6425C ENU Beta TrainerHandbook Part2

O F F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T
6425C
Configuring and Troubleshooting
Windows Server
2008 Active
Directory
Domain Services
Volume 1
Be sure to access the extended learning content on your
Course Companion CD enclosed on the back cover of the book.

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
2011 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Press, Access, Active Directory, ActiveX, Convergence, Excel, Forefront, Hyper-V,
Internet Explorer, MS, MSDN, MS-DOS, Outlook, PowerPoint, Segoe, SharePoint, SQL Server, Visio,
Visual Basic, Visual Studio, Windows, Windows Live, Windows Mobile, Windows NT, Windows
PowerShell, Windows Server and Windows Vista. are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.

Product Number: 6425C
Part Number:
Released:

MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER
EDITION Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the Licensed Content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft
updates,
supplements,
Internet-based services, and
support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use
the Licensed Content.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Academic Materials means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the
Licensed Content.
b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. Authorized Training Session(s) means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
MOC) and Microsoft Dynamics Learning Products (formerly know as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one
(1) Course.
d. Course means one of the courses using Licensed Content offered by an Authorized Learning
Center during an Authorized Training Session, each of which provides training on a particular
Microsoft technology subject matter.
e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. Licensed Content means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student
Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.
g. Software means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.

i. Student Content means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include
labs, simulations, and courseware files for a Course.
j. Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an
Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its
behalf.
k. Trainer Content means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
m. Virtual Machine means a virtualized computing experience, created and accessed using
Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered Trainer Content.
n. you means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided
that the number of copies in use does not exceed the number of Students enrolled in and the
Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed
Content on such server does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (ii) or (ii) above during such
Authorized Training Session in accordance with these license terms.

i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions
in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We
may change it for the final, commercial version. We also may not release a commercial version.
You will clearly and conspicuously inform any Students who participate in each Authorized Training
Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with
any further content, including but not limited to the final released version of the Licensed Content
for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and
for any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is
subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary
to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a

protective order or otherwise protect the information. Confidential information does not
include information that
becomes publicly known through no wrongful act;
you received from a third party who did not breach confidentiality obligations to
Microsoft or its suppliers; or
you developed independently.
d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs
you is the end date for using the beta version, or (ii) the commercial release of the final release
version of the Licensed Content, whichever is first (beta term).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released
version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft
Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the
time indicated on the install of the Virtual Machines (between 30 and 500 days after you
install it). You will not receive notice before it stops running. You may not be able to
access data used or information saved with the Virtual Machines when it stops running and
may be forced to reset these Virtual Machines to their original state. You must remove the
Software from the Devices at the end of each Authorized Training Session and reinstall and
launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms
apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk.
Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized
Training Session, you will obtain from Microsoft a product key for the operating system
software for the Virtual Hard Disks and will activate such Software with Microsoft using such
product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:

You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents
thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed
Content solely in an Authorized Training Session. If Trainers have their own copy of the
Licensed Content, they may use Media Elements for their personal training use.
iv. iv Evaluation Software. Any Software that is included in the Student Content designated as
Evaluation Software may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree
or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training
Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those
portions of the Licensed Content that are logically associated with instruction of the Authorized
Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer
agrees: (a) that any of these customizations or reproductions will only be used for providing an
Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.

iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials
and you may not print any book (either electronic or print version) in its entirety. If you
reproduce any Academic Materials, you agree that:
The use of the Academic Materials will be only for your personal reference or training use
You will not republish or post the Academic Materials on any network computer or
broadcast in any media;
You will include the Academic Materials original copyright notice, or a copyright notice to
Microsofts benefit in the format provided below:
Form of Notice:
2010 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone elses use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allow you to use it in certain ways. You may not
install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsofts prior written approval;
work around any technical limitations in the Licensed Content;
reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent
that applicable law expressly permits, despite this limitation;
make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
publish the Licensed Content for others to copy;

transfer the Licensed Content, in whole or in part, to a third party;
access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
rent, lease or lend the Licensed Content; or
use the Licensed Content for commercial hosting services or general business purposes.
Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply
to the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as NFR or Not for Resale.
10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as
Academic Edition or AE. If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an
Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is
terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this
agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-
based services and support services that you use, are the entire agreement for the Licensed
Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.

16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.
Remarque : Ce le contenu sous licence tant distribu au Qubec, Canada, certaines des clauses
dans ce contrat sont fournies ci-dessous en franais.
EXONRATION DE GARANTIE. Le contenu sous licence vis par une licence est offert tel quel . Toute
utilisation de ce contenu sous licence est votre seule risque et pril. Microsoft naccorde aucune autre
garantie expresse. Vous pouvez bnficier de droits additionnels en vertu du droit local sur la protection dues
consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties
implicites de qualit marchande, dadquation un usage particulier et dabsence de contrefaon sont
exclues.
LIMITATION DES DOMMAGES-INTRTS ET EXCLUSION DE RESPONSABILIT POUR LES
DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de
dommages directs uniquement hauteur de 5,00 $ US. Vous ne pouvez prtendre aucune indemnisation
pour les autres dommages, y compris les dommages spciaux, indirects ou accessoires et pertes de
bnfices.
Cette limitation concerne:
tout ce qui est reli au le contenu sous licence , aux services ou au contenu (y compris le code)
figurant sur des sites Internet tiers ou dans des programmes tiers ; et
les rclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilit stricte,
de ngligence ou dune autre faute dans la limite autorise par la loi en vigueur.
Elle sapplique galement, mme si Microsoft connaissait ou devrait connatre lventualit dun tel
dommage. Si votre pays nautorise pas lexclusion ou la limitation de responsabilit pour les dommages
indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou lexclusion ci-dessus ne
sappliquera pas votre gard.
EFFET JURIDIQUE. Le prsent contrat dcrit certains droits juridiques. Vous pourriez avoir dautres droits
prvus par les lois de votre pays. Le prsent contrat ne modifie pas les droits que vous confrent les lois de
votre pays si celles-ci ne le permettent pas.
Thank you for taking our training! Weve worked together with our Microsoft Certied Partners
for Learning Solutions and our Microsoft IT Academies to bring you a world-class learning
experiencewhether youre a professional looking to advance your skills or a
student preparing for a career in IT.
Microsoft Certied Trainers and InstructorsYour instructor is a technical and

instructional expert who meets ongoing certication requirements. And, if instructors
are delivering training at one of our Certied Partners for Learning Solutions, they are
also evaluated throughout the year by students and by Microsoft.

Certication Exam BenetsAfter training, consider taking a Microsoft Certication
exam. Microsoft Certications validate your skills on Microsoft technologies and can help
differentiate you when finding a job or boosting your career. In fact, independent
research by IDC concluded that 75% of managers believe certications are important to
team performance
1
. Ask your instructor about Microsoft Certication exam promotions
and discounts that may be available to you.

Customer Satisfaction GuaranteeOur Certied Partners for Learning Solutions offer
a satisfaction guarantee and we hold them accountable for it. At the end of class, please
complete an evaluation of todays experience. We value your feedback!
We wish you a great learning experience and ongoing success in your career!
Sincerely,
Microsoft Learning
www.microsoft.com/learning
1
IDC, Value of Certication: Team Certication and Organizational Performance, November 2006
Welcome!
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
x Configuring and Troubleshooting Windows Server
2008 Active Directory
Domain Services

Acknowledgement
Microsoft
Learning would like to acknowledge and thank the following for their
contribution towards developing this title. Their effort at various stages in the
development has ensured that you have a good classroom experience.
Damir Dizdarevic Subject Matter Expert
Damir Dizdarevic, a MCT, MCSE, MCTS, and MCITP, is a manager of the Learning
Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir specializes
in Windows Server and Exchange Server. He has worked as a subject matter
expert and technical reviewer on several Microsoft Official Curriculum (MOC)
courses, and has published more than 350 articles in various Information
Technology (IT) magazines, including Windows ITPro. Additionally, he is a
Microsoft Most Valuable Professional for Windows Server Infrastructure
Management.
Conan Kezema Subject Matter Expert
Conan Kezema, B.Ed, MCSE, MCT, is an educator, consultant, network systems
architect, and author who specializes in Microsoft technologies. As an associate of
S.R. Technical Services, Conan has been a subject matter expert, instructional
designer, and author on numerous Microsoft courseware development projects.
Nelson Ruest Technical Reviewer
Nelson Ruest is an IT expert focused on virtualization, continuous service
availability and infrastructure optimization. As an enterprise architect, he has
designed and implemented Active Directory structures that manage over one
million users. He is the co-author of multiple books, including Virtualization: A
Beginners Guide for McGraw-Hill Osborne, MCTS Self-Paced Training Kit (Exam 70-
652): Configuring Windows Server Virtualization with Hyper-V, the best-selling
MCTS Self-Paced Training Kit (Exam 70-640): and Configuring Windows Server 2008
Active Directory for Microsoft Press.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Configuring and Troubleshooting Windows Server
Domain Services xi

Contents
Module 1: Introducing Active Directory Domain Services (AD DS)
Lesson 1: Overview of Active Directory, Identity, and Access 1-4
Lesson 2: Active Directory Components and Concepts 1-21
Lesson 3: Install Active Directory Domain Services 1-46
Lab: Install an AD DS DC to Create a Single Domain Forest 1-56

Module 2: Administering Active Directory Securely and Efficiently
Lesson 1: Work with Active Directory Administration Tools 2-4
Lesson 2: Custom Consoles and Least Privilege 2-14
Lab A: Administering Active Directory Using Administrative Tools 2-25
Lesson 3: Find Objects in Active Directory 2-36
Lab B: Find Objects in Active Directory 2-53
Lesson 4: Use Windows PowerShell to Administer Active Directory 2-62
Lab C: Use Windows PowerShell to Administer Active Directory 2-81
Module 3: Managing Users
Lesson 1: Create and Administer User Accounts 3-4
Lab A: Create and Administer User Accounts 3-29
Lesson 2: Configure User Object Attributes 3-35
Lab B: Configure User Object Attributes 3-51
Lesson 3: Automate User Account Creation 3-61
Lab C: Automate User Account Creation 3-70
Lesson 4: Create and Configure Managed Service Accounts 3-61
Lab D: Create and Configure Managed Service Accounts 3-70
Module 4: Managing Groups
Lesson 1: Overview of Groups 4-4
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
xii Configuring and Troubleshooting Windows Server
Domain Services

Lesson 2: Administer Groups 4-45
Lab A: Administer Groups 4-66
Lesson 3: Best Practices for Group Management 4-74
Lab B: Best Practices for Group Management 4-88
Module 5: Managing Computer Accounts
Lesson 1: Create Computers and Join the Domain 5-4
Lab A: Create Computers and Join the Domain 5-34
Lesson 2: Administer Computer Objects and Accounts 5-42
Lab B: Administer Computer Objects and Accounts 5-62
Lesson 3: Offline Domain Join 5-71
Lab C: Offline Domain Join 5-78
Module 6: Implementing a Group Policy Infrastructure
Lesson 1: Understand Group Policy 6-4
Lesson 2: Implement Group Policy Objects 6-21
Lab A: Implement Group Policy 6-38
Lesson 3: A Deeper Look at Settings and GPOs 6-42
Lab B: Manage Settings and GPOs 6-64
Lesson 4: Group Policy Preferences 6-71
Lab C: Manage Group Policy Preferences 6-79
Lesson 5: Manage Group Policy Scope 6-85
Lab D: Manage Group Policy Scope 6-111
Lesson 6: Group Policy Processing 6-120
Lesson 7: Troubleshoot Policy Application 6-131
Lab E: Troubleshoot Policy Application 6-145
Module 7: Managing Enterprise Security and Configuration with Group Policy
Settings
Lesson 1: Delegate the Support of Computers 7-4
Lab A: Delegate the Support of Computers 7-16
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Domain Services xiii

Lesson 2: Manage Security Settings 7-20
Lab B: Manage Security Settings 7-48
Lesson 3: Manage Software with GPSI 7-61
Lab C: Manage Software with GPSI 7-80
Lesson 4: Auditing 7-88
Lab D: Audit File System Access 7-101
Lesson 5: Software Restriction Policy and AppLocker 7-107
Lab E: Configure Application Control Policies 7-121
Module 8: Securing Administration
Lesson 1: Delegate Administrative Permissions 8-4
Lab A: Delegate Administration 8-25
Lesson 2: Audit Active Directory Changes 8-33
Lab B: Audit Active Directory Changes 8-39
Module 9: Improving the Security of Authentication in an AD DS Domain
Lesson 1: Configure Password and Lockout Policies 9-4
Lab A: Configure Password and Account Lockout Policies 9-24
Lesson 2: Audit Authentication 9-30
Lab B: Audit Authentication 9-39
Lesson 3: Configure Read-Only Domain Controllers 9-43
Lab C: Configure Read-Only Domain Controllers 9-63
Module 10: Configuring Domain Name System
Lesson 1: Review of DNS Concepts, Components, and Processes 10-4
Lesson 2: Install and Configure DNS Server in an AD DS Domain 10-25
Lab A: Install the DNS Service 10-38
Lesson 3: AD DS, DNS, and Windows 10-43
Lesson 4: Advanced DNS Configuration and Administration 10-68
Lab B: Advanced Configuration of DNS 10-81
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
xiv Configuring and Troubleshooting Windows Server
Domain Services

Module 11: Administering AD DS Domain Controllers
Lesson 1: Domain Controller Installation Options 11-4
Lab A: Install Domain Controllers 11-31
Lesson 2: Install a Server Core Domain Controller 11-39
Lab B: Install a Server Core Domain Controller 11-47
Lesson 3: Manage Operations Masters 11-52
Lab C: Transfer Operations Master Roles 11-71
Lesson 4: Configure DFS-R Replication of SYSVOL 11-76
Lab D: Configure DFS-R Replication of SYSVOL 11-84
Module 12: Managing Sites and Active Directory Replication
Lesson 1: Configure Sites and Subnets 12-4
Lab A: Configure Sites and Subnets 12-22
Lesson 2: Configure the Global Catalog and Application Partitions 12-26
Lab B: Configure the Global Catalog and Application Partitions 12-41
Lesson 3: Configure Replication 12-46
Lab C: Configure Replication 12-73
Module 13: Directory Service Continuity
Lesson 1: Monitor Active Directory 13-4
Lab A: Monitor Active Directory Events and Performance 13-35
Lesson 2: Manage the Active Directory Database 13-51
Lab B: Manage the Active Directory Database 13-64
Lesson 3: Active Directory Recycle Bin 13-77
Lab C: Using Active Directory Recycle Bin 13-81
Lesson 4: Back Up and Restore AD DS and Domain Controllers 13-84
Lab D: Back Up and Restore Active Directory 13-97
Module 14: Managing Multiple Domains and Forests
Lesson 1: Configure Domain and Forest Functional Levels 14-3
Lesson 2: Manage Multiple Domains and Trust Relationships 14-15
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Domain Services xv

Lab: Administer a Trust Relationship 14-54
Lesson 3: Move Objects Between Domains and Forests 14-60

Lab Answer Keys

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
About This Course i

About This Course
This section provides you with a brief description of the course, audience,
suggested prerequisites, and course objectives.
Course Description
The purpose of this 5-day course is to teach Active Directory Technology
Specialists how to configure Active Directory Domain Services (AD DS) in a
distributed environment, implement Group Policy, perform backup and restore,
and monitor and troubleshoot Active Directoryrelated issues.After completing
this course, students will be able to implement and configure Active Directory
Domain Services in their enterprise environment.
Audience
The primary audience for this course includes Active Directory Technology
Specialists, Server Administrators, and Enterprise Administrators who want to
learn how to implement Active Directory in a distributed environment; secure
domains using Group Policy; perform backup and restore; and monitor and
troubleshoot Active Directory configuration to ensure trouble-free operation.
Student Prerequisites
This course requires that you meet the following prerequisites:
Basic understanding of networking. You should understand how TCP/IP
functions and have a basic understanding of addressing, name resolution
(Domain Name System [DNS]/Windows Internet Name Service [WINS]),
connection methods (wired, wireless, virtual private network [VPN]), and
NET+ or equivalent knowledge.
Intermediate understanding of network operating systems. You should
have an intermediate understanding ofoperating systems such as Windows
2000, Windows XP, or Windows Server 2003.An understanding ofthe
Windows Vista operating system client is nice to have.
An awareness of security best practices.You should understand file system
permissions, authentication methods, workstation, and server hardening
methods, and so forth.
Basic knowledge of server hardware.You should have an A+ or equivalent
knowledge.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
About This Course ii

Some experience creating objects in Active Directory.
Basic concepts of backup and recovery in a Windows Server
Environment.You should have basic knowledge of backup types, backup
methods, backup topologies, and so forth.

