Manager), 484–486 X-Z X.500, 17–18 z option (Gpresult), 510 ZAP (Zero Administration Package) files, 402–403 zoneadd command (dnscmd), 70 zonedelete command (dnscmd), 70 zoneexport command (dnscmd), 70 zoneinfo command (dnscmd), 70 zones (DNS) adding authoritative secondary servers to, 63 configuring zone properties, 62 configuring zone types, 63 creating, 57–60 DNS notify, 133–134 forward lookup zones, 57–58 GlobalNames zones, 54–55 integrated zones, 53–54 loading zone data, 126 primary zones, 53 replication scope, 128–130 reverse lookup zones, 59–60 secondary zones, 53 stub zones, 53 time to live (TTL), 66–68 zone delegation, 117–119 zone scavenging, 65–66 zone transfer configuration, 132–133 full zone transfer (AXFR), 130 incremental zone transfer (IXFR), 131 secure zone transfer, 134–136 This page intentionally left blank Try Safari Books Online FREE Get online access to 5,000+ Books and Videos FREE TRIAL—GET STARTED TODAY! www.informit.com/safaritrial Find trusted answers, fast Only Safari lets you search across thousands of best-selling books from the top technology publishers, including Addison-Wesley Professional, Cisco Press, O’Reilly, Prentice Hall, Que, and Sams. Master the latest tools and techniques In addition to gaining access to an incredible inventory of technical books, Safari’s extensive collection of video tutorials lets you learn from the leading video training experts. WAIT, THERE’S MORE! Keep your competitive edge With Rough Cuts, get access to the developing manuscript and be among the first to learn the newest technologies. Stay current with emerging technologies Short Cuts and Quick Reference Sheets are short, concise, focused content created to get you up-to-speed quickly on new and cutting-edge technologies. Your Publisher for IT Certification Apps Articles & Chapters Pearson IT Certification is the leader in technology certification learning and preparation tools. Blogs Books Visit pearsonITcertification.com today to find • CERTIFICATION EXAM information and guidance for IT certifications, including eBooks eBooks (Watermarked) Cert Flash Cards Online Newsletters • EXAM TIPS AND TRICKS by reading the latest articles and sample chapters by Pearson IT Certification·s expert authors and industry experts, such as • Mark Edward Soper and David Prowse - CompTIA Podcasts Question of the Day Rough Cuts Short Cuts • Wendell Odom - Cisco • Shon Harris - Security Videos • Thomas Erl - SOACP Connect with Pearson IT Certification pearsonITcertification.com/ newsletters • SPECIAL OFFERS (pearsonITcertification.com/promotions) • REGISTRATION for your Pearson IT Certification products to access additional online material and receive a coupon to be used on your next purchase Be sure to create an account on pearsonITcertification.com and receive member·s-only offers and benefits. Pearson IT Certification is a publishing imprint of Pearson twitter.com/ pearsonITCert facebook.com/ pearsonitcertification youtube.com/ pearsonITCert pearsonitcertification. com/rss/ This page intentionally left blank
* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project
advertisement
© 2021