W2K8 AD Configuration

7/27/2019 W2K8 AD Configuration

Windows 2008 Active Directory Configuration
Microsoft Test: 70-640

Mark McCoy
MCSE, CNE, CISSP

Agenda
  • Introductions
  • MS 70-640 Test Objectives
  • Certification Text
  • Study Group/Certification Schedule
  • Week 1 Assignment
  • Week 1 Discussion: Ch 1 & 2
  • Questions & Answers
  • Week 1 Homework Assignment

Introductions
  Me
  • Name: Mark McCoy
  • Email: [email protected]
  • Phone: 402-317-0507
  • WWW: www.realmccoysystems.com
  • Blog/Questions: realmccoysystems.Wordpress.com
  You
  • Who are you?
  • Why are you attending this group?
  • What is your career goal?
MS 70-640 Test Objectives
http://www.microsoft.com/learning/en/us/exams/70-640.aspx
  • Configuring the Active Directory infrastructure (25 percent)
  • Creating and maintaining Active Directory objects (24 percent)
  • Configuring Domain Name System (DNS) for Active Directory (16 percent)
  • Maintaining the Active Directory environment (13 percent)
  • Configuring Active Directory Certificate Services (13 percent)
  • Configuring additional Active Directory server roles (9 percent)
70-640 Certification Text
  • MCTS: Windows Server 2008 Active Directory Configuration (Exam 70-640), by Will Panek and James Chellis, Sybex 2008
  • Virtual Library Link: http://library.books24x7.com.proxy.itt-tech.edu/toc.asp?bookid=25192
Study Group Certification Schedule
  • The group will meet three Saturdays a month (the fourth Saturday will be for the IT Professionals Club meeting)
  • We will meet after the IT Professionals Club on the fourth Saturday to stay on schedule
  • We should plan to complete 70-640 test preparation prior to June 15 to provide an opportunity to take the test before June 30,

Week 1 Assignment
  • Read and be prepared to discuss Chapters 1 and 2 of the text

Chapter 1: Overview of Active Directory
  • The Windows NT 4 Domain Construct (the roots of the Active Directory tree and forest)
  • The Benefits of Active Directory
  • The Logical Structure of Active Directory
  • Understanding Active Directory Objects
  • Windows 2008 Server Roles
  • Identity and Access (IDA) in Active Directory
  • Exam Essentials

The Windows NT 4 Domain Construct
  • The NT 4 domain was used to organize users and secure resources
  • The NT 4 domain utilized a FLAT security database called the Security Access Manager (SAM) database
  • The SAM database was stored on the Primary Domain Controller (PDC), which held the read/write copy of the SAM, and copied to a Backup Domain Controller (BDC), which held a read-only copy of the SAM, for redundancy
  • The domain constituted a single administrative unit
  • Windows NT 4 utilized both user domains and resource domains due to limitations on the number of objects a single domain could account for

The Benefits of Active Directory
  • Active Directory implements a hierarchical structure of logical as well as physical objects, which can, and often do, mimic the organizational structure
  • The security database is now stored on multiple read/write domain controllers
  • Active Directory implements a multi-master domain controller model: not PDCs or BDCs, but only domain controllers, each with the same rights
  • Active Directory can store millions of objects, thereby eliminating the need for separate user and resource domains
  • Active Directory implements a distributed, but centralized, security database
  • Active Directory is actually a database, which can be extended (extensible), has a schema (design), and can be queried for information
  • The domain concept has been maintained and serves as a security boundary within the database

The Logical Structure of Active Directory
  • Data Store: The term data store is used to refer to the actual structure that contains the information stored within Active Directory. The data store is implemented as a set of files that resides within the file system of a domain controller.
  • Schema: Structure or design of the Active Directory database
      Attributes: things that describe an object
      Classes: a category of objects
  • Global Catalog: A database that contains all of the information pertaining to objects within all domains in the Active Directory environment
  • Replication: The process of copying the Active Directory database, to include objects, permissions, logical structure, etc., from one domain controller to another
  • Domains, Trees, Forests
      Domain: The basic unit (security boundary) of Active Directory
      Tree: One or more domains in a CONTIGUOUS namespace
      Forest: A collection of domains that may NOT be contiguous
  • Hierarchical Structure: The Active Directory structure is hierarchical as opposed to flat
  • Inheritance: By default, permissions and policies within the domain flow down the hierarchy
  • Trust Relationships: One domain/forest must trust the other in order to grant permissions from one domain/forest to the other. Trusts are transitive (if A trusts B, and B trusts C, it is implied A trusts C)

Understanding Active Directory Objects
  • GUID and SID: Each object in Active Directory has a globally unique identifier (GUID) or security identifier (SID)
  • Organization: Organization (O) is the company or root-level domain
  • Domain Component: Domain component (DC) is a portion of the hierarchical path
  • Common Names: Common name (CN) specifies the names of objects in the directory
  • Organizational Unit: A logical grouping of user accounts and resources
  • User Accounts (Common Names, CN): Users within Active Directory
  • Computer Accounts: Workstations or servers in Active Directory
  • Distinguished Names: The full name of an object starting from the root of the domain
  • Relative Names: The name of an object from a particular point within the domain
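The naming and identifier rules on this slide, worked through in code: a distinguished name is split into its CN, OU and DC components, the relative name and domain are derived from it, and a SID is split into its domain part and RID. This is an added example written for this page, not code from the course text or from Microsoft; every DN and SID in it is constructed, and the helper names (parse_dn, relative_dn, container_path, domain_from_dn, parse_sid, WELL_KNOWN_RIDS) are this example's own.

```python
"""Working with the two kinds of names on this slide: LDAP distinguished names
(built from CN, OU, DC and O components) and security identifiers (SIDs).

Added example, not from the course text; every DN and SID below is constructed."""
import re

# RFC 4514 value escapes: backslash + special character, or backslash + two hex
# digits (handled here for ASCII only, which is all these examples need).
_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2}|.)")


def _unescape(value):
    def repl(m):
        token = m.group(1)
        return chr(int(token, 16)) if len(token) == 2 else token
    return _ESCAPE.sub(repl, value)


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first, so that
    'CN=x,OU=y,DC=z' -> [('CN','x'), ('OU','y'), ('DC','z')].
    Commas escaped as '\\,' are part of the value, not separators."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):    # keep escape pairs intact for now
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.lstrip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), _unescape(value)))
    return pairs


def relative_dn(dn):
    """The relative name: the leaf RDN, the object's name within its own container."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"


def container_path(dn):
    """Organizational units from the domain root down to the object's container."""
    return [v for a, v in reversed(parse_dn(dn)) if a == "OU"]


def domain_from_dn(dn):
    """Join the domain components into the DNS name of the object's domain."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


# Relative identifiers that every AD domain assigns to the same built-in principals.
# The RID is what identifies them: renaming 'Administrator' does not change RID 500.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   518: "Schema Admins", 519: "Enterprise Admins"}


def parse_sid(sid):
    """Break 'S-1-5-21-a-b-c-RID' into its parts and name well-known domain RIDs."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)+)", sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    # Domain SIDs are S-1-5-21-<three sub-authorities>; the last value is the RID.
    is_domain_sid = authority == 5 and subs[0] == 21 and len(subs) == 5
    return {
        "revision": revision,
        "authority": authority,
        "subauthorities": subs,
        "rid": subs[-1],
        "domain_sid": "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs[:-1])))
        if is_domain_sid else None,
        "well_known": WELL_KNOWN_RIDS.get(subs[-1]) if is_domain_sid else None,
    }


if __name__ == "__main__":
    dn = "CN=Doe\\, Jane,OU=Staff,OU=Omaha,DC=example,DC=com"   # constructed
    print(relative_dn(dn), container_path(dn), domain_from_dn(dn))
    print(parse_sid("S-1-5-21-1111-2222-3333-500"))             # constructed
```

parse_dn keeps an escaped comma inside the value, which matters because display names such as "Doe, Jane" are legal CN values and a naive split on commas would turn them into two bogus components. parse_sid separates the domain SID from the RID; the RID is the stable way to recognise the built-in Administrator (500) or Domain Admins (512) in logs and ACLs, whatever those accounts have been renamed to.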

Windows 2008 Server Roles
  • Server Manager (new in 2008): Server Manager is a Microsoft Management Console (MMC) snap-in that allows an administrator to view information about server configuration
  • Active Directory Certificate Services: Used to provide HTTPS, Secure FTP, etc. services; public key encryption
  • Active Directory Domain Services: Becoming a domain controller; can now configure a Read-Only Domain Controller
  • Active Directory Federation Services: Single sign-on across multiple platforms. Organizations can set up trust relationships with other trusted organizations so a user's digital identity and access rights can be accepted without a secondary password
  • Active Directory Lightweight Directory Services: This type of service allows directory-enabled applications to store and retrieve data without needing the dependencies AD DS requires
  • Active Directory Rights Management Services: Active Directory Rights Management Services (AD RMS), included with Microsoft Windows Server 2008, allows administrators or users to determine what access (open, read, modify, etc.) they give to other users in an organization. This access can be used to secure email messages, internal websites, and documents

Identity and Access (IDA) in Active Directory
  • Users may have to access resources on different types of hardware, software, and devices. Many of these systems and devices do not always communicate with each other, so it is not unusual for users to have multiple identities on multiple systems.
  • IDA provides a means to manage identity and access on multiple systems
  • IDA solutions can be categorized into five distinct areas:
      Directory services
      Strong authentication
      Federated identities
      Information protection
      Identity lifecycle management

Chapter 1 Exam Essentials
  • Understand the problems that Active Directory is designed to solve. The creation of a single, centralized directory service can make network operations and management much simpler. Active Directory solves many shortcomings in Windows NT's domain model.
  • Understand Active Directory design goals. Active Directory should be structured to mirror an organization's logical structure. Understand the factors that you should take into account, including business units, geographic structure, and future business requirements.
  • Understand Windows Server 2008 server roles. Understand what the five Active Directory Windows Server 2008 server roles (AD CS, AD DS, AD FS, AD LDS, and AD RMS) do for an organization and its users.
  • Understand identity and access (IDA) solutions. Understand how IDA can help organizations solve the problems associated with multiple usernames and passwords. Understand how the Active Directory Windows Server 2008 server roles work with and affect IDA.

Chapter 2: Domain Name System (16% of Test)
  • Introducing DNS
  • Introducing DNS Zones
  • New Functionality in Windows Server 2008 DNS
  • Introducing DNS Record Types
  • Configuring DNS
  • Monitoring and Troubleshooting DNS
  • Exam Essentials

Introducing DNS
  • The Domain Name System (DNS): A service designed to resolve Internet Protocol (IP) addresses to hostnames
  • DNS Roles:
      DNS Server: Provides DNS service
      DNS Client: Requests DNS service
      Resolver: Software process to determine the IP address from the host address
  • Dynamic versus Non-Dynamic DNS
      Dynamic DNS (RFC 2136) allows clients to update their DNS entry automatically (via the DHCP server)
      In Non-Dynamic DNS, the client systems do not have the ability to update DNS. Updates must be made manually.
      Non-Secure Dynamic DNS: Computers that are not part of Active Directory can dynamically update their DNS entry
      Secure Dynamic DNS: Only members of the Active Directory domain can dynamically update their DNS entry
  • DNS Queries
      Iterative: Client queries DNS servers in turn until the IP address is found
      Recursive: Client makes a request of its local DNS server. The DNS server performs the remaining queries.
      Inverse Queries: Use pointer records (IP address) to find the host

Introducing DNS Zones
  • Primary Zones: The primary zone is responsible for maintaining all of the records for the DNS zone. All record updates occur on the primary zone.
  • Secondary Zones: Secondary zones are non-editable copies of the DNS database. Used for load balancing (also referred to as load sharing). A secondary zone gets its database from a primary zone.
  • Active Directory Integrated Zones: All zone information is maintained in Active Directory. Zone information is replicated with that of Active Directory. Zone information is more secure.
  • Stub Zones: Only contain the IP address of the primary zone DNS server. Stub zones work a lot like secondary zones: the database is a non-editable copy of a primary zone. The stub zone's database contains only the information necessary (three record types) to identify the authoritative DNS servers for a zone.
  • Zone Transfers: Full zone transfer (AXFR); incremental transfer (IXFR)
  • Replication: Active Directory Integrated zone transfers are part of the replication process
New Functionality in Windows Server 2008 DNS
  • Background zone loading: If an organization had to restart a DNS server with an extremely large Active Directory Integrated DNS zones database in the past, it could take hours for DNS data to be retrieved from Active Directory. During this time, the DNS server was unable to service any client requests. To address this issue, Microsoft Windows Server 2008 DNS has implemented background zone loading. As the DNS server restarts, the Active Directory zone data populates the database in the background. This allows the DNS server to service client requests for data from other zones almost immediately after a restart.
  • Support for TCP/IP version 6 (IPv6): IP version 6 is a 128-bit hexadecimal number; four sets of 32 bits
  • Read-only domain controllers: Functions as a domain controller to support logon authentication and resource location, but is read-only
  • GlobalName zone: Intended to assist in the transition from WINS resolution to DNS. These use single-label names (DNS names that do not contain a suffix such as .com, .net, etc.) the same way WINS does. GlobalName zones are not intended to support peer-to-peer networks and workstation name resolution, nor do they support dynamic DNS updates.


Configuring DNS
  • Installing DNS through Server Manager
  • Load Balancing through Round Robin: You set up round robin load balancing by creating multiple resource records with the same hostname but different IP addresses for multiple computers. If round robin is enabled, when a client requests name resolution, the first address entered in the database is returned to the resolver and is then sent to the end of the list. The next time a client attempts to resolve the name, the DNS server returns the second name in the database (which is now the first name) and then sends it to the end of the list, and so on.
  • Configuring a Caching-Only Server
  • Setting Zone Properties: SOA, Name Servers, WINS, Zone Transfers, Security, etc.
  • Configuring Dynamic Updates
  • Creating Delegated DNS Zones
  • Manually Creating Records
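The query models from the "Introducing DNS" slide (iterative, recursive and inverse queries) and the round-robin rotation described above, simulated together in one toy DNS hierarchy so both can be traced. This is an added example for this page, not code from the course text or from Windows DNS; the zones, names and addresses are constructed, and NameServer, RecursiveServer, resolve_iterative, reverse_name, build_hierarchy and first_answers are this example's own names.

```python
"""Toy DNS hierarchy used to show how iterative and recursive lookups,
inverse (PTR) queries and round-robin answers behave.

Constructed example: every zone, name and address below is invented."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class NameServer:
    """A server authoritative for `zone`. `records` maps (name, type) to a deque
    of values; `delegations` maps a child zone to the server authoritative for it."""
    zone: str
    records: dict = field(default_factory=dict)
    delegations: dict = field(default_factory=dict)

    def add_record(self, name, rtype, *values):
        self.records[(name, rtype)] = deque(values)

    def query(self, name, rtype="A"):
        """Return ("answer", [values]), ("referral", NameServer) or ("nxdomain", None)."""
        rrset = self.records.get((name, rtype))
        if rrset is not None:
            answer = list(rrset)
            # Round robin as described in the slides: the record returned first
            # moves to the end of the list, so the next query leads with the next one.
            rrset.rotate(-1)
            return "answer", answer
        # Not ours to answer: refer the querier to the longest matching child zone.
        for child in sorted(self.delegations, key=len, reverse=True):
            if name == child or name.endswith("." + child):
                return "referral", self.delegations[child]
        return "nxdomain", None


def resolve_iterative(root, name, rtype="A", trace=None):
    """Iterative lookup: the querier itself walks from the root, following
    referrals until a server answers (or reports that the name does not exist)."""
    server = root
    while True:
        kind, payload = server.query(name, rtype)
        if trace is not None:
            trace.append((server.zone or ".", kind))
        if kind == "answer":
            return payload
        if kind == "nxdomain":
            return []
        server = payload


class RecursiveServer:
    """The client's local DNS server: it accepts the whole job, walks the
    hierarchy on the client's behalf and caches what it learns."""

    def __init__(self, root):
        self.root = root
        self.cache = {}
        self.upstream_queries = 0  # how many authoritative servers were asked

    def resolve(self, name, rtype="A"):
        key = (name, rtype)
        if key not in self.cache:
            trace = []
            self.cache[key] = resolve_iterative(self.root, name, rtype, trace)
            self.upstream_queries += len(trace)
        # A cached answer is served as cached: round-robin rotation only happens at
        # the authoritative server, so a caching resolver repeats one order until the TTL expires.
        return list(self.cache[key])


def reverse_name(ipv4):
    """Build the in-addr.arpa name an inverse query uses for an IPv4 address."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def build_hierarchy():
    """Root -> com -> example.com, plus the reverse zone for 192.0.2.0/24."""
    root, com, example = NameServer(""), NameServer("com"), NameServer("example.com")
    arpa, rev = NameServer("in-addr.arpa"), NameServer("2.0.192.in-addr.arpa")
    example.add_record("www.example.com", "A", "192.0.2.10", "192.0.2.11", "192.0.2.12")
    example.add_record("mail.example.com", "A", "192.0.2.25")
    rev.add_record(reverse_name("192.0.2.25"), "PTR", "mail.example.com")
    com.delegations["example.com"] = example
    arpa.delegations["2.0.192.in-addr.arpa"] = rev
    root.delegations["com"] = com
    root.delegations["in-addr.arpa"] = arpa
    return root


def first_answers(server, name, count):
    """The address each of `count` successive queries to an authoritative server leads with."""
    return [server.query(name)[1][0] for _ in range(count)]


if __name__ == "__main__":
    root = build_hierarchy()
    trace = []
    print(resolve_iterative(root, "www.example.com", trace=trace), trace)
    local = RecursiveServer(build_hierarchy())
    print(local.resolve("www.example.com"), local.resolve(reverse_name("192.0.2.25"), "PTR"))
    example = build_hierarchy().delegations["com"].delegations["example.com"]
    print(first_answers(example, "www.example.com", 4))
```

Two things the slides state become visible when it runs: in an iterative lookup the client sees every referral (the trace lists the root, com, then example.com), while the recursive server hides that walk and answers the second request from its cache without asking anyone; and because rotation happens only on the authoritative server, a caching resolver hands out the cached order until the record expires, so round robin spreads load less evenly than the description alone suggests.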

Monitoring and Troubleshooting DNS
  • Monitoring DNS with the DNS Snap-In
  • Troubleshooting DNS
  • Using Nslookup: Windows Server 2008 gives you the ability to launch nslookup from the DNS snap-in.
      Using Nslookup on the command line: nslookup DNS_name_or_IP_address server_IP_address
      Using Nslookup in interactive mode
  • Using DNSLint:
      dnslint /d helps diagnose reasons that cause "lame delegation" and other related DNS problems.
      dnslint /ql helps verify a user-defined set of DNS records on multiple DNS servers.
      dnslint /ad helps verify DNS records pertaining to Active Directory replication.
      Here is the syntax for DNSLint:
  • Using Ipconfig:
      ipconfig /all displays additional information about DNS, including the FQDN and the DNS suffix search list.
      ipconfig /flushdns flushes and resets the DNS resolver cache. For more information about this option, see the section "Configuring DNS" earlier in this chapter.
      ipconfig /displaydns displays the contents of the DNS resolver cache. For more information about this option, see "Configuring DNS" earlier in this chapter.
      ipconfig /registerdns

Chapter 2 Exam Essentials
  • Understand the purpose of DNS: resolve host name to IP address
  • Understand the different parts of the DNS database: SOA, MX, Host, PTR, SRV, NS records
  • Know how DNS resolves names
  • Understand the differences among DNS servers, clients, and resolvers
  • Know how to install and configure DNS
  • Know how to create new forward and reverse lookup zones
  • Know how to configure zones for dynamic updates
  • Know how to delegate zones for DNS
  • Understand the tools that are available for monitoring and troubleshooting DNS

Questions and Answers

Week 2 Assignment/Homework
  • Week 2 Lab Preparation: Download lab software from www.DreamSpark.com
      Download Windows 2008 Server ISO (FREE)
      Download Microsoft Virtual PC 2007 install (FREE)
      Get HD (those who haven't gotten theirs yet) from IT Chair; can also use personal laptops
  • Week 2 Reading:
      Read Chapter 3: Planning and Installation of Active Directory
      Read Chapter 4: Installing and Managing Trees and Forests