Course Objectives
After completing this course, students will be able to:
Describe the features and functionality of Active Directory Domain Services.
Perform secure and efficient administration of Active Directory.
Manage users and service accounts.
Manage groups.
Manage computer accounts.
Implement a Group Policy infrastructure.
Manage enterprise security and configuration by using Group Policy settings.
Secure administration.
Improve the security of authentication in an AD DS Domain.
Configure Domain Name System.
Administer AD DS domain controllers.
Manage sites and Active Directory.
Monitor, maintain, and back up directory Service to ensure continuity.
Manage multiple domains and forests.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
About This Course iii

Course Outline
This section provides an outline of the course:
Module 1: This module explains how to install and configure Active Directory
Domain Services and install and configure a read-only domain controller.
Module 2: This module explains how to work securely and efficiently in Active
Directory.
Module 3: This module explains how to manage and support user accounts in
Active Directory.
Module 4: This module explains how to create, modify, delete, and support group
objects in Active Directory.
Module 5: This module explains how to create and configure computer accounts.
Module 6: This module explains what Group Policy is, how it works, and howbest
to implement Group Policy in your organization.
Module 7: This module explains how to manage security and software installation
and how to audit files and folders.
Module 8: This module explains how toadminister Active Directory Domain
Services securely.
Module 9: This module explains the domain-side components of authentication,
including the policies that specify password requirements and the auditing of
authentication-related activities.
Module 10: This module explains how to implement DNS to support name
resolution both within your AD DS domain and outside your domain and your
intranet.
Module 11: This module explains how to administer domain controllers in a
forest.
Module 12: This module explains how tocreate a distributed directory service that
supports domain controllers in portions of your network that are separated by
expensive, slow, or unreliable links.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
About This Course iv

Module 13:This module explains about the technologies and tools that are
available to help ensure the health and longevity of the directory service. You will
explore tools that help you monitor performance in real time, and you will learn to
log performance over time so that you can keep an eye on performance trends in
order to spot potential problems.
Module 14:This module explains how toraise the domain and forest functionality
levels within your environment, how to design the optimal AD DS infrastructure
for your enterprise, how to migrate objects between domains and forests, and how
to enable authentication and resources access across multiple domains and forests.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
About This Course v

Course Materials
The following materials are included with your kit:
Course Handbook. The Course Handbook contains the material covered in
class. It is meant to be used in conjunction with the Course Companion CD.
Course Companion CD. The Course Companion CD contains the full course
content, including expanded content for each topic page, full lab exercises and
answer keys, and topical and categorized resources and Web links. It is meant
to be used both inside and outside the class.
Note: To access the full course content, insert the Course Companion CD into the CD-ROM
drive, and then in the root directory of the CD, double-click StartCD.exe.
Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification
Program, send e-mail to mcphelp@microsoft.com.
Virtual Machine Environment
This section provides the information for setting up the classroom environment to
support the business scenario of the course.
Virtual Machine Configuration
In this course, you will use Hyper-Vdeployed on Windows Server 2008 to perform
the labs.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
About This Course vi

The following table shows the role of each virtual machine that this course uses:
Virtual machine Role
6425C-NYC-DC1 Windows Server 2008 DC in Contoso domain
6425C-NYC-DC2 Windows Server 2008 DC in Contoso domain
6425C-NYC-CL1 Windows 7 Client in Contoso domain
6425C-NYC-CL2 Windows 7 Client in Contoso domain
6425C-BRANCHDC01 Windows Server 2008 WorkGroup member
6425C-BRANCHDC02
Windows Server 2008 Server Core DC in Contoso
domain
6425C-NYC-SVR1 Windows Server 2008 WorkGroup member
6425C-NYC-SVR2 Windows Server 2008 WorkGroup member
6425C-NYC-SVR-D Windows Server 2008 WorkGroup member
6425C-TST-DC1 Windows Server 2008 DC in Tailspintoys domain

Software Configuration
The following software is installed on the virtual machines:
Windows Server 2008 R2 Enterprise
Windows 7 Enterprise

Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way. To log on to a virtual machine as a different user while performing the
labs in this course, perform the following steps.
Run an application with administrative credentials.
1. Right-click the application, and then click Run as administrator.
A User Account Control (UAC) dialog box appears.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
About This Course vii

2. The User Account Control dialog box will display one of three options. Do
the steps based on the option you see:
If the User Account Control dialog box prompts you to continue or cancel:
Click Continue.
If the User Account Control dialog box gives you the option to Use another
account:
1. Click Use another account.
2. In the User Name box, type the user name.
3. In the Password box, type the password.
4. Press Enter or click OK.
If the User Account Control dialog box does not give you the option to use
another account, and prompts you for a user name and password:
1. In the User Name box, type the user name.
2. In the Password box, type the password.
3. Press Enter or click OK.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
About This Course viii

Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a
minimum equipment configuration for trainer and student computers in all
Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which
Official Microsoft Learning Product courseware are taught.
Intel Virtualization Technology (IntelVT) or AMD Virtualization (AMD-V)
processor
Dual 120 GB hard disks 7200 RM SATA or better*
4 GB RAM
DVD drive
Network adapter
Super VGA (SVGA) 17-inch monitor
Microsoft Mouse or compatible pointing device
Sound card with amplified speakers
*Striped
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Managing Enterprise Security and Configuration with Group Policy Settings 7-1
Module7
Managing Enterprise Security and Configuration
with Group Policy Settings
Contents:
Lesson 1: Delegate the Support of Computers 7-4
Lab A: Delegate the Support of Computers 7-16
Lesson 2: Manage Security Settings 7-20
Lab B: Manage Security Settings 7-48
Lesson 3: Manage Software with GPSI 7-61
Lab C: Manage Software with GPSI 7-80
Lesson 4: Auditing 7-88
Lab D: Audit File System Access 7-101
Lesson 5: Software Restriction Policy and AppLocker 7-107
Lab E: Configure Application Control Policies 7-121

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-2 Configuring
Module
Group P
and feat
Group P
infrastru
software
Configu
configu
of files a
deploy
applicat
Object
After co
Del
Man
Man
g and Troubleshooting W
Overview
Policy can be use
tures of Window
Policy infrastruct
ucture to manage
e installation. You
uration Wizard, th
red based on a se
and folders. In th
applications by u
tions by using ap
tives
ompleting this mo
legate the suppor
nage security sett
nage software by
indows Server 2008 Ac
w
ed to manage the
s. In the previous
ture. In this modu
e several types of
u will also discov
hat make it easier
ervers roles. You
he final sections o
using Group Polic
pplication control
odule, you will be
rt of computers.
tings.
y using GPSI.
ctive Directory Domain
configuration of
s module, you lea
ule, you will learn
configuration rel
ver tools, such as
r to determine wh
u will also learn h
of the module, yo
cy, and how to re
l policies.
e able to:
Services
a variety of comp
arned how to con
n to apply that
lated to security a
the Security
hich settings sho
ow to configure a
u will learn how
estrict access to

ponents
nfigure a
and
uld be
auditing
to
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Describe the purpose and functionality of auditing
Describe the purpose of Software Restriction Policy and AppLocker.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-4 Configuring
Lesson 1
Delegate
Many en
They ar
desk pe
client co
the cred
local Ad
personn
group, s
a group
group. R
will lear
the loca
comput
adminis
systems
e the Sup
nterprises have o
e often referred t
ersonnel need to
omputers, and th
dentials used by s
dministrators gro
nel do not need th
so do not place th
p representing sup
Restricted groups
rn how to use res
al Administrators
ters to the help d
stration of any sc
s.
pport of C
one or more peop
to as the help des
troubleshoot, con
hese tasks often re
support personne
up on client com
he high level of p
hem in that group
pport personnel i
s policies enable y
stricted groups po
group of clients
esk. The same ap
ope of computer
Compute
ple dedicated to su
sk, desktop suppo
nfigure, or perfor
equire administra
el must be at the
mputers. However
privilege given to
p. Instead, config
is added to the lo
you to do just tha
olicies to add the
and, thereby, del
pproach can be us
s to the team resp
Services
rs
upporting end us
ort, or just suppo
rm other support
ative privileges. T
level of a membe
r, desktop suppor
the Domain Adm
gure client system
ocal Administrato
at, and in this les
e help desk perso
legate support of
sed to delegate th
ponsible for thos

sers.
ort. Help
t tasks on
Therefore,
er of the
rt
mins
ms so that
ors
sson, you
nnel to
f those
he
se
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Objectives
After completing this lesson, you will be able to:
Describe restricted groups.
Use Restricted Groups policies to modify or enforce the membership of
groups.
Use Group Policy Preferences to modify the membership of groups.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-6 Configuring
What
Key Po
When y
Configu
Security
in the fo
Are Restrict
oints
you edit a Group
uration node, the
y Settings node, y
ollowing screen s
ted Groups?
Policy object (GP
Policies node, th
you will find the R
shot.
PO) and expand
he Windows Setti
Restricted Group
Services
the Computer
ings node, and th
ps policy node, as

he
shown
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Restricted Groups policy settings enable you to manage the membership of groups.
There are two types of settings: This group is a member of (the Member Of setting)
and Members of this group (the Members setting).

Its very important to understand the difference between these two settings. A
Member Of setting specifies that the group specified by the policy is a member of
another group. On the left of the previous screen shot, you can see a typical
example: The CONTOSO\Help Desk group is a member of the Administrators
group. When a computer applies this policy setting, it ensures that the Help Desk
group from the domain becomes a member of its local Administrators group. If
there is more than one GPO with restricted groups policies, each Member Of
policy is applied. For example, if a GPO linked to the Client Computers
organizational unit (OU) specifies CONTOSO\Help Desk as a member of
Administrators, and a second GPO linked to the SEA OU (a sub-OU of the Client
Computers OU) specifies CONTOSO\NYC Support as a member of
Administrators, a computer in the NYC OU will add both the Help Desk and NYC
Support groups to its Administrators group in addition to any existing members of
the group, such as Domain Admins. This example is illustrated in the following
screen shot.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-8 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

As you can see, restricted groups policies that use the Member Of setting are
cumulative. The second type of restricted groups policy setting is the Members
setting, which specifies the entire membership of the group specified by the policy.
The dialog box on the right of the side-by-side dialog boxes shown earlier is a
typical example: The Administrators groups Members list is specified as
CONTOSO\Help Desk. When a computer applies this policy setting, it ensures
that the local Administrators groups membership consists only of
CONTOSO\Help Desk. Any members not specified in the policy are removed,
including Domain Admins. The Members setting is the authoritative policyit
defines the final list of members. If there is more than one GPO with restricted
group policies, the GPO with the highest priority prevails. For example, if a GPO
linked to the Client Computers OU specifies the Administrators group
membership as CONTOSO\Help Desk, and another GPO linked to the NYC OU
specifies the Administrators group membership as CONTOSO\NYC Support. The
computers in the NYC OU have only the NYC Support group in their
Administrators group. This example is illustrated in the following screen shot.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

If you use both Members and Member Of restricted groups policies, the precedent
Members policy setting sets the authoritative baseline membership for the group,
and then the cumulative memberships of Member Of policies augment that
baseline.
In your enterprise, be careful to design and test your restricted groups policies to
ensure that they achieve the desired result.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-10 Configuring
Demo
Restri
Key Po
You can
delegati
Demon
1. Star
Pa$
2. On
Pol
Pat
3. In t
and
4. Rig
5. In t
onstration: D
icted Groups
oints
n use restricted gr
ion of administra
nstration Steps
rt 6425C-NYC-DC
$$w0rd.
NYC-DC1 click S
licy Managemen
t.Coleman_Admi
the console tree, e
d then click the G
ht-click the Grou
the Name box, ty
Delegate Adm
s Policies
roups policies wi
ative privileges for
s
C1 and log on as
Start, point to Ad
t with administra
in with the passw
expand Forest:co
Group Policy Obj
up Policy Objects
ype Corporate He
ministration
ith the Member O
r computers by fo
s Pat.Coleman w
dministrative To
ative credentials.
word Pa$$w0rd.
ontoso.com, Dom
jects container.
s container, and t
elp Desk, and th
Services
by Using
Of setting to mana
ollowing these st
ith the password
ools and run Gro
Use the account
mains and conto
then click New.
en click OK.

age the
teps:
d
up
oso.com,
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
6. In the details pane, right-click Corporate Help Desk, and then click Edit.
The Group Policy Management Editor appears.
7. In Group Policy Management Editor, navigate to Computer
Configuration\Policies\Windows Settings\Security Settings\Restricted
Groups.
8. Right-click Restricted Groups and click Add Group.
9. Click Browse and, in the Select Groups dialog box, type the name of the
group you want to add to the Administrators groupfor example,
CONTOSO\Help Deskand click OK.
10. Click OK to close the Add Group dialog box.
A Properties dialog box appears.
11. Click Add next to the This group is a member of section.
12. Type Administrators, and click OK.
The Properties group policy setting should look similar to the dialog box on
the left of the side-by-side dialog boxes shown earlier.
13. Click OK again to close the Properties dialog box.

Delegating the membership of the local Administrators group in this manner adds
the group specified in step 9 to that group. It does not remove any existing
members of the Administrators group. The Group Policy setting simply tells the
client, Make sure this group is a member of the local Administrators group. This
allows for the possibility that individual systems could have other users or groups
in their local Administrators group. This group policy setting is also cumulative. If
multiple GPOs configure different security principals as members of the local
Administrators group, all will be added to the group.
To take complete control of the local Administrators group, follow these steps:
Demonstration Steps
1. In Group Policy Management Editor, navigate to Computer
Configuration\Windows Settings\Security Settings\Restricted Groups.
2. Right-click Restricted Groups, and click Add Group.
3. Type Administrators, and click OK.
A Properties dialog box appears.
4. Click Add next to the Members of this group section.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
5. Click Browse and enter the name of the group you want to make the sole
member of the Administrators groupfor example, CONTOSO\Help Desk
and click OK.
6. Click OK again to close the Add Member dialog box.
The group policy setting Properties should look similar to the dialog box on
the left of the side-by-side dialog boxes shown earlier.
7. Click OK again to close the Properties dialog box.

When you use the Members setting of a restricted groups policy, the Members list
defines the final membership of the specified group. The steps just listed result in a
GPO that authoritatively manages the Administrators group. When a computer
applies this GPO, it adds all members specified by the GPO and removes all
members not specified by the GPO, including Domain Admins. Only the local
Administrator account will not be removed from the Administrators group because
Administrator is a permanent and unremovable member of Administrators.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Defin
Key Po
Group P
M
e Group Me
oints
Policy Preference
Managing Enterprise Sec
mbership wi
es can also be use
curity and Configuration w
ith Group Po
ed to define the m
with Group Policy Setting
olicy Prefere
membership of gr
gs 7-13
nces

oups.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Local Group preferences are available in both Computer Configuration and User
Configuration. The settings for a Local Group preference are shown below.

The three options related to "current user" are available only in the Local Group
preference in User Configuration.
You have the ability to create, delete, replace, or modify (update) a local group. As
you can see in the previous screen shot, you can rename the group, change its
description, or make modifications to the group's membership.
Local Group preferences cannot remove members from a group if those members
were added to a group by using a restricted groups policy setting. Additionally, if a
restricted groups policy setting uses the Members method to define the
authoritative membership of a group, preferences can neither add nor remove
members.
The interactions between Members restricted groups policy settings, Member Of
restricted groups policy settings, Local Group preferences scoped as computer
settings, and Local Group preferences scoped as user settings can be complex to
understand. Be sure to thoroughly test the results if you choose to implement
multiple methods of managing group membership with Group Policy.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Discussion Questions
1. Why might you want to add the currently logged on user?
Answer: While it is not best practice for a user to be logged on as a member of
the local Administrators group, there are still applications and functions that
require administrative privileges to function properly. In these situations, you
might want to allow a user to be a member of the local Administrators group
on computers to which the user logs on. As a tip, you can implement the
Delete All Members Users option and the At The Current User option. When
the preference is processed, all existing user accounts are removed from the
group first, and then the current user is added. The user must then log off and
log on, at which point the user becomes a member of Administrators. During
the next logon policy refresh, the Delete All Member Users setting removes the
user's account, and then re-adds it. So, the user remains a member of
Administrators as long as the user is within the management scope of the
GPO.
2. In what scenario might you want to modify the membership of the local
Administrators group of a computer by using a Local Group preference in the
User Configuration node of a GPO that scopes the preference not to specific
computers, but to specific users?
Answer: Answers will vary. This is a fairly advanced question, but here's the
scenario:
There is a support organization dedicated to helping specific users, such as an
Executive Support team that is on call to support executives of an
organization. In this administrative model, when an executive has a problem,
the Executive Support team should be a member of the Administrators group
on whichever machine the executive is logged on. So, the definition of who
should be in the Administrators group (Executive Support) should "follow" the
executive users rather than be locked (scoped) to a specific set of computers.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-16 Configuring
Lab A: D
Lab Se
For this
begin th
1. On
clic
2. In H
clic
3. In t
4. Log

elegate t
etup
s lab, you will use
he lab, you must
the host comput
ck Hyper-V Mana
Hyper-V Manage
ck Start.
the Actions pane,
g on by using the
User name: Pat.
Password: Pa$$
Domain: Conto
the Suppo
e the available vir
complete the foll
ter, click Start, po
ager.
er, click 6425C-N
click Connect. W
e following creden
.Coleman
$w0rd
so
ort of Co
rtual machine env
lowing steps:
oint to Administr
NYC-DC1, and in
Wait until the virt
ntials:
Services
omputers
vironment. Before
rative Tools, and
n the Actions pane
tual machine star

e you
d then
e,
rts.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Scenario
You have been asked by the corporate security team to lock down the membership
of the Administrators group on client computers. However, you need to provide
the centralized help desk with the ability to perform support tasks for users
throughout the organization. Additionally, you must empower the local site
desktop support team to perform administrative tasks for client computers in that
site.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise: Configure the Membership of Administrators by
Using Restricted Groups Policies
In this exercise, you will use Group Policy to delegate the membership of the
Administrators group. You will first create a GPO with a restricted groups policy
setting that ensures that the Help Desk group is a member of the Administrators
group on all client systems. You will then create a GPO that adds the SEA Support
group to Administrators on clients in the SEA OU. Finally, you will confirm that in
the SEA OU, both Help Desk and SEA Support groups are administrators.
The main tasks for this exercise are as follows:
1. Delegate the administration of all clients in the domain.
2. Create a Seattle Support group.
3. Delegate the administration of a subset of clients in the domain.
4. Confirm the cumulative application of Member Of policies.

Task 1: Delegate the administration of all clients in the domain.
1. On NYC-DC1, run Group Policy Management as an administrator, with the
user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Create a GPO named Corporate Help Desk, scoped to all computers in the
Client Computers OU.
3. Configure a Restricted Groups policy setting that ensures that the Help Desk
group is a member of the Administrators group on all client systems located in
the Client Computers OU.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Task 2: Create a Seattle Support group.
1. Run Active Directory Users and Computers as an administrator, with the
2. In the Groups\Role OU, create a global security group called SEA Support.
3. Close Active Directory Users and Computers.

Task 3: Delegate the administration of a subset of clients in the
domain.
1. Run Group Policy Management, create a GPO named Seattle Support,
scoped to all computers in the Client Computers\SEA OU.
2. Configure a Restricted Groups policy setting that ensures that the SEA
Support group is a member of the Administrators group on all client systems
in the SEA OU.

Task 4: Confirm the cumulative application of Member Of policies.
Use Group Policy Modeling to confirm that a computer in the SEA OU will
include both Help Desk and SEA Support groups in its Administrators group.

Results: In this exercise, you created a Corporate Help Desk GPO that ensures that the
Help Desk group is a member of the local Administrators group on all computers in
the Client Computers OU. Additionally, you created a Seattle Support GPO that adds
the Seattle Support group to the local Administrators group on all client computers in
the SEA OU.
Important: Do not shut down the virtual machine after you are finished with this lab because
the settings you have configured here will be used in subsequent labs.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Review Question
Question: Using only restricted groups policies, what should you do to ensure that
the only members of the local Administrators group on a client computer are the
Help Desk in the site-specific Support group and to remove any other members
from the local Administrators group?
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lesson 2
Manage
Security
2008 in
ports , t
and per
of settin
depend
environ
depend
Therefo
for serv
settings
Server 2
on one
their int
M
Security
y is a primary con
ncludes several se
the network pack
rmissions of users
ngs that can be m
ds on the roles tha
nment, and the se
d on compliance r
ore, you must det
ers in your organ
s in a way that cen
2008 provides sev
or more systems
teractions.
Settings
ncern for all Wind
ettings that affect
kets that are allow
s, and the audited
managed. The app
at the server play
ecurity policies of
regulations enfor
ermine and confi
nization, and you
ntralizes and opti
veral mechanism
. In this lesson, y
dows administrat
the services that
wed into or out of
d activities. There
propriate security
s, the mix of ope
f the organization
ced from outside
igure the security
must be prepare
imizes security co
ms with which to c
you will discover t
tors. Windows Se
are running, the
f the system, the r
e is an enormous
configuration for
rating systems in
n, which themselv
e the organization
y settings that are
ed to manage tho
onfiguration. Win
configure security
these mechanism
gs 7-21

erver
open
rights
s number
r a server
n the
ves
n.
e required
se
ndows
y settings
ms and
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Objectives
Configure security settings on a computer by using the Local Security policy.
Create and apply security templates to manage security configuration.
Analyze security configuration based on security templates.
Create, edit, and apply security policies by using the Security Configuration
Wizard.
Deploy security configuration with Group Policy.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

What
Key Po
Security
and rev
A typica
servers,
configu
Before y
enterpri
policy, b
The sec
customi
and serv
M
Is Security P
oints
y policy managem
ising security set
al enterprise is lik
and domain con
rations, such as b
you even touch th
ise security policy
begin by creating
curity policy, and
izations to the de
ver operating sys
Policy Manag
ment involves des
tings for one or m
kely to have sever
ntrollers. Most en
by delineating var
he technology, yo
y requires; and if
g one.
the requirement
efault, out-of-box
stems.
gement?
signing, deployin
more configuratio
ral configurations
nterprises end up
rious types or rol
ou need to under
f you do not yet h
s it contains, will
security configur
ng, managing, ana
ons of Windows s
s: desktops and la
defining even m
les of servers.
stand what your
have a written sec
l likely require mu
ration of Window
gs 7-23

alyzing,
systems.
aptops,
ore
curity
ultiple
ws client
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
To manage security configuration, you will need to:
Create a security policy for a new application or server role not included in
Server Manager.
Use security policy management tools to apply security policy settings that are
unique to your environment.
Analyze server security settings to ensure that the security policy applied to a
server is appropriate for the server role.
Update a server security policy when the server configuration is modified.

