Page 1: 6432AF-En Managing and Maintaining Windows Server 2008 Active Directory Servers-TrainerManual

OFFICIAL MICROSOFT LEARNING PRODUCT

6432A Managing and Maintaining Windows Server® 2008 Active Directory® Servers

Be sure to access the extended learning content on your Course CD enclosed on the back cover of the book.

ii Managing and Maintaining Windows Server® 2008 Active Directory® Servers

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Technical Reviewer: Brian Stockbrugger

Product Number: 3690

Part Number: X14-94971

Released: 5/2008

MICROSOFT LICENSE TERMS

OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION – Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft

• updates,

• supplements,

• Internet-based services, and

• support services

for this Licensed Content, unless other terms accompany those items. If so, those terms apply.

By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content.

If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. “Academic Materials” means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.

b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.

c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or “MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.

d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.

e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or analog device.

f. “Licensed Content” means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.

g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.

h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.

i. “Student Content” means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.

j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.

k. “Trainer Content” means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.

l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

m. “Virtual Machine” means a virtualized computing experience, created and accessed using Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.

2. OVERVIEW.

Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media.

License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.

3. INSTALLATION AND USE RIGHTS.

a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:

i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR

ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.

iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (i) or (ii) above during such Authorized Training Session in accordance with these license terms.

iv. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.

v. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.

b. Trainers:

i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.

ii. Trainers may also Use a copy of the Licensed Content as follows:

A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.

B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.

4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.

c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.

i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.

ii. Survival. Your duty to protect confidential information survives this agreement.

iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that

• becomes publicly known through no wrongful act;

• you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or

• you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first (“beta term”).

e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.

f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.

a. Authorized Learning Centers and Trainers:

i. Software.

Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.

A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply:

Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.

B. If the Virtual Hard Disks require a product key to launch, then these terms apply:

Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.

C. These terms apply to all Virtual Machines and Virtual Hard Disks:

You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements:

o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.

o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.

o You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.

o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.

o You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.

o You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.

o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.

ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.

iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.

iv. Evaluation Software. Any Software that is included in the Student Content designated as “Evaluation Software” may be used by Students solely for their personal training outside of the Authorized Training Session.

b. Trainers Only:

i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.

ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.

iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:

• The use of the Academic Materials will be only for your personal reference or training use

• You will not republish or post the Academic Materials on any network computer or broadcast in any media;

• You will include the Academic Material’s original copyright notice, or a copyright notice to Microsoft’s benefit in the format provided below:

Form of Notice:

© 2008 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved.

Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else’s use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.

7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not

• install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;

• allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;

• copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;

• disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft’s prior written approval;

• work around any technical limitations in the Licensed Content;

• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;

• make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;

• publish the Licensed Content for others to copy;

• transfer the Licensed Content, in whole or in part, to a third party;

• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;

• rent, lease or lend the Licensed Content; or

• use the Licensed Content for commercial hosting services or general business purposes.

• Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.

8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as “NFR” or “Not for Resale.”

10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as “Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.

11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.

16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to

• anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and

• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

DISCLAIMER OF WARRANTY. The Licensed Content is offered “as is”. Any use of this Licensed Content is at your sole risk. Microsoft grants no other express warranty. You may benefit from additional rights under local consumer protection law, which this agreement cannot modify. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Microsoft and its suppliers compensation for direct damages only, up to US $5.00. You cannot claim any compensation for other damages, including special, indirect or incidental damages and lost profits.

This limitation applies to:

• anything related to the Licensed Content, services or content (including code) on third-party Internet sites or in third-party programs; and

• claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.


Contents

Module 1: Managing an Active Directory Server Lifecycle

Lesson 1: Planning an Active Directory Server Deployment 1-3

Lesson 2: Using Active Directory Server Deployment Technologies 1-9

Lesson 3: Adding AD DS Server Roles 1-17

Lesson 4: Removing AD DS Server Roles 1-25

Lab: Managing and Maintaining a Windows Server 2008 Domain Controller 1-29

Module 2: Creating Baselines for Active Directory Servers

Lesson 1: Baseline Methodologies for Active Directory Servers 2-3

Lesson 2: WRPM Overview 2-10

Lesson 3: Using Metrics to Create Baselines for Active Directory Servers 2-16

Lab: Creating Baselines for Active Directory Servers 2-24

Module 3: Monitoring the System Health of Active Directory Servers

Lesson 1: System Health Overview 3-3

Lesson 2: Using Long-Term Monitoring to Identify Trends 3-7

Lesson 3: Setting Thresholds and Alerts for Short-Term Monitoring 3-11

Lesson 4: Choosing the Appropriate Windows Server 2008 Monitoring Tools 3-17

Lab: Monitoring the Active Directory Server Roles 3-27

Module 4: Managing Active Directory Domain Services

Lesson 1: Restarting and Restoring Active Directory 4-3

Lesson 2: FSMO Roles Overview 4-6

Lesson 3: Planning Sites and Replication 4-13

Lesson 4: Managing RODCs 4-17

Lesson 5: Methods for Managing Server Core 4-21

Lesson 6: Best Practices for GPOs and Links 4-26

Lesson 7: Delegating the Active Directory Administration 4-34

Lab: Managing AD DS 4-39


Module 5: Maintaining Security for Active Directory Servers

Lesson 1: Server Hardening Techniques 5-3

Lesson 2: Using the MBSA to Discover and Remove Security Holes 5-9

Lesson 3: Using Fine-Grained Password Policies to Simplify Network Organization 5-14

Lesson 4: Planning Security Auditing 5-20

Lesson 5: Enhancing Physical Security 5-23

Lab: Maintaining Security for the Active Directory Servers 5-28

Module 6: Managing Active Directory Service Roles

Lesson 1: Using Windows Server 2008 Tools for AD CS 6-3

Lesson 2: Implementing AD LDS 6-8

Lesson 3: AD FS Overview 6-12

Lesson 4: AD RMS Overview 6-18

Lab: Managing Active Directory Service Roles 6-23


About This Course xiv

About This Course This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description This course provides you with the knowledge and skills to manage and maintain Windows Server® 2008 Active Directory® servers. The course focuses on the Active Directory server lifecycle by creating baselines, monitoring system health, and maintaining security. The course also focuses on managing Active Directory Domain Services (AD DS) and Active Directory service roles.

Audience

This course is intended for Server Administrators who are familiar with Microsoft® Windows Server 2008 and who are, or will be, responsible for the daily management and maintenance of Windows Server 2008 Active Directory servers. It is also intended for IT professionals who could benefit from acquiring the skills required by a Windows Server 2008 Active Directory Server Administrator, such as a Server Administrator who is responsible for network application servers and works closely with the Active Directory Server Administrator, or an Enterprise Administrator who wants to understand the operational requirements of Windows Server 2008 Active Directory Servers before designing a network server infrastructure.

Student Prerequisites

This course requires that you meet the following prerequisites:

• 6424 Fundamentals of Windows Server® 2008 Active Directory®

• 6425 Configuring Windows Server® 2008 Active Directory® Domain Services

• 6426 Configuring Identity and Access Solutions with Windows Server® 2008 Active Directory®

• 6430 Managing and Maintaining Windows Server® 2008 Servers

Course Objectives

After completing this course, students will be able to:

• Plan and identify different approaches to Active Directory server deployment.

• Add and remove the AD DS server role.


• Identify strategies for developing, monitoring, and reviewing baselines.

• Create baselines for different Active Directory roles with the appropriate metrics using the Windows Reliability and Performance Monitor (WRPM).

• Create and evaluate a monitoring plan based on business needs and environments.

• Determine the health of Active Directory servers using performance monitoring and event log triggers.

• Configure effective alerts and responses as well as evaluate alternative recommendations for AD DS servers to meet a business goal.

• Describe and implement the methodology of maintaining Windows Server 2008 AD DS.

• Perform AD DS maintenance and administrative tasks.

• Explain and deploy proven methods to harden the Active Directory servers.

• Decide which Windows Server 2008 security features can address a given business situation.

• Add server roles to a Windows Server 2008 network.

• Deploy and operate an Active Directory Lightweight Directory Services (AD LDS) server role.

Course Outline

This section provides an outline of the course:

Module 1, "Managing an Active Directory® Server Lifecycle" explains how to support and maintain Active Directory servers to meet changing business requirements in an enterprise environment.

Module 2, "Creating Baselines for Active Directory® Servers" explains how to create baselines using the WRPM and through analysis, make decisions to improve server performance.

Module 3, "Monitoring the System Health of Active Directory® Servers" explains how to create and evaluate a monitoring plan based on business needs and environments. It also explains how to determine the health of Active Directory servers using performance monitoring and event log triggers.

Module 4, "Managing Active Directory® Domain Services" explains how to implement the methodology of maintaining Windows Server 2008 AD DS.


Module 5, "Maintaining Security for Active Directory® Servers" explains how to deploy proven methods to harden the Active Directory servers.

Module 6, "Managing Active Directory® Service Roles" explains how to add non-AD DS roles to a Windows Server 2008 network and manage those roles with the supplied tools.

Course Materials

The following materials are included with your kit:

• Course Handbook. The Course Handbook contains the material covered in class. It is meant to be used in conjunction with the Course CD.

• Course CD. The Course CD contains a Web page that provides you with links to resources pertaining to this course, including lab exercise answer keys, lab virtual machine build guide, and categorized resources and Web links.

Note: To open the Web page, insert the Course CD into the CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.

• Course evaluation. At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send e-mail to [email protected].

Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration

In this course, you will use Microsoft Lab Launcher to perform the labs.

Important: In order to save time booting and logging in to the virtual machines, the lab directions will advise you to leave the virtual machines running throughout the course of each day. At the end of each day, you should close each virtual machine and save any changes. To close a virtual machine and save the changes, simply shut down the VM as you would any physical machine, via the Start menu. Do not click the Reset or Reset All buttons unless advised to do so by your instructor.

The following table shows the role of each virtual machine used in this course:

Virtual machine Role

NYC-DC1 Domain controller

NYC-SVR1 Member server (initially; will be promoted to DC)

Software Configuration

The Windows Server 2008 software is installed on each virtual machine.

Course Files

There are files associated with the labs in this course. The lab files are located in the folder E:\Labfiles on the student computers.

Classroom Setup

Each classroom computer will have the same virtual machines configured in the same way. The computers do not need to be networked, as each one is self-contained. The room layout is up to the instructor, but a "U" shaped seating arrangement may be more convenient for the lab discussion exercises.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.

This course requires that student computers meet or exceed hardware level 5.5, which specifies a 2.4-gigahertz (GHz) (minimum) Pentium 4 or equivalent CPU, 2 7200-rpm or faster hard disks with 40 gigabytes (GB) or more capacity, at least 2 gigabytes (GB) of RAM, and at least 16 megabytes (MB) of video RAM.

Managing an Active Directory® Server Lifecycle 1-1

Module 1: Managing an Active Directory® Server Lifecycle

Contents:

Lesson 1: Planning an Active Directory Server Deployment 1-3

Lesson 2: Using Active Directory Server Deployment Technologies 1-9

Lesson 3: Adding AD DS Server Roles 1-17

Lesson 4: Removing AD DS Server Roles 1-25

Lab: Managing and Maintaining a Windows Server 2008 Domain Controller 1-29


Module Overview

Planning for and managing an Active Directory lifecycle involves server deployment, role installation, and role removal. This module describes these steps with an emphasis on new capabilities in Windows Server® 2008.


Lesson 1 Planning an Active Directory Server Deployment

When you plan to deploy Active Directory servers that are running Windows Server 2008, you must contemplate hardware requirements, version differences, and whether to upgrade existing systems or perform "clean" installs. Two new features of Windows Server 2008, Read-Only Domain Controllers (RODCs) and Windows® Server Core, provide more topics to think about during Active Directory planning.


Server Deployment Issues: Base Hardware

Key Points

You can license Windows Server 2008 with Hyper-V or without it (the products have different SKUs), although the cost savings are minimal for the non-Hyper-V versions.

Minimum hardware requirements for Windows Server 2008 (x86) are higher than for Microsoft® Windows Server 2003:

• 1 GHz processor (32-bit), Standard edition

• 1.4 GHz processor (64-bit), Standard edition

• Minimum of 512MB RAM

• Minimum of 10GB free disk space

Web Server edition is now available in a 64-bit version.

For more information, refer to the Compare Technical Features and Specifications chart on the Microsoft Windows Server 2008 Web site.


Server Deployment Issues: Edition Differences

Key Points

"CPUs" in the above slide refers to CPU sockets, not necessarily CPU cores.

Here is some additional information on specific editions:

• A Web Edition server cannot run Active Directory Domain Services (AD DS).

• The Enterprise Edition also provides rights to use four virtual instances of the product.

• The Datacenter Edition provides unlimited rights to run virtual instances.

• An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-based systems.

All editions provide for two simultaneous Remote Desktop connections.

For more information, refer to the Compare Technical Features and Specifications chart on the Microsoft Windows Server 2008 Web site.


Server Deployment Issues: Upgrade vs. Clean Install

Key Points

Because of the changes Microsoft has made to the upgrade process, you can expect fewer differences in terms of NTFS and Registry security than in upgrades to earlier versions of Windows.

The new in-place upgrade is basically an export -- clean parallel install -- import operation. Traditional cautions against performing an in-place upgrade are therefore less valid when upgrading to Windows Server 2008.

If you perform an upgrade, you can view the log files setuperr.log and setupact.log in the folder c:\windows\panther, to see any errors that might have been encountered.

For more information, refer to the Application Considerations When Upgrading to Windows Server 2008 article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Deploying RODC vs. Writeable Domain Controllers

Key Points

The RODC option presents itself when running the AD DS Installation Wizard.

RODC may also run read-only DNS.

An RODC never caches administrative credentials; it caches only the credentials of the branch-office users it is configured to serve.

RODC is conceptually similar to the Backup Domain Controller in Windows NT® Server.

For more information, refer to the AD DS: Read-Only Domain Controllers article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Deploying Windows Server Core as an Active Directory Server

Key Points

Windows Server Core can run Internet Information Services (IIS), even though this capability was not present in the beta product. It can also run DHCP and DNS, and act as a file or print server.

Server Core has appeal because of lower hardware requirements, lower attack surface, lower administrative overhead, and anticipated higher reliability.

Generally, Server Core is manageable remotely using standard MMC snap-ins. However, as the reference document cited below points out, you might need to enable some firewall rules (and perform other steps as well) to permit such remote management.

For more information, refer to the Server Core blog on the Microsoft TechNet Web site.


Lesson 2 Using Active Directory Server Deployment Technologies

You can deploy Active Directory servers in your organization in several different ways. This lesson is designed to make you think about the best method or methods for your organization.


Active Directory Server Deployment: Local Installation

Key Points

You have various options for deploying an Active Directory server locally:

• Install by booting a Windows Server 2008 DVD.

• Install by booting to a custom-created DVD running WinPE and using your own image files created with the Windows Automated Installation Kit (WAIK).

• Install by booting to an external USB hard drive, configured as above. These devices are often significantly faster than optical drives.

• Modify any of the above by creating an answer file in the System Image Manager (SIM) provided in the WAIK.

After the operating system is installed, if you are installing AD DS, you can script the AD DS Installation Wizard, bypassing the interactive prompts. Here is an example from TechNet:

dcpromo /unattend /InstallDns:yes /confirmGC:yes /replicaorNewDomain:replica /databasePath:"e:\ntds" /logPath:"e:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:FH#3573.cK /rebootOnCompletion:yes


Another similar method is to create an answer file and then call that file from dcpromo via the /unattend parameter. The options are similar to the command-line prompt given above.
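As an added example (not from the course or from TechNet), the following answer file covers the scenario used in this module's lab: promoting NYC-SVR1 as a Read-Only Domain Controller in WoodgroveBank.com, replicating from NYC-DC1 over the network, with the NYC_BranchManagersGG group delegated as RODC administrator. The key names mirror the command-line switches above; the site name, the paths, and the ReadOnlyReplica value and DelegatedAdmin key are assumptions to check against the TechNet parameter reference for your build, and both passwords are placeholders.

```ini
; Constructed example: dcpromo answer file for promoting NYC-SVR1 to an RODC.
; Invoke with:  dcpromo /unattend:C:\Deploy\rodc-nyc-svr1.txt
; The [DCInstall] section header is required; comment lines are part of this
; illustration and can be dropped if your dcpromo build rejects them.
[DCInstall]
; Assumed value: ReadOnlyReplica selects an RODC (the command line above
; uses Replica for a writeable domain controller).
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=WoodgroveBank.com
; Assumed site name; use the branch office's site if one has been created.
SiteName=Default-First-Site-Name
; Replicate over the network from the headquarters DC rather than from IFM media.
ReplicationSourceDC=NYC-DC1.WoodgroveBank.com
; The new DC is also a DNS server and a Global Catalog server.
InstallDNS=Yes
ConfirmGc=Yes
; Assumed key: group allowed to administer this RODC locally, so that branch
; staff never need domain-administrator rights.
DelegatedAdmin="WOODGROVEBANK\NYC_BranchManagersGG"
; Domain credentials used for the promotion. Password=* makes dcpromo prompt
; at run time instead of storing the password in this file.
UserDomain=WoodgroveBank.com
UserName=Administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Directory Services Restore Mode password. PLACEHOLDER: use a unique, strong
; value per DC, and delete this file once promotion completes, because the
; value is stored in clear text.
SafeModeAdminPassword=<PLACEHOLDER_DSRM_PASSWORD>
RebootOnCompletion=Yes
```

Keep the file on local, access-controlled storage rather than a shared distribution point, since anyone who reads it before promotion learns the DSRM password.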


Active Directory Server Deployment: Network Installation

Key Points

If you choose to use a network-based installation method for Windows Server 2008, you again have several options:

• Create a distribution point on the network to which you connect from the target machine and then run an interactive install.

• Automate the distribution of Windows Server 2008 images over the network with Windows Deployment Services (WDS) (see the next slide for details).

• Modify the above methods with an answer file created in the SIM provided in the WAIK.

Windows Server 2008 images are likely to be much larger than Windows Server 2003 images, so their effect on network traffic is likely to be bigger.


Active Directory Server Deployment: Windows Deployment Services Installation

Key Points

A boot image is an image that you use to start a computer onto which you intend to install an operating system. An install image is an image containing the operating system you want to install, plus any other applications you want to bundle into the image.

The feature set between WDS on Windows Server 2003 and WDS on Windows Server 2008 is not identical. For example, WDS on Windows Server 2008 includes the ability to network-boot 64-bit machines with Extensible Firmware Interface (EFI).

WDS can perform multicast transmissions so you can perform multiple deployments concurrently.

Plan to do performance testing before deploying large numbers of images with WDS. Windows Server 2008 and Windows Vista® images, in particular, are substantially larger than Windows Server 2003 and Windows XP images.


For more information, refer to the Windows Deployment Services article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Active Directory Server Deployment: Installation from Backup

Key Points

The main benefit of installing from backup is speed. If you are deploying only a few AD DS servers, this technique might not be as advantageous as when you are deploying many AD DS servers.

You can create a backup of relevant domain information from an existing domain controller using NTDSUTIL (no longer by backing up the system state, as in Windows Server 2003) and use that to build the new domain controller.

An acronym you might see in this connection is IFM, which stands for Install From Media.

You must select the Advanced Mode check box at the start of the AD DS Installation Wizard (dcpromo) to see this option.


Using SMS for Active Directory Deployment

Key Points

The successor to Systems Management Server (SMS) 2003 is System Center Configuration Manager 2007. Software distribution functions very similarly in both products.

SMS 2003 and System Center Configuration Manager 2007 are built on a Microsoft SQL Server database that facilitates inventory management.

You can use these products to deploy both server and client versions of Windows.

You can obtain an evaluation version of System Center Configuration Manager 2007 on the Microsoft Web site. Unlike with SMS 2003, the evaluation version is upgradeable to the paid version.

For more information, refer to the Overview of Operating System Deployment article on the Microsoft TechNet, System Center Configuration Manager TechCenter Web site.


Lesson 3 Adding AD DS Server Roles

The new Server Manager console carries with it new terminology. Roles are collections of related functionality; AD DS is a role. Features, such as BitLocker™, are capabilities that do not map to a single role. Proper understanding of roles and features is essential to configuring and reconfiguring Active Directory servers.


Defining Active Directory Roles

Key Points

You can add an AD DS role using the various methods described in this module. However, the actual promotion of a server to become a domain controller does not occur until you run the DCPROMO tool.

If you do not add the AD DS role first (using Server Manager, for example), the necessary binaries are installed for you when you run DCPROMO. Unlike Windows Server 2003, Windows Server 2008 does not have the binaries for the role present by default.

For more information, refer to the Active Directory Domain Services, Active Directory Lightweight Directory Services, Active Directory Rights Management Services, Active Directory Certificate Services, and Active Directory Federation Services Web pages on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Planning for Combining Roles

Key Points

Another potential advantage to splitting roles out onto different servers is that downtime (whether planned or unplanned) on one server has less impact on the overall role availability.

As you look at the various technical and administrative issues associated with combining and/or segregating roles on physical servers, consider the potential benefits of server consolidation through the use of virtualization.

Windows Server 2008 with Hyper-V is designed to provide the best of both worlds: the cost savings of a smaller number of physical machines, and the administrative and reliability benefits of single-purpose servers.

Having said that, you should still consider the impact of hardware failure on a physical computer that is hosting multiple virtual machines and plan for that contingency if you move towards server consolidation through virtualization.


Method Selection Criteria for Adding Server Roles

Key Points

Adding and removing server roles is a major operation and should be performed by knowledgeable staff.

Windows Server 2008 does not offer the ability to create a restore point such as you can create in Windows Vista. However, you can use Windows Server Backup to back up your operating system files in case a role installation goes wrong.

Some network administrators choose to disable the Initial Configuration Tasks (ICT) console because it offers no options that are not also available via Server Manager.

For more information, refer to the Step-by-Step Guide for Windows Server Backup in Windows Server 2008 article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Demonstration: Using Different Methods to Add Server Roles: Server Manager

Question: Do you think that the GUI method or the command-line method puts the administrator at greater risk of making a mistake?


Using Different Methods to Add Server Roles: Remote MMC

Key Points

Because Server Manager is the main MMC snap-in to add (and remove) roles, and because it is not remote-enabled, you can consider running it via a Remote Desktop session.

You can also execute the Server Manager's command-line version remotely, via Remote Desktop or other methods. Some of these are presented in the next topic.

After a role has been added to a Windows Server 2008 system, you can generally manage it by using the remote functionality of the associated MMC snap-in, as described in the slide.

You can manage roles remotely even if the underlying service is not installed by using Remote Server Administration Tools (RSAT), which is a feature in the Server Manager language of "roles" and "features."


Using Different Methods to Add Server Roles: Other Remote Access Tools

Key Points

The client component of WinRM is Windows Remote Shell (WinRS).

WMI is Microsoft's implementation of Web-Based Enterprise Management (WBEM), present in Windows since Windows 2000.

RemoteApp is a new feature of Terminal Services whereby a single application can be remoted instead of an entire desktop.

For more information, refer to the following articles: Windows Remote Management on the MSDN® Library Web site; WMI - Windows Management Instrumentation on the Windows Hardware Developer Central Web site; and Terminal Services RemoteApp (TSRemoteApp) on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Verifying Server Roles

Key Points

The OCLIST command (with no qualifiers) on a Server Core system lists both installed and uninstalled roles and features.

Another way you could verify the addition of a role would be to look in the Registry for relevant keys and values. However, it is a good practice to avoid REGEDIT if easier and safer methods exist.

Specific techniques also exist for particular roles. For example, one way to verify that the AD DS role has been installed would be to try to log on to the server with local account credentials. Domain controllers do not permit the use of local accounts to log on.


Lesson 4 Removing AD DS Server Roles

You can decommission an AD DS server from the GUI or the command line, and basically use the same methods as for installing an AD DS server. You might need to decommission an AD DS server, for example, if your organization needs to shuffle server resources towards a more performance-critical task.


Removing Server Roles via the GUI

Key Points

Component-Based Servicing is the system Microsoft uses to identify interdependencies between roles and features, and the "role services" required to support a given role. These dependency checks were limited in the older Add or Remove Windows Components control panel.

This architecture helps ensure that you do not accidentally remove a role or role service that is still required by the remaining roles on the server.

Removing a role via Server Manager is generally simpler than adding a role, because you will see fewer (if any) configuration options.

You can remove multiple roles in a single operation.


Removing Server Roles via the Command-Line Tool

Key Points

Demoting a domain controller with DCPROMO does not remove the AD DS binaries.

Question: When might you consider using SERVERMANAGERCMD.EXE versus the MMC console?


Verifying Removed Roles

Key Points

As with verifying newly added roles, the OCLIST command on a Server Core system lists both installed and uninstalled roles and features.

Do not use the presence or absence of Registry entries as authoritative evidence that a role has been successfully removed. Some keys might remain in the Registry even after the successful removal of an Active Directory role.


Lab: Managing and Maintaining a Windows Server 2008 Domain Controller

Exercise 1: Evaluating the Need for AD DS Promotion

Scenario

Woodgrove Bank's IT administrators have noticed slow logons at its branch office, where it has deployed a server named NYC-SVR1. The branch office, which is two miles away from the main New York headquarters, connects to the headquarters location over a busy, shared T-1 connection. At the corporate headquarters, NYC-DC1 acts as a domain controller and DNS server for the WoodgroveBank.com domain. The branch office is closed Friday afternoons and all day Saturday and Sunday. It is managed by a medium-sized staff, none of whom have had any server training.

Exercise Overview

In this exercise, you will create a plan to add the AD DS role to NYC-SVR1.

Task: Create a plan to add the AD DS role to NYC-SVR1

• Create a plan to add the AD DS role to NYC-SVR1. The plan should consider the following elements:


• Whether NYC-SVR1 should become a writeable domain controller or a RODC.

• When to perform the promotion of NYC-SVR1.

• Whether to perform the promotion through a remote desktop connection, on site, by telephone, or by sending e-mail instructions to the local liaison.

• Use the space below to write the key points of the plan.


Results: After this exercise, you should have a plan to promote NYC-SVR1 to be an AD DS domain controller.


Exercise 2: Meeting the Need by Adding a Role

Exercise Overview In this exercise, you will implement the plan to add the AD DS role to NYC-SVR1.

The main tasks for this exercise are as follows:

1. Start NYC-DC1 and NYC-SVR1.

2. Check the installed roles on NYC-SVR1.

3. Run DCPROMO on NYC-SVR1.

4. Verify successful promotion.

Task 1: Start NYC-DC1 and NYC-SVR1

• Using the Lab Launcher tool, start NYC-DC1 and log on as WoodgroveBank\Administrator with the password of Pa$$w0rd.

• Verify that the forest functional level is at least Windows Server 2003, the minimum required to support RODCs. Use Active Directory Domains and Trusts.

• Start NYC-SVR1 and log on as LocalAdmin with the password of Pa$$w0rd.

Task 2: Check the installed roles on NYC-SVR1 The Server Manager console should come up automatically. Expand the Roles node and view the installed roles. (If AD DS were already installed, you would need to re-evaluate your plan.)

Task 3: Run DCPROMO on NYC-SVR1 • On NYC-SVR1, open an administrative command prompt.

• Ping NYC-DC1 to make sure you can see it on the same virtual network.

• Run DCPROMO to start the AD DS Installation Wizard in advanced mode. You will be adding a domain controller to an existing domain in the same site. The new domain controller will also be a DNS server, a Global Catalog server, and a RODC.


• When warned about static IP assignments, modify network connections to disable IPv6.

• Complete the following steps in the wizard:

  • Delegation of RODC Installation and Administration dialog box:

    • Add the group NYC_BranchManagersGG

    • Verify your spelling before continuing

  • Install from Media dialog box: Select Replicate data over the network from an existing domain controller

  • Location for Database, Log Files, and SYSVOL dialog box: Leave all the default settings

  • Directory Services Restore Mode Administrator Password dialog box: Type Pa$$w0rd as the password

• The promotion and replication are a lengthy process, so this would be a good time to take a break. When the wizard reports that it has finished, restart NYC-SVR1, and log on as the administrator of the WoodgroveBank domain.

Task 4: Verify successful promotion

• Navigate to NYC-DC1. In Server Manager, navigate to Active Directory Users and Computers.

• Open the Domain Controllers organizational unit. Do you see NYC-SVR1? What type of server is it?

Results: After this exercise, you should have a new RODC in the form of NYC-SVR1. This should help alleviate the problem of slow logons in the branch office.
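The promotion in Tasks 1 to 3 done unattended, as an added example that is not part of the course material: the answer file mirrors the wizard choices above (RODC, DNS, Global Catalog, delegated group, replicate over the network, default paths), preceded by the Task 1 and Task 2 checks. Assumed: the lab names from the exercise, the answer-file location, and the servermanagercmd -query output format used for the installed-role check.

```powershell
# Added example (not from the course). Run in an elevated PowerShell prompt on NYC-SVR1.
# Assumes the lab names used in the exercise: NYC-DC1 (replication source),
# WoodgroveBank.com, and the delegated group NYC_BranchManagersGG.
$SourceDc   = 'NYC-DC1'
$DomainDn   = 'DC=WoodgroveBank,DC=com'
$AnswerFile = Join-Path $env:TEMP 'rodc-unattend.txt'   # assumed location

# Task 1 check: an RODC needs a forest functional level of at least Windows Server 2003.
# msDS-Behavior-Version on CN=Partitions: 0 = 2000, 1 = 2003 interim, 2 = 2003, 3 = 2008.
function Test-ForestLevelForRodc {
    param([string]$Dc, [string]$Dn)
    $partitions = [ADSI]"LDAP://$Dc/CN=Partitions,CN=Configuration,$Dn"
    $level = [int]$partitions.psbase.Properties['msDS-Behavior-Version'].Value
    return ($level -ge 2)
}

# Task 2 check: re-evaluate the plan if AD DS is already installed on this server.
# Assumes the 'servermanagercmd -query' line format "[X] ... [AD-Domain-Services]".
function Test-AdDsAlreadyInstalled {
    $line = servermanagercmd -query | Select-String -SimpleMatch '[AD-Domain-Services]' | Select-Object -First 1
    return ($line -ne $null -and $line.Line -match '\[X\]')
}

# Task 3 check: the source domain controller must be reachable on the virtual network.
function Test-SourceDcReachable {
    param([string]$Dc)
    ping -n 2 $Dc | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# The wizard choices from Task 3 as a dcpromo answer file. Single-quoted here-string,
# so the $$ in the DSRM password is written literally.
$Unattend = @'
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=WoodgroveBank.com
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
ReplicationSourceDC=NYC-DC1.WoodgroveBank.com
DelegatedAdmin=WoodgroveBank\NYC_BranchManagersGG
UserDomain=WoodgroveBank.com
UserName=Administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=Pa$$w0rd
RebootOnCompletion=Yes
'@

if (-not (Test-ForestLevelForRodc $SourceDc $DomainDn)) {
    throw 'Forest functional level is below Windows Server 2003; an RODC cannot be added.'
}
if (Test-AdDsAlreadyInstalled) { throw 'AD DS is already installed on this server; re-evaluate the plan.' }
if (-not (Test-SourceDcReachable $SourceDc)) { throw "$SourceDc is not reachable on the network." }

Set-Content -Path $AnswerFile -Value $Unattend
# Password=* makes dcpromo prompt for the domain credentials instead of storing them.
dcpromo /unattend:"$AnswerFile"
# Delete the answer file once the promotion has succeeded: it holds the DSRM password.
```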


Exercise 3: Managing a Change Request for an RODC by Using the Command Line

Exercise Overview In this exercise, you will update the configuration of the new RODC through a domain controller change and forced replication. The updated configuration consists of a new organizational unit, Federal Auditors, that is added to the domain WoodgroveBank.com. Senior management wants to ensure that the new organizational unit replicates to the NYC-SVR1 RODC immediately.

The main tasks for this exercise are as follows:

1. Add the new organizational unit on NYC-DC1.

2. Replicate the change to NYC-SVR1.

Task 1: Add the new organizational unit on NYC-DC1 In Server Manager, use Active Directory Users and Computers to add the FederalAuditors organizational unit.

Task 2: Replicate the change to NYC-SVR1

• In Server Manager (still on NYC-DC1), navigate to Active Directory Sites and Services, and expand the Default-First-Site-Name, the Servers node and the node for NYC-SVR1.

• Select NTDS Settings. You should see an entry in the details pane for NYC-DC1, which is a replication partner of NYC-SVR1.

• Force a replication from NYC-DC1 to NYC-SVR1.

• If you get an error message, it might be that the NYC-SVR1 domain controller is still sorting itself out. Give it five minutes or so, and then try again. You should eventually get a message that the operation completed successfully.

• Switch over to NYC-SVR1 and, in Server Manager, verify that the FederalAuditors organizational unit now appears under WoodgroveBank.com.

• Close NYC-SVR1 by executing a normal shutdown, saving your changes. Leave the NYC-DC1 virtual machine running for future labs.
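Task 4 of Exercise 2 and the forced replication of this exercise done from the command line (the steps above use the console), as an added example that is not part of the course material: it reads the new domain controller's type from its computer object, forces replication with repadmin while retrying if NYC-SVR1 is still settling, and confirms that the OU exists on the RODC itself. Assumed: the lab names from the exercises and the retry timings.

```powershell
# Added example (not from the course). Run in an elevated PowerShell prompt on NYC-DC1
# after the FederalAuditors OU has been created there. Lab names assumed from the exercise.
$SourceDc = 'NYC-DC1'
$Rodc     = 'NYC-SVR1'
$DomainDn = 'DC=WoodgroveBank,DC=com'
$OuDn     = "OU=FederalAuditors,$DomainDn"

# Exercise 2, Task 4: what type of domain controller is NYC-SVR1? The computer object's
# primaryGroupID answers it: 516 = Domain Controllers, 521 = Read-only Domain Controllers.
function Get-DcType {
    param([string]$Dc, [string]$DcName, [string]$Dn)
    $computer = [ADSI]"LDAP://$Dc/CN=$DcName,OU=Domain Controllers,$Dn"
    $pgid = [int]$computer.psbase.Properties['primaryGroupID'].Value
    switch ($pgid) {
        516     { 'writeable domain controller' }
        521     { 'read-only domain controller (RODC)' }
        default { "unknown (primaryGroupID $pgid)" }
    }
}

# Exercise 3, Task 2: force replication of the domain partition from NYC-DC1 to NYC-SVR1.
# Syntax: repadmin /replicate <destination> <source> <naming context>. A freshly promoted
# RODC may still be initialising, so retry a few times (five minutes in total, as the text
# suggests) before giving up.
function Invoke-ForcedReplication {
    param([string]$Dest, [string]$Source, [string]$Nc, [int]$Attempts = 5, [int]$WaitSeconds = 60)
    for ($i = 1; $i -le $Attempts; $i++) {
        $output = repadmin /replicate $Dest $Source $Nc 2>&1
        if ($LASTEXITCODE -eq 0) { return $true }
        Write-Host "Attempt $i of $Attempts failed: $output"
        Start-Sleep -Seconds $WaitSeconds
    }
    return $false
}

# Confirm the change arrived by binding to the OU on the RODC, not on the source DC.
function Test-ObjectOnDc {
    param([string]$Dc, [string]$Dn)
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Dc/$Dn")
}

"$Rodc is a $(Get-DcType $SourceDc $Rodc $DomainDn)"
if (Invoke-ForcedReplication $Rodc $SourceDc $DomainDn) {
    "Replication $SourceDc -> $Rodc completed"
} else {
    throw "Replication to $Rodc did not complete; check 'repadmin /showrepl $Rodc' and the Directory Service event log."
}
"$OuDn present on $Rodc : $(Test-ObjectOnDc $Rodc $OuDn)"
# Last inbound replication result per partner, the command-line view of NTDS Settings:
repadmin /showrepl $Rodc
```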


Results: After this exercise, you should have an AD DS change on NYC-DC1 and the change replicated to NYC-SVR1.


Exercise 4: Developing a Management and Maintenance Plan

Scenario You and your colleagues in the IT department have been asked to write a first draft for a management and maintenance plan for the NYC-DC1 and NYC-SVR1 domain controllers.

Exercise Overview In this exercise, you will write a first draft for a management and maintenance plan for the NYC-DC1 and NYC-SVR1 domain controllers. (Depending on class size, the instructor may break the class into smaller groups for purposes of generating discussion.)

The main tasks for this exercise are as follows:

1. Decide which tools are better suited for each of the two domain controllers.

2. Decide whether the new RODC is meeting the business needs.

3. Decide whether delegation for certain functions might be appropriate.

Task 1: Decide which tools are better suited for each of the two domain controllers

• Decide which tools are better suited for corporate headquarters and which are better suited to the branch office scenario. Consider that Server Manager is not “remoteable” as such, but Active Directory Users and Computers is remoteable, as is Event Viewer.

• Use the space below to write the answers.



Task 2: Decide whether the new RODC is meeting the business needs

• Consider the methods for determining whether the new RODC is meeting the business needs.

• Use the space below to write the answers.


Task 3: Decide whether delegation for certain functions might be appropriate

• Consider whether delegation for certain functions might be appropriate, for example, adding user accounts.

• Use the space below to write the answers.


Results: After this exercise, you should have a draft document that outlines how to manage these two domain controllers.


Exercise 5: Evaluating the Management and Maintenance Plan

Exercise Overview In this exercise, you will discuss the plan documents you created in Exercise 4. (Depending on class size, the instructor may break the class into smaller groups for purposes of generating discussion.)

Task: Evaluate the management and maintenance plan

• Discuss the plan documents you created in Exercise 4. There is no correct or incorrect answer, but during the discussion make sure you talk about the following points:

• Whether logons and connections to servers are now faster for Active Directory users connecting to the NYC-SVR1 domain controller.

• Lack of technical expertise at the branch office.

• The ability, or lack of it, to use specific management tools remotely.

• Delegating some routine management functions for NYC-SVR1 to the branch office personnel.

• Use the space below to write the key points of the discussion.


Results: After this exercise, you should have ideas for evaluating the success of the plan developed in Exercise 4.


Lab Review


Creating Baselines for Active Directory® Servers 2-1

Module 2 Creating Baselines for Active Directory® Servers

Contents:

Lesson 1: Baseline Methodologies for Active Directory Servers 2-3

Lesson 2: WRPM Overview 2-10

Lesson 3: Using Metrics to Create Baselines for Active Directory Servers 2-16

Lab: Creating Baselines for Active Directory Servers 2-24


Module Overview

Every organization is different. Some have more formal IT requirements than others. But most organizations can benefit by setting some baseline expectations for Active Directory performance, security, and reliability. Variances from these baselines then represent a call to action. This module explores methodologies for creating baselines, and takes a look at the primary Windows Server® 2008 tool for establishing baseline goals and measuring baseline compliance.


Lesson 1 Baseline Methodologies for Active Directory Servers

If your organization has never established performance baselines before, or if it has, but the effort did not bear fruit, then it might be worth examining some of the different ways of planning for baselines and managing the baseline creation process.


Planning for Baselines

Key Points There are many reasons to implement baselines but probably the most significant one is to become more proactive in managing information systems, setting expectations, and matching real-world performance against those expectations.

Baselines generally only make sense for metrics that are measurable. For example, "user-friendliness" might be very important but there are no software tools for measuring it.

Some areas that are not traditionally incorporated in baseline planning might be worth considering, for example, application compatibility, which is often not a yes/no situation but a range between a fully compatible application and one that is unusable. What metrics might you use for this area?

Choosing the operational scenarios that your baselines will cover depends on the nature of your business. For example, an accounting firm in the United States will have different demands on its information systems in March than in May.

It is important to choose a high-stress scenario because that is often when the performance of Active Directory systems is most important to the business.


Defining Baseline Server Hardware and Roles

Key Points There is no absolute baseline for server hardware because different functions have different requirements. What might be acceptable hardware for a DHCP server might be inadequate for a domain controller.

Question: What major roles do Active Directory servers assume in your organization? How many different kinds of Active Directory servers do you have?


Who Decides the Initial Performance Criteria?

Key Points Like anything else in an organization, if no person or group takes ownership of server baselining, it will never develop into a useful technique for managing an Active Directory network.

A baseline committee must include the consumers of Active Directory services as well as the providers.

It is possible to go overboard in the planning phases and create a baseline methodology that is too ambitious for the resources available. It is better to start off with a highly targeted baseline program (for example, "performance of Active Directory domain controllers at high stress times") than to set too many new goals simultaneously.


Review of the Existing History of Microsoft® Windows Server 2003

Key Points Mine your Windows Server 2003 event and PerfLog history, focusing on strong examples of the types of performance you want to baseline.

If such history is not available, consider performing some monitoring of the template systems you have selected, using objects and counters identified later in this module.

The reason for performing this type of analysis is that the published literature on Active Directory server performance baselines is quite sparse. Over time, therefore, you will need to develop your own baselines based on your own analysis and experience.

A wide variety of third-party tools can assist you in analyzing performance and event logs from existing servers.

Question: What factors do you think will determine whether existing Active Directory servers can provide relevant performance and/or event log data for use in Windows Server 2008 baselining?


Evaluating Baseline Acceptability Over Time

Key Points Periodic reviews should be realistic, considering available personnel resources. They should also reflect the speed at which your organization's network changes. More stable Active Directory environments might be fine with annual baseline reviews; Active Directory environments in rapid flux might need semiannual or even quarterly reviews at first.

Question: Do you think that, in your organization, customer expectations based on experience with home computers affect their expectations for performance in the Active Directory environment? How does your organization deal with that discrepancy?


Criteria for Revising Baselines vs. Starting Over

Key Points If you find yourself in a position of starting over with a new baseline plan, document why the old plan failed.

Sometimes it is necessary to start over because of a change in management, but even then you should ask whether elements of the old plan might be salvageable (for example, the list of tools).


Lesson 2 WRPM Overview

Windows® Reliability and Performance Monitor (WRPM), first introduced in Windows Vista®, is present in Windows Server 2008 and combines a new tool (Reliability Monitor) with a traditional one (Performance Monitor). This lesson helps identify important objects and counters and helps you configure the tool for use in a baseline program.


Reliability Monitor

Key Points The Reliability Monitor also correlates the graphical System Stability Index with failures of the operating system, applications, and hardware.

The System Stability Index graph might show as dotted sections to indicate that the operating system did not have enough data to calculate a stable index.

The relevant scheduled task is RACAgent.

Recent events are weighed more heavily than older events.

Days when the system is powered down do not count.

Microsoft® does not provide details on the formulas used to calculate the System Stability Index, nor is there a mechanism for you to modify them or generate your own.

For more information, refer to the Windows Server 'Longhorn' Performance and Reliability Monitoring Step-by-Step Guide article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Performance Monitor

Key Points An object is something you want to measure; a counter is a characteristic of that object that you want to measure; and an instance is the specific occurrence of an object that might have more than one occurrence (for example, CPU).

The Data Collector Set is a method for grouping collectors together so that you can reuse the set over time; change its schedule; and/or load it into the real-time performance monitor console.

You can use a Data Collector Set for ongoing monitoring or for one-time use.

You can save your own Data Collector Sets as a template.

Caveat: The properties for a Data Collector Set are different from the properties for an individual collector.

For more information, refer to the Windows Server 'Longhorn' Performance and Reliability Monitoring Step-by-Step Guide article on Microsoft TechNet, Windows Server 2008 Technical Library Web site. Also, refer to the Compare Multiple Log Files in Performance Monitor article on the TechNet Web site.


Essential Objects and Counters (Global)

Key Points This slide shows several performance objects and counters that are generally relevant for most server types and should be considered when setting up a performance baseline for Active Directory servers.

Using LogicalDisk instead of PhysicalDisk might be more appropriate for servers with multiple logical disks on a single physical disk.

For more information, refer to the Suggested Performance Counters to Watch article on the Microsoft TechNet, IIS 6.0 Technical Library Web site.


Logging Options

Key Points The point of doing PerfMon logging with existing servers is to establish some ranges for good, fair, and poor performance.

Experiment with the logfile directory location. For example, depending on the type of testing you are doing, you might benefit from using a USB flash drive.

Also, experiment with log size limits as logs can grow at widely varying rates depending on the size of the Data Collector Set.


Report Options and Formats

Key Points The reporting features of WRPM have been borrowed from an older tool, the Server Performance Advisor from Windows Server 2003.

You can obtain some syntax for the relog command by typing relog /? in a command prompt session. For more details, see the reference below.

CSV = Comma Separated Values; TSV = Tab Separated Values.

For more information about relog, refer to the Microsoft TechNet, Microsoft Windows Server TechCenter Web site.


Lesson 3 Using Metrics to Create Baselines for Active Directory Servers

This lesson presents some of the more often-used metrics for particular Active Directory roles and considers issues of measurement frequency and duration. This information will be useful in building working baseline documents.


Metrics: AD DS

Key Points Domain controllers perform frequent disk reads and writes, so the physical disk object is important.

Directory Replication Agent (DRA) inbound and outbound bytes relate to Active Directory Domain Services (AD DS) replication.

There should be some Kerberos authentication activity for a functioning domain controller.

Lightweight Directory Access Protocol (LDAP) client sessions should be non-zero for a functioning domain controller.

LDAP bind time should be very low.

For more information, refer to the Counters by Object article on the Microsoft TechNet, Windows Server 2003 Technical Library Web site. (At the time of this writing, no similar article exists for Windows Server 2008.)


Metrics: AD LDS

Key Points In addition to the PerfMon counters and objects, the REPADMIN tool is especially useful for monitoring Active Directory Lightweight Directory Services (AD LDS) replication performance.


Metrics: AD CS

Key Points The online responder requires Internet Information Services (IIS), so machines running Windows Server 2008 configured as an online responder can take advantage of IIS performance counters as well as the explicit Active Directory Certificate Services (AD CS) counters.


Metrics: AD FS

Key Points Active Directory Federation Services (AD FS) requires either AD DS or AD LDS, so the performance objects and counters for those roles will be relevant in creating a baseline for AD FS.


Metrics: AD RMS

Key Points Active Directory Rights Management Services (AD RMS) depends on the following roles and services:

• AD DS

• AD CS (or a standalone or third-party certificate authority)

• Microsoft Message Queuing (MSMQ)

• IIS

• SQL Server®

A performance analysis plan should consider the underlying performance of those roles and services.

For more information, refer to the Troubleshooting Performance Problems in SQL Server 2005 article on the Microsoft TechNet Web site. When available, look for a similar document on SQL Server 2008.


Frequency of Measurement

Key Points The higher the frequency, the greater the impact of performance monitoring on performance. Logging to a separate physical drive helps.

For general-purpose performance monitoring, 15 to 30 minutes is a good interval.
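The Data Collector Set, logging-option, relog and AD DS counter key points of Lessons 2 and 3 combined into one script, as an added example that is not part of the course material: it creates a counter collector for the counters named under Metrics: AD DS, samples at the 15-minute interval recommended above, logs to a separate drive with a size limit, converts the binary log to CSV with relog, and spot-checks the lesson's "should be non-zero" expectations through WMI. Assumed: D: as the separate log disk, the collector name, the 100 ms bind-time threshold, and the WMI property names derived from the counter names.

```powershell
# Added example (not from the course). Run in an elevated PowerShell prompt on a domain
# controller. Assumptions: D: is a separate physical disk; the set is named ADDS-Baseline.
$SetName  = 'ADDS-Baseline'
$LogDir   = 'D:\PerfLogs'    # separate drive, as the Frequency of Measurement note advises
$Interval = '00:15:00'       # general-purpose interval from the same note
$MaxMb    = 500              # size limit; tune it, logs grow at widely varying rates

# Counters from the "Metrics: AD DS" key points plus the global PhysicalDisk object.
$Counters = @(
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Read',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Write',
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\Kerberos Authentications',
    '\NTDS\LDAP Client Sessions',
    '\NTDS\LDAP Bind Time',
    '\NTDS\LDAP Searches/sec'
)

# Create and start the Data Collector Set (it then appears under User Defined in WRPM).
function New-BaselineCollector {
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    # -f bincirc: circular binary log; -max: limit in MB; -si: sample interval.
    logman create counter $SetName -c $Counters -si $Interval -o (Join-Path $LogDir $SetName) -f bincirc -max $MaxMb
    logman start $SetName
}

# Report option: relog rewrites a binary .blg as CSV so the values can be ranged into
# good / fair / poor in a spreadsheet. Converts every log the set has written so far.
function Export-BaselineCsv {
    Get-ChildItem -Path $LogDir -Filter "$SetName*.blg" | ForEach-Object {
        $csv = [System.IO.Path]::ChangeExtension($_.FullName, '.csv')
        relog $_.FullName -f CSV -o $csv -y     # -y: overwrite without prompting
        $csv
    }
}

# Spot-check of the lesson's expectations for a functioning domain controller through the
# formatted WMI view of the NTDS object. Property names are the counter names with spaces
# and punctuation removed (assumed); the 100 ms bind-time threshold is assumed. Kerberos
# Authentications is a rate, so a quiet lab DC can legitimately read 0 between logons.
function Test-AdDsActivity {
    param([string]$Dc = '.')
    $ntds = Get-WmiObject -ComputerName $Dc -Class Win32_PerfFormattedData_NTDS_NTDS
    $results = @{}
    $results['LDAP client sessions non-zero']    = ($ntds.LDAPClientSessions -gt 0)
    $results['Kerberos authentication activity'] = ($ntds.KerberosAuthentications -gt 0)
    $results['LDAP bind time under 100 ms']      = ($ntds.LDAPBindTime -lt 100)
    return $results
}

New-BaselineCollector
Test-AdDsActivity
# After the measurement window (see Duration of Measurement): logman stop $SetName; Export-BaselineCsv
```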


Duration of Measurement

Key Points Consider the business-cycle variations in your organization when developing durations. For example, if you see Active Directory activity vary throughout the day, but you do not see much variation between different days of the week or month, then a 1-day duration might be sufficient.

Activity can vary by month of the year, also. If you work for a tax consultancy, for example, certain months might exhibit dramatically more activity than others.

Your measurement durations must capture all significant business-cycle variations.


Lab: Creating Baselines for Active Directory Servers

Exercise 1: Involving Users in Baseline Development

Scenario The loan department of Woodgrove Bank has a number of users who work on shared PCs. The frequency of logons and logoffs is relatively high in this department. The department runs a small number of applications, and employees perform very few searches of Active Directory. Communications outside the local office are limited.

The research department of the bank, by contrast, is engaged in studying new banking products. Employees of this department, who generally have a PC all to themselves, perform a fair amount of market research and draw upon resources throughout the organization, including people in different locations and even in different domains. They tend to log on at the beginning of the day and log off at the end of it.

Exercise Overview The main tasks for this exercise are as follows:

1. Generate ideas for involving users in developing a baseline.


2. Generate five questions to ask in a user survey to help IT professionals develop baseline documents.

Task 1: Generate ideas for involving users in baseline development

• Working in small groups, discuss ways in which computer users can become involved in developing a baseline. There are no correct or incorrect answers.

• Use the space below to write the results and then share your results with the class.


Task 2: Generate five questions to ask in a user survey to help IT professionals develop baseline documents

• Working in the same groups, discuss what type of questions you might ask in a user survey (for example, an e-mail survey) to help you create appropriate Active Directory baseline values. The following are some thought starters:

• What is the slowest operation you perform on your PC?

• What is the fastest operation you perform on your PC?


• How many times a day do you typically log on and off?

• How many times a day do you search the network for resources other than mapped drives and printers?

• Use the space below to write the five questions and then share your results with the class.

______________________________________________________________________

Results: After this exercise, you should have some ideas for involving users in what traditionally has been an IT-only activity, developing network performance baselines.


Exercise 2: Choosing Relevant WRPM Counters and Durations

Scenario

Use the same scenario as in Exercise 1.

Exercise Overview

In this exercise, you will identify relevant WRPM counters for the loan department and for the research department.

The main tasks for this exercise are as follows:

1. List the counters that you would consider including in the baseline.

2. Consider differences in a baseline strategy for the two departments.

Task 1: List the counters that you would consider including in the baseline

• Start NYC-DC1.

• Log on to NYC-DC1 as WoodgroveBank\Administrator with the password of Pa$$w0rd.

• In Server Manager, expand the nodes Diagnostics, Reliability and Performance, and Data Collector Sets.

• Under the System node, navigate to the Active Directory Diagnostics Data Collector Set and select Properties.

• On the General tab, read the description of this Data Collector Set.

• Take a look at the other tabs on the Data Collector Set Properties page.

• Close the Data Collector Set Properties page.

• In the details pane, you should see four data collectors. What types are they?

• Open the Properties of the Performance Counter data collector. Note the PerfLog objects that Microsoft has chosen for this pre-built Data Collector Set. This list is a good starting point for exploring Active Directory performance counters in detail. Note, for example, the category DirectoryServices.

• Back in Server Manager, in the User Defined node, create a new Data Collector Set named CustomAD with the following options:


• Create from a template (recommended)

• Template: Active Directory Diagnostics

• Root directory: Default

• Finish the Data Collector Set.

• Open the Properties dialog box and type Woodgrove Bank custom AD data collector set as the description.

• Under the User Defined node, open the Properties of the Performance Counter for the new CustomAD.

• View the Counter Selection dialog box on the Performance Counters tab.

• Expand the DirectoryServices object and browse the counters and counter categories, especially:

• Asynchronous Thread Queue (ATQ)

• DRA

• Directory Service

• LDAP

• Security Accounts Manager (SAM)

• Browse the counters listed under FileReplicaSet.

• Use the space below to write any performance counters and/or objects that look relevant to you.

______________________________________________________________________
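The same CustomAD collector set can be built from the command line, which is how you would reproduce it on every domain controller instead of clicking through the wizard. The following is an added example and is not part of the course material: it runs from an elevated PowerShell prompt on NYC-DC1 and assumes Windows Server 2008 (logman and typeperf are part of the PLA tool set), the DirectoryServices performance object with its single NTDS instance, and an output directory of my choosing. The counter selection is mine and covers the categories the task asks you to browse; validate the names before you rely on them, because a misspelled counter does not fail the creation, it just never logs.

```powershell
# Added example, not from the course: create the CustomAD data collector set
# from an elevated PowerShell prompt on NYC-DC1 instead of through the
# Server Manager wizard. Assumes Windows Server 2008 (PLA tools: logman,
# typeperf) and the DirectoryServices performance object, whose single
# instance is named NTDS. Counter choices and the output path are mine.

$setName = 'CustomAD'
$logDir  = 'C:\PerfLogs\CustomAD'     # assumed output directory

# Counters from the categories the task asks you to browse (ATQ, DRA,
# Directory Service, LDAP, SAM) plus one FileReplicaSet counter for SYSVOL.
$counters = @(
    '\DirectoryServices(NTDS)\ATQ Outstanding Queued Requests'
    '\DirectoryServices(NTDS)\DRA Inbound Bytes Total/sec'
    '\DirectoryServices(NTDS)\DRA Outbound Bytes Total/sec'
    '\DirectoryServices(NTDS)\DS Directory Reads/sec'
    '\DirectoryServices(NTDS)\LDAP Searches/sec'
    '\DirectoryServices(NTDS)\LDAP Client Sessions'
    '\DirectoryServices(NTDS)\SAM Password Changes/sec'
    '\FileReplicaSet(*)\Change Orders Received'
)

# Validate every name against what this server actually exposes.
function Test-CounterNames {
    param([string[]] $Names)
    # typeperf -qx lists every counter path with its real instance names
    $known = typeperf -qx | ForEach-Object { $_.Trim() }
    foreach ($n in $Names) {
        # -like lets the (*) wildcard in a path match the real instance names
        if (-not ($known | Where-Object { $_ -like $n })) {
            Write-Warning "Counter not found on this host: $n"
        }
    }
}
Test-CounterNames -Names $counters

# Create the set: counter type, 15-second sample interval, binary log that
# PerfMon can open later. The set appears under User Defined in Server Manager.
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
logman create counter $setName -c $counters -si 00:00:15 -o "$logDir\$setName" -f bin

# Inspect and exercise it (the task does the same through the GUI).
logman query $setName
logman start $setName
Start-Sleep -Seconds 60
logman stop  $setName
```

If you prefer to start from the Active Directory Diagnostics template as the task does, export that template from the console to XML and feed it to `logman import -n CustomAD -xml <file>`; the counter list above then becomes the starting point for trimming it down to what each department actually needs.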

Task 2: Consider differences in a baseline strategy for the two departments

• Using the console from Task 1, identify three performance counters that would probably be more important for the loan department than for the research department. Use the space below to write the counters.


______________________________________________________________________

• Identify three performance counters that would probably be more important for the research department than for the loan department. Use the space below to write the counters.

______________________________________________________________________

• Identify three performance counters that would probably be important for both departments. Use the space below to write the counters.

______________________________________________________________________

• Leave NYC-DC1 running for future labs.

Results: After this exercise, you should be familiar with some of the PerfMon Active Directory counters, and have some idea of how to adapt a baseline strategy for different business situations.


Exercise 3: Evaluating and Revising a Baseline Document in the Face of Business Changes

Scenario

The scenario is the same as in Exercise 1, but the IT department has just been informed that the domain controller is about to support twice as many users.

Exercise Overview

In this exercise, you will discuss as a class whether the baseline document should be modified in view of the increased user population, and explore possible procedures and organizational standards for modifying (or suggesting modifications to) the baseline document.

The main tasks for this exercise are as follows:

1. Decide whether the baseline document should be modified.

2. Discuss the procedures and standards for modifying a baseline document.

Task 1: Decide whether the baseline document should be modified

• Discuss the pros and cons of modifying the baseline document for the upcoming change.

• What questions would you ask in order to determine whether the Active Directory performance baseline document should be modified?

• Use the space below to write the key points of the discussion.

______________________________________________________________________


Task 2: Discuss the procedures and standards for modifying a baseline document

• Discuss who in the organization should be able to initiate a baseline modification suggestion.

• Discuss who should review such suggestions, and how often they should perform such a review.

• Discuss what happens to a baseline document that is never updated.

• Use the space below to write the key points of the discussion.

______________________________________________________________________

Results: After this exercise, you should have heard various perspectives and ideas on the pros and cons of modifying Active Directory baseline documentation, and on how to implement such modifications in a realistic and practical way.


Lab Review


Module 3 Monitoring the System Health of Active Directory® Servers

Contents:

Lesson 1: System Health Overview 3-3

Lesson 2: Using Long-Term Monitoring to Identify Trends 3-7

Lesson 3: Setting Thresholds and Alerts for Short-Term Monitoring 3-11

Lesson 4: Choosing the Appropriate Windows Server 2008 Monitoring Tools 3-17

Lab: Monitoring the Active Directory Server Roles 3-27


Module Overview

Active Directory system health means different things to different organizations. This module will identify aspects of Active Directory system health that you should consider before getting into the details of performance and reliability monitoring. Then, the module will explore both long-term monitoring for “big picture” adjustments, and short-term monitoring for quick responses. Finally, the module explores some of the tools available, and when to use each one for both long-term and short-term monitoring.


Lesson 1 System Health Overview

Moving from general to specific, this lesson considers three ways to define health: overall system health, server health, and Active Directory (or service) health. Your organization's health monitoring plan should encompass all three.


Defining System Health

Key Points

Users view information systems as whole systems, not as components. The system fails if any component of the overall system fails.

Active Directory is a large set of services, but managing Active Directory is ultimately only one link in a long chain of things that have to "go right" in an information system.

Question: Can you think of any aspects of system health that are important to your organization, but that the above list omits?


Defining Server Health

Key Points

The above areas encompass hardware, software, administration, and user support elements.

Analyzing individual servers, while useful, is not in itself sufficient to obtain a complete picture of system health. For example, an Active Directory Domain Services (AD DS) domain controller can take much longer to boot if it cannot find its replication partners quickly on the network.

Question: Are there any aspects of server health that are important to your organization, but that the above list omits?


Defining Active Directory Health

Key Points

Active Directory is more than just directory services with Windows Server® 2008.

Defining the health of an Active Directory Lightweight Directory Services (AD LDS) installation will involve both Microsoft® tools and vendor-specific tools.

The health of your DNS environment (not just whether DNS works, but whether it works optimally) has a major impact on AD DS and AD LDS.

For more information, consider discussing the "Active Directory Health Check" with your Microsoft Technical Account Manager (TAM). Also, you might want to explore the product "Spotlight on Active Directory" from Quest Software.


Lesson 2 Using Long-Term Monitoring to Identify Trends

Long-term monitoring is designed to identify trends in performance, security, or uptime that require improvement. Certain tools, such as System Center, focus explicitly on such "big-picture" monitoring. But whatever tools you use, your organization will need criteria for periodically reviewing your baselines and adjusting them to meet real-world expectations and potentially changing business needs.


System Center Operations Manager Features

Key Points

System Center Operations Manager is the successor to Microsoft Operations Manager (MOM).

If you are not familiar with this product, Microsoft makes a 180-day evaluation version available.

Question: Do you use the System Center Operations Manager in your organization? What have you found to be its strengths and weaknesses?

For more information, refer to the Monitoring Active Directory with MOM 2005 slideshow by Alexandre Le Bienvenu, which has a great deal of content that remains useful. Also, visit the Microsoft home page for System Center Operations Manager 2007.


Re-evaluating Performance vs. Baselines

Key Points

Trends in the field can arise from changes in:

• User applications

• Business practices (for example, auditing)

• User population changes

• Back-end system changes (for example, antivirus software)

• Hardware changes

• Network link traffic

Proactively survey your IT consumer community to make sure your baseline documents remain relevant by reflecting real-world performance.

Question: Does your organization ever re-evaluate your baselines in the areas of performance, security, and uptime?


Adjusting Baselines

Key Points

Baseline adjustment is a balancing act between 1) spending too much time updating the baseline and too little on managing the environment, and 2) risking irrelevance by never updating the baseline document(s) to reflect system evolution.

Question: Do you use baselines as a metric for determining the performance of the IT organization? If so, does it become even more important to update them?


Lesson 3 Setting Thresholds and Alerts for Short-Term Monitoring

Short-term monitoring focuses on the quick detection and correction of performance problems that could affect the daily business activities of the organization. Although some of the tools used might be the same as for long-term monitoring, the time frame is completely different, requiring different approaches both technologically and procedurally.


Performance Threshold Basics

Key Points

Mean Time To Recover (MTTR) might be more important than Mean Time Between Failures (MTBF).

Alert responses must have organizational (procedural) elements as well as technological (triggering) elements to be successful.

Question: What Active Directory-related performance, downtime, or security alerts do you currently monitor, if any?


Creating Alerts and Triggers for Short-Term Monitoring: Informational Alerts

Key Points

Windows Server 2008 makes no distinction between "informational alerts" and "action alerts" but this is a useful distinction to make in your organization. For informational alerts, logging an entry in the application event log might be sufficient. It might be useful to create a filter (or view) in Event Viewer for such informational alerts.


Creating Alerts and Triggers for Short-Term Monitoring: Action Alerts

Key Points

You can create scheduled tasks in Server Manager, under the Configuration node.

The task can run when PerfMon triggers it, even if you do not associate any triggers with the scheduled task when you create it.

Once you have created a scheduled task to execute an alert, if you need to rename it later, you must recreate it with the new name.


Creating Alerts and Triggers for Short-Term Monitoring: Event Log Triggers

Key Points

You can use event log triggers in addition to, or instead of, PerfMon alerts.

For more information, visit the www.eventid.net website, where administrators post their experiences with specific event IDs. You can also visit the Microsoft TechNet Events and Errors Message Center.
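The two ideas from the last few topics, a saved filter for informational alerts and an event log trigger for action alerts, both have command-line forms that are easier to document and replicate than console clicks. The following is an added example, not course material: it runs from an elevated prompt on Windows Server 2008 and uses wevtutil for the filter and schtasks with the ONEVENT schedule for the trigger. The choice of the Directory Service log, the XPath filters, and the response script path are mine; the response script itself is assumed to exist.

```powershell
# Added example, not from the course: an informational "view" and an event
# log trigger, both from an elevated prompt on Windows Server 2008. The
# Directory Service log, the XPath filters and the response script path are
# my choices; the response script is assumed to exist.

# --- Informational alerts: a reusable filter over an event log --------------
# Level 4 = Information. The same XPath can be pasted into the XML tab of an
# Event Viewer custom view so the filter survives as a named view.
function Get-InformationalEvents {
    param([string] $Log = 'Application', [int] $Count = 10)
    $xpath = '*[System[(Level=4)]]'
    # /rd:true = newest first, /f:text = readable rendering instead of XML
    wevtutil qe $Log /q:$xpath /c:$Count /rd:true /f:text
}
Get-InformationalEvents -Log 'Application' -Count 5

# --- Action alerts: an event log trigger ------------------------------------
# Level 1 = Critical, 2 = Error. ONEVENT runs the task for each matching
# event written to the Directory Service log; no PerfMon alert is involved.
$respond = 'C:\Scripts\Respond-DSError.ps1'   # assumed response script
$filter  = '*[System[(Level=1 or Level=2)]]'
schtasks /create /tn 'DS Error Response' /sc ONEVENT /ec 'Directory Service' `
    /mo $filter /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $respond" `
    /ru SYSTEM /f

# Confirm the trigger took, then review what it would have fired on recently.
schtasks /query /tn 'DS Error Response' /fo LIST /v
wevtutil qe 'Directory Service' /q:$filter /c:5 /rd:true /f:text
```

Run the last wevtutil query before you enable a trigger like this in production: it shows how often the filter would have fired over the recent past, which is the quickest way to catch a filter that is too broad and would page someone for routine noise.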


Setting Action Plans for Alert Situations

Key Points

You might want to set up different action plans for different levels of severity if you have created triggers for multiple scenarios.

Autoremediation is always preferable to manual remediation, as long as you have a mechanism in place for periodically reviewing alert type and frequency.


Lesson 4 Choosing the Appropriate Windows Server 2008 Monitoring Tools

Microsoft provides a number of tools that you can use for both long-term and short-term monitoring. This lesson will explore some of these more useful tools.


WRPM: Resource Overview

Key Points

The Windows Reliability and Performance Monitor (WRPM) is an MMC snap-in that provides tools for analyzing system performance. One of these tools is the Resource Overview.

If you run the Resource Overview with insufficient credentials, it will not show current system information.

One way to ensure that you are running with an elevated security token is to run PerfMon.exe from an administrative command prompt.

The command perfmon /res will open the Resource Overview in a separate window.

For more information, refer to the Monitoring General System Activity Using Resource View article on the Microsoft TechNet, Windows Vista® TechCenter Web site.


WRPM: Performance Monitor

Key Points

The basic PerfMon program is an evolution of a tool that has been present in Windows® operating systems since Windows NT®.

Successive versions of Windows have added performance objects and counters.

For more information, refer to the Monitoring Specific System Activity Using Performance Monitor article on the Microsoft TechNet, Windows Vista TechCenter.


Event Viewer

Key Points

Most administrators will not need to review the operational logs regularly, but it is important to know what is there.

Group Policy is now a service and has its own event log. This will be a primary troubleshooting resource in Active Directory, along with Resultant Set of Policy.

Many third-party tools exist to gather, organize, and analyze event logs.

For more information, refer to the Authoring Event Rules in OpsMgr blog on Microsoft TechNet, especially the Anatomy of a Vista/Server 2008 Event section.


Demonstration: Using Event Logs

Question: What benefits might you gain from making a detailed study of the complex new Event Viewer console?


Event Subscriptions and WinRM

Key Points

Windows Remote Shell, or WinRS.exe, is the command-line tool for Windows Remote Management.

You can add limited Windows Remote Management (WinRM) capability to Windows Server 2003 R2 using the Windows optional components wizard.

WinRM must be started on machines to be polled (listeners) as well as on the polling machine. The usual command is winrm quickconfig.

For more information, refer to the Windows Remote Management article on the MSDN® Library under Win32 and COM Development.
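Event subscriptions only work once WinRM is listening on every source computer and the collector service is configured on the machine that gathers the events, so it pays to verify both before defining a subscription. The following is an added example, not course material: the commands are the standard winrm, winrs and wecutil tools on Windows Server 2008, run from an elevated prompt on each machine. NYC-DC1 is the lab's host name; which machine plays collector is my assumption.

```powershell
# Added example, not from the course: enable and verify WinRM on a source
# (forwarding) computer and on the collector, the prerequisite for event
# subscriptions. NYC-DC1 is the lab's host name; treating the machine you run
# the verification on as the collector is my assumption.

# On every machine that takes part (sources and collector): create the
# listener, open the firewall exception and start the service. -q answers the
# confirmation prompts so the command is scriptable.
winrm quickconfig -q

# On the collector only: configure the Windows Event Collector service.
wecutil qc /q

# Verification: the listener must exist locally and the source must answer.
winrm enumerate winrm/config/listener      # shows transport, port and address
winrm identify -r:NYC-DC1                  # fails if the source is not listening
winrs -r:NYC-DC1 hostname                  # remote shell round trip over the same transport
wecutil es                                 # subscriptions defined on this collector (none yet)
```

If `winrm identify` succeeds but a subscription later shows no events, the usual cause is the collector's computer account not being allowed to read the source's event log; check subscription status with `wecutil gr <subscription name>` rather than re-running quickconfig.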


Services Console

Key Points

This console (services.msc) has not changed dramatically from Windows Server 2003.

Server Manager does not provide as much functionality as this console when it comes to managing services.

You do not have to know the dependent services in advance in order to stop the AD DS service from Server Manager; Server Manager determines which dependent services to stop.

When doing work locally on a Windows Server Core system, use SC.EXE instead of the graphical tool.
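Because Server Manager hides the dependency list, it is worth seeing it explicitly at least once, and sc.exe is the tool that gives the same answer on a full installation and on Server Core. The following is an added example, not course material: the two helper functions that parse sc.exe output are mine; ntds is the real service name of Active Directory Domain Services.

```powershell
# Added example, not from the course: look at the AD DS service (ntds) and at
# the services that depend on it with sc.exe, which behaves the same on a full
# installation and on Server Core. The two helper functions are mine; the
# service names are the real Windows names.

function Get-ServiceState {
    param([string] $Name)
    # sc query prints a STATE line such as "STATE : 4  RUNNING"
    $text = (sc.exe query $Name) -join "`n"
    if ($text -match 'STATE\s*:\s*\d+\s+(\S+)') { $Matches[1] } else { 'NOT_FOUND' }
}

function Get-ServiceDependents {
    param([string] $Name)
    # sc enumdepend prints one "SERVICE_NAME: xxx" line per dependent service;
    # the buffer size argument avoids the "more data" error on long lists
    sc.exe enumdepend $Name 4096 | ForEach-Object {
        if ($_ -match '^SERVICE_NAME:\s*(\S+)') { $Matches[1] }
    }
}

# What AD DS itself needs (the DEPENDENCIES lines) and its current state.
sc.exe qc ntds
Get-ServiceState -Name ntds                    # RUNNING on a healthy DC

# What would stop along with it. Server Manager computes this list when you
# stop AD DS from the console; sc.exe makes it explicit (for example kdc
# and ismserv).
$dependents = Get-ServiceDependents -Name ntds
$dependents

# "net stop ntds" prompts for each of these dependents first; review the
# list before a maintenance window rather than during it.
```

The same two functions work for any service name, so they double as a quick check during incident response: a dependent that is unexpectedly stopped while ntds reports RUNNING points at a problem in that service, not in the directory.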


Server Manager

Key Points

You cannot necessarily give up the full, stand-alone versions of the Active Directory administrative tools in favor of the versions contained in Server Manager.

For most of what server administrators do, Server Manager comes close to being a "one stop shop."

For more information, refer to the Server Manager topic in the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


RSAT

Key Points

Remote Server Administration Tools (RSAT) and its individual tools are installed as Features in Server Manager.

You do not need to install an RSAT tool if you have the related service or role installed on your machine.

Unlike with previous versions of Windows, Windows Server 2008 does not ship with optional support tools or resource kit tools.

If a desired tool is not in the RSAT or in the Windows Server 2008 base distribution, an earlier version might work, but you should test it before relying on it.

For more information, refer to the online help for Remote Server Administration Tools in Server Manager.


PKIView

Key Points

The old name of Enterprise PKI (PKIView) was the PKI Health Tool. The following table lists the meanings of icons located in the PKIView console.

Console Indicator                              Certificate Authority State
Question mark                                  Health state evaluation
Green indicator                                No problems
Yellow indicator                               Non-critical problem
Red indicator                                  Critical problem
Red cross over Certificate Authority icon      Offline

For more information, refer to the AD CS: Enterprise PKI (PKIView) article on the Microsoft TechNet Web site.


Lab: Monitoring Active Directory Server Roles

Exercise 1: Setting a Performance Alert to Meet a Business Goal

Scenario

The management at Woodgrove Bank has issued a directive to the IT department to respond more proactively when Active Directory domain controllers are overloaded beyond “normal” time-of-day spikes. The business goal is to address short-term domain performance problems before the users start calling the Help Desk to report them. The bank would prefer not to spend money on additional monitoring and alerting tools and would also like the solution to have a light footprint in terms of system overhead.

Two system administrators have offered plans for generating an alert. The plans are basically identical in terms of the performance objects and counters to be monitored, and include the following, among others:

• Processor\Percent processor time

• PhysicalDisk\Avg. disk queue length

• Network Interface\bytes received/sec

• Network Interface\bytes sent/sec


• Directory Service\LDAP searches/sec

• Directory Service\DS reads/sec

• Directory Service\DRA inbound bytes total/sec

• Directory Service\DRA outbound bytes total/sec

The plans also suggest that over-threshold events should produce an e-mail to at least one network administrator. Just creating an entry in the event log is not proactive enough to meet the management mandate. However, Plan 1 specifies a 5-second sampling interval, and Plan 2 specifies a 5-minute sampling interval.

Exercise Overview

In this exercise, you will select an alert plan and implement the plan through Scheduled Tasks and the WRPM.

The main tasks for this exercise are as follows:

1. Decide which plan you would recommend, Plan 1 or Plan 2.

2. Create a scheduled task for the e-mail alert.

3. Create an alert in Performance Monitor.

Task 1: Decide which plan you would recommend, Plan 1 or Plan 2

Decide whether you would recommend Plan 1 or Plan 2. The key criteria to consider are as follows:

• The bank is interested in detecting Active Directory performance problems beyond the normal time-of-day spikes.

• The solution should have a light footprint in terms of system overhead.

• Use the space below to write your answer.

______________________________________________________________________

Task 2: Create a scheduled task for the e-mail alert

• Start NYC-DC1 (if it is not already started).

• Log on to NYC-DC1 as WoodgroveBank\Administrator with a password of Pa$$w0rd.


• In Server Manager, navigate to Configuration, Task Scheduler.

• Create a new task titled Performance Alert e-mail. The action should be to send an e-mail from [email protected] to the same address. Make sure the task can be run on demand, and specify administrator credentials for the task.

Task 3: Create an alert in Performance Monitor

• Under Diagnostics, Reliability and Performance, create a new user-defined Data Collector Set titled Active Directory Performance Alert. (Use the manual creation option.)

• Create a performance counter alert. Add the DS Directory Reads/sec counter for the DirectoryServices object. Set the threshold at 5 reads/sec.

• Choose properties for the alert data collector. Set the sample interval to 5 minutes. Configure the properties to run the scheduled task you created in Task 2 when an alert is triggered.

• Try starting and stopping the Data Collector Set to see how simple these operations are.
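Tasks 2 and 3 can be scripted end to end, which matters once the same alert has to exist on every domain controller. The following is an added example and is not part of the course material: it builds the scheduled task with schtasks and the alert through the PLA COM API (`Pla.DataCollectorSet`), which is the same interface the Reliability and Performance console uses. It assumes an elevated PowerShell prompt on NYC-DC1, PowerShell 2.0 for Send-MailMessage, an SMTP relay the domain controller is allowed to use, and placeholder mail addresses; the task name, collector set name, counter, threshold and 5-minute interval are the lab's own.

```powershell
# Added example, not from the course: Task 2 and Task 3 done from an elevated
# PowerShell prompt on NYC-DC1 (Windows Server 2008). Assumptions: PowerShell
# 2.0 for Send-MailMessage, an SMTP relay the DC may use, and placeholder mail
# addresses; the task name, set name, counter and threshold are the lab's own.

$taskName = 'Performance Alert e-mail'
$script   = 'C:\Scripts\Send-PerfAlert.ps1'    # assumed script path (no spaces)
$mailTo   = 'admin@example.com'                # placeholder for the administrator mailbox
$smtpHost = 'smtp.example.com'                 # placeholder relay

# --- Task 2: the scheduled task that sends the e-mail -----------------------
New-Item -ItemType Directory -Path (Split-Path $script) -Force | Out-Null
# Single-quoted here-string: $env and backticks stay literal in the script file;
# {0}/{1} are filled by -f, {{0}} survives as a literal {0} for the inner -f.
@'
Send-MailMessage -From '{0}' -To '{0}' -SmtpServer '{1}' `
    -Subject "AD performance alert on $env:COMPUTERNAME" `
    -Body ("Threshold crossed at {{0}}" -f (Get-Date))
'@ -f $mailTo, $smtpHost | Set-Content -Path $script -Encoding ASCII

# /sc ONCE with a start time already in the past yields a task that only runs
# on demand or when PLA triggers it; /rp * prompts for the administrator password.
schtasks /create /tn $taskName /sc ONCE /st 00:00 /f `
    /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script" `
    /ru 'WoodgroveBank\Administrator' /rp *

# --- Task 3: the performance counter alert ---------------------------------
# Constants: 3 = plaAlert data collector type, 3 = plaCreateOrModify commit mode.
$dcs   = New-Object -ComObject Pla.DataCollectorSet
$alert = $dcs.DataCollectors.CreateDataCollector(3)
$alert.Name            = 'DS reads alert'
$alert.AlertThresholds = @('\DirectoryServices(NTDS)\DS Directory Reads/sec>5')
$alert.SampleInterval  = 300          # seconds: the 5-minute interval of Plan 2
$alert.EventLog        = $true        # also record each trip in the event log
$alert.TaskName        = $taskName    # run the Task 2 task when the threshold trips
$dcs.DataCollectors.Add($alert)
$dcs.Commit('Active Directory Performance Alert', $null, 3)

# Start, inspect, stop: the same operations the last bullet asks you to try.
$dcs.Start($false)                    # $false = do not block until started
logman query 'Active Directory Performance Alert'
$dcs.Stop($false)
```

Two practical notes. The threshold of 5 reads/sec is a lab value chosen so the alert trips easily; in production it comes from the baseline work in Module 2. And the 5-minute interval is what keeps the footprint light: PLA evaluates the threshold only once per sample, so Plan 1's 5-second interval would run the e-mail task up to sixty times more often during a sustained spike.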

Results: After this exercise, you will have selected an alert plan and implemented it through Scheduled Tasks and the WRPM.


Exercise 2: Discussing Alert Response Strategies

Exercise Overview

In this exercise, you will discuss and list some of the pros and cons of different short-term alert responses. You will also discuss ideas for long-term responses to high traffic alerts. (Depending on class size, the instructor may break the class into smaller groups for purposes of generating discussion.)

The main tasks for this exercise are as follows:

1. Discuss different short-term alert responses.

2. Discuss different long-term alert responses.

Task 1: Discuss different short-term alert responses Discuss and list the pros and cons of each short-term alert response, including (but not limited to) the following:

E-mails to managers

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

E-mails to affected users

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Triggered tasks (for example, scripts)

______________________________________________________________________ ______________________________________________________________________


______________________________________________________________________ ______________________________________________________________________

Personal responses

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Follow-up analysis with affected users

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Other

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________


Task 2: Discuss different long-term alert responses Discuss and list some ideas for how to address Active Directory performance alerts over the long term, including (but not limited to) the following:

Suggest changes in logon/logoff procedures

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Split out combined functionality to separate servers

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Review the number and placement of Global Catalog servers

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Maintain the Active Directory database

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________


Move the Active Directory database to higher-performing disk storage

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Move the Active Directory log files to higher-performing disk storage

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Other

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Results: After this exercise, you should have identified a variety of alert responses available to you and the pros and cons of each. You should have also identified the various possible long-term responses to recurring Active Directory performance alerts and shared your experiences with those methods.


Exercise 3: Building a Case for Configuration Change

Scenario As a result of using performance alerts and monitoring, you and your colleagues have identified several possible long-term improvements that can reduce the frequency and severity of Active Directory performance problems. However, before you can ask management to spend money on additional resources, whatever form those might take (some of these should have been discussed in Exercise 2), you want to document the problem and build a case for changing the server configuration.

Exercise Overview In this exercise, you will explore the different tools for building a case for changing the server configuration.

The main tasks for this exercise are as follows:

1. Explore the new Event Viewer operational logs.

2. Create an Event Viewer subscription.

3. List other documentation that would support your request for configuration changes and/or new resources.

Task 1: Explore the Event Viewer operational logs

• Start NYC-DC1 (if it is not already started).

• In Server Manager, navigate to Diagnostics, Event Viewer, and expand Applications and Services Logs.

• Which of these logs would be potentially relevant for an Active Directory server?

• Select the Directory Service log. In a moment, the details pane will populate with events. Do you see any errors or warnings?

• In the navigation pane, under Microsoft Windows, expand the logs. Spend some time looking through these logs. Do you see any logs that would be helpful when you are evaluating the performance of an Active Directory server?


Task 2: Create an Event Viewer subscription

• In Event Viewer, create a new subscription titled Active Directory events for NYC.

• Specify NYC-SVR1 as the machine you would like to collect events from.

• Specify that you would like to collect only Critical and Error events, from the Directory Service log.
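The same subscription built from the command line with wecutil.exe, as an added example that is not part of the course lab. It assumes NYC-DC1 is the collector, that the collector's computer account has been given read access on the source, and that the subscription XML is written under C:\Temp; none of that is stated in the lab.

```powershell
# Added example, not part of the course lab: create the Task 2 subscription with
# wecutil.exe instead of the Event Viewer GUI. Assumed: NYC-DC1 is the collector,
# the XML path is C:\Temp, and the one-time source-side steps below were done.

$SubName = 'Active Directory events for NYC'
$Source  = 'NYC-SVR1'
$XmlPath = 'C:\Temp\ad-events-nyc.xml'   # assumed path

# One-time, on the SOURCE (NYC-SVR1), at its console:
#   winrm quickconfig                                   (WS-Management listener)
#   net localgroup "Event Log Readers" CONTOSO\NYC-DC1$ /add   (collector may read its logs)
# On the COLLECTOR (this host): put the Windows Event Collector service in service.
wecutil.exe qc /q:true

# Level 1 = Critical, Level 2 = Error: the same XPath Event Viewer builds for
# "Critical and Error events from the Directory Service log".
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/windows/events/subscription">
  <SubscriptionId>$SubName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and Error events from the Directory Service log</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Directory Service">
        <Select Path="Directory Service">*[System[(Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$Source</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
New-Item -ItemType Directory -Path (Split-Path $XmlPath) -Force | Out-Null
Set-Content -Path $XmlPath -Value $subscription -Encoding UTF8

wecutil.exe cs $XmlPath     # create-subscription
wecutil.exe gr $SubName     # get-subscriptionruntimestatus: Active/Inactive per source, last error

# Collected events land in the collector's ForwardedEvents log.
wevtutil.exe qe ForwardedEvents /c:5 /rd:true /f:text
```

Within a domain the HTTP transport is still Kerberos-authenticated and message-encrypted by WS-Management, so HTTPS is only needed for sources outside the forest. If the runtime status shows the source as inactive, the usual causes are the missing Event Log Readers membership on the source or the WinRM listener not being enabled there, and, for this particular log, the source not being a domain controller at all: the Directory Service log only exists on DCs.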

Task 3: List other documentation that would support your request for configuration changes and/or new resources Use the space below to list other documentation that would support your request for configuration changes and/or new resources.

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Results: After this exercise, you should have identified some of the new capabilities of the Windows Server 2008 Event Viewer, including operational logs and event subscriptions, both of which might be useful in building a case for configuration change. You should have also created a list of other documentation, both from Windows Server 2008 tools and other sources, that could help support a campaign for making configuration and/or resource changes in response to Active Directory performance monitoring.


Lab Review


Module 4 Managing Active Directory® Domain Services

Contents: Lesson 1: Restarting and Restoring Active Directory 4-3

Lesson 2: FSMO Roles Overview 4-6

Lesson 3: Planning Sites and Replication 4-13

Lesson 4: Managing RODCs 4-17

Lesson 5: Methods for Managing Server Core 4-21

Lesson 6: Best Practices for GPOs and Links 4-26

Lesson 7: Delegating Active Directory Administration 4-34

Lab: Managing AD DS 4-39


Module Overview

Active Directory Domain Services (AD DS) is by far the most popular of the various Active Directory roles in Windows Server® 2008. This module looks at various aspects of managing AD DS, including a special focus on the features that are new to Windows Server 2008: Read-Only Domain Controllers (RODCs), Windows® Server Core, and Group Policy enhancements.


Lesson 1 Restarting and Restoring Active Directory

Certain maintenance operations require taking Active Directory offline. Windows Server 2008 no longer demands a restart into Directory Services Restore Mode (DSRM) to do this: the AD DS service can be stopped and started in place. Additionally, you can now mount a snapshot of the AD DS database and recover objects from it without restarting in DSRM. Both features mean that you can maintain Windows Server 2008 AD DS with less disruption.


Restarting AD DS Without Rebooting

Key Points You must be a member of the Administrators group on the domain controller to stop or start the AD DS service.

Stopping AD DS also stops the services that depend on it (Kerberos Key Distribution Center, Intersite Messaging, DNS Server, and FRS or DFS Replication). Restarting the service from the Services console restarts them; if you use net start ntds instead, check that they have come back.

Caveat: You must run DCPROMO with the /forceremoval qualifier to demote a domain controller if the AD DS service is in the stopped state.

If a client contacts the domain controller to log on while the directory service is stopped, the server behaves like a member server and the client logs on to another domain controller. If the domain has only one domain controller, domain logons fail until AD DS is started again.

For more information, refer to the Windows Server 2008 Restartable Active Directory Step-by-Step Guide article on the Microsoft® TechNet, Windows Server 2008 Technical Library Web site.
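The stop and start cycle scripted, as an added example that is not part of the course: it reads the dependent services from the Service Control Manager rather than hard-coding them, and makes sure they are running again afterwards whichever way they were stopped. No lab-specific names are assumed.

```powershell
# Added example, not part of the course: stop and start AD DS in place, showing which
# services go down with it and bringing them back afterwards.

function Get-AddsDependents {
    # Read from the Service Control Manager rather than hard-coding KDC, DNS, etc.
    (Get-Service -Name ntds).DependentServices | Select-Object Name, Status
}

function Stop-Adds {
    # /y answers the "stop dependent services too?" prompt so the call cannot hang.
    net.exe stop ntds /y | Out-Null
    (Get-Service -Name ntds).Status
}

function Start-Adds {
    net.exe start ntds | Out-Null
    # Dependents are not guaranteed to come back on their own; start any still stopped.
    foreach ($dep in (Get-Service -Name ntds).DependentServices) {
        if ($dep.Status -ne 'Running') { Start-Service -Name $dep.Name }
    }
    (Get-Service -Name ntds).Status
}

Get-AddsDependents   # before: KDC, Intersite Messaging, DNS Server, DFSR/FRS all Running
Stop-Adds            # Stopped
# Offline work goes here, e.g.: ntdsutil.exe 'activate instance ntds' files integrity quit quit
Start-Adds           # Running
Get-AddsDependents   # after: all Running again
```

One caveat a stopped AD DS raises: the DSRM administrator account can log on to the server while the service is stopped only if the DsrmAdminLogonBehavior value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is set to 1. Setting it to 2 allows that local account to log on at any time, which turns the DSRM password into a standing back door on the domain controller; leave it at 0 or 1.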


Restoring Active Directory Without Entering Directory Services Restore Mode (DSRM): DSAMAIN

Key Points Windows Server 2008 lets you create "snapshots" of the directory with NTDSUTIL. A snapshot is a Volume Shadow Copy of the volumes holding the database and logs; you mount it, expose it read-only with DSAMAIN on a separate LDAP port, and recover objects from it (for example with LDIFDE) without entering DSRM. Snapshots complement rather than replace regular backups: they live on the same disks as the live database, and they contain every secret in the directory, so protect them like a backup and unmount them when you are done.

Other third-party AD DS backup tools might be preferable for convenience and features.

Caveat: Windows Server 2008 Server Backup does not support backing up to tape, unlike its predecessor, NTBACKUP.

Question: What tool does your organization use to perform AD DS backups? Have you ever tested the restore feature of that tool?

For more information, refer to the How to Restore Deleted User Accounts and Their Group Memberships in Active Directory knowledge base article 840001 on the Microsoft Help and Support Web site.
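The snapshot workflow end to end, as an added example that is not part of the course: create, mount, serve with dsamain on a side port, export from both the snapshot and the live directory with ldifde, compare, then tear down. The domain name, the side port, the output folder and the ntds.dit location under %SystemRoot%\NTDS are assumptions; the snapshot GUID and mount path are parsed from ntdsutil's own output.

```powershell
# Added example, not part of the course: snapshot, mount, serve, compare, unmount.
# Assumed: domain contoso.com, free port 51389, ntds.dit under %SystemRoot%\NTDS,
# output under C:\Temp.

$DomainDn = 'DC=contoso,DC=com'   # assumed
$Port     = 51389                 # assumed side LDAP port
$OutDir   = 'C:\Temp'             # assumed

function New-AdSnapshot {
    # ntdsutil prints "Snapshot set {GUID} generated successfully."
    $out = ntdsutil.exe 'activate instance ntds' snapshot create quit quit
    [regex]::Match([string]::Join("`n", $out), '\{[0-9A-Fa-f-]{36}\}').Value
}

function Mount-AdSnapshot([string]$Guid) {
    # ntdsutil prints "Snapshot {GUID} mounted as C:\$SNAP_<timestamp>_VOLUMEC$\"
    $out = ntdsutil.exe snapshot "mount $Guid" quit quit
    [regex]::Match([string]::Join("`n", $out), '[A-Z]:\\\$SNAP_[^\s]+\$\\').Value
}

function Export-Users([int]$LdapPort, [string]$File) {
    # ldifde -t selects the port, so one command reads either the snapshot or the live DC.
    ldifde.exe -f $File -s localhost -t $LdapPort -d $DomainDn -r '(objectClass=user)' -l 'sAMAccountName,memberOf' | Out-Null
    $File
}

$guid      = New-AdSnapshot
$mountPath = Mount-AdSnapshot $guid
$ditPath   = Join-Path $mountPath 'Windows\NTDS\ntds.dit'   # mirrors the live layout

# dsamain serves the copy over LDAP until it is stopped. Only Domain Admins and
# Enterprise Admins can bind unless -allowNonAdminAccess is added; do not add it.
$dsamain = [System.Diagnostics.Process]::Start('dsamain.exe', "-dbpath `"$ditPath`" -ldapport $Port")
Start-Sleep -Seconds 15

$snap = Export-Users $Port (Join-Path $OutDir 'users-snapshot.ldf')
$live = Export-Users 389   (Join-Path $OutDir 'users-live.ldf')
# Lines present only in the snapshot (<=) are what was deleted or changed since it was taken.
Compare-Object (Get-Content $snap) (Get-Content $live)

$dsamain.Kill()
ntdsutil.exe snapshot "unmount $guid" quit quit
```

The comparison is the point: it tells you which objects and which group memberships to re-import (the LDIF from the snapshot is the input to the procedure in the knowledge base article above). The exported .ldf files and the mounted snapshot path are readable by administrators only, but they are still an offline copy of directory data; delete the exports and unmount as soon as the recovery is done.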


Lesson 2 FSMO Roles Overview

Managing AD DS involves being aware of (and, perhaps, transferring) the non-replicated Flexible Single Master Operations (FSMO) roles. These roles are basically the same in Windows Server 2008 as in Microsoft Windows Server 2003, so this lesson reviews them briefly.


Schema Master

Key Points Transferring the schema master is a little tricky because the schema console automatically connects to the current role holder. Connect to the target domain controller first and then transfer the role using the console.

A general best practice when temporarily transferring a FSMO role is to transfer it back to its original location when you are done with the operation that prompted the transfer. This way, you do not need to modify your documentation.

Before you install your first Windows Server 2008 domain controller into a Windows Server 2003 or Windows 2000 forest, you must extend the schema. Refer to the TechNet article below for detailed information.

Question: What would be the impact of performing an application installation that requires schema modification, with the schema master being located at the other end of a WAN link?

For more information, refer to the Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 article on the Microsoft TechNet Web site.
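The transfer described above scripted, as an added example that is not part of the course: list the five role holders, move the schema master to a second domain controller for the duration of a schema change, then move it back as the key points recommend. The names NYC-DC1 (current holder) and NYC-DC2 (temporary target) are assumptions.

```powershell
# Added example, not part of the course: query the role holders, transfer the schema
# master to another DC, and transfer it back afterwards. Assumed: NYC-DC2 is the target.

function Get-FsmoHolders {
    # netdom query fsmo prints one "<Role>   <Holder FQDN>" line per role.
    $holders = @{}
    foreach ($line in (netdom.exe query fsmo)) {
        if ($line -match '^(Schema master|Domain naming master|PDC|RID pool manager|Infrastructure master)\s+(\S+)') {
            $holders[$matches[1]] = $matches[2]
        }
    }
    $holders
}

function Move-SchemaMaster([string]$Target) {
    # ntdsutil must be connected to the TARGET before 'transfer': the role moves to
    # whichever server the connection points at, which is the same reason the schema
    # console has to be re-pointed before transferring in the GUI. ntdsutil still pops
    # a Role Transfer Confirmation dialog, so this is not fully unattended.
    ntdsutil.exe roles connections "connect to server $Target" quit 'transfer schema master' quit quit | Out-Null
    (Get-FsmoHolders)['Schema master']
}

$before = Get-FsmoHolders
$before.GetEnumerator() | Sort-Object Name        # all five roles and their holders
Move-SchemaMaster 'NYC-DC2'                        # assumed target; returns NYC-DC2's FQDN
# ... run the schema-extending installer (adprep /forestprep, Exchange setup, ...) here ...
Move-SchemaMaster $before['Schema master']        # back where the documentation says it is
```

Two checks belong around any schema change: the account doing it must be in Schema Admins, and that group should be empty again the moment the change is done, because membership in it is a forest-wide, irreversible capability. Use transfer, never seize, while the current holder is reachable; a seized role must never be followed by bringing the old holder back online.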


RID Master

Key Points Restoring the RID master from an image backup (rather than a supported system state restore) can reissue RID pools that were already handed out, which leads to duplicate security identifiers. That could, for example, prevent two servers from both becoming domain controllers.

If your RID master fails, and you are not adding large numbers of accounts to the Active Directory database at the time, you might be able to "ride out" the failure and operate without a RID master temporarily. Each domain controller maintains a local cache of RIDs, so you can still add some accounts without having the RID master available.

For more information, refer to the Planning Operations Role Placement article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Domain Naming Master

Key Points The Domain Naming Master role must be present and available when creating any new domains, including child domains as well as new domain trees.

If your Forest Functional Level (FFL) is less than Windows Server 2003, the Domain Naming master should be on a machine that also acts as a Global Catalog server.

Putting this role on the same machine as the schema master might simplify FSMO role administration. Neither role is generally very busy in day-to-day activity.


Infrastructure Master

Key Points The infrastructure master role does not need to be on a fast machine in a one-domain forest. In a multi-domain forest, do not place it on a global catalog server unless every domain controller in the domain is a global catalog; a global catalog already holds a partial copy of every object, so the infrastructure master never notices that its cross-domain references are stale and stops updating them.

The infrastructure operations master for a domain maintains a list of the security principals from other domains that are members of groups within its domain.

For example, if a user in domain A belongs to a security group in domain B and the user is renamed or moved, domain B would never learn of the change without the infrastructure master.


PDC Emulator

Key Points The PDC Emulator stresses a server more than the other FSMO roles. Normally, this role should be on a relatively fast machine.

You can lighten the authentication load of a busy PDC emulator by modifying the weight of its DNS SRV records. Refer to the article below for detailed information.

For more information, refer to the Configuring Operations Master Roles article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.
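The SRV-weight adjustment from the key points, as an added example that is not part of the course: lower the weight that Netlogon publishes for this domain controller, republish, and read the records back. The domain name is an assumption; run it on the PDC emulator itself.

```powershell
# Added example, not part of the course: shift client bindings away from the PDC
# emulator by lowering its DC-locator SRV weight. Assumed: domain contoso.com.

$Domain = 'contoso.com'   # assumed
$Key    = 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-DcLocatorWeight([int]$Weight) {
    # LdapSrvWeight (default 100) is this DC's relative share of client bindings among
    # DCs of equal priority. LdapSrvPriority (default 0, lower wins) is left alone so
    # the PDC still answers when the others are unavailable.
    reg.exe add $Key /v LdapSrvWeight /t REG_DWORD /d $Weight /f | Out-Null
    # Netlogon registers its SRV records at start-up (and then hourly); restart to publish now.
    Restart-Service -Name Netlogon
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').LdapSrvWeight
}

function Get-DcSrvRecords {
    # Every DC in the domain with the priority and weight it registered.
    nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$Domain" | Select-String -Pattern 'priority|weight|svr hostname'
}

Get-DcSrvRecords
Set-DcLocatorWeight 50    # returns 50
Get-DcSrvRecords          # this host's record now shows weight = 50
```

The same setting is available as the Group Policy entry "Weight set in the DC Locator DNS SRV records used by the domain controller" under Computer Configuration, Administrative Templates, System, Net Logon, DC Locator DNS Records, which is the better choice when it should survive a rebuild. It only affects clients that pick a DC through the locator; password-change forwarding, time synchronization and the GPMC's default focus still go to the PDC emulator regardless of weight.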


Global Catalog

Key Points Adding global catalog servers can be a mixed blessing: global catalogs create more replication traffic, but offload other global catalogs.

Only domain controllers that are designated as global catalogs respond to global catalog queries on port 3268 (3269 for LDAP over SSL). This includes directory searches for people and printers.

Your application mix can affect the number of global catalogs you need. For example, Microsoft Exchange needs fast, local access to a global catalog.

For more information, refer to the Planning Global Catalog Server Placement article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Lesson 3 Planning Sites and Replication

The site is the only major AD DS structure that is designed to map to a network's physical layout as opposed to its logical layout. You can manage replication across WAN links with sites; you can also use them as a (preferably temporary) method for deploying Group Policy settings that do not map to existing organizational unit boundaries.


Creating Sites

Key Points There is no necessary mapping between sites and domains. A site might contain a part of a domain, an entire domain, multiple domains, or parts of multiple domains.

The relevant tool is Active Directory Sites and Services, which is a component of the Remote Server Administration Tools (RSAT).

You can also use Active Directory Sites and Services to manage replication for an Active Directory Lightweight Directory Services (AD LDS) instance.

Question: Does your organization configure Active Directory sites? Why or why not? Have you encountered any problems with this capability?


Default Replication Settings

Key Points These settings pertain to site replication traffic using the preferred transport, RPC over IP. They do not apply to site links that use SMTP.

When you have multiple site links, and multiple possible replication paths between sites, you can use the Cost parameter to set preferences for particular paths.

Bridgehead servers are the points of contact between sites. You have the option to fine-tune performance by designating preferred bridgehead servers, but this might interfere with the automatic distribution of replication connections.

When a bridgehead server is added to a central (or "hub") site, Windows Server 2008 (unlike Windows Server 2003) dynamically redistributes replication connections to take advantage of the new bridgehead server.


Demonstration: Intersite Replication

Question: Would you be more likely to need to reconfigure the replication interval when two sites are geographically nearby or when they are geographically far apart?
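The settings the demonstration changes in Active Directory Sites and Services, done through ADSI and verified with repadmin, as an added example that is not part of the course demo. The forest root contoso.com and an IP site link named NYC-LON are assumptions.

```powershell
# Added example, not part of the course demo: read and change a site link's cost and
# replication interval, make the KCC recompute, and verify with repadmin.
# Assumed: forest root contoso.com, IP site link NYC-LON.

$ConfigDn = 'CN=Configuration,DC=contoso,DC=com'   # assumed
$LinkName = 'NYC-LON'                               # assumed

function Get-SiteLink([string]$Name) {
    [ADSI]"LDAP://CN=$Name,CN=IP,CN=Inter-Site Transports,CN=Sites,$ConfigDn"
}

function Show-SiteLink([string]$Name) {
    $link = Get-SiteLink $Name
    # cost: preference when several paths exist (lower wins, default 100)
    # replInterval: minutes between replication attempts over this link (default 180)
    '{0}: cost={1} replInterval={2} sites={3}' -f $Name, $link.cost, $link.replInterval,
        [string]::Join(';', [string[]]@($link.siteList))
}

function Set-SiteLink([string]$Name, [int]$Cost, [int]$IntervalMinutes) {
    $link = Get-SiteLink $Name
    $link.Put('cost', $Cost)
    $link.Put('replInterval', $IntervalMinutes)   # use multiples of 15, as the UI does
    $link.SetInfo()
    Show-SiteLink $Name
}

Show-SiteLink $LinkName                           # NYC-LON: cost=100 replInterval=180 sites=...
Set-SiteLink $LinkName -Cost 50 -IntervalMinutes 15
# Run the KCC now instead of waiting for its 15-minute cycle, then check the outcome.
repadmin.exe /kcc
repadmin.exe /bridgeheads /verbose                # which DC in each site carries this link
repadmin.exe /replsummary                         # failures or stale partners anywhere in the forest
```

The interval is the answer to the demonstration question in practice: the further apart and the slower the link, the more you gain from a longer interval and a compressed schedule, but the longer a password reset or an account disable takes to reach the far site. Check the replsummary "largest delta" column after changing it; that is the real propagation time of a security change.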


Lesson 4 Managing RODCs

The RODC is one of the more significant new features in Windows Server 2008. This lesson provides an overview of the technology and should inspire some discussion about when and how your organization might deploy RODCs to your advantage.


Unidirectional Replication

Key Points An RODC holds everything that a writeable domain controller holds, except account passwords, which it caches only for accounts that its password replication policy allows, and the attributes in the RODC filtered attribute set.

A writeable domain controller provides credentials based on password replication policy settings.

The RODC encrypts cached credentials.

You can make an RODC a Global Catalog server, for example, if you have Microsoft Exchange clients.

Consider BitLocker™ for additional security in locations with low physical security where you might consider RODCs.

Consider delegation for RODC administrators to offload central IT staff. RODC administrators do not need to be domain administrators.
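The password replication policy and the delegation mentioned above, operated from the command line, as an added example that is not part of the course. The RODC name LON-RODC1, the groups CONTOSO\LON-Users and CONTOSO\LON-Admins and the domain contoso.com are assumptions, and repadmin's listings are parsed loosely for distinguished names.

```powershell
# Added example, not part of the course: audit and adjust an RODC's Password Replication
# Policy with repadmin, check that no privileged account is cached on it, and delegate
# local administration with dsmgmt. Assumed names: LON-RODC1, CONTOSO\LON-Users,
# CONTOSO\LON-Admins, contoso.com.

$Rodc     = 'LON-RODC1'           # assumed
$DomainDn = 'DC=contoso,DC=com'   # assumed

function Get-RodcPrp([string]$Rodc) {
    # allow / deny : the policy (msDS-RevealOnDemandGroup / msDS-NeverRevealGroup)
    # reveal       : accounts whose secrets this RODC holds right now
    # auth2        : accounts that have authenticated through it (cache candidates)
    foreach ($list in 'allow', 'deny', 'reveal', 'auth2') {
        "== $list =="
        repadmin.exe /prp view $Rodc $list
    }
}

function Get-DnsFromListing($Lines) {
    # Pull bare DNs out of repadmin/dsget output, whatever text surrounds them.
    $Lines | ForEach-Object { [regex]::Match($_, 'CN=[^"]+').Value.Trim() } | Where-Object { $_ }
}

function Find-CachedPrivilegedAccounts([string]$Rodc) {
    # The default deny list covers the built-in admin groups; this catches a privileged
    # account that reached the cache through a later 'allow' entry.
    $cached = @(Get-DnsFromListing (repadmin.exe /prp view $Rodc reveal))
    $admins = @(Get-DnsFromListing (dsget.exe group "CN=Domain Admins,CN=Users,$DomainDn" -members -expand))
    $cached | Where-Object { $admins -contains $_ }
}

Get-RodcPrp $Rodc
repadmin.exe /prp add $Rodc allow 'CONTOSO\LON-Users'   # branch users' secrets may be cached
Find-CachedPrivilegedAccounts $Rodc                      # expect no output

# Administrator Role Separation, run on the RODC itself: the branch group administers
# the server without being given any rights in the domain.
dsmgmt.exe 'local roles' 'add CONTOSO\LON-Admins administrators' quit quit
```

The reveal list is the blast radius if the RODC is stolen: those are the accounts whose passwords must be reset, and deleting the RODC's computer object in Active Directory Users and Computers offers to do exactly that. Keep the allow list to the accounts that actually work at that branch, and never widen it with a group that also contains administrators.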


Read-Only DNS

Key Points If a client tries to update its DNS record, the RODC's DNS will issue the client a referral to a writeable DNS server. The writeable DNS server will make the change and then replicate it back to the RODC.


Multi-RODC Installations

Key Points The benefits of distributing the DNS query load might outweigh the disadvantages of any possible inconsistencies.

If you have a large enough branch office that you need two or more RODCs, you might consider whether you should have a writeable domain controller in that office.


Lesson 5 Methods for Managing Server Core

Server Core presents some unique management problems due to its lack of an integrated GUI. This lesson presents several tools and techniques for managing Server Core Active Directory servers.


Command-Line Tools

Key Points Some details on command-line utilities:

• control timedate.cpl (run date-and-time applet)

• cscript (to activate scripts, for example, cscript slmgr.vbs)

• net user administrator * (set admin password)

• net localgroup administrators <user> /add (add a user to the local Administrators group)

• net start, net stop (start and stop services)

• netsh (for example, to set static IP configuration, configure firewall)

• netdom (for example, to join a domain, rename the computer)

• oclist (to list installed roles and features)

• ocsetup (to install or remove roles and features)

• pnputil (to inject device drivers for Plug and Play)

• sc (to manage services)

• shutdown (to shut down or restart the machine)

• slmgr.vbs (to activate Windows)


• wevtutil (to manage event logs)

Many other commands are available (for example, cacls, defrag, nslookup, pathping, etc.)

A special built-in, core-only script (scregedit.wsf) handles the following tasks:

• Enables automatic updates

• Sets Windows Error Reporting settings

• Allows Remote Administration connections

• Manages IPsec Monitor remotely

You can invoke a few GUI tools from the command line:

• Notepad

• Task Manager

• RegEdit

For more information, refer to the Windows Server Core Installation Option of Windows Server 2008 Step-By-Step Guide article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Remote-Enabled Administrative Tools

Key Points The RSAT tools require either Windows Server 2008 or Windows Vista® SP1.

Server Core supports only a subset of Internet Information Services (IIS) (no ASP.NET), and does not support Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS), or Active Directory Rights Management Services (AD RMS).
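Managing a Server Core domain controller from a full-installation host, as an added example that is not part of the course: it uses the remote-capable forms of the same tools listed in the previous topic (sc, wevtutil, reg, shutdown), so the Core box needs neither a GUI nor PowerShell, which Server Core 2008 does not have. The name NYC-CORE1 is an assumption, as is that the firewall "Remote Administration" rule group was enabled and scregedit.wsf /ar 0 run once at its console.

```powershell
# Added example, not part of the course: manage a Server Core DC remotely with the
# remote forms of the standard tools. Assumed: the Core DC is NYC-CORE1, the caller is
# a domain administrator, and at the Core console these were run once:
#   netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
#   cscript %SystemRoot%\System32\scregedit.wsf /ar 0

$Core = 'NYC-CORE1'   # assumed

function Get-CoreServiceState([string]$Computer, [string]$Service) {
    # sc.exe takes the target computer as its first argument.
    $out = sc.exe "\\$Computer" query $Service
    ($out | Select-String -Pattern 'STATE').Line.Trim()
}

function Get-CoreDirectoryServiceErrors([string]$Computer, [int]$Count) {
    # wevtutil /r: reads the remote log; Level 1/2 = Critical/Error.
    $query = '/q:*[System[(Level=1 or Level=2)]]'
    wevtutil.exe "/r:$Computer" qe 'Directory Service' "/c:$Count" /rd:true /f:text $query
}

function Get-CoreRemoteAdminState([string]$Computer) {
    # The value scregedit.wsf /ar writes: fDenyTSConnections 0 means Remote Desktop is allowed.
    # Needs the Remote Registry service running on the target.
    reg.exe query "\\$Computer\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
}

Get-CoreServiceState $Core ntds          # STATE : 4 RUNNING
Get-CoreServiceState $Core dns
Get-CoreDirectoryServiceErrors $Core 5
Get-CoreRemoteAdminState $Core

# The MMC consoles (Services, Event Viewer, Computer Management, the AD snap-ins) connect
# to $Core the same way via Action > Connect to another computer once the rule group is open.
# A controlled restart from here:  shutdown.ex /r /m \\$Core /t 60 /c "Patch window"
```

Every one of these paths is an authenticated RPC or SMB connection, so the Remote Administration rule group is the thing to watch: it opens the same ports to everyone on the network, not just to the management hosts. Scope the rule to the management subnet with netsh advfirewall firewall set rule ... remoteip= on the Core box rather than leaving it open to any address.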


Group Policy

Key Points WMI filters can work for the purpose of targeting GPOs. However, they are not as easily discoverable as using a descriptively-named organizational unit for your Server Core systems.

You can also use WMI filters on Windows XP and Windows Server 2003 systems (but not Windows 2000).

For more information, refer to the WMI Filtering Using GPMC article on the Microsoft TechNet, Microsoft Windows Server TechCenter Web site.
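The WQL a Server Core WMI filter would contain, and a check that evaluates it the way Group Policy does, as an added example that is not part of the course. The SKU numbers are the Windows Server 2008 Server Core editions (12 Datacenter, 13 Standard, 14 Enterprise); the remote host name is an assumption.

```powershell
# Added example, not part of the course: the WMI filter query for Server Core systems
# and a local/remote test of it. Assumed remote host: NYC-CORE1.

# OperatingSystemSKU 12/13/14 = Datacenter/Standard/Enterprise Server Core (Windows Server 2008).
$ServerCoreFilter = 'SELECT * FROM Win32_OperatingSystem WHERE OperatingSystemSKU = 12 OR OperatingSystemSKU = 13 OR OperatingSystemSKU = 14'

function Test-WmiFilter([string]$Query, [string]$Computer) {
    # A GPO WMI filter applies when the query returns at least one instance; if the
    # query fails or returns nothing, the GPO is skipped.
    $result = @(Get-WmiObject -Query $Query -Namespace 'root\cimv2' -ComputerName $Computer)
    $result.Count -gt 0
}

function Get-OsSku([string]$Computer) {
    (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer).OperatingSystemSKU
}

Get-OsSku '.'                                 # e.g. 7 on a full Enterprise installation
Test-WmiFilter $ServerCoreFilter '.'          # False on a full installation
Test-WmiFilter $ServerCoreFilter 'NYC-CORE1'  # True on a Server Core box (assumed name)
```

The filter is evaluated on every policy refresh by every computer the GPO is linked to, which is the cost the key points allude to; an organizational unit that holds only the Server Core systems costs nothing at refresh time and shows its intent in the console.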


Lesson 6 Best Practices for GPOs and Links

Group Policy is at the heart of Active Directory administration. This lesson explores some of the new features of Windows Server 2008 ("Longhorn") Group Policy, most of which apply both to Windows Server 2008 and to Windows Vista.


When to Link to Domains, Sites, and Organizational Units

Key Points GPO links permit the settings in a GPO to take effect and apply to an Active Directory structure.

You cannot directly link a GPO to a group, despite the name. Typically, GPOs are linked to domains, organizational units, or sites.

There is no "forest" object in Active Directory to which you can link a GPO.

Question: Does your organization generally link its GPOs to the domain or to organizational units?

For more information, refer to the Designing a Group Policy Infrastructure article on the Microsoft TechNet, Microsoft Windows Server TechCenter Web site.


GPMC

Key Points The version of the Group Policy Management Console (GPMC) that ships with Windows Server 2008 includes some new features that were not available before.

You can add comments to GPOs as well as to individual policy settings, as long as the settings are in the Administrative Templates node.

The filter capability improves the searchability of the GPO structure.

Windows Vista SP1 unbundles the GPMC from the Windows Vista operating system so that future GPMC updates may be downloaded and installed on both Windows Vista and Windows Server 2008.

If your organization has multiple Group Policy administrators, you might want to explore the Advanced Group Policy Management (AGPM) tool from Microsoft, which enhances the GPMC with more advanced delegation, check-in and check-out, and GPO rollback features. Refer to the reference below for more information.

For more information, refer to the Group Policy Management Console Sample Scripts on the Microsoft Download Center Web site. Also, to learn more about AGPM, refer to the Step-by-Step Guide for Microsoft Advanced Group Policy Management article on the Microsoft TechNet, Resources for IT Professionals Web site.


Central Store for ADMX Files

Key Points ADMX files use XML formatting conventions, like many text files in Windows Server 2008.

The new file structure also separates the language-specific display strings (*.ADML) from the language-independent policy definitions (*.ADMX).

For more information, refer to the How to Create a Central Store for Group Policy Administrative Templates in Windows Vista article, Microsoft Knowledge Base article #929841 on the Microsoft Help and Support Web site. Also, refer to the ADMX Migrator article on the Microsoft Download Center Web site. Finally, refer to the Managing Group Policy ADMX Files Step-by-Step Guide article on the MSDN®, Windows Vista Developer Center Web site.
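Creating the central store and seeding it, as an added example that is not part of the course: it copies the ADMX files into the root of the store and each language's ADML files into the matching sub-folder, then checks that every definition has its display strings. The domain name is an assumption; run it on a machine that has the newest templates locally.

```powershell
# Added example, not part of the course: create the ADMX central store on SYSVOL, seed
# it from this machine's PolicyDefinitions folder, and check ADMX/ADML pairing.
# Assumed: domain contoso.com.

$Domain = 'contoso.com'   # assumed
$Store  = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$Local  = Join-Path $env:SystemRoot 'PolicyDefinitions'

function New-AdmxCentralStore {
    if (-not (Test-Path $Store)) { New-Item -ItemType Directory -Path $Store | Out-Null }
    # ADMX files go in the root; ADML files go in a per-language sub-folder (en-US, de-DE, ...).
    Copy-Item -Path (Join-Path $Local '*.admx') -Destination $Store -Force
    foreach ($lang in Get-ChildItem -Path $Local | Where-Object { $_.PSIsContainer }) {
        $dest = Join-Path $Store $lang.Name
        if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }
        Copy-Item -Path (Join-Path $lang.FullName '*.adml') -Destination $dest -Force
    }
}

function Test-AdmxCentralStore {
    # An ADMX with no ADML in any language shows up in GPMC as "resource ... not found"
    # instead of readable setting names.
    $admx = @(Get-ChildItem -Path $Store -Filter *.admx | ForEach-Object { $_.BaseName })
    $adml = @(Get-ChildItem -Path $Store -Recurse -Filter *.adml | ForEach-Object { $_.BaseName })
    $missing = @($admx | Where-Object { -not ($adml -contains $_) })
    @{ Admx = $admx.Count; Adml = $adml.Count; MissingAdml = $missing }
}

New-AdmxCentralStore
Test-AdmxCentralStore    # MissingAdml should be empty
```

Once the folder exists, every GPMC and Group Policy editor in the domain reads templates from it instead of from the local machine, so it is worth remembering that the store is replicated to every domain controller and writable by anyone with write access to SYSVOL\Policies; keep that to Domain Admins, and update the store deliberately (copy in a new template set, do not let individual administrators drop files there).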


Group Policy Troubleshooting Tools

Key Points You can run Resultant Set of Policy (RSOP) as a standalone console or from within the GPMC or Server Manager. This tool can run in two modes: "what happened" (logging) and "what if" (planning). However, this tool has a known reporting limitation.

Microsoft advises that beginning with Vista SP1, the RSOP report does not show all group policy settings. (It is not clear if Windows Server 2008 is affected nor is it clear which group policy settings are omitted.) Microsoft recommends using the command-line tool gpresult (which comes with Windows Server 2008) to see the full set of group policy settings applied for a computer or user.


Group Policy as an Operating System Service

Key Points The Group Policy operations log replaces the USERENV.LOG file.

Messages that used to appear in the Application log in Windows Server 2003 now appear in the System log in Windows Server 2008, and the detailed operational log is found in Event Viewer under Applications and Services Logs, Microsoft, Windows, GroupPolicy, Operational.

Now that Group Policy is a service, the events that it logs may be used as the basis for triggering a scheduled task.

New Group Policy templates can be applied without restarting the server.

Processing is less resource-intensive than when Group Policy was not a service.

The Group Policy service (gpsvc) runs inside a shared svchost.exe host process, rather than inside Winlogon as the Group Policy engine did in earlier versions.

For more information, refer to the Troubleshooting Group Policy Using Event Logs on the Microsoft Windows Vista TechCenter Web site.


Group Policy "Preferences"

Question: Can you think of some Group Policy settings that you might want to implement as preferences instead of traditional policies?

For more information, refer to the Group Policy Preferences Overview article on the Microsoft Download Center Web site.


Lesson 7 Delegating Active Directory Administration

Although it is purely optional, organizations may choose to delegate Active Directory management to particular groups or users in order to reduce the load on the central IT department. Windows Server 2008 provides a special method for delegating management of an RODC.


Active Directory Delegation

Key Points To create a delegation, in Active Directory Users and Computers, right-click the container (domain or organizational unit) whose management you want to delegate, and then click Delegate Control to start the Delegation of Control Wizard. The wizard only adds access control entries (ACEs) to the container's DACL; it cannot remove them, so undoing a delegation means editing the ACL directly (see Editing Delegations below).

After you have created a delegation with the Delegation of Control Wizard, you can create a custom console (an MMC taskpad view) that displays only the desired tasks, as explained in the reference listed below.

Question: Does your organization delegate any Active Directory functions? Which ones?

For more information, refer to the Create a Delegation Console article on the Microsoft Certified Professional Magazine Online Web site.


Demonstration: Active Directory Delegation

Question: Suppose you have just gone to work for a new company and are in charge of re-evaluating its delegation model. How could you look at each domain and organizational unit and determine whether those structures are presently in a delegated state?


Editing Delegations

Key Points You will need to access the Advanced security properties for the delegated domain or organizational unit to see the relevant Access Control Entries (ACEs).
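The demonstration question above (how to tell whether a domain or organizational unit is presently in a delegated state) and the key point that delegations are just ACEs on the container can be answered together with a script. The following is an added example written for this page, not code from the course or from Microsoft: it walks every organizational unit (and the domain head), reads the DACL through System.DirectoryServices, and prints only the explicit, non-inherited ACEs whose trustee is not one of the principals that appear in a default OU DACL. The baseline list and the regular expression for the admin groups are assumptions you should tune to your environment; the script assumes PowerShell 2.0 and a domain-joined machine.

```powershell
# Added example (not part of the course): find delegated ACEs on OUs and the domain head.
# Delegation of Control writes explicit ACEs on the container; inherited ACEs come
# from parents, so only explicit ones are reported.

# Trustees present in a default OU DACL (assumption: extend for your forest).
$baseline = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone'
)

function Get-DelegatedAces {
    param([string]$SearchBase = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = '(|(objectClass=organizationalUnit)(objectClass=domainDNS))'
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($result in $searcher.FindAll()) {
        $dn    = [string]$result.Properties['distinguishedname'][0]
        $entry = $result.GetDirectoryEntry()
        # GetAccessRules(includeExplicit, includeInherited, targetType): explicit only.
        $rules = $entry.ObjectSecurity.GetAccessRules($true, $false,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference
            # An orphaned SID (deleted group that was once delegated) is itself a finding,
            # so keep the raw SID when it no longer resolves.
            try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $sid.Value }
            if ($baseline -contains $who) { continue }
            if ($who -match '\\(Domain Admins|Enterprise Admins)$') { continue }
            New-Object PSObject -Property @{
                Object      = $dn
                Trustee     = $who
                Type        = $rule.AccessControlType          # Allow / Deny
                Rights      = $rule.ActiveDirectoryRights
                ObjectType  = $rule.ObjectType                 # attribute/class/right GUID, or all zeros = all
                Inheritance = $rule.InheritanceType
            }
        }
    }
}

Get-DelegatedAces |
    Sort-Object Object, Trustee |
    Format-Table -AutoSize Object, Trustee, Type, Rights, ObjectType, Inheritance
```

A non-empty ObjectType GUID identifies a specific attribute, object class or extended right (for example "Reset Password"); resolving it means looking up rightsGuid under CN=Extended-Rights in the configuration partition or schemaIDGUID in the schema. Inherited ACEs are deliberately excluded: a delegation made at the domain head shows up once, at the domain head, not on every OU beneath it.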


Delegating Management of an RODC

Key Points You can create a delegated administrator for an RODC after building the RODC, also. Refer to the article listed below for more information.

This technique adheres to the principle of least privilege: a user or group does not need to belong to Domain Admins to manage an RODC, for example to modify the machine's device driver configuration or install updates. The delegated administrator is recorded in the managedBy attribute of the RODC's computer object (the Managed By tab in Active Directory Users and Computers), either during the Active Directory Domain Services Installation Wizard or afterwards, and the delegation grants local administrator rights on that RODC only, never on a writeable domain controller.

For more information, refer to the Administrator Role Separation Configuration article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Lab: Managing AD DS

Exercise 1: Offline Defragging of the Active Directory Database

Scenario New management has taken over at Woodgrove Bank and the new directors are eager to make changes in the organization. Four specific goals have been set for the Active Directory team:

• Improve the Active Directory server uptime

• Reduce logon times

• Reduce replication delays between sites

• Improve the coordination of Group Policy management

Exercise Overview In this exercise, you will perform an offline defragmentation of the NTDS database. In conjunction with the new directive to improve Active Directory server uptime, you need to minimize server downtime during this regularly scheduled maintenance activity. Windows Server 2008 enables you to reduce downtime by stopping and starting AD DS without bringing down the entire server. Therefore, services on the domain controller that do not depend on AD DS do not have to be interrupted while the Active Directory database is being maintained. Be aware that services with a dependency on AD DS, including the DNS Server service, the Kerberos Key Distribution Center and Intersite Messaging, are stopped together with it and must be restarted afterwards.

The main tasks for this exercise are as follows:

1. Stop AD DS via Server Manager.

2. Perform a defragmentation without rebooting.

3. Restart AD DS via Server Manager.

Task 1: Stop AD DS via Server Manager • Start NYC-DC1.

• Log on to NYC-DC1 as WoodgroveBank\Administrator with the password of Pa$$w0rd.

• In the Server Manager navigation pane, expand Roles and select Active Directory Domain Services.

• Stop the AD DS service and its dependent services.

Task 2: Perform a defragmentation without rebooting • Open a command prompt and run ntdsutil.

• Run the activate instance ntds command.

• Run the files command.

• Run the info command. Note the size of the database NTDS.DIT.

• To begin the compaction procedure, run the compact to c:\windows command. (ntdsutil writes a compacted copy to the target folder and leaves the original in place. In production, choose a folder with at least as much free space as the current NTDS.DIT, and take a system state backup before you start.)

• Quit ntdsutil.

• Open a command prompt and copy ntds.dit from c:\windows to c:\windows\ntds, overwriting the existing version. Then delete the old transaction log files (*.log) in c:\windows\ntds; they belong to the previous copy of the database. Before restarting AD DS, verify the new file by running ntdsutil again with activate instance ntds, files, and integrity.

• Exit the command prompt.

Task 3: Restart AD DS via Server Manager • Back in the Server Manager window, start the AD DS service.

• Leave NYC-DC1 running for future labs.
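The three tasks above are a single procedure, so here it is as one script. This is an added example written for this page, not the lab's own steps or Microsoft code: it stops AD DS and records which dependent services went down with it, compacts NTDS.DIT to a scratch folder with ntdsutil, swaps the compacted file in, removes the stale transaction logs, runs the integrity and semantic checks, and restarts everything. It assumes the default database location (%SystemRoot%\NTDS), a scratch folder C:\NtdsCompact, PowerShell 2.0, and an elevated prompt on the domain controller. ntdsutil accepts its commands as arguments, which is what makes this scriptable; if a path contains spaces it must be wrapped in embedded quotes.

```powershell
# Added example (not from the course): offline defragmentation without a reboot.
$NtdsDir    = Join-Path $env:SystemRoot 'NTDS'
$CompactDir = 'C:\NtdsCompact'                # scratch location (assumption)
$Dit        = Join-Path $NtdsDir 'ntds.dit'

# 1. Pre-flight: the compacted copy needs at least as much free space as the
#    current database on the scratch volume. A system state backup is still expected.
$ditSize = (Get-Item $Dit).Length
$volume  = Split-Path $CompactDir -Qualifier     # e.g. "C:"
$free    = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$volume'").FreeSpace
if ($free -lt $ditSize) {
    throw ("Not enough free space on {0} for a {1:N0} MB copy" -f $volume, ($ditSize / 1MB))
}
New-Item -ItemType Directory -Path $CompactDir -Force | Out-Null

# 2. Stop AD DS. Remember which dependents (DNS, KDC, IsmServ, DFSR/NtFrs) were
#    running, because Start-Service does not start dependents on its own.
$ntds       = Get-Service NTDS
$dependents = @($ntds.DependentServices | Where-Object { $_.Status -eq 'Running' } |
                ForEach-Object { $_.Name })
Stop-Service NTDS -Force                       # -Force stops the dependents as well

# 3. Compact to the scratch folder; the original stays untouched until step 4.
& ntdsutil "activate instance ntds" files "compact to $CompactDir" quit quit | Write-Host
$compacted = Join-Path $CompactDir 'ntds.dit'
if (-not (Test-Path $compacted) -or (Get-Item $compacted).Length -eq 0) {
    Start-Service NTDS
    $dependents | ForEach-Object { Start-Service $_ }
    throw 'Compaction did not produce a database; original left in place, AD DS restarted'
}

# 4. Swap the compacted file in (keeping a fallback copy) and delete the old
#    transaction logs: they belong to the previous database and would be rejected.
Copy-Item $Dit "$Dit.bak" -Force
Copy-Item $compacted $Dit -Force
Get-ChildItem $NtdsDir -Filter '*.log' | Remove-Item -Force

# 5. Verify before bringing the directory back. 'integrity' checks the ESE file
#    structure; semantic database analysis checks directory-level consistency.
& ntdsutil "activate instance ntds" files integrity quit quit | Write-Host
& ntdsutil "activate instance ntds" "semantic database analysis" "verbose on" go quit quit | Write-Host

# 6. Restart AD DS and the services that were stopped with it.
Start-Service NTDS
$dependents | ForEach-Object { Start-Service $_ }

# 7. Report the result of the exercise.
"ntds.dit: {0:N0} bytes before, {1:N0} bytes after" -f $ditSize, (Get-Item $Dit).Length
```

Read the ntdsutil output at step 5 before trusting the result; if either check reports errors, restore the .bak copy (and a system state backup if necessary) rather than starting AD DS on a suspect database. If this is the only domain controller in the domain, plan for the fact that while AD DS is stopped you can only log on with the Directory Services Restore Mode administrator account.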


Results: The successful completion of the exercise results in a properly defragmented Active Directory database with minimal server downtime.


Exercise 2: Evaluating an RODC with Read-Only DNS Solution

Scenario The scenario is the same as in Exercise 1, but more details have been provided about a new branch opening in Miami, Florida. The branch will connect to the NYC domain over a WAN link that is planned to operate at sub-T1 speeds. The new branch office will have 140 employees, all of whom will be domain members in Active Directory. Many of the employees will be in service positions where quick logon and logoff performance will be desired to minimize customer wait time.

Exercise Overview In this exercise, you will discuss some of the questions that might meet the second goal laid out in the IT goals document. The goal is to reduce logon times, specifically for employees in the new Miami branch. (Depending on class size, the instructor may break the class into smaller groups for purposes of generating discussion.)

Task: Discuss the following questions • Generally speaking, where should you consider installing an RODC?

• Do all RODCs need to be running DNS?

• Should more than one RODC be running DNS in a given location?

• Should Woodgrove Bank consider a caching-only DNS server before an RODC?

• Use the space provided below to write the key points of the discussion.

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________


Results: The successful completion of this exercise results in you having explained the pros and cons of using RODCs to reduce logon times.


Exercise 3: Making Site Replication Decisions

Scenario The scenario is the same as in Exercise 1, but you need to reduce replication delays, specifically between the NYC and the Miami sites.

Exercise Overview The main tasks for this exercise are as follows:

1. Create a site for the Miami location.

2. Move the MIA-RODC server to the Miami site.

3. Modify the replication schedule to the Miami site to reduce latency.

Task 1: Create a site for the Miami location • On NYC-DC1, in the Server Manager navigation pane, expand Roles, Active Directory Domain Services, Active Directory Sites and Services, and Sites. (If you receive an error, stop and restart Server Manager.)

• Expand Default-First-Site-Name and Servers.

• Open the Servers node and view the results in the details pane.

• Create a new site named FloridaSite and associate it with the DEFAULTIPSITELINK.

Task 2: Move the MIA-RODC server to the Miami site Drag and drop the MIA-RODC server object from Default-First-Site-Name into FloridaSite.

Task 3: Modify the replication schedule to the Miami site to reduce latency • Under the Sites node, expand Inter-Site Transports and select the IP container.

• Navigate to the properties page for DEFAULTIPSITELINK. In the Replicate every field, change the value from 180 minutes to 60 minutes.


• Modify the replication schedule to exclude the time period from noon to 4:00pm for all days.

• Leave NYC-DC1 running for future labs.

Results: After this exercise, the replication schedule between the default site and the Florida site has been modified to reduce latencies in the propagation of Active Directory information between the sites.


Exercise 4: Group Policy Link Strategies

Exercise Overview In this exercise, you will discuss the pros and cons of linking GPOs at different levels.

Task: Discuss the pros and cons of linking GPOs at different levels • Pros and cons of linking GPOs at the domain level.

• Pros and cons of linking GPOs at the site level.

• Pros and cons of linking GPOs at the organizational unit level.

• Use the space below to write the key points of the discussion.

______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Results: The successful completion of this exercise results in you having explained the pros and cons of linking GPOs at different levels in the Active Directory structure.


Lab Review


Maintaining Security for Active Directory® Servers 5-1

Module 5 Maintaining Security for Active Directory® Servers

Contents: Lesson 1: Server Hardening Techniques 5-3

Lesson 2: Using the MBSA to Discover and Remove Security Holes 5-10

Lesson 3: Using Fine-Grained Password Policies to Simplify Network Organization 5-15

Lesson 4: Planning Security Auditing 5-21

Lesson 5: Enhancing Physical Security 5-24

Lab: Maintaining Security for Active Directory Servers 5-29


Module Overview

Active Directory security is a process. It involves server hardening, periodic retesting and auditing, taking advantage of new features Microsoft® has built into Windows Server® 2008, and improving the physical security of Active Directory servers. This module looks at all of these aspects of the Active Directory security process.


Lesson 1 Server Hardening Techniques

Windows Server 2008 represents an advance over Microsoft Windows Server 2003 in that server roles, including Active Directory roles, are more secure after having been installed via Server Manager. However, every organization's needs are different, and many ways exist to secure Active Directory servers beyond the default settings.


Manual Hardening Techniques

Key Points Although the Security Configuration Wizard (SCW) is still present in the Windows Server 2008 distribution, its use is less urgent than with Windows Server 2003 and Microsoft considers it optional now.

You can apply manual hardening techniques to the creation of Active Directory server images, or deploy settings "after the fact" via Group Policy.

Microsoft has already done some hardening behind the scenes with techniques such as Address Space Layout Randomization (ASLR), per-service Security Identifiers (SIDs), and Windows® Resource Protection (WRP).

For more information, refer to the WS2008: Dynamic Link Library Loader and Address Space Load Randomization article on the Microsoft TechNet Askperf blog Web site. Also, refer to the Windows Resource Protection article on the MSDN® Library Web site.


Applying Security Templates

Key Points The Group Policy Object (GPO) Accelerator debuted in the Windows Vista® Security Guide (see reference below). The tool is essentially unchanged in the Windows Server 2008 Security Guide.

The GPOAccelerator saves a lot of time compared to the older method of using INF templates and the Security snap-ins.

You should run the GPOAccelerator on test machines because it creates organizational units and GPOs that you might not want to deploy on a production system.

Question: Has your organization ever used custom security templates with Windows Server 2003 or Windows XP? If so, why?

For more information, refer to the Windows Vista Security Guide on the Microsoft Download Center Web site. Also, refer to the Windows Server 2008 Security Guide on the Microsoft Download Center Web site.


For more information on the GPOAccelerator, refer to the Microsoft Download Center, the GPOAccelerator Web site.


Server Organizational Unit Placement

Key Points Most organizations do not dedicate servers to one specific function; however, many templates and security tools presume this to be the case.

You can use a modified organizational unit model that takes practical realities into account. For example, you could design an organizational unit named "Infrastructure Servers" that would include settings relevant for DNS and DHCP systems.

Active Directory servers are more likely to benefit, from the security standpoint, from being segregated by role from other functions such as infrastructure services. This is why Microsoft, for example, provides a default domain controller policy object in a "vanilla" Active Directory installation.


ACL Deployment via Group Policy

Key Points Group Policy-based Access Control List (ACL) changes provide a way of bringing consistency to Active Directory servers that might exhibit inconsistent file system security due to different source images and/or installation methods (clean versus upgrade).

Active Directory Rights Management Services (AD RMS) integrates with Active Directory Federation Services (AD FS), so you can deploy rights management restrictions to federated users in a separate Active Directory forest.


Group Policy Device Restrictions

Key Points Device driver installation restrictions do not affect users with systems that have already had the subject device drivers installed. Therefore, you will normally want to deploy both device driver installation restrictions, and removable device use restrictions. These are two separate areas in Windows Server 2008 Group Policy. These restrictions are especially relevant for Active Directory servers due to the importance of the data they contain (for example, NTDS.DIT).

For more information, refer to the Step-By-Step Guide to Controlling Device Installation Using Group Policy article on the MSDN Library Web site.


Lesson 2 Using the MBSA to Discover and Remove Security Holes

For years, organizations have used the Microsoft Baseline Security Analyzer (MBSA) as a method for auditing patch currency and identifying system vulnerabilities. It remains a useful tool for those purposes.


MBSA Overview

Key Points The "other Windows Update Agent (WUA) tools" include the following:

• Microsoft Update

• Windows Software Update Service (WSUS)

• Systems Management Server (SMS) Inventory Tool for Microsoft Updates (ITMU), although ITMU does not rely on MBSA for scanning as of SMS 2003 SP1.

Various versions of MBSA are in circulation:

• 2.1: All versions from Windows 2000 through Windows Vista and Windows Server 2008, including 64-bit editions

• 2.0.1: Compatible with the newer offline scan file wsusscn2.cab, but not with Windows Vista or Windows Server 2008 (code-named "Longhorn")

• 1.2.1: Use only if you must still scan Windows NT 4.0, Exchange Server 5.0 or 5.5, or Microsoft Office 2000 systems

Different ways you can use MBSA include:

• When building custom security templates.

• As a last check to make sure nothing significant has been forgotten.


• As a periodic check to make sure that security updates are propagating through your network.

Although MBSA scans computers one after another rather than simultaneously, you can make a list of computer names or IP addresses (one per line) and use the following command to scan every system in the list:

mbsacli /listfile <name of file>

The same command-line tool accepts /d <domain> to scan every computer in a domain and /r <start IP>-<end IP> to scan an address range, which makes it easy to schedule periodic scans and keep the XML reports for comparison.

For more information, refer to the MBSA newsgroup "microsoft.public.security.baseline_analyzer" on news.microsoft.com.


Managing Windows Server 2008 Updates

Key Points You can perform offline scans but be aware that a new offline scan file is available (wsusscn2.cab) that supersedes the previous Windows Update offline scan file, Wsusscan.cab.

For more information, refer to the Windows Server Update Services 3.0 article on the Microsoft TechNet, Microsoft Windows Server TechCenter Web site.


Proper Hardening Procedures

Key Points Some of the administrative vulnerabilities that MBSA flags include Windows Firewall status, automatic updates status, enforcement of strong passwords, and the presence of enabled but unsecured Guest accounts.

For more information, refer to the MBSA 2.0 Frequently Asked Questions page on the Microsoft TechNet Web site.


Lesson 3 Using Fine-Grained Password Policies to Simplify Network Organization

Many organizations have deployed multiple domains in order to meet the requirement to have more than one set of password policies. Windows Server 2008 permits administrators, for the first time, to deploy multiple sets of password policies within a single domain. Given that fewer domains generally means easier administration and simpler Active Directory management, this new capability could be significant for many Active Directory-based organizations.


Password Policies in Windows Server 2003

Key Points Technically, you could create GPOs with password policy settings and link them to individual organizational units. However, domain controllers read the password and account lockout settings for domain accounts only from GPOs linked at the domain level; a password policy linked to an OU affects nothing but the local SAM accounts of the member computers in that OU.

In Windows 2000 Server and Windows Server 2003, therefore, password policies and account lockout policies were set at the domain level, in the Default Domain Policy object.

One can debate the meaning of "security boundary" (the forest is the true security boundary in many ways), but the domain was the boundary for setting password policies in Active Directory.

Question: Has your organization wrestled with unifying its password policies in order to keep the total number of Active Directory domains to a minimum?

For more information, refer to the Security Watch: Windows Domain Password Policies article on the Microsoft TechNet, TechNet Magazine, December 2007 Web site.


Implementing Fine-Grained Password Policies Overview

Key Points Caveat: The major constraint for many organizations will be the domain functional level (DFL) requirement. Fine-grained password policies need a DFL of Windows Server 2008, which means every domain controller in the domain must first be upgraded or replaced.

Tip: You do not have to create a shadow group that mirrors the membership of an organizational unit. That is simply the recommended practice. The thing to remember is that fine-grained password policies are Password Settings Objects (PSOs) stored in CN=Password Settings Container,CN=System under the domain, and each PSO applies only to the users and global security groups listed in its msDS-PSOAppliesTo attribute. They never apply to an Active Directory structural unit (domain, organizational unit, or site), so in that sense they are not like traditional Group Policy settings. When several PSOs could apply to one user, a PSO linked directly to the user wins over any inherited from a group, and among the remaining candidates the one with the lowest msDS-PasswordSettingsPrecedence value wins; the user's effective PSO can be read from the constructed attribute msDS-ResultantPSO.

For more information, refer to the AD DS: Fine-Grained Password Policies article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site. Also, refer to the Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration article, which is also on the Windows Server 2008 Technical Library Web site.


Password Policy Defaults

Key Points The time-based settings above (minimum and maximum password age, lockout duration and lockout observation window) are displayed by ADSI Edit in days:hours:minutes:seconds format. The directory itself stores them as negative 64-bit integers counting 100-nanosecond intervals, so a maximum password age of 42 days is stored as -36288000000000, and the special value -9223372036854775808 (the most negative 64-bit integer) means "never" for a maximum age or "until an administrator unlocks" for a lockout duration.
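The two preceding topics (how PSOs are linked and how their durations are encoded) are easiest to see in a working script. The following is an added example written for this page, not course material or Microsoft code: it converts human-readable durations to the negative 100-nanosecond encoding, generates a PSO in LDIF, imports it with ldifde.exe (which ships with Windows Server 2008), and then queries msDS-ResultantPSO to confirm which PSO is effective for a user. The PSO name, the "Service Accounts" group, the svc-backup user and the chosen values are assumptions; the domain is read from RootDSE. It requires a Windows Server 2008 domain functional level and Domain Admins rights, and assumes PowerShell 2.0.

```powershell
# Added example (not from the course): create a PSO via LDIF and verify it.

function ConvertTo-PsoInterval {
    # PSO durations are negative Int64 counts of 100-ns ticks (TimeSpan.Ticks is
    # already in 100-ns units). -Never returns the Int64.MinValue sentinel that
    # means "password never expires" / "locked out until an administrator unlocks".
    param([int]$Days = 0, [int]$Hours = 0, [int]$Minutes = 0, [switch]$Never)
    if ($Never) { return [int64]::MinValue }
    return -1 * (New-TimeSpan -Days $Days -Hours $Hours -Minutes $Minutes).Ticks
}

function New-PsoLdif {
    param(
        [string]$Name, [string]$DomainDn, [int]$Precedence, [string[]]$AppliesTo,
        [int]$MinLength, [int]$HistoryLength, [int64]$MaxAge, [int64]$MinAge,
        [int]$LockoutThreshold, [int64]$LockoutWindow, [int64]$LockoutDuration
    )
    # Durations are negative, so "shorter" means numerically greater. The DC rejects a
    # PSO whose minimum age is not shorter than its maximum, or whose lockout duration
    # is shorter than the observation window; fail early with a readable message.
    if ($MaxAge -ne [int64]::MinValue -and $MinAge -le $MaxAge) {
        throw 'Minimum password age must be shorter than the maximum password age'
    }
    if ($LockoutThreshold -gt 0 -and $LockoutDuration -ne [int64]::MinValue -and
        $LockoutDuration -gt $LockoutWindow) {
        throw 'Lockout duration must be at least as long as the observation window'
    }
    $lines = @(
        "dn: CN=$Name,CN=Password Settings Container,CN=System,$DomainDn",
        'changetype: add',
        'objectClass: msDS-PasswordSettings',
        "msDS-PasswordSettingsPrecedence: $Precedence",
        'msDS-PasswordReversibleEncryptionEnabled: FALSE',
        'msDS-PasswordComplexityEnabled: TRUE',
        "msDS-MinimumPasswordLength: $MinLength",
        "msDS-PasswordHistoryLength: $HistoryLength",
        "msDS-MaximumPasswordAge: $MaxAge",
        "msDS-MinimumPasswordAge: $MinAge",
        "msDS-LockoutThreshold: $LockoutThreshold",
        "msDS-LockoutObservationWindow: $LockoutWindow",
        "msDS-LockoutDuration: $LockoutDuration"
    )
    foreach ($dn in $AppliesTo) { $lines += "msDS-PSOAppliesTo: $dn" }   # users or global groups
    return ($lines -join "`r`n") + "`r`n"
}

function Get-ResultantPso {
    # msDS-ResultantPSO is a constructed attribute: it is only returned when asked for
    # by name, and the DC computes precedence across the user's group memberships.
    param([string]$SamAccountName)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    $s.PropertiesToLoad.AddRange(@('msDS-ResultantPSO', 'msDS-PSOApplied'))
    $r = $s.FindOne()
    if ($r -eq $null) { return $null }
    $pso = $r.Properties['msds-resultantpso']         # result keys are lower-case
    if ($pso.Count -eq 0) { return 'Default Domain Policy (no PSO applies)' }
    return [string]$pso[0]
}

# --- Usage: a stricter policy for service accounts (values are assumptions) ---
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$ldif = New-PsoLdif -Name 'PSO-ServiceAccounts' -DomainDn $domainDn -Precedence 10 `
    -AppliesTo @("CN=Service Accounts,OU=Groups,$domainDn") `
    -MinLength 20 -HistoryLength 24 `
    -MaxAge (ConvertTo-PsoInterval -Days 90) -MinAge (ConvertTo-PsoInterval -Days 1) `
    -LockoutThreshold 10 -LockoutWindow (ConvertTo-PsoInterval -Minutes 30) `
    -LockoutDuration (ConvertTo-PsoInterval -Minutes 30)

$file = Join-Path $env:TEMP 'pso-serviceaccounts.ldf'
[IO.File]::WriteAllText($file, $ldif, [Text.Encoding]::ASCII)
& ldifde -i -f $file -k            # -k: ignore "object already exists" on re-runs
Get-ResultantPso -SamAccountName 'svc-backup'
```

Keep the LDIF file: it documents the policy exactly as the directory stores it, and re-importing it with -k is idempotent. The precedence value is what resolves conflicts between group-linked PSOs, so give the strictest policies the lowest numbers.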


Managing Effective Passwords

Key Points Password security is becoming ever more important in Active Directory environments because user account credentials are used in more ways; for example, through AD FS the same domain credentials can grant access to web applications in a partner organization's forest without a separate account there, so one weak password now exposes resources beyond your own forest.

Your organization might also need to consider identity integration products that can manage accounts and passwords for multiple systems in a single "clearinghouse" such as Microsoft Identity Lifecycle Manager (ILM) 2007.

ILM 2007 extends the previous Microsoft Identity Integration Server (MIIS) 2003 product and provides account and password synchronization, user provisioning, and certificate management.

Question: What password policies does your organization use? Do your users find these easy or difficult to comply with?

For more information, refer to the Account Lockout and Password Concepts article on the Microsoft TechNet, Microsoft Windows Server TechCenter, Windows Server 2003 R2 Technical Library Web site. Also, refer to the Microsoft Identity Lifecycle Manager 2007 FP1 article on the Microsoft Identity Lifecycle Manager Home Web site.


Lesson 4 Planning Security Auditing

Security auditing in Active Directory is an important component of an overall Active Directory security management plan. Windows Server 2008 brings new and useful auditing capabilities but requires knowledge of a command-line tool to implement them.


New AD DS Auditing Capabilities

Key Points You must be an administrator to modify auditing settings.

The global policy "Audit directory service access" controls whether directory service auditing is on or off (the default for Windows Server 2008 is "on").

You control which Active Directory Domain Services (AD DS) objects get audited by setting a system access control list (SACL) on those objects, via the Advanced button on the Security tab of the object's properties page (Advanced Features must be enabled on the View menu). The audit policy only switches the mechanism on; without a SACL entry on the object, nothing is logged.

Windows 2000 Server and Windows Server 2003 only logged the name of a changed attribute. Windows Server 2008 can log the old and new values of a changed attribute.

Modifications to directory service objects were logged in those versions with event ID 566. Windows Server 2008 logs object access under the Directory Service Access subcategory with event ID 4662, and the new Directory Service Changes subcategory adds events 5136 through 5139, which carry the attribute values.


Using AUDITPOL.EXE

Key Points All four audit subcategories of the DS Access category (Directory Service Access, Directory Service Changes, Directory Service Replication, and Detailed Directory Service Replication) are enabled when you enable the global policy "Audit directory service access." AUDITPOL.EXE is the only tool in Windows Server 2008 that can set the subcategories individually; note that a subcategory set with AUDITPOL is overwritten by a category-level Group Policy setting unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.

The subcategory "Directory service changes" encompasses four types of changes:

• Modify (event ID 5136)

• Create (event ID 5137)

• Undelete (event ID 5138)

• Move (event ID 5139)

You could use AUDITPOL to disable the "Directory service changes" subcategory if the additional information is not useful to your organization, but you still want to log Directory Services object changes as was done in Windows Server 2003 and Windows Server 2000.
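The complete chain (subcategory policy, SACL on the object, events to read) as an added example written for this page, not code from the course or from Microsoft. It enables the Directory Service Changes subcategory with auditpol.exe, adds an audit entry to an OU's SACL through System.DirectoryServices so that writes to the user objects beneath it are audited, and pulls the resulting 5136 through 5139 events with wevtutil.exe; all three tools ship with Windows Server 2008. The OU name is an assumption; the class GUID used to scope the entry to user objects is the schemaIDGUID of the user class. Run it elevated on a domain controller, since changing a SACL requires the "Manage auditing and security log" privilege.

```powershell
# Added example (not from the course): turn on directory change auditing end to end.
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$ouDn     = "OU=Finance,$domainDn"                       # assumed OU

# 1. Subcategory policy. 'auditpol /get' afterwards is the check that it stuck; if a
#    GPO sets the DS Access category, the subcategory override option must be on.
& auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
& auditpol /get /category:"DS Access"

# 2. SACL on the OU. Ask for the SACL explicitly: by default DirectoryEntry reads
#    only owner, group and DACL, and a commit would silently leave the SACL alone.
$ou = [ADSI]"LDAP://$ouDn"
$ou.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Owner,Group,Dacl,Sacl'
$ou.RefreshCache()

$everyone  = New-Object System.Security.Principal.SecurityIdentifier(
                 [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty,Delete,WriteDacl,WriteOwner',
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)                                           # only descendant user objects
$ou.ObjectSecurity.AddAuditRule($rule)
$ou.CommitChanges()

# Verify: list the audit entries now present on the OU.
$ou.ObjectSecurity.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize

# 3. Read the change events. 5136 = Modify, 5137 = Create, 5138 = Undelete, 5139 = Move.
#    A 5136 names the attribute, the value and whether it was added or deleted, plus the
#    subject; an attribute replacement therefore produces two 5136 events.
$query = '*[System[(EventID=5136 or EventID=5137 or EventID=5138 or EventID=5139)]]'
& wevtutil qe Security "/q:$query" /c:20 /rd:true /f:text
```

To see the entries appear, change the description of a user under the OU and re-run step 3. The same wevtutil query, saved as a custom view or pulled by a collector, is the basis for alerting on changes to sensitive groups or on attribute writes nobody should be making.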

For more information, refer to the Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.
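The following script is an added example for the two preceding pages, written for this edition and not taken from the course or from Microsoft. It enables the Directory Service Changes subcategory with Auditpol.exe, places a SACL on an OU so that the policy has something to report, and then reads the resulting 5136 events and pairs the "Value Deleted" and "Value Added" records by correlation ID. The OU name (OU=CorpAccts,DC=woodgrovebank,DC=com), the domain, and the two operation-type resource codes (%%14674 and %%14675) are assumptions to confirm on your own domain controller.

```powershell
# Added example (not Microsoft's or the course's own code).
# Run in an elevated PowerShell 2.0 session on a Windows Server 2008 domain controller.
# Assumed: OU=CorpAccts,DC=woodgrovebank,DC=com exists; you hold SeSecurityPrivilege.

# 1. Turn on the subcategory that records old and new attribute values, then show the
#    state of all four DS Access subcategories. Enable the "Audit: Force audit policy
#    subcategory settings ..." security option so Group Policy does not undo this.
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null
auditpol /get /category:"DS Access"

# 2. Put a SACL on the OU: audit successful property writes by Everyone (S-1-1-0)
#    on the OU and everything beneath it. Without a SACL the policy logs nothing.
$ouPath   = "LDAP://OU=CorpAccts,DC=woodgrovebank,DC=com"          # assumed OU
$ou       = New-Object System.DirectoryServices.DirectoryEntry($ouPath)
$ou.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl  # read/write the SACL part only
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$flags    = [System.Security.AccessControl.AuditFlags]::Success
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $everyone, $rights, $flags, $inherit
$ou.ObjectSecurity.AddAuditRule($rule)
$ou.CommitChanges()

# 3. Summarize recent 5136 events as "attribute: old -> new" by joining the two
#    per-value records through OpCorrelationID. The operation codes below are the
#    values seen on Windows Server 2008 (assumption; check one raw event on your DC).
function Get-DsChangeSummary {
    param([int]$MaxEvents = 200)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents $MaxEvents
    $byOp = @{}
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $key = $d['OpCorrelationID'] + '|' + $d['AttributeLDAPDisplayName']
        if (-not $byOp.ContainsKey($key)) {
            $byOp[$key] = @{ Time = $e.TimeCreated; Who = $d['SubjectUserName']; Object = $d['ObjectDN'];
                             Attr = $d['AttributeLDAPDisplayName']; Old = $null; New = $null }
        }
        switch ($d['OperationType']) {
            '%%14674' { $byOp[$key].New = $d['AttributeValue'] }   # Value Added
            '%%14675' { $byOp[$key].Old = $d['AttributeValue'] }   # Value Deleted
        }
    }
    foreach ($v in $byOp.Values) { New-Object PSObject -Property $v }
}

Get-DsChangeSummary | Sort-Object Time -Descending |
    Format-Table Time, Who, Object, Attr, Old, New -AutoSize
```

A row with Old set and New empty is an attribute that was cleared; New set and Old empty is a value that was added to an empty or multi-valued attribute. Setting the SecurityMasks to Sacl before touching ObjectSecurity matters: DirectoryEntry reads only owner, group and DACL by default, so without it the audit rule would not be written.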


Lesson 5 Enhancing Physical Security

Active Directory servers might contain a great deal of data about an organization's network. The consequences of having that data compromised could be severe. One component of any Active Directory security plan should be a physical security plan.


RODC and Physical Security

Key Points

Even though a Read-Only Domain Controller (RODC) might require less physical security than a writeable domain controller, you should consider the impact on user downtime if an RODC is compromised or stolen. Treat every credential the RODC had cached as exposed: when you delete the stolen RODC's computer account in Active Directory Users and Computers, accept the offer to reset the passwords of the user and computer accounts that were cached on it, and export that list for follow-up.

Any organization that uses RODCs should have a procedure in place for quickly putting a new RODC online if something happens to an existing RODC; for example, a step-by-step guide for running DCPROMO with the appropriate options on a member server, or a pre-created RODC account that lets a delegated branch administrator finish the promotion without Domain Admins credentials.

At least one writeable domain controller in the domain must be running Windows Server 2008, the forest functional level must be Windows Server 2003 or higher, and adprep /rodcprep must have been run before an RODC can be deployed.

Although physical security concerns might be the prime reason to consider deploying RODCs, remember that logon performance can be another reason, especially when the branch office has poor network connectivity to a hub site.


RODC and Cached Credentials

Key Points

Which credentials an RODC may cache is governed by its Password Replication Policy (PRP), which you edit on the Password Replication Policy tab of the RODC's computer account. By default the allow list contains only the Allowed RODC Password Replication Group (empty when created), and the deny list contains the Denied RODC Password Replication Group, which holds the administrative groups such as Domain Admins, Enterprise Admins and Schema Admins; a deny entry always wins over an allow entry. That is why RODCs do not store administrator credentials.

Remember that any application that stores data in Active Directory could conceivably replicate that data to an RODC and create a security risk. In such cases, add the attribute to the RODC filtered attribute set (RFAS) by setting bit 0x200 in the attribute's searchFlags in the schema; Microsoft also recommends marking it confidential (bit 0x80) so that only accounts with explicit control access can read it even from a writeable domain controller. You might need guidance from the application developer to decide which attributes qualify. Two caveats: system-critical attributes cannot be added to the RFAS, and the set is only enforced against a compromised RODC once the forest functional level is Windows Server 2008, because Windows Server 2003 domain controllers do not honor it.

For more information, refer to the Appendix D: Steps to Add an Attribute to the RODC Filtered Attribute Set article, on the Microsoft TechNet, Windows Server 2008 Technical Library, Active Directory Domain Services, Step-by-Step Guide for Read-Only Domain Controllers Web site.
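The following script is an added example for this page, written for this edition rather than taken from the course or from Microsoft's Appendix D. It marks a schema attribute as RODC-filtered and confidential by setting the two searchFlags bits named above, preserving any bits already set. The forest name woodgrovebank.com and the vendor attribute custApp-ApiSecret are assumptions.

```powershell
# Added example (not Microsoft's or the course's own code).
# Run as a member of Schema Admins; the write is directed to the schema master.
# Assumed: attribute CN=custApp-ApiSecret,CN=Schema,CN=Configuration,DC=woodgrovebank,DC=com

$RodcFiltered = 0x200   # searchFlags bit: member of the RODC filtered attribute set
$Confidential = 0x80    # searchFlags bit: reads require CONTROL_ACCESS (confidential)

function Add-ToRodcFilteredAttributeSet {
    param([Parameter(Mandatory=$true)][string]$AttributeDn)
    $attr = [ADSI]"LDAP://$AttributeDn"
    $current = 0
    if ($attr.searchFlags.Value -ne $null) { $current = [int]$attr.searchFlags.Value }
    if ($current -band $RodcFiltered) {
        Write-Warning ("{0} is already RODC-filtered (searchFlags=0x{1:X})" -f $AttributeDn, $current)
        return $current
    }
    # OR the two bits in rather than overwriting, so flags such as "indexed" (0x1) survive.
    $updated = $current -bor $RodcFiltered -bor $Confidential
    $attr.Put("searchFlags", $updated)
    $attr.SetInfo()
    return $updated
}

$dn    = "CN=custApp-ApiSecret,CN=Schema,CN=Configuration,DC=woodgrovebank,DC=com"
$flags = Add-ToRodcFilteredAttributeSet -AttributeDn $dn
$isFiltered     = [bool]($flags -band $RodcFiltered)
$isConfidential = [bool]($flags -band $Confidential)
"{0}: searchFlags now 0x{1:X} (RODC filtered: {2}, confidential: {3})" -f $dn, $flags, $isFiltered, $isConfidential
```

The change takes effect on each domain controller once the schema partition has replicated to it. Marking the attribute confidential also changes who can read it on writeable domain controllers (by default only administrators and accounts granted control access), so check that the application's own service account still has the access it needs.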


Physical Security for Writeable Domain Controllers

Key Points

Other physical security issues include the following:

• Preventing domain controllers from booting into alternate operating systems

• Securing networking infrastructure

• Preventing remote restart of domain controllers

Question: What steps does your organization take to secure writeable domain controllers? Do you feel these steps are adequate?

For more information, refer to the Maintaining Physical Security article on the Microsoft TechNet, Microsoft Windows Server TechCenter, Windows Server 2003 Technical Library Web site. Although the article was written based on Windows Server 2003, most of the points remain valid for Windows Server 2008.


Physical Security for Backups

Key Points

Onsite backups should only be available in an area where access is auditable. Similarly, there should be procedures in place for auditing the return of any backup media from offsite to onsite. Remember that a system state backup of a domain controller contains the AD DS database (ntds.dit) and therefore every password hash in the domain; protect the media as you would protect the domain controller itself.

Microsoft recommends that backup media should only be in the backup device during actual backup or restore operations.


Lab: Maintaining Security for Active Directory Servers

Exercise 1: Manually Implementing AD DS Server Hardening

Scenario

Woodgrove Bank wants to improve Active Directory security for all its domain controllers. However, the bank does not want to start "from scratch" but wants to use best practice tools from Microsoft, if possible. The corporate accounts division (organizational unit CorpAccts) has stricter requirements than the loan division (organizational unit Loans).

Exercise Overview

The main tasks for this exercise are as follows:

1. Install the GPOAccelerator tool.

2. Create new GPOs with the GPOAccelerator.

3. Examine the settings with the Group Policy Management Console (GPMC).


Task 1: Install the GPOAccelerator tool

• Open NYC-DC1 and log on as Administrator with the password Pa$$w0rd.

• Navigate to the E:\labfiles folder and run the GPO Accelerator.msi file.

• Install the program, accepting all defaults.

Task 2: Create new GPOs with the GPOAccelerator

• Run the GPOAccelerator that you just installed as an administrator.

• At the command prompt, type: cscript gpoaccelerator.wsf /wssg /enterprise /lab which will create the following Group Policy Objects:

• WSSG EC Domain Policy (WSSG stands for Windows Server Security Guide, which incorporates the GPOAccelerator tool; EC stands for Enterprise Client, intended to be a fairly typical corporate environment where security needs and functionality must be balanced)

• WSSG EC Domain Controller Baseline Policy

• WSSG EC Member Server Baseline Policy

• <server role> Policy (there are several of these)

• Read the various dialog boxes and progress messages, and then close the Command Prompt window.

Task 3: Examine the settings with the Group Policy Management console

• From the Administrative Tools menu, open the Group Policy Management console.

• Expand the navigation tree and highlight the WSSG EC Domain Policy GPO.

• In the details pane, click the Settings tab.

• Spend a few minutes navigating the settings that Microsoft feels are appropriate for securing Active Directory Domain Services (AD DS) servers.

• Similarly, explore settings for the following GPOs:

• WSSG EC Active Directory Certificate Services Servers Policy


• WSSG EC DNS Servers Policy

• WSSG EC Domain Controller Baseline Policy

• To see the new organizational units that you built with the GPOAccelerator script, expand the WSSG EC Member Servers OU GPMC node, and note the various sub-organizational units that exist under that node.

Results: After this exercise, you should have installed the GPOAccelerator tool, created new GPOs with the GPOAccelerator, and examined the settings with the GPMC.


Exercise 2: Assessing Ongoing Security Requirements

Scenario

The scenario is the same as in Exercise 1.

Exercise Overview

In this exercise, you will install the MBSA and perform a sample run.

The main tasks for this exercise are as follows:

1. Install the MBSA 2.1 Beta 2.

2. Perform an MBSA analysis of NYC-DC1.

Task 1: Install MBSA 2.1 Beta 2

• In the E:\Labfiles folder, run the mbsasetup.msi file. Accept all defaults.

Task 2: Perform an MBSA analysis of NYC-DC1

• Run the Microsoft Baseline Security Analyzer 2.1 you just installed.

• Click the Scan a computer icon.

• The virtual machines do not have Internet connectivity, so you will not perform the security-update portion of the scan, which requires MBSA to download a catalog file from the Internet. Select only the top three check boxes:

• Check for Windows administrative vulnerabilities

• Check for weak passwords

• Check for IIS administrative vulnerabilities

• Start the scan.

• Review the resultant report. Are there any vulnerabilities on NYC-DC1?

______________________________________________________________________

Results: After this exercise, you should have installed MBSA 2.1 Beta 2 and performed an MBSA analysis of NYC-DC1.


Exercise 3: Deploying Fine-Grained Password Policies

Scenario

The scenario is the same as in Exercise 1.

Exercise Overview

In this exercise, you will discuss how to deploy fine-grained password policies. (Depending on class size, the instructor may break the class into smaller groups for purposes of generating discussion.)

Task: Discuss deploying fine-grained password policies

• Discuss how to deploy fine-grained password policies. There is no correct or incorrect answer, but during the discussion make sure you talk about the following points:

• How many of you envision a use for fine-grained password policies, that is, for applying different password and account lockout settings to particular users or global security groups rather than to the whole domain? (A Password Settings Object cannot be linked to an organizational unit directly, which is why shadow groups come up in the next question, and the domain functional level must be Windows Server 2008.)

• What do you see as the pros and cons of following Microsoft’s suggested practice and creating “shadow groups” to mirror the membership of organizational units?

• What do you perceive as some of the benefits of having fewer domains, now that it is not necessary to create a domain boundary only because a constituency in your organization needs different password policies?

• How many people in your organization are conversant with the Active Directory Service Interfaces (ADSI) Edit and LDIF Directory Exchange (LDIFDE) tools? In Windows Server 2008 these are the only built-in ways to create a Password Settings Object.

• Use the space below to write the key points of the discussion. __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________


__________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ __________________________________________________________________

Results: After this exercise, you should have discussed how to deploy fine-grained password policies and some of the implications such restructuring could have for your overall Active Directory design.
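As an added worked example for this discussion (written for this edition, not part of the course materials), the script below builds the LDIF for a Password Settings Object, imports it with LDIFDE, and then checks which PSO actually wins for one user. The domain woodgrovebank.com, the shadow group CN=CorpAccts Users, the user CN=Thomas and the file path C:\Labfiles\CorpAcctsPSO.ldf are assumptions. The conversion function exists because the PSO age and lockout attributes are stored as negative 64-bit counts of 100-nanosecond intervals, which is the detail most often entered wrongly by hand in ADSI Edit.

```powershell
# Added example (not Microsoft's or the course's own code).
# Requires domain functional level Windows Server 2008 and Domain Admins membership.
# Assumed names: woodgrovebank.com, shadow group "CorpAccts Users", user "Thomas".

# PSO durations are negative I8 values in 100 ns units; a .NET tick is 100 ns, so
# the only work is the sign flip.
function ConvertTo-PsoInterval {
    param([Parameter(Mandatory=$true)][timespan]$Span)
    return (0 - $Span.Ticks)
}

function New-PsoLdif {
    param(
        [string]$Name,
        [string]$DomainDn,
        [int]$Precedence,                  # lower number wins when several PSOs apply
        [string[]]$AppliesTo,              # DNs of users or global security groups
        [int]$MinLength = 12,
        [int]$History = 24,
        [timespan]$MinAge = (New-TimeSpan -Days 1),
        [timespan]$MaxAge = (New-TimeSpan -Days 42),
        [int]$LockoutThreshold = 5,
        [timespan]$LockoutWindow = (New-TimeSpan -Minutes 30),
        [timespan]$LockoutDuration = (New-TimeSpan -Minutes 30)
    )
    $lines = @(
        "dn: CN=$Name,CN=Password Settings Container,CN=System,$DomainDn",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        "msDS-PasswordSettingsPrecedence: $Precedence",
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        "msDS-PasswordHistoryLength: $History",
        "msDS-PasswordComplexityEnabled: TRUE",
        "msDS-MinimumPasswordLength: $MinLength",
        "msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval $MinAge)",
        "msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval $MaxAge)",
        "msDS-LockoutThreshold: $LockoutThreshold",
        "msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval $LockoutWindow)",
        "msDS-LockoutDuration: $(ConvertTo-PsoInterval $LockoutDuration)"
    )
    foreach ($dn in $AppliesTo) { $lines += "msDS-PSOAppliesTo: $dn" }
    return (($lines -join "`r`n") + "`r`n")
}

# Stricter policy for the corporate accounts division, applied through its shadow group.
$ldif = New-PsoLdif -Name "CorpAccts-PSO" -DomainDn "DC=woodgrovebank,DC=com" -Precedence 10 `
    -AppliesTo @("CN=CorpAccts Users,OU=CorpAccts,DC=woodgrovebank,DC=com") `
    -MinLength 14 -MaxAge (New-TimeSpan -Days 30)
$ldif | Set-Content -Path "C:\Labfiles\CorpAcctsPSO.ldf" -Encoding ASCII
ldifde -i -f "C:\Labfiles\CorpAcctsPSO.ldf" -k      # -k: keep going if the object already exists

# Verify the effective policy for one user: the DC computes the constructed
# attribute msDS-ResultantPSO, so ask for it explicitly.
$user = [ADSI]"LDAP://CN=Thomas,OU=CorpAccts,DC=woodgrovebank,DC=com"
$user.RefreshCache(@("msDS-ResultantPSO"))
$user.Properties["msDS-ResultantPSO"].Value
```

For a 30-day maximum age the file will contain msDS-MaximumPasswordAge: -25920000000000; a positive value or a value in seconds is rejected or silently wrong. If msDS-ResultantPSO comes back empty, the user is governed by the domain password policy, which usually means the shadow group membership has not been updated.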


Lab Review


Managing Active Directory® Service Roles 6-1

Module 6 Managing Active Directory® Service Roles

Contents: Lesson 1: Using Windows Server 2008 Tools for AD CS 6-3

Lesson 2: Implementing AD LDS 6-8

Lesson 3: AD FS Overview 6-12

Lesson 4: AD RMS Overview 6-18

Lab: Managing Active Directory Service Roles 6-23


Module Overview

This module provides an overview of four server roles that were not formerly branded as Active Directory roles: Active Directory Certificate Services, Active Directory Lightweight Directory Services, Active Directory Federation Services, and Active Directory Rights Management Services. The module also describes some of the management challenges that these roles create, and some new features of Windows Server® 2008 that might help to address those challenges.


Lesson 1 Using Windows Server 2008 Tools for AD CS

Active Directory Certificate Services (AD CS) (formerly known simply as "Certificate Services") can form the basis of a Public Key Infrastructure (PKI) for organizations that want to deploy certificate-based security, for example, via smart cards. Windows Server 2008 brings some new management tools that this lesson introduces.


Benefits of OCSP and Online Responders

Key Points

Certificate Revocation Lists (CRLs) can become large over time, and every client downloads the entire list. This can become a performance issue, affecting network bandwidth and authentication times. With the Online Certificate Status Protocol (OCSP), a client asks the Online Responder about a single certificate serial number and receives a small, signed, cacheable answer instead.

An online responder does not need to be a Certification Authority. Clients will only consult it, however, if the CA includes the responder's URL in the Authority Information Access (AIA) extension of the certificates it issues, and the responder needs an OCSP Response Signing certificate from each CA it answers for.

There is a new Microsoft® Management Console (MMC) snap-in, Online Responder, for managing online responders. This is in addition to the other snap-ins you might already be familiar with (Certification Authority, Certificates, and Certificate Templates).

For more information, refer to the Installing, Configuring, and Troubleshooting the Online Responder (Microsoft's OCSP Responder) article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site. Also, refer to the Windows Server 2008 Active Directory Certificate Services Step-by-Step Guide article on the Microsoft Download Center Web site.


New Restricted Enrollment Agent Overview

Key Points

Use the Certification Authority snap-in (CA properties, Enrollment Agents tab) to create a permissions list for each enrollment agent, naming the users and groups on whose behalf the agent can enroll and, optionally, the certificate templates it may use. Restricting agents matters because an enrollment agent certificate lets its holder request logon certificates, such as smart card certificates, in other people's names.

The performance of a Certification Authority will be slower if you use enrollment agent restrictions, because every request is checked against the list; however, you can mitigate the slowdown by:

• Minimizing the number of enrollment agent accounts

• Minimizing the list of accounts in the permissions list

• Using group accounts instead of user accounts

In addition to the new ability to restrict enrollment agents, you can also now enroll network devices (for example, routers) that do not have domain accounts, via the Network Device Enrollment Service (NDES), Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP).

For more information, refer to the Active Directory Certificate Server Enhancements in Windows Server Code Name 'Longhorn' article on the Microsoft Download Center Web site. Also, refer to the AD CS: Restricted Enrollment Agent article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Using the New Enterprise PKI Console (PKIView)

Key Points

Enterprise PKI (PKIView) analyzes the health of Certification Authorities running Windows Server 2008 or Microsoft Windows Server 2003, checking that each CA certificate, CRL distribution point, AIA location and OCSP location is reachable and current. It no longer requires a separate download (for Windows Server 2003 it was a Resource Kit tool).

Caveat: Remember that AD CS cannot be installed on a Windows Server 2008 Server Core installation.

The Cryptography API 2 (CAPI2) diagnostics events reside in Event Viewer under Applications and Services Logs, Microsoft, Windows, CAPI2, Operational. This log is disabled by default: enable it (right-click the Operational log and choose Enable Log) before reproducing a certificate-validation problem, and disable it again afterwards because it is verbose.

For more information, refer to the Troubleshooting PKI Problems on Windows Vista article on the Microsoft Windows Vista TechCenter Web site. Also, refer to the AD CS: Enterprise PKI article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Group Policy Settings for Certificate Services in Windows Server 2008

Key Points

The four bullets in the slides correspond to tabs on the Certificate Path Validation Settings dialog box.

New policy store categories under Public Key Policies as of Windows Server 2008 include:

• Trusted Publishers

• Untrusted Certificates

• Trusted People

• Intermediate Certification Authorities

Caveat: If you allow users to have a high degree of control over trust decisions and management of their certificates, plan for some user training in these areas.

For more information, refer to the AD CS: Policy Settings article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Lesson 2 Implementing AD LDS

Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), provides the data replication platform of Active Directory for application developers to leverage in their products.


How AD LDS Differs from AD DS

Key Points

You can think of AD LDS as Active Directory but without any user, group, or computer account information, and therefore no domains or Group Policy settings. It basically exposes the Active Directory replication engine for use by application developers.

AD LDS does provide partitioning, multi-master replication, and Lightweight Directory Access Protocol (LDAP) access.

You can provide AD LDS access to business partners without exposing your AD DS database.

AD LDS can leverage AD DS for user authentication purposes.

Question: What types of applications do you think might benefit from their own private replication ring? Can you think of any applications that might require authentication via a database separate from AD DS? How about a unique and separate directory store?


For more information, refer to the Active Directory Lightweight Directory Services Overview article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Managing an AD LDS Instance

Key Points

Active Directory Service Interfaces (ADSI) Edit is specific to the Microsoft implementation of Active Directory, whereas LDP can work with any LDAP directory.

ADSI Edit is a console; LDP is a standalone executable.

LDP exposes some objects that you cannot see in ADSI Edit.

The new auditing capabilities of AD DS in Windows Server 2008, for example, recording old and new attributes in the audit log after an attribute change, are also available to AD LDS.

You can also use the snapshot tool DSAMAIN with AD LDS.

You can adapt an AD LDS instance for management with Active Directory Sites and Services by running MS-ADLDS-DisplaySpecifiers.LDF against the instance schema.

Question: Why does it make sense that Active Directory Users and Computers and Active Directory Domains and Trusts do not work with AD LDS?


Lesson 3 AD FS Overview

Active Directory Federation Services (AD FS) is an alternative to a forest-to-forest trust when one organization wants to grant network access to a subset of the population of another organization.


AD FS Refresher

Key Points

AD FS is built on the Web Services (WS-*) architecture; specifically, it implements the WS-Federation Passive Requestor Profile for browser clients. You can read more about the underlying Web services architecture at the www.w3.org site. The architecture is designed to facilitate interoperability between Web services.

AD FS is designed to relieve the requirement of a secondary credentials request when trusted users from outside your network access a Web application in your network.

The resource partner manages access to its network's application(s) for trusted partners and decides, through its claim mappings, which incoming claims grant which access.

The account partner authenticates users and issues signed security tokens containing claims about them. The resource partner's federation server validates the token signature against the account partner's published token-signing certificate and then issues the user a cookie for later access to applications on the resource partner's network.

For more information, refer to the A Developer's Introduction to Active Directory Federation Services article on the MSDN® Magazine Web site. Also, refer to the Active Directory Federation Services Overview article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


AD FS Management Console

Key Points

Using Server Manager to manage AD FS, you can set up the following role services, as required, depending on the location and function of the server:

• The Federation Service, which issues and validates security tokens and routes authentication requests for trusted users from other networks.

• The Federation Service Proxy, which resides in a perimeter network (DMZ) and relays requests from Internet clients to an internal server running the Federation Service, so that the federation server itself is never exposed directly.

• The Claims-Aware Agent, which installs on an IIS server hosting a claims-aware application that you want to make available to trusted external users.

As an alternative to Server Manager, you can run the Active Directory Federation Services snap-in as a separate console. Use the IIS Manager snap-in to manage the Claims-Aware Agent.

For more information, refer to the Step-by-Step Guide for AD FS in Windows Server 2008 article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Defining Web-Based Single Sign-On Mode

Key Points

Single Sign-On (SSO) mode refers to a system in which users who have authenticated to one network may access applications on a different network without providing an extra set of credentials.

You can integrate AD FS with Microsoft Office SharePoint® Server 2007 and extend the SSO benefits to that system. Doing so will require a strong knowledge of both products.

For more information, refer to the Configure Web SSO authentication by using AD FS (Office SharePoint Server) article on the Microsoft TechNet, Microsoft Office System, Office SharePoint Server 2007 Web site.


AD FS Dependent Services Overview

Key Points

The dependencies are made possible by what Microsoft calls "Component-Based Servicing."

Removal of AD FS will prompt for removal of subsidiary roles and services.

Office SharePoint Server 2007 is not a dependent service but can interoperate with AD FS.

Active Directory Rights Management Services (AD RMS) is also not a dependent role, but can interoperate with AD FS to share rights-protected content across network boundaries.

For more information, refer to the Active Directory Federation Services Role article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


New Import/Export Capabilities

Key Points

Windows Server 2003 R2 had limited ability to import and export trust policy settings, but Windows Server 2008 makes the process more streamlined.

In Windows Server 2008, the Add Partner Wizard not only permits importing of trust policy settings, but modifying those settings before actually importing them.

For more information, refer to the Active Directory Federation Services Role article, the section "Better administrative experience when establishing federated trusts" on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Lesson 4 AD RMS Overview

Rights Management Services (RMS) shipped as an add-on for Windows Server 2003; in Windows Server 2008 it is a built-in server role, Active Directory Rights Management Services (AD RMS). It provides a form of Digital Rights Management (DRM) for content created with RMS-aware applications.


AD RMS Refresher

Key Points

NTFS provides some control over what users can do with documents; however, such documents must remain on NTFS volumes or lose those restrictions, because the permissions belong to the file system rather than to the file. Additionally, NTFS does not provide for usage rights such as "forward" or "print", nor does it permit (as AD RMS does) the creation of time periods during which the controls will be valid. AD RMS can enforce its policy wherever the file travels because the content is encrypted and an RMS-aware application only receives the decryption key together with a use license that states the granted rights.

In addition to the 2007 Microsoft Office system (Enterprise, Professional Plus, or Ultimate editions only), Microsoft Office SharePoint Server 2007 is also RMS-aware.

The AD RMS server resides on a member server, not a domain controller.

You can experiment with AD RMS using a Microsoft server for a trial period.

For more information, refer to the Event Review: RMS in Windows Server 2008 article on the Microsoft TechNet, Resources for IT Professionals, Events and Webcasts Web site. Also, refer to the Active Directory Rights Management Services Overview article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


New Administrative Groups

Key Points

A lot of software has to be properly configured to use AD RMS. Before implementing AD RMS, make sure dependent roles and services are up and running correctly.

AD RMS can integrate with AD FS to provide rights management for documents shared with trusted users in a federated external network.

AD RMS can also integrate with Microsoft Office SharePoint Server 2007.

For more information, refer to the Windows Server Active Directory Rights Management Services Step-by-Step Guide article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.

If you will be using AD RMS with Federation Services, refer to the Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide article located on the Windows Server 2008 Technical Library Web site.


If you want to integrate AD RMS and SharePoint, refer to the Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-by-Step Guide article, which is also located on the Windows Server 2008 Technical Library Web site.


AD RMS Dependent Services Overview

Key Points

The user who installs AD RMS must not use the same account as the AD RMS service account. Use a dedicated domain user account with no additional privileges for the service, so that the installing administrator's credentials never become the identity under which the service runs.

You must be in the AD RMS Enterprise Administrators group as well as the local administrators group to change the AD RMS service account.

AD RMS Enterprise Administrators can do anything in the AD RMS console. The installing user is automatically added to this group.

AD RMS Auditors can use the AD RMS console but only the reporting features.

For more information, refer to the Administer AD RMS by Using the Active Directory Rights Management Services Console article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.


Lab: Managing Active Directory Service Roles

Exercise 1: Installing the AD LDS Role

Scenario

Woodgrove Bank is deploying a new customer relations database package that leverages the Active Directory replication engine. The new software requires AD LDS. Some of the management functions for the new application will be handled by utilities provided by the vendor. However, IT personnel will be responsible for occasional use of Active Directory utilities to help manage the AD LDS instance.

Exercise Overview

The main tasks for this exercise are as follows:

1. Install the AD LDS role on NYC-DC1.

2. Configure the AD LDS service for a new instance.

Task 1: Install the AD LDS role on NYC-DC1

• Start NYC-DC1, if it is not already started, and open Server Manager.

• Add the Active Directory Lightweight Directory Services role. Accept all defaults.


Task 2: Configure AD LDS for a new instance

• Start the AD LDS Setup Wizard for the new role.

• Create a new instance named CustApp1 with the default port values.

• Create an application directory partition named: CN=Custapp1,DC=woodgrovebank,DC=com.

• Accept the defaults for file locations and service account selection.

• At the AD LDS Administrators screen, browse to select the ITAdmins_WoodgroveGG security group.

• In the Importing LDIF Files screen, select MS-ADLDS-DisplaySpecifiers.LDF and MS-User.LDF.

• When prompted for credentials, type woodgrovebank\thomas and Pa$$w0rd.

• Close the page.

Results: After this exercise, you will have installed the AD LDS role and configured one instance, CustApp1, with its application directory partition.


Exercise 2: Identifying Ongoing Management Concerns

Scenario

The scenario is the same as in Exercise 1.

Exercise Overview

In this exercise, you will discuss the ongoing management issues for the new customer relations database application. (Depending on class size, the instructor may break the class into smaller groups for purposes of generating discussion.)

Task: Discuss ongoing management concerns

• Generate a list of issues to go over with the application vendor to determine which management and administration tasks will be managed by vendor software and which tasks will be managed by tools bundled with Windows Server 2008.

• Use the space below to write the list of issues.


Results: After this exercise, you will have identified a number of management concerns for an AD LDS application.


Exercise 3: Using Windows Server 2008 Tools for Managing AD LDS

Scenario

The scenario is the same as in Exercise 1. You need to become familiar with how to use Active Directory tools in the context of AD LDS, rather than in the context of managing AD DS.

Exercise Overview

The main tasks for this exercise are as follows:

1. Use ADSI Edit to view an AD LDS instance.

2. Use LDP to view an AD LDS instance.

3. Use the Schema Console to view the schema for an AD LDS instance.

Task 1: Use ADSI Edit to view an AD LDS instance

• In the Server Manager details pane, with the Active Directory Lightweight Directory Services node highlighted, find and click the ADSI Edit link.

• Connect to the Distinguished Name: CN=CustApp1,DC=woodgrovebank,DC=com. You will need to specify port 50000 and specify credentials of Thomas and Pa$$w0rd.

• On the ADSI Edit console, in the navigation pane, expand the nodes. You should see three containers. You would see more containers after initializing the application that needs to use the LDS instance.

• In the navigation pane, select CN=Roles.

• In the details pane, look at the properties for CN=Users. Select the different attributes by clicking them. Note that in some cases you have a View button available, and in other cases the button becomes an Edit button. This tells you that you can use ADSI Edit to modify data in the LDS directory.

• Close the CN=Users Properties window and then close ADSI Edit.

Task 2: Use LDP to view an AD LDS instance

• In the Server Manager details pane, with the Active Directory Lightweight Directory Services node highlighted, find and click the LDP.exe link.


• Perform a connection operation to server NYC-DC1.woodgrovebank.com at port 50000. The details pane should populate with information.

• At the top of the details pane, view the ldap_open command.

• Bind with credentials, using Thomas, Pa$$w0rd, and woodgrovebank.com.

• View the results of the bind operation at the bottom of the details pane. You have just authenticated to LDP.

• Navigate to the Tree view for the BaseDN of CN=custapp1,DC=woodgrovebank,DC=com. You should see the same structure appear that you saw in the ADSI Edit tool in Task 1. View the properties of the three CN entries that appear under the base DN, to get a feel for the kind of information that you can view in LDP.
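The same open, bind and tree-view sequence can be scripted, which is useful when the application team wants a repeatable check that the instance answers on its port and that the partition is readable. The following PowerShell script is an added example and is not part of the course manual; it uses the .NET System.DirectoryServices.Protocols client rather than LDP and assumes the lab's values (NYC-DC1.woodgrovebank.com, port 50000, the partition CN=CustApp1,DC=woodgrovebank,DC=com and the account woodgrovebank\thomas), prompting for the password instead of embedding it.

```powershell
# Added example (not from the course manual): script equivalent of the LDP
# steps above (ldap_open, bind, tree view of the base DN) against AD LDS.
# Assumed values are taken from the lab: host, port 50000, partition DN and user.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapHost = 'NYC-DC1.woodgrovebank.com'
$ldapPort = 50000
$baseDn   = 'CN=CustApp1,DC=woodgrovebank,DC=com'
$cred     = Get-Credential -Credential 'woodgrovebank\thomas'   # prompts for the password

# ldap_open: describe the endpoint (host and non-default port). No traffic yet.
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $ldapHost, $ldapPort
$netCred    = $cred.GetNetworkCredential()
$authType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # Kerberos/NTLM, not a clear-text simple bind
$connection = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $identifier, $netCred, $authType
$connection.SessionOptions.ProtocolVersion = 3

# Bind: this is the step whose result LDP prints at the bottom of the details
# pane. A wrong password, a wrong port or a closed firewall surfaces here as an
# LdapException, so the script stops before trying to read anything.
$connection.Bind()

# Tree view: a one-level search under the base DN lists the containers that
# ADSI Edit showed (three of them before the application initializes the instance).
$scope   = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
$attrs   = [string[]]@('cn', 'objectClass')
$request = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $baseDn, '(objectClass=*)', $scope, $attrs
$response = $connection.SendRequest($request)

foreach ($entry in $response.Entries) {
    $classes = $entry.Attributes['objectClass'].GetValues([string]) -join ','
    '{0}  [{1}]' -f $entry.DistinguishedName, $classes
}
$connection.Dispose()
```

Negotiate authentication is the scripted counterpart of LDP's "Bind with credentials" against a domain account: the password never crosses the wire in clear text, which a simple bind on port 50000 (no TLS) would do. A successful bind only proves authentication; whether an entry is visible is still decided per object by the partition's access control, so an account outside the AD LDS Administrators group may bind fine and yet see fewer entries than Thomas does.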

Task 3: Use the Schema Console to view the schema for an AD LDS instance

• Register the schema console DLL in a command prompt with the command regsvr32 schmmgmt.dll.

• Close the Command Prompt window.

• Use fast user switching to log on as Thomas, who has already been set up as a Schema Admin.

• Open the MMC shell and add the Active Directory Schema snap-in.

• In the navigation pane, from the Active Directory Schema node open Change Active Directory Domain Controller.

• Specify NYC-DC1.woodgrovebank.com:50000 and wait for the status column to show Online.

• You should see new nodes for classes and attributes. (If you do not, close the console and try re-creating it.) Expand the Classes node and scroll down until you see the entry for User. (This is the object class that was added when you created the instance in Exercise 1 and specified the LDIF script MS-User.LDF.)

• Open the Properties for the User entry and navigate to the Attributes tab. These are the attributes for the user object in this instance of AD LDS. They are now completely separate from the attributes for the user object in AD DS.

• Close all open dialog boxes and consoles, and then close the virtual machine.


Results: After this exercise, you will have seen three tools that you can use to manage an AD LDS instance, and have some understanding of when to use each.


Lab Review


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.


Module 1: Managing an Active Directory Server Lifecycle

Lab: Managing and Maintaining a Windows Server 2008 Domain Controller

Logon Information:

• Virtual Machines: NYC-SVR1, NYC-DC1

• User Name: WoodgroveBank\Administrator

• Password: Pa$$w0rd

Estimated time: 80 minutes

Exercise 1: Evaluating the Need for an AD DS Promotion

Scenario

Woodgrove Bank’s IT administrators have noticed slow logons at its branch office, where it has deployed a server named NYC-SVR1. The branch office, which is two miles away from the main New York headquarters, connects to the headquarters location over a busy, shared T-1 connection. At the corporate headquarters, NYC-DC1 acts as a domain controller and DNS server for the WoodgroveBank.com domain. The branch office is closed Friday afternoons and all day Saturday and Sunday. It is managed by a medium-sized staff, none of whom have had any server training.

Exercise Overview

In this exercise, you will create a plan to add the Active Directory® Domain Services (AD DS) role to NYC-SVR1.


Task: Create a plan to add the AD DS role to NYC-SVR1

• Create a plan to add the AD DS role to NYC-SVR1. The plan should consider the following elements:

• Whether NYC-SVR1 should become a writeable domain controller or a Read-Only Domain Controller (RODC).

• When to perform the promotion of NYC-SVR1.

• Whether to perform the promotion through a remote desktop connection, on site, by telephone, or by sending e-mail instructions to the local liaison.

Answers will vary.

Results: After this exercise, you should have a plan to promote NYC-SVR1 to be an AD DS domain controller.

Exercise 2: Meeting the Need by Adding a Role

Exercise Overview

In this exercise, you will implement the plan to add the AD DS role to NYC-SVR1.

Task 1: Start NYC-DC1 and NYC-SVR1

1. Start NYC-DC1 using the Lab Launcher tool.

2. Log on to NYC-DC1 as WoodgroveBank\Administrator with the password of Pa$$w0rd.

3. Verify that the forest functional level (FFL) is at least Microsoft Windows Server 2003, the minimum required to support RODCs. Look for Active Directory Domains and Trusts in Server Manager. If you do not find it, open it from Administrative Tools. You can view the FFL via the context menu of the topmost node in the console's navigation pane; click Raise Forest Functional Level and click past the warning message.

4. In the Lab Launcher tool on your host operating system, start NYC-SVR1. It will start faster, as it is not a domain controller.

5. Log on to NYC-SVR1 as LocalAdmin with the password of Pa$$w0rd.

6. Close the Initial Configuration Tasks window, if it opens.


Task 2: Check the installed roles on NYC-SVR1

• The Server Manager console should come up automatically (it may take a few moments). Expand the Roles node and view the installed roles. (If AD DS were already installed, you would need to re-evaluate your plan.)

Task 3: Run DCPROMO on NYC-SVR1

1. On NYC-SVR1, open an administrative command prompt.

2. Ping NYC-DC1 to make sure you can see it on the same virtual network. If the ping command fails, troubleshoot your virtual network, or contact your instructor.

3. To start the AD DS Installation Wizard, run DCPROMO. What message do you see as the process begins? (Answer: “Active Directory Domain Services binaries are being installed.”)

4. When the Welcome page appears, select the Use advanced mode installation check box and then proceed to the next page.

5. In the Operating System Compatibility dialog box, click Next.

6. In the Choose a Deployment Configuration dialog box, click Existing forest and Add a domain controller to an existing domain, and then click Next.

7. In the Network Credentials dialog box, type WoodgroveBank.com for the domain name. Click the Set button on the same dialog box and type administrator and Pa$$w0rd for the domain credentials. Click OK and then Next.

8. In the Select a Domain dialog box, leave the forest root domain highlighted and click Next.

9. In the Select a Site dialog box, leave the default site highlighted and click Next.

10. On the Additional Domain Controller Options page, select all three boxes to ensure that the new domain controller is also a DNS server, a Global catalog server, and an RODC, and then click Next.

11. In the warning about static IP assignments, click No, I will assign static IP addresses to all physical network adapters.


12. Note that nothing happens. The wizard wants you to assign the IP version 6 address but does not provide a dialog box for you to do so. On the Start menu, right-click the Network entry and click Properties.

13. In the task pane, click Manage network connections.

14. Right-click Local Area Connection and click Properties.

15. Note that the IP version 4 address is already configured as static. Remove support for IP version 6 by deselecting the check box, and click OK. Close the Network Connections control panel and the Network and Sharing Center.

16. Back at the Active Directory Domain Services Installation Wizard, click Next.

17. In the Specify the Password Replication Policy dialog box, review the settings but do not change any of them, and then click Next.

18. In the Delegation of RODC Installation and Administration dialog box, click the Set button and add the group NYC_BranchManagersGG. Verify it with the Check Names button. Click OK and then Next.

19. In the Install from Media dialog box, make sure that Replicate data over the network from an existing domain controller is selected, and click Next.

20. In the Source Domain Controller dialog box, make sure that Let the wizard choose an appropriate domain controller is selected, and click Next.

21. In the Location for Database, Log Files, and SYSVOL dialog box, leave all the default settings and click Next.

22. In the Directory Services Restore Mode Administrator Password dialog box, type Pa$$w0rd as the password (you must type it twice), and click Next.

23. Review the Summary page. If everything looks good, click Next.

24. At this point, the actual promotion and replication of domain data takes place. It is a lengthy process so this would be a good time to take a break. When the wizard reports that it has finished, restart the NYC-SVR1 virtual machine, and log on as the administrator of the domain WoodgroveBank.


Task 4: Verify successful promotion

1. Navigate to the NYC-DC1 virtual machine. In Server Manager, navigate to Active Directory Users and Computers.

2. Open the Domain Controllers organizational unit. Do you see NYC-SVR1? What type of server is it?

Results: After this exercise, you should have a new RODC in the form of NYC-SVR1. This should help alleviate the problem of slow logons in the branch office.

Exercise 3: Managing a Change Request for an RODC by Using the Command Line

Exercise Overview

In this exercise, you will update the configuration of the new RODC through a domain controller change and forced replication. The updated configuration consists of a new organizational unit, FederalAuditors, that is added to the WoodgroveBank.com domain. Senior management wants to ensure that the new organizational unit replicates to the NYC-SVR1 read-only domain controller immediately.

Task 1: Add the new organizational unit on NYC-DC1

1. On NYC-DC1, in Server Manager, navigate to Active Directory Users and Computers.

2. In either the navigation pane or the details pane, right-click the WoodgroveBank.com domain icon, and click New and Organizational Unit.

3. Name the new organizational unit as FederalAuditors and click OK.


Task 2: Replicate the change to NYC-SVR1

1. In Server Manager (still on NYC-DC1), navigate to Active Directory Sites and Services.

2. Expand Sites and Default-First-Site-Name.

3. Expand the Servers node and the node for NYC-SVR1.

4. Click NTDS Settings. You should see an entry in the details pane for NYC-DC1, which is a replication partner of NYC-SVR1.

5. In the details pane, right-click the entry for NYC-DC1, and click Replicate Now. This will force a replication from NYC-DC1 to NYC-SVR1. (In this console, replication occurs from right to left.) If you get an error message, it may be that the NYC-SVR1 domain controller is still sorting itself out. Give it five minutes or so, and then try again. You should eventually get a message that the replication operation completed successfully.

6. Switch over to NYC-SVR1 and, in Server Manager, navigate to Active Directory Users and Computers.

7. Verify that the FederalAuditors organizational unit now appears under WoodgroveBank.com.

8. Close NYC-SVR1 by executing a normal shutdown, saving your changes. (You do not want to close the virtual machine and discard changes, which may appear as an option.)

9. Leave the NYC-DC1 virtual machine running for future labs.

Results: After this exercise, you should have an AD DS change on NYC-DC1 and the change replicated to NYC-SVR1.
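The exercise title promises the command line, while the steps above use the Sites and Services console. The following PowerShell script is an added example, not part of the lab, that does the same work from a prompt on NYC-DC1: it answers the Task 4 question from Exercise 2 (what type of server NYC-SVR1 is) by inspecting the computer account, forces the replication with repadmin, and then asks NYC-SVR1 itself whether the new organizational unit has arrived. Names are the lab's own (NYC-DC1, NYC-SVR1, DC=WoodgroveBank,DC=com, FederalAuditors); the userAccountControl bit and group RID it tests are the standard AD values for RODC accounts.

```powershell
# Added example (not part of the lab): command-line equivalents of Task 4 in
# Exercise 2 (confirm NYC-SVR1 is an RODC) and Exercise 3 (push one change to it
# and confirm it landed). Names are the lab's own; run on NYC-DC1 as a domain admin.
$domainDn = 'DC=WoodgroveBank,DC=com'
$sourceDc = 'NYC-DC1'
$rodc     = 'NYC-SVR1'
$ouName   = 'FederalAuditors'

function Test-IsRodc {
    param([string]$Dc, [string]$ComputerName, [string]$DomainDn)
    # An RODC's computer account carries the PARTIAL_SECRETS_ACCOUNT bit
    # (0x04000000) in userAccountControl and has the Read-only Domain
    # Controllers group (RID 521) as its primary group. Require both.
    $root   = [ADSI]"LDAP://$Dc/$DomainDn"
    $filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, $filter
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('userAccountControl', 'primaryGroupID'))
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "computer account $ComputerName not found in $DomainDn" }
    $uac  = [int]$hit.Properties['useraccountcontrol'][0]
    $pgid = [int]$hit.Properties['primarygroupid'][0]
    return ((($uac -band 0x04000000) -ne 0) -and ($pgid -eq 521))
}

function Test-OuOnDc {
    param([string]$Dc, [string]$Name, [string]$DomainDn)
    # Bind to the named DC explicitly so the answer reflects that DC's replica,
    # not whichever DC the locator would otherwise pick.
    $root   = [ADSI]"LDAP://$Dc/$DomainDn"
    $filter = "(&(objectClass=organizationalUnit)(ou=$Name))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, $filter
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    return ($searcher.FindOne() -ne $null)
}

# Task 4: what type of server is NYC-SVR1?
'{0} is a read-only domain controller: {1}' -f $rodc, (Test-IsRodc $sourceDc $rodc $domainDn)

# Exercise 3: "Replicate Now" from the command line. The destination comes
# first, then the source, then the naming context; /readonly tells repadmin
# that the destination holds a read-only replica of the domain partition.
& repadmin.exe /replicate $rodc $sourceDc $domainDn /readonly
if ($LASTEXITCODE -ne 0) { throw "repadmin /replicate returned exit code $LASTEXITCODE" }

# Confirm on the RODC itself rather than on NYC-DC1, where the OU was created.
if (Test-OuOnDc $rodc $ouName $domainDn) {
    "$ouName is present on $rodc"
} else {
    "$ouName is not yet on $rodc; if the RODC is still initializing, wait a few minutes and re-run"
}
```

Reading the computer account rather than trusting the icon in Active Directory Users and Computers matters for the business goal: a server that was promoted as a writeable DC by mistake would pass a visual check but fail this one, and it would be caching every password in the branch rather than only those allowed by the password replication policy from step 17.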


Exercise 4: Developing a Management and Maintenance Plan

Scenario

You and your colleagues in the IT department have been asked to write a first draft of a management and maintenance plan for the NYC-DC1 and NYC-SVR1 domain controllers.

Exercise Overview

In this exercise, you will write a first draft of a management and maintenance plan for the NYC-DC1 and NYC-SVR1 domain controllers.

Task 1: Decide which tools are better suited for each of the two domain controllers

• Decide which tools are better suited to corporate headquarters and which are better suited to the branch office scenario. Consider that Server Manager is not “remoteable” as such, but Active Directory Users and Computers is remoteable, as is Event Viewer.

Answers will vary.

Task 2: Decide whether the new RODC is meeting the business needs

• Consider the methods for determining whether the new RODC is meeting the business needs.

Answers will vary.


Task 3: Decide whether delegation for certain functions might be appropriate

• Consider whether delegation for certain functions might be appropriate, for example, adding user accounts.

Answers will vary.

Results: After this exercise, you should have a draft document that outlines how to manage these two domain controllers.

Exercise 5: Evaluating the Management and Maintenance Plan

Exercise Overview

In this exercise, you will discuss the plan documents you created in Exercise 4.

Task: Evaluate the management and maintenance plan

• Discuss the plan documents you created in Exercise 4. There is no correct or incorrect answer, but during the discussion make sure you talk about the following points:

• Whether logons and connections to servers are now faster for Active Directory users connecting to the NYC-SVR1 domain controller.

• Lack of technical expertise at the branch office.

• The remotability, or lack thereof, of specific management tools.

• Delegating some routine management functions for NYC-SVR1 to the branch office personnel.

Answers will vary.

Results: After this exercise, you should have ideas for evaluating the success of the plan developed in Exercise 4.


Module 2: Creating Baselines for Active Directory Servers

Lab: Creating Baselines for Active Directory Servers

Logon Information:

• Virtual Machines: NYC-DC1

• User Name: WoodgroveBank\Administrator

• Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Involving Users in Baseline Development

Scenario

The loan department of Woodgrove Bank has a number of users who work on shared PCs. The frequency of logons and logoffs is relatively high in this department. The department runs a small number of applications, and employees perform very few searches of Active Directory. Communications outside the local office are limited.

The research department of the bank, by contrast, is engaged in studying new banking products. Employees of this department, who generally have a PC all to themselves, perform a fair amount of market research and draw upon resources throughout the organization, including people in different locations and even in different domains. They tend to log on at the beginning of the day and log off at the end of it.

Task 1: Generate ideas for involving users in baseline development

• Working in small groups, discuss ways in which computer users can become involved in developing a baseline.

Answers will vary.


Task 2: Generate five questions to ask in a user survey to help IT professionals develop baseline documents

• Working in the same groups, discuss what type of questions you might ask in a user survey (for example, an e-mail survey) to help you create appropriate Active Directory baseline values. The following are some thought starters:

• What is the slowest operation you perform on your PC?

• What is the fastest operation you perform on your PC?

• How many times a day do you typically log on and off?

• How many times a day do you search the network for resources other than mapped drives and printers?

Answers will vary.

Results: After this exercise, you should have some ideas for involving users in what traditionally has been an IT-only activity, developing network performance baselines.

Exercise 2: Choosing Relevant WRPM Counters and Durations

Scenario

Use the same scenario as in Exercise 1.

Exercise Overview

In this exercise, you will identify relevant Windows® Reliability and Performance Monitor (WRPM) counters for the loan department and for the research department.

Task 1: List the counters that you would consider including in the baseline

1. Open the Microsoft® Lab Launcher, if it is not already open.

2. Start NYC-DC1, if it is not already started.

3. Log on to NYC-DC1 as WoodgroveBank\Administrator with the password of Pa$$w0rd.

4. In Server Manager, expand the nodes Diagnostics, Reliability and Performance, and Data Collector Sets.


5. Expand the System node beneath Data Collector Sets. Here are several Data Collector Sets that Microsoft has pre-built for you as a way to get you started with the system diagnostics tools.

6. Right-click the Active Directory Diagnostics Data Collector Set, and click Properties. These properties apply to the Data Collector Set as a whole, even though it has various components that can be configured separately.

7. On the General tab, read the description of this Data Collector Set.

8. Take a look at the other tabs on the Data Collector Set properties page.

9. To close the page, click the Cancel button.

10. In the details pane, you should see four data collectors. What types are they?

Answer: Trace, Trace, Performance Counter, and Configuration

11. Right-click the Performance Counter data collector and click Properties. Note the PerfLog objects that Microsoft has chosen for this pre-built Data Collector Set. This list is a good starting point for exploring Active Directory performance counters in detail. Note, for example, the category DirectoryServices.

12. To return to Server Manager, click Cancel.

13. Now you will see where you would create your own Data Collector Set. In the navigation pane, right-click the User Defined node, click New, and then Data Collector Set.

14. In the Create new Data Collector Set dialog box, type the name CustomAD, click the Create from a template (Recommended) option button, and click Next.

15. Click Active Directory Diagnostics as the template that you will use as the starting point for your new custom Data Collector Set, CustomAD, and click Next.

16. Leave the Root directory selection as the default value and click Next.

17. In the Create new Data Collector Set window, click the Open properties for this data collector set option button, and click Finish.

18. In the Description field, type Woodgrove Bank custom AD data collector set.

19. If you would like to, look at the other tabs and then click OK.

20. Expand the User Defined node.


21. With CustomAD highlighted in the Server Manager navigation pane, right-click Performance Counter in the details pane and click Properties.

22. To display the (untitled) counter selection dialog box, on the Performance Counters tab, click the Add button (this button was grayed out when you were viewing the system template).

23. To display the counters in this category, find the DirectoryServices object in the upper left list box, and click the + next to its name.

24. Browse the counters listed under DirectoryServices. Can you find any context-sensitive help to assist you in understanding their meaning? (There is a description field which you can activate by checking the Show description box, but it varies from very helpful, for some counters, to a mere restatement of the counter name, for others. You will need some good books, magazine articles, and online references to help you understand these counters.)

25. Can you locate the following counter categories:

• ATQ (Asynchronous Thread Queue)

• DRA (Directory Replication Agent)

• DS (Directory Service)

• LDAP

• SAM (Security Accounts Manager)

26. Browse the counters listed under FileReplicaSet. In the course handbook, you should have written performance counters and/or objects that look relevant to you.

Task 2: Consider differences in a baseline strategy for the two departments

1. Using the console from Task 1, identify three performance counters that would probably be more important for the loan department than for the research department. (The answer should reflect the fact that loan department employees perform frequent logons and logoffs.) Answers will vary.

2. Identify three performance counters that would probably be more important for the research department than for the loan department. (The answer should reflect the fact that the research department performs more Active Directory search operations.) Answers will vary.


3. Identify three performance counters that would probably be important for both departments. Answers will vary.

4. Leave NYC-DC1 running for future labs.

Results: After this exercise, you should be more familiar with some of the PerfMon Active Directory counters, and have some idea of how to adapt a baseline strategy for different business situations.
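The CustomAD Data Collector Set from Task 1 can also be built from the command line, which is how a baseline capture is normally scripted so that the same counters and the same sampling interval are used on every domain controller. The following PowerShell script is an added example and is not part of the course manual. It groups counters the way Task 2 asks (loan department, research department, both), writes them to a counter file, and creates and starts a time-limited set with logman. The counter paths are given as they appear on Windows Server 2008 (object DirectoryServices, instance NTDS) as far as I know them; confirm each one in the Add Counters dialog from Task 1 before relying on it, and treat the output path and run length as placeholders.

```powershell
# Added example (not from the course manual): build the CustomAD collector with
# logman, choosing counters per department, and capture a one-hour baseline.
# Counter paths are assumed from the Windows Server 2008 Add Counters dialog
# (object DirectoryServices, instance NTDS); verify them in the console.
$setName = 'CustomAD'
$outDir  = "$env:SystemDrive\PerfLogs\Admin\$setName"   # placeholder output location

# Loan department: frequent logons/logoffs show up as authentication and bind load.
$loanCounters = @(
    '\DirectoryServices(NTDS)\Kerberos Authentications',
    '\DirectoryServices(NTDS)\NTLM Authentications',
    '\DirectoryServices(NTDS)\LDAP Successful Binds/sec'
)
# Research department: heavier directory search traffic, some of it cross-domain.
$researchCounters = @(
    '\DirectoryServices(NTDS)\LDAP Searches/sec',
    '\DirectoryServices(NTDS)\DS Directory Searches/sec',
    '\DirectoryServices(NTDS)\LDAP Client Sessions'
)
# Both departments: the hardware and replication counters every DC baseline needs.
$commonCounters = @(
    '\Processor(_Total)\% Processor Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\DirectoryServices(NTDS)\DRA Inbound Bytes Total/sec',
    '\DirectoryServices(NTDS)\DRA Outbound Bytes Total/sec'
)

# One counter per line in a file keeps the command line short and reviewable.
$counterFile = Join-Path $env:TEMP "$setName-counters.txt"
$loanCounters + $researchCounters + $commonCounters | Set-Content -Path $counterFile

# -si 00:00:15  fifteen-second samples are fine for a baseline run of limited length
# -rf 01:00:00  stop after one hour so the set cannot run unattended for days
# -f bincirc -max 100  circular binary log capped at 100 MB
# -ow           overwrite an existing log of the same name
& logman.exe create counter $setName -cf $counterFile -si 00:00:15 -rf 01:00:00 `
    -f bincirc -max 100 -o $outDir -ow
if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }

& logman.exe start $setName
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

# When the hour is up the set stops on its own. Open the .blg in Reliability and
# Performance Monitor, or flatten it for a spreadsheet with:
#   relog <file>.blg -f csv -o baseline.csv
```

Capturing the two departments with one set and separating them at analysis time is deliberate: the counters are server-side, so the domain controller cannot tell a loan-department logon from a research-department search except by when it happens. The baseline document should therefore record the time windows (shift changes, end of day) alongside the numbers, which is exactly the information the user survey in Exercise 1 is meant to supply.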

Exercise 3: Evaluating and Revising a Baseline Document in the Face of Business Changes

Scenario

The scenario is the same as in Exercise 1, but the IT department has just been informed that the domain controller is about to support twice as many users as it does presently.

Exercise Overview

In this exercise, you will discuss as a class whether the baseline document should be modified in view of the increased user population, and explore possible procedures and organizational standards for modifying (or suggesting modifications to) the baseline document.

Task 1: Decide whether the baseline document should be modified

1. Discuss the pros and cons of modifying the baseline document for the upcoming change.

2. What questions would you ask in order to determine whether the Active Directory performance baseline document should be modified? Examples:

• Is the increase in the user population permanent or temporary?

• Will the new users be domain users?

• Will the new users be running AD LDS?

Answers will vary.


Task 2: Discuss the procedures and standards for modifying a baseline document

1. Discuss who in the organization should be able to initiate a baseline modification suggestion.

2. Discuss who should review such suggestions, and how often they should perform such a review.

3. Discuss what happens to a baseline document that is never updated.

Answers will vary.

Results: After this exercise, you should have heard various perspectives and ideas on the pros and cons of modifying Active Directory baseline documentation, and on how to implement such modifications in a realistic and practical way.


Module 3: Monitoring the System Health of Active Directory Servers

Lab: Monitoring Active Directory Server Roles

Logon Information:

• Virtual Machine: NYC-DC1

• User Name: Administrator

• Password: Pa$$w0rd

Estimated time: 75 minutes

Exercise 1: Setting a Performance Alert to Meet a Business Goal

Scenario

The management at Woodgrove Bank has issued a directive to the IT department to respond more proactively when Active Directory® domain controllers are overloaded beyond “normal” time-of-day spikes. The business goal is to address short-term domain performance problems before users start calling the Help Desk to report them. The bank would prefer not to spend money on additional monitoring and alerting tools and would also like the solution to have a light footprint in terms of system overhead.


Two system administrators have offered plans for generating an alert. The plans are basically identical in terms of the performance objects and counters to be monitored, and include the following, among others:

• Processor\Percent processor time

• PhysicalDisk\Avg. disk queue length

• Network Interface\bytes received/sec

• Network Interface\bytes sent/sec

• Directory Service\LDAP searches/sec

• Directory Service\DS reads/sec

• Directory Service\DRA inbound bytes total/sec

• Directory Service\DRA outbound bytes total/sec

The plans also suggest that over-threshold events should produce an e-mail to at least one network administrator. Just creating an entry in the event log is not proactive enough to meet the management mandate. However, Plan 1 specifies a 5-second sampling interval, and Plan 2 specifies a 5-minute sampling interval.

Exercise Overview

In this exercise, you will select an alert plan and implement the plan through Scheduled Tasks and the Windows® Reliability and Performance Monitor.

Task 1: Decide which plan you would recommend, Plan 1 or Plan 2

• Decide whether you would recommend Plan 1 or Plan 2. The key criteria to consider are as follows:

• The bank is interested in detecting Active Directory performance problems beyond the normal time-of-day spikes.

• The solution should have a light footprint in terms of system overhead.

These criteria suggest that Plan 2 is preferable, because the longer sampling interval makes false alarms less likely and also puts less of a burden on the server. When developing a monitoring/alerting architecture, consider that every CPU cycle that goes towards system overhead is one CPU cycle that is not available for production work.

Task 2: Create a scheduled task for the e-mail alert

1. If it is not already open, open the Microsoft® Lab Launcher.

2. If it is not already started, start the NYC-DC1 virtual machine.

3. Log on to NYC-DC1 as WoodgroveBank\Administrator with a password of Pa$$w0rd.

4. In Server Manager, navigate to Configuration and Task Scheduler. (You could also run Task Scheduler by typing taskschd.msc in the Start menu’s search field, but Windows Server® 2008 Server Manager is close to a one-stop shop for administrative work.)

5. Right-click Task Scheduler and click Create Task.

6. The General tab should appear. Name your task Performance alert e-mail, and click Run whether user is logged on or not.

7. Click the Actions tab and then click the New button.

8. In the Action drop-down list, click Send an e-mail.

9. For the e-mail, type the following information and click OK:

• From: [email protected]

• To: [email protected]

• Subject: Active Directory Performance Alert

• Text: NYC-DC1 is reporting a performance alert. Please check the server for abnormal activity.

• SMTP Server: smtp.woodgrovebank.com

10. Click the Settings tab and make sure the Allow task to be run on demand check box is selected.

11. To close the Create Task dialog box, click OK.

12. Enter the credentials of the administrator account (password = Pa$$w0rd) so that the task knows what security context it should use, and then click OK.

13. In the Server Manager navigation pane, expand Task Scheduler and click the Task Scheduler Library node. You should see your new task in the details pane. If not, press the F5 key (refresh) and try again.

Task 3: Create an alert in Performance Monitor

1. In Server Manager, open the Diagnostics, Reliability and Performance, Data Collector Sets, and User Defined nodes.

2. Right-click the User Defined node, click New, and then click Data Collector Set.

3. Name the new Data Collector Set Active Directory Performance Alert, click the Create manually (advanced) option button, and then click Next.

4. Click the Performance Counter Alert option button (not Performance counter!) and click Next.

5. To open a new window where you can add performance counters, click the Add button.

6. Using the Add button, add the DS Directory Reads/sec counter for the DirectoryServices object and click OK. (We will not take the time here to add all the performance counters that you would create in real life.)

7. Set the dialog box options so that the alert will be raised when the value of this counter exceeds 5 reads/sec and click Next. (This value might be based on your observations of stressed servers in your organization.)

8. Click the Open properties for this data collector set option button and then click Finish. In a few moments, the new Data Collector Set properties page will appear.

9. Click the Task tab.

10. Note that this is the location where you can specify a task to run when the Data Collector Set stops. That’s not what we want, so click Cancel.

11. You should see the Data Collector Set (Active Directory Performance Alert) in the navigation pane and the DataCollector01 alert in the details pane. Right-click the alert data collector icon and click Properties.

12. On the Alerts tab, set the sample interval to 5 minutes. Is the alert threshold value set correctly? It should be. This property was created when you created the new Data Collector Set.

13. Click the Alert Action tab. Does this provide a means for starting a scheduled task when the alert triggers? (The answer here is “no.”)

14. Click the Alert Task tab. Under Run this task when an alert is triggered, type the name of the scheduled task that you created in Task 2 of this exercise (it should be Performance alert e-mail), and click OK.

15. Right-click the Active Directory Performance Alert Data Collector Set and click Start.

16. In Server Manager, click the Task Scheduler Library node and then look at the details pane. Has the Performance alert e-mail task executed yet? (Most likely it has not. To test its performance in the real world, you could perform some heavy Active Directory search activity, for example with the help of a script, and see if the task triggers. If it triggers but the e-mail is not delivered, troubleshoot the task and double check the parameters.)

17. Right-click the Active Directory Performance Alert Data Collector Set, and click Stop.

18. Leave the NYC-DC1 virtual machine running if your instructor indicates that you will be doing another lab today. Otherwise, close the virtual machine by performing a normal server shutdown, and save the changes.

Results: This exercise’s successful completion results in the selection of an alert plan and the implementation of that plan through Scheduled Tasks and the Windows® Reliability and Performance Monitor.
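Tasks 2 and 3 done from PowerShell rather than the Server Manager dialogs, as an added example that is not part of the course: the task is built through the Task Scheduler 2.0 COM interface, which offers the same Send an e-mail action as the Create Task dialog, and the alert is built with logman.exe, the command-line face of the Data Collector Set you created. Task and collector names, the counter, the threshold of 5 and the 5-minute interval are the lab's; the From and To addresses are placeholders because the lab's addresses are not reproduced here, and NTDS is the instance name the DirectoryServices counter object exposes on a domain controller.

```powershell
# Added example, not from the course: command-line form of Tasks 2 and 3.
$TaskName  = 'Performance alert e-mail'
$AlertName = 'Active Directory Performance Alert'
$From      = 'from-address@example.com'    # placeholder, not the lab's address
$To        = 'to-address@example.com'      # placeholder, not the lab's address

# Task 2: the same "Send an e-mail" action the Create Task dialog offers, through the
# Task Scheduler 2.0 COM interface that ships with Windows Server 2008.
$cred    = Get-Credential 'WoodgroveBank\Administrator'
$service = New-Object -ComObject Schedule.Service
$service.Connect()
$task = $service.NewTask(0)
$task.RegistrationInfo.Description = 'Mails an administrator when the AD performance alert fires'
$task.Settings.Enabled          = $true
$task.Settings.AllowDemandStart = $true      # the "Allow task to be run on demand" check box
$mail = $task.Actions.Create(2)              # 2 = TASK_ACTION_SEND_EMAIL
$mail.Server  = 'smtp.woodgrovebank.com'
$mail.From    = $From
$mail.To      = $To
$mail.Subject = 'Active Directory Performance Alert'
$mail.Body    = 'NYC-DC1 is reporting a performance alert. Please check the server for abnormal activity.'
# 6 = TASK_CREATE_OR_UPDATE; logon type 1 = TASK_LOGON_PASSWORD, the COM equivalent of
# "Run whether user is logged on or not" with the credentials you typed in step 12.
$folder = $service.GetFolder('\')
$folder.RegisterTaskDefinition($TaskName, $task, 6, $cred.UserName, $cred.GetNetworkCredential().Password, 1) | Out-Null

# Task 3: an alert Data Collector Set sampling every 5 minutes (Plan 2) that starts the
# task when DS Directory Reads/sec exceeds 5. -el also writes an event to the event
# log, so the alert leaves a record even when mail delivery fails, which is the
# troubleshooting case step 16 describes.
$threshold = '\DirectoryServices(NTDS)\DS Directory Reads/sec>5'
logman.exe create alert $AlertName -th $threshold -si 00:05:00 -tn $TaskName -el
logman.exe start $AlertName                  # step 15
logman.exe query $AlertName                  # confirm it is running and shows the threshold
# logman.exe stop $AlertName                 # step 17, once the test is over
```

Run it from an elevated PowerShell prompt on NYC-DC1. The threshold is compared against each sample, so with 5-minute sampling a spike shorter than the interval may never be seen; that is the trade-off Task 1 asked you to weigh against the overhead of 5-second sampling.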

Exercise 2: Discussing Alert Response Strategies

Exercise Overview

In this exercise, you will discuss and list some of the pros and cons of different short-term alert responses. You will also discuss ideas for long-term responses to high traffic alerts.

Task 1: Discuss different short-term alert responses

• Discuss and list some of the pros and cons of different short-term alert responses that server administrators can make, such as the following:

• E-mails to managers

• E-mails to affected users

• Triggered tasks (for example, scripts)

• Personal responses

• Follow-up analysis with affected users

Answers will vary.

Task 2: Discuss different long-term alert responses

• Discuss and list some ideas for how to address Active Directory performance alerts over the long term, including (but not limited to) the following:

• Suggest changes in logon/logoff procedures

• Split out combined functionality to separate servers

• Review the number and placement of Global Catalog servers

• Maintain the Active Directory database

• Move the Active Directory database to higher-performing disk storage

• Move the Active Directory log files to higher-performing disk storage

Answers will vary.

Results: After this exercise, you should have identified a variety of alert responses available to you and the pros and cons of each. You should have also identified the various possible long-term responses to recurring Active Directory performance alerts and shared your experiences with those methods.

Exercise 3: Building a Case for Configuration Change

Scenario

As a result of using performance alerts and monitoring, you and your colleagues have identified several possible long-term improvements that can reduce the frequency and severity of Active Directory performance problems. However, before you can bring your case to management for spending money on additional resources, whatever form those might take (some of these should have been discussed in Exercise 2), you would like to document your cause, and build a case for changing the server configuration.

Exercise Overview

In this exercise, you will explore the different tools for building a case for changing the server configuration.

Task 1: Explore the Event Viewer operational logs

1. If it is not already started, start NYC-DC1.

2. In Server Manager, navigate to Diagnostics, Event Viewer, and expand Applications and Services Logs.

3. Which of the logs in this category would be potentially relevant for an Active Directory server? The answer should include the following:

• Directory Service

• DNS Server

• File Replication Service

4. Click the Directory Service log. In a moment, the details pane will populate with events. Do you see any errors or warnings? (You should. There will be errors indicating that the NYC-DC1 domain controller could not find some of its replication partners. If you cannot easily see the details of a specific event as displayed in the console, double-click that event.)

5. In the navigation pane, expand the logs under Microsoft, Windows. Look at these logs. Would any of the logs in this category be helpful when you are evaluating the performance of an Active Directory server? The answer should include the following:

• CAPI2 (for a certificate server)

• CertificateServicesClient

• Diagnostics-Networking

• GroupPolicy

• MemoryDiagnostics-Results

• Resource-Exhaustion-Detector

• ServerManager

Task 2: Create an Event Viewer subscription

1. Under Event Viewer, click the Subscriptions node.

2. To start the Event Collector service, click the Yes button when prompted.

3. Right-click the Subscriptions node and click Create Subscription.

4. For the subscription name, type Active Directory events for NYC.

5. Leave the destination log set to Forwarded Events.

6. To choose systems from which you would like to collect events, click the Select Computers button.

7. Click the Add Domain Computers button.

8. Type NYC-SVR1 and verify the spelling with the Check Names button.

9. To get back to the subscription properties page, click OK twice.

10. To choose which events you would like to collect, click the Select Events button.

11. Select the Critical and Error check boxes.

12. Click the Event Logs drop-down list, navigate to Applications and Services Logs, select the Directory Service check box, and click OK.

13. To close the properties page for the subscription, click OK. You should now see the subscription in the details pane of Server Manager.

14. Leave the NYC-DC1 virtual machine running if your instructor indicates that you will be doing another lab today. Otherwise, close the virtual machine by executing a normal shutdown, saving your changes.
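The same two tasks from the command line, as an added example that is not part of the course: wevtutil.exe runs the Critical-and-Error filter you set in steps 11 and 12 directly against the Directory Service log (the check from Task 1, step 4), and wecutil.exe creates the subscription from an XML file that carries the choices made in the Create Subscription dialog. The subscription name, destination log and source computer are the lab's; the source's FQDN and the XML file location are assumptions of this example.

```powershell
# Added example, not from the course: Task 1 step 4 and Task 2 from the command line.

# Critical (Level 1) and Error (Level 2) events in the Directory Service log, newest
# first, rendered as text. The same XPath filter drives the subscription below, so what
# prints here is what the collector will later forward from other machines.
$levelFilter = '*[System[(Level=1 or Level=2)]]'
wevtutil.exe qe 'Directory Service' /q:$levelFilter /c:20 /rd:true /f:text

# Task 2, step 2: enabling the Windows Event Collector service is what the "Yes"
# prompt does; qc /q does it without the prompt.
wecutil.exe qc /q

# Steps 3-12 as a subscription definition: collector-initiated, into Forwarded Events,
# one domain computer as source, Critical and Error from Directory Service.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Active Directory events for NYC</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Directory Service critical and error events from NYC servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Directory Service">$levelFilter</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>NYC-SVR1.woodgrovebank.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
$xmlPath = 'C:\Scripts\ad-events-nyc.xml'    # assumption of this example; any writable path works
New-Item -ItemType Directory -Path (Split-Path $xmlPath) -Force | Out-Null
Set-Content -Path $xmlPath -Value $subscription -Encoding ASCII
wecutil.exe cs $xmlPath

# Step 13's "you should now see the subscription", plus what the console does not show
# at a glance: per-source status, which is where a source with WinRM not enabled or
# missing log-read permission turns up before anything reaches Forwarded Events.
wecutil.exe es
wecutil.exe gr 'Active Directory events for NYC'
```

On the source side (NYC-SVR1 here) the lab's GUI steps still apply: winrm quickconfig must have been run, and the collector's computer account needs read access to the Directory Service log, which Microsoft's guidance gives by adding it to the local Event Log Readers group. Until that is done, wecutil gr reports the source as inactive with an access or connection error, which is the quickest way to tell a permission problem from a filter that simply matched nothing.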

Task 3: List other documentation that would support your request for configuration changes and/or new resources

• List other documentation that would support your request for changing the server configuration and/or new resources. Possibilities might include:

• Performance monitor logs

• Help Desk trouble tickets

• Maintenance logs

• Specific experiments with simulated network loads

• “Best practices” magazine articles

• TechNet articles

• White papers

Answers will vary.

Results: After this exercise, you should have identified some of the new capabilities of the Windows Server 2008 event viewer, including operational logs and event subscriptions, both of which may be useful in building a case for configuration change. You should have also created a list of other documentation, both from Windows Server 2008 tools and other sources, that could help support a campaign for making configuration and/or resource changes in response to Active Directory performance monitoring.

Module 4: Managing Active Directory Domain Services

Lab: Managing AD DS

Logon Information:

• Virtual Machine: NYC-DC1

• User Name: Administrator

• Password: Pa$$w0rd

Estimated time: 90 minutes

Exercise 1: Offline Defragging of the Active Directory Database

Scenario

New management has taken over at Woodgrove Bank and the new directors are eager to make changes in the organization. Four specific goals have been set for the Active Directory team:

• Improve the Active Directory server uptime

• Reduce logon times

• Reduce replication delays between sites

• Improve the coordination of Group Policy management

Exercise Overview

In this exercise, you will perform an offline defragmentation of the NTDS database. In conjunction with the new directive to improve Active Directory server uptime, you need to minimize server downtime during this regularly-scheduled maintenance activity. Windows Server® 2008 enables you to reduce downtime by stopping and starting Active Directory Domain Services (AD DS) without bringing down the entire server. Therefore, other services provided by any given domain controller (such as DNS) do not have to be interrupted while the Active Directory database is being maintained.

Task 1: Stop AD DS via Server Manager

1. Start NYC-DC1, if it is not already running.

2. Log on to NYC-DC1 as WoodgroveBank\Administrator with the password of Pa$$w0rd.

3. If Server Manager does not start automatically in a few moments, run it from the Start menu.

4. In the Server Manager navigation pane, expand Roles and click Active Directory Domain Services. The details pane should populate with information relevant to this role.

5. In the details pane, under System Services, click Active Directory Domain Services, and then click the Stop button to the right.

6. Click the Stop Dependent Services button that appears, which informs you of the dependent services the console will also stop.

Task 2: Perform a defragmentation without rebooting

1. With Server Manager open, click Start and then click Command Prompt.

2. Type ntdsutil and press Enter.

3. Type activate instance ntds and press Enter. This tells the program that you wish to work with the NTDS database, not some other database (such as one you may be using with Active Directory Lightweight Directory Services (AD LDS)).

4. Type files and press Enter.

5. Type info and press Enter. Note the size of the database NTDS.DIT.

6. To begin the compaction procedure, type compact to c:\windows. As a best practice, you would probably create a special folder for this purpose, but for now, we know that the Windows® directory exists.

7. After a few moments, read the advice that the NTDSUTIL program provides. To quit NTDSUTIL, type quit twice.

8. At the command prompt, type copy c:\windows\ntds.dit c:\windows\ntds.

9. To overwrite the existing version of the database, type Y and then press Enter.

10. Exit the command prompt.

Task 3: Restart AD DS via Server Manager

1. Go back to the Server Manager window.

2. In the details pane, under System Services, click Active Directory Domain Services, and then click the Start button on the right.

3. Wait a moment until the service (and its dependent services) show as running. You have restarted AD DS.

4. Leave NYC-DC1 running for future labs.

Results: The successful completion of the exercise results in a properly defragmented Active Directory database with minimal server downtime.
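Tasks 1 to 3 as one script, an added example that is not part of the course, with two things the lab leaves implicit made explicit: the dependent services that Server Manager stopped are started again afterwards, and the advice ntdsutil prints after compaction (replace the database, remove the old logs, check integrity) is carried out rather than only read. The NTDS folder is the default C:\Windows\NTDS; the scratch folder C:\NTDS-Compact and the backup file name are assumptions of this example.

```powershell
# Added example, not from the course: Tasks 1-3 without the Server Manager and
# Command Prompt round trips. The scratch folder is an assumption of this example.
$NtdsDir = 'C:\Windows\NTDS'
$Scratch = 'C:\NTDS-Compact'
New-Item -ItemType Directory -Path $Scratch -Force | Out-Null

# Task 1: stop AD DS. -Force stops the dependent services, as the "Stop Dependent
# Services" button does. Remember which of them were running, because starting NTDS
# alone in Task 3 does not bring them back.
$dependents = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force

# Keep the uncompacted database so the change can be undone if anything below fails.
Copy-Item -Path (Join-Path $NtdsDir 'ntds.dit') -Destination (Join-Path $Scratch 'ntds.dit.before') -Force

# Task 2, steps 2-7: ntdsutil accepts its menu commands as arguments, so the
# interactive session from the lab runs unattended; the second quit exits the tool.
ntdsutil.exe 'activate instance ntds' files info "compact to $Scratch" quit quit
if (-not (Test-Path (Join-Path $Scratch 'ntds.dit'))) {
    Start-Service -Name NTDS
    throw 'compaction produced no ntds.dit; NTDS restarted on the original database'
}

# Task 2, steps 8-9, plus the advice ntdsutil prints after compacting: remove the old
# transaction logs and run the integrity check before the service is started again.
Copy-Item -Path (Join-Path $Scratch 'ntds.dit') -Destination (Join-Path $NtdsDir 'ntds.dit') -Force
Remove-Item -Path (Join-Path $NtdsDir '*.log') -Force
$check = ntdsutil.exe 'activate instance ntds' files integrity quit quit
$check
if (-not ($check -match 'Integrity check successful')) {
    throw 'integrity check did not report success; restore ntds.dit.before from the scratch folder before starting AD DS'
}

# Task 3: start AD DS and whatever depended on it.
Start-Service -Name NTDS
foreach ($svc in $dependents) { Start-Service -Name $svc.Name }
Get-Service -Name NTDS | Select-Object Name, Status
```

Note the size ntdsutil prints for the compacted file against the figure from step 5; the saving is the only measurable result of the exercise. The script deliberately keeps the pre-compaction copy in the scratch folder rather than deleting it, because the integrity check is the last point at which a bad compaction can still be undone without restoring from backup.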

Exercise 2: Evaluating an RODC with Read-Only DNS Solution

Scenario

The scenario is the same as in Exercise 1, but more details have been provided about a new branch opening in Miami, Florida. The branch will connect to the NYC domain over a WAN link that is planned to operate at sub-T1 speeds. The new branch office will have 140 employees, all of whom will be domain members in Active Directory. Many of the employees will be in service positions where quick logon and logoff performance will be desired to minimize customer wait time.

Exercise Overview

In this exercise, you will discuss some of the questions that might meet the second goal laid out in the IT goals document. The goal is to reduce logon times, specifically for employees in the new Miami branch.

Task: Discuss the following questions

• Generally speaking, where should you consider installing a Read-Only Domain Controller (RODC)? (The answer should include situations with limited physical security and where experienced domain administrators are not on-site.)

• Do all RODCs need to be running DNS? (The answer is no. If there is only one RODC at a given site, it will often be advantageous to have that machine running DNS, due to the frequency of DNS lookups performed by a domain controller.)

• Should more than one RODC be running DNS in a given location? (This is open to debate, but there may be benefits in terms of DNS consistency if only one RODC per site is actually running DNS.)

• Should Woodgrove Bank consider a caching-only DNS server before an RODC? (Generally, yes. A caching-only DNS server is easy to set up and does not need to be a powerful machine. It is also easier to administer and maintain than an RODC.)

Results: The successful completion of this exercise results in you having explained the pros and cons of using RODCs to reduce logon times.

Exercise 3: Making Site Replication Decisions

Scenario

The scenario is the same as in Exercise 1, but you need to reduce replication delays, specifically between the NYC and the Miami sites.

Task 1: Create a site for the Miami location

1. In the Server Manager navigation pane, expand Roles, expand Active Directory Domain Services, Active Directory Sites and Services, and Sites. If you receive one or more error messages, and you performed Exercise 1 of this lab, close and re-open Server Manager, and then try again.

2. Expand Default-First-Site-Name and Servers. Click the Servers node and view the results in the details pane.

3. You are going to create a new site and move the MIA-RODC server into that new site. Right-click the Sites container and click New Site.

4. Name the site FloridaSite. Click DEFAULTIPSITELINK to highlight it and then click OK.

5. Click OK at the informational message.

Task 2: Move the MIA-RODC server to the Miami site

1. From the Servers folder, under Default-First-Site-Name, drag the MIA-RODC server object and drop it into the Servers folder under FloridaSite.

2. Read the warning and click Yes. The MIA-RODC server should now appear under the FloridaSite container.

Note: You will not take the time here to create the subnet definitions for FloridaSite and for Default-First-Site-Name, but be aware that these steps would be necessary in an actual network.

Task 3: Modify the replication schedule to the Miami site to reduce latency

1. Under the Sites node, expand Inter-Site Transports and click the IP container.

2. In the details pane, right-click DEFAULTIPSITELINK and click Properties.

3. In the Replicate every field, change the value from 180 minutes to 60 minutes and click the Apply button. This is the frequency with which the sites joined by this site link will replicate. Decreasing the interval complies with one of the management directives in the scenario and will bring the two sites up-to-date more rapidly (at the cost of some increase in replication traffic across the WAN link).

4. Click the Change Schedule button.

5. Modify the replication schedule to exclude the time period from noon to 4:00pm for all days.

6. To close the open dialog boxes, click OK twice.

7. Leave NYC-DC1 running for future labs.

Results: After this exercise, the replication schedule between the default site and the Florida site has been modified to reduce latencies in the propagation of Active Directory information between the sites.
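Tasks 1 to 3 of this exercise, except the schedule change in step 5 of Task 3, scripted against the configuration partition with the ADSI objects available on Windows Server 2008, as an added example that is not part of the course. Site, server and site-link names are the lab's; the configuration naming context is read from RootDSE rather than assumed.

```powershell
# Added example, not from the course: Tasks 1-3 (minus the schedule in step 5) against
# the configuration partition. All names are the lab's.
$rootDSE  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDSE.Get('configurationNamingContext')
$sitesDN  = "CN=Sites,$configNC"

# Task 1: the site object plus the two children Sites and Services creates with it.
$sites = [ADSI]"LDAP://$sitesDN"
$site  = $sites.Create('site', 'CN=FloridaSite')
$site.SetInfo()
$settings = $site.Create('nTDSSiteSettings', 'CN=NTDS Site Settings')
$settings.SetInfo()
$servers  = $site.Create('serversContainer', 'CN=Servers')
$servers.SetInfo()

# Picking DEFAULTIPSITELINK in the New Site dialog (step 4) adds the site to that
# link's siteList; without a site link the new site has no inter-site replication path.
$link = [ADSI]"LDAP://CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,$sitesDN"
$link.PutEx(3, 'siteList', @("CN=FloridaSite,$sitesDN"))   # 3 = ADS_PROPERTY_APPEND
$link.SetInfo()

# Task 2: move the MIA-RODC server object, the drag-and-drop of step 1.
$dest = [ADSI]"LDAP://CN=Servers,CN=FloridaSite,$sitesDN"
$dest.MoveHere("LDAP://CN=MIA-RODC,CN=Servers,CN=Default-First-Site-Name,$sitesDN", $null) | Out-Null

# Task 3, step 3: replInterval is the "Replicate every" field, in minutes.
$link.Put('replInterval', 60)
$link.SetInfo()

# The KCC normally re-evaluates the topology every 15 minutes; ask it to run now, then
# summarize replication for every DC so the MIA-RODC/NYC-DC1 link can be checked.
repadmin.exe /kcc
repadmin.exe /replsummary
```

The Change Schedule step is left to the console on purpose: the schedule attribute is a binary hour-by-hour bitmap for the whole week, and Sites and Services is the safer place to edit it. The Note under Task 2 still applies: subnet objects for both sites are what lets clients and the KCC associate addresses with sites, and this script does not create them.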

Module 5: Maintaining Security for Active Directory Servers

Lab: Maintaining Security for Active Directory Servers

Logon Information:

• Virtual Machine: NYC-DC1

• User Name: Administrator

• Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Manually Implementing AD DS Server Hardening

Scenario

Woodgrove Bank wants to improve Active Directory security for all its domain controllers. However, the bank does not want to start “from scratch” but wants to use best practice tools from Microsoft®, if possible. The corporate accounts division (Organizational Unit = CorpAccts) has stricter requirements than the loan division (Organizational Unit = Loans).

Task 1: Install the GPOAccelerator tool

1. Open NYC-DC1, if it is not already started, and log on as Administrator with the password of Pa$$w0rd.

2. Click Start, right-click the Computer item, and click Explore.

3. Navigate to the E:\Labfiles folder and run the GPO Accelerator.msi file.

4. When prompted, click Run.

5. At the Welcome screen, click Next.

6. Click I accept the terms in the License Agreement and then click Next.

7. In the Features to Install dialog box, click Next.

8. In the Ready to install dialog box, click Install.

9. When you see the completion dialog box, click Finish.

10. Close the Windows® Explorer window.

Task 2: Create new GPOs with the GPOAccelerator

1. To open the GPO Accelerator folder, click Start, All Programs, and GPO Accelerator.

2. Right-click GPO Accelerator Command-line and click Run as Administrator.

3. At the command prompt, type cscript gpoaccelerator.wsf /wssg /enterprise /lab and press Enter. This creates the following Group Policy Objects:

a. WSSG EC Domain Policy (WSSG stands for Windows Server® Security Guide, which incorporates the GPOAccelerator tool; EC stands for Enterprise Client, intended to be a fairly typical corporate environment where security needs and functionality must be balanced.)

b. WSSG EC Domain Controller Baseline Policy

c. WSSG EC Member Server Baseline Policy

d. <server role> Policy (there are several of these)

4. Read the warning about the fact that you are about to modify your Active Directory environment and click Yes to continue.

5. After a couple of minutes, click OK at the message that the Enterprise lab environment has been created.

6. Click OK when the message urging you to link the Enterprise Domain Policy to your domain appears.

7. Close the Command Prompt window.

Task 3: Examine the settings with the Group Policy Management console

1. Click Start, Administrative Tools, and Group Policy Management.

2. In the Group Policy Management console, expand the topmost node for the forest, expand the Domains node, expand WoodgroveBank.com, and then expand the Group Policy Objects node.

3. Click the WSSG EC Domain Policy GPO.

4. To display the settings contained in this GPO, in the GPMC details pane, click the Settings tab.

5. If you see an Internet Explorer security warning, click Close.

6. Spend a few minutes navigating the settings that Microsoft feels are appropriate for securing an Active Directory domain.

7. Repeat Steps 3 - 6 for at least the following GPOs:

a. WSSG EC AD Certificate Services Servers Policy

b. WSSG EC DNS Servers Policy

c. WSSG EC Domain Controller Baseline Policy

8. To see the new organizational units that you built with the GPOAccelerator script, expand the WSSG EC Member Servers OU GPMC node, and note the various sub-organizational units that exist under that node.

9. Close the Group Policy Management console.

Results: After this exercise, you should have installed the GPOAccelerator tool, created new GPOs with the GPOAccelerator, and examined the settings with the Group Policy Management console.

Exercise 2: Assessing Ongoing Security Requirements

Scenario

The scenario is the same as in Exercise 1.

Exercise Overview

In this exercise, you will install the Microsoft Baseline Security Analyzer (MBSA) and perform a sample run.

Task 1: Install the MBSA 2.1 Beta 2

1. In Windows Explorer, open the E:\Labfiles folder and double-click the mbsasetup.msi file.

2. Click Run to proceed.

3. At the Welcome screen, click Next.

4. Click I accept the license agreement and click Next.

5. In the Destination Folder dialog box, leave the default settings and click Next.

6. In the Start Installation dialog box, click Install. It will take a few moments for the program to install.

7. At the success message, click OK.

8. Close Windows Explorer.

Task 2: Perform an MBSA analysis of NYC-DC1

1. Click Start, All Programs, and Microsoft Baseline Security Analyzer 2.1.

2. Click the Scan a computer icon.

3. Our virtual machines do not have Internet connectivity, so you will not perform the security-patch portion of the scan, which requires MBSA to download a catalog file from the Internet. So, select only the top three check boxes:

a. Check for Windows administrative vulnerabilities

b. Check for weak passwords

c. Check for IIS administrative vulnerabilities

4. Click the Start Scan button.

5. Review the resultant report. Are there any vulnerabilities on NYC-DC1?

6. Close the MBSA window.

Results: After this exercise, you should have installed the MBSA 2.1 Beta 2 and performed an MBSA analysis of NYC-DC1.
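The same scan as Task 2 from the command line, as an added example that is not part of the course, so that it can be scheduled and its reports kept as the kind of baseline evidence Module 3 asked you to collect. MBSA installs mbsacli.exe alongside the GUI; the default install folder and the target list are assumptions of this example.

```powershell
# Added example, not from the course: the Task 2 scan from the command line. The
# install folder is MBSA 2.1's default and, like the target list, an assumption here.
$mbsacli = Join-Path $env:ProgramFiles 'Microsoft Baseline Security Analyzer 2\mbsacli.exe'
$targets = @('NYC-DC1')

foreach ($computer in $targets) {
    # /n names the scan categories to skip: Updates, which needs the catalog MBSA
    # downloads from the Internet (the reason step 3 leaves that box clear), and SQL.
    # OS, IIS and Password checks still run, matching the three boxes that are ticked.
    # /nvc and /nd stop MBSA from reaching out for a version check or catalog download
    # on a lab network with no Internet connectivity.
    & $mbsacli /target $computer /n Updates+SQL /nvc /nd /o "Baseline-%C%-%T%"
}

# Reports are stored under %USERPROFILE%\SecurityScans. /l lists them; /ld <name>
# prints one in full, the command-line form of step 5's "Review the resultant report".
& $mbsacli /l
```

Keeping the dated reports side by side is what turns a one-off scan into a baseline: a finding that appears in this month's report but not last month's is a configuration change worth explaining, which is exactly the kind of evidence Module 3's Exercise 3 was about.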

Exercise 3: Deploying Fine-Grained Password Policies

Scenario

The scenario is the same as in Exercise 1.

Exercise Overview

In this exercise, you will discuss how to deploy fine-grained password policies.

Task: Discuss deploying fine-grained password policies

• Discuss how to deploy fine-grained password policies. There is no correct or incorrect answer, but during the discussion make sure you talk about the following points:

• How many of you envision a use for fine-grained password policies, that is, for making password and account lockout policies apply at the organizational unit level rather than the domain level?

• What do you see as the pros and cons of following Microsoft’s suggested practice and creating “shadow groups” to mirror the membership of organizational units? (For example, one “con” would be that it requires extra administration to periodically synchronize the shadow group membership with organizational membership, although that operation could be scripted.)

• What do you perceive as some of the benefits of having fewer domains, now that it is not necessary to create a domain boundary only because a constituency in your organization needs different password policies? (One example might be that you could have fewer cross-domain references to slow down Active Directory operations.)

• How many people in your organization are conversant with the ADSI Edit and LDIFDE tools?

Results: After this exercise, you should have discussed how to deploy fine-grained password policies and some of the implications such restructuring could have for your overall Active Directory design.
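Two of the discussion points above, worked through as an added example that is not part of the course: a Password Settings Object for the stricter CorpAccts division, imported with LDIFDE, and the scripted shadow-group synchronization that the second bullet names as the main "con" of the approach. The OU and domain names are the lab's; the PSO name and its settings and the group name CorpAccts-Shadow are assumptions of this example, and the domain must be at the Windows Server 2008 functional level for PSOs to be available.

```powershell
# Added example, not from the course. Assumptions: PSO name CorpAccts-PSO and its
# values, group name CorpAccts-Shadow; the OU and domain are the lab's. Requires the
# Windows Server 2008 domain functional level.
$domainDN = ([ADSI]'LDAP://RootDSE').Get('defaultNamingContext')   # DC=woodgrovebank,DC=com in the lab
$ouDN     = "OU=CorpAccts,$domainDN"
$groupDN  = "CN=CorpAccts-Shadow,$ouDN"
$psoDN    = "CN=CorpAccts-PSO,CN=Password Settings Container,CN=System,$domainDN"

# 1. The shadow group: a global security group living in the OU it mirrors.
if (-not [ADSI]::Exists("LDAP://$groupDN")) {
    $ou = [ADSI]"LDAP://$ouDN"
    $g  = $ou.Create('group', 'CN=CorpAccts-Shadow')
    $g.Put('sAMAccountName', 'CorpAccts-Shadow')
    $g.Put('groupType', -2147483646)      # global + security-enabled
    $g.SetInfo()
}

# 2. Make the group's membership equal to the user objects directly under the OU.
#    This is the periodic job the discussion calls a "con": nothing in AD DS does it
#    for you, so it belongs in a scheduled task.
function Sync-ShadowGroup([string]$OuDN, [string]$GroupDN) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$OuDN")
    $searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
    $searcher.SearchScope = 'OneLevel'    # Subtree would also mirror child OUs
    $searcher.PageSize    = 1000          # paged search, so OUs with more than 1000 users work
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $wanted = @{}
    foreach ($r in $searcher.FindAll()) { $wanted[[string]$r.Properties['distinguishedname'][0]] = $true }

    $group   = [ADSI]"LDAP://$GroupDN"
    $current = @{}
    foreach ($dn in @($group.member)) { if ($dn) { $current[[string]$dn] = $true } }

    $added = 0; $removed = 0
    foreach ($dn in $wanted.Keys)  { if (-not $current.ContainsKey($dn)) { $group.Add("LDAP://$dn");    $added++ } }
    foreach ($dn in $current.Keys) { if (-not $wanted.ContainsKey($dn))  { $group.Remove("LDAP://$dn"); $removed++ } }
    "Shadow group $GroupDN : $added added, $removed removed"
}
Sync-ShadowGroup $ouDN $groupDN

# 3. The PSO, created with LDIFDE (the last bullet asks who knows this tool). All ten
#    attributes are mandatory. Durations are negative 100-nanosecond intervals:
#    -864000000000 = 1 day, -36288000000000 = 42 days, -18000000000 = 30 minutes.
#    Lower precedence wins if a user ends up under more than one PSO.
$ldif = @"
dn: $psoDN
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 14
msDS-MinimumPasswordAge: -864000000000
msDS-MaximumPasswordAge: -36288000000000
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: -18000000000
msDS-LockoutDuration: -18000000000
msDS-PSOAppliesTo: $groupDN
"@
$ldf = Join-Path $env:TEMP 'CorpAccts-PSO.ldf'
Set-Content -Path $ldf -Value $ldif -Encoding ASCII
ldifde.exe -i -f $ldf
```

A user's effective policy can be read back from the constructed attribute msDS-ResultantPSO; while it is empty the user is still governed by the Default Domain Policy, which is the check to run after the first synchronization. The member attribute is read in one pass here, so groups above the 1500-value range limit would need ranged retrieval; for an OU-sized shadow group that is rarely a concern.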

Module 6: Managing Active Directory® Service Roles

Lab: Managing Active Directory® Service Roles

Logon Information:

• Virtual Machine: NYC-DC1

• User Name: Administrator

• Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Installing the AD LDS Role

Scenario

Woodgrove Bank is deploying a new customer relations database package that leverages the Active Directory replication engine. The new software requires Active Directory Lightweight Directory Services (AD LDS). Some of the management functions for the new application will be handled by utilities provided by the vendor. However, IT personnel will be responsible for occasional use of Active Directory utilities to help manage the AD LDS instance.

Task 1: Install the AD LDS role on NYC-DC1

1. Start NYC-DC1, if it is not already started.

2. Start Server Manager, if it is not already running.

3. In the navigation pane, right-click the Roles node and click Add Roles.

4. In the Before You Begin dialog box, read the text and click Next.

5. Select the Active Directory Lightweight Directory Services check box and click Next.

6. At the introduction screen, read the content, and then click Next.

7. At the confirmation screen, click Install.

8. At the Installation Results screen, click Close. You should now see the new role in the Roles list in the Server Manager navigation pane.

Task 2: Configure AD LDS for a new instance

1. In the Server Manager navigation pane, under Roles, click the Active Directory Lightweight Directory Services node. In a moment, the details pane should populate with information.

2. In the details pane, under Advanced Tools, click AD LDS Setup Wizard.

3. On the Welcome page, click Next.

4. On the Setup Options page, click A unique instance and click Next.

5. Name the new instance CustApp1 and click Next.

6. Accept the default port values of 50000 and 50001 and click Next.

7. On the Application Directory Partition page, click Yes, create an application directory partition.

8. Name the partition as CN=Custapp1,DC=woodgrovebank,DC=com and click Next.

9. On the File Locations page, accept the defaults and click Next.

10. On the Service Account Selection page, leave Network service account selected and click Next.

11. On the AD LDS Administrators page, click This account and click the Browse button.


12. Click Advanced and click Find now.

13. Click the ITAdmins_WoodgroveGG group and click OK.

14. Back on the Select User or Group page, click OK.

15. Back on the AD LDS Administrators page, click Next.

16. On the Importing LDIF Files page, select the MS-ADLDS-DisplaySpecifiers.LDF and MS-User.LDF check boxes and click Next.

17. On the Ready to Install page, click Next.

18. When prompted for credentials, type woodgrovebank\thomas and Pa$$w0rd, and click OK. (Thomas Andersen is a member of ITAdmins_WoodgroveGG, the group you specified earlier as having administration rights to the new instance. You can verify this, if you like, with Active Directory Users and Computers.)

19. On the completion page, click Finish.

Results: Successful completion of this exercise results in the installation of the AD LDS role and the configuration of one AD LDS instance, CustApp1.
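The wizard steps above are the interactive form of an AD LDS instance build. The following added example, not part of the course, performs the same build unattended with the setup engine behind the wizard (adaminstall.exe and an answer file), which is how you would make the CustApp1 configuration reproducible. It assumes Windows Server 2008 with PowerShell installed and an elevated session; the role ID passed to ServerManagerCmd and the answer-file key names should be checked against ServerManagerCmd -query and the adaminstall answer-file template on your build before use.

```powershell
# Added example, not part of the course: build the CustApp1 instance from Exercise 1 unattended.
# Assumes Windows Server 2008, PowerShell, an elevated session. Check the role ID and the answer-file
# key names against "ServerManagerCmd -query" and the documented adaminstall answer-file template.

# 1. Install the AD LDS role (the command-line front end of Server Manager on Windows Server 2008)
ServerManagerCmd.exe -install ADLDS

# 2. The answers the wizard collects interactively. Ports 50000/50001 rather than 389/636 because
#    NYC-DC1 is a domain controller and AD DS already owns the default LDAP ports. An empty
#    ServiceAccount runs the instance as Network Service, as in the wizard.
$answer = @'
[ADAMInstall]
InstallType=Unique
InstanceName=CustApp1
LocalLDAPPortToListenOn=50000
LocalSSLPortToListenOn=50001
NewApplicationPartitionToCreate=CN=Custapp1,DC=woodgrovebank,DC=com
DataFilesPath=C:\Program Files\Microsoft ADAM\CustApp1\data
LogFilesPath=C:\Program Files\Microsoft ADAM\CustApp1\data
ServiceAccount=
ServicePassword=
Administrator=woodgrovebank\ITAdmins_WoodgroveGG
ImportLDIFFiles="MS-ADLDS-DisplaySpecifiers.LDF" "MS-User.LDF"
'@
$answerPath = Join-Path $env:TEMP 'custapp1-answer.txt'
Set-Content -Path $answerPath -Value $answer -Encoding ASCII

# 3. Run the setup engine against the answer file
& "$env:SystemRoot\ADAM\adaminstall.exe" "/answer:$answerPath"

# 4. An answer file can carry a service-account password; do not leave it behind
Remove-Item -Path $answerPath -Force

# 5. Confirm the instance exists and is listening. AD LDS instances install as the service ADAM_<name>.
Get-Service -Name 'ADAM_CustApp1'
netstat -ano | Select-String ':5000[01]\s'
```

If the build is wrong it is cheaper to remove the instance (Programs and Features lists it under the ADAM_CustApp1 name) and rerun the file than to repair it by hand, which is the point of keeping the answer file under version control and out of the temp directory of the server.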

Exercise 2: Identifying Ongoing Management Concerns

Scenario

The scenario is the same as in Exercise 1.

Exercise Overview

In this exercise, you will discuss the ongoing management issues for the new customer relations database application.


Task: Discuss ongoing management concerns

• Generate a list of issues to go over with the application vendor to determine which management and administration tasks will be managed by vendor software, and which tasks will be managed by tools bundled with Windows Server 2008. There is no absolute correct answer, but the following issues would normally be part of lifecycle management for an AD LDS application:

• Security/authorization

• Backup/restore and disaster recovery methods, including performing a test restore periodically

• Partition management

• Replication management

• Schema management

• Performance monitoring

• Organizational unit management

The customer organization would normally review each of the above areas with the AD LDS application vendor to determine whether vendor software, Windows Server 2008 Active Directory tools, or some combination, should be used to manage each area.

Besides the above, answers will vary.

Results: After this exercise, you will have identified a number of management concerns for an AD LDS application.

Exercise 3: Using Windows Server 2008 Tools for Managing AD LDS

Scenario

The scenario is the same as in Exercise 1. You need to become familiar with how to use Active Directory tools in the context of AD LDS, rather than in the context of managing Active Directory Domain Services (AD DS).


Task 1: Use ADSI Edit to view an AD LDS instance

ADSI Edit is a tool that you can use to view and modify objects in the AD LDS database.

1. In the Server Manager details pane, click the Active Directory Lightweight Directory Services node.

2. Scroll down to the Advanced Tools area and click the ADSI Edit link.

3. In the ADSI Edit console, in the navigation pane, right-click the topmost node, and then click Connect to.

4. Under Connection point, click the Select or type a Distinguished Name or Naming Context option button.

5. Just below the option button, type CN=Custapp1,DC=woodgrovebank,DC=com.

6. Click the Advanced button. In the Advanced window, select the Specify Credentials check box and type Thomas and Pa$$w0rd. (Remember, Thomas is a member of the group that is allowed to manage the instance.)

7. In the Advanced window type the port number for this instance of AD LDS, namely 50000, and then click OK.

8. In the Connection Settings window, click OK. You should now be placed back in the ADSI Edit console, with the naming context for the AD LDS instance loaded.

9. In the ADSI Edit console, in the navigation pane, expand the CN=Custapp1,DC=woodgrovebank,DC=com node. You should see three containers beneath it: CN=LostAndFound, CN=NTDS Quotas and CN=Roles. You would see more containers after initializing the application that needs to use the AD LDS instance.

10. In the navigation pane, click the CN=Roles node.

11. In the details pane, right-click the CN=Users node and click Properties.

12. Explore the properties for this node. Select different attributes by clicking them. Note that in some cases (such as the attribute distinguishedName) you have a View button available, and in other cases (such as the attribute description) the button becomes an Edit button. This tells you that you can use ADSI Edit to modify data in the LDS directory.

13. Close the CN=Users Properties window and then close ADSI Edit.


Task 2: Use LDP to view an AD LDS instance

LDP is an executable, not an MMC snap-in like ADSI Edit, and it is usable with any LDAP directory service. It also provides access to some LDAP operations that ADSI Edit does not.

1. In the Server Manager details pane, with the Active Directory Lightweight Directory Services node highlighted, scroll down to the Advanced Tools area and click the LDP.exe link. The LDP console should open.

2. On the Connection menu, click Connect.

3. In the Server field, type NYC-DC1.woodgrovebank.com.

4. In the Port field, type 50000.

5. Click OK. The details pane of the LDP tool should populate with information.

6. Scroll to the top of the details pane and view the ldap_open command.

7. On the Connection menu, click Bind and the Bind with credentials option button.

8. Type the credentials for Thomas Andersen as follows and click OK:

a. User name: Thomas

b. Password: Pa$$w0rd

c. Domain: woodgrovebank.com

9. View the results of the bind operation at the bottom of the details pane. You have just authenticated to the AD LDS instance through LDP.

10. On the View menu, click Tree.

11. In the BaseDN field, type CN=custapp1,DC=woodgrovebank,DC=com and click OK.

12. In the navigation pane, you should see the same structure appear that you saw in the ADSI Edit tool in Task 1. To get a feel for the kind of information that you can view in LDP, in the navigation pane, under the base DN, double-click the three CN entries and view the properties in the details pane.

13. Close the LDP window.
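Tasks 1 and 2 look at the instance by hand. The following added example, not part of the course, does the same from PowerShell with System.DirectoryServices so the inspection can be repeated, and then covers the first item on the Exercise 2 list (security/authorization) by listing who holds the instance-wide Administrators role. It assumes the lab's server name, LDAP port and partition, and PowerShell 2.0 or later; the credential is prompted for rather than written into the script.

```powershell
# Added example, not part of the course: the view of the CustApp1 instance that ADSI Edit (Task 1)
# and LDP (Task 2) give, scripted, plus an audit of the instance's Administrators role (Exercise 2,
# "Security/authorization"). Assumes the lab's server, port and partition and PowerShell 2.0+.
Add-Type -AssemblyName System.DirectoryServices

$server    = 'NYC-DC1.woodgrovebank.com:50000'        # LDAP port chosen in Exercise 1
$partition = 'CN=Custapp1,DC=woodgrovebank,DC=com'
$cred      = Get-Credential 'woodgrovebank\thomas'    # ITAdmins_WoodgroveGG member; prompts for the password

function Get-LdsEntry([string] $dn) {
    # AuthenticationTypes::Secure binds through SSPI (Negotiate), which is what ADSI Edit does with
    # "Specify Credentials". A simple bind on port 50000 would send the password in clear text.
    $ctorArgs = @("LDAP://$server/$dn", $cred.UserName, $cred.GetNetworkCredential().Password,
                  [System.DirectoryServices.AuthenticationTypes]::Secure)
    New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $ctorArgs
}

# 1. rootDSE: the information LDP prints after ldap_open
$root = Get-LdsEntry 'RootDSE'
Write-Output "Naming contexts on $server"
foreach ($nc in $root.Properties['namingContexts']) { Write-Output "  $nc" }
$configNc = [string] $root.Properties['configurationNamingContext'].Value
$schemaNc = [string] $root.Properties['schemaNamingContext'].Value
Write-Output "  configuration: $configNc"
Write-Output "  schema:        $schemaNc"

# 2. The containers ADSI Edit shows directly under the application partition
$searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList @(
    (Get-LdsEntry $partition), '(objectClass=*)', ([string[]] @('name', 'objectClass')))
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
Write-Output "Containers under $partition"
foreach ($r in $searcher.FindAll()) {
    $class = @($r.Properties['objectclass'])[-1]      # most specific class is listed last
    Write-Output ("  {0}  ({1})" -f $r.Properties['name'][0], $class)
}

# 3. Authorization audit. Windows accounts and groups granted a role appear as
#    foreignSecurityPrincipal objects named by SID; resolve each SID back to an account name.
function Get-LdsRoleMembers([string] $roleDn) {
    $role = Get-LdsEntry $roleDn
    foreach ($memberDn in $role.Properties['member']) {
        $m   = Get-LdsEntry $memberDn
        $sid = $m.Properties['objectSid'].Value
        if ($sid -is [byte[]]) {
            $sidObj = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList @($sid, 0)
            try   { $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(not resolvable from this machine)' }
            New-Object PSObject -Property @{ Member = $memberDn; Sid = $sidObj.Value; Account = $name }
        } else {
            New-Object PSObject -Property @{ Member = $memberDn; Sid = ''; Account = '(AD LDS user object)' }
        }
    }
}
Write-Output "Members of CN=Administrators,CN=Roles,$configNc"
Get-LdsRoleMembers "CN=Administrators,CN=Roles,$configNc" | Format-Table Account, Sid, Member -AutoSize
```

The Administrators role in the configuration partition is the one that grants control over the whole instance, which is why the audit reads that partition rather than CN=Roles under the application partition. After the vendor's utilities have initialized the directory, rerun the last part: a principal in that role that nobody can account for is exactly the change the Exercise 2 discussion is meant to surface.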


Task 3: Use the Schema Console to view the schema for an AD LDS instance

In order to use the schema console, either with AD DS or with AD LDS, the DLL must first be registered, just as with Microsoft® Windows Server 2003.

1. Click Start and open a command prompt.

2. Type regsvr32 schmmgmt.dll and press Enter.

3. Close the success message that appears.

4. Close the Command Prompt window.

5. In order to manage the AD LDS schema, you need to be logged on as Thomas Andersen. So click Start, click the arrow at the lower right, and click Switch User. (Note that in the domain environment, Windows Server 2008 permits you to use Fast User Switching, something that Windows Server 2003 did not permit.)

6. Click the Other User icon, then log on as user Thomas and password Pa$$w0rd. (The domain should default to WoodgroveBank.) Because Thomas Andersen has not logged on to this computer before, it will take a few moments to build the new user profile. By the way, Thomas Andersen needs to be a Schema Admin to perform the rest of these tests; he has already been set up as a member of that group. (Note that the AD DS Schema Admins group does not govern an AD LDS schema: each AD LDS instance protects its own schema partition through the instance's Administrators role, which ITAdmins_WoodgroveGG received in Exercise 1, and viewing the schema requires only read access to the instance.)

7. Close the Server Manager window.

8. Click Start, in the search field, type MMC, and press Enter.

9. When prompted by User Account Control, click Continue.

10. In the generic MMC console, click File and then Add/Remove Snap-In….

11. In the left column, highlight Active Directory Schema, click the Add button, and click OK.

12. In the new console, in the navigation pane, right-click the Active Directory Schema node and click Change Active Directory Domain Controller.

13. In the Change Directory Server dialog box, under the Name column, click <Type a Directory Server name [:port] here>, and type NYC-DC1.woodgrovebank.com:50000.


14. Press Enter, wait for the status column to show Online, and then click OK.

15. In the confirmation dialog box, which is asking you if you want to change the database you are managing, click Yes. The server and port number should reflect in the navigation pane of the schema console. You should see new nodes for classes and attributes.

Note: If you do not see these nodes, close the Schema console and reopen it by repeating Steps 8 through 11 and, if necessary, Steps 12 through 14.

16. Expand the Classes node and scroll down until you see the User entry. (This is the object class that was added when you created the instance in Exercise 1 and specified the LDIF script MS-User.LDF.)

17. Right-click the User entry, click Properties and click the Attributes tab. These are the attributes for the user object in this instance of AD LDS. They are now completely separate from the attributes for the user object in AD DS.

18. Close all open dialog boxes and consoles. When prompted to save console settings for Console, click No.

19. Close the virtual machine by performing a normal shutdown.

Results: After this exercise, you will have seen three tools that you can use to manage an AD LDS instance, and have some understanding of when to use each.
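The schema console shows the user class's attributes after merging what it inherits from its parent classes. The following added example, not part of the course, reads the same information directly from the instance's schema partition, which needs neither regsvr32 nor a second logon session, only an account that can read the instance. It assumes the lab's server and port and PowerShell 2.0 or later; the attribute it checks for at the end is a hypothetical name standing in for whatever the vendor's schema extension will add.

```powershell
# Added example, not part of the course: what the Active Directory Schema snap-in shows on the
# user class's Attributes tab (Task 3), read from the CustApp1 schema partition. Assumes the lab's
# server and port and PowerShell 2.0 or later; the attribute checked at the end is hypothetical.
Add-Type -AssemblyName System.DirectoryServices

$server = 'NYC-DC1.woodgrovebank.com:50000'
$cred   = Get-Credential 'woodgrovebank\thomas'      # any account with read access to the instance

function Get-LdsEntry([string] $dn) {
    $ctorArgs = @("LDAP://$server/$dn", $cred.UserName, $cred.GetNetworkCredential().Password,
                  [System.DirectoryServices.AuthenticationTypes]::Secure)
    New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $ctorArgs
}

# The schema is a separate naming context; rootDSE says where it is for this instance
$schemaNc = [string] (Get-LdsEntry 'RootDSE').Properties['schemaNamingContext'].Value

function Get-ClassSchema([string] $ldapDisplayName) {
    $props = [string[]] @('lDAPDisplayName', 'subClassOf', 'mustContain', 'systemMustContain',
                          'mayContain', 'systemMayContain')
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList @(
        (Get-LdsEntry $schemaNc), "(&(objectClass=classSchema)(lDAPDisplayName=$ldapDisplayName))", $props)
    $searcher.FindOne()
}

function Get-ClassAttributes([string] $className) {
    # The snap-in merges attributes inherited from parent classes, so walk subClassOf up to
    # 'top' (whose subClassOf is itself) and union the mandatory and optional lists.
    $mandatory = @{}; $optional = @{}; $chain = @()
    $name = $className
    while ($name) {
        $cls = Get-ClassSchema $name
        if ($cls -eq $null) { throw "class '$name' not found in $schemaNc" }
        $chain += $name
        foreach ($a in $cls.Properties['mustcontain'])       { $mandatory[$a] = $true }
        foreach ($a in $cls.Properties['systemmustcontain']) { $mandatory[$a] = $true }
        foreach ($a in $cls.Properties['maycontain'])        { $optional[$a]  = $true }
        foreach ($a in $cls.Properties['systemmaycontain'])  { $optional[$a]  = $true }
        $parent = [string] @($cls.Properties['subclassof'])[0]
        $name = if ($parent -and $parent -ne $name) { $parent } else { $null }
    }
    New-Object PSObject -Property @{
        Class       = $className
        Inheritance = ($chain -join ' -> ')
        Mandatory   = @($mandatory.Keys | Sort-Object)
        Optional    = @($optional.Keys  | Sort-Object)
    }
}

$userClass = Get-ClassAttributes 'user'
Write-Output ("{0} on {1}: {2} mandatory, {3} optional attributes" -f $userClass.Class, $server,
    $userClass.Mandatory.Count, $userClass.Optional.Count)
Write-Output ("Inheritance: " + $userClass.Inheritance)
Write-Output ("Mandatory:   " + ($userClass.Mandatory -join ', '))

# Schema additions cannot be rolled back, so record what is already there before the vendor's
# extension runs. The attribute name is hypothetical.
if ($userClass.Optional -contains 'employeeID') { Write-Output 'user may already carry employeeID' }
```

Run the same function against port 389 of NYC-DC1 (the AD DS schema) and diff the two lists to see concretely what step 17 states: after MS-User.LDF is imported the AD LDS user class is its own object, and later changes to the AD DS schema do not reach it.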