www.syngress.com
Syngress is committed to publishing high-quality books for IT Professionals and
delivering those books in media and formats that fit the demands of our customers.
We are also committed to extending the utility of the book you purchase via additional
materials available from our Web site.
SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can
access our [email protected] Web pages. There you may find an assortment
of value-added features such as free e-books related to the topic of this book, URLs
of related Web sites, FAQs from the book, corrections, and any updates from the
author(s).
ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of
some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect
way to extend your reference library on key topics pertaining to your area of
expertise, including Cisco Engineering, Microsoft Windows System Administration,
CyberCrime Investigation, Open Source Security, and Firewall Configuration, to
name a few.
DOWNLOADABLE E-BOOKS
For readers who can't wait for hard copy, we offer most of our titles in downloadable
Adobe PDF form. These e-books are often available weeks before hard copies, and
are priced affordably.
SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt
books at significant savings.
SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers
in corporations, educational institutions, and large organizations. Contact us at
[email protected] for more information.
CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress
books, as well as their own content, into a single volume for their own internal
use. Contact us at [email protected] for more information.
Visit us at www.syngress.com
Naomi Alpern
Tariq Azad
Laura Hunter
John Karnay
Jeffery Martin
Gene Whitley
Tony Piltzecker, Technical Editor
Robert J. Shimonski, Technical Reviewer
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production
(collectively Makers) of this book (the Work) do not guarantee or warrant the results to be
obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work
is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state
to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other
incidental or consequential damages arising from the Work or its contents. Because some states do
not allow the exclusion or limitation of liability for consequential or incidental damages, the above
limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when
working with computers, networks, data, and files.
Syngress Media® and Syngress® are registered trademarks of Elsevier, Inc. Brands and product names
mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 BPOQ48722D
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T
PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803
The Real MCTS/MCITP Exam 70-640 Prep Kit
Copyright © 2008 by Elsevier, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced
or distributed in any form or by any means, or stored in a database or retrieval system, without the
prior written permission of the publisher, with the exception that the program listings may be
entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN 13: 978-1-59749-235-5
Publisher: Andrew Williams
Acquisitions Editor: David George
Technical Editor: Tony Piltzecker
Project Manager: Gary Byrne
Page Layout and Art: SPI
Copy Editors: Audrey Doyle, Mike McGee
Indexer: Ed Rush
Cover Designer: Michael Kavish
For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales
Director and Rights, at Syngress Publishing; email [email protected].
Technical Editor
Tony Piltzecker (CISSP, MCSE, CCNA, CCVP, Check Point CCSA, Citrix
CCA), author and technical editor of Syngress Publishing's MCSE Exam 70-296
Study Guide and DVD Training System and How to Cheat at Managing Microsoft
Operations Manager 2005, is an independent consultant based in Boston, MA.
Tony's specialties include network security design, Microsoft operating system
and applications architecture, and Cisco IP Telephony implementations. Tony's
background includes positions as systems practice manager for Presidio Networked
Solutions, IT manager for SynQor Inc, network architect for Planning
Systems, Inc., and senior networking consultant with Integrated Information
Systems. Along with his various certifications, Tony holds a bachelor's degree in
business administration. Tony currently resides in Leominster, MA, with his wife,
Melanie, and his daughters, Kaitlyn and Noelle.
Technical Reviewer
Robert J. Shimonski (MCSE, etc) is an entrepreneur, a technology consultant,
and a published author with more than 20 years of experience in business and
technology. Robert's specialties include designing, deploying, and managing
networks, systems, virtualization, storage-based technologies, and security analysis.
Robert also has many years of diverse experience deploying and engineering
mainframes and Linux- and UNIX-based systems such as Red Hat and Sun
Solaris. Robert has in-depth work-related experience with and deep practical
knowledge of globally deployed Microsoft- and Cisco-based systems and stays
current on the latest industry trends. Robert consults with business clients to help
forge their designs, as well as to optimize their networks and keep them highly
available, secure, and disaster free.
Robert is the author of many information technology-related articles and
published books, including the best-selling Sniffer Network Optimization and
Troubleshooting Handbook, Syngress (ISBN: 1931836574). Robert is also the
author of other best-selling titles, including Security+ Study Guide and DVD
Training System (ISBN: 1931836728), Network+ Study Guide & Practice Exams:
Exam N10-003 (ISBN: 1931836426), and Building DMZs for Enterprise Networks
(ISBN: 1931836884) also from Syngress. His current book offerings include the
newly published Vista for IT Security Professionals, Syngress (978-1-59749-139-6),
as well as being a series editor on the new Windows Server 2008 MCITP series
from Syngress publishing.
Contributing Authors
Naomi J. Alpern currently works for Microsoft as a consultant
specializing in Unified Communications. She holds many Microsoft
certifications, including an MCSE and MCT, as well as additional
industry certifications such as Citrix Certified Enterprise Administrator,
Security+, Network+, and A+. Since the start of her technical career,
she has worked in many facets of the technology world, including
IT administration, technical training, and, most recently, full-time
consulting. She likes to spend her time reading cheesy horror and
mystery novels when she isn't browsing the Web. She is also the
mother of two fabulous boys, Darien & Justin, who mostly keep her
running around like a headless chicken.
Tariq Bin Azad is the principal consultant and founder of NetSoft
Communications Inc., a consulting company located in Toronto,
Canada. He is considered a top IT professional by his peers,
coworkers, colleagues, and customers. He obtained this status by
continuously learning and improving his knowledge and information
in the field of information technology. Currently, he holds more than
100 certifications, including MCSA, MCSE, MCTS, MCITP (Vista,
Mobile 5.0, Microsoft Communications Server 2007, Windows 2008,
and Microsoft Exchange Server 2007), MCT, CIW-CI, CCA, CCSP,
CCEA, CCI, VCP, CCNA, CCDA, CCNP, CCDP, CSE, and many
more. Most recently, Tariq has been concentrating on Microsoft
Windows 2000/2003/2008, Exchange 2000/2003/2007, Active
Directory, and Citrix implementations. He is a professional speaker
and has trained architects, consultants, and engineers on topics such
as Windows 2008 Active Directory, Citrix Presentation Server, and
Microsoft Exchange 2007. In addition to owning and operating an
independent consulting company, Tariq works as a senior consultant
and has utilized his training skills in numerous workshops, corporate
trainings, and presentations. Tariq holds a Bachelor of Science in
Information Technology from Capella University, USA, a bachelor's
degree in Commerce from University of Karachi, Pakistan, and is
working on his ALMIT (Masters of Liberal Arts in Information
Technology) from Harvard University. Tariq has been a coauthor on
multiple books, including the best-selling MCITP: Microsoft Exchange
Server 2007 Messaging Design and Deployment Study Guide: Exams
70-237 and 70-238 (ISBN: 047018146X) and The Real MCTS/
MCITP Exam 640 Preparation Kit (ISBN: 978-1-59749-235-5). Tariq
has worked on projects or trained for major companies and organizations,
including Rogers Communications Inc., Flynn Canada, Cap
Gemini, HP, Direct Energy, Toyota Motors, Compaq, IBM, Citrix
Systems Inc., Unicom Technologies, and Amica Insurance Company.
He lives in Toronto, Canada, and would like to thank his father, Azad
Bin Haider, and his mother, Sitara Begum, for a lifetime of guidance
and for their understanding and support in giving him the skills that have
allowed him to excel in work and life.
Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I,
CCNA, A+, Network+, iNet+, Security+, CNE-4, CNE-5) is a senior
IT specialist with the University of Pennsylvania, where she provides
network planning, implementation, and troubleshooting services for
various business units and schools within the university. Her specialties
include Microsoft Windows 2000/2003 design and implementation,
troubleshooting, and security topics. As an MCSE Early Achiever on
Windows 2000, Laura was one of the first in the country to renew her
Microsoft credentials under the Windows 2000 certification structure.
Laura's previous experience includes a position as the director of
computer services for the Salvation Army and as the LAN administrator
for a medical supply firm. She also operates as an independent
consultant for small businesses in the Philadelphia metropolitan area
and is a regular contributor to the TechTarget family of Web sites.
Laura has previously contributed to Syngress Publishing's
Configuring Symantec Antivirus, Corporate Edition (ISBN 1-931836-81-7).
She has also contributed to several other exam guides in the Syngress
Windows Server 2003 MCSE/MCSA DVD Guide and Training
System series as a DVD presenter, contributing author, and technical
reviewer.
Laura holds a bachelor's degree from the University of Pennsylvania
and is a member of the Network of Women in Computer Technology, the
Information Systems Security Association, and InfraGard, a cooperative
undertaking between the U.S. Government and other participants dedicated
to increasing the security of United States critical infrastructures.
John Karnay is a freelance writer, editor, and book author living in
Queens, NY. John specializes in Windows server and desktop deployments
utilizing Microsoft and Apple products and technology. John
has been working with Microsoft products since Windows 95 and
NT 4.0 and consults for many clients in New York City and Long
Island, helping them plan migrations to XP/Vista and Windows
Server 2003/2008. When not working and writing, John enjoys
recording and writing music as well as spending quality time with
his wife, Gloria, and daughter, Aurora.
Jeffery A. Martin MS/IT, MS/M (MCSE, MCSE:Security, MCSE:
Messaging, MCDBA, MCT, MCSA, MCSA:Security, MCSE:Messaging,
MCP+I, MCNE, CNE, CNA, CCA, CTT, A+, Network+,
I-Net+, Project+, Linux+, CIW, ADPM) has been working with
computer networks for more than 20 years. He is an editor, coeditor,
author, or coauthor of more than 15 books and enjoys training others
in the use of technology.
Gene Whitley (MBA, MCSE, MCSA, MCTS, MCP, Six Sigma
Green Belt) is a senior systems engineer with Nucentric Solutions
(www.nucentric.com), a technology integration firm in Davidson, NC.
Gene started his IT career in 1992 with Microsoft, earning his MCP in
1993 and MCSE in 1994. He has been the lead consultant and project
manager on numerous Active Directory and Exchange migration projects
for companies throughout the U.S. Gene has been a contributing
author on such books as How To Cheat At IIS 7 Server Administration,
How To Cheat At Microsoft Vista Administration, and Microsoft Forefront
Security Administration Guide. When not working, he spends his time
with his wife and best friend, Samantha. Gene holds an MBA from
Winthrop University and a BSBA in Management Information Systems
from The University of North Carolina at Charlotte.
Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Chapter 1 Configuring Server Roles in Windows 2008 . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
New Roles in 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Using Server Manager to Implement Roles . . . . . . . . . . . . . . . . . . . . . . 3
Using Server Core and Active Directory . . . . . . . . . . . . . . . . . . . . . . . . 9
What Is Server Core? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Read-Only Domain Controllers (RODCs) . . . . . . . . . . . . . . . . . . . . . . . . 15
Introduction to RODC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Its Purpose in Life . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Its Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Configuring RODC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Removing an RODC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Active Directory Lightweight Directory Service (LDS) . . . . . . . . . . . . . . . 22
When to Use AD LDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Changes from Active Directory Application Mode (ADAM) . . . . . . . . . 23
Configuring AD LDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Working with AD LDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Active Directory Rights Management Service (RMS) . . . . . . . . . . . . . . . . 28
What's New in RMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
RMS vs. DRMS in Vista . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Configuring RMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Active Directory Federation Services (ADFS) . . . . . . . . . . . . . . . . . . . . . . 37
What Is Federation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Why and When to Use Federation . . . . . . . . . . . . . . . . . . . . . . . . . 38
Configuring ADFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . 54
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Chapter 2 Configuring Network Services . . . . . . . . . . . . . . . . . . . . . . . 61
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Configuring Domain Name System (DNS) . . . . . . . . . . . . . . . . . . . . . . . . 63
Identifying DNS Record Requirements . . . . . . . . . . . . . . . . . . . . . 68
Installing and Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Using Server Core and DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Configuring Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Zone Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Active Directory Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Reverse Lookup Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Configuring Reverse Lookup Zones . . . . . . . . . . . . . . . . . . . . . 87
Configuring Zone Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Configuring Dynamic Host Configuration Protocol (DHCP) . . . . . . . . . . 93
DHCP Design Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
DHCP Servers and Placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Installing and Configuring DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Using Server Core and DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Configuring DHCP for DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Configuring Windows Internet Naming Service (WINS) . . . . . . . . . . . . . .103
Understanding WINS Replication . . . . . . . . . . . . . . . . . . . . . . . . .105
Automatic Partner Configuration . . . . . . . . . . . . . . . . . . . . . . . .105
Push Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Pull Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Push/Pull Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Replication Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Ring Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Hub-and-Spoke Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Hybrid Replication Models . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Static WINS Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Installing and Configuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Using Server Core for WINS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Configuring WINS for DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .117
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Chapter 3 Working with Users, Groups, and Computers . . . . . . . . . . 125
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Navigating Active Directory Users and Computers . . . . . . . . . . . . . . . . . .126
Creating and Modifying User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . .129
User Account Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
Creating a New Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Domain User Account Considerations . . . . . . . . . . . . . . . . . . . . . . . . .131
Password Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Creating a New Account Using Active Directory Users
and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Modifying a Domain User Account Using Active Directory Users
and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Common User Management Options . . . . . . . . . . . . . . . . . . . . . . . . .156
Creating a New User Account Using Script . . . . . . . . . . . . . . . . . . . . .157
Creating User Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Configuring User Principal Names . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Creating and Modifying Computer Accounts . . . . . . . . . . . . . . . . . . . . . .160
Creating a New Computer Account Using Active Directory Users
and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Modifying a Computer Account Using Active Directory Users
and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Creating a New Computer Account Using a Script . . . . . . . . . . . . . . .167
Resetting a Computer Account Using Active Directory Users
and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Creating and Modifying Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Creating a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Types of Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Group Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Universal Groups Replication Concerns . . . . . . . . . . . . . . . . . . . . .171
Group Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Creating a New Group Using Active Directory Users
and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Modifying a Group Using Active Directory Users
and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
Creating a New Group Using Script . . . . . . . . . . . . . . . . . . . . . . . . . .176
The Delegation of Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
RODC (Read-Only Domain Controller) . . . . . . . . . . . . . . . . . . . . . .184
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .189
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Chapter 4 Configuring the Active Directory Infrastructure . . . . . . . . 197
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Working with Forests and Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Understanding Forests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Understanding Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Forest and Domain Functional Levels . . . . . . . . . . . . . . . . . . . . . . . . .202
Using Domain Functional Levels . . . . . . . . . . . . . . . . . . . . . . . . . .203
Using the Windows 2000 Domain Functional Level . . . . . . . . . .204
Windows Server 2003 Domain Functional Level . . . . . . . . . . . . .204
Windows Server 2008 Domain Functional Level . . . . . . . . . . . . .205
Configuring Forest Functional Levels . . . . . . . . . . . . . . . . . . . . . . .206
Windows 2000 Forest Functional Level (default) . . . . . . . . . . . . .206
Windows Server 2003 Forest Functional Level . . . . . . . . . . . . . .207
Windows Server 2008 Forest Functional Level . . . . . . . . . . . . . .208
Raising Forest and Domain Functional Levels . . . . . . . . . . . . . . . . .208
Raising the Domain Functional Level . . . . . . . . . . . . . . . . . . . . .209
Understanding the Global Catalog . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
UPN Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Directory Information Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Universal Group Membership Information . . . . . . . . . . . . . . . . . . .214
Understanding GC Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214
Universal Group Membership . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Attributes in the Global Catalog . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Placing GC Servers within Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Bandwidth and Network Traffic Considerations . . . . . . . . . . . . . . . .217
Universal Group Membership Caching . . . . . . . . . . . . . . . . . . . . . .218
Working with Flexible Single Master Operation (FSMO) Roles . . . . . .220
Placing, Transferring, and Seizing FSMO Role Holders . . . . . . . . . .223
Locating and Transferring the Schema Master Role . . . . . . . . . . .224
Locating and Transferring the Domain Naming Master Role . . . .227
Locating and Transferring the Infrastructure, RID, and PDC
Operations Master Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Placing the FSMO Roles within an Active Directory
Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .232
Working with Sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Understanding Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
Site Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237
Criteria for Establishing Separate Sites . . . . . . . . . . . . . . . . . . . . . .237
Creating a Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Renaming a Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
Creating Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Associating Subnets with Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Creating Site Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249
Configuring Site Link Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Understanding Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Intrasite Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Intersite Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258
Bridgehead Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
Site Link Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .260
Forcing Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
Replication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
Planning, Creating, and Managing the Replication Topology . . . . . . . .262
Planning Replication Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Creating Replication Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Configuring Replication between Sites . . . . . . . . . . . . . . . . . . . . . . . .263
Troubleshooting Replication Failure . . . . . . . . . . . . . . . . . . . . . . . . . .264
Troubleshooting Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
Using Event Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
Working with Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266
Default Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Forest Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
External Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Shortcut Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
SID Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .281
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Chapter 5 Understanding Group Policy . . . . . . . . . . . . . . . . . . . . . . . . 291
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Types of Group Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Local Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Non-Local Group Policy Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Network Location Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Group Policy Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
Site, Domain, and OU Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
Group Policy Processing Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . .311
Creating and Linking GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
Creating Stand-Alone GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
Linking Existing GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Creating and Linking at One Time . . . . . . . . . . . . . . . . . . . . . . . . . . .316
Controlling Application of Group Policies . . . . . . . . . . . . . . . . . . . . . . . . .318
Enforce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318
Block Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Group Policy Results and Group Policy Modeling . . . . . . . . . . . . . . . .323
WMI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
Group Policy Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Group Policy Loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
GPO Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Administrative Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Starter GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .346
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .348
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Chapter 6 Configuring Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Configuring Software Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Publishing to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
Assigning to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364
Assigning to Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .368
Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370
Redeploying Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370
Upgrading Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371
Removing Software Deployed with Group Policy . . . . . . . . . . . . . . . .375
Forced Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376
Optional Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
Configuring Account Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Domain Password Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Account Lockout Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Fine-Grain Password and Account Lockout Policies . . . . . . . . . . . . . . .384
Configuring a Fine-Grain Password Policy . . . . . . . . . . . . . . . . . . .386
Applying Users and Groups to a PSO with Active Directory Users and Computers . . . . . . . . . . . . . . . . . . . .394
Configuring Audit Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Logon Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .399
Directory Service Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
Configuring Directory Service Access Auditing in Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . .401
Configuring Active Directory Object Auditing . . . . . . . . . . . . . .402
Object Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Configuring Object Access Auditing in Group Policy . . . . . . . . . . .405
Configuring Object Level Auditing . . . . . . . . . . . . . . . . . . . . . . . .405
Other Audit Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Configuring Additional Security-Related Policies . . . . . . . . . . . . . . . . . . .409
User Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .411
Restricted Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
Adding a New Restricted Group . . . . . . . . . . . . . . . . . . . . . . . . . .416
Modifying a Restricted Group . . . . . . . . . . . . . . . . . . . . . . . . . . . .419
Deleting a Restricted Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
Administrative Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
ADMX Central Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422
Adding ADM Templates to a GPO . . . . . . . . . . . . . . . . . . . . . . . . .424
Converting ADM Files to the ADMX Format . . . . . . . . . . . . . . . . .427
Converting ADM Files to ADMX Files Using the Command Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . .427
Converting ADM Files to ADMX Files Using the MMC Snap-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . .427
Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .437
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .440
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
Chapter 7 Configuring Certificate Services and PKI . . . . . . . . . . . . . . 445
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446
What Is PKI? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447
The Function of the PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
Components of PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .450
How PKI Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .452
PKCS Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .454
How Certificates Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460
Public Key Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
Secret Key Agreement via Public Key . . . . . . . . . . . . . . . . . . . . . . .466
Bulk Data Encryption without Prior Shared Secrets . . . . . . . . . . . .466
User Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479
Machine Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .480
Application Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .480
Analyzing Certificate Needs within the Organization . . . . . . . . . . . . . . . .480
Working with Certificate Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
Configuring a Certificate Authority . . . . . . . . . . . . . . . . . . . . . . . . . .481
Certificate Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .482
Standard vs. Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .482
Root vs. Subordinate Certificate Authorities . . . . . . . . . . . . . . . .483
Certificate Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .484
Certificate Practice Statement . . . . . . . . . . . . . . . . . . . . . . . . . .489
Key Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .489
Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .489
Assigning Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .496
Enrollments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .496
Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .497
Working with Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .501
General Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503
Request Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .505
Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506
Subject Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .508
Issuance Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .509
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .512
Types of Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .513
User Certificate Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .513
Computer Certificate Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .514
Other Certificate Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .516
Custom Certificate Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . .516
Securing Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .519
Versioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .520
Key Recovery Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .521
Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .523
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .524
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .526
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .529
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .532
Chapter 8 Maintaining an Active Directory Environment . . . . . . . . . 533
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534
Backup and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534
Using Windows Server Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .535
Scheduling a Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .540
Backing Up to Removable Media . . . . . . . . . . . . . . . . . . . . . . . . .548
Backing Up System State Data . . . . . . . . . . . . . . . . . . . . . . . . . . . .551
Backing Up Key Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .555
Backing Up Critical Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . .556
Recovering System State Data . . . . . . . . . . . . . . . . . . . . . . . . . . . .557
Recovering Key Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .559
Directory Services Restore Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . .565
Performing Authoritative and Nonauthoritative Restores . . . . . . . . . . .568
Authoritative Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Nonauthoritative Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .575
Linked Value Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .575
Backing Up and Restoring GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . .575
Offline Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .584
Restartable Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .584
Offline Defrag and Compaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . .587
Active Directory Storage Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . .590
Monitoring Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .591
The Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .591
The Task Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .594
The Applications Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .596
The Processes Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
The Services Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .598
The Performance Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .598
The Networking Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .599
The Users Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .601
The Event Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .602
Custom Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .602
Windows Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .605
Applications and Services Logs . . . . . . . . . . . . . . . . . . . . . . . . . .606
Subscriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .607
Replmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .611
Using Replmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .611
RepAdmin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .618
Windows System Resource Manager . . . . . . . . . . . . . . . . . . . . . . . . . .621
The Windows Reliability and Performance Monitor . . . . . . . . . . . . . .623
Resource Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .624
The Performance Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .625
The Reliability Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .627
Data Collector Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .629
Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .631
Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .633
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .635
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .637
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .639
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .644
Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
Foreword
This book's primary goal is to help you prepare to take and pass Microsoft's Exam
70-640, Windows Server 2008 Active Directory, Configuring. Our secondary purpose in
writing this book is to provide exam candidates with knowledge and skills that go
beyond the minimum requirements for passing the exam and help to prepare them
to work in the real world of Microsoft computer networking.
What Is MCTS Exam 70-640?
Microsoft Certified Technology Specialist (MCTS) Exam 70-640 is both a standalone
test for those wishing to master Active Directory technology and a requirement
for those pursuing certification as a Microsoft Certified Information Technology
Professional (MCITP) for Windows Server 2008. Microsoft's stated target audience
consists of IT professionals with at least one year of work experience on a medium-sized
or large company network. This means a multisite network with at least three
domain controllers running typical network services such as file and print services,
messaging, database, firewall services, proxy services, remote access services, an
intranet, and Internet connectivity.
However, not everyone who takes Exam 70-640 will have this ideal background.
Many people will take this exam after classroom instruction or self-study as
an entry into the networking field. Many of those who do have job experience in
IT will not have had the opportunity to work with all of the technologies covered
by the exam. In this book, our goal is to provide background information that will
help you to understand the concepts and procedures described even if you don't
have the requisite experience, while keeping our focus on the exam objectives.
Exam 70-640 covers the basics of managing and maintaining a network
environment that is built around Microsoft's Windows Server 2008. The book
includes the following task-oriented objectives:
■ Configuring Domain Name System (DNS) for Active Directory
This objective includes configuring zones, configuring DNS server settings,
and configuring zone transfers and replication.
■ Configuring the Active Directory Infrastructure This objective
includes configuring a forest or domain, configuring trusts, configuring
sites, configuring Active Directory replication, configuring the global
catalog, and configuring operations masters.
■ Configuring Additional Active Directory Server Roles This
objective includes configuring Active Directory Lightweight Directory
Service (AD LDS), configuring Active Directory Rights Management
Service (AD RMS), configuring the read-only domain controller
(RODC), and configuring Active Directory Federation Services (AD FS).
■ Creating and Maintaining Active Directory Objects This objective
includes automating the creation of Active Directory accounts, maintaining
Active Directory accounts, creating and applying Group Policy Objects
(GPOs), configuring GPO templates, configuring software deployment
GPOs, configuring account policies, and configuring audit policies
using GPOs.
■ Configuring Active Directory Certificate Services This objective
includes installing Active Directory certificate services, configuring certificate
authority (CA) server settings, managing certificate templates, managing
enrollments, and managing certificate revocations.
Path to MCTS/MCITP/MS Certified Architect
Microsoft certification is recognized throughout the IT industry as a way to
demonstrate mastery of basic concepts and skills required to perform the tasks
involved in implementing and maintaining Windows-based networks. The certification
program is constantly evaluated and improved, while the nature of information
technology is changing rapidly; consequently, requirements and specifications for
certification can also change rapidly. This book is based on the exam objectives as
stated by Microsoft at the time of writing; however, Microsoft reserves the right to
make changes to the objectives and to the exam itself at any time. Exam candidates
should regularly visit the Certification and Training Web site at
www.microsoft.com/learning/mcp/default.mspx for the most updated information on each
Microsoft exam.
Microsoft currently offers three basic levels of certification: the technology
level, professional level, and architect level:
■ Technology Series This level of certification is the most basic, and
it includes the Microsoft Certified Technology Specialist (MCTS)
certification. The MCTS certification is focused on one particular
Microsoft technology. There are 19 MCTS exams at the time of this
writing. Each MCTS certification consists of one to three exams, does
not include job-role skills, and will be retired when the technology is
retired. Microsoft Certified Technology Specialists will be proficient
in implementing, building, troubleshooting, and debugging a specific
Microsoft technology.
■ Professional Series This is the second level of Microsoft certification,
and it includes the Microsoft Certified Information Technology
Professional (MCITP) and Microsoft Certified Professional
Developer (MCPD) certifications. These certifications consist of one
to three exams, have prerequisites from the Technology Series, focus on
a specific job role, and require an exam refresh to remain current. The
MCITP certification offers nine separate tracks as of the time of this
writing. There are two Windows Server 2008 tracks, Server Administrator
and Enterprise Administrator. To achieve the Server Administrator MCITP
for Windows Server 2008, you must successfully complete one Technology
Series exam and one Professional Series exam. To achieve the Enterprise
Administrator MCITP for Windows Server 2008, you must successfully
complete four Technology Series exams and one Professional Series exam.
■ Architect Series This is the highest level of Microsoft certification,
and it requires the candidate to have at least 10 years' industry experience.
Candidates must pass a rigorous review by a review board of existing
architects, and they must work with an architect mentor for a period of
time before taking the exam.
Prerequisites and Preparation
There are no mandatory prerequisites for taking Exam 70-640, although Microsoft
recommends that you meet the target audience profile described earlier. Exam
70-640 is the logical choice for the first step in completing the requirements for
the MCITP.
Preparation for this exam should include the following:
■ Visit the Web site at www.microsoft.com/learning/exams/70-640.mspx to
review the updated exam objectives.
■ Work your way through this book, studying the material thoroughly and
marking any items you don't understand.
■ Answer all practice exam questions at the end of each chapter.
■ Complete all hands-on exercises in each chapter.
■ Review any topics that you don't thoroughly understand.
■ Consult Microsoft online resources such as TechNet (www.microsoft.com/
technet/), white papers on the Microsoft Web site, and so forth, for better
understanding of difficult topics.
■ Participate in Microsoft's product-specific training and certification
newsgroups if you have specific questions that you still need answered.
■ Take at least one practice exam, such as the one included on the Syngress/
Elsevier certification Web site, www.syngress.com/certification.
Exam Overview
NOTE
Those who already hold the MCSA or MCSE in Windows 2003 can
upgrade their certifications to MCITP Server Administrator by passing
one upgrade exam and one Professional Series exam. Those who already
hold the MCSA or MCSE in Windows 2003 can upgrade their certifications
to MCITP Enterprise Administrator by passing one upgrade exam,
two Technology Series exams, and one Professional Series exam.
In this book, we have tried to follow Microsoft's exam objectives as closely as possible.
However, we have rearranged the order of some topics for a better flow and included
background material to help you understand the concepts and procedures that are
included in the objectives. Here is a brief synopsis of the exam topics covered in
each chapter:
■ Configuring Server Roles in Windows 2008 In this chapter you will
learn about the new server roles in Windows Server 2008, including
RODCs, AD LDS, AD RMS, and AD FS. We begin with a discussion of
Server Manager and Server Core, and configuring the Active Directory
Role in Server Core. We then discuss Read-Only Domain Controllers
(RODCs), and their purpose. We show you the features of RODCs, and
then we show you how to install, configure, and remove them. Active
Directory Lightweight Directory Service (AD LDS) is discussed next and
how it differs from ADAM. We show you how to install and work with AD
LDS. Next, we show you how to install and work with Active Directory
Rights Management Service (AD RMS) and how it differs from DRMS in
Windows Vista. Finally, we discuss Active Directory Federation Services
(AD FS), including defining what it is, explaining why and how to use it,
and describing how to configure it.
■ Configuring Network Services Chapter 2 presents the Network
Services used in Windows Server 2008. We begin by presenting the
Domain Name System (DNS), discussing its requirements, explaining how
to install and configure it, and describing how it is used with Server Core.
You'll also learn how to configure zones and zone resolution. Next, we
discuss the Dynamic Host Configuration Protocol (DHCP). We cover
DHCP design principles, installing and configuring DHCP, using DHCP
with Server Core, and configuring DHCP for DNS. The third network
service covered in the chapter is Windows Internet Naming Service
(WINS), including installation and configuration, using WINS with Server
Core, and configuring WINS for DNS.
■ Working with Users, Groups, and Computers This chapter provides
information about creating and modifying user accounts, creating and
modifying computer accounts, creating and modifying groups, and delegation
of tasks. Creating users, groups, and computers is discussed in the
context of individual, manual creation, as well as creating each from scripts
and modifying each using AD Users and Computers.
■ Configuring the Active Directory Infrastructure In this chapter you
will learn about creating the organizational structure of your network.
We begin with a discussion of forests and domains, understanding forests,
forest functional levels and operations masters, domain functional levels
and operations masters, and domain migrations. We next cover topics such
as subnets, site links, replication, and the global catalog. Finally, we cover
trusts, including forest trusts, authentication, transitive, external, and shortcut
trusts, and SID filtering.
■ Understanding Group Policy Group policy is presented in two
chapters: the first of which covers group policy basics, and the second
of which covers how to configure group policies. In this chapter, you
learn about user group policies and computer group policies, site domain
and OU group policy hierarchy, how to create and link group policy
objects (GPOs), both new and existing, controlling the application of
group policies, and using GPO templates.
■ Configuring Group Policy The second Group Policy chapter discusses
configuration. We begin by explaining how to configure software deployment
and publishing and assigning to users and computers. Next, we talk
about configuring account policies, including domain password policy,
account lockout policy, and fine-grain password policies. The last part of
the chapter talks about configuring audit policies.
■ Configuring Certificate Services and PKI We look at Public Key
Infrastructure, its components, how it works, and how certificates work.
Next, we talk about working with certificate services, configuring a
certificate authority, the different types of certificate authorities, backing up and
restoring, assigning roles, enrollments, and revocation. In the last part of the
chapter, we discuss working with templates, including types of templates,
securing permissions, versioning, and key recovery agents.
■ Maintaining an Active Directory Environment In the last chapter of
the book, we discuss how to maintain an Active Directory environment.
We begin by discussing backup and recovery, including using Windows
Server Backup, performing authoritative and nonauthoritative restores,
linked value replication, directory services restore mode, and how to
back up and restore group policy objects. Next, you'll learn about offline
maintenance, including offline defragmentation and compaction, restartable
Active Directory, and storage allocation. Finally, you'll learn how to monitor
Active Directory. Discussed here are the various tools used, including
network monitor, task manager, event viewer, replmon, repadmin, systems
resource manager, reliability and performance manager, and server
performance monitor.
Exam Day Experience
Taking the exam is a relatively straightforward process. Prometric testing centers
administer the Microsoft 70-640 exam. You can register for, reschedule or cancel an
exam through the Prometric Web site at www.register.prometric.com. You'll find
listings of testing center locations on these sites. Accommodations are made for
those with disabilities; contact the individual testing center for more information.
Exam price varies depending on the country in which you take the exam.
Exam Format
Exams are timed. At the end of the exam, you will find out your score and whether
you passed or failed. You will not be allowed to take any notes or other written
materials with you into the exam room. You will be provided with a pencil and
paper, however, for making notes during the exam or doing calculations.
In addition to the traditional multiple choice questions and the select and drag,
simulation and case study questions, you might see some or all of the following
types of questions:
■ Hot area questions, in which you are asked to select an element or elements
in a graphic to indicate the correct answer. You click an element to select
or deselect it.
■ Active screen questions, in which you change elements in a dialog box (for
example, by dragging the appropriate text element into a text box or
selecting an option button or checkbox in a dialog box).
■ Drag and drop questions, in which you arrange various elements in a
target area.
Test-Taking Tips
Different people work best using different methods. However, there are some
common methods of preparation and approach to the exam that are helpful to
many test-takers. In this section, we provide some tips that other exam candidates
have found useful in preparing for and actually taking the exam.
■ Exam preparation begins before exam day. Ensure that you know the concepts
and terms well and feel confident about each of the exam objectives.
Many test-takers find it helpful to make flash cards or review notes to study
on the way to the testing center. A sheet listing acronyms and abbreviations
can be helpful, as the number of acronyms (and the similarity of different
acronyms) when studying IT topics can be overwhelming. The process of
writing the material down, rather than just reading it, will help to reinforce
your knowledge.
■ Many test-takers find it especially helpful to take practice exams that are
available on the Internet and with books such as this one. Taking the
practice exams can help you become used to the computerized exam-taking
experience, and the practice exams can also be used as a learning
tool. The best practice tests include detailed explanations of why the
correct answer is correct and why the incorrect answers are wrong.
■ When preparing and studying, you should try to identify the main points
of each objective section. Set aside enough time to focus on the material
and lodge it into your memory. On the day of the exam, you should be at
the point where you don't have to learn any new facts or concepts; instead,
you'll need simply to review the information already learned.
■ The value of hands-on experience cannot be stressed enough. Exam
questions are based on test writers' experiences in the field. Working with
the products on a regular basis, whether in your job environment or in
a test network that you've set up at home, will make you much more
comfortable with these questions.
■ Know your own learning style and use study methods that take advantage
of it. If you're primarily a visual learner, reading, making diagrams, watching
video files on CD, etc., may be your best study methods. If you're primarily
auditory, classroom lectures, audiotapes you can play in the car as you drive,
and repeating key concepts to yourself aloud may be more effective. If you're
a kinesthetic learner, you'll need to actually do the exercises, implement the
security measures on your own systems, and otherwise perform hands-on
tasks to best absorb the information. Most of us can learn from all of these
methods, but have a primary style that works best for us.
■ Although it may seem obvious, many exam-takers ignore the physical
aspects of exam preparation. You are likely to score better if you've had
sufficient sleep the night before the exam, and if you are not hungry, thirsty,
hot/cold or otherwise distracted by physical discomfort. Eat prior to going
to the testing center (but don't indulge in a huge meal that will leave you
uncomfortable), stay away from alcohol for 24 hours prior to the test, and
dress appropriately for the temperature in the testing center (if you don't
know how hot/cold the testing environment tends to be, you may want to
wear light clothes with a sweater or jacket that can be taken off).
■ Before you go to the testing center to take the exam, be sure to allow time
to arrive on time, take care of any physical needs, and step back to take a
deep breath and relax. Try to arrive slightly early, but not so far in advance
that you spend a lot of time worrying and getting nervous about the
testing process. You may want to do a quick last-minute review of notes,
but don't try to cram everything the morning of the exam. Many test-takers
find it helpful to take a short walk or do a few calisthenics shortly
before the exam to get oxygen flowing to the brain.
■ Before you begin to answer questions, use the pencil and paper provided
to you to write down terms, concepts and other items that you think you
may have difficulty remembering as the exam goes on. Then you can refer
back to these notes as you progress through the test. You won't have to
worry about forgetting the concepts and terms you have trouble with later
in the exam.
■ Sometimes the information in a question will remind you of another
concept or term that you might need in a later question. Use your pen and
paper to make note of this in case it comes up later on the exam.
■ It is often easier to discern the answer to scenario questions if you can
visualize the situation. Use your pen and paper to draw a diagram of the
network that is described to help you see the relationships between
devices, IP addressing schemes, and so forth.
■ When appropriate, review the answers you weren't sure of. However, you
should change your answer only if you're sure that your original answer
was incorrect. Experience has shown that more often than not, when test-takers
start second-guessing their answers, they end up changing correct
answers to incorrect ones. Don't read into the question (that is, don't fill in
or assume information that isn't there); this is a frequent cause of incorrect
responses.
■ As you go through this book, pay special attention to the Exam Warnings,
as these highlight concepts that are likely to be tested. You may find it
useful to go through and copy these into a notebook (remembering that
writing something down reinforces your ability to remember it) and/or go
through and review the Exam Warnings in each chapter just prior to
taking the exam.
■ Use as many little mnemonic tricks as possible to help you remember facts
and concepts. For example, to remember which of the two IPsec protocols
(AH and ESP) encrypts data for confidentiality, you can associate the E
in encryption with the E in ESP.
Pedagogical Elements
In this book, you'll find a number of different types of sidebars and other elements
designed to supplement the main text. These include the following:
■ Exam Warning These sidebars focus on specific elements on which the
reader needs to focus in order to pass the exam (for example, "Be sure you
know the difference between symmetric and asymmetric encryption").
■ Test Day Tip These sidebars are short tips that will help you in
organizing and remembering information for the exam (for example,
"When preparing for the exam on test day, it may be helpful to have
a sheet with definitions of these abbreviations and acronyms handy for
a quick last-minute review").
■ Configuring & Implementing These sidebars contain background
information that goes beyond what you need to know for the exam, but
provide a deep foundation for understanding the concepts discussed in
the text.
■ New & Noteworthy These sidebars point out changes in Windows Server
2008 from Windows Server 2003 as they will apply to readers taking the
exam. These may be elements that users of Windows Server 2003 would be
very familiar with that have changed significantly in Windows Server 2008,
or totally new features that they would not be familiar with at all.
■ Head of the Class These sidebars are discussions of concepts and facts
as they might be presented in the classroom, regarding issues and questions
that most commonly are raised by students during study of a particular
topic.
Each chapter of the book also includes hands-on exercises in planning and configuring
the features discussed. It is essential that you read through and, if possible, perform
the steps of these exercises to familiarize yourself with the processes they cover.
You will find a number of helpful elements at the end of each chapter. For
example, each chapter contains a Summary of Exam Objectives that ties the topics
discussed in that chapter to the published objectives. Each chapter also contains an
Exam Objectives Fast Track, which boils all exam objectives down to manageable
summaries that are perfect for last-minute review. The Exam Objectives Frequently
Asked Questions section answers those questions that most often arise from readers
and students regarding the topics covered in the chapter. Finally, in the Self Test
section, you will find a set of practice questions written in a multiple-choice format
that will assist you in your exam preparation. These questions are designed to assess
your mastery of the exam objectives and provide thorough remediation, as opposed
to simulating the variety of question formats you may encounter in the actual
exam. You can use the Self Test Quick Answer Key that follows the Self Test questions
to quickly determine what information you need to review again. The Self Test
Appendix at the end of the book provides detailed explanations of both the correct
and incorrect answers.
Additional Resources
There are two other important exam preparation tools included with this study
guide. One is the DVD included in the back of this book. The other is the concept
review test available from our Web site.
■ A DVD that provides book content in multiple electronic formats
for exam-day review Review major concepts, test day tips, and exam
warnings in PDF, PPT, MP3, and HTML formats. Here, you'll cut through
all of the noise to prepare you for exactly what to expect when you take
the exam for the first time. You will want to watch this DVD just before
you head out to the testing center!
■ Web-based practice exams Just visit us at www.syngress.com/
certification to access a complete Windows Server 2008 concept multiple-choice
review. These remediation tools are written to test you on all of
the published certification objectives. The exam runs in both live and
practice mode. Use live mode first to get an accurate gauge of your
knowledge and skills, and then use practice mode to launch an extensive
review of the questions that gave you trouble.
Chapter 1
Configuring Server Roles in Windows 2008
MCTS/MCITP Exam 640
Exam objectives review:
■ Summary of Exam Objectives
■ Exam Objectives Fast Track
■ Exam Objectives Frequently Asked Questions
■ Self Test
■ Self Test Quick Answer Key
Exam objectives in this chapter:
■ New Roles in 2008
■ Read-Only Domain Controllers (RODCs)
■ Active Directory Lightweight Directory Service (LDS)
■ Active Directory Rights Management Service (RMS)
■ Active Directory Federation Services (ADFS)
2 Chapter 1 Configuring Server Roles in Windows 2008
Introduction
With the introduction of new revisions to Microsoft products, be it Windows,
Exchange, Communications Server, or others, we have seen a trend toward roles
within each product, as opposed to the various products being an all-in-one type
of solution (as with Exchange 2007), or being additional features that work as a
snap-in, such as DNS in Windows 2003.
With earlier versions, Windows Server 2000 or 2003, an Active Directory
server was just that: an Active Directory server. What we are trying to say here is
that it was more or less an all-or-nothing deal when creating a domain controller
in Windows 2003. Very little flexibility existed in the way a domain controller could
be installed, with the exception of whether a domain controller would also be a
global catalog server or flexible single master operation (FSMO) server.
With the release of Windows Server 2008, we have several new ways to deploy
an Active Directory domain controller. In this chapter, we will discuss the new roles
available in Windows Server 2008, how to create a domain controller, and how to
implement and manage server roles.
New Roles in 2008
Windows Server 2008 offers many new ways to skin the Active Directory cat,
if you will. With the introduction of these new roles is a new way to determine
how they are implemented, configured, and managed within an Active Directory
domain or forest. We will be discussing each of these Active Directory roles in
depth later in this chapter, but the new roles (and the official Microsoft definitions)
are as follows:
■ Read-only domain controller (RODC): This new type of domain
controller, as its name implies, hosts read-only partitions of the Active
Directory database. An RODC makes it possible for organizations to easily
deploy a domain controller in scenarios where physical security cannot
be guaranteed, such as branch office locations, or in scenarios where local
storage of all domain passwords is considered a primary threat, such as in
an extranet or in an application-facing role.
■ Active Directory Lightweight Directory Service (ADLDS):
Formerly known as Windows Server 2003 Active Directory Application
Mode (ADAM), ADLDS is a Lightweight Directory Access Protocol
(LDAP) directory service that provides flexible support for directory-enabled
applications, without the dependencies required for Active
Directory Domain Services (ADDS). ADLDS provides much of the same
functionality as ADDS, but does not require the deployment of domains
or domain controllers.
■ Active Directory Rights Management Service (ADRMS):
Active Directory Rights Management Services (ADRMS), a format- and
application-agnostic technology, provides services to enable the creation
of information-protection solutions. ADRMS includes several new features
that were not available in the earlier Windows Rights Management
Services (RMS). Essentially, ADRMS adds the ability to secure objects.
For example, an e-mail can be restricted to read-only, meaning it cannot
be printed, copied (using Ctrl + C, and so on), or forwarded.
■ Active Directory Federation Services (ADFS): You can use Active
Directory Federation Services (ADFS) to create a highly extensible,
Internet-scalable, and secure identity access solution that can operate
across multiple platforms, including both Windows and non-Windows
environments. Essentially, this allows cross-forest authentication to
external resources, such as another company's Active Directory. ADFS
was originally introduced in Windows Server 2003 R2, but lacked much
of its now-available functionality.
So, these are the roles themselves, but as also mentioned, they can be managed
in a number of new ways:
■ Server Manager: This is likely to be a familiar tool to engineers who
have worked with earlier versions of Windows. It is a single-screen solution
that helps manage a Windows server, but is much more advanced than the
previous version.
■ Server Core: Server Core brings not only a new way to manage roles,
but an entirely new way to deploy a Windows Server. With Server Core,
we can say goodbye to unnecessary GUIs, applications, services, and many
more commonly attacked features.
Discussing Server Core is going to take considerably longer, so let's start with
Server Manager.
Using Server Manager to Implement Roles
Although we will be discussing Server Manager (Figure 1.1) as an Active Directory
Management tool, it's actually much more than just that.
Figure 1.1 Server Manager
In fact, Server Manager is a single solution (technically, a Microsoft Management
Console [MMC] snap-in) that is used as a single source for managing system identity
(as well as other key system information), identifying problems with servers, displaying
server status, enabled roles and features, and general options such as server updates and
feedback.
Server Manager is enabled by default when a Windows 2008 server is installed
(with the exception of Server Core). However, Server Manager can be shut off
via the system Registry and can be re-opened at any time by selecting Start |
Administrative Tools | Server Manager, or right-clicking Computer under
the Start menu, and choosing Manage (Figure 1.2).
Table 1.1 outlines some of the additional roles and features Server Manager can
be used to control:
Table 1.1 Partial List of Additional Server Manager Features
Role/Feature                              Description
Active Directory Certificate Services     Management of Public Key Infrastructure (PKI)
Dynamic Host Configuration Server         Dynamic assignment of IP addresses to clients
Domain Name Service                       Provides name/IP address resolution
File Services                             Storage management, replication, searching
Print Services                            Management of printers and print servers
Terminal Services                         Remote access to a Windows desktop or application
Internet Information Server               Web server services
Hyper-V                                   Server virtualization
BitLocker Drive Encryption                Whole-disk encryption security feature
Group Policy Management                   Management of Group Policy Objects
SMTP Server                               E-mail services
Failover Clustering                       Teaming multiple servers to provide high availability
WINS Server                               Legacy NetBIOS name resolution
Wireless LAN Service                      Enumerates and manages wireless connections
So, those are the basics of Server Manager. Now let's take a look at how we use
Server Manager to implement a role. Since we will be discussing the four Active
Directory roles in depth later in this chapter, let's take the IIS role and talk about
using the Add Role Wizard to install Internet Information Services (IIS).
EXERCISE 1.1
USING THE ADD ROLE WIZARD
Notice in Figure 1.1 that the Server Manager window is broken into
three different sections:
■ Provide Computer Information
■ Update This Server
■ Customize This Server
Figure 1.2 Opening Server Manager
Under the Customize This Server section, click the Add Role icon.
When the wizard opens, complete the following steps to install IIS onto
the server.
1. Click the Add Roles icon.
2. At the Before You Begin window, read the information provided,
and then click Next.
3. From the list of server roles (Figure 1.3), click the check box next
to Web Server (IIS) and then click Next.
4. If you are prompted to add additional required features, read
and understand the features, and then click Add Required
Features.
5. When you return to the Select Server Roles screen, click Next.
Figure 1.3 List of Server Roles
6. Read the information listed in the Introduction to Web Server (IIS)
window, and then click Next.
7. For purposes of this exercise, we will select all of the default Role
Services, and then click Next.
8. Review the Installation Summary Confirmation screen (Figure 1.4),
and then click Install.
9. When installation is complete, click Close.
10. Notice that on the Server Manager screen, Web Server (IIS) is now
listed as an installed role.
Figure 1.4 The Installation Summary Confirmation Screen
Using Server Core and Active Directory
For years, Microsoft engineers have been told that Windows would never stand up
to Linux in terms of security simply because it was too darn heavy (too much
code), loaded too many modules (services, startup applications, and so on), and was
generally too GUI heavy. With Windows Server 2008, Microsoft engineers can
stand tall, thanks to the introduction of Server Core.
Configuring & Implementing
Scripting vs. GUI
Sure, you can always use a wizard to implement a role, but you also
have the option of using a script. Realistically speaking, it's generally not
the most efficient way to deploy a role for a single server, however. Unless
you are going to copy and paste the script, the chance of error is high
in typing out the commands required. For example, take the following
IIS script syntax (a single command line; the feature names are separated
by semicolons with no spaces):
start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTPPublishingService;IIS-FTPServer;IIS-FTPManagement;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
This script installs ALL of the IIS features, which may not be the
preferred installation for your environment, and within the time it took
to type it out, you may have already completed the GUI install!
What Is Server Core?
What is Server Core, you ask? It's the "just the facts, ma'am" version of Windows
2008. Microsoft defines Server Core as a minimal server installation option for
Windows Server 2008 that contains a subset of executable files, and five server
roles. Essentially, Server Core provides only the binaries needed to support the role
and the base operating system. By default, fewer processes are generally running.
Server Core is so drastically different from what we have come to know from
Windows Server NT, Windows Server 2000, or even Windows Server 2003 over the
past decade-plus, that it looks more like MS-DOS than anything else (Figure 1.5).
With Server Core, you won't find Windows Explorer, Internet Explorer, a Start menu,
or even a clock! Becoming familiar with Server Core will take some time. In fact,
most administrators will likely need a cheat sheet for a while. To help with it all, you
can find some very useful tools on Microsoft TechNet at
http://technet2.microsoft.com/windowsserver2008/en/library/e7e522ac-b32f-42e1-b914-53ccc78d18161033.mspx?mfr=true.
This provides command and syntax lists that can be used with
Server Core. The good news is, for those of you who want the security and features
of Server Core with the ease-of-use of a GUI, you have the ability to manage a
Server Core installation using remote administration tools.
Figure 1.5 The Server Core Console
Before going any further, we should discuss exactly what will run on a Server
Core installation. Server Core is capable of running the following server roles:
■ Active Directory Domain Services Role
■ Active Directory Lightweight Directory Services Role
■ Dynamic Host Configuration Protocol (DHCP)
■ Domain Name System (DNS) Services Role
■ File Services Role
■ Hyper-V (Virtualization) Role
■ Print Services Role
■ Streaming Media Services Role
■ Web Services (IIS) Role
NOTE
Internet Information Server is Microsoft's brand of Web server software,
utilizing Hypertext Transfer Protocol to deliver World Wide Web
documents. It incorporates various functions for security, allows for
CGI programs, and also provides for Gopher and FTP servers.
Although these are the roles Server Core supports, it can also support additional
features, such as:
■ Backup
■ BitLocker
■ Failover Clustering
■ Multipath I/O
■ Network Time Protocol (NTP)
■ Removable Storage Management
■ Simple Network Management Protocol (SNMP)
■ Subsystem for Unix-based applications
■ Telnet Client
■ Windows Internet Naming Service (WINS)
The concept behind the design of Server Core is to truly provide a minimal server
installation. The belief is that rather than installing all the applications, components,
services, and features by default, it is up to the implementer to determine what will
be turned on or off.
Installation of Windows 2008 Server Core is fairly simple. During the installation
process, you have the option of performing a Standard Installation or a Server Core
installation. Once you have selected the hard drive configuration, license key activation,
and End User License Agreement (EULA), you simply let the automatic installation
continue to take place. When installation is done and the system has rebooted, you will
be prompted with the traditional Windows challenge/response screen, and the Server
Core console will appear.
EXERCISE 1.2
CONFIGURING THE DIRECTORY
SERVICES ROLE IN SERVER CORE
So let's put Server Core into action and use it to install Active Directory
Domain Services. To install the Active Directory Domain Services Role,
perform the following steps:
1. The first thing we need to do is set the IP information for the
server. To do this, we first need to identify the network adapter.
In the console window, type netsh interface ipv4 show interfaces
and record the number shown under the Idx column.
2. Set the IP address, Subnet Mask, and Default Gateway for the
server. To do this, type netsh interface ipv4 set address name=<ID>
source=static address=<StaticIP> mask=<SubnetMask>
gateway=<DefaultGateway>. <ID> represents the number from
step 1, <StaticIP> represents the IP address we will assign,
<SubnetMask> represents the subnet mask, and <DefaultGateway>
represents the IP address of the server's default gateway. See
Figure 1.6 for our sample configuration.
Figure 1.6 Setting an IP Address in Server Core
3. Assign the IP address of the DNS server. Since this will be an
Active Directory Domain Controller, we will set the DNS settings
to point to the DNS server. From the console, type netsh interface
ipv4 add dnsserver name=<ID> address=<DNSIP> index=1.
<ID> represents the number from step 1, and <DNSIP> represents
the IP address of the DNS server (in this case, the same IP address
from step 2).
NOTE
BitLocker Drive Encryption is an integral new security feature in Windows
Server 2008 that protects servers at locations, such as branch offices, as
well as mobile computers for all those roaming users out there. BitLocker
provides offline data and operating system protection by ensuring that
data stored on the computer is not revealed if the machine is tampered
with when the installed operating system is offline.
So, here is where things get a little tricky. When installing the Directory
Services role in a full server installation, we would simply open up a Run
window (or a command line) and type in DCPromo. Then, we would
follow the prompts for configuration (domain name, file location, level of
forest/domain security), and then restart the system. Installing the role in
Server Core isn't so simple, yet it's not exactly rocket science. In order to
make this installation happen, we are going to need to configure an
unattended installation file. An unattended installation file (see Figure 1.7)
is nothing more than a text file that answers the questions that would have
been answered during the DCPromo installation. So, let's assume you have
created the unattended file and placed it on a floppy disk, CD, or other
medium, and then inserted it into the Server Core server. Let's go ahead
and install Directory Services:
1. Sign in to the server.
2. In the console, change drives to the removable media. In our
example, we will be using drive E:, our DVD drive.
3. Once you have changed drives, type dcpromo /answer:E:\answer.txt.
Answer.txt is the name of our unattended file (see Figure 1.7).
Figure 1.7 Installing Directory Services in Server Core
4. Follow the installation process as it configures directory services.
Once the server has completed the installation process, it will
reboot automatically.
When the server reboots, you will have a fully functional Active
Directory implementation!
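The exercise describes the unattended file but does not show one. The following [DCInstall] answer file is an added example (not from the book) for promoting the Server Core host from this exercise to the first domain controller of a new forest; the domain name corp.example.com, the NetBIOS name CORP and the NTDS/SYSVOL paths are assumed values, and the DSRM password is a placeholder to be replaced.

```ini
; Added example answer file (not the book's). Assumed values: corp.example.com,
; CORP, and the C:\Windows\NTDS and C:\Windows\SYSVOL paths.
; Invoke from the Server Core console as: dcpromo /answer:E:\answer.txt
[DCInstall]
; Create a new forest rather than joining an existing domain as a replica
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetbiosName=CORP
; Functional levels: 0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008
ForestLevel=3
DomainLevel=3
; The first DC in the forest also hosts DNS and the global catalog
InstallDNS=Yes
ConfirmGc=Yes
; A new forest root has no parent zone to delegate from
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Directory Services Restore Mode password. It sits in clear text in this file,
; so keep the file on the removable media and delete it once promotion has finished
SafeModeAdminPassword=REPLACE_WITH_DSRM_PASSWORD
; Reboot without prompting when dcpromo completes (the automatic reboot in step 4)
RebootOnCompletion=Yes
```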
Read-Only Domain Controllers (RODCs)
One of the biggest mistakes IT organizations make is underestimating the security risk
presented by remote offices. As a consultant, I have seen many organizations (big and
small) make major investments in their corporate IT security strategy, and then turn
around and place a domain controller on top of a desk in a small/remote office, right
next to an exit. Several times during the course of the day, employees, delivery people,
solicitors, and more walk by this door, and often the server itself. Typically, little exists
to stop these people from walking out the door and selling their newly found (stolen)
hardware on eBay. And this is probably a best-case scenario. What would happen if the
information on this server actually ended up in the wrong hands?
Introduction to RODC
Read-only domain controllers were designed to combat this very problem. Let's
take a scenario where a corporation has a remote office with ten employees. On a
daily basis, these ten people are always in the office, while another five to ten float
in and out and sometimes aren't there for weeks at a time. Overall, the company
has about 1,000 employees. In a Windows 2000 Server or Windows Server 2003
Active Directory environment (or, pity you, a Windows NT 4.0 domain), if you
have placed a domain controller in this remote office, all information for every user
account in the organization is copied to this server. Right now, there's probably a light
bulb going off above your head (we can see it all the way from here) as to why this
is a problem just waiting to happen.
Its Purpose in Life
The purpose of the read-only domain controller (RODC) is to deal directly with this
type of issue, and many issues like it. RODCs are one component in the Microsoft
initiative to secure a branch office. Along with RODCs, you may also want to
consider implementing BitLocker (whole-disk encryption), Server Core, as well as
Role Distribution, the ability to assign local administrator rights to an RODC
without granting a user full domain administrator rights.
Its Features
A number of features come with an RODC, which focus on providing heightened
security without limiting functionality to the remote office users. Some of the key
points here are:
■ Read-only replicas of the domain database: Clients are not allowed
to write changes directly to an RODC (much like a Windows NT BDC).
An RODC holds all the Active Directory Domain Services (AD DS) objects
and attributes that a writable domain controller holds, with the exception
of account passwords.
■ Filtered Attribute Sets: The ability to prevent certain AD attributes
from being replicated to RODCs.
■ Unidirectional Replication: Since clients cannot write changes to an
RODC, there is no need to replicate from an RODC to a full domain
controller. This prevents potentially corrupt (or hijacked) data from being
disbursed, and also reduces unnecessary bandwidth usage.
■ Read-only DNS: Allows one-way replication of application directory
partitions, including ForestDNSZones and DomainDNSZones.
■ Cached accounts: By caching accounts, if the RODC were ever
compromised, only the accounts that have been cached need to be
reset. The full DCs are aware of which accounts are cached, and a report
can be generated for auditing purposes.
So these are the key features of a read-only domain controller. Now let's step
through the installation process.
Configuring RODC
Configuring an RODC isn't all that different from adding a traditional domain
controller. The most important thing to remember about an RODC is that a writable
domain controller must exist somewhere in the domain. Once this prerequisite
is met, we can go ahead and configure our RODC. Let's assume that our writable
DC is in place, using the domain information from the previous exercise.
Head of the Class...
Adding an RODC to an Existing Forest
A read-only domain controller can be added to a preexisting forest, but
this will require that schema changes be made to the forest for this to
work properly. The process is fairly simple. Using the adprep tool with the
/rodcprep switch (the actual syntax would be adprep /rodcprep), we can
add the necessary schema changes to support our RODC.
EXERCISE 1.3
CONFIGURING A READ-ONLY DOMAIN CONTROLLER
Let's begin configuring our RODC:
1. Click Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary, click Add roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, choose Active Directory Domain
Services, and then click Next.
5. Click Next again on the Active Directory Domain Services page.
6. On the Confirm Installation Selections page (Figure 1.8),
click Install.
Figure 1.8 Confirming Installation Selections
7. When installation is complete, click Close.
8. If the Server Manager window has closed, re-open it.
9. Expand Roles, and then click Active Directory Domain Services.
10. Under Summary (Figure 1.9), click the link to Run The Active
Directory Domain Services Installation Wizard.
11. Click Next on the Welcome To The Active Directory Domain
Services Installation Wizard page.
12. On the Operating System Compatibility page, click Next.
13. On the Choose A Deployment Configuration page, click Existing
Forest.
14. Ensure Add A Domain Controller To An Existing Domain is
selected, and then click Next.
15. On the Network Credentials page, verify that your domain is
listed, and click Set.
16. In the User Name field, type <domain>\administrator.
17. In the Password field, type your administrator password, and
then click OK (see Figure 1.10).
Figure 1.9 The Summary Page
18. Click Next.
19. On the Select a Domain page, click Next.
20. On the Select a Site page (if you have Sites and Services configured),
you can choose to which site to add this RODC. In this case, we are
using the default site; click Next.
21. Select DNS Server and Read-Only Domain Controller on the
Additional Domain Controller Options page, and then click Next.
22. In the Group Or User field, type <domain>\administrator, and
then click Next.
23. Verify the file locations, and click Next.
24. On the Active Directory Domain Services Restore Mode
Administrator Password page, type and confirm a restore mode
password, and then click Next.
25. On the Summary page, click Next.
26. The Active Directory Domain Services Installation Wizard dialog
box appears. After installation, reboot the server.
Figure 1.10 Setting Account Credentials
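The forest preparation described before step 7 and the wizard pages in steps 11 through 25 can also be driven from a script. The following PowerShell is an added example, not code from the book: it runs the adprep /rodcprep step the text describes and then feeds dcpromo an unattended answer file that mirrors the wizard choices (existing forest and domain, install credentials, site, DNS Server plus Read-Only Domain Controller, default file locations, restore mode password). The domain name contoso.com, the site name, and the media path D:\sources\adprep are assumptions; change them for your environment.

```powershell
# Added example (not from the book): adprep /rodcprep plus an unattended
# equivalent of the RODC installation wizard above.
$domain     = 'contoso.com'                   # assumption
$siteName   = 'Default-First-Site-Name'       # assumption
$adprepExe  = 'D:\sources\adprep\adprep.exe'  # assumption: adprep from the 2008 media
$answerFile = Join-Path $env:TEMP 'rodc-unattend.txt'

# Forest preparation, as the text states (run once per forest as an Enterprise
# Admin). adprep writes its own log under %windir%\debug\adprep\logs.
& $adprepExe /rodcprep

# Restore mode (DSRM) password for step 23, collected at run time rather than
# hard-coded. dcpromo needs it in clear text inside the answer file, so the
# file is deleted again below.
$dsrmSecure = Read-Host 'Restore mode administrator password' -AsSecureString
$bstr       = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrmSecure)
$dsrmPlain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# [DCInstall] keys map to the wizard pages: ReadOnlyReplica = "add a domain
# controller to an existing domain" as an RODC (steps 13-14), UserDomain /
# UserName / Password=* = the Network Credentials page (steps 15-17, the
# password is prompted for), SiteName = step 20, InstallDNS = the DNS Server
# option, the three paths = the default file locations of step 22.
$unattend = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$domain
SiteName=$siteName
InstallDNS=Yes
UserDomain=$domain
UserName=administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@
Set-Content -Path $answerFile -Value $unattend -Encoding ASCII

try {
    # Step 25 equivalent: dcpromo reads the answer file instead of showing pages.
    & dcpromo.exe "/unattend:$answerFile"
}
finally {
    # The answer file contains the DSRM password: remove it whether or not the
    # promotion succeeded.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
    $dsrmPlain = $null
}
Write-Output "Review $env:windir\debug\dcpromo.log, then restart the server to finish."
```

RebootOnCompletion is set to No so that the answer file can be removed before the reboot the exercise ends with. For the staged installation the Exam Tip below describes (an account pre-created in Active Directory Users and Computers), the same answer file is used with the command the tip gives, dcpromo /UseExistingAccount:Attach, placed before the /unattend switch. The default Password Replication Policy of a new RODC already denies caching for Domain Admins, Enterprise Admins, Schema Admins and the other administrative groups, so the script does not alter it.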
EXAM TIP
It is possible to stage an RODC and delegate rights to complete an
RODC installation to a user or group. In order to do this, you must first
create an account in Active Directory for the RODC in Active Directory
Users and Computers. Once inside ADU&C, you must right-click the
Domain Controllers OU container, and select Pre-create Read-Only Domain
Controller Account. From here, you can set the alternate credential for
a user who can then finish the installation. On the server itself, the user
must type dcpromo /UseExistingAccount:Attach in order to complete
the process.
Removing an RODC
There may come a time when you need to remove an RODC from your forest or
domain. Like anything in this world, there is a right way and a wrong way to go
about doing this. For the exam, you'll want to make sure you know the right way.
Removing a read-only domain controller is almost as simple as adding an RODC.
One important thing to remember with an RODC is that it cannot be the first or
the last domain controller in a domain. Therefore, all RODCs must be detached
before removing the final writable domain controller. Fewer steps make up the
removal process. Let's take a look at how this is done.
1. Choose Start | Run.
2. In the Run window, type dcpromo.exe.
3. At the Welcome To Active Directory Domain Services Installation
Wizard screen, click Next.
4. On the Delete The Domain window, make sure the check box is not
checked, and then click Next.
5. Enter your administrator password, and then click Next.
6. Click Next in the Summary window, and then click Next again.
7. When removal is complete, reboot the server.
8. When the server reboots, sign back in.
9. Select Start | Administrative Tools | Server Manager.
10. Scroll down to Role Summary.
11. Expand Roles, and then click Remove Roles.
12. On the Before You Begin page, click Next.
13. Remove the checkmark from Active Directory Domain Services and
DNS Server and click Next.
14. Review the confirmation details, and then click Remove.
15. Review the results page, and click Close.
16. Restart the server if necessary.
Active Directory
Lightweight Directory Service (LDS)
As mentioned earlier, Active Directory Lightweight Directory Service is a slimmed-down
version of AD. The concept of LDS is not new. In fact, it has been around for
several years. However, to date it is probably not as widely known or recognized as
the full ADS installation. Now that AD LDS is a part of the Windows Server 2008
media, you can expect to see many more deployments of the product.
When to Use AD LDS
So, when should you use AD LDS? Well, there are many situations when this is
a more viable option. Typically, LDS is used when directory-aware applications need
directory services, but there is no need for the overhead of a complete forest or domain structure.
Demilitarized Zones (DMZs) are a great example of this. If you are not familiar with
DMZs, Wikipedia defines a DMZ as a physical or logical subnetwork that contains
an organization's external services to a larger untrusted network, usually the Internet.
The purpose of a DMZ is to add an additional layer of security to an organization's
local area network (LAN). You may be hosting an application or Web site in a DMZ
where you want to have the added security of challenge/response using a directory
services model. Since this is in a DMZ, you probably have no need for organizational
units, Group Policy, and so on. By using LDS, you can eliminate these unnecessary
functions and focus on what really is important: authentication and access control.
The other popular option for using LDS is in a situation where you want to
provide authentication services in a DMZ or extranet for internal corporate users.
In this scenario, account credentials can be synchronized between the full internal
domain controller and the LDS instances within the DMZ. This option provides
a single sign-on solution, as opposed to the end user being required to remember
multiple usernames and passwords.
Changes from Active
Directory Application Mode (ADAM)
As mentioned earlier, the LDS concept has been around since Windows Server
2003 R2, but many improvements and new features have been introduced since the
previous release. Some of the key changes between ADAM and LDS are listed next:
■ Auditing: Directory Service changes can now be audited for when
changes are made to objects and their attributes. In this situation, both old
and new values are logged.
■ Server Core Support: AD LDS is now a supported role for installation
in a Server Core implementation of Windows Server 2008. This makes it
ideal for DMZ-type situations.
■ Support for Active Directory Sites and Services: This makes it
possible to manage LDS instance replication using the more familiar
ADS&S tool.
■ Database Mounting Tool: Provides a means to compare data as it exists
in database backups that are taken at different times to help the process of
deciding which backup instance to restore.
These are the key improvements from ADAM in Windows Server 2003 R2 to
AD LDS in Windows Server 2008, but the fact that the product has had more time
to be baked in will greatly improve the functionality and usage of this technology.
Configuring AD LDS
By now, you're probably beginning to see a trend in how things are accomplished
in Windows Server 2008. Everything is done with the use of server roles. Active
Directory Lightweight Directory Services is no different. In our example, we are
going to walk through the process of installing a clean LDS implementation.
EXERCISE 1.4
CONFIGURING LDS
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary, and then click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, select the Active Directory
Lightweight Directory Services option, and then click Next.
5. The installation steps for the role are very straightforward, follow
the prompts and then click Install. After the role installation is
complete, move on to creating an LDS instance.
6. Select Start | Administrative Tools | Active Directory Lightweight
Directory Services Setup Wizard.
7. On the Welcome page, click Next.
8. On the next page, select A Unique Instance, and then click Next.
9. On the Instance Name page (Figure 1.11), provide a name for the
AD LDS instance and click Next.
Figure 1.11 The Instance Name Page
10. On the Ports page, we can specify the ports the AD LDS instance
uses to communicate. Accept the default values of 389 and 636,
and then click Next.
11. On the Application Directory Partition (Figure 1.12) page, we will
create an application directory partition by clicking Yes.
Figure 1.12 The Application Directory Partition Page
12. On this page, we will also need to specify the distinguished name
of our partition. Follow the format in Figure 1.12, and then click
Next.
13. On the File Locations page, review the file locations and click
Next to accept the default locations.
14. On the Service Account Selection page, select an account to
be used as the service account. By default, the Network Service
account is used. Click Next to accept the default option.
15. On the AD LDS Administrators page (Figure 1.13), select a user
(or group) that will be used as the default administrator for
this instance. Click the default value (Currently Logged On User)
and then click Next.
16. Select particular LDIF files to work with our LDS implementation.
We will use the MS-ADLDS-DisplaySpecifiers file later in this section,
so check this option off, and then click Next.
17. Review the Ready To Install page and click Next to begin the
installation process. When setup is complete, click Finish.
Working with AD LDS
Several tools can be used to manage an LDS instance. In this book, we will work
with two of these tools. The first is the ADSI Edit tool. ADSI stands for Active
Directory Service Interfaces, and is used to access the features of directory services
from different network providers. ADSI can also be used to automate tasks such
as adding users and groups and setting permissions on network resources. While
making changes to LDS (or Active Directory) is outside the scope of this book,
we will show you how to use ADSI Edit to connect to an LDS instance.
Figure 1.13 The AD LDS Administrators Page
1. Choose Start | Administrative Tools | ADSI Edit.
2. In the console tree, click ADSI Edit.
3. On the Action menu, click Connect to.
4. In the Name field, type a recognizable name for this connection. This
name will appear in the console tree of ADSI Edit.
5. In Select Or Type A Domain Or Server, enter the fully qualified
domain name (or IP address) of the computer running the AD LDS
instance, followed by a colon and 389, representing the port of the LDS
instance.
6. Under Connection point, click Select and choose your distinguished
name, then click OK.
7. In the console tree of the ADSI Edit snap-in, double-click the name you
created in step 4, and then double-click the distinguished name of your
LDS instance.
8. Navigate around the containers to view the partition configuration.
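The connection ADSI Edit makes in steps 3 through 8 (server name, port 389 from step 10 of Exercise 1.4, then the partition's distinguished name) can be reproduced and checked from PowerShell with the .NET System.DirectoryServices.Protocols classes. The block below is an added example, not code from the book; the server name lds01.contoso.com and the partition DN CN=PrepGuide,DC=contoso,DC=com are assumptions standing in for the values you entered in Figure 1.12. It binds with Negotiate authentication and LDAP signing and sealing, so neither the credentials nor the directory data cross the network in clear text, which a simple bind over port 389 would not guarantee.

```powershell
# Added example (not from the book): connect to an AD LDS instance the way
# ADSI Edit does (host:port, then the partition DN) and verify the partition.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server      = 'lds01.contoso.com'                 # assumption
$port        = 389                                 # default LDS port from Exercise 1.4
$partitionDn = 'CN=PrepGuide,DC=contoso,DC=com'    # assumption: DN from Figure 1.12

$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.ProtocolVersion = 3
# Kerberos/NTLM bind with signing and sealing: no clear-text credentials,
# and the LDAP traffic itself is integrity-protected and encrypted.
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.Bind()

# RootDSE (base search on an empty DN) lists the naming contexts the instance
# hosts; the application partition created in step 11 must be among them.
$rootRequest = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $null, '(objectClass=*)',
    [System.DirectoryServices.Protocols.SearchScope]::Base,
    [string[]]@('namingContexts', 'supportedLDAPVersion'))
$root     = $conn.SendRequest($rootRequest)
$contexts = $root.Entries[0].Attributes['namingContexts'].GetValues([string])

if ($contexts -contains $partitionDn) {
    Write-Output "Partition $partitionDn is hosted on ${server}:$port"
} else {
    Write-Warning "Partition $partitionDn not found. Instance hosts: $($contexts -join '; ')"
}

# Equivalent of step 8: list the top-level containers of the partition.
$listRequest = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $partitionDn, '(objectClass=*)',
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    [string[]]@('distinguishedName'))
$conn.SendRequest($listRequest).Entries | ForEach-Object { $_.DistinguishedName }
$conn.Dispose()
```

The same code connects to port 636 instead if you set $conn.SessionOptions.SecureSocketLayer = $true and the LDS instance has a server certificate; with Negotiate, signing and sealing, port 389 already protects the session, which is the option available immediately after the exercise's default installation.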
The second tool we will discuss is the Active Directory Sites and Services snap-in.
As mentioned earlier in this section, you can use the ADS&S snap-in to manage
replication of directory information between sites in an LDS implementation. This is
useful when LDS is implemented in a geographically dispersed environment.
For example, a server farm that is collocated in a company datacenter and a
disaster recovery location may require replication, and the easiest way to perform
this is via this snap-in. However, it's important to note that we must import the
MS-ADLDS-DisplaySpecifiers.ldf file during the instance configuration (earlier in
this section) in order to use ADS&S. Let's review how to use ADS&S to connect to
an LDS instance.
1. Choose Start | Administrative Tools | Active Directory Sites &
Services.
2. Right-click Active Directory Sites and Services, and then click
Change Domain Controller.
3. In the Change Directory Server window, type the FQDN or IP address
of the server running the LDS instance, followed by :389.
4. Navigate the containers to view information about the LDS instance.
Active Directory
Rights Management Service (RMS)
If you were to poll 100 corporations, you would probably find out that 99 out of
100 companies have had a confidential e-mail or document leave their
environment and fall into the hands of someone for whom it was not originally intended.
Microsoft recognized this issue several years back and began working on a product
named Rights Management Server (RMS). RMS is a great product and is in use at
many companies, but the price of the product often put it out of reach for many
companies. With Windows Server 2008, Microsoft has rebranded and incorporated
the product in the operating system itself. As industry and governmental restrictions
continue to increase, as well as the penalties for mishandling information, providing
a technology such as RMS (or AD RMS in 2008) essentially became a demand
on the part of customers. Although Microsoft is including the server portion in
Windows Server 2008, don't be fooled: there is still a Client Access License (CAL)
for Rights Management. The three main functions of AD RMS are:
■ Creating rights-protected files and templates: Trusted users can
create and manage protection-enhanced files using common authoring
tools (including Office products such as Word, Excel, and Outlook), as well
as templates from AD RMS-enabled applications.
■ Licensing rights-protected information: Certainly the key component
of RMS. It issues a special certificate, known as a rights account certificate, used to
identify trusted objects, such as users and groups, that have the authority
to generate rights-protected content.
■ Acquiring licenses to decrypt rights-protected content and
applying usage policies: As the name implies, RMS works with Active
Directory to determine if users have a required rights account certificate in
order to access rights-protected content.
As stated earlier, RMS has been around for some time, but there have been a
number of advancements since the product was released. Let's take a look at some
of these features.
What's New in RMS
We mentioned early on that probably the most substantial change from earlier versions
of RMS is the fact that it is no longer a separate product from Windows Server. Besides
the fact that this significantly reduces the barrier to entry to use such a technology, it
has also improved the installation and management of the product. At this stage, you
should be familiar with how we install roles. In fact, the RMS installation also takes
care of the prerequisites (such as IIS and Message Queuing) during the installation
process. Isn't it exciting to know that installing the RMS role is just as simple? We will
get to the installation and configuration of RMS later in this section. First though, let's
look at three other areas where improvements have been made over the older product:
■ Self-Enrollment: In previous versions of RMS, an RMS server was
forced to connect (via the Internet) to the Microsoft Enrollment Service in
order to receive a server licensor certificate (SLC), which gives RMS the
rights to issue licenses (and its own certificates). In Windows Server 2008,
Microsoft has eliminated this need by bundling a self-enrollment certificate
into Windows Server 2008, which signs the SLC itself.
■ Delegation of Roles: AD RMS now gives you the flexibility to delegate
certain RMS roles out to other users/administrators. There are four RMS
roles: AD RMS Service Group, AD RMS Enterprise Administrators, AD RMS
Template Administrators, and AD RMS Auditors. The RMS Service Group
essentially holds the service account used by RMS. Enterprise Administrators
has full control of all settings and policies, much like an Active Directory
Enterprise Administrator. As the name implies, a Template Administrator has
rights to create, modify, read, and export templates. Auditors have rights
only to view RMS information, as well as logs and report generation.
■ Integration with Federation Services: We will be covering AD FS
in the next section, but this allows for the ability to share rights-protected
documents with external entities.
RMS vs. DRMS in Vista
Digital Rights Management (DRM) is a tricky topic, particularly when couched in
the common terms of the movie makers versus the general public. Since that discussion
is intensely personal and very controversial, I want to steer clear of making any
statements that endorse or condemn DRM; it is your decision whether or not to
use it. The key differentiator between RMS and DRM is that DRM is generally used
by content manufacturers (music companies, movie companies, and so on), whereas
RMS is intended more for corporations that want to protect company-sensitive data.
With DRM, content producers intend to make sure their wishes are met when
producing and distributing content, and it's hard to argue with that goal. If you write
the next Great American Novel, or you've painted What the Mona Lisa Did Next,
you're justified in releasing it only for what you consider to be appropriate recompense,
or withholding it from the public until you are satisfied with your remuneration.
The objection to DRM (except from those who insist that all information, all
art, and all content wants to be free) comes from putative content consumers
who are concerned that their own ability to consume the content is unnecessarily
restricted; they may want to view the movie they purchased on a different screen,
or add subtitles to it so that they can watch it with a deaf relative.
Too much DRM protection on content means that the content is no longer
acceptably usable by your targeted consumers; if your goal is to sell content to
those consumers, clearly this is a losing proposition. You don't make money by
killing piracy, unless you make money by selling more products as a result.
For publicly available content, however, some protection may remind otherwise-honest
consumers that the content they are viewing is not completely licensed to
them, distribution rights have not been granted, and the content is only intended
to be accessed through the method or media purchased. Disappointing for the
consumer who bought a DVD, intending to watch it on a remote device, but not
totally unsurprising. (If there is a market for watching movies on remote devices,
maybe a smart company will come along and exploit it by licensing content for
distribution in that way.)
Configuring RMS
Another day, another role. As you can imagine, we're going to be using Server
Manager to deploy Rights Management Server. In order to make this work, a
number of things will be in play. During the installation process, we will need to
configure a certificate (via IIS), and install and complete the configuration of the
RMS server role. Let's begin by configuring the certificate.
NOTE
Exercise 1.5 will require the use of a certificate authority. You may want
to wait on this exercise until you review Chapter 6, which covers CAs.
We can understand how you may be too excited to wait, but rather than
making you go through the CA process twice, bookmark this section and
come back to it once you have completed that chapter.
EXERCISE 1.5
CONFIGURING RIGHTS MANAGEMENT SERVER
1. Select Start | Administrative Tools | Internet Information Services
(IIS) Manager. We installed the IIS role earlier in this chapter.
2. Double-click the server name.
3. In the details pane, double-click Server Certificates.
4. Click Create Domain Certificate.
5. In the Common name field, type the FQDN name of your server
(Figure 1.14).
6. In the Organization field, enter a company name.
7. In the Organization Unit field, enter a division.
Figure 1.14 Creating a Domain Certificate
8. In the City/locality field, enter your city.
9. In the State/province field, enter your state, and then click Next.
10. Review the Online Certification Authority page, and click Select.
11. Select your Certificate Authority (Figure 1.15), and then click OK.
12. In the Friendly name field, enter the NetBIOS name of this server
(Figure 1.16), and click Finish.
Figure 1.15 Selecting a Certificate Authority
Now, let's install the role.
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary, click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, click Active Directory Rights
Management Services.
5. In the Add Roles Wizard, click Add Required Role Services, and
then click Next.
6. Click Next on the Active Directory Rights Management Services
page.
7. Click Next on the Select Role Services page.
8. Click Next on the Create Or Join An AD RMS Cluster page.
Figure 1.16 Entering a Friendly Name
9. Click Next on the Set Up Configuration Database page.
10. On the Specify Service Account page, click Specify to choose an
account, and then click Next. This cannot be the same account
you are using to install RMS.
11. Click Next on the Set Up Key Management page.
12. On the Specify Password for AD RMS Encryption page
(Figure 1.17), enter a password and then click Next.
13. Click Next on the Select Web Site page.
14. Review the information on the Specify Cluster Address page
(Figure 1.18), click Validate, and then click Next.
Figure 1.17 The AD RMS Encryption Page
15. Verify that Choose An Existing Certificate For Secure Socket Layer
(SSL) Encryption is selected on the Choose A Server Authentication
Certificate For SSL Encryption page (Figure 1.19), choose your
server name, and then click Next. SSL provides secure communications
on the Internet for such things as Web browsing, e-mail,
Internet faxing, instant messaging, and other data transfers.
Figure 1.18 Specifying a Cluster Address
16. Click Next on the Specify a Friendly Name for the Licensor
Certificate.
17. Click Next on the Set up Revocation page.
18. Click Next on the Register This AD RMS Server In Active
Directory page.
19. Click Next on the Web Server page.
20. Click Next on the Select Role Services page.
21. Review the confirmation page, and then click Install.
22. When the installation is complete, click Close.
Next, we need to set up the RMS cluster settings. In this case, a cluster
is a single server (or set of servers) that shares AD RMS publishing
and licensing requests. Let's walk through configuring the cluster settings.
Figure 1.19 Setting SSL Encryption
1. Choose Start | Administrative Tools | Active Directory Rights
Management Services.
2. Select your server.
3. Right-click the server and choose Properties.
4. Move to the SCP tab and select Change SCP. Click OK. The SCP is
the service connection point that identifies the connection URL
for the service to the clients.
5. Click Yes in the Active Directory Rights Management Services dialog.
6. Right-click the server name, and then click Refresh.
7. Close the window.
At this stage, the server setup is complete. If you wanted to test the
RMS functionality, you could create a document in Word or Excel 2007
and set the permissions by clicking the Office ribbon and preparing
access restrictions.
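Step 4 of the cluster settings registers the service connection point (SCP) that clients use to find the AD RMS cluster URL, so it is worth reading the SCP back from Active Directory to confirm that clients will be sent to the TLS endpoint configured in step 15 of the role installation. The block below is an added example, not code from the book. It assumes the SCP object sits where AD RMS registers it, CN=SCP,CN=RightsManagementServices,CN=Services under the forest's configuration partition, with the cluster URL held in the serviceBindingInformation attribute; run it from a domain-joined machine as a user who can read the configuration partition.

```powershell
# Added example (not from the book): read the AD RMS SCP registered in the
# cluster settings steps and check that it points at an https:// URL.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
# Assumed SCP location: where AD RMS registers its service connection point.
$scpPath  = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"

if (-not [ADSI]::Exists($scpPath)) {
    throw "No AD RMS SCP is registered at $scpPath (re-run Change SCP on the server)."
}

$scp  = [ADSI]$scpPath
$urls = @($scp.serviceBindingInformation)
if ($urls.Count -eq 0) {
    throw 'The SCP exists but carries no serviceBindingInformation value.'
}

foreach ($url in $urls) {
    if ($url -like 'https://*') {
        Write-Output "SCP OK, clients are directed to: $url"
    } else {
        # Clients would contact the cluster without SSL; fix the cluster
        # address / SSL certificate settings from the installation steps.
        Write-Warning "SCP points to a non-TLS endpoint: $url"
    }
}
```

If the warning fires, the cluster address entered on the Specify Cluster Address page (step 14) was not an SSL URL; correct it and repeat the Change SCP step so that the value stored in the SCP is updated.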
Active Directory
Federation Services (ADFS)
Federation Services were originally introduced in Windows Server 2003 R2. FS provides
an identity access solution, and AD Federation Services provides authenticated
access to users inside (and outside) an organization to publicly (via the Internet)
accessible applications. Federation Services provides an identity management
solution that interoperates with WS-* Web Services Architecture-enabled security
products. WS-Federation Passive Requestor Profile (WS-F PRP) also makes it possible
for federation to work with solutions that do not use the Microsoft standard
of identity management. The WS-Federation specification defines an integrated
model for federating identity, authentication, and authorization across different trust
realms and protocols. This specification defines how the WS-Federation model is
applied to passive requestors such as Web browsers that support the HTTP protocol.
WS-Federation Passive Requestor Profile was created in conjunction with some
pretty large companies, including IBM, BEA Systems, Microsoft, VeriSign, and RSA
Security.
What Is Federation?
As we described earlier in this chapter, federation is a technology solution that
makes it possible for two entities to collaborate in a variety of ways. When servers
are deployed in multiple organizations for federation, it is possible for corporations
to share resources and account management in a trusted manner. Earlier in this
chapter, we were discussing Active Directory Rights Management Server. This is
just one way companies can take advantage of FS. With ADFS, partners can include
external third parties, other departments, or subsidiaries in the same organization.
Why and When to Use Federation
Federation can be used in multiple ways. One product that has been using federation
for quite some time is Microsoft Communication Server (previously, Live
Communication Server 2005, now rebranded as Office Communication Server
2007). Federation is slightly different in this model, where two companies can
federate their environments for the purposes of sharing presence information. This
makes it possible for two companies to securely communicate via IM, Live Meeting,
Voice, and Video. It also makes it possible to add presence awareness to many
applications, including the Office suite, as well as Office SharePoint Server. If you
want to know more about OCS and how federation works for presence, we recommend
How to Cheat at Administering Office Communication Server 2007, also by
Elsevier.
A little closer to home, Federation Services can also be used in a variety of
ways. Let's take an extranet solution where a company in the financial service
business shares information with its partners. The company hosts a Windows
SharePoint Services (WSS) site in their DMZ for the purposes of sharing revenue
information with investment companies that sell their products. Prior to Active
Directory Federation Services, these partners would be required to use a customer
ID and password in order to access this data. For years, technology companies have
been touting the ability to provide and use single sign-on (SSO) solutions. These
worked great inside an organization, where you may have several different systems
(Active Directory, IBM Tivoli, and Solaris), but tend to fail once you get outside
the enterprise walls.
With AD FS, this company can federate their DMZ domain (or, their internal
AD) with their partner Active Directory infrastructures. Now, rather than creating
a username and password for employees at these partners, they can simply add the
users (or groups) to the appropriate security groups in their own Active Directory
(see Figure 1.20). It is also important to note that AD FS requires either Windows
Server 2008 Enterprise edition or Datacenter edition.
Configuring ADFS
In this exercise, we are going to create the account side of the ADFS structure.
The resource is the other half of the ADFS configuration, which is the provider
of the service that will be provided to an account domain. To put it in real-world
terms, the resource would provide the extranet application to the partner company
(the account domain).
EXERCISE 1.6
CONFIGURING FEDERATION SERVICES
1. Click Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary, and then click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, select Active Directory
Federation Services (see Figure 1.21) from the list and click Next.
Figure 1.20 The Active Directory Federation Services Structure
5. Click Next on the Active Directory Federation Services page.
6. In the Select Role Services window, select Federation Service,
and then click Next. If prompted, add the additional prerequisite
applications.
7. Click Create A Self-Signed Certificate For SSL Encryption
(Figure 1.22), and then click Next.
Figure 1.21 Selecting the Role
8. Click Create A Self-Signed Token-Signing Certificate, and then
click Next.
9. Click Next on the Select Trust Policy page.
10. If prompted, click Next on the Web Server (IIS) page.
11. If prompted, click Next on the Select Role Services page.
12. On the Confirm Installation Selections page, click Install.
13. When the installation is complete, click Close.
The next step in configuring AD FS is to configure IIS to require SSL
certificates on the Federation server:
1. Choose Start | Administrative Tools | Internet Information Services
(IIS) Manager.
2. Double-click the server name.
Figure 1.22 Creating a Self-Signed Token-Signing Certificate
3. Drill down the left pane to the Default Web Site and
double-click it.
4. Double-click SSL Settings and select Require SSL.
5. Go to Client Certificates and click Accept. Then, click Apply
(Figure 1.23).
6. Click Application Pools.
7. Right-click AD FS AppPool, and click Set Application Pool Defaults.
8. In the Identity pane (Figure 1.24), click LocalSystem, and then
click OK.
Figure 1.23 Requiring Client Certificates
9. Click OK again.
10. Before we close IIS, we need to create a self-signed certificate.
Double-click the server name again.
11. Double-click Server Certificates.
12. Click Create Self-Signed Certificate.
13. In the Specify Friendly Name field, enter the NetBIOS name of
the server and click OK.
Figure 1.24 Setting Application Pool Defaults
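The IIS settings from steps 3 through 9 (Require SSL, client certificates set to Accept, and the AD FS application pool identity) can be applied and, more usefully, verified from the command line with IIS 7's appcmd.exe, so that the state of the federation server can be checked after the fact instead of by opening each dialog. The block below is an added example, not code from the book; it assumes the site and pool names the exercise uses ("Default Web Site" and "AD FS AppPool") and the standard location of appcmd.exe under %windir%\System32\inetsrv.

```powershell
# Added example (not from the book): apply and verify the IIS settings from
# the AD FS exercise with appcmd instead of the IIS Manager dialogs.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$site   = 'Default Web Site'   # site name used in the exercise
$pool   = 'AD FS AppPool'      # application pool name used in the exercise

# Steps 4-5: Require SSL, and accept (negotiate) client certificates.
# "Ssl" = Require SSL; "SslNegotiateCert" = Client Certificates: Accept.
& $appcmd set config $site /section:system.webServer/security/access `
    /sslFlags:"Ssl,SslNegotiateCert" /commit:apphost

# Steps 7-8: the exercise runs the AD FS pool as LocalSystem.
& $appcmd set apppool $pool /processModel.identityType:LocalSystem

# Verification: read the values back rather than trusting the set commands.
$flags = (& $appcmd list config $site /section:system.webServer/security/access /text:sslFlags) -join ''
if ($flags -notmatch 'Ssl') {
    throw "SSL is not required on '$site' (sslFlags='$flags')"
}
if ($flags -notmatch 'SslNegotiateCert') {
    Write-Warning "Client certificates are not accepted on '$site' (sslFlags='$flags')"
}

$identity = (& $appcmd list apppool $pool /text:processModel.identityType) -join ''
Write-Output "'$site' sslFlags=$flags; '$pool' identity=$identity"
```

The identity line is printed rather than asserted because LocalSystem is the value the exercise chooses; it is the most privileged local account, so a reviewer should see it stated explicitly when checking a federation server's configuration.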
Next, we need to configure a resource for use with AD FS. In this
case, we are going to use the same domain controller to double as a
Web server. What we will be doing is installing the AD FS Web Agent,
essentially adding an additional role to the server, as part of the AD FS
architecture. This will allow us to use our federated services within a
Web application.
1. Choose Start | Administrative Tools | Server Manager. Scroll down
to Role Summary, and then click Add Roles.
2. When the Before You Begin page opens, click Active Directory
Federation Services.
3. Scroll down to Role Services and click Add Role Services.
4. In the Select Role Services window, select Claims-aware Agent
(Figure 1.25), and then click Next.
Figure 1.25 Setting Services
5. Confirm the installation selections (Figure 1.26), and then click
Install.
6. When installation is complete, click Close.
Figure 1.26 Confirming the Installation
Now we need to configure the trust policy, which is responsible
for federation with the resource domain.
1. Choose Start | Administrative Tools | Active Directory Federation
Services.
2. Expand Federation Service by clicking the + symbol (see Figure 1.27).
3. Right-click Trust Policy, and then choose Properties.
4. Verify the information in Figure 1.28 matches your configuration
(with the exception of the FQDN server name), and then click OK.
Figure 1.27 AD FS MMC
5. When you return to the AD FS MMC, expand Trust Policy and open
My Organization.
6. Right-click Organization Claims, and then click New | Organization
Claim.
7. This is where you enter the information about the resource
domain. A claim is a statement made by both partners and is used
for authentication within applications. We will be using a Group
Claim, which indicates membership in a group or role. Groups
would generally follow business groups, such as accounting and IT.
8. Enter a claim name (we will use PrepGuide Claim). Verify that
Group Claim is checked as well before clicking OK.
9. Create a new account store. Account stores are used by AD FS to
log on users and extract claims for those users. AD FS supports
two types of account stores: Active Directory Domain Services
(AD DS) and Active Directory Lightweight Directory Services
(AD LDS). This makes it possible to provide AD FS for full Active
Directory Domains and AD LDS domains.
Figure 1.28 Trust Policies
10. Right-click Account Store and choose New | Account Store.
11. When the Welcome window opens, click Next.
12. Since we have a full AD DS in place, select Active Directory
Domain Services (AD DS) from the Account Store Type window
(Figure 1.29), and then click Next.
13. Click Next on the Enable This Account Store window.
14. Click Finish on the completion page.
Figure 1.29 The Account Store Type Window
Now, we need to add Active Directory groups into the Account Store.
1. Expand Account Stores.
2. Right-click Active Directory, and then click New | Group Claim
Extraction.
3. In the Create A New Group Claim Extraction window
(Figure 1.30), click Add and click Advanced.
Figure 1.30 The Create A New Group Claim Extraction Window
4. Click Object Types, remove the checkmarks from everything
except Groups, and then click OK.
5. Click Find Now.
6. Select Domain Admins from the list of groups by double-clicking.
7. Click OK.
8. The Map To This Organization Claim field should show the claim
we created earlier. Click OK to close the window.
Finally, we will work to create the partner information of our
resource partner, which is prepguides.ads.
1. Expand Partner Organizations.
2. Right-click Resource Partners, and then select New | Resource
Partner.
3. Click Next on the Welcome window.
4. We will not be importing a policy file, so click Next.
5. In the Resource Partner Details window (Figure 1.31), enter a
friendly name for the partner, and the URI and URL information
of the partner. Note it is identical to what we entered earlier in
Figure 1.28. When the information is complete, click Next.
6. Click Next on the Federation Scenario page. This is the default selection, which is used for two partners from different organizations when there's no forest trust.
7. On the Resource Partner Identity Claims page, check UPN Claim
and click Next. A UPN Claim is based on the domain name of your
Active Directory structure. In our case, the UPN is uccentral.ads.
Figure 1.31 Resource Partner Details
8. Set the UPN suffix. Verify that Replace All UPN Suffixes With The Following: is selected and then enter your server's domain name. This is how all suffixes will be sent to the resource partner. Click Next.
9. Click Next to enable the partner.
10. Click Finish to close the wizard.
We're almost at the end of our account partner configuration. The last thing we need to do is create an outgoing claim mapping. This is part of a claim set. On the resource side, we would create an identical incoming claim mapping.
1. Expand Resource Partners.
2. Right-click your resource partner, and then choose New |
Outgoing Group Claim Mapping.
3. Select the claim we created earlier, enter PrepGuide Mapping,
and then click OK.
As you can imagine, this process would be duplicated on the resource domain,
with the exception that the outgoing claim mapping would be replaced with an
incoming mapping.
Summary of Exam Objectives
As you can see, Windows 2008 includes a number of amazing advancements, in particular those concerning Active Directory services. Each of these roles provides new layers of features, functions, and security options that were either not available in previous versions of the product or were not quite baked in enough, often being included in Version 1.0 of the solution.
When you factor in the additional security of the Server Core installation,
Active Directory has come a long way from its original release in Windows 2000.
As you will find throughout the rest of this book, you can apply Active Directory
roles, and Server Core, in many ways.
Exam Objectives Fast Track
New Roles in 2008
˛ With the release of Windows Server 2008, an Active Directory domain
controller can be deployed in several new ways.
˛ Server Manager is a single solution that is used as a single source for
managing identity and system information.
˛ Server Manager is enabled by default when a Windows 2008 server
is installed.
˛ Server Core is a minimal server installation option for Windows Server
2008 that contains a subset of executable files, as well as five server roles.
Read-Only Domain Controllers
˛ RODC holds all of the Active Directory Domain Services (AD DS)
objects and attributes that a writable domain controller holds, with the
exception of account passwords.
˛ Unidirectional replication prevents RODCs from replicating information
to a writable domain controller.
˛ The installation of read-only domain controllers can be delegated to
other users.
Active Directory Lightweight Directory Service
˛ Active Directory Lightweight Directory Services is a slimmed-down version of AD.
˛ LDS is used when directory-aware applications need directory services, but
there is no need for the overhead of a complete forest or domain structure.
˛ LDS has many new features over ADAM, including Auditing, Server Core
Support, Support for Active Directory Sites and Services, and a Database
Mounting Tool.
Active Directory Rights Management Services
˛ RMS does require a Client Access License.
˛ The three main functions of AD RMS are creating rights-protected
files and templates, licensing rights-protected information, and acquiring
licenses to decrypt rights-protected content and apply usage policies.
˛ The three new features of AD RMS are delegation of roles, integration
with Federation Services, and self-enrollment.
Active Directory Federation Services
˛ Federation Services were first available in Windows Server 2003 R2.
˛ Federation Services provides an identity management solution that interoperates with WS-* Web Services Architecture-enabled security products.
˛ WS-Federation Passive Requestor Profile (WS-F PRP) also makes it
possible for federation to work with solutions that do not use the
Microsoft standard of identity management.
˛ The WS-Federation specification defines an integrated model for federating
identity, authentication, and authorization across different trust realms and
protocols.
˛ WS-Federation Passive Requestor Profile was created in conjunction
between IBM, BEA Systems, Microsoft, VeriSign, and RSA Security.
Exam Objectives Frequently Asked Questions
Q: Can an RODC replicate to another RODC?
A: No. RODCs can only replicate with full domain controllers. This is a feature of the RODC, which is meant to be, as the name implies, a read-only server. Since neither RODC would have write capabilities in this example, it would be pointless to have them replicate to one another.
Q: Can I federate with a Windows Server 2003 R2 forest?
A: Yes, you can, but keep in mind that they will not have all of the same functionality.
Federation was introduced in Windows Server 2003 R2 to allow IT organizations
to take advantage of the basics of federation. However, features such as integration
with other applications like AD RMS and Office Sharepoint Server 2007 are not
available.
Q: Can an RODC exist in a mixed-mode (Windows 2003 and Windows 2008)
domain?
A: Yes, but you must run adprep with the proper switches in order for it to succeed.
If the domain is not prepped for this new Windows Server 2008 role, the RODC
installation will fail almost immediately. adprep is required to add the appropriate
schema modifications for RODC.
Q: LDS sounds pretty cool. Can I just run that for my AD environment?
A: The short answer is yes, but if you are running AD internally, you would probably want the full functionality of Domain Services. LDS is meant for smaller environments, such as a DMZ, where additional functionality (in particular, management) is not a requirement.
Q: Does Rights Management work with mobile devices?
A: Yes, there is a mobile module for Rights Management Services. However, only
Windows Mobile devices are supported with Rights Management. Check with
your wireless vendor or mobile manufacturer for support and availability on
particular models.
Q: I've heard that Server Core is only supported in 64-bit edition. Is that true?
A: No. Server Core works in both 32-bit and 64-bit editions; Hyper-V (virtualization) only runs on 64-bit. It should be noted that as of the writing of this book, Windows Server 2008 is expected to be the final 32-bit server operating system released by Microsoft.
Q: Do I have to use Server Manager for role deployment?
A: No. You can also use scripting tools to deploy roles. Also, depending on the
role, role bits (the actual files that make up the role) can sometimes be added
automatically. For example, if you forget to add the Directory Services role
prior to running dcpromo.exe, dcpromo will add the role for you. However,
this is not the case with all roles.
Self Test
1. You are the administrator for a nationwide company with over 5,000 employees. Your main office has approximately 4,500 employees, while the company's ten remote offices have 50 users residing in each. You are often unaware of the physical security in place at these offices. However, since there is a fairly sizable amount of users at each office, you must provide them with directory services. What is the BEST option to use for directory services when security is often an unknown?
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Directory Rights Management Services
2. __________ is a format and application-agnostic technology, which provides services to enable the creation of information-protection solutions.
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Directory Rights Management Services
3. You are the administrator for a nationwide company with over 5,000 employees.
Your director tells you your company has just signed into a partnership with
another organization, and that you will be responsible for ensuring that authentication
can occur between both organizations without the need for additional
sign-on accounts. Your boss mentions that the partner has a variety of Directory
Services installed throughout their organizations. Which of the following can
Active Directory Federation Services NOT connect to?
A. Lightweight Directory Services
B. Windows Server 2003 Directory Services
C. Windows Server 2003 R2 Directory Services
D. All of the above
4. You are the administrator for a nationwide company with over 5,000 employees. Your main office has approximately 4,500 employees, while your company's ten remote offices have 50 users each residing in them. You are often unaware of the physical security in place at these offices. However, since there is a fairly sizable amount of users at each office, you need to provide them with directory services. What is the BEST option to use for directory services when security is often an unknown?
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Directory Rights Management Services
5. The Web development team has requested that you implement a new Web
server in a DMZ that will be used for presenting Web sites to customers. Which
of the following is NOT a reason for using Windows Server 2008 Core Server?
A. A Core installation does not require a Windows Server 2008 license.
B. A Core installation does not provide GUIs, which limits console access.
C. Core Server installs fewer services than a full installation of Windows
Server 2008.
D. Core Server uses fewer resources than a full installation of Windows
Server 2008.
6. You have a Windows Server 2003 R2 domain currently running in your
organization. You would like to install a read-only domain controller into
your Directory Services structure, but you do not want to completely
upgrade your domain to Windows Server 2008 Directory Services just yet.
What do you need to do in order to add an RODC?
A. Change the domain functional level to Windows Server 2008 mixed mode.
B. Change the forest functional level to Windows Server 2008 mixed mode.
C. Run adprep on a Windows Server 2003 R2 domain controller.
D. An RODC cannot be added until the entire domain is a Windows Server
2008 Directory Services domain.
7. You are looking to upgrade your environment to Windows Server 2008, and
you are explaining the new Server Manager console to your boss. Which three of
the following answers correctly describe ways that Server Manager can be used?
A. Server Manager can be used to add new server roles.
B. Server Manager can be used to add new server features.
C. Server Manager can be used to configure server failover.
D. Server Manager can be used for scripting commands.
8. You are attempting to install Directory Services on a Windows Server 2008
Server Core installation. You type dcpromo at the command prompt, but the server
fails to install Directory Services. What is the MOST LIKELY reason for this?
A. Directory Services are not supported on a Server Core installation, only
read-only domain controllers.
B. You must use an unattended file to complete the Directory Services
installation.
C. You must use the Server Manager from another Windows Server 2008
system to complete the installation.
D. Your server's chipset does not support Directory Services in a Server Core installation.
9. Which of the following Directory Services administration tools can be used in
a Windows Server 2008 Lightweight Directory Services installation?
A. Active Directory Users and Computers
B. Active Directory Sites and Services
C. Active Directory Domains and Trusts
D. Active Directory Licensing Manager
10. BitLocker is a new technology that is available in Windows Server 2008 as well
as Windows Vista. Which is NOT an advantage of using BitLocker?
A. BitLocker can be used to prevent a hacker from detecting my password.
B. BitLocker prevents someone from removing a hard drive from a system
and reading it by installing it on another system.
C. BitLocker prevents someone from loading another operating system onto the
server and reading the contents of the disk using this additional operating
system.
D. All of the above selections are an advantage of using BitLocker.
Self Test Quick Answer Key
1. B
2. D
3. B
4. B
5. A
6. C
7. A, B, and C
8. B
9. B
10. A
Chapter 2 Configuring Network Services
Exam objectives in this chapter:
■ Configuring Domain Name System (DNS)
■ Configuring Dynamic Host Configuration
Protocol (DHCP)
■ Configuring Windows Internet Naming
Service (WINS)
Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
MCTS/MCITP
Exam 640
62 Chapter 2 Configuring Network Services
Introduction
When internetworking was first conceived and implemented in the 1960s and 1970s, the Internet Protocol (IP) addressing scheme was also devised. It uses four sets of 8 bits (octets) to identify a unique address, which is comprised of a network address and a unique host address. This provided enormous flexibility because the scheme allowed for millions of addresses. The original inventors of this system probably didn't envision the networking world as it is today, with millions of computers spanning the globe, many connected to one worldwide network, the Internet.
Network Services are to Active Directory what gasoline is to a combustion engine: without them, Active Directory would simply be a shiny piece of metal that sat there and looked pretty. As a matter of fact, network services are not only crucial to Active Directory, but are equally important to networking on a much larger scale. Imagine watching television at home and hearing the voice-over for a Microsoft commercial say "Come visit us today at 207.46.19.190!" instead of "Come visit us today at www.microsoft.com!" Networking services make networking much easier to understand for the end user, but they also go well beyond that in terms of what they provide for a networking architecture.
In this chapter, we will explore the Domain Name System (DNS), a method
of creating hierarchical names that can be resolved to IP addresses (which, in turn,
are resolved to MAC addresses). We explain the basis of DNS and compare it to
alternative naming systems. We also explain how the DNS namespace is created and
resolved to an IP address throughout the Internet or within a single organization.
Once you have a solid understanding of DNS, you will learn about Windows Server 2008 DNS servers, including the different roles DNS servers can play, the ways DNS Servers resolve names and replicate data, and how Windows Server 2008 Active Directory integrates with DNS. By the end of this chapter, you'll have a detailed understanding of DNS on the Internet, as well as how DNS works within a Windows Server 2008 network.
We will also discuss two additional services: Windows Internet Naming Service (WINS) and Dynamic Host Configuration Protocol (DHCP), two common services used on Transmission Control Protocol/Internet Protocol (TCP/IP) networks. Each of these services plays an important role in your environment, ultimately assisting IT professionals in their quest to automate many of the mundane tasks that would otherwise need to be managed manually.
Configuring Domain Name System (DNS)
Microsoft defines the Domain Name System (DNS) as a hierarchical distributed
database that contains mappings of fully qualified domain names (FQDNs) to IP
addresses. DNS enables finding the locations of computers and services through
user-friendly names and also enables the discovery of other types of records used
for additional resources (which we will discuss later) in the DNS database.
A much broader definition comes from the original Request For Comment
(RFC), which was first released way back in November of 1983. RFC 882
(http://tools.ietf.org/html/rfc882) describes DNS conceptually, explaining how
various components (domain name space, name servers, resolvers) come together
to provide a domain name system.
As you can imagine, a number of changes have been made to the original
RFC. In fact, there have been three major RFC releases since the original debuted
25 years ago: RFC 883, RFC 1034, and RFC 1035.
As you probably came to realize by looking at the date of the original DNS
RFC, Microsoft was certainly not the first company to develop DNS services.
In fact, the first Unix-based DNS service was written by four college students way
back in 1984. Later, the code was rewritten by an engineer at Digital Equipment
Corporation (DEC) and renamed Berkeley Internet Name Domain, or BIND,
as it is more commonly known. Since the original DNS code was written, it has
been rewritten by several companies, including Microsoft, Novell, Red Hat, and
many others.
Now that you've had a little history lesson on DNS, let's discuss some of the various record types that can be held inside a DNS database. The record type will determine what information is provided to a DNS client requesting data. For instance, if the DNS server is configured to use an A record (a naming resource record), it converts an IP address to a hostname. As an example, consider using 207.46.19.190 as the IP address, and www.microsoft.com as the hostname. This would be a good example of how DNS resolution works.
Another example of a record in use is the MX record. This record type is used
when an e-mail server is trying to determine the IP address of another e-mail
server. Table 2.1 outlines the types of records that can exist in a Windows Server
2008 DNS.
Regardless of the type of DNS you're using (Microsoft, Linux, or another vendor), the DNS database holds a nearly identical format. Several components make up a DNS database. Figure 2.1 provides an example of a primary zone database (we will discuss the various types of zones later in this chapter).
Table 2.1 Common DNS Record Types

| Type | Description |
| --- | --- |
| Host (A) | Maps a domain name (such as www.microsoft.com) to an IP address |
| Canonical Name (CNAME) | Maps an alias domain name to another server name |
| Mail exchanger (MX) | Maps a domain name to a system that controls mail flow |
| Pointer (PTR) | Reverses the mapping process; used to convert domain names to IP addresses |
| Service location (SRV) | Used to map domain names to a specific service |
Figure 2.1 A DNS Database File
Let's take a moment to discuss some of the other information held in the database file.
■ IN (Internet Name): This calls out that the information preceding the IN is the common name of the server. In the first line of the preceding database file, it indicates that the name at the top-left is the domain name this server supports. The names shown after the IN are the actual names of the server.
■ SOA (Start of Authority): This indicates that the server shown in Figure 2.1 is authoritative over this particular domain. Thus, it has rights to add, remove, and change records for the domain.
■ 1 (Serial number): Each time a change is made to a DNS database, a new serial number is assigned. Other servers, known as secondary servers, can copy DNS databases for local storage. If this serial number changes, the secondary servers know they need to update their copy.
■ 900 (Refresh Rate): How often, in seconds, the secondary computer checks to see if it needs to update its database.
■ 600 (Retry): How long a secondary DNS server should wait before requesting another update, should an update fail.
■ 86400 (Expire): How long a secondary server can hold a database without update before it must purge its records.
■ 3600 (Time to Live, TTL): How long a client machine can store a requested record before it must request a refreshed record.
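The record types in Table 2.1 and the SOA fields listed above can be exercised on a small zone file. The following Python is an added example, not code from the book or from the Windows DNS server: it parses a constructed RFC 1035 master file (the $ORIGIN and $TTL directives, the parenthesised SOA with serial, refresh, retry, expire and minimum TTL, and the A, NS, CNAME, MX and SRV records are all constructed sample data), answers queries the way a server would (following a CNAME to the A record behind it), and applies the refresh, retry and expire timers to decide what a secondary server does next. The names parse_zone, lookup, secondary_plan and the helpers are my own.

```python
# Added example, not from the book or the Windows DNS server: ZONE_TEXT is constructed
# sample data in the RFC 1035 master-file layout the chapter describes for Figure 2.1.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@           IN  SOA  ns1.example.com. hostmaster.example.com. (
                     1        ; serial: incremented on every change
                     900      ; refresh: secondaries re-check every 15 minutes
                     600      ; retry: wait 10 minutes after a failed refresh
                     86400    ; expire: purge after one day without contact
                     3600 )   ; minimum TTL
@           IN  NS   ns1.example.com.
ns1         IN  A    192.0.2.53
www         IN  A    192.0.2.80
ftp         IN  CNAME www
@           IN  MX   10 mail
_ldap._tcp  IN  SRV  0 100 389 ns1
"""

@dataclass
class SOA:
    mname: str       # primary server for the zone
    rname: str       # responsible mailbox, written as a domain name
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

@dataclass
class Zone:
    origin: str = ""
    soa: Optional[SOA] = None
    records: List[Tuple[str, str, tuple]] = field(default_factory=list)  # (owner, type, rdata)

def _statements(text: str):
    """Yield (statement, owner_column_blank): comments stripped, ( ) continuation lines joined."""
    buf, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:
            indented = line[:1].isspace()
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf), indented
            buf = []

def _fqdn(name: str, origin: str) -> str:   # '@' is the origin; relative names get the origin appended
    return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")

def parse_zone(text: str) -> Zone:
    zone, owner = Zone(), ""
    for stmt, indented in _statements(text):
        tokens = stmt.split()
        if tokens[0] == "$ORIGIN":
            zone.origin = tokens[1]
        if tokens[0].startswith("$"):    # $ORIGIN handled above; $TTL is not needed here
            continue
        if not indented:                 # a blank owner column repeats the previous owner
            owner = _fqdn(tokens.pop(0), zone.origin)
        if tokens[0].isdigit():          # optional per-record TTL, skipped
            tokens.pop(0)
        if tokens[0] == "IN":            # class Internet
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        if rtype == "SOA":
            mname, rname, *timers = rdata
            zone.soa = SOA(_fqdn(mname, zone.origin), _fqdn(rname, zone.origin), *map(int, timers))
        elif rtype in ("NS", "CNAME", "PTR"):
            zone.records.append((owner, rtype, (_fqdn(rdata[0], zone.origin),)))
        elif rtype == "MX":              # preference, exchanger
            zone.records.append((owner, rtype, (int(rdata[0]), _fqdn(rdata[1], zone.origin))))
        elif rtype == "SRV":             # priority, weight, port, target
            zone.records.append((owner, rtype, (*map(int, rdata[:3]), _fqdn(rdata[3], zone.origin))))
        else:                            # A, AAAA, TXT ... kept as text
            zone.records.append((owner, rtype, tuple(rdata)))
    return zone

def lookup(zone: Zone, name: str, rtype: str) -> List[tuple]:
    """Answer a query from the zone, following a CNAME to the real name as a server would."""
    name = _fqdn(name, zone.origin)
    hits = [rd for o, t, rd in zone.records if o == name and t == rtype]
    if not hits and rtype != "CNAME":
        alias = lookup(zone, name, "CNAME")
        return lookup(zone, alias[0][0], rtype) if alias else []
    return hits

def secondary_plan(soa: SOA, since_last_success: int, last_attempt_failed: bool) -> Tuple[str, int]:
    """Next step for a secondary: purge once `expire` has passed, else re-check after retry/refresh."""
    if since_last_success >= soa.expire:
        return ("expire", 0)
    return ("retry", soa.retry) if last_attempt_failed else ("refresh", soa.refresh)
```

Running parse_zone(ZONE_TEXT) and then lookup(zone, "ftp", "A") returns the address of www, because the CNAME is chased first; secondary_plan(zone.soa, 86400, False) returns ("expire", 0), which is the point at which a secondary that has not heard from its primary for a day must stop serving the zone.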
Thus far, we've been focusing on how an individual DNS server is configured. However, we must also look at DNS structures on a much higher level as well. The first thing to understand is that the worldwide DNS structure is just incredibly massive, and continues to grow on a daily basis as new domains are brought online. As large as it is, the general structure behind it is relatively simple. DNS is based on a tree format, and an upside-down tree, at that. At the top of the tree is the root; the root is the beginning of all DNS naming conventions and has total authority over all naming conventions beneath it. DNS Root is essentially a period (yes, a period). Technically speaking, if you decide to shop online at Elsevier's Web site, you are shopping at "www.elsevier.com." (note the trailing period). If that doesn't make sense, let's break it down. Basically, domains (and domain server names) are really read from right-to-left in the computer world. The "." is assumed in any DNS resolution, but is still the highest level. Com would be the second-highest level, followed by another period for separation, and then Elsevier. So, in regards to DNS hierarchy, the top level domain would be ".", followed by the second-highest level domain, which would be com, followed by the third-highest level domain, Elsevier. When combined to form an FQDN, the result would be Elsevier.com.
WWW represents nothing more than the name of a server that exists in the Elsevier.com domain. WWW has become commonplace for World Wide Web services, but it could just as easily be supercalafragalisticexpialidotious.elsevier.com, though I doubt it would get as many hits. If you are still confused by how DNS naming structures work, take a look at Figure 2.2, which shows a sample of how a DNS tree looks.
Figure 2.2 A Sample DNS Tree
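The right-to-left reading described above is exactly the order in which a resolver walks the tree: it asks a root server, is referred to a .com server, is referred again to the elsevier.com server, and only there gets the address of www. The following Python is an added example (not code from the book) that performs that walk over a constructed delegation tree. TREE, labels_from_root and iterative_resolve are names I made up for this illustration, the server names are fictitious, and the addresses come from the 192.0.2.0/24 documentation range; a real resolver learns each step from the parent zone's NS records rather than from a table.

```python
# Added example, not from the book: TREE is a constructed delegation tree using fictitious
# server names and 192.0.2.0/24 documentation addresses for the root, .com and elsevier.com.
from typing import Dict, List, Optional, Tuple

# zone apex -> the server that answers for it and the address records that server holds.
# A real resolver learns each entry from the parent zone's NS records (the referral).
TREE: Dict[str, Dict] = {
    ".": {"ns": "a.root-servers.example.",
          "A": {"a.root-servers.example.": "192.0.2.1"}},
    "com.": {"ns": "a.gtld-servers.example.",
             "A": {"a.gtld-servers.example.": "192.0.2.2"}},
    "elsevier.com.": {"ns": "ns1.elsevier.com.",
                      "A": {"ns1.elsevier.com.": "192.0.2.3", "www.elsevier.com.": "192.0.2.80"}},
}

def labels_from_root(fqdn: str) -> List[str]:
    """Read a name right-to-left and list the zone names a resolver visits, root first:
    'www.elsevier.com' -> ['.', 'com.', 'elsevier.com.', 'www.elsevier.com.']"""
    name = fqdn.rstrip(".").lower()
    labels = name.split(".") if name else []
    chain = ["."]                                  # the implied trailing dot is the root
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain

def iterative_resolve(fqdn: str, tree: Dict[str, Dict] = TREE) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Start at the root and follow one referral per level until a zone holds the
    address record. Returns (address or None, [(zone asked, server that answered), ...])."""
    target = fqdn.rstrip(".").lower() + "."
    path: List[Tuple[str, str]] = []
    for zone_name in labels_from_root(target):
        zone = tree.get(zone_name)
        if zone is None:
            continue          # no zone cut at this label (for example 'www' is a host, not a zone)
        path.append((zone_name, zone["ns"]))
        if target in zone["A"]:
            return zone["A"][target], path      # this server is authoritative for the name
    return None, path         # walked off the tree: nobody in it is authoritative for the name

if __name__ == "__main__":
    address, hops = iterative_resolve("www.elsevier.com")
    for zone_name, server in hops:
        print(f"asked {server:<26} (zone {zone_name})")
    print("answer:", address)
```

The returned path has one entry per level of the hierarchy, which is why the chapter calls the root the highest level even though the user never types it: every resolution begins there.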
The summit of the DNS namespace hierarchy is the root, which has several
servers managed by the Internet Name Registration Authority (INRA). Immediately
below the root are the COM, NET, EDU, and other top-level domains listed in
Table 2.2. Each of these domains is further divided into namespaces that are managed
by the organizations that register them. For example, syngress.com is managed by a
different organization than umich.edu.
Table 2.2 Domain Suffixes Used on the Internet

| Domain Suffix | Typical Usage |
| --- | --- |
| .mil | United States military |
| .edu | Educational facilities |
| .com | Commercial organizations |
| .net | Networks |
| .org | Nonprofit organizations |
| .gov | United States government (nonmilitary) |
| .us | United States |
| .uk | United Kingdom |
| .au | Australia |
| .de | Germany |
| Other two-letter abbreviations (.xx) | Other countries |

Organizations often split the ownership of their DNS namespace. One team might be responsible for everything inside the firewall, while another team may be responsible for the namespace that faces the public. Since Active Directory often replaces Windows NT as an upgrade, the team responsible for Windows NT will often take over the DNS namespace management for Active Directory domains. Since Active Directory DNS design and implementation does differ somewhat from the standard DNS design and implementation, you can often find the two types of tasks split between two different groups in the same organization.
Those are the basics on how Domain Name Services function on a much grander scale. In the coming sections of this chapter, we will discuss how to use DNS within a Windows Server 2008 environment. First, though, let's discuss how to install and perform the initial configuration of a DNS on Windows Server 2008.
NOTE
In addition to the domain suffixes shown in Table 2.2, you will also find the occasional privately used domain suffix .local. The .local suffix is not managed by a DNS root server, so the namespace cannot be published on the Internet. When you design the namespace for an Active Directory network, you can choose to use the .local suffix for domains that will not have any hosts on the Internet. Keep in mind that using the .local namespace internally will not prevent an organization from using Internet resources, such as browsing the Web.
Identifying DNS Record Requirements
A Resource Record (RR) is to DNS what a table is to a database. A Resource Record is the part of DNS's database structure that contains the name information for a particular host or zone. Table 2.3 contains an aggregation of the most popular RR types that have been collected from the various RFCs that define their usage:
EXAM WARNING
Check for conflicts when asked questions regarding DNS namespace
designs. For example, if the scenario states that a particular namespace
is already being used for another purpose, it is likely not going to be the
first choice for an Active Directory root domain namespace.
Table 2.3 RR Types

| Record Type | Common Name | Function | RFC |
| --- | --- | --- | --- |
| A | Address record | Maps FQDN to 32-bit IPv4 addresses. | RFC1035 |
| AAAA | IPv6 address record | Maps FQDN to 128-bit IPv6 addresses. | RFC1886 |
| AFSDB | Andrew file system | Maps a DNS domain name to a server subtype that is either an AFS Version 3 volume or an authenticated name server using DCE or NCA. | RFC1183 |
| ATMA | Asynchronous Transfer Mode address | Maps a DNS domain name in the owner field to an ATM address referenced in the atm_address field. | |
| CNAME | Canonical name or alias name | Maps a virtual domain name (alias) to a real domain name. | RFC1035 |
| HINFO | Host info record | Specifies the CPU and operating system type for the host. | RFC1700 |
| ISDN | ISDN info record | Maps an FQDN to an ISDN telephone number. | RFC1183 |
| KEY | Public key resource record | Contains a public key that is associated with a zone. In full DNSSEC (defined later in this chapter) implementation, resolvers and servers use KEY resource records to authenticate SIG resource records received from signed zones. KEY resource records are signed by the parent zone, allowing a server that knows a parent zone's public key to discover and verify the child zone's key. Name servers or resolvers receiving resource records from a signed zone obtain the corresponding SIG record, and then retrieve the zone's KEY record. | |
| MB | Mailbox name record | Maps a domain mail server name to the host name of the mail server. | RFC1035 |
| MG | Mail group record | Maps a domain mailing group to the mailbox resource records. | RFC1035 |
| MINFO | Mailbox info record | Specifies a mailbox for the person who maintains the mailbox. | RFC1035 |
| MR | Mailbox renamed record | Maps an old mailbox name to a new mailbox name for forwarding purposes. | RFC1035 |
| MX | Mail exchange record | Provides routing info to reach a given mailbox. | RFC974 |
| NS | Name server record | Specifies that the listed name server has a zone starting with the owner name. Identifies servers other than SOA servers that contain zone information files. | RFC1035 |
| NXT | Next resource record | Indicates the nonexistence of a name in a zone by creating a chain of all of the literal owner names in that zone. It also indicates which resource record types are present for an existing name. | |
| OPT | Option resource record | One OPT resource record can be added to the additional data section of either a DNS request or response. An OPT resource record belongs to a particular transport level message, such as UDP, and not to actual DNS data. Only one OPT resource record is allowed, but not required, per message. | |
| PTR | Pointer resource record | Points to another DNS resource record. Used for reverse lookup to point to A records. | RFC1035 |
| RP | Responsible person info record | Provides info about the server admin. | RFC1183 |
| RT | Route-through record | Provides routing info for hosts lacking a direct WAN address. | RFC1183 |
| SIG | Signature resource record | Encrypts an RRset to a signer's (the RRset's zone owner) domain name and a validity interval. | |
| SOA | Start of Authority resource record | Indicates the name of origin for the zone and contains the name of the server that is the primary source for information about the zone. It also indicates other basic properties of the zone. The SOA resource record is always first in any standard zone. It indicates the DNS server that either originally created it or is now the primary server for the zone. It is also used to store other properties such as version information and timings that affect zone renewal or expiration. These properties affect how often transfers of the zone are done between servers that are authoritative for the zone. | RFC1537 |
| SRV | Service locator record | Provides a way of locating multiple servers that provide similar TCP/IP services. | RFC2052 |
| TXT | Text record | Maps a DNS name to a string of descriptive text. | RFC1035 |
| WKS | Well-known services record | Describes the most popular TCP/IP services supported by a protocol on a specific IP address. | RFC1035 |
| X25 | X.25 info record | Maps a DNS address to a public switched data network (PSDN) address number. | RFC1183 |
The official IANA (Internet Assigned Numbers Authority) list of DNS parameters can be found at www.iana.org/assignments/dns-parameters, and a really good DNS glossary is available at www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm.
Installing and Configuring DNS
DNS can be installed and configured on any version of Windows Server 2008
Web Edition, Standard Edition, Enterprise Edition, or Datacenter Edition.
It is a network service that can be integrated with Active Directory (for security
and replication purposes), or as a stand-alone service. A Windows Server 2008
DNS can manage not only internal namespaces, but external (Internet-facing)
namespaces as well.
In the following examples, we will be installing DNS on a Windows Server
2008 Standard Server.
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary and click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, select DNS Server (see Figure 2.3), and then click Next.
Figure 2.3 Selecting the DNS Server Role
5. At the DNS Server window, read the overview, and then click Next.
6. Confirm your selections, and then click Install.
7. When installation is complete, click Close.
Next, we will configure some basic server settings:
1. Choose Start | Administrative Tools | DNS.
2. Find your server name in the left pane and double-click it. This will open the DNS configuration for this server (see Figure 2.4).
3. Look at the DNS properties of this server. Right-click the server name and
select Properties from the drop-down menu.
4. The first tab that opens is the Interfaces tab. This tab can be adjusted if
you have additional NICs in your server. This is particularly useful if you
only want DNS queries to be answered by systems on a particular subnet.
In general, you will likely leave it at the default of All IP Addresses.
5. Click the Root Hints tab. Notice there are multiple name servers with
different IP addresses (Figure 2.5). With root hints, any queries that cannot
be answered locally are forwarded to one of these root servers. Optionally,
we can clear our root hints by selecting them and clicking Remove.
Remove all of the servers, and click Forwarders.
Figure 2.4 The Opening DNS Configuration Data
6. On the Forwarders tab, we can specify where DNS queries that are not resolved locally will be resolved. As opposed to Root Hints, this gives us much more control over where our queries are sent. For example, we can click Edit and enter 4.2.2.1, a well-known DNS server. After you enter the IP address, click OK.
7. Look through the other tabs in the Properties dialog box. In particular, take a look at the Advanced tab (Figure 2.6). Notice the check box for BIND Secondaries; this makes it possible for BIND servers to make local copies of DNS databases. Also, look at the Enable Automatic Scavenging Of Stale Records option. With this option, you can specify the period before which DNS will perform a cleanup of old records.
Figure 2.5 DNS Root Hints
8. Click Apply to save the changes we made, and then click OK to close
the window.
We still have a lot to do with configuring a DNS server, but before we move on to configuring zones, let's walk through the process of installing DNS on a Windows Server 2008 Core Installation.
Using Server Core and DNS
As we discussed in Chapter 1, a Windows Server 2008 Core Server Installation
can be used for multiple purposes. One of the ways Server Core can be used is
to provide a minimal installation for DNS. In the coming sections, we will discuss
the various ways you can manipulate, manage, and configure DNS servers through
the various Windows Server 2008 DNS Graphical User Interfaces (GUIs): DNS
Manager and the Server Manager tool.
Figure 2.6 Advanced DNS Settings
However, as you will recall, no GUIs are provided with Windows Server 2008
Core Server. A number of advantages to running DNS within Server Core include:
■ Smaller Footprint: Reduces the amount of CPU, memory, and hard
disk needed.
■ More Secure: Fewer components and services running unnecessarily.
■ No GUI: No GUI means that users cannot make modifications to the DNS
databases (or any other system functions) using common/user-friendly tools.
If you are planning to run DNS within a Server Core install, several steps must
be performed prior to installation. The first step is to set the IP information of the
server. To configure the IP addressing information of the server, do the following:
1. Identify the network adapter. To do this, in the console window, type
netsh interface ipv4 show interfaces and record the number shown
under the Idx column.
2. Set the IP address, subnet mask, and default gateway for the server. To do so, type netsh interface ipv4 set address name=<ID> source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>. <ID> represents the interface number from step 1, <StaticIP> represents the IP address we will assign, <SubnetMask> represents the subnet mask, and <DefaultGateway> represents the IP address of the server's default gateway. See Figure 2.7 for our sample configuration.
Figure 2.7 Setting an IP Address in Server Core
3. Assign the IP address of the DNS server. If this server is part of an Active Directory domain and is replicating Active Directory-integrated zones (we will discuss those next), we would likely point this server to another AD-integrated DNS server. If it is not, we would point it to another external DNS server, usually the Internet provider of your company. From the console, type netsh interface ipv4 add dnsserver name=<ID> address=<DNSIP> index=1. <ID> represents the number from step 1, while <DNSIP> represents the IP address of the DNS server.
Once the IP address settings are completed (you can verify this by typing ipconfig /all), we can install the DNS role onto the Core Server installation:
4. To do this, from the command line, type start /w ocsetup DNS-Server-Core-Role.
5. To verify that the DNS Server service is installed and started, type NET
START. This will return a list of running services.
6. Use the dnscmd command-line utility to manipulate the DNS settings.
For example, you can type dnscmd /enumzones to list the zones hosted
on this DNS server.
7. We can also change all of the configuration options we modified in the
GUI section earlier by using the dnscmd /config option. For example,
we can enable BIND secondaries by typing dnscmd <servername>
/config /bindsecondaries 1. You can see the results in Figure 2.8.
Figure 2.8 Using the dnscmd Utility
There are many, many more things you can do with the dnscmd utility. For more information on the dnscmd syntax, visit http://technet2.microsoft.com/WindowsServer/en/library/d652a163-279f-4047-b3e0-0c468a4d69f31033.mspx.
So far, you have learned how to install and configure the DNS server; now we will discuss how to configure DNS zones.
Configuring Zones
We've mentioned zones several times already in this chapter. Simply put, a zone is the namespace allocated for a particular server. Each level of the DNS hierarchy represents a particular zone within DNS. For the actual DNS database, a zone is a contiguous portion of the domain tree that is administered as a single separate entity by a DNS server. The zone contains resource records for all of the names within the zone. If Active Directory-integrated zones are not being used, some zone files will contain the DNS database resource records required to define the zone. If DNS data is Active Directory-integrated, the data is stored in Active Directory, not in zone files.
■ Primary Zone With a primary zone, the server hosting this zone is
authoritative for the domain name. It stores the master copy of the domain
information locally. When the zone is created, a file with the suffix .dns is
created in the %windir%\System32\dns subdirectory of the DNS server.
■ Secondary Zone This is a secondary source, essentially a copy, of the primary DNS zone, with read-only capabilities.
■ Stub Zone Only stores information about the authoritative name servers
for a particular zone.
Primary and secondary zones are standard (that is, non-Active Directory
integrated) forward lookup zones. The principal difference between the two is the
ability to add records. A standard primary zone is hosted on the master servers in
a zone replication scheme. Primary zones are the only zones that can be edited,
whereas secondary zones are read-only and are updated only through zone transfer.
DNS master servers replicate a copy of their zones to one or more servers that host
secondary zones, thereby providing fault tolerance for your DNS servers. DNS
standard zones are the types of zones you should use if you do not plan on integrating
Active Directory with your DNS servers.
An Active Directory-integrated zone is basically an enhanced primary DNS zone stored in Active Directory and thus can, unlike all other zone types, use multimaster replication and Active Directory security features. It is an authoritative primary zone in which all of the zone data is stored in Active Directory. As mentioned previously, zone files are not used nor necessary. Integrating DNS with Active Directory produces the following additional benefits:
■ Speed Directory replication is much faster when DNS and Active Directory
are integrated. This is because Active Directory replication is performed on a
per-property basis, meaning that only changes that apply to particular zones are
replicated. Because only the relevant information is to be replicated, the time
required to transfer data between zones is greatly reduced. On top of this, a
separate DNS replication topology is eliminated because Active Directory
replication topology is used for both ADI zones and AD itself.
■ Reduced Administrative Overhead Any time you can reduce the
number of management consoles you have to work with, you can reduce
the amount of time needed to manage information. Without the advantage
of consolidating the management of DNS and Active Directory in the
same console, you would have to manage your Active Directory domains
and DNS namespaces separately. Moreover, your DNS domain structure
mirrors your Active Directory domains. Any deviation between Active
Directory and DNS makes management more time-consuming and creates
more opportunity for mistakes. As your network continues to grow and
become more complex, managing two separate entities becomes more
involved. Integrating Active Directory and DNS provides you with the
ability to view and manage them as a single entity.
■ Automatic Synchronization When a new domain controller is brought
online, networks that have integrated DNS and Active Directory have the
advantage of automatic synchronization. Even if a domain controller will
not be used to host the DNS service, the ADI zones will still be replicated,
synchronized, and stored on the new domain controllers.
■ Secure Dynamic DNS Additional features have been added that
enhance the security of secure dynamic updates. These features will be
discussed in the DNS Security Guidelines section later in this chapter.
A reverse lookup zone is an authoritative DNS zone that is used primarily to resolve IP addresses to network resource names. This zone type can be primary, secondary or Active Directory-integrated. Reverse lookups traverse the DNS hierarchy in exactly the same way as the more common forward lookups.
Stub zones are a new feature introduced in Windows Server 2008. They contain a partial copy of a zone that can be hosted by a DNS server and used to resolve recursive or iterative queries. A recursive query is a request from a host to a resolver to find data on other name servers. An iterative query is a request, usually made by a resolver, for any information a server already has in memory for a certain domain name. Stub zones contain the Start of Authority (SOA) resource records of the zone, the DNS resource records that list the zone's authoritative servers, and the glue address (A) resource records that are required for contacting the zone's authoritative servers. Stub zones are useful for reducing the number of DNS queries on a network, and consequently the resource consumption on the primary DNS servers for that particular namespace. Basically, stub zones are used to find other zones and can be created in the middle of a large DNS hierarchy to prevent a query for a distant zone within the same namespace from having to ascend, traverse, and return over a multitude of zones.
Windows Server 2008 also allows for a special type of Primary Zone, known as an AD-integrated zone, which basically means that the data is stored within Active Directory Domain Services, and is replicated to other DNS servers during normal AD replication periods. AD-integrated zones offer a number of benefits, including:
■ Secure Dynamic Updates Systems that are authenticated by Active
Directory can update their DNS records. This allows name resolution for
clients and servers while eliminating DNS poisoning by rogue systems that
create DNS records.
■ Automatic Synchronization Zones are created and synchronized to
new domain controllers (with DNS installed) automatically.
■ Efficient Replication Less data is replicated since only relevant changes
are propagated.
TEST DAY TIP
Don't underestimate the importance of Secure Dynamic Updates on
the exam. They are essential to providing security when using dynamic
updates in two different ways. First, they provide enhanced security,
which prevents guests (computers that are not part of Active Directory)
from being able to update DNS independently. The second important
feature ties directly to application-push and client management technologies,
such as System Center Configuration Manager. By having a
constantly refreshed (and accurate) database of clients, it makes technologies
such as client management tools much more accurate and useful.
Zone Transfer
Zone transfer is the process of copying the contents of the zone file on a primary
DNS server to a secondary DNS server. Using zone transfer provides fault tolerance
by synchronizing the zone file in a primary DNS server with the zone file in
a secondary DNS server. The secondary DNS server can continue performing name
resolution if the primary DNS server fails. Furthermore, secondary DNS servers
can transfer to other secondary DNS servers in the same hierarchical fashion, which
makes the higher-level secondary DNS server a master to other secondary servers.
Three transfer modes are used in a Windows Server 2008 DNS configuration:
■ Full Transfer When you bring a new DNS server online and configure it
to be a secondary server for an existing zone in your environment, it will
perform a full transfer of all the zone information in order to replicate all
the existing resource records for that zone. Older implementations of the
DNS service also used full transfers whenever updates to a DNS database
needed to be propagated. Full zone transfers can be very time-consuming
and resource-intensive, especially in situations where there isn't sufficient
bandwidth between primary and secondary DNS servers. For this reason,
incremental DNS transfers were developed.
■ Incremental Transfer When you are using incremental zone transfers, the
secondary server retrieves only resource records that have changed within
a zone, so that it remains synchronized with the primary DNS server. When
incremental transfers are used, the databases on the primary server and
the secondary server are compared to see if any differences exist. If the
zones are identified as the same (based on the serial number of the Start
of Authority resource record), no zone transfer is performed. If, however,
the serial number on the primary server database is higher than the serial
number on the secondary server, a transfer of the delta resource records
commences. Because of this configuration, incremental zone transfers
require much less bandwidth and create less network traffic, allowing them
to finish faster. Incremental zone transfers are often ideal for DNS servers
that must communicate over low-bandwidth connections.
■ DNS Notify The third method for transferring DNS zone records isn't actually a transfer method at all. To avoid the constant polling of primary DNS servers from secondary DNS servers, DNS Notify was developed as a networking standard (RFC 1996) and has since been implemented into the Windows operating system. DNS Notify allows a primary DNS server to utilize a push mechanism for notifying secondary servers that it has been updated with records that need to be replicated. Servers that are notified can then initiate a zone transfer (either full or incremental) to pull zone changes from their primary servers as they normally would. In a DNS Notify configuration, the IP addresses for all secondary DNS servers in a DNS configuration must be entered into the notify list of the primary DNS server to pull, or request, zone updates.
Each of the three methods has its own purpose and functionality. How you
handle zone transfers between your DNS servers depends on your individual
circumstances.
TEST DAY TIP
Remember that full and incremental transfers actually transfer the data
between the DNS servers, and that DNS Notify is not a mechanism for
transferring zone data. It is used in conjunction with AXFR (Full Transfer)
and IXFR (Incremental Transfer) to notify a secondary server that new
records are available for transfer.
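To make the serial-number logic behind full and incremental transfers concrete, here is an added Python model (not code from the book or from the Windows DNS service) of a primary server with a change journal and a secondary that decides, as described above, whether it needs nothing, an incremental delta, or a full copy. The zone records, names and serial values are constructed sample data, and the wrap-around serial comparison follows RFC 1982, which goes a step beyond the book's "higher serial number" wording.

```python
from dataclasses import dataclass, field

SERIAL_MASK = 0xFFFFFFFF   # SOA serials are unsigned 32-bit values
HALF_SPACE = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """Is serial a newer than serial b?

    Serials wrap at 2**32, so this is RFC 1982 sequence-space comparison
    rather than a plain integer '>' (an assumption added here; the book only
    says the primary's serial must be 'higher').
    """
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    if a == b:
        return False
    return (a > b and a - b < HALF_SPACE) or (a < b and b - a > HALF_SPACE)


@dataclass
class Zone:
    """One copy of a zone: its SOA serial and a set of (owner, type, rdata) records."""
    serial: int
    records: set


@dataclass
class PrimaryServer:
    zone: Zone
    # Change journal, one entry per edit:
    # (serial before, serial after, records removed, records added).
    journal: list = field(default_factory=list)

    def update(self, removed, added):
        """Edit the master copy, bump the SOA serial and record the delta."""
        before = self.zone.serial
        self.zone.records -= set(removed)
        self.zone.records |= set(added)
        self.zone.serial = (before + 1) & SERIAL_MASK
        self.journal.append((before, self.zone.serial,
                             frozenset(removed), frozenset(added)))

    def trim_journal(self, keep_last: int):
        """Drop old entries, as a server with a bounded journal does."""
        self.journal = self.journal[-keep_last:]


def plan_transfer(primary: PrimaryServer, secondary_serial: int):
    """What a secondary holding secondary_serial must pull.

    Returns ("none", None), ("ixfr", journal entries) or ("axfr", full Zone).
    This is the comparison a secondary performs at its refresh interval or
    after receiving a DNS NOTIFY from the primary.
    """
    if not serial_gt(primary.zone.serial, secondary_serial):
        return "none", None   # serials equal (or secondary newer): nothing to do
    for idx, entry in enumerate(primary.journal):
        if entry[0] == secondary_serial:
            # Deltas chained from the secondary's serial: incremental transfer.
            return "ixfr", primary.journal[idx:]
    # The journal no longer reaches back to the secondary's serial, so an
    # incremental transfer is impossible: fall back to a full transfer.
    return "axfr", Zone(primary.zone.serial, set(primary.zone.records))


def apply_transfer(secondary: Zone, kind: str, payload) -> Zone:
    """Apply the planned transfer to the secondary's read-only copy."""
    if kind == "none":
        return secondary
    if kind == "axfr":
        secondary.serial = payload.serial
        secondary.records = set(payload.records)
        return secondary
    for before, after, removed, added in payload:
        if before != secondary.serial:
            raise ValueError("IXFR delta does not chain from the secondary's serial")
        secondary.records -= removed
        secondary.records |= added
        secondary.serial = after
    return secondary


if __name__ == "__main__":
    # Constructed sample zone for uccentral.ads, the lab domain used in the text.
    primary = PrimaryServer(Zone(2008010101, {("dc1.uccentral.ads.", "A", "192.168.1.10")}))
    secondary = Zone(2008010101, {("dc1.uccentral.ads.", "A", "192.168.1.10")})
    print(plan_transfer(primary, secondary.serial)[0])   # none
    primary.update([], [("widgetserver.uccentral.ads.", "CNAME", "dc1.uccentral.ads.")])
    kind, payload = plan_transfer(primary, secondary.serial)
    print(kind, apply_transfer(secondary, kind, payload) == primary.zone)   # ixfr True
```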
Let's take a look at how to create a new DNS zone:
1. Choose Start | Administrative Tools | DNS.
2. In the console tree, double-click your server, and then click Forward
Lookup Zones.
3. Right-click Forward Lookup Zones, and then select New Zone.
4. The New Zone Wizard appears. Click Next (see Figure 2.9).
5. On the Zone Type page, click Primary zone and then click Next.
6. On the Active Directory Zone Replication Scope page, click Next.
7. On the Zone Name page, in the Name field, type a name for a test zone
(Figure 2.10), and then click Next.
Figure 2.9 The New Zone Wizard
Figure 2.10 The Zone Name Page
8. On the Zone File page, click Next.
9. On the Dynamic Update page, choose Allow Both Nonsecure And
Secure Dynamic Updates and click Next.
10. On the Completing The New Zone Wizard page, click Finish.
Active Directory Records
If you turned on dynamic updates in the previous exercise, and you have Active
Directory loaded on your server, reboot your system.
After your system reboots, notice the following new records in your zone.
■ _ldap._tcp.<DNSDomainName> Enables a client to locate a domain controller in the domain named by <DNSDomainName>. A client searching for a domain controller in the domain uccentral.ads would query the DNS server for _ldap._tcp.uccentral.ads.
■ _ldap._tcp.<SiteName>._sites.<DNSDomainName> Enables a
client to find a domain controller in the domain and site specified (such as
_ldap._tcp.lab._sites.uccentral.ads for a domain controller in the Lab site of
uccentral.ads).
■ _ldap._tcp.pdc._msdcs.<DNSDomainName> Enables a client to find
the PDC Emulator flexible single master operations (FSMO) role holder of
a mixed- or native-mode domain. Only the PDC of the domain registers
this record.
■ _ldap._tcp.gc._msdcs.<DNSForestName> Found in the zone
associated with the root domain of the forest, this enables a client to find
a Global Catalog (GC) server. Only domain controllers serving as GC
servers for the forest will register this name. If a server ceases to be a GC
server, the server will deregister the record.
NOTE
Normally, when configuring Dynamic Updates, you should choose the
Secure Only option. For lab purposes in this book, however, you can
choose Allow Both Nonsecure And Secure Dynamic Updates.
■ _ldap._tcp.<SiteName>._sites.gc._msdcs.<DNSForestName> Enables a client to find a GC server in the specified site (such as _ldap._tcp.lab._sites.gc._msdcs.uccentral.ads).
■ _ldap._tcp.<DomainGuid>.domains._msdcs.<DNSForestName>
Enables a client to find a domain controller in a domain based on the domain
controller's globally unique ID (GUID). A GUID is a 128-bit (8 byte)
number that is generated automatically for the purpose of referencing
Active Directory objects. This mechanism and these records are used by
domain controllers to locate other domain controllers when they need to
replicate, for example.
■ <DNSDomainName> Enables a client to find a domain controller via
a normal Host (A) record.
Special records specifically associated with Active Directory allow servers and
clients to interact with Active Directory services in a meaningful way.
Reverse Lookup Zones
As mentioned earlier, a reverse lookup zone is an authoritative DNS zone that is used
primarily to resolve IP addresses to network resource names. This zone type can be
primary, secondary, or Active Directory-integrated. Reverse lookups traverse the
DNS hierarchy in exactly the same way as the more common forward lookups.
To handle reverse lookups, a special root domain called in-addr.arpa was created.
Subdomains within the in-addr.arpa domain are created using the reverse ordering
of the octets that form an IP address. For example, the reverse lookup domain for
the 192.168.100.0/24 network would be 100.168.192.in-addr.arpa. The reason the
IP addresses are inverted is that IP addresses, when read from left to right, get more
specific; the IP address starts with the more general information first. FQDNs, in
contrast, get more general when read from left to right; the FQDN starts with a
specific host name.
In order for reverse lookup zones to work properly, they use a special RR
called a PTR record that provides the mapping of the IP address in the zone to
the FQDN.
Reverse lookup zones are used by certain applications, such as NSLookup (an important diagnostic tool that should be part of every DNS administrator's arsenal). If a reverse lookup zone is not configured on the server to which NSLookup is pointing, you will get an error message when you invoke the nslookup command.
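As an added example (not from the book), the following Python builds the reversed in-addr.arpa and ip6.arpa zone names described above for both IPv4 and IPv6 prefixes, derives the PTR owner name of a single address, and checks which configured reverse lookup zone, if any, would hold that PTR record. The addresses and prefixes are the chapter's sample values; the function names are my own.

```python
import ipaddress
from typing import Optional


def ptr_name(address: str) -> str:
    """Owner name of the PTR record for one IPv4 or IPv6 address.

    Octets (IPv4) or hex nibbles (IPv6) are written in reverse order, so the
    name gets more general from left to right like any other FQDN.
    """
    return ipaddress.ip_address(address).reverse_pointer


def reverse_zone_name(network: str) -> str:
    """Name of the reverse lookup zone that covers a network prefix.

    in-addr.arpa zones are cut on octet boundaries and ip6.arpa zones on
    nibble boundaries; other prefix lengths would need classless delegation,
    which this example does not model.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need a prefix length that is a multiple of 8")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a prefix length that is a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def zone_for_ptr(address: str, reverse_zones) -> Optional[str]:
    """Which configured reverse zone (if any) would hold this address's PTR record.

    The most specific (longest) matching zone wins. None means a client trying
    to register its PTR record has no zone on the intranet to register into,
    the situation the "Head of the class" sidebar warns about.
    """
    owner = ptr_name(address)
    matches = [z for z in reverse_zones if owner.endswith("." + z.rstrip("."))]
    return max(matches, key=len) if matches else None


if __name__ == "__main__":
    # Sample values from the chapter's lab: the 192.168.1.x subnet, the IPv6
    # prefix 2001:0db8:29cd:1a0f::/64 and the address assigned to dc1.
    zones = [reverse_zone_name("192.168.1.0/24"),
             reverse_zone_name("2001:0db8:29cd:1a0f::/64")]
    print(zones)
    print(ptr_name("2001:0db8:29cd:1a0f:857b:455b:b4ec:7403"))
    print(zone_for_ptr("192.168.1.10", zones))   # 1.168.192.in-addr.arpa
    print(zone_for_ptr("10.0.0.5", zones))       # None
```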
Configuring Reverse Lookup Zones
Now, we need to create a matching reverse lookup zone. This will handle reverse
resolution for our subnet. In this case, it is 192.168.1.x.
1. Choose Start | Administrative Tools | DNS.
2. In the console tree, click Reverse Lookup Zones.
3. Right-click Reverse Lookup Zones, and then click New Zone.
4. When the New Zone Wizard appears, click Next.
5. On the Zone Type page, select Primary Zone, and then click Next.
6. On the Reverse Lookup Zone Name page, make sure IPv4 is selected,
and then click Next.
7. On the Reverse Lookup Zone Name page (Figure 2.11), in the
Network ID field, type the start of the subnet range of your network
(in this case, 192.168.1.x), and then click Next.
Head of the class ...
Security Considerations for the
Presence of a Reverse Lookup Zone
Being able to make NSLookup work against your DNS servers is not the
only, or most important, reason why you should configure reverse lookup
zones. Applications on your internal network, such as DNS clients that are
trying to register PTR records in a reverse lookup zone, can leak information
about your internal network out to the Internet if they cannot
find a reverse lookup zone on the intranet. To prevent this information
from leaking from your network, you should configure reverse lookup
zones for the addresses in use on your network.
8. On the Zone File page, click Next.
9. On the Dynamic Update page, click Next.
10. On the Completing The New Zone Wizard page, click Finish.
Now we need to enable IPv6 so we can offer domain name resolution for clients who may use IPv6 as opposed to IPv4. We're also going to need it if we want to enable IPv6 DHCP addressing later in this chapter.
First, we need to set an IPv6 address for our server. To do so, perform the
following steps:
1. Choose Start and right-click Network.
2. Select Properties from the drop-down menu.
3. Click Manage Network Connections.
Figure 2.11 The Reverse Lookup Zone Name Page
4. Right-click the Network connection and choose Properties.
5. Double-click Internet Protocol Version 6 (TCP/IPv6).
6. Click the radio button for Use The Following IPv6 Address. If you are not familiar with IP addressing, you can use 2001:0db8:29cd:1a0f:857b:455b:b4ec:7403.
7. Enter a Subnet prefix length of 64.
8. Your preferred DNS server would be the same as that mentioned earlier
(your IPv6 address).
9. Close the Network Connections window and re-open the DNS
administrator console.
10. In the console tree, click Reverse Lookup Zones.
11. Right-click Reverse Lookup Zones, and then click New Zone.
12. When the New Zone Wizard appears, click Next.
13. On the Zone Type page, select Primary Zone, and then click Next.
14. On the Reverse Lookup Zone Name page, make sure IPv6 is selected,
and then click Next.
15. In the Reverse Lookup Zone Name field, type in the prefix 2001:0db8:29cd:1a0f::/64, and then click Next.
16. On the Dynamic Update page, choose Allow Both Nonsecure And Secure Dynamic Updates (for testing purposes in this book only; normally, you should use Secure Only), and click Next.
17. Click Finish to create the New Zone.
18. To create an IPv6 record, right-click the Primary Lookup Zone for your
domain (in our lab, it is uccentral.ads), and then click New Host.
19. In the Name field, enter the name of your server. Our server name
is dc1.
20. In the IP address field, enter the IPv6 address we set for the server.
21. Verify that Create Associated Pointer (PTR) Record is checked, and
click Add Host.
You should now see a new AAAA record for the server, as well as a new PTR
record in the Reverse Lookup Zone we created.
Configuring & Implementing
Developing the DNS Design for Your Network
There are few limitations to developing DNS designs and deploying the service thereafter. You should consider the following points during your design process:
■ Each domain contains a set of resource records. Resource records map names to IP addresses or vice versa, depending on which type of record it is. Special resource records exist to identify types of servers on the networks. For example, an MX resource record identifies a mail server.
■ If the organization has a large number of hosts, use subdomains to speed up the DNS response.
■ The only limitation to using subdomains on a single DNS server is the server's own memory and disk capacity.
■ A zone contains one or more domains and their resource records. Zones can contain multiple domains if they have a parent and child relationship.
■ A DNS server with a primary zone is authoritative for the zone, and updates can be made on that server. There can only be one primary zone for each zone defined.
■ A DNS server with a secondary zone contains a read-only copy of the zone. Secondary zones provide redundancy and speed up query responses by being placed near the computers that place DNS queries.
■ DNS servers can use primary and secondary zones whether they are running Windows Server 2008 or are a third-party DNS server.
Now you can double-click the Forward Lookup Zones and Reverse Lookup Zones and view the zones you have created. The zones will be displayed in the console pane under the appropriate zone type. From here, you can add records by right-clicking the zone and selecting the type of record you want to create. Likewise, you can right-click the zone and select Properties to modify the properties of the zone. Some of the properties you can modify include:
■ Dynamic Updates: The ability for clients to automatically update
DNS records.
■ Zone Type: You can change a zone type from Primary, to Secondary, or to Stub Zone. If Active Directory is installed, you can also make the zone Active Directory-integrated.
■ WINS integration: We will discuss this later in the chapter, but this is
where you can involve WINS resolution with DNS resolution.
■ Name Servers: You can add the names and IP addresses of servers that
have the rights to create copies of the DNS zone.
■ Zone Transfer: Here, you can specify whether the zone can be transferred
to another DNS server. You can also specify whether it can be transferred
to any server, only the servers in the Name Servers tab (discussed earlier),
or to only specific DNS servers by IP address or FQDN.
Configuring Zone Resolution
There is a new name resolution feature available with the release of Windows Server 2008: GlobalNames zones. The GlobalNames zone was introduced to help phase out the Windows Internet Naming Service (WINS), which we will discuss later. However, it is important to note that the GlobalNames zone is not intended to support the same type of name resolution provided in WINS, whose records typically are not managed by IT administrators. After the configuration of the GlobalNames zone, you are responsible for management of all records in the zone, as there are no dynamic updates.
So, where this is really relevant is within organizations that have multiple domain
names. Without single-label names (also known as NetBIOS names), Windows-based
computers will append DNS suffixes based on the order provided, either via the
individual TCP/IP settings of the client, DHCP settings, or Group Policy settings.
Again, the key here is that if there are MULTIPLE domain names an organization
must manage, they may find it easier to use the GlobalNames zone since the
GlobalNames zone records can be configured globally for the single-label names.
Records that are contained within the GlobalNames zone are known as global names.
Several prerequisites must be met before using the GlobalNames zone:
■ No existing DNS zone can be named GlobalNames.
■ All authoritative DNS servers must be running Windows Server 2008.
■ All DNS servers running on Windows Server 2008 must store a local copy
of the GlobalNames zone or must be able to remotely communicate with
a server that does.
■ The GlobalNames Zone Registry setting must be enabled on the server. This can be done by typing dnscmd <hostname> /config /enableglobalnamessupport 1.
Lets walk through the steps in configuring a GlobalNames zone:
1. Choose Start.
2. Right-click Command Prompt and select Run As Administrator.
3. At the command prompt, type dnscmd <hostname> /config /enableglobalnamessupport 1.
4. Close the command-line prompt.
5. Select Start | Administrative Tools | DNS.
6. Right-click your DNS server, and then click New Zone to open the
New Zone Wizard.
7. Create a new zone and give it the name GlobalNames (see Figure 2.12).
Figure 2.12 Creating a GlobalNames Zone
8. Complete the remaining configuration options as we have done previously,
and then click Finish to complete the process.
Next, we will create a CNAME record for use with the GlobalNames zone:
1. Right-click the GlobalNames zone now available under the Forward
Lookup Zones.
2. Select New Alias (CNAME).
3. Enter the alias of the server. For example, we can name it widgetserver.
4. Enter the FQDN of the target host. In this case, it will be our DNS server
for testing purposes: dc1.uccentral.ads. If you do not have a record for
your server, you may need to stop the CNAME process, and create an
A record in the primary zone for your domain.
5. Click OK.
To test the GlobalNames zone record, simply go to the command prompt of a
client PC and type ping gnztest. This will return the IP address as expected.
Configuring Dynamic Host
Configuration Protocol (DHCP)
The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows
administrators to manage and automate the assignment of IP addresses in a centralized
console. Without DHCP, the IP address must be statically configured on
each computer. This isn't such a big deal in a small (ten clients or fewer) environment,
but when you get into significantly larger environments, static IP address management
can become a nightmare. Factor in the mobility of laptops, and the need to be able
to connect to other networks dynamically, and you'll find it's almost impossible in
today's world not to use DHCP.
TEST DAY TIP
Review the way in which DHCP traffic is affected by placement of DHCP
servers. For example, when servers are placed locally, the traffic remains
on the subnet. You should also understand how subnetting works when
designing DHCP scopes. For more information on DHCP placement,
you should visit the following Microsoft TechNet site:
http://technet2.microsoft.com/WindowsServer/en/library/3040afd1-e82b-4ded-8fcdaa8fe021fcc11033.mspx?mfr=true.
The way DHCP works is fairly simple. Using a client/server model, a DHCP
server maintains a pool of IP addresses. DHCP clients request and obtain leases
for IP addresses during the boot process. DHCP was derived from the Bootstrap
Protocol (BOOTP), which was a protocol typically used to allow clients to boot
from the network rather than from a hard drive. Through this boot process, BOOTP
assigned an IP address dynamically to the client computer.
Some benefits of using a Windows Server 2008 DHCP server include:
■ DNS integration: Windows Server 2008 DHCP integrates directly with
DDNS. When a computer obtains a lease for an IP address, the DHCP
server can then register or update the computer's Address (A) records and
pointer (PTR) records in the DNS database via Dynamic DNS on behalf of
the client computer. The result of the two (DHCP used with DDNS) is
true dynamic IP address management. Any computer can start up on the
network and receive an IP address that is further registered in the DNS
name server.
■ Multicast address allocation: The Windows Server 2008 DHCP can
assign IP addresses to multicast groups in addition to the standard individual
hosts. Multicast addresses are used to communicate with groups such as
server clusters using network load balancing.
■ Detection of unauthorized DHCP servers: By restricting DHCP
servers to those that are authorized, you can prevent conflicts and problems
on the network. An administrator must configure Active Directory to
recognize the DHCP server before it begins functioning on the network.
The Windows Server 2008 DHCP service contacts Active Directory to
determine whether it is an authorized DHCP server. Active Directory also
enables you to configure which clients a DHCP server can service.
■ Enhanced monitoring: With the Windows Server 2008 DHCP service,
you have the ability to monitor the pool of IP addresses and receive
notification when the address pool is utilized at a threshold level. For
example, you might monitor for a threshold of 90 percent or above.
■ Vendor and user classes: Vendor and user classes enable you to distinguish
the types of machines that are obtaining DHCP leases. For example, you can
use a predefined class to determine which users are remote access clients.
■ Clustering: Windows Server 2008 DHCP services support clustering.
Through a cluster, you can ensure a higher reliability and availability of
DHCP services to clients.
The negotiation process consists of only four messages, two from the client and
two from the server. The first message is the DHCP Discover message from the
client to the server. This message looks to a DHCP server and asks for an IP address
lease. The second message is the DHCP Offer message responding from the server
to the client. A DHCP Offer tells the client that the server has an IP address available.
The third message is a DHCP Request message from the client to the server. In this
message, the client accepts the offer and requests the IP address for lease. The fourth
and final message is the DHCP Acknowledge message from the server to the client.
With the DHCP Acknowledge message, the server officially assigns the IP address
lease to the client. Each DHCP server requires a statically applied IP address.
DHCP was originally introduced in RFC 2131 back in March of 1997 (http://
www.rfc-editor.org/rfc/rfc2131.txt). Since the inception of DHCP, a number of add-on
DHCP options have made it possible to disburse even more IP-related information
to clients, making IP management much more flexible for IT administrators.
DHCP Design Principles
DHCP is heavily reliant on network topology, and is heavily relied upon by the
hosts within a network. For DHCP to function at an optimal level, client computers
must be able to access at least one DHCP server at all times.
When developing a DHCP approach for your network, you must consider
several things first:
■ How many clients will be using DHCP for IP addresses?
■ Where are these clients located and what roles do they have?
■ What does the network topology look like?
■ Are there any unstable WAN links that might cause a network outage if
DHCP clients cannot contact a DHCP server for an IP address lease?
■ Are there any clients that cannot use DHCP?
■ Are there any clients that will be using BOOTP?
■ Which IP addresses are dedicated and must be held outside the IP address
pool?
■ Will you be using Dynamic DNS?
DHCP clients do not wait for the DHCP lease to be over before beginning
renewal. Instead, they begin the renewal at the point when 50 percent of the lease
is up. For example, when a client has a ten-day lease, then after five days, the client
sends the DHCP Request message to the DHCP server. If the server agrees to
renew the lease, it responds with a DHCP Acknowledge message. If the client does
not receive the DHCP Acknowledge response, the client waits for 50 percent of the
remaining time (7.5 days after the original lease was made) before sending another
DHCP Request message. This is repeated at 50 percent of that remaining time (8.75 days
after the original IP address lease). If the client cannot renew the address, or if the
DHCP server sends a DHCP Not Acknowledged response, the client must begin
a new lease process.
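The four-message negotiation from the previous section and the renewal timing just described, as an added example that is not from the book: a small Python encoder and parser for DHCP messages (the RFC 2131 fixed header followed by RFC 2132 options), run through DISCOVER, OFFER, REQUEST and ACK on constructed values (server 192.168.1.10, offered lease 192.168.1.200, router 192.168.1.1 and a ten-day lease are all assumed), plus a function that computes when the client retries renewal. The option codes are the standard ones: 53 is the message type, 51 the lease time, 54 the server identifier, 50 the requested address, 3 the Router option and 6 the DNS Servers option.

```python
"""DHCP four-message exchange and lease renewal timing (added example, not from the book)."""
import socket
import struct

# RFC 2132 option codes used below.
OPT_ROUTER, OPT_DNS, OPT_REQUESTED_IP = 3, 6, 50
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHHIIII16s64s128s"    # the 236-byte fixed header of RFC 2131

# Constructed sample values; not taken from any real network.
CLIENT_MAC = bytes.fromhex("001122334455")
XID = 0x3903F326
SERVER_IP, OFFERED_IP = "192.168.1.10", "192.168.1.200"


def ip(addr):
    """Dotted-quad string to the 4-byte form carried inside options."""
    return socket.inet_aton(addr)


def build_packet(op, msg_type, yiaddr="0.0.0.0", options=None):
    """Encode one DHCP message: fixed header, magic cookie, then TLV options.
    op is 1 for client messages (BOOTREQUEST) and 2 for server messages (BOOTREPLY)."""
    header = struct.pack(
        HEADER_FMT, op, 1, 6, 0, XID, 0, 0x8000,        # htype=Ethernet, hlen=6, broadcast flag set
        0, int.from_bytes(ip(yiaddr), "big"), 0, 0,     # ciaddr, yiaddr, siaddr, giaddr
        CLIENT_MAC.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in (options or {}).items():
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_packet(raw):
    """Decode a DHCP message into its header fields and an {option code: bytes} map."""
    fields = struct.unpack(HEADER_FMT, raw[:236])
    if raw[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    options, i = {}, 240
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == 0:                 # pad option has no length byte
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        options[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4],
            "yiaddr": socket.inet_ntoa(struct.pack("!I", fields[8])),
            "chaddr": fields[11][:fields[2]], "options": options}


def negotiate():
    """Run the four-message exchange on the sample values and return the
    message types in order plus what the client learns from the final ACK."""
    server_opts = {OPT_SERVER_ID: ip(SERVER_IP), OPT_LEASE: struct.pack("!I", 864000),  # ten days
                   OPT_ROUTER: ip("192.168.1.1"), OPT_DNS: ip(SERVER_IP)}
    wire = [
        build_packet(1, DISCOVER),                                   # client: any server, I need a lease
        build_packet(2, OFFER, OFFERED_IP, server_opts),             # server: this address is available
        build_packet(1, REQUEST, options={OPT_REQUESTED_IP: ip(OFFERED_IP),
                                          OPT_SERVER_ID: ip(SERVER_IP)}),  # client: I accept that offer
        build_packet(2, ACK, OFFERED_IP, server_opts),               # server: the lease is assigned
    ]
    parsed = [parse_packet(p) for p in wire]
    ack = parsed[-1]
    return {"types": [p["options"][OPT_MSG_TYPE][0] for p in parsed],
            "address": ack["yiaddr"],
            "router": socket.inet_ntoa(ack["options"][OPT_ROUTER]),
            "dns": socket.inet_ntoa(ack["options"][OPT_DNS]),
            "lease_seconds": struct.unpack("!I", ack["options"][OPT_LEASE])[0]}


def renewal_schedule(lease_days, attempts=3):
    """Days after lease start at which the client sends a renewal REQUEST:
    half the lease first, then half of whatever remains each time no ACK
    arrives. A NAK at any of these points sends the client back to DISCOVER."""
    times, t = [], 0.0
    for _ in range(attempts):
        t += (lease_days - t) / 2
        times.append(t)
    return times


if __name__ == "__main__":
    print(negotiate())
    print(renewal_schedule(10))    # [5.0, 7.5, 8.75]
```

Running the block prints the parsed ACK and the retry points of 5, 7.5 and 8.75 days for a ten-day lease, matching the text above. The op field reflects the BOOTP heritage mentioned earlier: client messages carry op 1 (BOOTREQUEST) and server messages op 2 (BOOTREPLY). Because a DISCOVER is a broadcast that any host may answer with an OFFER, this exchange is also why the Active Directory authorization of DHCP servers described later in the chapter matters.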
DHCP has only a couple of design requirements:
■ You should have at least two DHCP servers to ensure redundancy. You can
use clustering to ensure availability, but also keep in mind that two separate
DHCP servers at different locations in the network can prevent DHCP
problems resulting from a network link failure.
■ You must either provide a DHCP server on each network segment or configure
routers in between those segments to forward the DHCP messages.
When planning the DHCP servers, the network topology comes into play. It is
critical you place DHCP servers at locations most available to the computers that
need IP addresses.
DHCP Servers and Placement
The number of DHCP servers you need on a network is driven by the number of
clients, availability requirements for the DHCP server, and the network topology.
The number of clients a DHCP server can serve varies based on the hardware of
the server and whether it provides multiple roles or is strictly a DHCP server. Most
can provide IP addresses to thousands of hosts. Server hardware that will have the
greatest impact on DHCP performance includes the network interface and hard
disk. The faster the network interface card (NIC) and disk access, the better. In
addition, multiple NICs will greatly improve performance, since NIC speed in no
way compares to the speed of the internal PC hardware, and adding NICs literally
relieves a bottleneck.
The availability of the DHCP services to the network drives multiple DHCP
servers. You must have at least two DHCP servers. You might want to cluster the
server if you have a large scope of addresses that are provided to a network segment.
The network topology will drive additional servers as well. This is something
that must be reviewed and then planned. Ideally, a network should have a DHCP
server on each segment, although this becomes impractical. Because you can configure
routers to forward DHCP requests using a DHCP Relay Agent, you can place
DHCP servers at any location on the network. Therefore, you should probably look
at the unstable WAN links as the deciding factors for additional DHCP servers.
A network that has a highly unstable satellite link to a location that has thousands
of clients will require its own DHCP server. However, a network with a highly
unstable satellite link to a location that has only a few clients will probably be
better served by a statically applied IP address or alternate IP configuration used
with DHCP from across the link.
Installing and Configuring DHCP
Installing DHCP in Windows Server 2008 is as simple as adding another role to
a server. Some additional steps must be taken, however, to authorize the DHCP
server. Back in Windows 2000 Server, Microsoft introduced the concept of
authorizing a DHCP server. Microsoft did this because of the problem of rogue
DHCP servers: servers that users would install on the network, and configure
to hand out IP addresses, thus causing problems with production DNS servers.
The problem with rogue DHCP servers was that IP addresses that were handed
out would either:
■ Overlap with existing IP addresses in the network, causing a conflict
■ Hand out correct IP addresses, but possibly hand out other incorrect
information, such as DNS, WINS, Subnet Mask, and Gateway information
■ Hand out a completely incorrect range of IP addresses
■ Create unnecessary traffic on the network
During the installation process, we will walk through installing the DHCP role,
configuring DHCP settings, and authorizing the DHCP server. Let's begin.
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary and click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, select DHCP Server, and then
click Next.
5. Click Next to get through the DNS Server settings. This screen is verifying
the IP address of our DNS server, which will be passed to clients.
6. Click Next again to skip the WINS settings. If WINS was running
(we will discuss WINS later), we could select the WINS server here.
Next, we need to configure a DHCP scope. A DHCP scope is a range of IP
addresses (as well as additional IP options, such as gateway, DNS servers, and WINS
servers) that can be handed out by a DHCP server. In the first example, we are
going to configure both an IPv4 and IPv6 scope.
Now, let's configure our scope:
1. Click Add to add a new DHCP Scope.
2. In the Scope Name field, type Internal Scope.
3. In the Starting IP Address field, type 192.168.1.200, or any IP range
you have available on your network.
4. In the Ending IP Address field, type the end of your scope. We will use
192.168.1.220.
5. In the Subnet Mask field, enter the subnet mask of your network. Our
subnet mask is 255.255.255.0.
6. Skip the default gateway for now; we will add this later.
7. Choose Wired as the Subnet type, but click the down arrow to see the
Wireless option.
8. Verify that Activate This Scope is checked (see Figure 2.13), and then
click OK.
TEST DAY TIP
You should understand the 80/20 rule for DHCP. The 80/20 rule means
that IP scopes should be split between two DHCP servers, so server A can
distribute 80 percent of IP addresses, while server B can hand out the
remaining 20 percent of IP addresses. In this scenario, you would now
have fault tolerance for your subnets. The idea behind the 80/20 rule is
that during the period in which server A is unavailable, the other server
can service requests for addresses.
9. Click Next once your scope is added.
10. Determine what to do with IPv6 clients. We want to manage IPv6 clients
through DHCP when necessary. To do this, select Disable DHCPv6
Stateless Mode For This Server and click Next.
11. Specify the IP address of an IPv6-enabled DNS server. To do this, enter
the IP address of this server. If you recall, we set IPv6 options in the DNS
section. Verify that our server's IPv6 settings appear in the Preferred DNS
Server IPv6 Address, validate it, and then click Next.
12. On the Authorize DHCP Server page, you can specify the credentials of an
authorized user, or just click Next.
13. Click Install to begin the installation.
14. When installation is complete, click Close.
Figure 2.13 Scope Settings for DHCP
Using Server Core and DHCP
DHCP is also a role that is supported in a Windows Server 2008 Core installation.
DHCP installation is handled via the command line of the Server Core installation.
However, management of the DHCP server (as well as the DHCP scopes) can be
controlled from a remote Windows Server 2008 system. In this section, we will
install the DHCP role and configure a DHCP scope using the Server Core command
line. Lets begin by installing the role:
1. Sign in to your Windows Server 2008 Core Server system.
2. Install the DHCP bits. To do this, type in start /w ocsetup
DHCPServerCore (Figure 2.14).
Figure 2.14 Installing the DHCP Role
3. Start the DHCP service and set it to start automatically. To do this, type in
sc config dhcpserver start= auto.
4. Type sc query dhcpserver. If the service is not running, start it by typing
sc start dhcpserver. You can see the command syntax in Figure 2.15.
5. Next, we need to configure our DHCP server by adding the DHCP scope.
To do this, we must first start the netsh application. At the command
prompt, type netsh.
6. At the netsh> prompt, type dhcp server.
7. Add the DHCP Scope at the dhcp server> prompt by typing in
initiate auth.
8. Add the scope by typing in add scope 10.0.0.0 255.0.0.0
BackupScope. 10.0.0.0 indicates the network leased by the DHCP server,
while 255.0.0.0 represents the subnet mask. BackupScope is the name
we've given to the scope.
9. Type in scope 10.0.0.0. This allows us to begin adjusting the scope
options.
10. Configure the start and end of the lease range. To set the start of the range,
type set optionvalue 003 IPAddress 10.0.0.1.
11. To set the end of the range, type set optionvalue 006 IPAddress
10.0.0.50.
12. Enable the scope by typing in set state 1.
13. Type exit to close the netsh application. The preceding syntax can be seen
in Figure 2.16.
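A planning check for the scopes created in this chapter (the 192.168.1.200 to 192.168.1.220 scope from the role installation and the 10.0.0.0/8 BackupScope just built on Server Core), added here and not part of the book or of Windows: the Python below validates a proposed pool against its subnet and any statically assigned addresses, splits a pool between two servers per the 80/20 rule from the Test Day Tip, and emits the lines for the netsh dhcp server context that create a scope. Two details of that context are worth keeping in mind when reading the Server Core steps above: initiate auth requests Active Directory authorization of the server (the scope itself comes from add scope), and a pool's start and end addresses are set with add iprange, since option codes 003 and 006 in set optionvalue are the standard Router and DNS Servers options of RFC 2132. The router and DNS values used in the usage section (10.0.0.254 and 10.0.0.10) are constructed.

```python
"""DHCP scope sanity checks, the 80/20 split and the netsh commands that
express them (added example, not from the book)."""
import ipaddress

# Standard DHCP option codes (RFC 2132) as netsh numbers them in set optionvalue.
OPTION_NAMES = {1: "Subnet Mask", 3: "Router", 6: "DNS Servers", 15: "DNS Domain Name",
                44: "WINS/NBNS Servers", 46: "NetBIOS Node Type", 51: "Lease Time"}


def validate_scope(network, start, end, reserved=()):
    """Return a list of problems with a proposed pool (an empty list means OK): the range
    must be ordered, lie inside the subnet, avoid the network and broadcast addresses,
    and not contain statically assigned addresses (those need an exclusion)."""
    net = ipaddress.ip_network(network, strict=False)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []
    if lo > hi:
        problems.append("start address is after end address")
    if lo not in net or hi not in net:
        problems.append("range is not inside %s" % net)
    if lo == net.network_address or hi == net.broadcast_address:
        problems.append("range includes the network or broadcast address")
    for addr in reserved:
        if lo <= ipaddress.ip_address(addr) <= hi:
            problems.append("static address %s lies inside the pool; exclude it" % addr)
    return problems


def split_80_20(start, end):
    """Apply the 80/20 rule: both servers define the whole range, server A excludes
    the last 20 percent and server B excludes the first 80 percent, so no address
    is ever offered by both servers."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    count_a = round((int(hi) - int(lo) + 1) * 0.8)
    part_a = (str(lo), str(lo + count_a - 1))
    part_b = (str(lo + count_a), str(hi))
    return {"server_a": {"hands_out": part_a, "excludes": part_b},
            "server_b": {"hands_out": part_b, "excludes": part_a}}


def netsh_scope_commands(network, mask, name, start, end, excludes=(), options=()):
    """Lines for the netsh 'dhcp server' context that create and activate a scope.
    The pool comes from 'add iprange'; 'set optionvalue' carries numbered options."""
    lines = ["add scope %s %s %s" % (network, mask, name), "scope %s" % network,
             "add iprange %s %s" % (start, end)]
    lines += ["add excluderange %s %s" % ex for ex in excludes]
    lines += ["set optionvalue %03d IPADDRESS %s" % (code, value) for code, value in options]
    lines.append("set state 1")
    return lines


if __name__ == "__main__":
    print(validate_scope("192.168.1.0/24", "192.168.1.200", "192.168.1.220",
                         reserved=["192.168.1.210"]))
    split = split_80_20("10.0.0.1", "10.0.0.50")
    for line in netsh_scope_commands("10.0.0.0", "255.0.0.0", "BackupScope",
                                     "10.0.0.1", "10.0.0.50",
                                     excludes=[split["server_a"]["excludes"]],
                                     options=[(3, "10.0.0.254"), (6, "10.0.0.10")]):
        print(line)
```

The usage section prints the command list for server A's share of BackupScope; feeding server B the same scope with the complementary exclusion gives the 80/20 pair. OPTION_NAMES is there so a reviewer can read a generated set optionvalue line without looking up the code.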
Figure 2.15 Starting the DHCP Role
Configuring DHCP for DNS
We discussed dynamic updates earlier in this chapter, but it is important to note
that, by default, DHCP does not automatically update DNS servers. Instead, DHCP
can update DNS in two different ways: it can either pass fully qualified domain
name (FQDN) information to client computers running Windows Server or
Workstation 2000 (or later), which can in turn update DNS themselves, or DHCP
can be configured to update DNS for legacy (or non-Windows) clients. Non-legacy
Windows clients can update DNS when:
■ Static IP address information is updated
■ An IP address lease period ends and a new address is given to a client
■ When the ipconfig /registerdns command is entered at a command prompt.
This re-registers a client within DNS.
In order for clients to update automatically, we must adjust the properties of our
DHCP scope appropriately by performing the following steps:
1. Choose Start | Administrative Tools | DHCP.
2. Right-click your IPv4 scope.
3. Click the DNS tab.
4. Notice that, by default, dynamic updates are set for DHCP to control
updates only when requested by the client.
Figure 2.16 The netsh Syntax for DHCP
5. We need to set DHCP to also dynamically update clients (such as
Windows NT 4.0) that cannot update automatically. Place a checkmark
next to the Dynamically Update DNS A And PTR Records For
DHCP Clients That Do Not Request Updates option.
6. Click Apply and then OK.
This is not required for IPv6 scopes since IPv6 was not available in these older
operating systems.
Configuring Windows
Internet Naming Service (WINS)
Windows Internet Naming Service (WINS) was originally developed by Microsoft
as a part of Windows NT. Similar to DNS, WINS adds an IP address-to-system
name mapping in a server-side database. Unlike DNS, WINS focused solely on
the hostname and does not offer a complete naming structure. WINS is a service
that has been going away since Windows 2000 Server, and yet it remains part of
Windows even today.
Many problems existed with WINS, particularly in terms of scalability. Over
the years, the need for WINS and NetBIOS name resolution has been greatly
reduced. However, some applications (legacy versions of Outlook, for example) still
require NetBIOS resolution. In certain situations, LMHOST files can be used in the
absence of a WINS server. LMHOST files have their own problems and limitations
as well, most specifically the fact that LMHOST files can become outdated and
contain incorrect data. They require constant updating and maintenance. Similar
to DHCP, once the need for NetBIOS name resolution goes beyond a handful of
systems, using WINS is a much more reasonable solution since it allows for dynamic
updates. Interestingly enough, WINS has become such an afterthought that the TechNet
site for WINS under Windows Server 2008 simply refers you to the documents for
Windows Server 2003.
Your first task in developing a WINS design is to determine whether you need
WINS at all. One thing you need to test for is whether NetBIOS over TCP/IP
is being used to communicate across the network. You can do this through the
Performance. Once you determine whether NetBIOS naming is currently needed,
your next task is to determine whether the network can function without NetBIOS
naming at all. This will require you to test applications and services on a test network
in a lab without using NetBIOS, LMHOSTS, or WINS.
The design of a WINS topology should take into account how WINS servers
replicate. Each WINS server pushes or pulls the database from its replication partners.
If you configure the replication partners so they replicate in a domino fashion, it
will take several steps for any change to be updated across the network. The time
for replication to fully synchronize across all WINS servers is called convergence
time. The longer convergence takes, the higher the likelihood of errors. To reduce
convergence time, you can create a hub and spoke topology in which all WINS
servers replicate with a central WINS server. In this topology, you will have the
result of a two-step replication process at any point in time when an update is made
on any WINS server in the network. Windows Server 2008 DNS is compatible
with WINS. You can use both in a network environment that has WINS clients and
DNS clients. We will discuss this a little later in the chapter.
Keep in mind that WINS is a flat file database. All names are considered equal,
and as such, must be unique. This means you can only have one computer named
Ned and one computer named Joe. When there are two computers configured with
the same NetBIOS name, only the first will be able to access the network.
Older Microsoft networks not only used WINS, but also transmitted data across
NetBEUI, a protocol that does not incorporate a network layer. Without a network
layer, NetBEUI is not routable. However, NetBIOS can be routed over TCP/IP or
even over IPX. In the Windows Server 2003 and Windows Server 2008 operating
systems, NetBIOS is only routed over TCP/IP, if it is used at all.
If you determine that you will install or upgrade an existing WINS network,
you must first determine whether the hardware of your server will be sufficient for
WINS. WINS servers use their hard disks quite heavily, so you should make certain
you have sufficient hard disk performance.
You should also determine how many WINS servers you should deploy. A single
WINS server with sufficient hardware and network performance can provide services
to 10,000 clients. You should always plan for at least two WINS servers for redundancy.
WINS has the ability to integrate with DNS so DNS clients can use DNS to look
up records in the WINS database. This helps in case a network has client computers
running non-Microsoft operating systems, such as Unix or Linux. To use the WINS
Lookup Integration feature, you must add a special WINS resource record for the
WINS servers on the network.
From the client perspective, you should be aware of how the node types will
affect the communication preferences of the client computer. Node types affect the
type of WINS traffic that traverses the network. For example, if you want to avoid
all broadcast traffic, you would configure WINS clients to be p-nodes because they
do not invoke broadcasts to resolve NetBIOS names. You can then configure DHCP
to tell a computer what type of WINS node it will be. The options you have are:
■ b-node: A b-node depends on broadcasts to register and resolve names.
If there are no WINS servers configured, this is the default node type used.
■ h-node: An h-node will search the configured WINS server first, and then
resort to broadcasts, followed by LMHOSTS, and then DNS to register
and resolve names.
■ m-node: The m-node is the opposite of an h-node. It will broadcast first,
and then search the configured WINS server.
■ p-node: A p-node only uses point-to-point connections with a configured
WINS server.
Understanding WINS Replication
If WINS is a network service that you will require in your organization, it will be
important to understand how WINS handles redundancy and partnerships. In order
for WINS servers to replicate WINS records with each other, a replication partnership
must be configured between them. Three possible kinds of replication partnerships
can be configured between WINS servers: push/pull (also known as full), push-only,
and pull-only (also known as limited). You can set up a replication partnership manually
or implement it automatically.
Automatic Partner Configuration
Automatic partner configuration is an option that can be implemented on small
networks to eliminate the administrative effort of configuring replication partnerships
between WINS servers. When the automatic partner configuration is enabled, the
WINS server will send announcements using the multicast Internet Group Messaging
Protocol (IGMP) address at 224.0.1.24, which is the well-known multicast address
for WINS servers. When the WINS server discovers other WINS servers that are
announcing themselves, the WINS server will automatically configure a partnership
agreement between itself and the discovered WINS server. (Both must be enabled
for automatic partner configuration.) When the WINS server discovers another
WINS server, it will add the server to its list of replication partners, configure push/
pull replication between the servers, and set the pull replication interval for every
two hours.
Normally, routers do not forward IGMP traffic, so this configuration is best
used on small unsegmented LANs. However, it is possible to configure routers to
forward this traffic, allowing automatic partner configuration to be used in a routed
environment. If the environment has only a few routers, the amount of multicast
broadcast traffic should be minimal.
Push Partnerships
As the name implies, when a push partnership is configured, changes in the WINS
database are pushed to the remote WINS server. More accurately, a WINS server with
records to replicate sends a push notification to target servers (those configured to use
it as a pull partner), alerting them that it has records to update on the target WINS
servers. The push notification includes an owner table that lists the owner IDs and the
highest version ID for each owner. The target servers compare this information with
their own owner tables to determine which records to replicate. The target servers
reply to the push notification with a pull request, and the transfer of records takes
place. Accordingly, since a transfer of records will not take place until a pull request
has been received by the server that sent the push notification, pull replication is the
single mechanism for replication. The process for push replication occurs as follows:
1. The source WINS server receives updates to its database and, based on a
configurable threshold, sends a push notification to the destination WINS
server (its push partner), indicating it has updates to replicate.
2. The destination WINS server for the notification (the push partner)
responds by initiating a pull request to its pull partner (the WINS server
that sent the notification), and the replication is initiated between the
replication partners.
Push replication is not schedulable according to an interval of time. Rather, the
WINS administrator configures an update threshold that will trigger a push notification.
For example, the WINS server could be configured to send a notification to
its push partner after it has received 100 updates.
It is also possible to manually initiate the push notification. When you manually
initiate the push notification, you can choose to push the notification to the
replication partner or trigger the replication to send a notification to all its partners
as well. As an example, consider a replication topology where three WINS servers
are configured as push replication partners. WINS-A replicates to WINS-B, which
replicates to WINS-C. So, if you manually sent a push notification from WINS-A
to its replication partner, WINS-B, you could force WINS-B to also send a push
notification to its other replication partner, WINS-C.
In certain rare situations, it might be desirable to use a push-only replication
partnership for one-way replication, for instance, from a head office to a branch
office. As an example, suppose WINS-A in the head office configures WINS-B in
the branch office as its push-only partner. (WINS-B should also configure WINS-A
as its pull-only partner.) When WINS-A receives updates to its records, it notifies
WINS-B, which sends an update (pull) request to WINS-A for the changed records
since the last replication cycle. In this scenario, WINS-B never sends its updated
records to WINS-A.
Push partnerships are generally configured in LAN environments where bandwidth
is not an issue, and it is not necessary to schedule replication to occur during
off-peak hours. In general, you should use push replication partnerships in the
following situations:
■ There is ample bandwidth over LAN or WAN connections.
■ There is a need to ensure that updates are replicated as soon as possible and
the frequency of replication traffic is not a consideration.
Pull Partnerships
Pull replication differs from push replication in that the replication frequency is defined
as an interval of time. At regularly scheduled intervals, a pull partner requests updates
from other WINS servers (those configured to use it as a push partner) for updated
records that have a higher version ID than the ones it currently has in its database.
Pull replication is configured similarly to push replication. The primary difference
is that the WINS administrator schedules the times that the pull replication will
take place.
In some situations, it might be desirable to configure pull-only replication between
replication partners. Usually, this configuration is implemented where WAN links are
operating close to capacity and there is a need to schedule WINS replication during
off-peak hours. Pull-only replication has an advantage over push-only replication in
that the replication schedule can be known in advance. With push-only replication,
replication is triggered by reaching a configured threshold of updates, and you
can only estimate when this would occur based on experience with the network.
However, a disadvantage of pull-only replication is that the WINS server could
potentially have acquired a large number of updates to replicate between cycles.
In general, you should use pull replication partnerships in the following situations:
■ There is limited bandwidth between WINS servers that requires replication
to be scheduled during off hours.
■ There is a need to consolidate updates and reduce the frequency and
amount of replication traffic.
■ There is a need to exercise finer control over the timing and frequency of
replication traffic.
Push/Pull Partnerships
A push/pull partnership is the default when you configure replication between
WINS servers. In fact, Microsoft recommends a push/pull partnership as a best
practice and it further recommends that all WINS partnerships be set up this way,
unless there is an overriding need to implement a limited partnership. The only
need that Microsoft cites for a limited partnership is the presence of a large network
connected by relatively slow WAN links. Microsoft often stresses the need for
simplicity in a WINS environment.
With a push/pull partnership, a WINS server will be configured both to
send push notifications and to make pull requests to its replication partner. The
replication partner will also be configured in a similar way. Such a configuration
helps ensure that synchronization among WINS servers is optimal, depending
on the pull schedule and the configured threshold for push notifications, among
other factors. For example, suppose a WINS server suddenly experiences a large
number of updates and immediately sends a push notification to its push partner.
The push partner would immediately request these updates, without waiting
for the request to be triggered by its pull schedule. Conversely, a WINS server
always pulls up-to-date records from its pull partner according to the replication
schedule, regardless of how few records have been updated on the pull partner
WINS server.
You should always try to deploy a push/pull partnership, unless there is an
overriding concern that requires the implementation of a limited partnership.
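The push, pull and push/pull partnerships described in the last three sections, as an added simulation that is not from the book: two Python WinsServer objects keep records keyed by owner and version ID; a push notification carries only the owner table and the receiving partner answers with a pull; a scheduled pull runs on the clock regardless of how much changed; and a push-only/pull-only pair shows one-way replication from a head office to a branch. Server names, the three-update push threshold and the 120-minute pull interval are constructed values, and real WINS's version-ID encoding and on-disk database are left out of the model.

```python
"""WINS push/pull replication with owner tables and version IDs
(added simulation, not from the book)."""


class WinsServer:
    """A WINS server holding records keyed by (owner server, NetBIOS name)."""

    def __init__(self, name, push_threshold=100, pull_interval=120):
        self.name = name
        self.records = {}                      # (owner, name) -> version ID
        self.next_version = 0                  # counter for records this server owns
        self.updates_since_push = 0
        self.push_threshold = push_threshold   # updates that trigger a push notification
        self.pull_interval = pull_interval     # minutes between scheduled pulls
        self.push_partners = []                # servers this one notifies
        self.pull_partners = []                # servers this one pulls from on schedule

    def owner_table(self):
        """Highest version ID held per owner: the payload of a push notification."""
        table = {}
        for (owner, _), version in self.records.items():
            table[owner] = max(table.get(owner, 0), version)
        return table

    def register(self, netbios_name):
        """A client registers locally; this server becomes the record's owner."""
        self.next_version += 1
        self.records[(self.name, netbios_name)] = self.next_version
        self.updates_since_push += 1
        if self.updates_since_push >= self.push_threshold:
            self.updates_since_push = 0
            for partner in self.push_partners:
                partner.handle_push_notification(self)

    def handle_push_notification(self, source):
        """Compare the sender's owner table with ours; if it holds newer versions,
        answer with a pull request. The records themselves only move in the pull."""
        mine = self.owner_table()
        if any(v > mine.get(o, 0) for o, v in source.owner_table().items()):
            self.pull_from(source)

    def pull_from(self, source):
        """Fetch every record whose version ID is higher than the highest we hold
        for that owner. Returns the number of records pulled."""
        mine = self.owner_table()
        pulled = 0
        for (owner, netbios_name), version in source.records.items():
            if version > mine.get(owner, 0):
                self.records[(owner, netbios_name)] = version
                pulled += 1
        return pulled

    def clock_tick(self, minute):
        """Scheduled pull replication runs on the clock, however few updates exist."""
        if minute % self.pull_interval == 0:
            for partner in self.pull_partners:
                self.pull_from(partner)


def make_push_pull_pair(a, b):
    """Full partnership: each server notifies the other and pulls from the other."""
    a.push_partners.append(b); a.pull_partners.append(b)
    b.push_partners.append(a); b.pull_partners.append(a)


def push_pull_scenario():
    """WINS-A notifies after three updates; both pull every 120 minutes. Returns
    B's record count after two and after three updates on A, then A's count
    before and after its scheduled pull collects a single update made on B."""
    a = WinsServer("WINS-A", push_threshold=3)
    b = WinsServer("WINS-B", push_threshold=100, pull_interval=120)
    make_push_pull_pair(a, b)
    a.register("HOST1"); a.register("HOST2")
    on_b_after_two = len(b.records)       # below threshold: no notification yet
    a.register("HOST3")                   # threshold reached: B is notified and pulls
    on_b_after_three = len(b.records)
    b.register("PRINTER")                 # one update on B, far below its threshold
    a.clock_tick(60)                      # not one of A's scheduled minutes
    on_a_before = len(a.records)
    a.clock_tick(120)                     # scheduled pull picks up B's lone update
    return on_b_after_two, on_b_after_three, on_a_before, len(a.records)


def push_only_scenario():
    """Head-office WINS-A is push-only to branch WINS-B (B is pull-only from A):
    A's records reach B, but nothing registered on B ever reaches A."""
    head = WinsServer("WINS-A", push_threshold=1)
    branch = WinsServer("WINS-B", push_threshold=1)
    head.push_partners.append(branch)
    branch.pull_partners.append(head)
    head.register("HQ-DC1")
    branch.register("BRANCH-FS")
    return len(branch.records), len(head.records)
```

push_pull_scenario() returns (0, 3, 3, 4): nothing crosses until the third update trips the push threshold, and B's single registration reaches A only when A's pull schedule comes round. push_only_scenario() returns (2, 1), the one-way head-office-to-branch case from the push section.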
Replication Models
As we mentioned earlier, the replication model you design will have an effect on
the convergence time for replicated WINS records and fault tolerance for replicated
records. A replication model that is appropriate for your network topology will
ensure the shortest convergence time for replicated WINS records. Where possible,
it is recommended your replication model mirror your network topology and that
you keep this model as simple as possible.
In WINS environments where there are three or more WINS servers, you can
employ either a ring replication model or a hub-and-spoke replication model. In
more complex environments, these models can be combined to ensure optimal
convergence time and fault tolerance for a given network topology. In the following
sections, we will discuss each of these models in more detail.
Configuring Network Services Chapter 2 109
Ring Models
In a ring model, three or more WINS servers are configured to replicate with one
another in a circular fashion. The ring model provides for good convergence times
for all replication partners when there are no more than four WINS servers.
In this model, fault tolerance for replication of WINS records is given priority.
Imagine that a record is updated on WINS-A. The record must travel through
either WINS-B or WINS-D before it is replicated to WINS-C. However, suppose
that the WAN link connecting WINS-A and WINS-D fails. The updated record can
still arrive at WINS-C and WINS-D (via WINS-C). Conversely, a record created on
WINS-D can still be replicated to WINS-A via WINS-C and WINS-B.
Hub-and-Spoke Models
In a hub-and-spoke model, all WINS servers replicate with a centrally located hub
WINS server. The hub-and-spoke model provides for the shortest convergence time
in a replication environment that comprises five or more WINS servers, because
it provides for the shortest replication paths between any two WINS servers.
Furthermore, by implementing a hub-and-spoke model, you reduce the number
of replication partnership agreements that you need to maintain.
Even though there are five WINS servers that replicate information, there are only
four replication agreements to maintain. Furthermore, no server is more than two
hops from any other server, regardless of the number of servers added to the topology.
A disadvantage of this model is that it is not as fault tolerant as the ring model.
If WINS-A fails, no WINS server will be able to replicate its records to other WINS
servers. Furthermore, depending on the average number of records the spoke WINS
servers need to replicate and the settings for the push and pull triggers, WINS-A can
be continuously replicating with other servers and processing updates. It should be
well connected to the other WINS servers and have the capacity to handle the load.
To enhance fault tolerance in this situation, you could set up a backup WINS
server in the same location as WINS-A and configure a replication partnership agreement
between them. This solution, however, increases administrative complexity for
the maintenance of replication partnerships. An alternative solution that still provides
a high degree of availability is to use Windows clustering for the hub WINS server.
A Windows cluster gives you the ability to set up separate WINS servers, known
as cluster nodes, that use the same database located in a shared SCSI or Fibre Channel
device. When the WINS server that is the active node in the cluster fails, the services
will failover to another node. Failover is the process of taking resources offline in one
node and bringing them online in a new node. The primary advantage of using a
Windows cluster is that in the event of a failure of a WINS server, no subsequent
replication needs to occur to synchronize records when the failed server is brought
online, because only a single database is used.
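The properties claimed for the ring and hub-and-spoke models above (worst-case hop count, the number of partnership agreements to maintain, and what happens when a WAN link or the hub fails) can be checked with a small graph model. The following is an added example written for this section; it is not code from the book or from Microsoft. It assumes every partnership is a full push/pull partnership, so each one is treated as a link that carries records in both directions; a one-way limited partnership would need a directed graph instead.

```python
from collections import deque


def ring(servers):
    """Ring model: each WINS server replicates with the next one in the list,
    and the last server closes the circle back to the first."""
    if len(servers) < 3:
        raise ValueError("a ring needs three or more WINS servers")
    edges = set()
    for i, server in enumerate(servers):
        edges.add(frozenset((server, servers[(i + 1) % len(servers)])))
    return set(servers), edges


def hub_and_spoke(hub, spokes):
    """Hub-and-spoke model: every spoke replicates only with the central hub."""
    return {hub, *spokes}, {frozenset((hub, spoke)) for spoke in spokes}


def partnership_count(topology):
    """Number of replication partnership agreements the administrator maintains."""
    return len(topology[1])


def hops_from(topology, source):
    """Breadth-first search: replication hops from `source` to every reachable server."""
    nodes, edges = topology
    adjacency = {node: set() for node in nodes}
    for edge in edges:
        a, b = tuple(edge)
        adjacency[a].add(b)
        adjacency[b].add(a)
    distance = {source: 0}
    queue = deque([source])
    while queue:
        current = queue.popleft()
        for neighbour in adjacency[current]:
            if neighbour not in distance:
                distance[neighbour] = distance[current] + 1
                queue.append(neighbour)
    return distance


def convergence_hops(topology):
    """Worst-case number of hops a record needs to reach every other server.
    Returns None when some server can no longer reach all the others, i.e.
    replication is partitioned."""
    nodes, _ = topology
    worst = 0
    for server in nodes:
        distance = hops_from(topology, server)
        if len(distance) != len(nodes):
            return None
        worst = max(worst, max(distance.values()))
    return worst


def after_failure(topology, failed_servers=(), failed_links=()):
    """The topology that remains once the given servers and/or WAN links are down."""
    nodes, edges = topology
    dead_servers = set(failed_servers)
    dead_links = {frozenset(link) for link in failed_links}
    surviving_nodes = nodes - dead_servers
    surviving_edges = {e for e in edges if not (e & dead_servers) and e not in dead_links}
    return surviving_nodes, surviving_edges


if __name__ == "__main__":
    # Constructed server names, matching the chapter's WINS-A .. WINS-E naming.
    four_ring = ring(["WINS-A", "WINS-B", "WINS-C", "WINS-D"])
    five_hub = hub_and_spoke("WINS-A", ["WINS-B", "WINS-C", "WINS-D", "WINS-E"])
    print("ring of 4: hops", convergence_hops(four_ring), "partnerships", partnership_count(four_ring))
    print("ring of 4, A-D link down: hops", convergence_hops(after_failure(four_ring, failed_links=[("WINS-A", "WINS-D")])))
    print("hub of 5: hops", convergence_hops(five_hub), "partnerships", partnership_count(five_hub))
    print("hub of 5, hub down: hops", convergence_hops(after_failure(five_hub, failed_servers=["WINS-A"])))
```

Running it reproduces the chapter's points: the four-server ring and the five-server hub both converge in two hops, the ring survives a single link failure (convergence stretches to three hops), the hub needs only four agreements for five servers and stays at two hops however many spokes are added, and losing the hub partitions every spoke.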
Hybrid Replication Models
In many situations, it is desirable to combine replication models. As an example,
consider a large organization that has three divisions in different geographic locations.
Each of these divisions has a number of branch offices that are connected to their
respective divisional offices. It might be advantageous to use a ring model of
WINS replication among the divisional offices and use hub-and-spoke replication
for replication between the divisional offices and their respective branch offices.
Many other variations are possible. A hybrid replication model can employ any
mixture of full and limited replication partnerships, driven by the contingencies of
the network topology.
Static WINS Entries
One of the advantages of using WINS is that it provides a way to dynamically
register NetBIOS names, eliminating the need for static entries in LMHOSTS files.
However, certain situations require the use of static mappings in the WINS server
database. For example, if you have non-WINS clients that are running NetBIOS
applications, you might find it desirable to have entries for these clients in the
WINS database so you can allow WINS clients to resolve the NetBIOS names of
those clients. Static mappings are superior to entries in an LMHOSTS file because
they can be replicated throughout the WINS infrastructure.
The use of static mappings can create problems on your network. Unlike dynamic
mappings, static mappings stay in the WINS database until they are manually removed.
(The expiration date for the static mapping entry in the WINS database is labeled as
infinite.) Furthermore, unless the migrate on setting is enabled, static mappings are not
overwritten by dynamic mappings. For example, a client computer might be given
a static mapping in the WINS database, or an LMHOSTS file might be imported to
the WINS database, creating a number of static WINS entries. If the clients associated
with the static mappings are later configured as WINS clients, they would not be able
to perform dynamic registration of their NetBIOS names, unless the migrate on
setting was enabled.
In general, static entries should never be created for WINS-capable client
computers. However, it is sometimes desirable for security purposes to use static
entries for mission-critical servers to prevent redirection.
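To make the interaction between static mappings, LMHOSTS imports, the migrate on setting and dynamic registration concrete, here is a simplified model of the WINS name table. It is an added example written for this section, not code from the book or from the WINS service, and it deliberately leaves out the real service's released and tombstoned record states. Assumptions: an imported LMHOSTS line becomes a workstation [00h] static mapping, the six-day renewal interval is a constructed default, and the sample LMHOSTS content is constructed. The chapter's note that the domain [1Ch] record is never overwritten, regardless of migrate on, is modelled as well.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DOMAIN_1C = 0x1C        # domain [1Ch] group record: never overwritten, regardless of migrate on
WORKSTATION_00 = 0x00   # workstation service record; the type an LMHOSTS line maps to here (assumption)
INFINITE = None         # the WINS console shows a static mapping's expiration as "Infinite"

# Constructed sample LMHOSTS file (not from the book); '#PRE' and '#DOM:' are LMHOSTS keywords.
LMHOSTS = """\
# address     name       keywords
10.0.0.9      LEGACY1    #PRE
10.0.0.10     LEGACY2    #PRE  #DOM:CORP
"""


@dataclass
class NameRecord:
    name: str
    record_type: int
    address: str
    static: bool
    expires_at: Optional[int]   # seconds; None means the record never expires


class WinsDatabase:
    """Simplified WINS name table: enough to show how static mappings and the
    'migrate on' setting decide whether a client's registration is accepted."""

    def __init__(self, migrate_on: bool = False, renewal_interval: int = 6 * 24 * 3600):
        self.migrate_on = migrate_on
        self.renewal_interval = renewal_interval
        self.records: Dict[Tuple[str, int], NameRecord] = {}

    @staticmethod
    def _key(name: str, record_type: int) -> Tuple[str, int]:
        if len(name) > 15:
            raise ValueError("NetBIOS names are at most 15 characters")
        return name.upper(), record_type

    def add_static(self, name: str, record_type: int, address: str) -> None:
        """A static mapping stays in the database until an administrator removes it."""
        self.records[self._key(name, record_type)] = NameRecord(
            name.upper(), record_type, address, static=True, expires_at=INFINITE)

    def import_lmhosts(self, text: str) -> int:
        """Importing LMHOSTS creates one static mapping per 'address name' line;
        comments and keywords after '#' are ignored in this model."""
        imported = 0
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            address, name = line.split()[:2]
            self.add_static(name, WORKSTATION_00, address)
            imported += 1
        return imported

    def register_dynamic(self, name: str, record_type: int, address: str, now: int) -> bool:
        """A WINS client's name registration; returns False when it is refused."""
        key = self._key(name, record_type)
        existing = self.records.get(key)
        if existing is not None and existing.static:
            # The [1Ch] record is never overwritten; other static records only with migrate on.
            if record_type == DOMAIN_1C or not self.migrate_on:
                return False
        self.records[key] = NameRecord(name.upper(), record_type, address,
                                       static=False, expires_at=now + self.renewal_interval)
        return True

    def scavenge(self, now: int) -> int:
        """Remove dynamic records whose lease has lapsed; static mappings never expire."""
        expired = [k for k, r in self.records.items()
                   if r.expires_at is not None and r.expires_at <= now]
        for k in expired:
            del self.records[k]
        return len(expired)

    def is_static(self, name: str, record_type: int) -> bool:
        rec = self.records.get(self._key(name, record_type))
        return rec is not None and rec.static
```

With migrate on left at its default, a host imported from LMHOSTS that is later made a WINS client has every registration refused, which is the failure mode the text warns about; with migrate on enabled the dynamic registration replaces the static mapping, and from then on the record expires and is scavenged like any other dynamic record.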
Now that you understand the purpose of WINS design fundamentals, as well
as some of the history behind it, let's take a look at how to configure WINS in
Windows Server 2008.
Installing and Configuring
Unlike DNS and DHCP, WINS is a feature of Windows Server 2008, not a role.
Features in Windows Server 2008 simply augment the functionality of roles. In this
scenario, WINS is a feature used to add functionality to name resolution as a whole.
That said, we will discuss how to integrate WINS with DNS later in this section.
Let's install our WINS feature:
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to the Features Summary section and click Add Features.
3. At the Select Features window, scroll down and click WINS Server and
then click Next.
4. Click Install to begin the installation process.
5. Click Close once the installation is complete.
As mentioned, WINS is a legacy technology. As such, you can expect that there
won't be an abundance of questions on the exam. However, you should still familiarize
yourself with the console, which is available under Administrative Tools.
Using Server Core for WINS
Installing a feature in Windows Server 2008 Server Core is basically the same as
adding a role. In this section, we are going to walk through the setup of the feature,
as well as set the service to start automatically.
NOTE
Even though the migrate on setting can prevent a number of problems
associated with the ability to overwrite static entries, this setting does
not affect all NetBIOS record types. For example, the domain [1Ch]
record type is never overwritten, regardless of this setting.
As you know from Chapter 1 of this book, very few roles can be installed as
part of Windows Server 2008 Server Core. However, many features can be installed,
including:
■ Failover Cluster
■ Network Load Balancing
■ Subsystem for Unix-based applications
■ Multipath IO
■ Removable Storage Management
■ BitLocker Drive Encryption
■ Backup
■ Simple Network Management Protocol (SNMP)
■ WINS
Obviously, at this point in this book, we are only focusing on WINS. So, let's
take a look at how to install the WINS feature and start the service:
1. At the command line, type start /w ocsetup WINS-SC.
2. When installation completes, type sc query WINS or NET START to
verify that the WINS service is running.
3. If the service is not running, type sc start WINS.
4. We can also ensure that the service will start automatically by typing
sc config WINS start= auto.
Generally speaking, management of WINS will occur via the GUI from another
Windows Server. However, a number of command-line management options exist
for WINS. Essentially, most of the management will be through the netsh tool, which
we used earlier for setting IP information. To learn more about these commands,
visit http://technet2.microsoft.com/WindowsServer/en/library/430701f0-743a-4af5-9dd6-95c5c2f956531033.mspx.
Configuring WINS for DNS
As mentioned, WINS has become less relevant in organizations that are running the
latest operating systems and applications. However, there are situations where WINS
is still necessary. One way we can improve name resolution is to tie WINS to DNS
so the two are aware of one another, thereby increasing response time to name
requests and reducing complexity in name resolution scenarios. Let's look at how
we configure DNS to use WINS as a secondary resource for naming:
1. Choose Start | Administrative Tools | DNS.
2. Find your server name in the left pane and double-click it. This will open
the DNS configuration for this server.
3. Right-click your domain name and select Properties.
4. Select the WINS tab.
5. Place a checkmark next to the Use WINS Forward Lookup option.
6. Enter the IP address of the WINS server and click Add.
7. Click Apply and OK to save your changes.
DNS will now be able to forward requests to WINS to resolve names not found
within its own namespace.
EXAM WARNING
Watch out for any questions that may involve WINS integration with
DNS and IPv6. WINS integration with DNS only supports IPv4 addresses.
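The resolution chain the procedure above sets up (DNS answers from its own zone first and asks WINS only for names it does not hold) and the IPv4-only limit from the exam warning are illustrated by this added example. It is not code from the book or from the Windows DNS service; the zone name corp.example, the record values and the WINS_TABLE stand-in for the WINS server are constructed.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the WINS server's name table: NetBIOS name -> IPv4 address.
WINS_TABLE: Dict[str, str] = {"LEGACY1": "10.0.0.9", "LEGACY2": "10.0.0.10"}


def wins_lookup(netbios_name: str) -> Optional[str]:
    """Stand-in for the name query DNS sends to WINS; WINS only ever returns IPv4."""
    return WINS_TABLE.get(netbios_name.upper())


class DnsZone:
    """Minimal forward-lookup zone with the 'Use WINS Forward Lookup' behaviour."""

    def __init__(self, origin: str, records: Dict[Tuple[str, str], str]):
        self.origin = origin.rstrip(".").lower()
        # records are keyed by (host label, record type), e.g. ("srv1", "A")
        self.records = {(host.lower(), rtype.upper()): value
                        for (host, rtype), value in records.items()}
        self.wins_servers: List[str] = []   # empty = WINS lookup disabled (checkbox clear)

    def enable_wins_lookup(self, wins_server_ips) -> None:
        """Equivalent of ticking 'Use WINS Forward Lookup' and adding server addresses.
        WINS integration supports IPv4 only, so an IPv6 address is rejected."""
        for ip in wins_server_ips:
            if ipaddress.ip_address(ip).version != 4:
                raise ValueError(f"WINS server address must be IPv4: {ip}")
        self.wins_servers = list(wins_server_ips)

    def resolve(self, fqdn: str, rtype: str,
                query_wins: Callable[[str], Optional[str]] = wins_lookup) -> Optional[str]:
        """Answer a query for a name under this zone, falling back to WINS when allowed."""
        fqdn = fqdn.rstrip(".").lower()
        rtype = rtype.upper()
        suffix = "." + self.origin
        if not fqdn.endswith(suffix):
            return None                 # not this zone; a real server would forward or recurse
        host = fqdn[: -len(suffix)]
        answer = self.records.get((host, rtype))
        if answer is not None:
            return answer               # the zone's own records always take precedence
        # WINS can only supply IPv4 for a single-label NetBIOS name (max 15 characters)
        if rtype != "A" or not self.wins_servers or "." in host or len(host) > 15:
            return None
        return query_wins(host)


if __name__ == "__main__":
    zone = DnsZone("corp.example", {("srv1", "A"): "10.0.0.10", ("srv1", "AAAA"): "2001:db8::10"})
    print("before enabling WINS:", zone.resolve("legacy1.corp.example", "A"))
    zone.enable_wins_lookup(["10.0.0.5"])
    print("after enabling WINS: ", zone.resolve("legacy1.corp.example", "A"))
    print("AAAA via WINS:       ", zone.resolve("legacy1.corp.example", "AAAA"))
```

The AAAA query for a WINS-only host returns nothing even with WINS lookup enabled, and an attempt to register an IPv6 WINS server address is refused, which is the point the exam warning makes.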
Summary of Exam Objectives
Having the proper network services installed on your server can make the difference
between a functional Active Directory environment, and one that is infested with
various errors and latency. Microsoft focused on the Core Infrastructure Optimization
model, taking IT organizations from a basic approach to infrastructure design to a
more dynamic one. DNS, DHCP, and even WINS are steps that move IT professionals
from the basic model. Imagine the time (and pain) involved in updating spreadsheets
with client IP addresses, HOSTS, and LMHOSTS files on client machines for a
500-PC organization!
DNS truly is the backbone of the Windows network. Without DNS, Active
Directory would cease to function. When it comes to Active Directory, DNS does
much more than simple name resolution. It stores information about our LDAP
resources, Global Catalog resources, as well as other resources (such as SIP servers)
within our environment. If a client or server is unable to find these resource records,
having Active Directory in place does us very little good. As an IT professional,
you will also be required to understand the different types of Resource Records
(RRs) that can be used as part of DNS. There are traditional, or more common,
Resource Records such as A and PTR records, but you should also familiarize
yourself with special records such as SIP records, since the demand for these types of
records is becoming more and more common.
DHCP is another crucial piece of the network services puzzle. Again, trying to
maintain static addresses for hundreds of systems is not only impractical, it is quite
foolish. Trying to maintain IP ranges for IPv4 systems is cumbersome enough, but
trying to do it with the extended IPv6 addresses will likely become impossible!
Add in the additional information we can push out to our DHCP clients (such
as gateways, Trivial File Transfer Protocol [TFTP] servers, time clock servers, and
domain suffixes, for example) and it makes this a crucial tool in the IT professional's
toolbox. Anyone who is familiar with the Microsoft management consoles can
probably create and authorize a DHCP scope, but it takes a skilled professional to
correctly design and implement a DHCP strategy. In order to do this, you need to
understand not only fundamental IP principles, but also network topologies and
common requirements, such as the 80/20 rule.
Lastly, we have WINS. Although it is going away, there are still places in certain
organizations where it is necessary. Older Microsoft networks not only used WINS,
but also transmitted data across NetBEUI, a protocol that does not incorporate a
network layer. Without a network layer, NetBEUI is not routable. However, NetBIOS
can be routed over TCP/IP or even over IPX. In the Windows Server 2003 and
Windows Server 2008 operating systems, NetBIOS is only routed over TCP/IP, if it
is used at all. The replication model you design will have an effect on the convergence
time for replicated WINS records and fault tolerance for replicated records.
A replication model that is appropriate for your network topology will ensure the
shortest convergence time for replicated WINS records. Where possible, it is recommended
that your replication model mirror your network topology and that you
keep this model as simple as possible. If NetBIOS resolution is only necessary for a
few systems, you should consider using GlobalNames zone as an alternative.
Will we still see WINS in the next version of Windows? Only time will tell.
Exam Objectives Fast Track
Configuring Domain Name System (DNS)
˛ DNS in Windows Server 2008 supports primary zones (including Active
Directory-integrated zones), secondary zones, and stub zones.
˛ Active Directory-integrated zones provide additional functionality,
including secure dynamic updates and Active Directory-integrated
replication.
˛ The GlobalNames zone was introduced to help phase out the Windows
Internet Naming Service. The GlobalNames zone requires the creation of
a zone named GlobalNames.
Configuring Dynamic Host
Configuration Protocol (DHCP)
˛ Since the inception of DHCP, there have been a number of add-on
DHCP options that make it possible to disburse even more IP-related
information to clients, which makes IP management much more flexible
for IT administrators.
˛ DHCP works by leasing IP addresses for a period of time to a specific
computer. The lease time can be adjusted based on the need for a client to
maintain the address for a period of time.
˛ DHCP can also be used to reserve addresses for systems that would
otherwise need a static address, such as departmental servers and some
client machines where it is required by third-party applications.
˛ The 80/20 rule means that IP scopes should be split between DHCP
servers, and that server A can distribute 80 percent of IP addresses, while
server B can hand out the remaining 20 percent of IP addresses.
Configuring Windows
Internet Naming Service (WINS)
˛ WINS was originally introduced by Microsoft as part of Windows NT
Server and was intended to be the de facto name resolution solution.
˛ WINS is still required for the NetBIOS name resolution of legacy operating
systems and applications.
˛ WINS can be incorporated into DNS to provide seamless name resolution.
Exam Objectives
Frequently Asked Questions
Q: Is the GlobalNames zone intended to replace WINS?
A: No. In fact, Microsoft has gone out of its way to stress the fact that the
GlobalNames Zone is not a replacement for WINS. The GlobalNames zone
is simply intended to assist in the retirement of WINS. As companies upgrade
their legacy operations systems and legacy applications, the need for both
GlobalNames zones and WINS will eventually go away.
Q: I have seen several examples where non-Internet standard DNS names are used.
Is it better to use a standard DNS name (such as .com, .net, or .edu) or to use a
private nonstandard name (for example, .ads or .internal)?
A: This really is a matter of preference, and in some cases, a bit of a religious
war. Separation of name spaces is common in organizations that do not want
their external namespace (for example, uccentral.com) to match their internal
namespace. This can be beneficial when you want to use similar server names
both internally and externally. Separating namespaces can, however, create
confusion at times when you try to tell someone to go to a server. For example,
you may have a server called mail, which could be an internal or external
server, and if someone doesn't specify mail.uccentral.ads, you may end up on
the wrong server!
Q: Why did Microsoft make WINS a feature and not a role?
A: Simply put, WINS is a solution that is end-of-life. WINS alone cannot provide
an enterprisewide solution for name resolution. In today's environment, we need
DNS in order for Active Directory to function properly; we don't need WINS.
Q: I have a mixed Unix/Windows environment. Some of my DNS zones are hosted
on BIND, and some on Windows Server 2008. Is there any way to integrate
the two?
A: Yes, there are a few ways. First, you can create secondary zones on each of the
DNS servers that store a local copy of the other's zones. Second, you can create
DNS Forwarders on the Windows Servers, which will forward any requests
for these zones to the BIND servers. Lastly, you can delegate DNS zones to the
BIND or Windows servers for control over a particular zone.
Q: I like the idea of being able to implement DNS, WINS, and DHCP on a
Windows Server 2008 Core Server installation. However, I'm not much of a
command-line person. Is there any way I can manage these roles and features
from a GUI?
A: Yes, however you must use the MMC from another Windows Server 2008
(full installation) server to manage these roles and features. If you recall, no
GUIs are provided with Windows Server 2008 Core Server, even after a role
has been installed.
Q: In the past when I've installed DNS with Active Directory onto a Windows
Server, a domain called . was created. Because of this, I couldn't get to external
servers. Why does this happen?
A: Depending on how DNS was installed, it is possible for the . (root) domain to
be installed within your DNS. Because . is the top-level DNS zone, if installed,
it assumes that there are no other domains except those listed on the server itself.
To fix this, you simply need to remove the . from DNS.
Q: I see there are numerous options that I can push out via DHCP to client
machines. What is the bare minimum I need in order to offer networking
services?
A: The absolute bare minimum would be the IP address and subnet mask to
communicate with a directly connected host on the same subnet. However, this
will severely limit the resources that a client can contact outside of that subnet.
Realistically, you need the IP address, subnet mask, gateway (called the router in
the DHCP options), and at least one DNS server to at least be able to connect
to and use the Internet through your Internet service provider (ISP) or to
communicate with other hosts on remote subnetworks.
Q: I want to use Active Directory-integrated zones for my DNS servers, but I need
to be able to create secondary copies of the zones to non-Microsoft servers. Is
this possible?
A: Yes, but it couldn't be a live/replicated copy of the zone. In this scenario, you
can only create a secondary copy of the DNS zone. This means that DNS clients
of this non-Microsoft server will have the ability to resolve records, but the zone
cannot be updated (either manually or via dynamic update).
Self Test
1. You are the administrator for a nationwide company that currently runs
Windows Server 2008 DNS and are reviewing the resource records in your
Active Directory-integrated DNS zone. You notice there are hostnames that
do not meet your company's naming convention and verify that the computers
are not members of your Active Directory domain. What must you do to
ensure these hosts cannot create records in your DNS zone?
A. Disable DNS and enable DHCP.
B. Configure your zone to enable secure dynamic updates.
C. Disable dynamic updates in your zone.
D. You cannot prevent this from occurring in DNS.
2. You are creating a new standard primary zone for the company you work
for, Name Resolution University, using the domain nru.corp. You create the
zone through the DNS management console, and now you want to view the
corresponding DNS zone file, nru.corp.dns. Where do you need to look in
order to find this file?
A. You cannot view the zone file because it is stored in Active Directory.
B. You can look in the %systemroot%\system32\dns folder.
C. You cannot view the DNS file except by using the DNS management
console.
D. The DNS zone file is actually just a key in the Windows Registry.
You need to use the Registry Editor if you want to view the file.
3. You have removed WINS from your environment, but still have at least one
legacy PC and application that requires NetBIOS resolution. What solution
can you use in place of WINS to address NetBIOS resolution?
A. GlobalNames zones.
B. Reverse zones.
C. Dynamic updates.
D. None of the above. You need WINS for NetBIOS.
4. You've just created a new zone in DNS on a Windows Server 2008-based
computer. You check the zone and notice that the only records in it are the
SOA and NS RRs. Checking the configuration, you see that the zone is
configured to accept dynamic updates. What should you do next?
A. Manually add all RRs for the zone, including A, CNAME, PTR, and SRV
records.
B. Manually add A records for all hosts that cannot use dynamic updating.
C. Manually add A RRs and PTR RRs for all hosts that will be using
dynamic updating.
D. Manually initiate a zone transfer to replicate all the needed RR to the
new zone.
5. A DNS server, Aspen, has been successfully resolving queries but with the
wrong information. You use the Monitoring function in the DNS Management
Console for Aspen and test the simple and recursive queries. Both work fine.
What is the most likely cause of the problem?
A. Aspen is not authoritative for the zone in which the wrong information is
being returned.
B. Aspen is not configured to perform iterative queries.
C. Some clients do not support dynamic updates, or manually entered RRs
have errors.
D. The clients that received the wrong information do not support the OPT
record type.
6. Your company has recently migrated from Windows NT 4.0 to Windows
Server 2008 on all of its networked servers, including those running the
DHCP and DNS server services. During the migration, you implemented
Active Directory-integrated zones. A colleague says you cannot do this because
the zones converted from non-AD-aware operating systems will not allow
secure updates, creating a significant security risk to the organization. What is
your response?
A. When any zone is integrated into AD, it takes on the security features of AD.
B. If the zone is created outside of the AD, it will be configured for no secure
updates and must be re-created to allow for secure updates.
C. If the zone is created outside of AD, it will not be configured for secure
updates but can be modified via the DNS Management Console.
D. When any zone created before Windows 2000 is integrated into AD, it will
use whatever update type other zones are configured to use.
7. You have been tasked with designing a new Windows Server 2008 Active
Directory forest. The network is currently a combination of Windows 2000
Professional, Windows XP, Windows Vista, and Macintosh clients. You want
to reduce the administration of IP addresses. Which of the following services
would you implement to accomplish this?
A. DHCP
B. DNS
C. WINS
D. DDNS
8. Your company has a Windows Server 2008 domain. All of your servers run
Windows Server 2008 and all of your workstations run Windows Vista
Business. Your DHCP server is configured with the default settings and all of
your Windows Vista machines are configured as DHCP clients with the default
DHCP client settings. You want to use DNS dynamic updates to automatically
register the host record and PTR record for all of your workstations. Which of
the following must you do to accomplish your goal?
A. None. The default settings are sufficient.
B. Configure the DHCP server to always Dynamically Update DNS And
PTR Records.
C. Configure the DHCP server to Dynamically Update DNS And PTR
Records Only If Requested By The DHCP Clients.
D. Configure the workstation to use dynamic updates.
9. Your network contains a mix of Windows 2003 and Windows Server 2008.
You have three domain controllers running Windows Server 2003. Your file
server, print server, and Exchange server are running Windows 2000 Server.
Your DNS, DHCP, and WINS servers are running Windows Server 2008.
All of your clients are running Windows XP Professional with Service Pack 2.
All machines, other than the servers that require a static IP address, are configured
as DHCP clients with the default settings. Your DNS server has been
configured to allow dynamic updates. Which of the following records will be
registered in DNS automatically? (Choose all that apply.)
A. MX
B. Host (A)
C. SRV
D. PTR
10. You have implemented DNS on a Windows Server 2008 Core Server installation.
You want to list the DNS zones on this server. What command-line utility
would you use to accomplish this?
A. ocsetup.
B. netsh.
C. dnscmd.
D. None of the above. You must use the GUI from another Windows Server
2008 host.
Self Test Quick Answer Key
1. B
2. B
3. A
4. B
5. C
6. C
7. A
8. A
9. B, C, and D
10. C
Chapter 3
Working with Users, Groups, and Computers
Exam objectives in this chapter:
■ Navigating Active Directory Users
and Computers
■ Creating and Modifying User Accounts
■ Creating and Modifying Computer Accounts
■ Creating and Modifying Groups
■ Delegation of Tasks
Exam objectives review:
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
MCTS/MCITP
Exam 640
Introduction
The network administrator's daily tasks can be made easier, or more difficult, by
the number and quality of administrative tools available to perform those tasks.
In Windows Server 2008, Microsoft has provided administrators with a wealth
of graphical and command-line utilities for carrying out their job duties. The
Administrative Tools menu is the place to start, and there you'll find predefined
management consoles for configuring and managing most of Windows Server 2008
services and components, including Active Directory tools, DNS, Security policies,
Licensing, Routing and Remote Access, Terminal Services, Media Services, and
more. Also, you can use Server Manager to access all or most of these tools to
perform day-to-day administration tasks from a central console.
As an administrator, one of your major responsibilities is to create and manage
users, groups, computer accounts, OUs, and group policies. Like Active Directory
in Windows 2000 Server and Windows Server 2003, Windows Server 2008 Active
Directory also uses the Active Directory Users and Computers MMC snap-in to
manage user, computer, and group accounts. We will be spending a great amount
of time working with this tool to perform day-to-day activities involving users and
computers. This Active Directory Users and Computers MMC snap-in is one of
the three most used Active Directory snap-ins employed to manage Active Directory.
From this interface, you not only can manage user, group, and computer accounts,
but you can also use it to manage other aspects of Active Directory, including group
policies, domain controllers, domain security policies, and others. This chapter
focuses on creating users, groups, and computers, and you'll learn different tips and
techniques here that will help you manage your Active Directory along the way.
Navigating Active
Directory Users and Computers
The powerful Active Directory Users and Computers administration tool is still
included with Windows Server 2008 to manage Active Directory objects. The Active
Directory Users and Computers administrative console enables you to perform
day-to-day administration tasks, including adding, modifying, deleting, and organizing
Windows Server 2008 user accounts, groups, computer accounts, share resources,
printers, and others. It also allows you to manage domain controllers, organizational
units (OUs), group policies, and domain security policies. To manage Active Directory
users, a number of tools are available, including ADSIEdit.msc, LDIFDE, CSVDE,
command-line utilities, and many more.
So many administrative tools are available that it can be a bit challenging knowing
which one to use. The solution is to practice, practice, practice. With the passage of
time, experience brings familiarity, and suddenly it won't seem nearly as difficult
finding the right tool, command, or switch to manage a particular object or perform
bulk user management.
You can access Active Directory Users and Computers snap-ins by selecting
(a) Start | Programs | Administrative Tools | Active Directory Users
and Computers; (b) Start | Control Panel | Administrative Tools | Active
Directory Users and Computers; or (c) Start | Run and then typing MMC
in the Run dialog box to open an empty MMC. Choose File | Add/Remove
Snap-in | Active Directory Users and Computers | Add>, and then
click OK.
TEST DAY TIP
Attribute Editor is available in the Active Directory Users and Computers
MMC snap-in with advanced features enabled. It is easier to use and
navigate the Active Directory Users and Computers snap-in than
ADSIEdit.msc.
NOTE
The Active Directory administrative console is installed automatically on
Windows Server 2008 domain controllers.
Now that you're familiar with how to access and open Active Directory Users
and Computers, it's time to understand the default containers and OUs. After you
install and configure a domain controller, you will see several built-in containers
and OUs within the Active Directory Users and Computers snap-in, as shown in
Figure 3.1.
■ Built-In The Built-In container includes all of the standard groups that are
created automatically when you install a domain controller. These groups
have standard permissions on different objects in the Active Directory
domain. Examples include the Account Operators group, Administrators,
Backup Operators, Server Operators, Replicators, Users, Remote Desktop
Users, and Print Operators.
■ Computers The Built-In Computers container contains the workstations
in your domain. By default, there is no workstation in the container;
however, you will see a list of computers over a period of time as you
install and join workstations within your domain.
■ Domain Controllers The Built-In Domain Controllers OU contains
domain controllers for the domain.
■ Foreign Security Principals The Built-In Foreign Security Principals
container holds objects that are not part of the current domain to which
permissions can be applied.
Figure 3.1 Default Containers and OUs in the Domain
■ Users The Built-In Users container holds security accounts that are part
of the domain. Several groups are held in this container, and are created
automatically during the installation of the domain controller. For example,
this container holds the default Administrator account and other groups,
including Domain Admins, Enterprise Admins, Domain Controllers,
Domain Guests, Domain Users, Schema Admins, Guests, and many others
in the domain.
Creating and Modifying User Accounts
Now that you are familiar with the default containers and OU structure, it is time
to understand the types of user accounts and the information needed to create them.
In the following section, we will discuss various types of user accounts, built-in
accounts, and how to create and manage user accounts. It is important that you
understand the process involved in creating and managing user accounts, because
user accounts are one of the most frequently used types of objects in Active Directory.
A user account is a record in the Active Directory database that consists of all
the information that defines a user to Windows Active Directory. This information
includes the username, password, logon hours, profile location, group membership
information, and the password required for the user to log on. A user account enables
the user to prove his or her identity, authenticate to the network, and log on to a
local computer or a network to access resources. In the Windows Active Directory
environment, authentication for domain users is based on user accounts in Active
Directory. Authentication confirms the identity of a domain user and allows them
to access network resources. Once logged on, users can access all network resources.
This is known as the single sign-on process, which helps users log on to the client
computer once, using a single user ID and password, and then authenticate to any
computer in the domain.
User Account Types
Three types of user accounts exist in the Windows Server 2008 environment: built-in
user accounts, local user accounts, and domain user accounts. Built-in user accounts
are created automatically during the installation of Windows Server 2008 and Active
Directory. Built-in accounts have pre-assigned permissions and are used to perform
specific administrative tasks like managing printers, backing up files, remote access, and
so on. Examples of two common built-in accounts are Administrator and Guest.
With a local user account, a user authenticates locally from a specific computer
to gain access to a local resource on that computer. Local user accounts are created
only in the computer's local security database, and do not replicate with the domain
controllers in the Active Directory domain. In the Active Directory domain, if your users
need to access domain resources, then you should create domain user accounts instead
of local user accounts, since the domain will not recognize local user accounts. Local
accounts are used in workgroup environments instead of in domain environments.
With a domain user account, a user authenticates from a domain controller in a
domain to gain access to domain resources anywhere on the network. At the time
of authentication, the user provides his logon information to authenticate from
the domain controller, which in turn authenticates the user and creates an access
token containing user information and security settings. This access token identifies
the user and helps him access domain resources without reentering his credentials.
All domain controllers in the Active Directory domain replicate the user account
information so the user is able to authenticate from any domain controller. This
chapter focuses on domain user accounts.
Creating a New Account
As in Windows 2000 Server and Windows Server 2003 Active Directory, domain
users are created and managed in the Windows Server 2008 Active Directory
environment by using the Active Directory Users and Computers MMC snap-in.
Creating and managing a user account in Windows Server 2008 is really no different
than Windows 2000 Server and Windows Server 2003. If you are an experienced
Windows 2000 Server and/or Windows Server 2003 Administrator, you can skip
this section and move on to the next section, because most of the information here
will seem repetitive.
Before I start discussing the user account creation process in detail, I would
like to explain the two built-in accounts on Windows Server 2008 computers: the
Administrator and Guest accounts. The built-in administrator account uses the
password you specified during operating system installation and has full permissions
to the local machine as well as on a domain controller to administer the domain.
It is used to create and modify user accounts, group accounts, manage account and
security policies, group policies, create published printers and sharing, assign rights to
users, change domain policies, and so on. As this account has full permissions on the
Active Directory domain, you must secure this account from hackers and intruders.
This account can be secured in multiple ways, including:
■ Rename this account to hide it from hackers and intruders. Since you cannot
delete this account or remove it from the Administrators group, renaming it
makes it difficult for unauthorized users to guess the administrative account's
logon name.
■ Create a dummy administrator account with no permissions and disable that
account to make it difficult for hackers to crack the administrative account.
■ Choose a long and complex password and change your password on a regular
basis. Make sure your password is a combination of letters, numbers, and
special characters, which makes it difficult to guess and/or crack.
■ If you are responsible for managing the Active Directory domain, you should
create a separate user account to perform other day-to-day activities and use
the built-in Administrator account only when you perform administrative tasks.
The built-in Guest account allows your users who do not have an Active
Directory account to log on to the domain and access network resources. For
example, a contractor or a partner who needs to access domain resources for a
very short time may use this account to access network resources. By default, this
account is disabled; however, you can enable this account. The Guest account can
use a blank password; however, it is recommended that you assign it a password
and use it only in low-security environments where you have limited resources
or where there is no threat. As with the built-in Administrator account, it is
recommended you rename this account to make it difficult for unauthorized users
to guess the Guest account's logon name. You can further secure this account by
using a long and complex password. As with the built-in Administrator account,
you cannot delete the Guest account, but you can rename and disable it.
Domain User Account Considerations
Before you create any user accounts, be aware of user account creation rules and
practices. These are mentioned next for your reference:
1. The user account name must be unique among the user names in your Active
Directory domain.
2. The user logon name and SAM name must be unique in your Active
Directory domain.
3. User account names can be from 1 to 20 characters in length.
4. You can choose to use any combination of letters, symbols, and numbers
except the following: / \ [ ] : ; | = , + * ? < > @
5. The New User window displays both the Active Directory username,
such as [email protected], and the NetBIOS name, such as
Shannon.
6. User logon names are not case-sensitive.
7. Some organizations use best practices to create standardized usernames,
such as using the user's first and last name (Demi.Starr), while others
use first name and last initial (ShannonS). This is just an administrative
best practice to minimize administrative headaches in managing users.
Also, if you have two users with the same name (for example, Shannon
DiSouza), you can use the first name and last initial for the first user, and
then for the second user add additional letters from the last name to
differentiate the duplicate accounts, for example, ShannonD for the
first user and ShannonDi for the second user.
8. Some organizations also use different letters and best practices to identify
full-time and part-time employees, contractors, and vendors. To identify full-time
employees, you can use parentheses in the name after the user's logon
name, for example, Elanda DiSouza (Full Time) and Demi Starr (Temp).
Password Considerations
To protect user accounts from hackers and intruders, you must assign a strong
password to every user account in your Active Directory domain. As an administrator,
you can assign a password when you create a user account or assign a default password
and then ask users to change the password during logon. To make sure your users
use a strong password, you may have to educate them about how to create passwords
that are actually strong. You may have to remind them from time to time that a strong
password provides an effective defense against unauthorized access and protects your
resources from intruders and unauthorized users. In addition to educating your users,
you may want to implement group policies to enforce strong password policy settings
by enabling the Password must meet complexity requirements setting to force users
to create complex passwords. Please keep in mind that a strong password:
■ Does not contain dictionary words.
■ Does not contain a username, real name, pet name, family member's name,
or company name.
■ Is between 7 and 14 characters long.
■ Will be different from previous passwords.
■ Is a combination of uppercase, lowercase, numbers, and special characters.
An example of a strong password is Sh4$$n0n87r67}D.
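The naming rules in the numbered list and the password rules just given can be enforced before an account is created; the Python below is an added example, not code from the book, implementing the chapter's logon-name convention (first name plus last initial, extended with further letters of the last name on a clash), the sAMAccountName restrictions, and the Windows Password must meet complexity requirements policy (three of five character categories, and no sAMAccountName or display-name token of three or more characters). It enforces the chapter's 7-character minimum but no 14-character maximum, since Windows itself accepts much longer passwords; the names and word list in the sample run are constructed.

```python
import re

# Characters the chapter's rule 4 forbids in a logon name, plus the double quote,
# which Active Directory also rejects in sAMAccountName
SAM_ILLEGAL_CHARS = set('"/\\[]:;|=,+*?<>@')
SAM_MAX_LENGTH = 20

# Delimiters Windows uses to split the display name into tokens for the complexity check:
# comma, period, dash, underscore, space, pound sign and tab
_NAME_TOKEN_SPLIT = re.compile(r"[,.\-_ #\t]+")


def validate_sam_account_name(name, existing=()):
    """Return the list of naming rules a proposed logon name breaks (empty list = acceptable)."""
    problems = []
    if not 1 <= len(name) <= SAM_MAX_LENGTH:
        problems.append(f"length must be 1-{SAM_MAX_LENGTH} characters")
    bad = sorted(set(name) & SAM_ILLEGAL_CHARS)
    if bad:
        problems.append("contains disallowed characters: " + " ".join(bad))
    # Logon names are not case-sensitive, so uniqueness is checked case-insensitively
    if name.lower() in {e.lower() for e in existing}:
        problems.append("not unique in the domain")
    return problems


def propose_logon_name(first, last, existing):
    """Chapter convention: first name plus last initial; on a clash, add further letters
    of the last name (ShannonD, then ShannonDi, ...) until the name is unique and valid."""
    first = "".join(ch for ch in first if ch.isalnum())
    last = "".join(ch for ch in last if ch.isalnum())
    for n in range(1, len(last) + 1):
        candidate = first + last[:n]
        if not validate_sam_account_name(candidate, existing):
            return candidate
    raise ValueError(f"no unique, valid logon name could be derived for {first} {last}")


def check_password(password, sam_account_name, display_name,
                   previous=(), dictionary=(), min_length=7):
    """Apply the chapter's strong-password rules plus the Windows complexity policy.
    Returns the list of failed rules (empty list = acceptable)."""
    failures = []
    lowered = password.lower()
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if lowered in {p.lower() for p in previous}:
        failures.append("reuses a previous password")
    for word in dictionary:
        if len(word) >= 3 and word.lower() in lowered:
            failures.append(f"contains dictionary word '{word}'")
    # Windows rejects a password containing the whole sAMAccountName (when it is 3+ chars)
    # or any display-name token of 3+ characters, compared case-insensitively
    for part in [sam_account_name] + _NAME_TOKEN_SPLIT.split(display_name):
        if len(part) >= 3 and part.lower() in lowered:
            failures.append(f"contains part of the user's name '{part}'")
    # The complexity policy requires characters from at least three of these five categories
    categories = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
        # letters with no upper/lower case, e.g. many Asian scripts
        "other letter": any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    }
    if sum(categories.values()) < 3:
        failures.append("uses fewer than three of the five character categories")
    return failures


if __name__ == "__main__":
    # Constructed sample: two users named Shannon DiSouza, as in the chapter's rule 7
    taken = ["Demi.Starr"]
    first_shannon = propose_logon_name("Shannon", "DiSouza", taken)
    taken.append(first_shannon)
    second_shannon = propose_logon_name("Shannon", "DiSouza", taken)
    print(first_shannon, second_shannon)  # ShannonD ShannonDi
    print(check_password("Sh4$$n0n87r67}D", first_shannon, "Shannon DiSouza"))  # []
    print(check_password("ShannonD2008", first_shannon, "Shannon DiSouza",
                         dictionary=["password", "summer"]))
```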
Creating a New Account Using
Active Directory Users and Computers
The Active Directory Users and Computers console is used to create a new domain
user account. You can create User accounts by performing the steps outlined in
Exercise 3.1.
EXERCISE 3.1
CREATING A NEW USER ACCOUNT
BY USING ACTIVE DIRECTORY USERS AND COMPUTERS
1. Log on to the Active Directory domain controller using administrative
privileges.
2. Choose Start | Programs | Administrative Tools and then click
Active Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational
unit to house the new user account. Right-click the container, click
New, and then click User to create the new user account. This will
bring up the New Object - User window (see Figure 3.2).
4. Enter the user's first and last names in the First Name and Last
Name boxes, respectively. Windows Server 2008 automatically
enters the full name. Enter a username in the box under User
Logon Name. The logon name is required and, in combination with
the domain name on the right (such as [email protected]),
uniquely identifies a user in a domain, tree, or forest. Based on your
naming environment, you may have to choose different domains
for which you have appropriate permissions. Once you enter the
user logon name information, click Next to continue.
5. Enter a password for the user in the Password box. Retype the
password in the Confirm Password box. Check the appropriate
boxes for the various password options, as shown in Figure 3.3.
Table 3.1 lists several password options.
Table 3.1 Password Options

User must change password at next logon: Select this option to force the user
to change their password the first time they log on. This provides a higher
level of security by ensuring that the user is the only person who knows the
password.

User cannot change password: Select this option if you have more than one
person using the same domain user account (such as Guest). Choosing this option
also makes sure the account's password can only be changed with Administrator
privileges, which means it will prevent the user from creating a new password
or altering an existing password.
NOTE
You don't have to enter any information in the User Logon Name area
(pre-Windows 2000 Server) as this information is entered automatically.
The entry is the user's unique logon name that is used to log on from
earlier versions of Windows, such as Microsoft Windows NT 4.0. This
information is required and must be unique within the domain.
Figure 3.2 Examining the New Object User Window
Table 3.1 Password Options (continued)

Password never expires: Select this option if the user is not required to
change his or her password periodically or if you don't want to force any time
restrictions on the life of the password, for example, for a domain user
account that is used by a Windows Server 2008 service.

Account is disabled: Select this option to deactivate an account so it cannot
be used to log on to the network. This option is useful when a user doesn't
need it and leaves for an extended period or in the case of a new employee who
has not yet started.
6. Click Next to bring up the User Account Confirmation screen.
This verifies the user's full name, logon name, and any password
restrictions. Click Finish to finalize the new account and view the
new user within the Active Directory container from the Active
Directory Users and Computers snap-in.
Figure 3.3 Examining the Password Options
Modifying a Domain User Account
Using Active Directory Users and Computers
Like all Windows Server 2008 objects, there is a set of default properties or attributes
associated with the domain user account. Once the domain user account has been
created, these properties can be filled in so that you can search for users in Active Directory.
For example, you can set the office location in the office property and other sections
so you can locate users from a particular office.
In Exercise 3.2, we will examine several user attributes and values. An explanation
of each tab setting is provided to help you understand the various attributes and values.
EXERCISE 3.2
MODIFYING A NEW USER ACCOUNT
BY USING ACTIVE DIRECTORY USERS AND COMPUTERS
1. Log on to the Active Directory domain controller with administrative
privileges.
2. Click Start | Programs | Administrative Tools and then click Active
Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational
unit where the user account is residing. Right-click the desired user
and then select Properties.
4. The General tab contains the user's first name, initials, last name,
display name, description (usually a job title, for example,
Sr. Manager, that will appear on the management console),
office location, telephone number(s), e-mail address, and Web
page(s). Type in the appropriate information, as shown in
Figure 3.4.
5. Click the Address tab. This tab contains the user's street address,
P.O. Box, city, state/province, ZIP/postal code, and country/region
information, as shown in Figure 3.5. It's helpful to have this
information if you want to retrieve it later to locate a user and
mail them any packages or information.
Figure 3.4 The General Tab
6. Click the Accounts tab. This tab contains the user's logon name,
domain, the user's pre-Windows 2000 logon, their logon hours,
the computers they're permitted to log on to, their unlock
account settings, account options, and account expiration date
settings (see Figure 3.6).
Figure 3.5 The Address Tab
7. Set the account properties by clicking the appropriate boxes for
the Account options, as explained in Table 3.2.
Table 3.2 Password Options

User must change password at next logon: Select this option to force the user
to change his or her password the first time that he or she logs on. This
provides a higher level of security by ensuring that the user is the only
person who knows the password.
Figure 3.6 The Accounts Tab
Table 3.2 Password Options (continued)

User cannot change password: Select this option if you have more than one
person using the same domain user account (such as Guest). Choosing this option
also ensures the account's password can be changed only with Administrator
privileges, which means that it will prevent the user from creating a new
password or altering an existing password.

Password never expires: Select this option if the user is not required to
change his or her password periodically or if you don't want to force any time
restriction on the life of the password, for example, for a domain user account
that is used by a Windows Server 2008 service.

Store password using reversible encryption: This option is used to enhance the
security of the password by storing it using reversible encryption.

Account is disabled: This option is used to deactivate an account so it cannot
be used to log on to the network. This option is useful when a user doesn't
need it and leaves for an extended period, or in the case of a new employee
who has not yet started.

Smart card is required for interactive logon: This option enables you to use
smart cards in the network if you would like to enhance domain logon security
by using smart cards and PINs instead of a user name and password.

Account is sensitive and cannot be delegated: This option enables you to
disable account delegation. This is an additional security level to delegate
or not delegate the user account. Ideally, you should enable this option for
domain service accounts.

Use Kerberos DES encryption types for this account: This option enables you to
use DES encryption for this account instead of standard Kerberos encryption.

This account supports Kerberos AES 128-bit encryption: This option enables you
to use AES 128-bit encryption for this account instead of standard Kerberos
encryption.
8. Click Logon Hours to allow the user to only log on at certain
days and times of the week (Figure 3.7), which is useful in forcing
employees to log on to the domain only during their allowed
working hours. This will help you increase your domain security
by reducing the amount of time the account is vulnerable to
unauthorized access. In the Logon Hours for User dialog box, shown in
Figure 3.7, select the days and hours for which you want to allow
or deny access. By default, Windows Server 2008 permits access
for all hours on all days. Two settings control logon hours:
■ Logon Permitted is used to control the hours during which a
user is permitted to log on. The days and hours within which
the user has allowed access appear in blue.
■ Logon Denied is used to designate the hours during which
a user is denied logon. The days and hours within which the
user is denied access appear in white.
Table 3.2 Password Options (continued)

This account supports Kerberos AES 256-bit encryption: This option enables you
to use AES 256-bit encryption for this account instead of standard Kerberos
encryption.

Do not require Kerberos preauthentication: This option allows the user to log
on from a computer that supports Kerberos but does not support the
preauthentication feature of Kerberos.
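Every Account option in Table 3.2 after the first two is a bit in the user's userAccountControl attribute (the two AES options are bits in msDS-SupportedEncryptionTypes), so the checkboxes can be read back and audited without the GUI. The Python below is an added example, not the book's code: it decodes the raw values into the checkbox labels and flags settings that weaken the account, including reversible encryption, which lets anyone able to read the directory database recover the plaintext password and is only needed by protocols such as CHAP or Digest authentication. The account names and values in the sample run are constructed.

```python
# userAccountControl bit flags (ADS_USER_FLAG_ENUM) behind the Account options checkboxes.
# Two Table 3.2 rows are not bits here: "User must change password at next logon" is stored
# by setting pwdLastSet to 0, and "User cannot change password" is a Deny ACE for the
# Change Password right on the user object.
UAC_FLAGS = {
    "Account is disabled": 0x0002,
    "Store password using reversible encryption": 0x0080,
    "Normal account": 0x0200,  # ADS_UF_NORMAL_ACCOUNT, the constant 512 in the chapter's VBScript
    "Password never expires": 0x10000,
    "Smart card is required for interactive logon": 0x40000,
    "Account is sensitive and cannot be delegated": 0x100000,
    "Use Kerberos DES encryption types for this account": 0x200000,
    "Do not require Kerberos preauthentication": 0x400000,
}

# The two AES checkboxes are stored in msDS-SupportedEncryptionTypes, not userAccountControl
ENC_TYPE_FLAGS = {
    "This account supports Kerberos AES 128-bit encryption": 0x08,
    "This account supports Kerberos AES 256-bit encryption": 0x10,
}


def decode_account_options(uac, supported_enc_types=0):
    """Return the set of checkbox labels that ADUC would show as ticked for these raw values."""
    ticked = {label for label, bit in UAC_FLAGS.items() if uac & bit}
    ticked |= {label for label, bit in ENC_TYPE_FLAGS.items() if supported_enc_types & bit}
    return ticked


def encode_account_options(labels, uac=UAC_FLAGS["Normal account"]):
    """Inverse of decode for the userAccountControl part: OR the chosen checkbox bits onto a base value."""
    for label in labels:
        if label in UAC_FLAGS:
            uac |= UAC_FLAGS[label]
        elif label not in ENC_TYPE_FLAGS:
            raise KeyError(f"unknown account option: {label}")
    return uac


def audit_account(sam_account_name, uac, supported_enc_types=0):
    """Return (severity, message) findings for options that weaken the account, so they are
    reviewed deliberately rather than left ticked by accident."""
    opts = decode_account_options(uac, supported_enc_types)
    findings = []
    if "Store password using reversible encryption" in opts:
        findings.append(("high", f"{sam_account_name}: password stored reversibly; anyone who can read "
                                 "the directory database can recover the plaintext"))
    if "Do not require Kerberos preauthentication" in opts:
        findings.append(("high", f"{sam_account_name}: preauthentication disabled, removing the Kerberos "
                                 "protection against offline password guessing"))
    if "Use Kerberos DES encryption types for this account" in opts:
        findings.append(("high", f"{sam_account_name}: restricted to DES keys, which are too weak for "
                                 "current use"))
    if "Password never expires" in opts and "Account is sensitive and cannot be delegated" not in opts:
        findings.append(("medium", f"{sam_account_name}: non-expiring password (service-account style) "
                                   "without the 'sensitive and cannot be delegated' setting the chapter "
                                   "recommends for service accounts"))
    if not opts & set(ENC_TYPE_FLAGS):
        findings.append(("low", f"{sam_account_name}: no AES encryption type recorded, so the KDC falls "
                                "back to RC4 (or DES where still enabled)"))
    return findings


if __name__ == "__main__":
    # Constructed values: a service account with the weakest checkboxes ticked
    svc_uac = encode_account_options(["Password never expires",
                                      "Do not require Kerberos preauthentication"])
    print(hex(svc_uac), sorted(decode_account_options(svc_uac)))
    for severity, message in audit_account("svc_backup", svc_uac):
        print(severity, message)
```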
Figure 3.7 The Logon Hours Dialog Box
9. Click OK to continue.
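The Logon Hours dialog writes the logonHours attribute: 21 bytes holding 168 bits, one per hour of the week, Sunday first with three bytes per day, the least significant bit of each byte first, and hours expressed in UTC (the dialog shows local time and converts). The Python below is an added example, not code from the book, that builds and decodes that value; the weekday schedule is constructed.

```python
DAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
LOGON_HOURS_LENGTH = 21  # 7 days x 24 hours = 168 bits


def _bit_index(day, hour):
    if not (0 <= day <= 6 and 0 <= hour <= 23):
        raise ValueError(f"day must be 0-6 and hour 0-23, got {day}/{hour}")
    return day * 24 + hour


def build_logon_hours(permitted):
    """permitted maps a day index (0 = Sunday) to the UTC hours in which logon is allowed.
    Each permitted hour sets one bit: byte = bit // 8, least significant bit first within the
    byte, so byte 0 bit 0 is Sunday 00:00-01:00 UTC. Unlisted hours stay 0 (logon denied)."""
    value = bytearray(LOGON_HOURS_LENGTH)
    for day, hours in permitted.items():
        for hour in hours:
            bit = _bit_index(day, hour)
            value[bit // 8] |= 1 << (bit % 8)
    return bytes(value)


def logon_permitted(logon_hours, day, hour):
    """True when the bit for this UTC day/hour is set (a blue cell in the Figure 3.7 grid)."""
    if len(logon_hours) != LOGON_HOURS_LENGTH:
        raise ValueError("logonHours must be exactly 21 bytes")
    bit = _bit_index(day, hour)
    return bool(logon_hours[bit // 8] & (1 << (bit % 8)))


def describe_logon_hours(logon_hours):
    """Decode the attribute into {day name: [permitted UTC hours]} for review."""
    return {DAYS[day]: [hour for hour in range(24) if logon_permitted(logon_hours, day, hour)]
            for day in range(7)}


# The value written when every cell of the grid is permitted: all 168 bits set
ALWAYS_PERMITTED = b"\xff" * LOGON_HOURS_LENGTH


if __name__ == "__main__":
    # Constructed schedule: Monday to Friday, 08:00-17:59 UTC
    weekdays = build_logon_hours({day: range(8, 18) for day in range(1, 6)})
    print(weekdays.hex())
    print(describe_logon_hours(weekdays)["Monday"])
    print(logon_permitted(weekdays, 6, 12))  # False: Saturday noon is denied
```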
10. Click Log On To to let the user log on to only certain workstations
(Figure 3.8). This will help you increase your domain security by
forcing employees to log on to the domain only from their allowed
workstations, thus preventing users from accessing another user's
data (accidentally or intentionally) that is stored on that user's
computer. By default, Windows Server 2008 lets users access all
workstations in the domain. In the Logon Workstations dialog box,
as shown in Figure 3.8, select The Following Computers, and then
type in the NetBIOS name of the computer from which a user
is permitted to log on in the Computer name box (for example,
WORKSTATION01), and then click Add to add the computer. The
main point to remember here is that the computer name must be
the NetBIOS name, and the NetBIOS protocol must be installed
and enabled on all machines that use this account policy. Repeat
this step to add other computers to the list.
NOTE
Changing the logon hours setting applies to the user's next attempted
connection. It doesn't affect a user currently logged on to the system.
Figure 3.8 The Logon Workstations Dialog Box
11. Click OK to continue.
12. In addition to logon hours and logon workstations, you can use
an account expiration date, shown in Figure 3.9, to increase
domain security. You can choose either of the following settings:
■ Never is used if you do not want the user account to expire.
Generally, you may want to choose this setting for service
accounts and Domain Admin accounts.
■ End of (date) is used to disable the user account automatically
on the date you specify. You may want to use this setting to
force temporary employees' and contractors' accounts to expire.
NOTE
You can also edit an existing list and remove computers from an existing
list by clicking the Edit and Remove buttons.
Figure 3.9 The Accounts Tab
13. Click the Profile tab to define the profile path, logon script, home
folder local path, and shared folder location, shown in Figure 3.10.
You can choose one of the following settings:
■ Profile path contains the path where a user's profile will be
stored. If no directory location is entered, the default location
is \Documents and Settings\username. It is important to define
the user profile path because user profiles are used to provide
consistency to each user by saving and retrieving the user's
desktop environment. User profiles come in four different
types: local user profiles, roaming user profiles, temporary
user profiles, and mandatory user profiles.
Figure 3.10 The Profile Tab
NOTE
Local user profiles are available only at the local computer. They are
created in the user's profile directory on each system where the user
logs on. When the user logs on to a system for the first time, and if
there is no profile defined, the system will use the \Documents and
Settings\Default User profile to create the new local user profile in
the \Documents and Settings\username directory. If the user logs on to
many different systems in your domain, he will be unable to maintain
one profile, and may end up with many profiles on many different
systems.
Roaming user profiles allow users to maintain one profile while
they log on at multiple computers and move from system to system.
A roaming profile is a shared folder on a server, which allows a user to
access a roaming profile from any system in the domain. Whenever a
user starts a session, the profile is copied from the shared network folder
to the local computer. Once copied to the local system, all the user's
settings will be updated locally on the local profile and will be copied
to the shared folder on a server when the user logs off.
Mandatory user profiles are read-only roaming profiles that are used
to maintain desktop consistency. No modifications will ever be saved on
the user's profile. Users will be able to modify desktop settings and several
other settings, but they won't be saved when the user logs off. Like
roaming profiles, the mandatory profile is also a shared network folder,
which allows the user to access mandatory profiles from any system in
the domain. No user should be allowed to make changes to mandatory
user profiles except system administrators.
Temporary user profiles are used only if a user's profile is unable to
load due to errors. At the end of each session, temporary user profiles
are deleted. Therefore, all changes made during the session will be lost
when the user logs off the system.
■ Logon script contains the path to optional traditional MS-DOS
command scripts (.exe, .bat, and .com) for downlevel operating
systems, or Visual Basic Scripting (.vbs) for operating systems
that support Windows Scripting Host (WSH).
■ Home folder local path contains the home directory path on
the local machine.
■ Home folder connect contains the home directory path targeted
on a shared network folder. This option requires you to choose
a network drive letter from the pull-down menu, which will be
used to reference the remote connection from the local machine.
Also, the To field should contain the UNC name of the remote
directory, for example, \\Servername\Sharename\Directory.
Test Day Tip
Home Folder Overview
A home folder is an additional folder that can be used to centralize a
user's documents on a networked server for easy access from any client
computer, central backup/restore, and version control. As the home folder is
not a part of a user's profile, its size can vary to meet the user's needs. It
is not uncommon to find a home folder that is in the hundreds
of megabytes.
14. Click the Telephones tab to store home, pager, mobile, FAX, and
IP phone info for quick reference (as shown in Figure 3.11) on
where to contact the user. Entering information in this tab is
optional.
15. Click the Organization tab to enter information regarding a user's
relationship with an organization, such as job title, department,
company, and manager name (as shown in Figure 3.12).
Figure 3.11 The Telephones Tab
16. Click the Member Of tab to add a user to different security groups
and to assign permissions on domain resources (see Figure 3.13).
You can make a user account a member of different
groups; however, the best practice is to give only the group memberships
that are necessary, and not assign excessive memberships to either
users or computers. By default, each user is a member of the
Domain Users group. Windows allows a user to belong to many
groups, one of which is the user's primary group. You can set the
user's primary group in the Member Of tab by clicking Set Primary
Group. The selected group becomes the primary group and is displayed
in bold; the group that was previously the primary group is
no longer in bold. To add the user to a different security group,
click Add, type in the group name, and then click Check Names.
Click OK to add the user to the particular group. Click OK to return
to the Active Directory Users and Computers snap-in.
Figure 3.12 The Organization Tab
17. Click the Dial-in tab to configure the user account for use with
remote access (as shown in Figure 3.14).
Many different settings included here can be used individually or
in combination with other settings to control user dial-in permissions.
Network Access Permissions is the first section, which allows you to
control a users access by choosing Allow Access and Deny Access and
also control his access through NAP by clicking Control Access Through
NPS Network Policy.
In addition to NAP policies and NAP server, you can also decide to use
Callback as a security feature. Three different options control callback:
■ No Callback is the first and default choice, which allows users
to directly dial into the domain to gain access to the network.
Figure 3.13 The Member Of Tab
■ Set by Caller (Routing And Remote Access Service Only)
is used to allow users to specify callback telephone numbers
during an initial connection. This is a good choice for traveling
professionals, such as executives, sales, and IT staff, since it
prevents long-distance telephone bills.
■ Always Callback to is where you enter a specific telephone
number to restrict users from establishing remote connections
from a specific location / telephone number.
In addition to the preceding settings, you can also choose Assign
Static IP Addresses and Apply Static Routes to define a static IP address
and a default route.
Figure 3.14 The Dial-in Tab
18. Click the Environment tab to configure the user account for use with
the Terminal Services startup environment. The Starting Program lets
you specify the program that will open whenever the user connects
and logs on to a terminal server, whereas Client Devices allows
you to specify whether the user's local drives and printers will be
available in the Terminal Services session (as shown in Figure 3.15).
19. Click the Sessions tab (as shown in Figure 3.16) to configure the
Terminal Services session timeout, active session limit, the idle
session limit, and reconnection settings, as explained in Table 3.3.
Figure 3.15 The Environment Tab
Table 3.3 The Sessions Tab

End a disconnected session: Select this option to specify the amount of time
that Terminal Services will keep the user's session active even though the user
is no longer actively connected. This takes memory space on the terminal
server, but it is useful if your user gets disconnected because of network
connectivity issues.
Figure 3.16 The Sessions Tab
20. Click the Remote Control tab (as shown in Figure 3.17) to configure
the Terminal Services remote control settings that allow an
administrator to observe or actively control the user's Terminal Services
session, including being able to input keyboard and mouse actions
to the session.
Table 3.3 The Sessions Tab (continued)

Active session limit: Select this option to specify the maximum amount of time
that the user's Terminal Services session can be active before the session is
automatically disconnected. Users will receive a warning message two minutes
before a Terminal Services session disconnects. This will allow users to move
the mouse or press any key on the keyboard to keep the session active and
running.

Idle session limit: Select this option to specify the maximum amount of time
that an active Terminal Services session can be idle before the session is
disconnected. Users will receive a warning message two minutes before a
Terminal Services session disconnects. This will allow users to move the mouse
or press any key on the keyboard to keep the session active and running.

When a session limit is reached or connection is broken: Select this option to
specify the session limits, including whether to disconnect or end the user's
Terminal Services session when an active session limit or an idle session limit
is reached.

Allow reconnection: Select this option to specify if the user can reconnect
from any client to a disconnected session on a terminal server. From
originating client only is used for Citrix clients only.
21. The Terminal Service Profile tab (as shown in Figure 3.18) allows
you to specify the location of the Terminal Service profile and home
folder. Settings in this tab will apply to Terminal Services only.
Figure 3.17 The Remote Control Tab
22. The COM+ tab (Figure 3.19) lets you specify the Partition Set.
Figure 3.18 The Terminal Services Profile Tab
23. Click Apply, and then click OK to finalize the account changes
and view the user within the Active Directory container from the
Active Directory Users and Computers snap-in.
Common User Management Options
Aside from creating and configuring user accounts, you may be responsible for
performing a number of different management tasks. Table 3.4 lists different
management actions you can take on the user account.
Figure 3.19 The COM+ Tab
Table 3.4 Common User Management Options
Copy: Creates a new user account by copying an existing one; this is how template accounts are used.
Disable Account: Disables the user account so that it can no longer be used to log on. The account, its SID, and its group memberships are kept.
Enable Account: Re-enables a disabled user account so that it can be used on the network again.
Reset Password: Assigns a new password when a user has forgotten the current one. Combine it with User must change password at next logon so that the help desk never knows a lasting password.
Move: Moves the user account between containers and OUs. Because Group Policy and delegated permissions are applied per OU, moving an account changes which policies and which administrators apply to it.
Delete: Deletes the account of a user who has left the company. Prefer to disable first and delete after a retention period: a deleted account's SID cannot be recovered, so permissions granted to it are lost even if an account with the same name is re-created.
Rename: Renames a user account after a name change. The SID stays the same, so group memberships and permissions are unaffected.
Creating a New User Account Using Script
To create users from a script, you can use VBScript or the built-in dsadd command. I've found the dsadd command useful because it lets you put the command lines in batch files for day-to-day user administration tasks.
The following is an example of the VBScript used to create a user in Active Directory (replace the angle-bracket placeholders with real values):
' This code creates a single user named Joanna DiSouza
Const ADS_UF_NORMAL_ACCOUNT = 512
Set objParent = GetObject("LDAP://<ParentDN>")              ' e.g. ou=Users,dc=admastering,dc=com
Set objUser = objParent.Create("user", "cn=<UserName>")     ' e.g. cn=Joanna DiSouza
objUser.Put "sAMAccountName", "<UserName>"                  ' e.g. Joanna
objUser.Put "userPrincipalName", "<UserUPN>"                ' e.g. [email protected]
objUser.Put "givenName", "<UserFirstName>"                  ' e.g. Joanna
objUser.Put "sn", "<UserLastName>"                          ' e.g. DiSouza
objUser.Put "displayName", "<UserFirstName> <UserLastName>" ' e.g. Joanna DiSouza
objUser.SetInfo                 ' create the object (disabled by default) before any password can be set
objUser.SetPassword "<Pa$$w0rd>" ' IADsUser.SetPassword uses a protected channel, not a plain attribute write
' Enable only after the password exists: with the default domain password policy,
' enabling an account whose password is still blank is rejected by SetInfo
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.AccountDisabled = False
objUser.SetInfo
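Since the text recommends dsadd for batch work but shows only the VBScript, here is an added example (not from the book) of the dsadd approach in PowerShell: it generates a random initial password from the CSPRNG, creates each account disabled with the password flagged for change at first logon, and stops on the first dsadd failure. The domain admastering.com is the chapter's lab domain; the OU=Toronto container, the sample user list, and the logon names are assumptions.

```powershell
# Added example (not from the book): bulk-create users with dsadd from a batch-style list.
# Assumptions: lab domain admastering.com, an OU named Toronto, and the two sample users below.

$domainDn  = 'DC=admastering,DC=com'
$upnSuffix = 'admastering.com'

function Get-RandomIndex([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$N) {
    # Rejection sampling over one CSPRNG byte: no modulo bias for any N <= 256
    $b = New-Object byte[] 1
    do { $Rng.GetBytes($b) } while ($b[0] -ge (256 - (256 % $N)))
    return [int]($b[0] % $N)
}

function New-InitialPassword([int]$Length = 16) {
    # One character from each class guarantees the default domain complexity rule (3 of 4 classes);
    # ambiguous glyphs (O/0, l/1) are left out because this password is read out to the user once.
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#$%&*+-=?@'
    $all = [string]::Join('', $classes)
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $chars = New-Object System.Collections.ArrayList
    foreach ($set in $classes) { [void]$chars.Add($set[(Get-RandomIndex $rng $set.Length)]) }
    while ($chars.Count -lt $Length) { [void]$chars.Add($all[(Get-RandomIndex $rng $all.Length)]) }
    # Fisher-Yates shuffle so the four class-guaranteed characters are not always in positions 0-3
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex $rng ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return [string]::Join('', [string[]]$chars.ToArray())
}

function New-DomainUserWithDsadd($User) {
    $dn = "CN=$($User.First) $($User.Last),$($User.Ou),$domainDn"
    $initialPwd = New-InitialPassword
    # -mustchpwd yes: the initial password dies at first logon.
    # -disabled yes:  the account stays unusable until the help desk hands over the password
    #                 and enables it (dsmod user <dn> -disabled no).
    # Caveat: -pwd puts the password on the command line, where any local user can read it from
    # the process list while dsadd runs; use -pwd * (interactive prompt) when that matters.
    dsadd user $dn -samid $User.SamId -upn "$($User.SamId)@$upnSuffix" `
        -fn $User.First -ln $User.Last -display "$($User.First) $($User.Last)" `
        -pwd $initialPwd -mustchpwd yes -disabled yes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsadd failed for $dn (exit code $LASTEXITCODE)" }
    return @{ Dn = $dn; InitialPassword = $initialPwd }
}

# Constructed sample input; a real run would use Import-Csv on an HR export with the same columns.
$users = @(
    @{ First = 'Joanna'; Last = 'DiSouza'; SamId = 'jdisouza'; Ou = 'OU=Toronto' },
    @{ First = 'Demi';   Last = 'Forever'; SamId = 'dforever'; Ou = 'OU=Toronto' }
)
foreach ($u in $users) {
    $r = New-DomainUserWithDsadd $u
    # Hand the initial password over out of band; never write it to a shared log.
    Write-Host "Created $($r.Dn) (disabled, must change password at next logon)"
}
```

Creating the accounts disabled and enabling them only when the password has been handed over closes the window in which an account with a known initial password sits unused; if several accounts must be enabled at once, `dsmod user` accepts a list of DNs on standard input from `dsquery`.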
Creating User Template
As you know, templates simplify the creation of a large number of user accounts. In a template you define all the account settings that your users have in common. You then create user accounts from the template by filling in only the Name, Full Name, Description, Password, and Confirm Password fields. Make sure the template account itself is disabled and has the properties you need for most of your users. When you create a new user from it, you get the same wizard and dialog pages as when creating any new user; the difference is that the new user object starts with the attributes of the template user, which makes creation much quicker than configuring each user individually. Only attributes flagged in the schema as copied when duplicating a user come across; the password is never copied, but group memberships are, so never use an administrative or otherwise privileged account as a template, or every user stamped from it inherits its privileges.
Creating and managing user templates in Windows Server 2008 is really no different from Windows 2000 and Windows 2003. If you are an experienced Windows 2000 and/or Windows 2003 administrator, you can skip this section and move on to the next.
In Exercise 3.3, we use the existing user account of Shannon Forever to create a new user account for a different user by using the copy process.
EXERCISE 3.3
CREATING A NEW USER ACCOUNT BY USING AN EXISTING
USER ACCOUNT IN ACTIVE DIRECTORY USERS AND
COMPUTERS
1. Log on to the Active Directory domain controller with administrative
privileges.
2. Click Start | Programs | Administrative Tools and then click Active
Directory Users and Computers.
3. Right-click the desired user (in our case, it's Shannon Forever),
and then select Copy.
4. Enter the name information of the new user (Demi), and then
click Next.
5. Enter a password, select any appropriate account options you
want enabled, and then click Next.
6. Click Finish.
Configuring User Principal Names
As in Windows 2000 and Windows 2003 Active Directory, every domain user account in Windows Server 2008 Active Directory has a friendly name, the user principal name (UPN), that the user can log on with. A UPN is an Internet-style logon name that is shorter than the distinguished name and therefore easier to remember. It is made up of a prefix and a suffix, the user's logon name and a domain DNS name such as admastering.com, joined by @. In large enterprise environments, some organizations map an additional UPN suffix to the e-mail domain so that users log on with the same name they use for mail. This also keeps the internal Active Directory DNS namespace out of the name users type at logon; treat that as a convenience and a little obscurity rather than as an access control, because the suffix is only an alias and changes nothing about which domain authenticates the user. Choose a DNS domain your organization actually owns.
Some organizations have several domain trees and domains, which can confuse users. For example, the user Joanna DiSouza in the Toronto.Ontario.Canada.admastering.com domain would have to log on as [email protected].admastering.com. This is not only confusing, but some users will find a DNS name this long hard to remember and difficult to type. If that is the case, or if you want to map the user logon name to the e-mail address, add an alternate UPN suffix with the Active Directory Domains and Trusts tool. For example, Toronto.Ontario.Canada.admastering.com may have an alternate suffix of admasteringcanada.com, so that users log on to the Toronto.Ontario.Canada.admastering.com domain as [email protected] instead of [email protected]. The UPN suffix serves as an alias or substitute for the real domain name.
In the following section, we add an alternate UPN suffix that maps a user's logon name to his or her e-mail address. Exercise 3.4 assumes that the AD forest is rooted at a different domain name (for example, admastering.com) from the e-mail domain (for instance, admasteringcorp.com).
EXERCISE 3.4
ADDING AN ALTERNATE UPN SUFFIX
1. Log on to the Active Directory domain controller with Enterprise Admins privileges. The UPN suffix list is stored in the forest's configuration partition, so a Domain Admin of a child domain cannot change it.
2. Click Start | Programs | Administrative Tools and then click Active Directory Domains and Trusts.
3. Right-click Active Directory Domains and Trusts at the top of the console tree and click Properties (or select it and click Action | Properties). The UPN Suffixes tab appears.
4. To add an alternate suffix, type the suffix in the box (for example, admasteringcorp.com) and then click Add.
5. Repeat step 4 for any other suffixes you need.
6. To remove an alternate suffix, select it in the list and click Remove. Before removing a suffix, re-stamp any users whose UPN still ends in it, so that no account is left with a suffix the forest no longer lists.
7. Repeat step 6 to remove other suffixes from the list.
8. Close the Active Directory Domains and Trusts console.
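As an added example (not from the book), the following PowerShell performs the same change as Exercise 3.4 through ADSI and then assigns the new suffix to a user, first checking that the resulting UPN is not already in use anywhere in the forest. The suffix admasteringcorp.com comes from the exercise; the user DN, the logon name jdisouza, and the OU=Toronto container are assumptions. Only the [ADSI] accelerator and System.DirectoryServices are used, both of which are available on Windows Server 2008 without the later Active Directory module.

```powershell
# Added example (not from the book): add an alternate UPN suffix with ADSI, then stamp it on a user.
# Run on a domain controller as an Enterprise Admin. Suffix, user DN and logon name are assumptions.

$ADS_PROPERTY_APPEND = 3   # ADS_PROPERTY_OPERATION_ENUM value for IADs::PutEx

function Add-UpnSuffix([string]$Suffix) {
    # The suffix list lives on CN=Partitions in the Configuration naming context, so it is a
    # forest-wide setting: it needs Enterprise Admins, not just Domain Admins, and replicates everywhere.
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $partitions = [ADSI]"LDAP://CN=Partitions,$($rootDse.configurationNamingContext)"
    if (@($partitions.uPNSuffixes) -contains $Suffix) { return $false }   # already present; appending again fails
    $partitions.PutEx($ADS_PROPERTY_APPEND, 'uPNSuffixes', @($Suffix))
    $partitions.SetInfo()
    return $true
}

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping, so a logon name taken from a CSV or a ticket cannot rewrite the search filter
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Test-UpnInUse([string]$Upn) {
    # AD does not enforce UPN uniqueness at the LDAP layer, and a duplicate makes the UPN logon
    # ambiguous, so search the whole forest through a global catalog before assigning one.
    $gc = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().FindGlobalCatalog()
    $searcher = $gc.GetDirectorySearcher()
    $searcher.Filter = "(userPrincipalName=$(ConvertTo-LdapFilterValue $Upn))"
    return ($searcher.FindOne() -ne $null)
}

function Set-UserUpn([string]$UserDn, [string]$LogonName, [string]$Suffix) {
    $upn = "$LogonName@$Suffix"
    if (Test-UpnInUse $upn) { throw "UPN $upn is already assigned elsewhere in the forest" }
    $user = [ADSI]"LDAP://$UserDn"
    $user.Put('userPrincipalName', $upn)
    $user.SetInfo()
    return $upn
}

# Usage: forest-wide suffix first, then the per-user attribute.
Add-UpnSuffix 'admasteringcorp.com' | Out-Null
Set-UserUpn 'CN=Joanna DiSouza,OU=Toronto,DC=admastering,DC=com' 'jdisouza' 'admasteringcorp.com'
```

The uniqueness check is the part the GUI does for you silently: Active Directory Users and Computers warns about a duplicate UPN, a script writing the attribute directly does not, and two accounts sharing a UPN fail UPN logon in ways that are painful to diagnose.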
Creating and Modifying Computer Accounts
Every computer in your Active Directory domain must have a computer account in Active Directory. Just as a user account represents a person, a computer account represents a computer. To access domain resources securely, each domain member establishes a secure channel to a domain controller. The secure channel is an authenticated channel: the computer proves possession of its account password (the machine password, verified against the value stored on the computer object in Active Directory), the two sides derive session keys, and the channel is then used to protect traffic such as the pass-through authentication of users who log on to that machine. Computer accounts are also the principals to which computer-side permissions and computer Group Policy are applied. The computer object class is derived directly from the user class, so a computer account has most of the attributes of a user object plus a few of its own, such as dNSHostName and operatingSystem. You can create a computer account manually in an Active Directory domain by using Active Directory Users and Computers; more commonly, the account is created automatically when an administrator joins a computer to the domain. Just like user accounts, computer account properties are reached through the Active Directory Users and Computers console, where you will see many of the same tabs you saw earlier in this chapter when configuring user accounts.
Creating a New Computer Account
Using Active Directory Users and Computers
The Active Directory Users and Computers console is used to create a new computer account. The process is the same as for a user account: right-click the appropriate container, choose New, and then click Computer.
You can create computer accounts by performing the steps outlined in Exercise 3.5.
EXERCISE 3.5
CREATING A NEW COMPUTER ACCOUNT
BY USING ACTIVE DIRECTORY USERS AND COMPUTERS
1. Log on to the Active Directory domain controller with administrative
privileges.
2. Click Start | Programs | Administrative Tools and then click Active
Directory Users and Computers.
3. Select the Active Directory container or organizational unit that should hold the new computer account. Right-click the container, click New, and then click Computer. This brings up the New Object - Computer window.
4. Enter the computer name, as shown in Figure 3.20. Creating a computer account is a one-step process: the dialog asks for the computer name and the pre-Windows 2000 (NetBIOS) computer name, which identify the machine whatever version of Windows it runs. Notice the User or group: option, which is used to change the user or group allowed to join a computer with this name to the domain. By default it is Domain Admins. Depending on your environment, you may change it to a desktop deployment group so that those technicians can join computers to the domain without being domain administrators. Bear in mind that this field only governs the pre-created account: by default any authenticated user can still join up to ten computers to the domain without a pre-staged account (the ms-DS-MachineAccountQuota attribute of the domain), so pre-staging is only a real control over who can add machines when that quota is set to 0.
5. If the account is for a computer running a pre-Windows 2000 operating system, select the Assign this computer account as a pre-Windows 2000 computer check box (as shown in Figure 3.20) at the bottom of the dialog box. This option gives the account a password derived from the computer name instead of a random one, which the legacy join process expects; leave it clear for Windows 2000 and later.
6. Click OK. Close the Active Directory Users and Computers console.
Modifying a Computer Account Using Active Directory Users and Computers
Like all Windows Server 2008 objects, a computer account has a set of default properties or attributes. Once the computer account has been created, these properties can be modified, and they are what you later search on to find computers in Active Directory. For example, you can set the office in the Location property so that you can find the computers belonging to a particular office. In Exercise 3.6, we examine several computer attributes and values. An explanation of each tab setting is provided to help you understand these attributes and values.
Figure 3.20 The New Object Computer Window
EXERCISE 3.6
MODIFYING A COMPUTER ACCOUNT
BY USING ACTIVE DIRECTORY USERS AND COMPUTERS
1. Log on to the Active Directory domain controller with administrative
privileges.
2. Click Start | Programs | Administrative Tools and then click Active
Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational
unit where the computer account is residing. Right-click the desired
computer account and then click Properties. The General tab
contains the Computer Name (pre-Windows 2000 name), DNS
Name, DC Type, Site, and Description fields. Type in the description
of the computer, as shown in Figure 3.21.
Figure 3.21 The General Tab
4. Click the Operating System tab. This tab contains the operating
system name and version running on the machine, as well as any
operating system service packs that have been applied to the
machine.
5. Click the Member Of tab. As shown in Figure 3.22, this tab lists the Active Directory groups of which this computer is a member. Just as we organize users into security groups to assign permissions on domain resources, we can organize computers into groups. The groups a computer belongs to go into the computer's own security token, the one used when the machine itself authenticates: by services running as Local System or Network Service when they reach out to the network, and by Group Policy when it evaluates the security filtering of a GPO. They are not added to the tokens of users who log on to that computer. For example, you can put the reception-desk computers into a group and filter a GPO to that group, or grant the group read access to a share from which a service on those machines pulls software. By default, each computer is a member of the Domain Computers group (domain controllers are in Domain Controllers instead). You can add a computer account to other groups; the best practice is to grant only the memberships that are necessary, because every extra membership widens what a compromised machine, or malware running as SYSTEM on it, can reach. As with user accounts, the group membership of computer accounts matters. To add a computer to a different security group, click Add, type in the group name, and then click Check Names. Click OK to return to the computer properties. Repeat this process to add the computer to multiple groups.
NOTE
Since Windows 2000, all earlier versions of Windows, such as Windows NT and Windows 9x, are referred to as pre-Windows 2000 computers; they use NetBIOS names to establish connections. In Windows 2000 and later versions, DNS is the primary name resolution method, so in a mixed environment both the NetBIOS and the DNS names are often displayed for objects.
Windows allows a computer to belong to many groups, one of which is the computer's primary group. You can set the computer's primary group on the Member Of tab by clicking Set Primary Group. The selected group becomes the primary group and is displayed in bold; the group that was previously the primary group is no longer bold.
Figure 3.22 The Member Of Tab
6. Click the Location tab. This tab contains the physical location of
the computer.
7. Click the Managed By tab. As shown in Figure 3.23, this tab
contains the contact information for the person responsible for
this computer. To add an appropriate person, click the Change
button, type in the appropriate person's name, and then click
Check Names. Click OK to return to the Managed By screen.
Figure 3.23 The Managed By Tab
8. Click the Dial-in tab. This tab contains the dial-in settings used to
control whether this computer is allowed to utilize dial-in
services.
9. Click OK. Close the Active Directory Users and Computers console.
Creating a New Computer Account Using a Script
To create a computer account from a script, you can use either VBScript or the built-in dsadd command. I have found the dsadd command useful because it lets you put the command lines in batch files for day-to-day administrative tasks.
The following is an example of VBScript used to create a computer account in Active Directory:
' This code creates a computer account named JOANNAWKS
' ------ SCRIPT CONFIGURATION ------
strBase  = "<ParentComputerDN>"   ' e.g. cn=Computers,dc=admastering,dc=com
strComp  = "<ComputerName>"       ' e.g. JOANNAWKS
strDescr = "<Description>"        ' e.g. Joanna's workstation
' ------ END CONFIGURATION ------
' Flags from ADS_USER_FLAG_ENUM
Const ADS_UF_PASSWD_NOTREQD = &h20
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000
Set objCont = GetObject("LDAP://" & strBase)
Set objComp = objCont.Create("computer", "cn=" & strComp)
objComp.Put "sAMAccountName", strComp & "$"   ' computer logon names always end in $
objComp.Put "description", strDescr
' A pre-staged account has no real password until the machine joins and sets one;
' Active Directory Users and Computers creates pre-staged accounts with these same
' two flags (userAccountControl 4128)
objComp.Put "userAccountControl", ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComp.SetInfo
Resetting a Computer Account Using Active Directory Users and Computers
As explained in the previous section, every computer in your domain establishes a secure channel with a domain controller to transfer data securely. To do so, the computer authenticates with its account password. That password is generated randomly by the computer, stored on the domain controllers for authentication, and by default changed by the computer every 30 days. The two copies can fall out of step, for example when a machine is restored from an image or a virtual machine snapshot taken before the last change, or when its account was deleted and re-created. Then the secure channel cannot be established, the machine logs trust relationship errors, and domain logons on it fail. If that happens, you can reset the computer account in Active Directory so that the computer can be rejoined and re-establish the channel. Note that Reset Account only resets the directory's copy of the password, to the default derived from the computer name; the machine still holds its old one, so after the reset you must rejoin the computer to the domain (or run netdom reset on the machine instead, which negotiates a new password with a domain controller and updates both sides at once).
In Exercise 3.7, we will reset a computer account.
EXERCISE 3.7
RESETTING A COMPUTER ACCOUNT
BY USING ACTIVE DIRECTORY USERS AND COMPUTERS
1. Log on to the Active Directory domain controller with administrative
privileges.
2. Click Start | Programs | Administrative Tools and then click Active
Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational
unit where the computer account is residing. Right-click the desired
computer account and then click Reset Account.
4. Click Yes in the Active Directory Domain Services dialog box to
confirm that you want to reset the computer account.
5. You will receive a confirmation box, as shown in Figure 3.24,
indicating that the computer account (computer name) was
successfully reset.
6. Click OK to continue.
Figure 3.24 Active Directory Domain Services
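Added example, not from the book: before using Reset Account, check the secure channel from the member itself and, if it is broken, repair it in place so the machine does not have to be rejoined. nltest and netdom are the built-in tools for this on Windows Server 2008 (netdom requires the AD DS tools or RSAT on a member); the domain name admastering.com is the chapter's lab domain, and the account used for the reset is an assumption.

```powershell
# Added example (not from the book): diagnose and repair a member's secure channel in place.
# Run on the affected member, not on the DC. Domain name and reset account are assumptions.

function Test-SecureChannel([string]$Domain) {
    # nltest asks the local Netlogon service which DC the channel is bound to and its last status.
    $out = nltest "/sc_query:$Domain" 2>&1 | Out-String
    # A healthy channel reports "Status = 0 0x0 NERR_Success"; a password mismatch typically
    # shows ERROR_NO_TRUST_SAM_ACCOUNT (0x6fb) and means the member cannot authenticate to the domain.
    return ($out -match 'NERR_Success')
}

function Repair-SecureChannel([string]$Domain) {
    # netdom reset negotiates a fresh machine password with a DC and stores it on both sides,
    # which is what Reset Account in ADUC cannot do: that only resets the DC copy and forces a rejoin.
    # /passwordd:* prompts for the password of a domain account allowed to reset this computer's password.
    netdom reset $env:COMPUTERNAME "/domain:$Domain" "/userd:$Domain\Administrator" '/passwordd:*' | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Usage on the member:
$domain = 'admastering.com'
if (Test-SecureChannel $domain) {
    Write-Host "Secure channel with $domain is healthy; no reset needed."
} elseif ((Repair-SecureChannel $domain) -and (Test-SecureChannel $domain)) {
    Write-Host "Secure channel re-established in place."
} else {
    Write-Host "Repair failed: reset the account in ADUC (Exercise 3.7) and rejoin the computer."
}
```

Re-testing after the repair matters: netdom can return success against one domain controller while the member then binds to another that has not yet received the new password through replication, so a second failure right after a repair usually means "wait for replication", not "reset again".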
Creating and Modifying Groups
As an Active Directory administrator, you will work with groups to minimize and simplify administrative effort by assigning permissions and rights to a group of users rather than to individual users. In generic terms, a group is just a collection of objects. Groups are used most frequently in a security context, where you set up a group of users and apply certain permissions or rights to that group. Applying security to a group is much easier and quicker (and, frankly, more fun) than applying it to individual users, and it leaves something you can reason about: the question "who has access to this share?" is answered by listing a group rather than by reading every ACL. In an Active Directory environment you can use groups for many purposes, including controlling access to resources (shared folders, files, printers, and so on), e-mail distribution lists, and security filtering of Group Policy objects. Groups are not a new concept in Active Directory or in Windows. As an administrator, it is important that you understand the different types of groups; how to create, delete, and modify them; and the other common tasks, such as adding members, changing a group's scope, and assigning permissions to a group rather than to an individual user. In Active Directory, groups are flexible objects in that they can contain other Active Directory objects as members. For example, besides creating groups of users, you can create groups of computers, contacts, and other groups.
The type and scope of a group determine how it can be used in Active Directory. Active Directory lets you create security groups and distribution groups. Security groups are mostly used to assign permissions to resources, whereas distribution groups are used for e-mail distribution. Most of your management should be done through groups. You can also use security groups as e-mail distribution lists; however, it is recommended that you use distribution groups for that instead, so that the set of people who receive a message and the set of people who can open a resource are never the same object. The scope, or area of influence, of a group determines where in the forest its members can come from and where in the forest you can use the group to assign permissions. This lesson introduces the various types of groups along with the common administrative tasks you can perform on them. You will also learn about the categories of default groups, and at the end I'll share with you how to plan a group strategy.
Creating a Group
Groups are created in Active Directory with the Active Directory Users and Computers MMC snap-in or from a script with a command-line utility such as dsadd. However, before we get into the business of creating and managing groups, we must understand group types, group scopes, and how groups relate to other objects in Active Directory.
The Active Directory environment includes several built-in groups. I'll describe them over the next few pages to make sure you understand their scope and usage before you create custom groups of your own (or extend the built-in ones) to meet the needs of your organization.
Types of Groups
As discussed before, the purpose of groups is to control user permissions by
grouping users according to similar permissions or job functions. This simplifies our
work as an Active Directory administrator because we can manage users at a group
level instead of giving them permissions at an individual user level. If you worked
at all with Windows 2000 and Windows 2003, you are certainly familiar with local,
global, and universal groups, and how they are employed to organize users so they
can access resources. Not many changes have occurred with these groups except
that in Windows Server 2008 there are few new built-in groups. In the next few
pages, we will get into the details of groups and their various types. In Active
Directory, you can either create groups to assign permissions or to distribute e-mail
messages. To facilitate this, Active Directory uses two types of groups: the security
group and the distribution group. All group details and membership information
are stored in the Active Directory database.
■ Security Groups Windows Server 2000/2003/2008 uses security groups
to assign permissions to resources like folders, files, printers, and applications.
Technically, security groups can be used to distribute e-mails also, but it is
recommended security groups only be used for one purpose: to assign
permissions to resources.
■ Distribution Groups Distribution groups cannot be used to assign
permissions. They are used only for nonsecurity-related functions, such
as sending e-mail messages to a group of users. Programs like Microsoft
Exchange are designed to use distribution groups as distribution lists for
sending e-mail messages to multiple users.
Group Scopes
Now that we understand groups, its time to discuss group scopes. When we create
a group, we must select a group scope along with group types. The scope of a group
determines the boundaries of the group, such as where in the network youre able
to use the group to assign permissions to it. The three group scopes are domain
local, global, and universal.
Table 3.5 lists different group scopes.
Table 3.5 Group Scopes
Domain local:
■ Can be used to assign permissions only within its own domain.
■ Members can come from any domain in the forest or from any trusted domain.
■ Can contain user and computer accounts, global groups, and universal groups from any domain in the forest, plus other domain local groups from its own domain.
■ Not visible outside its own domain.
Global:
■ Members can come only from the group's own domain.
■ Can be granted permissions on resources in any domain in the forest or in any trusting domain.
■ Visible to all trusted domains.
■ Can contain user and computer accounts and other global groups from its own domain.
■ Global groups can be nested in other global groups (Windows 2000 native domain functional level or higher).
Universal:
■ Members can come from any domain in the forest.
■ Can be granted permissions on resources in any domain in the forest.
■ Visible to all trusted domains.
■ Can contain user and computer accounts, global groups, and other universal groups from any domain in the forest (but not domain local groups).
■ Membership is stored in the global catalog, with the replication consequences described next.
Universal Groups Replication Concerns
Before we get into group membership and the step-by-step procedure for creating groups, you need to understand one critical factor: the replication impact of universal groups. Unlike global and domain local groups, the membership of a universal group is stored in the global catalog and replicated to every global catalog server in the forest. Every membership change, such as adding or removing a user, therefore replicates forest-wide, and domain controllers contact a global catalog during logon to enumerate a user's universal group memberships (which is why a global catalog must be reachable for logons in a multi-domain forest). In forests below the Windows Server 2003 forest functional level, the entire member attribute is replicated on every change, which is why the classic advice is to keep universal group membership small and stable, typically other groups rather than individual users; at the Windows Server 2003 level and above, linked-value replication sends only the changed member.
Group Strategies
If you have used Windows NT 4.0, Windows 2000, or Windows 2003, you may be familiar with the term group nesting, which refers to adding groups to other groups to reduce the number of times permissions need to be assigned. In Windows Server 2008 you can nest groups without limit, provided the domain functional level is Windows 2000 native or higher (at the Windows 2000 mixed level, global groups cannot contain other groups). Let me give you a quick example to clarify group nesting. Suppose your organization has offices in diverse geographical locations, with a number of salespeople working in each region. You create a group for the salespeople in each region, such as East Sales, West Sales, North Sales, and Central Sales, and then add each regional group to another group called Worldwide Sales Team. When you need to assign permissions to regional resources, use the regional groups. When all the salespeople need access to a resource, assign permissions only to Worldwide Sales Team. This strategy makes permission assignment easy.
The following are general guidelines for group nesting:
■ Minimize the level of nesting. If groups are nested several levels deep, troubleshooting permission issues becomes harder, and so does answering the question of who can actually reach a resource.
■ Document group membership to keep track of group memberships and permission assignments.
Microsoft describes the recommended way to build groups and assign permissions with the acronyms AGDLP and AGGUDLP. AGDLP stands for Accounts > Global groups > Domain Local groups > Permissions; AGGUDLP extends it for multi-domain forests to Accounts > Global groups > (nested) Global groups > Universal groups > Domain Local groups > Permissions. Both are applied when planning and building groups as well as when assigning permissions on resources. Here is how AGDLP is applied:
■ A: Create the user account(s).
■ G: Create a global group that represents a role or job function and add the user account(s) to it as members.
■ DL: Create a domain local group in the domain that contains the resource, named after the resource and the level of access it grants, and add the global group as a member of it.
■ P: Assign permissions on the resource to the domain local group, and only to it.
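The chain above, built with the ds* command-line tools and icacls, as an added example (not the book's own code). The group names, the OU=Groups and OU=Toronto containers, the user, and the share path D:\Shares\Sales are assumptions for the admastering.com lab domain; the domain's NetBIOS name is read from the environment of the account running the script, so run it on the file server as a domain account that can create groups and change the share's ACL.

```powershell
# Added example (not from the book): one AGDLP chain with dsadd/dsmod/dsget and icacls.
# Names, containers, user and share path are assumptions for the admastering.com lab domain.

$domainDn = 'DC=admastering,DC=com'
$groupsOu = "OU=Groups,$domainDn"
$userDn   = "CN=Joanna DiSouza,OU=Toronto,$domainDn"   # A: the account
$gName    = 'Sales-Toronto'                            # G: role group, global scope
$dlName   = 'ACL-SalesShare-Modify'                    # DL: resource group, domain local scope
$share    = 'D:\Shares\Sales'                          # P: the resource the DL group is granted on

function Assert-Success([string]$Step) {
    # The ds* tools and icacls signal failure only through the exit code; stop rather than
    # leave half a chain behind with permissions pointing at a group nobody is in.
    if ($LASTEXITCODE -ne 0) { throw "$Step failed (exit code $LASTEXITCODE)" }
}

# G: a global security group that holds people by role (members must come from this domain)
dsadd group "CN=$gName,$groupsOu" -scope g -secgrp yes -desc 'Sales staff, Toronto' | Out-Null
Assert-Success 'create global group'
# A -> G
dsmod group "CN=$gName,$groupsOu" -addmbr $userDn | Out-Null
Assert-Success 'add user to global group'

# DL: a domain local security group named after the resource and the right it carries
dsadd group "CN=$dlName,$groupsOu" -scope l -secgrp yes -desc "Modify on $share" | Out-Null
Assert-Success 'create domain local group'
# G -> DL: nest the role group; global groups from other domains in the forest can be nested here too
dsmod group "CN=$dlName,$groupsOu" -addmbr "CN=$gName,$groupsOu" | Out-Null
Assert-Success 'nest global group in domain local group'

# DL -> P: only the domain local group appears in the ACL, so every later access change is a
# group membership edit rather than an ACL edit
icacls $share /grant "$($env:USERDOMAIN)\${dlName}:(OI)(CI)M" | Out-Null
Assert-Success 'grant Modify to domain local group'

# Verify: -expand walks the nesting, so the user should appear under the resource group
dsget group "CN=$dlName,$groupsOu" -members -expand
```

Naming the domain local group after the resource and the access level (here Modify on the Sales share) is what makes the ACL self-documenting later; a group called simply "Sales" on an ACL tells an auditor nothing about what was granted or why.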
Creating a New Group Using
Active Directory Users and Computers
The Active Directory Users and Computers console is used to create new groups
and add members to those groups. You can create groups by performing the steps
outlined in Exercise 3.8.
EXERCISE 3.8
CREATING A NEW GROUP BY USING
ACTIVE DIRECTORY USERS AND COMPUTERS
1. Log on to the Active Directory domain controller with administrative
privileges.
2. Click Start | Programs | Administrative Tools and then click Active
Directory Users and Computers.
3. Select the Active Directory container or organizational unit that should hold the new group. Right-click the container, click New, and then click Group. This brings up the New Object - Group window.
4. Enter the name of the group and select the group scope (Domain Local, Global, or Universal) and the group type (Security or Distribution). The pre-Windows 2000 name is filled in from the group name and becomes the group's sAMAccountName. Once you have entered the group information, click OK to continue.
Modifying a Group Using
Active Directory Users and Computers
Like all Windows Server 2008 objects, a group has a set of default properties or attributes. Once the group has been created, these properties can be modified. For example, you can add a description of the group and define the group's manager. Once you have created the group, you can manage it by double-clicking the group object in the Active Directory Users and Computers MMC snap-in.
In Exercise 3.9, we will examine several group attributes and values. An explanation
of each tab setting is provided to help you understand these attributes and values.
EXERCISE 3.9
MODIFYING A NEW GROUP BY USING
ACTIVE DIRECTORY USERS AND COMPUTERS
1. Log on to the Active Directory domain controller with administrative
privileges.
2. Click Start | Programs | Administrative Tools and then click Active
Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational
unit where the group resides. Right-click the desired group and
then select Properties.
4. The General tab contains the group name, description, e-mail address, group scope, group type, and notes. Type in the appropriate information, as shown in Figure 3.25. Changing the scope here is subject to the conversion rules; for example, a global group cannot be converted to universal while it is still a member of another global group.
5. Click the Members tab. This tab lists the group members, as shown in Figure 3.26. A newly created group has no members. You can add users, computers, contacts, or other groups by clicking Add, typing in the name, and then clicking Check Names. Click OK to add the member to the group.
Figure 3.25 The General Tab
6. Click the Member Of tab to make this group a member of other groups. This is where nesting happens, for example adding a global group of users to a domain local group that has been granted permissions on a resource. To add the group to another group, click Add, type in the group name, and then click Check Names. Click OK to add it.
7. Click the Managed By tab. As shown in Figure 3.27, this tab contains the contact information of the person responsible for this group. To add an appropriate person, click the Change button, type in the person's name, and then click Check Names. Click OK to return to the Managed By screen.
Figure 3.26 The Members Tab
8. Click Apply, and then click OK to finalize the changes and view the group within its Active Directory container in the Active Directory Users and Computers snap-in.
Figure 3.27 The Managed By Tab
Creating a New Group Using Script
To create a group from a script, you can use VBScript or the built-in dsadd command. I've found the dsadd command useful because it lets you put the command lines in batch files for day-to-day administrative tasks.
The following is an example of VBScript used to create a group in Active Directory:
' This code creates a single group named Sales
' ------ SCRIPT CONFIGURATION ------
strGroupParentDN = "<GroupParentDN>"   ' e.g. ou=Users,dc=admastering,dc=com
strGroupName     = "<GroupName>"       ' e.g.Sales
strGroupDescr    = "<GroupDesc>"       ' e.g. Sales group
' ------ END CONFIGURATION ------
' Constants taken from ADS_GROUP_TYPE_ENUM (bits of the groupType attribute)
Const ADS_GROUP_TYPE_GLOBAL_GROUP       = 2
Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 8
Const ADS_GROUP_TYPE_SECURITY_ENABLED   = &H80000000   ' -2147483648; without this bit the group is a distribution group
Set objOU = GetObject("LDAP://" & strGroupParentDN)
Set objGroup = objOU.Create("group", "cn=" & strGroupName)
objGroup.Put "sAMAccountName", strGroupName   ' otherwise AD assigns a random pre-Windows 2000 name
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.Put "description", strGroupDescr
objGroup.SetInfo
The Delegation of Tasks
One reason to create multiple OUs is to delegate administrative responsibilities and divide the administrative workload between different administrators. Delegation is a powerful concept and tool in Active Directory. As a concept it has been around for a while, so Windows 2000 and Windows 2003 administrators may find the information in this section a little repetitive; you can either skip the section or take a quick glance to review the information.
In this lesson, we will learn how to use the Delegation of Control Wizard to delegate administrative control of domains, OUs, and containers to other administrators, groups, or users within your organization so that they can perform specific administrative functions according to their requirements. Delegation lets you set up decentralized administration (to share a workload) while still maintaining control of your overall enterprise network. Delegation is easy to configure, but you must establish a careful plan before implementing it. Although the wizard is simple and straightforward, you still need to be aware of how permissions and permission inheritance work in the AD structure: everything the wizard grants is an access control entry (ACE) on the selected object, and an ACE set on an OU is inherited by every object below it unless inheritance is blocked.
In a small or medium-sized organization, a few administrators are responsible for managing Active Directory objects. In a large organization, however, administration is divided between different administrators, and to give each of them the appropriate permissions you run the Delegation of Control Wizard at the domain, OU, or container level. Consider an example. Khalid is an administrator of the domain. He can assign a new trainee, or a group of users, permissions on a particular container in Active Directory, for example the North America OU; if he grants Full Control there, the trainee or group will have Full Control over every object and container below North America. Depending on your requirements, Khalid can assign Full Control or grant more granular permissions, such as resetting passwords or creating new users only, so that the delegates can perform limited tasks. In other words, as an administrator you can delegate some responsibilities, but not necessarily all of them. With Delegation of Control you keep your administrative hold over the enterprise and the tasks performed in it while handing the easier tasks to other people, and you can divide your workload with new or inexperienced administrators without creating challenges for yourself or anyone else, provided the delegated rights are scoped carefully: a right such as Reset user passwords on an OU that contains administrative accounts lets the delegate take over those accounts, so keep privileged accounts in OUs where nothing is delegated. You can use Delegation of Control in many different ways, but make sure that whichever method you choose fits your administrative model. In most cases, we delegate permissions at the OU and container levels rather than at the domain level. You can further fine-tune your permissions by controlling whether inheritance takes effect for all objects and for child and grandchild OUs within that OU.
In the following section, we will delegate task responsibilities to several inexperienced administrators. An explanation of each step is provided to help you understand these values.
EXERCISE 3.10
DELEGATING PERMISSIONS ON AN OU TO NEW USERS
BY USING ACTIVE DIRECTORY USERS AND COMPUTERS
1. Log on to the Active Directory domain controller with administrative
privileges.
2. Click Start | Programs | Administrative Tools and then click Active
Directory Users and Computers.
3. Select the appropriate Active Directory container or organizational
unit where you want to delegate control, click the Action menu,
and then click Delegate Control.
4. The Delegation of Control Wizard begins with a Welcome screen,
shown in Figure 3.28. Click the Next button to continue.
5. The Users Or Groups window appears (Figure 3.29). Click the Add button and type the name of the user(s) or group(s) to which you want to delegate control. Click Check Names to verify the names, and then click OK to add them to the list. Use the Remove button if you need to remove a user or group from the list. Click the Next button on the Users Or Groups page.
Figure 3.28 The Delegation of Control Wizard
6. On the Tasks To Delegate page, as shown in Figure 3.30, you
have two radio button options. You can either choose to
Delegate The Following Common Tasks, in which you select the
desired options, or you can choose to Create A Custom Task To
Delegate. The first option has many predefined tasks, while the
custom option allows you to have more granular control and
delegation. Most organizations may find that delegating the following
common tasks is sufficient for their needs. This section is
focused only on delegating common tasks instead of creating a
custom task. If you decide to delegate common tasks, you have
the following check box list from which to select.
Figure 3.29 The Users Or Groups Screen
■ Create, delete, and manage user accounts: This option enables
you to delegate the right to create, delete, and configure user
accounts.
■ Reset user passwords and force password changes at the next logon: This option delegates only the right to reset passwords (and to require a change at the next logon). It is useful for giving a particular user or group, such as help desk staff, the ability to reset passwords when users forget them or need to be assigned a new one.
■ Read all user information: This option enables you to delegate
the right to read all user information.
■ Create, delete, and manage groups: This option lets you
delegate the right to permit the user or group to create,
delete, and configure group accounts.
Figure 3.30 Tasks to Delegate
■ Modify the membership of a group: This option lets you delegate
the right to the user or group to modify the membership
of an existing group, but not to create, delete, or configure
group accounts.
■ Manage Group Policy links: This option enables you to
delegate the user or group to manage Group Policy links
and make changes to them.
■ Generate Resultant Set of Policy (Planning): This option lets the user or group generate resultant sets of policy in planning mode to model a Group Policy implementation, but they won't be able to perform logging-mode queries or manage Group Policy links.
■ Generate Resultant Set of Policy (Logging): This option lets the user or group generate resultant sets of policy in logging mode, but they won't be able to perform planning-mode queries or manage Group Policy links.
■ Create, delete, and manage inetOrgPerson accounts: This
option enables you to delegate the right to create, delete,
and manage inetOrgPerson accounts.
■ Reset inetOrgPerson passwords and force password change
at next logon: This option lets you delegate the right to reset
passwords and force password changes at the next logon.
■ Read all inetOrgPerson information: This option enables you to
delegate the right to read all inetOrgPerson user information.
7. On the Completing The Delegation Of Control Wizard page, as
shown in Figure 3.31, review your selections, and then click the
Finish button if it is accurate. If it is not accurate, use the Back
button to make changes and then click Finish.
■ Verifying Delegated Permissions: Once you finish the delegation, you can verify the permissions by right-clicking the container, clicking Properties, and then clicking the Security tab (Advanced Features must be enabled in the View menu for the tab to appear). Here you will be able to verify the permissions the wizard added.
■ Removing Delegated Permissions: The Delegation of Control Wizard can be used only to grant administrative permissions. If you want to remove those privileges, you must do so manually in the Security tab of the Properties dialog box for the container and in the Advanced Security Settings dialog box for the container.
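The wizard writes ordinary ACEs on the OU, so the verification and removal steps above can be scripted. The following added example (not from the book) uses the System.DirectoryServices classes to list the explicit ACEs on an OU, to grant the same "Reset user passwords" right the wizard offers, and to strip everything delegated to one trustee. The OU ou=HelpDeskUsers,dc=admastering,dc=com and the group ADMASTERING\HelpDesk are assumed names; the two GUIDs are the well-known schema values for the Reset Password extended right and the user object class.

```powershell
# Added example (not from the book): inspect, grant and remove a delegated ACE on an OU
# with System.DirectoryServices, which is what the Delegation of Control Wizard does
# under the hood. Assumed names: the OU ou=HelpDeskUsers,dc=admastering,dc=com and the
# group ADMASTERING\HelpDesk; run as an account that can modify the OU's security descriptor.

# Well-known GUIDs from the AD schema (rightsGuid / schemaIDGUID)
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class user

function Get-DelegatedAce {
    # List only the ACEs set directly on this object (the wizard never sets inherited ones)
    param([string]$OuDN)
    $ou = [ADSI]"LDAP://$OuDN"
    $ou.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        ForEach-Object {
            New-Object PSObject -Property @{
                Trustee     = $_.IdentityReference.Value
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                ObjectType  = $_.ObjectType          # extended right / attribute / class GUID
                AppliesTo   = $_.InheritedObjectType # class the ACE applies to, if any
                Inheritance = $_.InheritanceType
            }
        }
}

function Grant-ResetPassword {
    # Equivalent of the wizard's "Reset user passwords and force password change at next logon"
    param([string]$OuDN, [string]$Trustee)
    $ou   = [ADSI]"LDAP://$OuDN"
    $id   = New-Object System.Security.Principal.NTAccount($Trustee)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $id,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)                                    # only on user objects below the OU
    $ou.psbase.ObjectSecurity.AddAccessRule($rule)
    $ou.psbase.CommitChanges()
}

function Revoke-DelegatedAce {
    # The wizard cannot remove what it granted; strip every explicit ACE for one trustee
    param([string]$OuDN, [string]$Trustee)
    $ou = [ADSI]"LDAP://$OuDN"
    $id = New-Object System.Security.Principal.NTAccount($Trustee)
    $ou.psbase.ObjectSecurity.PurgeAccessRules($id)
    $ou.psbase.CommitChanges()
}

$ouDN = 'ou=HelpDeskUsers,dc=admastering,dc=com'
Grant-ResetPassword -OuDN $ouDN -Trustee 'ADMASTERING\HelpDesk'
Get-DelegatedAce -OuDN $ouDN | Format-Table Trustee, Type, Rights, ObjectType, AppliesTo -AutoSize
# Revoke-DelegatedAce -OuDN $ouDN -Trustee 'ADMASTERING\HelpDesk'

# Command-line equivalent of the grant, using the built-in dsacls tool:
#   dsacls "ou=HelpDeskUsers,dc=admastering,dc=com" /I:S /G "ADMASTERING\HelpDesk:CA;Reset Password;user"
```

Running Get-DelegatedAce on every OU periodically, and diffing the output, is the practical way to catch delegations that were added outside the wizard or never cleaned up after a project ended.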
Figure 3.31 Completing the Delegation of Control Wizard
RODC (Read-Only Domain Controller)
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 Active Directory environment that allows organizations to deploy a domain controller in locations where physical security cannot be guaranteed. Besides providing improved security, faster logon, unidirectional replication, credential caching, and more efficient resource access, one of the biggest advantages of an RODC is Administrator role separation. Instead of remote administrators needing domain-level rights to perform administrative tasks on the server, the RODC lets you give a user local administrator rights on the RODC without giving that person domain administrative permissions. You can delegate local administrative permissions for an RODC to any domain user or group to perform day-to-day tasks such as stopping services, running backups, installing drivers, rebooting the server, and installing updates, patches, and service packs. The delegated user has those rights only on that particular branch office RODC and gains no user rights in the domain or on other domain controllers. In this way, the branch user can manage the RODC without compromising the security of the rest of the directory.
Administrative separation on an RODC has the potential to reduce the burden on central administrators by delegating basic operational responsibilities to a branch office user. This option may require additional training for the branch office user, but it is an excellent way to decentralize operational tasks. It also improves security because the branch administrator logs on with an ordinary domain account that the RODC treats as a local administrator, rather than with a Domain Admins account whose credentials would then be exposed on a server that may not be physically secure. On the other hand, this option produces more work for you as an administrator, because the delegation is configured per RODC (through the Managed By tab of the RODC's computer account, or with dsmgmt on the RODC itself), so each remote location must be set up and reviewed separately. Though it adds some extra challenges, the benefits are well worth it.
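Because the delegation is stored as the managedBy attribute of the RODC's computer account (the same value the Managed By tab writes), it can be set and audited centrally. The following added example (not from the book) does that with the [ADSI] accelerator; the RODC name BRANCH-RODC1, the group BranchAdmins, and the OU paths are assumed names.

```powershell
# Added example (not from the book): delegate local administration of an RODC by setting
# the managedBy attribute of its computer account, which is what the Managed By tab on the
# RODC's computer object does. Assumed names: RODC BRANCH-RODC1 in ou=Domain Controllers and
# the group BranchAdmins in ou=Groups; run as a Domain Admin against a writable DC.

function Set-RodcDelegatedAdmin {
    param(
        [string]$RodcDN,       # e.g. cn=BRANCH-RODC1,ou=Domain Controllers,dc=admastering,dc=com
        [string]$AdminDN       # a group is easier to audit than an individual user
    )
    $rodc = [ADSI]"LDAP://$RodcDN"
    # primaryGroupID 521 = Read-only Domain Controllers: refuse to touch a writable DC,
    # where managedBy is purely informational and would give a false sense of delegation
    if ([int]$rodc.Get('primaryGroupID') -ne 521) { throw "$RodcDN is not an RODC" }
    $rodc.Put('managedBy', $AdminDN)
    $rodc.SetInfo()
}

function Get-RodcDelegatedAdmin {
    # Returns the DN of the delegated administrator, or an empty string if none is set
    param([string]$RodcDN)
    $rodc = [ADSI]"LDAP://$RodcDN"
    [string]$rodc.managedBy
}

$rodcDN = 'cn=BRANCH-RODC1,ou=Domain Controllers,dc=admastering,dc=com'
Set-RodcDelegatedAdmin -RodcDN $rodcDN -AdminDN 'cn=BranchAdmins,ou=Groups,dc=admastering,dc=com'
Get-RodcDelegatedAdmin -RodcDN $rodcDN

# Alternative on the RODC itself: in dsmgmt, enter the "local roles" context and run
#   add ADMASTERING\BranchAdmins administrators
# which grants the same delegated local administrator role.
```

Listing every computer with primaryGroupID 521 and printing its managedBy value gives you a one-screen inventory of who can administer each branch RODC, which is the review the text says the per-RODC setup requires.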
Exam Objectives Fast Track
Navigating Active Directory Users and Computers
˛ The Active Directory Users and Computers administration console allows you to manage users, groups, computers, domain controllers, and organizational units (OUs), as well as the security settings (ACLs) on those objects.
˛ Attribute Editor is available in the Active Directory Users and Computers MMC snap-in when Advanced Features are enabled. It is easier to use and navigate than ADSIEdit.msc.
˛ The Active Directory administrative console is installed automatically on Windows Server 2008 domain controllers.
Creating and Modifying User Accounts
˛ Local user profiles are available only on the local computer. They are created in the user's profile directory on each system where the user logs on. When a user logs on to a system for the first time and no profile is defined for that user, the system copies the default profile (\Documents and Settings\Default User on Windows XP and Windows Server 2003; \Users\Default on Windows Vista and Windows Server 2008) to create the new local profile under \Documents and Settings\username (or \Users\username). If the user logs on to many different systems in your domain, he cannot maintain a single profile and may end up with many profiles on many different systems.
˛ Roaming user profiles allow users to keep one profile while they log on at multiple computers and move from system to system. A roaming profile is stored in a shared folder on a server, so the user can load it from any system in the domain. Whenever a user starts a session, the profile is copied from the shared network folder to the local computer. Once copied to the local system, all of the user's settings are updated in the local copy and are copied back to the shared folder on the server when the user logs off.
˛ Mandatory user profiles are read-only roaming profiles that are used to maintain desktop consistency. No modifications are ever saved to the user's profile. Users can modify desktop settings and several other settings during a session, but these are not saved when the user logs off. Like a roaming profile, a mandatory profile lives in a shared network folder that allows the user to load it from any system in the domain. No user other than a system administrator should be allowed to make changes to mandatory user profiles.
˛ Temporary user profiles are used only if the users profile is unable to
load due to errors. At the end of each session, temporary user profiles are
deleted, and therefore all changes made during the session will be lost
when the user logs off from the system.
˛ Understand that users in your Active Directory domain must have a strong password. When the complexity policy is enabled, a strong password is at least seven characters long (the Default Domain Policy minimum; longer is better), does not contain the user's account name, and contains characters from at least three of the following four groups: uppercase letters, lowercase letters, numbers, and special keyboard symbols such as !, @, #, $, and *.
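The following added example (not from the book) implements the complexity rule described in this Fast Track item and in the strong-password FAQ later in the chapter, so that a help desk script can reject a proposed password for the same reasons the domain controller would. The minimum length of 7 is an assumption matching the Default Domain Policy; the real Windows filter also rejects tokens of the user's display name and counts a fifth category of non-Latin letters, neither of which is modelled here.

```powershell
# Added example (not from the book): a check that mirrors the Windows "Password must meet
# complexity requirements" policy as the Fast Track describes it (minimum length, no account
# name, three of four character categories). Assumptions: the minimum length is 7, the
# Default Domain Policy value; display-name tokens and non-Latin letters are not checked.

function Test-PasswordComplexity {
    param(
        [string]$Password,
        [string]$AccountName,      # sAMAccountName; an empty name matches nothing
        [int]$MinimumLength = 7
    )
    $reasons = @()
    if ($Password.Length -lt $MinimumLength) { $reasons += "shorter than $MinimumLength characters" }
    if ($AccountName -and $Password.ToLower().Contains($AccountName.ToLower())) {
        $reasons += 'contains the account name'
    }
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # uppercase letters
    if ($Password -cmatch '[a-z]')        { $categories++ }   # lowercase letters
    if ($Password -match  '[0-9]')        { $categories++ }   # digits
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # symbols such as ! @ # $ *
    if ($categories -lt 3) { $reasons += "uses only $categories of 4 character categories" }

    New-Object PSObject -Property @{
        Password = $Password
        Complex  = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed test cases; the first is the FAQ's example of a strong password
Test-PasswordComplexity -Password 'Sh4$$n0n87r67}D' -AccountName 'khalid'   # Complex: True
Test-PasswordComplexity -Password 'password1'       -AccountName 'khalid'   # only 2 of 4 categories
Test-PasswordComplexity -Password 'Khalid#2008'     -AccountName 'khalid'   # contains the account name
Test-PasswordComplexity -Password 'Ab1!'            -AccountName 'khalid'   # shorter than 7 characters
```

The account-name test is case-insensitive, as the domain controller's check is; a password such as Khalid#2008 passes every character-category test and still fails, which is the case help desk staff most often miss.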
Creating and Modifying Computer Accounts
˛ Each computer in your domain authenticates to a domain controller with its own password when it establishes its secure channel. This randomly generated password is changed automatically by the computer every 30 days. If the password held by the computer and the one stored on its account in Active Directory no longer match, the secure channel cannot be established and communication between the two machines fails. If this happens, reset the computer account in Active Directory and rejoin the computer to the domain so that it can re-establish the connection.
Creating and Managing Objects
˛ Many graphical management tools are built using the Microsoft Management Console (MMC) and snap-ins.
˛ You can create and manage Active Directory objects via MMC snap-ins, scripts (VBScript and the ds* command-line tools), and Windows PowerShell.
˛ Most graphical administration tools can be found as preconfigured management consoles accessible via Start | Programs | Administrative Tools. Understand how Active Directory objects can be organized using the Active Directory Users and Computers tool.
Creating and Modifying Groups
˛ Windows Server 2000/2003/2008 uses security groups to assign permissions to resources such as folders, files, printers, and applications. Technically, security groups can also be used to distribute e-mail, but it is recommended that you use security groups for one purpose only: to assign permissions to resources.
˛ Understanding the purpose of domain local, global, and universal groups is essential in Windows Server 2008.
˛ Domain local groups can be granted permissions only on resources in their own domain. Members can come from any domain in the forest (and from trusted external domains), but the group is not visible outside its own domain.
˛ Global group members can come only from the group's own domain (users, computers, and other global groups from that domain); the group can be granted permissions on resources in any domain in the forest and is visible to all trusted domains. Global groups can be nested.
˛ Universal group members can come from any domain in the forest (users, computers, global groups, and other universal groups); the group can be granted permissions on resources in any domain in the forest and is visible to all trusted domains. A universal group cannot contain accounts from another forest; for those, use a domain local group.
˛ Using groups can help you simplify administration by granting rights and
assigning permissions once to a group rather than multiple times to each
individual member.
˛ The concepts of AGDLP and AGGUDLP are important in managing domain resources. AGDLP stands for Accounts > Global groups > Domain Local groups > Permissions, and AGGUDLP stands for Accounts > Global groups > (nested) Global groups > Universal groups > Domain Local groups > Permissions. Both are applied when planning and implementing the construction of groups and when assigning permissions on resources.
˛ Universal group replication matters because universal group membership is stored in the global catalog. When a user logs on, the domain controller contacts a global catalog server to determine the user's universal group memberships, so a global catalog must be reachable (or universal group membership caching must be enabled for the site). Any change to a universal group, such as adding or removing a member, is replicated to every global catalog in the forest.
˛ Group deletion only deletes the group and removes the permissions associated
with it. Deleting a group does not delete user accounts that are members of
the group.
˛ Members of groups may include user accounts, contacts, other groups, and
computers.
˛ Every domain user is given a friendly name, known as the user principal
name (UPN), in order to help users log on to the domain. UPN is an
Internet-style logon name, which is shorter than the distinguished name
and thus is easier to remember.
Delegation of Tasks
˛ The Delegation of Control Wizard is used to assign specific permissions to
specific users. It helps administrators distribute the load to system administrators
and the regional administrator.
˛ RODC allows you to delegate local administrative permissions for an RODC
to any domain user to perform day-to-day administrative tasks such as stopping
services, making backups, installing drivers, rebooting the server, and installing
updates, patches, and service pack.
Exam Objectives
Frequently Asked Questions
Q: What methods are available for me as an administrator to navigate Active Directory?
A: Administrators can use Active Directory Users and Computers, Windows PowerShell, and the ds* command-line tools (dsquery, dsget, dsadd, dsmod) to navigate and manage Active Directory.
Q: Which tools can I use to edit attributes of objects in Active Directory?
A: ADSIEdit.msc is a graphical console for editing the attributes of any object in Active Directory; the Attribute Editor tab in Active Directory Users and Computers (with Advanced Features enabled) covers the common cases.
Q: What is the difference between Active Directory Users and Computers and ADSIEdit.msc?
A: Active Directory Users and Computers is used for day-to-day administration, whereas ADSIEdit.msc is a lower-level graphical tool that lets you view and modify any attribute of any object, including objects in partitions that Active Directory Users and Computers does not display.
Q: What is the difference between a local user account and a domain user account?
A: Local user accounts are created only in the computer's local security database and are not replicated to the domain controllers. They authenticate locally to gain access to local resources, whereas domain user accounts are stored in Active Directory and are used to gain access to domain resources.
Q: What is the purpose of renaming the Administrator user account?
A: Renaming the Administrator account makes it harder for unauthorized users to guess the administrative account's logon name. It is a layer of obscurity rather than a control: the account keeps its well-known relative identifier (RID 500), so a tool that resolves SIDs to names can still find it, which is why you should also give it a strong password and restrict where it can be used.
Q: My organization does not wish to allow users to save their desktop settings in
their profile. What can I do to prevent users from saving their desktop settings
in their profile?
A: Use mandatory profiles since they are read-only profiles and allow you to maintain
desktop consistency.
Q: What is an example of a strong user password?
A: A strong password:
■ Does not contain dictionary words.
■ Does not contain a username, real name, pet name, family member's name, or company name.
■ Is at least 7 characters long; longer is better.
■ Is different from previous passwords.
■ Is a combination of uppercase letters, lowercase letters, numbers, and special characters.
An example of a strong password is Sh4$$n0n87r67}D.
Q: My organization is planning to create multiple users in Active Directory.
Can I use scripting to achieve this?
A: Yes, you can use scripting and a combination of built-in tools like dsadd to add
multiple users.
Q: What is the purpose of a computer account?
A: Computer accounts are security principals just like user accounts; user accounts represent users, whereas computer accounts represent computers, and each has its own password.
Q: How long does a domain controller store computer account passwords?
A: A computer changes its account password every 30 days by default, and the domain controller stores the current password (and the previous one, so that a change in progress does not break the secure channel).
Q: Why does a domain controller store computer account passwords?
A: To access domain resources securely, every computer in your domain needs to reach a domain controller by establishing a secure channel to it. This secure channel is an authenticated channel in which the computer presents its password to the domain controller (which verifies it against the password stored in Active Directory on the computer's account) so that the computer can later use this secure channel to transfer encrypted data securely to and from the domain controller.
Q: Which group should I use to allow users to access resources?
A: Windows Server 2000/2003/2008 uses security groups to assign permissions to
resources like folders, files, printers, and applications.
Q: Which group should I use to allow users to send e-mails?
A: Both security and distribution groups can be used to send e-mail to multiple users; however, distribution groups are designed solely for distributing e-mail. You cannot use distribution groups to assign permissions. They are used only for non-security-related functions, such as sending e-mail messages to groups of users.
Q: Which group type should I use in my environment if I want to add users from different trees and forests in my domains?
A: Universal groups, for users from any domain or tree in the same forest. A universal group cannot contain accounts from another forest; to grant access to users from a trusted external forest, add them to a domain local group in the resource domain.
Q: Is there any strategy recommended by Microsoft to create groups and users?
A: Yes, Microsoft recommends AGDLP and AGGUDLP for managing domain resources. AGDLP stands for Accounts > Global groups > Domain Local groups > Permissions, while AGGUDLP is short for Accounts > Global groups > (nested) Global groups > Universal groups > Domain Local groups > Permissions. Both are applied when planning and implementing the construction of groups, as well as when assigning permissions on resources.
Q: Is there an easy way to configure delegation?
A: Yes, you can use the delegation wizard to configure delegation in your environment.
Q: What is the purpose of delegation?
A: Delegation lets you set up decentralized administration (to share a workload)
while still maintaining control of your overall Enterprise network. Delegation
of Control is an excellent tool that allows you to divide your workload between
new and/or inexperienced administrators without creating any challenges for
yourself or them. You can use Delegation of Control in many different ways,
but make sure that whichever method you choose fits with your administrative
model. In most cases, we delegate permissions on the OU and container levels
rather than the domain level. You can further fine-tune your permissions by
controlling the inheritance so it takes effect for all objects.
Q: What is RODC and how is it different than regular Active Directory domain
controllers?
A: RODC is a new type of domain controller in the Windows Server 2008 Active
Directory environment. It allows organizations to easily deploy a domain controller
in locations where physical security cannot be guaranteed. It provides improved
security, faster logon, unidirectional replication, credential caching, and more
efficient resource access, along with an Admin role separation.
Self Test
1. You have just installed a Windows Server 2008 domain controller in your environment.
Which of the following default containers holds the default groups?
A. Users
B. Computers
C. Built-in
D. Default Groups
2. You tried to reset a password, but received a message that your password does
not meet the password complexity requirements. What might be the problem?
A. The user password is not complex enough.
B. The user is accessing a domain from a Windows 98 workstation machine.
C. The user is accessing a domain from a Windows MT workstation machine.
D. The user is accessing a domain from a Windows NT 4.0 machine.
3. Your organization has one Active Directory domain in the Active Directory
forest. You are responsible for creating accounts for all users in your domain.
Your company just bought another company with 5000 user accounts, and
you are required to create their new user accounts without using a third-party
tool. Which of the following commands should be used to achieve this?
A. dsadd
B. dsuseradd
C. adduser
D. adduser.ps
4. You suspect that a user may be able to log on after office hours. From which
tab on a users Properties dialog box can you set logon hours?
A. The Account tab
B. The Security tab
C. The General tab
D. The Profile tab
5. You are at a branch office of your company assisting a user on his PC. While
assisting the user, you receive a phone call from your boss who wants to know
why all the users are required to change their passwords the first time they log
on? What would be the best way to answer his question?
A. Its a default Active Directory group and domain policy to enforce user
passwords set by the administrator.
B. Its a default Active Directory group policy and cannot be modified.
C. This is a new feature in Active Directory 2008 to introduce extra security.
D. This is just a check box for user account properties to force users to change
the default passwords set by the administrator at the time of the creation of
their account. This then forces users to pick their own password.
6. Lisa works as a branch office administrator for your organization. She receives
a call from her manager, Dina, asking which of the following characteristics
make up a strong password. Which one is correct?
A. Contains a username or pets name.
B. Contains dictionary words.
C. Contains place names.
D. Is a combination of letters and numbers.
7. Which of the following options require administrative privileges to change the password?
A. User must change password at next logon.
B. User cannot change password.
C. Password never expires.
D. Store password using reversible encryption.
8. You are attempting to describe the purpose of a template account to a co-worker.
What should you tell them?
A. A template account exists only for Novell users.
B. A template account exists only for Unix users.
C. A template account exists only for Windows NT 4.0 users.
D. A template account simplifies the creation of a large number of user
accounts. In a template, you can define all the account parameters you
need to for your users. You can then use this template to create user
accounts by simply filling in the Name, Full Name and Description
Password, and Confirm Password fields.
9. Joanna is responsible for administering a small Active Directory domain. Recently,
your company has acquired a small company where all the computers are installed
in a workgroup. Which of the following operations must she perform in order to
create the computer accounts? (Choose all that apply.)
A. Select Start | Run, and then type in the joinallwks /user:administrator
command.
B. Select Start | Programs | Administrative Tools | Active Directory Users
and Computers, and then right-click the computer container and create
the computer objects.
C. Rename the existing computers in a workgroup.
D. Query for resources.
10. What is the purpose of resetting an account?
A. Helps you reset a computer password stored in Active Directory so the
computer can make a trusted connection with Active Directory.
B. Helps you reboot the computer.
C. Helps you restart netlogon services.
D. Helps you change the authentication protocol from NTLM to Kerberos.
Self Test Quick Answer Key
1. C
2. A
3. A
4. A
5. D
6. D
7. B
8. D
9. B
10. A
Chapter 4
Configuring the Active Directory Infrastructure
MCTS/MCITP Exam 640
Exam objectives in this chapter:
■ Working with Forests and Domains
■ Working with Sites
■ Working with Trusts
Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
Introduction
A Microsoft Active Directory network has both a physical and a logical structure.
Forests and domains define the logical structure of the network, with domains
organized into domain trees in which subdomains (called child domains) can be
created under parent domains in a branching structure. Domains are logical units
that hold users, groups, computers, and organizational units (OUs, which in turn
can contain users, groups, computers, and other OUs). Forests are collections of
domain trees that have trust relationships with one another, but each domain tree
has its own separate namespace.
In order to allow Active Directory to support the physical structure of your
network, we will also discuss the configuration of Active Directory sites, site links,
and subnet objects. Active Directory sites and subnets define the physical structure
of an Active Directory network. Sites are important in an enterprise-level multiple
location network, for creating a topology that optimizes the process of replicating
Active Directory information between domain controllers (DCs). Sites are used for
replication and for optimizing the authentication process by reducing authentication
traffic across slow, high-cost WAN links. Site and subnet information is also used by
Active Directory-enabled services to help clients find the nearest service providers.
In this chapter, you will learn all about the functions of forests and domains in the Windows Server 2008 Active Directory infrastructure, and we will walk you through the steps of creating a forest and domain structure for a network. You'll learn to create the forest root domain and a child domain, and the importance of Flexible Single Master Operations (FSMO) roles within an Active Directory domain and forest. We will also discuss the role of sites in the Active Directory infrastructure, and how replication, authentication, and distribution of service information work within and across sites. We will explain the relationship of sites to domains and subnets, and how to create sites and site links. You'll also learn about site replication and how to plan, create, and manage a replication topology. We'll walk you through the steps of configuring replication between sites, and discuss how to troubleshoot replication failures.
In addition to these concepts, we will also discuss Active Directory trust relationships. Trust relationships define the ways in which users can access network resources across domains and forests. Without a trust between the domain to which a user belongs and the domain in which a resource resides, the user won't be able to access that file, folder, printer, or other resource. Hence, it is important for network administrators to understand how the built-in (implicit) trusts in the Active Directory network function, and how to create explicit trusts to provide access (or faster access) between domains.
Working with Forests and Domains
Active Directory is composed of a number of components, each associated with
a different type of Active Directory functionality; you should understand each
component before making any changes to the network. Active Directory Domain
Services is a distributed database, which means it can be spread across multiple
computers within a domain or a forest. Among the major logical components that
you need to be familiar with are:
■ Forests
■ Trees
■ Domains
■ The domain namespace
Administrative boundaries, network and directory performance, security, resource
management, and basic functionality are all dependent on the proper design and
placement of these elements.
Figure 4.1 shows the logical view of a Windows Server 2008 Active Directory.
Note that the differentiation between forests and trees is most obvious in the namespace.
By its nature, a tree is one or more domains with a contiguous namespace. Each
tree consists of one or more domains, and each forest consists of one or more trees.
Because a forest can be composed of discrete multiple trees, a forests namespace
can be discontiguous. By discontiguous, we mean that the namespaces anchor to
different forest-root domain name system (DNS) domains, such as cats.com and
dogs.com. Both are top-level domains and are considered two trees in a forest when
combined into a single directory, as shown in Figure 4.1.
Understanding Forests
An Active Directory always begins with a forest root domain, which is automatically
the first domain you install. This root domain becomes the foundation for additional
directory components. As the cornerstone of your enterprise-computing
environment, you should protect it well. Fault tolerance and good backups are not
optional; they are essential. If an administrative error or hardware failure results in
the unrecoverable loss of this root structure, the entire forest becomes inoperable.
Certain forest objects and services are present only at the root (e.g., the Enterprise
Administrators and Schema Administrators groups, and the Schema Master and
Domain Naming Master FSMO roles which we will discuss later in this chapter).
Understanding Domains
The domain serves as the administrative boundary of Active Directory. It is the
most basic component that can functionally host the directory. Simply put, Active
Directory uses the domain as a container of computers, users, groups, and other
object containers. Objects within the domain share a common directory database
partition, replication boundaries and characteristics, security policies, and security
relationships with other domains.
Typically, administrative rights granted in one domain are valid only within
that domain. This also applies to Group Policy Objects (GPOs), but not necessarily
to trust relationships, which you will learn more about later in the book. Security
policies such as the password policy, account lockout policy, and Kerberos ticket
policy are defined on a per-domain basis. The domain is also the primary boundary
defining your DNS and NetBIOS namespaces. The DNS infrastructure is a requirement
for an Active Directory domain, and should be defined before you create the
domain.
Figure 4.1 The Logical View of a Windows Server 2008 Active Directory (one forest
containing two trees: the root domain Dogs.com with child domains Labs.dogs.com,
Yellow.labs.dogs.com, and Black.labs.dogs.com, and the domain Cats.com with child
domain Calico.cats.com)
There are several good reasons for a multiple-domain model, although a significant
number of Active Directory implementations rely on a single-domain forest
model. In the early days of Windows 2000, the most common recommendation was
for a so-called empty forest root model, in which the forest root domain contains
only built-in objects, and all manually created objects reside in one or more child
domains. Whatever the design decision reached by your organization, it is a good
practice to avoid installing additional domains unless you have a specific reason for
them, as each additional domain in a forest incurs additional administrative overhead
in the form of managing additional DCs and replication traffic. Some of the more
common reasons to create additional domains include:
■ Groups of users with different security policy requirements, such as strong
authentication and strict access controls.
■ Groups of users requiring additional autonomy, or administrative separation
for security reasons.
■ A requirement for decentralized administration due to political, budgetary,
time zone, or policy pressures.
■ A requirement for unique namespaces.
■ Controlling excessive directory replication traffic by breaking the domain
into smaller, more manageable pieces. This often occurs in an extremely
large domain, or due to a combination of geographical separation and
unreliable WAN links.
■ Maintaining a preexisting NT domain structure.
You can think of a domain tree as a DNS namespace composed of one or
more domains. If you plan to create a forest with discontiguous namespaces, you
must create more than one tree. Referring back to Figure 4.1, you see two trees in
that forest, Cats.com and Dogs.com. Each has a contiguous namespace because each
domain in the hierarchy is directly related to the domains above and below it in
each tree. The forest has a discontiguous namespace because it contains two unrelated
top-level domains.
The primary Active Directory partitions, also called naming contexts, are replicated
among all DCs within a domain. These three partitions are the schema partition, the
configuration partition, and the domain partition.
■ The schema partition contains the classSchema and the attributeSchema
objects that make up the directory schema. These classes and attributes
define all possible types of objects and object properties within the forest.
Every DC in the entire forest has a replica of the schema partition.
■ The configuration partition, replicated identically on all DCs throughout
the forest, contains Active Directory's replication topology and other configuration
data.
■ The domain partition contains the local domain objects, such as computers,
users, and groups, which all share the same security policies and security
relationships with other domains. If multiple DCs exist within a domain, they
contain a replica of the same domain partition. If multiple domains exist within
a forest, each domain contains a unique domain partition.
Because each domain contains unique principals and resources, there must be
some way for other domains to locate them. Active Directory contains objects
that adhere to a naming convention called the DN, or distinguished name. The DN
contains enough detail to locate a replica of the partition that holds the object
in question. Unfortunately, most users and applications do not know the DN, or
what partition might contain it. To fulfill that role, Active Directory uses the Global
Catalog (GC), which can locate DNs based on one or more specific attributes of
the needed object. (We will discuss the GC later in this chapter.)
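The partitions and the DN-versus-search distinction described above can be seen directly from a domain-joined machine. The following PowerShell script is an added example, not code from the book: it reads the partition names from the DC's RootDSE entry, binds to one object by its DN, and then performs the attribute-based search that a client must fall back to when it does not know the DN. It assumes an ordinary domain account and nothing else; all DNs are read at run time.

```powershell
# Added example (not from the book): list the directory partitions (naming
# contexts) a DC holds, bind to an object directly by its distinguished name,
# and contrast that with an attribute-based search.
# Assumes a domain-joined Windows machine and an ordinary domain account; every
# DN used below is read from RootDSE at run time, nothing is hard-coded.

# RootDSE is a virtual entry every DC exposes that names its partitions.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = [string]$rootDse.Properties["schemaNamingContext"].Value
$configNc = [string]$rootDse.Properties["configurationNamingContext"].Value
$domainNc = [string]$rootDse.Properties["defaultNamingContext"].Value

"Schema partition:        $schemaNc"
"Configuration partition: $configNc"
"Domain partition:        $domainNc"

# namingContexts lists every partition this DC replicates, which may also include
# application partitions such as DomainDnsZones and ForestDnsZones.
"All naming contexts on this DC:"
foreach ($nc in $rootDse.Properties["namingContexts"]) { "  $nc" }

# A DN is a complete address: knowing it, you bind straight to the object.
$usersDn = "CN=Users,$domainNc"
$users   = [ADSI]"LDAP://$usersDn"
"Objects directly under ${usersDn}:"
foreach ($child in $users.Children) { "  " + $child.Properties["distinguishedName"].Value }

# Without the DN you must search by attribute. This search walks the domain
# partition for the signed-on user's account and returns the DN the directory
# assigned to it; a forest-wide version of this lookup is what the GC provides.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNc")
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$env:USERNAME))"
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
$hit = $searcher.FindOne()
if ($hit) { "$env:USERNAME resolves to DN: $($hit.Properties['distinguishedname'][0])" }
else      { "No account named $env:USERNAME in $domainNc" }
```

Run it on any member server; the three partition DNs it prints are the ones the text calls the schema, configuration, and domain naming contexts, and the Users container listing shows how a DN pins an object to a specific partition.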
Forest and Domain Functional Levels
Forest functional levels and domain functional levels are a mechanism that Microsoft uses
to support backward compatibility with previous versions of Active Directory, and to
expose more advanced functionality as functional levels are raised. Functional levels are
a feature that helps improve performance and security. In Windows 2000, each domain
had two functional levels (which were called modes), native mode and mixed mode,
and the forest had only one functional level. Windows Server 2003 introduced two
more functional levels to consider in both domains and forests. Windows Server 2008
drops support for two legacy functional levels that were designed to support Windows
NT Backup Domain Controllers, and adds another forest and domain functional level
to support pure Windows Server 2008 environments. To enable the Windows Server
2008 forest and domain-wide features, all DCs must be running Windows Server 2008
and the functional levels must be set to Windows Server 2008. Table 4.1 summarizes
the levels, DCs supported in each level, and each level's primary purpose.
Table 4.1 Domain and Forest Functional Levels
Type    Functional Level         Supported DCs      Purpose
Domain  Windows 2000 (default)   2000, 2003, 2008   Supports upgrades from 2000 to 2008; no support for NT backup domain controllers (BDCs).
Domain  Windows Server 2003      2003, 2008         Supports upgrades from 2003 to 2008; all Windows Server 2003 domain-wide Active Directory features are enabled.
Domain  Windows Server 2008      2008               Provides support for all features of Windows Server 2008 Active Directory.
Forest  Windows 2000 (default)   2000, 2003, 2008   Supports mixed environments during upgrade; lower security, high compatibility.
Forest  Windows Server 2003      2003, 2008         Supports upgrades from 2003 to 2008; all Windows Server 2008 Active Directory features are enabled.
Forest  Windows Server 2008      2008               Provides support for all features of Windows Server 2008 Active Directory.
Using Domain Functional Levels
Active Directory technology debuted with Windows 2000. Now, with Windows
Server 2008, it has been refined and enhanced. Active Directory is now easier to
deploy, is more efficient at replication, has improved administration, and poses a better
end-user experience. Some features are enabled right away, whereas others require
a complete migration of DCs to the new release before they become available. There
are countless new features, the most significant of which we will discuss next.
Using the Windows 2000 Domain Functional Level
The Windows 2000 domain functional level is the default domain functional level
in Windows Server 2008, and is primarily intended to support an upgrade from
Windows 2000 to Windows Server 2008. This domain functional level offers full
compatibility with all down-level operating systems for Active Directory DCs, and
is characterized by the following features:
Microsoft Windows NT 4.0 DCs are not supported.
The following Active Directory features are supported in this mode:
■ Universal Security Groups
■ Group nesting
■ Converting groups between distribution and security groups
■ SIDHistory
The following Active Directory features are not supported in this mode:
■ DC rename
■ Logon timestamp attribute updated and replicated
■ User password support on the InetOrgPerson objectClass
■ Constrained delegation
■ Users and Computers container redirection
■ Can be raised to the Windows Server 2003 or Windows Server 2008
domain functional level
Windows Server 2003 Domain Functional Level
The Windows Server 2003 domain functional level supports both Windows Server
2003 and Windows Server 2008 DCs. This level does not allow for the presence of
Windows NT or Windows 2000 DCs, and is designed to support an upgrade from
2003 to 2008. All 2003 Active Directory domain features are enabled at this level,
providing a good balance between security and backward compatibility.
DCs not supported at this level:
■ Windows NT 4.0 DCs
■ Windows 2000 DCs
The following Active Directory domain-wide functions are supported at both
this level and the Windows 2000 domain functional level:
■ Universal Security Groups
■ Group nesting
■ Converting groups between distribution and security groups
■ SIDHistory
The following upgraded Active Directory domain-wide functionality is supported
at this domain functional level:
■ DC rename
■ Logon timestamp attribute updated and replicated
■ User password support on the InetOrgPerson objectClass
■ Constrained delegation
■ Users and Computers container redirection
■ Can be raised to the Windows Server 2008 domain functional level
■ Can never be lowered to the Windows 2000 domain functional level
In the Windows Server 2003 domain functional level, only Windows Server
2003 and Windows Server 2008 DCs can exist.
Windows Server 2008 Domain Functional Level
The Windows Server 2008 domain functional level supports only Windows Server
2008 DCs. This level does not allow for the presence of Windows NT, Windows
2000, or Windows Server 2003, and is designed to support the most advanced
Active Directory feature set possible. All 2008 Active Directory domain features are
enabled at this level, providing the highest level of security and functionality and
the lowest level of backward compatibility.
The following Windows Server 2008 domain-wide functions are supported
only at this level:
■ Distributed File System (DFS) replication support for the Windows
Server 2008 System Volume (SYSVOL) share, providing more robust and
fault-tolerant replication of SYSVOL and its contents
■ Advanced Encryption Standard (AES 128 and AES 256) encryption support
for the Kerberos protocol
■ Logging of Last Interactive Logon Information, including:
■ The time of the last successful interactive logon for a user
■ The name of the workstation from which the user logged on
■ The number of failed logon attempts since the last logon
■ Fine-grained password policies, which allow you to specify password and
account lockout policies for individual users and groups within an Active
Directory domain
■ Cannot be raised to any higher domain functional level, because no higher
level exists at this time
■ Can never be lowered to the Windows 2000 or Windows Server 2003
domain functional level
In the Windows Server 2008 domain functional level, only Windows Server 2008
DCs can exist.
Configuring Forest Functional Levels
The Windows Server 2008 forest functional levels are named similarly to the
domain functional levels, and serve a similar purpose. Table 4.1 summarizes the
levels, the DCs supported in each level, and each level's primary purpose.
As with domain functional levels, each forest functional level carries over the
features from lower levels, and activates new features as well. These new features
apply across every domain in your forest. After you raise the forest functional level,
earlier OSs cannot be promoted to DCs. For example, Windows NT 4.0 BDCs are
not supported by any forest functional level, and Windows 2000 DCs cannot be
part of the forest except through external or forest trusts once the forest level has
been raised to Windows Server 2003.
Windows 2000 Forest Functional Level (default)
The Windows 2000 forest functional level is primarily designed to support mixed
environments during the course of an upgrade. Typically, this applies to a transition
from Windows 2000 to Windows Server 2003 or Windows Server 2008. It is also
the default mode for a newly created Windows Server 2008 domain. It is characterized
by relatively lower-security features and reduced efficiency, but maintains the
highest compatibility level possible for Active Directory. In the Windows 2000 forest
functional level:
■ Windows 2000, Windows Server 2003, and Windows Server 2008 DCs
are supported
■ Windows NT 4.0 BDCs are not supported
A Windows Server 2008 forest at the Windows 2000 forest functional level
can be raised to either the Windows 2003 or the Windows Server 2008 forest
functional level.
Windows Server 2003 Forest Functional Level
The Windows Server 2003 forest functional level enables a number of forest-wide
features that were not available at the Windows 2000 forest functional level, and
is designed to allow for a 2003 to 2008 upgrade process. This level does not allow
for the presence of Windows NT or Windows 2000 DCs anywhere in the forest.
All Windows Server 2003 Active Directory forest features are enabled at this level,
as follows:
■ DCs not supported at this level:
■ Windows NT 4.0 DCs
■ Windows 2000 DCs
■ All new Active Directory forest features are supported at this level.
The following forest-wide improvements are available at this forest
functional level:
■ Efficient group member replication using linked value replication
■ Improved Knowledge Consistency Checker (KCC) intersite replication
topology generator algorithms
■ ISTG aliveness no longer replicated
■ Attributes added to the GC, such as ms-DS-Entry-Time-To-Die, Message
Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory,
Print-Rate, and Print-Rate-Unit
■ Defunct schema objects
■ Cross-forest trust
■ Domain rename
■ Dynamic auxiliary classes
■ InetOrgPerson objectClass change
■ Application groups
■ Reduced NTDS.DIT size
■ Improvements in intersite replication topology management
■ Can be raised to the Windows Server 2008 forest functional level
■ Cannot be downgraded to the Windows 2000 forest functional level
without performing a full forest recovery
In the Windows Server 2003 forest functional level, both Windows Server 2003
and Windows Server 2008 DCs can exist.
Windows Server 2008 Forest Functional Level
The Windows Server 2008 forest functional level is the highest forest functional
level available in Windows Server 2008, and supports only Windows Server 2008
DCs in each domain within a forest. At present, this forest functional level does not
expose any new functionality over and above the 2003 forest functional level. The
primary advantage of the 2008 forest functional level at present is that, once you
have raised the functional level to 2008, any domains that are subsequently added
to the forest will be automatically created at the Windows Server 2008 domain
functional level.
Raising Forest and Domain Functional Levels
Before increasing a functional level, you should prepare for it by performing the
following steps:
1. Inventory your domain or forest for DCs that are running any earlier versions
of the Windows Server operating system.
2. Physically locate any down-level DCs in the domain or forest as needed,
and either upgrade or remove them.
3. Verify that end-to-end replication is working in the forest using repadmin.exe
and/or dcdiag.exe.
4. Verify the compatibility of your applications and services with the version
of Windows that your DCs will be running, and specifically their compatibility
with the target functional level. Use a lab environment to test for
compatibility issues, and contact the appropriate vendors for compatibility
information.
When you are considering raising the domain functionality level, remember that
the new features will directly affect only the domain being raised. The two domain
functional levels available to raise are:
■ Windows Server 2003
■ Windows Server 2008
Once the functional level of a particular domain has been raised, no prior version
DCs can be added to the domain. In the case of the Windows Server 2003 domain
functional level, no Windows 2000 servers can be promoted to DC status after the
functionality has been raised. In the case of the Windows Server 2008 domain functional
level, no Windows Server 2003 DCs can be added to the domain after the
functional level has been raised to Windows Server 2008.
Raising the Domain Functional Level
Before raising the functional level of a domain, all DCs must be upgraded to the
minimum OS level as shown in Table 4.1. Remember that when you raise the
domain functional level to Windows Server 2003 or Windows Server 2008, it can
never be changed back to a previous domain functional level. Exercise 4.1 takes you
systematically through the process of verifying the current domain functional level.
Exercise 4.2 takes you through the process of raising the domain functional level.
To raise the domain functional level, you must be a Domain Admin in the domain
in question.
EXERCISE 4.1
VERIFYING THE DOMAIN FUNCTIONAL LEVEL
1. Log on as a Domain Admin of the domain you are checking.
2. Click on Start | Control Panel | Performance and Maintenance |
Administrative Tools | Active Directory Users and Computers, or
use the Microsoft Management Console (MMC) preconfigured
with the Active Directory Users and Computers snap-in.
3. Locate the domain in the console tree that you are going to
raise in functional level. Right-click the domain and select Raise
Domain Functional Level.
4. In the Raise Domain Functional Level dialog box, the current domain
functional level appears under Current domain functional level.
EXERCISE 4.2
RAISING THE DOMAIN FUNCTIONAL LEVEL
1. Log on locally as a Domain Admin to the PDC or the PDC
Emulator FSMO of the domain you are raising.
2. Click on Start | Administrative Tools | Active Directory Domains
and Trusts, or use the MMC preconfigured with the Active
Directory Domain and Trusts snap-in.
3. Locate the domain in the console tree that you are going to
raise in functional level. Right-click the domain and select Raise
Domain Functional Level.
4. A dialog box will appear titled Select an available domain functional
level. There are only two possible choices, although both might not
be available:
■ Select Windows Server 2003, and then click the Raise button
to raise the domain functional level to Windows Server 2003.
■ Select Windows Server 2008, and then click the Raise button
to raise the domain functional level to Windows Server 2008.
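The preparation steps listed under "Raising Forest and Domain Functional Levels" (inventory DCs, confirm replication) and the verification in Exercise 4.1 can be scripted so that the check is repeatable before the irreversible raise in Exercise 4.2. The PowerShell script below is an added example, not from the book. It reads the level values the snap-ins display (the msDS-Behavior-Version attribute on the domain partition head and on CN=Partitions in the configuration partition; 0, 2 and 3 correspond to Windows 2000, Windows Server 2003 and Windows Server 2008), lists every DC with its operating system, and runs repadmin /replsummary. It assumes a domain-joined machine, an account that can read the directory, and that repadmin.exe is installed.

```powershell
# Added example (not from the book): read the current domain and forest
# functional levels and run the pre-raise checks from the text (inventory
# DCs running older Windows versions, confirm replication is healthy).
# Assumes a domain-joined machine and an account that can read the directory;
# repadmin.exe must be present (it ships with the AD DS role and RSAT).

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = [string]$rootDse.Properties["defaultNamingContext"].Value
$configNc = [string]$rootDse.Properties["configurationNamingContext"].Value

# msDS-Behavior-Version stores the functional level as a number. These are the
# documented values for Windows 2000 through Windows Server 2008.
$levelNames = @{ 0 = "Windows 2000"; 1 = "Windows Server 2003 interim";
                 2 = "Windows Server 2003"; 3 = "Windows Server 2008" }

function Get-LevelName([int]$value) {
    if ($levelNames.ContainsKey($value)) { $levelNames[$value] } else { "unknown ($value)" }
}

# The domain level lives on the domain partition head; the forest level lives on
# CN=Partitions in the configuration partition (the same values the snap-ins show).
$domainHead = [ADSI]"LDAP://$domainNc"
$partitions = [ADSI]"LDAP://CN=Partitions,$configNc"
$domainLevel = [int]$domainHead.Properties["msDS-Behavior-Version"].Value
$forestLevel = [int]$partitions.Properties["msDS-Behavior-Version"].Value
"Domain functional level: $(Get-LevelName $domainLevel)"
"Forest functional level: $(Get-LevelName $forestLevel)"

# Step 1: inventory DCs and their OS. DC computer accounts carry the
# SERVER_TRUST_ACCOUNT flag (0x2000 = 8192) in userAccountControl; the
# 1.2.840.113556.1.4.803 matching rule performs a bitwise AND on that value.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNc")
$searcher.Filter = "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
foreach ($p in "name", "operatingSystem") { [void]$searcher.PropertiesToLoad.Add($p) }
"Domain controllers in ${domainNc}:"
$downLevel = @()
foreach ($dc in $searcher.FindAll()) {
    $name = $dc.Properties["name"][0]
    $os   = $dc.Properties["operatingsystem"][0]
    "  $name : $os"
    # Any DC that is not Windows Server 2008 blocks a raise to the 2008 level.
    if ($os -notmatch "2008") { $downLevel += $name }
}
if ($downLevel) { "Down-level DCs to upgrade or demote first: $($downLevel -join ', ')" }
else            { "All DCs report Windows Server 2008; the 2008 level can be selected." }

# Step 3: confirm end-to-end replication. repadmin /replsummary prints, for every
# DC, its inbound and outbound partners and the count of failed replication
# attempts; any failure must be fixed before raising, since a raise cannot be undone.
repadmin /replsummary
```

The script only reads; the raise itself is still performed through the Raise Domain Functional Level dialog as in Exercise 4.2. Running it first gives a written record of the level, the DC inventory, and replication health at the moment of the change.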
Understanding the Global Catalog
Active Directory uses the Global Catalog (GC), which is a copy of all the Active
Directory objects in the forest, to let users search for directory information across all
the domains in the forest. The GC is also used to resolve user principal names (UPNs)
when the DC that is authenticating logon isn't aware of the account (because that
account resides in a different domain). When the DC can't find the user's account in
its own domain database, it then looks in the GC. The GC also stores information
about membership in Universal Groups.
The GC contains a portion of every naming context in the directory, including
the schema and configuration partitions. To be able to find everything, the GC must
contain a replica of every object in the Active Directory. Fortunately, it maintains
only a small number of attributes for each object. These attributes are those most
commonly used to search for objects, such as a users first, last, and logon names.
The GC extends an umbrella of awareness throughout the discontiguous namespace
of the enterprise.
Although the GC can be modified and optimized, it typically requires infrequent
attention. The Active Directory replication system automatically builds and maintains
the GC, generates its replication topology, and determines which attributes to
include in its index.
The GC is a vital part of Active Directory functionality. Given the size of enterprise-level
organizations, on many networks, there will be multiple domains and, at times,
multiple forests. The GC helps in keeping a list of every object without holding
all the details of those objects; this optimizes network traffic while still providing
maximum accessibility.
NOTE
The first DC in a domain becomes the GC server by default.
Whenever a user is searching for an object in the directory, the GC server is
used in the querying process for multiple reasons. The GC server holds partial
replicas of all the domains in a forest, other than its own (for which it holds a full
replica). Thus, the GC server stores the following:
■ Copies of all the objects in the domain in which it resides
■ Partial copies of objects from other domains in the forest
NOTE
When we say that the GC server holds a partial copy of an object, we
mean that it includes only some of the object's attributes in its database.
Attributes are object properties, and each object has a number of attributes.
For example, one attribute of a User Account object would be the
username. You can customize the attributes of a particular object type
by editing the schema, which we will discuss later in this chapter.
The key point is that the GC is designed to have the details that are most commonly
used for searching for information. This allows for efficient response from
a GC server. There is no need to try to find one item out of millions of attributes,
because the GC has the important search-related items only. This makes for quick
turnaround on queries.
The scope of Directory Services has changed from the days of Windows NT
4.0 Directory Services. With Active Directory, a user record holds more than just
a username for an individual. The person's telephone number, e-mail address,
office location, and so forth can be stored in Active Directory. With this type of
information available, users will search the directory on a regular basis. This is
especially true when Microsoft Exchange is in the environment.
Whether a person is looking for details on another user, looking for a printer,
or simply trying to locate another resource, the GC will be involved in the final
resolution of the object. As mentioned previously, the GC server holds a copy of
every object in its own domain and a partial copy of objects in other domains
in the forest. Therefore, users can search outside their own domains as well as
within, something that could not be done with the old Windows NT Directory
Services model.
UPN Authentication
The UPN is meant to make logon and e-mail usage easier, because the two (your
user account and your e-mail address) are the same. An example of a UPN is
Brian@syngress.com. The GC provides assistance when a user from a domain logs on and
the DC doesn't know about the account. When the DC doesn't know the account,
it generally means that the account exists in another domain. The GC will help in
finding the user's account in Active Directory. The GC server will help to resolve the
user account so that the authenticating DC can finalize logon for the user.
EXAM WARNING
With Windows Server 2008 and beyond, you will see more and more references
to UPN use in single or multiple domain environments. Be sure
to understand how the UPN works in relation to logon, and how the GC
keeps this information available efficiently.
Directory Information Search
With Active Directory, users have the ability to search for objects such as other users
or printers. To help a user who is searching the database for an object, the GC answers
requests for the entire forest. Because the complete copy of every object available is
listed in the GC, searches can be completed quickly and with little use of network
bandwidth.
When you search the entire directory, the request is directed to the default
GC port 3268. The GC server is also known to other computers on the network
because of SRV records in the DNS. That is how a node on the network can query
for a GC server. There are SRV records specifically for GC services. These records
are created when you create the domain.
When users search for information in Active Directory, their queries can cross WAN
links, depending on the network layout. Each organization is different. Figure 4.2
shows an example layout with GC servers in the corporate office in Chicago and
a branch office in Seattle. The other two sites do not have GC servers. When queries
are initiated at the Chicago branch office, the queries use the corporate office GC
server. With a high-speed fiber connection, bandwidth isn't an issue.
Figure 4.2 Example GC Search Query (Corporate Headquarters in Chicago with a
Global Catalog Server; Chicago Branch Office, 25 users, fiber connection; New York
Branch Office, <10 users, 56 K Frame; Seattle Branch Office, 100 users, T1, with its
own Global Catalog Server)
The branch office in New York has a slow link but less than 10 users. These
users will use the GC in Chicago as well. Even though the pipe between these
locations is only 56K, the minimal number of users doesn't warrant having a GC
server in New York. The Seattle office has a T1, which is decent connectivity,
but there are more than 100 users in this location. Considering that, searches
will be more efficient with a GC server locally. We will look at sites later in the
chapter, but Figure 4.2 will help you get a basic understanding of how the query
process works.
Universal Group Membership Information
When setting up your network, certain features will be available based on the forest
functional level and domain functional level. Universal Groups is one of these features
that will or will not be available depending on your functional level. If your domain
functional level is set to at least Windows 2000 Native or later, you will have Universal
Groups available on your network. Universal Groups can have members belonging
to various domains in the forest. Without a GC server, Universal Groups could
not exist. That is because Universal Group membership is stored in the GC only.
This means that every DC will not have a copy of Universal Group membership;
only the DCs serving as GC servers have this information. When a user logs on, his
Universal Group membership is checked. The GC provides this information to the
authenticating DC.
Universal Group membership information is stored in all GC servers, so you need
to consider the design of your GC server layout when adding to or changing the GC
server configuration. The number of users at a location will help to determine when
you need a GC server. A large number of queries of the GC information over slow
links aren't recommended; placing a GC at each site is a better design. With sites with
a small number of users, you can get away with not having a GC server at each site.
We discuss this in more detail later in this chapter, in the section Placing GC Servers
within Sites.
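Two points from the preceding sections can be demonstrated together: how a client finds a GC server through the _gc SRV records and queries it on port 3268 ("Directory Information Search"), and that Universal Group membership is answered from the GC for the whole forest ("Universal Group Membership Information"). The following PowerShell script is an added example, not from the book. It assumes a domain-joined Windows machine; the forest name is derived from RootDSE and the user searched for is the signed-on account, and nslookup is used for the SRV query because it exists on every Windows version. The groupType bit value 0x8 (universal) and the 1.2.840.113556.1.4.803 bitwise-AND matching rule are standard Active Directory values.

```powershell
# Added example (not from the book): find a Global Catalog server through the
# _gc SRV records in DNS, search it on port 3268, and list the Universal Groups
# the signed-on user belongs to, which the GC can answer for the whole forest.
# Assumes a domain-joined Windows machine; the forest name and user name are
# read from RootDSE and the environment rather than hard-coded.

$rootDse  = [ADSI]"LDAP://RootDSE"
$forestNc = [string]$rootDse.Properties["rootDomainNamingContext"].Value
# Turn "DC=corp,DC=example,DC=com" into "corp.example.com" for the DNS query.
$forestDns = (($forestNc -split ",") | ForEach-Object { $_ -replace "^DC=", "" }) -join "."

# The forest-wide locator record is _gc._tcp.<forest>; site-specific copies live
# under _gc._tcp.<site>._sites.<forest>. The answer carries each GC host and
# its port, which is 3268.
"GC SRV records for ${forestDns}:"
nslookup -type=SRV "_gc._tcp.$forestDns" 2>$null |
    Select-String "svr hostname|port" |
    ForEach-Object { "  " + $_.Line.Trim() }

# The GC:// provider binds on port 3268 and searches every domain partition the
# GC holds (full for its own domain, partial for the others).
$gc       = [ADSI]"GC://$forestNc"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($gc)
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$env:USERNAME))"
foreach ($p in "distinguishedName", "userPrincipalName") { [void]$searcher.PropertiesToLoad.Add($p) }
$user = $searcher.FindOne()
if ($null -eq $user) { "No GC entry found for $env:USERNAME"; return }

$userDn = $user.Properties["distinguishedname"][0]
"Found via GC: $userDn"
"UPN:          $($user.Properties["userprincipalname"][0])"

# Universal Group membership is stored in the GC, so a GC search for groups whose
# groupType has the UNIVERSAL bit (0x8) set and whose member list contains the
# user's DN works across domains. The same query for Global or Domain Local
# groups of another domain returns nothing, because their member lists are not
# in the GC (only the group names are).
$searcher.Filter = "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=8)(member=$userDn))"
$searcher.PropertiesToLoad.Clear()
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
"Universal Groups containing ${env:USERNAME}:"
foreach ($g in $searcher.FindAll()) { "  " + $g.Properties["distinguishedname"][0] }
```

The SRV output is the same information the DC locator uses when a client picks a GC, and the second search shows why the text says Universal Groups cannot exist without a GC: the query for them is answered entirely from the GC's partial replicas.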
Understanding GC Replication
You know now that GC servers hold information for all of the objects in their own
domains and a partial copy of the objects from other domains in the forest. For this
to be possible, some type of replication has to happen between the GC servers.
EXAM WARNING
Be prepared to see diagrams similar to Figure 4.2 that show network layouts
and the various GC servers you have on your network. Part of being
a successful network administrator is being able to determine whether
the design is good. Because many Active Directory-integrated applications,
such as Microsoft Exchange, need access to a GC for authentication, GCs
should be placed in sites that support these applications, as well as sites
that are connected over lower-speed WAN links.
The default attributes included in the GC make up the most commonly searched
for items. These items are part of normal Active Directory replication.
The Knowledge Consistency Checker (KCC) generates the GC replication
topology. The GC is only replicated between DCs that are GC servers; the information
is not replicated to other DCs. A few things can affect replication; for example,
Universal Group membership, and the number of attributes included in the GC.
Universal Group Membership
The GC holds the sole responsibility of maintaining Universal Group membership.
The names of the Global Groups and Domain Local Groups are also in the GC,
but their membership lists are not. This helps to keep the size of the database small
enough to efficiently answer queries.
For replication purposes, it is best to keep Universal Group membership relatively
static. Every change made to a Universal Group is replicated to every GC server.
Keeping these changes to a minimum will keep the GC replication traffic to a
minimum.
Attributes in the Global Catalog
When you first set up Active Directory, a series of default attributes from Active
Directory are in the GC. Sometimes the default set of attributes is missing an
item you would like to see. For example, perhaps you want to have a coworker's
department number as part of his user record; you can accomplish this by adding
an attribute. You can use the Active Directory Schema snap-in to include additional
attributes in the GC by placing a checkmark next to the Index this attribute
checkbox, as shown in Figure 4.3. To get to this option, open the Schema
snap-in, and expand the Attributes section. Right-click any attribute, and select
Properties.
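Before touching the Schema snap-in it is useful to see which attributes are already part of the GC and which are indexed, because the two are separate settings. The PowerShell script below is an added example, not from the book. It reads, for each attribute named on its command line, the attributeSchema object's isMemberOfPartialAttributeSet attribute (which controls replication to the GC) and bit 0x1 of searchFlags (which is the "Index this attribute" setting), and then counts the current partial attribute set. It assumes a domain-joined machine; it is read-only and changes nothing in the schema. The default attribute names passed in (department, departmentNumber, sn, telephoneNumber) are standard schema attributes chosen for illustration.

```powershell
# Added example (not from the book): show which schema attributes are replicated
# to the Global Catalog and whether each is indexed.
# isMemberOfPartialAttributeSet = TRUE means the attribute is in the GC;
# searchFlags bit 0x1 is the "Index this attribute" setting. Both are standard
# attributeSchema attributes. Read-only; assumes a domain-joined machine.

param([string[]]$AttributeNames = @("department", "departmentNumber", "sn", "telephoneNumber"))

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = [string]$rootDse.Properties["schemaNamingContext"].Value

function Get-GcAttributeStatus([string]$ldapDisplayName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$ldapDisplayName))"
    foreach ($p in "isMemberOfPartialAttributeSet", "searchFlags", "attributeID") {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    $r = $searcher.FindOne()
    if ($null -eq $r) { return $null }

    # Both flags are optional on the schema object; absent means not set.
    $inGc = $false
    if ($r.Properties.Contains("ismemberofpartialattributeset")) {
        $inGc = [bool]$r.Properties["ismemberofpartialattributeset"][0]
    }
    $flags = 0
    if ($r.Properties.Contains("searchflags")) { $flags = [int]$r.Properties["searchflags"][0] }

    New-Object PSObject -Property @{
        Attribute       = $ldapDisplayName
        InGlobalCatalog = $inGc
        Indexed         = (($flags -band 1) -ne 0)
        OID             = $r.Properties["attributeid"][0]
    }
}

foreach ($name in $AttributeNames) {
    $s = Get-GcAttributeStatus $name
    if ($null -eq $s) { "$name : not found in schema" }
    else { "{0,-20} inGC={1,-5} indexed={2,-5} oid={3}" -f $s.Attribute, $s.InGlobalCatalog, $s.Indexed, $s.OID }
}

# The partial attribute set is the list whose extension, before Windows Server
# 2003, forced a full resynchronization of every GC. Count it so changes can be
# tracked over time.
$all = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
$all.Filter   = "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))"
$all.PageSize = 500
"Attributes currently in the GC partial attribute set: $($all.FindAll().Count)"
```

Run it before and after a schema change to confirm that the attribute you added now reports inGC=True; an attribute can be indexed without being in the GC and vice versa, which is why the script reports both.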
TEST DAY TIP
Universal Groups can exist only if the functional level of your network is
Windows 2000 native or later. Universal Group information is replicated
between GC servers. Replication traffic can consume bandwidth, which is
why site topology is important; putting a GC at each site keeps replication
traffic to a minimum.
Prior to Windows Server 2003, each time the GC attribute set was extended,
a full synchronization of all attributes stored in the GC was completed. In a large
network, this often caused a serious amount of network traffic. With Windows
Server 2003 and Windows Server 2008, only the additional attribute or attributes
are replicated to other GC servers. This makes for more efficient use of network
bandwidth.
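The set of attributes that every GC server carries is recorded in the schema itself, so you can audit it rather than click through the snap-in. The following PowerShell is an added example, not code from the book: it reads the schema partition with the .NET DirectorySearcher class, lists the attributes flagged as members of the partial attribute set, and checks whether one attribute of interest is among them. It assumes a domain-joined machine whose user can read the schema partition; `departmentNumber` is a standard schema attribute used here to stand in for the "department number" case above, and `$wanted` is the only thing you would change.

```powershell
# Added example (not from the book): list the attributes that every GC
# replicates (the partial attribute set) and check whether one specific
# attribute is included. Read-only; assumes a domain-joined machine whose
# user can read the schema partition.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.schemaNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $schemaNc)
# isMemberOfPartialAttributeSet is the schema flag the Active Directory
# Schema snap-in sets when you add an attribute to the GC.
$searcher.Filter   = "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add("lDAPDisplayName")

$pas = @($searcher.FindAll() | ForEach-Object { $_.Properties["ldapdisplayname"][0] } | Sort-Object)
"{0} attributes are replicated to every GC server" -f $pas.Count

# departmentNumber is a standard schema attribute; it stands in for the
# book's "department number" example. Change $wanted to audit another one.
$wanted = "departmentNumber"
if ($pas -contains $wanted) {
    "{0} is in the partial attribute set; a query on port 3268 can return it." -f $wanted
} else {
    "{0} is not in the partial attribute set; GC queries will not return it." -f $wanted
    "Adding it through the Schema snap-in replicates that one attribute to every GC."
}
```

Recording the count from time to time gives you a baseline: the partial attribute set only grows when someone changes the schema, and every attribute added means more data held on, and replicated between, every GC server in the forest.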
Placing GC Servers within Sites
Another consideration when it comes to replication is placement of your GC servers.
In a small network with one physical location, GC server placement is easy. Your
first DC that is configured will hold the GC role. If you have one site, but more than
one DC, you can move the role to another DC if you want to or configure additional
DCs as GCs. Most networks today consist of multiple physical locations, whether in
the same city or across the country. If you have high-speed links connecting your
branch offices you might be okay, but many branch office links use limited bandwidth
connections. If the connection between locations is less than a T1, you might have
limited bandwidth depending on what traffic is crossing the wire. As a network
administrator, you will have to work with your provider to gauge how much utilization
there is across your WAN links.
Figure 4.3 Adding Attributes to the GC
Another factor is reliability. If your WAN links are unreliable, replication traffic
and synchronization traffic might not successfully cross the link. The less reliable the
link, the more the need for setting up sites and site links between the locations.
Without proper planning, replication traffic can cause problems in a large network.
Sites help to control replication traffic. Making the most of available bandwidth is an
important factor in having a network that allows your users to be productive. Logon
and searching Active Directory are both affected by GC server placement. If users
cannot find the information they need from Active Directory, they might not be able
to log on or find the information or data they need.
Configuring & Implementing
GC in an Exchange Server Environment
Now that Active Directory is the single directory used in Windows 2000,
Windows Server 2003, and Windows Server 2008 networks, there is very tight
integration with Microsoft Exchange. Prior to Exchange 2000, Exchange had
its own directory and the domain had its own directory service. There were
links between the two, but they were still technically separate directories.
Because all user information (first name, last name, and contact
information) is kept in Active Directory, users will be searching more and
more throughout the directory. In previous versions of Exchange, there
was a Global Address List that you could search to locate people within
your organization. Information such as telephone numbers, fax numbers,
and office locations can be part of your GC strategy with Windows Server
2003. It is important for administrators to ensure that users can reach the
data for which they are searching as quickly and easily as possible. Proper
planning and location of your GC information is important to successful
queries of your directory information.
Bandwidth and Network Traffic Considerations
Active Directory replication works differently depending on whether it is intersite or
intrasite replication. DCs that are part of the same site (intrasite) replicate with one
another more often than DCs in different sites (intersite). If you have sites that are
geographically dispersed, you need to be careful how you handle your GC server
placement. The bandwidth between geographically dispersed offices is often minimal.
The rule of thumb is to have GC servers in selected sites. In most cases, you do not
want to have a GC server in every site because of the vast amount of replication
that would occur. The following examples describe situations in which you should
have a GC server within a site:
■ If you have a slow WAN link between geographic locations. If you have a
DC at each location, a good rule is to also have a GC server at each location.
If the WAN link supports traffic for normal DC traffic, it should also
handle GC traffic.
■ If you have an application that relies heavily on GC queries across port 3268,
you'll want to have a GC server in the site in which the application runs. An
example of this is Exchange 2000, which relies heavily on GC information.
■ You'll want to have GCs in as many sites as possible to support Universal
Group membership authentication. We look at caching of Universal
Groups, which can reduce traffic related to this, in the next section.
TEST DAY TIP
Microsoft's documentation recommends that if you have 50 or more
users at a given location, you should give that location a DC serving as
a GC server. This will help to reduce the number of queries crossing the
WAN for Active Directory object searches.
Data replicated between sites is compressed, which makes better use of available
bandwidth. Because the data is compressed, more can be sent over a limited amount
of bandwidth. This is how site placement and design can be critical to efficient
network operation.
Universal Group Membership Caching
The Windows Server 2003 Active Directory introduced Universal Group caching as a
new feature, and this feature is also available in Windows Server 2008. When a user
logs on to the network, his membership in Universal Groups is verified. For this to
happen, the authenticating DC has to query the GC. If the GC is across a WAN
link, the logon process will be slow every time. To alleviate this, the DC that queries
the GC can cache this information, which cuts down on the amount of data traveling
across the WAN link for Universal Group information.
The cache is loaded at the first user logon. Every eight hours by default, the
DC will refresh the cache from the nearest GC server. Caching functionality is
administered in Active Directory Sites and Services as shown in Figure 4.4, and can
be turned off if desired. You can also designate the GC server from which you want
the cache to refresh, giving you more control over traffic distribution on the network.
NOTE
The NTDS Site Settings Properties box is not the same NTDS Settings
Properties box you accessed to make a DC act as a GC. Instead of
accessing the properties of NTDS settings under the DC node in the
Servers container, you must access the properties of NTDS Site Settings in
the right console pane when you select a site name (e.g., Default-First-
Site-Name). The similarity of these two settings can be confusing if you
haven't worked with the console much.
Figure 4.4 Configuring Universal Group Caching
Prior to Windows Server 2003, Active Directory logon would immediately
fail if a GC could not be located to check Universal Group membership. With
Universal Group caching in Windows Server 2003 and Windows Server 2008, DCs
cache complete group membership information, so even if a GC server cannot be
reached, logon will still happen based on cached Universal Group information.
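Because the caching setting lives on each site's NTDS Site Settings object (the object behind the dialog in Figure 4.4) and the GC flag lives on each DC's NTDS Settings object, both can be read from the Configuration partition in one pass. The following PowerShell is an added example, not code from the book: it reports, per site, whether Universal Group Membership Caching is on, which GC site the cache refreshes from, and how many GCs the site already has, so you can spot sites that depend on a GC across the WAN with caching off, and sites where caching is on but redundant. It is read-only and assumes a domain-joined machine that can read the Configuration partition; the two flag values are the MS-ADTS option bits NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED (0x20) and NTDSDSA_OPT_IS_GC (0x1), and the helper functions are written here.

```powershell
# Added example (not from the book): read-only audit of Universal Group
# Membership Caching versus GC placement, per site.
$GroupCachingEnabled = 0x20   # NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED on nTDSSiteSettings (MS-ADTS)
$IsGlobalCatalog     = 0x1    # NTDSDSA_OPT_IS_GC on nTDSDSA, i.e. NTDS Settings (MS-ADTS)

$rootDse   = [ADSI]"LDAP://RootDSE"
$sitesRoot = [ADSI]("LDAP://CN=Sites," + $rootDse.configurationNamingContext)

# Helper written for this example: run one search under CN=Sites.
function Search-Sites {
    param([string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($sitesRoot, $Filter)
    $searcher.PageSize = 1000
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher.FindAll()
}

# Helper written for this example: value of the Nth RDN of a DN (no escaped commas assumed).
function Get-RdnValue {
    param([string]$Dn, [int]$Index)
    return (($Dn -split ",")[$Index]) -replace "^CN=", ""
}

# Count GC servers per site from the options bit on every NTDS Settings object:
# CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,CN=Sites,...  -> site is RDN 3
$gcCountBySite = @{}
foreach ($dsa in Search-Sites "(objectClass=nTDSDSA)" @("distinguishedName", "options")) {
    $site = Get-RdnValue $dsa.Properties["distinguishedname"][0] 3
    $opts = 0
    if ($dsa.Properties["options"].Count -gt 0) { $opts = [int]$dsa.Properties["options"][0] }
    if (-not $gcCountBySite.ContainsKey($site)) { $gcCountBySite[$site] = 0 }
    if (($opts -band $IsGlobalCatalog) -ne 0) { $gcCountBySite[$site] += 1 }
}

# Now the per-site caching setting:
# CN=NTDS Site Settings,CN=<site>,CN=Sites,...  -> site is RDN 1
foreach ($settings in Search-Sites "(objectClass=nTDSSiteSettings)" @("distinguishedName", "options", "msDS-Preferred-GC-Site")) {
    $site = Get-RdnValue $settings.Properties["distinguishedname"][0] 1
    $opts = 0
    if ($settings.Properties["options"].Count -gt 0) { $opts = [int]$settings.Properties["options"][0] }
    $cachingOn = (($opts -band $GroupCachingEnabled) -ne 0)

    $refreshFrom = "nearest GC (default)"
    if ($settings.Properties["msds-preferred-gc-site"].Count -gt 0) {
        $refreshFrom = $settings.Properties["msds-preferred-gc-site"][0]
    }

    $gcHere = 0
    if ($gcCountBySite.ContainsKey($site)) { $gcHere = $gcCountBySite[$site] }

    "{0,-24} caching={1,-5} GCs in site={2}  refresh from: {3}" -f $site, $cachingOn, $gcHere, $refreshFrom
    if (-not $cachingOn -and $gcHere -eq 0) {
        "    [check] no GC in this site and caching is off: logons depend on a GC across the WAN"
    }
    if ($cachingOn -and $gcHere -gt 0) {
        "    [note] site already has a GC; caching adds little here"
    }
}
```

Sites that contain no DC at all (pure client sites) still show up with their NTDS Site Settings object; for those the caching flag is irrelevant, because there is no DC in the site to hold a cache.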
Working with Flexible
Single Master Operation (FSMO) Roles
In Windows NT 4.0, the domain had only one authoritative source for domain-related
information, the primary domain controller or PDC. With the implementation
of Active Directory came the multimaster replication model, where objects
and their properties can be modified on any DC and become authoritative through
replication conflict resolution measures. This scalability effort came with a price in
complexity, however, and Active Directory FSMO roles were introduced to control
certain domain and forest-wide operations that are not well suited for a multimaster
environment. Some operations such as modifying the Active Directory schema or
adding or removing a domain or domain tree are sufficiently critical or sensitive
that their functions need to reside on a single DC within the domain or forest.
The advantage of using FSMOs is that conflicts cannot be introduced while
a particular Operations Master is offline; the alternative would involve resolving
conflicts later, possibly to significantly negative result. The disadvantage is that all
Operations Masters must be available at all times to support all dependent activities
within the domain or forest. Windows Server 2008 Active Directory requires five
operational master roles:
■ Schema Master To update the schema of a forest, you must have access
to the Schema Master DC, which controls all schema updates and modifications.
There can be only one Schema Master in the forest.
■ Domain Naming Master The Domain Naming Master DC controls the
addition or removal of domains in the forest as well as adding and removing
any cross-references to domains in external Lightweight Directory Access
Protocol (LDAP) directories. There can be only one Domain Naming
Master in the forest.
■ Infrastructure Master The Infrastructure Master is responsible for
updating references from objects in the local domain to objects in other
domains. There can be only one Infrastructure Master DC in each
domain.
■ Relative ID (RID) Master The RID Master processes RID pool
requests from all DCs in the local domain. These relative identifiers are
the unique part of the SID, which is a Security Identifier used to uniquely
identify objects and group memberships. There can be only one RID
Master DC in each domain.
■ PDC Emulator The PDC Emulator is a DC that advertises itself as the
PDC to workstations, member servers, and BDCs running Windows NT.
It is also the Domain Master Browser, and handles Active Directory password
changes, maintenance of trust relationships, as well as time synchronization
for servers and clients within a domain. There can be only one PDC
Emulator in each domain.
Two of these operate at the forest level only: you will have a single Schema
Master and Domain Naming Master within each Active Directory forest regardless
of how many domains exist within the forest. Conversely, the RID Master, PDC
Emulator, and Infrastructure Master operate at the domain level. To examine this
role relationship between master roles and the required authorization for administering
them in the forest and domains, refer to Table 4.2.
Table 4.2 Valid Authorization Levels for Viewing, Transferring,
and Seizing Operations Master Roles
Role | Task | Domain Administrator on the Local Domain | Domain Administrator on the Forest-Root Domain | Enterprise Administrator
Schema Master | Viewing, transferring, or seizing | - | X (plus Schema Admins membership) | X
Domain Naming Master | Viewing, transferring, or seizing | - | X | X
To illustrate, if you have a single Active Directory forest containing a parent
domain and a child domain, you will have one each of the Schema Master and
Domain Naming Master FSMO roles, and two each of the Infrastructure Master,
RID Master, and PDC Emulator, with one of each domain-wide FSMO configured
in each of the two domains. A single-domain forest, therefore, has five roles, one of
each. Each domain added after the forest root domain has three additional masters.
With that information, we can determine the number of operations master servers
required in a given forest with the following formula:
(Number of domains × 3) + 2
Given the formula, we can determine that the forest depicted in Figure 4.5,
with three domains, needs a maximum of 11 server platforms to support the 11
FSMO roles (3 ∗ 3 = 9, and 9 + 2 = 11), unless you assign multiple roles to a single
DC. Often, small domains, empty root domains, or best practices will make combining
several of these roles onto a single DC desirable. In the example shown in
Figure 4.5, the following roles exist:
■ One Schema Master in Dogs.com
■ One Domain Naming Master in Dogs.com
■ Three PDC Emulators (one each in Dogs.com, Fish.com, and Cat.fish.com)
■ Three RID Masters (one each in Dogs.com, Fish.com, and Cat.fish.com)
■ Three Infrastructure Masters (one each in Dogs.com, Fish.com, and
Cat.fish.com)
Table 4.2 Continued. Valid Authorization Levels for Viewing,
Transferring, and Seizing Operations Master Roles
Role | Task | Domain Administrator on the Local Domain | Domain Administrator on the Forest-Root Domain | Enterprise Administrator
Infrastructure Master | Viewing, transferring, or seizing | X | - | X
RID Master | Viewing, transferring, or seizing | X | - | X
PDC Emulator | Viewing, transferring, or seizing | X | - | X
Figure 4.5 Creating a New Child Domain in an Existing Domain
(Diagram: the root domain Dogs.com and the top-level domain Fish.com are joined by a
transitive trust; Fish.com and its child domain Cat.fish.com are joined by a transitive
trust that is implicit.)
Placing, Transferring,
and Seizing FSMO Role Holders
The first DC that you install in the forest root will automatically host all five roles. The
first DC that you install in any additional domains will automatically host the three
roles of PDC Emulator, RID Master, and Infrastructure Master.
You can use the ntdsutil.exe command-line utility to transfer FSMO roles, or you
can use an MMC snap-in tool. Depending on which role you want to transfer, you
can use one of the following three MMC snap-in tools:
■ Active Directory Schema snap-in (Schema Master role)
■ Active Directory Domains and Trusts snap-in (Domain Naming Master role)
■ Active Directory Users and Computers snap-in (RID Master,
Infrastructure Master, and PDC Emulator roles)
To forcibly seize a role, you must use the ntdsutil utility. If a computer cannot be
contacted due to a hardware malfunction or long-term network failure, the role must
be seized. If the PDC Emulator role holder fails, you can seize the PDC Emulator
FSMO role to another DC and then return the role to the original role holder when
it comes back online. In the case of other FSMO role holders, particularly the RID
Master and Schema Master FSMO role holders, you must take significantly greater
care if you need to seize the FSMO role due to a hardware or network failure.
If you seize the Schema Master or RID Master FSMO role holder to another DC,
the original role holder must never be returned to Active Directory; the original role
holder must be reformatted before being returned to your production environment.
Locating and Transferring the Schema Master Role
The DC that hosts the Schema Master role controls each update or modification
to the schema. You must have access to the Schema Master to update the schema
of a forest.
EXAM WARNING
Remember this distinction between the GC and the Schema Master:
The GC contains a limited set of attributes of all objects in the Active
Directory. The Schema Master contains formal definitions of every object
class that can exist in the forest and every object attribute that can exist
within an object. In other words, the GC contains every object, whereas
the schema contains every definition of every type of object.
NOTE
You must be a member of the Schema Admins group to perform this
operation. The built-in Administrator account in the forest root domain
is automatically configured as a member of this group when the Active
Directory forest is created.
Refer to Exercise 4.3 for instructions on how to identify the DC that is performing
the Schema Master operations role for your forest using the command line
or the GUI. Refer to Exercise 4.4 for instructions on how to transfer the Schema
Master operations role for your forest to a different DC, and Exercise 4.9, later in
this chapter, for steps to seize the role to another DC in case of a failure.
Temporary loss of the Schema Master is not noticeable to domain users. Enterprise
and domain administrators will not notice the loss either, unless they are trying to
install an application that modifies the schema during installation or trying to modify
the schema themselves. You should seize the schema FSMO role to the standby
operations master only if your old Schema Master will be permanently offline.
EXERCISE 4.3
LOCATING THE SCHEMA OPERATIONS MASTER
1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start | Run.
3. Type regsvr32 schmmgmt.dll in the Open box, and click OK.
This registers the Schmmgmt.dll.
4. Click OK in the dialog box showing that the operation succeeded.
5. Click Start | Run, type mmc, and then click OK.
6. On the menu bar, click File | Add/Remove Snap-in, click Add,
double-click Active Directory Schema, click Close, and then click OK.
7. Expand and then right-click Active Directory Schema in the top-left
pane, and then select Operations Masters to view the server
holding the Schema Master role, as shown in Figure 4.6.
Figure 4.6 The Server Holding the Schema Master Role
EXERCISE 4.4
TRANSFERRING THE SCHEMA
OPERATIONS MASTER ROLE
1. Log on as an Enterprise Administrator in the forest where you
want to transfer the Schema Master role.
2. Click Start | Run.
3. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
This registers the Schmmgmt.dll.
4. Click OK in the dialog box showing that the operation succeeded.
5. Click Start | Run, type mmc, and then click OK.
6. On the menu bar, click File | Add/Remove Snap-in, click Add,
double-click Active Directory Schema, click Close, and then
click OK.
7. Right-click Active Directory Schema in the top-left pane, and then
click Change Active Directory Domain Controller.
8. As shown in Figure 4.7, select the This Domain Controller or AD
LDS instance, enter the name of the DC that will be the new role
holder, and then click OK.
9. Right-click Active Directory Schema again, and then click
Operations Master.
10. Click Change.
11. Click OK to confirm that you want to transfer the role, and then
click Close.
Locating and Transferring the Domain Naming Master Role
The Domain Naming Master DC controls the addition or removal of domains in
the forest, and adding and removing any cross-references to domains in external
LDAP directories. There can be only one Domain Naming Master in the forest.
Refer to Exercise 4.5 for instructions on how to identify the DC that is performing
the Domain Naming Master operation role for your forest. Refer to Exercise 4.6
for instructions on how to transfer the Domain Naming Master operations role for
your forest to a different DC.
Figure 4.7 Changing an Active Directory Domain Controller
EXERCISE 4.5
LOCATING THE DOMAIN
NAMING OPERATIONS MASTER
1. Log on as an Enterprise Administrator in the forest you are
checking.
2. Click Start | Run, type mmc, and then click OK.
3. On the menu bar, click File | Add/Remove Snap-in, click Add,
double-click Active Directory Domains and Trusts, click Close,
and then click OK.
4. Right-click Active Directory Domains and Trusts in the top-left
pane, and then click Operations Masters to view the server
holding the Domain Naming Master role.
EXERCISE 4.6
TRANSFERRING THE
DOMAIN NAMING MASTER ROLE
1. Click Start | Administrative Tools | Active Directory Domains
and Trusts.
2. Right-click Active Directory Domains and Trusts, and click Change
Active Directory Domain Controller, unless you are already on the
DC to which you are transferring the role. Select the This Domain
Controller or AD LDS instance, enter the name of the DC that will
be the new role holder, and then click OK.
3. In the console tree, right-click Active Directory Domains and
Trusts, and then select Operations Master. Click Change.
4. Click OK for confirmation, and click Close.
Locating and Transferring the
Infrastructure, RID, and PDC Operations Master Roles
The Infrastructure Master is responsible for updating references from objects in the
local domain to objects in other domains. There can be only one Infrastructure
Master DC in each domain. The RID Master processes RID pool requests from all
DCs in the local domain. There can be only one RID Master DC in each domain.
The PDC Emulator is a DC that advertises itself as the PDC to workstations,
member servers, and BDCs running Windows NT. It is also the Domain Master
Browser, and handles Active Directory password collisions, or discrepancies. There
can be only one PDC Emulator in each domain.
Refer to Exercise 4.7 for instructions on how to identify the DCs that are
performing the FSMO roles for your forest using the Active Directory Users and
Computers GUI interface. Refer to Exercise 4.8 for instructions on how to
transfer the Infrastructure, RID, and PDC Master operations roles for your domain
to different DCs, and to Exercise 4.9 for instructions on how to seize the FSMO
Master roles.
EXERCISE 4.7
LOCATING THE INFRASTRUCTURE,
RID, AND PDC OPERATIONS MASTERS
1. Log on as an Enterprise Administrator in the forest you are
checking.
2. Click Start | Run, type dsa.msc, and click OK. This is an alternative
method for opening the Active Directory Users and Computers
administrative tool.
3. Right-click the selected Domain Object in the top-left pane, and
then click Operations Masters.
4. Click the Infrastructure tab to view the server holding the
Infrastructure Master role.
5. Click the RID tab to view the server holding the RID Master role.
6. Click the PDC tab to view the server holding the PDC Master role.
EXERCISE 4.8
TRANSFERRING THE INFRASTRUCTURE,
RID, AND PDC MASTER ROLES
1. Click Start | Administrative Tools | Active Directory Users and
Computers.
2. Right-click Active Directory Users and Computers, and click
Connect to Domain Controller unless you are already on the DC
you are transferring to. Select the This Domain Controller or AD
LDS instance, enter the name of the DC that will be the new role
holder, and then click OK.
3. In the console tree, right-click Active Directory Users and
Computers, and click All Tasks | Operations Master.
4. Take the appropriate action for the role you want to transfer:
■ Click the Infrastructure tab, and click Change.
■ Click the RID tab, and click Change.
■ Click the PDC tab, and click Change.
5. Click OK for confirmation, and click Close.
EXERCISE 4.9
SEIZING THE FSMO MASTER ROLES
1. Log on to any working DC.
2. Click Start | Run, type ntdsutil in the Open box, and then click OK.
3. Type activate instance ntds, and press Enter. Then type roles, and
press Enter.
4. In ntdsutil, type ? at any prompt to see a list of available commands,
and press Enter.
5. Type connections, and press Enter.
6. Type connect to server servername, where servername is the
name of the server that will receive the role, and press Enter.
7. At the Server connections: prompt, type q, and press Enter.
8. Type the appropriate seizing command, as shown next. See the
example in Figure 4.8. If the FSMO role is available, ntdsutil.exe
will perform a transfer instead. Respond to the Role Seizure
Confirmation Dialog box, as shown in Figure 4.9.
seize schema master
seize naming master
seize infrastructure master
seize RID master
seize PDC
Figure 4.8 Seizing the PDC Master Role
D:\WINDOWS\system32\ntdsutil.exe: activate instance ntds
Active instance set to ntds.
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server DC4
Binding to DC4 ...
Connected to DC4 using credentials of locally logged on user.
server connections: q
fsmo maintenance: seize PDC
Attempting safe transfer of PDC FSMO before seizure.
FSMO transferred successfully - seizure not required.
Server DC4 knows about 5 roles
Schema - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
Domain - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
PDC - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
RID - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
Infrastructure - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
fsmo maintenance: q
Figure 4.9 Seizing the Schema Operations Master Role
9. After you seize the role, type q, and then press Enter repeatedly
until you quit the Ntdsutil tool.
Placing the FSMO Roles
within an Active Directory Environment
It is a good idea to place the RID and PDC Emulator roles on the same DC. Down-level
clients and applications target the PDC, making it a large consumer of RIDs.
Good communication between these two roles is important. If performance demands
it, place the RID and PDC Emulator roles on separate DCs, but make sure they stay
in the same site and that they are direct replication partners with each other.
As a general rule, you should place the Infrastructure Master on a DC that is not
a GC server to maintain proper replication. There are two exceptions to this rule:
■ Single domain forest If your forest contains only one Active Directory
domain, there can be no phantoms. The Infrastructure Master has no
functionality in a single domain forest. In that case, you can place the
Infrastructure Master on any DC.
■ Multidomain forest where every DC holds the GC Again, there can
be no phantoms if every DC in the domain hosts a GC. There is no work
for the Infrastructure Master to perform. In that case, you can place the
Infrastructure Master on any DC.
Additionally, ensure that the Infrastructure Master has a direct connection object
to a GC server somewhere in the forest, preferably in the same site.
Considering the forest-wide FSMOs, the Schema Master and Domain Naming
Master roles are rarely used and should be tightly controlled. For that reason, you can
place them on the same DC. Another Microsoft-recommended practice is to place
the Domain Naming Master FSMO on a GC server. Taking all of these practices
together, a Microsoft-recommended best-practice empty root domain design might
consist of two DCs with the following FSMO/GC placement:
■ DC 1:
■ Schema Master
■ Domain Naming Master
■ GC
■ DC 2:
■ RID Master
■ PDC Emulator
■ Infrastructure Master
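The placement rules above can be checked rather than remembered. The following PowerShell is an added example, not code from the book: it enumerates every FSMO role holder in the current forest with the .NET System.DirectoryServices.ActiveDirectory classes (which ship with Windows Server 2008), compares the count with the (domains × 3) + 2 formula from earlier in the chapter, and flags three of the placements discussed here: a Domain Naming Master that is not a GC, RID Master and PDC Emulator in different sites, and an Infrastructure Master on a GC where that matters (a multi-domain forest in which not every DC is a GC). It is read-only; it assumes a domain-joined machine, and the GC checks bind to the DCs, so unreachable DCs will throw.

```powershell
# Added example (not from the book): enumerate FSMO role holders and check
# them against the placement guidance. Read-only; binds to DCs for the GC checks.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

"Forest-wide roles for {0}:" -f $forest.Name
"  Schema Master        : {0}" -f $forest.SchemaRoleOwner.Name
"  Domain Naming Master : {0}" -f $forest.NamingRoleOwner.Name
if (-not $forest.NamingRoleOwner.IsGlobalCatalog()) {
    "  [check] Domain Naming Master is not a GC (Microsoft recommends placing it on one)."
}

# Expected number of roles: (domains * 3) + 2, as in the chapter's formula.
$expectedRoles = ($forest.Domains.Count * 3) + 2
"Expected number of FSMO roles in this forest: {0}" -f $expectedRoles

$singleDomain = ($forest.Domains.Count -eq 1)

foreach ($domain in $forest.Domains) {
    $pdc   = $domain.PdcRoleOwner
    $rid   = $domain.RidRoleOwner
    $infra = $domain.InfrastructureRoleOwner
    ""
    "Domain-wide roles for {0}:" -f $domain.Name
    "  PDC Emulator          : {0} (site {1})" -f $pdc.Name, $pdc.SiteName
    "  RID Master            : {0} (site {1})" -f $rid.Name, $rid.SiteName
    "  Infrastructure Master : {0} (site {1})" -f $infra.Name, $infra.SiteName

    # Rule 1: RID Master and PDC Emulator on one DC, or at least in one site.
    if ($pdc.Name -ne $rid.Name -and $pdc.SiteName -ne $rid.SiteName) {
        "  [check] RID Master and PDC Emulator are in different sites."
    }

    # Rule 2: Infrastructure Master should not be a GC, except in a
    # single-domain forest or when every DC in the domain is a GC (no phantoms).
    $dcs = @($domain.FindAllDomainControllers())
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog() })
    $allDcsAreGc = ($gcs.Count -eq $dcs.Count)
    if ($infra.IsGlobalCatalog() -and -not ($singleDomain -or $allDcsAreGc)) {
        "  [check] Infrastructure Master is a GC while other DCs in this domain are not; cross-domain references will go stale."
    }
}
```

Run it from a DC after any role transfer or seizure as well: the "Server knows about 5 roles" output from ntdsutil shows only what one DC believes, whereas this walks every domain in the forest.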
Working with Sites
In today's distributed network environment, communication must always be rapid
and reliable. Geographical and other restrictions led to the creation of smaller
networks, known as subnets, which provide rapid and reliable communication between
locations. Larger networks attain the same result by using Microsoft Windows
Server 2008 Active Directory Sites, which regulate inter-subnet traffic.
A site defines the network structure of a Windows Server 2008 Active Directory.
A site consists of multiple Internet Protocol (IP) subnets linked together by rapid and
reliable connections. The primary role of sites is to increase the performance of
a network by economic and rapid transmission of data. The other roles of sites are
replication and authentication. The Active Directory physical structure manages when
and how the authentication and replication must take place. The Active Directory
physical structure allows the management of Active Directory replication scheduling
between sites. The performance of a network is also based on the location of objects
and logon authentication as users log on to the network.
TEST DAY TIP
As a network administrator, you must be familiar with the various roles
and services offered by Active Directory Sites. You needn't worry
about memorizing every detail for this particular exam. What you do have
to know are the basics of how each role and service of Active Directory
Sites works, and how Active Directory Sites can be used efficiently for
data transmission as part of a large network.
Understanding Sites
A site is a collection of interconnected computers that operate over IP subnets.
A site is also a place on a network having high-bandwidth connectivity. The relationship
of sites to Active Directory components is based on the following network
operations performed by sites:
■ Control of replication occurrences
■ Changes made within the sites
■ How efficiently DCs within a domain can communicate
A site can contain one or more domains, and a domain can be part of one or
more sites. Sites and domains do not have to maintain the same namespace. Sites and
domains are interrelated because sites control replication of the domain information.
Head of the Class
The Relationship between Sites and Domains
Domains are also defined as units of replication. All the DCs present in a
particular domain can receive changes and replicate those changes to all
other DCs present in the domain of a network. A DNS server recognizes
each domain that is present in a particular site. If your network requires
more than one domain, you can easily create multiple domains. Figure 4.10
illustrates the relationship between sites and domains in a network, and
helps us to understand that a site can have one or more domains, and a
domain can have one or more sites.
Figure 4.10 The Relationship between the Sites
and Domains Present in a Network
(Diagram: three domains and three sites overlapping, so that one site spans
more than one domain and one domain spans more than one site.)
The sites present in an Active Directory denote the physical structure of a network.
The physical structure information is available as site and site link objects in the
directory. This information is used to build the most efficient replication topology.
Generally, Active Directory Sites and Services are used to define sites and site links.
Whereas sites represent the physical structure of the network, domains represent
the logical structure of the organization. This partitioning of physical and logical
structures offers the following advantages:
■ You can develop and manage the logical and physical structures of your
network independently.
■ You do not have to base domain namespaces on your physical network.
■ You can deploy DCs for multiple domains within the same site.
■ You can deploy DCs for the same domain in multiple sites.
In Figure 4.10, we see how multiple sites reside in a single domain,
and how a single site can consist of multiple domains. A domain provides
the following benefits:
■ It organizes domain objects.
■ It publishes resources and information about domain objects.
■ It applies GPOs to the domain to perform resource and security
management.
■ It delegates authority to eliminate the need for administrators
with broad administrative authority.
■ Security policies and settings such as user rights and password
policies do not change from one domain to another.
■ Each domain stores only the information about the objects
located in that domain.
EXAM WARNING
Make sure you are familiar with the benefits provided by a domain,
and how a domain works to provide them for you.
Subnets
In Active Directory, a site consists of a set of computers that are interconnected in a
LAN. Computers within the same site typically exist in the same building, or on the
same campus network. A single site consists of one or more IP subnets. These subnets
are a section of an IP network, with each subnet having a unique network address.
A subnet groups neighboring computers in much the same way that postal codes
group neighboring postal addresses. Figure 4.11 shows one or more clients
residing within a subnet that defines an Active Directory site.
TEST DAY TIP
Make sure you know and understand the differences between the physical
and logical structures of the network. Be aware of how each is used to
build the most efficient replication topology.
The subnets created through Active Directory Sites and Services are sections of
an IP network, each with a unique network address. In Figure 4.11, 231.01.01.0/19
is shown as the network address of the site's subnet. (Note that 231.0.0.0/8 lies
inside 224.0.0.0/4, the IPv4 multicast range; a real site subnet uses a unicast
prefix such as 10.14.208.0/20, and octets should be written without leading zeros.)
Sites and subnets are represented in Active Directory by site and subnet objects,
which we create through the Active Directory Sites and Services administrative
tool. Each site object is associated with one or more subnet objects.
Figure 4.11 The Active Directory Site with One or More Client Computers within a Subnet
(Diagram, not reproduced: an Active Directory site containing client computers on a single subnet.)
Site Planning
You should plan thoroughly before creating and deploying an Active Directory. Site
planning enables you to optimize the efficiency of the network and reduce administrative
overhead. High-performance sites are developed based on the proper planning
of the physical design of your network. Site planning enables you to determine
exactly which sites you should create and how they can be linked using site links and
site link bridges. Site information is stored in the configuration partition, which enables
you to create sites and related information at any point in your deployment of Active
Directory.
Site planning enables you to publish site information in the directory for use
by applications and services. Generally, Active Directory itself is the main consumer of the site
information. You'll see how replication impacts site planning later in this chapter.
Criteria for Establishing Separate Sites
When you first create a domain, a single default Active Directory site called
Default-First-Site-Name is created, and it represents your entire network. A domain
or forest that consists of a single site is efficient for a LAN connected by
high-speed links.
NOTE
The configuration partition is not a disk partition. It is one of the directory
partitions (naming contexts) of Active Directory, and it holds forest-wide
configuration data, including the site, subnet, site link, and site link bridge
objects, under CN=Configuration,DC=<forest root>. Every DC holds a copy of the
schema and configuration partitions, and both are replicated to every DC in
the forest.
NOTE
A forest is a set of one or more Active Directory domains that share a common
schema (class and attribute definitions), a common configuration partition
(including site and replication information), and a common global catalog, but
not necessarily a contiguous namespace. The domains in a forest are linked by
two-way transitive trust relationships.
If a single LAN consists of one subnet, or if a network consists of multiple
subnets connected by high-speed links, keeping a single-site topology
offers the following advantages:
■ Simplified replication management
■ Prompt directory updates between all DCs
With a single site, all replication occurs as intrasite replication, which requires
no manual replication configuration and propagates changes to every DC by change
notification shortly after they are made.
Creating a Site
Sites are created using the Active Directory Sites and Services tool of Windows
Server 2008. Exercise 4.10 walks you through the steps involved in creating a site.
Active Directory Sites and Services is an MMC that you can use to administer
the replication of directory data. You can also use this tool to create new sites, site
links, subnets, and so forth.
EXERCISE 4.10
CREATING A NEW SITE
1. To open the Active Directory Sites and Services tool, click Start |
Control Panel | Administrative Tools | Active Directory Sites and
Services. The Active Directory Sites and Services console appears,
as shown in Figure 4.12.
NOTE
Intrasite replication refers to replication among DCs within the same
site. Intersite replication refers to replication among DCs located at
different sites.
2. Highlight the Sites folder in the left-hand tree pane of the Active
Directory Sites and Services console. Right-click it and select
New Site from the context menu, as shown in Figure 4.13.
Figure 4.12 The Active Directory Sites and Services Tool
3. Selecting the New Site option opens a New Object Site dialog
box, as shown in Figure 4.14.
Figure 4.13 The New Site Option
4. Type the name of the site in the Name box present in the New
Object Site dialog box, as shown in Figure 4.15.
Figure 4.14 The New Object Site Dialog Box
5. Select an initial site link object for the site from the New Object Site
dialog box.
6. Click OK. You will be presented with a pop-up box indicating the
next steps that you should follow once the new site is created.
Read this informational message and then click OK. This completes
the process of creating a site using the Active Directory Sites and
Services tool.
Figure 4.15 The Name of the Site
Renaming a Site
Renaming a site is one of the first tasks you should perform when administering
a site structure. When you create a site initially, it is created with the default name
Default-First-Site-Name. You can change this name based on the purpose of the
site, such as the name of the physical location.
A site is also renamed when a network of an organization is expanded by one
or more sites. Even if an organization is located in a single location, it makes sense
to rename the Default-First-Site-Name, because you never know when the network
will expand. Renaming a site enables administrators to differentiate sites present in
a network easily and perform administration tasks efficiently.
When a DC becomes aware that its site has been renamed, it updates its
site-specific DNS SRV records accordingly. Because cached DNS lookups and
client-side caching of the site name can cause temporary delays in locating a DC
immediately after a rename, it's best to name and rename sites as early as
possible in the deployment. After renaming a site, it's advisable to force
replication manually with the other DCs in the same site.
You rename a site using the Active Directory Sites and Services tool of Windows
Server 2008. Exercise 4.11 walks you through the steps involved in renaming a
new site.
EXERCISE 4.11
RENAMING A NEW SITE
1. To open the Active Directory Sites and Services tool, click Start |
Control Panel | Administrative Tools. Double-click Active Directory
Sites and Services. The Active Directory Sites and Services dialog
box appears.
2. Expand the Sites folder in the left-hand tree pane of the Active
Directory Sites and Services console.
3. Right-click the site you want to rename and select the Rename
option from the context menu.
4. Type the new name over the highlighted site name in the left
console pane.
5. Press Enter. This completes the process of renaming a site using the
Active Directory Sites and Services tool.
Creating Subnets
Subnets are associated with the Active Directory sites to match client computers.
The subnets are denoted by a range of IP addresses. The Active Directory Sites
and Services user interface prevents you from having to provide the subnet names
manually; instead, you are prompted for a network address. An example of a subnet
name for an IP Version 4 network is 10.14.208.0/20. This IP address consists of two
portions: The network address appears before the slash, and a representation of the
subnet mask appears after the slash. Table 4.3 shows some common subnet masks
and the corresponding slash notations. The number following the slash indicates the
number of binary digits (bits) that make up the network partition of the IP address.
The number 255 in decimal translates to 11111111 in binary (8 bits); thus, you can
see how the subnet masks in Table 4.3 translate to the corresponding slash notations.
NOTE
The Windows Server 2008 Active Directory consists of the default site
link, named DEFAULTIPSITELINK, which is created automatically when
the first domain in the network is created. This link is assigned to the
Default-First-Site-Name site. These are the names assigned automatically
when you create the first site. You should change the default names to
something more descriptive.
Table 4.3 Subnet Masks and Slash Notation

Subnet Mask        Slash Notation
255.0.0.0          /8
255.255.0.0        /16
255.255.255.0      /24
255.255.255.128    /25
255.255.255.192    /26
255.255.255.224    /27
255.255.255.240    /28
255.255.255.248    /29
255.255.255.252    /30
255.255.255.254    /31

IP Version 6 (IPv6) is the successor to IPv4 in the Transmission Control
Protocol/Internet Protocol (TCP/IP) suite, and its use is increasing because it
addresses a number of shortcomings that have appeared in IPv4 over time. Windows
Server 2008, like Windows Vista before it, installs and enables IPv6 by default in
a fresh installation; earlier versions such as Windows Server 2003 and Windows XP
shipped an IPv6 stack that had to be installed separately. IPv6 was developed to
address a number of limitations of IPv4, the most notable being the size of the
IPv4 address space, that is, the number of usable addresses IPv4 can provide.
When TCP/IP was developed in the 1970s, no one foresaw the Internet explosion
of the 1990s that would threaten to exhaust the roughly 4.3 billion (2^32)
addresses available through IPv4. The useful lifespan of IPv4 has been extended
through the use of private IP networks and network address translation (NAT), but
a long-term solution is still required. To this end, IPv6, the next generation of
IP, was developed to provide a significantly larger address space for current and
future TCP/IP networks.
IPv6 uses 128 bits, or 16 bytes, for its addressing scheme, which provides 2^128
(about 3.4 x 10^38, or 340 undecillion) addresses. IPv6 address notation is
noticeably different from the dotted-decimal notation of IPv4: an address is
written as eight groups of four hexadecimal digits, separated by colons. For
example, 192.168.1.243 is an IPv4 address, and
5ab1:0c12:63d7:0237:9175:bade:0370:7334 is an IPv6 address.
Leading zeros within a group can be dropped, and one run of consecutive all-zero
groups can be replaced by a double colon (::). The double colon may appear only
once in an address; otherwise the number of omitted groups would be ambiguous.
So, the following three strings all represent the same IPv6 address:
■ 5925:0000:0000:0000:0000:0000:0000:2742
■ 5925:0:0:0:0:0:0:2742
■ 5925::2742
IPv6 includes a few other enhancements for performance and security. Notably,
support for IPsec is a required part of the IPv6 node specification, whereas under
IPv4 it was an optional add-on. In practice this only means the stack must support
it: IPsec still has to be configured and enforced by policy on either protocol.
You create subnets using the Active Directory Sites and Services tool of Windows
Server 2008. Exercise 4.12 shows the steps involved in creating subnets.
EXERCISE 4.12
CREATING SUBNETS
1. To open the Active Directory Sites and Services tool, click Start |
Control Panel | Administrative Tools, and then double-click Active
Directory Sites and Services. The Active Directory Sites and
Services console appears.
2. Highlight the Sites folder in the left-hand tree pane of the Active
Directory Sites and Services console. Expand the Sites folder.
3. Right-click Subnets and select New Subnet from the context
menu, as shown in Figure 4.16.
NOTE
The loopback address in IPv6 is expressed as ::1.
4. Selecting the New Subnet option opens a New Object Subnet
dialog box. In the Prefix box, type the subnet in network prefix
notation (address/prefix length), for example 10.14.208.0/20; an
IPv6 prefix is entered the same way.
5. Select a site object for this subnet from the list provided in the
New Object Subnet dialog box.
6. Click OK. This completes the process of creating a subnet using
the Active Directory Sites and Services tool.
Associating Subnets with Sites
After creating sites and subnets, the next step is to associate your subnets with sites.
A computer on an Active Directory network is assigned to a site according to the
IP subnet in which its address falls; when more than one subnet object contains
the address, the most specific (longest) prefix wins. Remember that a site consists
of one or more IP subnets. You specify the subnets associated with each site on
your network by creating subnet objects in the Active Directory Sites and
Services console. The association of subnets with sites enables computers on the
network to find a DC in their own site, so that authentication traffic does not
cross WAN links unnecessarily. Active Directory also uses site and subnet
information during replication to determine the best routes between DCs.
A client whose address matches no subnet object belongs to no site; it may then
authenticate against a DC anywhere in the domain, which is exactly the WAN traffic
the site structure is meant to avoid, so keep the subnet objects complete as the
network grows.
Figure 4.16 The New Subnet Option
You associate subnets with sites using the Active Directory Sites and Services
tool of Windows Server 2008. Exercise 4.13 walks you through the steps involved
in associating subnets with sites.
EXERCISE 4.13
ASSOCIATING SUBNETS WITH SITES
1. To open the Active Directory Sites and Services tool, click Start |
Administrative Tools, and then click Active Directory Sites and
Services.
2. Highlight the Subnets folder in the left-hand tree pane of
the Active Directory Sites and Services console (see Figure 4.17).
Figure 4.17 The Subnet Folder
3. Right-click the newly created subnet and select the Properties option;
this will open a Properties dialog box, as shown in Figure 4.18.
Figure 4.18 Subnet Dialog Box for Associating/Changing the Site
4. Associate any site with this subnet by selecting the available site
from the site drop-down menu, and click OK. This completes
the process of associating a subnet with a site using the Active
Directory Sites and Services tool.
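The subnet-to-site mapping described above is a longest-prefix match over the subnet objects, and the ipaddress module in the Python standard library does the prefix arithmetic (including the IPv6 :: compression from the previous section and the mask-to-slash translation of Table 4.3) for you. The following is an added example, not code from the book or from Microsoft; it models the lookup offline against a constructed set of subnet objects with hypothetical site names and prefixes, and adds the check a practitioner wants before a site rollout: subnets that overlap but point at different sites, and client addresses that match no subnet at all.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample of subnet objects (prefix -> siteObject), standing in for the
# children of CN=Subnets,CN=Sites,CN=Configuration,... ; site names and prefixes
# are hypothetical.
SUBNETS: Dict[str, str] = {
    "10.14.208.0/20": "Boston",
    "10.14.0.0/16": "Hub",          # broader prefix that also contains Boston's range
    "192.168.1.0/24": "Remote-01",
    "5925::/32": "Tokyo",           # IPv6 prefix, written in compressed form
}


def parse_prefix(prefix: str):
    """Parse address/prefix-length notation as ADSS expects it (strict: host bits must be zero)."""
    return ipaddress.ip_network(prefix, strict=True)


def mask_to_prefixlen(mask: str) -> int:
    """Translate a dotted-decimal IPv4 mask (Table 4.3, left column) to its slash value."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def canonical(addr: str) -> str:
    """Return the compressed textual form of an address (5925:0:0:0:0:0:0:2742 -> 5925::2742)."""
    return str(ipaddress.ip_address(addr))


def find_site(client_ip: str, subnets: Dict[str, str] = SUBNETS) -> Optional[str]:
    """Site for a client address: the subnet object with the longest matching prefix wins.
    Returns None when no subnet object contains the address (a siteless client)."""
    ip = ipaddress.ip_address(client_ip)
    best_site, best_len = None, -1
    for prefix, site in subnets.items():
        net = parse_prefix(prefix)
        if net.version != ip.version:
            continue
        if ip in net and net.prefixlen > best_len:
            best_site, best_len = site, net.prefixlen
    return best_site


def overlapping_subnets(subnets: Dict[str, str] = SUBNETS) -> List[Tuple[str, str, str, str]]:
    """Pairs of subnet objects where one contains the other but they belong to different
    sites. Such overlaps are legal, but the longest prefix silently wins, so each one
    should be deliberate."""
    nets = [(parse_prefix(p), s) for p, s in subnets.items()]
    found = []
    for i, (a, site_a) in enumerate(nets):
        for b, site_b in nets[i + 1:]:
            if a.version != b.version or site_a == site_b:
                continue
            if a.subnet_of(b) or b.subnet_of(a):
                found.append((str(a), site_a, str(b), site_b))
    return found


if __name__ == "__main__":
    for client in ("10.14.210.7", "10.14.5.1", "172.16.0.1", "5925::2742"):
        print(f"{client:>16} -> {find_site(client)}")
    print("overlaps:", overlapping_subnets())
```

In a real deployment the same siteless-client condition surfaces on the DCs themselves: Netlogon periodically logs event ID 5807 listing clients whose addresses map to no site, and the netlogon.log file records them individually, which is the data to feed into a check like `find_site` when auditing subnet coverage.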
Creating Site Links
After creating and defining the scope of each site, the next step in the site configuration
process is to establish connections between the sites. Active Directory represents the
physical connectivity between sites with site link objects. A site link object embodies
a set of sites that can communicate with one another at a uniform cost. A site link that
contains exactly two sites corresponds to a point-to-point WAN link for the IP transport.
A site link that contains more than two sites models a shared network, such as an
Asynchronous Transfer Mode (ATM), frame relay, or metropolitan area network (MAN) cloud
reached through leased lines and IP routers, in which every member site can reach every
other member at the same cost. Each site link has these four attributes:
■ Transport The networking technology used to move the replication traffic
(RPC over IP, or SMTP)
■ Sites The sites that the site link connects
■ Cost The value used to compare this link with others; it reflects the relative
speed, reliability, and charges of the link, and lower is better
■ Schedule The times at which the link is available for replication, and the
replication interval
You create site links using the Active Directory Sites and Services tool of
Windows Server 2008. Exercise 4.14 walks you through the steps involved in creating
site links.
EXERCISE 4.14
CREATING SITE LINKS
1. To open the Active Directory Sites and Services tool, click Start |
Administrative Tools, and then click Active Directory Sites and
Services.
2. Highlight the Inter-Site Transports folder in the left-hand tree
pane of the Active Directory Sites and Services console. Expand
the Inter-Site Transports folder, as shown in Figure 4.19.
3. Right-click either the IP or the SMTP folder in the left-hand tree pane
of the Active Directory Sites and Services console. IP is the normal
choice; SMTP is used only for intersite replication of the schema,
configuration, and global catalog partitions between DCs of different
domains. Select New Site Link from the context menu, as shown in
Figure 4.20.
Figure 4.19 The Inter-Site Transports Folder
4. Selecting the New Site Link option opens a New Object Site
Link dialog box.
5. Type the name of the new site link object in the Name box in the
New Object Site Link dialog box.
6. Select two or more sites for establishing connection from the
Sites not in this site link box, and click Add.
7. Click OK. This completes the process of creating a new site link
object using the Active Directory Sites and Services tool.
Figure 4.20 The New Site Link Option
Configuring Site Link Cost
A site link cost expresses how expensive an organization considers the network
connection between the sites that the site link connects. Higher costs represent
more expensive connections. If two routes are available between two sites, the
lowest-cost route will be chosen. Each site link is assigned an IP or Simple Mail
Transfer Protocol (SMTP) transport protocol, a cost, a replication frequency, and
an availability schedule. All these parameters should reflect the characteristics
of the physical network connection.
The cost assigned to a site link is a number on an arbitrary scale that should
reflect, in some sense, the expense of transmitting traffic over that link. Cost can
be in the range of 1 to 32,767, and lower costs are preferred. The cost of a link
should be inversely proportional to the effective bandwidth of the network
connection between the sites. For example, if you assign a cost of 32,000 to a
64 Kbps line, you should assign 16,000 to a 128 Kbps line and 1,000 to a 2 Mbps
line. It makes sense to use a high number for the slowest link in your organization
and leave room below it. As technology improves and communication becomes cheaper,
future WAN lines will likely be faster than today's, so there is little sense in
assigning a cost of 2 to your current 128 Kbps line and a cost of 1 to your 256 Kbps
line: a faster link installed later could not be given a lower cost than 1. Remember
also that the route between two sites is judged by the sum of the costs along it,
so a chain of several low-cost links can be preferred over one higher-cost direct
link.
You configure site link costs using the Active Directory Sites and Services tool
of Windows Server 2008. Exercise 4.15 illustrates the steps involved in configuring
site link costs.
EXERCISE 4.15
CONFIGURING SITE LINK COSTS
1. To open the Active Directory Sites and Services tool, click Start |
Administrative Tools, and then click Active Directory Sites and
Services.
2. Highlight the Sites folder in the left-hand tree pane of the Active
Directory Sites and Services console and expand the Sites folder.
3. Highlight the Inter-Site Transports folder in the left-hand tree
pane of the Active Directory Sites and Services console and
expand the Inter-Site Transports folder.
4. Right-click the site link whose cost you want to configure in the
left-hand tree pane of the Active Directory Sites and Services
console, and select Properties. Selecting Properties opens a dialog
box, as shown in Figure 4.21.
Figure 4.21 The Properties Option
5. Type the value for the cost of replication of the site link object in
the Cost box in the dialog box.
6. Click OK. This completes the process of configuring site link costs
using the Active Directory Sites and Services tool.
Understanding Replication
Replication is defined as the practice of transferring data from a data store present
on a source computer to an identical data store present on a destination computer
to synchronize the data. In a network, the directory data must live in one or more
places on the network to be equally available to all users. The Active Directory
directory service manages a replica of directory data on one or more DCs, ensuring
the availability of directory data to all users. The Active Directory works on the
concept of sites to perform replication efficiently, and it uses the KCC to choose
the best replication topology for the network automatically.
Replication is an essential process for any domain that has multiple DCs.
Replication ensures that each copy of the domain data is up-to-date, and works
by sending information about changes from one DC to another. Earlier versions
of Windows NT used a single-master model in which the primary domain controller
(PDC) maintained the master copy of the domain database and was also responsible
for replicating changes to the backup domain controllers (BDCs). In a single-master
environment, if for some reason the PDC is unavailable, no changes can be made
to the database.
In Windows Server 2008 domains, every writable DC has a complete copy of
the Active Directory of its own domain. This is similar to the NT model, but the
difference is that each Windows Server 2008 DC first accepts and makes changes
to the database and then replicates those changes to other DCs. An environment in
which multiple computers are used for managing changes is known as a multimaster
environment.
NOTE
The KCC is a process that runs on a DC, and identifies the most efficient
replication topology for the network automatically, based on the data
provided by the network in Active Directory Sites and Services.
A multimaster environment has many advantages over the single-master
configuration, including the following:
■ There is no single point of failure for ordinary directory updates, as every
writable DC can accept changes to the database. (The operations master roles,
such as the RID master, remain single-master; their specific tasks are
unavailable while the role holder is down.)
■ DCs that accept changes to the database are distributed throughout the
network. This allows administrators to make changes on local DCs and let
the replication ensure that these changes are updated to all other DCs in
an efficient manner.
Replication in a Windows Server 2008 environment is one of two types:
■ Intrasite replication Replication that occurs between DCs within
a site
■ Intersite replication Replication that occurs between DCs in
different sites
It is important to understand the differences between these methods when
planning the site structure and replication.
Intrasite Replication
Intrasite replication occurs between DCs within a site. The system implementing
such replication uses high-speed, synchronous Remote Procedure Calls (RPCs).
Within a site, a ring topology is created by the KCC between the DCs for
replication (see Figure 4.22). The KCC is a built-in process that runs on all DCs
and helps create the replication topology. It runs every 15 minutes by default and
determines the replication path between DCs based on the connections available.
The KCC automatically creates replication connections between DCs within
the site. The ring topology created by the KCC defines the path through which
changes flow within the site. All the changes follow the ring until every DC
receives them.
The KCC analyzes the replication topology within a site to ensure efficiency.
If a DC is added or removed, it reconfigures the ring for maximum efficiency.
It also configures the ring so that there will be no more than three hops between
any two DCs within the site, which sometimes results in the creation of multiple
rings (see Figure 4.23).
Figure 4.22 Ring Topology for Replication
(Diagram, not reproduced: Server 1, Server 2, Server 3, and Server 4 connected in a ring.)
Intersite Replication
Intersite replication takes place between DCs in different sites. Unlike intrasite
replication, it depends on information you supply manually: you describe the physical
network as site link objects (sites, cost, schedule, transport), and Active Directory
builds an efficient intersite replication topology from that information. A DC holding
the Inter-Site Topology Generator (ISTG) role builds the topology for its site. The
ISTG is a function of the KCC that runs on one DC in each site; it considers the cost
of intersite connections, checks whether the bridgehead servers it previously selected
are still available and whether new DCs have been added, and updates the intersite
connection objects accordingly. A least-cost spanning-tree algorithm is used to
eliminate superfluous replication paths between sites. The intersite replication
topology is updated regularly to respond to changes in the network. Intersite
replication is designed for traffic that must cross slower WAN links: it is compressed
and, by default, runs on the schedule and interval configured on the site link rather
than on change notification.
Figure 4.23 The Three-Hop Rule of Intrasite Replication
(Diagram, not reproduced: Server 1 through Server 6 in a ring, with additional connections so that no two DCs are more than three hops apart.)
Intersite replication across a site link occurs every 180 minutes by default; you can
change this if necessary. In addition, you can schedule when the site link is available
for use. By default, a site link is available to carry replication 24 hours a day, seven
days a week, and you can change this as well. A site link belongs to one of two
transports: RPC over IP, which is synchronous and is the only transport used within a
site and the normal choice between sites, or SMTP, which is asynchronous store-and-forward
mail. Replication within a site always uses RPC over IP, whereas replication between sites
can use either RPC over IP or SMTP. SMTP is supported only between DCs of different
domains, because it can carry the schema, configuration, and global catalog partial
replicas but not the domain partition; DCs of the same domain must replicate using RPC
over IP. Hence, between sites you can configure point-to-point RPC over IP links,
asynchronous SMTP links, or both.
Bridgehead Servers
A bridgehead server is a server that is mainly used for intersite replication. You can
configure a bridgehead server for every site that is created for each intersite replication
protocol. This helps to control the server that is used to replicate information
to other servers.
To configure a server as a bridgehead server, follow these steps:
1. Choose Start | Administrative Tools | Active Directory Sites and
Services.
2. Expand the Sites folder.
3. Expand the site in which a bridgehead server has to be created, and then
expand the Servers folder.
4. Right-click on the server and choose Properties.
5. In the Transports available for inter-site transfer area, select the protocol
for which this server should be a bridgehead and click Add.
6. Click OK to set the properties, and then close Active Directory Sites
and Services.
The ability to designate preferred bridgehead servers gives you greater control
over which servers carry replication between sites. Designate at least two per
transport in each site, though: if every preferred bridgehead server in a site is
unavailable, intersite replication for that transport into the site is disrupted
until one returns or the designation is removed.
Site Link Bridges
Often, there is no need to deal with site link bridges separately, because by
default all site links for a transport are transitive: the Bridge all site links
option is enabled, so any two sites that can be reached through a chain of site
links are considered connected, and the ISTG can route replication through
intermediate sites. When your network is not fully routed (for example, a firewall
permits only hub-to-spoke traffic), or when you need to control through which sites
replication may flow, disable automatic bridging for the transport and create
explicit site link bridges. A site link bridge makes only the site links it contains
transitive with one another; site links outside any bridge remain point-to-point.
To disable transitive site links (automatic bridging), follow these steps:
1. Choose Start | Administrative Tools | Active Directory Sites and
Services.
2. Expand the Sites folder and then expand the Inter-Site Transports
folder.
3. Right-click on the transport for which the automatic bridging should be
turned off, and choose Properties.
4. On the General tab, clear the Bridge all site links checkbox and
click OK.
To create a site link bridge, follow these steps:
1. Choose Start | Administrative Tools | Active Directory Sites and
Services.
2. Expand the Sites folder and then the Inter-Site Transports folder.
3. Right-click on the transport that needs to be used, and choose New Site
Link Bridge.
4. In the Name box, enter a name for the site link bridge.
5. From the list of Site links not in this bridge, select the site link to be
added.
6. Remove any extra site links in the Site links in this bridge box and
click OK.
Scheduling
You can configure replication frequency by providing an integer value that
informs the Active Directory as to how many minutes it should wait before it can
use a connection to check replication updates. The interval of time must be not
less than 15 minutes and not more than 10,080 minutes. For any replication to
happen, a site link is essential. Follow these steps to configure site link replication
frequency:
1. Choose Start | Administrative Tools | Active Directory Sites
and Services.
2. Expand the Inter-Site Transports folder; select either the IP or the
SMTP folder and right-click the site link for which the site replication
frequency is to be set.
3. Click Properties, and in the Properties dialog box for the site link, enter
in the Replicate Every box the number of minutes between replications.
The default value is 180.
4. Click OK.
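The cost, bridging, and scheduling rules above combine into a shortest-path problem over the site links: the route between two sites is judged by the sum of link costs, a site link with more than two members behaves as a full mesh at one cost, and with automatic bridging off only links that share an explicit site link bridge are transitive. The following is an added example, not code from the book or from Microsoft; it is a simplified model of that computation rather than the ISTG's actual algorithm. It runs offline against a constructed set of site links with hypothetical site names, derives costs from bandwidth as the text recommends, validates the replication interval against the 15 to 10,080 minute range, and estimates the worst-case propagation delay along the chosen route from each link's interval.

```python
import heapq
from itertools import combinations
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed site links: name -> (member sites, cost, replication interval in minutes).
# Names are hypothetical; "Backbone" has three members, modelling a shared network in
# which every member site reaches every other at the same cost.
SiteLink = Tuple[Set[str], int, int]
SITE_LINKS: Dict[str, SiteLink] = {
    "Boston-Hub":   ({"Boston", "Hub"}, 100, 180),
    "Hub-Tokyo":    ({"Hub", "Tokyo"}, 500, 180),
    "Backbone":     ({"Hub", "Dallas", "Denver"}, 50, 15),
    "Boston-Tokyo": ({"Boston", "Tokyo"}, 1000, 240),
}

MAX_COST = 32767                         # upper bound quoted in the text
MIN_INTERVAL, MAX_INTERVAL = 15, 10080   # replication interval bounds, in minutes


def cost_from_bandwidth(kbps: float, slowest_kbps: float = 64, slowest_cost: int = 32000) -> int:
    """Cost inversely proportional to bandwidth, anchored so the slowest link gets slowest_cost
    (64 Kbps -> 32000, 128 Kbps -> 16000, 2048 Kbps -> 1000) and clamped to the valid range."""
    cost = round(slowest_cost * slowest_kbps / kbps)
    return max(1, min(MAX_COST, cost))


def validate_interval(minutes: int) -> int:
    """Reject replication intervals outside the range the site link accepts."""
    if not MIN_INTERVAL <= minutes <= MAX_INTERVAL:
        raise ValueError(f"interval must be {MIN_INTERVAL}..{MAX_INTERVAL} minutes, got {minutes}")
    return minutes


def _adjacency(links: Dict[str, SiteLink], allowed: Iterable[str]):
    """Expand each allowed site link into edges between every pair of its member sites."""
    adj: Dict[str, List[Tuple[str, int, str]]] = {}
    for name in allowed:
        members, cost, _ = links[name]
        for a, b in combinations(sorted(members), 2):
            adj.setdefault(a, []).append((b, cost, name))
            adj.setdefault(b, []).append((a, cost, name))
    return adj


def _dijkstra(adj, src: str, dst: str) -> Optional[Tuple[int, List[str], List[str]]]:
    """Least-cost route src -> dst: (total cost, sites on the route, site links used)."""
    dist = {src: 0}
    prev: Dict[str, Tuple[str, str]] = {}   # site -> (previous site, link name)
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue                         # stale heap entry
        for v, w, link in adj.get(u, []):
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                prev[v] = (u, link)
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None
    sites, links_used, cur = [dst], [], dst
    while cur != src:
        cur, link = prev[cur]
        sites.append(cur)
        links_used.append(link)
    return dist[dst], sites[::-1], links_used[::-1]


def least_cost_route(src: str, dst: str, links: Dict[str, SiteLink] = SITE_LINKS,
                     bridge_all: bool = True, bridges: Iterable[Set[str]] = ()):
    """Route preferred between two sites.
    bridge_all=True: every site link is transitive (the default 'Bridge all site links').
    bridge_all=False: a route may use one site link alone, or only links sharing an explicit bridge."""
    if bridge_all:
        return _dijkstra(_adjacency(links, links), src, dst)
    candidates = [{name} for name in links] + [set(b) for b in bridges]
    best = None
    for allowed in candidates:
        route = _dijkstra(_adjacency(links, allowed), src, dst)
        if route and (best is None or route[0] < best[0]):
            best = route
    return best


def worst_case_latency(links_used: List[str], links: Dict[str, SiteLink] = SITE_LINKS) -> int:
    """Simplified upper bound: a change may wait one full interval at each intersite hop."""
    return sum(validate_interval(links[name][2]) for name in links_used)


if __name__ == "__main__":
    route = least_cost_route("Boston", "Tokyo")
    print(route, "worst-case minutes:", worst_case_latency(route[2]))
    print(least_cost_route("Boston", "Dallas", bridge_all=False))
    print(least_cost_route("Boston", "Dallas", bridge_all=False, bridges=[{"Boston-Hub", "Backbone"}]))
```

The model deliberately ignores things the real ISTG also weighs, such as whether the schedules of consecutive links overlap and which bridgehead servers are reachable; its value is in showing why a direct 1000-cost link loses to a 100 + 500 chain, and why turning off Bridge all site links without adding a bridge leaves spoke sites with no route at all.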
Forcing Replication
Within a site, data is normally replicated on change notification shortly after a
change is made; between sites it waits for the site link schedule. An administrator
can also force immediate replication. To do so for all data on a given connection,
in a single direction, perform the following steps:
1. Choose Start | Administrative Tools | Active Directory Sites and
Services. Expand Sites in the left-hand tree pane.
2. Expand the site that contains the DC you want to replicate to (the destination).
3. Expand the destination server.
4. Select the server's NTDS Settings object. The right console pane shows the
server's inbound connection objects.
5. In the right pane, right-click the connection from the server you want
to replicate from (the source), and select Replicate Now.
You also can force replication from the command line with the repadmin.exe
utility, which is installed with the AD DS role on Windows Server 2008 (on Windows
Server 2003 it was part of the Support Tools). For example, repadmin /replicate
<destination DC> <source DC> <naming context DN> pulls one partition from one partner,
repadmin /syncall <DC> /AdeP synchronizes that DC with all of its partners, including
those across site links, and repadmin /showrepl lists a DC's inbound connections with
the result of the last replication attempt on each.
Replication Protocols
When creating site links, you have the option of using either IP or SMTP as the
transport protocol:
■ SMTP replication SMTP can be used only for replication over site links, and
only for the schema, configuration, and global catalog partial replica partitions
between DCs of different domains; the domain partition cannot be replicated over
SMTP. It is asynchronous; that is, the requesting DC does not wait for the reply,
so the reply may take some time to arrive. SMTP replication also ignores the
Replication Available and Replication Not Available settings on the site link
schedule, and uses only the replication interval to decide how often the server
requests changes. When choosing SMTP, you must install and configure an enterprise
certificate authority (CA), because DCs sign the SMTP messages they exchange with
certificates it issues. SMTP replication is designed for slow or unreliable WAN
links, in situations where IP connectivity between sites is too unreliable for
RPC-based Active Directory replication.
■ IP replication All replication within a site uses synchronous RPC over IP.
Replication within a site is fast and delivers updates uncompressed: replication
events occur more frequently within a site than between sites, and the overhead of
compression would be wasted on fast connections. RPC over IP is also the normal
intersite transport; between sites, replication traffic is compressed by default
to conserve WAN bandwidth.
Planning, Creating, and Managing the Replication Topology
An important job when implementing replication topology is planning, creating,
and managing the replication topology, as discussed next.
Planning Replication Topology
Let's now discuss how to plan a replication topology:
■ Before starting the replication planning process, the forest, domain, and DNS
design must be finished.
■ It is essential to have an understanding of Active Directory replication, the
File Replication Service (FRS), and SYSVOL replication used to replicate
group policy changes.
■ For Active Directory replication, a rule of thumb is that a given DC that acts
as a bridgehead server should not have more than 50 active simultaneous
replication connections at any given time.
Creating Replication Topology
The next step is to create the replication topology. Let's discuss how to create a
replication topology:
■ Active Directory replication is a one-way pull replication whereby the
DC that needs updates (the target DC) gets in touch with the replication
partner (the source DC). Then, the source DC selects the updates that
the target DC needs, and copies them to the target DC. Because Active
Directory uses a multimaster replication model, each DC functions as both
source and target for its replication partners. From the view of a DC, it has
both inbound and outbound replication traffic, depending on whether it is
the source or the destination of a replication sequence.
■ Inbound replication is the incoming data transfer from a replication partner
to a DC, and outbound replication is the data transfer from a DC to its
replication partner.
■ System policies and logon scripts that are stored in SYSVOL use FRS to
replicate. Each DC keeps a copy of SYSVOL for network clients to access.
FRS is also used for DFS.
■ Components of the replication topology such as the KCC, connection
objects, site links, and site link bridges are to be checked by the administrator.
There are two methods for creating a replication topology:
■ Use the KCC to create connection objects. This method is recommended
if there are 100 or fewer sites.
■ Use a scripted or third-party tool for the creation of connection objects.
This method is recommended if there are more than 100 sites.
Configuring Replication between Sites
To ensure that users can log on within a given span of time, it is necessary to
locate DCs near them, which sometimes involves moving the DCs between sites.
The purpose of a site is to help manage the replication between DCs and across
slow network links. In addition to creating the site and adding subnets to that site,
we also need to move DCs into the site, as replication happens between DCs. The
DC must be placed in the site to which it belongs so that clients within that site can
locate a DC in the site and log on to it.
To move DCs, follow these steps:
1. Open Active Directory Sites and Services.
2. Choose the Sites folder and then select the site where the server
is located.
3. In the site, expand the Servers folder.
4. Right-click on the DC you want to move, and choose Move.
5. Select the destination subnet from the dialog box and click OK.
Troubleshooting Replication Failure
DCs usually handle the replication process automatically. Failed network links and
incorrect configurations, however, prevent information from being synchronized
between DCs.
There are many ways to monitor the behavior of Active Directory replication
and correct problems if they occur.
Troubleshooting Replication
A common symptom of replication problems is that the information is not updated
on some or all DCs. There are several steps that you can take to troubleshoot Active
Directory replication, including:
■ Check the network connectivity The basic requirement for any type
of replication to work properly in a distributed environment is network
connectivity. The ideal situation is that all the DCs are connected by high-speed
LAN links. In the real world, either a dial-up connection or a slow
connection is common. Check to see whether the replication topology is
set up properly. In addition, confirm whether the servers are communicating.
Failed dial-up connection attempts can prevent important Active
Directory information from being replicated.
■ Examine the replication topology The Active Directory Sites and
Services tool helps to verify whether a replication topology is logically
consistent. You do this by right-clicking the NTDS Settings within a
Server object and selecting All Tasks | Check Replication Topology.
If there are any errors, a dialog box will alert you to the problem.
■ Validate the event logs Whenever an error in the replication configuration
occurs, events are written to the Directory Service event log. The Event Viewer
administrative tool can provide the details associated with any problems in
replication.
■ Verify whether the information is synchronized Many administrators
forget to execute manual checks regarding the replication of Active Directory
information. One of the reasons for this is that Active Directory DCs have
their own read/write copies of the Active Directory database. Therefore,
no failures are encountered while creating new objects if connectivity does
not exist. It is important to regularly check whether the objects have been
synchronized between DCs. The manual check, although tedious, can prevent
inconsistencies in the information stored on DCs.
■ Check router and firewall configurations Firewalls are used to restrict
the types of traffic transferred between networks. They increase security
by preventing unauthorized users from transferring information. In some
cases, company firewalls might block the types of network access that
should be available for Active Directory replication to occur.
■ Verify site links Before any DCs in different sites can communicate, the
sites must be connected by site links. If replication between sites doesn't
occur properly, verify whether the site links are in the proper positions.
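The checks in the list above, gathered into a PowerShell health check. This is an added example, not code from the book: it assumes repadmin.exe is on the path and the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) is loaded, and Test-NetConnection needs Windows Server 2012 or later. The function names are ours.

```powershell
# Added example, not from the book: replication troubleshooting checks as PowerShell functions.
# Assumes repadmin.exe, the ActiveDirectory module (Get-ADDomainController) and, for
# Test-NetConnection, Windows Server 2012 or later. Run as a domain administrator.

function Get-ReplicationFailure {
    # "Verify whether the information is synchronized": repadmin /showrepl for every DC as CSV,
    # keeping only inbound links that have failed at least once.
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures',
                      'Last Failure Time', 'Last Failure Status', 'Last Success Time'
}

function Test-DcConnectivity {
    # "Check the network connectivity" and "Check router and firewall configurations":
    # probe the TCP ports replication depends on (88 Kerberos, 135 RPC endpoint mapper, 389 LDAP).
    param([Parameter(Mandatory)] [string[]] $DomainController)
    foreach ($dc in $DomainController) {
        foreach ($port in 88, 135, 389) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc; Port = $port; Open = $r.TcpTestSucceeded }
        }
    }
}

function Get-DirectoryServiceError {
    # "Validate the event logs": error events in the Directory Service log over the last day.
    param([string] $ComputerName = $env:COMPUTERNAME, [int] $Hours = 24)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Directory Service'; Level = 2; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# "Examine the replication topology": have the KCC on the local DC recompute and check its
# topology (the command-line counterpart of All Tasks | Check Replication Topology).
repadmin /kcc

repadmin /replsummary                                       # per-DC overview first
Get-ReplicationFailure | Format-Table -AutoSize             # then the links that are failing
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
Test-DcConnectivity -DomainController $dcs | Where-Object { -not $_.Open } | Format-Table
Get-DirectoryServiceError | Format-Table -Wrap
```

Read the results in the order the list gives them: a closed port explains a failing link before any event-log analysis is needed, and a link that has never succeeded ("Last Success Time" empty) points at a topology or site-link problem rather than a transient outage.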
Using Event Viewer
Active Directory event logging is viewed in the Event Viewer and configured in the
Registry. To configure Active Directory event logging, follow these steps:
1. Select Start | Run. In the Open box, type regedit, and click OK.
2. Locate and click the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
3. Each entry in the right-hand pane of the Registry Editor window represents
a type of event that Active Directory can log. All entries are set to the
default value of 0 (None).
To configure event logging for the appropriate component, follow these steps:
1. In the right-hand pane of the Registry Editor, double-click the entry that
represents the type of event that is to be logged; for example, Security
Events.
2. Type the logging level that's needed in the Value data box, and click OK.
3. Repeat step 2 for each component that you want to be logged. Then, on
the Registry menu, click Exit to quit the Registry Editor.
Some of the events that you can write to the event log include:
■ KCC
■ MAPI events
■ Security events
■ Replication events
■ Directory access
■ Internal configuration
■ Internal processing
■ Intersite messaging
■ Service control setup
Each entry is assigned a value of 0 through 5, which determines the level of
details of the events that are logged:
■ 0 (None) Only critical events and error events are logged at this level. This
is the default setting for all entries.
■ 1 (Minimal) Very high-level events are recorded in the event log at this
setting. Events can include one message for each major task that the service
performs. You can use this when the location to start an investigation is not
known.
■ 2 (Basic) This level adds information beyond what is logged
at the minimal level, without significantly impacting the system resources
required to capture these log events.
■ 3 (Extensive) This level records more detailed information than the lower
levels, such as steps that are performed to complete a task.
■ 4 (Verbose) This level records significant details, but excludes the debug
strings that are recorded at the highest logging level.
■ 5 (Internal) This level logs all events, including debug strings and configuration
changes. A complete log of the service is recorded.
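The same change made from PowerShell rather than regedit, as an added example that is not from the book. It raises one component to level 3 (Extensive), reads the Directory Service log, and returns the component to 0 (None). The value name '5 Replication Events' is the one Windows Server domain controllers use for replication events; the function names are ours.

```powershell
# Added example, not from the book: set an NTDS diagnostic logging level from PowerShell,
# read it back, and restore the default when the investigation is over.
# Run in an elevated prompt on the domain controller.
$DiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-NtdsDiagnosticLevel {
    # Every loggable component with its current level (all default to 0 = None).
    # The component names are fixed by the OS; check this listing before setting one.
    (Get-ItemProperty -Path $DiagKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object @{ n = 'Component'; e = { $_.Name } }, @{ n = 'Level'; e = { $_.Value } }
}

function Set-NtdsDiagnosticLevel {
    # Levels are the 0 (None) to 5 (Internal) values described above.
    param(
        [Parameter(Mandatory)] [string] $Component,
        [Parameter(Mandatory)] [ValidateRange(0, 5)] [int] $Level
    )
    Set-ItemProperty -Path $DiagKey -Name $Component -Value $Level -Type DWord
    (Get-ItemProperty -Path $DiagKey -Name $Component).$Component   # read back the stored value
}

Get-NtdsDiagnosticLevel | Format-Table -AutoSize

# Raise replication logging to Extensive for the duration of an investigation...
Set-NtdsDiagnosticLevel -Component '5 Replication Events' -Level 3

# ...review what it produced in the Directory Service log (warnings and errors, last 24 hours)...
Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'; Level = 2, 3; StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# ...and return to the default of 0 (None) once done.
Set-NtdsDiagnosticLevel -Component '5 Replication Events' -Level 0
```

Keeping the raise and the reset in the same script is deliberate: levels 4 and 5 fill the Directory Service log quickly on a busy DC, and a forgotten setting costs disk and makes later event review harder.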
NOTE
Logging levels should always be set to the default value of 0 (None)
unless there is an investigation at issue. If the Registry Editor is used
incorrectly, it can cause serious problems that will require reinstalling
the operating system.
Working with Trusts
One of the many issues that need to be dealt with in any computer organization is
how to protect resources. The main difficulty that administrators face is the dilemma
of how to ensure that the company's resources are not accessible by those who do
not need access. The other side of that coin, and something that is equally important,
is how to ensure that people who do need access are granted access with the least
amount of hassle. In small companies, the issues are simpler, because multiple domains
rarely exist. In today's larger corporations and conglomerates, the issues of security
are compounded. What administrators need is an easy tool to manage access across
multiple domains and, often, across forests.
The tool is Active Directory Domains and Trusts. With Active Directory
Domains and Trusts, an administrator can establish relationships between domains
that will allow users in one domain to access the resources in another. This way,
the administrator can ensure that all users who need access can have it without the
hassles involved in having user accounts in multiple domains.
As the name implies, trusts are all about sharing information. For security purposes,
you should carefully consider your reasons before creating a new trust relationship,
as well as knowing which type of trust to implement. In Active Directory,
a shortcut trust doesn't add more trust; rather, it can make the trusts you already
have more efficient. External trusts are a concept left over from Windows NT, but
are still necessary for sharing resources with a Windows NT domain or any other
Windows domain outside your forest. Finally, you should consider the Windows
Server 2008 forest trust to provide a transitive trust relationship between two Active
Directory forests that are running Windows Server 2003 or Windows Server 2008
on all installed DCs. As you can see, trusts are varied in properties and purposes.
The most important concepts to understand about trusts before you create them
are direction and transitivity. Always be aware of the extent of any internal access
that you grant to external users.
Trusts are predetermined avenues of access to forest resources. This is like giving
someone a key to your house and hoping that he or she won't misuse your trust.
DCs do the authenticating, but not all DCs necessarily trust each other. That's where
you come in, setting the relationships between domains that govern the flow of
information.
Two primary attributes of trusts are direction and transitivity. The direction of trust
flows from the trusting domain to the trusted domain, as shown by the arrow in
Figure 4.24. Cats.com trusts Dogs.com. The direction of access is always in the opposite
direction; Dogs.com accesses resources in Cats.com. This is a one-way trust. Likewise,
Dogs.com trusts Fish.com, but does not trust Cats.com. Two one-way trusts can
combine to simulate a single two-way trust.
The second attribute of the trust is transitivity, or a measure of how far the trust
extends. A nontransitive trust has limits. The trusted domain, and only the trusted domain,
can access resources through the trust to the trusting domain. As shown in Figure 4.24,
if the Dogs.com domain has trusts to other domains such as Fish.com, those other
domains are barred from access to Cats.com unless they have a nontransitive trust of
their own. The absence of the third leg of the trust breaks the circle of access. This is
the behavior of all trusts in Windows NT.
Conversely, transitive trusts, such as the ones shown in Figure 4.25, are the
skeleton keys of access. Anyone on the trusted side of the trust relationship can
enter, including anyone trusted by the trusted domain. When a user or process
requests access to a resource in another domain, a series of hand-offs occurs within
the authentication process down the trust path, as shown in Figure 4.25. When Cats.
com trusts Dogs.com, they must trust all Dogs.com child domains equally at the
level of the trust. There are two types of trusts in Figure 4.25, parent and child and
tree-root. All trusts shown are bidirectional and transitive, as they are by default in
Windows Server 2008. Calico.cats.com has a trust relationship with Yellow.labs.dogs.
com because of the trust path that extends through all three intervening domains.
If Calico.cats.com has no reason to trust Yellow.labs.dogs.com, the cats must apply
permissions to limit or block the access.
Figure 4.24 The Nontransitive Trust (diagram: root domain Dogs.com with nontransitive
one-way trusts linking it to the Cats.com and Fish.com domains)
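Direction and transitivity are easy to confuse, so here is a small model of them as an added example (not code from the book). The domain names follow Figures 4.24 and 4.25; the trust lists and the function names are constructed here for illustration. Each record reads "Trusting trusts Trusted", and access flows the other way, from the trusted domain into the trusting domain's resources:

```powershell
# Added example, not from the book: how trust direction and transitivity decide whether an
# account in one domain can reach a resource in another. Domain names follow Figures 4.24
# and 4.25; the trust lists are constructed for illustration.

function New-TwoWayTrust ([string] $A, [string] $B, [bool] $Transitive = $true) {
    # Two one-way trusts in opposite directions make up a two-way trust.
    @{ Trusting = $A; Trusted = $B; Transitive = $Transitive }
    @{ Trusting = $B; Trusted = $A; Transitive = $Transitive }
}

function Test-TrustPath {
    # Returns the chain of domains an authentication request passes through,
    # or nothing if no trust path exists.
    param(
        [Parameter(Mandatory)] [object[]] $Trusts,
        [Parameter(Mandatory)] [string]   $UserDomain,     # where the account lives (trusted side)
        [Parameter(Mandatory)] [string]   $ResourceDomain  # where the resource lives (trusting side)
    )
    if ($UserDomain -eq $ResourceDomain) { return ,$UserDomain }

    # A direct trust works whether or not it is transitive.
    $direct = $Trusts | Where-Object { $_.Trusted -eq $UserDomain -and $_.Trusting -eq $ResourceDomain }
    if ($direct) { return @($UserDomain, $ResourceDomain) }

    # Otherwise only transitive trusts may be chained: breadth-first search from the user's
    # domain, each hop moving from a trusted domain to a domain that trusts it.
    $parent = @{}
    $parent[$UserDomain] = ''
    $queue = New-Object System.Collections.Generic.Queue[string]
    $queue.Enqueue($UserDomain)
    while ($queue.Count -gt 0) {
        $here = $queue.Dequeue()
        foreach ($t in ($Trusts | Where-Object { $_.Transitive -and $_.Trusted -eq $here })) {
            if ($parent.ContainsKey($t.Trusting)) { continue }
            $parent[$t.Trusting] = $here
            if ($t.Trusting -eq $ResourceDomain) {
                # Rebuild the path from the resource domain back to the user's domain.
                $path = @()
                $d = $ResourceDomain
                while ($d) { $path = @($d) + $path; $d = $parent[$d] }
                return $path
            }
            $queue.Enqueue($t.Trusting)
        }
    }
    return $null   # no path: the "third leg" of the trust is missing
}

# Figure 4.24: Windows NT-style one-way, nontransitive trusts.
$NtStyleTrusts = @(
    @{ Trusting = 'Cats.com'; Trusted = 'Dogs.com'; Transitive = $false }
    @{ Trusting = 'Dogs.com'; Trusted = 'Fish.com'; Transitive = $false }
)

# Figure 4.25: default parent and child and tree-root trusts, all two-way and transitive.
$ForestTrusts = @(
    New-TwoWayTrust 'Cats.com' 'Calico.cats.com'            # parent and child
    New-TwoWayTrust 'Dogs.com' 'Labs.dogs.com'              # parent and child
    New-TwoWayTrust 'Labs.dogs.com' 'Yellow.labs.dogs.com'  # parent and child
    New-TwoWayTrust 'Cats.com' 'Dogs.com'                   # tree-root
)

# Dogs.com accounts reach Cats.com through the direct trust; Fish.com accounts do not,
# because the Cats.com -> Dogs.com trust is nontransitive and stops at Dogs.com.
Test-TrustPath -Trusts $NtStyleTrusts -UserDomain 'Dogs.com' -ResourceDomain 'Cats.com'
Test-TrustPath -Trusts $NtStyleTrusts -UserDomain 'Fish.com' -ResourceDomain 'Cats.com'

# With transitive trusts the request walks Yellow.labs -> Labs -> Dogs -> Cats -> Calico,
# which is why Calico.cats.com must rely on permissions, not on the trust, to limit access.
Test-TrustPath -Trusts $ForestTrusts -UserDomain 'Yellow.labs.dogs.com' -ResourceDomain 'Calico.cats.com'
```

The model encodes the two rules the text states: a nontransitive trust grants access only between its two endpoints, so it is never used as an intermediate hop, while transitive trusts chain until the whole forest is reachable. That second behaviour is the reason the default trusts are described as "friendly" and why resource permissions, not trust topology, are what actually restrict access inside a forest.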
TEST DAY TIP
Remember that default Windows Server 2008 trust relationships are
friendly. The default and most common trusts in Active Directory, which
are parent and child and tree-root trusts, are both bidirectional and transitive,
meaning that the trust path extends throughout the entire forest.
You can remember this type of transitive trust with the old saying, "Any
friend of yours is a friend of mine."
Other types of Windows Server 2008 trusts exist, such as forest, shortcut,
and external, each of which can be bidirectional or unidirectional and have
different transitivity properties. One of the first things you should do when
you sit down at the testing station is to write down the trusts and their
properties on your scratch paper. Do this before starting the test so as not
to waste valuable time.
Figure 4.25 The Transitive Trust (diagram: root domains Dogs.com and Cats.com joined by a
transitive tree-root trust; child domains Labs.dogs.com, Yellow.labs.dogs.com, and
Calico.cats.com joined to their parents by transitive parent and child trusts)
A trust is a logical authentication path between two domains. A trust path is the
number of trusts that must be traversed between the source and destination of a
resource request. Two trusts, tree-root and parent and child, are created by default when
running the Active Directory Installation Wizard. You can create the other four
trusts (shortcut, external, realm, and forest) as needed with the New Trust Wizard or
the Netdom.exe command-line tool.
When creating those four trusts, you have the option of creating two one-way
relationships, simulating bidirectional capabilities. As with any use of passwords,
it is a security best practice to use long, random, and complex passwords in the
establishment of trusts. The best option is to use the New Trust Wizard to create
both sides simultaneously, in which case the wizard generates a strong password for
you. Naturally, you must have the appropriate administrative credentials in both
domains for this to work.
We've been talking about two-way (bidirectional) trusts; but a trust can also
be one-way (unidirectional). One-way trusts are created to allow more restrictive
control over which users are allowed access to resources. For example, in Figure 4.26,
a one-way trust is created between Domain X and Domain Y. Users in Domain
X have access to resources in Domain Y. However, users in Domain Y do not have
access to resources in Domain X. In this definition, Domain X is referred to as the
trusted domain, and Domain Y is the trusting domain. A two-way trust allows users
in either domain to have access to resources in the other domain.
One-way trusts must specify the direction of the trust. One-way trusts can be either
incoming or outgoing, depending on whether the trust is created from the trusting or
the trusted domain. Incoming trusts permit the users in the domain where the trust
is created (the trusted domain) to access resources in the specified domain (the trusting
domain). Users in the trusting domain do not have access, through this trust, to the
resources in the trusted domain. (You can, however, create a second trust that goes the
other way, to accomplish the same effect as a two-way trust).
Outgoing trusts allow the users in the specified domain (the trusted domain) to
have access to resources in the originating domain (the trusting domain). Users in
the originating domain do not have access to resources in the specified domain.
Figure 4.26 One-Way Trust (diagram: a single one-way trust between Domain X and Domain Y)
Another concept and set of terms to understand in regard to trusts is:
■ Implicit
■ Explicit
Implicit trusts are trusts that are created automatically by the nature of the built-in
relationships between domains within a forest. These implicit trusts are two-way
and transitive. Implicit trusts automatically exist between each domain that is created
and its child domain(s). An implicit trust also exists between the root domain
of each domain tree and the root domains of every other domain tree in the forest.
An explicit trust is one that is created by an administrator; it does not exist
automatically, but has to be explicitly created. For example, an administrator can
create an explicit trust (in this case, called a shortcut trust) between any two child
domains in different domain trees to provide for a direct trust (and faster authentication)
between them.
Explicit trusts are also used to enable authentication across forests. When a forest
trust is created, a transitive trust is created between the forest root domains in both
forests. This allows all the members in the forest to exchange authentication information
with the other forest. The forest trust is also called an explicit trust between the
two forests. If an additional forest trust is created between one of the original forests
and a third forest, an implicit trust with the other original forest is not established to
the third forest. For the third forest to have a trust relationship with the other forest,
an explicit forest trust must be created between the two (see Figure 4.27).
Figure 4.27 Implicit Trust (diagram: Forest 1 (X), Forest 2 (Y), and Forest 3 (Z); transitive
two-way trusts between X and Y and between Y and Z; the implied trust between X and Z
does not exist)
The primary advantage of Active Directory trust relationships is that administrators
no longer need to create multiple user accounts for each user who needs access
to resources within each domain. Administrators can now add the users of the other
domains to their access control lists (ACLs) to control access to a resource. To take
full advantage of these relationships, the administrator must know about the various
types of trust that exist, and when to use them.
Default Trusts
When the Active Directory Installation Wizard is used to create a new domain
within an existing forest, two default trusts are created: a parent and child trust, and
the tree-root trust. Four additional types of trusts can be created using the New
Trust Wizard or the command-line utility netdom. The default trust relationships
inside a Windows 2000, Windows Server 2003, and Windows Server 2008 forest are
transitive, two-way trusts.
A parent and child trust is a transitive, two-way trust relationship. It allows
authentication requests made in the child domain to be validated in the parent
domain. Because the trusts are transitive, these requests pass upward from child to
parent until they reach the root of the domain namespace. This relationship will
allow any user in the domain to have access to any resource in the domain if the
user has the proper permissions granted.
An additional transitive, two-way trust is created to simplify the navigation:
the tree-root trust. This is especially needed in large organizations that might have
multiple levels of child domains. The tree-root trust is a trust that is created between
any child domain and the root domain. This provides a shortcut to the root. This
trust relationship is also automatically created when a new domain is created.
TEST DAY TIP
On the day of the test, you will want to review the types of trusts as
well as when to use them. On the exam, you might be given a scenario
that will require you to determine the type of trust that will best meet
the requirements in the scenario.
Forest Trusts
A forest trust can only be created between the root domains in two forests. Both
forests must be Windows Server 2003 or Windows Server 2008 forests. These trusts
can be one- or two-way trusts. They are considered transitive trusts because the
child domains inside the forest can authenticate themselves across the forest to
access resources in the other forest.
Forest trusts help to manage the Active Directory infrastructure. They do this
by simplifying the management of resources between two forests by reducing the
required number of external trusts. Instead of needing multiple external trusts, a
two-way forest trust between the two root domains will allow full access between
all the affected domains. Additionally, the administrator can take advantage of both
the Kerberos and NTLM authentication protocols to transfer authorization data
between forests.
Forest trusts can provide complete two-way trusts with every domain within
the two forests. This is useful if you have created multiple forests to secure data
within the forest or to help isolate directory replication within each forest.
EXAM WARNING
Although the trust relationship is considered transitive, this applies only
to the child domains within forests. The transitive nature of the trust
exists only within the two forests explicitly joined by a forest trust. The
transitivity does not extend to a third forest unless you create another
explicit trust (see Figure 4.27).
External Trusts
You use an external trust when you need to create a trust between domains outside
of your forest. These trusts can be one- or two-way trusts. They are always nontransitive
in nature. This means you have created an explicit trust between the two
domains, and domains outside this trust are not affected. You can create an external
trust to access resources in a domain in a different forest that is not already covered
by a forest trust (see Figure 4.28).
EXAM WARNING
You will always need to create an external trust when connecting to
a Windows NT 4.0 or earlier domain. These domains are not eligible to
participate in Active Directory. These trusts must be one-way trusts.
If you have worked with Windows NT 4.0, you will remember that the
only trusts allowed were nontransitive one-way trusts.
After the trust has been established between a domain in a forest and a domain
outside the forest, the security principals from the domain outside the forests will
be able to access the resources in the domain inside the forest. Security principals
can be the users, groups, computers, or services from the external domain. They are
account holders that are each assigned a SID automatically to control access to the
resources in the domain.
The Active Directory in the domain inside the forest will then create foreign
security principal objects representing each security principal from the trusted
external domain. You can use these foreign security principals in the domain local
groups. This means that the domain local groups can have members from the
trusted external domain. You use these groups to control access to the resources
of the domain.
The foreign security principals are seen in Active Directory Users and
Computers. Because the Active Directory automatically creates them, you should
not attempt to modify them.
Figure 4.28 External Trust (diagram: Forests 1, 2, and 3 and a Windows NT 4.0 domain;
one transitive two-way forest trust and two external trusts)
Shortcut Trusts
Shortcut trusts are transitive in nature and can be either one-way or two-way. These
are explicit trusts that you create when the need exists to optimize (shortcut) the
authentication process. Without shortcut trusts in place, authentication travels up
and down the domain tree using the default parent and child trusts, or by using the
tree-root trusts. In large, complex organizations that use multiple trees, this path can
become a bottleneck when authenticating users. To optimize access, the network
administrator can create an explicit shortcut trust directly to the target domain
(see Figure 4.29).
Figure 4.29 Shortcut Trust (diagram: a shortcut trust between two domains within Forest 1)
You use these trusts when user accounts in one domain need regular access to
the resources in another domain. Shortcut trusts can be either one- or two-way.
You should establish one-way shortcut trusts when the users in one domain need
access to resources in the other domain, but those in the second domain do not
need access to resources in the first domain. You should create two-way trusts
when the users in both domains need access to the resources in the other domain.
The shortcut trust will effectively shorten the authentication path, especially if the
domains belong to two separate trees in the forest.
SID Filtering
One security concern when using trusts is a malicious user who has administrative
credentials in the trusted domain sniffing the trusting domain to obtain the credentials
of an administrator account. With the credentials of the trusting domain administrator,
the malicious user could add his SID to allow full access to the trusting domain's
resources. This type of threat is called an elevation of privilege attack.
The security mechanism used by Windows Server 2003 and Windows Server
2008 to counter an elevation of privilege attack is SID filtering. SID filtering is
used to verify that an authentication request coming in from the trusted domain
only contains the domain SIDs of the trusted domain. It does this by using the
SIDHistory attribute on a security principal.
SID filtering uses the domain SID to verify each security principal. If a security
principal includes a domain SID other than one from trusted domains, the SID
filtering process removes the SID in question. This is done to protect the integrity
of the trusting domain. This will prevent the malicious user from being able to
elevate his or her privileges or those of other users.
There are some potential problems associated with SID filtering. It is possible
for a user whose SID contains SID information from a domain that is not trusted
to be denied access to the resources in the trusting domain. This can be a problem
when universal groups are used. Universal groups should be verified to contain only
users that belong to the trusted domain.
You can disable SID filtering if there is a high level of trust for all administrators
in the affected domains, there are strict requirements to verify all universal group
memberships, and any migrated users have their SIDHistories preserved. To disable
SID filtering, use the netdom command.
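An added example (not code from the book) of auditing the trusts a domain holds for the attributes this section describes, including whether SID filtering is still in force on external trusts. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later); the domain names in the netdom lines are placeholders and the function names are ours.

```powershell
# Added example, not from the book: list a domain's trusts and warn about external trusts
# on which SID filtering (quarantine) has been switched off. Needs the ActiveDirectory module
# (RSAT, Windows Server 2008 R2 or later). Domain names in the netdom lines are placeholders.

function Get-TrustAudit {
    # One row per trust with the attributes that matter here: direction, transitivity and
    # the two SID-filtering flags. ("DisallowTransivity" is how the cmdlet spells that property.)
    param([string] $Server)     # optional DC to query; defaults to the logon domain
    $query = @{ Filter = '*' }
    if ($Server) { $query['Server'] = $Server }
    Get-ADTrust @query | Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
        DisallowTransivity, SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication
}

function Get-UnfilteredExternalTrust {
    # External trusts (not intra-forest, not forest trusts) whose quarantine flag is clear,
    # the state the book describes as SID filtering disabled with netdom.
    Get-TrustAudit | Where-Object {
        -not $_.IntraForest -and -not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined
    }
}

Get-TrustAudit | Format-Table -AutoSize
Get-UnfilteredExternalTrust | ForEach-Object {
    Write-Warning ("SID filtering is disabled on the {0} trust to {1}" -f $_.Direction, $_.Name)
}

# netdom reports the current setting when /quarantine is given without Yes or No, and
# re-enables filtering with /quarantine:Yes (replace the placeholder domain names):
#   netdom trust trusting.example /domain:trusted.example /quarantine
#   netdom trust trusting.example /domain:trusted.example /quarantine:Yes
```

Run the audit whenever a trust is created or a migration finishes: disabling SID filtering is sometimes necessary while SIDHistory is in use, and this report is how you confirm it was turned back on afterwards rather than left open.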
NOTE
Security principal is a term used to describe any account that has a SID
automatically assigned. Examples of security principals are users, groups,
services, and computers. Part of each security principal is the domain SID
to identify the domain in which the account was created.
Summary of Exam Objectives
The logical structure of the network is defined by forests and domains, with
domains organized into domain trees in which subdomains (called child domains)
can be created under parent domains in a branching structure. Domains are logical
units that hold users, groups, computers, and OUs (which in turn can contain users,
groups, computers, and other OUs). Forests are collections of domain trees that
have trust relationships with one another, but each domain tree has its own separate
namespace. Aspects of the physical structure include sites, servers, roles, and links.
An Active Directory always begins with a forest root domain, which is automatically
the first domain that you install. This root domain becomes the foundation for
additional directory components. The domain is the starting point of Active Directory.
It is the most basic component that can functionally host the directory. Simply
put, Active Directory uses the domain as a container of computers, users, groups,
and other object containers. Objects within the domain share a common directory
database partition, replication boundaries and characteristics, security policies, and
security relationships with other domains. The process of creating the forest and
domain structure is centered on the use of the Active Directory Installation Wizard,
which is also known as the dcpromo utility.
In Windows NT 4.0, the domain had only one authoritative source for domain-related
information: the primary DC, or PDC. The implementation of Active
Directory brought the multimaster model, where objects and their properties could
be modified on any DC and become authoritative through replication conflict
resolution measures. The problem with the multimaster architecture is that some
domain and enterprise-wide operations are not well suited for it. The best design
placed those functions on a single DC within the domain or forest, and Microsoft
created the Active Directory FSMO roles. The Active Directory supports five
operational master roles: the Schema Master, Domain Naming Master, RID Master, PDC
Emulator, and Infrastructure Master. Two of these operate at the forest level only: the
Schema Master and the Domain Naming Master. Conversely, the RID Master, PDC
Emulator, and Infrastructure Master operate at the domain level. You can use the
ntdsutil.exe command-line utility to transfer FSMO roles, or you can use an MMC
snap-in tool. Depending on which role you want to transfer, you need to use one of
the following three MMC snap-in tools: Active Directory Schema, Active Directory
Domains and Trusts, or Active Directory Users and Computers. To seize a role, you
must use the ntdsutil utility. If a computer cannot be contacted due to a hardware
malfunction or long-term network failure, the role must be seized. After you seize
a Master role, the old DC that hosted it should never be brought back online.
This is especially true of the Schema Master, Domain Naming Master, and RID
Master roles.
The GC server is one of the most important roles played by one or more DCs
in your network. It might not appear to do much on the surface, but the GC is
responsible for helping to resolve names for objects throughout your forest. The GC
server holds a copy of all the objects in the domain in which the server is located.
That same GC server holds a partial replica of other domains in the forest. The
information that the GC holds from other domains includes common search items.
This limited but frequently accessed information makes queries very efficient.
GC servers are responsible for UPN authentication. When a user logs on using
the UPN, the GC is queried to locate the user account and a DC in the appropriate
domain. GC servers are also responsible for answering queries against Active Directory.
If a user wants to locate another person within the organization, that user could use
his workstation to search Active Directory. The queries are sent to IP port 3268, which
is used for GC communication.
You must consider placement of GC servers early in the design process for
your network. If you don't determine where you do and do not need a GC server
and plan accordingly, you could have communication problems and users could
be adversely affected. A good rule of thumb is to remember that if a location has
more than 50 users, a DC is needed at that location. Dividing the network into sites
makes a difference in how replication traffic is handled in regard to GC information.
Replication within a site (intrasite replication) is handled differently than replication
between different sites (intersite replication). Placement of GC servers within every
site might not be necessary, but you should keep track of how much bandwidth
computers are using. GC queries in large quantities can tie up significant bandwidth.
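The two GC behaviours described above (DNS advertisement of GC servers and UPN lookups against port 3268) can be observed from PowerShell. The following is an added example, not code from the book; the forest name and UPN are assumptions, and it needs the DnsClient and NetTCPIP modules that ship with Windows Server 2012 and later.

```powershell
# Added example (not from the book): locate GC servers via DNS and query the
# GC partition on port 3268 for a user by UPN. Forest name and UPN are assumptions.
$Forest = 'contoso.com'          # assumption: your forest root DNS name
$Upn    = 'jdoe@contoso.com'     # assumption: a UPN to resolve

function Get-GcServers {
    param([string]$ForestName)
    # The _gc._tcp SRV record lists every DC that advertises the GC role.
    Resolve-DnsName -Name "_gc._tcp.$ForestName" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object {
            [pscustomobject]@{
                Server    = $_.NameTarget
                Port      = $_.Port            # normally 3268
                Reachable = (Test-NetConnection -ComputerName $_.NameTarget -Port $_.Port -InformationLevel Quiet)
            }
        }
}

function Find-UserViaGc {
    param([string]$ForestName, [string]$UserPrincipalName)
    # GC:// binds to port 3268 and searches the forest-wide partial attribute set,
    # which is how a UPN logon is resolved to the user's home domain.
    $dn   = 'DC=' + ($ForestName -replace '\.', ',DC=')
    $root = [ADSI]"GC://$dn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(userPrincipalName=$UserPrincipalName))"
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'sAMAccountName'))
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }
    # The DN tells you which domain holds the full object; a DC in that
    # domain completes the authentication.
    [pscustomobject]@{
        DistinguishedName = [string]$hit.Properties['distinguishedname'][0]
        SamAccountName    = [string]$hit.Properties['samaccountname'][0]
    }
}

Get-GcServers -ForestName $Forest | Format-Table -AutoSize
Find-UserViaGc -ForestName $Forest -UserPrincipalName $Upn
```

A GC that is advertised in DNS but not reachable on 3268 from a branch site is exactly the placement problem the paragraph warns about: UPN logons from that site will stall until another GC answers.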
Active Directory trust relationships come in many flavors to meet the needs of
the situation where users in one domain need access to the resources in another
domain. First, there are the default trusts created between parent and child domains.
These trusts are automatically created to simplify usage of resources in a tree. The
network administrator can create additional types of trusts, such as external, shortcut,
realm, and forest trusts. External trusts link two external domains. Shortcut trusts
simplify the authentication paths needed to authenticate users. Realm trusts are
created to connect a non-Windows network to a Windows Server 2003 or Windows
Server 2008 domain. Forest trusts link forests together in the enterprise.
As you create these additional trust types, you can determine whether the trust
will work in one direction only, or in both directions. When the trust works in both
directions, it is called a two-way or bidirectional trust, and users in both domains
have access to resources in both domains.
Another issue is whether the trust is transitive. A transitive trust passes through
one trusted domain to another. A transitive trust implies a trust relationship when
more than two domains are involved. If Domain A trusts Domain B and Domain B
trusts Domain C, Domain A trusts Domain C. This is sometimes not the effect you
want when creating trusts. The administrator has control over the transitive nature
of the trust. As a further protection, SID filtering prevents users from an untrusted
domain from being able to access resources in your domain.
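Transitivity, direction, and SID filtering are all attributes of the trust object, so they can be audited rather than trusted to memory. This is an added example, not the book's own procedure; it needs the ActiveDirectory module, and the netdom command at the end uses placeholder domain names.

```powershell
# Added example (not from the book): inventory trusts and flag those where
# SID filtering is off. Requires the ActiveDirectory module; domain is an assumption.
Import-Module ActiveDirectory

function Get-TrustAudit {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        # Interpretation used here: on a forest trust SIDFilteringForestAware reports
        # filtering, on an external trust SIDFilteringQuarantined does.
        $sidFilterOn = if ($_.ForestTransitive) { $_.SIDFilteringForestAware } else { $_.SIDFilteringQuarantined }
        [pscustomobject]@{
            Target        = $_.Target
            Direction     = $_.Direction            # Inbound / Outbound / BiDirectional
            Transitive    = -not $_.DisallowTransivity
            ForestTrust   = $_.ForestTransitive
            IntraForest   = $_.IntraForest
            SelectiveAuth = $_.SelectiveAuthentication
            SIDFiltering  = [bool]$sidFilterOn
        }
    }
}

$audit = Get-TrustAudit
$audit | Format-Table -AutoSize

# Trusts to external or partner domains without SID filtering are the ones that
# matter: SIDs from outside the trusted domain would be honored across them.
$audit | Where-Object { -not $_.IntraForest -and -not $_.SIDFiltering } |
    ForEach-Object { Write-Warning "SID filtering is disabled on the trust with $($_.Target)" }

# Re-enable filtering on an external trust (run on a DC of the trusting domain);
# the domain names below are placeholders:
# netdom trust contoso.com /domain:partner.example /quarantine:yes
```

Parent-child trusts (IntraForest) are excluded from the warning because SID filtering is not meant to be applied inside a forest; the check is aimed at the external and forest trusts the paragraph describes.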
Finally, this chapter also explained the role of sites, and discussed the relationship
of sites to other Active Directory components. We showed you how to create sites
and site links, and explained site replication. This chapter enables you to become
familiar with exam objectives covering such topics as the various roles and services
offered by Active Directory sites.
Exam Objectives Fast Track
Working with Forests and Domains
˛ You should know what type of domain you want to install before you
begin, and the namespace it will use.
˛ To improve a domain's reliability, you should always create at least two DCs
in each domain.
˛ The first DC that you install in the forest is the root DC. It is responsible
for the GC and for all five FSMO roles. Some roles can later be transferred
to other DCs for performance and diversification.
Working with Sites
˛ Sites are used for optimizing the authentication process, by reducing
authentication traffic across slow, high-cost WAN links.
˛ Subnets provide rapid and reliable communication between locations.
˛ The primary role of sites is to increase the performance of a network,
which is achieved by economic and rapid transmission of data.
˛ Replication enables transferring data from a data store present on a source
computer to an identical data store present on a destination computer.
˛ The KCC is a process that runs on a DC.
˛ The process of associating a subnet with a site notifies Active Directory
sites about the physical networks that are represented by the site.
˛ Cost is the value used to rank site links against one another in terms of
speed and reliability.
Working with Trusts
˛ Active Directory trust relationships allow users in one domain to access
resources in another domain without having to create additional accounts
in the domain with the resources.
˛ Whenever a child domain is created, two-way transitive trusts are
automatically created between the parent and the child.
˛ Forest trusts are created between the root domains of two forests to allow
users in one forest to access resources in the other forest.
˛ SID filtering is a security device that uses the domain SID to verify each
security principal.
Exam Objectives Frequently Asked Questions
Q: What is the big deal about raising the functional levels of my domains and
forests? Shouldn't I raise the levels as soon as they meet the prerequisites?
A: No. Remember that functional levels, once raised, cannot be lowered again.
In addition, some situations are better suited to skipping a level, rather than
raising to one level and then the other. In this case, known future restructuring
and upgrade activities should be considered before raising functional levels.
Q: How much of the Active Directory design stage should be complete before
I install my first DC?
A: Primarily, the DNS design should be complete, and the decision should be made
about how the forest-root domain will be used. Additional DCs and domains
can be added later. FSMO roles and GCs can be shifted as needed, and trusts
with other forests and external domains can be added later. Essentially, the first
DC that you install should be in a lab environment. From that perspective, you
should install your first DC for testing and training purposes as soon as possible.
Q: If every FSMO role can be seized by another DC upon failure, why would
I want to spread the roles out among different machines?
A: There are several reasons. Chief among these are the associated risks of seizing
roles. Lost or corrupted directory data can result from FSMO failures, especially
if the malfunctioning machine ever comes back online. Seizing roles should not
be considered a routine operation. Another consideration is performance. Each
role exacts a certain amount of CPU and memory overhead, and your servers
might perform better if roles are spread among multiple systems. If that weren't
enough, some roles and functions should not coexist on the same DC, such as
the Infrastructure Master and the GC. FSMO placement should not be ignored,
and this knowledge will be important on the test.
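The chapter summary describes transferring and seizing FSMO roles with ntdsutil, and the answer above adds the placement rule that the Infrastructure Master should not share a DC with the GC. The following is an added example, not from the book, that reports role holders and checks that rule with the ActiveDirectory module; the DC names in the commented commands are assumptions.

```powershell
# Added example (not from the book): audit FSMO role placement and show the
# PowerShell equivalents of transfer and seize. DC names are assumptions;
# run on a DC or a host with RSAT-AD-PowerShell.
Import-Module ActiveDirectory

function Get-FsmoPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles exist once per forest; domain-wide roles once per domain.
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    # The Infrastructure Master should not be a GC unless every DC in the
    # domain is a GC (then there are no phantom records for it to update).
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom   = Get-ADDomain -Identity $Domain
    $dcs   = Get-ADDomainController -Filter * -Server $Domain
    $im    = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    if ($im.IsGlobalCatalog -and -not $allGc) {
        Write-Warning "Infrastructure Master $($im.HostName) is a GC while other DCs are not; cross-domain references will go stale."
        return $false
    }
    return $true
}

Get-FsmoPlacement | Format-List
Test-InfrastructureMasterPlacement

# Graceful transfer (the current holder must be online and reachable):
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole PDCEmulator, RIDMaster
# Seize only when the holder is permanently gone; the old holder must never return:
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole SchemaMaster -Force
```

Move-ADDirectoryServerOperationMasterRole does the same thing as ntdsutil's transfer and seize operations; the -Force switch is the seize, and carries the same warning the book gives about never bringing the old holder back online.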
Q: What are the differences between external, realm, and shortcut trusts?
A: An external trust is created to establish a relationship with a domain outside
your tree or forest. A realm trust is created to establish a relationship with a
non-Microsoft network using Kerberos authentication. A shortcut trust is used
to optimize the authentication process.
Q: What type of trust needs to be created between the root domain and a domain
that is several layers deep inside the same tree?
A: None. Transitive two-way trusts are automatically created between the layers
of the tree structure. A root trust is also created automatically so that any child
domain has a shortcut to the root domain.
Q: What is the difference between implied, implicit, and explicit trusts?
A: An implicit trust is one that is automatically created by the system. An example
is the trusts created between parent and child domains. An explicit trust is one
that is manually created. An example is a forest trust between two trees. An
implied trust is one that is implied because of the transitive nature of trusts.
An example is the trust between two child domains that are in different trees,
and a forest trust was created between the roots of the trees.
Q: What exactly does SID filtering accomplish?
A: SID filtering is used to secure a trust relationship where the possibility exists
that someone in the trusted domain might try to elevate his or her own or
someone else's privileges.
Q: How do you change the time the KCC runs?
A: The KCC, which manages connection objects for inter- and intrasite replication,
runs every 15 minutes by default. To change this, start regedit and go to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry key. Then, from the Edit menu, select New, DWORD Value.
Q: How do I move a server to a different site?
A: If the sites and subnets are configured, new servers are automatically added to
the site that owns the subnet. However, a server can be manually moved to a
different site. To perform this task, start the Active Directory Sites and Services.
Expand the site that currently contains the server, and expand the Servers container.
Right-click the server and select Move from the context menu. There will
be a list of all the sites. Select the new target site, and click OK.
Q: How can a server belong to more than one site?
A: By default, a server belongs to only one site. However, you can configure a
server to belong to multiple sites. Because sites are necessary for replication,
for clients to find resources, and to decrease traffic on intersite connections,
simply modifying a site's membership might cause performance problems.
To configure a server for multiple site membership, log on to the server you
want to join multiple sites. Start regedit or regedt32. Go to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry key, select Add Value from the Edit menu, enter the
name Site Coverage and a REG_MULTI_SZ value, and click OK. Next,
enter the names of the sites to join, each on a new line. (Press Shift + Enter to
move to the next line.) Click OK. Close the Registry Editor.
Q: How do I disable site link transitivity?
A: Site links are bridged together to make them transitive so that the KCC can
create connection objects between DCs. We can disable site link transitivity
manually by bridging specific site links. Start the Active Directory Sites and
Services snap-in. (Select Administrative Tools | Active Directory Sites
and Services from the Start menu.) Expand the Sites folder and expand the
Inter-Site Transports folder. Right-click the protocol for which you want to
disable transitivity (IP or SMTP), and select Properties. Clear the Bridge all
site links checkbox, and click Apply.
Q: How do you rename a site?
A: When you install your first DC, the DC creates the default site, Default-
First-Site-Name. This name isn't very descriptive, so you might want to
rename it. Start the Active Directory Sites and Services snap-in. (Select
Administrative Tools | Active Directory Sites and Services from the
Start menu.) Expand the Sites folder. Right-click the site that is to be renamed
(e.g., Default-First-Site-Name), and select Rename. Enter the new name, and
press Enter.
Q: I want to enable GC functionality on a DC. Where do I do that?
A: In the NTDS Settings Properties window on the General tab. You simply
check the box next to Global Catalog and click OK.
Q: I have an office with only 10 users. Should I put a GC server at this location?
A: Probably not; Microsoft recommends that 50 or more users at a location
constitutes the necessity for a local DC at that office.
Q: I am noticing a large amount of traffic between my corporate office and branch
office. I recently added a GC server/DC at my branch office. Why all the extra
traffic?
A: More than likely, you didn't set up a site for each location. Having GC servers
located in sites helps to control replication and should cut down on bandwidth
usage. Data is compressed before being sent between sites, which keeps bandwidth
usage down.
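Several of the site answers above are snap-in procedures (moving a server between sites, renaming the default site, enabling the GC, clearing Bridge all site links). The following added example, which is not from the book, does the read-only part of that work from PowerShell and shows the equivalent write commands commented out. It requires the ActiveDirectory module; the server and site names are assumptions, and the bit values for the options attribute are taken from the NTDS Settings and Inter-Site Transports object definitions rather than from the book.

```powershell
# Added example (not from the book): one row per DC with its site, GC flag and the
# IP transport's bridging state, plus the write commands for the FAQ tasks.
Import-Module ActiveDirectory

function Get-SiteAudit {
    $config = (Get-ADRootDSE).configurationNamingContext
    # On CN=IP,CN=Inter-Site Transports, options bit 0x2 (bridges required) set
    # means the "Bridge all site links" checkbox has been cleared.
    $ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$config" -Properties options
    $bridgeAll   = -not (([int]$ipTransport.options) -band 2)

    Get-ADDomainController -Filter * | ForEach-Object {
        [pscustomobject]@{
            DC              = $_.HostName
            Site            = $_.Site
            IsGlobalCatalog = $_.IsGlobalCatalog
            BridgeAllLinks  = $bridgeAll
        }
    }
}

Get-SiteAudit | Format-Table -AutoSize

# Move a server to another site (same as Right-click > Move in Sites and Services):
# Move-ADDirectoryServer -Identity 'DC03' -Site 'Branch-Office'

# Rename the default site:
# $cfg = (Get-ADRootDSE).configurationNamingContext
# Rename-ADObject -Identity "CN=Default-First-Site-Name,CN=Sites,$cfg" -NewName 'HQ'

# Enable the GC on a DC: set bit 0x1 (NTDSDSA_OPT_IS_GC) on the NTDS Settings 'options' attribute,
# which is what the Global Catalog checkbox on the NTDS Settings General tab does.
# $dc  = Get-ADDomainController -Identity 'DC03'
# $opt = [int](Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options).options
# Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ($opt -bor 1) }
```

Running the audit after a change is the quick way to confirm that a DC landed in the site you intended and that bridging is in the state the site link design assumes.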
Self Test
1. A large company has just merged with yours. This organization has recently
converted its internal network from IPv4 addressing to IPv6 to support a
number of new network applications that required it. You must now begin to
plan for IPv6 support on your own internal network. You are creating training
materials for your junior networking staff. Which of the following features is
built into IPv6 that was not required in IPv4?
A. Classless Inter-Domain Routing (CIDR)
B. IP Security through the use of IPSec
C. Network address translator (NAT)
D. Loopback IP addressing
2. Your IT manager wants you to link four divisions of the company through a
ring of eight unidirectional cross-forest trusts. He uses this reasoning: If multiple
forest trusts are established, authentication requests made in any domain
of any forest can pass through multiple forest trusts, hence multiple Kerberos
domains, on their way to their destination. Why is he wrong?
A. Although each cross-forest trust is transitive at the forest level, where all
domains in both forests can authenticate, they are not transitive at the
federated forest level as he suggests. The trust path cannot include more
than one cross-forest trust.
B. Cross-forest trusts are not transitive, and will not allow pass-through
authentication.
C. To create a mesh trust relationship between four forests, you need only
four cross-forest trusts.
D. Cross-forest trusts are bidirectional, so only three trusts are needed to link
all four forests. Completing the ring is not necessary.
3. What FSMO roles should exist in a child domain in a Windows Server 2008
forest? (Choose all that apply).
A. Schema Master
B. Domain Naming Master
C. PDC Emulator
D. RID Master
E. GC
F. Infrastructure Master
Correct Answers & Explanations: C, D, and F. Answer C is correct because
the PDC Emulator FSMO role exists in each domain in an Active Directory
forest. Answer D is correct because the RID Master FSMO role exists in
each domain in an Active Directory forest. Answer F is correct because the
Infrastructure Master FSMO role exists in each domain in an Active Directory
forest.
Incorrect Answers & Explanations: A, B, and E. Answer A is incorrect because
the Schema Master FSMO role exists only in the forest root domain. Answer
B is incorrect because the Domain Naming Master FSMO role exists only in
the forest root domain. Answer E is incorrect because the Global Catalog is
not a FSMO role.
4. Your network operations center has identified excessive bandwidth utilization
caused by authentication traffic in the root domain subnet, especially between
Calico.cats.com and Labs.dogs.com. Your logical network is set up as shown in the
diagram. What type of trust or trusts would you set up to alleviate the situation?
[Question #4 Diagram: domains Dogs.com, Labs.dogs.com, Yellow.labs.dogs.com, Cats.com, and Calico.cats.com (the forest root domain, a second domain, and three child domains), joined by transitive trusts]
A. Set up a bidirectional transitive parent and child trust between Calico.cats.com
and Labs.dogs.com.
B. Set up a shortcut trust between Calico.cats.com and the forest root, and set
up a second shortcut trust between Labs.dogs.com and the forest root.
C. Set up a shortcut trust between Calico.cats.com and Labs.dogs.com.
D. Set up two shortcut trusts between Calico.cats.com and Labs.dogs.com.
E. Set up a realm trust between Calico.cats.com and Labs.dogs.com.
5. Your company, mycompany.com, is merging with the yourcompany.com
company. The details of the merger are not yet complete. You need to gain
access to the resources in the yourcompany.com company before the merger
is completed. What type of trust relationship should you create?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree Root trust
6. Your boss just informed you that your company will be participating in a joint
venture with a partner company. He is very concerned about the fact that a
trust relationship needs to be established with the partner company. He fears
that an administrator in the other company might be able to masquerade as
one of your administrators and grant himself privileges to resources. You assure
him that your network and its resources can be protected from an elevated
privilege attack. Along with the other security precautions that you will take,
what will you tell your boss that will help him rest easy about the upcoming
scenario?
A. The permissions set on the Security Account Manager (SAM) database
will prevent the other administrators from being able to make changes.
B. The SIDHistory attribute tracks all access from other domains. Their activities
can be tracked in the System Monitor.
C. The SIDHistory attribute from the partner's domain attaches the domain
SID for identification. If an account from the other domain tries to elevate
its own or another user's privilege, the SID filtering removes the SID in
question.
D. SID filtering tracks the domain of every user who accesses resources.
The SIDHistory records this information and reports the attempts to the
Security log in the Event Viewer.
7. You recently completed a merger with yourcompany.com. Corporate decisions
have been made to keep the integrity of both of the original companies;
however, management has decided to centralize the IT departments. You are
now responsible for ensuring that users in both companies have access to the
resources in the other company. What type of trust should you create to solve
the requirements?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree root trust
8. Robin is managing an Active Directory environment of a medium-size
company. He is troubleshooting a problem with the Active Directory. One
of the administrators made an update to a user object and another reported
that he had not seen the changes appear on another DC. It was more than
a week since the change was made. Robin checks the problem by making
a change to another Active Directory object. Within a few hours, the change
appears on a few DCs, but not on all of them. Which of the following is
a possible cause for this problem?
A. Connection objects are not properly configured.
B. Robin has configured one of the DCs for manual updates.
C. There might be different DCs for different domains.
D. Creation of multiple site links between the sites.
9. James is a systems administrator for an Active Directory environment that
consists of two dozen sites. The physical network environment is not fully
routed, and James has disabled automatic site link transitivity. He now wants to
set up three site links to be transitive, as they are physically connected to one
another. Which of the following Active Directory objects is responsible for
representing a transitive relationship between sites?
A. Additional sites
B. Additional site links
C. Bridgehead servers
D. Site link bridges
10. Steffi is an administrator of a medium-size organization responsible for
managing Active Directory replication traffic. She finds an error in the replication
configuration. How can she look for specific error messages related
to replication?
A. Use the Active Directory Sites and Services administrative tool
B. Use the Disk Management tool
C. View the System log option in the Event Viewer
D. View the Directory Service log option in the Event Viewer
Self Test Quick Answer Key
1. B
2. A
3. C, D, and F
4. C
5. C
6. C
7. A
8. A
9. D
10. D
Chapter 5 Understanding Group Policy
MCTS/MCITP Exam 640
Exam objectives in this chapter:
■ Types of Group Policies
■ Group Policy Hierarchy
■ Creating and Linking GPOs
■ Controlling Application of Group Policies
■ GPO Templates
Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
292 Chapter 5 Understanding Group Policy
www.syngress.com
Introduction
One of the major advantages of Active Directory is its ability to offer authentication
and identity management for users and computers. Although this is certainly a key
component of Active Directory, one can argue that an even more important (and
sometimes overlooked) component of Active Directory is its ability to centrally manage
the experience of these users and computers. By offering a centralized management
solution, we can take a majority of the legwork out of system administration.
Group Policy makes it possible to perform a number of tasks, including:
■ Password enforcement
■ Auditing
■ Software deployment
■ Desktop management
■ Desktop security
For example, if you were the administrator of a 10,000-seat organization, would
you prefer configuring the background and display settings on all 10,000 systems
individually, or would you like to implement one set of rules, or one policy, and
have it pushed down to these machines? How about patch management? Would
you prefer to manually walk around a CD or DVD to each workstation to patch
systems, or would you rather point machines (via a policy) to an update site, where
you have preapproved these patches?
Group Policy and sites are also a key component of Active Directory administration.
Today people tend to work from home, work from the office, and travel
to branch offices rather frequently. It may be important to manage each scenario
differently. Again, it is much easier to manage these systems from a policy as
opposed to individual system management.
In this chapter, you will learn about the different types of policies available to
you as an administrator, how to create and manage these policies, as well as key
design principles, such as Group Policy Object (GPO) hierarchies.
Types of Group Policies
Group Policies allow you, the administrator, to manage users and computers in your
Active Directory environment. Being able to enforce settings and configurations in
your infrastructure allows you to do everything from dictate lockdown to empower
users with simplicity. A wide-open infrastructure just doesn't make sense in today's
world of viruses, Trojans, and network attacks. It just makes sense as an administrator
to take advantage of Group Policy to manage your environment in a centralized
fashion with ease and flexibility. There are two types of Group Policy:
■ Local Group Policy
■ Nonlocal Group Policy
A good amount of planning and testing should go into any Group Policy before
it is deployed, but to get started you will need a thorough understanding of the
types of Group Policies. We will discuss these in the following sections.
Local Group Policy
Local Group Policies exist on every machine. They are stored on each computer
individually and affect the local machine and local users with their settings. The
benefit of Local Group Policies is that if a machine does not belong to a domain
a mechanism still exists to lock down the local workstation. In the past, only
one Local Group Policy could exist per machine, but a new feature of Windows
Vista and Windows Server 2008 is the Multiple Local Group Policy object
(MLGPO). Traditional Local Group Policies have two configurable sections: a User
Configuration section and a Computer Configuration section. MLGPOs further
segment the User Configuration section to allow configuration based on user role.
The new User Configurations come in three flavors:
■ Administrator
■ Non-Administrator
■ User-specific
Each person in an environment falls into one of two user roles: You are an administrator,
calling the shots and controlling the environment, or a nonadministrator, living
and working in the environment configured by the administrator. The Administrator
role will include any user account that is part of the local Administrators group. The
Non-Administrator role is every other user account on the local machine. Each user
will apply either the Administrator or the Non-Administrator policy, but never both.
The user-specific configuration allows the Administrator to configure additional settings
for any individual user on the local machine. There can still only be one local
Computer configuration policy per machine, and it will affect all users logging on.
These flavors allow you the flexibility to control users on shared machines,
where different types of users may be working on the same workstations throughout
the day. This is a particularly useful feature in smaller working environments where
sharing is frequent or environments where kiosks and common area machines may
be predominant. The one large drawback of utilizing Local Group Policies is that
they are configured per machine, which can result in a lot of running around for
anyone to manage in larger environments. You cannot edit multiple Local Group
Policies with the default Local Security Policy console from the Administrative Tools
menu. The Local Security Policy console allows you to edit the traditional Local
Group Policy. You must use a custom console for multiple Local Group Policies.
See Exercise 5.1 for step-by-step details.
EXERCISE 5.1
ACCESSING MULTIPLE LOCAL GROUP POLICIES
1. Click Start | Run.
2. In the Open dialog box type mmc and click OK.
3. Click File | Add/Remove Snap-in.
4. Select Group Policy Object Editor from Available Snap-ins:
and click Add (see Figure 5.1).
Figure 5.1 Adding the GPO Editor Snap-In
5. In the Select Group Policy Object window click Browse.
6. In the Browse for a Group Policy Object window select the Users
tab (see Figure 5.2).
Figure 5.2 Configuring Multiple Local Group Policies
7. Select Non-Administrators and click OK.
8. In the Select Group Policy Object window click Finish.
9. In Add or Remove Snap-ins click OK.
10. In the console tree expand the Console Root and then expand
Local Computer \Non-Administrators Policy.
11. Expand User Configuration | Administrative Templates |
Control Panel and click on Add or Remove Programs.
12. In the Settings pane double-click Add or Remove Programs.
13. On the Setting tab select Enabled and click OK.
14. Close all windows and logon as a Non-Administrator account to
test the configuration of the policy.
Local Group Policies can be very useful in large and small environments alike.
With the new MLGPO user roles, workgroups are now offered greater flexibility,
which contributes to ease of administration. Machines in larger environments
that require isolation from the domain can now be locked down more readily as
well. Because LGPOs are stored on the local computer, upholding the policies and
maintaining consistency across machines can prove difficult. Running around from
machine to machine making LGPO changes is something that can quickly fill an
administrator's day.
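Because each LGPO and MLGPO lives only on the machine that holds it, the first step in keeping them consistent is knowing which ones exist on a given box. The following is an added example, not from the book or Exercise 5.1: it inventories the local policy store. It assumes the documented layout in which the Administrators and Non-Administrators MLGPOs are stored under %SystemRoot%\System32\GroupPolicyUsers in folders named for the well-known SIDs S-1-5-32-544 and S-1-5-32-545, with user-specific MLGPOs in folders named for the user's SID.

```powershell
# Added example (not from the book): list the Local Group Policy objects present on
# this machine. Assumes the %SystemRoot%\System32\GroupPolicy and
# GroupPolicyUsers\<SID> storage layout for the traditional LGPO and the MLGPOs.
function Get-LocalGpoInventory {
    $base  = Join-Path $env:SystemRoot 'System32'
    $items = @()

    # The traditional LGPO: Computer Configuration plus a single User Configuration.
    $items += [pscustomobject]@{
        Scope               = 'Local Computer Policy'
        Path                = Join-Path $base 'GroupPolicy'
        HasUserSettings     = Test-Path (Join-Path $base 'GroupPolicy\User\registry.pol')
        HasComputerSettings = Test-Path (Join-Path $base 'GroupPolicy\Machine\registry.pol')
    }

    # MLGPOs: one folder per SID. S-1-5-32-544 = Administrators, S-1-5-32-545 = Users
    # (the Non-Administrators role); any other SID is a user-specific LGPO.
    $usersDir = Join-Path $base 'GroupPolicyUsers'
    if (Test-Path $usersDir) {
        foreach ($dir in Get-ChildItem -Path $usersDir -Directory) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($dir.Name)
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $dir.Name }   # SID no longer resolves: orphaned user-specific LGPO
            $scope = switch ($dir.Name) {
                'S-1-5-32-544' { 'Administrators LGPO' }
                'S-1-5-32-545' { 'Non-Administrators LGPO' }
                default        { "User-specific LGPO ($name)" }
            }
            $items += [pscustomobject]@{
                Scope               = $scope
                Path                = $dir.FullName
                HasUserSettings     = Test-Path (Join-Path $dir.FullName 'User\registry.pol')
                HasComputerSettings = $false   # MLGPOs carry User Configuration only
            }
        }
    }
    $items
}

Get-LocalGpoInventory | Format-Table -AutoSize
```

A user-specific folder whose SID no longer resolves is worth a second look: it is a policy that still applies if that SID is ever reused, and nothing in the Local Security Policy console will show it.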
Non-Local Group Policy Objects
Non-local GPOs exist in Active Directory with the same purpose as LGPOs:
lockdown and configuration. GPOs contain boatloads of settings and configuration
options that allow you to depict user and workstation environments in your enterprise.
So, for instance, you can perform action. Machines belonging to an Active
Directory domain will download the GPOs affecting them from the domain controllers
(DCs) in their domain and apply the policy settings. When you create a new
GPO in the Active Directory environment it is broken down into a Group Policy
Container (GPC) and a Group Policy Template (GPT). The GPC exists in Active
Directory and contains version information, and the GPT is stored in the System
Volume (SYSVOL) directory on each DC in the domain and contains the settings
of a policy. The SYSVOL directory on the DCs is a shared directory which is replicated
between DCs. This allows a client to authenticate against any DC and download
the policies they require from that same DC. Because the SYSVOL directory
is replicated throughout the domain environment, the clients receive a consistent
copy of any GPO regardless of the DC they connect to. Another benefit in using
SYSVOL as a storage location for GPOs is that regardless of where or how many
times in Active Directory the GPO is referenced, only a single copy of the GPC
and GPT needs to be stored. Just like LGPOs, all GPOs are divided into two
configurable sections:
■ User Configuration
■ Computer Configuration
These sections each have Policies and Preferences that are configurable. It's the
combination of the User and Computer Configuration sections that make up a
users environment on any given workstation in your enterprise.
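The GPC in Active Directory and the GPT in SYSVOL are replicated by two different mechanisms, so the practical check is that the version numbers stored in each agree on the DC a client talks to. The following is an added example, not from the book, using the GroupPolicy and ActiveDirectory modules; the paths it builds follow the standard CN=Policies container and SYSVOL\Policies layout.

```powershell
# Added example (not from the book): show where each GPO's GPC and GPT live and
# check that their version numbers agree. Domain name comes from the current domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoStorageReport {
    $dom    = Get-ADDomain
    $domain = $dom.DNSRoot
    $dn     = $dom.DistinguishedName

    Get-GPO -All -Domain $domain | ForEach-Object {
        $guid = "{$($_.Id)}"
        $gpt  = "\\$domain\SYSVOL\$domain\Policies\$guid"
        [pscustomobject]@{
            Name              = $_.DisplayName
            GPC               = "CN=$guid,CN=Policies,CN=System,$dn"   # AD object: versions, links, ACL
            GPT               = $gpt                                   # SYSVOL folder: the settings themselves
            GptExists         = Test-Path $gpt
            UserVersionOk     = ($_.User.DSVersion -eq $_.User.SysvolVersion)
            ComputerVersionOk = ($_.Computer.DSVersion -eq $_.Computer.SysvolVersion)
        }
    }
}

$report = Get-GpoStorageReport
$report | Format-Table Name, GptExists, UserVersionOk, ComputerVersionOk -AutoSize

# A GPC/GPT mismatch means AD replication and SYSVOL replication have drifted on
# the DC you queried; clients that authenticate there may apply stale settings.
$report | Where-Object { -not ($_.UserVersionOk -and $_.ComputerVersionOk -and $_.GptExists) } |
    ForEach-Object { Write-Warning "GPO '$($_.Name)' is inconsistent between AD and SYSVOL" }
```

Run it against more than one DC (the -Server parameter of Get-GPO) when a branch office reports settings that headquarters does not see; the version columns tell you which replication path is behind.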
When you are configuring policies sometimes your policy will contain only
User Configuration settings or only Computer Configuration settings, but not both.
In these cases, it is a best practice recommendation to disable the unused portion of
the policy. The benefit of doing so is that downloads will not take place unnecessarily.
Normally, a computer will download all GPOs applied to it in Active Directory. The
machine isn't aware of how many settings exist in the policy until it actually gets to
the GPT and pulls the files and applies them. If the GPT is empty for Computer settings,
the machine will be initiating a download without cause. So, by disabling policy
pieces not in use, you ultimately save your machines the trouble of downloading
empty policies, as well as unnecessary network bandwidth use.
A policy can also be disabled altogether. This is particularly useful when you
suspect a policy of causing issues in your environment. You may disable a policy
and then test to see if the unwanted effect is gone. If the issue is resolved you know
that the policy was the root cause. If the undesired situation persists you can enable
the policy and move on to the next one. This allows for easy troubleshooting
without having to unlink policies in the Active Directory environment. Perform
the following steps to adjust the status of a policy:
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand the domain where the policy exists, for example, The3Bears.com.
4. Expand Group Policy Objects.
5. Select the policy you would like to edit, for example, All Users Desktop
Lockdown.
6. In the center pane click the Details tab.
7. Under GPO Status click the drop-down menu and select the desired
option (see Figure 5.3):
■ All settings disabled
■ Computer configuration settings disabled
■ Enabled
■ User configuration settings disabled
Figure 5.3 Configuring GPO Status Settings
EXAM WARNING
Know when Group Policies are processed.
Machine starts up:
1. Computer Configuration settings are applied.
2. Startup scripts run.
User logs on:
1. User Configuration settings are applied.
2. Logon scripts run.
Background refresh of changes takes place every 90 minutes for both
the Computer and the User configurations. Only changes are applied,
not the entire policy.
Understanding Group Policy Chapter 5 299
www.syngress.com
As you create policies in your environment, it is a good idea to name them
in a way that is intuitive. You will find that months later when you return to a
policy for whatever reason, it will be easier to figure out the intended purpose
of the policy if you have created a descriptive naming convention and abided by
it. To assist in the administrator's quest for clarity, Microsoft has created a new
Comment section within Group Policy. The Comment section is configured
per policy, not per link, so each place in Active Directory where the policy is
linked will reflect the same text in the Comment section. The Comment section
gives you the opportunity to type in a few descriptive sentences about the Group
Policy. You can really input whatever you like, but it may be a good idea to set
up company standards around what belongs in this field. Some good suggestions
would be to input text describing the author of the policy, who authorized the
policy, the purpose of the policy, whom the policy should be affecting and why,
and so on.
To view the Comment field for a Group Policy, follow these steps:
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand the domain where the policy exists, for example, The3Bears.com.
4. Expand Group Policy Objects.
5. Select the policy you would like to view, for example, Smokey's Team
Lockdown.
6. In the center pane click the Details tab.
7. The Comment section is displayed on this tab. See Figure 5.4.
EXAM WARNING
Remember: It is a best practice recommendation to disable unused
portions of Group Policies.
To edit/enter text into the Comment field follow these steps:
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand the domain where the policy exists, for example, The3Bears.com.
4. Expand Group Policy Objects.
5. Select the policy you would like to edit, for example, Smokey's Team
Lockdown.
6. Right-click on the policy and select Edit.
7. In the Group Policy Management Edit window right-click the name
of the policy and click Properties. See Figure 5.5.
8. Select the Comment tab to edit/enter text. See Figure 5.6.
Figure 5.4 Comment Section of a Group Policy
Figure 5.5 Selecting the Properties of a Group Policy
The Comment field is also available on each Administrative Template setting
within a Group Policy. If there are things you need to remember about a setting, or
if there is information that would prove useful to other administrators about how
something is configured, a comment at the policy level may be too broad. You can
take advantage of the setting-level Comment field to document additional details.
Just remember that the field exists only on Administrative Template settings and will
not be visible on Software Settings, Windows Settings, or any Preferences for both
User and Computer Configuration. To view the Comment tab at the setting level,
right-click a setting within a policy and click Properties. See Figure 5.7.
Figure 5.6 Entering or Editing Comments on a Group Policy
Figure 5.7 Setting Level Comment Field
Preferences
A new feature of Group Policy in Windows Server 2008 is the ability to configure
Preferences. Preferences allow you to configure many settings in a user's environment
that are not available via traditional Group Policies. Things that were traditionally
configured in logon scripts such as printers, mapped network drives, and shortcuts
can now be set via Preferences. These new settings are extremely interesting in that
what you configure is not enforced. When a setting is enforced users cannot change
the enforced value and the option to modify the setting will appear grayed out. With
Preferences the settings are configured by the policy; however, the values are not
grayed out and the user can modify the values at any time. For instance, if a user has
a shortcut icon created via Preferences, the user retains the ability to edit or delete
the shortcut icon. If a policy is removed for any reason the configuration does not
revert, but instead remains as the policy left it. Because the user is not restricted
from changing the setting, the user can edit it at any time. By default, Preferences
are refreshed when Group Policy refreshes, but this can be configured on a per-
Preference basis. You can also configure the Preferences in a policy to be applied just
once. This can be useful for policies that normally don't require adjustment after their
initial configuration, such as Environmental Values or Power Settings. Each Preference
has a Common tab which allows you to configure options (see Figure 5.8).
Figure 5.8 Common Tab Options for Preferences
Another exciting feature of Preferences is the ability to perform targeting.
Targeting allows you to select which users and machines the Preference will
apply to. Instead of using mechanisms available in Group Policies, such as Security
Filtering and WMI Filtering, Preferences take things to a new level. Security
Filtering uses permissions to allow specific users, computers, and groups to apply
a policy. WMI Filtering uses information about the computer, such as operating
system or free disk space, to determine whether the policy should apply. Both of
these mechanisms determine whether a policy in its entirety should apply. So, either
all the settings in a policy apply, or none of the settings apply. With Preferences,
there is more flexibility in defining the audience for a policy than with Security
Filtering and WMI Filtering. Within Preferences exists a whole slew of criteria that
can be combined to target the smallest to the largest groups of users and computers.
Settings such as CPU Speed, Free Disk Space, Language, IP Address Range, and
Operating System are examples of the granularity that can be achieved within the
Targeting Editor (see Figure 5.9). Also, targeting of different groups for different
settings can be performed from within a single policy. Because targeting is configured
per Preference setting in a single policy you can have Printer A which pushes
to IP Address Range 192.168.1.25-192.168.1.125 and Printer B which pushes to
IP Address Range 192.168.1.126-192.168.1.199, as depicted in Figure 5.10.
Figure 5.9 Targeting Editor
Network Location Awareness
In today's disparate world, the reality is that users in a large enterprise may be connecting
into the domain from a variety of places across a variety of bandwidth types.
In situations where the bandwidth may be limited there are certain policy settings
that you would not want traversing the wire. Software Policies are a good example of
a Group Policy setting that just doesn't work in low-bandwidth situations. Office 2007
installing across a T1 line to 40 users in a satellite office should only ever occur in an
administrator's nightmare, not on his or her network.
Figure 5.10 Utilizing Preference Targeting
EXAM WARNING
Group Policy settings are enforced and Preferences are simply set. Users
are allowed to modify a Preference after it has been configured on their
workstations. If your goal is lockdown, Preferences are not the appropriate
mechanism to employ.
To allow Group Policy to determine what types of settings are appropriate
based on the bandwidth of the connected user, Microsoft has built a new feature
into Windows Vista and Windows Server 2008, called Network Location Awareness.
In previous operating systems, network bandwidth was detected utilizing the
Internet Control Message Protocol (ICMP). Essentially, ping packets sent across the
network would determine whether a connection was deemed slow. This proved
to be a less-than-perfect solution because in many situations, users connecting from
a slow link location may have a firewall between them and the DC, potentially
blocking the ICMP traffic. This prevented proper detection of network bandwidth,
therefore causing policies to process improperly and allowing for large policy
settings to process across slow links. Network Location Awareness mitigates this
by making Group Policy aware of the network bandwidth and state.
In earlier versions of Windows, Group Policy just wasn't aware of the state of
the network connection on a machine. Policies apply during system boot, during
user logon, and thereafter at regular refresh intervals; that's it. So, if a machine
were to miss a Group Policy Refresh because it was disconnected from the network,
it would start the countdown timer to the next refresh time frame. If the
machine was reconnected to the network before reaching the refresh interval, it
would just continue to wait until the refresh time arrived. Group Policy had no
indication that the network was now available and that the policies would process
successfully. With Windows Vista and Windows Server 2008 the implementation of
Network Location Awareness allows Group Policy to become more in tune with
the machine's network state. For instance, if a mobile user moves his laptop in and
out of different network conditions such as wireless, docked, virtual private network
(VPN) connected, wired, and so on, the processing of Group Policy can occur with
each change. So, if the machine failed on its last attempt to refresh or if the retry
window has arrived, the machine will use the availability of the DCs as an additional
factor in determining whether Group Policy processing should occur.
User
Each GPO is broken down into two main components: User Configuration and
Computer Configuration. The User Configuration has both Policies and Preferences
available. The User Configuration can be used to do many things, including but
not limited to deploying software, locking down application settings, administrating
desktop settings, and assigning logon scripts. Configuring the user portion of a GPO
gives you the ability to influence a user and her experience, even as she moves
around within the organization.
For example, Steve arrives at the office, rushes into the nearest conference room,
and powers up his laptop. He logs on to the domain to prepare for a conference call.
When Steve authenticates against the domain from his laptop, all policies affecting
his user account in the domain are processed and applied. So, let's say that Steve's
user account has the following settings in effect from those policies:
■ Run line removed from the Start menu
■ Control Panel hidden
He finishes his conference call and heads to his desk to officially start the day.
He sits at his desk and logs on to the domain again, this time from his desktop
machine. Steve is now using a different machine; however, the policies affecting his
user account in Active Directory remain the same. If the summation of the processed
policies gives him the previously listed settings at his laptop, from his desktop they
would be the same. The policies follow his user account throughout the environment.
Computer
The computer configuration section of a GPO also has both Policies and
Preference sections available. Many of the sections in a GPO overlap between
the User and Computer Configurations. Examples of overlap are scripts, security
settings, and the Control Panel. The contents of each section will vary between
the User and Computer Configurations, and what is possible in one may not
exist in the other. The Control Panel settings are a good example of this. There
are only two subsections within the Control Panel for Computer Configuration:
Regional and Language Options, and User Accounts. The Control Panel under the
User Configuration has much more to offer: Add or Remove Programs, Display,
Printers, Programs, and Regional and Language Options. Notice the overlap
between Regional and Language Options in the two sections. For the most part,
setting options in the User and Computer Configurations will be different, but in
the event of overlap, a conflict may occur. If a conflict arises between the User and
Computer Configurations, the Computer Configuration will take precedence.
Some settings within Group Policy you can apply only to machines. The
Loopback Processing mode setting is a good example of this. Computer Configuration
settings can be extremely useful in situations where the user is irrelevant in the application
of the policy. Windows Updates and Event Viewer are good examples of this
because regardless of the user logging on to the machine, the settings will rarely differ.
It just makes sense to apply these types of policy settings to machine accounts rather
than user accounts because the logged on user is irrelevant. Computers that have a
special function in an organization are also a practical target for computer-based policy
settings, such as a dedicated kiosk machine or a public Web access workstation. In any
case, Computer Configuration settings can offer a powerful solution to administrators
seeking a method of applying machine-based settings across the enterprise.
Group Policy Hierarchy
When applying GPOs in an Active Directory environment it is just as important to
take heed of where you are applying a policy as it is to plan what you are putting
in it. The default nature of a GPO is to trickle down the tree structure from where
it is applied and impact all objects along the way. Without careful planning and consideration,
you run the risk of ending up with an undesired outcome. As a result of
poor planning or a lack of understanding of the Active Directory hierarchy, multiple
policies can combine and produce lockdown when it is undesired or allow users
to retain settings that may be considered a risk. To plan for and deploy an effective
Group Policy infrastructure it is crucial to understand how the Active Directory
hierarchy comes into play.
Site, Domain, and OU Hierarchy
The first policy to process is always the local policy (LGPO). Once the local policy
has completed processing, the domain-level policies are applied. Group Policies can
be applied at three levels within the Active Directory environment:
■ Site
■ Domain
■ Organizational unit (OU)
A single GPO can be applied at multiple locations in the hierarchy and any
level can have multiple policies applied.
The Site level represents the highest level in which a GPO can be applied. Policies
linked at the Site level are the first domain-based policies to be downloaded and
applied. Because machines become members of Sites based on their Internet Protocol
(IP) address, machines from multiple domains may become members of a single Site.
This can present issues, because GPOs are stored at the domain level. Only DCs from
the domain in which a GPO was created will have a copy of the GPT available for
download. If a GPO is created directly on a site object, the GPT will be stored in
the domain identified as the forest root. Machines may be required to use bandwidth
to download the pertinent GPO while their users wait. In general, linking at the
Site should be performed with caution. It has the implication of targeting multiple
domains as well as the chance of creating inconsistency for mobile users unless applied
with careful planning. With the proper planning and testing, linking at the Site level
can be useful in situations such as software deployment, but understanding the
ramifications of Site linking is critical for you to effectively apply GPOs.
Configuring & Implementing
Applying GPOs at the Site Level
The Site level may present an unpredictability factor for applying GPOs.
The reason most environments will stay away from settings at this tier
has to do with the nature of a Site. A Site is a group of well-connected
computers. You create a Site within Active Directory and then associate
it with any subnets that are considered well connected. Geographically
distributed environments will have numerous sites. Users in today's world
are mobile and they may move between different Sites by visiting remote
offices or, in some cases, by simply carrying their laptops from building
to building on a company campus. Each time a machine moves to a new
Site it will be affected by the GPOs linked to the Site it is in at that point
in time, hence the unpredictability factor. Sometimes the machine will
get a setting and sometimes it will not, depending on the Site the GPOs
happen to be in that day. If GPOs linked at the Site level are different
from Site to Site, the GPO result for a given user or computer will vary.
Without knowing which Site a mobile user may be associated with, there
is no way to consistently enforce policy.
Once the Local and Site level policies have been processed, the next policies to
apply are any Domain linked policies. When applying a Group Policy at the Domain
level, the settings configured in the policy will be inherited down the tree structure
and will be applied to all objects in the hierarchy. This includes both computer objects
and user objects in the tree. Applying policies at the Domain level is appropriate when
the settings are applicable across the enterprise. Settings mandated by corporate security
policies are a good example of a compelling Domain level Group Policy. Because
Domain level Group Policies are so widespread, they will have a large impact if many
policies are applied at this level. Keeping Domain level policies to a minimum is in
your best interest to minimize processing overhead.
EXAM WARNING
Remember that one policy with many settings will process faster than
multiple policies with a few settings apiece. Reducing the number of
policies will speed up the time it takes for policies to download, in turn
making logon for users faster.
The final level in the hierarchy is the OU. In most organizations, you will
want to apply your policies at the OU level. You will have more granular control
at this tier, and the scope of the policy is narrowed to affect only the desired user
or computer accounts. The default nature of policies at the OU level is to inherit
down the tree structure to all child objects, user accounts, computer accounts, and
child OUs, including their child objects.
TEST DAY TIP
To help you remember the policy inheritance order, take advantage of
the paper you will receive during your test. When you first sit down,
draw the hierarchy of Site, Domain, and OU. You can then reference
your diagram as you need it.
Group Policy Processing Priority
When a machine boots up or a user logs on, the machine is tasked with scrambling
to collect and download all applicable policies and apply them in the correct order.
Many policies can affect a single user or machine, and when more than one GPO
is applied the result is a summation of all the policies involved. This is similar to a
person getting ready to go outside on a cold winter day. Let's say Justin pulls on a
long-sleeve shirt, a sweater, and finally a jacket. Justin is dressed in layers, but the
first two layers he put on are covered by the layer he put on last. Policies are applied
in a similar fashion. Starting from the top of the hierarchy, the settings are cumulated;
however, if a conflict occurs, the last value processed for that setting applies.
The first policy to be applied is the local policy. If the machine is a Windows Vista
or Windows Server 2008 (non-DC), the MLGPO is applied in the following way:
■ Local Computer Policy
■ Administrators or Non-Administrators Local Group Policy
■ User-specific Local Group Policy
The final policy processed will win in the event of a conflict, so a User-specific
setting will always win over a Local Computer Policy setting. Next to be
processed are policies linked to the Site level. It is typically not a recommended
practice to link GPOs at the Site level. It can be difficult to predict which users will
be affected by a Site-level policy and when. For example, if a laptop user were to
work in the Atlanta office on a Monday, then hop a plane on Tuesday to the Miami
office to work for the rest of the week, the policies that are applied to his machine
may differ between the two locations when Site-level policies are in use. So, if the
Miami administrator chose to lock down the command prompt in a GPO and then
applied the GPO to the Miami Site, a programmer visiting that office may lose the
ability to perform his job function due to the Site-level policy.
To keep things consistent it may be a good idea for you to use caution when
linking GPOs with certain settings at the Site level. Once Site-level policies have
processed, the next policies to apply are any Domain-level GPOs. Finally, OU-level
GPOs will apply. OU-level GPOs will transmit their settings to all child objects.
So, with OU policies, depending on how deep a user or computer is in the hierarchy,
administrators may have many OU-level GPOs to apply. The last setting of a
policy always wins regardless of where it originated in the hierarchy. In Figure 5.11,
the IT Users OU is inheriting one policy, the Company Wallpaper Policy, and has
another applied, the Custom IT Policy. For a user or computer account residing in
the IT Users OU, the wallpaper setting of Disable will apply because the policies
on the lower OU will be processed after the Domain-level policy.
Figure 5.12 shows the Group Policy Management Console (GPMC) displaying
the Group Policy Inheritance tab for the Level 1 Support OU. The policies listed
originated from higher in the tree structure and are being inherited. Notice that
the Precedence column lists All Users Desktop Lockdown first, indicating that its
settings will override any settings that conflict in the other policies.
Figure 5.11 Inheritance Example
Figure 5.12 GPMC Displaying Inheritance at the OU Level
Creating and Linking GPOs
In this section we'll discuss creating and linking GPOs.
Creating Stand-Alone GPOs
When creating a GPO for the first time it may worry you to think of the impact
you may have if the GPO were to be applied either with the wrong settings or
at the wrong place within Active Directory. To avoid any GPO creation mistakes,
Microsoft allows you to create stand-alone GPOs. Stand-alone GPOs are not
linked anywhere in the infrastructure upon creation. They are simply floating
within your Active Directory universe. Just like any other GPO, they will have a
GPT and a GPC and the settings will exist in SYSVOL for users and computers to
download, with one major difference: No one will be downloading them. Because
the policies are not linked anywhere in the Active Directory environment, users
and computers alike will not know that they exist, and therefore, any changes you
make to the policies will go unprocessed. To create a stand-alone GPO follow
these steps:
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand the domain name, for example, The3Bears.com.
4. Right-click on the Group Policy Objects folder and select New.
Linking Existing GPOs
Once you have created a stand-alone GPO, it will affect no person or machine in
your environment. To have your new policy have an impact on your network you
must link it somewhere in the hierarchy. You can do this at the Site, Domain, or
OU level. One of the fabulous things about GPOs is their reusability. So, if your
Accounting department has incurred administrative wrath and is locked down
from toes to chin with Desktop Policies, there isn't any reason why you can't easily
spread the joy to the Human Resources staff if they get on your nerves with the
same policy. Once you have created GPOs in your Active Directory environment,
you can link them at different places within your Active Directory infrastructure
with just a few simple clicks. Depending on the design of your Active Directory
OU structure, you may want to link a GPO to multiple OUs to effectively target
all the users for whom the policy was designed. To link an existing GPO, follow
these steps:
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand the domain name, for example, The3Bears.com.
4. Right-click the location where you would like to link the policy and
select Link an Existing GPO (see Figure 5.13).
5. In the Select GPO dialog box, under the Group Policy Objects
section, highlight the GPO you wish to link.
6. Click OK.
Creating and Linking at One Time
In some instances, you already know where you would like a GPO to go before
you create it. In these cases, it makes sense to simply create the policy where it is
going to be linked and then configure the settings afterward (see Figure 5.14).
Figure 5.13 Linking an Existing GPO
For step-by-step create and link instructions, see Exercise 5.2.
EXERCISE 5.2
CREATING AND LINKING A GPO
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand the domain name, for example, The3Bears.com.
4. Right-click the location where you would like to create and link
the GPO, in this case, the AD Admins OU.
5. Select Create a GPO in this Domain, and Link it here.
6. In the New GPO window, type in a name for the new GPO. You
can also select a Source Started GPO in this window if you want.
7. Click OK.
Figure 5.14 Creating and Linking a GPO with One Action
Controlling Application of Group Policies
In every universe there is the exception to the rule. In the case of Group Policies,
it isn't a platypus or a tomato. It tends to be VPs of Finance or the CFO's secretary
or sometimes even your boss and colleagues. No matter the why behind the
need for an exception, a few different mechanisms are available to you to tweak
and adjust your policies so that everyone can be happy in your environment. Well,
within reason anyway.
Being able to bend the rules of policy application can be a fabulous tool when
exceptions crop up in your environment. Because Group Policies will naturally flow
down the Active Directory tree structure, altering that flow with Block Inheritance
is one way to change the outcome of inherited settings. Another method is to give
certain policies preference over others via Enforce. Other mechanisms include
Security and WMI Filtering, as well as Group Policy Loopback settings. We will
discuss each of these in more detail in the following sections.
Enforce
In some organizations, certain policies must be applied to everyone in the enterprise,
period. Sometimes it's a security mandate that requires all users to have the
Run line removed from their Start menus, other times it's a marketing mandate
that requires all users to have the company wallpaper set at all times, or it's a legal
requirement to display a disclaimer every time a user logs on. The nature of Group
Policy inheritance and the hierarchy of Active Directory can sometimes create
unfavorable conditions, causing a policy to fail to apply where it is required. Enforce
is configured in Active Directory where a GPO is linked, not on the overall policy
itself. So, there is the potential to have a policy linked at many different levels,
but to have it Enforced only where you indicate. You can see the direct effect of
Enforce in the GPMC.
To prevent a mandated policy from being overridden you must mark the link
as Enforced. This allows you to avoid the unpleasant situation of having to explain
why the marketing manager noticed two employees in the IT department with
World of Warcraft wallpaper instead of the prescribed company logo. By giving a
wallpaper policy the ability to trample on any and all policies in its way, you will
save yourself the reprimand. Enforce essentially creates a policy whose settings will
always win in the case of a conflict. Notice the policies in Figure 5.15; because all
policies are inheriting normally the Domain-level policy which is named Company
Wallpaper Policy is at the bottom of the precedence list. This policy has the potential
to have the wallpaper setting it is configured with overridden by both the
Default Domain Policy and the Custom IT Policy.
Figure 5.15 Normal Inheritance
TEST DAY TIP
Don't get caught up in the details. Reading too much into an exam
question can lead you to draw false conclusions. Take the information in
the questions at face value, and remember, you know this stuff!
When you enable Enforce on the Company Wallpaper Policy, the precedence is
directly impacted and now the Company Wallpaper Policy moves to the top of the
list. At this point, it will not be overridden by any of the lower precedence policies
(see Figure 5.16).
In the case of two policies set to Enforce with opposing settings, the administrators
have to duel to the death and the last one standing gets to apply his policy.
Okay, so maybe it doesn't work quite that way. It actually goes something more like
this: When two policies are set to Enforce and have conflicting values, the policy
higher in the tree structure wins (see Figure 5.17). The concept is that if you have
set permissions at the Domain level to apply policies, you probably have more clout
in your Active Directory world. To reference the previous example, if both policies
to apply wallpaper were configured with Enforce, the higher Company Wallpaper
Policy would be the resultant winner. So, there is no way for a lower-level policy to
attempt to override a policy higher in the tree structure with an Enforce. Figure 5.18
shows the Company Wallpaper Policy at the Domain level, which will win in the
event of a conflict. Sorry, IT fellas.
Figure 5.16 Enforcing a GPO
Figure 5.17 Higher-Level Enforce Wins
Figure 5.18 Higher-Level Enforce in GPMC
Block Inheritance
An additional method of manipulating default inheritance is to apply Block
Inheritance to a particular OU. When this setting is configured on an OU, it will
not inherit or apply any of the policies linked to its parent objects. The only exception
to this is the Enforce setting. Enforce will barrel through a Block Inheritance
and will allow a policy to apply to objects within that OU regardless of the existence
of Block Inheritance. If you need to isolate a lower-level OU from inheriting
GPOs from its parents, the easiest way to achieve this is via Block Inheritance.
A wonderful utilization of this feature often involves administrators like you. Let's
assume you would like to apply a policy that removes the Run line and the Control
Panel from all users in the Charlotte office. You create and configure your policy
and then link it to the Charlotte office OU in Figure 5.19.
TEST DAY TIP
Try not to panic if the exam throws a million policies at you to compare.
Just work through them one at a time.
Figure 5.19 The Charlotte Office OU Structure
The default behavior is for the policy to trickle down the tree structure and
apply to all objects in its path. This will include all objects in the child OUs.
If your user account or those of your fellow administrators happen to reside in the
Charlotte IT Staff OU, you will inevitably be impacted by the policy. Try to perform
your job as an administrator without a Run line or the Control Panel! The
solution in this instance could be to Block Inheritance at the Charlotte IT Staff OU.
When you configure a Block Inheritance the harmful policy will not be inherited
by objects within the Charlotte IT Staff OU and you will retain your Run line
and Control Panel. However, there can also be drawbacks to implementing this
mechanism, so you should use it only after careful planning. Suppose another policy
is configured at the Charlotte Office OU. This policy maps network drives to
home drives for all Charlotte personnel, and runs Logon scripts. By putting a Block
Inheritance in place at the Charlotte IT Staff OU, the desired policy will also be
blocked. As you can see, Block Inheritance can be a very powerful disrupter in your
environment, but when applied properly it should become a significant addition to
your administrative arsenal.
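The following PowerShell script is an added example and is not part of the book or of Microsoft's documentation; it reports the effective GPO precedence for an OU and explains, link by link, why each parent policy did or did not reach it, which is exactly the question Enforce and Block Inheritance make hard to answer by eye. It assumes the GroupPolicy PowerShell module (shipped with Windows Server 2008 R2 and the matching RSAT; Windows Server 2008 RTM has only the GPMC GUI) and uses the hypothetical OU distinguished name OU=Charlotte IT Staff,OU=Charlotte Office,DC=The3Bears,DC=com. Site-linked GPOs are not walked, because the script climbs the directory tree by distinguished name.

```powershell
# Added example, not from the book. Requires the GroupPolicy module (Server 2008 R2 / RSAT).
Import-Module GroupPolicy

function Get-EffectiveGpoOrder {
    # Lists the GPO links that actually reach $OuDn in processing precedence
    # (1 = applied last = wins conflicts) and the reason each link is there.
    param([Parameter(Mandatory = $true)][string]$OuDn)

    $inh  = Get-GPInheritance -Target $OuDn
    $rank = 0
    foreach ($link in $inh.InheritedGpoLinks) {   # already sorted: highest precedence first
        $rank++
        $fromParent = ($link.Target -ne $inh.Path)
        $why = if (-not $fromParent) { 'linked directly to this OU' }
               elseif ($link.Enforced -and $inh.GpoInheritanceBlocked) { 'Enforced: passes through Block Inheritance' }
               elseif ($link.Enforced) { 'Enforced at a parent: beats every non-enforced link below it' }
               else { 'inherited from a parent' }
        New-Object PSObject -Property @{
            Precedence = $rank; GPO = $link.DisplayName; LinkedAt = $link.Target
            Enforced = $link.Enforced; Enabled = $link.Enabled; Why = $why
        }
    }
}

function Get-BlockedGpoLinks {
    # Walks up from $OuDn to the domain and lists parent links that do NOT reach the OU,
    # either because the link is disabled or because a Block Inheritance below it stops it.
    param([Parameter(Mandatory = $true)][string]$OuDn)

    $reaching = @{}
    foreach ($l in (Get-GPInheritance -Target $OuDn).InheritedGpoLinks) {
        $reaching["$($l.GpoId)|$($l.Target)"] = $true
    }
    $parent = $OuDn -replace '^[^,]+,', ''        # drop the first RDN
    do {
        $pInh = Get-GPInheritance -Target $parent
        foreach ($l in $pInh.GpoLinks) {
            if (-not $reaching.ContainsKey("$($l.GpoId)|$($pInh.Path)")) {
                $cause = if (-not $l.Enabled) { 'link disabled' } else { 'stopped by Block Inheritance below it' }
                New-Object PSObject -Property @{
                    GPO = $l.DisplayName; LinkedAt = $pInh.Path; Enforced = $l.Enforced; Cause = $cause
                }
            }
        }
        $isDomain = ($parent -match '^DC=')        # the domain itself is the last container checked
        $parent   = $parent -replace '^[^,]+,', ''
    } until ($isDomain)
}

$ou = 'OU=Charlotte IT Staff,OU=Charlotte Office,DC=The3Bears,DC=com'   # hypothetical
Get-EffectiveGpoOrder -OuDn $ou | Sort-Object Precedence | Format-Table Precedence, GPO, LinkedAt, Enforced, Why -AutoSize
Get-BlockedGpoLinks  -OuDn $ou | Format-Table GPO, LinkedAt, Enforced, Cause -AutoSize
```

In the Charlotte example, running this against the IT Staff OU after the Block Inheritance is set shows the drive-mapping and logon-script GPO from the Charlotte Office OU in the second table, which is the "desired policy will also be blocked" problem described above made visible before anyone logs on.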
Group Policy Results
and Group Policy Modeling
When Block Inheritance and Enforce start to wreak havoc on the outcome of
the policies in your hierarchy, there are mechanisms you can employ to become
aware of conflicts and either predict or mitigate them before real trouble brews.
Microsoft provides two tools within the GPMC which will assist you in managing
and troubleshooting Group Policy in a proactive and efficient manner:
■ Group Policy Results Wizard
■ Group Policy Modeling Wizard
The Group Policy Results Wizard allows you to view the outcome of your policies
after all have been processed and applied and the dust has settled. To execute
the tool from within the GPMC simply expand the Forest node and select Group
Policy Results. Right-click on Group Policy Results and select the Group
Policy Results Wizard.
The wizard requires you to select a machine account as a first step (see Figure 5.20).
It will then connect to the machine you have indicated and will list all the user accounts
that have logged on to the machine before. You may then select the Current user
option or a user from the displayed list of accounts available for policy processing
(see Figure 5.21). The wizard will proceed to evaluate the combination of machine
account and user account policies and will display the cumulative results in the Details
pane. You can exclude either the user or the computer account from the processing if
you wish. To exclude the computer policy settings select the Do not display policy
settings for the selected computer in the results (display user policy settings
only) checkbox on the Computer Selection screen, as shown in Figure 5.20.
To exclude the user policy settings select the Do not display user policy settings
in the results (display computer policy settings only) radio button visible on
the User Selection screen in Figure 5.21.
Figure 5.20 Selecting a Computer Account
The wizard will then gather the information it requires to generate a report
which will display in the Console window in the Details pane. The report is broken
down into three tabs:
■ Summary
■ Settings
■ Policy Events
The Summary tab is divided into user and computer sections and displays an
overview of the results (see Figure 5.22). The Settings tab contains the summation of
each policy setting from all the contributing GPOs. The Winning GPO for each
setting is also identified here. The Policy Events tab pulls from the Event Viewer of
Figure 5.21 Selecting a User Account
the target machines and displays any Event Viewer messages related to Group Policy.
Using information from the three tabs you will be able to determine which settings
are applied and where they are originating. You will also be able to determine whether
any errors or warnings involving Group Policy are being logged, as well as the last
time Group Policy was successfully applied. Also, any queries you create will display
in the console, and you can rerun, rename, or delete them at any time. You can save
the query results as a report in an XML or HTML file format for later review. This is
a fabulous tool when trying to decipher issues involving Group Policy application in
your environment!
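The same information the Summary and Settings tabs show can be pulled from the command line, which is useful when the machine in trouble cannot be reached from a GPMC console. The script below is an added example, not from the book: it runs gpresult (built into Windows Vista and Windows Server 2008 and later; an elevated prompt is needed for the computer half), writes the RSoP data to XML, and states for every GPO the engine looked at whether it applied and, if not, why. The element names it reads (Name, Enabled, IsValid, FilterAllowed, AccessDenied, Link/SOMPath, Link/NoOverride) are those of the RSoP XML report gpresult writes; check them against a report from your own domain before relying on the script.

```powershell
# Added example, not from the book. Windows Vista / Server 2008 or later (gpresult /x).
$report = Join-Path $env:TEMP 'rsop.xml'
gpresult /x $report /f | Out-Null                  # /f overwrites an existing report
[xml]$rsop = Get-Content -Path $report

function Get-GpoDisposition {
    # $Scope is the <ComputerResults> or <UserResults> element of the report.
    param([System.Xml.XmlElement]$Scope, [string]$Label)
    foreach ($gpo in $Scope.GPO) {
        # The flags are written as the strings "true"/"false"; test them in the same
        # order the engine rejects GPOs so the first matching reason is the real one.
        $result = if ($gpo.Enabled -eq 'false')           { 'GPO or link disabled' }
                  elseif ($gpo.IsValid -eq 'false')       { 'GPO invalid (GPC or GPT missing)' }
                  elseif ($gpo.AccessDenied -eq 'true')   { 'security filtering: no Read/Apply for this principal' }
                  elseif ($gpo.FilterAllowed -eq 'false') { 'WMI filter evaluated to false' }
                  else                                    { 'applied' }
        $links = @($gpo.Link)
        if ($links.Count -eq 0) { $links = @($null) }    # keep a row even if no link data was written
        foreach ($link in $links) {
            New-Object PSObject -Property @{
                Scope    = $Label
                GPO      = $gpo.Name
                LinkedAt = $link.SOMPath
                Enforced = ($link.NoOverride -eq 'true')   # "No Override" is the old name for Enforce
                Result   = $result
            }
        }
    }
}

$rows = @(Get-GpoDisposition $rsop.Rsop.ComputerResults 'Computer') +
        @(Get-GpoDisposition $rsop.Rsop.UserResults     'User')
$rows | Sort-Object Scope, Result | Format-Table Scope, GPO, LinkedAt, Enforced, Result -AutoSize
```

A GPO whose row reads "security filtering" for the user but "applied" for the computer is the classic symptom of a filtered GPO that still carries a link where the user is in scope; a row with "WMI filter evaluated to false" points you at the filter rather than at the link order.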
Figure 5.22 Displaying the Group Policy Results
So, here comes the way to attempt to avoid Group Policy issues in your environment
instead of resolving them as they occur. Just as Group Policy Results evaluates
the cumulative results of policies and displays them, so does Group Policy Modeling.
The difference is that with Group Policy Modeling you can explore the realm of
"what if" before you actually implement the change.
So, what if Sabrina from Accounting has her user account moved into the
Finance OU? Instead of relocating the user account in Active Directory and then
crossing your fingers and hoping for the best, you can proactively employ the
Group Policy Modeling tool to perform an analysis before the move is actually
performed. The tool will tell you what Sabrina's policy outcome will be after the
move has occurred, allowing you to make an educated decision as to whether the
move would be smart. Keep in mind that Modeling is a simulation run on a DC:
it reads the GPOs and the directory, but it never contacts the target computer, so
it cannot reveal a client that is failing to apply policy for local reasons (a broken
SYSVOL share, a stopped service, a slow link). That is what Group Policy Results
is for.
The Group Policy Modeling Wizard has flexibility in that it allows you to select
all the what if details involved in Group Policy processing to create almost any
fictional situation possible within your Active Directory environment. You launch
the wizard from within the GPMC by expanding the Forest node and selecting
Group Policy Modeling. Right-click on Group Policy Modeling and select
the Group Policy Modeling Wizard.
The first step in the wizard is to select a DC that is able to execute the simulation.
The DC you select must be running Windows Server 2003 or later. The next step
is to identify the targets for the simulation. You can choose to specify both user
information and computer information, or you can identify only one of the two.
Under User Information, you can select either a specific user or a container
within Active Directory. The same is true for Computer Information; you may
select either a specific computer account or a container. Once you have selected
the target for the simulation, you then have two choices in what comes next: Select
the checkbox at the bottom of the window and skip to the end of the wizard
(see Figure 5.23) to receive the analysis results, or click Next and continue to
provide criteria for the simulation.
If you choose to click Next rather than skip to the end of the wizard, you will be
asked to lay out the scenario by providing information such as:
■ Policy implementation settings:
■ Slow link processing consideration
■ Loopback policies consideration
■ Site association
■ New network locations
■ Security group membership:
■ For the user
■ For the computer
Figure 5.23 The Group Policy Modeling Wizard
■ WMI Filters:
■ For the user
■ For the computer
Once you have fed the wizard all it needs to know about your hypothetical
situation, it will process the policies and display the results across three tabs. The
first two tabs are the same as with the Group Policy Results Wizard: the Summary
and Settings tabs. The third one differs. With Group Policy Modeling the third
tab contains information on the query that was executed (see Figure 5.24). So, by
reviewing the outcome of your query you can determine whether your planned
change is a wise decision. If the results of your simulation are not quite as you
expected, you can just start over again, or if you prefer, you can copy existing
queries. By using existing queries as a baseline, you can tweak the options selected
in the wizard to see what different case scenarios will yield as results until you
discover a favorable outcome.
Figure 5.24 The Group Policy Modeling Query Tab
Head of the Class
Utilizing Enforce and Block Inheritance
As an administrator, the more things you can do to simplify life, the easier
you make your job and the better off you will be in the long run. To be a
smart administrator you have to know two things. One, you have to know
what is available to you in the features of any products you manage, and
two, you have to know when to utilize these features. In Active Directory,
you can go crazy Enforcing policies and Blocking Inheritance on OUs, but
that doesn't mean you always should. At the end of the day, by overutilizing
these features, you have just complicated your life by making the
outcome for a group of users that much more unpredictable. Granted,
there are tools in place for you to interpret what the outcome will be for
any users or computers in your organization, but the necessity to have to
interpret and use tools to figure out resultant settings will only make your
job that much more demanding.
In general, it is a good idea to use restraint when applying these
powerful features of Active Directory Group Policies. This doesn't mean
you should shy away from them entirely; there will always be exceptions
to the rule. But when applying them in a real-world environment, there
is one major guideline you will want to follow: KISS (Keep it simple, silly!).
Make sure there is a good business case to apply an Enforce or a Block
Inheritance. If there is a chance you can accomplish the same function by
moving user accounts or moving OUs around in Active Directory, this is a
much easier means to an end. By documenting the heck out of any exceptions
to the rule and making sure that before you make an exception
it is absolutely necessary, you will find that keeping a handle on Group
Policy Inheritance in Active Directory becomes an easier task. And always
remember: KISS!
WMI
WMI Filtering allows you to narrow down the scope of a GPO to machines based
on information you collect about the machines. You do this by creating a WMI
Filter that identifies desired properties that will be common across the targets for
the GPO. For instance, you may want to identify an operating system version or
machines with a minimum amount of free space. A WMI Filter is one or more WQL
queries that the client evaluates against its own WMI repository every time it
processes the GPO: if every query returns at least one object the GPO applies,
otherwise it is skipped. Two practical consequences follow. The filter runs during
every background refresh as well as at startup and logon, so an expensive query
(one that enumerates Win32_Product, for example) slows every refresh on every
targeted machine. And Windows 2000 clients do not understand WMI Filters and
apply the GPO regardless. WMI Filtering can be complex to configure without a
programming background. The interface simply allows you to plug in a WMI query
which you must construct. You may also import an existing query if you prefer
(see Figure 5.25). By default, no filtering is in place, and therefore, the policy will
apply to all machines inheriting it.
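Because a filter is only ever "true" or "false" on a given machine, the cheapest way to avoid a GPO that silently never applies is to run the candidate queries on a representative computer first. The script below is an added example, not from the book; it uses Get-WmiObject (present in PowerShell 1.0 and later) and three constructed queries that match common filtering needs. A WMI Filter with several queries requires all of them to return at least one object, which is what the function checks.

```powershell
# Added example, not from the book. Tests WQL queries the way the Group Policy client will:
# a query "passes" when it returns at least one object on the target computer.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)][string[]]$Queries,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($q in $Queries) {
        $hit = @(); $err = $null
        try {
            $hit = @(Get-WmiObject -Query $q -ComputerName $ComputerName -ErrorAction Stop)
        } catch {
            $err = $_.Exception.Message        # a syntax error or unknown class also fails the filter
        }
        New-Object PSObject -Property @{
            Query = $q; Passes = ($hit.Count -gt 0); Objects = $hit.Count; Error = $err
        }
    }
}

function Test-WmiFilter {
    # A WMI Filter is an AND of its queries: the GPO applies only if every query passes.
    param([string[]]$Queries, [string]$ComputerName = $env:COMPUTERNAME)
    $results = @(Test-WmiFilterQuery -Queries $Queries -ComputerName $ComputerName)
    $allPass = ($results | Where-Object { -not $_.Passes }).Count -eq 0
    New-Object PSObject -Property @{ GpoWouldApply = $allPass; Detail = $results }
}

# Constructed candidate queries
$candidates = @(
    # Windows Vista / Server 2008 workstations only (NT 6.0; ProductType 1 = workstation)
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = "1"',
    # at least 10 GB free on the system drive (FreeSpace is in bytes)
    'SELECT * FROM Win32_LogicalDisk WHERE DeviceID = "C:" AND FreeSpace > 10737418240',
    # portable machines: a battery is present
    'SELECT * FROM Win32_Battery'
)

$outcome = Test-WmiFilter -Queries $candidates
$outcome.Detail | Format-Table Passes, Objects, Query -AutoSize
'GPO would apply on {0}: {1}' -f $env:COMPUTERNAME, $outcome.GpoWouldApply
```

Run it with -ComputerName against a machine in each class you intend to target, and against one you intend to exclude; a filter that passes on both is not filtering anything.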
Figure 5.25 Configuring WMI Filtering
Group Policy Filtering
In some environments, users with different policy needs may be intermingled in the
same OU. Let's think about an Accounting department, for instance. Assume that
Accounts Payable and Accounts Receivable are different people in the organization;
however, for administrative purposes, they have been lumped into the same OU. If a
particular software package needed to be deployed to only the Accounts Payable users,
filtering could be employed to accomplish this without the creation of additional
OUs in Active Directory.
In cases like this, it is still possible for you to single out users to receive a particular
policy via Group Policy Filtering. Filtering is simply editing the permissions of a GPO.
To download a policy the following things must be true:
■ The policy must apply to the user or the computer in the Active Directory
hierarchy.
■ You must be able to connect to a DC that has a local copy of the policy.
■ You must have permissions to the policy.
By default, Authenticated Users is granted both Read and Apply Group Policy on every
new GPO, which is why every user and computer in scope applies it. To apply
filtering on a policy this default entry is removed and the appropriate groups or
users are added in its place. Refer to Exercise 5.3 for detailed steps.
EXERCISE 5.3
ENABLING FILTERING ON A GROUP POLICY OBJECT
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand your domain name, for example, The3Bears.com.
4. Expand Group Policy Objects and then click on the policy you
wish to filter.
5. On the Scope tab in the center pane, you will see the Security
Filtering section (see Figure 5.26).
6. Highlight Authenticated Users and click Remove.
7. In the Group Policy Management pop-up window click OK.
8. Authenticated Users is now removed from the window. Click Add.
9. In the Select User, Computer, or Group window type in the name
of the user or group you would like to add and click Check
Names and then click OK.
10. The new user or group is now able to download and apply this
GPO. Anyone not explicitly listed under Security Filtering will not
be allowed to download this GPO. One caveat for current environments:
since the June 2016 security update MS16-072, clients retrieve user policy
in the computer's security context, so a GPO whose only remaining entry is
a user group silently stops applying. Keep a Read-only entry (Read without
Apply Group Policy, set on the Delegation tab) for Authenticated Users or
Domain Computers alongside the filtered Apply entry.
Figure 5.26 Configuring Security Filtering
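The same change can be scripted, which matters when a filter has to be applied consistently to many GPOs. The function below is an added example, not from the book; it assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT) and the hypothetical GPO "AP Software Deploy" and group "Accounts Payable". It reproduces steps 6 to 9 of Exercise 5.3 and adds the Read-only entry for computer accounts that clients with MS16-072 need.

```powershell
# Added example, not from the book. Requires the GroupPolicy module (Server 2008 R2 / RSAT).
Import-Module GroupPolicy

function Set-GpoSecurityFilter {
    # Replaces the default Authenticated Users Read+Apply entry with Read+Apply for
    # $ApplyToGroups only, and keeps a Read-only entry so computer accounts can still
    # fetch the GPO (clients with MS16-072 read user policy in the computer's context).
    param(
        [Parameter(Mandatory = $true)][string]$GpoName,
        [Parameter(Mandatory = $true)][string[]]$ApplyToGroups,
        [string]$ReadOnlyPrincipal = 'Domain Computers'
    )

    # Exercise steps 6-7: "Remove" drops both Read and Apply Group Policy
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel None | Out-Null

    # Exercise steps 8-9: GpoApply = Read + Apply Group Policy
    foreach ($group in $ApplyToGroups) {
        Set-GPPermission -Name $GpoName -TargetName $group -TargetType Group `
            -PermissionLevel GpoApply | Out-Null
    }

    # Read without Apply: shows on the Delegation tab, not under Security Filtering,
    # so it does not widen who actually applies the GPO.
    Set-GPPermission -Name $GpoName -TargetName $ReadOnlyPrincipal -TargetType Group `
        -PermissionLevel GpoRead | Out-Null

    # Return the resulting ACL so the caller can verify it
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

# Hypothetical names
Set-GpoSecurityFilter -GpoName 'AP Software Deploy' -ApplyToGroups 'Accounts Payable' |
    Format-Table -AutoSize
```

The verification at the end is the part worth keeping: after the change, the only GpoApply entry should be the group you intended, and Domain Admins, Enterprise Admins and SYSTEM should still hold their edit rights, which Set-GPPermission leaves untouched.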
Group Policy Loopback
When multiple users must share a machine in the Active Directory environment
(a kiosk, a conference room PC, a Terminal Server) you may want to enforce Group
Policy Loopback to promote conformity. Loopback processing changes where the
User Configuration settings come from. Normally they come from the GPOs scoped
to the user object. Loopback is a Computer Configuration setting, so it travels with
the machine's GPOs; when a machine receives it, the machine takes the User
Configuration sections of the GPOs that apply to the computer and applies that one
set of user settings to everyone logging on to it. Local users are not affected.
Loopback policy processing has two options available when configured: Merge
and Replace.
Merge mode allows for the combination of two worlds. So, in the case of
a Merge mode logon the following occurs:
1. The machine boots and Computer Configuration settings are applied.
2. The user logs on and the User Configuration settings from the user
account's own GPO list are applied.
3. The User Configuration settings from the machine's GPO list are applied.
Because the user settings from the machine's GPOs are applied last, they
triumph in the case of a conflict. The result is a compilation of the two sets of
User Configuration settings.
Replace mode simply ignores the user account's GPO list and applies only the
User Configuration settings obtained from the machine's GPOs, so the user's own
policies, including any enforced higher in the tree, play no part. Note that loopback
changes which User Configuration settings are used; it does not cause Computer
Configuration settings to apply to users.
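The block below is an added example, not from the book. Its first half sets loopback on a hypothetical GPO ("Conference Room Kiosks") with the GroupPolicy module (Windows Server 2008 R2 / RSAT), writing the same registry value the Administrative Template setting "User Group Policy loopback processing mode" writes. Its second half is a small model, on constructed data, of which User Configuration values a logon ends up with under Off, Merge and Replace, so the precedence rule above can be checked rather than remembered.

```powershell
# Added example, not from the book. Requires the GroupPolicy module (Server 2008 R2 / RSAT).
Import-Module GroupPolicy

# Computer Configuration\Policies\Administrative Templates\System\Group Policy\
# "User Group Policy loopback processing mode" is a single registry value:
# UserPolicyMode = 1 (Merge) or 2 (Replace); absent or 0 means loopback is off.
$gpoName = 'Conference Room Kiosks'        # hypothetical GPO linked to the kiosk computers' OU
$key     = 'HKLM\Software\Policies\Microsoft\Windows\System'

Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'UserPolicyMode' |
    Select-Object ValueName, Type, Value

function Get-LoopbackUserSettings {
    # Models the User Configuration a logon receives. Each hashtable is "setting -> value".
    param(
        [hashtable]$FromUserGpos,       # User Configuration from the user's own GPO list
        [hashtable]$FromComputerGpos,   # User Configuration from the computer's GPO list
        [ValidateSet('Off', 'Merge', 'Replace')][string]$Mode
    )
    switch ($Mode) {
        'Off'     { return $FromUserGpos.Clone() }
        'Replace' { return $FromComputerGpos.Clone() }       # the user's list is ignored entirely
        'Merge'   {
            $result = $FromUserGpos.Clone()
            foreach ($name in $FromComputerGpos.Keys) {
                $result[$name] = $FromComputerGpos[$name]   # applied last, so the machine's value wins
            }
            return $result
        }
    }
}

# Constructed sample data: what the user's GPOs say versus what the kiosk GPO says
$userSettings  = @{ Wallpaper = 'corp.jpg';  HideRunLine = $false; MapHomeDrive = $true }
$kioskSettings = @{ Wallpaper = 'kiosk.jpg'; HideRunLine = $true }

foreach ($mode in 'Off', 'Merge', 'Replace') {
    "--- $mode ---"
    Get-LoopbackUserSettings -FromUserGpos $userSettings -FromComputerGpos $kioskSettings -Mode $mode |
        Format-Table -AutoSize
}
```

Merge keeps MapHomeDrive from the user's own policies while the kiosk's wallpaper and Run line settings override the user's; Replace drops MapHomeDrive altogether, which is the behaviour to expect when a shared machine's home drive mapping "disappears" after loopback is turned on.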
TEST DAY TIP
When going through the exam questions do not try to apply the situations
presented in the exam to your own work environment. The exam is
attempting to test your knowledge of how the product works, not how
you can make the product work for you. Your real-world experiences
and implementations may differ greatly from the textbook recommendations.
Stick to textbook recommendations for exam purposes.
GPO Templates
Group Policy Templates allow you to expand on the settings available in the GPOs
in your environment. Because all environments will not have the same needs,
Microsoft includes only the common settings in its GPOs out of the box. So, as you
deploy new applications to your desktops, controlling them via Group Policy becomes
a reality with the help of GPO Templates. Traditionally, GPO Templates were
utilized for administrative control, but now with Windows Server 2008, two other
components share the template idea: Security Templates and Starter GPOs.
Administrative Templates
Administrative Templates enable you to expand the default settings for a GPO
by importing configuration files. Administrative Templates are the largest section
of a GPO that allows you to manipulate and configure settings on the machines
and users in your environment. This is where you can mold the user experience
and dictate settings and configurations for people logging on to machines in
your domains. By default, Administrative Templates exist in both the User and
the Computer Configuration sections of all Group Policies. Without additional
configuration, the number of settings available for both User and Computer
Configuration is immense. They cover almost every conceivable environment setting
for both workstations and users, and you can add to the available settings list.
As new products are deployed in your environment, you will want to be able to
administrate and configure these new products via GPOs. This is made possible with
the .adm and .admx file types. These file types allow for additional settings to be
available to you under the Administrative Templates sections of GPOs. Historically,
you would download an .adm file from the Internet and then import the file into
a GPO in your environment. The import would copy the .adm file to the GPT of
the GPO on the SYSVOL directory. SYSVOL replication would then pass the GPT
containing the .adm file around to all the DCs in the domain via File Replication
Services (FRS). In environments where many .adm files were utilized, the result
could mean a very large SYSVOL and, potentially, inconsistencies in how GPOs
are applying due to replication issues caused by the SYSVOL size. Also, traditionally,
.adm files used their own custom markup language which made it difficult to
customize these files.
With Windows Vista Microsoft introduced two new types of file for customizing
GPOs: the .admx and the .adml file types. The .admx files are language-neutral and
define the settings together with the registry keys and values behind them; the .adml
files carry the display strings for one language and live in a subfolder named for that
language (en-US, for example). The new .admx files are the same in purpose
as the old-school .adm files, but they are stored and managed in a different way.
The .admx files take advantage of XML for their formatting, which makes them much
more customizable than their predecessors. Also, they are not copied into each GPO's
folder in SYSVOL the way .adm files were. Instead, a single copy is kept either on
the administrator's workstation (%SystemRoot%\PolicyDefinitions) or, once you
create it, in a Central Store under the domain's Policies folder in SYSVOL. This
reduces the amount of overhead. The Central Store must be configured manually and
is not set up by default (see Exercise 5.4 for steps). It is recommended that you use
the DC that hosts the PDC Emulator role for the domain as the host for the Central
Store. The Group Policy tools connect to the PDC Emulator by default and, when a
Central Store exists, use the .admx files there instead of the local ones, so every
administrator edits GPOs with the same set of definitions. Once the Central Store
has been configured, its contents will be replicated to all other DCs in the domain
along with the rest of SYSVOL.
EXERCISE 5.4
CONFIGURING THE CENTRAL STORE
1. Click Start | All Programs | Accessories | Windows Explorer.
2. In the Address bar type the path \\domainFQDN\SYSVOL\domainFQDN\
Policies. For example, \\The3Bears.com\SYSVOL\The3Bears.com\Policies.
3. Right-click in the Details pane and click New | Folder.
4. Name the folder PolicyDefinitions (see Figure 5.27).
Figure 5.27 Creating the PolicyDefinitions Folder
5. Next, manually copy all .admx files from the %SystemRoot%\PolicyDefinitions
folder of a Windows Vista (or Windows Server 2008) computer to the
PolicyDefinitions folder you just created.
6. Copy the language folders containing the .adml files as well (en-US, for
instance). Language files require the default folder structure to carry over
when copied: an .admx file whose .adml cannot be found in the matching
language subfolder produces a resource error in the Group Policy
Management Editor.
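Exercise 5.4 as a script, with a check at the end for the mistake the last step warns about. This is an added example, not from the book; it assumes it is run on a Windows Vista or Windows Server 2008 computer by a domain administrator and uses the hypothetical domain The3Bears.com. It copies only *.admx and *.adml, so stray files in the local folder do not end up in SYSVOL.

```powershell
# Added example, not from the book. Run on a Vista / Server 2008 machine as a domain admin.
$domain  = 'The3Bears.com'                                   # hypothetical
$source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path -Path $central)) { New-Item -Path $central -ItemType Directory | Out-Null }

# Language-neutral definitions go in the root of the store...
Copy-Item -Path (Join-Path $source '*.admx') -Destination $central -Force

# ...and each language folder keeps its own name (en-US, de-DE, ...), which is how the
# editor locates the .adml for an .admx. Copy explicitly rather than with -Recurse so an
# existing folder is updated in place instead of getting a nested copy.
Get-ChildItem -Path $source | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $target = Join-Path $central $_.Name
    if (-not (Test-Path -Path $target)) { New-Item -Path $target -ItemType Directory | Out-Null }
    Copy-Item -Path (Join-Path $_.FullName '*.adml') -Destination $target -Force
}

function Test-CentralStore {
    # Lists every .admx in the store and whether its .adml exists for $Language.
    # Each missing .adml becomes a resource error in the Group Policy Management Editor.
    param([string]$StorePath, [string]$Language = 'en-US')
    $langDir = Join-Path $StorePath $Language
    foreach ($admx in (Get-ChildItem -Path $StorePath -Filter '*.admx')) {
        $adml = Join-Path $langDir ($admx.BaseName + '.adml')
        New-Object PSObject -Property @{ Admx = $admx.Name; AdmlFound = (Test-Path -Path $adml) }
    }
}

$check   = @(Test-CentralStore -StorePath $central)
$missing = @($check | Where-Object { -not $_.AdmlFound })
'{0} .admx files in the store, {1} without an en-US .adml' -f $check.Count, $missing.Count
$missing | Format-Table Admx -AutoSize
```

Repeat the check after SYSVOL replication has run on another DC (point -StorePath at \\otherdc\SYSVOL\...) before telling the other administrators to start editing; a half-replicated store produces the same resource errors as a missing language folder.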
Security Templates
Security: everyone is concerned about security, and with due cause. One nice
feature of Group Policy is the ability to configure Group Policy security settings
uniformly across server types by taking advantage of Security Templates. Security
Templates is a separate snap-in that you can access from a custom Microsoft
Management Console (MMC). The snap-in allows you to build templates, which
are stored in an .inf file format, which can be saved and later imported into GPOs
anywhere in your environment. This creates reusability for security settings, but the
snap-in does have some limitations. For instance, only a portion of the security
settings are available to configure in the .inf files. Windows Server 2008 has a rich set
of available settings, but because only a small portion of the settings are exposed
through the Security Templates snap-in, additional configuration of settings after an
import may be required. To add the snap-in to a custom MMC follow these steps:
1. Click Start | Run.
2. In the Open dialog box type MMC and click OK.
3. In the Console window click File | Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box select Security Templates
from the Available snap-ins: column and click Add (see Figure 5.28).
5. Click OK.
EXAM WARNING
Remember that the new file format for Administrative Templates is .admx
and that this format is XML-based. Only the Windows Vista and Windows
Server 2008 editing tools can read .admx files; older versions of the Group
Policy Object Editor cannot. The settings themselves are another matter:
whatever the editor writes ends up in the GPO's registry.pol, which every
client applies, so a down-level client is affected by an .admx-defined setting
as long as its operating system actually reads the registry value in question.
You can still administrate the old-school .adm files in a Windows Server 2008
environment. Settings from .adm files added to a GPO appear under a
separate Classic Administrative Templates (ADM) node in the Administrative
Templates section of that GPO.
Now that you have the Security Templates snap-in in your console window
lets discuss what you are looking at. If you expand the Security Templates
node you will see that below it is a folder icon with a folder path as its name. The
default behavior of the Security Templates snap-in is to open a folder in the User
profile, called Templates. The folder is stored under the following path: C:\Users\
%username%\Documents\Security\Templates.
If you click on the folder it will not expand, because by default in Windows
Server 2008 no templates exist. You need to create your own templates. You do
this by right-clicking on the folder path and selecting New Template from the
menu (see Figure 5.29). You must name your new template; you can also input a
description if you want (see Figure 5.30). This will create an .inf file in the path
specified for you to store your configured settings. This is the file you will need to
Figure 5.28 Adding the Security Templates Snap-in to a Custom MMC
locate once it is time to import the settings into a GPO (see Figure 5.31). The file
path is in the logged-on user's profile, so it would be a good idea to centrally
locate these files if they will be imported frequently. You can configure the Security
Templates snap-in to point to any location in your environment. Follow these
instructions to open a new template search path:
1. Right-click on the Security Templates node in the custom console.
2. Select New Template Search Path from the menu.
3. Browse to the location of the folder you would like to search.
4. Click OK.
Figure 5.29 Adding a New Template to the Security Templates Snap-in
Figure 5.30 Naming and Inserting Description Text into a
New Security Template
Figure 5.31 The New Security Template and Its Corresponding .inf File
Okay, now that you have a new Security Template, you can go about configuring
the settings. Not all of the GPO Security settings are available in the Security
Templates. Once you have configured your settings, be sure to save your template
by right-clicking on the template and selecting Save.
At this point, it is time to import your newly created template into the GPO of
your choice. To do so, start by opening the GPMC:
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management | Forest | Domains.
3. Expand your domain name, for example, The3Bears.com.
4. Expand Group Policy Objects and then right-click on the policy into
which you wish to import your template.
5. Click Edit.
6. In the Group Policy Management Editor expand the Computer
Configuration section. Security Templates hold computer-side settings
(account policies, local policies, event log, restricted groups, system
services, registry and file system), so the Import Policy command is
offered there.
7. Expand Policies | Windows Settings.
8. Right-click Security Settings and select Import Policy.
9. In the Import Policy From box browse to the location of your .inf file.
10. Select your .inf file and click Open. The import is additive: settings the
template defines overwrite the GPO's values for those settings, and settings
the template does not mention are left as they were. Check Clear this
database before importing if you want the template to replace everything.
11. Your settings have now been imported into the GPO. Browse the hierarchy
to confirm that your settings have been imported.
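The snap-in is not the only way to produce or use an .inf template. The script below is an added example, not from the book; it relies only on secedit.exe, which is part of Windows, and must run in an elevated prompt. It shows the two things a practitioner most often wants around Security Templates: turning a known-good reference machine into a template, and checking a machine against a template without changing it (the "Mismatch" lines in the analysis log), which is how you find out whether the GPO import above actually took effect. The template text is constructed for this example; its [Registry Values] lines use the template's own "path=type,data" format.

```powershell
# Added example, not from the book. secedit.exe is built into Windows; run elevated.
$work     = Join-Path $env:TEMP 'SecTemplates'
$template = Join-Path $work 'Baseline.inf'
$refInf   = Join-Path $work 'Reference.inf'
$db       = Join-Path $work 'Baseline.sdb'
$log      = Join-Path $work 'Baseline.log'
if (-not (Test-Path -Path $work)) { New-Item -Path $work -ItemType Directory | Out-Null }

# 1. Snapshot a reference machine's security policy. The exported .inf is a valid template:
#    add $work as a search path in the Security Templates snap-in and it opens there.
secedit /export /cfg $refInf /areas SECURITYPOLICY | Out-Null

# 2. Or author a template directly. Plain INI; under [Registry Values] each line is
#    "registry path=<type>,<data>" with 1 = REG_SZ, 4 = REG_DWORD, 7 = REG_MULTI_SZ.
#    Single-quoted here-string so "$CHICAGO$" is written literally.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 10
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
'@ | Set-Content -Path $template -Encoding Unicode

# 3. Compare this machine with the template. /analyze changes nothing; it writes a database
#    and a log describing every difference.
secedit /analyze /db $db /cfg $template /overwrite /log $log | Out-Null

function Get-TemplateMismatch {
    # secedit writes "Mismatch - <setting>." for each setting whose local value differs.
    param([Parameter(Mandatory = $true)][string]$LogPath)
    Select-String -Path $LogPath -Pattern 'Mismatch' | ForEach-Object { $_.Line.Trim() }
}

$drift = @(Get-TemplateMismatch -LogPath $log)
'{0} setting(s) differ from {1}' -f $drift.Count, (Split-Path $template -Leaf)
$drift

# 4. Applying it: import the .inf into a GPO as in the steps above. For a standalone
#    machine the same template can be applied locally instead:
#    secedit /configure /db $db /cfg $template /overwrite /log $log
```

Run step 3 on a member server after the GPO with the imported template has refreshed: an empty mismatch list confirms the import reached the machine, and a non-empty one names the exact settings that something else (a local policy, a GPO with higher precedence) is overriding.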
Starter GPOs
Administrators are more effective when they can quickly and accurately duplicate
results. For those of you who are all about recycling and reusing, Starter GPOs are
the ray of light you have been waiting for. A Starter GPO enables you to create a
GPO with baseline settings. You can then select this GPO as a template for creation
of new GPOs anytime thereafter. A limitation of the Starter GPO is that it can only
store settings for user or computer Administrative Templates, and it cannot store
Software Settings or Windows Settings. Software Settings allow you to deploy applications
whereas Windows Settings contain configurations for settings such as security
policies, scripts, and folder redirection. Most administrators shouldn't complain about
this limitation, considering that Administrative Templates are the means to manage
many major environment configurations and settings in a GPO.
Starter GPOs are not enabled by default. You must enable them in each domain
by first creating a folder called StarterGPOs which is stored in the SYSVOL share on
DCs. Creating the folder is a one-time process; after the folder has been established
in a domain you can then add and remove Starter GPOs at will. The folder is created
from the GPMC (see Exercise 5.5).
EXERCISE 5.5
ENABLING STARTER GPOS IN A DOMAIN
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management.
3. Expand the forest you wish to configure, for example, Forest:
The3Bears.com.
4. Expand Domains.
5. Expand the domain you wish to configure, for example,
The3Bears.com.
6. Click on the Starter GPO folder.
7. In the center pane you will see the button displayed in Figure 5.32
if you have not yet created the Starter GPO folder for this domain.
8. To create the Starter GPO folder, click the Create Starter GPOs
Folder button one time.
You are now ready to rock and roll with Starter GPOs. Let's
create one. Continue with these steps to create a Starter GPO:
9. Right-click the Starter GPO folder and select New.
10. In the New Starter GPO dialog box type a name for the new
Starter GPO in the Name: box.
11. If desired, type a descriptive comment in the Comment: box, and
click OK.
12. Your new Starter GPO appears below the Starter GPO node in the
GPMC and is displayed on the Contents tab in the center pane.
Starter GPOs are a fabulous springboard for building a set of reusable
policies that you can port all over your environment. Now that you can
create new policies you are ready to go off and configure them. Once
you consider your policies street-ready you can use them to create new
policies (see Figure 5.33).
Figure 5.32 Creating the Starter GPO Folder
In previous incarnations of Group Policy, the ability to easily port policies
between domains was not readily available. You can export Starter
GPOs to .cab files for portability. When you select the Starter GPOs node
in the GPMC the Contents tab becomes visible in the center pane. This
tab contains the options Load Cabinet and Save as Cabinet. These allow
you to export individual Starter GPOs, port them to a new environment,
and then import them, ready to go! You also have the option of backing
up all of your Starter GPOs in one shot. Restoring them, though, is still a
one-off process.
The ability to limit who can create Starter GPOs in a particular
domain is useful. To limit Starter GPO creations follow these steps:
1. Click Start | Server Manager.
2. Expand Features | Group Policy Management.
Figure 5.33 Utilizing a Starter GPO to Create a New Group Policy
3. Expand the forest you wish to configure, for example, Forest:
The3Bears.com.
4. Expand Domains.
5. Expand the domain you wish to configure, for example,
The3Bears.com.
6. Click on the Starter GPO folder.
7. In the center pane click on the Delegation tab.
8. Use the Add and Remove buttons to adjust the list of delegated
users or groups.
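The Starter GPO workflow above (create the folder, create a Starter GPO, create real GPOs from it) can be driven from PowerShell once the GroupPolicy module is available (Windows Server 2008 R2 / RSAT). The script below is an added example, not from the book; the Starter GPO name, GPO names and OU distinguished names are hypothetical. Exporting to a .cab and the Delegation tab remain GUI-only operations and are not reproduced here.

```powershell
# Added example, not from the book. Requires the GroupPolicy module (Server 2008 R2 / RSAT).
Import-Module GroupPolicy

# Creating the first Starter GPO has the same effect as the Create Starter GPOs Folder
# button in Exercise 5.5: the StarterGPOs folder appears in SYSVOL.
$starter = New-GPStarterGPO -Name 'Workstation Baseline' `
    -Comment 'Administrative Template settings every workstation OU starts from'

# Starter GPOs hold Administrative Template settings only, so they are edited in the
# Group Policy Management Editor (right-click the Starter GPO in the GPMC | Edit).

function New-GpoFromStarter {
    # Stamps a real GPO out of a Starter GPO and links it to an OU. The Starter GPO is
    # copied at creation time: later edits to it do not flow into GPOs already created.
    param(
        [Parameter(Mandatory = $true)][string]$StarterName,
        [Parameter(Mandatory = $true)][string]$GpoName,
        [Parameter(Mandatory = $true)][string]$OuDn,
        [switch]$Enforced
    )
    $gpo = New-GPO -Name $GpoName -StarterGpoName $StarterName
    $enf = if ($Enforced) { 'Yes' } else { 'No' }
    New-GPLink -Name $gpo.DisplayName -Target $OuDn -LinkEnabled Yes -Enforced $enf | Out-Null
    return $gpo
}

# One GPO per office OU, all seeded from the same baseline (hypothetical OUs)
foreach ($office in 'Charlotte', 'Raleigh') {
    New-GpoFromStarter -StarterName 'Workstation Baseline' `
        -GpoName "$office Workstations" `
        -OuDn "OU=$office Office,DC=The3Bears,DC=com" | Select-Object DisplayName, Id
}

# What exists now
Get-GPStarterGPO -All | Select-Object DisplayName, Id
```

Because the copy happens at creation, keep the Starter GPO itself under change control: a fix made only in the Starter GPO reaches nothing already deployed, and a fix made only in one office's GPO is lost the next time a new office is stamped out.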
Configuring & Implementing
Enabling Starter GPOs
In many environments, multiple domains exist. In some environments,
multiple forests exist. In general, it is not recommended that you link
GPOs across domain boundaries, even though this is possible. The biggest
reason for this is that because GPOs are stored on DCs, for the GPO to
be downloaded from a different domain, authentication across the trust
relationship must succeed to gain access to the GPO on a DC in the other
domain. By having to cross the trust relationship between the domains,
you are adding processing time to the user's logon or to the machine's
boot-up process. Another potential issue is that if a DC of the other
domain is not locally available, the wait time is extended because the
policy has to be fetched across a WAN link. These are just a few reasons
why applying GPOs across domains isn't recommended. Applying GPOs
across a forest is just impossible. So, what is the solution if you have
similar needs across the enterprise? Starter GPOs.
With Starter GPOs you now can create a baseline GPO and port it
to wherever it is needed. Once you import the .cab file into the other
domain or forest, you can use it to create GPOs in the domains in which
they will be applied. This is a huge advantage over previous implementations
of Group Policy, where administrators striving for consistency in
large environments had a largely uphill battle.
Summary of Exam Objectives
Group Policy is a powerful tool that you can use to lock down and configure many
different aspects of your environment. Two major kinds exist:
■ Local Group Policies
■ Non-Local Group Policies
Local Group Policies contain settings that apply to user accounts on the local
machine as well as local computer settings. With Windows Vista and Windows
Server 2008, Multiple Local Group Policies can be configured. Multiple Local
Group Policies allow you granularity by giving you additional policies based on
user type. Non-Local Group Policies exist in an Active Directory domain and are
stored on Domain Controllers. Settings within GPOs come in two flavors: User
Configuration and Computer Configuration. Within each flavor at the domain
level are Policies and Preferences. Policies are enforced and Preferences are only set.
Users can adjust preference settings after they are configured on their machines.
They cannot adjust policy settings. GPOs can be created, created and separately
linked, or created and linked in one action. GPOs can be applied at the Site,
Domain, or OU level. All policies inherit down the tree structure from where they
are applied, always down. You can control that behavior by using GPO features
such as Block Inheritance, Enforce, and Filtering. Block Inheritance will prevent
all policies from parent OUs from inheriting. The only exception to that is a policy
configured with Enforce. Enforce is configured per policy link and it will barrel through
Block Inheritance. Enforce always wins in the event of a conflict regardless of where
the Enforce originates, above or below the conflicting policy. If two policies
configured with Enforce conflict, the one higher in the tree structure wins.
Policies are extensible and additional configuration settings are made available
through .adm and .admx files. The .adm files are the traditional administrative files
and they contain additional settings, usually application-specific. They use a custom
markup language and are stored with the policies GPT of a GPO within SYSVOL.
The .admx files use an XML format and are stored in a Central Store within
SYSVOL. Security Templates and Starter GPOs reduce duplicated administrative
effort across the enterprise. Security Templates are stored in an .inf file format and
can be imported into GPOs for uniform application of security settings. Starter
GPOs allow the creation of baseline GPOs. They can be exported to a .cab file
format and ported to different domains and forests easily.
Exam Objectives Fast Track
Types of Group Policies
˛ MLGPOs allow further customization of traditional LGPOs by segmenting
the User Configuration into user types. They do not affect domain users.
˛ GPOs now have Preference settings. These are set, but not enforced.
˛ Preferences can be configured to target very specific audiences for their
settings.
Group Policy Hierarchy
˛ The policy processing order is Site, Domain, and then OU.
˛ Site-level policies can span multiple domains. New policies created at the
Site are stored in the root of the forest.
˛ All policies inherit down the tree structure by default.
Creating and Linking Group Policy Objects (GPOs)
˛ Policies can be created without being linked.
˛ Policies can be linked in multiple locations within Active Directory.
˛ Permissions can be configured to restrict who can create and link.
Controlling Application of Group Policies
˛ Enforce always wins and is set at the policy level.
˛ Block Inheritance is set at the OU level and blocks all parent policies
except ones configured with Enforce.
˛ Filtering can be applied via Security or WMI.
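The following Python model is added here as an illustration and is not part of the original text. It encodes the inheritance, Block Inheritance and Enforce rules from the Summary of Exam Objectives and from the bullets above: later-applied GPOs win ordinary conflicts, Block Inheritance discards non-enforced parent GPOs, enforced GPOs are applied last, and among enforced GPOs the one linked higher in the tree wins. The site, domain, OU and GPO names and the settings are invented for the example; nothing here calls a Windows or GPMC API.

```python
"""Model of Group Policy precedence: Site -> Domain -> OU processing order,
Block Inheritance on a container, and Enforce on a link.

Constructed example for illustration; it models the rules described in the
text and is not a Windows API or the GPMC's own logic."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict              # setting name -> value configured in this GPO


@dataclass
class Container:
    """A Site, Domain or OU. `links` holds (GPO, enforced) pairs in processing
    order: the last pair listed is applied last, so it has the highest
    precedence among links on this container (the reverse of the GPMC
    'Link Order' column)."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(path):
    """Return the GPOs in the order they are applied to an object whose
    container chain (Site, Domain, OU, child OU, ...) is `path`.
    Later entries override earlier ones when a setting conflicts."""
    normal = []     # non-enforced links, parent first
    enforced = []   # enforced links, parent first
    for container in path:
        if container.block_inheritance:
            # Block Inheritance discards every non-enforced GPO linked above
            # this container. Enforced GPOs barrel through it untouched.
            normal = []
        for gpo, is_enforced in container.links:
            (enforced if is_enforced else normal).append(gpo)
    # Enforced GPOs are applied after all others, and the enforced GPO linked
    # highest in the tree is applied last, so it wins an enforced-vs-enforced
    # conflict.
    return normal + list(reversed(enforced))


def resolve_settings(path):
    """Map each setting to (winning value, name of the GPO that supplied it)."""
    winner = {}
    for gpo in processing_order(path):
        for setting, value in gpo.settings.items():
            winner[setting] = (value, gpo.name)
    return winner


# --- constructed hierarchy (all names are invented for the example) ---
default_domain = GPO("Default Domain Policy", {"wallpaper": "corporate"})
lockdown = GPO("Desktop Lockdown", {"control_panel": "hidden"})
acct_desktop = GPO("Accounting Desktop",
                   {"wallpaper": "accounting", "control_panel": "visible"})
ap_policy = GPO("AP Policy", {"screensaver_minutes": 10})
sales_lockdown = GPO("Sales Lockdown", {"control_panel": "visible"})

site = Container("Default-First-Site-Name")
domain = Container("example.local", [(default_domain, False), (lockdown, True)])
accounting = Container("OU=Accounting", [(acct_desktop, False)],
                       block_inheritance=True)
accounts_payable = Container("OU=Accounts Payable", [(ap_policy, False)])
sales = Container("OU=Sales", [(sales_lockdown, True)])

AP_PATH = [site, domain, accounting, accounts_payable]      # Site > Domain > OU > child OU
SALES_PATH = [site, domain, sales]

if __name__ == "__main__":
    for label, path in (("Accounts Payable", AP_PATH), ("Sales", SALES_PATH)):
        print(label, [g.name for g in processing_order(path)])
        for setting, (value, source) in sorted(resolve_settings(path).items()):
            print(f"  {setting} = {value}  (from {source})")
```

Running the model shows both rules from the summary at once: Block Inheritance on the Accounting OU drops the Default Domain Policy, so the accounting wallpaper wins, while the enforced Desktop Lockdown still reaches Accounts Payable and overrides the OU's own control panel setting. For the Sales OU, whose only link is itself enforced, the domain-level enforced policy still wins because it sits higher in the tree.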
GPO Templates
˛ ADMX files are the new Administrative Template type and are
XML-based files.
˛ Security Templates allow you to create reusable settings to be imported
into any GPOs in the environment.
˛ Starter GPOs are not enabled by default and are used as templates for
future GPOs.
Exam Objectives
Frequently Asked Questions
Q: What is Group Policy and why is it used?
A: A Group Policy is a collection of settings and configurations that can apply to
either a computer or a user and works together to establish a user's working
environment. Administrators can utilize Group Policy to enforce restrictions,
provide software, or even configure security settings in their environment.
Q: Can Group Policy contain application-specific content?
A: Yes, Group Policy can be extended for specific applications by either importing
.adm files or taking advantage of the new .admx file format for Windows Vista
or Windows Server 2008 to make settings available. Not all applications will
have existing available .adm or .admx files.
Q: What is a Starter GPO and what is it for?
A: A Starter GPO is a policy that allows the administrator to create a baseline which
contains frequently used settings. This policy promotes reusability because it can
be used as a starting point when creating additional GPOs in the organization,
therefore reducing administrative effort.
Q: What is new with Group Policy in Windows 2008?
A: Windows 2008 has the following new features to offer in Group Policy:
■ Comments for GPOs and policy settings
■ New ADMX file format for Administrative Template settings
■ Starter GPO capabilities
■ Preferences
■ Network Location Awareness
■ Multiple Local Group Policies
Q: Will I actually use settings such as Block Inheritance and Enforce?
A: It depends on the environment you are administrating. Some environments are
somewhat simple and do not require these advanced configurations. Others are
more complex or may have poorly designed OU infrastructures, warranting
the need.
Q: What exactly is a Computer Loopback policy?
A: A Computer Loopback policy is a policy that allows you to control where user
settings come from that apply to a particular machine. The user settings applied
to the machine are pulled from the computer policy affecting the machine.
The user settings from within the computer policy are either merged with the
user's settings or replace them. In environments where public machines exist,
this policy will come in very handy. Companies that commonly have kiosks and
public access computers, such as labs environments or libraries, will find these
policies handy.
Self Test
1. A Charlotte user who recently transferred into the Accounts Payable department
from the Accounts Receivable department in your company submits a
help desk ticket complaining that she is not able to access her Control Panel
on her computer. Upon further questioning, you discover that the user was
able to access her Control Panel the previous week. Upon coming in Monday
morning, she logged on to her workstation and it reportedly took longer than
usual to get to the desktop. Her Group Policy infrastructure is depicted in
Figure 5.34.
Figure 5.34 Charlotte User's Accounting Hierarchy
What is the most probable cause for the missing Control Panel on the
user's workstation?
A. The user is logged on with cached credentials. She must log off and back
on again to download the proper policy.
B. The user requires local Administrator rights on her machine to view the
Control Panel.
C. The user account has been moved into the Accounts Payable OU and is
now receiving policies that it didn't before.
D. The machine account has been moved into the Accounts Payable OU and
is now receiving policies that it didn't before.
2. A new requirement has come down from The 3 Bears, Inc. headquarters that
requires all users to have a home page of www.the3bears.org. You create a new
policy and configure the Internet Explorer Maintenance Setting which will set
the IE home page. What would be the best approach to take in applying this
new policy?
A. Link the policy to the OUs in the domain that contain user accounts
B. Link the policy to the domain and configure the machine OUs to Block
Inheritance
C. Link the policy to the domain and configure the policy to Enforce
D. Link the policy to the domain
3. In your Windows 2008 Active Directory environment, you configure printer
mappings via logon scripts. The number of printers and the complexity of
managing the scripts are getting difficult to handle as the company grows.
You have built multiple Group Policies, each with a logon script for each
set of printers. You link the policies to OUs as departments request access to
the printers. What is the best way to adjust your administration of printers to
reduce configuration issues and lower administrative overhead?
A. Create a single Group Policy, apply it at the domain level, and add a single
logon script which contains all the printers in the environment.
B. Create multiple Group Policies, apply them at the OU level for each
department, and configure Preferences for each required printer.
C. Create a single Group Policy and apply it at the domain level. Configure
Preferences for each required printer. Use item-level targeting to apply the
printers to the server IP addresses.
D. Create a single Group Policy and apply it at the domain level. Configure
Preferences for each required printer. Use item-level targeting to apply the
printers to the departmental security groups.
4. Darien is a new member of the Web Services team at your company. He is
going to be responsible for running and testing scripts for an in-house homegrown
application which requires a special application that is deployed via
Group Policy. The first time he logs on to the domain he does not receive the
software package. You verify that his user account is in the proper OU. What
could be causing Darien not to receive the GPO with the software policy?
A. Security filtering has been enabled on the GPO and Darien is not a
member of the proper group
B. WMI Filtering has been enabled on the GPO and Darien is not a member
of the proper group
C. Darien must be a local administrator on his machine to download a GPO
with a software package in it
D. Darien's user account has Block Inheritance configured on it and therefore
he cannot download the policy
5. What is the difference between Policies and Preferences in a Group Policy?
A. Preferences are set, and Policies are enforced
B. Preferences can be modified only by administrators, and policies can be
modified by anyone, including users
C. Preferences are enforced, and Policies are set
D. B & C
6. Your Active Directory hierarchy is depicted in Figure 5.35. Which policies
affecting the San Fran Office OU can have their settings overwritten in the
event of a conflict?
Figure 5.35 Active Directory Hierarchy
A. Default Domain Policy, Desktop Lockdown Policy
B. Desktop Lockdown Policy
C. Company Wallpaper Policy, Accounting SW, Accounting Desktop Lockdown
Policy
D. Accounting SW, Accounting Desktop Lockdown Policy, Default Domain
Policy, Desktop Lockdown Policy
7. Maria is looking for the best method to standardize her GPO creation methods.
Currently she prints all the settings in GPOs she would like to duplicate and
then manually re-creates the OU. What features in Windows Server 2008 could
Maria take advantage of to assist with her GPO creation standardization?
A. Filtering
B. Starter GPOs
C. Security Templates
D. A & C
E. B & C
8. SueyDog Enterprises will soon be deploying Microsoft Office Communicator
into its environment. All of its DCs are running Windows Server 2008. Their
administrator, Matthew, is attempting to prepare for the new product by creating
a GPO and exploring the available settings. He creates a new policy and proceeds
to expand each section of the policy, looking for the section containing
the Microsoft Office Communicator settings. He can't seem to locate the settings
for Microsoft Office Communicator. What should Matthew do to gain the
settings he seeks?
A. Download the appropriate .adm file and import it into the new GPO
B. Install Microsoft Office Communicator on the DC to make the setting
available
C. Download the appropriate .admx file and import it into the new GPO
D. Download the appropriate .adm file and place it in the Central Store
9. Joey is going to be migrating his Lotus Notes environment into his newly
established Windows Server 2008 forest. He has guidance on what he will
require for Group Policy settings for the different teams and departments.
He has not yet created his OU structure. How should Joey proceed in
creating the required GPOs?
A. Create stand-alone GPOs
B. Create the GPOs at the Domain level
C. Create the GPOs at the Site level
D. Wait to create the GPOs until the OU structure is in place
10. You work for a large hospital. The main users in the hospital are nurses and
doctors. Because they are always on the go, you set up kiosk stations throughout
the hospital for them to log on to and check Web mail or access applications.
The kiosks share one user logon and the nurses and doctors use their personal
accounts to gain access to resources via a browser interface which prompts them
for credentials. One morning a nurse logs onto a kiosk machine and is greeted
by extremely offensive wallpaper. How would you utilize Group Policy to
prevent this from happening in the future?
A. Create a Group Policy and apply it to the nurses' and doctors' user
accounts. Disable Display Settings.
B. Create a Group Policy and apply it to the nurses' and doctors' user
accounts. Configure Loopback Processing in Replace mode.
C. Create a Group Policy and apply it to the kiosk machines. Configure the
wallpaper to the company logo and disable Display Settings.
D. Create a Group Policy and apply it to the kiosk machines. Configure
Loopback Processing in Replace mode.
Self Test Quick Answer Key
1. C
2. C
3. D
4. A
5. A
6. D
7. E
8. A
9. A
10. D
Chapter 6
Configuring Group Policy
Exam objectives in this chapter:
■ Configuring Software Deployment
■ Configuring Account Policies
■ Configuring Audit Policies
■ Configuring Additional Security-Related Policies
Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
MCTS/MCITP
Exam 640
Configuring Software Deployment
You can use group policy to manage the entire software life cycle, at both the user
and the computer levels. Microsoft divides this life cycle into four phases:
■ Preparation Considerable planning should go into how group policy
is used to deploy applications. Important considerations include who
should be allowed to manage the process, and at what level; where the
installation files should be located; whether the software needed for group
policy deployment is available from the software manufacturer or must be
created; whether to use existing or new Group Policy Objects (GPOs);
whether to dedicate GPOs exclusively to software deployment; where
and how to link the GPOs into the Active Directory structure to ensure
maximum effectiveness; and so forth. The good news for you is that this
is primarily a configuration exam. Although it's important for you to be
aware of these types of big picture planning items, you're unlikely to be
tested on them.
■ Deployment The bulk of your test preparation should center on this
information, which deals with the actual configuration of the group policy
and file system components for software deployment. This involves creating
a software distribution point, creating the necessary GPOs, linking the
GPOs into Active Directory, and configuring them.
■ Maintenance Maintenance refers to fixing problems with, patching, or
upgrading applications that are already deployed. Software deployment
in group policy is well thought out and allows these types of issues to be
handled easily.
■ Removal The final part of the life cycle involves how to deal with software
that is no longer needed. Virtually all possible scenarios for this are
accommodated in group policy, including optional and forced removal
from users and computers.
Installation Overview
Regardless of the type of installation being performed, using group policy for
software installation requires three major steps:
1. Creation of a software distribution point
2. Selecting or creating a GPO
3. Configuring the GPO's properties
Unless the GPO is going to apply to only a single computer, the installation files
must be shared from a network location. It's important to ensure that the appropriate
permissions have been set up on the share. Administrators or others who will actually
maintain the installation files should have full access to the share, but the users or
computers for which the policy will be effective require only read-level access.
Generally you don't want users to be able to alter these installation files, because doing
so would affect all future installs. The share and its installation files can be located on
any computer that is accessible via Windows networking.
Head of the Class
Advanced Software Distribution Point Recommendations
Microsoft makes several advanced recommendations regarding software
distribution shares, including using a domain-based Distributed File
System (DFS) root to take advantage of its centralization, redundancy,
and load-balancing features; organization of installation folders by application
for ease of management; configuration of NTFS in addition to
share-level permissions; and auditing object access for the installer files to
make it easier to track their use.
By far, one of the most practical recommendations Microsoft makes
is the use of hidden shares. By adding a dollar sign ($) to the end of a
share name (e.g., software$), you hide the share from users who browse
the network. You can still access it directly by typing in the full path (e.g.,
\\servername\software$). Software distribution points often include installation
files for applications to which users do and do not require access. To
ease complexity, administrators typically assign read-level permissions to
the software distribution point, which enables users to access installation
files that relate to them, as well as those that don't. Under normal circumstances,
users can browse the network, find these files, and manually install
them, potentially using more licenses for an application than the organization
has purchased. Using a hidden $ share is one way to prevent this
without having to use a more complex permissions configuration.
Step two deals with selecting or creating a GPO. Earlier in this book, you
learned to create and link GPOs within Active Directory. You also learned about
Active Directory hierarchy. This should be all that you really need for this type of
exam, because it is configuration-based.
Step three deals with configuring the GPO's properties. Software group policy
is powerful and can be quite complex. In addition to options for managing the
software life cycle, you can use a variety of methods for initial software deployment.
As mentioned previously, you can deploy software at the computer or user level.
You also can publish or assign it. The combinations of these two elements can get
tricky because software can be published or assigned to users, but only assigned to
computers. Let's briefly examine the differences between these two options before
exploring how to configure them.
When software is published to a user, it is not installed automatically. A user
can install published software in two ways, and group policy can be configured to
disable either or both methods.
■ File association Clicking on a file type that is associated with a published
program will download and install it. For example, if Microsoft Excel is
published to a user but not installed on the computer being used, when
a user clicks on a file that is associated with Excel the program will be
downloaded, installed, and opened with the file displayed in it.
■ Control Panel When a file is published to a user but not installed, a user
can manually install the program from Programs and Features in Windows
Vista or Add or Remove Programs in earlier versions of Windows.
Assigned software may or may not be automatically installed by group policy.
When software is assigned to a computer it is automatically installed prior to a
user being allowed to log on. When assigned to users, the default is for it not to
automatically install; however, a configuration option is available to enable this.
If this option is selected, the software is installed before the user's logon completes
and allows him or her to use the computer. If software is assigned to a
user but not automatically installed, there are three ways the user can install the
software:
■ File association Clicking on a file type that is associated with an
assigned program will download and install it. For example, if Microsoft
Excel is assigned to a user but not installed on the computer being used,
when a user clicks on a file that is associated with Excel the program will
be downloaded, installed, and opened with the file displayed in it.
■ Control Panel When a file is assigned to a user but not installed, a user can
manually install the program from Programs and Features in Windows
Vista or Add or Remove Programs in earlier versions of Windows.
■ Start menu and Desktop shortcuts When software is assigned to a
user, shortcuts can be added to the user's Start menu and Desktop. On the
surface, it appears that the program is installed. When the user clicks one of
these shortcuts, the files download from the software distribution point and
installation begins.
EXAM WARNING
One often overlooked detail about computer software assignment is
that you cannot assign software to a domain controller (DC). Be sure to
carefully examine questions that show an Active Directory hierarchy that
includes computer accounts for DCs in it, and asks whether the computer
software assignment policy settings will apply to all computers in the
hierarchy.
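The following Python model is added here as an illustration and is not part of the original text. It turns the publish/assign rules described above, plus the two cases the text rules out (publishing to computers, and assigning software to a domain controller), into a small plan review that reports when each package will install and lists the combinations that cannot work. Package names other than the book's cosmo1.msi are invented, and the Scope, Method and Package types are this example's own, not a Windows or GPMC API.

```python
"""Work out when a group-policy software package actually installs, from the
deployment choices described in the text. Constructed example for illustration;
it encodes the text's rules and is not a Windows or GPMC API."""
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    USER = "User Configuration"
    COMPUTER = "Computer Configuration"


class Method(Enum):
    PUBLISHED = "Published"
    ASSIGNED = "Assigned"


@dataclass
class Package:
    name: str
    scope: Scope
    method: Method
    install_at_logon: bool = False        # "Install this application at logon"
    file_association: bool = True         # document activation allowed by policy
    control_panel: bool = True            # Programs and Features install allowed


def install_triggers(pkg, target_is_domain_controller=False):
    """Return the set of events that install `pkg`, or raise ValueError for a
    combination the text rules out (publishing to computers, assigning to DCs)."""
    if pkg.scope is Scope.COMPUTER:
        if pkg.method is Method.PUBLISHED:
            raise ValueError(f"{pkg.name}: software can only be assigned, "
                             "not published, to computers")
        if target_is_domain_controller:
            raise ValueError(f"{pkg.name}: software cannot be assigned to a "
                             "domain controller")
        # Computer policy runs before logon, so the package is in place first.
        return {"computer startup"}

    if pkg.method is Method.ASSIGNED and pkg.install_at_logon:
        # Installed before the desktop appears; on-demand triggers are moot.
        return {"user logon"}

    triggers = set()
    if pkg.file_association:
        triggers.add("file association")
    if pkg.control_panel:
        triggers.add("Control Panel")
    if pkg.method is Method.ASSIGNED:
        # Advertised: the shortcut looks installed; clicking it starts the install.
        triggers.add("Start menu/Desktop shortcut")
    return triggers


def review_plan(packages, target_is_domain_controller=False):
    """Review a planned GPO: returns ({package name: triggers}, [problems]) so
    invalid combinations are listed up front rather than found at deployment."""
    plan, problems = {}, []
    for pkg in packages:
        try:
            plan[pkg.name] = install_triggers(pkg, target_is_domain_controller)
        except ValueError as err:
            problems.append(str(err))
    return plan, problems


# Constructed packages; cosmo1.msi is the book's example name, the rest are invented.
EXAMPLE_PACKAGES = [
    Package("cosmo1.msi", Scope.USER, Method.PUBLISHED),
    Package("office.msi", Scope.USER, Method.ASSIGNED, install_at_logon=True),
    Package("viewer.msi", Scope.USER, Method.ASSIGNED, file_association=False),
    Package("agent.msi", Scope.COMPUTER, Method.ASSIGNED),
    Package("bad.msi", Scope.COMPUTER, Method.PUBLISHED),
]

if __name__ == "__main__":
    plan, problems = review_plan(EXAMPLE_PACKAGES)
    for name, triggers in plan.items():
        print(f"{name}: installs on {sorted(triggers)}")
    for problem in problems:
        print("PROBLEM:", problem)
```

Reviewing the same package list with target_is_domain_controller=True adds agent.msi to the problem list, which is the situation the Exam Warning describes: a computer-assignment GPO whose scope includes DC computer accounts will not deliver the package to them.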
Let's examine how to configure assigning and publishing software.
Publishing to Users
As discussed, publishing an application makes it available to users through file
association (also called document activation) and the Control Panel. This is a great
way to ensure that software is available if needed, but not have it be obvious to
users. If you work in an organization where users like to install software that has
not specifically been given to them, this could be an option for you to consider.
Unnecessary installed software can increase support costs. The following procedure
demonstrates how to publish software to users:
1. Create a shared folder, assign the appropriate permissions to it, and copy
your installation files to it.
2. Open the GPO you are using to publish the software for editing using the
Group Policy Management Editor.
3. Expand User Configuration | Policies | Software Settings and
right-click on Software installation.
4. Select New | Package, as shown in Figure 6.1.
5. In the Open dialog box that appears, enter the location of the MSI file
in the text box on the top-left corner, as seen in Figure 6.2 (in this case,
\\syngress-server\Programs\Cosmo1). Then, select the appropriate
installation file (here, cosmo1.msi) and click Open. Remember that the
installation files, including the MSI file, should be network-accessible. If
you do not enter a network path, Windows Server 2008 will request one.
Though you can continue with the process using a local path, the installation
files will be accessible only to the server on which they are stored.
6. Ensure that the Published option is selected in the Deploy Software
dialog box, and click OK (see Figure 6.3).
Figure 6.1 The Software Installation Context Menu
Figure 6.2 Selecting the Installation File
Figure 6.3 Publishing the Software
7. The package should appear in the right side of the Group Policy
Management Editor screen.
Assigning to Users
Generally you assign software to users for two reasons. First, you may want the
software to appear as already installed and available. You can make Start menu and
Desktop shortcuts available when assigning software to users, even though the software
isn't actually installed. In larger organizations, the demands of installing software
across the network can place a serious burden on available resources. Today's applications
can be sizable. If 200 users all boot up their computers at approximately the
same time, such as first thing in the morning when they arrive for work, initiating
a group policy software deployment on each, both the network and the server
resources can be adversely affected. Advertising the software to users ensures that the
application appears to be available, but does not initiate the installation process until
the user attempts to launch the software. If the application is not used by everyone
first thing in the morning, to continue with our example, assigning software in this
way can stagger the server and network load used during installation.
You might also want the software to automatically install and be available
on every computer a user logs on to (see Exercise 6.1). Although you have to
be careful that it does not place an undue burden on the software distribution
server or network, this option is much more user-friendly. The reality is that it
can be confusing for users when they double-click an icon for what appears
to be an installed application, and have an unfamiliar process occur that does
not appear to be opening the application. This can increase the load on support
resources if these users contact their IT support person or help desk for assistance.
Additionally, users who are not required to wait for software installation are more
productive, because the application opens immediately and they can continue
working without interruption.
Another consideration is the number of applications that are assigned per user.
It might be advisable to have the most frequently used or critical applications install
immediately, and the less frequently used applications be advertised with Desktop
or Start menu shortcuts. Assigning too many applications for automatic installation
may cause a long delay in the login process because the user's desktop will not be
made available by default until all applications are installed. Installation of several
large software packages, such as Microsoft Office, could delay the user's login by a
half hour or more.
The following steps demonstrate the default installation procedure for assigning
software to users, which does not automatically install the software prior to their
logging on:
1. Create a shared folder, assign the appropriate permissions to it, and copy
your installation files to it.
2. Open the GPO you are using to assign the software for editing using the
Group Policy Management Editor.
3. Expand User Configuration | Policies | Software Settings and
right-click on Software installation.
4. Select New | Package, as shown earlier in Figure 6.1.
5. In the Open dialog box that appears, enter the location of the MSI file
in the text box on the top-left corner, as seen earlier in Figure 6.2 (in this
case, \\syngress-server\Programs\Cosmo1). Then, select the appropriate file
(here, cosmo1.msi) and click Open. Remember that the installation files,
including the MSI file, should be network-accessible.
6. Ensure that the Assigned option is selected in the Deploy Software
dialog box, and click OK (see Figure 6.4). The package should appear in
the right side of the Group Policy Management Editor screen.
Figure 6.4 Assigning the Software
By default, assigning software to users does not automatically install the software
on every computer the user logs on to. In Exercise 6.1, you'll configure a GPO that
assigns software to a user for automatic installation. Ideally, you'll need to set up the
following before beginning the exercise:
■ A shared folder containing your installation files. You'll need at least one
file with an MSI file extension in this folder. If you can't think of one to
use, Windows Server 2008 installations generally contain a few. If you go
to Start | Computer and search for *.msi you can copy one to your
shared folder. Be sure to copy, not move, the file!
■ You'll also need a GPO which you've set up and configured for use.
EXERCISE 6.1
ASSIGNING SOFTWARE TO USERS FOR AUTOMATIC
INSTALLATION
1. Open the GPO you are using to assign the software for editing
using the Group Policy Management Editor.
2. Expand User Configuration | Policies | Software Settings and
right-click on Software installation.
3. Select New | Package, as shown earlier in Figure 6.1.
4. In the Open dialog box that appears, enter the location of the
MSI file in the text box on the top-left corner, as seen earlier in
Figure 6.2, and click Open. Remember that the installation files,
including the MSI file, should be network-accessible.
5. Ensure that the Advanced option is selected in the Deploy
Software dialog box, and click OK (see Figure 6.5).
Figure 6.5 Selecting the Advanced Option
6. In the Properties dialog box which comes up, select the
Deployment tab.
7. Select the following two options (see Figure 6.6):
Assigned (under Deployment type)
Install this application at logon (under Deployment options)
Figure 6.6 Configuring the Deployment Properties
8. Click OK.
9. The package should appear in the right side of the Group Policy
Management Editor screen.
Assigning to Computers
Sometimes it is desirable to ensure that one or more applications are always available
on a computer, regardless of who logs on to or uses it. Some computers are not
assigned to a specific user, so the software assigned to them is not related to just one
user. These computers are often shared among members of a work area or are meant
as accessible systems for a certain class of users. Examples include a computer located
in the lobby of a large corporation that is used to look up company information and
stock data, a computer shared by personnel on a loading dock that contains shipment
tracking information, or a workstation used by students in a computer lab.
To accomplish this, assign the software to a GPO that applies to the computer
or computers it should affect. Remember, at the computer level software can be
assigned but not published. Computer policies are applied before user policies, so
assigning software to computers using group policy installs the software before
any user has the opportunity to log on. Prior to assigning the software, you should
select or create the GPO which will contain it. You may link that GPO to an Active
Directory container before or after configuring the software assignment, though it is
generally a good idea to ensure that the software assignment is made available only
after it has been thoroughly tested. The following procedure demonstrates how to
assign software to computers:
1. Create a shared folder, assign the appropriate permissions to it, and copy
your installation files to it.
2. Open the GPO you are using to assign the software for editing using the
Group Policy Management Editor.
3. Expand Computer Configuration | Policies | Software Settings
and right-click on Software installation.
4. Select New | Package, as shown in Figure 6.7.
5. In the Open dialog box that appears, enter the location of the MSI file
in the text box on the top-left corner, as seen earlier in Figure 6.2 (in this
case, \\syngress-server\Programs\Cosmo1). Then, select the appropriate file
(here, cosmo1.msi) and click Open. Remember that the installation files,
including the MSI file, should be network-accessible.
6. Ensure that the Assigned option is selected in the Deploy Software
dialog box, and click OK (see Figure 6.8). The package should appear in
the right side of the Group Policy Management Editor screen.
Figure 6.7 The Software Installation Context Menu
Figure 6.8 Assigning the Software
Maintenance
Over the course of an application's useful life, it may be necessary to apply service
packs to the software, to upgrade it to new versions, and to repair it following virus
outbreaks or other unforeseen issues. Group policy accommodates each of these
scenarios. The two options Microsoft provides are redeploying and upgrading
software. Redeployment is commonly used to fix problems with existing installations,
such as the previous virus example, and to deploy service packs. Upgrading
is typically reserved for major new version releases of an existing, installed
software package.
Redeploying Software
When you need to reinstall software rather than upgrading versions, redeployment
is used. If you are using it to fix problems with an existing installation, such as
missing files, the original MSI file that is stored on the software distribution point
is typically used. When a service pack is being applied, this MSI file is replaced
with an updated one, and the updated or additional installation files are added to
the original software distribution point location. The MSI file tells the Windows
installer what to do, so simply adding the updated install files is not enough. The
correct instruction file must also be provided.
Software redeployment is dependent upon how the original package was
deployed. If the software was assigned or published to a user the redeployment
will occur after the user's next logon, the next time he or she attempts to use the
software. If it is assigned to a computer, the redeployment will automatically occur
the next time the computer starts. The following procedure demonstrates how to
use the redeployment feature:
1. If applying a service pack, obtain the appropriate files from the software
vendor and copy them to the software distribution point. Ensure that
permissions are set so that the users or computers which will be reinstalling
the software can read them.
2. Open the GPO you are using to assign the software for editing using the
Group Policy Management Editor.
3. Navigate to and right-click on the package you want to redeploy, and
select All Tasks | Redeploy application. See Figure 6.9.
4. When asked to verify redeployment, click Yes (see Figure 6.10).
Figure 6.9 Selecting the Redeploy Option
Figure 6.10 Verifying Redeployment
Upgrading Software
Microsoft provides two methods for upgrading software using group policy:
mandatory and optional. Optional updates allow users to continue to use their
existing version of the software. If they choose, they can update the software using
Programs and Features in Windows Vista or Add or Remove Programs
in previous versions of Windows. Mandatory upgrades automatically trigger the
software update. If the update is assigned to a computer, it is applied the next time
the computer starts up. If it is assigned or published to a user, it occurs at the next
logon before the user is able to use the system. You can only upgrade software that
was originally installed using group policy. In addition, the original deployment
object must still exist under Software installation in the GPO. The following
procedure demonstrates how to upgrade software:
1. Deploy the next version of the software by assigning it to users or computers,
or publishing it for users, as required. See the previous examples in this
chapter. When done you should have software deployment objects for both
the original and the new versions in the right pane in Group Policy
Management Editor, as shown in Figure 6.11.
2. Right-click on the upgrade package (here, Cosmo 2) and click Properties.
3. In the Properties dialog box, select the Upgrades tab and click Add. See
Figure 6.12.
Figure 6.11 Original and Upgrade Deployment Packages
Figure 6.12 Properties Dialog
4. In the Add Upgrade Package dialog box (see Figure 6.13), select the
deployment package for the original version of the application in the
Package to upgrade box (here, Cosmo 1). If the package you want to
upgrade does not appear, it is probably because it is configured in a different
GPO. You don't need to configure the upgrade package within the same
GPO as the version being updated. For example, you may be transitioning to
a new set of GPOs as part of the software upgrade process, with the plan to
eventually delete the older GPOs. Or you may want to have multiple GPOs
so that they can be managed by different administrators. If this is the case, you
can click Browse in the Choose a package from section at the top of the
Add Upgrade Package dialog box, and locate the package you are updating
in another GPO. Note that this dialog also contains the following two options:
Uninstall the existing package, then install the upgrade
package Some software upgrades will require that the current version of
the application be uninstalled before the upgrade is installed. If that is the
case, select this option (the default).
Package can upgrade over the existing package Many upgrades
are designed to install over the top of an existing installation. This is not
the default setting for upgrades using group policy, so be sure to manually
select it here.
Figure 6.13 The Add Upgrade Package Dialog
5. Click OK to return to the Properties dialog box. It should now be
updated with the version to be updated from (see Figure 6.14).
Figure 6.14 The Updated Properties Dialog
6. If you want the update to be mandatory instead of optional, select
Required upgrade for existing packages. The default is unselected,
making the upgrade optional.
7. Click OK to close the Properties dialog and complete the configuration.
Removing Software
Deployed with Group Policy
The final stage of the software life cycle is removal. Group policy provides two
methods of software removal: forced and optional. As you might guess, forced removal
does not give users the option of keeping the software loaded on their computers,
whereas optional removal does. In addition to removing any installed software, both
options also remove the user's ability to reinstall the software through group policy,
unless it is published or assigned again through group policy. It's important to note
that this does not prevent users from installing the software manually. If they have the
installation media or can access the network location containing the install files, they
can reinstall the software. This option simply removes the option for them to use the
methods provided by software assigning and publishing in group policy.
Forced Removal
Forced removal works differently depending on whether the software was published
or assigned to a user or computer. If assigned to a computer, the software will be
removed on the next reboot before a user is allowed to log on. If assigned or published
to a user, the software will be removed during the user's next logon before
he or she is fully logged on and able to use the system. The following procedure
demonstrates how to force removal of software that was assigned or published
through group policy:
1. Open the GPO for editing using the Group Policy Management Editor.
2. If the software is assigned to a computer, expand Computer
Configuration | Policies | Software Settings and right-click on
Software installation. If the software is assigned or published for users,
expand User Configuration | Policies | Software Settings and
right-click on Software installation.
3. In the right pane, right-click on the deployed application and select All
Tasks | Remove. See Figure 6.15.
Figure 6.15 Selecting Remove
4. In the Remove Software dialog box, choose the Immediately uninstall
the software from users and computers option (note that this is the
default option). See Figure 6.16.
Figure 6.16 Forcing Removal
5. Click OK.
Optional Removal
Optional removal leaves the software installed on the users' computers until they
manually remove it, typically by using Programs and Features in Windows Vista
or Add or Remove Programs in previous versions of Windows. The following
procedure demonstrates how to use the optional removal feature for software that
was assigned or published through group policy:
1. Open the GPO for editing using the Group Policy Management
Editor.
2. If the software is assigned to a computer, expand Computer
Configuration | Policies | Software Settings and right-click on
Software installation. If the software is assigned or published for users,
expand User Configuration | Policies | Software Settings and
right-click on Software installation.
3. In the right pane, right-click on the deployed application and select All
Tasks | Remove. Refer back to Figure 6.15.
4. In the Remove Software dialog box, choose Allow users to continue
to use the software, but prevent new installations. See Figure 6.17.
Figure 6.17 Selecting Optional Removal
5. Click OK.
TEST DAY TIP
One nice feature of Windows Installer (MSI) files is that software
installed with them can be self-healing. If an error occurs, as long as the
original installation software is available these applications can often
compare their current state to the original and correct any differences.
Even if optional removal is used, this self-healing capability is retained
as long as the application remains installed, it was installed from an
MSI file, and it still has access to the original installation software. It is
recommended that you not remove these files from the software distribution
point, even if you have removed the software deployment from
group policy, until the application has been uninstalled from all
computers.
Configuring Account Policies
Windows Server 2008 includes a Default Domain Policy GPO that is created by
default when Active Directory is installed. This GPO is linked at the domain level
for every domain in the forest. In Windows 2000 and 2003, password and account
lockout policies could be configured only at the domain level. As we'll see later in
this chapter, this no longer has to be the case; however, by default, these policies are
still set at this level and in this GPO for each domain. Let's examine the settings
that can be configured and their defaults.
Domain Password Policy
The default domain password policy contains the following configurable settings. The
default settings for each and their location within group policy appear in Figure 6.18.
■ Enforce password history Determines how many passwords Active
Directory remembers for each user before allowing them to reuse a password.
The maximum value is 24. Setting the value to 0 disables this option.
■ Maximum password age Determines how many days a user can go
without changing his or her password. The maximum value is 999. Setting
the value to 0 disables this option and configures passwords to never expire.
■ Minimum password age Determines how many days a user has to
wait after changing his or her password before it can be changed again.
The maximum value is 998. Setting the value to 0 disables this option and
allows users to change their password right away. This setting works in conjunction
with Enforce password history to keep users from reusing a
favorite password by quickly changing their password 24 times to different
ones, and then setting their favorite for use again.
■ Minimum password length Determines the shortest length a user can
make his or her password. The maximum value is 14. Setting the value to
0 disables this option and allows blank passwords.
■ Passwords must meet complexity requirements This is a special
collection of settings which ensures that the password is at least six characters
long, doesn't contain the user's account name or parts of the user's full
name that exceed two characters in length, and contains characters from at
least three of the following categories:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Nonalphanumeric characters such as !, $, #, and %
■ Store passwords using reversible encryption Some applications require
access to users' passwords. Enabling this setting is very close to storing
passwords in plain text, seriously erodes security, and is not recommended
unless absolutely necessary.
Figure 6.18 Default Domain Password Policy Settings
Account Lockout Policy
Account lockout is used to prevent successful brute force password guessing.
If it's not enabled, someone can keep attempting to guess username/password
combinations very rapidly using a software-based attack. The proper combination
of settings can effectively block these types of security vulnerabilities. The default
domain account lockout policy contains the following configurable settings. The
default settings for each and their location within Active Directory appear in
Figure 6.19.
■ Account lockout duration Determines the number of minutes an
account remains locked out once the Account lockout threshold has
been triggered. The maximum value is 99,999. If set to 0, the account
remains locked out until an administrator unlocks it.
■ Account lockout threshold Determines the number of failed logon
attempts before a user's account is locked out, and further logon attempts
are prevented. The maximum value is 999. If set to 0, accounts will never
be locked out.
■ Reset account lockout counter after Determines the number of
minutes between the last failed logon attempt and when the Account
lockout threshold counter is reset. The minimum value is 1 and the
maximum value is 99,999.
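Replaying a constructed run of failed logons through these three settings shows how they interact; this is an added example, not code from the book. It models a threshold of 0 as never locking, a duration of 0 as locked until an administrator unlocks the account, the Administrator exemption the chapter notes, and a successful logon clearing the counter (Windows behaviour not stated on this page); the account names and timestamps are constructed.

```python
"""Replays constructed logon attempts against the account lockout settings described above."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

ADMIN_ACCOUNT = "administrator"  # the built-in Administrator account is never locked out


@dataclass
class LockoutPolicy:
    threshold: int            # Account lockout threshold; 0 means accounts never lock out
    observation_minutes: int  # Reset account lockout counter after
    duration_minutes: int     # Account lockout duration; 0 means locked until an admin unlocks


@dataclass
class AccountState:
    bad_count: int = 0
    last_failure: Optional[datetime] = None
    locked_at: Optional[datetime] = None

    def is_locked(self, policy: LockoutPolicy, now: datetime) -> bool:
        if self.locked_at is None:
            return False
        if policy.duration_minutes == 0:
            return True  # remains locked until an administrator unlocks it
        return now < self.locked_at + timedelta(minutes=policy.duration_minutes)


def record_attempt(state: AccountState, policy: LockoutPolicy, now: datetime,
                   account: str, success: bool) -> bool:
    """Apply one logon attempt; return True if the account is locked afterwards."""
    if state.is_locked(policy, now):
        return True  # attempts made during the lockout are refused and change nothing
    if state.locked_at is not None:  # an earlier lockout has expired: start counting afresh
        state.locked_at, state.bad_count, state.last_failure = None, 0, None
    if success:
        state.bad_count, state.last_failure = 0, None  # a good logon clears the bad-password count
        return False
    window = timedelta(minutes=policy.observation_minutes)
    if state.last_failure is not None and now - state.last_failure >= window:
        state.bad_count = 0  # observation window elapsed since the last failure: counter reset
    state.bad_count += 1
    state.last_failure = now
    exempt = policy.threshold == 0 or account.lower() == ADMIN_ACCOUNT
    if not exempt and state.bad_count >= policy.threshold:
        state.locked_at = now
        return True
    return False


def replay(events: List[Tuple[datetime, str, bool]],
           policy: LockoutPolicy) -> Tuple[Dict[str, AccountState], List[Tuple[datetime, str]]]:
    """events are (timestamp, account, success); returns final states and the lockouts that fired."""
    states: Dict[str, AccountState] = {}
    lockouts: List[Tuple[datetime, str]] = []
    for ts, account, success in sorted(events, key=lambda e: e[0]):
        state = states.setdefault(account.lower(), AccountState())
        already_locked = state.is_locked(policy, ts)
        if record_attempt(state, policy, ts, account, success) and not already_locked:
            lockouts.append((ts, account))
    return states, lockouts


# Constructed sample: what a security log might show, using the values from Exercise 6.2.
START = datetime(2008, 6, 2, 9, 0)


def at(minutes: int) -> datetime:
    return START + timedelta(minutes=minutes)


SAMPLE_EVENTS = (
    [(at(i), "jkarnay", False) for i in range(4)]         # four bad passwords, 09:00-09:03
    + [(at(43), "jkarnay", False)]                        # a fifth, but the 30-minute window has elapsed
    + [(at(60 + i), "jkarnay", False) for i in range(5)]  # five inside one window: lockout at 10:03
    + [(at(60 + i), "Administrator", False) for i in range(10)]  # hammered, but exempt
)
POLICY = LockoutPolicy(threshold=5, observation_minutes=30, duration_minutes=30)
```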
Figure 6.19 Default Domain Account Lockout Policy Settings
In Exercise 6.2, you'll learn to modify the Default Domain Policy settings for
passwords and account lockout. You will modify password security by decreasing the
number of stored passwords from the default 24 to 20, and increasing the minimum
password age from the default 1 to 5. Next, you'll enable account lockout and set
it to be triggered after five invalid logon attempts. You'll need to have Windows
Server 2008 and Active Directory installed, and domain-level administrator rights
to complete the exercise.
TEST DAY TIP
Account lockout policies apply to every domain user except the
Administrator account. This is a practical concession. If an attacker was
brute-forcing all of your accounts, no one would be able to unlock them
if the Administrator account was also locked out.
EXERCISE 6.2
MODIFYING PASSWORD AND
ACCOUNT LOCKOUT POLICY SETTINGS
1. To open the Default Domain Policy for editing, go to Start |
Administrative Tools | Group Policy Management.
2. In the Group Policy Management utility, expand the Forest,
Domains, and your domain (here, syngress.com) nodes, right-click
on the Default Domain Policy, and select Edit, as shown in
Figure 6.20.
Figure 6.20 The Group Policy Management Utility
3. In the Group Policy Management Editor that appears, expand
the Computer Configuration, Policies, Windows Settings,
Security Settings, and Account Policies nodes, as shown in
Figure 6.21.
4. Select the Password Policy node in the left pane.
5. In the right pane, right-click on Enforce Password History and
select Properties. (See Figure 6.21).
Figure 6.21 The Enforce Password History Node Context Menu
6. In the Enforce password history Properties dialog box, change
the Keep password history for: setting to 20, and click OK.
(See Figure 6.22).
Figure 6.22 The Enforce Password History Properties Dialog
7. In the right pane, right-click on Minimum password age and
select Properties.
8. In the Minimum password age Properties dialog box, change the
Password can be changed after: setting to 5, and click OK.
9. In the left pane, select the Account Lockout Policy node.
10. In the right pane, right-click on Account lockout threshold and
select Properties.
11. In the Account lockout threshold Properties dialog box, ensure
that Define this policy setting is selected, increase the invalid
logon attempts value to 5, and click OK. (See Figure 6.23).
Figure 6.23 The Account Lockout Threshold Properties Dialog
12. Accept the recommendations in the Suggested Value Changes
dialog box, and click OK. (See Figure 6.24).
Figure 6.24 The Suggested Value Changes Dialog
13. The Group Policy Management Editor should appear similar to
Figure 6.25. Close it to complete the exercise.
Figure 6.25 The Group Policy Management Utility
Fine-Grain Password
and Account Lockout Policies
When a GPO is used to apply password and account lockout policies, these
policies can be set only for the entire domain, and only one instance of each setting
is applied for all users in the domain. In other words, you cannot set different
password or account lockout policies for different types of users in a domain (such
as administrators and general users) using GPOs. You can do this only using a new
feature, fine-grain password and account lockout policy. A key distinction between
group policy-based password and account lockout enforcement and fine-grain policies
is how you apply them. Unlike group policy, however, fine-grain policies are quite
complex to configure.
EXAM WARNING
It's important to remember that only one set of GPO password and account
lockout policies applies to a domain. This functionality is unchanged
from Windows 2000 Server and Server 2003. Although fine-grain policies
can override the settings that are configured using a GPO at the domain
level, they are not GPO-based.
You can apply fine-grain policies only to users and global security groups. They
are not linked to the major Active Directory container objects: sites, domains, and
organizational units (OUs). It is common for organizations to organize users using
these traditional Active Directory container structures, so Microsoft recommends the
creation of shadow groups which map to an organizations domain and OU structure.
In this way, you can add the global security groups to the appropriate fine-grain
policy object in Active Directory one time, and use group membership to determine
to whom it applies. It's possible for a user to be a member of more than one
global security group and for these groups to be associated with different fine-grain
policies. To accommodate this, Microsoft allows you to associate a precedence value
with each fine-grain policy. A policy given a lower number takes precedence over
one given a higher number if both apply to a user.
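The precedence rule just described can be worked through on a constructed set of shadow groups and PSOs; this is an added example, not code from the book. It goes beyond the page's stated rule in two ways a domain controller also applies: a PSO linked directly to the user object wins over one reached through a group, and a precedence tie is broken by the smallest objectGUID (compared here as text for simplicity); the DNs and GUIDs are made up.

```python
"""Resolves the effective fine-grain PSO for a user under the precedence rule described above."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int             # msDS-PasswordSettingsPrecedence; a lower number wins
    object_guid: str            # objectGUID, consulted only to break a precedence tie
    applies_to: FrozenSet[str]  # DNs in msDS-PSOAppliesTo (users and global security groups)


def candidate_psos(user_dn: str, group_dns: Iterable[str], psos: Iterable[PSO]) -> List[PSO]:
    """A PSO linked directly to the user object outranks any PSO reached through group membership."""
    psos = list(psos)
    direct = [p for p in psos if user_dn in p.applies_to]
    if direct:
        return direct
    groups = set(group_dns)
    return [p for p in psos if p.applies_to & groups]


def resultant_pso(user_dn: str, group_dns: Iterable[str], psos: Iterable[PSO]) -> Optional[PSO]:
    """None means no PSO applies and the domain-level GPO password policy remains in effect.
    Ties on precedence go to the smallest objectGUID; this example compares the GUID text,
    whereas a domain controller compares the binary value."""
    candidates = candidate_psos(user_dn, group_dns, psos)
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.precedence, p.object_guid.lower()))


# Constructed sample directory: shadow groups mirroring the OU structure, as the chapter recommends.
ADMINS = "CN=ShadowAdmins,OU=Admins,DC=syngress,DC=com"
STAFF = "CN=ShadowStaff,OU=Staff,DC=syngress,DC=com"
ALICE = "CN=Alice,OU=Admins,DC=syngress,DC=com"
BOB = "CN=Bob,OU=Staff,DC=syngress,DC=com"
SAMPLE_PSOS = [
    PSO("psoAdmins", 10, "9c4b1e2a-0000-4000-8000-000000000001", frozenset({ADMINS})),
    PSO("psoUsers", 50, "7a9e0c3d-0000-4000-8000-000000000002", frozenset({STAFF})),
    PSO("psoContractors", 50, "1b2c3d4e-0000-4000-8000-000000000003", frozenset({STAFF})),
    PSO("psoAliceOnly", 200, "e5f60718-0000-4000-8000-000000000004", frozenset({ALICE})),
]
```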
New & Noteworthy
A Long-Awaited Password and Account Policy Solution
Fine-grain password and account lockout policy is new in Windows Server
2008. In Windows 2000 and 2003 forests, you could apply these settings only
at the domain level. A single effective set of policy settings was enforced
for all users. For many mid-size to large organizations, this provided an
unacceptable level of security. The limitation led to all kinds of complicated
technical workarounds and the use of more complex domain and forest
structures, which increased management costs.
Although fine-grain policies are certainly not as easy to use as traditional
GPOs, they are a step in the right direction. Most companies will
no longer require their previous workarounds, and Microsoft expects that
many who adopted more complex domain structures will be consolidating
and simplifying their forests. Fine-grain policies also represent a major
departure from Microsoft's previous instructions to administrators to
adopt a site-, domain-, and OU-based management style. They cannot be
applied to any of these Active Directory container objects.
Configuring a Fine-Grain Password Policy
Two new Active Directory object classes have been added to the Active Directory
schema to support fine-grain policies. Policies are configured under a Password
Settings Container (PSC). The actual policy objects themselves are called Password
Settings objects (PSO). Creating a PSO involves using a lower-level Active Directory
editing tool than you might be familiar with. There are two ways to do it. One is
with the ADSI Edit graphical utility. The other is by using ldifde to script the
operation at the command line. In this chapter, we'll be using ADSI Edit:
1. Open ADSI Edit by clicking Start | Run and typing adsiedit.msc.
2. Right-click on the ADSI Edit node in the leftmost pane, and click
Connect to. (See Figure 6.26).
Figure 6.26 Bringing Up the Connections Settings Dialog
3. Accept the default naming context which appears in the Name: text box
or type in the fully qualified domain name (FQDN) of the domain you
want to use. Click OK. (See Figure 6.27).
4. Expand the Default naming context node (if present), expand your
DC=DomainName node (here, DC=syngress, DC=com), and double-click
on the CN=System node.
5. Right-click on the CN=Password Settings Container node and select
New | Object, as shown in Figure 6.28.
Figure 6.27 The Name: Text Box
6. In the Create Object dialog box, select msDS-PasswordSettings and
click Next. (See Figure 6.29).
Figure 6.28 Creating the New Object in ADSI Edit
Figure 6.29 Selecting the msDS-PasswordSettings Option
7. In the Create Object dialog box, enter the desired name for your PSO in
the Value: text box (here, psoUsers) and click Next. (See Figure 6.30).
Figure 6.30 Entering the PSO Name
8. Configure the appropriate value for each of the password and account
lockout policy settings. All are required. Refer to the information in the list
after Figure 6.31 for more details on each setting.
Figure 6.31 Configuring the Fine-Grain Settings
■ msDS-PasswordSettingsPrecedence Sets the precedence value for
deciding conflicts when more than one fine-grain policy applies to a
user. Values greater than 0 are acceptable.
■ msDS-PasswordReversibleEncryptionEnabled Equivalent to the
Store passwords using reversible encryption group policy setting.
Acceptable values are TRUE and FALSE.
■ msDS-PasswordHistoryLength Equivalent to the Enforce password
history group policy setting. Acceptable values are 0 through 1024.
■ msDS-PasswordComplexityEnabled Equivalent to the Passwords
must meet complexity requirements group policy setting.
Acceptable values are TRUE and FALSE.
■ msDS-MinimumPasswordLength Equivalent to the Minimum
password length group policy setting. Acceptable values are 0
through 255.
■ msDS-MinimumPasswordAge Equivalent to the Minimum
password age group policy setting. Acceptable values are (None)
and days:hours:minutes:seconds (for example, 1:00:00:00 equals one day)
through the value configured for msDS-MaximumPasswordAge.
■ msDS-MaximumPasswordAge Equivalent to the Maximum
password age group policy setting. Acceptable settings are (Never)
and the msDS-MinimumPasswordAge value through (Never). This
value cannot be set to 0. It follows the days:hours:minutes:seconds
format (for example, 1:00:00:00 equals one day).
■ msDS-LockoutThreshold Equivalent to the Account lockout
threshold group policy setting. Acceptable settings are 0 through
65535.
■ msDS-LockoutObservationWindow Equivalent to the Reset
account lockout counter after group policy setting. Acceptable
values are (None) and 00:00:00:01 through msDS-LockoutDuration
value.
■ msDS-LockoutDuration Equivalent to the Account lockout
duration group policy setting. Acceptable values are (None), (Never),
and the msDS-LockoutObservationWindow value through (Never).
This value follows the days:hours:minutes:seconds format
(for example, 1:00:00:00 equals one day).
9. After specifying the preceding values, click the More Attributes button,
as shown in Figure 6.32.
10. Although it is not required, at this point you can specify to which users
or groups the fine-grain policy will apply. You can also do this in Active
Directory Users and Computers (covered later). To configure this during
PSO object creation:
Set Select which properties to view: to either Optional or Both.
Set Select a property to view to: to msDS-PSOAppliesTo.
Enter a distinguished name (DN) for a user or global security group
in the Edit Attribute: text box and click Add. Multiple users and groups
can be added and removed. When done, click OK. (See Figure 6.33).
Figure 6.32 The More Attributes Button
11. Click Finish in the Create Object dialog box. When done, ADSI Edit
should resemble Figure 6.34.
Figure 6.33 Associating Users and Global Security Groups
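The attribute ranges listed in step 8 can be checked before a PSO is created, and the same values can be written out for the ldifde route the section mentions as the alternative to ADSI Edit; this is an added example, not code from the book. It assumes the stored form of the age, window and duration attributes (a negative count of 100-nanosecond units, with (Never) stored as the most negative 64-bit value), which ADSI Edit hides behind the days:hours:minutes:seconds display; the shadow group DN is made up.

```python
"""Validates a fine-grain PSO against the attribute ranges above and builds an ldifde import."""
import re
from dataclasses import dataclass
from typing import List

NEVER = -9223372036854775808   # stored form of the value ADSI Edit displays as (Never)
TICKS_PER_SECOND = 10_000_000  # the age, window and duration attributes count 100-nanosecond units
_DURATION = re.compile(r"^(\d+):(\d{1,2}):(\d{1,2}):(\d{1,2})$")


def duration_to_interval(text: str) -> int:
    """days:hours:minutes:seconds (or (None)/(Never)) -> the negative interval AD stores."""
    if text == "(Never)":
        return NEVER
    if text == "(None)":
        return 0
    match = _DURATION.match(text)
    if not match:
        raise ValueError(f"{text!r} is not in days:hours:minutes:seconds form")
    days, hours, minutes, seconds = (int(x) for x in match.groups())
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"{text!r} has an out-of-range hours, minutes or seconds field")
    return -(((days * 24 + hours) * 60 + minutes) * 60 + seconds) * TICKS_PER_SECOND


@dataclass
class PasswordSettings:
    name: str                # becomes CN=<name> under the Password Settings Container
    precedence: int
    reversible_encryption: bool
    history_length: int
    complexity_enabled: bool
    minimum_length: int
    minimum_age: str         # days:hours:minutes:seconds or (None)
    maximum_age: str         # days:hours:minutes:seconds or (Never)
    lockout_threshold: int
    observation_window: str
    lockout_duration: str
    applies_to: List[str]    # DNs for msDS-PSOAppliesTo


def validate(ps: PasswordSettings) -> List[str]:
    """Return every violation of the ranges in the attribute list; an empty list means acceptable."""
    problems = []
    if ps.precedence <= 0:
        problems.append("msDS-PasswordSettingsPrecedence must be greater than 0")
    if not 0 <= ps.history_length <= 1024:
        problems.append("msDS-PasswordHistoryLength must be 0 through 1024")
    if not 0 <= ps.minimum_length <= 255:
        problems.append("msDS-MinimumPasswordLength must be 0 through 255")
    if not 0 <= ps.lockout_threshold <= 65535:
        problems.append("msDS-LockoutThreshold must be 0 through 65535")
    # Stored intervals are negative, so the longer span is the smaller number; negate to compare.
    min_age, max_age = duration_to_interval(ps.minimum_age), duration_to_interval(ps.maximum_age)
    if max_age == 0:
        problems.append("msDS-MaximumPasswordAge cannot be 0")
    elif -min_age > -max_age:
        problems.append("msDS-MinimumPasswordAge must not exceed msDS-MaximumPasswordAge")
    window = duration_to_interval(ps.observation_window)
    duration = duration_to_interval(ps.lockout_duration)
    if duration != 0 and -window > -duration:
        problems.append("msDS-LockoutObservationWindow must not exceed msDS-LockoutDuration")
    return problems


def to_ldif(ps: PasswordSettings, domain_dn: str) -> str:
    """The ldifde import record that creates the PSO; refuses settings that fail validate()."""
    problems = validate(ps)
    if problems:
        raise ValueError("; ".join(problems))

    def flag(value: bool) -> str:
        return "TRUE" if value else "FALSE"

    lines = [
        f"dn: CN={ps.name},CN=Password Settings Container,CN=System,{domain_dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {ps.precedence}",
        f"msDS-PasswordReversibleEncryptionEnabled: {flag(ps.reversible_encryption)}",
        f"msDS-PasswordHistoryLength: {ps.history_length}",
        f"msDS-PasswordComplexityEnabled: {flag(ps.complexity_enabled)}",
        f"msDS-MinimumPasswordLength: {ps.minimum_length}",
        f"msDS-MinimumPasswordAge: {duration_to_interval(ps.minimum_age)}",
        f"msDS-MaximumPasswordAge: {duration_to_interval(ps.maximum_age)}",
        f"msDS-LockoutThreshold: {ps.lockout_threshold}",
        f"msDS-LockoutObservationWindow: {duration_to_interval(ps.observation_window)}",
        f"msDS-LockoutDuration: {duration_to_interval(ps.lockout_duration)}",
    ]
    lines += [f"msDS-PSOAppliesTo: {dn}" for dn in ps.applies_to]
    return "\n".join(lines) + "\n"


# Constructed sample named after the chapter's psoUsers object; the shadow group DN is made up.
PSO_USERS = PasswordSettings(
    name="psoUsers", precedence=10, reversible_encryption=False, history_length=24,
    complexity_enabled=True, minimum_length=8, minimum_age="1:00:00:00",
    maximum_age="42:00:00:00", lockout_threshold=5, observation_window="0:00:30:00",
    lockout_duration="0:00:30:00", applies_to=["CN=ShadowUsers,OU=Staff,DC=syngress,DC=com"],
)
```

The resulting text can be saved and imported on a domain controller with ldifde -i -f <file>.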
Figure 6.34 The ADSI Utility
Applying Users and Groups to a PSO
with Active Directory Users and Computers
In addition to using ADSI Edit to associate users and global security groups with
a PSO, administrators can also use Active Directory Users and Computers:
1. Open Active Directory Users and Computers by clicking Start |
Administrative Tools | Active Directory Users and Computers.
2. Ensure that View | Advanced Features is selected.
3. In the left pane, navigate to Your Domain Name | System | Password
Settings Container.
4. In the right pane, right-click on the PSO you want to configure, and select
Properties, as shown in Figure 6.35.
Figure 6.35 Opening the Properties for the PSO
5. In the Properties dialog box, select the Attribute Editor tab. In the
Attributes: selection window, scroll down and click on msDS-PSOAppliesTo
followed by Edit. (See Figure 6.36).
6. There are two ways to add users and global security groups using the
Multi-valued Distinguished Name With Security Principal Editor
dialog (see Figure 6.37):
Click Add Windows Account to search for or type in the object
name using a standard Select Users, Computers, or Groups dialog box.
Click Add DN to type in the DN for the object you want to add.
Figure 6.36 The Attribute Editor Tab
7. You can also remove accounts from the Multi-valued Distinguished
Name With Security Principal Editor dialog by highlighting the
account in the Values: selection box and clicking the Remove button.
When you are done adding and deleting accounts from this PSO,
click OK.
8. In the Properties window, click OK.
Figure 6.37 The Multi-valued Distinguished Name With Security
Principal Editor Window
Configuring Audit Policies
The configuration settings for auditing can be a bit trickier to understand than
other group policy settings. All types of auditing use the same types of settings,
shown in Figure 6.39. You can audit the success and/or failure for a variety
of tracked events. Examples of what can be tracked include logons, changes
to policy, use of privileges, directory service or file access, and so forth
(see Figure 6.38).
If you audit, for example, success and failure events for logons, the system will
keep track of key details when users successfully log on to their accounts, and also
when a logon attempt fails. Once an auditing policy item has been enabled by
selecting Define these policy settings in its properties dialog box, four configuration
options become possible (see Figure 6.39):
■ Audit success is configured by selecting the Success setting.
■ Audit failure is configured by selecting the Failure setting.
■ Prevention of tracking auditing success is configured by unselecting the
Success setting.
■ Prevention of tracking auditing failures is configured by unselecting the
Failure setting.
Figure 6.38 Auditing Policies
Figure 6.39 Auditing Configuration Options
Logon Events
Logon events are among the most important to monitor. It is recommended that,
at a minimum, you monitor failure events for these policy options. This allows you
to spot users who are having difficulty with their logons, as well as track potentially
fraudulent attempts to log on. Microsoft provides two audit policy options for
monitoring logons:
■ Audit account logon events This policy is used for credential validation,
and the events audited relate to the computer which is authoritative for
the credentials. For most users in a domain, this will be the DC which
processes their logon, although these events can occur on any computer
and may occur on both their local workstation and the DC.
■ Audit logon events This policy tracks the creation and, when possible,
the destruction of logon sessions. The actual audited event relates to the
machine being accessed. If you are logging on to your local workstation
(even using a domain-based user account), the event is generated on
your local machine. If you are accessing a resource on the network, such
as files in a shared folder, this generates a logon event on the computer
hosting the files.
Configuring & Implementing
Configuring Auditing Policy
It is very important to understand how Microsoft wants you to think
about auditing. Keep in mind that its tests are designed for all sizes of
organizations. It might be tempting to think that you disable auditing by
deselecting the Define these policy settings option on individual audit
settings in group policy; however, this ignores that the organization may
have other group policies that are being inherited for which auditing has
been enabled. To ensure that auditing is not enabled, you must explicitly
configure individual policies to turn it off.
For example, let's say you have a domain policy with Object Access
enabled for Success and Failure auditing, but you want to turn that off
for one part of your organization. One way might be to block the inheritance
of that GPO within Active Directory; however, for this example, we'll
assume that other settings need to be applied. In this type of situation,
the best option may be to create and link a GPO at just the level of Active
Directory that applies to the portion of Active Directory that should have
auditing disabled. In this GPO, you would configure the Object Access
audit policy setting by selecting the option to Define these policy settings
and making sure that Success and Failure are both unselected.
EXAM WARNING
Don't be surprised to find an option on the exam that does not allow
you to select just Failure auditing for logon events. Microsoft often
recommends auditing both Success and Failure events for these policy
items. Many administrators choose not to audit Success events because
of the number of events generated. Hardcore security administrators,
however, prefer to audit these events, and their feedback is often incorporated
into Microsoft exams. They make the argument that auditing
Failure does not enable you to spot potentially fraudulent successful
logons that are uncharacteristic of users; for example, a successful logon
from an overseas Internet Protocol (IP) address for a small company with
one location in the United States.
In Exercise 6.3, we will enable Success and Failure auditing for logons. You
will need a Windows Server 2008 DC.
EXERCISE 6.3
CONFIGURING AUDITING FOR LOGON EVENTS
1. Open your domain's Default Domain Policy GPO using the
Group Policy Management Editor and navigate to Computer
Configuration | Policies | Windows Settings | Security Settings |
Audit Policy, as shown earlier in Figure 6.38.
2. In the right-hand pane, right-click on Audit account logon events
and select Properties.
3. In the Audit account logon events Properties dialog that appears,
select Define these policy settings.
4. Under Audit these attempts: select Success and Failure, then click
OK. Refer back to Figure 6.39.
5. In the right-hand pane, right-click on Audit logon events and
select Properties.
6. In the Audit logon events Properties dialog that appears, select
Define these policy settings.
7. Under Audit these attempts: select Success and Failure, and then
click OK.
8. Close the Group Policy Management Editor.
Directory Service Access
Most Active Directory objects have their own permissions (officially called a
system access control list or SACL). Any object in Active Directory that can have
permissions set for it can be audited. By default, directory service auditing is not
enabled in group policy; however, objects in Active Directory do come already set
up with some auditing permissions assigned. For most objects this will be Success
auditing for members of the Everyone group, but this does vary. For example,
the domain object in Active Directory has additional auditing preconfigured for
it. Setting up directory service access auditing is a two-step process: configuring a
GPO to enable the directory service access auditing, and specifying what to audit
on an object-by-object basis within Active Directory.
Configuring Directory Service Access Auditing in Group Policy
You configure directory service access in group policy using the following steps:
1. Open the GPO that will be used to configure auditing using the
Group Policy Management Editor and navigate to Computer
Configuration | Policies | Windows Settings | Security Settings |
Audit Policy, as shown earlier in Figure 6.38.
2. In the right-hand pane, right-click on Audit directory service access
and select Properties.
3. On the Security Policy Setting tab of the Audit directory service
access Properties dialog box, configure the policy as desired by:
Selecting Success to enable auditing successful object access events
Deselecting Success to disable auditing successful object access events
Selecting Failure to enable auditing failed object access events
Deselecting Failure to disable auditing failed object access events
4. Click OK and close the Group Policy Management Editor.
Configuring Active Directory Object Auditing
To enable auditing of a specific object within Active Directory, follow these steps:
1. Open Active Directory Users and Computers and navigate to the
object you want to audit (here, the Authors OU).
2. Right-click on the object and select Properties from the context menu.
3. In the Properties dialog box, select the Security tab, and click
Advanced. See Figure 6.40.
Figure 6.40 The Properties Dialog
4. In the Advanced Security Settings dialog box, click on the Auditing
tab (see Figure 6.41) and note that the object has inherited auditing entries.
You can block these by deselecting Include inheritable auditing entries
from this object's parent. You also can modify existing entries by
clicking the Edit button.
Figure 6.41 The Advanced Security Settings Dialog
5. To add new users or groups click on the Add button.
6. In the Select User, Computer, or Group dialog box, type in or search
for the users or groups you want to audit. This is a standard dialog box that
works just like the permissions version. For this example, we will select
Domain Users.
7. In the Auditing Entry dialog, configure the types of Success and/or
Failure events you want to monitor for this group and click OK. For this
example, we will choose Read permissions, Modify permissions, and
Delete - Success and Failure events. See Figure 6.42.
8. Click OK again in the Advanced Security Settings dialog box and OK
again to close the Properties dialog box.
Figure 6.42 The Auditing Entry Dialog
Object Access
You also can use group policy to monitor non-Active Directory objects such as
files, folders, Registry keys, and printers. You can use this option to track resource
usage, authorized and unauthorized access, object modification and deletion, and
more. For example, most companies have servers that contain sensitive information
such as legal, human resources, and accounting information. Who accesses this
information, and even how and when it is changed, is often subject to internal
policy as well as government regulation. You can use this feature to ensure that all
guidelines are being met, catch any anomalies such as unauthorized modification,
deletion, or access, and so forth. Any object that has a SACL and can thus have
permissions set for it can have auditing configured. As with directory service object
auditing, object access auditing is a two-step process: configuring a GPO to enable
object access auditing, and specifying what to audit on an object-by-object
basis.
Configuring Object Access Auditing in Group Policy
You can configure object access auditing in group policy using these steps:
1. Open the GPO that will be used to configure auditing using the
Group Policy Management Editor and navigate to Computer
Configuration | Policies | Windows Settings | Security Settings |
Audit Policy, as shown earlier in Figure 6.38.
2. In the right-hand pane, right-click on Audit object access
and select Properties.
3. On the Security Policy Setting tab of the Audit object access
Properties dialog box, configure the policy as desired by:
Selecting Success to enable auditing successful object access events
Deselecting Success to disable auditing successful object access events
Selecting Failure to enable auditing failed object access events
Deselecting Failure to disable auditing failed object access events
4. Click OK and close the Group Policy Management Editor.
Configuring Object Level Auditing
For this example, we will configure file system auditing. A similar procedure is used
to audit other objects such as printers and Registry keys.
1. Open Windows Explorer by going to Start | Computer, and navigate
to the file system object on which you want to enable auditing. For this
example, we will use a folder named Programs.
2. Right-click on the object you've selected, and click Properties.
3. In the Properties dialog box, select the Security tab, and click
Advanced. See Figure 6.43.
4. In the Advanced Security Settings dialog box, click on the Auditing
tab. Note that the object does not have any existing or inherited auditing
entries. Sometimes what needs to be audited is very object-specific. Auditing
requirements for parent objects can differ considerably from child objects.
To prevent inheritance of undesired settings, deselect Include inheritable
auditing entries from this object's parent.
5. Click the Edit button.
Figure 6.43 The Properties Dialog
6. A second, slightly different Advanced Security Settings dialog box
appears (see Figure 6.44). Click on the Add button.
Figure 6.44 The Second Advanced Security Settings Dialog
7. In the Select User, Computer, or Group dialog box, type in or search
for the users or groups you want to audit. For this example, we will select
Domain Users.
8. In the Auditing Entry dialog, configure the types of Success and/or
Failure events you want to monitor for this group and click OK. For
this example, we will choose Delete, Success and Failure events. See
Figure 6.45.
9. Click OK again in each Advanced Security Settings dialog box and
OK again to close the Properties dialog box.
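The same audit entry the procedure above creates in the GUI (Domain Users, Delete, Success and Failure, with inherited entries blocked) can be placed on a folder from PowerShell and then verified. The following script is an added example and not the book's own code; the folder path and the domain name are placeholders, and it assumes an elevated session on Windows Server 2008 or later, because editing a SACL requires the "Manage auditing and security log" right (SeSecurityPrivilege).

```powershell
# Added example (not from the book): set a Delete / Success and Failure audit
# entry for Domain Users on a folder, block inherited audit entries, and
# read the SACL back. Run elevated (SeSecurityPrivilege is required).

$Folder   = 'D:\Programs'            # placeholder path
$Identity = 'CONTOSO\Domain Users'   # placeholder domain

function Set-DeleteAuditRule {
    param([string]$Path, [string]$Identity)
    # -Audit is required: without it Get-Acl returns the DACL only.
    $acl = Get-Acl -Path $Path -Audit

    # Protect the SACL from inheritance and discard the inherited entries.
    # This mirrors clearing "Include inheritable auditing entries from this
    # object's parent" in the Advanced Security Settings dialog.
    $acl.SetAuditRuleProtection($true, $false)

    # Delete on this folder, its subfolders and its files, recorded on both
    # success and failure.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Delete,
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        [System.Security.AccessControl.PropagationFlags]::None,
        ([System.Security.AccessControl.AuditFlags]'Success, Failure'))
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AuditEntries {
    # List the audit entries now present on the object.
    param([string]$Path)
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

Set-DeleteAuditRule -Path $Folder -Identity $Identity
Get-AuditEntries -Path $Folder | Format-Table -AutoSize

# The SACL only produces events once the "Audit object access" policy from
# the GPO step is in effect on this machine. auditpol shows the effective
# setting per subcategory:
auditpol /get /category:"Object Access"
```

Once both halves are in place, a delete attempt on the folder shows up in the Security log as event ID 4663 (an access attempt against the object, listing the DELETE access right) and, for a successful deletion, event ID 4660.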
Figure 6.45 The Auditing Entry Dialog
Other Audit Policies
Now let's discuss some other audit policies. This section includes brief descriptions
of the following audit policies:
■ Audit account management This audit policy tracks all account
management events. Some examples of what this policy covers include
creation, change, or deletion of user or group accounts; renaming or
enabling/disabling a user's account; and changing a user's password.
■ Audit policy change This audit policy tracks changes made to user
rights assignment policies, audit policies, or trust policies.
■ Audit privilege use This audit policy tracks the exercise of many user
rights.
■ Audit system events This audit policy tracks when a user restarts or
shuts down his or her computer, when an event occurs that affects system
security, or when an event occurs that affects the security log.
Configuring Additional Security-Related Policies
In this section, we'll discuss configuring additional security-related policies, such
as user rights, security options, restricted groups, and administrative templates.
User Rights
Administrators can grant a wide array of user rights. Rights include things such as
the ability to log on to a server locally or from a network connection, the ability to
shut down a server, the ability for certain accounts to be able to log on as a service,
and many others. You should take a moment before the exam to familiarize yourself
with the range of options offered by this portion of group policy. User rights follow
the standard group processing order, but are exclusive unless otherwise noted. So,
for example, if Log on as a batch job has been specifically configured in the local
computer's security policy, in a site-level GPO, in a domain-level GPO, and in an
OU-level GPO that all apply to the computer object, the settings in the OU-level
GPO will be applied. The settings are not cumulative, and all others will be ignored.
Because of this, it is very important when defining a user right policy to ensure that
all user and group accounts which require the right are identified and configured.
EXAM WARNING
Not all user rights are tracked when Audit privilege use is enabled. This
is because some events are so numerous that they can quickly fill up the
security log. By default, the following rights are omitted: Bypass traverse
checking, Debug programs, Create a token object, Replace process level
token, Generate security audits, Back up files and directories, and Restore
files and directories. To audit these user rights, you must enable the
FullPrivilegeAuditing Registry key.
To configure a user right, follow these steps:
1. Open the GPO that will be used to configure auditing using the
Group Policy Management Editor and navigate to Computer
Configuration | Policies | Windows Settings | Security Settings |
User Rights Assignment.
2. In the right-hand pane, right-click on the user right you want to configure
(here, Log on as a batch job) and select Properties. See Figure 6.46.
Figure 6.46 The Properties Dialog
3. In the Properties dialog, select Define these policy settings: and click
the Add User or Group button. You can also select a user or group and
click the Remove button to delete them from the policy.
4. In the Add User or Group dialog box, click Browse.
5. In the standard Select Users, Computers, or Groups dialog, enter
or search for the user and/or group accounts you want to add, and then
click OK.
6. In the Add User or Group dialog box, click OK.
7. In the Properties window, click OK.
Security Options
Microsoft provides administrators with a large list of security parameters that can
be defined using group policy. Items available in the Security Options portion of
group policy include preventing users from installing printer drivers, blocking access
to the CD-ROM drive, specifying various digital signing and encryption settings,
restricting access to the Registry, and many more. You should take a moment before
the exam to familiarize yourself with the range of options offered by this portion of
group policy (see Table 6.1).
Table 6.1 Group Policy Security Options
Accounts: Administrator account status
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Devices: Unsigned driver installation behavior
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DELETE
Interactive logon: Message text for users attempting to logon
Interactive logon: Message title for users attempting to logon
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and subpaths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System cryptography: Force strong key protection for user keys stored on the computer
System objects: Default owner for objects created by members of the Administrators group
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Admin Approval Mode for the Built-in Administrator account
Behavior of the elevation prompt for administrators in Admin Approval Mode
Behavior of the elevation prompt for standard users
Detect application installations and prompt for elevation
Only elevate executables that are signed and validated
Only elevate UIAccess applications that are installed in secure locations
Run all administrators in Admin Approval Mode
Switch to the secure desktop when prompting for elevation
Virtualize file and registry write failures to per-user locations
Allow UIAccess applications to prompt for elevation without using the secure desktop
Security Options follow the standard group processing order, but are exclusive
unless otherwise noted. So, for example, if a setting has been specifically configured
in the local computer's security policy, in a site-level GPO, in a domain-level GPO,
and in an OU-level GPO that all apply to the computer object, the settings in the
OU-level GPO will be applied. The settings are not cumulative, and all others will
be ignored. To configure a security option, follow these steps:
1. Open the GPO that will be used to configure auditing using the Group
Policy Management Editor and navigate to Computer Configuration |
Policies | Windows Settings | Security Settings | Security Options.
2. In the right-hand pane, right-click on the security option you want to
configure and select Properties.
3. In the Properties window, select Define these policy settings: and
configure the policy options as desired. Unlike other types of group
policy, there are no standardized settings for Security Options policies. The
Properties tab may have Enabled or Disabled options, a drop-down box
with a variety of configuration options, or any number of other configuration
types and options.
4. In the Properties window, click OK.
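Both the User Rights section and the Security Options section above make the same point: these settings are exclusive, so the last GPO in processing order that defines a setting replaces every earlier definition rather than merging with it. The PowerShell function below is an added example (not code from the book) that models that resolution for one user right across local policy, site, domain and OU, and reports the principals that were granted the right at a lower-precedence level but are absent from the winning definition, which is exactly how accounts silently lose a right. All GPO names and principals are constructed sample values.

```powershell
# Added example (not from the book): model the "exclusive, not cumulative"
# resolution of User Rights Assignment and Security Options settings.
# Scopes are listed in processing order: local policy, site, domain, OU.

function Resolve-ExclusiveRight {
    param(
        [string]$Right,
        # Ordered list of @{ Name = 'GPO name'; Rights = @{ 'Right' = @('principal', ...) } }.
        # A scope that does not define the right has no key for it.
        [object[]]$Scopes
    )
    $winner  = $null
    $granted = @{}   # every principal that any scope grants the right to
    foreach ($s in $Scopes) {
        if ($s.Rights.ContainsKey($Right)) {
            $winner = $s                        # later definitions replace earlier ones
            foreach ($p in $s.Rights[$Right]) { $granted[$p] = $true }
        }
    }
    if ($winner -eq $null) { return $null }    # right is not defined anywhere
    $effective = @($winner.Rights[$Right])
    # Principals granted at some level but dropped because the winning
    # definition does not list them.
    $lost = @($granted.Keys | Where-Object { $effective -notcontains $_ } | Sort-Object)
    New-Object PSObject -Property @{
        Right             = $Right
        WinningGPO        = $winner.Name
        Effective         = $effective
        LostByExclusivity = $lost
    }
}

# Constructed scopes for "Log on as a batch job".
$Scopes = @(
    @{ Name = 'Local Security Policy'; Rights = @{ 'Log on as a batch job' = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators') } },
    @{ Name = 'Site GPO';              Rights = @{ } },
    @{ Name = 'Default Domain Policy'; Rights = @{ 'Log on as a batch job' = @('BUILTIN\Administrators', 'CONTOSO\svc-batch') } },
    @{ Name = 'Servers OU GPO';        Rights = @{ 'Log on as a batch job' = @('CONTOSO\svc-sched') } }
)
Resolve-ExclusiveRight -Right 'Log on as a batch job' -Scopes $Scopes | Format-List
# WinningGPO: Servers OU GPO; Effective: CONTOSO\svc-sched
# LostByExclusivity: BUILTIN\Administrators, BUILTIN\Backup Operators, CONTOSO\svc-batch
```

To compare the model with what a machine actually applied, export the effective local settings with `secedit /export /cfg C:\Temp\secpol.inf /areas USER_RIGHTS` and read the `[Privilege Rights]` section; an account that appears in a domain-level definition but not in that export has lost the right to a more specific GPO.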
Restricted Groups
The Restricted Groups object allows you to exert some control over group membership
using group policy. By default, no groups are configured for management
in any default or new GPO, so the first step is to choose which groups you want to
manage using the policy. Microsoft recommends primarily using restricted groups
to manage critical security groups such as Enterprise and Schema Admins. Once a
group has been added for management, two configuration options apply to it:
■ Members of this group: This setting strictly controls who can be a
member of the group. If a group or user is listed here but is removed from
the group (e.g., with Active Directory Users and Computers), it will be
added back the next time group policy refreshes. Likewise, if an account
is added with a tool such as Active Directory Users and Computers that is
not on this list, it will be removed at refresh. The default setting is <This
group should contain no members>. This setting removes all users
from the restricted group.
■ This group is a member of: Unlike the previous setting, this setting
does not strictly enforce membership. The restricted group you are
configuring will be added to any groups you configure here. However, if
you remove a group from this configuration setting, you can still add the
group using a utility such as Active Directory Users and Computers. The
default setting is <The groups to which this group belongs should
not be modified>. This setting does not change any group memberships.
TEST DAY TIP
Group policy options such as User Rights Assignment, Security Options,
and Administrative Templates have large numbers of possible configuration
options. There is no way for a study guide to cover them all or
to know which ones Microsoft will consider important to know for the
exam. Be sure to familiarize yourself with as many as possible.
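The difference between the two settings becomes concrete when you write down what the policy engine does at refresh time for each of them. The PowerShell function below is an added example, not code from the book: given the declared and the actual membership it returns the changes a refresh would make, which is strict (add missing, remove extra) for Members of this group and additive only for This group is a member of. The group and account names are constructed sample values; in a live domain the actual lists could come from Get-ADGroupMember, which is assumed to be available (it ships with the ActiveDirectory module, not with Windows Server 2008 RTM).

```powershell
# Added example (not from the book): what a group policy refresh does for a
# restricted group under each of its two settings.
#   Members of this group    : declared list is authoritative; extras are
#                              removed and missing members are added.
#   This group is a member of: the group is added to the listed groups;
#                              memberships not listed are left untouched.

function Get-RestrictedGroupActions {
    param(
        [string]$Group,
        [string[]]$DeclaredMembers,    # "Members of this group"
        [string[]]$DeclaredMemberOf,   # "This group is a member of"
        [string[]]$ActualMembers,      # current membership (e.g. from Get-ADGroupMember)
        [string[]]$ActualMemberOf      # groups the group currently belongs to
    )
    # Strict: an empty declared list is the default
    # "<This group should contain no members>" and empties the group.
    $toAdd    = @($DeclaredMembers | Where-Object { $ActualMembers   -notcontains $_ })
    $toRemove = @($ActualMembers   | Where-Object { $DeclaredMembers -notcontains $_ })
    # Additive: only joins are made; nothing is removed.
    $joins    = @($DeclaredMemberOf | Where-Object { $ActualMemberOf -notcontains $_ })
    $kept     = @($ActualMemberOf   | Where-Object { $DeclaredMemberOf -notcontains $_ })
    New-Object PSObject -Property @{
        Group             = $Group
        AddMembers        = $toAdd
        RemoveMembers     = $toRemove
        AddToGroups       = $joins
        MembershipsKept   = $kept
    }
}

# Constructed sample: the Authors group managed the way the procedure below
# configures it, plus one extra member added outside the policy.
Get-RestrictedGroupActions -Group 'Authors' `
    -DeclaredMembers  @('CONTOSO\Author 1', 'CONTOSO\Author 2', 'CONTOSO\Editors') `
    -DeclaredMemberOf @('CONTOSO\Content Staff') `
    -ActualMembers    @('CONTOSO\Author 1', 'CONTOSO\tempadmin') `
    -ActualMemberOf   @('CONTOSO\Remote Desktop Users') | Format-List
# AddMembers: Author 2, Editors   RemoveMembers: tempadmin
# AddToGroups: Content Staff      MembershipsKept: Remote Desktop Users

# Default "Members of this group" setting: every current member is removed.
Get-RestrictedGroupActions -Group 'Authors' -DeclaredMembers @() `
    -ActualMembers @('CONTOSO\Author 1', 'CONTOSO\tempadmin') | Format-List
```

The second call shows why adding a group for management without populating Members of this group is dangerous: the default value is not "leave alone" but "contain no members".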
Adding a New Restricted Group
TEST DAY TIP
Microsoft has received considerable feedback on the confusing differences
between these two options. Make sure you are clear on what is
and isn't enforced by each on the exam, because Microsoft considers it
important to know. The Members of this group setting strictly controls
who can be a member of the group. The This group is a member of
setting does not strictly enforce membership. The group you are
configuring will be added to any groups you configure here.
Use the following procedure to add a new restricted group:
1. Open the GPO that will be used to configure auditing using the Group
Policy Management Editor and expand Computer Configuration |
Policies | Windows Settings | Security Settings.
2. Right-click on the Restricted Groups node and click Add Group. See
Figure 6.47.
Figure 6.47 Adding a Restricted Group
3. In the Add Group dialog box, click Browse.
4. In the Select Groups dialog box, in the Enter the object names to
select (examples): text area, type the name of the group (here, Authors)
and click Check Names followed by OK.
5. In the Add Group dialog box, click OK.
6. A Properties dialog box appears with the following configuration options
(see Figure 6.48):
Members of this group: Click the Add button next to this configuration
option to specify which users and groups will be enforced as members
of this group. We will be demonstrating this option in the next step.
This group is a member of: Click the Add button next to this
configuration option to specify which other groups this group will be a
member of.
Figure 6.48 The Initial Properties Dialog
7. Click the Add button next to Members of this group:.
8. In the Add Member dialog box, click Browse.
9. In the Select Users or Groups dialog, type in the user(s) and/or group(s)
you want to add, click Check Names, and then click OK. For this
example, we will add two users (Author 1 and Author 2), and a global
security group (Editors).
10. In the Add Member dialog box, click OK.
11. The accounts you added should appear in the Properties dialog; see
Figure 6.49.
12. Click OK to complete the process.
Figure 6.49 The Completed Properties Dialog
Modifying a Restricted Group
Use the following procedure to modify a restricted group:
1. Open the GPO that will be used to configure auditing using the Group
Policy Management Editor and click on Computer Configuration |
Policies | Windows Settings | Security Settings | Restricted Groups.
2. In the right pane, right-click on the restricted group you want to modify
and click Properties.
3. A Properties dialog box appears with the following (see Figure 6.48):
Members of this group: To add a user or group, click the Add
button next to this configuration option to specify which users and groups
will be enforced as members of this group. To remove a user or group,
select it and then click the Remove button.
This group is a member of: Click the Add button next to this
configuration option to specify which other groups this group will be a
member of. To remove a group from the list, select it and then click the
Remove button.
4. When you have finished making your changes, click OK to close the
Properties dialog.
Deleting a Restricted Group
Use the following procedure to delete a restricted group:
1. Open the GPO that will be used to configure auditing using the Group
Policy Management Editor and click on Computer Configuration |
Policies | Windows Settings | Security Settings | Restricted Groups.
2. In the right pane, right-click on the restricted group you want to delete
and click Delete.
3. In the Security Templates dialog box, click Yes.
EXAM WARNING
It's important to remember that group nesting rules apply when configuring
Restricted Groups. For example, you cannot configure a global group
in one domain to be a member of a global group in another domain.
Administrative Templates
The Administrative Templates group policy settings control a large number of
Registry-based settings on the workstations and servers to which they apply. You
should spend some time before the exam to familiarize yourself with the options
offered by this portion of group policy. Pre-Windows Vista versions of Windows
used proprietary ADM files to configure these settings. These files were stored within
individual GPOs, often increasing their size by 2 MB or more. For organizations
with a large number of GPOs, the traffic required for replicating this portion of
group policy could really add up.
Microsoft addressed this by moving to an XML-based file structure. There are
now two components: ADMX files and ADML files. ADMX files contain the actual
settings, whereas ADML files are used for language localization. You can use the new
ADMX technology only with Windows Server 2008 and Vista operating systems. You
must still manage previous versions of Windows in Administrative Templates using
ADM files. The new version of the Group Policy Management Editor that runs on
Windows Server 2008 and Vista is backward-compatible and can manage ADM-based
settings; however, you cannot use older clients to manage ADMX-based settings.
By default, ADMX files are not stored within the centralized group policy
System Volume (SYSVOL) on DCs. When you first open the Group Policy
Management Editor and select the Administrative Templates node, it will use the
ADMX files which are stored in the %systemroot%\PolicyDefinitions\ folder.
You can determine this graphically; see Figure 6.50.
Figure 6.50 Administrative Templates Using Local ADMX Files
TEST DAY TIP
Microsoft often uses default settings that are different from their recommended
settings. It's important for you to know not only what Microsoft
recommends, but also what the default settings are when they differ.
ADMX Central Store
To maximize the capabilities of Microsoft's new ADMX technology, you must
manually create an ADMX central store. This is simply a folder under the SYSVOL
share that contains the PolicyDefinitions folder and its ADMX and ADML files.
To create the central store, copy a Windows Server 2008 or Vista %systemroot%\
PolicyDefinitions folder to your %sysvol%\<your domain name>\policies\ folder.
When you open or restart the Group Policy Management Editor and select
Administrative Templates, you'll see that a central store is now being used, as shown
in Figure 6.51.
Figure 6.51 Administrative Templates Using an ADMX Central Store
In Exercise 6.4, we will create an ADMX central store. A Windows Server 2008
DC is required to complete the exercise.
EXERCISE 6.4
CREATING AN ADMX CENTRAL STORE
1. Open Windows Explorer by clicking Start | Computer.
2. Navigate to your %systemroot% folder, probably C:\Windows.
3. Select the PolicyDefinitions folder and press CTRL+C to let
Windows know you want to copy it.
4. Navigate to your SYSVOL folder's Policies folder, probably
C:\Windows\SYSVOL\sysvol\<Your Domain Name>\Policies.
5. Press CTRL+V to finish copying the PolicyDefinitions to this
location.
6. When the folder has finished copying, open it and verify that the
ADMX files and at least one language-based directory (here, en-US)
for the ADML files copied successfully. See Figure 6.52.
Figure 6.52 Administrative Templates Using an ADMX Central Store
7. Open a GPO for editing using the Group Policy Management Editor.
8. Expand Computer Configuration | Policies and ensure that the
Administrative Templates node says that the ADMX files are
being retrieved from a central store. Refer back to Figure 6.51.
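Exercise 6.4 can be scripted, and scripting it makes the verification in step 6 more thorough: besides confirming that the ADMX files and a language folder arrived, the script below checks that every ADMX file has a matching ADML file in that folder, since an ADMX without its ADML (or with one from a different build) makes the Group Policy Management Editor report errors when it loads the node. This is an added example, not code from the book. It assumes a Windows Server 2008 DC, a domain administrator session, the en-US language folder, and it writes to the central store through the domain's SYSVOL share path, which is the same location as the local C:\Windows\SYSVOL\sysvol\<domain>\Policies folder used in the exercise.

```powershell
# Added example (not from the book): create the ADMX central store and check
# that every ADMX file has its ADML counterpart. Run on a DC as a domain
# administrator. Language tag en-US is assumed.

$Domain   = $env:USERDNSDOMAIN                       # e.g. contoso.com
$Source   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$Store    = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$Language = 'en-US'

function New-AdmxCentralStore {
    param([string]$Source, [string]$Store)
    if (-not (Test-Path $Source)) { throw "No PolicyDefinitions folder at $Source" }
    if (-not (Test-Path $Store))  { New-Item -ItemType Directory -Path $Store | Out-Null }
    # Copy the ADMX files and every language subfolder (the ADML files).
    Copy-Item -Path (Join-Path $Source '*') -Destination $Store -Recurse -Force
}

function Test-AdmxCentralStore {
    # Count the ADMX and ADML files in the store and list ADMX files that
    # have no ADML file in the chosen language folder.
    param([string]$Store, [string]$Language)
    $admx    = @(Get-ChildItem -Path $Store -Filter *.admx)
    $langDir = Join-Path $Store $Language
    if (-not (Test-Path $langDir)) { throw "Language folder $langDir is missing" }
    $adml = @{}
    foreach ($f in Get-ChildItem -Path $langDir -Filter *.adml) { $adml[$f.BaseName] = $true }
    $missing = @($admx | Where-Object { -not $adml.ContainsKey($_.BaseName) } | ForEach-Object { $_.Name })
    New-Object PSObject -Property @{
        Store       = $Store
        AdmxCount   = $admx.Count
        AdmlCount   = $adml.Count
        MissingAdml = $missing
    }
}

New-AdmxCentralStore -Source $Source -Store $Store
Test-AdmxCentralStore -Store $Store -Language $Language | Format-List
# A healthy store reports equal AdmxCount and AdmlCount and an empty MissingAdml.
```

After the copy, step 8 of the exercise (opening a GPO and confirming that Administrative Templates reports the central store) is still the final check, because the editor only switches to the store when it finds the PolicyDefinitions folder at exactly this path.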
EXAM WARNING
New features, such as the ADMX central store, that Microsoft considers to
be an improvement are often heavily tested. Pay special attention to information
about them and consider reading more about them on Microsoft's Web site.
Adding ADM Templates to a GPO
Although Microsoft is converting over to the ADMX format, ADM files are still
supported in Windows Vista and Windows Server 2008 GPOs. Although you can
add ADMX templates by simply copying them into the appropriate location in
the file system (generally the central store on an Active Directory-based network),
you still add and remove ADM files through the Group Policy Management Editor
utility. Follow these steps to add or remove an ADM file from a GPO:
1. Open the GPO that will be used to configure auditing using the Group
Policy Management Editor and expand Computer Configuration |
Policies | Administrative Templates.
2. In the right-side pane of the Group Policy Management Editor
window, right-click the Administrative Templates node and select
Add/Remove Templates. See Figure 6.53.
Figure 6.53 The Administrative Templates Context Menu
3. In the Add/Remove Templates dialog, click the Add button to add a
template or Remove to remove a template from the GPO. See Figure 6.55.
4. In the Policy Templates dialog, browse to the location of your ADM file,
select it, and click the Open button. See Figure 6.54. A brief dialog may
appear notifying you that the file is being copied to the proper location.
Figure 6.54 The Policy Templates Dialog
5. In the Add/Remove Templates dialog, click the Close button.
See Figure 6.55.
6. Under the Administrative Templates node, the Classic Administrative
Templates node will appear. Expand this node to see your added template
(here, Microsoft Office 2007 system (machine)). See Figure 6.56.
Figure 6.55 The Add/Remove Templates Dialog
Figure 6.56 The Classic Administrative Templates Node
Converting ADM Files to the ADMX Format
As mentioned previously, you cannot store ADM files in the ADMX central store.
To get settings that are contained in an ADM file into the central store, you must
convert the ADM file to an ADMX file. Microsoft provides a free conversion utility
called ADMX Migrator that you can install on Windows XP, Vista, Server 2003,
and Server 2008 computers. You can download the utility from
http://go.microsoft.com/fwlink/?LinkId=103774. You can convert ADM files using the command
prompt, or a provided Microsoft Management Console (MMC) snap-in. We cover
each method in the following sections.
Converting ADM Files to ADMX Files Using the Command Prompt
Follow these steps to convert an ADM file into an ADMX file using the
command prompt:
1. Download and install ADMX Migrator.
2. Open a command prompt by clicking Start | Command Prompt.
3. Change to the C:\Program Files\FullArmor\ADMX Migrator
directory, or wherever you specified that the software should be installed.
4. A number of options exist for the conversion that you can view by typing
faAdmxConv.exe /?. To perform a simple conversion, type the following:
faAdmxConv.exe source [targetpath]. For example:
faAdmxConv.exe C:\Downloads\Templates\ADM\en-us\office12.adm C:\Downloads\Templates\ADM\en-us\
Converting ADM Files to ADMX Files Using the MMC Snap-in
Follow these steps to convert an ADM file into an ADMX file using the
MMC snap-in:
1. Download and install ADMX Migrator.
2. Click Start | Run.
3. In the Run dialog box, type MMC in the Open: text box and click OK.
4. In the Console 1 window that appears, click File | Add/Remove
Snap-in. See Figure 6.57.
5. In the Add or Remove Snap-ins dialog, under Available Snap-ins, select
FullArmor ADMX Migrator and click the Add button. See Figure 6.58.
Figure 6.57 Adding a Snap-in
Figure 6.58 Selecting the ADMX Migrator Snap-in
6. Click OK.
7. In the Console 1 window, select the ADMX Editor node in the console tree
(left-hand pane).
8. In the right-hand pane, click Generate ADMX from ADM. See Figure 6.59.
Figure 6.59 Selecting the Generate ADMX from ADM Option
9. In the Open dialog box, browse to and select the ADM file you want to
convert, and then click the Open button. See Figure 6.60.
10. In the ADM to ADMX Conversion Results dialog, review the provided
information and click Close. See Figure 6.61.
Figure 6.60 Specifying the ADM File to Convert
11. In the ADMX Migrator dialog, note where the converted files are and
click the No button. See Figure 6.62.
Figure 6.61 The ADMX Conversion Results Dialog
Figure 6.62 The ADMX Migrator Dialog
12. Close the MMC.
13. To use the newly created files, copy the .admx file into the %systemroot%\
PolicyDefinitions folder on a Windows Vista or Windows Server 2008 computer and
the .adml file into its language subfolder (for example, en-US), or copy both into the
corresponding folders of the ADMX central store.
Summary of Exam Objectives
You can use group policy to deploy, maintain, and remove software on Windows
2000 and later computers. Three elements are necessary for software deployment:
a software distribution point that makes the installation files available across the network,
a GPO linked to the appropriate containers in Active Directory to control which
users and computers receive the software, and a properly configured deployment
package within that GPO. In addition to initial deployment, you can use group
policy to redeploy software (for example, to apply a service pack or to repair a broken
installation) and to upgrade software to new versions. Redeployment is mandatory, but
upgrades can be mandatory or optional. Removal can also be forced or optional: if forced,
the software is removed at the next computer startup or user logon; if optional, users can
remove the software at any time using the Control Panel.
Software packages can be published or assigned to users, and only assigned to computers.
Publishing allows users to install software through document activation (opening a file
whose extension the package registers) and from the Control Panel. Assignment includes
these as well as the capability to advertise the availability of the uninstalled application
through the Start menu and Desktop icons, even though the application is not actually
installed on the system until it is first used.
You can use group policy settings to enforce security-related settings across
multiple Windows 2000 and later computers. Password and account lockout policy
settings affect domain accounts only when linked at the domain level (the same settings
linked to an OU change the local account databases of the computers in that OU, not
domain accounts). Windows Server 2008 creates a Default Domain Policy GPO and links
it at the domain level for each domain in the forest. The domain password policy allows
administrators to specify a combination of password security options, including how
frequently users must change their passwords, how long passwords must be, how many
unique passwords must be used before a user can reuse one, and how complex passwords
must be. Account lockout is used to prevent successful brute force password
guessing. If it is not enabled, an attacker can continue to guess username and
password combinations very rapidly using software. The proper combination of
settings can effectively block these attacks by either locking the account out until an
administrator unlocks it or requiring a long waiting time after a low number of
incorrect guesses. Keep in mind that a lockout threshold also lets an attacker who knows
valid usernames lock accounts deliberately, so pair a moderate threshold with a finite
lockout duration and monitor failed-logon events rather than relying on lockout alone.
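The domain-level settings described above end up as attributes on the domain object itself, which makes them easy to audit without opening the GPO. The script below, an added example that is not from the book, reads them through ADSI on any domain-joined machine and flags values that favour an online password-guessing attacker; the thresholds it warns about are the example's own baseline, not Microsoft defaults.

```powershell
# Added example: audit the domain-wide password and lockout policy straight from the domain
# object, where the Default Domain Policy's settings end up. Run on a domain-joined machine.
# The warning thresholds are this example's own baseline, not Microsoft defaults.
$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

# Time-valued attributes are IADsLargeInteger values holding negative 100-nanosecond
# intervals. Int64.MinValue means "never" (passwords never expire / the account stays
# locked until an administrator unlocks it); 0 means no restriction.
function ConvertTo-Span($largeInteger) {
    $i8 = $domain.ConvertLargeIntegerToInt64($largeInteger)
    if ($i8 -eq [Int64]::MinValue) { return $null }
    return [TimeSpan]::FromTicks(-1 * $i8)
}

$maxAge    = ConvertTo-Span $domain.maxPwdAge.Value
$minAge    = ConvertTo-Span $domain.minPwdAge.Value
$lockDur   = ConvertTo-Span $domain.lockoutDuration.Value
$lockWin   = ConvertTo-Span $domain.lockOutObservationWindow.Value
$minLen    = [int]$domain.minPwdLength.Value
$history   = [int]$domain.pwdHistoryLength.Value
$threshold = [int]$domain.lockoutThreshold.Value
$complex   = ([int]$domain.pwdProperties.Value -band 1) -eq 1   # bit 1 = DOMAIN_PASSWORD_COMPLEX

New-Object PSObject -Property @{
    Domain                   = "$($rootDse.defaultNamingContext)"
    MinimumPasswordLength    = $minLen
    PasswordHistory          = $history
    ComplexityRequired       = $complex
    MaximumPasswordAge       = $(if ($maxAge -eq $null) { 'never expires' } else { "$($maxAge.Days) days" })
    MinimumPasswordAge       = $(if ($minAge -eq $null) { 'n/a' } else { "$($minAge.Days) days" })
    LockoutThreshold         = $(if ($threshold -eq 0) { 'disabled' } else { $threshold })
    LockoutDuration          = $(if ($lockDur -eq $null) { 'until unlocked' } else { "$($lockDur.TotalMinutes) min" })
    LockoutObservationWindow = $(if ($lockWin -eq $null) { 'n/a' } else { "$($lockWin.TotalMinutes) min" })
} | Format-List

# Flag the settings an online password-guessing attacker benefits from.
if ($minLen -lt 8)         { Write-Warning "Minimum password length is $minLen" }
if (-not $complex)         { Write-Warning 'Password complexity is disabled' }
if ($history -lt 24)       { Write-Warning "Password history remembers only $history passwords" }
if ($minAge -ne $null -and $minAge.Ticks -eq 0) {
    Write-Warning 'Minimum password age is 0; users can cycle straight back to an old password'
}
if ($threshold -eq 0)      { Write-Warning 'Account lockout is disabled; guessing is unthrottled' }
elseif ($threshold -gt 50) { Write-Warning "Lockout threshold of $threshold is high" }
if ($threshold -gt 0 -and $lockDur -eq $null) {
    Write-Warning 'Lockout is indefinite; anyone who knows usernames can lock them out on purpose'
}
```

The last two warnings are the trade-off the summary describes: no threshold leaves guessing unthrottled, an indefinite duration turns the threshold into a denial-of-service tool for anyone with a list of usernames.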
Only one password and account lockout policy is effective for all users and
computers in the domain unless fine-grained password policies are used. Available once
the domain functional level is Windows Server 2008, these fine-grained policy objects,
called Password Settings objects (PSOs), allow administrators to apply different password
and account lockout settings to individual user accounts and global security groups. You
can create them using ldifde or ADSI Edit, and you can modify them using either of these
tools as well as Active Directory Users and Computers (with Advanced Features enabled).
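Creating a PSO with ldifde, as an added example that is not from the book: the script builds the LDIF file, converts the time-valued attributes into the I8 format the directory expects, imports it, and then reads back which PSO actually governs an account. The domain DN, PSO name, target group and the settings themselves are assumptions for the example.

```powershell
# Added example: create a Password Settings object (PSO) with ldifde from PowerShell.
# Requires the Windows Server 2008 domain functional level and Domain Admin rights.
# The domain DN, PSO name, group and the values themselves are this example's assumptions.
$domainDn  = 'DC=contoso,DC=com'
$psoName   = 'PSO-Domain-Admins'
$appliesTo = "CN=Domain Admins,CN=Users,$domainDn"

# The time-valued attributes are I8 values: negative 100-nanosecond intervals. A .NET tick
# is 100 ns, so a TimeSpan's Ticks, negated, is exactly what the directory expects
# (30 days -> -25920000000000).
function ConvertTo-I8([TimeSpan]$span) { return (-1 * $span.Ticks).ToString() }

# All of these attributes are mandatory on msDS-PasswordSettings; ldifde rejects the
# object if one is missing. The lowest precedence wins when several PSOs apply to a user.
$ldif = @"
dn: CN=$psoName,CN=Password Settings Container,CN=System,$domainDn
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 15
msDS-MinimumPasswordAge: $(ConvertTo-I8 ([TimeSpan]::FromDays(1)))
msDS-MaximumPasswordAge: $(ConvertTo-I8 ([TimeSpan]::FromDays(30)))
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-I8 ([TimeSpan]::FromMinutes(30)))
msDS-LockoutDuration: $(ConvertTo-I8 ([TimeSpan]::FromMinutes(30)))
msDS-PSOAppliesTo: $appliesTo
"@

$ldfPath = Join-Path $env:TEMP "$psoName.ldf"
# ldifde reads ASCII; an entry ends with a blank line.
Set-Content -Path $ldfPath -Value ($ldif + "`r`n") -Encoding ASCII

& ldifde.exe -i -f $ldfPath -j $env:TEMP
if ($LASTEXITCODE -ne 0) { throw "ldifde failed (exit $LASTEXITCODE); see $env:TEMP\ldif.log" }

# Check: msDS-ResultantPSO is a constructed attribute that names the PSO governing an
# account after precedence is resolved; empty means the domain policy applies. The built-in
# Administrator is a member of Domain Admins, so it should now name the new PSO.
$user = [ADSI]"LDAP://CN=Administrator,CN=Users,$domainDn"
$user.psbase.RefreshCache([string[]]@('msDS-ResultantPSO'))
$user.psbase.Properties['msDS-ResultantPSO'].Value
```

The check at the end is the step most people skip: a PSO applied to a group only takes effect for direct and nested members of that group, and a lower-precedence PSO applied elsewhere can silently win, so always confirm the resultant PSO on a representative account.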
You can also use group policy objects to enable auditing. Auditing is used to
track authorized and unauthorized resource access, usage, and change. Administrators
can audit the success and/or failure for a number of tracked events. Examples of
what can be tracked include logons, changes to policy, use of privileges, directory
service or file access, and so forth. Some objects such as the Active Directory
directory service, the file system, Registry keys, and printers require two steps to
enable auditing. Administrators must enable auditing in group policy and on the
specific objects they want to track. You can configure these resources to track individual
and group accounts, as well as specific actions such as changing permissions
on or deleting the object. Most objects have a sizable number of possible auditing
options. Unlike the other items in the previous list, some Active Directory objects
already have auditing configured for them. Despite this convenience, administrators
should always double-check the objects they specifically want to audit and ensure
that the settings are appropriate for the information they want to receive.
Additional security-related policies include User Rights Assignment, Security
Options, Restricted Groups, and Administrative Templates. Administrators can grant
or revoke a significant number of user rights, including the ability to log on to
a server locally or from a network connection, the ability to shut down a server, the
ability for certain accounts to be able to log on as a service, and many others.
In addition, Microsoft provides administrators with a large list of security parameters
that can be defined using group policy, including preventing users from installing
printer drivers, blocking access to the CD-ROM drive, specifying various digital
signing and encryption settings, restricting access to the Registry, and many more.
The Restricted Groups policy allows an administrator to exert control over
group membership using group policy. You can use it to strictly enforce the
membership of the groups it is configured to manage (members not listed in the policy
are removed at every policy refresh), and to add the managed groups to other groups.
The Administrative Templates group policy settings control a large number of
Registry-based settings on the workstations and servers to which they apply.
Pre-Windows Vista computers exclusively used ADM files, which were stored
within each GPO in an Active Directory environment. You can still use ADM files
with Windows Vista and Server 2008; however, Microsoft recommends using the
newer ADMX and ADML file formats. You can create a central store for ADMX
and ADML files in the PolicyDefinitions folder under %sysvol%\<your domain name>\Policies\
(that is, \\<your domain name>\SYSVOL\<your domain name>\Policies\PolicyDefinitions).
You can convert ADM files to ADMX using the ADMX Migrator utility.
Exam Objectives Fast Track
Configuring Software Deployment
˛ Three things must occur for any software deployment using group policy:
The software distribution point must be created, the GPO that will be
used must be created or decided upon, and the GPO must be configured
for the deployment.
˛ You can use group policy to manage the entire software life cycle:
preparation, deployment, maintenance, and removal. The maintenance
cycle includes the ability to redeploy software with service packs and to fix
issues, as well as being able to upgrade to new versions. Redeployment is
mandatory but upgrades can be mandatory or optional.
˛ Software packages can be published or assigned to users, and only assigned to
computers. Publishing allows users to install software through document
activation and the Control Panel. Assignment includes these as well as
the capability to advertise the availability of the uninstalled application
through the Start menu and Desktop icons.
˛ Administrators can specify whether software removal will be forced or
optional. If forced, software is removed at the next computer startup or
user logon. If optional, users can remove the software at any time using the
Control Panel.
Configuring Account Policies
˛ Windows Server 2008 creates a Default Domain Policy GPO for every
domain in the forest. This GPO, linked at the domain level, is the primary
place to set domain-wide security policies such as password expiration and
account lockout.
˛ You can use fine-grained password and account lockout policy (Password
Settings objects) to apply custom password and account lockout settings to
individual users and global security groups within a domain; this requires the
Windows Server 2008 domain functional level.
˛ The domain password policy allows you to specify a range of password
security options, including how frequently users change their passwords,
how long passwords must be, how many unique passwords must be used
before a user can reuse one, and how complex passwords must be.
˛ You can use account lockout to prevent successful brute force password
guessing. If it is not enabled, someone can keep attempting to guess
username/password combinations very rapidly using a software-based
attack. The proper combination of settings can effectively block these
attacks; choose the threshold and duration with care, because lockout also
lets anyone who knows usernames lock accounts deliberately.
Configuring Audit Policies
˛ Auditing is used to track authorized and unauthorized resource access,
usage, and change within Windows Server 2008.
˛ You can audit the success and/or failure for a variety of tracked events.
Examples of what can be tracked include logons, changes to policy, use of
privileges, directory service or file access, and so forth.
˛ Some objects such as directory services, the file system, Registry keys, and
printers require two steps to enable auditing. You must enable auditing in
group policy and on the specific objects you want to track.
Configuring Additional Security-Related Policies
˛ Administrators can grant a wide array of user rights, including the ability
to log on to a server locally or from a network connection, the ability to
shut down a server, the ability for certain accounts to be able to log on as
a service, and many others.
˛ Microsoft provides administrators with a large list of security parameters
that can be defined using group policy, including preventing users from
installing printer drivers, blocking access to the CD-ROM drive, specifying
various digital signing and encryption settings, restricting access to the
Registry, and many more.
˛ The Restricted Groups object allows you to exert some control over
group membership using group policy. You can use it to strictly enforce the
membership of groups it is configured to manage, and to add the managed
groups to other groups.
˛ The Administrative Templates group policy settings control a large number
of Registry-based settings on the workstations and servers to which they
apply. Pre-Windows Vista computers exclusively used ADM files, which
were stored within each GPO in an Active Directory environment.
You can still use ADM files with Windows Vista and Server 2008; however,
Microsoft recommends using the newer ADMX and ADML file formats.
You can create a central store for ADMX and ADML files in the
PolicyDefinitions folder under %sysvol%\<your domain name>\Policies\.
˛ You can convert ADM files to ADMX using the ADMX Migrator utility.
Exam Objectives
Frequently Asked Questions
Q: What methods of software deployment are available at the user level?
A: Administrators can assign and publish software to users, but only assign software
to computers.
Q: What permissions should be set for the software distribution point?
A: At a minimum, share-level permissions should give those responsible for
administering the files full control and give users read-only access. NTFS
permissions are the control that actually matters and should be set the same way.
Remember that packages assigned to computers are installed by the Windows Installer
service as LocalSystem, which reaches the share using the computer account, so the
computer accounts (Domain Computers, or simply Authenticated Users) need read
access as well. No ordinary user or computer should be able to write to the distribution
point, because an MSI replaced there will later run with SYSTEM privileges on every
targeted machine.
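The permissions described in this answer, scripted as an added example that is not from the book. The folder, the hidden share name and the CONTOSO\SoftwareAdmins group are assumptions for the example; the final check looks for exactly the mistake the answer warns about.

```powershell
# Added example: create a software distribution point with least-privilege NTFS and share
# permissions, then check that nothing below it is writable by ordinary accounts.
# The path, share name and administrators' group are assumptions for this example.
$path       = 'D:\SoftwareDist'
$share      = 'SoftwareDist$'           # hidden share: not browsable, still reachable by UNC path
$adminGroup = 'CONTOSO\SoftwareAdmins'  # the people allowed to stage MSI files

New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS is the control that actually matters. Remove inherited ACEs so nothing from the
# drive root leaks in, then grant explicitly. Authenticated Users covers both user and
# computer accounts: a package assigned to computers is installed by Windows Installer
# running as LocalSystem, which reaches the share with the computer account.
icacls $path /inheritance:r
icacls $path /grant 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' `
                    "${adminGroup}:(OI)(CI)F" 'Authenticated Users:(OI)(CI)RX'
if ($LASTEXITCODE -ne 0) { throw 'icacls failed' }

# Share permissions mirror the NTFS ones: read for anyone who can authenticate, full
# control for the staging admins only.
net share "$share=$path" /GRANT:"Authenticated Users,READ" /GRANT:"$adminGroup,FULL" `
    /REMARK:"Group Policy software distribution point"
if ($LASTEXITCODE -ne 0) { throw 'net share failed' }

# Check: any Allow ACE granting write-class rights to someone other than the admins is a
# problem, because an MSI replaced here later runs as SYSTEM on every targeted computer.
$trusted = @($adminGroup, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$acl = Get-Acl -Path $path
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $trusted -notcontains $_.IdentityReference.Value -and
    $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|Delete'
} | ForEach-Object {
    Write-Warning ("{0} can modify {1} ({2})" -f $_.IdentityReference, $path, $_.FileSystemRights)
}
```

Run the check again whenever someone "fixes" a failing installation by loosening permissions; a distribution point that users can write to is a privilege-escalation path to every computer the package is assigned to.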
Q: What is the difference between software redeployment and upgrades?
A: Redeployment is used when the current application version needs to be
reinstalled, or when a service pack needs to be applied. Upgrades are used to
move from one version of the software to another.
Q: What options are available when removing software using group policy?
A: Software can be removed if it was installed using group policy. Administrators
can force removal at the next computer start or user logon, or allow users to
determine when they uninstall the software.
Q: I created a GPO with specific password and account lockout settings and
applied it to an OU in my Active Directory domain. Why weren't the settings
applied?
A: A GPO with password and account lockout settings affects domain accounts only
when it is linked at the domain level of Active Directory. Linked to an OU, those
settings change the local account database of the computers in that OU, which is why
the domain accounts appear unaffected. To give a subset of domain users different
settings, use a fine-grained password policy instead.
Q: My security administrator is concerned about brute force password attacks. Are
there any Windows Server 2008 features which can help to manage those risks?
A: Account lockout can be used to minimize risks from brute force password
attacks by setting an appropriate combination of values for the Account
lockout duration, Account lockout threshold, and Reset account
lockout counter after options.
Q: I'm concerned about users going for too long without changing their passwords,
or using passwords that are really simple and easy to guess. What can I do about
this in Windows Server 2008?
A: Windows Server 2008 group policy allows you to specify a range of password
security options, including how frequently users change their passwords, how
long passwords must be, how many unique passwords must be used before
a user can reuse one, and how complex passwords must be when initially specified
or changed.
Q: How can I apply a different set of password and account lockout policy to
administrators?
A: In Windows Server 2008, a new feature called fine-grained password and account
lockout policy can be used to apply custom password and account lockout
policy settings to individual users and global security groups within a domain.
Q: What can I monitor using auditing in Windows Server 2008?
A: Auditing can be used to track successful and failed resource access, usage, and
change, including logon events, directory service objects, file system objects,
Registry objects, printers, exercise of user privileges and rights, system events,
account management changes, and much more.
Q: It seems like auditing file system and directory service objects would produce
too many log entries to sort through. Is there a way to limit this?
A: In addition to enabling auditing of these types of objects, you can also specify
exactly what you want to track on an object-by-object basis. This includes both
who changed an object and what was specifically changed.
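The two-step setup this answer describes, carried out on a single file server as an added example (not code from the book): step 1 turns on the File System audit subcategory, the per-machine equivalent of the GPO's Audit object access setting; step 2 puts a narrow SACL on the folder so only deletions and permission changes are logged. The folder path is an assumption for the example.

```powershell
# Added example: the two-step file-auditing setup done on one server. Step 1 is the policy
# (the per-machine equivalent of the GPO's Audit object access setting); step 2 is the
# SACL on the object. The folder path is an assumption for this example.
$target = 'D:\Finance'
if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }

# Step 1: policy. Vista and Server 2008 expose the subcategories through auditpol;
# enabling only "File System" avoids the noise of the whole Object Access category.
# Note: if a GPO sets the legacy Audit object access category, it overwrites this on the
# next refresh unless the Security Option "Audit: Force audit policy subcategory settings
# (Windows Vista or later) to override audit policy category settings" is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) { throw 'auditpol failed (run as administrator)' }

# Step 2: object SACL. Audit only what you need: deletion and permission changes by anyone,
# successful or not, inherited by everything below the folder. Auditing every read would
# flood the log without telling you much.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList 'Everyone', $rights, $inherit, $prop, $flags

# -Audit is required to read and write the SACL (needs SeSecurityPrivilege, the
# "Manage auditing and security log" user right, which administrators hold by default).
$acl = Get-Acl -Path $target -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# Check what will actually generate events.
(Get-Acl -Path $target -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Read back the results: 4663 = an access attempt matching the SACL, 4660 = object deleted.
# Both land in the Security log of the server holding the files, not on a domain controller.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

Neither step works alone: without the policy the SACL is never evaluated, and without the SACL the policy has nothing to match, which is the usual reason "auditing is on but nothing is logged".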
Q: I see that two types of logon events can be audited. What is the difference
between them?
A: The Audit account logon events policy is used for credential validation, and
the events audited relate to the computer which is authoritative for the
credentials. For most users in a domain, this will be the DC which processes
their logon regardless of the location of the resources being accessed. The Audit
logon events policy relates directly to where the resources being accessed are
located.
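The distinction in this answer is easiest to see in the event IDs. The script below, an added example that is not from the book, separates the two policies by ID in a Windows Server 2008 or Vista security log and summarizes failures per account, which is the view you want when looking for password guessing; the 24-hour window and the warning threshold are the example's own choices.

```powershell
# Added example: separate the two audit policies by event ID on a Windows Server 2008 /
# Vista security log and summarize failures per account. The time window and the warning
# threshold are this example's own choices.
$since     = (Get-Date).AddHours(-24)
$threshold = 10

# Audit account logon events: credential validation, recorded on the DC that holds the account.
$accountLogonIds = 4768, 4771, 4776   # Kerberos TGT request, Kerberos pre-auth failure, NTLM validation
# Audit logon events: session creation, recorded on the machine that was actually accessed.
$logonIds        = 4624, 4625         # logon succeeded, logon failed

function Get-TargetUser($event) {
    # Each of these events carries the account name in the TargetUserName data field.
    $xml = [xml]$event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
}

function Get-FailedLogonSummary([int[]]$ids, [datetime]$start) {
    # The Audit Failure keyword identifies the failed instances: 4771 and 4625 are always
    # failures, 4776 can be either, 4768 and 4624 are successes and drop out here.
    $filter = @{ LogName = 'Security'; Id = $ids; StartTime = $start }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' } |
        ForEach-Object { Get-TargetUser $_ } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count
}

'--- Account logon (credential validation) failures recorded on this machine ---'
$acct = @(Get-FailedLogonSummary $accountLogonIds $since)
$acct | Format-Table -AutoSize
'--- Logon (session) failures recorded on this machine ---'
$sess = @(Get-FailedLogonSummary $logonIds $since)
$sess | Format-Table -AutoSize

# A guessing attack against domain accounts shows up in the first list on the DC, whatever
# server the attacker pointed at; the second list only fills on the server being hit.
$acct + $sess | Where-Object { $_.Count -ge $threshold } | ForEach-Object {
    Write-Warning ("{0} failures for {1}: possible brute force" -f $_.Count, $_.Account)
}
```

Run it on a domain controller to see the account logon side and on a member server to see the logon side; on a workstation with only local accounts both policies record on the same machine.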
Q: I'd like to restrict some users from being able to change their workstation's
time, shut down servers, and so forth. This doesn't seem to be configurable with
permissions. How can I accomplish this?
A: The User Rights Assignment node in group policy can be used to configure
options such as this. Administrators can grant a wide array of user rights,
including the ability to log on to a server locally or from a network connection,
the ability to shut down a server, the ability for certain accounts to be able to
log on as a service, and many others.
Q: How can I set the logon, signing, and encryption options for all of my Windows
Server 2008 servers and Windows Vista Enterprise workstations at once, rather
than having to configure the Local Security Policy on each computer?
A: Group policy can be used to enforce these types of settings across a wide range
of Windows 2000 and later workstations and servers using the Security Options
node in a GPO. A significant range of security settings can be defined, including
preventing users from installing printer drivers, blocking access to the CD-ROM
drive, specifying various digital signing and encryption settings, restricting access
to the Registry, and many more.
Q: It seems like my organization is constantly having problems with inappropriate
accounts being added to sensitive groups within Active Directory. What can be
done to help prevent this?
A: The group policy Restricted Groups node can be used to strictly enforce the
membership of groups it is configured to manage, and to add the managed
groups to other groups.
Q: I looked for the ADMX central store on my server under %sysvol%\<your
domain name>\Policies\ but did not find the PolicyDefinitions folder. Was my
Active Directory installation completed properly?
A: Yes. No ADMX central store is created by default in Windows Server 2008.
To create one manually, copy the %systemroot%\PolicyDefinitions folder from a
Windows Server 2008 or Windows Vista computer, including the language subfolders
(such as en-US) that hold the ADML files, to your %sysvol%\<your domain name>\
Policies\ folder. Once the folder exists, GPMC on every administrator's workstation
reads templates from the central store instead of the local folder.
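Creating the store as this answer describes, then verifying it, as an added example that is not from the book. The domain name is read from the machine; the completeness and replication checks are the example's own.

```powershell
# Added example: create the ADMX central store from the local PolicyDefinitions folder of a
# Windows Vista or Windows Server 2008 machine, then verify it and its replication. The
# domain name is read from the machine; the checks are this example's own.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $source)) { throw "$source not found; run this on Vista or Server 2008" }
if (Test-Path $store) {
    Write-Warning "Central store already exists at $store; nothing copied."
} else {
    # /E also copies the language subfolders (en-US, ...) that hold the ADML files; without
    # them GPMC cannot render the settings. Only .admx and .adml belong in the store.
    robocopy $source $store *.admx *.adml /E /R:2 /W:5 /NP | Out-Null
    # robocopy exit codes below 8 mean success (0 = nothing to copy, 1 = files copied, ...)
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}

# Verify: every ADMX file needs an ADML in at least one language folder.
$admx  = @(Get-ChildItem -Path $store -Filter *.admx)
$adml  = @(Get-ChildItem -Path $store -Recurse -Filter *.adml)
$langs = @(Get-ChildItem -Path $store | Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name })
"{0} ADMX files, {1} ADML files, languages: {2}" -f $admx.Count, $adml.Count, ($langs -join ', ')
$admlNames = $adml | ForEach-Object { $_.BaseName }
$missing   = $admx | Where-Object { $admlNames -notcontains $_.BaseName }
if ($missing) { Write-Warning ('No ADML for: ' + (($missing | ForEach-Object { $_.Name }) -join ', ')) }

# The store lives in SYSVOL and replicates to every DC. Before anyone edits a GPO, confirm
# each DC already has it: an administrator connected to a lagging DC would otherwise fall
# back to the local templates and see a different set of settings.
$dcFilter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$dcs = ([ADSISEARCHER]$dcFilter).FindAll() | ForEach-Object { $_.Properties['dnshostname'][0] }
foreach ($dc in $dcs) {
    $onDc  = "\\$dc\SYSVOL\$domain\Policies\PolicyDefinitions"
    $count = @(Get-ChildItem -Path $onDc -Filter *.admx -ErrorAction SilentlyContinue).Count
    "{0}: {1} ADMX file(s)" -f $dc, $count
}
```

Writing to SYSVOL requires Domain Admin rights, and the store is shared by every administrator in the domain, so treat additions to it (including converted ADM files) as a change that needs review.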
Self Test
1. The CIO has asked you to configure a GPO that will ensure that antivirus
software is installed on every computer in the company. You are the most
senior administrator in the company and have full access to every computer,
and to Active Directory. Your company has a single domain and site. Which
one of the following actions do you take?
A. You configure a GPO at the domain level, and publish the application to
all computers.
B. You configure a GPO at the site level, and assign the application to all
computers.
C. You create a GPO with the required settings and link it into all OUs that
have computer accounts in it. You set the options to assign the application
to computers.
D. You tell him it cannot be done.
2. You've just taken over the domain-level administration for a mid-size company.
The previous administrator did not use group policy software deployment. You
have just configured and tested your first published application to users. The
application was designed to be used by all users in the accounting department.
You created the software distribution point and copied the installation files
over to it. You then created the GPO and linked it to the AcctgUsers OU,
which contains all user accounts for the department. When the users log on
to their computers, the application is visible in Control Panel | Add or
Remove Programs, but when users attempt the installation it fails. When
you log on from a computer in accounting, you are able to access the
installation files and run them manually. Which one of the following is most
likely the problem?
A. The application files are corrupt.
B. The permissions on the software distribution point are configured
incorrectly.
C. The GPO is corrupt.
D. The GPO is linked to the wrong place within Active Directory.
3. You've been asked by a senior administrator to deploy an update to an existing
application that is assigned to users. The senior administrator created and tested
the upgrade, and has given you all information required, including in which
GPO to configure the upgrade package. You create the package in the GPO,
right-click on it, and attempt to configure the update, but the current version
is not listed for selection. Which of the following should you do next?
A. Notify the senior administrator that the application failed to detect that it
was an upgrade to an existing version.
B. Manually enter the name of the package for the existing version and check
the Required upgrade for existing packages box.
C. Deploy the upgrade as a new software installation instead of an upgrade.
D. Ask the senior administrator which GPO the existing version's package is
located in, browse to it, and select it.
4. Microsoft has released a new service pack for Microsoft Word, along with the
necessary MSI file for deploying it via group policy. Youve copied the files
over to the correct software distribution point and verified their permissions.
The application is assigned to all workstation computers in the company via
a domain-level GPO. After configuring the files, you selected the redeployment
option for the Microsoft Word software deployment package. Only some
computers seem to be getting the service pack. The computers are a mix of
Windows XP and Vista. Which of the following is the most likely cause?
A. All computers have not been rebooted since the redeployment.
B. Redeployment does not work with operating systems earlier than
Windows Vista.
C. Service packs should be treated as upgrades, not reinstallations.
D. All users have not logged off and back on since the redeployment.
5. Your company decided not to renew the license agreement for its contact
management software. The software is deployed on systems across many client
computers in the company. A single GPO was configured to install the software,
and was linked into multiple places in the Active Directory hierarchy to
accommodate the various user groups that needed the program. You've gone
into the GPO and removed the published object for the software. Now, the
object is gone from the GPO but the application is still installed on the client
computers. Which one of the following most likely explains what happened?
A. You left the default option for removal enabled.
B. You selected the option to make the removal optional.
C. You selected the option to force removal.
D. You deleted the software object from the GPO but forgot to select the
uninstall options first.
6. The application testing team at your company has given you the approval to
deploy an upgrade to an existing software package. The team testing it has
revealed that the upgrade works best when the software is installed over the
existing software. They ask you if it is possible to upgrade the software using
group policy in a way which meets their recommendations, or if they should
write a script to push out the installation. Which one of the following do you
tell them?
A. You tell them that the default in group policy is to install over the previous
version of the software.
B. You tell them that group policy requires the previous version of the software
to be removed.
C. You tell them that it is an optional configuration setting, but that it is possible.
D. You recommend a script, saying that you don't trust group policy for such
a complex deployment scenario.
7. This morning you deployed an application by assigning it to computers, and
then many of the applications failed. On some systems the application installed
just fine, on others it only partially installed, and on still others it failed very
early in the process. You figured out what went wrong, and have modified the
MSI file. Which one of the following should you do to correct the problem?
A. You should do a forced removal of the software.
B. You should delete and re-create the deployment object in group policy.
C. You should redeploy the software.
D. You should begin manually troubleshooting the workstations that had
problems.
8. You are a mid-level administrator for a large multinational company. Each
major company office has its own domain. The technical services manager at
your office is tired of receiving complaints from the VP-level employees who
work at your location. She has asked you to allow passwords to be as short as
four characters, and to be all lowercase letters. Which of the following do you
do? (Select all that apply).
A. You tell her that the Default Domain Password Policy supports these settings
by default.
B. You tell her that you will create a custom GPO and link it in to the OU
containing the VPs user accounts.
C. You tell her that you will disable the Passwords must meet complexity
requirements option.
D. You tell her that you will set the Minimum password length option to 4.
9. Recently the security for your network was taken over by the firewall and
UNIX administrator. He has requested that you increase your password history
setting from the Windows Server 2008 default setting to remember the maximum
number of passwords. Which one of the following do you tell him?
A. You tell him that you will increase the Enforce password history setting
to 48.
B. You tell him that you will increase the Enforce password history setting
to 24.
C. You tell him that the default setting is the maximum.
D. You tell him that there is no maximum setting, and ask him to provide
a specific value.
10. You work for a small accounting firm. Recently your boss, the owner of the
company, read an article about weaknesses in password security. He's asked that
you require everyone in the company to change his or her password every
30 days, and to have to use at least 12 different passwords per year. Which of
the following settings do you configure in the Default Domain Policy? (Select
all that apply).
A. You set the Maximum password age option to 30.
B. You set the Enforce password history option to 12.
C. You set the Minimum password age option to 15.
D. You disable the Passwords must meet complexity requirements option.
Self Test Quick Answer Key
1. D
2. B
3. D
4. A
5. B
6. C
7. C
8. C, D
9. C
10. A, C
Exam objectives in this chapter:
■ What Is PKI?
■ Analyzing Certificate Needs within
the Organization
■ Working with Certificate Services
■ Working with Templates
Chapter 7
Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
MCTS/MCITP
Exam 640
Configuring Certificate
Services and PKI
446 Chapter 7 Configuring Certificate Services and PKI
www.syngress.com
Introduction
Computer networks have evolved in recent years to allow an unprecedented sharing
of information between individuals, corporations, and even national governments.
The need to protect this information has also evolved, and network security has
consequently become an essential concern of most system administrators. Even in
smaller organizations, the basic goal of preventing unauthorized access while still
allowing legitimate information to flow smoothly requires the use of more and
more advanced technology.
That being stated, all organizations today rely on networks to access information.
These sources of information can range from internal networks to the Internet. Access
to information is needed, and this access must be configured to provide information
to other organizations that may request it. When we need to make a purchase, for
example, we can quickly check out vendors' prices through their Web pages. In order
not to allow the competition to get ahead of our organization, we must establish our
own Web page for the advertising and ordering of our products. Within any organization,
many sites may exist across the country or around the globe. If corporate data is
available immediately to employees, much time is saved. In the corporate world, any
time saved is also money saved.
In the mid 1990s, Microsoft began developing what was to become a comprehensive
security system of authentication protocols and technology based on
already developed cryptography standards, known as public key infrastructure (PKI).
In Windows 2000, Microsoft used various standards to create the first Windows-proprietary
PKI, one that could be implemented completely without using third-party
companies. Windows Server 2008 expands and improves on that original
design in several significant ways, which we'll discuss later in this chapter.
PKI is the method of choice for handling authentication issues in large
enterprise-level organizations today. Windows Server 2008 includes the tools
you need to create a PKI for your company and issue digital certificates to users,
computers, and applications. This chapter addresses the complex issues involved
in planning a certificate-based PKI. We'll provide an overview of the basic
terminology and concepts relating to the public key infrastructure, and you'll learn
about public key cryptography and how it is used to authenticate the identity of
users, computers, and applications/services. We'll discuss the different components of
PKI, including the private key, the public key, and the trusted third party (TTP), along
with the PKI enhancements in Windows Server 2008. We'll discuss the role of digital
certificates and the different types of certificates (user, machine, and application
certificates).
You'll learn about certification authorities (CAs), the servers that issue
certificates, including both public CAs and private CAs, such as the ones you
can implement on your own network using Server 2008's certificate services.
Next, we'll discuss the CA hierarchy and how root CAs and subordinate CAs act
together to provide for your organization's certificate needs. You'll find out how the
Microsoft certificate services work, and we'll walk you through the steps involved in
implementing one or more certification authorities based on the needs of the
organization. You'll learn to determine the appropriate CA type, enterprise or
stand-alone, for a given situation, and how to plan the CA hierarchy and
provide for the security of your CAs. We'll show you how to plan for enrollment
and distribution of certificates, including the use of certificate requests, role-based
administration, and autoenrollment deployment.
Next, we'll discuss how to implement certificate templates and the different types of
templates that you can use in your environment. Finally, we'll discuss the role of the key
recovery agent and how it works in a Windows Server 2008 environment.
What Is PKI?
The rapid growth of Internet use has given rise to new security concerns. Any
company that does not configure a strong security infrastructure is literally putting
the company at risk. An unscrupulous person could, if security were lax, steal information
or modify business information in a way that could result in major financial
disaster. To protect the organization's information, a man in the middle who intercepts
or alters traffic between the communicating parties must be detected or kept out.
Cryptographic technologies such as public key infrastructure (PKI) provide
a way to identify both users and servers during network use.
PKI is the underlying cryptography system that enables users or computers that
have never been in trusted communication before to validate themselves by referencing
an association to a trusted third party (TTP). Once this verification is complete,
the users and computers can now securely send messages, receive messages,
and engage in transactions that include the interchange of data.
PKI is used in both private networks (intranets) and on the World Wide Web
(the Internet). It is actually the latter, the Internet, that has driven the need for
better methods for verifying credentials and authenticating users. Consider the vast
number of transactions that take place every day over the Internet, from banking
to shopping to accessing databases and sending messages or files. Each of these
transactions involves at least two parties. The problem lies in the verification of who
those parties are and the choice of whether to trust them with your credentials and
information.
The PKI verification process is based on the use of keys, unique bits of data
used to encrypt, decrypt, and sign information. Every user of PKI actually
generates or receives two related keys: a public key and a private key, together
referred to as a key pair. As the name suggests, the public key is made openly
available to the public while the private key is kept solely by the owner of the key pair.
Data encrypted with one key of the pair can be decrypted only with the other, which
allows data to be exchanged securely and allows a signature made with the private key
to be checked by anyone holding the public key (this process is covered in more detail
later in this chapter). What ties a public key to a particular user or computer is the
certificate issued for it, which is the subject of the rest of this chapter.
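The key-pair behaviour just described, worked through with the .NET RSA classes from PowerShell. This is an added example, not code from the book or from Microsoft's certificate services; the names Alice and Bob, the message text, and the 2048-bit and SHA-256 choices are the example's own.

```powershell
# Added example: a key pair doing the two jobs PKI relies on. The private key never leaves
# its owner (Alice); only the public half is handed to Bob. Names, the message and the
# 2048-bit / SHA-256 choices are this example's own.
# Provider type 24 (PROV_RSA_AES) is required for SHA-256 with RSACryptoServiceProvider.
$csp = New-Object System.Security.Cryptography.CspParameters -ArgumentList 24

$alice = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048, $csp
$alice.PersistKeyInCsp = $false   # do not leave a key container behind on this machine

# Export ONLY the public parameters ($false = exclude the private key) and hand them to Bob.
$publicXml = $alice.ToXmlString($false)
$bob = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
$bob.PersistKeyInCsp = $false
$bob.FromXmlString($publicXml)
"Bob holds the public key only: $($bob.PublicOnly)"

$message = [Text.Encoding]::UTF8.GetBytes('Transfer 100 EUR to account 4711')   # constructed input

# Confidentiality: Bob encrypts to Alice's public key (OAEP padding); only the matching
# private key can decrypt, so Bob himself cannot read the ciphertext back.
$cipher = $bob.Encrypt($message, $true)
'Alice reads: ' + [Text.Encoding]::UTF8.GetString($alice.Decrypt($cipher, $true))
try   { $bob.Decrypt($cipher, $true) | Out-Null }
catch { 'Bob cannot decrypt with the public key alone: ' + $_.Exception.GetBaseException().GetType().Name }

# Integrity and nonrepudiation: Alice signs with her private key; anyone holding the public
# key can verify, and verification fails on the tampered message even though only one
# character changed.
$signature = $alice.SignData($message, 'SHA256')
"Signature valid on original: $($bob.VerifyData($message, 'SHA256', $signature))"
$tampered = [Text.Encoding]::UTF8.GetBytes('Transfer 900 EUR to account 4711')
"Signature valid on tampered: $($bob.VerifyData($tampered, 'SHA256', $signature))"

# What none of this proves is that the public key belongs to "Alice". Binding a public
# key to an identity is the job of a certificate, issued by a CA that Bob already trusts.
```

Notice that Bob did everything with the public key alone, and that the one thing he could not establish is whose key it is; the certificate and the certification authority exist to close that gap.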
The use of PKI on the World Wide Web is so pervasive that it is likely that every
Internet user has used it without even being aware of it. However, PKI is not simply
limited to the Web; applications such as Pretty Good Privacy (PGP) also leverage
the basis of PKI technology for e-mail protection; FTP over SSL/TLS uses PKI, and
many other protocols have the ability to manage the verification of identities through
the use of key-based technology. Companies such as VeriSign and Entrust exist as
trusted third-party vendors, enabling a world of online users who are strangers to
find a common point of reference for establishing confidentiality, message integrity,
and user authentication. Literally millions of secured online transactions take place
every day leveraging their services within a public key infrastructure.
Technology uses aside, PKI fundamentally addresses relational matters within
communications. Specifically, PKI seeks to provide solutions for the following:
■ Proper authentication
■ Trust
■ Confidentiality
■ Integrity
■ Nonrepudiation
By using the core PKI elements of public key cryptography, digital signatures,
and certificates, you can ensure that all these equally important goals can be met
successfully. The good news is that the majority of the work involved in implementing
these elements under Windows Server 2008 is taken care of automatically by
the operating system and is done behind the scenes.
The first goal, proper authentication, means that you can be highly certain that an
entity such as a user or a computer is indeed the entity he, she, or it is claiming to be.
Think of a bank. If you wanted to cash a large check, the teller would more than
likely ask for some identification. If you present the teller with a driver's
license and the picture on it matches your face, the teller can be highly certain
that you are that person, provided the teller trusts the validity of the license
itself. Because the driver's license is issued by a government agency (a trusted
third party), the teller is more likely to accept it as valid proof of your
identity than an employee ID card issued by a small company that the teller has
never heard of. As you can see, trust and authentication work hand in hand.
When transferring data across a network, confidentiality ensures that the data
cannot be viewed and understood by any third party. The data might be anything
from an e-mail message to a database of social security numbers. In the last 20 years,
more effort has been spent trying to achieve this goal (data confidentiality) than
perhaps all the others combined. In fact, the entire scientific field of cryptology is
devoted to ensuring confidentiality (as well as all the other PKI goals).
NOTE
Cryptography is the design and use of ciphers and related algorithms to
protect data; cryptanalysis is the study of breaking them, that is,
recovering plaintext or keys without being given the key. Together,
the two make up the science of cryptology.
As important as confidentiality is, however, the importance of network data
integrity should not be underestimated. Consider the extreme implications of a
patient's medical records being intercepted during transmission and then maliciously
or accidentally altered before being sent on to their destination. Integrity gives
confidence to a recipient that data has arrived in its original form and hasn't been
changed or edited.
Finally we come to nonrepudiation. A bit more obscure than the other goals,
nonrepudiation allows you to prove that a particular entity sent a particular piece
of data, so the entity cannot credibly deny having sent it. Because the proof
depends on a private key that only the sender holds, it also becomes extremely
difficult for an attacker to masquerade as a legitimate user and send malicious
data across the network. Nonrepudiation is related to, but separate from,
authentication.
The Function of the PKI
The primary function of the PKI is to address the need for privacy throughout
a network. For the administrator, there are many areas that need to be secured.
Internal and external authentication, encryption of stored and transmitted files, and
e-mail privacy are just a few examples. The infrastructure that Windows Server 2008
provides links many different public key technologies in order to give the IT
administrator the power necessary to maintain a secure network.
Most of the functionality of a Windows Server 2008-based PKI comes from a
few crucial components, which are described in this chapter. Although there are
several third-party vendors such as VeriSign (www.verisign.com) that offer similar
technologies and components, using Windows Server 2008 can be a less costly and
easier-to-implement option, especially for small and medium-sized companies.
Components of PKI
In today's network environments, key pairs are used in a variety of different functions.
This chapter touches on topics such as virtual private networks (VPNs),
digital signatures, access control (SSH), secure e-mail (PGP, mentioned already,
and S/MIME), and secure Web access (Secure Sockets Layer, or SSL). Although
these technologies are varied in purpose and use, each includes an implementation
of PKI for managing trusted communications between a host and a client.
While PKI exists at some level within the innards of several types of communications
technologies, its form can change from implementation to implementation.
As such, the components necessary for a successful implementation can vary
depending on the requirements, but in public key cryptography there is always:
■ A private key
■ A public key
■ A trusted third party (TTP)
Since a public key must be associated with the name of its owner, a data structure
known as a public key certificate is used. The certificate typically contains the
owner's name, their public key and (optionally) e-mail address, validity dates for the
certificate, the location of revocation information, the location of the issuer's
policies, and possibly other affiliate information that identifies the certificate
holder with an organization such as an employer or other institution.
In everyday usage the two halves of the key pair are often referred to loosely as
the private and public key "certificates", but strictly speaking the certificate
carries only the public key; the private key is stored separately and never leaves
its owner. The trusted third party is commonly known as the certificate authority
(CA). The certificate authority, or at least its certificate and its revocation
information, must be available both to the holder of the private key and to any
party that relies on the public key. Entire hierarchies can exist within a public
key infrastructure to support the use of multiple certificate authorities.
In addition to certificate authorities and the certificates they issue, there is a
collection of components and functions associated with the management of the
infrastructure. As such, a list of typical components required for a functional
public key infrastructure would include but not be limited to the following:
■ Digital certificates
■ Certification authorities
■ Certificate enrollment
■ Certificate revocation
■ Encryption/cryptography services
Although we have already covered digital certificates and certificate authorities
at a high level, it will be well worth our time to revisit these topics. In the sections
to follow, we will explore each of the aforementioned topics in greater detail.
New & Noteworthy
PKI Enhancements in Windows Server 2008
Windows Server 2008 introduces many new enhancements that make a PKI
solution easier to implement and, believe it or not, easier to develop
against. Some of these improvements extend to the clients, such as the
Windows Vista operating system. Overall, these improvements have increased
the manageability throughout Windows PKI. For example, the revocation
services have been redesigned, and the attack surface for enrollment has
decreased. The following list items include the major highlights:
■ Enterprise PKI (PKIView) PKIView is a Microsoft Management
Console (MMC) snap-in for Windows Server 2008. It can be
used to monitor and analyze the health of the certificate
authorities and to view details for each certificate authority
certificate published in Active Directory Certificate Services.
■ Web Enrollment Introduced in Windows 2000 Server, the Web
enrollment control has been rewritten to be more secure and to
make the use of scripts much easier. It is also easier to update
than previous versions.
■ Network Device Enrollment Service (NDES) In Windows Server
2008, this service represents Microsoft's implementation of the
Simple Certificate Enrollment Protocol (SCEP), a communication
protocol that makes it possible for software running on network
devices, such as routers and switches that cannot
otherwise be authenticated on the network, to enroll for X.509
certificates from a certificate authority.
■ Online Certificate Status Protocol (OCSP) In cases where
conventional CRLs (Certificate Revocation Lists) are not an
optimal solution, Online Responders can be configured on a
single computer or in an Online Responder Array to manage
and distribute revocation status information.
■ Group Policy and PKI New certificate settings in Group Policy
now enable administrators to manage certificate settings from
a central location for all the computers in the domain.
■ Cryptography Next Generation Leveraging the U.S. government's
Suite B cryptographic algorithms, which include
algorithms for encryption, digital signatures, key exchange,
and hashing, Cryptography Next Generation (CNG) offers a
flexible development platform that allows IT professionals
to create, update, and use custom cryptography algorithms
in cryptography-related applications such as Active Directory
Certificate Services (AD CS), Secure Sockets Layer (SSL), and
Internet Protocol Security (IPsec).
How PKI Works
Before we discuss how PKI works today, it is perhaps helpful to understand the term
encryption and how PKI has evolved. The history of general cryptography dates back
thousands of years; Greek and Roman statesmen used simple alphabet-shifting
ciphers, such as the one named after Julius Caesar, to keep government
communication private. Through time and civilizations, ciphering text played an
important role in wars and politics. As modern times provided new communication
methods, scrambling information became increasingly more important. World War II
brought about the first use of electromechanical and early electronic computing
machines in the cracking of Germany's Enigma and Lorenz ciphers. In 1952,
President Truman created the National Security Agency at Fort Meade, Maryland.
This agency, which is the center of U.S. cryptographic activity, fulfills two important
national functions: It protects U.S. military and executive communication from being
intercepted, and it intercepts and unscrambles messages sent by other countries.
Although complexity increased, not much changed until the 1970s, when the
National Security Agency (NSA) worked with IBM, where Dr. Horst Feistel's cipher
design originated, to establish the Data Encryption Standard (DES), and Whitfield
Diffie and Martin Hellman published the first public key cryptography scheme in 1976.
Windows Server 2008 still uses Diffie-Hellman (DH) key agreement for SSL, Transport
Layer Security (TLS), and IPsec. Another major force in modern cryptography came
about in the late 1970s. Ronald Rivest, Adi Shamir, and Leonard Adleman, who later
founded RSA Data Security, furthered the concept of public key cryptography by
developing the RSA algorithm, in which plaintext encrypted by one key of a pair can
be decrypted only by the other matching key.
There are three types of cryptographic functions. The hash function does not
involve the use of a key at all; it applies a mathematical algorithm to the data
to produce a fixed-size digest from which the original data cannot be recovered.
The secret key method of encryption uses a single key both to encrypt and to
decrypt the information and is referred to as symmetric key cryptography. A simple
example of secret key encryption is the decoder ring you may have had as a child:
anyone who obtained your decoder ring could read your secret messages.
There are basically two types of symmetric algorithms. Block algorithms work
on fixed-length groups of bits known as blocks. Stream algorithms operate on a
single bit or byte at a time. One well-known block algorithm is DES. Windows 2000
and later use DES (and Triple DES) on 64-bit blocks with a 64-bit key in which
every eighth bit is a parity bit, leaving 56 effective key bits. The resulting
ciphertext is the same length as the original cleartext, apart from padding to a
whole block. For export purposes, a weakened variant with a 40-bit key was also
made available.
One advantage of secret key encryption is the efficiency with which it takes a
large amount of data and encrypts it quite rapidly. Symmetric algorithms can also
be easily implemented at the hardware level. The major disadvantage of secret key
encryption is that a single key is used for both encryption and decryption. There
must be a secure way for the two parties to exchange the one secret key.
In the 1970s this disadvantage of secret key encryption was addressed through
the mathematical invention of public key encryption. Public key encryption,
also referred to as asymmetric cryptography, replaced the one shared key with each
user's own pair of keys. One key is a public key, which is made available to everyone
and is used to encrypt data (and, as we will see, to verify signatures). The other
key in the pair, the private key, is available only to the owner. The private key
cannot feasibly be derived from the public key. Any data that is encrypted by a
public key can be decrypted only by using the private key of the pair. It is also
possible for the owner to use the private key to transform data; if the data is
transformed with the private key, then the public key in the pair is needed to undo
the transformation, which is the basis of digital signatures.
DH is not itself an encryption algorithm; it is a key agreement protocol that lets
two parties derive a shared secret key, which is then used with symmetric key
encryption. Let's say we have two users, Greg and Matt, who want to communicate
privately. With DH, Greg and Matt each generate a random number, known only to
the person who generated it. Part one of the DH function turns each secret number
into a nonsecret, or public, value. Greg and Matt exchange the public values and
then feed the other party's public value, together with their own secret number,
into part two of the DH function. This results in a shared secret that is identical
for both users. Because of the underlying mathematics (the discrete logarithm
problem), an eavesdropper who sees only the public values cannot compute the shared
secret; only someone holding one of the original random numbers can. As long as
Greg and Matt keep their original numbers hidden, the shared secret cannot be
recovered from what was sent over the wire.
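The Greg and Matt exchange above, carried out in code. This is an added example, not code from the book or from Windows: both parties' steps are shown, the values that cross the wire are marked, and the raw shared secret is hashed into a symmetric key rather than used directly. The group parameters (the Mersenne prime 2^127 - 1 with generator 2) are a toy choice for readability; a real deployment uses a standardized group of 2048 bits or more (for example the RFC 3526 groups).

```python
"""Diffie-Hellman key agreement between Greg and Matt (added example, stdlib only)."""
import hashlib
import secrets

# Toy group: P is the Mersenne prime 2^127 - 1, G = 2.  Real deployments use a
# standardized group (RFC 3526, 2048-bit or larger); never a 127-bit prime.
P = (1 << 127) - 1
G = 2


def valid_public(value: int) -> bool:
    """Reject degenerate public values (0, 1, p-1) that would force a trivial secret."""
    return 1 < value < P - 1


def dh_public(secret: int) -> int:
    """Part one: turn a private random number into a public value g^secret mod p."""
    return pow(G, secret, P)


def dh_shared(secret: int, other_public: int) -> int:
    """Part two: combine my secret with the other party's public value."""
    if not valid_public(other_public):
        raise ValueError("degenerate public value from peer")
    return pow(other_public, secret, P)


def derive_key(shared: int) -> bytes:
    """Never use the raw shared secret as a key; hash it into a fixed-size symmetric key."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_exchange():
    """Full exchange; returns the key each side derived so they can be compared."""
    greg_secret = secrets.randbelow(P - 2) + 1   # known only to Greg
    matt_secret = secrets.randbelow(P - 2) + 1   # known only to Matt

    greg_public = dh_public(greg_secret)         # --> sent over the wire to Matt
    matt_public = dh_public(matt_secret)         # <-- sent over the wire to Greg
    # An eavesdropper sees only P, G, greg_public and matt_public.

    greg_key = derive_key(dh_shared(greg_secret, matt_public))
    matt_key = derive_key(dh_shared(matt_secret, greg_public))
    return greg_key, matt_key


if __name__ == "__main__":
    k_greg, k_matt = run_exchange()
    print("keys match:", k_greg == k_matt, k_greg.hex())
```

Note what the exchange does not give you: nothing in it proves that the public value Greg received really came from Matt. An active man in the middle can run one exchange with each party and relay traffic between them. That is exactly why SSL/TLS and IPsec bind the DH values to certificates (the server signs the exchange with the private key behind its certificate), which is where PKI enters the picture.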
It should be apparent from the many and varied contributing sources to PKI
technology that the need for management of this invaluable set of tools would
become paramount. If PKI, like any other technology set, continued to develop
without standards of any kind, then differing forms and evolutions of the technology
would be implemented ad hoc throughout the world. Eventually, the theory
holds that some iteration would render communication or operability between
different forms impossible. At that point, the cost of standardization would be
significant, and the amount of time lost in productivity and reconstruction of PKI
systems would be immeasurable.
Thus, a set of standards was developed for PKI. The Public-Key Cryptography
Standards (PKCS) are a set of standard formats and protocols used for securing the
exchange of information through PKI. The list of these standards was actually
established by RSA Laboratories (the same organization that developed the original
RSA encryption standard) along with a group of participating technology leaders
that included Microsoft, Sun, and Apple.
PKCS Standards
Here is a list of active PKCS standards. You will notice that there are gaps in the
numbered sequence of these standards, and that is due to the retiring of standards
over time since they were first introduced.
■ PKCS #1: RSA Cryptography Standard Outlines the encryption and signing of
data using the RSA algorithm, including the padding schemes used for digital
signatures and digital envelopes. PKCS #1 also describes a syntax for RSA public
keys and private keys. The public-key syntax is used inside certificates, while
the private-key syntax describes a stored private key (which is then normally
wrapped using PKCS #8 and PKCS #5 when it has to be protected).
■ PKCS #3: Diffie-Hellman Key Agreement Standard Outlines
the use of Diffie-Hellman key agreement, a method by which two parties
derive a shared secret key that is then used to encrypt ongoing data
transfer between them. Whitfield Diffie and Martin Hellman published the
Diffie-Hellman algorithm in 1976 as the first public asymmetric cryptographic
system (asymmetric cryptography had been invented at GCHQ in the United Kingdom
earlier in the same decade, but was classified as a secret). Diffie-Hellman
overcomes the key distribution problem of symmetric key systems, because the
secret key itself never has to be sent over the wire.
■ PKCS #5: Password-Based Cryptography Standard A method for
deriving a secret key from a password (a password-based key derivation
function) and using it to encrypt a string. The result of the method is an
octet string (a sequence of 8-bit values). PKCS #5 is primarily used, in
combination with PKCS #8, for encrypting private keys when they are stored or
transmitted between computers.
■ PKCS #6: Extended-Certificate Syntax Standard Deals with
extended certificates. Extended certificates are made up of the X.509 certificate
plus additional attributes. The additional attributes and the X.509
certificate can be verified using a single public-key operation. The issuer
that signs the extended certificate is the same as the one that signs the
X.509 certificate. In practice PKCS #6 has been superseded by the extension
mechanism of X.509 version 3 certificates and is no longer in active use.
■ PKCS #7: Cryptographic Message Syntax Standard The foundation
for Secure/Multipurpose Internet Mail Extensions (S/MIME) standard.
It is also compatible with Privacy-Enhanced Mail (PEM) and can be used
in several different architectures of key management.
■ PKCS #8: Private-Key Information Syntax Standard Describes
a syntax for private-key information, covering the public-key algorithm the
key belongs to, the key material itself, and additional attributes (similar to
PKCS #6), together with an encrypted form of that structure. In this case, the
attributes can be a DN or a root CA's public key.
■ PKCS #9: Selected Attribute Types Defines the types of attributes for
use in extended certificates (PKCS #6), digitally signed messages (PKCS #7),
and private-key information (PKCS #8).
■ PKCS #10: Certification Request Syntax Standard Describes the
syntax of a certification request. A certification request consists of a DN,
a public key, and additional attributes, signed with the corresponding private
key to prove that the requester holds it. Certification requests are sent to a
CA, which verifies the request and, if it is approved, issues the certificate.
■ PKCS #11: Cryptographic Token Interface Standard Specifies an
application programming interface (API), known as Cryptoki, for token devices
that hold keys and perform cryptographic operations on the holder's behalf,
such as smart cards, USB tokens, and hardware security modules.
■ PKCS #12: Personal Information Exchange Syntax Standard
Specifies a portable format for storing or transporting a users private keys
and certificates. Ties into both PKCS #8 (communication of private-key
information) and PKCS #11 (Cryptographic Token Interface Standard).
Portable formats include diskettes, smart cards, and Personal Computer
Memory Card International Association (PCMCIA) cards. On Microsoft
Windows platforms, PKCS #12 format files are generally given the extension
.pfx. PKCS #12 is the best standard format to use when exchanging private
keys and certificates between systems. Because a .pfx file contains the private
key, protect it with a strong password and treat the file with the same care
as the key itself.
TEST DAY TIP
On the day of the test, do not concern yourself too much with what the
different standard numbers are. It is important to understand why they
are in place and what PKCS stands for.
RSA-derived technology in its various forms is used extensively by Windows
Server 2008 for such things as smart card logon (the PKINIT extension to Kerberos
authentication), SSL/TLS, and S/MIME. In practice, the use of the PKI technology
goes something like this: Two users, Dave and Dixine, wish to communicate
privately. Dave and Dixine each own a key pair consisting of a public key and a
private key. If Dave wants Dixine to send him an encrypted message, he first
transmits his public key to Dixine. She then uses Dave's public key to encrypt
the message. Fundamentally, since Dave's public key was used to encrypt, only
Dave's private key can be used to decrypt. When he receives the message, only he
is able to read it. Security is maintained because only public keys are
transmitted; the private keys are kept secret and are known only to their
owners. Figure 7.1 illustrates the process.
Figure 7.1 Public/Private Key Data Exchange
EXAM WARNING
In a Windows Server 2008 PKI, a user's public and private keys are stored
under the user's profile. For the administrator, the certificates (and therefore
the public keys) are under %APPDATA%\Microsoft\SystemCertificates\My\Certificates
and the private keys are under %APPDATA%\Microsoft\Crypto\RSA\<user SID> (where
they are encrypted by Microsoft's Data Protection API, or DPAPI). Although a
copy of the certificates is also kept in the registry, and can even be published
in Active Directory, the private keys are vulnerable to deletion. If you delete
a user profile, the private keys will be lost unless they were exported beforehand
(PKCS #12) or archived by the CA! To check what a user actually has, run
certutil -user -store My, which lists the user's personal store and shows whether
a key container is present for each certificate.
RSA can also be used to create digital signatures (see Figure 7.2). In the
communication illustrated in Figure 7.1, a public key was used to encrypt a
message and the corresponding private key was used to decrypt. If we invert the
process, a private key can be used to transform data and the matching public key
to reverse the transformation. This is useful, for example, if you want people to
know that a document you wrote is really yours. If you sign the document (in
practice, a hash of it) using your private key, then only your public key can
reverse that operation. If people apply your public key and recover a value that
matches the document, they can be certain that it was signed by your private key
and is therefore authentic.
Figure 7.2 Digital Signatures
Head of the Class
Modern Cryptography 101
Thanks to two mathematical concepts, prime number theory and modular
arithmetic, most of today's encryption standards are considered
intractable, that is, unbreakable with current technology in a
reasonable amount of time. For example, it might take 300 linked
computers over 1,000 years to decrypt a message. Of course, large-scale
quantum computing is expected to some day change that for public key
algorithms such as RSA, whose security rests on the difficulty of
factoring; symmetric ciphers and hash functions are far less affected
and would mainly need longer keys. But we won't worry about that for now.
First, an explanation of the modulo operator. Let's go back to elementary
school where you first learned to do division. You learned that
19/5 equals 3 with a remainder of 4, and you probably concentrated on
the 3 as the important number. Now, however, we get to look at the
remainder. When we take the modulus of two numbers, the result is the
remainder, so 19 mod 5 equals 4. Similarly, 24 mod 5 also equals
4 (can you see why?). We therefore say that 19 and 24 are congruent
modulo 5. So how does this relate to cryptography and prime numbers?
The idea is to take a message and represent it by a sequence of
numbers, which we will call x. What we need is three numbers that make
the following modulo equation hold: (x^e)^d mod y = x.
The first two numbers, e and d, are a pair and are completely interchangeable.
The third number, y, is the product of two very large prime
numbers (the larger the primes, the more secure the encryption). Prime
number theory is too complex for an in-depth discussion here, but in a
nutshell, remember that a prime number is divisible only by the number
1 and itself. It is this property that makes y hard to split back into
its two factors once they are multiplied together.
Once we have found these numbers (we won't go into how,
because this is the really deep mathematical part), the encryption key
becomes the pair (e, y) and the decryption key becomes the pair (d, y).
Now it doesn't matter which key we decide to make public and which key
we make private, because they're interchangeable. It's a good thing that
Windows Server 2008 does all of the difficult work for us!
How Certificates Work
Before we delve into the inner workings of a certificate, let's discuss what a certificate
actually is in layman's terms. In PKI, a digital certificate is a tool used for
binding a public key to a particular owner. A great comparison is a driver's
license. Consider the information listed on a driver's license:
■ Name
■ Address
■ Date of birth
■ Photograph
■ Signature
■ Social security number (or another unique number such as a state issued
license number)
■ Expiration date
■ Signature/certification by an authority (typically from within the issuing
states government body)
The information on a state driver's license is significant because it provides crucial
information about the owner of that particular item. The signature from the state
official serves as a trusted authority for the state, certifying that the owner has been
verified and is legitimately allowed behind the wheel of a car. Anyone, like an officer,
who wishes to verify a driver's identity and right to travel from one place to
another by automobile need only ask for and review the driver's license. In
some cases, the officer might even call in or look up that license number just to ensure
it is still valid and has not been revoked.
A digital certificate in PKI serves the same function as a drivers license. Various
systems and checkpoints may require verification of the owners identity and
status and will reference the trusted third party for validation. It is the certificate
that enables this quick hand-off of key information between the parties involved.
The information contained in the certificate is actually part of the X.509
certificate standard. X.509 is an evolution of the X.500 directory standard.
Initially intended to provide a means of developing easy-to-use electronic directories
of people that would be available to all Internet users, X.500 became the directory
and mail standard behind a very commonly known mail application: Microsoft Exchange
5.5. The X.500 directory standard specifies a common root of a hierarchical tree,
although the tree is inverted: the root of the tree is depicted at the top level while
the other branches, called containers, are below it. Several of these types of
containers exist with a specific naming convention. In this naming convention, each
portion of a name is specified by the abbreviation of the object type or container it
represents. For example, CN= before a user name indicates a common name, C= precedes
a country, and O= precedes an organization. These elements are worth remembering,
as they will appear not only in discussions about X.500 and X.509, but they are
ultimately the basis for the schema of Microsoft's premier directory service,
Active Directory.
X.509 is the standard used to define what makes up a digital certificate. Within
this standard, a description is given for a certificate as allowing an association
between a users distinguished name (DN) and the users public key. The DN is specified
by a naming authority (NA) and used as a unique name by the certificate authority
(CA) who will create the certificate. A common X.509 certificate includes the following
information (see Table 7.1 and Figures 7.3 and 7.4):
Table 7.1 X.509 Certificate Data
Item                  Definition
Serial Number         A unique identifier assigned by the issuing CA. Issuer name plus
                      serial number is how revocation lists identify a certificate.
Subject               The name of the person, computer, or company being identified,
                      sometimes listed as Issued To.
Signature Algorithm   The algorithm the issuer used to create the signature (for
                      example, sha1RSA or sha256RSA).
Issuer                The trusted authority that verified the information and signed
                      the certificate, sometimes listed as Issued By.
Valid From            The date and time from which the certificate may be used.
Valid To              The date and time after which the certificate expires.
Public Key            The subject's public key, which corresponds to the private key
                      held by the subject.
Thumbprint Algorithm  The hash algorithm the viewer uses to compute the thumbprint
                      (SHA-1 in the Windows certificate viewer).
Thumbprint            A hash of the entire encoded certificate, computed locally by
                      the viewer. It is not stored inside the certificate and is not
                      signed, but it uniquely identifies a particular certificate.
                      If there is ever a question about the authenticity of a
                      certificate, compare this value with the one the issuer
                      publishes.
Figure 7.3 A Windows Server 2008 Certificate Field and Values
Public Key Functionality
Public key cryptography brings major security technologies to the desktop in the
Windows environment. The network now is provided with the ability to
allow users to safely:
■ Transmit over insecure channels
■ Store sensitive information on any commonly used media
■ Verify a person's identity for authentication
■ Prove that a message was generated by a particular person
■ Prove that the received message was not tampered with in transit
Figure 7.4 A Windows Server 2008 Certificate Field and Values
Algorithms based on public keys can be used for all these purposes. The most
popular public key algorithm is the standard RSA, which is named after its three
inventors: Rivest, Shamir, and Adleman. The RSA algorithm is based on the product of
two large prime numbers, each hundreds of digits long (a 2048-bit modulus is the
product of two primes of roughly 300 decimal digits each). An attacker who has the
ciphertext and the public key would have to factor the product of the two primes to
recover the private key. As computer processing power increases, RSA remains secure
by increasing the key length, unlike the DES algorithm, which has a fixed key length.
Public key algorithms provide privacy, authentication, and easy key management,
but they encrypt and decrypt data slowly because of the intensive computation
required. RSA has been evaluated to be from 10 to 10,000 times slower than DES
in some environments, which is a good reason not to use public key algorithms for
bulk encryption.
Digital Signatures
Document letterhead can be easily created on a computer, so forgery is a security
issue. When information is sent electronically, no human contact is involved. The
receiver wants to know that the person listed as the sender is really the sender and
that the information received has not been modified in any way during transit.
A hash algorithm is used to guarantee the Windows user that the data
is authentic. A hash value signed with a private key is called a digital signature.
Anyone with access to the corresponding public key can verify the authenticity of a
digital signature. Only the holder of the private key can generate digital signatures.
Any modification of the signed data makes the digital signature invalid.
The purpose of a digital signature is to prevent changes within a document from
going unnoticed and also to establish who the original author is. The document
itself is not encrypted. The digital signature is just data sent along with the
document that guarantees it has not been tampered with. A change of any size
invalidates the digital signature.
When King Henry II had to send a message to his troops in a remote location,
the letter would be sealed with wax, and while the wax was still soft the king
would use his ring to make an impression in it. No modification occurred to the
original message if the seal was never broken during transit. There was no doubt
that King Henry II had initiated the message, because he was the only person possessing
a ring that matched the waxed imprint. Digital signatures work in a similar
fashion in that only the senders public key can authenticate both the original
sender and the content of the document.
Configuring Certificate Services and PKI Chapter 7 465
The digital signature is generated by a message digest, which is a number
generated by taking the message and using a hash algorithm. A message digest is
regarded as a fingerprint and can range from a 128-bit number to a 256-bit number.
A hash function takes variable-length input and produces a fixed-length output. The
message is first processed with a hash function to produce a message digest. This
value is then signed by the sender's private key, which produces the actual digital
signature. The digital signature is then added to the end of the document and sent to
the receiver along with the document.
Since the mere presence of a digital signature proves nothing, verification must
be mathematically proven. In the verification process, the first step is to use the
corresponding public key to decrypt the digital signature. The result will produce
a 128-bit number. The original message will be processed with the same hash
function used earlier and will result in a message digest. The two resulting 128-bit
numbers will then be compared, and if they are equal, you will receive notification
of a good signature. If a single character has been altered, the two 128-bit numbers
will be different, indicating that a change has been made to the document, which
was never scrambled.
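The sign-then-verify sequence just described, written out as an added Go example (this is not code from the book or from Windows Certificate Services). It uses Go's standard crypto/rsa package with SHA-256 as the hash function; the chapter's 128-bit digests correspond to MD5, which is not used here. The function names Sign, Verify and Demo and the sample document are constructed for this illustration. The second verification shows the point made above: changing a single character of the document makes the recomputed digest differ from the one recovered from the signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Sign hashes the document and signs the digest with the sender's private
// key. SHA-256 is assumed; the chapter's 128-bit digests correspond to MD5.
func Sign(priv *rsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest of the received document and compares it with
// the digest recovered from the signature using the sender's public key.
func Verify(pub *rsa.PublicKey, document, signature []byte) bool {
	digest := sha256.Sum256(document)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

// Demo signs a constructed document and checks the signature twice: once
// against the original and once against a copy with one character changed.
// It returns (genuineAccepted, tamperedAccepted).
func Demo() (bool, bool, error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	original := []byte("Transfer 100 to account 42") // constructed sample document
	altered := []byte("Transfer 900 to account 42")  // one character changed in transit
	sig, err := Sign(sender, original)
	if err != nil {
		return false, false, err
	}
	return Verify(&sender.PublicKey, original, sig), Verify(&sender.PublicKey, altered, sig), nil
}

func main() {
	genuine, tampered, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("genuine accepted: %v, tampered accepted: %v\n", genuine, tampered)
}
```

Note that the document itself travels in the clear, exactly as the text says: the signature protects integrity and origin, not confidentiality.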
Authentication
Public key cryptography can provide authentication instead of privacy. In Windows
2000, a challenge is sent by the receiver of the information. The challenge can be
implemented one of two ways. The information is authenticated because only the
corresponding private key could have encrypted the information that the public
key is successfully decrypting.
In the first authentication method, a challenge to authenticate involves sending
an encrypted challenge to the sender. The challenge is encrypted by the receiver,
using the sender's public key. Only the corresponding private key can successfully
decode the challenge. When the challenge is decoded, the sender sends the plaintext
back to the receiver. This is the proof for the receiver that the sender is truly the
sender.
For example, when Alice receives a document from Bob, she wants to authenticate
that the sender is really Bob. She sends an encrypted challenge to Bob, using
his public key. When he receives the challenge, Bob uses his private key to decrypt
the information. The decrypted challenge is then sent back to Alice. When Alice
receives the decrypted challenge, she is convinced that the document she received
is truly from Bob.
The second authentication method uses a challenge that is sent in plaintext.
The receiver, after receiving the document, sends a challenge in plaintext to the
sender. The sender receives the plaintext challenge and adds some information
before adding a digital signature.
The challenge and digital signature now head back to the receiver. The digital
signature is generated by using a hash function and then encrypting the result with
a private key, so the receiver must use the sender's public key to verify the digital
signature. If the signature is good, the original document and sender have at this
point been verified mathematically.
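Both authentication methods, written out as an added Go example with Alice as receiver and Bob as sender (this is not code from the book or from Windows). It uses Go's standard crypto/rsa package; the function names, the appended string "|from=Bob" and the plaintext challenge value are constructed for this illustration. In the first method Alice encrypts a random challenge to Bob's public key and Bob returns the plaintext, as the text describes; in the second she sends the challenge in the clear and Bob returns it with extra information and a signature. Each method is also run against an impostor holding a different key pair to show why neither can be answered without Bob's private key.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Method 1, receiver side: Alice encrypts a fresh random challenge to Bob's
// public key; only the matching private key can recover it.
func MakeEncryptedChallenge(bobPub *rsa.PublicKey) (challenge, sealed []byte, err error) {
	challenge = make([]byte, 32)
	if _, err = rand.Read(challenge); err != nil {
		return nil, nil, err
	}
	sealed, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, challenge, nil)
	return challenge, sealed, err
}

// Method 1, sender side: Bob decrypts with his private key and returns the plaintext.
func AnswerEncryptedChallenge(bobPriv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, sealed, nil)
}

// Method 2, sender side: Bob appends some information of his own to the
// plaintext challenge and signs the whole message with his private key.
func AnswerPlainChallenge(bobPriv *rsa.PrivateKey, challenge []byte) (message, signature []byte, err error) {
	message = append(append([]byte{}, challenge...), "|from=Bob"...)
	digest := sha256.Sum256(message)
	signature, err = rsa.SignPKCS1v15(rand.Reader, bobPriv, crypto.SHA256, digest[:])
	return message, signature, err
}

// Method 2, receiver side: the reply must still carry Alice's challenge (so it
// is not a replay of an older answer) and must verify with Bob's public key.
func CheckPlainAnswer(bobPub *rsa.PublicKey, challenge, message, signature []byte) bool {
	if !bytes.HasPrefix(message, challenge) {
		return false
	}
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(bobPub, crypto.SHA256, digest[:], signature) == nil
}

// RunBoth drives both exchanges with the real Bob and with an impostor who
// holds a different key pair. It returns
// (method1Genuine, method1Impostor, method2Genuine, method2Impostor).
func RunBoth() (m1Genuine, m1Impostor, m2Genuine, m2Impostor bool, err error) {
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	// Method 1: the impostor's key cannot decrypt the challenge (OAEP reports
	// an error and yields nothing), so its answer never matches.
	challenge, sealed, err := MakeEncryptedChallenge(&bob.PublicKey)
	if err != nil {
		return
	}
	answer, err := AnswerEncryptedChallenge(bob, sealed)
	if err != nil {
		return
	}
	wrong, _ := AnswerEncryptedChallenge(impostor, sealed)
	m1Genuine, m1Impostor = bytes.Equal(challenge, answer), bytes.Equal(challenge, wrong)

	// Method 2: the impostor can sign, but not with Bob's private key.
	plain := []byte("challenge-7f3a") // constructed plaintext challenge
	msg, sig, err := AnswerPlainChallenge(bob, plain)
	if err != nil {
		return
	}
	fakeMsg, fakeSig, err := AnswerPlainChallenge(impostor, plain)
	if err != nil {
		return
	}
	m2Genuine = CheckPlainAnswer(&bob.PublicKey, plain, msg, sig)
	m2Impostor = CheckPlainAnswer(&bob.PublicKey, plain, fakeMsg, fakeSig)
	return
}

func main() {
	a, b, c, d, err := RunBoth()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("encrypted challenge: genuine=%v impostor=%v\n", a, b)
	fmt.Printf("signed challenge:    genuine=%v impostor=%v\n", c, d)
}
```

The prefix check in CheckPlainAnswer is the detail that matters in practice: Alice must tie the signed reply to the challenge she just issued, otherwise an old signed reply could be presented again.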
Secret Key Agreement via Public Key
The PKI of Windows 2000 permits two parties to agree on a secret key while they
use nonsecure communication channels. Each party generates half the shared secret
key by generating a random number, which is sent to the other party after being
encrypted with the other party's public key. Each receiving side then decrypts the
ciphertext using a private key, which will result in the missing half of the secret key.
By adding both random numbers together, each party will have an agreed-upon
shared secret key, which can then be used for secure communication even though
the secret key was first obtained through a nonsecure communication channel.
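The exchange described in this section, as an added Go example (not code from the book or from Windows). Each party generates a random 32-byte half, encrypts it to the other party's public key with RSA-OAEP from Go's standard crypto/rsa package, decrypts the half it receives, and combines the two. The chapter says the halves are "added" without fixing the operation, so a byte-wise XOR is assumed here; the function names and the Alice/Bob roles are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// SendHalf generates one party's random half of the secret and encrypts it to
// the other party's public key so that it can cross a nonsecure channel.
func SendHalf(peerPub *rsa.PublicKey) (half, sealed []byte, err error) {
	half = make([]byte, 32)
	if _, err = rand.Read(half); err != nil {
		return nil, nil, err
	}
	sealed, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, peerPub, half, nil)
	return half, sealed, err
}

// ReceiveHalf recovers the other party's half with the recipient's private key.
func ReceiveHalf(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, nil)
}

// Combine "adds" the two halves. The chapter does not fix the operation, so a
// byte-wise XOR is assumed; both sides simply have to use the same one.
func Combine(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// AgreeSecret runs the exchange between Alice and Bob and returns the key each
// side ends up with, so that a caller can confirm they are identical.
func AgreeSecret(alice, bob *rsa.PrivateKey) ([]byte, []byte, error) {
	aliceHalf, toBob, err := SendHalf(&bob.PublicKey) // Alice -> Bob
	if err != nil {
		return nil, nil, err
	}
	bobHalf, toAlice, err := SendHalf(&alice.PublicKey) // Bob -> Alice
	if err != nil {
		return nil, nil, err
	}
	bobGot, err := ReceiveHalf(bob, toBob) // only Bob's private key opens this
	if err != nil {
		return nil, nil, err
	}
	aliceGot, err := ReceiveHalf(alice, toAlice)
	if err != nil {
		return nil, nil, err
	}
	return Combine(aliceHalf, aliceGot), Combine(bobGot, bobHalf), nil
}

// DemoAgreement generates both key pairs, runs the exchange and reports
// whether the two derived secrets match.
func DemoAgreement() (bool, error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	aliceKey, bobKey, err := AgreeSecret(alice, bob)
	if err != nil {
		return false, err
	}
	return bytes.Equal(aliceKey, bobKey), nil
}

func main() {
	ok, err := DemoAgreement()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("both sides hold the same secret:", ok)
}
```

An eavesdropper sees only the two RSA ciphertexts, neither of which can be opened without the corresponding private key, which is why the resulting secret is usable even though it crossed a nonsecure channel.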
Bulk Data Encryption without Prior Shared Secrets
The final major feature of public key technology is that it can encrypt bulk data
without generating a shared secret key first. The biggest disadvantage of using
asymmetric algorithms for encryption is the slowness of the overall process, which
results from the necessary intense computations; the largest disadvantage of using
symmetric algorithms for encryption of bulk data is the need for a secure
communication channel for exchanging the secret key. The Windows 2000
operating system combines symmetric and asymmetric algorithms to get the best
of both worlds at just the right moment.
For a large document that must be kept secret, because secret key encryption
is the quickest method to use for bulk data, a session key is used to scramble the
document. To protect the session key, which is the secret key needed to decrypt the
protected data, the sender encrypts this small item quickly by using the receiver's
public key. This encryption of the session key is handled by asymmetric algorithms,
which use intense computation, but do not require much time due to the small size
of the session key. The document, along with the encrypted session key, is then sent
to the receiver. Only the intended receiver will possess the correct private key to
decode the session key, which is needed to decode the actual document. When the
session key is in plaintext, it can be applied to the ciphertext of the bulk data and
then transform the bulk data back to plaintext.
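The hybrid scheme just described, as an added Go example (not code from the book or from Windows). The bulk document is scrambled with a fresh AES-256-GCM session key, only that 32-byte key is encrypted with the receiver's RSA public key (RSA-OAEP from Go's standard library), and the two travel together. The Envelope type, the function names and the sample document are constructed for this illustration; a second key holder, Eve, is included to show that the session key, and therefore the document, cannot be recovered without the intended receiver's private key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Envelope is what travels to the receiver: the bulk ciphertext plus the small
// session key, itself encrypted under the receiver's public key.
type Envelope struct {
	SealedKey  []byte // RSA-OAEP ciphertext of the 32-byte AES session key
	Nonce      []byte // AES-GCM nonce, sent in the clear
	Ciphertext []byte // the document encrypted under the session key
}

// newGCM wraps a raw AES key in an authenticated AES-GCM cipher.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBulk scrambles the document with a fresh session key (fast, symmetric)
// and then encrypts only that 32-byte key with RSA (slow, asymmetric).
func SealBulk(receiverPub *rsa.PublicKey, document []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{SealedKey: sealedKey, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, document, nil)}, nil
}

// OpenBulk is the receiver's side: recover the session key with the private
// key, then apply it to the bulk ciphertext to get the plaintext back.
func OpenBulk(receiverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.SealedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// DemoHybrid seals a constructed document for Bob and reports whether Bob
// recovers it and whether Eve, holding a different private key, can open it.
func DemoHybrid() (bobOK, eveOK bool, err error) {
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	eve, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	document := bytes.Repeat([]byte("quarterly figures, confidential. "), 2000) // ~64 KB constructed sample
	env, err := SealBulk(&bob.PublicKey, document)
	if err != nil {
		return false, false, err
	}
	got, err := OpenBulk(bob, env)
	if err != nil {
		return false, false, err
	}
	_, eveErr := OpenBulk(eve, env) // wrong private key: the session key cannot be recovered
	return bytes.Equal(got, document), eveErr == nil, nil
}

func main() {
	bobOK, eveOK, err := DemoHybrid()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("receiver recovers document: %v, other key holder can open: %v\n", bobOK, eveOK)
}
```

Only the 32-byte session key goes through the expensive RSA operation, no matter how large the document is, which is the "best of both worlds" the text refers to.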
EXERCISE 7.1
REVIEWING A DIGITAL CERTIFICATE
Let's take a moment to go on the Internet and look at a digital certificate.
1. Open up your Web browser, and go to www.syngress.com.
2. Select a book and add it to your cart.
3. Proceed to the checkout.
4. Once you are at the checkout screen, you will see a padlock in
your browser. In Internet Explorer 7, this will be to the right of
the address box; older browsers place the padlock in the bottom
right of the window frame. Open the certificate properties. In
Internet Explorer 7, you do this by clicking on the padlock and
selecting View Certificates from the prompt; older browsers
generally let you double-click the padlock.
5. Move around the tabs of the Properties screen to look at the
different information contained within that certificate.
The Windows Server 2008 PKI does many things behind the scenes. Thanks in
part to auto enrollment (discussed later in this chapter) and certificate stores (places
where certificates are kept after their creation), some PKI-enabled features such as
EFS work with no user intervention at all. Others, such as IPsec, require significantly
less work than would be required without an advanced operating system.
Even though a majority of the PKI is handled by Server, it is still instructive to
have an overview of how certificate services work.
1. First, a system or user generates a public/private key pair and then
a certificate request.
2. The certificate request, which contains the public key and other
identifying information such as user name, is forwarded on to a CA.
3. The CA verifies the validity of the public key. If it is verified, the CA
issues the certificate.
4. Once issued, the certificate is ready for use and is kept in the certificate
store, which can reside in Active Directory. Applications that require a
certificate use this central repository when necessary.
In practice, it isn't terribly difficult to implement certificate services, as Exercise 7.2
shows. Configuring the CA requires a bit more effort, as does planning the structure
and hierarchy of the PKI, especially if you are designing an enterprise-wide solution.
We'll cover these topics later in this chapter.
EXERCISE 7.2
INSTALLING CERTIFICATE SERVICES
1. After logging on with administrative privileges, click Start, click
All Programs, click Administrative Tools, and then click Server
Manager.
2. In the Roles Summary section, click Add Roles.
3. On the Before You Begin page, click Next (see Figure 7.5).
Figure 7.5 Before You Begin Page
4. On the Select Server Roles page, click the Active Directory
Certificate Services check box (see Figure 7.6). Click Next.
5. On the Introduction to Active Directory Certificate Services page,
click Next.
6. On the Select Role Services page, click the Certification Authority
check box, as shown in Figure 7.7. Click Next.
Figure 7.6 Select Server Roles Page
7. On the Specify Setup Type page, click Enterprise, as shown in
Figure 7.8. Click Next.
Figure 7.7 Select Role Services Page
Figure 7.8 Specify Setup Type Page
8. On the Specify CA Type page, click Root CA, as shown in
Figure 7.9. Click Next.
Figure 7.9 Specify CA Type Page
9. On the Set Up Private Key page, either accept the default value
or configure optional configuration settings. For this exercise,
choose the default settings as shown in Figure 7.10. Click Next.
10. On the Configure Cryptography for CA page, either accept the
default value or configure optional configuration settings as
per project requirements. For this exercise, choose the default
settings as shown in Figure 7.11. Click Next.
Figure 7.10 Set Up Private Key Page
11. In the Common name for this CA box, type the common name of
the CA. For this exercise, type MyRootCA as shown in Figure 7.12.
Click Next.
Figure 7.11 Configure Cryptography for CA Page
12. On the Set the Certificate Validity Period page, you can change
the default five-year validity period of the CA. You can set the
validity period as a number of days, weeks, months or years.
Accept the default validity duration for the root CA as shown in
Figure 7.13, and then click Next.
Figure 7.12 Configure CA Name Page
Figure 7.13 Set Validity Period Page
14. On the Configure Certificate Database page, for this exercise,
accept the default values or specify other storage locations for
the certificate database and the certificate database log (see
Figure 7.14). Click Next.
15. On the Confirm Installation Selections page, click Install
(see Figure 7.15).
Figure 7.14 Configure Certificate Database Page
16. On the Installation Results page, review the information and
make sure it reads Installation succeeded.
17. Click Close to close the Add Roles Wizard.
Figure 7.15 Confirm Installation Selections Page
In our previous discussion of public and private key pairs, two users wanted to
exchange confidential information and did so by having one user encrypt the data
with the other user's public key. We then discussed digital signatures, where the
sending user signs the data by using his or her private key. Did you notice the
security vulnerability in these methods?
In this type of scenario, there is nothing to prevent an attacker from intercepting
the data mid-stream, and replacing the original signature with his or her own,
using of course his or her own private key. The attacker would then forward the
replacement public key to the unsuspecting party. In other words, even though the
data is signed, how can you be sure of who signed it? The answer in the Windows
PKI is the certificate.
Think of a certificate as a small and portable combination safe. The primary
purpose of the safe is to hold a public key (although quite a bit of other information
is also held there). The combination to the safe must be held by someone you
trust; that trust is the basis for the entire PKI system. If I am a user and want to
send you my public key so that you can encrypt some data to send back to me,
I can just sign the data myself, but I am then vulnerable to the attack mentioned
above. However if I allow a trusted third party entity to take my public key (which
I don't mind because they're trustworthy), lock it away in the safe and then send the
safe to you, you can ask the trusted party for the combination. When you open the
safe, you can be certain that the public key and all other information inside really
belongs to me, because the safe came from a trustworthy source. The safe is really
nothing more than a digital signature, except that the signature comes from a universally
trusted third party and not from me. The main purpose of certificates, then,
is to facilitate the secure transfer of keys across an insecure network. Figure 7.16
shows the properties of a Windows certificate; notice that the highlighted public
key is only part of the certificate.
TEST DAY TIP
Pay special attention to the above exercise as you may be asked questions
about the distinguished name of the CA.
User Certificates
Of the three general types of certificates found in a Windows PKI, the user certificate
is perhaps the most common. User certificates are certificates that enable the
user to do something that would not be otherwise allowed. The Enrollment Agent
certificate is one example. Without it, even an administrator is not able to enroll
smart cards and configure them properly at an enrollment station. Under Windows
Server 2008, required user certificates can be requested automatically by the client
and subsequently issued by a certification authority (discussed below) with no user
intervention necessary.
Figure 7.16 A Windows Server 2008 Certificate
Machine Certificates
Also known as computer certificates, machine certificates (as the name implies) give
the system, instead of the user, the ability to do something out of the ordinary.
The main purpose for machine certificates is authentication, both client-side and
server-side. As stated earlier, certificates are the main vehicle by which public keys are
exchanged in a PKI. Machine certificates are mainly involved with these behind-the-scenes
exchanges, and are normally overseen by the operating system. Machine
certificates have been able to take advantage of Windows' autoenrollment feature since
2000 Server was introduced. We will discuss auto-enrollment later in this chapter.
Application Certificates
The term application certificate refers to any certificate that is used with a specific
PKI-enabled application. Examples include IPsec and S/MIME encryption for e-mail.
Applications that need certificates are generally configured to automatically request
them, and are then placed in a waiting status until the required certificate arrives.
Depending upon the application, the network administrator or even the user might
have the ability to change or even delete certificate requests issued by the application.
TEST DAY TIP
Certificates are at the very core of the Windows PKI. Make certain that
you understand what certificates are, and why they are needed when
using public keys. Also, be familiar with the types of certificates listed in
this section and the differences between them.
Analyzing Certificate
Needs within the Organization
We've just concluded a tour of most of the properties associated with a CA, but
knowing what you can do does not mean that we know what you should do. To find
out more about what you should do, you need to analyze the certificate needs of
your organization, and then move on to create an appropriate CA structure.
According to Microsoft's TechNet, the analysis of certificate needs springs
primarily from the analysis of business requirements and the analysis of applications
that benefit from PKI-based security. In other words, when designing a PKI/CA
structure, you will need to understand the different uses for certificates and whether
your organization needs to use certificates for each of these purposes. Examples
include SSL for a secure Web server, EFS for encryption of files, and S/MIME for
encryption of e-mail messages. The use of S/MIME might dictate that your CA hierarchy
have a trust relationship with external CAs, and the use of SSL might lead you
to implement a stand-alone CA instead of an enterprise CA. Thus, analyzing these
needs before you implement your PKI can save you a lot of time and trouble.
Working with Certificate Services
Certificate Services in Windows Server 2008 is an easier venture than ever before.
As we look at what is entailed in the components involved in establishing and
supporting a PKI in Windows Server 2008 we need to quickly discuss what
Certificate Services do for us.
In Active Directory and Windows Server 2008, Certificate Services allow
administrators to establish and manage the PKI environment. More generally, they
allow for a trust model to be established within a given organization. The trust
model is the framework that will hold all the pieces and components of the PKI
in place. Typically, there are two options for a trust model within PKI: a single CA
model and a hierarchical model. The certificate services within Windows Server 2008
provide the interfaces and underlying technology to set up and manage both of
these types of deployments.
Configuring a Certificate Authority
By definition, a certificate authority is an entity (computer or system) that issues
digital certificates of authenticity for use by other parties. With the ever-increasing
demand for effective and efficient methods to verify and secure communications,
our technology market has seen the rise of many trusted third parties into the
market. If you have been in the technology field for any length of time, you
are likely familiar with many such vendors by name: VeriSign, Entrust, Thawte,
GeoTrust, DigiCert and GoDaddy are just a few.
While these companies provide an excellent and useful resource for both the
IT administrator and the consumer, companies and organizations desired a way to
establish their own certificate authorities. In a third-party, or external PKI, it is up
to the third-party CA to positively verify the identity of anyone requesting a
certificate from it. Beginning with Windows 2000, Microsoft has allowed the
creation of a trusted internal CA, possibly eliminating the need for an external
third party. With a Windows Server 2008 CA, the CA verifies the identity of the
user requesting a certificate by checking that user's authentication credentials (using
Kerberos or NTLM). If the credentials of the requesting user check out, a certificate
is issued to the user. When the user needs to transmit his or her public key to
another user or application, the certificate is then used to prove to the receiver that
the public key inside can be used safely.
Certificate Authorities
Certificates are a way to transfer keys securely across an insecure network. If any
arbitrary user were allowed to issue certificates, it would be no different than that
user simply signing the data. In order for a certificate to be of any use, it must be
issued by a trusted entity, an entity that both the sender and receiver trust. Such
a trusted entity is known as a Certification Authority (CA). Third-party CAs such as
VeriSign or Entrust can be trusted because they are highly visible, and their public
keys are well known to the IT community. When you are confident that you hold
a true public key for a CA, and that public key properly decrypts a certificate, you
are then certain that the certificate was digitally signed by the CA and no one else.
Only then can you be positive that the public key contained inside the certificate is
valid and safe.
In the analogy we used earlier, the state driver's licensing agency is trusted
because it is known that the agency requires proof of identity before issuing a driver's
license. In the same way, users can trust the certification authority because they
know it verifies the authentication credentials before issuing a certificate. Within an
organization leveraging Windows Server 2008, several options exist for building this
trust relationship. Each of these begins with the decisions made around selecting and
implementing certificate authorities. With regard to the Microsoft implementation of
PKI, there are at least four major roles or types of certificate authorities to be aware of:
■ Enterprise CA
■ Standard CA
■ Root CA
■ Subordinate CA
Believe it or not, beyond this list at least two variations exist: intermediate CAs
and leaf CAs, each of which is a type of subordinate CA implementation.
Standard vs. Enterprise
An enterprise CA is tied into Active Directory and is required to use it. In fact,
a copy of its own CA certificate is stored in Active Directory. Perhaps the biggest
difference between an enterprise CA and a stand-alone CA is that enterprise CAs
use Kerberos or NTLM authentication to validate users and computers before
certificates are issued. This provides additional security to the PKI because the
validation process relies on the strength of the Kerberos protocol, and not a human
administrator. Enterprise CAs also use templates, which are described later in this
chapter, and they can issue every type of certificate.
There are also several downsides to an enterprise CA. In comparison to a
stand-alone CA, enterprise CAs are more difficult to maintain and require a much
more in-depth knowledge about Active Directory and authentication. Also, because
an enterprise CA requires Active Directory, it is nearly impossible to remove it
from the network. If you were to do so, the Directory itself would quickly become
outdated, making it difficult to resynchronize with the rest of the network when
brought back online. Such a situation would force an enterprise CA to remain
attached to the network, leaving it vulnerable to attackers.
Root vs. Subordinate Certificate Authorities
As discussed earlier, there are two ways to view PKI trust models: single CA and
hierarchical. In a single CA model, the PKI is very simple; only one CA is used
within the infrastructure. Anyone who needs to trust parties vouched for by the CA
is given the public key for the CA. That single CA is responsible for the interactions
that ensue when parties request and seek to verify the information for a given
certificate.
In a hierarchical model, a root CA functions as a top-level authority over one or
more levels of CAs beneath it. The CAs below the root CA are called subordinate
CAs. A root CA serves as a trust anchor to all the CAs beneath it and to the users
who trust the root CA. A trust anchor is an entity known to be trusted without
requiring that it be trusted by going to another party, and therefore can be used as
a base for trusting other parties. Since there is nothing above the root CA, no one
can vouch for its identity; it must create a self-signed certificate to vouch for itself.
With a self-signed certificate, both the certificate issuer and the certificate subject
are exactly the same. Being the trust anchor, the root CA must make its own certificate
available to all of the users (including subordinate CAs) that will ultimately
be using that particular root CA.
Hierarchical models work well in larger hierarchical environments, such as large
government organizations or corporate environments. Often, a large organization also
deploys a Registration Authority (RA, covered later in this chapter), Directory Services
and optionally Timestamping Services in an organization leveraging a hierarchical
approach to PKI. In situations where different organizations are trying to develop a
hierarchical model together (such as post-acquisition or merger companies or those
that are partnered for collaboration), a hierarchical model can be very difficult to
establish as both parties must ultimately agree upon a single trust anchor.
When you first set up an internal PKI, no CA exists. The first CA created is
known as the root CA, and it can be used to issue certificates to users or to other
CAs. As mentioned above, in a large organization there usually is a hierarchy where
the root CA is not the only certification authority. In this case, the sole purpose of
the root CA is to issue certificates to other CAs in order to establish their authority.
Any certification authority that is established after the root CA is a subordinate
CA. Subordinate CAs gain their authority by requesting a certificate from either the
root CA or a higher level subordinate CA. Once the subordinate CA receives the
certificate, it can control CA policies and/or issue certificates itself, depending on
your PKI structure and policies.
Sometimes, subordinate CAs also issue certificates to other CAs below them
on the tree. These CAs are called intermediate CAs. In most hierarchies, there is
more than one intermediate CA. Subordinate CAs that issue certificates to end
users, servers, and other entities but do not issue certificates to other CAs are called
leaf CAs.
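The following Go program is an added example (not code from the book and not a Windows component) that ties together three passages: the four-step outline of how certificate services work (key pair, request, CA verification, issuance), the forged-signature scenario described after Exercise 7.2, and the root/subordinate hierarchy in this section. It uses Go's standard crypto/x509 package to build a self-signed root, a subordinate CA beneath it, and a user certificate issued from a request, then checks both that certificate and one issued by an unrelated self-signed CA against the root as trust anchor. MyRootCA is the name from Exercise 7.2; the names MySubCA, AttackerCA and Alice, the serial counter, the validity window and all function names are constructed for this illustration, and the helper must assumes Go 1.18 or later.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 100 // constructed serial numbers for this demo

// must stops the demo on an error that can only come from a coding mistake.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a certificate template; CA templates carry the basic
// constraints and key usage that allow them to sign other certificates.
func template(name string, isCA bool) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with the issuer's private key. A root CA passes its own
// template as the issuer, which is exactly what a self-signed certificate is.
func issue(tmpl, issuer *x509.Certificate, pub any, issuerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MakeRequest is the client's step: a PKCS #10 request carrying the public
// key and subject name, signed with the matching private key.
func MakeRequest(name string, key *rsa.PrivateKey) (*x509.CertificateRequest, error) {
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// IssueFromRequest is the CA's step: confirm that the request was signed by
// the key whose public half it carries, then issue a leaf certificate for it.
func IssueFromRequest(csr *x509.CertificateRequest, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return issue(template(csr.Subject.CommonName, false), ca, csr.PublicKey, caKey)
}

// VerifyChain checks that leaf chains up to root, the trust anchor, through
// the subordinate CA sub.
func VerifyChain(leaf, sub, root *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

// BuildHierarchy sets up MyRootCA -> MySubCA -> Alice (issued from her request),
// then has an unrelated self-signed AttackerCA issue a certificate that names
// Alice but carries the attacker's own key. It reports whether each verifies.
func BuildHierarchy() (genuineOK, impostorOK bool) {
	rootKey := must(rsa.GenerateKey(rand.Reader, 2048))
	subKey := must(rsa.GenerateKey(rand.Reader, 2048))
	aliceKey := must(rsa.GenerateKey(rand.Reader, 2048))
	attackerKey := must(rsa.GenerateKey(rand.Reader, 2048))
	rootTmpl := template("MyRootCA", true)
	root := must(issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)) // self-signed
	sub := must(issue(template("MySubCA", true), root, &subKey.PublicKey, rootKey))
	csr := must(MakeRequest("Alice", aliceKey))
	alice := must(IssueFromRequest(csr, sub, subKey))
	attTmpl := template("AttackerCA", true)
	attacker := must(issue(attTmpl, attTmpl, &attackerKey.PublicKey, attackerKey))
	fake := must(issue(template("Alice", false), attacker, &attackerKey.PublicKey, attackerKey))
	// Nobody distributed AttackerCA's certificate as a trust anchor, so the
	// forged certificate has no path to MyRootCA and is rejected.
	return VerifyChain(alice, sub, root) == nil, VerifyChain(fake, sub, root) == nil
}

func main() {
	genuine, impostor := BuildHierarchy()
	fmt.Printf("Alice via MySubCA accepted: %v, AttackerCA-issued accepted: %v\n", genuine, impostor)
}
```

The attacker in this run can produce a perfectly well-formed certificate, and can even self-sign a CA of his own; what he cannot do is get that CA's public key into the verifier's set of trust anchors, which is the whole point of the combination-safe analogy above.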
Certificate Requests
In order to receive a certificate from a valid issuing CA, a client (computer or
user) must request a certificate from a CA.
There are three ways that this request can be made:
■ Autoenrollment
■ Use of the Certificates snap-in
■ Via a web browser
It is very likely that the most common method for requesting a certificate is
autoenrollment, and we'll discuss its deployment shortly. A client can also request
a certificate by use of the Certificates snap-in. The snap-in, shown in Figure 7.17,
can be launched by clicking Start | Run, and then typing in certmgr.msc
and pressing Enter. Note that the Certificates snap-in does not appear in the
Administrative Tools folder as the Certification Authority snap-in does after
installing certificate services. Once you open the Certificates snap-in, expand the
Personal container, and then right-click the Certificates container beneath it.
You can start the Certificate Request Wizard by choosing All Tasks | Request
New Certificate, as shown in the following figure:
Next, you will receive the Before You Begin welcome screen, as shown in
Figure 7.18. Click Next.
Figure 7.17 Certificates Snap-in
Figure 7.18 Before You Begin
After the Welcome screen, the wizard prompts you to choose the certificate
enrollment type. Figure 7.19 shows you the available options. You can choose only
a type for which the receiving CA has a template. Once you choose an appropriate
template, click Enroll.
Figure 7.19 Request Certificates
On the Certificate Enrollment screen, verify that it reads STATUS: Succeeded,
as shown in Figure 7.20. Click Finish to complete the request.
The last method for requesting a certificate is to use a Web browser on the
client machine. Note that if you use this option, IIS must be installed on the CA.
Exercise 7.3 shows the steps for requesting a certificate using a client machine in
this manner.
Figure 7.20 Certificate Installation Results
TEST DAY TIP
The order of component installation can be important when dealing
with CAs. If you install certificate services before you install IIS, a client
will not be able to connect as in the exercise below until you run the
following from the command line: certutil -vroot. This establishes the
virtual root directories necessary for Web enrollment. Note also that you
must have selected the Web enrollment support option during the certificate
services installation procedure that we completed in Exercise 7.1.
EXERCISE 7.3
REQUEST A CERTIFICATE FROM A WEB SERVER
1. On any computer for which you want to request a certificate,
launch Internet Explorer (version 5.0 or later) by clicking Start |
Programs or All Programs | Internet Explorer.
2. In the address bar, type http://servername/certsrv, where servername
is the name of the issuing CA.
3. When the welcome screen appears, as shown in Figure 7.21, click
Request a Certificate.
Figure 7.21 Welcome Screen of the CA's Web Site
4. Click User Certificate, then Submit when the next screen appears.
5. When the Certificate Issued page appears, click Install This
Certificate. Close the browser.
Certificate Practice Statement
As the use of X.509-based certificates continues to grow, it becomes increasingly
important that the management and organization of certificates be as diligent as
possible. We know what a digital certificate is and what its critical components are,
but a CA can issue a certificate for a number of different reasons. The certificate,
then, must indicate exactly what the certificate will be used for. The set of rules
that indicates exactly how a certificate may be used (what purpose it can be trusted
for, or perhaps the community for which it can be trusted) is called a certificate
policy. The X.509 standard defines certificate policies as a named set of rules that
indicates the applicability of a certificate to a particular community and/or class of
application with common security requirements.
Different entities have different security requirements. For example, users want a
digital certificate for securing e-mail (either encrypting incoming messages or signing
outgoing mail), Syngress (as other Web vendors do) wants a digital certificate for their
online store, etc. Every user will want to secure their information, and a certificate
owner will use the policy information to determine if they want to accept a certificate.
It is important to have a policy in place to state what the appropriate protocol
is for use of certificates (how they are requested, how and when they may be used,
etc.), but it is equally as important to explain exactly how to implement those
policies. This is where the Certificate Practice Statement (CPS) comes in. A CPS
describes how the CA plans to manage the certificates it issues.
Key Recovery
Key recovery is compatible with the CryptoAPI architecture of Windows 2008, but
it is not a necessary requirement. For key recovery, an entity's private key must be
stored permanently. The storage of private keys guarantees that critical information
will always be accessible, even if the information should get corrupted or deleted.
On the other hand, there is a security issue in the backup of the private keys. The
archived private key should be used to impersonate the private key owner only if
corruption occurs on your system.
Backup and Restore
Microsoft recommends that you back up your entire CA server. By backing up the
system state data on your CA, you will automatically get a backup of the certificate
store, the registry, system files, and Active Directory (if your CA is a domain controller).
Sometimes, you may want to just back up the certificate services portion of
your computer without doing a full backup of everything else.
Exercise 7.4 walks you through backing up Certificate Services. Your backups
are only useful if you can restore them; Exercise 7.5 walks you through restoring
Certificate Services.
EXERCISE 7.4
BACKING UP CERTIFICATE SERVICES
1. On any computer for which you want to take a backup, log on
with administrative privileges.
2. Click Start, click All Programs, click Administrative Tools, and then
click Certification Authority.
3. Right-click the name of your CA, and choose All Tasks | Back up
CA from the pop-up menu, as shown in Figure 7.22.
Figure 7.22 Certificate Authority Page
4. On the Welcome to the Certification Authority Backup Wizard
page, click Next to continue.
5. On the Items to Back Up page, click Private key and CA certificate
and Certificate database and certificate database log. Type in the
path of the backup location, and then click Next (see Figure 7.23).
Figure 7.23 Items to Back Up
6. Type in the backup password twice and click Next.
7. On the Completing the Certification Authority Backup Wizard page,
verify that it reads "You have successfully completed the
Certification Authority Backup Wizard", as shown in Figure 7.24.
8. Click Finish to close the wizard.
EXERCISE 7.5
RESTORING CERTIFICATE SERVICES
1. On the computer on which you want to perform a restore, log on
with administrative privileges.
2. Click Start, click All Programs, click Administrative Tools, and then
click Certification Authority.
3. Right-click the name of your CA, and choose All Tasks | Restore
CA from the pop-up menu, as shown in Figure 7.25.
Figure 7.24 Completing the CA Backup Wizard
4. Click OK to stop Certificate Services from running and start
the wizard.
5. On the Welcome to the Certification Authority Restore Wizard
page, click Next to continue.
6. On the Items to Restore page, click Private key and CA certificate and
Certificate database and certificate database log to restore the
backup of the private key, CA certificate, certificate database and
database log file (see Figure 7.26). Alternatively, you can choose
only the components your requirements call for. Type in the path
of the backup location, and then click Next.
Figure 7.25 Certificate Authority page
7. On the Provide Password page, type in the restore password,
and then click Next.
8. On the Completing the Certification Authority Restore Wizard page,
verify that it reads "You have successfully completed the Certification
Authority Restore Wizard", as shown in Figure 7.27.
Figure 7.26 Items to Restore
9. Click Finish to complete the wizard.
10. You will now be prompted to restart the certificate services,
as shown in Figure 7.28. Click Yes to restart the services.
Figure 7.27 Completing the CA Restore Wizard
Figure 7.28 Certification Authority Restore Wizard
Assigning Roles
In a small network of one or two servers and just a handful of clients, administration
is generally not a difficult task. When the size of the network increases, however,
the complexity of administration seems to increase exponentially. Microsoft's
recommendations for a large network include dividing administrative tasks among
the different administrative personnel. One administrator may be in charge of
backups and restores, whereas another administrator may have complete control
over a certain domain, and so on. The role of each administrator is defined by the
tasks that he or she is assigned, and individual permissions are granted based
on those tasks. PKI administration, which can be as daunting as general network
administration, can be similarly divided. Microsoft defines five different roles that
can be used within a PKI to facilitate administration:
■ CA Administrator
■ Certificate Manager
■ Backup Operator
■ Auditor
■ Enrollee
At the top of the hierarchy is the CA administrator. The role is defined by
the Manage CA permission and has the authority to assign other CA roles and
to renew the CA's certificate. Underneath the CA administrator is the certificate
manager. The certificate manager role is defined by the Issue and Manage Certificates
permission and has the authority to approve enrollment and revocation requests.
The Backup Operator and the Auditor roles are actually operating system roles,
and not CA specific. The Backup Operator has the authority to back up the CA and
the Auditor has the authority to configure and view audit logs of the CA. The final
role is that of the Enrollee. All authenticated users are placed in this role, and are
able to request certificates from the CA.
Enrollments
In order for a PKI client to use a certificate, two basic things must happen. First, a CA
has to make the certificate available and second, the client has to request the certificate.
Only after these first steps can the CA issue the certificate or deny the request.
Making the certificate available is done through the use of certificate templates and is
a topic that we discuss in detail below.
Like Windows Server 2003, Windows Server 2008 PKI also supports autoenrollment
for user certificates as well as for computer certificates. The request
and issuance of these certificates may proceed without user intervention. Group
policies are used in Active Directory to configure autoenrollment. In Computer
Configuration | Windows Settings | Security Settings | Public Key
Policies, there is a group policy entitled Automatic Certificate Request
Settings. The Property sheet for this policy allows you to choose to either Enroll
certificates automatically or not. Also, you will need to ensure that Enroll
subject without requiring any user input option is selected on the Request
Handling tab of the certificate template Property sheet. Finally, be aware that doing
either of the following will cause autoenrollment to fail:
■ Setting the This number of authorized signatures option on the
Issuance Requirements tab to higher than one.
■ Selecting the Supply in the request option on the Subject Name tab.
TEST DAY TIP
Remember that autoenrollment is only available for user certificates if
the client is Windows XP, Windows Server 2003, or Windows Server 2008.
Revocation
A CA's primary duty is to issue certificates, either to subordinate CAs, or to PKI
clients. However, each CA also has the ability to revoke those certificates when
necessary. Certificates are revoked when the information contained in the certificate
is no longer considered valid or trusted. This can happen when a company
changes ISPs (Internet Service Providers), moves to a new physical address, or when
the contact listed on the certificate has changed. Essentially, a certificate should be
revoked whenever there is a change that makes the certificate's information stale
and no longer reliable from that point forward.
In addition to the changes in circumstance that can cause a certificate
revocation, certain owners may have their certificate revoked upon terminating
employment. The most important reason to revoke a certificate is if the private key
has been compromised in any way. If a key has been compromised, it should
be revoked immediately.
EXAM WARNING
Certificate expiration is different from certificate revocation. A certificate
is considered revoked if it is terminated prior to the end date of the
certificate.
Along with notifying the CA of the need to revoke a certificate, it is equally
important to notify all certificate users of the date that the certificate will no longer
be valid. After notifying users and the CA, the CA is responsible for changing the
status of the certificate and notifying users that it has been revoked.
When a certificate revocation request is sent to a CA, the CA must be able to
authenticate the request with the certificate owner. Once the CA has authenticated
the request, the certificate is revoked and notification is sent out. CAs are not the
only ones who can revoke a certificate. A PKI administrator can revoke a certificate,
but without authenticating the request with the certificate owner. This allows for
the revocation of certificates in cases where the owner is no longer accessible or
available, as in the case of termination.
NOTE
Information that has already been encrypted using the public key in a
certificate that is later revoked is not necessarily invalid. Maintaining the
example of a driver's license, checks that are written and authenticated
by a cashier using your driver's license one week are not automatically
voided if you lose your license or move states the next.
The X.509 standard requires that CAs publish certificate revocation lists
(CRLs). In its simplest form, a CRL is a published list giving the revocation
status of the certificates that the CA manages. There are several forms that revocation
lists may take, but the two most noteworthy are simple CRLs and delta CRLs.
A simple CRL is a container that holds a list of revoked certificates with the
name of the CA, the time the CRL was published, and when the next CRL will
be published. It is a single file that continues to grow over time. The fact that only
information about the certificates is included, and not the certificates themselves, helps to
manage the size of a simple CRL.
Delta CRLs can handle the issues that simple CRLs cannot: size and distribution.
While a simple CRL contains only certain information about each revoked certificate, it
can still become a large file. How, then, do you continually distribute a large file to all
parties that need to see the CRL? The solution is delta CRLs. In an environment
leveraging delta CRLs, a base CRL is sent to all end parties to initialize their copies
of the CRL. Afterwards, updates known as deltas are sent out on a periodic basis to
inform the end parties of any changes.
In practice within Windows Server 2008, the tool that the CA uses for revocation
is the certificate revocation list, or CRL. The act of revoking a certificate is
simple: from the Certification Authority console, simply highlight the Issued
Certificates container, right-click the certificate and choose All | Revoke
Certificate. The certificate will then be located in the Revoked Certificates
container.
When a PKI entity verifies a certificate's validity, that entity checks the CRL
before giving approval. The question is: how does a client know where to check for
the list? The answer is the CDPs, or CRL Distribution Points. CDPs are locations
on the network to which a CA publishes the CRL; in the case of an enterprise
CA under Windows Server 2008, Active Directory holds the CRL, and for a standalone
CA, the CRL is located in the certsrv\certenroll directory. Each certificate has a
location listed for the CDP, and when the client views the certificate, it then knows
where to go for the latest CRL. Figure 7.29 shows the Extensions tab of the
CA property sheet, where you can modify the location of the CDP.
Figure 7.29 Extensions Tab of the CA Property Sheet
TEST DAY TIP
On the day of the test, be clear as to which types of CRLs are consistently
made available to users in Windows Server 2008. Since Windows Server 2003, Delta
CRLs have been used to publish only the changes made to an original
CRL for the purposes of conserving network traffic.
In order for a CA to publish a CRL, use the Certificate Authority console to
right-click the Revoked Certificates container and choose All Tasks | Publish.
From there, you can choose to publish either a complete CRL, or a Delta CRL.
Whether you select a New CRL or a Delta CRL, you are next prompted to enter
a publication interval (the most frequent intervals chosen are one week for full CRLs
and one day for Delta CRLs). Clients cache the CRL for this period of time, and then
check the CDP again when the period expires. If an updated CRL does not exist at the CDP or
cannot be located, the client automatically assumes that all certificates are invalid.
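The revocation-checking behaviour described above (a weekly base CRL, daily delta CRLs that each name the base they extend, client-side caching for the publication interval, and the fail-closed rule when no current CRL can be obtained from the CDP) modelled as an added Python example; this is not code from the book or from Windows, and the issuer name, serial numbers and dates are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class CRL:
    # Minimal CRL model: publisher, publication time, next scheduled publication,
    # a monotonically increasing number, and the revoked serial numbers.
    issuer: str
    crl_number: int
    this_update: datetime
    next_update: datetime
    revoked: frozenset
    delta_base: Optional[int] = None   # set only on a delta CRL: the base CRL it extends

    def is_delta(self) -> bool:
        return self.delta_base is not None

    def is_current(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update


def merge(base: CRL, deltas: list[CRL]) -> frozenset:
    """Union of a base CRL and the deltas that extend it; a delta from another
    issuer or built on a different base CRL number is rejected, not ignored."""
    if base.is_delta():
        raise ValueError("expected a base CRL, got a delta CRL")
    revoked = set(base.revoked)
    for d in deltas:
        if not d.is_delta() or d.issuer != base.issuer or d.delta_base != base.crl_number:
            raise ValueError(f"delta CRL {d.crl_number} does not extend base CRL {base.crl_number}")
        if d.crl_number <= base.crl_number:
            raise ValueError(f"delta CRL {d.crl_number} is older than base CRL {base.crl_number}")
        revoked |= d.revoked
    return frozenset(revoked)


class RelyingParty:
    """Client-side CRL cache: the CDP is re-read only once a cached CRL passes its
    next-update time; if nothing usable is fetched, every certificate is treated as invalid."""

    def __init__(self, fetch_cdp: Callable[[], Optional[tuple[CRL, list[CRL]]]]):
        self.fetch_cdp = fetch_cdp        # returns (base, deltas), or None when the CDP is unreachable
        self.base: Optional[CRL] = None
        self.deltas: list[CRL] = []
        self.fetch_count = 0              # how often the CDP was actually contacted

    def _have_current_crls(self, now: datetime) -> bool:
        return (self.base is not None and self.base.is_current(now)
                and all(d.is_current(now) for d in self.deltas))

    def _refresh(self, now: datetime) -> bool:
        if self._have_current_crls(now):
            return True                   # still inside the publication interval: use the cache
        self.fetch_count += 1
        fetched = self.fetch_cdp()
        if fetched is None:
            self.base, self.deltas = None, []
            return False
        self.base, self.deltas = fetched
        return self._have_current_crls(now)

    def status(self, issuer: str, serial: str, now: datetime) -> str:
        """Returns 'good', 'revoked', or 'invalid' (no usable CRL for this issuer: fail closed)."""
        if not self._refresh(now) or self.base.issuer != issuer:
            return "invalid"
        return "revoked" if serial in merge(self.base, self.deltas) else "good"


# Constructed scenario: weekly base CRL, daily cumulative deltas, one relying party.
ISSUER = "CN=Example Enterprise CA"        # constructed issuer name
T0 = datetime(2008, 6, 2, tzinfo=timezone.utc)
WEEK, DAY, HOUR = timedelta(days=7), timedelta(days=1), timedelta(hours=1)


def demo() -> dict:
    cdp = {"base": CRL(ISSUER, 10, T0, T0 + WEEK, frozenset({"1a"})),
           "deltas": [CRL(ISSUER, 11, T0 + DAY, T0 + 2 * DAY, frozenset({"2b"}), delta_base=10)],
           "reachable": True}

    def fetch():
        return (cdp["base"], list(cdp["deltas"])) if cdp["reachable"] else None

    rp, out = RelyingParty(fetch), {}
    now = T0 + DAY + HOUR
    out["good"] = rp.status(ISSUER, "3c", now)            # on neither list
    out["revoked_in_base"] = rp.status(ISSUER, "1a", now)
    out["revoked_in_delta"] = rp.status(ISSUER, "2b", now)
    out["fetches_day1"] = rp.fetch_count                  # one fetch served all three checks
    # Next day the CA publishes a new delta (cumulative since base 10) that adds 3c.
    cdp["deltas"] = [CRL(ISSUER, 12, T0 + 2 * DAY, T0 + 3 * DAY, frozenset({"2b", "3c"}), delta_base=10)]
    now = T0 + 2 * DAY + HOUR
    out["revoked_day2"] = rp.status(ISSUER, "3c", now)    # cached delta expired, CDP re-read
    out["fetches_day2"] = rp.fetch_count
    # Day 3: the delta has expired and the CDP cannot be reached, so the client fails closed.
    cdp["reachable"] = False
    out["unreachable"] = rp.status(ISSUER, "3c", T0 + 3 * DAY + HOUR)
    return out
```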
Working with Templates
A certificate template defines the policies and rules that a CA uses when a request for
a certificate is received. Often when someone refers to building and managing a
PKI for their enterprise, they are usually only thinking of the Certificate Authority
and the associated infrastructure needed to support the authentication and authorization
required to support the function of the CA. While this is certainly important
for the proper function of the PKI, it is only half of the picture: the certificates
themselves must be carefully planned to support the business goals that are driving
the need to install and configure the PKI.
When you consider that certificates are flexible and can be used in scores of
different scenarios, the true power of the certificate becomes apparent. While these
different uses can all coexist within a single PKI, the types and functions of the
certificates can be very different. Certificates that are used to support two-factor
authentication on smart cards can be very different from those used to establish
SSL connections to web servers, sign IPsec traffic between servers, support 802.1x
wireless access through NAP, or even certificates used to sign e-mail communication.
In all of these cases, the CA and the PKI it supports are the same, but it is
the certificate itself that is changing. For each of these different uses, it is important
for the certificate to contain the data appropriate to the function that
the designer of the PKI has intended, and no more. While additional data could
be provided in the certificate, the fact that these are intended to mediate security
exchanges makes it inappropriate to include any more information than is necessary
to complete the certificate's objective. It is the Certificate Template that specifies the
data that must be included in a certificate for it to function, and that ensures that
all of the needed data are provided to establish the certificate's validity.
EXAM WARNING
Many different types of certificates can be used together within a single
Public Key Infrastructure. It is the Certificate Templates that allow the
certificates to differentiate themselves for different purposes ensuring
that the appropriate information is stored in the cert.
For an individual certificate, there are a number of properties and settings that
go into the certificate template specification. Each of these combine to build the
final template that will determine the settings for the resulting Certificate.
There are many built-in templates that can be viewed using the Certificate
Templates snap-in (see Figure 7.30). The snap-in can be run by right-clicking the
Certificate Templates container located in the Certification Authority console
and clicking Manage. You can use one of the built-in templates or create your own.
Figure 7.30 Certificate Templates Snap-in
When creating your own template, you have multiple options that will guide
the CA in how to handle incoming requests. The first step in the creation process is
to duplicate an existing template. You do this by using the Certificate Templates
snap-in, then right-clicking the template you wish to copy and selecting Duplicate
Template. On the General tab that appears by default (seen in Figure 7.31), there
are time-sensitive options such as validity period and renewal period. Note the
default validity period of one year, and the default renewal period of six weeks.
There are also general options such as the template display name and a checkbox
for publishing the certificate in Active Directory.
General Properties
Now we'll describe the following settings under the General tab of the new
certificate template:
■ Template Display Name It is important that the certificate that you
are creating has a descriptive name that accurately describes the function of the
certificate. This name cannot be changed once it is assigned, but you can
always recreate the certificate from another template later.
■ Validity Period This is the period for which the derived certificates are
valid. This time should be long enough so as not to create a burden on the
end user, but not so long as to create a security problem.
Figure 7.31 General Tab of the New Template Property Sheet
■ Renewal Period This is the period before expiration during which the
certificate holder is notified of the upcoming expiration and renewal is attempted,
if renewal is an option for the certificate.
■ Publish in Active Directory Some certificates can be stored in
Active Directory, tied to security principals there. This generally applies to
User certificates that are not tied to specific hardware.
The Request Handling tab, shown in Figure 7.32, has options to enroll
without user interaction.
Figure 7.32 Request Handling Tab of the New Template Property Sheet
Request Handling
The Request Handling tab includes the following settings:
■ Purpose It is important to consider the activities for which this new
certificate will be responsible. Some keys can be used just to validate
identity while others can also provide signing for encryption.
■ The private key can also be archived or shared with the CA so that it
may be recovered in the event of loss. Otherwise, the certificate must
be recreated.
■ Enrollment Actions Different notification actions can be specified when
the private key for this certificate is used. This can range from transparent
usage of the key to full notification prompting the certificate owner for
permission.
The Cryptography tab seen in Figure 7.33, gives you the choice of algorithms
that can be used.
Cryptography
The Cryptography tab includes the following settings:
■ Algorithm Name There are a number of cryptographic algorithms that
can be used to provide encryption for the keys. Valid methods under Windows
Server 2008 are RSA, ECDH_P256, ECDH_P384, ECDH_P521.
Figure 7.33 Cryptography Tab
■ Note: If the Purpose is changed to Signature, additional algorithms
become available: ECDSA_P256, ECDSA_P384, ECDSA_P521.
■ Hash Algorithm To provide one-way hashes for key exchanges,
a number of algorithms are available. These include: MD2, MD4, MD5,
SHA1, SHA256, SHA384, SHA512.
The Subject Name tab, seen in Figure 7.34, gives you the choice of obtaining
subject name information from Active Directory or from the certificate request
itself. In the latter case, autoenrollment (which we'll discuss later in the chapter) is
not available.
Figure 7.34 Subject Name Tab of the New Template Property Sheet
Subject Name
The Subject Name tab includes the following settings:
■ Supply in the Request Under this option, the CA will expect to get
additional subject information in the certificate request. As noted, this will
not permit autoenrollment, requiring intervention to issue the certificate.
■ Build from this AD Information Under this option, Active
Directory will be queried and the certificate will be built based on the
AD fields you specify.
Usually the default of the Distinguished Name is adequate for most purposes,
but the common name will sometimes be preferable.
The Issuance Requirements tab seen in Figure 7.35 allows you to suspend automatic
certificate issuance by selecting the CA certificate manager approval checkbox.
Figure 7.35 Issuance Requirements Tab of the New Template Property Sheet
Issuance Requirements
These settings can be used to manage the approval requirements in order for
a certificate to be issued. These settings allow for a workflow or approval chain to
be applied to the certificate type.
■ CA Certificate Manager Approval Using this setting will require that
the CA Manager assigned in the CA approve the certificate before it is
released to the end user of the certificate.
■ Number of Authorized Signatures Under these settings, additional
approval steps may be required to release the certificate. In these scenarios,
two or more approval authorities will have to consent before the certificate
is generated.
■ Require the Following for Reenrollment These settings specify the
approval and prerequisites that are in place for renewal of the certificate.
This allows the network administrator to let subjects with valid
certificates renew without having to go through the approval chain.
The Superseded Templates tab, as shown in Figure 7.36, is used to define
which certificates are superseded by the current template. Usually, this tab is used
to configure a template that serves several functions, e.g. IPsec and EFS. In this case,
a template used only for IPsec or a template used only for EFS would be placed
on the superseded templates list. This section allows the network administrator to
specify other templates that are superseded by the new template type. This allows
control of both versioning and wholesale template replacement.
As templates evolve, it may be useful to replace templates that are already
deployed in the wild with a new template.
In addition to the standard usage patterns that are inherited from the parent
certificate, it is sometimes important to specify new circumstances and roles that
a certificate will fill. In this case, additional extensions to the certificate will be
applied to provide this new functionality.
Under these settings, a new ability such as code signing can be applied to all
derivative certificates to allow these new subjects the ability to complete multiple tasks.
Figure 7.36 Superseded Templates Tab of the New Template Property Sheet
The Extensions tab as seen in Figure 7.37 can be used to add such things as the
Application Policies extension, which defines the purposes for which a generated
certificate can be used. The Issuance Policies extension is also worth mentioning,
because it defines when a certificate may be issued.
Figure 7.37 Extensions Tab of the New Template Property Sheet
The Security tab is similar to the Security tab that we saw in Figure 7.38,
except that this tab is used to control who may edit the template and who may
request certificates using the template. Figure 7.38 shows the default permission
level for the Authenticated Users group. In order for a user to request a certificate,
however, the user must have at least the Enroll permission assigned to them
for manual requests, and the Autoenroll permission for automatic requests.
Security
The security settings control the actions that different types of users are able to perform
on a certificate template.
■ Enroll These subjects are able to request that a certificate be created from
this template and assigned to them. This enrollment process will abide by
the constraints listed under the Issuance Requirements tab.
■ Autoenroll These subjects are able to make a request to the CA and
will be automatically issued the certificate if the subject meets the
Issuance Requirements. In this case, the certificate will be applied without
administrator intervention or assistance.
Figure 7.38 Security Tab of the New Template Property Sheet
After you have configured a particular template, it still cannot be used by the
CA to issue certificates until it is made available. To enable a template, you use the
Certification Authority console and right-click the Certificate Templates
container. Selecting New | Certificate Template to Issue completes the
process.
Types of Templates
There are a number of different templates that are included with Windows Server
2008 that provide basic signing and encryption services in the Enterprise Windows
PKI role. In addition to these pre-built templates, the network administrator also has
the option to build custom templates to address needs that might not be covered by
the standard templates or to provide interoperation with other systems.
The Subject Field of the Certificate templates determines the scope of action
and the types of objects to which the resulting certificates can be bound.
User Certificate Types
User Certificate Templates are intended to be bound to a single user to provide
identity and/or encryption services for that single entity.
■ Administrator This certificate template provides signature and encryption
services for administrator accounts, providing account identification
and certificate trust list (CTL) management within the domain. Certificates based on
the Administrator template are stored in Active Directory.
■ Authenticated Session This certificate template allows users to authenticate
to a web server to provide user credentials for site logon. This is often
deployed for remote users as a way to validate identity without storing
information insecurely in a cookie, while avoiding the need for a user to log
on to the site each time.
■ Basic EFS Certificates derived from this template are stored in Active
Directory with the associated user account and are used to encrypt data
using the Encrypting File System (EFS).
■ Code Signing These certificate templates allow developers to create
certificates that can be used to sign application code. This provides a check
on the origin of software so that code management systems and end-users
can be sure that the origin of the software is trusted.
■ EFS Recovery Agent Certificates of this type allow files that have been
encrypted with the EFS to be decrypted so that the files can be used again.
EFS Recovery Agent certificates should be a part of any disaster recovery
plan when designing an EFS implementation.
■ Enrollment Agent Certificates derived from this template are used to
request and issue other certificates from the enterprise CA on behalf of
another entity. For example, the web enrollment application uses these
certificates to manage the certificate requests with the CA.
■ Exchange Enrollment Agent These certificates are used to manage
enrollment services from within Exchange to provide certificates to other
entities within the Exchange infrastructure.
■ Exchange Signature Certificates derived from the Exchange Signature
template are user certificates used to sign e-mail messages sent from within
the Exchange system.
■ Exchange User Certificates based on the Exchange User template are
user certificates that are stored in the Active Directory used to encrypt
e-mail messages sent from within the Exchange system.
■ Smartcard Logon These certificates allow the holder of the smart card
to authenticate to Active Directory and provide identity and encryption
abilities. This is usually deployed as a part of a two-factor security scheme
using smart cards as the physical token.
■ Smartcard User Unlike the Smartcard Logon certificate template, these
types of certificates are stored in the Active Directory and limit the scope
of identity and encryption to e-mail systems.
■ Trust List Signing These certificates allow the signing of a trust list to help
manage certificate security and to provide affirmative identity to the signer.
■ User This template is used to create general User Certificates, the kind
that are usually thought of when talking about user certificates. These
are stored in Active Directory and are responsible for user activities
in the AD such as authentication, EFS encryption, and interaction with
Exchange.
■ User Signature Only These certificates allow users to sign data and
provide identification of the origin of the signed data.
Computer Certificate Types
Computer Certificate Templates are intended to be bound to a single computer
entity to provide identity and/or encryption services for that computer. These are
often the cornerstone of workstation authentication systems like NAP and 802.1x
which might require computer certificates for EAP authentication.
■ CA Exchange These certificates are bound to Certificate Authorities to
mediate key exchange between CAs allowing for PK sharing and archival.
■ CEP Encryption Certificates of this type are bound to servers that are
able to respond to key requests through the Simple Certificate Enrollment
Protocol (SCEP).
■ Computer This template is used to generate standard Computer certificates
that allow a physical machine to assert its identity on the network.
These certificates are extensively used in EAP authentication in identifying
endpoints in secured communication tunnels.
■ Domain Controller Authentication Certificates of this type are used
to authenticate users and computers in Active Directory. This allows a
Domain Controller to access the directory itself and provide authentication
services to other entities.
■ Enrollment Agent (Computer) These certificates allow a computer to
act as an enrollment agent against the PKI so that they can offer computer
certificates to physical machines.
■ IPsec Certificates based on this template allow a computer to participate
in IPsec communications. These computers are able to assert their identity
as well as encrypt traffic on the network. This is used in IPsec VPN tunnels
as well as in Domain and Server Isolation strategies.
■ Kerberos Authentication These certificates are used by local
computers to authenticate with the Active Directory using the Kerberos
v5 protocol.
■ OCSP Response Signing This is a unique certificate type to Windows
Server 2008 allowing a workstation to act as an Online Responder in the
validation of certificate request queries.
■ RAS and IAS Server These certificates are used to identify and provide
encryption for Routing and Remote Access Server (RRAS) as well as
Internet Authorization Servers (IAS) to identify themselves in VPN and
RADIUS communications with RADIUS Clients.
■ Router This is also a new role to Windows Server 2008 providing services
to provide credentials to routers making requests through SCEP to a CA.
■ Web Server These certificates are commonly used by servers acting as
web servers to provide end-point identification and traffic encryption
to their customers. These kinds of certificates are used to provide Secure
Sockets Layer (SSL) encryption, enabling clients to connect to the web
server using the HTTPS protocol.
■ Workstation Authentication Like general computer certificates, the
workstation certificate allows computers that are domain members the
ability to assert their identity on the network and encrypt traffic that they
send across the network.
Other Certificate Types
There are a number of other certificate types that are not directly tied to either user
or computer entities. These are usually infrastructure-based certificate types that are
used to manage the domain or the Certificate Authorities themselves.
■ Cross-Certification Authority These certificates are used within the
Certificate Authority infrastructure to cross-certify CAs to validate the
hierarchy that makes up the PKI.
■ Directory E-mail Replication Certificates that are derived from this
type are used within the larger Exchange infrastructure to allow for the
replication of e-mail across the directory service.
■ Domain Controller This kind of certificate is only held by the Domain
Controllers in the domain. These differ from the Domain Controller
Authentication certificates in that they identify the individual DC rather than
facilitate authorization of inbound authentication requests.
■ Root CA These certificates are only issued to Root Certificate
Authorities to assert their identity in the Public Key Infrastructure.
■ Subordinate CA This certificate type is used to assert the identity of
Subordinate Certificate Authorities in the PKI. This type of certificate can
only be issued by a computer holding the Root CA certificate or another
Subordinate CA that is the direct parent of the one to which the new
certificate is being issued.
Custom Certificate Templates
In some circumstances, it might be necessary to create a custom certificate type
that can be used to support a specific business need. If you are using a version of
Windows Server 2008 that is not either the Web or Standard edition, you can
create your own templates.
EXERCISE 7.6
CREATING A CUSTOM TEMPLATE
In this exercise, we will create a new User Template based on the
existing default user template. This new template will be valid for
10 years rather than the default 1-year expiration date.
1. Log in to your domain with an account that is a member of the
Domain Admins group.
2. Navigate to Start | Administrative Tools | Certificate Authority.
3. Right-click the Certificate Templates folder on the left pane. Choose
Manage to open the Certificate Templates Console (see Figure 7.39).
Figure 7.39 Creating a Custom Template
4. Right-click the User Template. Choose Duplicate Template.
5. On the Duplicate Template page, choose Server 2008 versioning
as all of our CAs are running Server 2008 (see Figure 7.40).
Click OK.
Figure 7.40 Creating a Custom Template
6. In the Template display name, enter Long-term User.
7. Change the Validity Period to 10 Years (see Figure 7.41).
Figure 7.41 Creating a Custom Template
8. Click OK.
The new Long-term User certificate template has now been created on this CA
and is ready to be used to create new derivative certificates.
Securing Permissions
With the wide set of configuration options that are available when creating a
new Certificate Template, it might come as a surprise that the permissions model
is relatively simple. All of the more complicated security controlling the approval
process and revocation is already built into the Certificate Template itself, so there
is little left to control through the more traditional Access Control Entries on the
template's Access Control List.
■ Full Control Users with this permission have access to do anything with
the Certificate Template. Users with this right should be confined to the
Domain Administrators and CA Managers who will be maintaining the
CA and the associated Templates.
■ Read These users will be able to read the template and view its contents.
It is important for users to be able to Read the template if they are to
apply it and continue to use the associated certificates issued from the template.
■ Write Users who are able to modify and manage the template will need
to have write permissions on the template. Again, this should be confined
to Domain Administrators and CA Managers who will be responsible for
maintaining the Templates.
■ Enroll Users who will request certificates of this type or who already
have these certs will need to have Enroll privileges.
■ AutoEnroll Subjects that will request new certificates through the
autoenrollment process will need to have autoenrollment privileges in
addition to the enroll and read permissions.
NOTE
In order to keep the Certificate Authority communicating with the Active
Directory, it is important that the Cert Publishers group be protected.
Make sure that this group is not inadvertently destroyed or changed.
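A check to run once a template exists, added here as an example and not taken from the book or from Microsoft's documentation: the script below enumerates the certificate templates published in Active Directory, decodes each template's validity and renewal periods (so the 10-year setting on the Long-term User template from Exercise 7.6 can be confirmed rather than assumed), and lists which principals hold Enroll, AutoEnroll, or Full Control on each template, which is the information the permissions model above asks you to keep tight. It assumes a domain-joined host with the ActiveDirectory module (RSAT) and Windows PowerShell 3.0 or later; the $MaxValidityDays threshold is an assumed local value, not one from the book.

```powershell
# Added example, not from the book: audit certificate templates for validity period and
# enrollment permissions. Needs the ActiveDirectory module (RSAT) on a domain-joined host
# running Windows PowerShell 3.0 or later.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs that appear in template ACLs.
$EnrollGuid     = [Guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-11d1-a9c7-0000f80367c1'   # Certificate-AutoEnrollment
$AllRightsGuid  = [Guid]::Empty                                   # ACE granting every extended right
$GenericAll     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Assumed local policy threshold for this example, not a value taken from the book.
$MaxValidityDays = 365 * 2

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod and pKIOverlapPeriod hold a negative count of 100-nanosecond
    # intervals as an 8-byte little-endian integer, so negating it yields .NET ticks.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -ne 8) { return $null }
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

function Get-TemplateTrustees {
    # Lists the principals allowed a given extended right on a template. Full Control
    # (GenericAll) is always included because it implies every right; with -FullControlOnly
    # only those holders are returned.
    param([string]$DistinguishedName, [Guid]$RightGuid, [switch]$FullControlOnly)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | Where-Object {
        if ($_.AccessControlType -ne 'Allow') { return $false }
        $full = (($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll)
        if ($FullControlOnly) { return $full }
        $ext = ([int]($_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
               ($_.ObjectType -eq $RightGuid -or $_.ObjectType -eq $AllRightsGuid)
        $full -or $ext
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$report = Get-ADObject -SearchBase $templateBase -LDAPFilter '(objectClass=pKICertificateTemplate)' `
              -Properties displayName, pKIExpirationPeriod, pKIOverlapPeriod |
    ForEach-Object {
        $validity = ConvertFrom-PkiPeriod $_.pKIExpirationPeriod
        $renewal  = ConvertFrom-PkiPeriod $_.pKIOverlapPeriod
        [PSCustomObject]@{
            Template     = $_.displayName
            ValidityDays = if ($validity) { [int]$validity.TotalDays } else { $null }
            RenewalDays  = if ($renewal)  { [int]$renewal.TotalDays }  else { $null }
            OverLimit    = [bool]($validity -and $validity.TotalDays -gt $MaxValidityDays)
            Enroll       = (Get-TemplateTrustees $_.DistinguishedName $EnrollGuid) -join ', '
            AutoEnroll   = (Get-TemplateTrustees $_.DistinguishedName $AutoEnrollGuid) -join ', '
            FullControl  = (Get-TemplateTrustees $_.DistinguishedName $AllRightsGuid -FullControlOnly) -join ', '
        }
    }

# Long-lived templates (the 10-year "Long-term User" template from Exercise 7.6, for one)
# surface at the top so their enrollment ACLs can be reviewed first.
$report | Sort-Object ValidityDays -Descending |
    Format-Table Template, ValidityDays, RenewalDays, OverLimit, Enroll, AutoEnroll, FullControl -AutoSize -Wrap
```

Templates whose Enroll or AutoEnroll column contains broad groups together with a long validity period are the ones to revisit first; the FullControl column should show only the Domain Admins and CA managers the text names.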
Versioning
Certificates are all tagged with version information allowing them to evolve over
time. Without this feature, when a Certificate Template would get updated, all of the
certificates based on the old template would have to be revoked, forcing the end users
to apply for new certificates again. This is disruptive to business and introduces
a large amount of risk to business continuity as the certificates are brought into
compliance again.
With versioning, a new version of the Certificate Template can be issued into the
production environment. Then, using the autoenrollment process, these certificates can
be superseded, bringing all of the certificate-holding subjects into compliance quickly and
with a minimum of both disruption to the business and administrative intervention.
EXAM WARNING
In an environment that has been upgraded from a previous version
of Windows Server into the Server 2008 platform, an update to the
certificate templates may be required to bring the templates into
compliance. This should be done before the domain is upgraded to
ensure continuity with Active Directory.
Key Recovery Agent
Sometimes it is necessary to recover a key from storage. One of the problems that
often arises regarding PKI is the fear that documents will become lost forever,
irrecoverable because someone loses or forgets their private key. Let's say that
employees use Smart Cards to hold their private keys. If a user were to leave his
smart card in his wallet, which was left in the pants that he accidentally threw into
the washing machine, then that user might be without his private key and therefore
incapable of accessing any documents or e-mails that used his existing private key.
Many corporate environments implement a key recovery server solely for the
purpose of backing up and recovering keys. Within an organization, there is at least
one key recovery agent. A key recovery agent is an employee who has the authority to
retrieve a user's private key. Some key recovery servers require that two key recovery
agents retrieve private user keys together for added security. Some key recovery
servers also have the ability to function as a key escrow server, thereby adding the
ability to split the keys onto two separate recovery servers, further increasing security.
Luckily, Windows Server 2008 provides a locksmith of sorts (called a Registration
Authority, or RA) that earlier versions of Windows did not have. A key recovery
solution, however, is not easy to implement and requires several steps. The basic
method follows:
1. Create an account to be used for key recovery.
2. Create a new template to issue to that account.
3. Request a key recovery certificate from the CA.
4. Have the CA issue the certificate.
5. Configure the CA to archive certificates by using the Recovery Agents
tab of the CA property sheet (shown in Figure 7.42).
6. Create an archive template for the CA.
Figure 7.42 Recovery Agents Tab of the CA Property Sheet
Each of these steps requires many substeps, but can be well worth the time
and effort. It is worth noting again that key recovery is not possible on
a stand-alone CA, because a stand-alone CA cannot use templates. It is also worth
noting that only encryption keys can be recovered; private keys used for digital
signatures cannot.
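Because each of the six steps above has many substeps, it is easy to end up with a CA that archives nothing. The script below, added here as an example and not part of the book's procedure, checks the resulting configuration from the CA's side: that the CA is an enterprise CA (a stand-alone CA cannot use templates, so it cannot archive keys), that at least one Key Recovery Agent certificate is registered, that the Key Recovery Agent template is enabled for issuance, and which templates require private key archival together with whether those templates issue an encryption-capable key, since only encryption keys can be recovered. It assumes an elevated prompt on the CA itself and the ActiveDirectory module; the CAType values and flag bits named in the comments are Microsoft's documented constants.

```powershell
# Added example, not from the book: verify the CA side of a key recovery deployment.
# Run in an elevated prompt on the CA itself; certutil then reads the local CA's configuration.
Import-Module ActiveDirectory

function Get-CARegistryValue {
    # Reads one value under the CA's CertSvc\Configuration key via certutil. Returns an [int]
    # for REG_DWORD (certutil prints "hex (decimal)" for flag values, plain digits otherwise)
    # and the list of strings for REG_MULTI_SZ (printed as "    0: value" lines).
    param([string]$ValueName)
    $lines = certutil -getreg "CA\$ValueName" 2>&1 | ForEach-Object { "$_" }
    foreach ($line in $lines) {
        if ($line -match 'REG_DWORD\s*=\s*[0-9A-Fa-f]+\s*\((\d+)\)') { return [int]$matches[1] }
        if ($line -match 'REG_DWORD\s*=\s*(\d+)\s*$')                 { return [int]$matches[1] }
    }
    $lines | ForEach-Object { if ($_ -match '^\s*\d+:\s*(.+)$') { $matches[1].Trim() } }
}

# 1. Key archival needs an enterprise CA: stand-alone CAs cannot use templates, so they
#    cannot archive keys. CAType 3 and 4 are the stand-alone root and subordinate CA values.
$caType = Get-CARegistryValue 'CAType'
if ($caType -ge 3) { Write-Warning "CAType=$caType: this is a stand-alone CA; key recovery is not available." }

# 2. At least one Key Recovery Agent certificate must be registered; KRACertCount is how
#    many of them the CA uses to encrypt each archived private key.
$kraCount  = Get-CARegistryValue 'KRACertCount'
$kraHashes = @(Get-CARegistryValue 'KRACertHash')
if (-not $kraCount -or $kraHashes.Count -eq 0) {
    Write-Warning 'No KRA certificate is registered on this CA: archived keys could never be recovered.'
} else {
    "CA encrypts each archived key to $kraCount of $($kraHashes.Count) registered KRA certificate(s):"
    $kraHashes | ForEach-Object { "  $_" }
}

# 3. Confirm the Key Recovery Agent template itself is enabled for issuance on this CA.
if (-not (certutil -CATemplates | Select-String '^KeyRecoveryAgent:')) {
    Write-Warning 'The Key Recovery Agent template is not enabled on this CA.'
}

# 4. List templates that require private key archival and check that each issues an
#    encryption-capable key: only encryption keys can be recovered, never signature-only keys.
$RequireArchival = 0x1    # CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL in msPKI-Private-Key-Flag
$KeyEncipherment = 0x20   # keyEncipherment bit of the first pKIKeyUsage byte (X.509 bit order)

$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties displayName, 'msPKI-Private-Key-Flag', pKIKeyUsage |
    Where-Object { ($_.'msPKI-Private-Key-Flag' -band $RequireArchival) -ne 0 } |
    ForEach-Object {
        $usage = [byte[]]$_.pKIKeyUsage
        [PSCustomObject]@{
            Template      = $_.displayName
            ArchivesKey   = $true
            EncryptionKey = [bool]($usage -and (($usage[0] -band $KeyEncipherment) -ne 0))
        }
    } | Format-Table -AutoSize
```

A template that shows ArchivesKey but not EncryptionKey is a misconfiguration worth fixing before users enroll: the CA would archive material that the recovery process cannot put to use.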
Summary of Exam Objectives
The purpose of a PKI is to facilitate the sharing of sensitive information such as
authentication traffic across an insecure network. This is done with public and private
key cryptography. In public key cryptography, keys are generated in pairs so
that every public key is matched to a private key and vice versa. If data is encrypted
with a particular public key, then only the corresponding private key can decrypt
it. A digital signature means that an already encrypted piece of data is further
encrypted by someone's private key. When the recipient wants to decrypt the data,
he or she must first unlock the digital signature by using the signer's public key,
remembering that only the signer's public key will work. This might seem secure,
but because anyone at all can sign the data, how does the recipient know for certain
the identity of the person who actually signed it?
The answer is that digital signatures need to be issued by an authoritative
entity, one whom everyone trusts. This entity is known as a certification authority.
An administrator can use Windows Server 2008, a third-party company such as
VeriSign, or a combination of the two to create a structure of CAs. Certification
authorities, as the name implies, issue certificates. In a nutshell, certificates are
digitally signed public keys. Certificates work something like this: party A wants to
send a private message to party B, and wants to use party B's public key to do it.
Party A realizes that if B's public key is used to encrypt the message, then only B's
private key can be used to decrypt it, and since B and no one else has B's private
key, everything works out well. However, A needs to be sure that he's really using
B's public key and not an imposter's, so instead of just asking B for B's public key,
he asks B for a certificate. B has previously asked the CA for a certificate for just
such an occasion (B will present the certificate to anyone who wants to verify B's
identity). The CA has independently verified B's identity, and has then taken B's
public key and signed it with its own private key, creating a certificate. A trusts the
CA, and is comfortable using the CA's well-known public key. When A uses the
CA's public key to unlock the digital signature, he can be sure that the public key
inside really belongs to B, and he can take that public key and encrypt the message.
The I in PKI refers to the infrastructure, which is a system of public key
cryptography, certificates, and certification authorities. CAs are usually set up in a
hierarchy, with one system acting as a root and all the others as subordinates at one
or more levels deep. By analyzing the certificate requirements for your company, you
can design your CA structure to fit your needs. Most organizations use a three-tier
model, with a root CA at the top, an intermediate level of subordinates who control
CA policy, and a bottom level of subordinates who actually issue certificates to users,
computers, and applications. In addition to choosing root and subordinate structure
for the CA hierarchy, each CA during installation needs to be designated as either an
enterprise or a stand-alone. Each of these choices has distinct advantages and disadvantages.
Most CA configuration after installation is done through the Certification
Authority snap-in. In addition to issuing certificates, CAs are also responsible for
revoking them when necessary. Revoked certificates are published to a CRL that
clients can download before accepting a certificate as valid.
Enterprise CAs use templates to know what to do when a certificate request
is received and how to issue a certificate if approved. There are several built-in
templates included in Server 2008, or you can configure new ones. Once a CA
is ready to issue certificates, clients need to request them. Autoenrollment, Web
enrollment, or manual enrollment through the Certificates snap-in are the three
ways by which a client can request a certificate. Autoenrollment is available for
computer certificates, and in Windows Server 2008, for user certificates as well.
Exam Objectives Fast Track
Planning a Windows Server 2008 Certificate-Based PKI
˛ A PKI combines public key cryptography with digital certificates to create
a secure environment where network traffic such as authentication packets
can travel safely.
˛ Public keys and private keys always come in pairs. If the public key is used
to encrypt data, only the matching private key can decrypt it.
˛ When public key-encrypted data is encrypted again by a private key, that
private key encryption is called a digital signature.
˛ Digital signatures provided by ordinary users aren't very trustworthy, so
a trusted authority is needed to provide them. The authority (which can
be Windows-based) issues certificates, which are basically digitally signed
containers for public keys and other information.
˛ Certificates are used to safely exchange public keys, and provide the basis
for applications such as IPsec, EFS, and smart card authentication.
Implementing Certification Authorities
˛ Certificate needs are based on which applications and communications an
organization uses and how secure they need to be. Based on these needs,
CAs are created by installing certificate services and are managed using the
Certification Authority snap-in.
˛ A CA hierarchy is structured with a root and one or more levels of
subordinates; three levels are common. The bottom level of subordinates
issues certificates. The intermediate level controls policies.
˛ Enterprise CAs require and use Active Directory to issue certificates,
often automatically. Stand-alone CAs can be more secure, and need an
administrator to manually issue or deny certificate requests.
˛ CAs need to be backed up consistently and protected against attacks. Keys
can be archived and later retrieved if they are lost. This is a new feature for
Windows Server 2008.
˛ CAs can revoke as well as issue certificates. Once a certificate is revoked, it
needs to be published to a CRL distribution point. Clients check the CRL
periodically before they can trust a certificate.
Planning Enrollment and Distribution of Certificates
˛ Templates control how a CA acts when handed a request, and how to
issue certificates. There are quite a few built-in templates, or you can
create your own using the Certificate Templates snap-in. Templates must
be enabled before a CA can use them.
˛ Certificates can be requested with the Certificates snap-in or by using
Internet Explorer and pointing to http://servername/certsrv on the CA.
˛ Machine and user certificates can be requested with no user intervention
requirement by using autoenrollment. Autoenrollment for user certificates
is new to Windows Server 2008.
˛ Role-based administration is recommended for larger organizations. Different
users can be assigned permissions relative to their positions, such as certificate
manager.
Exam Objectives Frequently Asked Questions
Q: In what format do CAs issue certificates?
A: Microsoft certificate services use the standard X.509 specifications for issued
certificates and the Public Key Cryptography Standard (PKCS) #10 standard for
certificate requests. The PKCS #7 certificate renewal standard is also supported.
Windows Server 2003 also supports other formats, such as PKCS #12, DER
encoded binary X.509, and Base64 Encoded X.509, for exporting certificates to
computers running non-Windows operating systems.
Q: If certificates are so important in a PKI, why don't I see more of them?
A: Many portions of a Windows PKI are hidden to the end user. Thanks to features
such as autoenrollment, some PKI transactions can be completely done by
the operating system. Most of the work in implementing a PKI comes in the
planning and design phase. Operations such as encrypting data via EFS use
certificates, but the user does not see or manually handle the certificates.
Q: I've heard that I can't take my laptop overseas because it uses EFS. Is this true?
A: Maybe. The backbone of any PKI-enabled application such as EFS is encryption.
Although the U.S. government now permits the exporting of high encryption
standards, some countries still do not allow their import. The Windows Server
2008 PKI can use high encryption, and so the actual answer depends on the
country in question. For information on the cryptographic import and export
policies of a number of countries, see http://www.rsasecurity.com/rsalabs/faq/6-5-1.html.
Q: Can I create my own personal digital signature and use it instead of a CA?
A: Not if you need security. The purposes behind digital signatures are privacy
and security, and a digital signature at first glance seems to fit the bill. The
problem, however, is not the signature itself, but the lack of trust in a recipient.
Impersonations become a looming security risk if you can't guarantee that the
digital signatures you receive came from the people with whom they were
supposed to have originated. For this reason, a certificate issued by a trusted
third party provides the most secure authentication.
Q: Can I have a CA hierarchy that is five levels deep?
A: Yes, but that's probably overkill for most networks. Microsoft's three-tier model
of root, intermediate, and issuing CAs will more than likely meet your requirements.
Remember that your hierarchy can be wide instead of deep.
Q: Do I have to have more than one CA?
A: No. Root CAs have the ability to issue all types of certificates and can assume
responsibility for your entire network. In a small organization, a single CA
might be sufficient for your purposes. For a larger organization, however, this
structure would not be suitable.
Q: How can I change the publishing interval of a CRL?
A: From the Certification Authority console, right-click the Revoked
Certificates container and choose Properties. The CRL Publishing
Parameters tab allows you to change the default interval for full and Delta CRLs.
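The same change made from the command line, added here as an example rather than taken from the book: certutil reads and writes the CA's publishing registry values, and the last step confirms the NextUpdate on the CRL that was actually published. Run it in an elevated prompt on the CA; the one-week base CRL and one-day delta CRL are assumed values, not the book's.

```powershell
# Added example, not from the book: change the CRL publishing interval with certutil.
# Run in an elevated prompt on the CA. The intervals below are assumed, not prescribed.

# Show the current settings first so the change can be reverted if needed.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod

# Base CRL every week, delta CRL every day (units: Hours, Days, Weeks, Months, Years).
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"

# Registry changes take effect when Active Directory Certificate Services restarts.
Restart-Service CertSvc

# Publish a fresh CRL now rather than waiting for the next scheduled run.
certutil -CRL

# Confirm the new NextUpdate on the base CRL the CA just wrote to its CertEnroll folder
# (delta CRLs carry a trailing "+" in the file name and are skipped here).
$crl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
       Where-Object { $_.Name -notlike '*+.crl' } |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $crl.FullName | Select-String 'ThisUpdate|NextUpdate|CRL Number'
```

Clients that cached the old CRL keep using it until its NextUpdate passes, so a shorter interval only takes full effect once the previous CRL expires.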
Q: Why cant I seem to get autoenrollment for user certificates to work?
A: Remember that autoenrollment for machines is a feature that has been
around since Windows 2000, but autoenrollment for user certificates is new
to Windows Server 2003. In order to use this feature, you need to be running
either a Windows Server 2003 or XP client and you must log on to a Windows
Server 2003 domain. Finally, autoenrollment must be enabled through Active
Directory's group policy. Also, you won't be able to autoenroll a user unless the
user account has been assigned an e-mail address.
Q: What is the default validity period for a new certificate?
A: The default, which can be changed on the General tab of a new template's
Property sheet, is one year. Other important settings, such as minimum key
size and purpose of the certificate, can be found on the sheet's other tabs.
Q: If my smart card is lost or stolen, can I be reissued one?
A: Yes. The enrollment agent can enroll a new card for you at the enrollment
station. Although most smart card providers allow cards to be reused (such as
when they are found), a highly secure company may require old cards to be
destroyed. For similar security reasons, PINs should not be reused on a newly
issued card although it is possible. Remember that a card is only good to a thief
if the corresponding PIN is obtained as well.
Q: When setting up smart cards for my company, can I use the MS-CHAP or
MS-CHAP v2 protocols for authentication?
A: No. EAP is the only authentication method you can use with smart cards. It is
considered the pinnacle of the authentication protocols under Windows Server
2003. MS-CHAP v2 is probably the most secure of the password-based protocols,
but still does not provide the level of protection that smart cards using EAP do.
This is because EAP is not really an authentication protocol by itself. It interfaces
with other protocols such as MD5-CHAP, and is therefore extremely flexible. As
a result it has been widely implemented by many different vendors. MS-CHAP
and MS-CHAP v2 are Microsoft proprietary, and do not enjoy the same popularity
or scrutiny applied to EAP. It is this scrutiny over the last several years that
gives EAP the reputation of a highly secure protocol.
Q: How can I determine the length of time for which a certificate should be valid?
A: It is important to plan out your PKI implementation before it goes into
production. In the case of certificate validity, you'll want to choose a time
period that will cover the majority of your needs without being so long as
to open your environment up to compromise.
If you are planning a certificate to support a traveling workforce that only
connects to the corporate infrastructure once a quarter, it would be detrimental
to expire certificates once a month. At the same time, specifying a certificate to be
valid for 20 years might open your business up to compromise by an ex-employee
long after his employment has been terminated.
Finally, you will want to ensure that your certificate lifetime is shorter than the
lifetime of the CA's own certificate. If the issuing CA will only be valid
for a year, having a subordinate cert that is good for 5 years will lead to problems
when the parent authority is revoked.
Q: My domain has been active for some time, but I have only recently implemented
a Certificate Authority in my domain. I am now getting messages that my
Domain Controllers do not have appropriate certificates. What should I do?
A: Make sure that you have enabled auto enrollment on your Domain Controller
certificate templates. This step is often missed and can lead to a number of
secondary problems, the least of which is annoying messages in the Event Logs.
Self Test
1. You have been asked to provide an additional security system for your company's
internet activity. This system should act as an underlying cryptography
system. It should enable users or computers that have never been in trusted
communication before to validate themselves by referencing an association
to a trusted third party (TTP). Which method of security is the above example
referencing?
A. Certificate Authority (CA)
B. Nonrepudiation
C. Cryptanalysis
D. Public Key Infrastructure (PKI)
2. You are engaged in an exercise that is meant to demonstrate the Public-Key
Cryptography Standards (PKCS). You arrive at a portion of the exercise dealing
with encrypting a string with a secret key based on a password. Which of the
following PKCS does this exercise address?
A. PKCS #5
B. PKCS #1
C. PKCS #8
D. PKCS #9
3. You are working in a Windows Server 2008 PKI and going over various user
profiles that are subject to deletion due to company policy. The public keys for
these users are stored under Documents and Settings\Administrator\System
Certificates\My\Certificates and the private keys would be under Documents
and Settings\Administrator\Crypto\RSA. You possess copies of the public keys
in the registry, and in Active Directory. What effect will the deletion of the
user profile have on the private key?
A. It will have no effect.
B. It will be replaced by the public key that is stored.
C. The Private Key will be lost.
D. None of the above.
4. Two users, Dave and Dixine, wish to communicate privately. Dave and Dixine
each own a key pair consisting of a public key and a private key. If Dave wants
Dixine to send him an encrypted message, which of the following security
measures occurs first?
A. Dave transmits his public key to Dixine.
B. Dixine uses Daves public key to encrypt the message.
C. Nothing occurs; the message is simply sent.
D. Dixine requests access to Dave's private key.
5. You are browsing your company's e-commerce site using Internet Explorer 7
and have added a number of products to the shopping cart. You notice that
there is a padlock symbol in the browser. By right clicking this symbol you
will be able to view information concerning the site's:
A. Private Key.
B. Public Key.
C. Information Architecture.
D. Certificates.
6. You are engaged in an exercise that is meant to demonstrate the Public-Key
Cryptography Standards (PKCS) used in modern encryption. You arrive at a
portion of the exercise which outlines the encryption of data using the RSA
algorithm. Which of the following PKCS does this exercise address?
A. PKCS #5
B. PKCS #1
C. PKCS #8
D. PKCS #9
7. You are the administrator of your company's Windows Server 2008-based
network and are attempting to enroll a smart card and configure it at an
enrollment station. Which of the following certificates must be requested in
order to accomplish this action?
A. A machine certificate.
B. An application certificate.
C. A user certificate.
D. All of the above.
8. Dave and Dixine each own a key pair consisting of a public and private key.
A public key was used to encrypt a message and the corresponding private
key was used to decrypt. Dave wants Dixine to know that a document he
is responding with was really written by him. How is this possible using the
given scenario?
A. Dave's private key can encrypt the document and the matching public key
can be used to decrypt it.
B. Dave can send Dixine his private key as proof.
C. Dixine can allow Dave access to her private key to encrypt the document.
D. None of the above.
9. You are administering a large hierarchical government environment in which a
trust model needs to be established. The company does not want external CAs
involved in the verification process. Which of the following is the best trust
model deployment for this scenario?
A. A hierarchical first party trust model.
B. A third party single CA trust model.
C. A first party single CA trust Model.
D. None of these will meet the needs of the company.
10. Two users, Dave and Dixine, wish to communicate privately. Dave and Dixine
each own a key pair consisting of a public key and a private key. A public key
was used to encrypt a message and the corresponding private key was used to
decrypt. What is the major security issue with this scenario?
A. Private keys are revealed during the initial transaction.
B. Information encrypted with a public key can be decrypted too easily without
the private key.
C. An attacker can intercept the data mid-stream, and replace the original
signature with his or her own, using his private key.
D. None of the Above.
Self Test Quick Answer Key
1. D
2. A
3. C
4. A
5. C
6. B
7. C
8. A
9. A
10. C
Chapter 8
MCTS/MCITP Exam 640
Maintaining an Active Directory Environment
Exam objectives in this chapter:
■ Backup and Recovery
■ Offline Maintenance
■ Monitoring Active Directory
Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
534 Chapter 8 Maintaining an Active Directory Environment
www.syngress.com
Introduction
Being able to implement a Windows Server 2008 Active Directory environment is
only half the battle. You must also be able to maintain the environment to provide
minimum downtime and optimum performance of your enterprise. Various solutions
and strategies come into play as part of maintenance. Some can be seen as larger
disaster recovery components, whereas others may simply be tweaking the
environment to improve user experience.
In some situations, maintenance may fall somewhere in between: a user
account is accidentally deleted, a file is accidentally deleted, or replication is underperforming
or not performing at all! In this chapter, you will learn about the many
maintenance and management tools offered as a part of Windows Server 2008, as well
as some solutions to better improve your Windows Active Directory environment.
These topics will be critical not only to your exam success, but also to your success
as an IT professional. We will begin this section with a discussion of Windows Server
Backup and how it has changed drastically from earlier versions of the Windows
server product.
Backup and Recovery
Most people never think about backup and recovery until they need it. Microsoft
has been shipping a simple backup solution with Windows since Windows NT 3.1
back in 1993. The technology used today has changed since then, but the needs are
still the same. Administrators need the ability to effectively back up servers, data, and
the system state while also having an easy way to restore when needed.
Windows Server 2008 does not support the old NTBackup.exe tool or its
backup format. It now uses a backup feature called Windows Server Backup. This
feature cannot read the old .bkf files. Therefore, it cannot restore any backups from
NTBackup.exe. Windows Server Backup is primarily intended for use by small
businesses and companies that do not have a full-time or highly technical IT staff.
Windows Server Backup uses the same backup technology found in Windows
Vista, which is a block-level image. It uses .vhd image files just like those found in
Microsoft Virtual Server. After the first full backup is complete, Windows Server
Backup can be configured to automatically run incremental backups, therefore
saving only the data that has changed and not the entire object over and over again.
Restoration is also simplified in that an administrator no longer has to manually
restore from multiple backups if an item was stored on an incremental backup.
They can now restore items by choosing a backup to recover from and then selecting
the item(s) to restore. One thing that you cannot do in Windows Server Backup,
however, is back up to tape. Tape is not a supported medium for Windows Server
Backup. You can back up to disks, DVDs, and network shares.
New and Noteworthy
Windows Server Backup
Although you cannot use Windows Server Backup to recover files from
a .bkf format, you can download a version of Windows Backup for
Windows Server 2008. It is for use by administrators who need to recover
data from backups taken using NTBackup. The downloadable version
cannot be used to create additional backups on Windows Server 2008. To
download NTBackup for Windows Server 2008 go to http://go.microsoft.com/fwlink/?LinkId=82917.
Using Windows Server Backup
Before using Windows Server Backup, you must install the feature. Just like many of
the features within Windows Server 2008, Windows Server Backup is installed via
a wizard through Server Manager. Installing the Windows Server Backup feature is
easy and simple; just follow the steps in Exercise 8.1.
EXERCISE 8.1
INSTALLING WINDOWS SERVER BACKUP
1. Log on to Windows Server 2008 as an administrator (domain
admin or local admin).
2. Click Start | Administrative Tools | Server Manager. Server
Manager should come up.
3. In Server Manager, on the left window pane also known as the
Console Tree, click on the top icon where it reads Server Manager
<server name>. In our case, it reads Server Manager (SIGMA).
4. You'll now see a list of different options. Go to Features and click
on it. Server Manager will show the different features installed
on that particular server in the Details pane to the right of the
console tree. Figure 8.1 is an example of what an administrator
would see after doing this.
Figure 8.1 The List of Features Installed
5. In the console tree, right-click Features and choose Add Features.
You will now come to the Select Features window via the Add
Features Wizard. Scroll down the list to where you see Windows
Server Backup Features and put a check beside it and click Next.
In Figure 8.2, you'll notice that you are installing the Windows
Server Backup and the Command-line Tools.
Head of the Class
Command-Line Tools
If you want to install the Command-line Tools with the Windows Server
Backup Features, you must also install Windows PowerShell. Windows
PowerShell is a command-line shell and scripting language that allows
IT professionals to better control system administration and automation.
It is built on top of the .NET Framework and uses cmdlets (command-lets),
each of which is a single-function command-line tool built into the shell.
Figure 8.2 Selecting Windows Server Backup Features
6. Now you will come to the Confirm Installation Selections screen.
Once you've verified that the feature(s) you plan to install are
shown in the confirmation list, click Install.
7. Once the installation has completed, you will come to the
Installation Results screen, as shown in Figure 8.3. Notice that
we installed the Windows PowerShell and the Windows Server
Backup Features successfully. Once the installation is complete,
click on Close.
Figure 8.3 Installation Results
8. Back in Server Manager, you will see the list of features installed,
and in the list you will see Windows Server Backup Features, just
as you see in Figure 8.4.
To use the newly installed Windows Server Backup, simply click Start |
Administrative Tools | Windows Server Backup. As you can see in Figure 8.5,
Windows Server Backup's interface is pretty straightforward. Information about
backups and messages is shown in the left pane, and options such as the following
are shown in the right pane:
■ Backup Schedule
■ Backup Once
■ Recover
■ Configure Performance Settings
■ Connect To Another Computer
Figure 8.4 The List of Features Installed
Scheduling a Backup
Windows Server Backup allows administrators and operators with sufficient rights
to schedule backups to take place at certain times on a regular basis. In scheduling
a backup, you need to decide what you want to back up, how often and when the
backup(s) are to take place, and where to store the backup(s). To schedule a backup,
follow the steps in Exercise 8.2.
EXERCISE 8.2
SCHEDULING A BACKUP
1. In Windows Server Backup go to the Actions pane and select
Backup Schedule. This will kick off the Backup Schedule Wizard
which you see in Figure 8.6.
Figure 8.5 Windows Server Backup
2. Next you're asked what type of configuration you want to
schedule. You can select Full Server or you can select Custom, as
shown in Figure 8.7. The full server configuration will back up all
data, applications, and system state. Selecting Custom, though,
allows you to select which items you would prefer to back up.
For our example, we will choose to conduct a Full Server backup.
After you have made your decision just click Next.
Figure 8.6 The Backup Schedule Wizard's Getting Started Screen
3. The next thing we need to do in scheduling our backup is decide
how often we want to conduct a backup and what time(s) to run
it. In Figure 8.8, you see we have decided to kick off our backup
once a day at midnight. After deciding when and how often
backups are to take place, click Next to continue.
Figure 8.7 Selecting Backup Configuration
4. Now we need to tell Windows Server Backup where we want to
store the backup. For scheduled backups, we have to use a locally
attached drive. This can be a DVD drive, a USB flash drive, or
even an externally attached drive. It cannot be a network drive.
Although Windows Server Backup does allow you to back up to a
network drive, you are not allowed to schedule a job that does.
On our system, we have a second drive listed as volume E. We
will have our scheduled backup job use this as the destination; to
continue we just click Next. You'll notice a pop-up from Windows
Server Backup, letting you know that it will reformat the destination
drive you selected and that it will only be dedicated to
backing up files and will not show up in Windows Explorer.
Figure 8.8 Specifying the Backup Time
To continue, just click Yes. Figure 8.9 shows that we have chosen
the E drive as our destination disk and Figure 8.10 informs us that
the destination drive will be reformatted, among other things.
Figure 8.9 Selecting the Destination Disk
Figure 8.10 The Destination Drive Will Be Reformatted
5. Windows Server Backup will now label the destination disk. The
default name will be in the form of <server name> year_month_date
<military time>. As you see in Figure 8.11, our label will be
SIGMA 2008_01_10 14:08. After confirming this, you can click Next.
Figure 8.11 Labeling the Destination Disk
EXAM WARNING
It is highly recommended that administrators and backup operators
alike write the label name on the destination drive. During recovery
Windows Server Backup may specify a disk holding backups with a specific
label name.
6. The final step in scheduling a backup is to confirm your selections.
The Confirmation screen will show you what you have chosen
as the backup items, times, and the destination, as you see in
Figure 8.12. After you've confirmed your choices, click Finish.
Figure 8.12 The Backup Schedule Confirmation
Now that we have a scheduled backup, we can just wait for it to kick off
at midnight. In Figure 8.13, you'll notice in Windows Server Backup we went
ahead and ran a full backup. You'll see under Messages and Status that we have
conducted a successful backup. We did this by going into the Actions pane and
selecting Backup Once. This gave us a chance to test the backup configuration.
As you've seen, we've gone through installing Windows Server Backup, and gone
over the media it supports, how to schedule a backup, and how to immediately start
one. What we have not covered, which you will be tested on, is how to use the
wbadmin command.
Wbadmin.exe is the command-line utility that comes with Windows Server
Backup. It can be used to perform backups and restores from the command line or via
batch files and scripts. Table 8.1 is a list of the commands supported by wbadmin.exe.
Figure 8.13 A Successful Backup
Table 8.1 The wbadmin.exe Command

Command                              Description
wbadmin enable backup                Enables or configures scheduled daily backups
wbadmin disable backup               Disables running scheduled daily backups
wbadmin start backup                 Runs a backup job
wbadmin stop job                     Stops a running backup or recovery job
wbadmin get versions                 Reports information about the available backups
wbadmin get items                    Lists the items included in a backup based on
                                     parameters you specify
wbadmin start recovery               Runs a recovery of the volumes, applications, or
                                     files and folders specified
wbadmin get status                   Gives the status of a backup or recovery job
wbadmin get disks                    Lists disks that are currently online
wbadmin start systemstaterecovery    Recovers the system state from a backup
wbadmin start systemrecovery         Runs a full system recovery. Available only if you
                                     are using the Windows Recovery Environment.
wbadmin restore catalog              Recovers a backup catalog that has been corrupted
wbadmin delete catalog               Deletes a catalog that has been corrupted
wbadmin start systemstatebackup      Runs a system state backup
wbadmin delete systemstatebackup     Deletes one or more system state backups

Backing Up to Removable Media
In Windows Server 2008, WBS can back up to removable media such as DVDs and
USB-based flash drives. Although the wizard-driven GUI cannot back up
to removable media, wbadmin.exe can. One of the big advantages of being able to
back up to removable media is that you can easily take it offsite. One disadvantage
to using removable media with WBS is that recovery can be done only at the
volume level. It cannot be done by recovering individual files or folders, which can
be done only via the GUI, which does not support removable media. So, how do we
back up to removable media? That's a good question. In Exercise 8.3, we will back
up a server to DVDs.
EXERCISE 8.3
BACKING UP TO DVD
1. Make sure your system has a DVD burner either attached to it or
internal to the server.
2. Log on as either the Administrator or a member of the Backup
Operators.
3. Put a blank DVD in the DVD burner.
4. Open a command prompt (Start | Command Prompt); at the
prompt type wbadmin start backup -backupTarget:E: -include:C:
and then press Enter. You should see a screen similar to that
shown in Figure 8.14 (if your DVD drive is another drive letter
instead of E, use that drive letter for the -backupTarget argument).
Figure 8.14 Backing Up the Server to DVD
5. At the Do you want to start the backup operation? prompt, type Y
for yes and press Enter.
6. Now you are told to insert new media, which in this case is a
DVD, which we will label as SIPOC 2008_01_14 23:19 DVD_01,
as shown in Figure 8.15. The naming standard is <server name>
<year_month_date> <time (in military time)> <type of media_number
of media just used>. So, take the first DVD out, write
down the proper label, put in a new blank DVD, and type
C to continue. For our example, we are also asked to submit a
third DVD. The second DVD will have the name SIPOC 2008_01_14
23:19 DVD_02 and any additional DVDs will have the same name
except for the DVD_##.
Figure 8.15 Labeling the First DVD and Continuing
7. Once the backup is complete, you will get a summary by
wbadmin similar to the one in Figure 8.16. After you're finished
with the backup, just take the last DVD out of the DVD burner.
Figure 8.16 The Completed Backup
Backing Up System State Data
The components that make up the system state in Windows Server 2008 depend
on the role(s) that are installed on a server and which volumes host the critical files
that the operating system and the installed roles use. The system state for all servers
at a minimum includes the Registry, the COM+ Class Registration database,
system files, boot files, and files under Windows Resource Protection (WRP). WRP
is the new name for what was known as Windows File Protection under Windows
Server 2003 and earlier. Servers that are domain controllers (DCs) also include the
Active Directory Domain Services database and the System Volume (SYSVOL)
directory. Other servers, depending on their roles, may also include the Active
Directory Certificate Services database, cluster service information, and the Internet
Information Server (IIS) metadirectory.
Backing up the System State in Windows Server 2008 creates a point-in-time
snapshot that you can use to restore a server to a previous working state. It does this
using the Volume Shadow Copy Service (VSS). VSS helps to prevent inadvertent
data loss. It creates shadow copies of files and/or folders stored on network file
shares set up at predetermined time intervals. It is essentially a previous version of
the file or folder at a specific point in time.
Without a copy of the System State, recovery of a crashed server would be
impossible. The System State is always backed up when full backups are invoked,
whether through the WBS Wizard or wbadmin. To back up the System State by
itself you must use the wbadmin command, though, and it cannot be scheduled
unless you create a script that forces it to. In Exercise 8.4, we will back up the
system state to our E drive.
Head of the Class
Unformatted DVDs
If a DVD is unformatted, Windows Server 2008 will automatically format
it during the backup.
EXERCISE 8.4
PERFORMING A SYSTEM STATE BACKUP
1. Log on to a Windows Server 2008 server and open a command
prompt (Start | Command Prompt).
2. In the command prompt, type wbadmin.exe start
systemstatebackup -backupTarget:E:.
3. We are told that This would backup the system state from
volume(s) Local Disk (C:) to E:. Do you want to start the backup
operation? Type Y for yes.
Next, wbadmin creates the shadow copy of the C drive. After
it does this it identifies the system state files to back up. Once
it has completed its search for system state files, it begins the
backup. Figure 8.17 shows that we have finished performing a
system state backup.
Figure 8.17 The System State Backup Is Complete
As you can see, once the backup is complete, wbadmin
creates a log with a naming convention of
SystemStateBackup 13-01-2008 00-55-41.log. Opening the log you see the
different files that were backed up. Figure 8.18 is a view of our log.
Figure 8.18 A SystemStateBackup Log
Our system state backup resides at
E:\WindowsImageBackup\SIGMA\SystemStateBackup\Backup 2008-01-13 055541.
The E drive here is another fixed disk within our local server. Figure 8.19 shows
the files in this directory. Notice that the system state backup
alone is around 6 GB and that it is a .vhd file, the new format for
Windows Server Backup, and no longer a .bkf file.
Figure 8.19 The System State VHD File
EXAM WARNING
System state backups must have local drives as targets. They are not
supported on DVDs, removable media, or remote/network drives. You
can back up to a local drive and then copy the SystemStateBackup
directory to another drive or device once the system state backup has
been completed.
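The scripted scheduling the text mentions and the copy step the Exam Warning recommends, as an added example that is not from the book: a PowerShell (2.0 or later) script wrapping wbadmin start systemstatebackup so it runs unattended, fails loudly, and copies the finished SystemStateBackup directory off the target disk. The E: target, the \\BACKUPSRV\sysstate$ share, the log path and the script path are assumptions.

```powershell
# Added example, not from the book: script the system state backup so it can
# run unattended from Task Scheduler, then copy the result off the target disk.
# Assumptions: E: is a local fixed disk, \\BACKUPSRV\sysstate$ is a hypothetical
# share for the second copy, and C:\BackupLogs holds the logs.
param(
    [string]$BackupTarget = 'E:',                    # must be a local drive (no DVD, USB, or UNC path)
    [string]$SecondCopy   = '\\BACKUPSRV\sysstate$', # hypothetical; any path reachable after the backup
    [string]$LogDir       = 'C:\BackupLogs'
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ('SystemStateBackup_{0:yyyy-MM-dd_HH-mm-ss}.log' -f (Get-Date))

# -quiet answers the "Do you want to start the backup operation?" prompt for us,
# which is what makes this runnable with nobody at the console.
& wbadmin.exe start systemstatebackup "-backupTarget:$BackupTarget" -quiet | Tee-Object -FilePath $log
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin exited with code $LASTEXITCODE; see $log"
}

# wbadmin writes to <target>\WindowsImageBackup\<server>\SystemStateBackup\Backup <date> <time>
$stateDir = Join-Path $BackupTarget "WindowsImageBackup\$env:COMPUTERNAME\SystemStateBackup"
$latest   = Get-ChildItem -Path $stateDir |
            Where-Object { $_.PSIsContainer } |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First 1
if (-not $latest) { throw "No backup directory found under $stateDir" }

# A backup that lives only on the server it protects is lost together with that server.
Copy-Item -Path $latest.FullName -Destination (Join-Path $SecondCopy $latest.Name) -Recurse
Write-Host "System state backup $($latest.Name) copied to $SecondCopy"

# Register the script once, as an administrator, to get the daily schedule that
# wbadmin alone does not offer for system state backups (the script is assumed
# to be saved as C:\Scripts\Backup-SystemState.ps1):
#   schtasks /create /tn "System State Backup" /sc daily /st 00:00 /ru SYSTEM ^
#     /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Backup-SystemState.ps1"
```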
Backing Up Key Files
Windows Server Backup does not allow you to back up specific files or directories.
In other words, you must specify the volume you plan to back up. For example, if
I wanted to back up the Users directory on a server, I would need to back up that
entire volume so that any other files and folders are automatically backed up. So, if
the Users directory resides on the C drive of the server, performing a backup on
that volume will back up that directory and the files within it. On our server, in
Figure 8.20, you see that the user swhitley has numerous files in the
Users\swhitley\lab results directory. To back this up we can do a full backup of the
server or a backup of the volume where this user's data resides. As we showed earlier,
to manually back up the server, just open Windows Server Backup, go to the Actions
pane and select Backup Once.
After the backup, we'll run through a scenario where we will need to restore
this data. Let's walk through backing up the drive to DVD using wbadmin.exe.
Figure 8.20 swhitley's User Directory
Backing Up Critical Volumes
Disks and volumes in a Windows Server 2008 system are divided into two
categories: critical and noncritical. Critical volumes are those containing system
state or operating system components. They include the boot and system volumes.
A volume containing the Active Directory database (ntds.dit) on a DC is also an
example of a critical volume. Critical disks are those that contain critical volumes.
Here are two ways to back up critical volumes; the first uses the Windows Server
Backup utility and the second uses wbadmin.
To back up critical volumes with the GUI:
1. Click Start | Administrative Tools | Windows Server Backup.
2. In the Action pane, select Backup Once.
3. In the wizard, at the Backup options screen, select Different options
and then click Next.
4. If this is the first backup of the DC, select Yes to confirm that this is the
first backup.
5. On the Select backup configuration screen, select Custom and then
Next.
6. On the Select backup items screen, select the Enable system recovery
checkbox, or you can clear that checkbox and select the individual
volumes that you want to include. If you do this, you must select the
volume(s) that store the operating system, ntds.dit, and SYSVOL.
7. On the Specify destination type screen, select Local drives or
Remote shared folder and then click Next.
8. On the Select backup destination screen, select the backup location.
If you are backing up to a local drive, in the Backup destination select
a drive and click Next. If you're backing up to a remote shared folder, type
the path using the UNC name and click Next.
9. On the Specify advanced option screen, select VSS copy backup
(default) then click Next.
10. At the Summary screen, review your selections and click Backup.
11. After the backup is complete choose Close.
To back up critical volumes using wbadmin.exe do the following:
1. Click Start | Command Prompt.
2. At the command prompt type wbadmin start backup -allCritical
-backupTarget:<targetdrive>: -quiet.
The -quiet switch allows you to bypass having to type Y when asked to
proceed with the backup operation.
Recovering System State Data
Sometimes the operating system may become corrupt or unstable. Maybe a role
or service needs to be rolled back to a previously backed up state. The fastest
and easiest method to do this is to perform a system state recovery. As we already
know, the only way to back up system state independently is to use wbadmin.exe.
This is the same for recovery. You must use wbadmin to independently restore
the system state. In our example in backing up the system state, we saved the
system state on another local hard drive on the server (the E drive). The .vhd file,
which is the actual backup file, resides in
E:\WindowsImageBackup\SIGMA\SystemStateBackup\Backup 2008-01-13 055541.
Exercise 8.5 walks you through
the steps in recovering the system state for a member server.
EXERCISE 8.5
RECOVERING SYSTEM STATE FOR MEMBER SERVER
1. To recover a system state we must log on to the server as the
administrator.
2. Pull up the command prompt (Start | Command Prompt).
3. In the command prompt type wbadmin get versions. You'll see a list
of the backups you've made on that server. They will be arranged
by date and time. You'll also see what you can recover with each
backup. At the bottom of the list in Figure 8.21, notice that the last
backup's time, its target, the version identifier, and what
it can recover match our example earlier in the chapter. That is the
backup we will recover.
4. In the command prompt, select your desired backup by highlighting
the version identifier, which in our case is 01/13/2008-05:55, and
pressing Enter. This stores it in the Clipboard.
5. At the prompt, type wbadmin start systemstaterecovery
-version:01/13/2008-05:55 and press Enter (remember that you can paste
the version identifier by clicking on the upper-left corner of the
command prompt and selecting Edit | Paste).
6. Next, wbadmin will prompt you with Do you want to start the
system state recovery operation? Type Y for yes and press Enter.
7. The system state recovery takes a few minutes to complete. After
it's finished, reboot the server and that's it. You've recovered the
system state.
Figure 8.21 The Command Prompt
EXAM WARNING
To recover the system state for a DC, you must be in Directory Services
Restore Mode (DSRM).
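Steps 3 through 5 of Exercise 8.5 as a script, added here and not from the book: it parses the output of wbadmin get versions, keeps only backups that can recover the system state, picks the most recent by version identifier, and builds the recovery command from it. The sample output is constructed to match the fields wbadmin prints (Backup time, Backup target, Version identifier, Can recover); the server name, drive letters and timestamps are assumptions, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the book: choose a system state backup from
# "wbadmin get versions" output and build the matching recovery command.

function ConvertFrom-WbadminVersions {
    param([string[]]$Lines)
    # wbadmin prints one block per backup: Backup time, Backup target,
    # Version identifier, Can recover. A "Can recover:" line closes a block.
    $versions = @()
    $current  = @{}
    foreach ($line in $Lines) {
        if     ($line -match '^\s*Backup time:\s*(.+)$')          { $current = @{ BackupTime = $Matches[1].Trim() } }
        elseif ($line -match '^\s*Backup target:\s*(.+)$')        { $current.Target = $Matches[1].Trim() }
        elseif ($line -match '^\s*Version identifier:\s*(\S+)')   { $current.Version = $Matches[1] }
        elseif ($line -match '^\s*Can recover:\s*(.+)$') {
            $current.CanRecover = $Matches[1].Trim()
            $versions += New-Object PSObject -Property $current
        }
    }
    return $versions
}

function Get-LatestSystemStateVersion {
    param([string[]]$Lines)
    # Only a backup that actually contains the system state is usable with
    # "start systemstaterecovery"; a plain volume backup is not.
    $culture = [Globalization.CultureInfo]::InvariantCulture
    ConvertFrom-WbadminVersions -Lines $Lines |
        Where-Object { $_.CanRecover -match 'System State' } |
        Sort-Object { [datetime]::ParseExact($_.Version, 'MM/dd/yyyy-HH:mm', $culture) } -Descending |
        Select-Object -First 1
}

# Constructed sample of "wbadmin get versions" output (not captured from a real server).
$sample = @'
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.

Backup time: 1/10/2008 12:00 AM
Backup target: Fixed Disk labeled SIGMA 2008_01_10 14:08
Version identifier: 01/10/2008-05:00
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 1/13/2008 12:55 AM
Backup target: Fixed Disk labeled E:
Version identifier: 01/13/2008-05:55
Can recover: Application(s), System State
'@ -split "`r?`n"

$latest = Get-LatestSystemStateVersion -Lines $sample
Write-Host "Most recent system state backup: $($latest.Version) on $($latest.Target)"
# With the sample above this is 01/13/2008-05:55, the identifier used in step 5.

# To run the recovery itself (the -quiet switch skips the Y/N prompt):
# & wbadmin.exe start systemstaterecovery "-version:$($latest.Version)" -quiet
```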
Recovering Key Files
With WSB, we can recover individual files and folders as long as the backup
resides on a local drive with the system. In other words, if a full backup was made
to a network drive, DVD, or any other remote/removable media we would have
to restore the entire volume. In the Backing Up Key Files section earlier in this
chapter, we showed that the user swhitley had a directory called lab results within
her Users directory (refer back to Figure 8.20). As we all know, sometimes files
and, worse, directories are deleted accidentally. Well, one day swhitley gets to work
and notices her lab results directory is gone, as shown in Figure 8.22. She needs
this directory ASAP. One option with Windows Server 2008 is to use WSB to
individually recover directories and/or files. Exercise 8.6 shows how to do this.
EXERCISE 8.6
RECOVERING FILES AND DIRECTORIES
Figure 8.22 An Accidentally Deleted Directory
1. Pull up WSB (Start | Administrative Tools | Windows Server
Backup).
2. In the Actions pane select Recover.
3. At the Getting Started screen, you're asked Which server do you
want to recover data from? For our scenario, we will select This
server (SIGMA). Click Next.
4. In Figure 8.23, you see that we must select the date of a backup
we want to use for the recovery. We will select a backup done on
01/14/2008 at 6:45 P.M. located on the E drive. Click Next.
Figure 8.23 Selecting the Backup Date
5. We now need to select a recovery type. We have three options:
Files and Folders, Applications (grayed out), and Volumes. If we
select Volumes, we can restore the entire volume, such as drive C,
but we will not be able to individually select files or folders to
recover. Applications are available when an application's plug-ins
are registered. Currently we do not have any; therefore, this
option is grayed out. Files and Folders will allow us to individually
select what files or folders we want to recover. Because we want
to recover swhitley's lab results folder, we will choose this option,
as shown in Figure 8.24. Click Next.
Figure 8.24 Selecting the Recovery Type
6. We must now choose what items we want to recover. We need to
get to swhitley's Users directory and choose Lab Results, as shown
in Figure 8.25, and then click Next.
7. Figure 8.26 shows that we have to specify recovery options such
as the recovery destination, how to handle conflicts, and whether
to restore security settings. We will be recovering the lab results
folder to its original destination. We will also select Create copies
so we have both versions of the file or folder. This is the safest
option we have. Finally, we want the original security settings
that were there before the folder was deleted put back in place. Once
we've done that we can click Next.
Figure 8.25 Selecting Items to Recover
8. WSB will now ask us to confirm what we want to recover, as
shown in Figure 8.27. Once we've done that we can click Recover.
Figure 8.26 Specifying Recovery Options
9. After the recovery process is over, just click Close.
We can now check swhitley's Users directory to see whether the lab results
directory was recovered and whether the files that resided there are restored as well.
Figure 8.28 shows that we have a successful recovery of her directory and the files
that reside there.
Figure 8.27 Confirming What We Want to Recover
Directory Services Restore Mode
Directory Services Restore Mode (DSRM) is a special boot mode in Windows
Server 2008. You use it to log on to a DC when either Active Directory has failed
or an object needs to be restored. During setup, you were asked to provide a
password for the DSRM administrator. This administrator account (Administrator)
is separate from the domain administrator account. This account is used once you
boot into DSRM.
If you have forgotten the DSRM password, you can reset it by doing the
following:
1. Click Start | Command Prompt.
2. In the command prompt, type ntdsutil then press Enter.
3. At the ntdsutil prompt, type set dsrm password and press Enter.
Figure 8.28 Verifying That the Directory and Files Have Been Restored
4. At the Reset DSRM Administrative Password prompt, type reset
password on server null (if you are resetting the DSRM password on
a remote server, type reset password on server <servername>).
5. Type in the new password, press Enter, and then retype the password for
verification and press Enter again.
6. After you receive the Password has been set successfully message, type quit
at both the Reset DSRM Administrator Password prompt and the ntdsutil
prompt.
To access DSRM, you must restart the DC and then press F8 immediately
after the BIOS POST screen and before the Windows Server 2008 logo appears.
Once youve done this, you will see the Advanced Boot Options screen shown
in Figure 8.29. To restore Active Directory you would choose Directory Services
Restore Mode and then perform either an authoritative or a nonauthoritative
restore, which we will cover in more detail in the next section.
Figure 8.29 Choosing Directory Services Restore Mode
So, what if you don't remember the password for the DSRM administrator?
No problem; Microsoft anticipated this. Just follow the steps in Exercise 8.7.
EXERCISE 8.7
RESETTING THE DSRM ADMINISTRATOR PASSWORD
1. Open a command prompt (Start | Command Prompt).
2. At the command prompt, type ntdsutil and press Enter.
3. At the ntdsutil prompt, type set dsrm password and press Enter.
4. You will now come to the Reset DSRM Administrator Password
prompt. Type reset password on server null and press Enter.
Configuring and Implementing
Resetting DSRM Administrator Passwords
You can reset the DSRM Administrator password on another server by
typing reset password on server <server name's FQDN> at the Reset
DSRM Administrator Password prompt.
5. At the Please type password for DS Restore Mode Administrator
Account type the new password. You will notice that you will not
see the characters that you are typing. After you do this, press
Enter.
6. You will now be prompted to confirm the password; do so and
press Enter.
7. After you have done this correctly, ntdsutil will confirm that the
password has been reset.
8. Now type q and press Enter at the Reset DSRM Administrator
Password prompt.
9. At the ntdsutil prompt, type q and press Enter. You have now
reset the DSRM Administrator's password, which you can see in
Figure 8.30.
Performing Authoritative and Nonauthoritative Restores
One day you may find yourself with a DC that has a corrupted copy of ntds.dit.
To resolve issues such as this you would need to perform a nonauthoritative
restore, which we will cover soon. Other times you may have accidentally deleted
an object (user, computer, printer, etc.) from Active Directory and you have no
way to restore it within Active Directory. This is usually because after the object is
deleted, the change has already been replicated to the other DCs in the domain.
To fix this you need to perform an authoritative restore, which we will discuss in
the next section.
Authoritative Restore
As just mentioned, one of the reasons to perform an authoritative restore is when
an object is accidentally deleted in Active Directory and the deletion has already
replicated to the remaining DCs. If you simply did a nonauthoritative restore,
the object would restore but would be deleted after the other DCs replicated
with the recovered system. Exercise 8.8 provides the steps for conducting an
authoritative restore.
Figure 8.30 Successfully Resetting the DSRM Administrators Password
Maintaining an Active Directory Environment Chapter 8 569
www.syngress.com
EXERCISE 8.8
PERFORMING AN AUTHORITATIVE RESTORE
In this example, we are going to accidentally delete the user Alan T.
Jackson. As you see in Figure 8.31, Alan's user account is in the Users
organizational unit (OU). We will now accidentally delete it.
Figure 8.31 User Alan T. Jackson before Deletion
In Figure 8.32, you can see that Alan's user account has been deleted.
Here are the steps to follow to perform an authoritative restore so
that we can restore Alan's user account:
1. First we need to get the version identifier for the most recent
backup. Go into a command prompt (Start | Command Prompt)
and type wbadmin get versions and press Enter. You should see
a list of the backups that have been performed on that server.
At the bottom is the backup about which we need to get the
information. The Version identifier for the backup we want is
01/15/2008-01:05. Also notice that it is stored on the server's E
drive in Figure 8.33.
Figure 8.32 User Alan T. Jackson Deleted
2. Restart the server and press F8 to open the Advanced Boot
Options. However, in the Advanced Boot Options, select Directory
Services Restore Mode and press Enter.
3. DSRM will boot up into safe mode and will check the file system
on all locally attached drives (except for DVDs). Press Ctrl + Alt +
Del when asked. At the logon screen, click on Switch User so that
you don't try to log on as the domain administrator, and then
click on Other User, as shown in Figure 8.34.
Figure 8.33 Getting Backup Information
4. For the username, type in the DSRM's administrator account
and its password. Notice in Figure 8.35 that we have typed it as
sigma\administrator. Click on the blue button with the white
arrow next to where the password is typed to continue.
Figure 8.34 Selecting Other User
5. Once in safe mode, open the command prompt. Because all we
need to do is restore the system state, we can type wbadmin start
systemstaterecovery -version:01/15/2008-01:05. This is the same
format we covered earlier in recovering the system state.
6. You are then asked whether you want to start the system state
recovery. Type Y for yes and press Enter. Recovery may take a few
minutes or longer.
7. Once recovery is finished, you are asked to restart your computer,
as shown in Figure 8.36. For an authoritative restore you do not
restart the system.
Figure 8.35 Logging On As the DSRM Administrator
8. As this is an authoritative restore, we must pull up ntdsutil to
restore the user ajackson. At the command prompt, type ntdsutil
and press Enter.
9. At the ntdsutil prompt, type activate instance ntds and press
Enter.
10. The ntdsutil prompt will return. At the prompt, type authoritative
restore and press Enter.
11. This will bring up an authoritative restore prompt. At the
prompt, type restore subtree CN=ajackson,CN=Users,DC=MMA,
DC=LOCAL and press Enter. Note there are no spaces between the
commas and the next entry.
12. You will now be asked whether you are sure you want to perform
the authoritative restore. Click Yes.
13. One record will be found and will be successfully updated. You
will see the message Authoritative Restore completed successfully.
At the authoritative restore prompt just type q for quit and do the
same at the ntdsutil prompt. You can now restart the computer
and let it come to the normal logon screen.
14. Log on as the domain administrator and let the system state
recovery finish. Once it's done, you can examine Active Directory
Users and Computers (ADUC) and go to the Users OU and see
that the user Alan T. Jackson has been restored.
Figure 8.36 The System State Recovery Is Complete
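An added PowerShell check, not part of the book's exercise, that confirms steps 8 through 14 took effect once the DC is back at the normal logon screen; it uses the DN and the DC name SIGMA from the exercise and assumes repadmin.exe is present on the DC.

```powershell
# Added example, not from the book: verify the authoritative restore of ajackson.
$dn = 'CN=ajackson,CN=Users,DC=MMA,DC=LOCAL'   # subtree restored in step 11
$dc = 'SIGMA'                                  # DC the restore was run on (from the exercise)

# 1. The object must exist again on the restored DC.
if (-not [ADSI]::Exists("LDAP://$dc/$dn")) {
    throw "$dn is not present on $dc; the authoritative restore did not take effect"
}
$user = [ADSI]"LDAP://$dc/$dn"
"$($user.displayName) is back (whenChanged $($user.whenChanged))"

# 2. An authoritative restore wins replication by raising the version numbers on the
#    restored object's attributes. /showobjmeta lists each attribute's version and the
#    originating DC, so you can see that the versions were bumped rather than left as-is.
& repadmin.exe /showobjmeta $dc $dn

# 3. Make sure the partners have picked the change up instead of overwriting it:
#    a healthy summary shows no failures and recent successful syncs for each DC.
& repadmin.exe /replsummary
```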
Nonauthoritative Restore
Nonauthoritative restores are used to bring Active Directory Domain Services back
to a working state on a DC. The prerequisite for a nonauthoritative restore is that
a critical-volume backup exists. A nonauthoritative restore is in order when data has
been lost, such as updates to passwords for user accounts, computer accounts, and
even trusts, or updates to group memberships, policies, the replication topology, and
its schedules, to name a few. To conduct a nonauthoritative restore, follow the same
procedures we outlined for the authoritative restore. After the system state is restored,
you can go ahead and restart the server when prompted instead of loading ntdsutil.
Once a nonauthoritative restore is complete, any changes to Active Directory objects
are replicated to the server from .. that has just gone through a nonauthoritative
restore.
Linked Value Replication
When the forest level is at Windows Server 2003 or above, linked value replication
(LVR) is available. Previously in Active Directory, primarily with Windows 2000,
when an attribute changed the entire attribute was replicated to all other DCs on
the network. Now, with LVR, changes in group membership are stored and replicated
as values for individual members instead of replicating the entire membership as a
single unit. LVR lowers the amount of bandwidth used in replication and the amount
of processor power used during replication.
Backing Up and Restoring GPOs
Backing up a Group Policy Object (GPO) consists of making a copy of the GPO
data to the file system. The backup consists of the following data:
■ Domain where the GPO resides
■ Owner of the GPO
■ Date created
■ Date modified
■ User revisions
■ Computer revisions
■ Globally unique identifier (GUID)
■ GPO status
Exercise 8.9 takes you through the steps of backing up a GPO.
EXERCISE 8.9
BACKING UP THE GPO
You must back up GPOs from the Group Policy Management Console
(GPMC). You can get to it by clicking on Start | Administrative Tools |
Group Policy Management. Let's walk through the process of backing
up GPOs:
1. Open the GPMC.
2. In the console tree, click on the plus sign (+) next to the forest. In
our case, we click on the plus sign next to Forest:MMA.LOCAL.
3. Scroll down the tree Domains | <Domain Name> | Group Policy
Objects. In Figure 8.37, you see that we have four GPOs. In reality,
you would probably have significantly more, but for demonstration
purposes we'll keep it simple.
Figure 8.37 The GPMC
4. Highlight Group Policy Objects and right-click it. Select Back Up
All, as shown in Figure 8.38.
Figure 8.38 Selecting Back Up All
5. When the Back Up Group Policy Object screen comes up, as
shown in Figure 8.39, set the location to a directory either on a
local drive or on a mapped drive on a remote server. In our case,
we are backing up our GPOs to the directory C:\GPO Backups.
As for a description, you can type anything you want that will
remind you what this particular backup pertains to. After you've
done this, you can click on Back Up.
6. Next you'll see the backup progress take place. Once it's finished,
it will provide you with the status of the backup for each GPO.
As you can see in Figure 8.40, our four GPOs were successfully
backed up. Once your GPOs have backed up successfully, just click
OK to finish.
Figure 8.39 Location to Store Backups
Figure 8.40 Backup Status
EXAM WARNING
With Windows Server 2008 comes a new type of GPO called Starter
GPOs. Starter GPOs are not included in the backup of GPOs; you have
to back them up separately. To do so, highlight the Starter GPOs folder,
right-click it, select Back Up All, and follow the same procedure we
went through in Exercise 8.9.
In the directory where we backed up our GPOs, you see that each GPO has a
folder with a GUID as the name, as shown in Figure 8.41. Inside each folder will be
two XML documents, one named Backup and the other named gpreport, along
with a folder called DomainSysvol. The DomainSysvol folder holds a GPO folder
with two subfolders, one for machine settings and the other for user settings.
If there are settings for the machine and none for the user, a registry.pol file will
exist only in the machine folder, and vice versa; if the GPO has settings for both,
each folder will contain a registry.pol file.
Figure 8.41 The Folder Layout for GPO Backups
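To check a backup directory of this layout without opening every folder, here is an added PowerShell example (not the book's code) that inventories each GUID-named backup folder; it assumes the two per-settings subfolders under DomainSysvol\GPO are named Machine and User, and that the Name element of gpreport.xml holds the GPO's display name.

```powershell
# Added example, not from the book: inventory a GPO backup directory such as C:\GPO Backups.
function Get-GpoBackupInventory {
    param([string]$BackupRoot = 'C:\GPO Backups')   # location chosen in Exercise 8.9

    # Backup folders are named by GUID, with or without braces; -match is case-insensitive.
    $guid = '^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'
    Get-ChildItem $BackupRoot | Where-Object { $_.PSIsContainer -and $_.Name -match $guid } | ForEach-Object {
        $root      = $_.FullName
        $gpoDir    = Join-Path $root 'DomainSysvol\GPO'
        $manifest  = Join-Path $root 'Backup.xml'
        $reportXml = Join-Path $root 'gpreport.xml'

        # Machine and User are assumed to be the two per-settings subfolders described above.
        $machinePol = Test-Path (Join-Path $gpoDir 'Machine\registry.pol')
        $userPol    = Test-Path (Join-Path $gpoDir 'User\registry.pol')

        # gpreport.xml is the settings report; its GPO/Name element is assumed to be the display name.
        $name = '(no report)'
        if (Test-Path $reportXml) {
            try { $name = ([xml](Get-Content $reportXml)).GPO.Name } catch { $name = '(unreadable report)' }
        }

        New-Object PSObject -Property @{
            BackupFolder    = $_.Name
            GpoName         = $name
            MachineSettings = $machinePol
            UserSettings    = $userPol
            # No registry.pol at all can simply mean an empty GPO, but a folder without
            # Backup.xml or DomainSysvol cannot be restored by Manage Backups; take it again.
            Restorable      = (Test-Path $manifest) -and (Test-Path $gpoDir)
        }
    }
}

Get-GpoBackupInventory | Format-Table BackupFolder, GpoName, MachineSettings, UserSettings, Restorable -AutoSize
```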
In Figure 8.38, you can see that we have a GPO named Tagged. How would
we restore that GPO if it were accidentally deleted? The process is quite simple; let's
walk through it in Exercise 8.10.
EXERCISE 8.10
RESTORING A GPO
1. Open the GPMC (Start | Administrative Tools | Group Policy
Management).
2. In the GPMC, go to Forest:MMA.LOCAL | Domains | MMA.LOCAL |
Group Policy Objects and verify that the GPO has been deleted.
In Figure 8.42, you see that the Tagged GPO is no longer there.
Figure 8.42 The Tagged GPO Deleted
3. In the GPMC, right-click Group Policy Objects and select Manage
Backups, as shown in Figure 8.43.
4. In the Manage Backups screen shown in Figure 8.44, select the
Tagged GPO and click Restore. You will be asked whether you
want to restore the selected backup; choose OK. As you'll notice
here, we could show only the most up-to-date backups if we
wanted to, or we could have all backups come up. We can delete
the backup of the GPO(s) and we can view settings from the
GPO itself. In the settings you will see items such as the GPO's
GUID, whether it is enabled, any links, Security Filtering, WMI
Filtering, delegation, and computer and user configuration. The
settings will come up as an .htm file and will be shown in Internet
Explorer.
Figure 8.43 Selecting Manage Backups
5. Once the restore is complete, the status window should read
Tagged Succeeded. If so, just click OK. Then click Close in the
Manage Backups screen.
6. Now looking at the GPOs via the GPMC, you should see that the
Tagged GPO has been restored, as shown in Figure 8.45.
Figure 8.44 The Manage Backups Screen
Offline Maintenance
In the past, with Windows 2000 and Windows Server 2003, to do any offline
maintenance such as defragging the Active Directory database you would have to
reboot and go into the DSRM. If users relied on services such as file and print, the
Dynamic Host Configuration Protocol (DHCP), and others, they were out of luck
until the server was back online. That has now changed under Windows Server
2008. Windows Server 2008 supports restartable Active Directory Domain Services,
which brings offline maintenance to a whole new level.
Figure 8.45 The Tagged GPO Restored
Restartable Active Directory
Restartable Active Directory Domain Services is a new feature in Windows Server
2008. It allows administrators to perform routine maintenance tasks on a DC far
quicker and with less interruption than ever before. The key is that Active Directory
Domain Services can be stopped without affecting other services on a DC, such
as DHCP and file/print. With the advent of restartable Active Directory Domain
Services, DCs running Windows Server 2008 now have three possible states to run
in, as shown in Table 8.2.
Table 8.2 Three States of Server 2008 DCs
Active Directory Domain Services Started: Active Directory Domain Services is running. Services provided by a DC are running.
Active Directory Domain Services Stopped: Active Directory Domain Services has been stopped. From an administrator's point of view, this provides the ability to perform offline maintenance just like running in DSRM. Maintenance is much faster than having to use DSRM. The DC primarily acts as a member server while the service is stopped.
Directory Services Restore Mode: This is unchanged from Windows Server 2003, except that an administrator can run dcpromo /forceremoval to remove Active Directory Domain Services from that particular DC.
There are some things to keep in mind regarding restartable Active Directory
Domain Services. A DC cannot start up with Active Directory Domain Services
stopped. If you set the startup type to Disabled and reboot the server, it will come
back with Active Directory Domain Services started and set back to Automatic.
Stopping Active Directory Domain Services also stops the File Replication Service
(FRS), Kerberos Key Distribution Center (KDC), intersite messaging, the domain
name system (DNS) server (if installed), and Distributed File System (DFS) replication.
Restarting Active Directory Domain Services, though, will automatically restart
those services as well.
You can stop and start restartable Active Directory Domain Services using
the Microsoft Management Console (MMC) via Services or by using the net.exe
command. Exercise 8.11 runs through stopping and starting Active Directory
Domain Services in Windows Server 2008.
EXERCISE 8.11
STOPPING AND STARTING
RESTARTABLE ACTIVE DIRECTORY DOMAIN SERVICES
1. Log on to a DC as an administrator.
2. Click Start | Administrative Tools | Services.
3. In the list of services, highlight and right-click on Active Directory
Domain Services and click Properties.
4. The service status should read Started; just click Stop.
5. After you click Stop, a window will pop up titled Stop Other
Services, which you can see in Figure 8.46. This window will
inform you of the other services that will also be stopped. Click
Yes and then OK.
Figure 8.46 Services That Stop with Active Directory Domain Services
6. Now you will see that Active Directory Domain Services has
stopped (see Figure 8.47).
Figure 8.47 Active Directory Domain Services Stopped
EXAM TIP
In step 3 of Exercise 8.11, you could simply right-click on the Active
Directory Domain Services service and select Stop. This will stop the
service just as well.
Offline Defrag and Compaction
Active Directory's database file is ntds.dit, which is based on the Extensible Storage
Engine (ESE) and is located in C:\Windows\NTDS. One of the biggest reasons, if
not the only reason, to defrag/compact the ntds.dit file is if you are running low on
disk space. Depending on the size of your environment, the ntds.dit file can grow
to more than 6 GB in size, even though the database within it may only be 1 GB.
Back in the days of Windows 2000 and Windows Server 2003, we had to perform
offline defrags in the DSRM because there was no way to easily shut down Active
Directory and perform the defrag. As you've already seen, that has changed, and for
the better, in Windows Server 2008. We simply go into Services and stop Active
Directory Domain Services. Exercise 8.12 lists the steps involved in defragging
Active Directory in Windows Server 2008.
EXERCISE 8.12
DEFRAGGING ACTIVE
DIRECTORY DOMAIN SERVICES
1. Before performing a defrag of ntds.dit, perform a system state
backup of the DC or perform a full server backup. Even though
we can move or rename the old ntds.dit file, having a backup is
essential in case of catastrophe.
2. Go to C:\Windows\NTDS and note the size of the ntds.dit file.
In our case, because this is a lab machine our ntds.dit file is only
12 MB. Create a new directory to initially hold the new ntds.dit file
that will be created during the defragging process. Our directory
is C:\Windows\NTDS\defragged.
3. Log on to the server as an administrator and stop the Active
Directory Domain Services service, as discussed in the preceding
section.
4. After Active Directory Domain Services has stopped, open a
command prompt (Start | Command Prompt), type ntdsutil, and
press Enter.
5. At the ntdsutil prompt, type Activate Instance ntds and press
Enter. You will get a message stating Active instance set to ntds.
6. At the ntdsutil prompt, type files and press Enter. This will pull up
the file maintenance prompt.
7. At the file maintenance prompt, type info and press Enter. This
provides you with information about the location of the ntds.dit
file, the backup directory, the working directory, and the log
directory. Figure 8.48 shows an example.
8. At the file maintenance prompt, type compact to c:\windows\
ntds\defragged and press Enter. The defrag process will run. The
larger your ntds.dit file is, the longer the defrag process will take.
Figure 8.49 shows an example of a successful defrag.
Figure 8.48 The Drive and DS Path Information
Figure 8.49 A Successful Defrag
9. After the defrag has completed, type q at the file maintenance
prompt and do the same at the ntdsutil prompt. This should bring
you back to a normal C prompt; you can close the command
prompt at this time.
10. Go to the C:\Windows\NTDS folder and either rename the ntds.dit
file there or delete it.
11. Go to the defragged directory and move the ntds.dit file from
there to the C:\Windows\NTDS directory.
12. In the C:\Windows\NTDS directory, rename or delete the edb.log file.
13. Go back to Services and restart Active Directory Domain Services.
After it restarts, you're finished.
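Exercise 8.12 as a single script, added here and not part of the book, with the checks an operator wants around the file swap: it assumes an elevated PowerShell prompt on the DC, that the backup from step 1 has been taken, the default C:\Windows\NTDS paths from the exercise, and that ntdsutil's integrity check reports "Integrity check successful" on a good database.

```powershell
# Added example, not from the book: offline defrag of ntds.dit following the steps of Exercise 8.12.
$ntdsDir   = 'C:\Windows\NTDS'
$defragDir = Join-Path $ntdsDir 'defragged'      # step 2: holding directory for the compacted copy
$dit       = Join-Path $ntdsDir 'ntds.dit'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'

if (-not (Test-Path $defragDir)) { New-Item -ItemType Directory -Path $defragDir | Out-Null }
$before = (Get-Item $dit).Length                    # step 2: size before compaction

# Step 3: stop AD DS; /y accepts stopping the dependent services (KDC, DNS, FRS, DFSR, ISM).
& net.exe stop ntds /y | Out-Null
if ((Get-Service NTDS).Status -ne 'Stopped') { throw 'AD DS is still running; not touching ntds.dit' }

try {
    # Steps 4-9: the same ntdsutil commands as the exercise, passed as arguments instead of typed.
    $log = Join-Path $defragDir "compact-$stamp.log"
    & ntdsutil.exe 'activate instance ntds' files info "compact to $defragDir" quit quit 2>&1 | Out-File $log
    $newDit = Join-Path $defragDir 'ntds.dit'
    if (-not (Test-Path $newDit)) { throw "compact produced no ntds.dit; see $log" }

    # Steps 10-12: keep the old database and logs under .old names instead of deleting them,
    # so the swap can be reversed if the integrity check below fails.
    Rename-Item $dit "ntds.dit.$stamp.old"
    Move-Item $newDit $dit
    Get-ChildItem $ntdsDir -Filter 'edb*.log' | ForEach-Object { Rename-Item $_.FullName "$($_.Name).$stamp.old" }

    # Check the compacted database before AD DS is started on it.
    $check = & ntdsutil.exe 'activate instance ntds' files integrity quit quit 2>&1
    if (-not ($check -match 'Integrity check successful')) {
        $check | Out-File $log -Append
        # Roll back: park the bad copy, put the original database and logs back under their names.
        Move-Item $dit (Join-Path $defragDir "ntds.dit.failed-$stamp")
        Rename-Item (Join-Path $ntdsDir "ntds.dit.$stamp.old") 'ntds.dit'
        Get-ChildItem $ntdsDir -Filter "edb*.log.$stamp.old" | ForEach-Object {
            Rename-Item $_.FullName ($_.Name -replace "\.$stamp\.old$", '')
        }
        throw "integrity check failed; original ntds.dit restored, details in $log"
    }
}
finally {
    & net.exe start ntds | Out-Null                  # step 13: AD DS brings its dependents back up
}
$after = (Get-Item $dit).Length
"ntds.dit: {0:N0} MB before, {1:N0} MB after" -f ($before / 1MB), ($after / 1MB)
```

The finally block restarts the service on every path, so a failed compaction or a failed integrity check leaves the DC running on its original database rather than stopped.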
Active Directory Storage Allocation
As you've learned, the ntds.dit file can get quite large. With this comes concern
regarding available drive space. To conserve drive space, we've already walked
through defragging and compacting the ntds.dit file. Sometimes that's not enough,
and you have to move it and its log files to another drive or partition. Before doing
this, you have to confirm the size of the files in the C:\Windows\NTDS folder.
You need to check the amount of drive space used by the files in the directory
both when Active Directory Domain Services is online and when it is offline, because
the offline files are what you will actually move, but when Active Directory Domain
Services is back online the amount of drive space used increases.
So, why is there a difference in the amount of space used in C:\Windows\NTDS
when Active Directory Domain Services is offline versus online? The answer is
quite simple: Active Directory will create a temp.edb file, and you have to consider
that when determining the amount of space to allocate to Active Directory. Here
are some scenarios in which you would determine storage allocation for Active
Directory:
■ NTDS.DIT only The size of the file plus an additional 20% of the current
file size or 500 MB, whichever is greater
■ Log files only The combined size of the log files plus 20% of the combined
logs or 500 MB, whichever is greater
■ NTDS.DIT and log files If the database file and the logs are located on
the same partition, the free space should be at least 20% of the combined
NTDS.DIT and log files, or 1 GB, whichever is greater
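The three rules above applied to a DC's actual files, as an added PowerShell example that is not the book's code; it assumes the default C:\Windows\NTDS location for both the database and the edb*.log files, and that PowerShell 2.0 is available on the server.

```powershell
# Added example, not from the book: how much free space AD DS needs under the three sizing rules.
function Get-NtdsSpaceRequirement {
    param(
        [string]$DatabaseDir = 'C:\Windows\NTDS',  # folder holding ntds.dit (and temp.edb when online)
        [string]$LogDir      = 'C:\Windows\NTDS'   # folder holding edb*.log; differs if logs were moved
    )
    # Measure with AD DS online to include temp.edb, which is why the online figure is larger.
    $dbFiles  = (Get-Item (Join-Path $DatabaseDir 'ntds.dit')).Length
    $tempEdb  = Join-Path $DatabaseDir 'temp.edb'
    if (Test-Path $tempEdb) { $dbFiles += (Get-Item $tempEdb).Length }
    $logFiles = (Get-ChildItem $LogDir -Filter 'edb*.log' | Measure-Object -Property Length -Sum).Sum
    if (-not $logFiles) { $logFiles = 0 }

    $dbDrive  = Split-Path -Qualifier $DatabaseDir     # e.g. 'C:'
    $logDrive = Split-Path -Qualifier $LogDir
    $rules = @()
    if ($dbDrive -eq $logDrive) {
        # NTDS.DIT and log files on one partition: free space >= 20% of the combined size or 1 GB
        $rules += New-Object PSObject -Property @{
            Drive = $dbDrive; Rule = 'NTDS.DIT and log files'; Files = $dbFiles + $logFiles
            Headroom = [math]::Max([double](0.2 * ($dbFiles + $logFiles)), [double]1GB)
        }
    } else {
        # NTDS.DIT only: 20% of the file or 500 MB, whichever is greater
        $rules += New-Object PSObject -Property @{
            Drive = $dbDrive; Rule = 'NTDS.DIT only'; Files = $dbFiles
            Headroom = [math]::Max([double](0.2 * $dbFiles), [double]500MB)
        }
        # Log files only: 20% of the combined logs or 500 MB, whichever is greater
        $rules += New-Object PSObject -Property @{
            Drive = $logDrive; Rule = 'Log files only'; Files = $logFiles
            Headroom = [math]::Max([double](0.2 * $logFiles), [double]500MB)
        }
    }
    foreach ($r in $rules) {
        $free = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($r.Drive)'").FreeSpace
        $r | Add-Member NoteProperty FilesMB      ([math]::Round($r.Files / 1MB))
        $r | Add-Member NoteProperty HeadroomMB   ([math]::Round($r.Headroom / 1MB))
        $r | Add-Member NoteProperty FreeMB       ([math]::Round($free / 1MB))
        # Where the files already live, the free space must cover the headroom alone;
        # a partition you are moving them to must hold the files plus the headroom.
        $r | Add-Member NoteProperty MoveTargetMB ([math]::Round(($r.Files + $r.Headroom) / 1MB))
        $r | Add-Member NoteProperty Ok           ($free -ge $r.Headroom)
    }
    $rules
}

Get-NtdsSpaceRequirement | Format-Table Drive, Rule, FilesMB, HeadroomMB, FreeMB, MoveTargetMB, Ok -AutoSize
```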
Monitoring Active Directory
Monitoring Active Directory is key to making sure that objects and attributes
are up-to-date and consistent among DCs, whether they are local to each other
or located at different sites. One area to monitor is replication between the DCs.
To do this we use tools such as Network Monitor, the Event Viewer, replmon, and
repadmin. We also need to ensure the performance of the DCs so that they are able
to authenticate and replicate in a timely manner, using tools such as the Task
Manager, the system resource manager, the reliability and performance monitor, and
the Event Viewer. Let's examine each of these tools.
The Network Monitor
It's important for administrators to keep tabs on the network traffic that's flowing across
the network. Monitoring the network allows administrators to have a better
understanding of how the bandwidth on their networks is being utilized. Network
Monitor from Microsoft is such a tool. It is a protocol analyzer that allows administrators
to capture network traffic, and then view and analyze it. Administrators
can see things such as DHCP requests, DNS name resolutions, Hypertext Transfer
Protocol (HTTP), and so on. As of this writing, Network Monitor Version 3.1 runs
on Windows Server 2008. It does not ship with Active Directory, but you can
download it from www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59df4d8-4213-8d17-2f6dde7d7aac&displaylang=en.
To start Network Monitor just click Start | Microsoft Network Monitor 3.1 |
Microsoft Network Monitor 3.1. You will see the Start Page shown in Figure
8.50. Here you can create a new capture or open an existing one. You will also
notice the Welcome screen to the right, which will mention all the changes in
Network Monitor. In addition to the Start Page tab, you will see the Parsers tab,
which allows you to parse packets. Network Monitor applies knowledge of the
structure of the various protocols to the hex data contained in the packets and
displays the resultant interpretation.
Although we can't actually see the information transmitted across the wire for
Active Directory replication, we can see things such as when a new DC comes up
and queries DNS for an existing Lightweight Directory Access Protocol (LDAP)
server at the Default-First-Site-Name site. Figure 8.51 shows this in the
Display Filter.
Figure 8.50 The Network Monitor
Figure 8.51 represents a snapshot of what was happening when a member
server was running DCPROMO and was being promoted to a DC. In the figure,
the new DC (192.168.1.6) performs a DNS query to SIGMA.MMA.LOCAL,
wanting the information about the LDAP server at that site. The DNS server, in
this case SIGMA.MMA.LOCAL, responds with the A record and a type SRV of
_ldap._tcp.Default-First-Site-Name. As you can see in Figure 8.52, it informs the
new DC (192.168.1.6) that the resource name is SIGMA.MMA.LOCAL and that
the Internet Protocol (IP) address is 10.10.10.8. In this example, it just so happens
that the LDAP server at this site is also the DNS server. In some instances it may
not be, depending on the environment.
Figure 8.51 The Display Filter in Network Monitor 3.1
To get the view in Figure 8.52, we highlighted the Frame Number in the
Frame Summary and right-clicked on it, and then chose View Selected
Frame(s) in a New Window. This made it easier for us to read the DNS server's
response. Alternatively, we could have right-clicked the Frame Number and selected
Copy, Copy Cell Value, Copy Cell as Filter, Add Cell to Display Filter,
Parse Frame as XML, View Selected Frame(s) in a New Window, or Add
Selected Frame(s) To.
As you can see, a tool such as Network Monitor can be valuable in determining
what is actually happening on the wire and where problems may arise.
Figure 8.52 The Response to the DNS Query
The Task Manager
You can monitor the load and performance of DCs through the Task Manager,
which hasn't changed much since Windows Server 2003. The Task Manager shown
in Figure 8.53 can show administrators what may be causing slow logons for users,
along with what processes and executables are using resources, causing strain on
a DC. You can pull up the Task Manager in quite a few ways. The easiest way is
to just click Start | Run, type taskmgr.exe, and press Enter. Other ways to
launch the Task Manager include right-clicking the task bar and selecting Task
Manager, pressing Ctrl + Shift + Esc, and pressing Ctrl + Alt + Delete and
selecting Start Task Manager.
Figure 8.53 The Task Manager
The Task Manager is very useful for administrators looking for an immediate
view of resources such as processor activity, process activity, network activity, memory
usage, resource consumption, and even user information. A Services tab has been
added to the Task Manager, along with a Services button that allows administrators
to pull up the Services Management Console. Another big change is the Resource
Monitor button within the Performance tab. Let's briefly go over each tab in the
Task Manager.
The Applications Tab
The first tab in the Task Manager is the Applications tab, which lists all the tasks and
programs currently running on the server and their status. The status of a program
will be either Running or Not Responding. However, when an application's status
is Not Responding, it may be waiting for a process to respond, in which case it
could return to a Running state. If an application remains in a Not Responding state
for some time, an administrator can simply right-click the application in the list and
choose End Task, as shown in Figure 8.54.
Figure 8.54 Ending a Task
Figure 8.54 shows other options as well. By selecting Switch To you can
switch to a different running task. Selecting Bring To Front will bring that
application/task to the front of the desktop. You can use Create Dump File for
a point-in-time snapshot of whatever process you need to examine for more
advanced troubleshooting.
The Processes Tab
The Processes tab provides a list of processes that are currently running on the
server. These processes are measured by such things as CPU, User
Name (or the context under which the image is running), and Memory (Private
Working Set), among others. Administrators can sort out which processes are using
the most or least CPU cycles by clicking on the CPU and Memory column headers.
You can shut down a process by right-clicking the process name and selecting End
Process. You also can add other columns; for instance, you can add a PID column
by clicking on View | Select Columns and choosing PID (Process Identifier),
and then clicking OK. Figure 8.55 shows the results.
Figure 8.55 Adding a PID Column
The Services Tab
The newest tab in the Task Manager, but one that's been overdue, is the Services
tab. With this tab, administrators can quickly assess and troubleshoot a specific service
by viewing its status. By default, it shows the service's name, PID, description, status,
and group. As mentioned earlier, you can even launch the Services Console by clicking
on the Services button in the bottom-right corner, as shown in Figure 8.56.
Figure 8.56 The Services Tab
The Performance Tab
The Performance tab allows administrators to view CPU and physical memory
usage in an easier-to-understand, graphical manner. It is very useful when an administrator
needs a quick analysis of how the system is running. The Performance tab
shows CPU usage in real time, while also showing a brief usage history.
It does the same for memory usage as well. By default, the Performance tab shows
usage by User Mode processes and threads. If you want to see Kernel Mode usage
as well, all you have to do is click on View | Show Kernel Times. You will
then see kernel mode operations in red in the CPU Usage area. If your server
has multiple processors, you will be able to view each individual processor and its
corresponding graph. Notice in Figure 8.57 a button in the bottom right labeled
Resource Monitor. By clicking on this, you can perform even more analysis. We
will cover the System Resource Monitor a little later.
Figure 8.57 The Performance Tab
The Networking Tab
The Networking tab provides information about network traffic for each adapter in
a particular server. Multiple adapters and adapter types are supported. For instance,
you could have a LAN connection, a virtual private network (VPN) connection,
and a dial-up connection all showing up as separate adapters. The Networking tab
will show a graphical comparison of the traffic for any connection a server has.
Administrators are able to get information about network utilization, link speed,
and even the state of the connection. You can examine network traffic in the graph
in terms of bytes sent, bytes received, and the total number of bytes simply by
clicking View | Network Adapter History and selecting what you want.
As with many of the other tabs in the Task Manager, you can add more columns
to widen your analysis. Simply click View | Select Columns and select the
column(s) you need. In Figure 8.58, you see that we have added the column
Adapter Description.
Figure 8.58 The Networking Tab
The Users Tab
The last tab in the Task Manager is the Users tab. It displays the users who are
connected to or logged on to the server. It provides user, ID, status, client name,
and session information by default. Although there are no additional columns to
add, you can remove any you feel are unnecessary. Figure 8.59 shows that the only
user connected to this server is the administrator and that he is at the console.
EXAM WARNING
You may be asked on the exam about a problem with a server where you'll
need to quickly gather data. You should start up the Task Manager and
look at key indicators such as CPU utilization, process utilization, available
memory, and network utilization. Look for skewed numbers around 70%
or higher that might be causing performance issues.
Figure 8.59 The Users Tab
The Event Viewer
The Event Viewer is traditionally the first place to look when troubleshooting
anything in Windows (see Figure 8.52). You can access the Event Viewer by clicking
on Start | Administrative Tools | Event Viewer. This tool, which has stood the
test of time since the days of NT 3.1, has been completely rewritten and is based on
XML. Many new features, functionality, and even a new interface have been added
to the Event Viewer in Windows Server 2008. Figure 8.60 shows the new interface
for the Event Viewer, taken from MMC Version 3.0.
Figure 8.60 The Event Viewer
Looking at Figure 8.60, you'll notice that the Event Viewer consists of Custom
Views, Windows Logs, Applications and Services Logs, and Subscriptions. Let's
examine each of these more closely.
Custom Views
Custom Views in the Event Viewer are filters created either by Windows Server
2008 itself or by an administrator of the system. Windows Server 2008 creates
custom views when a server takes on a new role, such as a DC running
Active Directory Domain Services, or installs a feature such as DNS. Administrators
are able to create filters that target only the events they are interested in viewing.
In Exercise 8.13, we'll create a custom view in the Event Viewer. To create a
custom view in the Event Viewer, right-click Custom Views and select Create
Custom View.
EXERCISE 8.13
CREATING A CUSTOM VIEW
1. Open the Event Viewer by clicking Start | Administrative Tools |
Event Viewer.
2. In the Event Viewer, right-click Custom Views and select Create
Custom View.
3. Next, the Create Custom View form comes up. In the Logged
drop-down list choose when you want events logged. For instance,
you can choose to do Any time, Last hour, Last 12 hours, Last
24 hours, Last 7 days, Last 30 days, or a Custom range. When
choosing Custom range you decide the date and time from the
first event to the date and time of the last event. You can even
choose the actual time. For our example, we chose Last 30 days
for this exercise.
4. Next, choose the Event level you want to include. These are the
same old standbys we've seen in previous versions of Windows:
Critical, Warning, Verbose, Error, and Information. For our
example, we'll select only Warning.
5. After you have decided on the Event level, you need to choose
the event log(s) or the specific event sources to filter by. Well
simply choose By log and select System found beneath Windows
Logs.
6. If you know exactly what event IDs you want to filter, you can
do that by simply typing the event ID(s). Because we don't,
we'll leave it at <All Event IDs>. For Keywords, we can click on
the pull-down menu and see a list of keywords from which to
choose. We can enter any particular user or computer we like.
For our example, we will only specify the server SIGMA in the
Computer(s) line. Your Create Custom View should appear like
the one in Figure 8.61. When you're done, click OK.
7. Next, you come to Save Filter to Custom View. You can choose
a name to call your filter and provide a description if you like.
You also get to choose where you want your custom view saved.
For our example, the name will be SIGMA SysLog Warn and we'll
allow it to be saved in the default location.
In Figure 8.62, you see we have created our custom view SIGMA
SysLog Warn and that there are five events in it. Your server will probably
have different warnings than the one shown in the figure.
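The same filter the exercise builds in the GUI, expressed as the XML query the Event Viewer shows on its XML tab and run from PowerShell so it can be scheduled or pointed at several DCs; this is an added example, not the book's code, and it assumes PowerShell 2.0 (for Get-WinEvent) and that SIGMA matches the Computer name as recorded in the events.

```powershell
# Added example, not from the book: Exercise 8.13's custom view (System log, Warning, last 30 days,
# computer SIGMA) as an XML query run through Get-WinEvent.
$computer = 'SIGMA'        # Computer(s) field from step 6; use the name exactly as events record it
$days     = 30             # Logged: Last 30 days (step 3)
$ms       = [long]$days * 24 * 60 * 60 * 1000   # timediff() works in milliseconds: 2592000000

# Level 3 is Warning (1 Critical, 2 Error, 4 Information, 5 Verbose); Path is the System log (step 5).
$query = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[(Level=3) and (Computer='$computer') and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
    </Select>
  </Query>
</QueryList>
"@

# "No events were found" is reported as an error, so suppress it and treat the result as an empty list.
$events = @(Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue)
"{0} warning(s) in the System log on {1} over the last {2} days" -f $events.Count, $computer, $days

# Summarise by event ID so a repeating warning stands out, instead of reading the list entry by entry.
$events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    $latest = ($_.Group | Sort-Object TimeCreated -Descending)[0]
    New-Object PSObject -Property @{
        EventId = $_.Name
        Count   = $_.Count
        Source  = $latest.ProviderName
        Latest  = $latest.TimeCreated
    }
} | Format-Table EventId, Count, Source, Latest -AutoSize
```

Add -ComputerName to Get-WinEvent to run the same query against a remote DC.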
Figure 8.61 Creating a Custom View
Windows Logs
Underneath the Windows Logs folder are the traditional logs we've seen before,
with two new ones added. Table 8.3 provides a brief description of each log.
Figure 8.62 A Newly Created Custom View
Table 8.3 Windows Logs
Application: Contains events from applications residing on the system
Security: Captures authentication and object access events that are audited
Setup: New log that captures events tailored around the installation of applications, server roles, and features
System: Events built around Windows system components are logged here
Forwarded Events: Consolidates and stores events that were captured from remote systems and sent to a single log to facilitate the identification, isolation, and solving of problems
Applications and Services Logs
There is a new category of event logs in Windows Server 2008: the Applications
and Services logs. In Figure 8.62, you can see them just below the Windows Logs
folder. These logs store events from a single application or component rather than
system-wide events like the logs underneath Windows Logs. You can find four subtypes
of logs here: Admin, Operational, Analytic, and Debug. Admin logs are tailored more
for users and administrators looking to troubleshoot problems. The events in the Admin
log will provide administrators with information and guidance regarding how to
respond. Events found in the Operational log are more likely to require more
interpretation but can be helpful as well.
The Analytic and Debug logs are not user-friendly. You can use Analytic
logs to trace an issue, and therefore a high number of events are logged.
Developers use the Debug logs when debugging applications. The Analytic
and Debug logs are hidden and disabled by default in Windows Server 2008.
To show these logs select Event Viewer | View | Show Analytic and
Debug Logs. Remember that this only shows the logs; it does not enable them.
To enable the Analytic and Debug logs, make sure they are not hidden and then
highlight the Analytic or Debug log you want to enable. Click on Action |
Properties and in the Log Properties screen, shown in Figure 8.63, select
Enable logging and click OK. You can also enable these logs via the command
line by typing wevtutil sl <logname> /e:true.
Subscriptions
The last folder shown in the Event Viewer is also a new feature in Windows Server
2008, called Subscriptions. The Subscriptions folder allows remote servers to forward
events so that they can be viewed locally at a central station. A subscription specifies
exactly which events will be collected and in which log they will be stored. Once
collected, the data from a subscription can be viewed and manipulated just as though
it came directly from the server you are examining. To use subscriptions,
you must configure both the forwarding and the collecting servers. Both the
Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc)
services are required. Exercise 8.14 shows how to create a new subscription.
Figure 8.63 Enabling an Analytic Log
EXERCISE 8.14
CREATING A NEW SUBSCRIPTION
1. Go to the collector computer and run the Event Viewer as an
administrator.
2. In the Event Viewer click Subscriptions in the console tree.
If the Windows Event Collector service is not running, you will
be prompted to run it; if you receive this message click Yes.
3. Click Actions | Create Subscription. The Subscription Properties
box appears, as shown in Figure 8.64.
Figure 8.64 The Subscription Properties Box
4. In the Subscription name box, type a name for the subscription.
For our example, we chose Test as the name.
5. In the Description box, type an optional description for the
subscription. We typed Test subscription for ours.
6. At the Destination log drop-down list, select the log file where
the collected events are to be stored. The default, as you see in
Figure 8.64, is Forwarded Events. For our example, we will accept
the default.
7. Under Subscription type and source computers, choose the default
of Collector initiated and click Select Computers.
8. In the Computers screen, click Add Domain Computers. You will
now be asked to type the name of the computer(s) from which
you would like to collect information. For our scenario, we typed
FMEA. Click Check Names to verify and then click OK to continue.
9. Now the Computers screen will look like Figure 8.65, and you will
see the computer we just selected. If it is correct click OK then OK
again at the Subscription Properties screen.
Figure 8.65 The Computer Selected for Subscription
10. Now click Select Events and you should see the Query Filter. The
Query Filter is exactly like the Create Custom View dialog you saw
in Figure 8.61. For our example, we will choose Any time for
Logged, and Critical, Warning, and Error for Event Level. We will
choose By log and the Application log for Event logs. Everything else
will remain the same, as shown in Figure 8.66. Now click OK.
Figure 8.66 The Query Filter
11. Now go to the source server (the one that will forward events)
and open a command prompt. Type winrm quickconfig and press Enter;
this starts the WinRM service, creates an HTTP listener, and opens the
firewall exception for it. On the collector server, at a command prompt
type wecutil qc and press Enter to configure and start the Windows Event
Collector service.
12. Now add the collector server's computer account to the local Administrators
group of each source computer, and that's it. This is what the Windows Server
2008 documentation prescribes for a collector-initiated subscription, but it hands
the collector full control of every source. Read access to the logs is all the
subscription needs, and the built-in Event Log Readers group grants exactly that;
if you take the collector out of Administrators you must also allow its computer
account through the WinRM security descriptor (winrm configSDDL default), or
switch to a source computer initiated subscription, which needs no inbound
access to the sources at all.
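The Query Filter in step 10 and the subscription it feeds are both just XML. The following is an added example, not code from the book: it builds the XPath that the Query Filter or a Custom View writes, applies the same predicate locally to events exported with `wevtutil qe <log> /f:xml`, and produces the subscription file that `wecutil cs <file>` accepts as the command-line twin of Exercise 8.14. The host name, the subscription id, and every sample event are constructed; the subscription element names are the ones `wecutil gs <id> /f:xml` prints, so compare the output against a subscription created in your own Event Viewer before relying on it.

```python
"""Added example, not from the book: the XPath that a Query Filter or Custom
View produces, the same filter applied locally to events exported with
`wevtutil qe <log> /f:xml`, and a subscription file for `wecutil cs`.
The host name, subscription id and every sample event are constructed."""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
SUB_NS = "http://schemas.microsoft.com/2006/03/windows/events/subscription"
LEVELS = {"critical": 1, "error": 2, "warning": 3, "information": 4, "verbose": 5}


def level_numbers(levels):
    """Event Viewer maps the Information checkbox to Level=4 and Level=0;
    Level 0 (LogAlways) is what Security audit events carry."""
    nums = []
    for name in levels:
        nums.append(LEVELS[name])
        if name == "information":
            nums.append(0)
    return nums


def build_query(log, levels, event_ids=()):
    """<QueryList> in the form the Query Filter dialog writes for a By log filter."""
    clauses = ["(" + " or ".join(f"Level={n}" for n in level_numbers(levels)) + ")"]
    if event_ids:
        clauses.append("(" + " or ".join(f"EventID={i}" for i in event_ids) + ")")
    select = "*[System[" + " and ".join(clauses) + "]]"
    return (f'<QueryList><Query Id="0" Path="{log}">'
            f'<Select Path="{log}">{select}</Select></Query></QueryList>')


def parse_events(xml_text):
    """Parse the <Event> elements wevtutil prints (wrapped in one root element here)."""
    q = "{%s}" % EVENT_NS
    events = []
    for ev in ET.fromstring(xml_text).iter(q + "Event"):
        sysel = ev.find(q + "System")
        events.append({"log": sysel.findtext(q + "Channel"),
                       "id": int(sysel.findtext(q + "EventID")),
                       "level": int(sysel.findtext(q + "Level")),
                       "computer": sysel.findtext(q + "Computer")})
    return events


def select_events(events, log, levels, event_ids=()):
    """The predicate build_query() expresses in XPath, applied to parsed events."""
    wanted = set(level_numbers(levels))
    return [e for e in events if e["log"] == log and e["level"] in wanted
            and (not event_ids or e["id"] in event_ids)]


def build_subscription(sub_id, sources, query, description="", log_file="ForwardedEvents"):
    """Collector-initiated subscription in the schema wecutil cs reads (element names
    assumed from wecutil gs <id> /f:xml output; verify against your build)."""
    srcs = "".join(f'<EventSource Enabled="true"><Address>{h}</Address></EventSource>'
                   for h in sources)
    return (f'<Subscription xmlns="{SUB_NS}">'
            f"<SubscriptionId>{sub_id}</SubscriptionId>"
            "<SubscriptionType>CollectorInitiated</SubscriptionType>"
            f"<Description>{description}</Description><Enabled>true</Enabled>"
            "<Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>"
            "<ConfigurationMode>Normal</ConfigurationMode>"
            f"<Query><![CDATA[{query}]]></Query>"
            "<ReadExistingEvents>false</ReadExistingEvents>"
            "<TransportName>HTTP</TransportName>"
            "<ContentFormat>RenderedText</ContentFormat>"
            f'<Locale Language="en-US"/><LogFile>{log_file}</LogFile>'
            "<CredentialsType>Default</CredentialsType>"
            f"<EventSources>{srcs}</EventSources></Subscription>")


def subscription_query(sub_xml):
    """Read the query back out of a subscription file (or wecutil gs <id> /f:xml output)."""
    return ET.fromstring(sub_xml).findtext("{%s}Query" % SUB_NS)


def _event(log, event_id, level, computer="FMEA.mma.local"):
    return (f'<Event xmlns="{EVENT_NS}"><System><Provider Name="Sample"/>'
            f"<EventID>{event_id}</EventID><Level>{level}</Level>"
            f"<Channel>{log}</Channel><Computer>{computer}</Computer></System>"
            "<EventData/></Event>")


# Constructed export: what `wevtutil qe <log> /f:xml` would print, under one root.
SAMPLE_EXPORT = "<Events>" + "".join([
    _event("Application", 1000, 2),   # Error
    _event("Application", 1001, 3),   # Warning
    _event("Application", 1002, 4),   # Information
    _event("System", 7036, 4),        # Information, but in another log
    _event("Security", 4625, 0),      # audit failure: failed logon
]) + "</Events>"

if __name__ == "__main__":
    query = build_query("Application", ["critical", "error", "warning"])
    print(query)
    for e in select_events(parse_events(SAMPLE_EXPORT), "Application",
                           ["critical", "error", "warning"]):
        print(e)
    print(build_subscription("Test", ["FMEA.mma.local"], query, "Test subscription"))
```

Save the subscription output to a file and run `wecutil cs file.xml` on the collector; `wecutil gr <id>` then shows per-source status, which is the first place to look when Forwarded Events stays empty. Security audit events carry Level 0, so a subscription that selects only Critical, Error, and Warning (as in step 10) will never forward a failed logon; select Information, or filter by EventID, when the Security log is the source.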
Replmon
Replication Monitor, better known as Replmon, is a GUI tool that you can install
with the Support Tools found on the Windows Server 2008 DVD. This tool enables
administrators to view the detailed status of Active Directory replication. It also
allows administrators to force synchronization between DCs, view the topology in
an easier-to-understand graphical format, and monitor the status and performance
of DC replication. Replmon is useful for, but not limited to, the following:
■ Noticing when a replication partner fails
■ Viewing the history of both failed and successful replication
■ Viewing the properties of directory replication partners
■ Generating status reports including direct and transitive replication partners
along with detailing a record of changes
■ Displaying replication topology
■ Forcing replication
■ Triggering the Knowledge Consistency Checker (KCC) to recalculate the
replication topology
■ Displaying a list of trust relationships maintained by a DC that is being
monitored
■ Monitoring the replication status of DCs from multiple forests
Using Replmon
To use replmon you must be logged on to a DC. Once logged on, select Start |
Run and type replmon.exe and press Enter. Replmon will then come up with
a fairly blank page, as shown in Figure 8.67.
Right-click on the Monitored Servers icon in the upper left. You now have
the option to Add Monitored Server. In the Add Monitored Server Wizard
you can either type in the name of the DC you want to add explicitly or
enter the name of a domain within the forest from which to read site data. Figure 8.68
shows that we have decided to search the directory for a server and that our
domain is MMA.LOCAL. Once you've done this, select Next.
Figure 8.67 Replmon's Default Screen
At the next screen, you see a list of sites that are available from Active Directory.
You can expand a site and select any particular server located there. In Figure 8.69,
you see that we have chosen to monitor a DC out of the South-Region site called
FMEA. Once you've done this you can click Finish.
Figure 8.68 The Add Monitored Server Wizard
Figure 8.69 Selecting a DC to Monitor
In Figure 8.70, you see that the DC we're monitoring has five directory partitions
displayed. Underneath each partition you see this DC's replication partner. In this
case, it is a DC called SIGMA. Normally, if there are any replication issues you will
see a red X underneath the partition(s) where the problem exists. In Figure 8.71, we
show the replication status of the Schema partition and its Update Sequence Number (USN).
Figure 8.70 Directory Partitions
Figure 8.71 Viewing the Logs Pane in Replmon
If you right-click the server, you will see a list of options you have in replmon,
as shown in Figure 8.72.
Figure 8.72 Replmon Options
Table 8.4 lists the options and their descriptions.
Table 8.4 Replmon Options Described

Update Status (only for this server): Rechecks the replication status of the server. The time of the updated status is logged and displayed.
Check Replication Topology: Causes the KCC to recalculate the replication topology for the server.
Synchronize Each Directory Partition with All Servers: Starts an immediate replication of all of the server's directory partitions with each replication partner.
Show Domain Controllers in Domain: Lists all known DCs.
Show Replication Topologies: Shows a graphical view of the replication topology.
Show Group Policy Object Status: Lists all the domain's Group Policies and their respective Active Directory and SYSVOL version numbers. A mismatch between the two numbers means the GPO's SYSVOL content has not caught up with the directory object (or the reverse), so clients may be applying a stale policy.
Show Global Catalog Servers in Enterprise: Lists all Global Catalog servers.
Show Bridgehead Servers: Two options are available: In This Server's Site and In the Enterprise. Shows bridgehead servers based on information provided by the monitored DC.
Show Trust Relationships: Shows all trusts with this domain.
Show Attribute Meta-Data for Active Directory Object: Shows the replication metadata of a particular object specified by its distinguished name (DN).
Clear Log: Clears the <site-dcname>.log file.
Delete: Deletes the DC from the monitored servers list.
Properties: Shows server properties of the monitored DC, such as the Flexible Single Master Operation (FSMO) roles for the domain (shown in Figure 8.73), inbound replication connections, Transmission Control Protocol/Internet Protocol (TCP/IP) configuration, server flags, and other general information.
Replmon is a very useful and powerful tool in troubleshooting replication issues
and for just finding information about a domain.
Figure 8.73 The FSMO Roles Tab in Server Properties
Head of the Class
Support Tools
After installing Windows Server 2008, it is highly recommended that you
install the support tools that reside on the installation media, allowing
you immediate access to tools such as replmon.
RepAdmin
Another tool that comes with the installation of Windows Server 2008 is the
command-line tool RepAdmin. Administrators can use RepAdmin to view replication
topology, create replication topology, and force replication, whether it is for the entire
directory or for specific portions of it. You also can use RepAdmin for monitoring
an Active Directory forest. You must run the RepAdmin command in an elevated
prompt, either by right-clicking the Command Prompt and then clicking Run as
administrator or simply by logging on as an administrator and running it. You must
also have administrative rights on every DC that RepAdmin targets. For instance,
Domain Admins can run RepAdmin on any DC in the domain. Enterprise Admins
can run RepAdmin on any DC in the forest. Here is the syntax for RepAdmin;
Table 8.5 lists the commands:
repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password | *}] [/retry[:<retries>][:<delay>]] [/csv]

A password given with /pw: ends up in the command history and in any script that wraps the call; use /pw:* to be prompted for it instead.

Table 8.5 RepAdmin Commands

repadmin /kcc: Forces the KCC to immediately recalculate the inbound replication topology on the targeted DCs.
Example: repadmin /kcc site:south
The preceding command triggers the KCC to run on each DC in the south site.

repadmin /prp: Manages the Password Replication Policy (PRP) of read-only DCs (RODCs).
Example: repadmin /prp view SIGMA reveal
The preceding command lists the accounts whose passwords are currently cached on the RODC named SIGMA. This is also the set of credentials an attacker obtains by stealing that RODC, so it is worth reviewing regularly.

repadmin /queue: Shows the inbound replication requests that the DC must process to become consistent with its source replication partners.
Example: repadmin /queue FMEA
The preceding command returns the queue of inbound replication requests that a bridgehead server named FMEA has yet to process.

repadmin /replicate: Triggers immediate replication of the specified directory partition to a destination DC from a source DC. The destination DC is named first, then the source.
Example: repadmin /replicate FMEA SIGMA DC=MMA,DC=com
The preceding command replicates the MMA naming context from the SIGMA DC to the FMEA DC.

repadmin /replsingleobj: Replicates a single object between two DCs that hold a common directory partition. Again the destination DC is named first, then the source.
Example: repadmin /replsingleobj FMEA SIGMA "CN=swhitley,OU=Sales,DC=MMA,DC=com"
The preceding command triggers replication of the swhitley object from the SIGMA DC to the FMEA DC.

repadmin /replsummary: Identifies DCs that are failing inbound or outbound replication and summarizes the results in a report.
Example: repadmin /replsummary * /bysrc /bydest /sort:delta
The preceding command targets all DCs in the forest and retrieves summary replication status from each.

repadmin /rodcpwdrepl: Triggers the replication of passwords for the specified users from the source DC to one or more RODCs.
Example: repadmin /rodcpwdrepl dest-rodc* source-dc "CN=swhitley,OU=Sales,DC=MMA,DC=com"
The preceding command triggers replication of the password of the user swhitley from the source DC named source-dc to all RODCs whose names begin with dest-rodc.

repadmin /showattr: Displays the attributes of an object.
Example: repadmin /showattr SIGMA "CN=accountants,CN=Users,DC=MMA,DC=com"
The preceding command queries the SIGMA DC and shows all attributes of the object identified by that DN.

repadmin /showobjmeta: Displays the replication metadata for a specified object in Active Directory Domain Services: attribute ID, version number, originating and local USNs, the GUID of the originating server, and the date and time stamp of each change.
Example: repadmin /showobjmeta SIGMA "<GUID=6f3427ba-g25c-5e85-c129-125bbc897d23>"
The preceding command targets the SIGMA DC and requests the replication metadata for an object specified by its GUID.

repadmin /showrepl: Displays the replication status recorded when the specified DC last attempted inbound replication of its Active Directory partitions.
Example: repadmin /showrepl * /errorsonly
The preceding command reports inbound replication status for every DC in the forest that is experiencing a replication error.

repadmin /showutdvec: Displays the highest committed USN that Active Directory Domain Services on the targeted DC shows as committed for itself and its transitive partners.
Example: repadmin /showutdvec DC=MMA,DC=com
The preceding command shows the highest committed USNs known to the local DC for the MMA.com directory partition.

repadmin /syncall: Synchronizes a specified DC with all of its replication partners.
Example: repadmin /syncall FMEA DC=MMA,DC=com /d /e /a
The preceding command synchronizes the target DC with all its partners, including DCs in other sites: /e crosses site boundaries, /d reports servers by distinguished name, and /a aborts if any server is unreachable.
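Most of these commands are run by hand, but /showrepl with the /csv switch is what you feed to a monitoring job, because a DC that has stopped replicating inbound is also a DC on which account disables, lockouts, and password changes never arrive. The following is an added example, not code from the book, that triages such output: it flags every connection that reports failures or has had no successful inbound replication within a threshold, and ranks a partner that has been silent longer than the tombstone lifetime (180 days by default for a forest created on Windows Server 2003 SP1 or later) as critical, since it can reintroduce deleted objects and normally has to be rebuilt rather than repaired. The SAMPLE text is constructed to look like repadmin's CSV; the DC and site names are the book's except the assumed DC DELTA and site West-Region, and every timestamp and status code is invented.

```python
"""Added example, not from the book: triage the output of
`repadmin /showrepl * /csv`, flagging partners that report failures and partners
whose last successful inbound replication is older than a threshold. SAMPLE is
constructed to mimic that output; DC and site names are the book's, except the
assumed DC DELTA and site West-Region, and every timestamp and status is invented."""
import csv
import io
from datetime import datetime, timedelta

# Subset of the Win32/DS status codes seen in the Last Failure Status column.
STATUS_TEXT = {
    0: "ok",
    1722: "RPC server unavailable (network, firewall or DNS)",
    8453: "replication access was denied (check the DC's computer account and secure channel)",
    8614: "last success exceeds the tombstone lifetime; lingering objects are likely",
}

SAMPLE = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,South-Region,FMEA,"DC=MMA,DC=local",North-Region,SIGMA,RPC,0,0,2008-06-01 09:58:12,0
showrepl_INFO,South-Region,FMEA,"CN=Configuration,DC=MMA,DC=local",North-Region,SIGMA,RPC,0,0,2008-06-01 09:58:12,0
showrepl_INFO,North-Region,SIGMA,"DC=MMA,DC=local",South-Region,FMEA,RPC,12,2008-06-01 10:02:41,2008-05-31 02:10:05,8453
showrepl_INFO,North-Region,SIGMA,"DC=DomainDnsZones,DC=MMA,DC=local",West-Region,DELTA,RPC,240,2008-06-01 10:02:41,2007-11-20 13:44:19,1722
"""


def parse_showrepl(csv_text):
    """One dict per inbound connection (destination <- source, per naming context)."""
    return [r for r in csv.DictReader(io.StringIO(csv_text))
            if r.get("showrepl_COLUMNS") == "showrepl_INFO"]


def _parse_time(value):
    if isinstance(value, datetime):
        return value
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None   # "0" or a never-succeeded placeholder


def triage(csv_text, now, stale_after=timedelta(hours=24),
           tombstone_lifetime=timedelta(days=180)):
    """Rank inbound connections. Older than the tombstone lifetime is critical
    (the DC may resurrect deleted objects, deleted accounts included, and usually
    has to be rebuilt). Any failures, or no success within stale_after, is a
    warning: lockouts, disables and password changes are not reaching that DC."""
    now = _parse_time(now)
    findings = []
    for r in parse_showrepl(csv_text):
        failures = int(r["Number of Failures"])
        status = int(r["Last Failure Status"])
        last_ok = _parse_time(r["Last Success Time"])
        age = (now - last_ok) if last_ok else None
        if age is not None and age > tombstone_lifetime:
            severity = "critical"
        elif failures or age is None or age > stale_after:
            severity = "warning"
        else:
            continue
        findings.append({
            "severity": severity,
            "dest": r["Destination DSA"], "source": r["Source DSA"],
            "nc": r["Naming Context"], "failures": failures,
            "status": status, "status_text": STATUS_TEXT.get(status, f"error {status}"),
            "age_hours": None if age is None else round(age.total_seconds() / 3600, 1),
        })
    findings.sort(key=lambda f: (f["severity"] != "critical", -f["failures"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE, "2008-06-01 10:05:00"):
        print(f"{f['severity']:8} {f['dest']} <- {f['source']} {f['nc']}: "
              f"{f['failures']} failures, {f['status_text']}, "
              f"last success {f['age_hours']} h ago")
```

Pipe real output in with `repadmin /showrepl * /csv > showrepl.csv` and pass the file's text to triage() with the current time. Treat 8453 (access denied) as a security finding rather than a plumbing problem until proven otherwise: it usually means a broken secure channel or a DC computer account that someone changed, both of which are also what a compromised DC looks like from its partners.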
Windows System Resource Manager
Sometimes an application, process, or service takes up the majority of the CPU
cycles to the point that it affects everything else running on the server. To combat
that, Microsoft has provided a feature in Windows Server 2008 called Windows System
Resource Manager (WSRM). WSRM provides an interface where administrators
can configure how both processor and memory resources are allocated among
applications, services, and processes, which lets administrators keep the server
stable. To install WSRM, do the following:
1. Log on to a Windows Server 2008 system and launch Server Manager.
2. In Server Manager, click Features in the console pane on the left side
and choose Add Features in the Details pane.
3. Next, the Select Features box opens. Scroll down to Windows System
Resource Manager and select it. Then click Next.
4. At the Confirm Installation Selections screen, verify the feature you
are installing and then click Install.
5. After the installation is finished, just click Close and youre done.
WSRM uses resource allocation policies to allocate CPU time and memory
usage among applications, services, processes, and even users. These resource
allocation policies can be in effect all the time or you can run them on a scheduled
basis. WSRM policies, though, are enforced only when CPU usage goes above
70% and are never active on processes owned by the operating system or items in
the exclusion list.
If and when certain events take place or the system behaves differently,
WSRM can switch to a different policy to preserve system stability. If accounting
is enabled in WSRM, administrators of the server can examine the collected data
and determine when and why resource allocation policies were either too restrictive
or too lax, and adjust the policies using the information obtained from accounting.
There are four predefined resource allocation policies with WSRM in Windows
Server 2008. These predefined policies make it easy for administrators to quickly
allocate resources. Table 8.6 shows the predefined resource allocation policies.
Table 8.6 WSRM Predefined Policies

Equal per Process: Resources are allocated equally among all running processes, thus preventing one process from monopolizing all available CPU and memory resources.
Equal per User: Resources are allocated equally among all users, thus preventing one user from monopolizing all available CPU and memory resources.
Equal per Session: Resources are allocated equally among all Terminal Services sessions, thus preventing one session from monopolizing all available CPU and memory resources.
Equal per IIS Application Pool: Resources are allocated equally among all IIS application pools, thus preventing one application pool from monopolizing all available CPU and memory resources.
Defining process matching criteria is a common task in WSRM. Administrators
use these rules to include or exclude the processes, services, or applications that
WSRM needs to monitor; the rules are referenced later, when resource allocation
policies are built.
Custom resource allocation policies are similar to matching criteria rules in that
they look for specific processes, services, and application criteria. The custom resource
allocation policy provides an administrator with the ability to define how much of a
resource should be allocated to a specific process, service, or application. For instance,
if only 15% of the system processing should be reserved to the sqlwriter.exe process,
the resource allocation would be defined to limit the allocation of resources to that
process.
The calendar in WSRM is used to schedule policy enforcement, either as a one-time
event or as recurring events. It's possible, for instance, that policy
enforcement is necessary only during business hours.
Administrators can allocate system resources to sessions or users who are
active on Terminal Services. Configuring a policy can ensure that the sessions will
behave correctly and that system availability will be stable for all users of Terminal
Services. You can do this using the Equal per User or Equal per Session policy
within WSRM.
The Windows Reliability
and Performance Monitor
The Windows Reliability and Performance Monitor allows administrators to
monitor application and hardware performance in real time and customize data
they want to collect in logs, predefined thresholds for alerts, and automatic actions.
Administrators can generate reports and view past performance data in a variety
of ways. The Windows Reliability and Performance Monitor combines
previous tools such as Performance Logs and Alerts, Server Performance Advisor,
and System Monitor. It provides a graphical interface for the customization of Data
Collector Sets and Event Trace Sessions. The Windows Reliability and Performance
Monitor consists of three monitoring tools:
■ Resource Overview
■ Performance Monitor
■ Reliability Monitor
There are two ways to start the Windows Reliability and Performance
Monitor. One way is to click Start | Administrative Tools | Reliability and
Performance Monitor; the other is to simply click Start | Run, type perfmon,
and then press Enter. Figure 8.74 is a view of the Windows Reliability and
Performance Monitor console.
Resource Overview
The Resource Overview screen is also known as the Home Page in the Details
pane. It presents data about the system graphically and in real time. You see
the same categories as in the Task Manager: CPU, Network, Memory, and Disk
(the last of which the Task Manager does not show).
You can expand the subsections by clicking on the white down arrow to the far
right of the bar. When you do you will see additional, more detailed information.
For instance, if you expand CPU, you will see information such as the image, PID,
description, threads, CPU, and average CPU. Table 8.7 lists the subsections and their
associated headings.
Figure 8.74 The Windows Reliability and Performance Monitor
The Performance Monitor
Under Monitoring Tools is the Performance Monitor, which displays the built-in
performance counters, either in real time or as historical data. It lets
administrators analyze system data, investigate performance, and find
bottlenecks. To open the Performance Monitor, click it underneath Monitoring
Tools. The Performance Monitor is the successor of System Monitor, which in
Windows Server 2003 let you measure the performance of your own system or that
of other Windows systems on the network and collect and view real-time performance
data. With the Performance Monitor in Windows Server 2008, you work with objects,
counters, and instances. Table 8.8 provides a quick description of each.
Table 8.7 Subsections and Headings

CPU: Image, PID, Description, Threads, CPU, Average CPU
Disk: Image, PID, File, Read, Write, IO Priority, Response Time
Network: Image, PID, Address, Send, Receive, Total
Memory: Image, PID, Hard Faults, Commit, Working Set, Shareable, Private

Table 8.8 Components of the Performance Monitor

Object: System components are grouped into objects according to system functionality. Which objects exist, and how many, depends on the configuration of the system.
Counter: A measurable aspect of an object; each object exposes one or more counters that give detailed information about it. Examples are queue length, session % used, and pages converted.
Instances: If more than one similar object is on a server, each one is considered an instance. Servers with multiple processors have an instance for each.
Exercise 8.15 takes you through the steps of adding counters in the Performance
Monitor.
EXERCISE 8.15
ADDING COUNTERS IN
THE PERFORMANCE MONITOR
1. Open Reliability and Performance Monitor either by clicking Start |
Administrative Tools | Reliability and Performance Monitor or
Start | Run. Type perfmon and press Enter.
2. In the console tree, click Monitoring Tools | Performance Monitor.
This will open the Performance Monitor.
3. Click the green plus sign in the Details pane and the Add
Counters screen should come up and start loading a list of
counters.
4. Now its time to select the counters. We will be setting up counters
to help us set up a baseline for the system. To do that the
counters we need are Memory-Pages/sec, Physical Disk-Avg. Disk
Queue Length, and Processor-%Processor Time.
5. To add Memory-Pages/sec, go down the list of counters and
click on Memory. Now go down its list and select Pages/sec and
then click Add. Do the same for Physical Disk-Avg. Disk Queue
Length and Processor-%Processor Time. Once you're done adding
your counters, click on OK. You may get a message letting you
know that one of the counters is already present. That is the
%Processor Time. Just click OK.
6. Now you should see the Performance Monitor with the counters
you just added, similar to Figure 8.75. Notice that if you highlight
any one of the lines on the chart you get the value at that point
in time.
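Watching the three baseline counters in a live chart is fine for a demonstration, but a baseline is only useful if something compares later samples against it. The following is an added example, not code from the book: it reads a Performance Monitor or Data Collector Set log that has been written (or converted with `relog <file>.blg -f CSV -o <file>.csv`) in the PDH-CSV format, and reports only sustained breaches, that is runs of consecutive samples above a ceiling, so that a single spike such as a one-off page-in burst is not an alert. The sample log rows, the host name SIGMA, and the three ceilings are assumptions; replace the ceilings with the values your own baseline shows.

```python
"""Added example, not from the book: read a Performance Monitor / Data Collector
Set log in PDH-CSV 4.0 format and flag sustained breaches of the Exercise 8.15
baseline counters. The thresholds and every sample row are assumptions."""
import csv
import io

# Rule-of-thumb ceilings (assumed, not from the book); tune to the measured baseline.
THRESHOLDS = {
    "Memory\\Pages/sec": 20.0,
    "PhysicalDisk(_Total)\\Avg. Disk Queue Length": 2.0,
    "Processor(_Total)\\% Processor Time": 85.0,
}

# Constructed log: 15-second samples as Performance Monitor writes them to CSV.
SAMPLE_LOG = (
    '"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\\\SIGMA\\Memory\\Pages/sec",'
    '"\\\\SIGMA\\PhysicalDisk(_Total)\\Avg. Disk Queue Length",'
    '"\\\\SIGMA\\Processor(_Total)\\% Processor Time"\n'
    '"06/01/2008 10:00:00.000","3.1","0.40","12.5"\n'
    '"06/01/2008 10:00:15.000","4.0","0.55","18.0"\n'
    '"06/01/2008 10:00:30.000","48.7","0.61","40.2"\n'
    '"06/01/2008 10:00:45.000","5.2","1.10","91.3"\n'
    '"06/01/2008 10:01:00.000","6.0","1.40","97.8"\n'
    '"06/01/2008 10:01:15.000","4.4","0.90","88.1"\n'
    '"06/01/2008 10:01:30.000","3.9"," ","22.0"\n'
    '"06/01/2008 10:01:45.000","3.5","0.30","15.7"\n'
)


def counter_name(path):
    """'\\\\SIGMA\\Memory\\Pages/sec' -> 'Memory\\Pages/sec' (drop the machine part)."""
    parts = path.split("\\")
    return "\\".join(parts[3:])


def parse_pdh_csv(text):
    """Return {counter: [(timestamp, value or None), ...]}; a blank cell is a missing sample."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    names = [counter_name(h) for h in header[1:]]
    series = {n: [] for n in names}
    for row in reader:
        if not row:
            continue
        for name, cell in zip(names, row[1:]):
            cell = cell.strip()
            series[name].append((row[0], float(cell) if cell else None))
    return series


def sustained_breaches(samples, threshold, min_samples=3):
    """Runs of at least min_samples consecutive samples above threshold.
    A missing sample ends a run, so a gap is never bridged."""
    runs, run = [], []
    for ts, value in samples + [(None, None)]:      # sentinel closes the last run
        if value is not None and value > threshold:
            run.append((ts, value))
            continue
        if len(run) >= min_samples:
            runs.append({"start": run[0][0], "end": run[-1][0],
                         "peak": max(v for _, v in run), "samples": len(run)})
        run = []
    return runs


def evaluate(text, thresholds=THRESHOLDS, min_samples=3):
    """Apply every ceiling to the matching counter in the log."""
    series = parse_pdh_csv(text)
    return {name: sustained_breaches(series[name], limit, min_samples)
            for name, limit in thresholds.items() if name in series}


if __name__ == "__main__":
    for name, breaches in evaluate(SAMPLE_LOG).items():
        for b in breaches:
            print(f"{name}: {b['samples']} samples above limit, "
                  f"{b['start']} to {b['end']}, peak {b['peak']}")
```

With the sample data, the single Pages/sec spike at 10:00:30 is ignored while the three consecutive processor samples above 85% are reported as one breach. The same run-length rule is what the Data Collector Set alert threshold does with its sample count, and it is the difference between a baseline that pages someone and one that is switched off after a week.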
The Reliability Monitor
The Reliability Monitor provides a system stability overview and information
about events that affect reliability. It is useful for finding the root cause
of reduced system reliability. For instance, we may have
a server that is slow to perform read and write requests. Using the Reliability
Monitor, we can examine the server's trend over a period of time and examine
failure types in detail. The Reliability Monitor calculates the Stability Index,
which is shown in the System Stability Chart and helps in diagnosing items that
might be affecting the system. An index of 1 means the system is in its least
stable state, whereas an index of 10 indicates the system is at its most stable.
The index number is derived from the number of specified failures seen over
a historical period. Figure 8.76 shows the System Stability Chart of the server
called SIGMA.
Figure 8.75 The Performance Monitor with Baseline Counters
Notice that this server's index has been on a downward slope.
The current index is 7.24; although it is not the worst it could be, there are obviously
some problems that need to be addressed. When you examine any of the System
Stability Reports below the chart, you see information such as Failure Type, Version,
Failure Detail, and Date. In Figure 8.77, we have opened the latest error that took
place; the failure type is OS Stopped working and the failure detail is a group of
hex values.
Figure 8.76 The System Stability Chart
The failure detail here is one that is shown in a blue screen crash. The next
thing this administrator should do is look for a file named memory.dmp and then
contact Microsoft Product Support Services to have the file examined.
Data Collector Sets
A Data Collector Set organizes multiple data collection points into a single component
that you can use to review or log performance. It can be created and then
recorded separately, grouped with other sets, and incorporated into logs. Data
Collector Sets can contain the following types of data collectors: performance
counters, event trace data, and system configuration information. There are two
types of Data Collector Sets: User Defined and System. User Defined sets are customized
by the user or administrator, whereas System Data Collector Sets are predefined and
are broken down into Active Directory Diagnostics, LAN Diagnostics, System
Diagnostics, and System Performance.
Data Collector Sets can be created from templates, from existing sets of data
collectors in a Performance Monitor view, or by selecting individual Data
Collectors and setting each individual option in the Data Collector Set properties.
Exercise 8.16 walks you through the process of creating a User Defined Data
Collector Set.
Figure 8.77 A Windows Failure in the System Stability Report
EXERCISE 8.16
CREATING A USER-DEFINED DATA COLLECTOR SET
1. First go into the Reliability and Performance Monitor as you did
in the previous exercise.
2. In the console tree, go to Data Collector Sets | User Defined.
3. Right-click on User Defined and select New | Data Collector Set.
4. At the first Create a new Data Collector Set screen type in a
descriptive name. For our example, we called ours AD DS Set.
Select Create from a template and press Next.
5. In the next screen, you are asked which template you would
like to use. Because ours is called AD DS Set, we obviously want
to select Active Directory Diagnostics, so we'll select that and
click Next. The Active Directory Diagnostics template collects data on
this local server that includes Registry keys, performance counters,
and trace events that are helpful in troubleshooting Active
Directory Domain Services performance issues.
6. Next we are asked where we would like the data to be saved.
Accept the default, which in this case is %systemdrive%\Perflogs\
Admin\AD DS Set, and then click Next.
7. Now we are asked whether we want to create the data collector
set. Select the default of Save and Close and click Finish.
8. Now under User Defined beneath Data Collector Sets, you should
see the newly created Data Collector Set AD DS Set, as shown in
Figure 8.78.
Reports
The last folder in the Windows Reliability and Performance Monitor is Reports.
Reports support administrators who need to troubleshoot and analyze system
performance and issues. Reports are based on Data Collector Sets and are also
broken down into User Defined and System. Once you've created the Data
Collector Set, its corresponding reports folder is available, as shown in Figure 8.79.
Figure 8.78 Newly Created User-Defined Data Collector Set
Figure 8.79 A User-Defined Report Automatically Created
Summary of Exam Objectives
Maintaining an Active Directory environment constitutes 13% of the total exam for
70-640. It covers areas concerning backup and recovery, offline maintenance, and
monitoring Active Directory. With the release of Windows Vista, backup and recovery
have changed since Windows 2003 and those changes are further evident in Windows
Server 2008. No longer is backup performed using ntbackup.exe, but rather through
the Windows Server Backup interface or by using the wbadmin command-line tool.
One of the changes in the new backup is DVD support. Also, after the first full
backup all future jobs automatically run incremental backups by default. You can
back up to removable media such as DVD only via the command prompt and not
through the GUI. Restoration is also simplified in that administrators no longer have
to restore from a multitude of media if the backup was done via an incremental
backup. One thing that is no longer supported is the ability to back up to tape.
Microsoft has removed this capability.
You install Windows Server Backup in Windows Server 2008 via Server Manager by adding it
as a feature. The command-line tools are not installed by default, so you must select
them, and they require Windows PowerShell to be installed as well.
Windows Server Backup is well suited to personnel who are not heavily versed in
Windows or IT as a whole: the interface is easy to navigate and creating jobs is
wizard-based. Specific backups such as only the system state must be done
via the wbadmin command. Full backups scheduled through the GUI do include the
system state, but restoring just the system state is done only via the command line,
and on a DC the administrator must be in DSRM.
DSRM is a special boot mode in Windows Server 2008. If the Active Directory
database file (ntds.dit) becomes corrupt, for instance, it is through DSRM that an
administrator can restore an uncorrupted version. You can access DSRM via the
boot process before loading Windows and just after the BIOS POST. To enter
DSRM, you must press F8 during the boot-up procedure and choose Directory
Services Restore Mode from the list of options. It is in DSRM that authoritative
and nonauthoritative restores are done.
Just as in previous versions of Windows Server, both authoritative and nonauthoritative
restores are supported. In the case mentioned earlier regarding a
corruption in ntds.dit, an administrator would perform a nonauthoritative restore
of ntds.dit, and any discrepancies between the restored copy and the copies on
the other DCs in the domain would be updated or removed through the replication
process. In some situations, though, for instance after accidentally deleting an object
such as a user account in Active Directory, a nonauthoritative restore
will do nothing to bring back the deleted object, because replication would simply
delete it again. This is where an authoritative restore is required. An authoritative
restore is performed in DSRM, and the object being restored is marked authoritative at
the ntdsutil authoritative restore prompt. After an authoritative restore, the object
is replicated back to all the DCs in the domain.
Linked Value Replication is performed when the forest level is at a Windows
Server 2003 level or above. LVR replicates individual values of an object, not the
entire object or an entire attribute, but just the value that has changed, thus reducing
the amount of bandwidth consumed during replication.
Backing up a Group Policy Object consists of making a copy of the GPO data
to the file system. Backups and restores are performed within the Group Policy
Management Console. Another type of GPO that can be backed up is the Starter
GPO. These GPOs are not included in the backup of regular GPOs and must be
specifically backed up within the GPMC.
Offline maintenance has changed under Windows Server 2008. No longer do
tasks such as defragging and compacting require booting into DSRM; with the
advent of Restartable Active Directory, end-user productivity is less affected than
before. Restartable Active Directory runs as a service known as Active Directory
Domain Service and is seen in the Services console in Windows Server 2008.
Services such as DHCP and file/print are unaffected by stopping the Active
Directory Domain Service. Stopping the Active Directory Domain Service, though,
will stop services such as the Kerberos Key Distribution Center (KDC), intersite
messaging, DNS server, and DFS replication. Restarting the Active Directory Domain
Service does restart those services as well. To defrag the ntds.dit file just stop the
Active Directory Domain Service and run the ntdsutil command, activate the ntds
instance, pull up the File Maintenance prompt, and then type the compact command.
Once finished, there is no need to reboot the server; just restart the Active Directory
Domain Service.
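The offline defragmentation just described (the same procedure the Self Test later walks through), as an added PowerShell example that is not from the book. It assumes the default %SystemRoot%\NTDS database path, an E: backup volume and a C:\defrag scratch directory, and that the Windows Server Backup command-line tools are installed.

```powershell
# Added example, not from the book: offline defragmentation of ntds.dit on a
# Windows Server 2008 DC using restartable AD DS, following the chapter's steps
# (system state backup, stop AD DS, ntdsutil compact, swap the file, restart).
# Assumed values: default database path %SystemRoot%\NTDS, backup volume E:,
# scratch directory C:\defrag. Run from an elevated PowerShell on the DC.
$ntdsDir      = Join-Path $env:SystemRoot 'NTDS'   # assumed default DB location
$compactDir   = 'C:\defrag'                        # assumed scratch directory
$backupTarget = 'E:'                               # assumed backup volume

# Free-space rule from the chapter: when ntds.dit and its logs share a partition,
# keep at least 20% of their combined size or 1 GB free, whichever is greater.
$dbBytes  = (Get-ChildItem (Join-Path $ntdsDir '*') -Include ntds.dit,*.log |
             Measure-Object -Property Length -Sum).Sum
$required = [Math]::Max(0.2 * $dbBytes, 1GB)
$disk     = Get-WmiObject Win32_LogicalDisk -Filter ("DeviceID='{0}'" -f $ntdsDir.Substring(0, 2))
if ([double]$disk.FreeSpace -lt $required) {
    throw ("Only {0:N0} bytes free on {1}; need {2:N0}" -f $disk.FreeSpace, $disk.DeviceID, $required)
}

# 1. System state backup first (requires the Windows Server Backup command-line tools).
& wbadmin start systemstatebackup "-backupTarget:$backupTarget" -quiet
if ($LASTEXITCODE -ne 0) { throw "System state backup failed (exit code $LASTEXITCODE)" }

# 2. Note which services depending on NTDS (KDC, DNS, DFSR, ISM) are running:
#    Stop-Service -Force stops them, but Start-Service NTDS does not bring them back.
$dependents = (Get-Service -Name NTDS).DependentServices |
    Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.Name }

New-Item -ItemType Directory -Path $compactDir -Force | Out-Null

# 3. Stop AD DS; no reboot into DSRM is needed on Windows Server 2008.
Stop-Service -Name NTDS -Force
(Get-Service -Name NTDS).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

try {
    # 4. Compact the database into the scratch directory (ntdsutil accepts the
    #    commands it would otherwise prompt for as arguments).
    & ntdsutil 'activate instance ntds' 'files' "compact to $compactDir" 'quit' 'quit'
    $compacted = Join-Path $compactDir 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw "ntdsutil did not produce $compacted" }

    # 5. Keep a copy of the old file, replace it with the compacted one and
    #    remove the transaction logs, as the chapter's procedure describes.
    Copy-Item (Join-Path $ntdsDir 'ntds.dit') (Join-Path $compactDir 'ntds.dit.old') -Force
    Copy-Item $compacted (Join-Path $ntdsDir 'ntds.dit') -Force
    Remove-Item (Join-Path $ntdsDir '*.log') -Force

    # 6. Verify the new database before bringing AD DS back online
    #    (ntdsutil reports "Integrity check successful." on a clean database).
    $out = & ntdsutil 'activate instance ntds' 'files' 'integrity' 'quit' 'quit' 2>&1
    if (($out | Out-String) -notmatch 'Integrity check successful') {
        throw "Integrity check failed; restore ntds.dit.old or the system state backup"
    }
}
finally {
    # 7. Restart AD DS and the services that were stopped along with it.
    Start-Service -Name NTDS
    foreach ($name in $dependents) { Start-Service -Name $name -ErrorAction SilentlyContinue }
}
```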
Making sure that objects and attributes are up-to-date and consistent among
DCs is key to monitoring Active Directory. Tools such as the Network Monitor
(netmon), Event Viewer, Replication Monitor (replmon), and Replication
Administrator (repadmin) are key. Performance of DCs is also of concern and
tools such as the Task Manager, Windows System Resource Manager, Windows
Reliability and Performance Monitor, and Event Viewer are used to monitor them.
Exam Objectives Fast Track
Backup and Recovery
• Windows Server 2008 backup uses block-level images and .vhd files.
• Tape is no longer supported.
• Windows Server Backup is the new GUI for backup in Windows Server 2008.
• Backups can be scheduled more than once a day and at specific times.
• Wbadmin.exe is the new command-line interface for backup.
• Backup and restore of just the system state must be done using wbadmin.exe.
• Directory Services Restore Mode (DSRM) is used to perform authoritative and nonauthoritative restores.
• Authoritative restores should be performed after an object in Active Directory has been accidentally deleted and replication to the other DCs has taken place.
• Nonauthoritative restores are good for lost updates such as a password for a user account and corruption found in the ntds.dit file.
• Linked Value Replication (LVR) is used when changes in group membership occur and only the individual member(s) is replicated and not the entire membership group as a whole.
• GPOs and Starter GPOs are backed up separately.
Offline Maintenance
• Active Directory Domain Services runs as a service under Windows Server 2008 and can be started and stopped at will but can never be paused.
• Because of restartable Active Directory Domain Services, routine tasks can be performed without affecting other services such as DHCP and file/print services.
• The three states that a Windows Server 2008 DC runs in are AD DS Started, AD DS Stopped, and Domain Services Restore Mode (DSRM).
• Offline defrag and compaction shrink the size of ntds.dit, thus saving disk space.
• If ntds.dit and its logs are located on the same partition, free space should be at least 20% of the combined database file and logs or 1 GB, whichever is greater.
Monitoring Active Directory
• Tools used to monitor Active Directory are the Network Monitor, Event Viewer, replmon, and repadmin.
• DC performance and stability are monitored using the Task Manager, Windows System Resource Manager (WSRM), Windows Reliability and Performance Monitor, and Event Viewer.
• Network Monitor (netmon) Version 3.0 and later are supported on Windows Server 2008 and must be downloaded to install.
• Netmon is very useful in verifying that traffic is flowing as it's supposed to, along with making sure name resolution is occurring correctly.
• The Task Manager is ideal for immediate viewing of resources being used on a server.
• The Event Viewer is typically the first place to start troubleshooting anything that has to do with the server or Active Directory.
• The Event Viewer is now based on XML.
• Replmon (Replication Monitor) is a GUI tool used to examine replication among DCs and view the replication topology.
• RepAdmin (Replication Administrator) is a command-line version of Replmon.
• The Windows System Resource Manager (WSRM) allows an administrator to configure how processor and memory resources are allocated among applications.
• The Windows Reliability and Performance Monitor allows administrators to monitor application and hardware performance in real time.
Exam Objectives
Frequently Asked Questions
Q: Since Windows Server Backup doesn't read .bkf files, is there any way to restore
any information from one in Windows Server 2008?
A: Yes. You can download a version of ntbackup for Windows Server 2008 for
the sole purpose of restoring items that were backed up with the old software,
but you cannot back up with it. You can download the ntbackup for Windows
Server 2008 from http://go.microsoft.com/fwlink/?LinkId=82917.
Q: Does Windows Server Backup support tape?
A: No. It supports backing up to disk, removable media such as DVD, and network
drives.
Q: Does Windows Server Backup come preinstalled with Windows Server 2008?
A: No. You must add it as a feature.
Q: Can you back up just the system state with Windows Server Backup?
A: No. Windows Server Backup backs up at the volume level and does not include
an option for choosing just the system state or a particular directory or file. You
can use wbadmin.exe via a command prompt to back up just the system state.
Q: Since Windows Server 2008 supports backing up to DVD, can you also back up
to USB-based flash drives as well?
A: Yes. To back up to any removable media such as DVD or USB flash drives, you
must do so using the wbadmin.exe command-line tool.
Q: If I forget the Directory Services Restore Mode (DSRM) administrator's password,
can I still get in DSRM?
A: No, but if you change the DSRM Administrator's password at the ntdsutil
prompt in Windows Server 2008, you can.
Q: What is the difference between an authoritative restore and a nonauthoritative
restore?
A: An authoritative restore restores a directory object, such as a user account
that may have been deleted accidentally, and flags it so that its restoration is
replicated among the other DCs. A nonauthoritative restore is useful for when
the Active Directory database file (ntds.dit) has become corrupt and you need
to restore it. After restoration, directory replication brings it up-to-date with all
the other DCs.
Q: Does Windows Server Backup back up GPOs?
A: No. You must back up GPOs and Starter GPOs via the Group Policy
Management Console (GPMC).
Q: Do you still have to boot into DSRM to perform offline defragging?
A: No. You can simply stop Active Directory Domain Services in the Services
console and perform it without going into the DSRM. Functions such as
DHCP and file/print are unaffected and are still operational.
Q: Can I monitor Active Directory replication using the Network Monitor
(netmon)?
A: You cannot see the actual replication itself, but you can verify that the DCs
are talking to each other. A better alternative would be to use either the
Replication Monitor (replmon) or Replication Administrator (repadmin).
Q: What are some of the new benefits of the Event Viewer?
A: The Event Viewer is now XML-based, so it's even easier to import information
from it into different applications. You can create subscriptions, which allow
remote servers to forward events to a centrally located server so that they can be
examined in one place.
Q: What does the Windows Reliability and Performance Monitor actually do?
A: It allows administrators to monitor application and hardware performance in
real time as well as customize the data they collect in logs. It's made up of three
primary monitoring tools: the Resource Overview, Performance Monitor,
and Reliability Monitor. You can customize the data you log by creating Data
Collector Sets, which you can examine via Reports in the tool.
Self Test
1. You've just finished installing a new Windows Server 2008 DC. It is the
policy of the IT department to perform a full backup of newly installed DCs.
You click on Start | Administrative Tools | Windows Server Backup.
When Windows Server Backup loads you see the following screen.
What do you need to do to ensure that the backup takes place?
A. Run DCPROMO
B. Install the Windows Server Backup feature
C. Go to a command prompt and run wbadmin.exe
D. Boot into DSRM and conduct the backup from there
2. You are responsible for performing backups on the DCs on your network.
Your boss has requested that you conduct system state backups to DVD. How
do you accomplish this?
A. Run the Windows Server Backup Wizard, select System State
Backup, and set your target to the DVD drive
B. Run the Windows Server Backup Wizard, select a local drive as the
target, and then copy the system state backup to the DVD drive
C. Run the wbadmin.exe command with the start systemstatebackup command
and target it to the DVD drive
D. Run the wbadmin.exe command with the start systemstatebackup command,
set the target to a local fixed drive, and then copy the system state backup
to a DVD
3. You are the network administrator for your company. Last night you successfully
performed a system state backup of one of your DCs. Due to an unforeseen issue,
you now need to perform a system state restore. What do you need to do to
conduct a system state restore on a DC?
A. Reboot the DC, go into DSRM, and run wbadmin.exe to perform the
system state restore
B. Log on to the DC as usual and run wbadmin.exe to restore the system
state
C. Stop Active Directory Domain Services and then run the wbadmin.exe
command to restore the system state
D. Just restore the system state via the Windows Server Backup Wizard
4. You are the network administrator for your company. You have a scheduled
backup job run three times a day: 10:00 a.m., 4:00 p.m., and 11:00 p.m. At 4:50 p.m.,
you get a call that user Janet Harrell has deleted the company budget on the
server. There are no previous versions available. What should you do to restore
the company budget?
A. Run ntbackup, select the company budget from the list of files backed up,
and choose Restore
B. Run Windows Server Backup, select Recover from the Actions
pane, choose Files and Folders as the recovery type. Select the company
budget from the Available items list. Choose Original location for
recovery destination, create copies so that you have both versions of the
file or folder under When the wizard finds files and folders in the
recovery destination, and choose Restore security settings.
C. Go into DSRM, run wbadmin.exe, and conduct a system state recovery
D. Stop Active Directory Domain Services, load ntbackup, select the company
budget, and choose Restore
5. You are the network administrator at your company. The Active Directory
database file on one of your DCs is corrupt. You decide to perform a nonauthoritative
restore on the DC. You reboot the server into DSRM and try to
log on as the domain administrator but you cannot. You need to get this DC
back up and functioning as soon as possible. What can you do to achieve this?
A. Log on to the server with another domain administrator's account
B. Log on to the server using the local administrator's account
C. Change the domain administrator's password from another DC and then
log on using the account with the new password
D. Log on using the DSRM administrator's account and password
6. You are the domain admin for your company. You have tasked Susan, a member
of the Account Operators group, to delete Amber Chambers' user account
because she quit yesterday. Susan accidentally deletes Andy Chambers' account.
Before she realizes what's happened, the change is replicated to the other DCs.
What can you do to bring back Andy Chambers' user account?
A. Reboot the DC into DSRM, restore the system state, and conduct a
nonauthoritative restore on Andy Chambers' user account from the most
recent backup using wbadmin.exe
B. Reboot the DC into DSRM, restore the system state, and conduct an
authoritative restore on Andy Chambers' user account from the most
recent backup using wbadmin.exe
C. Log on to the DC in normal mode, stop Active Directory Domain Services,
load Windows Server Backup, restore the system state, and perform an
authoritative restore of Andy Chambers' user account
D. Log on to the DC in normal mode, stop Active Directory Domain Services,
load Windows Server Backup, restore the system state, and perform a nonauthoritative
restore of Andy Chambers' user account
7. You are the domain administrator for your company. Examining one of the
DCs, you notice that the file ntds.dit is almost 6 GB in size. You decide that
to save disk space and increase performance you will defrag Active Directory
Domain Services. How would you accomplish this?
A. Log on to the server as an administrator. Perform a system state backup of
the DC. Create a new directory on the system drive called C:\defrag. Stop
Active Directory Domain Services. Start an instance of ntdsutil and activate
Instance ntds. At the ntdsutil prompt pull up the file maintenance prompt
and type compact to c:\defrag. Go to the %systemdrive%\Windows\
NTDS directory and delete the old ntds.dit file as well as any .log files.
Copy the ntds.dit file in the C:\defrag folder to %systemroot%\Windows\
NTDS, and then restart Active Directory Domain Services.
B. Log on to the server as an administrator. Perform a system state backup of
the DC. Create a new directory on the system drive called C:\defrag. Start
an instance of ntdsutil and activate Instance ntds. At the ntdsutil prompt,
pull up the file maintenance prompt and type compact to c:\defrag.
Go to the %systemdrive%\Windows\NTDS directory and delete the old
ntds.dit file as well as any .log files. Copy the ntds.dit file in the C:\defrag
folder to the %systemroot%\Windows\NTDS.
C. Log on to the server as an administrator in DSRM. Perform a system state
backup of the DC. Create a new directory on the system drive called
C:\defrag. Stop Active Directory Domain Services. Start an instance of
ntdsutil and activate Instance ntds. At the ntdsutil prompt, pull up the
file maintenance prompt and type compact to c:\defrag. Go to the
%systemdrive%\Windows\NTDS directory and delete the old ntds.dit file
as well as any .log files. Copy the ntds.dit file in the C:\defrag folder to the
%systemroot%\Windows\NTDS, and then restart Active Directory Domain
Services.
D. Log on to the server as an administrator. Perform a system state backup
of the DC. Create a new directory on the system drive called C:\defrag.
Stop Active Directory Domain Services. Start an instance of ntdsutil and
activate Instance ntds. At the ntdsutil prompt, pull up the file maintenance
prompt and type compact to c:\defrag. Go to the %systemdrive%\
Windows\NTDS directory and delete the old ntds.dit file as well as any
.log files. Copy the ntds.dit file in the C:\defrag folder to %systemdrive%\
Windows\NTDS.
8. You are the domain administrator for your company. Your network consists of
three DCs, each running Windows Server 2008. Two are at site A, and the third
is located at site B. There seems to be a replication problem between the DCs
at site A and the DC at site B. What is the best tool to use in troubleshooting
directory replication?
A. Network Monitor
B. Task Manager
C. RepAdmin
D. Event Viewer
9. You are the domain administrator for your company. Your network consists
of multiple DCs at multiple sites. A DC at your local site is having problems
with replicating. You need to know when this DC last attempted to perform
an inbound replication on the Active Directory partitions. How would you
accomplish this?
A. Open a command prompt on the DC and run ntdsutil
B. Open a command prompt on the DC and run repadmin /replicate
C. Open a command prompt on the DC and run repadmin /rodcpwdrepl
D. Open a command prompt on the DC and run repadmin /showrepl
10. You are the domain administrator for your company. At your site you have a
single DC that also acts as an application server. From 10:00 a.m. to 4:00 p.m.,
users complain about slow logons to the network and that accessing resources
from this DC is incredibly slow during most of the workday. You log on to the
DC, pull up the Task Manager, and notice that a process called CustApp.exe
is using just more than 90% of the CPU cycles. The application must remain
running during the day, but you also need to resolve the slow logon issues.
There is no money in the budget for additional hardware. What is the best way
to handle this situation?
A. Go into the Windows System Resource Manager on the DC, and create
a new recurring calendar event to start at 8:00 a.m. and end at 5:00 p.m.
daily. Associate the event with the Equal_Per_Process policy.
B. Go into the Task Manager and into the Processes tab. Find CustApp.exe
and set the priority to Below Normal.
C. Go into the Task Manager and into the Process tab. Find CustApp.exe and
end the process.
D. Purchase a second server to run only the CustApp.exe application
Self Test Quick Answer Key
1. B
2. D
3. A
4. B
5. D
6. B
7. A
8. C
9. D
10. A
Self Test Appendix
Appendix
MCTS/MCITP
Exam 640
Chapter 1: Configuring Server Roles in Windows 2008
1. You are the administrator for a nationwide company with over 5,000 employees.
Your main office has approximately 4,500 employees, while the company's ten
remote offices have 50 users residing in each. You are often unaware of the
physical security in place at these offices. However, since there is a fairly sizable
amount of users at each office, you must provide them with directory services.
What is the BEST option to use for directory services when security is often an
unknown?
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Directory Rights Management Services
Correct Answer & Explanation: B. This is essentially the ideal scenario for the
use of a read-only domain controller, since only the accounts of users authenticating
from the remote office will be cached on the server.
Incorrect Answers & Explanations: A, C, and D. Answer A is incorrect because
LDS is used in situations when all of the features of a full Active Directory
are not required. Answers C and D are incorrect because these are used for
authentication between domains and document security, respectively.
2. ________ is a format- and application-agnostic technology, which
provides services to enable the creation of information-protection solutions.
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Directory Rights Management Services
Correct Answer & Explanation: D. Active Directory Rights Management
Services, or AD RMS, is a technology now available as part of Windows Server
2008 that protects documents (such as e-mails and spreadsheets) by assigning
Active Directory-based credentials to the documents.
Incorrect Answers & Explanations: A, B, and C. Answer A is incorrect because
LDS is used in situations when all of the features of a full Active Directory
are not required. Answer B is incorrect because RODCs are used as a secure
Directory Services solution in remote offices, and C is incorrect because AD
FS is used for synchronizing external Active Directory domains for authentication
purposes.
3. You are the administrator for a nationwide company with over 5,000
employees. Your director tells you your company has just signed into a
partnership with another organization, and that you will be responsible for
ensuring that authentication can occur between both organizations without
the need for additional sign-on accounts. Your boss mentions that the partner
has a variety of Directory Services installed throughout their organizations.
Which of the following can Active Directory Federation Services NOT
connect to?
A. Lightweight Directory Services
B. Windows Server 2003 Directory Services
C. Windows Server 2003 R2 Directory Services
D. All of the above
Correct Answer & Explanation: B. Active Directory Federation Services was
not introduced until the R2 release of Windows Server 2003.
Incorrect Answers & Explanations: A, C, and D. Answers A and C are incorrect
because AD FS can connect to both LDS and Windows Server 2003 DS.
Answer D is incorrect because AD FS can connect to both LDS and Windows
Server 2003 R2.
4. You are the administrator for a nationwide company with over 5,000
employees. Your main office has approximately 4,500 employees, while your
company's ten remote offices have 50 users each residing in them. You are
often unaware of the physical security in place at these offices. However, since
there is a fairly sizable amount of users at each office, you need to provide
them with directory services. What is the BEST option to use for directory
services when security is often an unknown?
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Directory Rights Management Services
Correct Answer & Explanation: B. This is essentially the ideal scenario for the
use of a read-only domain controller since only the accounts of users authenticating
from the remote office will be cached on the server.
Incorrect Answers & Explanations: A, C, and D. Answer A is incorrect because
LDS is used in situations when all of the features of a full Active Directory are not
required. Answers C and D are incorrect because these are used for authentication
between domains and document security, respectively.
5. The Web development team has requested that you implement a new Web
server in a DMZ that will be used for presenting Web sites to customers.
Which of the following is NOT a reason for using Windows Server 2008
Core Server?
A. A Core installation does not require a Windows Server 2008 license.
B. A Core installation does not provide GUIs, which limits console access.
C. Core Server installs fewer services than a full installation of Windows
Server 2008.
D. Core Server uses fewer resources than a full installation of Windows Server
2008.
Correct Answer & Explanation: A. Although Core Server looks nothing like
the full installation, it still requires the appropriate server license.
Incorrect Answers & Explanations: B, C, and D. Answer B is incorrect because
Core Server offers absolutely no GUIs by default. Answers C and D are
incorrect because there are both fewer services and fewer hardware resources
(memory, CPU, and disk space) than a full installation.
6. You have a Windows Server 2003 R2 domain currently running in your organization.
You would like to install a read-only domain controller into your
Directory Services structure, but you do not want to completely upgrade your
domain to Windows Server 2008 Directory Services just yet. What do you
need to do in order to add an RODC?
A. Change the domain functional level to Windows Server 2008 mixed mode.
B. Change the forest functional level to Windows Server 2008 mixed mode.
C. Run adprep on a Windows Server 2003 R2 domain controller.
D. An RODC cannot be added until the entire domain is a Windows Server
2008 Directory Services domain.
Correct Answer & Explanation: C. adprep must be run on a Windows Server 2003
R2 domain controller using Windows Server 2008 media.
Incorrect Answers & Explanations: A, B, and D. Answers A and B are incorrect
because a Windows 2003 R2 domain and forest would not have an option to
raise the functional levels to 2008. Answer D is incorrect because an RODC can
be added to a Windows Server 2003 R2 domain.
7. You are looking to upgrade your environment to Windows Server 2008, and
you are explaining the new Server Manager console to your boss. Which three of
the following answers correctly describe ways that Server Manager can be used?
A. Server Manager can be used to add new server roles.
B. Server Manager can be used to add new server features.
C. Server Manager can be used to configure server failover.
D. Server Manager can be used for scripting commands.
Correct Answers & Explanation: A, B, and C. These three are functions available
via Server Manager. For a more complete list, see Table 1.1.
Incorrect Answer & Explanations: D. Answer D is incorrect because scripting
is done through command lines and PowerShell.
8. You are attempting to install Directory Services on a Windows Server 2008
Server Core installation. You type dcpromo at the command prompt, but the
server fails to install Directory Services. What is the MOST LIKELY reason
for this?
A. Directory Services are not supported on a Server Core installation, only
read-only domain controllers.
B. You must use an unattended file to complete the Directory Services
installation.
C. You must use the Server Manager from another Windows Server 2008
system to complete the installation.
D. Your server's chipset does not support Directory Services in a Server Core
installation.
Correct Answer & Explanation: B. An unattended file (a text file with information
about the planned installation) must be referenced during the installation
procedure.
Incorrect Answers & Explanations: A, C, and D. Answer A is incorrect. Directory
Services can be installed on a Server Core installation. Answer C is incorrect
because Directory Services cannot be installed from another server. Answer D is
incorrect because the chipset would not cause Directory Services to fail during
installation.
9. Which of the following Directory Services administration tools can be used in
a Windows Server 2008 Lightweight Directory Services installation?
A. Active Directory Users and Computers
B. Active Directory Sites and Services
C. Active Directory Domains and Trusts
D. Active Directory Licensing Manager
Correct Answer & Explanation: B. Active Directory Sites and Services can be used
for configuring sites, which is particularly useful in configuring geographically
dispersed LDS implementations.
Incorrect Answers & Explanations: A, C, and D. Answers A and C are incorrect
because these tools are not supported in an LDS implementation. Answer D is
incorrect because no such tool exists.
10. BitLocker is a new technology that is available in Windows Server 2008 as well
as Windows Vista. Which is NOT an advantage of using BitLocker?
A. BitLocker can be used to prevent a hacker from detecting my password.
B. BitLocker prevents someone from removing a hard drive from a system
and reading it by installing it on another system.
C. BitLocker prevents someone from loading another operating system onto the
server and reading the contents of the disk using this additional operating
system.
D. All of the above selections are an advantage of using BitLocker.
Correct Answer & Explanation: A. BitLocker does not prevent someone from
booting your system normally and cracking your password using brute force.
Incorrect Answers & Explanations: B, C, and D. Answer B is incorrect because
BitLocker prevents someone from reading an encrypted hard drive on another
system. Answer C is incorrect because even if another operating system is loaded
onto the server, the encrypted drive can still not be read.
Chapter 2: Configuring Network Services
1. You are the administrator for a nationwide company that currently runs
Windows Server 2008 DNS and are reviewing the resource records in your
Active Directory-integrated DNS zone. You notice there are hostnames that
do not meet your company's naming convention and verify that the computers
are not members of your Active Directory domain. What must you do to
ensure these hosts cannot create records in your DNS zone?
A. Disable DNS and enable DHCP.
B. Configure your zone to enable secure dynamic updates.
C. Disable dynamic updates in your zone.
D. You cannot prevent this from occurring in DNS.
Correct Answer & Explanation: B. By enabling secure updates in your
AD-integrated zone, only computers that have authenticated with your Active
Directory domain can dynamically create and update their DNS records.
Incorrect Answers & Explanations: A, C, and D. Answer A is incorrect. DHCP
is used for automatic IP address assignment. Answer C is incorrect because this
would disable even authorized computers from updating their records. Answer
D is incorrect since you can prevent this by using answer B.
2. You are creating a new standard primary zone for the company you work for,
Name Resolution University, using the domain nru.corp. You create the zone
through the DNS management console, and now you want to view the corresponding
DNS zone file, nru.corp.dns. Where do you need to look in order to
find this file?
A. You cannot view the zone file because it is stored in Active Directory.
B. You can look in the %systemroot%\system32\dns folder.
C. You cannot view the DNS file except by using the DNS management
console.
D. The DNS zone file is actually just a key in the Windows Registry. You
need to use the Registry Editor if you want to view the file.
Correct Answer & Explanation: B. Since this is a standard zone, it is stored in a
text-based file. If it was Active Directory-integrated, you would not be able to
view or modify the file this way.
Incorrect Answers & Explanations: A, C, and D. Answer A is incorrect since
this is a standard (not integrated) zone. Answer C is incorrect because, as we
discussed earlier in this chapter, standard DNS files are text-based. Answer D is
incorrect because DNS files have nothing to do with the system Registry.
3. You have removed WINS from your environment, but still have at least one
legacy PC and application that requires NetBIOS resolution. What solution
can you use in place of WINS to address NetBIOS resolution?
A. GlobalNames zones.
B. Reverse zones.
C. Dynamic updates.
D. None of the above. You need WINS for NetBIOS.
Correct Answer & Explanation: A. The GlobalNames zone (GNZ) was introduced
to help phase out the Windows Internet Naming Service. The GNZ requires the
creation of a zone named GlobalNames.
Incorrect Answers & Explanations: B, C, and D. Answer B is incorrect because
reverse lookup zones are used for resolving IP addresses to hostnames. Answer
C is incorrect because dynamic updates are used for automatic population of
DNS records. Answer D is incorrect because GlobalNames zones can be used
in place of WINS.
4. You've just created a new zone in DNS on a Windows Server 2008-based
computer. You check the zone and notice that the only records in it are the
SOA and NS RRs. Checking the configuration, you see that the zone is
configured to accept dynamic updates. What should you do next?
A. Manually add all RRs for the zone, including A, CNAME, PTR, and SRV
records.
B. Manually add A records for all hosts that cannot use dynamic updating.
C. Manually add A RRs and PTR RRs for all hosts that will be using
dynamic updating.
D. Manually initiate a zone transfer to replicate all the needed RR to the
new zone.
Correct Answer & Explanation: B. The example does not mention DHCP
support for legacy clients, so we would need to update records for any computer
that does not support dynamic updates, typically legacy Windows clients or
non-Windows clients.
Incorrect Answers & Explanations: A, C, and D. Answer A is incorrect because
these records will not assist in the population of the zone. Answer C is incorrect
because dynamic update will create records for all hosts that support it. Answer D
is incorrect because we said this is a new zone, so there is nothing to replicate from.
5. A DNS server, Aspen, has been successfully resolving queries but with the
wrong information. You use the Monitoring function in the DNS Management
Console for Aspen and test the simple and recursive queries. Both work fine.
What is the most likely cause of the problem?
A. Aspen is not authoritative for the zone in which the wrong information is
being returned.
B. Aspen is not configured to perform iterative queries.
C. Some clients do not support dynamic updates, or manually entered RRs
have errors.
D. The clients that received the wrong information do not support the OPT
record type.
Correct Answer & Explanation: C. Client IP addresses may have changed and
not been updated in DNS, or it is possible static entries have been entered into
the DNS database and are incorrect.
Incorrect Answers & Explanations: A, B, and D. Answer A is incorrect because
authorization has nothing to do with the scenario. Answer B is incorrect
because iterative name queries are issued by the client computer and allow
the DNS server to return the best answer it can based on its caches. Answer
D is incorrect because OPT is related to enhanced DNS resolution.
6. Your company has recently migrated from Windows NT 4.0 to Windows
Server 2008 on all of its networked servers, including those running the
DHCP and DNS server services. During the migration, you implemented
Active Directory-integrated zones. A colleague says you cannot do this because
the zones converted from non-AD-aware operating systems will not allow
secure updates, creating a significant security risk to the organization. What is
your response?
A. When any zone is integrated into AD, it takes on the security features of AD.
B. If the zone is created outside of the AD, it will be configured for no secure
updates and must be re-created to allow for secure updates.
C. If the zone is created outside of AD, it will not be configured for secure
updates but can be modified via the DNS Management Console.
D. When any zone created before Windows 2000 is integrated into AD, it will
use whatever update type other zones are configured to use.
Correct Answer & Explanation: C. DNS zones can be migrated from legacy
DNS servers to Windows Server 2008 servers as primary zones, and then configured
to be integrated with Active Directory and enabled for secure updates.
Incorrect Answers & Explanations: A, B, and D. Answer A is incorrect because
secure zones have nothing to do with the security level of AD. Answer B is
incorrect because we can indeed modify the zone. Answer D is incorrect because
every zone is configured separately to allow for flexibility.
7. You have been tasked with designing a new Windows Server 2008 Active
Directory forest. The network is currently a combination of Windows 2000
Professional, Windows XP, Windows Vista, and Macintosh clients. You want
to reduce the administration of IP addresses. Which of the following services
would you implement to accomplish this?
A. DHCP
B. DNS
C. WINS
D. DDNS
Correct Answer & Explanation: A. Implementing DHCP scopes will eliminate
the need for most static assignments of IP addresses to client systems.
Incorrect Answers & Explanations: B, C, and D. Answer B is incorrect because
DNS is needed for name resolution. Answer C is incorrect because WINS is used
for legacy NetBIOS name resolution. Answer D is incorrect because DDNS is
used for dynamic updates of host records in DNS.
8. Your company has a Windows Server 2008 domain. All of your servers run
Windows Server 2008 and all of your workstations run Windows Vista Business.
Your DHCP server is configured with the default settings and all of your
Windows Vista machines are configured as DHCP clients with the default DHCP
client settings. You want to use DNS dynamic updates to automatically register
the host record and PTR record for all of your workstations. Which of the
following must you do to accomplish your goal?
A. None. The default settings are sufficient.
B. Configure the DHCP server to always Dynamically Update DNS And
PTR Records.
C. Configure the DHCP server to Dynamically Update DNS And PTR
Records Only If Requested By The DHCP Clients.
D. Configure the workstation to use dynamic updates.
Correct Answer & Explanation: A. Any Windows-based client system that runs
Windows 2000, XP, or Vista does not need additional settings in DHCP.
Incorrect Answers & Explanations: B, C, and D. Answers B and C are incorrect
since these settings do not exist. Answer D is incorrect because Vista clients
automatically are set to use dynamic updates.
9. Your network contains a mix of Windows 2003 and Windows Server 2008. You
have three domain controllers running Windows Server 2003. Your file server,
print server, and Exchange server are running Windows 2000 Server. Your DNS,
DHCP, and WINS servers are running Windows Server 2008. All of your clients
are running Windows XP Professional with Service Pack 2. All machines, other
than the servers that require a static IP address, are configured as DHCP clients
with the default settings. Your DNS server has been configured to allow dynamic
updates. Which of the following records will be registered in DNS automatically?
(Choose all that apply.)
A. MX
B. Host (A)
C. SRV
D. PTR
Correct Answers & Explanation: B, C, and D. Dynamic updates will create
A and PTR records for any 2000, 2003, or 2008 host. Likewise, it will create
SRV records for hosts that are providing a particular service.
Incorrect Answers & Explanations: A. Answer A is incorrect because Mail
Exchanger (MX) records must be created manually, regardless of whether the
host IP is set manually or via DHCP.
10. You have implemented DNS on a Windows Server 2008 Core Server installation.
You want to list the DNS zones on this server. What command-line utility would
you use to accomplish this?
A. ocsetup.
B. netsh.
C. dnscmd.
D. None of the above. You must use the GUI from another Windows Server
2008 host.
Correct Answer & Explanation: C. DNS zones can be managed from the
command line by using the dnscmd utility. The command syntax would be
dnscmd /enumzones.
Incorrect Answers & Explanations: A, B, and D. Answer A is incorrect. The
ocsetup utility is used to install server roles. Answer B, netsh, is used for a number
of network-related commands, including changing local IP information. Answer
D is incorrect because dnscmd can, in fact, be used.
Chapter 3: Working with
Users, Groups, and Computers
1. You have just installed a Windows Server 2008 domain controller in your
environment. Which of the following default containers holds the default
groups?
A. Users
B. Computers
C. Built-in
D. Default Groups
Correct Answer & Explanations: Answer C is correct because the Built-in
group contains the default groups.
Incorrect Answers & Explanations: Answers A and B are incorrect because the
Users container holds the users, while the computer container holds the computer
accounts. Answer D is incorrect because the Default Group does not exist.
2. You tried to reset a password, but received a message that your password does
not meet the password complexity requirements. What might be the problem?
A. The user password is not complex enough.
B. The user is accessing a domain from a Windows 98 workstation machine.
C. The user is accessing a domain from a Windows MT workstation machine.
D. The user is accessing a domain from a Windows NT 4.0 machine.
Correct Answer & Explanations: Answer A is correct because it seems that
your password is not complex enough according to password security policies.
Incorrect Answers & Explanations: Answers B, C, and D are incorrect because
the message is simple enough, indicating that this is a problem with password
characters. Make sure your password does not contain dictionary words, a username,
real names, pet names, family member names, or the company's name.
It should be between 7 and 14 characters long and should be different from
previous passwords. Best practices state that it should be a combination of
uppercase and lowercase letters, numbers, and special characters. An example of
a strong password is Sh4$$n0n87r67}D.
3. Your organization has one Active Directory domain in the Active Directory
forest. You are responsible for creating accounts for all users in your domain.
Your company just bought another company with 5000 user accounts, and
you are required to create their new user accounts without using a third-party
tool. Which of the following commands should be used to achieve this?
A. dsadd
B. dsuseradd
C. adduser
D. adduser.ps
Correct Answer & Explanations: Answer A is correct because you can use
dsadd in addition to other built-in commands to create user accounts, as per
your requirements.
Incorrect Answers & Explanations: Answers B, C, and D are incorrect because
they don't exist.
4. You suspect that a user may be able to log on after office hours. From which
tab on a users Properties dialog box can you set logon hours?
A. The Account tab
B. The Security tab
C. The General tab
D. The Profile tab
Correct Answer & Explanations: Answer A is correct because when you click
the Accounts tab, and then click Logon Hours, you can set the logon hours of
any user.
Incorrect Answers & Explanations: Answers B, C, and D are incorrect because
when you click the Security, General, or Profile tab there is no option to set
logon hours.
5. You are at a branch office of your company assisting a user on his PC. While
assisting the user, you receive a phone call from your boss who wants to know
why all the users are required to change their passwords the first time they log
on? What would be the best way to answer his question?
A. It's a default Active Directory group and domain policy to enforce user
passwords set by the administrator.
B. It's a default Active Directory group policy and cannot be modified.
C. This is a new feature in Active Directory 2008 to introduce extra security.
D. This is just a check box for user account properties to force users to change
the default passwords set by the administrator at the time of the creation of
their account. This then forces users to pick their own password.
Correct Answer & Explanations: Answer D is correct because selecting User Must
Change Password At Next Logon will enforce the user to change his password
the next time when he logs on. This way, only the user knows the password.
Incorrect Answers & Explanations: Answer A is incorrect because there is no
Active Directory group and domain policy to enforce a user password set by
an administrator. Answer B is incorrect because no such policies exist in Active
Directory. Answer C is incorrect because this is not a new feature or an option.
It has been around in Windows operating systems for a while.
6. Lisa works as a branch office administrator for your organization. She receives
a call from her manager, Dina, asking which of the following characteristics
make up a strong password. Which one is correct?
A. Contains a username or pet's name.
B. Contains dictionary words.
C. Contains place names.
D. Is a combination of letters and numbers.
Correct Answer & Explanations: Answer D is correct because strong passwords
must not contain usernames, pet's names, family names, or dictionary words.
Ideally, they should be alphanumeric and should be more than eight characters
in length.
Incorrect Answers & Explanations: Answer A, B, and C are incorrect because
strong passwords must not contain usernames, pet's names, family names,
or dictionary words.
7. Which of the following options require administrative privileges to change the
password?
A. User must change password at next logon.
B. User cannot change password.
C. Password never expires.
D. Store password using reversible encryption.
Correct Answer & Explanations: Answer B is correct because it makes certain
the account's password can only be changed with Administrator privileges,
which means it will prevent the user from creating a new password or altering
an existing password.
Incorrect Answers & Explanations: Answer A is incorrect because it forces the
user to change his or her password the first time they log on. This provides a
higher level of security by ensuring that the user is the only person who knows
the password. Answer C is incorrect because it forces the user not to change
their password periodically. In other words, it does not force any time restrictions
on the life of the password, for example, for a domain user account used by
Windows Server 2008 services. Answer D is incorrect because using reversible
encryption enhances the security of a password.
8. You are attempting to describe the purpose of a template account to
a co-worker. What should you tell them?
A. A template account exists only for Novell users.
B. A template account exists only for Unix users.
C. A template account exists only for Windows NT 4.0 users.
D. A template account simplifies the creation of a large number of user
accounts. In a template, you can define all the account parameters you
need to for your users. You can then use this template to create user
accounts by simply filling in the Name, Full Name and Description
Password, and Confirm Password fields.
Correct Answer & Explanations: Answer D is correct because template
accounts simplify the creation of a large number of user accounts.
Incorrect Answers & Explanations: Answer A, B, and C are incorrect because
a template account is not linked with any specific users migrating from other
operating systems to a Windows operating system.
9. Joanna is responsible for administering a small Active Directory domain.
Recently, your company has acquired a small company where all the computers
are installed in a workgroup. Which of the following operations must
she perform in order to create the computer accounts? (Choose all that
apply.)
A. Select Start | Run, and then type in the joinallwks /user:administrator
command.
B. Select Start | Programs | Administrative Tools | Active Directory Users
and Computers, and then right-click the computer container and create
the computer objects.
C. Rename the existing computers in a workgroup.
D. Query for resources.
Correct Answer & Explanations: Answer B. You will need to create computer
accounts using Active Directory Users and Computers. This is called
provisioning. Alternatively, you can create computer accounts at the time of
joining computers with the domain. However, you need permissions in Active
Directory to perform such an operation.
Incorrect Answers & Explanations: Answer A is incorrect because joinallwks
does not exist. Answer C is incorrect because there is no need to rename
existing computers unless you are looking to follow certain naming conventions.
Answer D is incorrect because there is no need to query for resources.
10. What is the purpose of resetting an account?
A. Helps you reset a computer password stored in Active Directory so the
computer can make a trusted connection with Active Directory.
B. Helps you reboot the computer.
C. Helps you restart netlogon services.
D. Helps you change the authentication protocol from NTLM to Kerberos.
Correct Answer & Explanations: Answer A is correct because you can use dsadd
in addition to other built-in commands to create user accounts, as per your
requirements.
Incorrect Answers & Explanations: Answer B, C, and D are incorrect because
it is not possible to reboot the computer, restart the netlogon services, or
change the authentication protocol by resetting the computer account.
Chapter 4: Configuring the
Active Directory Infrastructure
1. A large company has just merged with yours. This organization has recently
converted its internal network from IPv4 addressing to IPv6 to support a
number of new network applications that required it. You must now begin to
plan for IPv6 support on your own internal network. You are creating training
materials for your junior networking staff. Which of the following features is
built into IPv6 that was not required in IPv4?
A. Classless Inter-Domain Routing (CIDR)
B. IP Security through the use of IPSec
C. Network address translator (NAT)
D. Loopback IP addressing
Correct Answer & Explanation: B. Answer B is correct because IPSec is a
mandatory component of IPv6, whereas its use is optional in IPv4.
Incorrect Answers & Explanations: A, C, and D. Answer A is incorrect
because CIDR notation is used to express IP addresses for both IPv4 and
IPv6 TCP/IP addresses. Answer C is incorrect because NAT is not a mandatory
component of IPv6. Answer D is incorrect because the loopback IP address is
available in both IPv4 and IPv6. In IPv4, the loopback address is 127.0.0.1; in
IPv6 the loopback address is ::1.
2. Your IT manager wants you to link four divisions of the company through a
ring of eight unidirectional cross-forest trusts. He uses this reasoning: If multiple
forest trusts are established, authentication requests made in any domain of any
forest can pass through multiple forest trusts, hence multiple Kerberos domains,
on their way to their destination. Why is he wrong?
A. Although each cross-forest trust is transitive at the forest level, where all
domains in both forests can authenticate, they are not transitive at the federated
forest level as he suggests. The trust path cannot include more than
one cross-forest trust.
B. Cross-forest trusts are not transitive, and will not allow pass-through
authentication.
C. To create a mesh trust relationship between four forests, you need only
four cross-forest trusts.
D. Cross-forest trusts are bidirectional, so only three trusts are needed to link
all four forests. Completing the ring is not necessary.
Correct Answer & Explanation: A. Answer A is correct because cross-forest
trusts are transitive only between the source and destination forests. This means
that every domain in Forest A will automatically trust every domain in Forest B.
This transitivity does not extend to multiple forests: If a cross-forest trust exists
between Forest A and Forest B, and a second cross-forest trust exists between
Forest B and Forest C, this does not automatically create a trust relationship
between Forest A and Forest C.
Incorrect Answers & Explanations: B, C, and D. Answer B is incorrect because
cross-forest trusts are transitive between the source and destination forests, and will
allow pass-through authentication between them. Answer C is incorrect because
in order to create a mesh trust relationship between four forests, you would
need to create a total of six cross-forest trusts: between Forest A and Forest B,
Forest A and Forest C, Forest B and Forest D, Forest C and Forest D, Forest A
and Forest D, and Forest B and Forest C. Answer D is incorrect because in order
to create a mesh trust relationship between four forests, you would need to
create a total of six cross-forest trusts: between Forest A and Forest B, Forest
A and Forest C, Forest B and Forest D, Forest C and Forest D, Forest A and
Forest D, and Forest B and Forest C.
3. What FSMO roles should exist in a child domain in a Windows Server 2008
forest? (Choose all that apply.)
A. Schema Master
B. Domain Naming Master
C. PDC Emulator
D. RID Master
E. GC
F. Infrastructure Master
Correct Answers & Explanations: C, D, and F. Answer C is correct because the
PDC Emulator FSMO role exists in each domain in an Active Directory forest.
Answer D is correct because the RID Master FSMO role exists in each domain
in an Active Directory forest. Answer F is correct because the Infrastructure
Master FSMO role exists in each domain in an Active Directory forest.
Incorrect Answers & Explanations: A, B, and E. Answer A is incorrect because
the Schema Master FSMO role exists only in the forest root domain. Answer B
is incorrect because the Domain Naming Master FSMO role exists only in the
forest root domain. Answer E is incorrect because the Global Catalog is not a
FSMO role.
4. Your network operations center has identified excessive bandwidth utilization
caused by authentication traffic in the root domain subnet, especially between
Calico.cats.com and Labs.dogs.com. Your logical network is set up as shown in the
diagram. What type of trust or trusts would you set up to alleviate the situation?
Question #4 Diagram
A. Set up a bidirectional transitive parent and child trust between Calico.cats.
com and Labs.dogs.com.
B. Set up a shortcut trust between Calico.cats.com and the forest root, and set
up a second shortcut trust between Labs.dogs.com and the forest root.
C. Set up a shortcut trust between Calico.cats.com and Labs.dogs.com.
D. Set up two shortcut trusts between Calico.cats.com and Labs.dogs.com.
E. Set up a realm trust between Calico.cats.com and Labs.dogs.com.
Correct Answer & Explanation: C. Answer C is correct because this solution will
allow authentication traffic to pass directly between Calico.cats.com and Labs.
dogs.com rather than walking the tree through the forest root domain.
Incorrect Answers & Explanations: A, B, D, and E. Answer A is incorrect because
parent-child trust relationships are created automatically by Active Directory; you
cannot manually create one between domains that do not already exist in a
parent-child relationship. Answer B is incorrect because this solution will not
improve how authentication traffic is transmitted on your network in this situation.
Answer D is incorrect because in this scenario, only a single shortcut trust
relationship is required, as all authentication requests are being sent in a single
direction. Answer E is incorrect because realm trusts are configured between an
Active Directory domain and an MIT Kerberos realm, not between two Active
Directory domains within a single forest as described in this scenario.
5. Your company, mycompany.com, is merging with the yourcompany.com company.
The details of the merger are not yet complete. You need to gain access to the
resources in the yourcompany.com company before the merger is completed.
What type of trust relationship should you create?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree Root trust
Correct Answer & Explanation: C. Answer C is correct because an external
trust is a one-way, nontransitive trust that can be configured between separate
Active Directory forests, especially if the two-way transitivity of a cross-forest
trust relationship is not desired for a particular scenario.
Incorrect Answers & Explanations: A, B, and D. Answer A is incorrect because
a forest trust is a two-way transitive trust and will likely create more access
between the two domains than is desired before the merger is completed.
Answer B is incorrect because a shortcut trust is configured between two domains
within the same Active Directory forest and is not appropriate for this scenario.
Answer D is incorrect. There is no such thing as a tree root trust within Active
Directory.
6. Your boss just informed you that your company will be participating in a joint
venture with a partner company. He is very concerned about the fact that a
trust relationship needs to be established with the partner company. He fears
that an administrator in the other company might be able to masquerade as one
of your administrators and grant himself privileges to resources. You assure him
that your network and its resources can be protected from an elevated privilege
attack. Along with the other security precautions that you will take, what will
you tell your boss that will help him rest easy about the upcoming scenario?
A. The permissions set on the Security Account Manager (SAM) database
will prevent the other administrators from being able to make changes.
B. The SIDHistory attribute tracks all access from other domains. Their activities
can be tracked in the System Monitor.
C. The SIDHistory attribute from the partner's domain attaches the domain SID
for identification. If an account from the other domain tries to elevate its own
or another user's privilege, the SID filtering removes the SID in question.
D. SID filtering tracks the domain of every user who accesses resources.
The SIDHistory records this information and reports the attempts to the
Security log in the Event Viewer.
Correct Answer & Explanation: C. Answer C is correct because SID filtering
can be configured on an Active Directory trust relationship to prevent administrators
from one domain from maliciously elevating their privileges within
another domain.
Incorrect Answers & Explanations: A, B, and D. Answer A is incorrect because
without SID filtering, an Active Directory trust relationship is susceptible to
elevation of privilege attacks. Answer B is incorrect because SID filtering prevents
elevation of privilege attacks between domains, but is not an attribute
that can be monitored using System Monitor. Answer D is incorrect because
SID filtering prevents elevation of privilege attacks between domains, but
does not track user access to resources.
7. You recently completed a merger with yourcompany.com. Corporate decisions
have been made to keep the integrity of both of the original companies; however,
management has decided to centralize the IT departments. You are now responsible
for ensuring that users in both companies have access to the resources in the
other company. What type of trust should you create to solve the requirements?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree root trust
Correct Answer & Explanation: A. Answer A is correct because a forest trust
is a two-way transitive trust, which will allow users in each company to access
resources in the other company.
Incorrect Answers & Explanations: B, C, and D. Answer B is incorrect because
a shortcut trust is used to shorten the authentication path between domains
within a single Active Directory forest. Answer C is incorrect because an external
trust is a one-way nontransitive trust that can only be configured between a
single domain in each direction; it will not allow transitive access to all resources
in both forests. Answer D is incorrect because this term does not describe a
type of trust relationship that can be configured within Active Directory.
8. Robin is managing an Active Directory environment of a medium-size company.
He is troubleshooting a problem with the Active Directory. One of the
administrators made an update to a user object and another reported that he
had not seen the changes appear on another DC. It has been more than a week since
the change was made. Robin checks the problem by making a change to another
Active Directory object. Within a few hours, the change appears on a few DCs,
but not on all of them. Which of the following is a possible cause for this
problem?
A. Connection objects are not properly configured.
B. Robin has configured one of the DCs for manual updates.
C. There might be different DCs for different domains.
D. Creation of multiple site links between the sites.
Correct Answer & Explanation: A. Answer A is correct because if Active Directory
connection objects are not configured between DCs, changes on one DC will not
be reflected on one or more other DCs in your environment.
Incorrect Answers & Explanations: B, C, and D. Answer B is incorrect because
Active Directory DCs cannot be configured for manual updates; connection
objects must be created to allow DCs to be automatically updated with changes
from other DCs. Answer C is incorrect because Active Directory replication
can take place between DCs belonging to different domains. Answer D is incorrect
because creating multiple site links between sites will not prevent Active
Directory replication from taking place.
9. James is a systems administrator for an Active Directory environment that consists
of two dozen sites. The physical network environment is not fully routed, and
James has disabled automatic site link transitivity. He now wants to set up three
site links to be transitive, as they are physically connected to one another.
Which of the following Active Directory objects is responsible for representing
a transitive relationship between sites?
A. Additional sites
B. Additional site links
C. Bridgehead servers
D. Site link bridges
Correct Answer & Explanation: D. Answer D is correct because configuring
site link bridges will allow specific site links to be considered transitive when
automatic site link bridging has been disabled.
Incorrect Answers & Explanations: A, B, and C. Answer A is incorrect because
configuring additional sites does not affect site link transitivity in a network
that is not fully routed. Answer B is incorrect because configuring additional
site links does not affect site link transitivity in a network that is not fully
routed. Answer C is incorrect because configuring bridgehead servers does not
affect site link transitivity in a network that is not fully routed.
10. Steffi is an administrator of a medium-size organization responsible for managing
Active Directory replication traffic. She finds an error in the replication configuration.
How can she look for specific error messages related to replication?
A. Use the Active Directory Sites and Services administrative tool
B. Use the Disk Management tool
C. View the System log option in the Event Viewer
D. View the Directory Service log option in the Event Viewer
Correct Answer & Explanation: D. Answer D is correct because error messages
related to Active Directory replication appear in the Directory Services log in
the Windows Event Viewer.
Incorrect Answers & Explanations: A, B, and C. Answer A is incorrect because
the Active Directory Sites and Services MMC snap-in can trigger replication
(Replicate Now) but does not display the error messages that replication
generates. Answer B is incorrect because the Disk Management MMC snap-in has
nothing to do with Active Directory replication. Answer C is incorrect because
error messages related to Active Directory replication do not appear in the
System log in the Windows Event Viewer.
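As an added example (not from the book), the following PowerShell pulls the last
day's errors and warnings from the Directory Service log and cross-checks them
against repadmin's per-partner replication status. It assumes it is run on a
Windows Server 2008 domain controller with rights to read the log; the one-day
window is an arbitrary choice.

```powershell
# Added example, not from the book: summarize Directory Service log errors and
# warnings from the last 24 hours, then compare with repadmin's partner view.
$since = (Get-Date).AddDays(-1)   # assumed window; adjust as needed

# Event log levels: 2 = Error, 3 = Warning.
$dsEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Level     = 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue

# One row per event ID, with the first line of a sample message so the
# recurring failures stand out.
$dsEvents |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'EventId'; e = { $_.Name } },
                  @{ n = 'Sample';  e = { ($_.Group[0].Message -split "`n")[0] } } |
    Format-Table -AutoSize

# repadmin /showrepl reports the same problems per replication partner and
# naming context; /csv makes the output parseable.
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv
$repl |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Status', 'Last Success Time' |
    Format-Table -AutoSize
```

The event log tells you what went wrong on this DC; the repadmin output tells
you which partner and partition are affected, which is usually what you need
before touching site links or bridgehead settings.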
Chapter 5: Understanding Group Policy
1. A Charlotte user who recently transferred into the Accounts Payable department
from the Accounts Receivable department in your company submits a help desk
ticket complaining that she is not able to access her Control Panel on her
computer. Upon further questioning, you discover that the user was able to access
her Control Panel the previous week. Upon coming in Monday morning, she
logged on to her workstation and it reportedly took longer than usual to get to
the desktop. Her Group Policy infrastructure is depicted in the following figure.
Charlotte Users Accounting Hierarchy
What is the most probable cause for the missing Control Panel on the user's
workstation?
A. The user is logged on with cached credentials. She must log off and back
on again to download the proper policy.
B. The user requires local Administrator rights on her machine to view the
Control Panel.
C. The user account has been moved into the Accounts Payable OU and is
now receiving policies that it didn't before.
D. The machine account has been moved into the Accounts Payable OU and
is now receiving policies that it didn't before.
Correct Answer & Explanation: C. Because the person just transferred into the
Accounts Payable department, the user account in Active Directory was moved
into the corresponding OU as part of the transfer. Because the Accounts Payable
department has an Accounts Payable Security Policy in place, the user account
now inherits that policy and applies its settings; it most likely contains a
setting to remove the Control Panel. The Accounts Receivable OU has no such policy.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect, because
logging on with cached credentials would, if anything, prevent new Group Policy
settings from being applied, whereas here a new policy clearly has been applied
(the slow Monday logon is consistent with new settings being processed).
Logging off and on again does not change which policies affect the user
account. Answer B is incorrect, because local Administrator rights are not
required to view the Control Panel; regular users have access to the Control
Panel by default. Answer D is incorrect, because the machine account is not
affected by the user account being moved in Active Directory, and with the
OU structure depicted in this example there would be no reason to move
the machine account.
2. A new requirement has come down from The 3 Bears, Inc. headquarters that
requires all users to have a home page of www.the3bears.org. You create a new
policy and configure the Internet Explorer Maintenance Setting which will set
the IE home page. What would be the best approach to take in applying this
new policy?
A. Link the policy to the OUs in the domain that contain user accounts
B. Link the policy to the domain and configure the machine OUs to Block
Inheritance
C. Link the policy to the domain and configure the policy to Enforce
D. Link the policy to the domain
Correct Answer & Explanation: C. Linking the policy to the domain is the
simplest way to apply the setting to all users. By enforcing the policy you
eliminate the risk of a lower-level policy overriding the IE settings.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect, because
although this approach may work, it is not the best approach. Linking the
policy multiple times in the domain creates additional overhead where it is not
required. Also, because you are only linking and not enforcing the policy, there
is a chance that it may be overridden by a conflicting policy linked lower in
the domain. Answer B is incorrect, because although linking the policy to the
domain level is the right approach, without enforcing the policy there is a
chance that it may be overridden by a conflicting policy somewhere else in the
domain. Also, Block Inheritance is an unnecessary step; worse, blocking
inheritance on the machine OUs would stop the unenforced domain policy from
reaching those OUs at all. Answer D is incorrect, because although this would
also work, it is not the best approach: without enforcing the policy, there is
a chance that it may be overridden by a conflicting policy somewhere else in
the domain.
3. In your Windows 2008 Active Directory environment, you configure printer
mappings via logon scripts. The number of printers and the complexity of
managing the scripts are getting difficult to handle as the company grows.
You have built multiple Group Policies, each with a logon script for each
set of printers. You link the policies to OUs as departments request access to
the printers. What is the best way to adjust your administration of printers to
reduce configuration issues and lower administrative overhead?
A. Create a single Group Policy, apply it at the domain level, and add a single
logon script which contains all the printers in the environment
B. Create multiple Group Policies, apply them at the OU level for each
department, and configure Preferences for each required printer
C. Create a single Group Policy and apply it at the domain level. Configure
Preferences for each required printer. Use item-level targeting to apply the
printers to the server IP addresses.
D. Create a single Group Policy and apply it at the domain level. Configure
Preferences for each required printer. Use item-level targeting to apply the
printers to the departmental security groups.
Correct Answer & Explanation: D. A single Group Policy is easier to administer.
By moving printer administration to Group Policy Preferences with item-level
targeting on the departmental security groups, you increase the consistency of
printer mapping and remove the overhead of maintaining logon scripts.
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect, because a
single logon script for the entire environment would create many unnecessary
printers on each workstation. The script would take a very long time to run
and the risk of configuration problems increases. Answer B is incorrect, because
even though this would work, in the long run the administration of multiple
GPOs and linking them all over the enterprise remains the same. The only
difference is the use of Preferences, which would reduce configuration issues
caused by the scripts. Answer C is incorrect, because targeting the printer
Preferences on server IP addresses does not meet the objective of simplifying
script-based administration of user printers; the departmental security groups
are the right targeting criterion.
4. Darien is a new member of the Web Services team at your company. He is going
to be responsible for running and testing scripts for an in-house homegrown
application which requires a special application that is deployed via Group Policy.
The first time he logs on to the domain he does not receive the software
package. You verify that his user account is in the proper OU. What could be
causing Darien not to receive the GPO with the software policy?
A. Security filtering has been enabled on the GPO and Darien is not a
member of the proper group
B. WMI Filtering has been enabled on the GPO and Darien is not a member
of the proper group
C. Darien must be a local administrator on his machine to download a GPO
with a software package in it
D. Darien's user account has Block Inheritance configured on it and therefore
he cannot download the policy
Correct Answer & Explanation: A. Security Filtering uses Active Directory user,
computer and group objects to control who is allowed to apply a GPO. If the
default Authenticated Users entry has been removed from the GPO's Apply Group
Policy permission and the Web Services team group has been added, Darien must
become a member of the Web Services team group to apply the policy and receive
the software package. Once he is added to the group he has to log off and back
on again so that his logon token includes the new group membership.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because
WMI filtering evaluates a WMI query against the computer's properties
(operating system, hardware, and so on); it is not based on user group
membership. Answer C is incorrect, because Group Policy is processed in the
security context of the System account, and users do not require any special
permission to apply it. Answer D is incorrect, because Block Inheritance is
not configured on a user object; it is configurable on an OU or on the domain.
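Security filtering as described above, as an added PowerShell example that is
not from the book. It requires the GroupPolicy module (Windows Server 2008 R2 or
the matching RSAT; Windows Server 2008 itself has only the GPMC console), and
the GPO and group names are assumptions. It also covers a caveat that post-dates
the book: since the MS16-072 (KB3163622) change to Group Policy processing,
user-side settings are read in the computer's security context, so Authenticated
Users (or Domain Computers) must keep Read on the GPO even when only a specific
group is allowed to apply it.

```powershell
# Added example, not from the book: limit a software-deployment GPO to one
# group with security filtering, keeping Read for Authenticated Users.
Import-Module GroupPolicy

$gpoName = 'Web Services App Deployment'   # assumed GPO name
$group   = 'Web Services Team'             # assumed domain security group

# GpoApply grants both Read and Apply Group Policy to the team.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Replace the default Authenticated Users permission (Read + Apply) with Read
# only. Removing the entry entirely would break processing after MS16-072,
# because the computer account must be able to read the GPO to apply user
# settings; Read without Apply is the supported way to filter.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Show the resulting filter: the team should be the only trustee with
# GpoApply, Authenticated Users should show GpoRead.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

The user still has to log off and back on to pick up the new group membership
in his token; on the client, gpresult /r /scope user afterwards should list the
GPO under Applied Group Policy Objects rather than under Denied (Security).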
5. What is the difference between Policies and Preferences in a Group Policy?
A. Preferences are set, and Policies are enforced
B. Preferences can be modified only by administrators, and policies can be
modified by anyone, including users
C. Preferences are enforced, and Policies are set
D. B & C
Correct Answer & Explanation: A. Preferences allow you to configure
settings on workstations that traditionally were accomplished via scripting
and other methods. The values are only set and the user can always adjust the
configuration after the policy has applied if desired. Policies are locked down
and are enforced. Users will not be able to edit settings configured by policies.
They will appear grayed out.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because
Preferences are configurable by users even after configured via a GPO.
Policies enforce their configuration and all policy-enforced values will be
grayed out. Answer C is incorrect, because Preferences are set, not enforced.
All Preferences configured can be edited by users. Policies are not configurable
after policy application. Answer D is incorrect, because it included two
incorrect answers.
6. Your Active Directory hierarchy is depicted in the following figure. Which
policies affecting the San Fran Office OU can have their settings overwritten
in the event of a conflict?
Active Directory Hierarchy
A. Default Domain Policy, Desktop Lockdown Policy
B. Desktop Lockdown Policy
C. Company Wallpaper Policy, Accounting SW, Accounting Desktop
Lockdown Policy
D. Accounting SW, Accounting Desktop Lockdown Policy, Default Domain
Policy, Desktop Lockdown Policy
Correct Answer & Explanation: D. The only policy that cannot be overridden is
the last one applied, which has the highest precedence. In this case the
Company Wallpaper Policy will be the last one applied, and because it is
Enforced it always wins in the event of a conflict. The other policies
configured with Enforce lose to it because it has the higher precedence.
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect, because these
two policies are at the bottom of the precedence list and are overridden by any
higher policy. Answer B is incorrect, because this policy is at the bottom of
the precedence list and has the least priority; every other policy in the list
wins if a conflict occurs. Answer C is incorrect, because even Enforced policies
can be overridden by an Enforced policy with higher precedence. Every policy can
be overridden in a conflict except the very last one applied.
7. Maria is looking for the best method to standardize her GPO creation methods.
Currently she prints all the settings in the GPOs she would like to duplicate and
then manually re-creates each GPO. What features in Windows Server 2008 could
Maria take advantage of to assist with her GPO creation standardization?
A. Filtering
B. Starter GPOs
C. Security Templates
D. A & C
E. B & C
Correct Answer & Explanation: E. Starter GPOs can be used as reusable baselines
from which new GPOs are created. Security Templates are .inf files that can be
imported into the Security Settings of any GPO that needs a common set of
security settings across the enterprise. Both of these tools help standardize
the way GPOs are created.
Incorrect Answers & Explanations: A, B, C, D. Answer A is incorrect, because
Filtering is used to restrict which users and machines can apply a policy; it
doesn't apply to policy creation. Answer B is incorrect, because although it
represents part of the solution it is not the complete answer. Answer C is
incorrect for the same reason: Security Templates are only part of the solution.
Answer D is incorrect, because it pairs Filtering, which does not help, with
Security Templates.
8. SueyDog Enterprises will soon be deploying Microsoft Office Communicator
into its environment. All of its DCs are running Windows Server 2008. Their
administrator, Matthew, is attempting to prepare for the new product by creating
a GPO and exploring the available settings. He creates a new policy and proceeds
to expand each section of the policy, looking for the section containing the
Microsoft Office Communicator settings. He can't seem to locate the settings
for Microsoft Office Communicator. What should Matthew do to gain the
settings he seeks?
A. Download the appropriate .adm file and import it into the new GPO
B. Install Microsoft Office Communicator on the DC to make the setting
available
C. Download the appropriate .admx file and import it into the new GPO
D. Download the appropriate .adm file and place it in the Central Store
Correct Answer & Explanation: A. By default, Group Policy exposes mostly
operating system settings. Additional Administrative Template settings are
added with either .adm or .admx files. The classic .adm format is imported
directly into a GPO (Administrative Templates | Add/Remove Templates), whereas
the .admx format (with its language-specific .adml files) is placed in a
Central Store on SYSVOL, where the Windows Vista and Windows Server 2008 Group
Policy tools discover it automatically.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because
installing a product does not make its settings available in Group Policy.
Answer C is incorrect, because although .admx files could be used to gain
access to the application's settings, these files are not imported into a GPO;
they are placed in the Central Store (or the local PolicyDefinitions folder),
where the Group Policy tools discover them. Answer D is incorrect, because
.admx files belong in the Central Store, not .adm files.
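Creating the Central Store that this question refers to, as an added PowerShell
example (not from the book). It copies the local .admx/.adml templates to SYSVOL
and then adds an application template; the C:\Templates paths and the
Communicator file names are assumptions, and it must run as an account that can
write to SYSVOL.

```powershell
# Added example, not from the book: build the ADMX Central Store on SYSVOL and
# add a downloaded application template to it.
$domain = $env:USERDNSDOMAIN
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$local  = Join-Path $env:SystemRoot 'PolicyDefinitions'

if (-not (Test-Path $store)) {
    New-Item -Path $store -ItemType Directory | Out-Null
}

# Seed the store with the operating system templates: .admx files in the root,
# .adml files in their language folders (e.g. en-US).
Get-ChildItem $local -Filter *.admx | Copy-Item -Destination $store -Force
Get-ChildItem $local | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dest = Join-Path $store $_.Name
    if (-not (Test-Path $dest)) { New-Item -Path $dest -ItemType Directory | Out-Null }
    Get-ChildItem $_.FullName -Filter *.adml | Copy-Item -Destination $dest -Force
}

# An application's template goes in the same layout. File names are assumed.
Copy-Item 'C:\Templates\Communicator.admx' -Destination $store -Force
Copy-Item 'C:\Templates\en-US\Communicator.adml' -Destination (Join-Path $store 'en-US') -Force

# Inventory of what the store now holds. Once it exists, GPMC labels the
# Administrative Templates node as retrieved from the central store.
Get-ChildItem $store -Recurse |
    Where-Object { $_.Extension -eq '.admx' -or $_.Extension -eq '.adml' } |
    Group-Object Extension |
    Select-Object Name, Count
```

An .admx without its .adml for the console's language produces a parse error
in GPMC, so always copy the pair; and because SYSVOL replicates to every DC,
one copy is enough for the whole domain.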
9. Joey is going to be migrating his Lotus Notes environment into his newly
established Windows Server 2008 forest. He has guidance on what he will
require for Group Policy settings for the different teams and departments. He
has not yet created his OU structure. How should Joey proceed in creating the
required GPOs?
A. Create stand-alone GPOs
B. Create the GPOs at the Domain level
C. Create the GPOs at the Site level
D. Wait to create the GPOs until the OU structure is in place
Correct Answer & Explanation: A. Stand-alone (unlinked) GPOs are a way of
staging GPOs so that when you are ready to link them they are ready to go. The
advantage of a stand-alone GPO is that it is not in use until linked, so its
settings can be changed freely without affecting any users or computers.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because linking
the GPOs at the Domain level would apply all the settings to all users and
machines. The GPOs have specific target groups and linking all the policies at
the domain would defeat their function. Answer C is incorrect, because linking at
the Site is typically not recommended. Also, at this stage the Site structure
might not be complete, and to minimize the risk of the wrong user receiving a
policy they should not be linked at the Site. Answer D is incorrect, because
although the administrator could wait to create the GPOs until the OU structure
is in place, there isn't any reason to do so. Stand-alone GPOs fill the need
for GPO creation.
10. You work for a large hospital. The main users in the hospital are nurses and
doctors. Because they are always on the go, you set up kiosk stations throughout
the hospital for them to log on to and check Web mail or access applications.
The kiosks share one user logon and the nurses and doctors use their personal
accounts to gain access to resources via a browser interface which prompts
them for credentials. One morning a nurse logs onto a kiosk machine and is
greeted by extremely offensive wallpaper. How would you utilize Group Policy
to prevent this from happening in the future?
A. Create a Group Policy and apply it to the nurses' and doctors' user
accounts. Disable Display Settings.
B. Create a Group Policy and apply it to the nurses' and doctors' user
accounts. Configure Loopback Processing in Replace mode.
C. Create a Group Policy and apply it to the kiosk machines. Configure the
wallpaper to the company logo and disable Display Settings.
D. Create a Group Policy and apply it to the kiosk machines. Configure
Loopback Processing in Replace mode.
Correct Answer & Explanation: D. Loopback processing does not allow
user-specific settings to remain. Each time a user logs on to the machine, the
User Configuration settings from the GPOs that apply to the computer are
applied. In Replace mode, the GPOs that apply to the user account's own
location in Active Directory are ignored entirely.
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect, because
applying the GPO to the nurses' and doctors' user accounts would affect them
whenever they log on locally with their own accounts, and the kiosk machines
use a shared user account for local logon in any case. Answer B is incorrect
for the same reason; in addition, Loopback Processing is a Computer
Configuration setting and has no effect when applied to user accounts. Answer C
is incorrect, because locking down just the wallpaper setting doesn't prevent
people from making other offensive changes, such as setting a default Web page
with an offensive target, for instance.
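The kiosk configuration from Question 10 as an added PowerShell example (not
from the book): it builds a computer-linked GPO with loopback processing in
Replace mode and adds the wallpaper lockdown that Answer C alone would have
provided. It requires the GroupPolicy module (Windows Server 2008 R2 or RSAT);
the GPO name, OU distinguished name and wallpaper path are assumptions.

```powershell
# Added example, not from the book: kiosk GPO with loopback Replace mode.
Import-Module GroupPolicy

$gpoName = 'Kiosk Lockdown'                       # assumed GPO name
$kioskOU = 'OU=Kiosks,DC=hospital,DC=local'       # assumed OU of the kiosk computer accounts
$logo    = '\\hospital.local\NETLOGON\logo.bmp'   # assumed wallpaper path readable by all

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Computer Configuration > Administrative Templates > System > Group Policy >
# "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User Configuration settings in the SAME GPO are what every logon on a kiosk
# receives, because Replace mode discards the GPOs of the user's own OU.
# User Configuration > Administrative Templates > Desktop > Desktop > Desktop Wallpaper
$sysPol = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $sysPol -ValueName 'Wallpaper'      -Type String -Value $logo | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $sysPol -ValueName 'WallpaperStyle' -Type String -Value '2'   | Out-Null
# Control Panel > Personalization > Prevent changing desktop background
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' `
    -ValueName 'NoChangingWallPaper' -Type DWord -Value 1 | Out-Null

# Link to the OU holding the kiosk computers only; loopback is a computer setting,
# so linking this GPO to a user OU would do nothing.
New-GPLink -Name $gpoName -Target $kioskOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

Get-GPO -Name $gpoName | Select-Object DisplayName, GpoStatus, ModificationTime
```

On a kiosk, gpresult /r after a gpupdate /force should show the kiosk GPO
under the user's applied GPOs even for the shared account, and the user's own
OU policies should be absent; that is the visible proof that Replace mode is in
effect.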
Chapter 6: Configuring Group Policy
1. The CIO has asked you to configure a GPO that will ensure that antivirus
software is installed on every computer in the company. You are the most
senior administrator in the company and have full access to every computer,
and to Active Directory. Your company has a single domain and site. Which
one of the following actions do you take?
A. You configure a GPO at the domain level, and publish the application to
all computers
B. You configure a GPO at the site level, and assign the application to all
computers
C. You create a GPO with the required settings and link it into all OUs that
have computer accounts in it. You set the options to assign the application
to computers.
D. You tell him it cannot be done.
Correct Answer & Explanation: D. The CIO has asked for the application to
be installed on all computers, but group policy cannot be used to install software
on DCs.
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect. In
addition to the fact that you cannot use group policy to install software on
DCs, you also cannot publish applications to computers; applications can only
be assigned to computers. Answers B and C are also incorrect. If DCs had been
excluded from the CIO's request, either of these answers would have met the
requirements.
2. You've just taken over the domain-level administration for a mid-size company.
The previous administrator did not use group policy software deployment.
You have just configured and tested your first published application to users.
The application was designed to be used by all users in the accounting department.
You created the software distribution point and copied the installation files
over to it. You then created the GPO and linked it to the AcctgUsers OU, which
contains all user accounts for the department. When the users log on to their
computers, the application is visible in Control Panel | Add or Remove
Programs, but when users attempt the installation it fails. When you log on
from a computer in accounting, you are able to access the installation files and
run them manually. Which one of the following is most likely the problem?
A. The application files are corrupt
B. The permissions on the software distribution point are configured incorrectly
C. The GPO is corrupt
D. The GPO is linked to the wrong place within Active Directory
Correct Answer & Explanation: B. The most likely reason is that the installation
files are not accessible, and the only answer that addresses why this might be
the case is B.
Incorrect Answers & Explanations: A, C, D. Answer A is unlikely because you
are able to manually install from the same files being used to deploy the software
using group policy. Answers C and D are also unlikely because the users are
seeing the application displayed in Add or Remove Programs. This is handled
by group policy, so it appears to be functioning and linked to an appropriate
level of Active Directory for them.
3. You've been asked by a senior administrator to deploy an update to an existing
application that is assigned to users. The senior administrator created and tested
the upgrade, and has given you all information required, including in which
GPO to configure the upgrade package. You create the package in the GPO,
right-click on it, and attempt to configure the update, but the current version
is not listed for selection. Which of the following should you do next?
A. Notify the senior administrator that the application failed to detect that it
was an upgrade to an existing version
B. Manually enter the name of the package for the existing version and check
the Required upgrade for existing packages box
C. Deploy the upgrade as a new software installation instead of an upgrade
D. Ask the senior administrator which GPO the existing version's package is
located in, browse to it, and select it
Correct Answer & Explanation: D. When the current package doesn't appear
in the Package to upgrade box on the Add Upgrade Package dialog, it's
usually because it is located in another GPO. The most expedient thing for you
to do is ask where it is located, and then browse to and select it.
Incorrect Answers & Explanations: A, B, C. It is tempting to think that answer A
is correct; however, a quick check of the GPO in which you've been assigned
to configure the update should reveal that the original version's package is not
there. Because you know the upgrade was tested, it is likely that the package
exists somewhere else within Active Directory. Answer B is also incorrect. You
cannot manually enter the name of a package. Finally, answer C is incorrect
because you have been explicitly told that it is an upgrade. Configuring the
deployment as a new software install could cause serious problems for current
users of the application.
4. Microsoft has released a new service pack for Microsoft Word, along with the
necessary MSI file for deploying it via group policy. Youve copied the files
over to the correct software distribution point and verified their permissions.
The application is assigned to all workstation computers in the company via a
domain-level GPO. After configuring the files, you selected the redeployment
option for the Microsoft Word software deployment package. Only some
computers seem to be getting the service pack. The computers are a mix of
Windows XP and Vista. Which of the following is the most likely cause?
A. All computers have not been rebooted since the redeployment
B. Redeployment does not work with operating systems earlier than
Windows Vista
C. Service packs should be treated as upgrades, not reinstallations
D. All users have not logged off and back on since the redeployment
Correct Answer & Explanation: A. When software is assigned at the computer
level, redeployment occurs at the next computer startup. Because some computers
are getting the update and others arent, it is likely that not all computers
have been rebooted since the redeployment.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect.
Redeployment works with Windows 2000, XP, and Vista. Answer C is also
incorrect because, unless a version upgrade occurs at the same time, service
packs should be considered reinstallations, not upgrades. Finally, answer D
would be correct if the application was assigned or published to users; however,
it was assigned to computers.
5. Your company decided not to renew the license agreement for its contact
management software. The software is deployed on systems across many client
computers in the company. A single GPO was configured to install the software,
and was linked into multiple places in the Active Directory hierarchy to
accommodate the various user groups that needed the program. Youve gone
into the GPO and removed the published object for the software. Now, the
object is gone from the GPO but the application is still installed on the client
computers. Which one of the following most likely explains what happened?
A. You left the default option for removal enabled
B. You selected the option to make the removal optional
C. You selected the option to force removal
D. You deleted the software object from the GPO but forgot to select the
uninstall options first
Correct Answer & Explanation: B. The most likely answer is that you selected
the option to leave the application in place, rather than force its removal.
Incorrect Answers & Explanations: A, C, D. Answers A and C are identical.
The default option is to force removal of the software. Because the software
remained on the client systems, this option was most likely not selected. Answer D
is also incorrect. The only way to remove the object from the Software
installation settings is to request forced or optional removal of the software.
6. The application testing team at your company has given you the approval to
deploy an upgrade to an existing software package. The team testing it has
revealed that the upgrade works best when the software is installed over the
existing software. They ask you if it is possible to upgrade the software using
group policy in a way which meets their recommendations, or if they should
write a script to push out the installation. Which one of the following do you
tell them?
A. You tell them that the default in group policy is to install over the previous
version of the software
B. You tell them that group policy requires the previous version of the
software to be removed
C. You tell them that it is an optional configuration setting, but that it is
possible
D. You recommend a script, saying that you dont trust group policy for such
a complex deployment scenario
Correct Answer & Explanation: C. The Package can upgrade over the
existing package is an optional setting that can be configured to ensure that a
software upgrade is installed over an existing version of the application.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect. The default
setting, Uninstall the existing package, then install the upgrade package,
removes the previous software version before beginning the installation. Answer B
is also incorrect; group policy does not require removal of existing applications
prior to an upgrade. Answer D is incorrect because group policy is highly reliable
for software deployment, management, maintenance, and removal.
7. This morning you deployed an application by assigning it to computers,
and then many of the applications failed. On some systems the application
installed just fine, on others it only partially installed, and on still others it
failed very early in the process. You figured out what went wrong, and have
modified the MSI file. Which one of the following should you do to correct
the problem?
A. You should do a forced removal of the software
B. You should delete and re-create the deployment object in group policy
C. You should redeploy the software
D. You should begin manually troubleshooting the workstations that had
problems
Correct Answer & Explanation: C. When a deployment fails and leaves installations
in inconsistent states the first attempted fix should be to redeploy the
software.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect. Forced
removal of software that did not get fully installed will not be effective. Answer B
is also incorrect. Deleting the deployment package in Active Directory leaves
you with no ability to further manage the botched installation using group policy.
Answer D is incorrect. Although it may ultimately be necessary to troubleshoot
workstations one at a time, the first thing to try is redeployment.
8. You are a mid-level administrator for a large multinational company. Each major
company office has its own domain. The technical services manager at your
office is tired of receiving complaints from the VP-level employees who work
at your location. She has asked you to allow passwords to be as short as four
characters, and to be all lowercase letters. Which of the following do you do?
(Select all that apply.)
A. You tell her that the Default Domain Password Policy supports these
settings by default
B. You tell her that you will create a custom GPO and link it in to the OU
containing the VPs user accounts
C. You tell her that you will disable the Passwords must meet complexity
requirements option
D. You tell her that you will set the Minimum password length option to 4
Correct Answer & Explanation: C, D. Though it is not recommended to weaken
these settings, your manager's request can be fulfilled by disabling the
Passwords must meet complexity requirements option and setting the Minimum
password length option to 4 in the Default Domain Password Policy.
Incorrect Answers & Explanations: A, B. Answer A is incorrect. By default, the
Default Domain Password Policy requires a minimum length of seven characters
and enables the complexity requirement. Answer B is also incorrect. Password
Policy and Account Lockout Policy settings for domain accounts are read only
from GPOs linked at the domain level; a GPO with different settings linked to
an OU or site affects only the local accounts on the member computers in that
container, not domain accounts. The only supported way to give one group of
domain users different password settings is a fine-grained password policy
(Password Settings Object), available at the Windows Server 2008 domain
functional level.
9. Recently the security for your network was taken over by the firewall and
UNIX administrator. He has requested that you increase your password history
setting from the Windows Server 2008 default setting to remember the
maximum number of passwords. Which one of the following do you tell him?
A. You tell him that you will increase the Enforce password history
setting to 48
B. You tell him that you will increase the Enforce password history
setting to 24
C. You tell him that the default setting is the maximum
D. You tell him that there is no maximum setting, and ask him to provide
a specific value
Correct Answer & Explanation: C. When Active Directory is installed the default
value for the Enforce password history option is set to the maximum, 24.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect; the maximum
value of the Enforce password history option is 24. Answer B is also incorrect.
By default, the Enforce password history is set to the maximum value, 24,
at installation. Answer D is incorrect, because 24 is the maximum value.
10. You work for a small accounting firm. Recently your boss, the owner of the
company, read an article about weaknesses in password security. He's asked that
you require everyone in the company to change his or her password every 30
days, and to have to use at least 12 different passwords per year. Which of the
following settings do you configure in the Default Domain Policy? (Select all
that apply.)
A. You set the Maximum password age option to 30
B. You set the Enforce password history option to 12
C. You set the Minimum password age option to 15
D. You disable the Passwords must meet complexity requirements
option
Correct Answer & Explanation: A, C. Setting the Maximum password age
option to 30 ensures that users must change their passwords at least every
30 days, which forces at least 12 changes a year. Setting the Minimum password
age option to 15 prevents users from changing their password again until 15 days
after the last change, so they cannot cycle quickly through the password history
in a single sitting to get back to a favorite password. Combined with the
default Enforce password history of 24, every password a user chooses during
the year is different from the previous 24, which satisfies the requirement for
at least 12 unique passwords per year.
Incorrect Answers & Explanations: B, D. Answer B is incorrect. The default
Enforce password history of 24 already exceeds the 12 required, so lowering it
to 12 is unnecessary and only reduces the number of old passwords the system
remembers. Answer D is also incorrect. Passwords must meet complexity
requirements does not affect how often users must change their passwords or
how many passwords the system remembers.
Chapter 7: Configuring Certificate Services and PKI
1. You have been asked to provide an additional security system for your company's
internet activity. This system should act as an underlying cryptography system.
It should enable users or computers that have never been in trusted communication
before to validate themselves by referencing an association to a trusted third
party (TTP). Which method of security is the above example referencing?
A. Certificate Authority (CA)
B. Nonrepudiation
C. Cryptanalysis
D. Public Key Infrastructure (PKI)
Correct Answer & Explanation: D. Answer D is correct because an
underlying cryptography system that enables users or computers that have
never been in trusted communication before to validate themselves by referencing
an association to a trusted third party (TTP) is called a Public Key
Infrastructure (PKI).
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect, because
Certificate Authority (CA) is a term that refers to the TTP in the PKI transaction.
Answer B is incorrect, because it describes only one single goal of PKI. Answer C
is incorrect; it refers to the process of decrypting or cracking data, not
securing it.
2. You are engaged in an exercise that is meant to demonstrate the Public-Key
Cryptography Standards (PKCS). You arrive at a portion of the exercise dealing
with encrypting a string with a secret key based on a password. Which of the
following PKCS does this exercise address?
A. PKCS #5
B. PKCS #1
C. PKCS #8
D. PKCS #9
Correct Answer & Explanation: A. PKCS #5 is correct because it is a Password-based
Cryptography Standard that deals with the method for encrypting a string
with a secret key that is derived from a password. The result of the method is an
octet string (a sequence of 8-bit values).
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because PKCS
#1 deals with RSA Cryptography Standards and outlines the encryption of data
using the RSA algorithm. The purpose of the RSA Cryptography Standard is in
the development of digital signatures and digital envelopes. Answer C is incorrect,
because PKCS #8 is the Private-key Information Syntax Standard and describes
a method of communication for private-key information that includes the use of
a public-key algorithm and additional attributes (similar to PKCS #6). Answer D is
incorrect, because PKCS #9 deals with Selected Attribute Types and defines the
types of attributes for use in extended certificates (PKCS #6), digitally signed
messages (PKCS #7), and private-key information (PKCS #8).
3. You are working in a Windows Server 2008 PKI and going over various user
profiles that are subject to deletion due to company policy. The public keys for
these users are stored under Documents and Settings\Administrator\System
Certificates\My\Certificates and the private keys would be under Documents
and Settings\Administrator\Crypto\RSA. You possess copies of the public keys
in the registry, and in Active Directory. What effect will the deletion of the
user profile have on the private key?
A. It will have no effect.
B. It will be replaced by the public key that is stored.
C. The Private Key will be lost.
D. None of the above.
Correct Answer & Explanation: C. The private key will be lost if the user
profile is deleted. The private keys are vulnerable to deletion and are stored
under the user's profile.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect, because the
private keys are vulnerable to deletion and are stored under the user's profile,
so deletion of the user profile will affect the private key. Answer B is incorrect,
because the public key cannot be used to replace the private key in any
instance. Answer D is incorrect, because answer C is the correct answer.
4. Two users, Dave and Dixine, wish to communicate privately. Dave and Dixine
each own a key pair consisting of a public key and a private key. If Dave wants
Dixine to send him an encrypted message, which of the following security
measures occurs first?
A. Dave transmits his public key to Dixine.
B. Dixine uses Dave's public key to encrypt the message.
C. Nothing occurs; the message is simply sent.
D. Dixine requests access to Dave's private key.
Correct Answer & Explanation: A. Dave transmits his public key to Dixine is
the correct answer because Dixine must receive Dave's public key to be able to
encrypt the message so that Dave can use his private key to decrypt it.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because Dave
must transmit his public key for Dixine to have access to it. This is the second
step in the process, not the first. Answer C is incorrect, because the encryption
process is not automatic and an exchange of public and private keys must occur
for communication to be encrypted. Answer D is incorrect because private keys
are never transmitted or shared and are used only to decode messages encrypted
with the matching public key of the pair.
5. You are browsing your company's e-commerce site using Internet Explorer 7
and have added a number of products to the shopping cart. You notice that there
is a padlock symbol in the browser. By right-clicking this symbol you will be
able to view information concerning the site's:
A. Private Key.
B. Public Key.
C. Information Architecture.
D. Certificates.
Correct Answer & Explanation: D. Certificates is the correct answer because by
clicking on the padlock you access the view Certificate information tab. This
allows you to verify certain aspects of the certificate.
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect, because you
can never access another party's private key. Answer B is incorrect, because the
public key has already been transmitted and is not accessible in this manner.
Answer C is incorrect because the information architecture (IA) of the site has
nothing to do with the encryption process or PKI.
6. You are engaged in an exercise that is meant to demonstrate the Public-Key
Cryptography Standards (PKCS) used in modern encryption. You arrive at a
portion of the exercise which outlines the encryption of data using the RSA
algorithm. Which of the following PKCS does this exercise address?
A. PKCS #5
B. PKCS #1
C. PKCS #8
D. PKCS #9
Correct Answer & Explanation: B. Answer B is correct, because PKCS #1 deals
with RSA Cryptography Standards and outlines the encryption of data using
the RSA algorithm. The purpose of the RSA Cryptography Standard is in the
development of digital signatures and digital envelopes.
Incorrect Answers & Explanations: A, C, D. Answer A is incorrect; PKCS #5
is a Password-based Cryptography Standard that deals with the method for
encrypting a string with a secret key that is derived from a password. The result
of the method is an octet string (a sequence of 8-bit values). Answer C is
incorrect, because PKCS #8 is the Private-key Information Syntax Standard and
describes a method of communication for private-key information that includes
the use of a public-key algorithm and additional attributes (similar to PKCS #6).
Answer D is incorrect, because PKCS #9 deals with Selected Attribute Types
and defines the types of attributes for use in extended certificates (PKCS #6),
digitally signed messages (PKCS #7), and private-key information (PKCS #8).
7. You are the administrator of your company's Windows Server 2008-based
network and are attempting to enroll a smart card and configure it at an
enrollment station. Which of the following certificates must be requested in
order to accomplish this action?
A. A machine certificate.
B. An application certificate.
C. A user certificate.
D. All of the above.
Correct Answer & Explanation: C. Answer C is correct because user certificates
are certificates that enable the user to do something that would not be
otherwise allowed. The Enrollment Agent certificate is one example of a user
certificate. Without it, even an administrator is not able to enroll smart cards
and configure them properly at an enrollment station.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect, because
machine certificates (as the name implies) give the system, rather than the user,
the ability to do something out of the ordinary. The main purpose for machine
certificates is authentication, both client-side and server-side. Answer B is incorrect,
because the term application certificate refers to any certificate that is
used with a specific PKI-enabled application. Examples include IPSec and
S/MIME encryption for e-mail. Applications that need certificates are generally
configured to automatically request them, and are then placed in a waiting
status until the required certificate arrives. Answer D is incorrect because it is
generally never required for all of the listed certificates to be requested in
a single action.
8. Dave and Dixine each own a key pair consisting of a public and private key.
A public key was used to encrypt a message and the corresponding private
key was used to decrypt. Dave wants Dixine to know that a document he
is responding with was really written by him. How is this possible using the
given scenario?
A. Dave's private key can encrypt the document and the matching public key
can be used to decrypt it.
B. Dave can send Dixine his private key as proof.
C. Dixine can allow Dave access to her private key to encrypt the
document.
D. None of the above.
Correct Answer & Explanation: A. Dave's private key can be used to encrypt
the document and the matching public key can be used to decrypt it is the
correct answer because if a user uses your public key to read the document
and they are successful, they can be certain that it was signed by your private
key and is therefore authentic.
Incorrect Answers & Explanations: B, C, D. Answers B and C are incorrect,
because private keys should never be shared with other users. Answer D is
incorrect because, as stated, a private key can be used to encrypt a document so that
the matching public key can be used to decrypt it.
9. You are administering a large hierarchical government environment in which a
trust model needs to be established. The company does not want external CAs
involved in the verification process. Which of the following is the best trust
model deployment for this scenario?
A. A hierarchical first party trust model.
B. A third party single CA trust model.
C. A first party single CA trust Model.
D. None of these will meet the needs of the company.
Correct Answer & Explanation: A. Choice A is correct because Hierarchical
models work well in larger hierarchical environments, such as large government
organizations or corporate environments and use multiple levels of subordinate
CAs that are governed by a root CA. First party CAs are internal and administered
by the company deploying them.
Incorrect Answers & Explanations: B, C, D. Answers B and C are incorrect,
because hierarchical models are better suited for larger hierarchical environments,
since they offer more layers of verification. Answer D is incorrect because,
as stated, choice A will meet the needs of this example.
10. Two users, Dave and Dixine, wish to communicate privately. Dave and Dixine
each own a key pair consisting of a public key and a private key. A public key
was used to encrypt a message and the corresponding private key was used to
decrypt. What is the major security issue with this scenario?
A. Private keys are revealed during the initial transaction.
B. Information encrypted with a public key can be decrypted too easily
without the private key.
C. An attacker can intercept the data mid-stream, and replace the original
signature with his or her own, using his private key.
D. None of the Above
Correct Answer & Explanation: C. Answer C is correct because there is
nothing to prevent an attacker from intercepting the data mid-stream, and
replacing the original signature with his or her own, using his private key.
The solution to this problem in Windows PKI is the certificate.
Incorrect Answers & Explanations: A, B, D. Answer A is incorrect, because
private keys are never accessible to other users. Answer B is incorrect, because
while the encryption process is not completely impervious to cracking without
the private key to decrypt the data, an attacker would have an incredibly
hard time decrypting the transmission. Answer D is incorrect because, as stated,
an attacker can intercept the data mid-stream, and replace the original signature
with his or her own, using his private key.
Chapter 8: Maintaining an Active Directory Environment
1. You've just finished installing a new Windows Server 2008 DC. It is the policy
of the IT department to perform a full backup of newly installed DCs. You
click on Start | Administrative Tools | Windows Server Backup. When
Windows Server Backup loads you see the following screen.
What do you need to do to ensure that the backup takes place?
A. Run DCPROMO
B. Install the Windows Server Backup feature
C. Go to a command prompt and run wbadmin.exe
D. Boot into DSRM and conduct the backup from there
Correct Answer & Explanation: B. Even though Windows Server Backup
appears in the list of Administrative Tools, that doesn't mean it's been installed.
Install the feature via Server Manager.
Incorrect Answers & Explanations: A, C, D. Answer A is incorrect, because
DCPROMO is used to convert a server into a DC; it has nothing to do with
the backup software. Answer C is incorrect, because wbadmin.exe is a part of
the Windows Server Backup feature. Simply running it will provide you with
the same message popping up. Answer D is incorrect, because with the backup
software not being installed you cannot conduct the backup regardless of what
mode you've booted in on the DC.
2. You are responsible for performing backups on the DCs on your network.
Your boss has requested that you conduct system state backups to DVD.
How do you accomplish this?
A. Run the Windows Server Backup Wizard, select System State
Backup, and set your target to the DVD drive
B. Run the Windows Server Backup Wizard, select a local drive as the
target, and then copy the system state backup to the DVD drive
C. Run the wbadmin.exe command with the start systemstatebackup command
and target it to the DVD drive
D. Run the wbadmin.exe command with the start systemstatebackup command,
set the target to a local fixed drive, and then copy the system state backup
to a DVD
Correct Answer & Explanation: D. System state backups are done using the
wbadmin.exe command and must have local drives as targets. To back up to
DVD, you must manually copy the system state backup to the DVD drive and
burn the backup onto disk.
Incorrect Answers & Explanations: A, B, C. Answers A and B are incorrect,
because Windows Server Backup cannot specifically back up the system state.
You must use the wbadmin.exe command. Answer C is incorrect, because
system state backups must have a local drive as the target.
3. You are the network administrator for your company. Last night you successfully
performed a system state backup of one of your DCs. Due to an unforeseen
issue, you now need to perform a system state restore. What do you need
to do to conduct a system state restore on a DC?
A. Reboot the DC, go into DSRM, and run wbadmin.exe to perform the
system state restore
B. Log on to the DC as usual and run wbadmin.exe to restore the system state
C. Stop Active Directory Domain Services and then run the wbadmin.exe
command to restore the system state
D. Just restore the system state via the Windows Server Backup Wizard
Correct Answer & Explanation: A. To recover the system state for a DC, you
must be in DSRM and then run the wbadmin.exe command.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because you
cannot restore the system state of a DC in normal mode. Answer C is incorrect,
because stopping Active Directory Domain Services will not allow you to restore
the system state on a DC. Answer D is incorrect, because the Windows Server
Backup Wizard does not restore the system state specifically.
4. You are the network administrator for your company. You have a scheduled
backup job run three times a day: 10:00 a.m., 4:00 p.m., and 11:00 p.m.
At 4:50 p.m., you get a call that user Janet Harrell has deleted the company
budget on the server. There are no previous versions available. What should
you do to restore the company budget?
A. Run ntbackup, select the company budget from the list of files backed up,
and choose Restore
B. Run Windows Server Backup, select Recover from the Actions
pane, choose Files and Folders as the recovery type. Select the company
budget from the Available items list. Choose Original location for
recovery destination, create copies so that you have both versions of the
file or folder under When the wizard finds files and folders in the
recovery destination, and choose Restore security settings.
C. Go into DSRM, run wbadmin.exe, and conduct a system state recovery
D. Stop Active Directory Domain Services, load ntbackup, select the company
budget, and choose Restore
Correct Answer & Explanation: B. You would run through the restore wizard
in Windows Server Backup, choose the budget file, and restore to the original
location along with the original security settings. Windows Server Backup
provides the ability to individually choose which files and/or directories to
restore.
Incorrect Answers & Explanations: A, C, D. Answers A and D are incorrect,
because ntbackup is no longer the backup and restore software that comes
with Windows Server 2008. The ntbackup version for Windows Server 2008
that you can download can recover only .bkf files and not the .vhd files that
Windows Server Backup creates. Answer C is incorrect, because you do not
have to go into DSRM to recover key files.
5. You are the network administrator at your company. The Active Directory
database file on one of your DCs is corrupt. You decide to perform a nonauthoritative
restore on the DC. You reboot the server into DSRM and try to
log on as the domain administrator but you cannot. You need to get this DC
back up and functioning as soon as possible. What can you do to achieve this?
A. Log on to the server with another domain administrator's account
B. Log on to the server using the local administrator's account
C. Change the domain administrator's password from another DC and then
log on using the account with the new password
D. Log on using the DSRM administrator's account and password
Correct Answer & Explanation: D. You must log on using the DSRM administrator's
account and password, which you created during the DCPROMO
wizard while converting this server into a DC.
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect, because you
must log on using the DSRM account. A domain admin account cannot log on
to the server in DSRM mode. Answer B is incorrect, because you must log on
using the DSRM administrator's account and there are no local administrator
accounts on a DC. Answer C is incorrect for the same reasons as answer A.
6. You are the domain admin for your company. You have tasked Susan,
a member of the Account Operators group, to delete Amber Chambers' user
account because she quit yesterday. Susan accidentally deletes Andy Chambers'
account. Before she realizes what's happened, the change is replicated to the
other DCs. What can you do to bring back Andy Chambers' user account?
A. Reboot the DC into DSRM, restore the system state, and conduct a
nonauthoritative restore on Andy Chambers' user account from the most
recent backup using wbadmin.exe
B. Reboot the DC into DSRM, restore the system state, and conduct an
authoritative restore on Andy Chambers' user account from the most
recent backup using wbadmin.exe
C. Log on to the DC in normal mode, stop Active Directory Domain Services,
load Windows Server Backup, restore the system state, and perform an
authoritative restore of Andy Chambers' user account
D. Log on to the DC in normal mode, stop Active Directory Domain Services,
load Windows Server Backup, restore the system state, and perform a
nonauthoritative restore of Andy Chambers' user account
Correct Answer & Explanation: B. Only an authoritative restore can restore the
user account and prevent it from being overwritten by directory replication.
To perform an authoritative restore you must boot up into the DSRM, run
wbadmin.exe to restore the system state, and then perform an authoritative
restore.
Incorrect Answers & Explanations: A, C, D. Answer A is incorrect, because
a nonauthoritative restore would bring the user account back but it would be
deleted once directory replication took place. Answers C and D are incorrect,
because you must be in DSRM to restore the user account. Windows Server
Backup has no way of performing an authoritative restore via the GUI.
7. You are the domain administrator for your company. Examining one of the
DCs, you notice that the file ntds.dit is almost 6 GB in size. You decide that
to save disk space and increase performance you will defrag Active Directory
Domain Services. How would you accomplish this?
A. Log on to the server as an administrator. Perform a system state backup of
the DC. Create a new directory on the system drive called C:\defrag. Stop
Active Directory Domain Services. Start an instance of ntdsutil and activate
Instance ntds. At the ntdsutil prompt pull up the file maintenance prompt
and type compact to c:\defrag. Go to the %systemdrive%\Windows\
NTDS directory and delete the old ntds.dit file as well as any .log files.
Copy the ntds.dit file in the C:\defrag folder to %systemroot%\Windows\
NTDS, and then restart Active Directory Domain Services.
B. Log on to the server as an administrator. Perform a system state backup of
the DC. Create a new directory on the system drive called C:\defrag. Start
an instance of ntdsutil and activate Instance ntds. At the ntdsutil prompt,
pull up the file maintenance prompt and type compact to c:\defrag.
Go to the %systemdrive%\Windows\NTDS directory and delete the old
ntds.dit file as well as any .log files. Copy the ntds.dit file in the C:\defrag
folder to the %systemroot%\Windows\NTDS.
C. Log on to the server as an administrator in DSRM. Perform a system state
backup of the DC. Create a new directory on the system drive called
C:\defrag. Stop Active Directory Domain Services. Start an instance of ntdsutil
and activate Instance ntds. At the ntdsutil prompt, pull up the file maintenance
prompt and type compact to c:\defrag. Go to the %systemdrive%\
Windows\NTDS directory and delete the old ntds.dit file as well as any
.log files. Copy the ntds.dit file in the C:\defrag folder to the %systemroot%\
Windows\NTDS, and then restart Active Directory Domain Services.
D. Log on to the server as an administrator. Perform a system state backup
of the DC. Create a new directory on the system drive called C:\defrag.
Stop Active Directory Domain Services. Start an instance of ntdsutil and
activate Instance ntds. At the ntdsutil prompt, pull up the file maintenance
prompt and type compact to c:\defrag. Go to the %systemdrive%\
Windows\NTDS directory and delete the old ntds.dit file as well as any
.log files. Copy the ntds.dit file in the C:\defrag folder to %systemdrive%\
Windows\NTDS.
Correct Answer & Explanation: A. These are the steps in performing a defrag/
compact of the Active Directory Domain Services database file. Although the
system state backup is not required, it is highly recommended.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because
you never stopped Active Directory Domain Services. Answer C is incorrect,
because you no longer need to boot into DSRM to defrag the database. Answer
D is incorrect, because you never restarted Active Directory Domain Services.
8. You are the domain administrator for your company. Your network consists of
three DCs, each running Windows Server 2008. Two are at site A, and the third
is located at site B. There seems to be a replication problem between the DCs
at site A and the DC at site B. What is the best tool to use in troubleshooting
directory replication?
A. Network Monitor
B. Task Manager
C. RepAdmin
D. Event Viewer
Correct Answer & Explanation: C. RepAdmin can be used for monitoring
Active Directory replication, topology, and even force replication.
Incorrect Answers & Explanation: A, B, D. Answer A is incorrect, because it
doesn't show what's actually being replicated. It can show that the DCs are
communicating, but it cannot truly tell whether replication is taking place.
Answer B is incorrect, because the Task Manager is more for administrators to
get a real-time view of the performance of the server and not that of directory
replication. Answer D is incorrect, because it doesn't show the topology, nor
can it initiate replication. It is probably the best place to start, but not to finish.
9. You are the domain administrator for your company. Your network consists
of multiple DCs at multiple sites. A DC at your local site is having problems
with replicating. You need to know when this DC last attempted to perform
an inbound replication on the Active Directory partitions. How would you
accomplish this?
A. Open a command prompt on the DC and run ntdsutil
B. Open a command prompt on the DC and run repadmin /replicate
C. Open a command prompt on the DC and run repadmin /rodcpwdrepl
D. Open a command prompt on the DC and run repadmin /showrepl
Correct Answer & Explanation: D. Running repadmin /showrepl displays the
replication status when a specified DC has last attempted to perform inbound
replication on Active Directory partitions.
Incorrect Answers & Explanations: A, B, C. Answer A is incorrect, because
ntdsutil does not provide information about directory replication. Answer B is
incorrect, because the /replicate switch triggers immediate replication and does
not provide information about when a particular DC last attempted to perform
an inbound replication. Answer C is incorrect, because the /rodcpwdrepl switch
triggers the replication of passwords for specified users from a source DC to
one or more RODCs.
10. You are the domain administrator for your company. At your site you have a
single DC that also acts as an application server. From 10:00 a.m. to 4:00 p.m.,
users complain about slow logons to the network and that accessing resources
from this DC is incredibly slow during most of the workday. You log on to the
DC, pull up the Task Manager, and notice that a process called CustApp.exe
is using just more than 90% of the CPU cycles. The application must remain
running during the day, but you also need to resolve the slow logon issues.
There is no money in the budget for additional hardware. What is the best way
to handle this situation?
A. Go into the Windows System Resource Manager on the DC, and create
a new recurring calendar event to start at 8:00 a.m. and end at 5:00 p.m.
daily. Associate the event with the Equal_Per_Process policy.
B. Go into the Task Manager and into the Processes tab. Find CustApp.exe
and set the priority to Below Normal.
C. Go into the Task Manager and into the Process tab. Find CustApp.exe and
end the process.
D. Purchase a second server to run only the CustApp.exe application
Correct Answer & Explanation: A. The Windows System Resource Manager
(WSRM) allows administrators to set policies and thresholds on applications
and processes on the number of CPU cycles they can max out at and the
amount of memory they are allowed to consume. Setting a calendar policy
allows the administrator to allow the application to run at high CPU levels
if needed after hours; that way, it doesn't affect the end-users at work.
Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because by
setting the priority level to below normal it is possible that the threads within
the CustApp.exe will never execute depending on whether there are a large
number of threads with higher-priority numbers in the queue. Answer C is
incorrect, because it completely stops the CustApp.exe process which may
belong to a mission-critical application, thereby affecting productivity in a
highly negative manner. Answer D is incorrect, because the scenario clearly
states that there is no money in the budget for additional hardware.
Index
A
Account lockout policy, 380–394, 437, 438
Account Policies, configuration of. See Configuration of Account Policies
Accounts. See Computer accounts; User accounts
Active Directory
Application Mode (ADAM), 2, 23
bandwidth and network traffic, 217–218
configuring event logging, 265–266
directory service access, 401–404
Domain Services (ADDS), 23, 584–587
Domain Services Role installation, 12–15
editing attributes of objects, 189
Federation Services. See ADFS (Active Directory Federation Services)
Lightweight Directory Service. See LDS (Active Directory Lightweight Directory Service)
navigation of, 189
records, 85–86
restartable, 584–587
Rights Management Service. See RMS (Active Directory Rights Management Service)
Users and Computers administration tool, 126–129
See also Backing up; Computer accounts; Monitoring Active Directory; Offline maintenance; Recovering; User accounts; Users and Computers console
AD-integrated zones, 81, 118
ADAM (Active Directory Application Mode), 2, 23
Add Role Wizard, 68
ADDS (Active Directory Domain Services), 23, 584–587
ADFS (Active Directory Federation Services)
configuration, 39–51
description, 3, 37–38
federating with Windows Server 2003 R2 forest, 54
structure, 38
use of, 38
ADLDS (Active Directory Lightweight Directory Service). See LDS (Active Directory Lightweight Directory Service)
Adleman, Leonard, 453
ADM (Administrative Template) templates, adding to GPOs, 424–432
Admin logs, 606
Administrative Templates, 420–421
Administrator account, built-in, 130, 189
ADMX (XML-based format)
central store, 422–423, 439
files, 421
adprep, 17, 54
ADRMS (Active Directory Rights Management Service). See RMS (Active Directory Rights Management Service)
ADSIEdit.msc graphical console, 189
Allocation for Active Directory, 590–591
Analytic logs, 606
Application certificates, 480
Application-push technologies, 81
Application-specific content in Group Policies, 348
Applications, monitoring, 596–597
Applications logs, 606
Assigning software to computers, 368–369
Assigning software to users, 364–368
Attacks, elevation-of-privilege, 275
Attributes of objects, editing, 189
Audit Policies, configuration of. See Configuration of Audit Policies
Auditing
changes from ADAM, 23
logon events, 438
in Windows Server 2008, 438
Authentication of UPNs, 212
Authoritative restoring, 568–574, 637–638
Autoenrollment for user certificates, 527
Automatic partner configuration, 105–106
B
Backing up
CA servers, 489–492
critical volumes, 556–557
description, 534–535
Group Policy objects (GPOs), 575–580, 638
key files, 555
Starter GPOs, 579, 638
system state data, 551–554, 637
Volume Shadow Copy Service (VSS), 551
See also Windows Server Backup
Bandwidth and network traffic in Global Catalog (GC), 217–218
BIND servers, 117
BitLocker Drive Encryption, 12
.bkf files, 534–535, 553, 637
Block Inheritance in GPOs, 322–323, 330
Block symmetric algorithms, 453
Bridgehead servers, 259
Brute force password attacks, 437
Bulk data encryption without prior shared secrets, 466–479
C
Caching, Universal Group, 218–220
Cards, smart, 140, 479, 514, 527–528
CAs (certification authorities)
Certificate Practice Statement (CPS), 484–485
certificate requests, 484–489
configuring, 481–482
description, 482
hierarchy, 527
root vs. subordinate, 483–484
standard vs. enterprise, 482–483
Certificate Practice Statement (CPS), 484–485
Certificate requests, 484–489
Certificate revocation lists (CRLs), 499–501, 524, 527
Certificate Services
installing, 468–477
See also CAs (certification authorities); Certificate templates; Certificates; Key recovery
Certificate templates
cryptography, 506–507
custom, 516–519
description, 501–502
general properties, 503–504
issuance requirements, 509–512
key recovery agent, 521–522
permissions model, 519–520
request handling, 505
security settings, 512–513
subject information, 508
types of, 513–516
versioning, 520–521
Certificates
application certificates, 480
computer certificates, 514–516
description, 460–463
EFS and overseas travel, 526
formats, 526
  machine certificates, 480
  needs, analyzing, 480–481
  reviewing, 467–468
  types of, 513–516
  user certificates, 479, 513–514
  validity period, 527, 528
  visibility, 526
Certification authorities (CAs). See CAs (certification authorities)
Client-management technologies, 81
CNG (Cryptography Next Generation), 452
Compaction, 587–590
Computer accounts
  creating, 161–162
  description, 160–161
  modifying, 162–167
  password storage limit, 190
  purpose, 190
  resetting, 167–168
Computer certificates, 514–516
Computer configuration in GPOs, 308–309
Confidentiality, 449
Configuration
  Active Directory event logging, 265–266
  ADFS (Active Directory Federation Services), 39–51
  CAs (certification authorities), 481–482
  DHCP (Dynamic Host Configuration Protocol), 98–99
  directory service access in group policy, 405
  Directory Services role, 12
  directory services role, 12–15
  DNS (Domain Name System), 73–76
  fine-grain policies, 384–394
  LDS (Active Directory Lightweight Directory Service), 23–26
  object level auditing, 405–408
  replication between sites, 263
  resolution of zones, 91
  restricting some users, 439
  reverse lookup zones, 87–91
  RMS (Active Directory Rights Management Service), 30–37
  RODC (read-only domain controllers), 16–21
  site link costs, 252–254
  Universal Group caching, 219
  WINS (Windows Internet Naming Service), 103–105, 111, 112–113
  WMI (Windows Management Instrumentation) filtering, 331
  See also Configuration of Account Policies; Configuration of Audit Policies; Configuration of security-related policies; Software configuration and Group Policies
Configuration Manager, System Center, 81
Configuration of Account Policies
  account lockout policy, 380–394, 437, 438
  Default Domain Policy GPO, 378
  domain password policy, 379–380, 381–384
  fine-grain policies, 384–394
  PSO, applying users and groups to, 394–397
Configuration of Audit Policies
  description, 397–399
  directory service access, 401–404
  logon events, 399–401
  object access, 404–408
  other audit policies, 408–409
Configuration of security-related policies
  ADM (Administrative Template) templates, adding to GPOs, 424–432
  Administrative Templates, 420–421
  ADMX central store, 422–423
  Restricted Groups objects, 415–420
  security options, 411–415
  user rights, 409–411
Configuration partition, 202
CPS (Certificate Practice Statement), 484–485
Creating GPOs, 314–315, 316–318
CRLs (certificate revocation lists), 499–501, 524, 527
Cryptography
  algorithms, types of, 453
  basics, 459
  certificate templates, 506–507
  symmetric key, 453
Cryptography Next Generation (CNG), 452
Custom certificate templates, 516–519
Custom Views in Event Viewer, 602–605
D
Data Collector Sets, 629–631
Data encryption without prior shared secrets, 466–479
Database files for DNS, 64–65
Database Mounting Tool, 23
DCs (domain controllers)
  Global Catalog (GC), 210–211
  master roles, 220–221
  refreshing cache, 219
  schema partition, 202
  software, not assigning to DCs, 361
  UPN authentication, 212
  See also RODCs (read-only domain controllers)
Debug logs, 606
Default settings, Microsoft, 421
Default trusts, 272
Defragmenting, 587–590, 638
Delegating tasks, 177–183, 191
Delegation of Control Wizard, 178–183
Desktop settings for user accounts, 189
Destination disk, labeling, 545
DH (Diffie-Hellman) algorithms, 453–454
DHCP (Dynamic Host Configuration Protocol)
  configuring, 93–95, 98–99, 102–103
  description, 62
  design principles, 95–97
  DNS (Domain Name System), 102–103
  installing, 97
  Server Core, 100–102
  servers and placement, 96–97
Diffie-Hellman (DH) algorithms, 453–454
Digital certificates, reviewing, 467–468
Digital rights management (DRM) in Vista, 29–30, 54
Digital signatures, 464–465, 526
Directory information search in GC, 212–214
Directory service access, 401–404
Directory Services Restore Mode (DSRM), 565–568, 637
Directory Services role
  configuring, 12
  omitting, 55
Distinguished names (DNs), 202
Distribution groups, 170
DNs (distinguished names), 202
DNS (Domain Name System)
  BIND and Windows servers, 117
  configuration, 63–68, 73–76
  database files, 64–65
  description, 62
  design, 90
  DHCP (Dynamic Host Configuration Protocol), 102–103
  domain suffixes, 66–67, 117
  installation, 72–73
  record types, 63–64
  Resource Records (RRs), 68–72
  root domain (.), 118
  Server Core, 76–79
  WINS (Windows Internet Naming Service), 112–113
  zone transfer, 82–83
  zones, configuring, 79–82
  zones, creating, 83–85
Domain controllers. See DCs (domain controllers)
Domain functional levels
  description, 202
  list of, 203
  raising, 281
  use of, 203–204
  Windows 2000, 204
  Windows 2003, 204–205
  Windows 2008, 205–206
Domain local groups, 171
Domain Name System (DNS). See DNS (Domain Name System)
Domain Naming DC, 220
Domain partition, 202
Domain password policy, 379–380, 381–384
Domain Services, Active Directory (ADDS), 23, 584–587
Domain user accounts, 189
Domains
  description, 199–202
  sites, relationship with, 234–235
  suffixes, 66–67, 117
DRM (digital rights management) in Vista, 29–30, 54
dsadd tool, 190
DSRM (Directory Services Restore Mode), 565–568, 637
DVD, backing up to, 548–551
Dynamic Host Configuration Protocol (DHCP). See DHCP (Dynamic Host Configuration Protocol)
Dynamic Updates, Secure, 81
E
EAP (Extensible Authentication Protocol), 528
Editing attributes of objects, 189
EFS (Encrypting File System) and overseas travel, 526
Elevation-of-privilege attacks, 275
Encrypting File System (EFS) and overseas travel, 526
Encryption, secret key, 453
Encryption without prior shared secrets, 466–479
Enforcing
  Group Policies, 318–322, 330
  membership of groups, 439
Enterprise CAs (certification authorities), 482–483
Enterprise PKI (PKIView), 451
Event logging in Active Directory, 265–266
Event Viewer
  Applications and Services logs, 606
  Custom Views, 602–605
  description, 602
  new benefits, 638
  subscriptions, 607–611
  Windows logs, 605
Exchange Server and Global Catalog (GC), 217
Explicit trusts, 271, 282
Extensible Authentication Protocol (EAP), 528
External trusts, 267, 273–274, 281
F
Federating with Windows Server 2003 R2 forest, 54
Federation Services. See ADFS (Active Directory Federation Services)
Filtering
  Group Policy objects (GPOs), 331–333
  SIDs (Security Identifiers), 275–276
  WMI (Windows Management Instrumentation), 304–305, 330–331
Fine-grain policies, 384–394
Flash drives, backing up to, 548, 637
Flexible Single Master Operation roles. See FSMO (Flexible Single Master Operation) roles
Forcing replication, 261
Foreign travel and EFS (Encrypting File System), 526
Forest functional levels
  description, 202
  list of, 203
  raising, 208–209, 281
  Windows 2000, 206–207
  Windows 2003, 207–208
  Windows 2008, 208
Forest trusts, 272–273
Forests, 199–200
FSMO (Flexible Single Master Operation) roles
  description, 220
  Domain Naming role, locating and transferring, 227–228
  Infrastructure, RID, and PDC Operations Master Roles, locating and transferring, 228–230
  master roles, 220–221
  master roles, seizing, 230–231
  placing in Active Directory environment, 232
  role holders, seizing, 223–224
  role holders, transferring, 223
  Schema Master role, locating and transferring, 224–227
  valid authorization levels, 221–222
Functional levels. See Domain functional levels; Forest functional levels
G
GC. See Global Catalog (GC)
Global Catalog (GC)
  attributes, 215–216
  bandwidth and network traffic, 217–218
  description, 202, 210–212
  directory information search, 212–214
  Exchange Server, 217
  placing GC servers within sites, 216–217
  replication, 214–215
  server, number of users for, 283
  Universal Group membership, 214, 215
  UPN authentication, 212
Global groups, 171
GlobalNames zone, 91–93, 117
GPMC (Group Policy Management Console), 638
GPO. See Group Policy objects (GPOs)
Group Policies. See Configuration of Account Policies; Group Policy Modeling Wizard; Group Policy objects (GPOs); Group Policy Results Wizard; Software configuration and Group Policies
Group Policy Management Console (GPMC), 638
Group Policy Modeling Wizard, 327–330
Group Policy objects (GPOs)
  ADM (Administrative Template) templates, adding to GPOs, 424–432
  application-specific content, 348
  backing up, 575–580, 638
  Block Inheritance, 322–323, 330
  computer configuration, 308–309
  creating, 314–315, 316–318
  Default Domain Policy GPO, 378
  enforcing, 318–322, 330
  features, 348
  filtering, 331–333
  Group Policy description, 348
  hierarchy, 309–311
  linking, 315–318
  Local Group Policies, 293–296
  loopback, 334, 349
  modeling, 327–330
  Multiple Local GPOs (MLGPOs), 293–296
  network location awareness, 306–307
  non-local, 296–306
  Preferences, 303–306
  processing priority, 311–314
  recovering, 581–585
  results, 323–325
  Starter GPOs, 341–345, 348, 579
  Templates, Administrative, 335–337
  Templates, Security, 335–337, 337–341
  types, 292–293
  user configuration, 307–308
  Windows 2008 new features, 348
  WMI (Windows Management Instrumentation) filtering, 304–305, 330–331
Group Policy Results Wizard, 323–325
Groups
  creating by scripts, 176–177
  creating by Users and Computers console, 172–173
  description, 169
  enforcing membership of, 439
  managing, 190–191
  modifying by Users and Computers console, 173–176
  scopes of, 170–171
  strategies, 171–172
  types of, 170
Guest account, built-in, 131
H
Hash function, 453
Hierarchy
  CAs (certification authorities), 527
  Group Policies, 309–311
Hub-and-spoke models for WINS (Windows Internet Naming Service), 109–110
Hybrid replication models for WINS (Windows Internet Naming Service), 110
I
IANA (Internet Assigned Numbers Authority), 72
Implicit trusts, 271, 282
Implied trusts, 282
Incoming trusts, 270
Infrastructure Master DC, 220
Installation
  Certificate Services, 468–477
  DHCP (Dynamic Host Configuration Protocol), 97
  DNS (Domain Name System), 72–73
  Domain Services Role, 12–15
  software configuration and Group Policies, 358–361
  Windows Server Backup, 535–540
  WINS (Windows Internet Naming Service), 111
Internet Assigned Numbers Authority (IANA), 72
Intersite or intrasite replication, 217
IP replication, 262
IPv6, 245–246
K
KCC (Knowledge Consistency Checker), 207, 215, 255–258, 282
Key files
  backing up, 555
  recovering, 559–565
Key infrastructure. See PKI (public key infrastructure)
Key recovery
  agent, 521–522
  backing up CA servers, 489–492
  restoring CA servers, 492–495
Knowledge Consistency Checker (KCC), 207, 215, 255–258, 282
L
Labeling the destination disk, 545
LDS (Active Directory Lightweight Directory Service)
  configuration, 23–26
  description, 23
  managing, 26–27
  running AD internally, 54
  use of, 22
Linked value replication (LVR), 575
Linking GPOs, 315–318
LMHOSTS files, static entries in, 110–111
Local Group Policies, 293–296
Local user accounts, 189
Local user profiles, 145
Lockout policy, 380–394, 437, 438
Logon events, auditing, 438
Logs
  Applications, 606
  Services, 606
  Windows, 605
Loopback, Group Policy, 334, 349
Loopback address in IPv6, 246
LVR (linked value replication), 575
M
Machine certificates, 480
Maintenance, offline. See Offline maintenance
Maintenance, software, 370–375
Mandatory profiles, 145, 189
Masks, 244–245
Master roles, FSMO, 220–221
Membership of groups, enforcing, 439
Microsoft default settings, 421
MLGPOs (Multiple Local GPOs), 293–296
Modeling, Group Policy, 327–330
Monitoring Active Directory
  description, 591
  Event Viewer, 602–608
  Network Monitor (netmon), 591–594
  Task Manager, 594–601
  See also Windows Reliability and Performance Monitor
MS-CHAP protocols, 528
MSI (Windows installer) files, 378
Multiple Local GPOs (MLGPOs), 293–296
N
Navigation of Active Directory, 189
Network Device Enrollment Service (NDES), 452
Network location awareness and Group Policies, 306–307
Network Monitor (netmon), 591–594
Network traffic in Global Catalog (GC), 217–218
Networking, monitoring, 599–600
New Zone Wizard, 83–85
Non-local GPOs, 296–306
Nonauthoritative restoring, 575, 637–638
Nonrepudiation, 449
O
OCSP (Online Certificate Status Protocol), 452
Offline maintenance
  defragmenting and compaction, 587–590, 638
  restartable Active Directory, 584–587
  storage allocation, 590–591
One-way trusts, 269–270
Online Certificate Status Protocol (OCSP), 452
Operational logs, 606
Organizational units (OUs)
  Block Inheritance, 322–323
  defaults, 128
  description, 198
  permissions, 178
OU. See Organizational units (OUs)
Outgoing trusts, 270
Overseas travel and EFS (Encrypting File System), 526
P
Partner configuration, automatic, 105–106
Password Settings objects (PSOs). See PSOs (Password Settings objects)
Passwords
  brute force password attacks, 437
  domain password policy, 379–380, 381–384
  DSRM (Directory Services Restore Mode), 637
  options, 139–141
  resetting, 157
  storage limit for computer accounts, 190
  strength traits, 132, 190, 438
  Users and Computers administration tool, 134–135
PDC Emulator DC, 221
Performance, monitoring, 598–599
Performance Monitor, 625–627
PKCS (Public-Key Cryptography Standards), 454–458
PKI (public key infrastructure)
  application certificates, 480
  authentication, 465–466
  bulk data encryption without prior shared secrets, 466–479
  certificate services, installing, 468–477
  components, 450–452
  description, 446–449
  digital certificates, reviewing, 467–468
  digital signatures, 464–465, 526
  enhancements in Windows Server 2008, 450–452
  function of, 449–450
  history of, 452–453
  machine certificates, 480
  user certificates, 479
  See also CAs (certification authorities); Certificate templates; Key recovery
PKIView, 451
Preferences for Group Policies, 303–306
Primary zones, 79
Processes, monitoring, 597
Processing priority in Group Policies, 311–314
Profiles
  mandatory, 189
  public and private keys, 457
  Terminal Service, 154
  types of, 145
  Users and Computers administration tool, 144–145
  WS-Federation Passive Requestor Profile (WS-F PRP), 37
Protocols for replication, 261–262
PSOs (Password Settings objects)
  applying users and groups to, 394–397
  description, 386
Public-Key Cryptography Standards (PKCS), 454–458
Public key infrastructure. See PKI (public key infrastructure)
Publishing software to users, 361–364
Pull partnerships, 107
Push partnerships, 106–107
Push/pull partnerships, 108
R
Raising functional levels, 208–210, 281
Read-only domain controllers. See RODCs (read-only domain controllers)
Realm trusts, 281
Record types for DNS, 63–64
Recovering
  authoritative restoring, 568–574, 637–638
  .bkf files, 534–535, 553, 637
  CA servers, 492–495
  description, 534–535
  Directory Services Restore Mode (DSRM), 565–568, 637
  Group Policy objects (GPOs), 581–585
  key files, 559–565
  nonauthoritative restoring, 575, 637–638
Recovery, key. See Key recovery
Redeploying software, 370–371, 437
Relative ID (RID) Master DC, 221
Reliability and Performance Monitor. See Windows Reliability and Performance Monitor
Reliability Monitor, 627–629
Removable media, backing up to, 548–551
Removal
  RODC (read-only domain controllers), 21–22
  software, 375–378
Renaming sites, 242–243, 283
RepAdmin command, 618–621
Replication
  bridgehead servers, 259
  configuring between sites, 263
  description, 255–256
  forcing, 261
  intersite, 217, 258–259
  intrasite, 217, 256
  monitoring, 638
  protocols, 261–262
  ring topology, 257
  RODCs, 54
  scheduling, 260–261
  three-hop rule, 258
  topology, 262–263
  transitive site links, 259
  troubleshooting, 264–266
  Universal Group, 171
Replication and WINS (Windows Internet Naming Service), 105–110
Replication Monitor (Replmon), 611–617
Reports, 631–632
Resource Records (RRs) for DNS, 68–72
Restartable Active Directory, 584–587
Restoring. See Recovering
Restricted Groups objects
  adding, 416–419
  deleting, 420
  description, 415–416
  enforcing membership of groups, 439
  modifying, 419–420
Restricting some users, 439
Results, Group Policy, 323–325
Reverse lookup zones
  configuration, 87–91
  description, 80, 86
  security considerations, 87
Ring models for WINS (Windows Internet Naming Service), 109
Ring topology for replication, 257
Rivest, Ronald, 453
RMS (Active Directory Rights Management Service)
  configuration, 30–37
  description, 3
  digital rights management (DRM) in Vista, 29–30, 54
  features, 28–29
Roaming user profiles, 145
RODCs (read-only domain controllers)
  configuration, 16–21
  description, 2, 184, 191
  features, 16
  mixed-mode (Windows 2003 and 2008) domain, 54
  purpose, 15–16
  removal, 21–22
  replication, 54
Role deployment
  Add Role Wizard, 68
  directory services role configuration, 12–15
  Server Manager, 55
  Windows Server 2008 new roles, 23
Root CAs (certification authorities), 483–484
Root domain (.) in DNS, 118
RRs (Resource Records) for DNS, 68–72
RSA Labs, 453
S
SACL (system access control list), 401
Scheduling replication, 260–261
Schema Master DC, 220
Schema partition, 202
Scripts
  computer accounts, creating, 167
  eased by Web Enrollment, 451–452
  groups, creating, 176
  logon, 145
  role deployment, 9, 55
  user accounts, creating, 157–158
  Windows PowerShell, 537
Searching Global Catalog (GC), 212–214
Secondary zones, 79
Secret key agreement, 466
Secret key encryption, 453
Secure Dynamic Updates, 81
Security groups, 170
Security options, 411–415
Security principals, 276
Server Backup, Windows. See Windows Server Backup
Server Core
  32-bit and 64-bit editions, 55
  description, 3, 10–12
  DHCP (Dynamic Host Configuration Protocol), 100–102
  directory services role, configuring, 12–15
  DNS (Domain Name System), 76–79
  WINS (Windows Internet Naming Service), 111–112
Server Manager
  description, 3
  features, 5
  implementing roles, 39
  role deployment, 55
Services, monitoring, 598
Services logs, 606
Settings, Microsoft default, 421
Shamir, Adi, 453
Shared secret key cryptography, 454
Shortcut trusts, 267, 274–275, 281
SIDs (Security Identifiers)
  filtering, 275–276, 282
  RID Masters, 221
Signatures, digital, 464–465, 526
Site link bridges, 259–260
Site links, transitive, 259–260, 283
Sites
  associating subnets with, 247–249
  creating, 238–242
  creating links, 249–252
  description, 233–235
  domains, relationship with, 234–235
  link costs, 252–254
  planning, 237–242
  renaming, 242–243, 283
  servers, 282–283
  subnets, 236
Slash notation, 244–245
Smart cards, 140, 479, 514, 527–528
SMTP replication, 261–262
Software, redeploying, 370–371, 437
Software configuration and Group Policies
  assigning to computers, 368–369
  assigning to users, 364–368
  deployment, 358, 437
  installation overview, 358–361
  maintenance, 370–375
  publishing to users, 361–364
  redeploying, 370–371, 437
  removing, 375–378, 437
  software distribution point recommendations, 359, 437
  upgrading, 371–375
Software distribution point recommendations, 359, 437
Standard CAs (certification authorities), 482–483
Starter GPOs
  backing up, 638
  description, 341–342, 348
  enabling, 342–345
  not included in GPOs backup, 579
State data, backing up, 551–554, 637
Static entries in LMHOSTS files, 110–111
Storage allocation for Active Directory, 590–591
Stream symmetric algorithms, 453
Stub zones, 79–81
Subnets
  associating with sites, 247–249
  description, 233, 236
  masks and slash notation, 244–245
Subordinate CAs (certification authorities), 483–484
Subscriptions in Event Viewer, 607–611
Suffixes, domain, 66–67, 117
Symmetric algorithms, types of, 453
Symmetric key cryptography, 453
System access control list (SACL), 401
System Center Configuration Manager, 81
System state data
  backing up, 551–554, 637
  recovering, 557–558
T
Tape, backing up to, 637
Task Manager
  applications, 596–597
  description, 594–596
  networking, 599–600
  performance, 598–599
  processes, 597
  services, 598
  users, 601
Tasks, delegating, 177–183, 191
Technologies, application-push, 81
Templates, GPO, Administrative, 335–337
Templates, GPO, Security, 335–337, 337–341
Templates for user accounts, 158–159
Temporary user profiles, 145
Terminal Service profile, 154
Three-hop rule of intrasite replication, 258
Thumb drives, backing up to, 548, 637
Topology, replication, 262–263
Transferring zones, 82–83, 91
Transitive site links, 259–260, 283
Travel and EFS (Encrypting File System), 526
Trees
  description, 199
Troubleshooting replication, 264–266
Trust relationships
  default trusts, 272
  description, 198–199, 266–271
  direction and transitivity, 267
  external trusts, 267, 273–274, 281
  forest trusts, 272–273
  implicit or explicit trusts, 271, 282
  implied trusts, 282
  incoming or outgoing trusts, 270
  nontransitive trusts, 268
  one-way trusts, 269–270
  realm trusts, 281
  shortcut trusts, 267, 274–275, 281
  transitive trusts, 268–269
  two-way trusts, 267–269
Trusted third parties (TTPs), 446
Two-way trusts, 267–269
U
Universal Group
  caching, 218–220
  membership, maintaining, 215
  membership information, 214
  replication impact, 171
Updates, Secure Dynamic, 81
Upgrading software, 371–375
UPNs (user principal names)
  authenticating, 212
  configuring, 159–160
USB-based flash drives, backing up to, 548, 637
User accounts
  administrator account, built-in, 130, 189
  creating by scripts, 157–158
  creating by Users and Computers console, 133–136
  description, 129
  desktop settings, 189
  domain and local, 189
  guest account, built-in, 131
  management actions, 156–157
  mandatory profiles, 189
  modifying, 136–156
  monitoring, 601
  restricting, 439
  rules and practices, 131–132
  templates for, 158–159
  types, 129–130
  See also Passwords
User certificates
  autoenrollment, 527
  description, 479
  types of, 513–514
User configuration in GPOs, 307–308
User principal names. See UPNs (user principal names)
Users and Computers administration tool, 126–129
  ADSIEdit.msc graphical console, 189
  profiles, 144–145
  PSO, applying users and groups to, 394–397
  See also Computer accounts
Users and Computers console
  creating user accounts, 133–136
  managing user accounts, 156–157
  modifying user accounts, 136–156
V
Validity period of certificates, 527, 528
Versioning of certificate templates, 520–521
Views, custom, in Event Viewer, 602–605
Vista digital rights management (DRM), 29–30, 54
Volume Shadow Copy Service (VSS), 551
W
wbadmin.exe command, 547–548, 551
WBS Wizard, 551
Web Enrollment, 451–452
Windows File Protection (WFP), 551
Windows installer (MSI) files, 378
Windows Internet Naming Service (WINS). See WINS (Windows Internet Naming Service)
Windows logs, 605
Windows Management Instrumentation (WMI) filtering, 304–305, 330–331
Windows PowerShell, 537
Windows Reliability and Performance Monitor
  Data Collector Sets, 629–631
  description, 623–624, 638
  Performance Monitor, 625–627
  Reliability Monitor, 627–629
  reports, 631–632
  Resource Overview screen, 624–625
Windows Resource Protection (WRP), 551
Windows Server 2003 Active Directory Application Mode (ADAM), 2, 23
Windows Server 2008, new roles in, 23
Windows Server Backup
  critical volumes, backing up, 556–557
  destination disk, labeling, 545
  installing, 535–540
  removable media, 548–551
  scheduling, 540–548
  tape, 637
  wbadmin.exe command, 547–548
Windows System Resource Manager (WSRM), 621–623
WINS (Windows Internet Naming Service)
  automatic partner configuration, 105–106
  configuration, 103–105, 111, 112–113
  description, 62
  DNS (Domain Name System), 112–113
  GlobalNames zone, 91–93, 117
  installation, 111
  phasing out, 91
  pull partnerships, 107
  push partnerships, 106–107
  push/pull partnerships, 108
  replication, 105–110
  Server Core, 111–112
  static entries in LMHOSTS files, 110–111
Wizards
  Add Role Wizard, 68
  Delegation of Control Wizard, 178–183
  Group Policy Modeling Wizard, 327–330
  Group Policy Results Wizard, 323–325
  New Zone Wizard, 83–85
  WBS Wizard, 551
WMI (Windows Management Instrumentation) filtering, 304–305, 330–331
WRP (Windows Resource Protection), 551
WSRM (Windows System Resource Manager), 621–623
Z
Zones
  configuring in DNS, 79–82
  configuring resolution of, 91
  creating, 83–85
  transferring, 82–83, 91