This lesson covers the tools, concepts, and processes required to perform these
tasks. The tools you will encounter in this lesson include:
Local Group Policy
Security Configuration Wizard
Security Templates snap-in
Security Configuration and Analysis snap-in
Domain Group Policy

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Confi
Key Po
Each se
settings
GPO by
console

M
gure the Loc
oints
rver running Win
s that can be man
y using the Group
e. The available po
cal Security P
ndows Server 200
naged by using th
p Policy Object E
olicy setting categ

Policy
08 maintains a co
he local GPO. You
ditor snap-in or t
gories are shown
ollection of secur
u can configure th
the Local Security
n on the next page
gs 7-25

rity
he local
y Policy
e.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

This lesson focuses on the mechanisms with which to configure and manage
security settings rather than on the details of the settings themselves. Many of the
settingsincluding account policies, audit policy, and user rights assignmentare
discussed elsewhere in this course.
Because domain controllers do not have local user accounts and have only
domain accounts, the policies in the Account Policies container of the local GPO
on DCs cannot be configured. Instead, account policies for the domain should be
configured as part of a domain-linked GPO such as the Default Domain Policy
GPO. Account policies are discussed in further detail in Module 8.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The settings found in the local Security Settings policies are a subset of the policies
that can be configured by using domain-based Group Policy, shown below:

As you learned in Module 6, it is a best practice to manage configuration by using
domain-based Group Policy rather than on a machine-by-machine basis by using
local Group Policy. This is particularly true for domain controllers. The Default
Domain Controllers Policy GPO is created when the first domain controller is
promoted for a new domain. It is linked to the Domain Controllers OU and should
be used to manage baseline security settings for all domain controllers in the
domain so that DCs are consistently configured.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-28 Configuring
Mana
Key Po
The sec
templat
text file
security
domain
local GP

age Security
oints
cond mechanism
te. A security tem
with the .inf exte
y template contain
n-based GPO but
PO.
Configuratio
for managing sec
plate is a collectio
ension. As you ca
ns settings that ar
a somewhat diffe

on with Secu
curity configurati
on of configuratio
an see in the follo
re a subset of the
erent subset than
Services
urity Templat
ion is the security
on settings stored
owing screen shot
e settings availabl
those managed b
tes

y
d as a
t, a
le in a
by the
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

The tools used to manage security templates present settings in an interface that
enables you to save your security configurations as files and deploy them when
and where they are needed. You can also use a security template to analyze the
compliance of a computers current configuration against the desired
configuration.
There are several advantages to storing security configuration in security templates.
Because the templates are plaintext files, you can work with them manually as with
any text file, cutting and pasting sections as needed. Second, templates make it
easy to store security configurations of various types so that you can easily apply
different levels of security to computers performing different roles.
Security templates enable you to configure any of the following types of policies
and settings:
Account Policies: Enable you to specify password restrictions, account lockout
policies, and Kerberos policies.
Local Policies: Enable you to configure audit policies, user rights assignments,
and security options policies.
Event Log Policies: Enable you to configure maximum event log sizes and
rollover policies.
Restricted Groups: Enable you to specify the users who are permitted to be
members of specific groups.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
System Services: Enable you to specify the startup types and permissions for
system services.
Registry Permissions: Enable you to set access control permissions for specific
registry keys.
File System Permissions: Enable you to specify access control permissions for
NTFS files and folders.

You can deploy security templates in a variety of ways by using Active Directory
Group Policy Objects, the Security Configuration and Analysis snap-in, or
Secedit.exe. When you associate a security template with an Active Directory GPO,
the settings in the template become part of the GPO. You can also apply a security
template directly to a computer, in which case, the settings in the template become
part of the computers local policies. You will learn about each of these options in
this lesson.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Demo
Key Po
To work
Server 2
you hav
comman
Templa
folder b
templat
To creat
Rig
C:\
clic
You
serv
M
onstration: C
oints
k with security te
2008 does not inc
ve to create one y
nd. The snap-in c
ates in your Docu
becomes the temp
tes.
te a new security
ht-click the node
Users\Documen
ck New Template
u can also create
ver; youll learn h
Create and D
emplates, you use
clude a console w
yourself by using
creates a folder ca
ments folder, and
plate search path,
template:
e that represents y
nts\Administrator
e.
a template that re
how to do that lat
eploy Securi
e the Security Tem
with the Security
the MMC Add/R
alled Security and
d the Documents
, where you can s
your template sea
r\Security\Temp
eflects the curren
ter in this lesson.
ity Template
mplates snap-in. W
Templates snap-i
Remove Snap-in
d a subfolder call
s\Security\Temp
store one or more
arch path
plates, for exampl
nt configuration o
gs 7-31
es

Windows
in, so
led
lates
e security
leand
of a

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Settings are configured in the template in the same way that settings are configured
in a GPO. The Security Templates snap-in is used to configure settings in a security
template. It is just an editorit does not play any role in actually applying those
settings to a system. Configure security settings in a template by using the Security
Templates snap-in. Although the template itself is a text file, the syntax can be
confusing. Using the snap-in ensures that settings are changed through the proper
syntax.
The exception to this rule is adding Registry settings that are not already listed in
the Local Policies\Security Option portion of the template. As new security settings
become known, if they can be configured by using a Registry key, you can add
them to a security template. To do so, you add them to the Registry Values section
of the template.
Note: Be sure to save your changes to a security template by right-clicking the template and
choosing Save.
When you install a server or promote it to a domain controller, a default security
template is applied by Windows. You can find that template in the
%SystemRoot%\Security\Templates folder. On a domain controller, the template
is called DC security.inf. You should not modify this template directly, but you can
copy it to your template search path and modify the copy.
Note: In previous versions of Windows, a number of security templates were available to modify
and apply to a computer. The new role-based configuration of Windows Server 2008 and
the improved Security Configuration Manager have made these templates unnecessary.
Deploying Security Templates by Using Group Policy Objects
Creating and modifying security templates does not improve security unless you
apply those templates. To configure a number of computers in a single operation,
you can import a security template into the GPO for a domain, site, or OU object in
Active Directory.
To import a security template into a GPO:
Right-click the Security Settings node and click Import Policy.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
In the Import Policy From dialog box, if you select the Clear This Database
Before Importing check box, all security settings in the GPO will be erased prior
to importing the template settings. Therefore, the GPOs security settings will
match the templates settings. If you leave the Clear This Database Before
Importing check box cleared, the GPOs security policy settings will remain and
the template's settings will be imported. Any settings defined in the GPO that are
also defined in the template will be replaced with the templates setting.
Demonstration Steps
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.
3. Click Start and in the search box, type mmc.exe and press Enter. When
prompted, supply administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd.
4. Click File, and then click Add/Remove Snap-in.
5. In the Available snap-ins list, select Security Templates, then click Add.
6. Click OK.
7. Click File, and then click Save.
The Save As dialog box appears.
8. Type C:\Security Management, and then press Enter.
9. In the console tree, expand Security Templates.
10. Right-click C:\Users\Pat.Coleman_Admin\Documents\Security
\Templates, and then click New Template.
11. Type DC Remote Desktop, and then click OK.
12. Click Start, point to Administrative Tools and run Group Policy
Management with administrative credentials. Use the account
13. In the console tree, expand Forest:contoso.com, Domains, and contoso.com,
and then click the Group Policy Objects container.
14. In the details pane, right-click the Corporate Help Desk, and then click Edit.
The Group Policy Management Editor appears.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
15. In the console tree, expand Computer Configuration,Policies,Windows
Settings, and then click Security Settings.
16. Right-click Security Settings, and then click Import Policy.
17. Select the DC Remote Desktop template, and then click Open.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Use S
Key Po
You can
templat
analyze
saved as
changed
organiz
As with
console
snap-in
Creatin
To use t
databas
between
your sec
M
ecurity Conf
oints
n use the Security
te to a computer i
the current syste
s a security temp
d a computers se
ations security p
the Security Tem
e with the Security
to a console you
ng a Database
the Security Conf
se that contains a
n the actual secur
curity templates.
figuration an
y Configuration a
interactively. The
em security confi
late. This enables
ecurity settings an
policies.
mplates snap-in, W
y Configuration a
urself.
figuration and An
collection of secu
rity settings on th

nd Analysis
and Analysis snap
e snap-in also pro
guration and com
s you to determin
nd whether the sy
Windows Server 2
and Analysis snap
nalysis snap-in, yo
urity settings. Th
he computer and
p-in to apply a sec
ovides the ability
mpare it with a ba
ne whether someo
ystem conforms
2008 does not in
p-in, so you must
ou must first crea
he database is the
the settings store
gs 7-35

curity
to
aseline
one has
to your
nclude a
t add the
ate a
interface
ed in
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
To create a database (or open an existing one)
Right-click the Security Configuration and Analysis node in the console tree.

You can then import one or more security templates. If you import more than one
template, decide whether to clear the database. If the database is cleared, only the
settings in the new template will be part of the database. If the database is not
cleared, additional template settings that are defined will override settings from
previously imported templates. If the settings in newly imported templates are not
defined, the settings in the database from previously imported templates will
remain.
To summarize, the Security Configuration and Analysis snap-in creates a database
of security settings composed of imported security template settings. The settings
in the database can be applied to the computer or used to analyze the computers
compliance and discrepancies with the desired state. Remember that settings in a
database do not modify the computers settings or the settings in a template until
that database is either used to configure the computer or exported to a template.
Applying Database Settings to a Computer
After you have imported one or more templates to create the database, you can
apply the database settings to the computer.
To apply database settings:
Right-click Security Configuration and Analysis and click Configure
Computer Now.

You will be prompted for a path to an error log that will be generated during the
application of settings. After applying the settings, examine the error log for any
problems.
Analyzing the Security Configuration of a Computer
Before applying the database settings to a computer, you might want to analyze the
computers current configuration to identify discrepancies.
To analyze the security configuration of a computer
Right-click Security Configuration and Analysis and click Analyze Computer
Now.

The system prompts you for the location of its error log file and then proceeds to
compare the computers current settings with the settings in the database.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
After the analysis is complete, the console produces a report such as the one
shown in the following screen shot:

Unlike the display of policy settings in the Group Policy Management Editor,
Group Policy Object Editor, Local Security Policy, or Security Templates snap-ins,
the report shows for each policy the setting defined in the database (which was
derived from the templates you imported) and the computers current setting. The
two settings are compared, and the comparison result is displayed as a flag on the
policy name. For example, the Allow Log On Locally policy setting shows a
discrepancy between the database setting and the computer setting. The meanings
of the flags are as follows:
X in a red circle. Indicates that the policy is defined both in the database and
on the computer but that the configured values do not match.
Green check mark in a white circle. Indicates that the policy is defined both in
the database and on the computer and that the configured values do match.
Question mark in a white circle. Indicates that the policy is not defined in the
database and, therefore, was not analyzed, or that the user running the analysis
did not have the permissions needed to access the policy on the computer.
Exclamation point in a white circle. Indicates that the policy is defined in the
database but does not exist on the computer.
No flag. Indicates that the policy is not defined in the database or on the
computer.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Correcting Security Setting Discrepancies
As you examine the elements of the database and compare its settings with those of
the computer, you might find discrepancies and want to make changes to the
computers configuration or to the database to bring the two settings into
alignment. You can double-click any policy setting to display its Properties dialog
box and modify its value in the database. After youve made changes to the
database, you can apply the database settings to the computer by performing the
steps described earlier, in the Manage Security Configuration with Security
Templates section. ,
Applying or Exporting Database Changes
Modifying a policy value in the Security Configuration and Analysis snap-in
changes the database value only, and not the actual computer setting. For the
changes to take effect on the computer, you must either apply the database settings
to the computer by using the Configure Computer Now command or export the
database to a new template and apply it to the computer by using a GPO or the
Secedit.exe command (discussed in the Secedit.exesection later in this lesson.)
Alternatively, you can modify the computers security settings directly by using the
Local Security Policy console, modifying the appropriate GPO, or manually
manipulating file system or registry permissions. After making such changes,
return to the Security Configuration and Analysis snap-in and choose the Analyze
Computer Now command to refresh the analysis of the computers settings
compared with the database.
Creating a Security Template
You can create a new security template from the database.
To create a security template from the database:
Right-click Security Configuration and Analysis and select Export Template.

The template contains the settings in the database, which have been imported from
one or more security templates and which you have modified to reflect the current
settings of the analyzed computer. The Export Template feature creates a new
template from the current database settings at the time you execute the command,
and not from the computers current settings.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Secedit.exe
Secedit.exe is a command-line utility that performs the same functions as the
Security Configuration and Analysis snap-in. The advantage of Secedit.exe is that
you can call it from scripts and batch files, enabling you to automate your security
template deployments. Another big advantage of Secedit.exe is that you can use it
to apply only part of a security template to a computer, and this is something you
cannot do with the Security Configuration and Analysis snap-in or with GPOs. For
example, if you want to apply the file systems permissions from a template but
leave all the other settings alone, Secedit.exe is the only way to do it.
To use Secedit.exe, you run the program from the command prompt with one of
the following six main parameters and additional parameters for each function:
Configure. Applies all or part of a security database to the local computer. You
can also configure the program to import a security template into the specified
database before applying the database settings to the computer.
Analyze. Compares the computers current security settings with those in a
security database. You can configure the program to import a security template
into the database before performing the analysis. The program stores the
results of the analysis in the database itself, which you can view later by using
the Security Configuration and Analysis snap-in.
Import. Imports all or part of a security template into a specific security
database.
Export. Exports all or part of the settings from a security database to a new
security template.
Validate. Verifies that a security template is using the correct internal syntax.
Generaterollback. Creates a security template you can use to restore a system
to its original configuration after applying another template.

For example, to configure the machine by using a template called BaselineSecurity,
use the following command.
secedit /configure /db BaselineSecurity.sdb
/cfg BaselineSecurity.inf /log BaselineSecurity.log
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
To create a rollback template for the BaselineSecurity template, use the following
command.
secedit /generaterollback /cfg BaselineSecurity.inf
/rbk BaselineSecurityRollback.inf
/log BaselineSecurityRollback.log

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Secur
Key Po
The Sec
by closi
The Sec
Manage
folder.
There is
at the co
http://g
M
rity Configur
oints
curity Configurati
ing ports and disa
curity Configurati
er, in the Security
s also a command
ommand prompt
go.microsoft.com/
ration Wizard
ion Wizard can b
abling services no
ion Wizard can b
y Information sect
d-line version of t
t. For help on the
/fwlink/?LinkId=
d
be used to enhanc
ot required for th
be launched from
tion, or from the
the tool, scwcmd
e command, visit:
=168678.
ce the security of
he servers roles.
m the home page o
Administrative T
.exe. Type scwcm
:
gs 7-41

f a server
of Server
Tools
md.exe /?
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The Security Configuration Wizard is a next-generation security management tool,
which is more advanced than the Security Configuration and Analysis snap-in. The
Security Configuration Wizard is role-based in accordance with the new role-based
configuration of Windows Server 2008. The Security Configuration Wizard creates
a security policyan .xml filethat configures:
Services
Network security including firewall rules
Registry values
Audit policy
Other settings based on the roles of a server

That security policy can then be modified, applied to another server, or
transformed into a GPO for deployment to multiple systems.
Creating a Security Policy
To create a security policy, perform the following steps:
1. Launch the Security Configuration Wizard from the Administrative Tools
folder or the Security Information section on the home page of Server
Manager.
You can open the Security Configuration Wizard Help file by clicking the
Security, Configuration Wizard link on the first page of the wizard.
2. Click Next.
3. On the Configuration Action page, click Create a New Security Policy, and
then click Next.
4. Enter the name of the server to scan and analyze, and then click Next.
The security policy will be based on the roles being performed by the specified
server. You must be an administrator on the server for the analysis of its roles
to proceed. Ensure also that all applications using inbound IP ports are
running prior to running the Security Configuration Wizard.

The Security Configuration Wizard begins the analysis of the selected servers
roles. It uses a security configuration database that defines services and ports
required for each server role supported by the Security Configuration Wizard. The
security configuration database is a set of .xml files installed in
%SystemRoot%\Security\Msscw\Kbs.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Note: In an enterprise environment, centralize the security configuration database so that
administrators use the same database when running the Security Configuration Wizard.
Copy the files in the %SystemRoot%\Security\Msscw\Kbs folder to a network folder.
Then, launch the Security Configuration Wizard with the Scw.exe command by using the
syntax scw.exe /kb DatabaseLocation. For example, the command scw.exe /kb \\NYC-
SVR1\scwkb launches the Security Configuration Wizard by using the security
configuration database in the shared folder scwkb on NYC-SVR1.
The Security Configuration Wizard uses the security configuration database to scan
the selected server and identifies the following:
Roles that are installed on the server
Roles likely being performed by the server
Services installed on the server but not defined in the security configuration
database
IP addresses and subnets configured for the server

The information discovered about the server is saved in a file named Main.xml.
This server-specific file is called the configuration database. This is not to be
confused with the security configuration database used by the Security
Configuration Wizard to perform the analysis.
To display the configuration database:
Click View Configuration Database on the Processing Security
Configuration page.

The initial settings in the configuration database are called the baseline settings.
After the server has been scanned and the configuration database has been created,
you can modify the database, which will then be used to generate the security
policy to configure services, firewall rules, registry settings, and audit policies. The
security policy can then be applied to the server or to other servers playing similar
roles. The Security Configuration Wizard presents each of these four categories of
the security policy in a sectiona series of wizard pages:
Role-based service configuration
Network security
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Registry settings
Audit policy

Security Policy
You can skip any of the last three sections you do not want to include in your
security policy.

When all the configuration sections have been completed or skipped, the Security
Configuration Wizard presents the Security Policy section. The Security Policy File
Name page, shown in the preceding screen shot, enables you to specify a path, a
name, and a description for the security policy.
To examine the settings of the security policy:
Click View Security Policy.

The settings are very well documented by the Security Configuration Wizard.
To import a security template into the security policy.
Click Include Security Templates.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Security templates, discussed earlier in this lesson, contain settings that are not
provided by Managing Security Configuration with Security Templates, including
restricted groups, event log policies, and file system and registry security policies.
By including a security template, you can incorporate a richer collection of
configuration settings in the security policy. If any settings in the security template
conflict with the Security Configuration Wizard, the settings in the Security
Configuration Wizard take precedence. When you click Next, you are given the
option to apply the security template to the server immediately or to apply the
policy later.
Editing a Security Policy
To edit a saved security policy:
1. Open the Security Configuration Wizard.
2. On the Configuration Action page, click Edit an Existing Security Policy.
3. Click Browse to locate the policy .xml file. When prompted to select a server,
select the server that was used to create the security policy.

Applying a Security Policy
To apply a security policy to a server:
2. On the Configuration Action page, click Apply an Existing Security Policy.
3. Click Browse to locate the policy .xml file.
4. On the Select Server page, select a server to which to apply the policy.

Many of the changes specified in a security policy, including the addition of
firewall rules for applications already running and the disabling of services require
that you restart the server. Therefore, as a best practice, restart a server whenever
you apply a security policy.
Rolling Back an Applied Security Policy
If a security policy is applied and it causes undesirable results, you can roll back
the changes. To roll back an applied security policy:
2. On the Configuration Action page, select Rollback the Last Applied Security
Policy.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
When a security policy is applied by the Security Configuration Wizard, a rollback
file is generated that stores the original settings of the system. The rollback process
applies the rollback file.
Modifying Settings of an Applied Security Policy
Alternatively, if an applied security template does not produce an ideal
configuration, you can manually change settings by using the Local Security Policy
console discussed at the beginning of this lesson in the Configuring the Local
Security Policy section.
Deploying a Security Policy Using Group Policy
You can apply a security policy created by the Security Configuration Wizard to a
server by using the Security Configuration Wizard itself, by using the Scwcmd.exe
command, or by transforming the security policy into a GPO.
To transform a security policy into a GPO:
Log on as a domain administrator and run Scwcmd.exe with the transform
command.
For example:
scwcmd transform /p:"Contoso DC Security.xml /g:"Contoso DC
Security GPO
This command will create a GPO called Contoso DC Security GPO with
settings imported from the Contoso DC Security.xml security policy file. The
resulting GPO can then be linked to an appropriate scopesite, domain, or
OUby using the Group Policy Management console. Be sure to type
scwcmd.exe transform /? for help and guidance about this process.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Settin
Key Po
As sugg
with wh
Security
security
settings
configu
policies
addition
.xml file
registry
templat
M
ngs, Templat
oints
gested in the intro
hich to manage se
y Policy console t
y templates, which
s on one or more
ration against the
s generated by the
n to the security c
es that define serv
settings. Security
tes and security p
tes, Policies,
oduction to the le
ecurity settings. Y
to modify settings
h have existed sin
systems and to c
e desired configu
e Security Config
configuration ma
vice startup mod
y policies can inc
policies can be de
and GPOs
esson, there are a
You can use tools
s on an individua
nce Windows 20
compare the curre
uration defined by
guration Wizard a
anagement toolse
es, firewall rules,
corporate security
eployed by using
number of mech
s such as the Loca
al system. You can
00 Server, to man
ent state of a syst
y the template. Se
are the most recen
et. They are role-b
audit policies, an
y templates. Both
Group Policy.
gs 7-47

hanisms
al
n use
nage
tems
ecurity
nt
based
nd some
h security
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The plethora of tools available can make it difficult to identify the best practice for
managing security on one or more systems. Plan to use Group Policy whenever
possible to deploy security configuration. You can generate a GPO from a role-
based security policy produced by the Security Configuration Wizard, which itself
incorporates additional settings from a security template. After the GPO has been
generated, you can make additional changes to the GPO by using the Group Policy
Management Editor snap-in. Settings not managed by Group Policy can be
configured on a server-by-server basis by using the local GPO security settings.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lab B: M
Lab Se
For this
required
1. On
clic
2. In H
clic
3. In t
4. Log

M
Manage Se
etup
s lab, you will use
d, complete the fo
the host comput
ck Hyper-V Mana
Hyper-V Manager
ck Start.
the Actions pane,
g on by using the
User name: Pat.
Password: Pa$$
Domain: Conto
ecurity Se
e the same virtual
ollowing steps:
ager.
r, click 6425C-NY
click Connect. W
e following creden
.Coleman
$w0rd
so
ettings
l machines that w
oint to Administr
YC-DC1, and in t
Wait until the virt
ntials:
were used for Lab
rative Tools, and
the Actions pane,
tual machine star
gs 7-49

b A. If
d then
,
rts.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Scenario
You are an administrator of the contoso.com domain. To secure the directory
service, you want to establish a security configuration to apply to domain
controllers that, among other things, specifies who can log on to domain
controllers by using Remote Desktop to perform administrative tasks.
Exercise 1: Manage Local Security Settings
In this exercise, you will create a group that allows you to manage who is allowed
to log on to NYC-DC1, a domain controller, by using Remote Desktop. You will do
so by configuring security settings directly on NYC-DC1.
1. Enable Remote Desktop on NYC-DC1.
2. Create a global security group named SYS_DC Remote Desktop.
3. Add SYS_DC Remote Desktop to the Remote Desktop Users group.
4. Configure the Local Security Policy to allow remote desktop connections by
SYS_DC Remote Desktop.
5. Revert the local security policy to its default setting.

Task 1: Enable Remote Desktop on NYC-DC1.
1. On NYC-DC1, run Server Manager as an administrator, with the user name
Pat.Coleman_Admin and the password Pa$$w0rd.
2. In the Server Summary section, click Configure Remote Desktop, and then
click Allow connections only from computers running Remote Desktop
with Network Level Authentication (more secure).
3. Close Server Manager.

Task 2: Create a global security group named SYS_DC Remote
Desktop.
2. In the Admins\Admin Groups\Server Delegation OU, create a global
security group named SYS_DC Remote Desktop.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Task 3: Add SYS_DC Remote Desktop to the Remote Desktop Users
group.
To connect using Remote Desktop, a user must have the user logon right to log on
through Remote Desktop Services, which you will grant to the SYS_DC Remote
Desktop group in the next task.
Additionally, the user must have permission to connect to the RDP-Tcp
connection. By default, the Remote Desktop Users group and the Administrators
group have permission to connect to the RDP-Tcp connection. Therefore, you
should add the user (or the SYS_DC Remote Desktop group in this case) to the
Remote Desktop Users group.
1. Add the SYS_DC Remote Desktop group to the Remote Desktop Users
group, found in the Builtin container.

Note: Instead of adding the group to Remote Desktop Users, you could add the SYS_DC
Remote Desktop group to the access control list (ACL) of the RDP-Tcp connection by
using the Remote Desktop Session Host Configuration console. Right-click RDP-Tcp and
click Properties. Then, click the Security tab, click the Add button, and type SYS_DC
Remote Desktop. Click OK twice to close the dialog boxes.
Task 4: Configure the Local Security Policy to allow Remote Desktop
connections by SYS_DC Remote Desktop.
On a domain member (workstation or server), the Remote Desktop Users group
has permission to connect to the RDP-Tcp connection and has user rights to log on
through Remote Desktop Services. Therefore, on a domain member server or
workstation, the easiest way to manage both the user rights and the permission on
RDP-Tcp connection is to add a user or group directly to the Remote Desktop
Users group.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Because NYC-DC1 is a domain controller, only Administrators have the right to log
on with Remote Desktop Services. Therefore, you must explicitly grant the SYS_DC
Remote Desktop group the user logon right to log on through Remote Desktop
Services.
Run Local Security Policy as an administrator, with the user name
Modify the configuration of the user rights policy setting, Allow Log on
through Remote Desktop Services, and add SYS_DC Remote Desktop.

Task 5: Revert the local security policy to its default setting.
You will now revert the policy to its default in preparation for the following
exercises.
1. Modify the configuration of the user rights policy setting, Allow log on
through Remote Desktop Services, and then remove SYS_DC Remote
Desktop.
2. Close Local Security Policy.

Results: In this exercise, you configured each of the local settings necessary to allow
SYS_DC Remote Desktop to log on to NYC-DC1 by using remote desktop.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 2: Create a Security Template
In this exercise, you will create a security template that gives the SYS_DC Remote
Desktop group the right to log on by using Remote Desktop.
1. Create a custom MMC console with the Security Templates snap-in.
2. Create a security template.

Task 1: Create a custom MMC console with the Security Templates
snap-in.
1. Run mmc.exe as an administrator, with the user name Pat.Coleman_Admin
and the password Pa$$w0rd.
2. Add the Security Templates snap-in.
3. Save the console as C:\Security Management.msc.

Task 2: Create a security template.
1. In the Security Templates snap-in, create a new security template named DC
Remote Desktop.
2. Modify the configuration of the user rights policy setting, Allow log on
through Remote Desktop Services, and then add SYS_DC Remote Desktop.
3. Using a Restricted Groups setting, configure the template to add SYS_DC
Remote Desktop to the Remote Desktop Users group.
4. Save the changes you made to the template.

Results: In this exercise, you configured a security template named DC Remote
Desktop that adds the SYS_DC Remote Desktop group to the Remote Desktop Users
group and gives the SYS_DC Remote Desktop group the user logon right to log on
through Remote Desktop Services

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 3: Use Security Configuration and Analysis
In this exercise, you will analyze the configuration of NYC-DC1 by using the DC
Remote Desktop security template to identify discrepancies between the servers
current configuration and the desired configuration defined in the template. You
will then create a new security template.
1. Add the Security Configuration and Analysis snap-in to a custom console.
2. Create a security database and import a security template.
3. Analyze the configuration of a computer by using the security database.
4. Configure security settings by using a security database.

Task 1: Add the Security Configuration and Analysis snap-in to a
custom console.
Add the Security Configuration and Analysis snap-in to a custom console
and save the change to the console.

Task 2: Create a security database and import a security template.
Create a new security database called NYC-DC1Test.
Import the DC Remote Desktop security template.

Task 3: Analyze the configuration of a computer by using the security
database.
1. In the console tree, right-click Security Configuration and Analysis, and then
click Analyze Computer Now.
2. Click OK to confirm the default path for the error log.
The snap-in performs the analysis.
3. In the console tree, expand Security Configuration and Analysis and Local
Policies, and then click User Rights Assignment.
Notice that the Allow log on through Remote Desktop Services policy is
flagged with a red circle and an X. This indicates a discrepancy between the
database setting and the computer setting.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
4. Double-click Allow log on through Remote Desktop Services.
Notice the discrepancies. The computer is not configured to allow the SYS_DC
Remote Desktop Users group to log on through Remote Desktop Services.
Notice also that the Computer setting currently allows Administrators to log
on through Remote Desktop Services. This is an important setting that should
be incorporated into the database.
5. Confirm that the Define this policy in the database check box is selected.
6. Select the Administrators check box, under Database Setting.
This will add the right for Administrators to log on through Remote Desktop
Services to the database. It does not change the template, and it does not affect
the current configuration of the computer.
7. Click OK.
8. In the console tree, select Restricted Groups.
9. In the details pane, double-click CONTOSO\SYS_DC Remote Desktop.
10. Click the Member Of tab.
Notice that the database specifies that the SYS_DC Remote Desktop group
should be a member of Remote Desktop Users, but the computer is not
currently in compliance with that setting.
11. Confirm that the Define this group in the database check box is selected.
12. Click OK.
13. Right-click Security Configuration and Analysis, and then click Save.
This saves the security database, which includes the settings imported from
the template plus the change you made to allow Administrators to log on
through Terminal Services.
The hint displayed on the status bar when you hover over the Save command
suggests that you are saving the template. That is incorrect. You are saving the
database.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
14. Right-click Security Configuration and Analysis, and then click Export
Template.
The Export Template To dialog box appears.
15. Select DC Remote Desktop, and then click Save.
You have now replaced the template created in Exercise 2 with the settings
defined in the database of the Security Configuration and Analysis snap-in.

Task 4: Configure security settings by using a security database.
1. Close your Security Management console. If you are prompted to save your
settings, click Yes.
Closing and reopening the console is necessary to refresh fully the settings
shown in the Security Templates snap-in.
2. Run C:\Security Management.msc with administrative credentials. Use the
account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, expand Security Templates,
C:\Users\Pat.Coleman_Admin\Documents\Security\Templates, DC
Remote Desktop, Local Policies, and then click User Rights Assignment.
4. In the details pane, double-click Allow log on through Remote Desktop
Services.
Notice that both the Administrators and SYS_DC Remote Desktop groups are
allowed to log on through Remote Desktop Services in the security template.
5. Click OK.
6. Right-click Security Configuration and Analysis, and then click Configure
Computer Now.
7. Click OK to confirm the error log path. The settings in the database are
applied to the server. You will now confirm that the change to the user right
was applied.
8. Run Local Security Policy with administrative credentials. Use the account
9. In the console tree expand Local Policies, and then click User Rights
Assignment.
10. Double-click Allow Log On Through Remote Desktop Services.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The Allow log on through Remote Desktop Services Properties dialog box
opens.
11. Confirm that both Administrators and SYS_DC Remote Desktop are listed.
The Local Security Policy console displays the actual, current settings of the
server.
12. Close the Local Security Policy console.
13. Close your custom Security Management console.

Results: In this exercise, you created and applied a security template that gives the
SYS_DC Remote Desktop the right to log on through Terminal Services and adds the
group as a member of the Remote Desktop Users group.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 4: Use the Security Configuration Wizard
In this exercise, you will use the Security Configuration Wizard to create a security
policy for domain controllers in the contoso.com domain based on the
configuration of NYC-DC1. You will then convert the security policy into a GPO,
which could then be deployed to all domain controllers by using Group Policy.
1. Create a security policy.
2. Transform a security policy into a Group Policy object.

Task 1: Create a security policy.
1. Run the Security Configuration Wizard in the Administrative Tools folder, with
administrative credentials. Use the account Pat.Coleman_Admin with the
password Pa$$w0rd.
2. On the Welcome to the Security Configuration Wizard page, click Next.
3. On the Configuration Action page, select Create a new security policy, and
then click Next.
4. On the Select Server page, accept the default server name, NYC-DC1, and
click Next.
5. On the Processing Security Configuration Database page, you can optionally
click View Configuration Database and explore the configuration that was
discovered on NYC-DC1.
6. Click Next.
7. On the Role Based Service Configuration section introduction page, click
Next.
8. On the Select Server Roles page, you can optionally explore the settings that
were discovered on NYC-DC1, but do not change any settings. Click Next.
9. On the Select Client Features page, you can optionally explore the settings
that were discovered on NYC-DC1, but do not change any settings. Click Next.
10. On the Select Administration and Other Options page, you can optionally
explore the settings that were discovered on NYC-DC1, but do not change any
settings. Click Next.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11. On the Select Additional Services page, you can optionally explore the
settings that were discovered on NYC-DC1, but do not change any settings.
Click Next.
12. On the Handling Unspecified Services page, do not change the default
setting, Do not change the startup mode of the service. Click Next.
13. On the Confirm Service Changes page, in the View list, select All Services.
14. Examine the settings in the Current Startup Mode column, which reflect
service startup modes on NYC-DC1, and compare them with the settings in
the Policy Startup Mode column.
15. In the View list, select Changed Services.
16. Click Next.
17. On the Network Security section introduction page, click Next.
18. On the Network Security Rules page, you can optionally examine the firewall
rules derived from the configuration of NYC-DC1. Do not change any settings.
Click Next.
19. On the Registry Settings section introduction page, click Next.
20. On each page of the Registry Settings section, examine the settings, but do
not change any of them, and then click Next. When the Registry Settings
Summary page appears, examine the settings and click Next.
21. On the Audit Policy section introduction page, click Next.
22. On the System Audit Policy page, examine but do not change the settings.
Click Next.
23. On the Audit Policy Summary page, examine the settings in the Current
Setting and Policy Setting columns. Click Next.
24. On the Save Security Policy section introduction page, click Next.
25. In the Security Policy File Name text box, click at the end of the file path and
type DC Security Policy.
26. Click Include Security Templates.
27. Click Add.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
28. Browse to locate the DC Remote Desktop template created in Exercise 3,
located in the My Documents\Security\Templates folder. When you have
located and selected the template, click Open.
Be careful that you add the Documents\Security\Templates\DC Remote
Desktop.inf file and not the DC Security.inf default security template.
29. Click OK to close the Include Security Templates dialog box.
30. Click View Security Policy.
You are prompted to confirm the use of the ActiveX control.
31. Click Yes.
32. Examine the security policy. Notice that the DC Remote Desktop template is
listed in the Templates section.
33. Close the window after you have examined the policy.
34. In the Security Configuration Wizard, click Next.
35. On the Apply Security Policy page, accept the Apply Later default setting, and
then click Next.
36. Click Finish.

Task 2: Transform a security policy into a Group Policy object.
1. Run the Command Prompt as an administrator, with the user name
2. Type cd c:\windows\security\msscw\policies, and then press Enter.
3. Type scwcmd transform /?, and then press Enter.
4. Use the scwcmd.exe command to transform the security policy named "DC
Security Policy.xml" to a GPO named "DC Security Policy."
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
5. Run Group Policy Management as an administrator, with the user name
6. Examine the settings of the DC Security Policy GPO. Confirm that the
BUILTIN\Administrators and CONTOSO\SYS_DC Remote Desktop groups
are given the Allow log on through Terminal Services user right. Also,
confirm that the CONTOSO\SYS_DC Remote Desktop group is a member of
BUILTIN\Remote Desktop Users.

Results: In this exercise, you will have used the Security Configuration Wizard to create
a security policy named DC Security Policy, and transformed the security policy to a
Group Policy object named DC Security Policy.
the settings you have configured here will be used in subsequent labs

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Review Question
Question: Describe the relationship between security settings on a server, Local
Group Policy, security templates, the database used in Security Configuration and
Analysis, the security policy created by the Security Configuration Wizard, and
domain-based Group Policy.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lesson 3
Manage
You mig
organiz
predece
provide
systems
Group P
Object
After co
Dep
Des
Rem
M
Software
ght be aware of s
ation, including M
essor Microsoft Sy
e great benefits, in
s, you can effectiv
Policy software in
tives
ompleting this les
ploy software by
scribe software d
move software or
e with GP
everal tools that c
Microsoft System
ystems Managem
ncluding features
vely deploy most
nstallation (GPSI)
sson, you will be a
using GPSI.
eployment option
iginally installed
PSI
can be used to de
m Center Configu
ment Server (SMS
s to meter softwar
software without
).
able to:
ns.
with GPSI.
eploy software wi
uration Manager
). Although these
re use and invent
t these tools by u
gs 7-63

ithin an
and its
e tools
tory
using only

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-64 Configuring
Unde
Key Po
GPSI is
characte
Use
whi
Com
tech
App
org
The soft
(CSEs)
CSEs w
the initi
of the so
later in
rstand GPSI
oints
used to create a m
eristics:
ers have access to
ich computer the
mputers have the
hnical support re
plications can be
ganization.
ftware installation
that support cha
were discussed in
ial deployment, th
oftware deploym
this lesson.
managed softwar
o the applications
ey log on to.
e required applica
epresentative.
updated, mainta
n extension is one
nge and configur
Module 6. The ex
he upgrades, and
ment is managed w
re environment th
s they need to do
ations, without in
ained, or removed
e of the many clie
ration manageme
xtension enables
d the removal of s
within a GPO by u
Services
hat has the follow
their jobs, no ma
ntervention from
d to meet the nee
ent-side extension
ent by using Grou
you to manage c
software. All conf
using procedures

wing
atter
a
ds of the
ns
up Policy.
centrally
figuration
s detailed
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Windows Installer Packages
GPSI uses the Windows Installer service to install, maintain, and remove software.
The Windows Installer service manages software by using information contained
in the applications Windows Installer package. The Windows Installer package is
in a file with an .msi extension that describes the installed state of the application.
The package contains explicit instructions regarding the installation and removal
of an application. You can customize Windows Installer packages by using one of
the following types of files:
Transform (.mst) files. These files provide a means for customizing the
installation of an application. Some applications provide wizards or templates
that permit a user to create transforms. For example, Adobe provides an
enterprise deployment tool for Adobe Acrobat Reader that generates a
transform. Many enterprises use the transform to configure agreement with the
end-user license agreement and to disable certain features of the application,
such as automatic updates that involve access to the Internet.
Update (.msp) files. These files are used to update an existing .msi file for
security updates, bug fixes, and service packs. An .msp file provides
instructions about applying the updated files and registry keys in the software
patch, service pack, or software update. For example, updates to Microsoft
Office 2003 and later are provided as .msp files.

Note: You cannot deploy .mst or .msp files alone. They must be applied to an existing Windows
Installer package.
GPSI can make limited use of non-MSI application files (.zap file), also known as
down-level application packages, that specify the location of the software
distribution point (SDP) and the setup command. See knowledge base article
231747 at http://support.microsoft.com/?kbid=231747 for details. Most
organizations do not use .zap files, because the installation of the application
requires the user to have administrative privileges on the system. When GPSI
installs an application by using a Windows Installer package, the user does not
require administrative privileges, allowing for a more secure enterprise.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Note: GPSI can fully manage applications only if the applications are deployed by using
Windows Installer packages. Other tools, including Configuration Manager and SMS, can
manage applications that use other deployment mechanisms.
The .msi file, transforms, and other files required to install an application are
stored in a shared software distribution point (SDP).
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Softw
You can
publish
users or
perform
Assign
When y
includin
Start me
applicat
the user
applicat
or by op
applicat
startup
M
ware Deploy
n deploy software
hing applications
r to computers. Y
ming their jobs.
ning Application
you assign an app
ng file name exten
enu or desktop, a
tion advertisemen
r logs on to. This
tion on the comp
pening a docume
tion to the compu
process.
yment Optio
e by assigning app
for users. You ass
You publish softw
ns
plication to a user
nsions, are updat
advertising the av
nt follows the use
application is ins
puter, either by se
ent associated wit
uter, the applicat
ons
plications to user
sign required or m
ware that users mi
r, the application
ted and its shortc
vailability of the a
er, regardless of w
stalled the first ti
electing the applic
th the application
ion is installed du
rs or computers o
mandatory softw
ight find useful in
s local registry se
cuts are created o
application. The
which physical co
ime the user activ
cation on the Star
n. When you assig
uring the compu
gs 7-67

or by
ware to
n
ettings,
on the
omputer
vates the
rt menu
gn an
ters
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Publishing Applications
When you publish an application to users, the application does not appear as if it
is installed on the users computers. No shortcuts are visible on the desktop or
Start menu. Instead, the application appears as an available application for the user
to install using Add Or Remove Programs in Control Panel on a Windows XP
system or in programs and features on a Windows Server 2008, Windows Vista,
or Windows 7 system. Additionally, the application can be installed when a user
opens a file type associated with the application. For example, if Acrobat Reader is
advertised to users, it will be installed if a user opens a file with a .pdf extension.
Given that applications can be either assigned or published and targeted to users
or computers, you can establish a workable combination to meet your software
management goals. The following table details the different software deployment
options.
Software Deployment Options
Publish (User Only)

Assign (User)

Assign (Computer)
After
deployment of
the GPO, the
software is
available for
installation:
The next time a
user logs on.
The next time a user
logs on.
The next time the
computer starts.
Typically, the
user installs the
software from:
Add Or Remove
Programs in
Control Panel
(Windows XP) or
programs and
features (Windows
Server 2008,
Windows Vista,
and Windows 7).
Start menu or
desktop shortcut. An
application can also
be configured to
install automatically
at logon.
The software is
installed automatically
when the computer
starts.
If the software is
not installed and
the user opens a
file associated
with the
software, does
the software
install?
Yes (if auto-install
is enabled).
Yes. Does not apply; the
software is already
installed.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
(continued)
Publish (User Only)

Assign (User)

Assign (Computer)
Can the user
remove the
software by
using Control
Panel?
Yes, and the user
can choose to
install it again
from Control
Panel.
Yes, and the software
is available for
installation again
from the Start menu
shortcuts or file
associations.
No. Only a local
administrator can
remove the software;
a user can run a repair
on the software.
Supported
installation files:
Windows Installer
packages (.msi
files), .zap files.
Windows Installer
packages (.msi files).
Windows Installer
packages (.msi files).

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-70 Configuring
Demo
Key Po
Now th
is simpl
Create a
software
folders.
Read &
install a
change
Demon
1. Star
Pa$
2. Star
3. Swi
onstration: C
oints
at you understan
ly a shared folder
a shared folder an
e package, modif
Set appropriate p
& Execute permiss
an application fro
and delete files t
nstration Steps
rt 6425C-NYC-DC
$$w0rd.
rt 6425C-NYC-SV
itch to NYC-DC1
Create a Softw
nd GPSI at a high
r from which user
nd a separate fold
fications, and all o
permissions on th
sionthe minimu
om the SDP. The a
o maintain the SD
s
C1 and log on as
VR1, but do not l
.
ware Distrib
level, you can pr
rs and computers
der for each appli
other necessary f
he folders that al
um permission re
administrators of
DP over time.
s Pat.Coleman w
og on.
Services
ution Point
repare the SDP. T
s can install appl
ication. Then, cop
files to the applica
llow users or com
equired to success
f the SDP must b
ith the password

The SDP
ications.
py the
ation
mputers
sfully
e able to
d,
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
4. Run Active Directory Users and Computers with administrative credentials.
Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
5. In the console tree, expand the contoso.com domain and the Groups OU, and
then click the Application OU.
6. Right-click the Application OU, point to New, and then click Group.
7. Type APP_XML Notepad, and then press Enter.
8. In the console tree, expand the contoso.com domain and the Servers OU, and
then click the File OU.
9. In the details pane, right-click NYC-SVR1, and then click Manage.
The Computer Management console opens, focused on NYC-SVR1.
10. In the console tree, expand System Tools and Shared Folders, and then click
Shares.
11. Right-click Shares, and then click New Share. The Create a Shared Folder
Wizard appears.
12. Click Next.
13. In the Folder Path box, type C:\Software, and then click Next.
A message appears asking if you want to create the folder.
14. Click Yes.
15. Accept the default Share name, Software, and then click Next.
16. Click Customize permissions, and then click Custom.
17. Click Security.
18. Click Advanced.
The Advanced Security Settings dialog box appears.
19. Click Change Permissions.
20. Clear the Include inheritable permissions from this object's parent option.
A dialog box appears asking if you want to Add or Remove inherited
permissions.
21. Click Add.
22. Select the first permission assigned to the Users group, and then click
Remove.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
23. Select the remaining permission assigned to the Users group, and then click
Remove.
24. Select the permission assigned to Creator Owner, and then click Remove.
25. Click OK two times to close the Advanced Security Settings dialog boxes.
26. In the Customize Permissions dialog box, click the Share Permissions tab.
27. Select the Full Control check box.
Security management best practice is to configure least privilege permissions
in the ACL of the resource, which will apply to users, regardless of how users
connect to the resource, at which point you can use the Full Control
permission on the SMB shared folder. The resultant access level will be the
more restrictive permissions defined in the ACL of the folder.
28. Click OK.
29. Click Finish.
30. Click Finish to close the wizard.
31. Click Start, click Run, type \\NYC-SVR1\c$, and then press Enter.
The Connect to NYC-SVR1 dialog box appears.
32. In the User name box, type CONTOSO\Pat.Coleman_Admin.
33. In the Password box, type Pa$$w0rd, and then press Enter.
A Windows Explorer window opens, focused on the root of the C drive on
NYC-SVR1.
34. Open the Software folder.
35. Click New folder.
A new folder is created and is in "rename mode."
36. Type XML Notepad, and then press Enter.
37. Right-click the XML Notepad folder, and then click Properties.
38. Click Security.
39. Click Edit.
40. Click Add. The Select Users, Computers, Service Accounts, or Groups dialog
box appears.
41. Type APP_XML Notepad, and then press Enter.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The group is given the default, Read & Execute permission.
42. Click OK twice to close all open dialog boxes.
43. Open the XML Notepad folder.
44. Open the D:\Labfiles\Lab07b folder in a new window.
45. Right-click XMLNotepad.msi, and then click Copy.
46. Switch to the Windows Explorer window, displaying \\NYC-
SVR1\c$\Software\XML Notepad.
47. Right-click in the empty details pane, and then click Paste.
XML Notepad is copied into the folder on NYC-SVR1.
48. Close all open Windows Explorer windows.
49. Close the Computer Management console.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-74 Configuring
Create
Key Po
To creat
1. Use
exis
2. Edi
3. Exp
Sett
nod
4. Rig
e and Scope
oints
te a software dep
e the Group Polic
sting GPO.
it the GPO by usi
pand the console
tings\Software I
de in the User Co
ht-click Software
e a Software
ployment GPO, yo
cy Management c
ing the Group Po
nodes Compute
Installation. Alte
onfiguration bran
e Installation, ch
Deployment
ou must perform
console to create
olicy Managemen
er Configuration
ernatively, select t
nch.
hoose New, and th
Services
t GPO
the following ste
a new GPO or se
nt Editor.
n\Policies\Softw
the Software Inst
hen select Packa

eps:
elect an
are
tallation
ge.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
5. Browse to locate the .msi file for the application. Click Open.
The Deploy Software dialog box appears, shown in the following screen shot:

6. Select Published, Assigned, or Advanced.
You cannot publish an application to computers, so the option will not be
available if you are creating the package in the Software Installation node in
Computer Configuration.
The Advanced option enables you to specify whether the application is
published or assigned and gives you the opportunity to configure advanced
properties of the software package. Therefore, select Advanced. The package
properties dialog box then appears. Among the more important properties that
you can configure are the following choices:
Deployment Type: On the Deployment tab, configure Published or
Assigned.
Deployment Options: Based on the selected deployment type, different
choices appear in the Deployment Options section. These options, along
with other settings on the Deployment tab, manage the behavior of the
application installation.
Uninstall This Application When It Falls Out Of the Scope Of
Management: If this option is selected, the application will be
automatically removed when the GPO no longer applies to the user or
computer.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Upgrades: On the Upgrades tab, you can specify the software that this
package will upgrade. Upgrades are discussed in the Maintain Software
Deployed with GPSI section later in this lesson.
Categories: The Categories tab enables you to associate the package with
one or more categories. Categories are used when an application is
published to a user. When the user opens the Control Panel to install a
program, applications published by using GPSI are presented in groups
based on these categories.
To create categories that are available to associate with packages, right-
click Software Installation and click Properties. Then, click the Categories
tab.
Modifications: If you have a transform (.mst file) that customizes the
package, click the Add button to associate the transform with the package.
Most tabs in the package Properties dialog box are available for you to
change settings at any time. However, the Modifications tab is available
only when you create the new package and select the Advanced option.

Managing the Scope of a Software Deployment GPO
After you have created a software deployment GPO, you can scope the GPO to
distribute the software to appropriate computers or users. In many software
management scenarios, applications should be assigned to computers rather than
to users. This is because most software licenses allow an application to be installed
on one computer, and if the application is assigned to a user, the application is
installed on each computer to which the user logs on.
You can scope a GPO by linking the GPO to an OU or by filtering the GPO so that
it applies only to a selected global security group. Many organizations have found
that it is easiest to manage software by linking an applications GPO to the domain
and filtering the GPO with a global security group that contains the users and
computers to which the application should be deployed. For example, a GPO that
deploys the XML Notepad tool (available from the Microsoft downloads site at
http://www.microsoft.com/downloads) would be linked to the domain and
filtered with a group containing developers that require the tool. The group would
have a descriptive name that indicates its purpose to manage the deployment of
XML Notepad such as APP_XML Notepad.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Maint
Key Po
After a c
package
applicat
want to
might h
To rede
Rig
App
M
tain Software
oints
computer has ins
e specified by a G
tion at each Grou
force systems to
have been made to
eploy an applicati
ht-click the packa
plication.
e Deployed w
stalled an applica
GPO, the compute
up Policy refresh.
reinstall the app
o the original Wi
ion deployed with
age in the GPO, c
with GPSI
tion by using the
er will not attemp
There might be s
plication. For exam
indows Installer p
h Group Policy:
click All Tasks, a
e Windows Instal
pt to reinstall the
scenarios in whic
mple, small chan
package.
and then select Re
gs 7-77

ller
ch you
nges
edeploy

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
You can also upgrade an application that has been deployed with GPSI.
1. Create a package for the new version of the application in the Software
Installation node of the GPO.
The package can be in the same GPO as the package for the previous version
or in any different GPO.
2. Right-click the package and click Properties.
3. Click the Upgrades tab, and then click the Add button.
The Add Upgrade Package dialog box appears.

4. Select whether the package for the previous version of the application is in the
current GPO or in another GPO. If the previous package is in another GPO,
click Browse to select that GPO.
5. Then, select the package from the Package to upgrade list.
6. Based on your knowledge of the applications upgrade behavior, choose one of
the upgrade options shown at the bottom of the dialog box.
Uninstall the existing package, and then install the upgrade package
Package can upgrade over the existing package
7. Click OK.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
You can also remove an application that was deployed with GPSI by performing
the following steps:
1. Right-click the package, click All Tasks, and then select Remove.
2. In the Remove Software dialog box, choose one of the following two options:
Immediately uninstall the software from users and computers. This
option, known as forced removal, causes computers to remove the
application. The software installation extension will remove an application
when the computer restarts if the application was deployed with a package
in the Computer Configuration portion of the GPO. If the package is in the
User Configuration portion, the application is uninstalled the next time
the user logs on.
Allows Users To Continue To Use The Software, But Prevents New
Installations. This setting, known as optional removal, causes the
software installation extension to avoid adding the package to systems
that do not yet have the package installed. Computers that had previously
installed the application do not forcibly uninstall the application, so users
can continue using it.

If you use one of these two options to remove software by using GPSI, it is
important that you allow the settings in the GPO to propagate to all computers
within the scope of the GPO before you delete, disable, or unlink the GPO. Clients
need to receive this setting, which specifies forced or optional removal. If the GPO
is deleted or no longer applied before all clients have received this setting, the
software is not removed according to your instructions. This is particularly
important in environments with mobile users on laptop computers that might not
connect to the network on a regular basis.
If, when creating the software package, you chose the Uninstall this application
when it falls out of the scope of management option, you can simply delete,
disable, or unlink the GPO, and the application will be forcibly removed by all
clients that have installed the package with that setting.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-80 Configuring
GPSI a
Key Po
When a
network
default
to proce
default,
installat
You can
extensio
\Admin
the beh
over a s
and Slow Lin
oints
a client performs
k to determine w
as 500 kilobits p
ess Group Policy
GPSI does not p
tion of software o
n change the slow
on by using polic
nistrative Templat
avior of the softw
slow link.
nks
a Group Policy re
hether it is conne
er second (kbps)
or to skip the ap
process Group Po
over a slow link c
w link policy proc
cy settings located
tes\System\Grou
ware installation e
efresh, it tests the
ected by using a s
). Each client-side
pplication of settin
olicy settings over
could cause signif
cessing behavior o
d in Computer C
up Policy. For exa
extension so that
Services
e performance of
slow link defined
e extension is con
ngs on a slow lin
r a slow link beca
ficant delays.
of each client-sid
onfiguration\Pol
ample, you could
t it does process p

f the
d by
nfigured
k. By
ause the
e
licies
d modify
policies
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
You can also change the connection speed threshold that constitutes a slow link.
By configuring a low threshold for the connection speed, you can convince the
client-side extensions that a connection is not a slow link, even if it actually is.
There are separate Group Policy Slow Link Detection policy settings for computer
policy processing and user policy processing. The policies are in the Administrative
Templates\System\Group Policy folders in Computer Configuration and User
Configuration.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-82 Configuring
Lab C: M
Lab Se
For this
labs. If r
1. On
clic
2. In H
clic
3. In t
4. Log

5. Rep
unt
Manage So
etup
s lab, you will use
required, you mu
the host comput
ck Hyper-V Mana
Hyper-V Manager
ck Start.
the Actions pane,
g on by using the
User name: Pat.
Password: Pa$$
Domain: Conto
peat steps 2 and 3
til directed to do
oftware w
e the same virtual
ust complete the f
ager.
r, click 6425C-NY
click Connect. W
e following creden
.Coleman
$w0rd
so
3 for 6425C-NYC
so.
with GPSI
l machine environ
following steps:
oint to Administr
YC-DC1, and in t
Wait until the virt
ntials:
C-SVR1. Do not lo
Services
I
nment used in pr
rative Tools, and
the Actions pane,
tual machine star
og on to the mach

revious
d then
,
rts.
hine
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Scenario
You are an administrator at Contoso, Ltd. Your developers require XML Notepad
to edit XML files, and you want to automate the deployment and life cycle
management of the application. You decide to use Group Policy Software
Installation. Most applications are licensed per computer, so you will deploy XML
Notepad to the developers' computers, rather than associating the application with
their user accounts.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 1: Deploy Software with GPSI
In this exercise, you will use GPSI to deploy XML Notepad to computers, including
NYC-CL1.
1. Create a software distribution folder.
2. Create a software deployment GPO.
3. Deploy software to computers.
4. Confirm the successful deployment of software.

Task 1: Create a software distribution folder.
1. On NYC-DC1, run Active Directory Users and Computers as an
administrator, with the user name Pat.Coleman_Admin and the password
Pa$$w0rd.
2. In the Groups\Application OU, create a new global security group named
APP_XML Notepad.
3. In the Servers\File OU, right-click NYC-SVR1, and then click Manage.
4. Use the Shared Folders snap-in to create a new shared folder, C:\Software,
with a share name of Software. Configure the NTFS permissions as described
below:
System:Allow:Full Control
Administrators:Allow:Full Control
Then, configure the Share permission such that the Everyone group is allowed
Full Control.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Security management best practice is to configure least privilege permissions
in the ACL of the resource, which will apply to users, regardless of how users
connect to the resource, at which point you can use the Full Control
permission on the SMB shared folder. The resultant access level will be the
more restrictive permissions defined in the ACL of the folder.
5. Open the administrative share for drive C on NYC-SVR1 (\\NYC-SVR1\c$) as
6. Inside the Software folder on NYC-SVR1, create a folder called XML Notepad.
7. Add permission to the XML Notepad folder so that the APP_XML Notepad
group is allowed Read & Execute permission.
8. Copy XML Notepad.msi from D:\Labfiles\Lab07b to \\NYC-
SVR1\c$\Software\XML Notepad.
9. Close any open Windows Explorer windows.
10. Close the Computer Management console.

Task 2: Create a software deployment GPO.
2. In the Group Policy Objects container, create a new GPO called XML
Notepad. Edit that GPO.
3. Expand Computer Configuration, Policies, Software Settings, and then click
Software Installation.
4. Right-click Software Installation, point to New, and then click Package.
5. In the File name text box, type the network path to the software distribution
folder, \\NYC-SVR1\software\XML Notepad, and then press Enter.
6. Select the Windows Installer package, XmlNotepad.msi; and then click Open.
After a few moments, the Deploy Software dialog box appears.
7. Click Advanced, and then click OK.
8. On the General tab, note that the name of the package includes the version,
XML Notepad 2007.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
9. Click the Deployment tab.
Note that when deploying software to computers, Assigned is the only option.
Examine the options that would be available if you were assigning or
publishing the application to users.
10. Select Uninstall This Application When It Falls Out Of The Scope Of
Management.
11. Click OK.
12. Close the Group Policy Management Editor.
13. Scope the GPO to apply only to members of APP_XML Notepad, and not to
Authenticated Users.
14. Link the GPO to the Client Computers OU.

Task 3: Deploy software to computers.
1. Add NYC-CL1 to the APP_XML Notepad group.
2. Start 6425C-NYC-CL1, but do not log on.

Task 4: Confirm the successful deployment of software.
1. Log on to NYC-CL1 as Pat.Coleman with the password Pa$$w0rd.
2. Confirm that XML Notepad installed successfully.

Note: When verifying the deployment of the xml notepad, and it may take two startups to be
successful. That is, if you do not see Notepad installed, restart the virtual machine. You
may need to do this a couple of times.
Results: In this exercise, you deployed XML Notepad to NYC-CL1.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 2: Upgrade Applications with GPSI
In this exercise, you will simulate deploying an upgraded version of XML Notepad.
The main task for this exercise is as follows:
Create an upgrade package by using GPSI.

Task 1: Create an upgrade package by using GPSI.
1. Switch to NYC-DC1.
2. In the Group Policy Management console tree, right-click the XML Notepad
GPO in the Group Policy Objects container, and then click Edit.
The Group Policy Management Editor opens.
3. In the console tree, expand Computer Configuration, Policies, Software
Settings, and then click Software Installation.
4. Right-click Software Installation, point to New, and then click Package.
5. In the File name text box, type the network path to the software distribution
folder, \\NYC-SVR1\software\XML Notepad, and then press Enter.
This exercise will use the existing XmlNotepad.msi file as if it is an updated
version of XML Notepad.
6. Select the Windows Installer package, XmlNotepad.msi, and then click Open.
The Deploy Software dialog box appears.
7. Click Advanced, and then click OK.
8. On the General tab, change the name of the package to suggest that it is the
next version of the application. Type XML Notepad 2011.
9. Click the Deployment tab. Because you are deploying the application to
computers, Assigned is the only deployment type option.
10. Click Upgrades.
11. Click Add.
12. Click the Current Group Policy Object (GPO) option.
13. In the Package to upgrade list, select the package for the simulated earlier
version, XML Notepad 2007.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
14. Click the Uninstall the existing package and then select then install the
upgrade package option.
15. Click OK.
16. Click OK.
If this were an actual upgrade, the new package would upgrade the previous
version of the application as clients applied the XML Notepad GPO. Because
this is only a simulation of an upgrade, you can remove the simulated upgrade
package.
17. Right-click XML Notepad 2011, which you just created to simulate an
upgrade, point to All Tasks, and then select Remove.
18. In the Remove Software dialog box, click Immediately uninstall the software
from users and computers, and then click OK.

Results: In this exercise, you simulated an upgrade of XML Notepad by using GPSI.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Review Questions
Question: Consider the NTFS permissions you applied to the Software and XML
Notepad folders on NYC-SVR1. Explain why these least privilege permissions are
preferred to the default permissions.

Question: Consider the methods used to scope the deployment of XML Notepad:
Assigning the application to computers, filtering the GPO to apply to the APP_XML
Notepad group that contains only computers, and linking the GPO to the Client
Computers OU. Why is this approach advantageous for deploying most software?
What would be the disadvantage of scoping software deployment to users rather
than to computers?
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-90 Configuring
Lesson 4
Auditing
Auditin
your en
underst
Auditin
also log
Auditin
objects,
auditing
Object
After co
Con
Con
View
g
g is an important
nterprise to the W
tand those activit
g can log success
g failed and poten
g involves up to t
and the Security
g to address seve
tives
ompleting this les
nfigure audit poli
nfigure auditing s
w the Security lo
t component of s
Windows Security
ties and identify i
sful activities to p
ntially malicious a
three managemen
y log. In this lesso
ral common scen
sson, you will be a
icy.
settings on file sy
g using the Even
ecurity. Auditing
log, which you c
ssues that warran
provide documen
attempts to acces
nt tools: audit po
on, you will learn
narios.
able to:
ystem objects.
t Viewer snap-in.
Services
logs specified ac
can then monitor
nt further investig
ntation of changes
s enterprise resou
olicy, auditing set
how to configur

ctivities in
to
gation.
s. It can
urces.
tings on
e
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Overv
Key Po
Audit Po
not enab
shows t
M
view of Aud
oints
olicy configures a
bled, a server wil
the Audit Policy n
it Policies
a system to audit
ll not audit those
node of a GPO ex
categories of acti
activities. The fo
xpanded:
ivities. If Audit Po
ollowing screen sh
gs 7-91

olicy is
hot
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

To configure auditing, you must define the policy setting. Double-click any policy
setting and select the Define These Policy Settings check box. Then, select
whether to enable auditing of Success events, Failure events, or both.
The following table defines each audit policy and its default settings on a Windows
Server 2008 domain controller.
Audit Policies

Audit Policy Setting

Explanation
Default Setting for
Windows Server 2008
Domain Controllers
Audit Account Logon
Events
Creates an event when a user or
computer attempts to
authenticate using an Active
Directory account. For example,
when a user logs on to any
computer in the domain, an
account logon event is
generated.
Successful account logons
are audited.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
(continued)


Explanation
Default Setting for
Windows Server 2008
Domain Controllers
Audit Logon Events Creates an event when a user
logs on interactively (locally) to a
computer or over the network
(remotely). For example, if a
workstation and a server are
configured to audit logon events,
the workstation audits a user
logging on directly to that
workstation. When the user
connects to a shared folder on
the server, the server logs that
remote logon. When a user logs
on, the domain controller records
a logon event because logon
scripts and policies are retrieved
from the domain controller.
Successful logons are
audited.
Audit Account
Management
Audits events, including the
creation, deletion, or
modification of user, group, or
computer accounts and the
resetting of user passwords.
Successful account
management activities
are audited.
Audit Directory
Service Access
Audits events that are specified in
the system ACL (SACL), which is
seen in an Active Directory
objects Properties Advanced
Security Settings dialog box. In
addition to defining the audit
policy with this setting, you must
also configure auditing for the
specific object or objects by
using the SACL of the object or
objects. This policy is similar to
the Audit Object Access policy
used to audit files and folders,
but this policy applies to Active
Directory objects.
Successful directory
service access events are
audited, but few objects
SACLs specify audit
settings.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
(continued)


Explanation
Default Setting for
Windows Server 2008
Domain Controllers
Audit Policy Change Audits changes to user rights
assignment policies, audit
policies, or trust policies.
Successful policy changes
are audited.
Audit Privilege Use Audits the use of a privilege or
user right. See the explanatory
text for this policy in the Group
Policy Management Editor
(GPME).
No auditing is performed
by default.
Audit System Events Audits system restart, shutdown,
or changes that affect the system
or security log.
Successful system events
are audited.
Audit Process
Tracking
Audits events such as program
activation and process exit. See
the explanatory text for this
policy in the GPME.
No events are audited.
Audit Object Access Audits access to objects such as
files, folders, registry keys, and
printers that have their own
SACLs. In addition to enabling
this audit policy, you must
configure the auditing entries in
objects SACLs.
No events are audited.
As you can see, most major Active Directory events are already audited by domain
controllers, assuming that the events are successful. Therefore, the creation of a
user, the resetting of a users password, the logon to the domain, and the retrieval
of a users logon scripts are all logged.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
However, not all failure events are audited by default. You might need to
implement additional failure auditing based on your organizations IT security
policies and requirements. Auditing failed account logon events, for example,
exposes malicious attempts to access the domain by repeatedly trying to log on as
a domain user account without yet knowing the accounts password. Auditing
failed account management events can reveal someone attempting to manipulate
the membership of a security-sensitive group.
One of the most important tasks you must perform is to balance and align the
audit policy with your corporate policies and reality. Your corporate policy might
state that all failed logons and successful changes to Active Directory users and
groups must be audited. Thats easy to achieve in Active Directory. But how,
exactly, are you going to use that information? Verbose auditing logs are useless if
you dont know how or dont have the tools to manage those logs effectively. To
implement auditing, you must have the business requirement to audit a well-
configured audit policy and the tools with which to manage audited events.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-96 Configuring
Specif
Key Po
Many o
resourc
granula
perform
steps: sp
security
You can
access c
1. Op
tab
2. Clic
fy Auditing S
oints
rganizations elec
e usage and pote
ar auditing based
med by those acco
pecify auditing se
y log.
n audit access to a
control list (SACL
en the properties
.
ck Advanced.
Settings on a
ct to audit file sys
ential security issu
on user or group
ounts. To configu
ettings, enable au
a file or folder by
L).
s dialog box of th
a File or a Fo
tem access to pro
ues. Windows Se
p accounts and th
ure auditing, you
udit policy, and ev
y adding auditing
he file or folder, an
Services
older
ovide insight into
rver 2008 suppo
he specific actions
must complete th
valuate events in
entries to its sys
nd then click the

o
orts
s
hree
the
tem
e Security
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
3. Click Auditing.
The Advanced Security Settings dialog box of a folder named Confidential
Data is shown in the following screen shot:

4. To add an entry, click Edit to open the Auditing tab in Edit mode.
5. Click Add to select the user, group, or computer to audit.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
6. In the Auditing Entry dialog box shown in the following screen shot, indicate
the type of access to audit:

You can audit for successes, failures, or both as the specified user, group, or
computer attempts to access the resource by using one or more of the granular
access levels.
You can audit successes for the following purposes:
To log resource access for reporting and billing.
To monitor access that would suggest users are performing actions greater
than what you had planned, indicating that permissions are too generous.
To identify access that is out of character for a particular account, which might
be a sign that a user account has been breached by a hacker.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Auditing failed events enables you:
To monitor for malicious attempts to access a resource to which access has
been denied.
To identify failed attempts to access a file or folder to which a user does
require access. This would indicate that the permissions are not sufficient to
achieve a business requirement.

Auditing entries directs Windows to audit the successful or failed activities of a
security principal (user, group, or computer) to use a specific permission. The
example in the screenshot of the Auditing Entry dialog box, shown previously,
audits for unsuccessful attempts by users in the Consultants group to access data
in the Confidential Data folder at any level. It does that by configuring an auditing
entry for Full Control access. Full Control includes all individual access levels, so
this entry covers any type of access. If a Consultant group member attempts access
of any kind and fails, the activity will be logged.
Typically, auditing entries reflect the permission entries for the object. In other
words, you would configure the Confidential Data folder with permissions that
prevent Consultants from accessing its contents. You would then use auditing to
monitor Consultants who nonetheless attempt to access the folder. Keep in mind,
of course, that a member of the Consultants group can also belong to another
group that does have permission to access the folder. Because that access will be
successful, the activity is not logged. Therefore, if you really are concerned about
keeping users out of a folder and making sure they do not access it in any way,
monitor failed access attempts. However, you should also audit successful access
to identify situations in which a user is accessing the folder through another group
membership that is potentially incorrect.
Important: Audit logs have the tendency to get quite large rapidly. Therefore, a golden rule for
auditing is to configure the bare minimum required to achieve the business task.
Specifying to audit the successes and failures on an active data folder for the Everyone
group by using Full Control (all permissions) generates enormous audit logs that could
affect the performance of the server and make locating a specific audited event almost
impossible.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-100 Configuring
Enabl
Key Po
Configu
in itself,
access s

e Audit Polic
oints
uring auditing en
, enable auditing.
setting shown on
cy
tries in the securi
. Auditing must b
the following pa

ity descriptor of a
be enabled by def
age:
Services
a file or folder do
fining the Audit o

oes not,
object
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

After auditing is enabled, the security subsystem begins to pay attention to the
audit settings and log access as directed by those settings.
The policy setting must be applied to the server that contains the object being
audited. You can configure the policy setting in the servers local GPO or use a
GPO scoped to the server.
You can define the policy then to audit Success events, Failure events, or both. The
policy setting (shown above) must specify auditing of Success or Failure attempts
that match the type of auditing entry in the objects SACL (shown in the previous
topic). For example, to log a failed attempt by Consultants to access the
Confidential Data folder, you must configure the Audit object access policy to audit
failures, and you must configure the SACL of the Confidential Data folder to audit
failures. If the audit policy audits successes only, the failure entries in the folders
SACL will not trigger logging.
Note: Remember that access that is audited and logged is the combination of the audit entries
on specific files and folders and the settings in Audit policy. If you've configured audit
entries to log failures, but the policy enables only logging for successes, your audit logs
will remain empty.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-102 Configuring
Evalua
Key Po
After yo
access y
accordin
of the se
Window
ate Events in
oints
ou have enabled t
you want to audit
ng to the audit en
erver. Open the E
ws Logs\Security
n the Securit
the Audit object a
t by using object
ntries. You can vi
Event Viewer con
y.
y Log
access policy setti
SACLs, the system
iew the resulting
nsole from Admin
Services
ing and specified
m begins to log a
events in the Sec
nistrative Tools. E

d the
access
curity log
Expand
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lab D: A
Lab Se
For this
labs. If r
1. On
clic
2. In H
clic
3. In t
4. Log

5. Rep
unt
M
Audit File
etup
s lab, you will use
required, you mu
the host comput
ck Hyper-V Mana
Hyper-V Manager
ck Start.
the Actions pane,
g on by using the
User name: Pat.
Password: Pa$$
Domain: Conto
peat steps 2 and 3
til directed to do
System A
e the same virtual
ust complete the f
ager.
r, click 6425C-NY
click Connect. W
e following creden
.Coleman
$w0rd
so
3 for 6425C-NYC
so.
Access
l machine environ
following steps:
oint to Administr
YC-DC1, and in t
Wait until the virt
ntials:
C-SVR1. Do not lo
nment used in pr
rative Tools, and
the Actions pane,
tual machine star
og on to the mach
gs 7-103

revious
d then
,
rts.
hine
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Scenario
In this lab, you will configure auditing settings, enable audit policies for object
access, and filter for specific events in the Security log. The business objective is to
monitor a folder containing confidential data that should not be accessed by users
in the Consultants group.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 1: Configure Permissions and Audit Settings
In this exercise, you will configure permissions on the Confidential Data folder to
deny access to consultants. You will then enable auditing of attempts by
consultants to access the folder.
1. Create and secure a shared folder.
2. Configure auditing settings on a folder.

Task 1: Create and secure a shared folder.
1. Switch to NYC-DC1.
3. In the Groups\Role OU, create a new global security group named
Consultants.
4. Add Mike.Danseglio to the Consultants group.
5. Create a new folder in \\NYC-SVR1\c$\data called Confidential Data.
6. Configure NTFS permissions that deny the Consultants group all access to the
folder.
Task 2: Configure auditing settings on a folder.
Configure auditing settings on the Confidential Data folder to audit for any
failed access by the Consultants group.

Results: In this exercise, you configured permissions and audit settings for a folder.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 2: Configure Audit Policy
In this exercise, you will enable auditing of file system access on file servers using
Group Policy.
Enable auditing of file system access using Group Policy.

Task 1: Enable auditing of file system access by using Group Policy.
2. Create a new GPO named File Server Auditing.
3. Configure the GPO to audit for failed object access.
4. Link the GPO to the Servers\File OU.

Results: In this exercise, you configured for auditing of failed access to file system
objects on servers in the Servers\File OU.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 3: Examine Audit Events
In this exercise, you will generate audit failure events and then examine the
resulting security event log messages.
1. Generate audit events.
2. Examine audit event log messages.

Task 1: Generate audit events
1. Log on to NYC-SVR1as Pat.Coleman with the password Pa$$w0rd.
2. Run the Command Prompt as an administrator, with the user name
3. Refresh Group Policy to apply the new auditing settings by executing the
command gpupdate.exe /force.
4. Log off of NYC-SVR1.
5. Log on to NYC-CL1 as Mike.Danseglio with the password Pa$$w0rd.
6. Attempt to open \\NYC-SVR1\data\Confidential Data. You will receive an
Access Denied message.

Task 2: Examine audit event log messages
1. Switch to NYC-SVR1.
2. Run Event Viewer as an administrator, with the user name
3. Locate the audit failure events related to Mike Danseglio's access to the
Confidential Data folder.

Question: What is the Task Category for the event? What is the Event ID? What
type of access was attempted?

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Results: In this exercise, you validated the auditing of failed access to the Confidential
Data folder by members of the Consultants group.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Question: What are the three major steps required to configure auditing of file
system and other object access?

Question: What systems should have auditing configured? Is there a reason not to
audit all systems in your enterprise? What types of access should be audited, and
by whom should they be audited? Is there a reason not to audit all access by all
users?

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-110 Configuring
Lesson 5
Software
In a larg
prevent
policies
installed
Object
After co
Des
Des
Pol
Com
Con

e Restrict
ge network enviro
ting access to una
s and application
d on workstation
tives
ompleting this les
scribe Software R
scribe how to con
icies.
mpare Applocker
nfigure Applocke
ion Polic
onment, one of th
authorized softwa
control polices c
ns.
sson, you will be a
Restriction Policy.
ntrol access to ap
r and Software Re
er.

y and Ap
he challenges of n
are on workstatio
can be used to con
able to:

pplications by usin
estriction Policies
Services
pplocker
network security
ons. Software rest
ntrol access to so
ng Application C
s

is
triction
oftware
Control
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

What
Key Po
A prima
availabl
that me
unwant
uninten
Introdu
operatin
identify
SRP sett
set com
M
Is a Softwar
oints
ary security conce
le on each compu
eet their specific n
ted applications g
ntionally or for m
uced in the Windo
ng system, Softwa
y and specify whic
tings are configur
mprises the follow
re Restriction
ern for client com
uter. To do their j
needs. There is th
get installed on th
malicious or nonbu
ows XP operating
are Restriction Po
ch applications ar
red and deployed
wing key compone
n Policy?
mputers is the cur
obs, users need a
he possibility, how
he client compute
usiness purposes
g system and the
olicies (SRPs) allo
re permitted to ru
d to clients by usi
ents.
rrent applications
access to the app
wever, that unnee
ers, whether
s.
Windows Server
ow an administra
un on client com
ing Group Policy
gs 7-111

s
lications
eded or
r 2003
ator to
mputers.
y. An SRP
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Rules
Rules govern how an SRP responds to an application being run or installed. Rules
are the key constructs within an SRP, and a group of rules together determine how
an SRP will respond to applications being run. Rules can be based on one of the
following criteria that apply to the primary executable file for the application
in question.
Hash. A cryptographic fingerprint of the file.
Certificate. A software publisher certificate used to digitally sign a file.
Path. The local or Universal Naming Convention (UNC) path of where the file
is stored.
Zone. The Internet zone.

Security Levels
Each applied SRP is assigned a security level that governs the way the operating
system reacts when the application that is defined in the rule is run. The three
available security levels are as follows.
Disallowed. The software identified in the rule will not run, regardless of the
access rights of the user.
Basic User. Allows the software identified in the rule to run as a standard,
nonadministrative user.
Unrestricted. Allows the software identified in the rule to run unrestricted
by SRP.

Default Security Level
The way a system behaves in general is determined by the Default Security Level,
which governs how the operating system reacts to applications without any SRP
rules defined. The following three points outline a system default behavior, based
on the Default Security Level applied in the SRP:
Disallowed. No applications will be allowed to run unless an SRP rule is
created that allows each specific application or a set of applications to run.
Basic User. All applications will run under the context of a basic user,
regardless of the permissions of the user who is logged on, unless an SRP rule
is created to modify this behavior for a specific application or a set of
applications.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Unrestricted. All applications will run as if SRP was not enabled, unless
specifically defined by an SRP rule.

Based on these three components, there are two primary ways to use SRPs:
If an administrator knows all the software that should be allowed to run on
clients, the Default Security Level can be set to Disallowed. All applications
that should be allowed to run can be identified in SRP rules that would apply
either the Basic User or Unrestricted security level to each individual
application, depending on the security requirements.
If an administrator does not have a comprehensive list of the software that
should be allowed to run on clients, the Default Security Level can be set to
Unrestricted or Basic User, depending on security requirements. Any
applications that should not be allowed to run can then be identified by using
SRP rules, which would use a security level setting of Disallowed.

Software Restriction Policy settings can be found in Group Policy at the following
location: Computer Configuration\Windows Settings\Security Settings\Software
Restriction Policies.
Note: Software Restriction Policies are not enabled by default in Windows
Server 2008 R2.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-114 Configuring
Overv
Key Po
Note: The cont
Applica
operatio
Policies
Applock
Window
the func
with a v
applicat
AppLoc
organiz
individu
view of Appl
oints
tent in this section
tion Control Poli
ons of application
are controlled by
ker, which was in
ws Server 2008 R
ctionality previou
variety of method
tions to which th
cker is applied thr
ational unit. In ad
ual AD DS users o
ication Cont
n only applies to W
icies represent th
ns within your do
y AppLocker.
ntroduced in the W
R2, provides a num
usly provided by
ds for quickly and
hey may want to r
rough Group Pol
ddition, individu
or groups.
trol Policies
Windows Server 200
he next evolution
omain environme
Windows 7 oper
mber of enhancem
SRP. AppLocker
d concisely determ
restrict or permit
licy to computer
al AppLocker rul
Services
08 R2.
of control over th
ent. Application C
ating system and
ments that impro
provides adminis
mining the identi
access.
objects within an
les can be applied

he
Control
d
ove upon
strators
ty of
n
d to
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
AppLocker also contains options for monitoring or auditing the application of
rules, both as rules are being enforced and in an audit-only scenario.
AppLocker can help organizations prevent unlicensed or malicious software from
running, and can selectively restrict ActiveX controls from being installed. It can
also reduce the total cost of ownership by ensuring that workstations are
standardized across their enterprise and that users are running only the software
and applications that are approved by the enterprise.
Specifically, the following scenarios provide examples of where AppLocker can be
used to provide some level of application management:
Your organization implements a policy to standardize the applications used
within each business group, so you need to determine the expected usage
compared with the actual usage.
The security policy for application usage has changed, and you need to
evaluate where and when those deployed applications are being accessed.
Your organization's security policy dictates the use of only licensed software,
so you need to determine which applications are not licensed or prevent
unauthorized users from running licensed software.
An application is no longer supported by your organization, and you need to
prevent it from being used by everyone.
A new application or a new version of an application is deployed, and you
need to allow certain groups to use it.
Specific software tools are not allowed within the organization, or only specific
users have access to those tools.
A single user or a small group of users needs to use a specific application that
is denied for all others.
Some computers in your organization are shared by people who have different
software usage needs.

AppLocker is available in the following editions of Windows:
Windows Server 2008 R2 Standard operating system
Windows Server 2008 R2 Enterprise operating system
Windows Server 2008 R2 Datacenter operating system
Windows Server 2008 R2 for Itanium-based Systems operating system
Windows 7 Ultimate operating system
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Windows 7 Enterprise operating system

Note: Applocker is not enabled by default in Windows Server 2008 R2.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Comp
Key Po
When im
difficult
updates
and the
updated
combin
simplifi
specific
Certifica
publish
publish
level, th
For exa
content
M
pare Applock
oints
mplementing SRP
t to create policie
s were applied. Th
e fragility of hash
d. To resolve this
nes a certificate an
es your ability to
product name ca
ate rules in SRP a
her; however, App
her rules, you can
he executable leve
mple, with SRP, y
t signed by Micro
ker and Softw
Ps in previous W
s that were secur
his was due to th
rules that becam
issue, AppLocke
nd a product nam
specify that anyt
an run.
allow you to trust
pLocker gives you
trust the publish
el, and even the v
you can create a r
osoft. With AppL
ware Restrict
Windows versions
re and remained f
he lack of granula
me invalid when an
er enables you to
me, file name, and
thing signed by a
t all software sign
u greater flexibilit
her, and also drill
version.
rule that effective
Locker, you furthe
tion Policies
, it was particular
functional after s
arity of certificate
n application bin
create a rule that
d file version. This
a particular vendo
ned by a specific
ty. When creating
l down to the pro
ely reads Trust a
er refine the rule
gs 7-117
s

rly
oftware
rules
nary was
t
s
or for a
g
oduct
all
to
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
specify: Trust the Microsoft Office 2007 Suite if it is signed by Microsoft and the
version is greater than 12.0.0.0.
The AppLocker enhancements over the SRP feature can be summarized as follows:
The ability to define rules based on attributes derived from a files digital
signature, including the publisher, product name, file name, and file version.
SRP supports certificate rules, but they are less granular and more difficult
to define.
A more intuitive enforcement model; only a file that is specified in an
AppLocker rule is allowed to run.
A new, more accessible user interface that is accessed through a new Microsoft
Management Console (MMC) snap-in extension to the Group Policy
Management Console snap-in.
An audit-only enforcement mode that allows administrators to determine which
files will be prevented from running if the policy were in effect.
The following table outlines other key differences between AppLocker and SRPs.
Feature SRP AppLocker
Rule scope Specific user or group (per
Group Policy object [GPO])
Specific users or groups
(per rule)
Rule conditions provided File hash, path, certificate,
registry path, Internet zone
File hash, path, publisher
Rule types provided Allow and Deny Allow and Deny
Default Rule action Allow and deny Implicit Deny
Audit only mode No Yes
Wizard to create multiple
rules at one time
No Yes
Policy import or export No Yes
Rule collection No Yes
Windows PowerShell
support
No Yes
Custom error messages No Yes

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Implementing AppLocker and SRPs
Prior to Windows Server 2008 R2 and Windows 7, Windows operating systems
were only able to use SRP rules. In Windows Server 2008 R2 and Windows 7, you
can apply SRP or AppLocker rules, but not both. This allows you to upgrade an
existing implementation to Windows 7 and still take advantage of the SRP rules
defined in group policies.
However, if Windows Server 2008 R2 or Windows 7 have both AppLocker and
SRP rules applied in a group policy, only the AppLocker rules are enforced and the
SRP rules are ignored.
When you add a single AppLocker rule in Windows Server 2008 R2 or
Windows 7, all processing of SRP rules stops. Therefore, if you are replacing SRP
rules with AppLocker rules, you must implement all AppLocker rules that you
require at one time. If you implement the AppLocker rules incrementally, you will
lose the functionality provided by SRP rules that have not yet been replaced with
corresponding AppLocker rules.
Note: SRP is still the standard method to restrict software usage in versions of Windows prior to
Windows Server 2008 and Windows 7.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-120 Configuring
Demo
Polici
Key Po
In this d
Cre
App
Tes

onstration: H
es
oints
demonstration, y
eate a GPO to enf
ply the GPO to th
st the AppLocker
How to Confi
ou will see how t
force the default A
he domain.
rule.

igure Applica
to:
AppLocker Execu
Services
ation Contro
utable rules.
ol

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Demonstration Steps
1. Open the Group Policy Management Console.
2. Create a new GPO.
3. Configure the AppLocker default rules in the GPO.
4. Link the GPO to the Contoso.com domain
5. Switch to NYC-CL1.
6. Attempt to open Wordpad.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-122 Configuring
Lab E: Co
Lab Se
For this
labs. If r
1. On
clic
2. In H
clic
3. In t
4. Log

5. Rep
dire
onfigure
etup
s lab, you will use
required, you mu
the host comput
ck Hyper-V Mana
Hyper-V Manager
ck Start.
the Actions pane,
g on by using the
User name: Pat.
Password: Pa$$
Domain: Conto
peat steps 2 and 3
ected to do so.
Applicati
e the same virtual
ust complete the f
ager.
r, click 6425C-NY
click Connect. W
e following creden
.Coleman
$w0rd
so
3 for 6425C-NYC
ion Contr
l machine environ
following steps:
oint to Administr
YC-DC1, and in t
Wait until the virt
ntials:
C-CL1. Do not log
Services
rol Policie
nment used in pr
rative Tools, and
the Actions pane,
tual machine star
g on to the mach
es

revious
d then
,
rts.
ine until
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Scenario
You have been asked to ensure that a widely used application in the environment
that has been recently replaced by a new software suite is no longer used at
Contoso, Ltd.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 1: Configuring Application Control Policies
Scenario
Microsoft Office 2007 has recently been installed in the Research department at
Contoso, Ltd on all client computers. Previously, WordPad was used for word-
processing tasks in the Research department. To encourage users to use the new
word-processing capabilities of Office Word 2007, you have been asked to restrict
users in the Research department from running WordPad on their computers.
1. Create a GPO to enforce the default AppLocker Executable rules.
2. Apply the GPO to the Contoso.com domain.
3. Test the AppLocker rule.

Task 1: Create a GPO to enforce the default AppLocker Executable
rules.
1. On NYC-DC1, in the Group Policy Management console, create a new GPO
entitled, Wordpad Restriction Policy. If necessary, use the account
2. Edit the new GPO with the following settings:
Application Control Policy: Under Executable Rules, create a new
executable publisher rule for C:\Program Files\Windows NT
\Accessories\wordpad.exe that denies Everyone access to run any
version of wordpad.exe.
Configure Executable rules to be enforced.
Configure the Application Identity service to run and set it to Automatic.

Task 2: Apply the GPO to the Contoso.com domain.
Apply the WordPad Restriction Policy GPO to the Contoso.com domain
container.
Task 3: Test the AppLocker rule.
1. Restart and then log on to NYC-CL1 as Contoso\Alan.brewer with the
password, Pa$$w0rd.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
2. Refresh Group Policy by running gpudate /force from the command prompt.
3. Try to run Start - All Programs - Accessories WordPad.
Note: The AppLocker policy should restrict you from running this application. If
the application runs, log off from NYC-CL1 and log on again. It may take a few
minutes for the policy setting to apply to NYC-CL1. After the policy setting is
applied, the application will be restricted.

Results: In this exercise, you restricted an application by using AppLocker.
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this,
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6425C-NYC-DC1 in the Virtual Machines list, and then
click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6425C-NYC-SVR1 and6425C-NYC-CL1.

Lab Review Question
Question: How could you permit access to only a specific set of applications for a
set of computers in your environment?

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7-126 Configuring
Module
Review
1. In w
use
2. Des
3. Wh
Windo
Windo
AppLo
Review a
w Questions
what scenarios, o
ers, or groups?
scribe the proced
hy must AppLock
ows Server 2008
ows Server 2008 R
ocker
and Takea
r for what reason
dure used to apply
ker rules be defin
8 R2 Features I
R2 feature Des
Use
ap
aways
ns might you wan
y a security temp
ed in a GPO sepa
Introduced in T
scription
ed to control how
plications
Services
nt to delete all me
plate to a compute
arate from SRP ru
This Module
users can access a

embers,
er.
ules?

and use

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Securing Administration 8-1
Module 8
Securing Administration
Contents:
Lesson 1: Delegate Administrative Permissions 8-4
Lab A: Delegate Administration 8-25
Lesson 2: Audit Active Directory Changes 8-33
Lab B: Audit Active Directory Changes 8-39
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
8-2 Configuring
Module
Today, s
not only
users on
privileg
Director
adminis
Object
After co
Del
Aud
Overview
security is the im
y removing the u
n their workstatio
es given to admin
ry administratio
strative tasks and
tives
ompleting this mo
legate administra
dit Active Directo
w
mportant priority i
unnecessary admi
ons, but also are
nistrators themse
on, you need to u
d audit changes th
odule, you will be
ative permissions.
ory administration
in most organizat
inistrative privileg
striving to lock d
elves. To manage
nderstand how t
hat are made to th
e able to:
.
n.
Services
tions. Organizati
ges that were assi
down and manage
the security of A
o delegate specifi
he directory.

ons are
igned to
e the
Active
ic
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lesson 1
Delegate
In previ
organiz
objects.
in the g
desk tea
built-in
can ena
tasks re
adminis
(ACLs)
Object
After co
Des
Ass
inte
e Adminis
ious modules, yo
ational units (OU
Your ability to p
roups with admin
am need not be a
groups just to re
able the help desk
equired of the role
strative tasks with
on Active Directo
tives
ompleting this les
scribe the busine
sign permissions
erfaces and the D
strative P
u learned how to
Us). You also lear
perform those acti
nistrative privileg
a member of the d
eset user passwor
k and each role in
e. In this lesson,
hin Active Directo
ory objects.
sson, you will be a
ss purpose of del
to Active Directo
Delegation of Con
S
Permissio
o create users, gro
rned to access the
ions was depend
ges in the domain
domains Admini
ds and unlock us
n your organizatio
you will learn to
ory by changing t
able to:
legation.
ry objects using t
ntrol Wizard.
Securing Administratio
ons
oups, computers,
e properties of th
dent on your mem
n. Every user on t
strators group or
ser accounts. Inst
on to only perfor
o delegate specific
the access contro
the security edito
n 8-3

, and
hose
mbership
the help
r other
tead, you
rm the
c
ol lists
or user
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
View and report permissions on Active Directory objects by using user-
interface and command-line tools.
Reset the permissions on an object to its default.
Describe the relationship between delegation and OU design.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Unde
Key Po
In most
grow, ad
support
user pas
the help
The hel
changes
granula
In most
user acc
Therefo
rstand Deleg
oints
t organizations, th
dministrative task
t organizations. F
sswords and unlo
p desk is a delega
p desk cannot us
s to existing user
ar.
t organizations, th
counts, but not to
ore, the delegation
gation
here is more than
ks are often distr
For example, in m
ock the user acco
ated administrativ
sually create new
accounts. The ca
he help desk's ab
o accounts used f
n is said to be sco
S
n one administrat
ibuted among th
many organization
ounts that are loc
ve task.
user accounts, b
apability that is d
bility to reset pass
for administration
oped to standard
tor, and as organi
e administrators
ns, the help desk
ked out. This cap
but can make spec
elegated is specif
swords applies to
n or service accou
user accounts.
n 8-5

izations
or
can reset
pability of
cific
fic or
o normal
unts.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
All Active Directory objects, such as the users, computers, and groups you created
in the previous module, can be secured by using a list of permissions. Therefore,
you can give your help desk permission to reset passwords on user objects. The
permissions on an object are called access control entries (ACEs), and they are
assigned to users, groups, or computers, which are also known as security
principals. ACEs are saved in the objects discretionary access control list (DACL).
The DACL is a part of the objects ACL, which also contains the system access
control list (SACL) that includes auditing settings.
The delegation of administrative control involves assigning permissions that
manage access to objects and properties in Active Directory. Just as you can give a
group the ability to change files in a folder, you can give the group the ability to
reset passwords on user objects.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

View
Key Po
Each ob
you can
Director
1. Op
2. Clic
3. Rig
4. Clic
Note: If Advan
Properti
5. Clic
the ACL of a
oints
bject in Active Dir
n modify the perm
ry object. To view
en the Active Dir
ck the View menu
ht-click an object
ck the Security ta
ced Features are n
es dialog box.
ck Advanced.
an Active Dir
rectory has its ow
missions to contro
w the ACL on an
rectory Users an
u and click Adva
t and click Prope
ab.
not enabled, you w
S
rectory Obje
wn ACL. If you ha
ol the level of acc
object, perform t
nd Computers sn
anced Features.
erties.
will not see the Sec
ct
ave sufficient perm
cess on a specific
the following step
nap-in.
curity tab in an obj
n 8-7

missions,
Active
ps:
jects
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The Security tab shows a very high-level overview of the security principals
that have been given permissions to the object. However, in the case of Active
Directory ACLs, the Security tab is rarely detailed enough to provide the
information you need to interpret or manage the ACL. To see a more detailed
permission list, click Advanced to open the Advanced Security Settings dialog
box.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The Advanced Security Settings dialog box appears, as shown in the following
image.

The Permissions page of the Advanced Security Settings dialog box shows the
DACL of the object. The screen shot shows ACEs summarized on a line of the
Permission entries list. In this dialog box, you do not see the granular ACEs of
the DACL. For example, the permission entry that is highlighted actually
consists of two ACEs.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
To see the granular ACEs of a permission entry, select the entry and click Edit.
The Permission Entry dialog box appears, detailing the specific ACEs that make
up the entry.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Prope
and O
Key Po
The DA
an objec
email op
include
permiss
more gr
telepho
Permiss
resettin
importa
the curr
passwor
Finally,
permiss
erty Permissi
Object Permi
oints
ACL of an object a
ct. For example, y
ptions. This is, in
s multiple specifi
sions to common
ranular permissio
ne number or the
sions can also be
g a password. Th
ant. If you have th
rent password be
rd, you need not
permissions can
sions on an objec
ions, Propert
ssions
allows you to assi
you can allow (or
n fact, not just one
ic properties. Usi
nly used collection
ons and allow or
e street address.
assigned to contr
he difference betw
he right to change
efore making the
know the previo
n be assigned to o
ct is controlled by
S
ty Sets, Cont
ign permissions t
r deny) permissio
e property; it is a
ing property sets,
ns of properties.
deny permission
rol access rights,
ween those two co
e a password, you
change. If you ha
ous password.
objects. For examp
y the Allow Modif
trol Access R
to specific proper
on to change pho
property set that
, you can easily m
But, you could as
n to change just th
such as changing
ontrol access righ
u must know and
ave the right to re
ple, the ability to
fy Permissions ac
n 8-11
Rights,

rties of
one and
t
manage
ssign
he mobile
g or
hts is
d enter
eset a
change
ccess
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
control entry (ACE). Object permissions also control whether you are able to
create child objects. For example, you might give your desktop support team
permissions to create computer objects in the Client Computers OU. The Allow
Create Computer Objects ACE would be assigned to the desktop support team at
the OU.
You can manage the type and scope of permissions by using the Object tab and the
Properties tab, and the Apply To drop-down lists on each tab.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Demo
Secur
Key Po
Conside
Ford's u
way firs
learn to
users. F
Demon
Ena
Op
Del

onstration: A
rity Settings
oints
er that you want
user account. In t
st. You will assign
o delegate by usin
Finally, you will se
nstration Steps:
able Advanced V
en Advanced Sec
legate permission
Assign a Perm
Dialog Box
to allow the help
this section, you w
n the ACE on the
ng the Delegation
ee why this latter
View in Active Dir
curity Properties
n to reset the pass
S
mission by U
p desk to change t
will learn to do it
DACL of the use
n of Control Wiza
r practice is recom
rectory Users and
s of the user acco
sword.
sing the Adv
the password onl
t in the most com
er object. Then, yo
ard for the entire
mmended.
d Computers con
ount object.
n 8-13
vanced

ly on Jeff
mplicated
ou will
OU of
sole.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
8-14 Configuring
Unde
Key Po
Assignin
object is
permiss
level of
by all ob
passwor
users, a
you can
Child ob
or OU i
level co
reason c
new obj
parent o
Howeve
inherite
rstand and M
oints
ng the help desk
s tedious. But, in
sions to individua
organizational un
bjects in the OU.
rds for user objec
ll user objects wi
n delegate that ad
bjects inherit the
in turn inherits it
ntainer or OU, it
child objects inhe
ject is created wit
option enabled.
er, note that as th
ed by the child ob
Manage Perm
permission to re
Active Directory,
al objects. Instead
nits. The permiss
Therefore, if you
cts and attach tha
ithin that OU will
dministrative task
e permissions of t
s permissions fro
inherits the perm
erit permissions f
th the Include inh
he option indicate
bject. Not all perm
missions with
set passwords fo
, it is not a good p
d, you should ass
sions you assign t
u give the help de
at permission to t
l inherit that perm
k.
the parent contain
om its parent con
missions from the
from their parent
heritable permiss
es, only inheritab
missions are inhe
Services
h Inheritance
r each individual
practice to assign
sign permissions
to an OU will be
esk permission to
the OU that cont
mission. In just o
ner or OU. That c
ntainer OU. If it is
e domain itself. T
ts is that, by defau
sions from this ob
le permissions w
eritable. For exam
e

l user
n
at the
inherited
o reset
tains the
one step,
container
s a first-
The
ult, each
bjects
will be
mple, the
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
permission to reset passwords, when assigned to an OU, would not be inherited by
group objects because group objects do not have a password attribute. So,
inheritance can be scoped to specific object classes: passwords are applicable to
user objects, not groups. Additionally, you can use the Apply To box of the
Permission Entry dialog box to scope the inheritance of a permission. The
conversation can start to get very complicated. What you should know is that, by
default, new objects inherit inheritable permissions from their parent object
usually, an OU or a container.
What if the permission that is being inherited is not appropriate? You can do the
following three things to modify the permissions that a child object is inheriting:
First, you can disable inheritance by deselecting the Include Inheritable
Permissions From This Objects Parent option in the Advanced Security
Settings dialog box. When you do, the object will no longer inherit any
permissions from its parent; all permissions will be explicitly defined for the
child object. This is generally not a good practice, because it creates an
exception to the rule that is created by permissions of parent containers.
The second option is to allow inheritance, but to override the inherited
permission with a permission assigned specifically to the child objectan
explicit permission. Explicit permissions always override permissions that are
inherited from parent objects. This has an important implication: an explicit
permission that allows access will actually override an inherited permission
that denies the same access. The rule (Deny) is being defined by a parent, but
the child object has been configured to be an exception (Allow).
Finally, you can change the scope of inheritance on the parent permission
itself by changing the option in the Apply To drop-down list in the
Permission Entry dialog box. In most cases, this is the best practice. What you
are doing, in effect, is defining the security policy in the form of the ACL more
accurately at its source, rather than trying to override it further down the tree.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
8-16 Configuring
Demo
Deleg
Key Po
You hav
permiss
Luckily
but usin
several p
answeri
complet
procedu
Demon
Run
Del
the
onstration: D
gation of Con
oints
ve seen the comp
sions by using the
, the best practice
ng the Delegation
permissions on t
ing questions in a
tes, it initiates a s
ure details the us
nstration Steps
n Delegation of C
legate permission
OU level.
Delegate Adm
ntrol Wizard
plexity of the DAC
e Permission En
e is not to manag
n Of Control Wiz
the OU level, with
a wizard. Howeve
script that edits th
e of the wizard.
s:
Control Wizard on
ns to reset the pas
ministrative T
d
CL and understoo
ntry dialog box is
ge permissions by
ard. This wizard
hout editing the D
er, the result is th
he DACL of the O
n an OU.
ssword and force
Services
Tasks with th
od that managing
not a simple task
y using security in
allows you to de
DACL directly, bu
he same. After the
OU. The following
e a password chan
he

g
k.
nterfaces,
legate
ut by
e wizard
g
nge on
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Repor
Key Po
There a
know w
the DAC
boxes.
DSACLs
director
name of
the follo
User Ac
dsacls
DSACLs
help reg
rt and View
oints
re several other w
who can do what.
CL by using the A
s (dsacls.exe) is a
ry service objects
f an object you w
owing command
ccounts OU:
s.exe "ou=User
s can also be use
garding the synta
Permissions
ways to view and
You have already
Advanced Securit
also available as a
. If you type the c
will see a report of
produces a repo
Accounts,dc=con
d to set permissio
ax and utilization
S
report permissio
y seen that you c
ty Settings and Pe
a command-line t
command followe
f the objects perm
rt of the permissi
ntoso,dc=com"
onsto delegate.
of DSACLs.
ons when you nee
an view permissi
ermission Entry d
tool that reports o
ed by the disting
missions. For exa
ions associated w
Type dsacls.exe /
n 8-17

ed to
ons on
dialog
on
uished
ample,
with the
/? for
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
8-18 Configuring
Remo
Key Po
How do
there is
Op
rem
If y
the
defa
obj
per
DSA
defa
and
and
ds
ove or Reset
oints
o you remove or r
no undelegate co
en the Advanced
move permissions
ou want to reset
Advanced Securi
fault permissions
ect. After restorin
rmissions you wa
ACLs also provid
faults, and the /t s
d all of its child ob
d all of its child O
sacls "ou=User A
Permissions
reset permissions
ommand. You mu
Security Settings
s.
the permissions
ity Settings dialog
are defined by th
ng the defaults, yo
ant to add to the D
des the /s switch t
switch to make th
bjects. For examp
OUs and objects, y
Accounts,dc=con
on an Objec
s that have been d
ust do one of the
s and Permission
on the object bac
g box and click R
he Active Director
ou can reconfigur
DACL.
to reset permissio
he change for the
ple, to reset perm
you would enter:
ntoso,dc=com" /
Services
ct
delegated? Unfor
e following:
n Entry dialog box
ck to the defaults
Restore Defaults.
ry schema for the
re the explicit
ons to the schem
e entire treethe
missions on the Pe
:
s /t

rtunately,
xes to
, open
The
e class of
ma-defined
e object
eople OU
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Unde
Key Po
Effective
a user o
Your ab
member
several
to which
Your eff
permiss
multiple
Permiss
belong,
practice
possible
been as
importa
rstand Effect
oints
e permissions are
or group, based o
bility to reset a us
rship in a group
levels above the u
h you belong resu
fective permission
sions, explicit and
e groups, each of
sions, whether as
are equivalent. In
e is to manage per
e to assign ACEs
signed directly to
ant than a permis
tive Permiss
e the resulting pe
n the cumulative
ers password, fo
that is allowed th
user object. The i
ults in an effectiv
ns can be compli
d inherited ACEs
f which may be as
signed to your us
n the end, an AC
rmissions by assi
to individual use
o you, the user, is
ssion assigned to
S
ions
ermissions for a s
e effect of each inh
or example, may b
he Reset Password
inherited permiss
ve permission of A
icated when you
, and the fact tha
ssigned different
ser account or a g
E applies to you,
igning them to gr
ers or computers.
s neither more im
a group to which
security principal
herited and expli
be due to your
d permission on
sion assigned to a
Allow:Reset Passw
consider Allow a
at you may belong
permissions.
group to which y
the user. The be
roups, but it is als
A permission th
mportant nor less
h you belong.
n 8-19

, such as
icit ACE.
an OU
a group
word.
nd Deny
g to
you
st
so
at has
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Allow permissions, which allow access, are cumulative. When you belong to
several groups, and those groups have been granted permissions that allow a
variety of tasks, you will be able to perform all of the tasks assigned to all of those
groups, as well as tasks assigned directly to your user account.
Deny permissions, which deny access (), override equivalent Allow permissions. If
you are in one group that has been allowed the permission to reset passwords, and
another group that has been denied permission to reset passwords, the Deny
permission prevents you from resetting passwords.
Note: It is unnecessary to assign Deny permissions. If you simply do not assign an Allow
permission, users cannot perform the task. Before assigning a Deny permission, check to
see if you could achieve your goal by removing an Allow permission instead. Use Deny
permissions rarely. For example, if you want to delegate an Allow permission to a group,
but exempt only one member from that group, you can use a Deny permission on that
specific user account while the group will still have Allow permission.
Each permission is granular. Even if you have been denied the ability to reset
passwords, you may still have the ability, through other Allow permissions, to
change the users logon name or email address.
In this lesson, you learned that child objects inherit the inheritable permissions of
parent objects by default, and that explicit permissions can override inheritable
permissions. This means that an explicit Allow permission will actually override an
inherited Deny permission.
Unfortunately, the complex interaction of user, group, explicit, inherited, Allow,
and Deny permissions can make evaluating effective permissions tedious. You can
use the permissions reported by the DSACLs command or on the Permissions tab
of the Advanced Security Settings dialog box to begin evaluating effective
permissions, but it will be a manual task.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Desig
Key Po
OUs are
share si
now un
adminis
users in
desk pe
OU. An
object w
your Hu
employ
Accoun
gn an OU Stru
oints
e, as you now kn
imilar requiremen
nderstand the firs
strators administe
n a single OU per
ermission to chan
ny other permissio
would be assigned
uman Resources
ees termination.
ts OU.
ucture to Su
ow, administrativ
nts for administra
t of those require
er should be con
haps called User
nge all users pass
ons that affect wh
d in the User Acc
managers to disa
You would deleg
S
pport Deleg
ve containers. Th
ation, configurati
ements: administr
tained within a si
Accounts, you co
swords by assigni
hat an administra
counts OU. For e
able user account
gate that permiss
gation
hey contain object
ion, and visibility
ration. Objects th
ingle OU. By plac
ould delegate the
ing one permissio
ator can do to a u
xample, you mig
ts in the event of
ion, again, to the
n 8-21

ts that
y. You
hat
cing your
e help
on to one
user
ht allow
an
e User
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Remember that administrators should be logging on to their systems with user
credentials and launching administrative tools with the credentials of a secondary
account that has appropriate permissions to perform administrative tasks.
Secondary accounts are the administrative accounts of the enterprise. It is not
appropriate for the front-line help desk to be able to reset passwords on such
privileged accounts, and you probably would not want Human Resources
managers to disable administrative accounts. Therefore, administrative accounts
should be administered differently than normal user accounts. Thats why you
would have a separate OU, such as Admins, for administrative user objects, which
would be delegated quite differently than the User Accounts OU.
Similarly, you might delegate to the desktop support team the ability to add
computer objects to an OU called Client Computers, which contains your
desktops and laptops, but not to the Servers OU, where only the Server
Administration group has permissions to create and manage computer objects.
The primary role of OUs is to efficiently scope delegationto apply permissions to
objects and sub-OUs. When you design an Active Directory environment, you
always begin by designing an OU structure that makes delegation efficienta
structure that reflects the administrative model of your organization. Rarely does
object administration in Active Directory look like your organizational chart.
Typically, all normal user accounts are supported the same way, by the same
teamso, user objects are often found in a single OU or a single OU branch. Quite
often, an organization that has a centralized help desk function to support users
will also have a centralized desktop support function. In this case, all client
computer objects would be within a single OU or a single OU branch. But, if
desktop support is decentralized, it would be likely the Client Computers OU are
divided into sub-OUs representing geographic locations. Each location would be
delegated to allow the local support team to add computer objects to the domain
in that location.
Design OUs first to enable the efficient delegation of objects in the directory. After
you have achieved that design, you can refine the design to facilitate the
configuration of computers and users through Group Policy.
Also, you can consider placing access permissions groups within separate OUs. As
a best practice, access permissions groups should be placed in OUs that deny read
permissions to standard users so that these groups do not appear in search results
when standard users search the directory. By using this approach, you can make
these groups visible only to administrators and people who can manage their
group membership.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lab A: D
Lab Se
For this
begin th
1. On
clic
2. In H
clic
3. In t
4. Log

5. Op
elegate A
etup
s lab, you will use
he lab, you must
the host comput
ck Hyper-V Mana
Hyper-V Manag
ck Start.
the Actions pane,
g on by using the
User name: Pat.
Password: Pa$$
Domain: Conto
en Windows Exp
Administr
e the available vir
complete the foll
ager.
ger, click 6425C-N
click Connect. W
e following creden
.Coleman
$w0rd
so
plorer and then b
S
ration
rtual machine env
lowing steps:
oint to Administr
NYC-DC1, and in
Wait until the virt
ntials:
browse to D:\Lab
vironment. Before
rative Tools, and
n the Actions pan
tual machine star
bfiles\Lab08a.
n 8-23

e you
d then
ne,
rts.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
6. Run Lab08a_Setup.bat with administrative credentials. Use the account
7. The lab setup script runs. When it is complete, press any key to continue.
8. Close the Windows Explorer window, Lab08a.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Scenario
The enterprise security team at Contoso, Ltd has asked you to lock down the
administrative permissions delegated to support personnel.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 1: Delegate Permission to Create and Support User
Accounts
In this exercise, you will delegate permission to the help desk to unlock user
accounts, reset passwords, and force users to change passwords at the next logon.
This permission will scope only to standard user accounts and will not allow the
help desk to change passwords of administrative accounts. You will also delegate
permission to the User Account Admins group to create and delete user accounts,
as well as full control over user accounts.
1. Create security groups for role-based management.
2. Delegate control of user support with the Delegation of Control Wizard.
3. Delegate permission to create and delete users with the Access Control List
Editor interface.
4. Validate the implementation of delegation.

Task 1: Create security groups for role-based management.
1. On NYC-DC1, run Active Directory Users and Computers with
administrative credentials. Use the account Pat.Coleman_Admin with the
password Pa$$w0rd.
2. In the Groups\Role OU, create the following role groups:
Help Desk (global security group)
User Account Admins (global security group)
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
3. Add the following users' administrative accounts to the Help Desk group. Be
careful not to add the users' standard, non-privileged account.
Aaron M. Painter
Elly Nkya
Julian Price
Holly Dickson
4. Add the following users' administrative accounts to the User Account Admins
group. Be careful not to add the users' standard, non-privileged account.
Pat Coleman
April Meyer
Max Stevens
5. In the Admins\Admin Groups\AD Delegation OU, create the following
administrative access management groups:
AD_User Accounts_Support (domain local security group).
AD_User Accounts_Full Control (domain local security group).
6. Add the Help Desk as a member of AD_User Accounts_Support.
7. Add User Account Admins as a member of AD_User Accounts_Full Control.

Task 2: Delegate control of user support with the Delegation Of
Control Wizard.
Right-click the User Accounts OU and then click Delegate Control. Delegate
to the AD_User Accounts_Support group the permission to reset user
passwords and force users to change passwords at next logon.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Task 3: Delegate permission to create and delete users with the Access
Control List Editor interface.
1. Turn on the Advanced Features view of the Active Directory Users and
Computers snap-in.
2. Right-click the User Accounts OU, and then click Properties. Click the
Security tab, and then click Advanced.
3. Add permissions that give AD_User Accounts_ Full Control the ability to
create and delete users and full control over user objects. Be careful to limit the
Full Control permission to descendant user objects only.

Task 4: Validate the implementation of delegation.
user name Aaron.Painter_Admin and the password Pa$$w0rd.
3. Confirm that you can reset the password for Jeff Ford, in the Employees OU,
and that you can force him to change his password at the next logon.
4. Confirm that you cannot disable Jeff Ford's account.
5. Confirm that you cannot reset the password for Pat Coleman (Admin) in the
Admin Identities OU.
user name April.Meyer_Admin and the password Pa$$w0rd.
8. Confirm that you can create a user account in the Employees OU by creating
an account with your own first and last name, the user name First.Last, and
the password Pa$$w0rd.

Results: In this exercise, you delegated to the help desk the permission to unlock user
accounts, reset passwords, and force users to change passwords at next logon through
the help desk's membership in the AD_User Accounts_Support group. You have also
delegated full control of user objects to User Account Admins through its membership
in the AD_User Accounts_Full Control group. And, you tested both delegations to
validate their functionality.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 2: View Delegated Permissions
In this exercise you will view, report, and evaluate the permissions that have been
assigned to Active Directory objects.
1. View permissions in the Access Control List Editor interfaces.
2. Report permissions by using DSACLs.
3. Evaluate effective permissions.

Task 1: View permissions in the Access Control List Editor interfaces.
3. Sort so that permissions are displayed according to the group to which they
are assigned.

Question: How many permission entries were created for the AD_User
Accounts_Support group by the Delegation Of Control Wizard? Is it easy to tell
what permissions were assigned in the Permission Entries list? List the permissions
assigned to AD_User Accounts_Support.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Task 2: Report permissions by using DSACLs.
From the command prompt, use DSACLs to report the permissions assigned
to the User Accounts OU. Type the following command, and then press Enter.
dsacls "ou=User Accounts,dc=contoso,dc=com"

Question: What permissions are reported for AD_User Accounts_Support by the
DSACLs command?
Task 3: Evaluate effective permissions.
2. Using the Advanced Security Settings dialog box, evaluate the Effective
Permissions for April.Meyer_Admin. Locate the permissions that allow the
user to create and delete users.
Question: Do you see the Reset Password in this list?
3. In the Employees OU, right-click the user account for Aaron Lee, and then
click Properties. Click the Security tab, and then click Advanced.
4. Using the Advanced Security Settings dialog box, evaluate the Effective
Permissions for Aaron.Painter_Admin. Locate the permissions that allow the
user to reset the password for Aaron Lee.

Results: In this exercise, you confirmed that the permissions you assigned in the
previous exercise were applied successfully.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 3: Remove and Reset Permissions
In this exercise, you will remove delegated permissions and will reset an OU to its
schema-defined default ACL.
1. Remove permissions assigned to AD_User Accounts_Support.
2. Reset the User Accounts OU to its default permissions.

Task 1: Remove permissions assigned to AD_User Accounts_Support.
2. Sort so that permissions are displayed according to the group to which they
are assigned.
3. Remove the permissions assigned to AD_User Accounts_Support.

Task 2: Reset the User Accounts OU to its default permissions.
2. Click Restore defaults, and then click Apply.

Question: What do you achieve by clicking Reset To Default? What permissions
remain?
Results: In this exercise, you have reset the permissions on the User Accounts OU to its
schema-defined defaults.
Note: Do not shut down the virtual machine after you are finished with this lab, because the
settings you have configured here will be used in the subsequent lab.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Question: When you evaluated the effective permissions for April Meyer on the
User Accounts OU, why didn't you see permissions such as Reset Password in this
list? Why did the permission appear when you evaluated effective permissions for
Aaron Painter on Aaron Lee's user account?
Question: Does Windows make it easy to answer the following questions:
Who can reset user passwords?
What can XXX do as an administrator?
Question: What is the impact of resetting the ACL of an OU back to its schema-
defined default?

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lesson 2
Audit Ac
Just as a
types of
attempt
another
addition
Window
deploym
Object
After co
Con
Spe
Ide
Serv
ctive Dire
auditing file and f
f objects, the Aud
ts to access objec
r class of auditing
n, there are sever
ws7 that increase
ment and manage
tives
ompleting this les
nfigure audit poli
ecify auditing sett
ntify event log en
vice Changes aud
ectory Ad
folder access allo
dit Directory Serv
ts in Active Direc
g for Active Direct
al auditing enhan
e the level of detai
ement of auditing
sson, you will be a
icy to enable Dire
tings on Active D
ntries created by D
diting.
S
ministrat
ows you to log att
ice Access policy
ctory. Windows S
tory: Directory Se
ncements in Win
il in security audi
g policies.
able to:
ectory Service Ch
irectory objects.
Directory Access
tion
tempts to access t
allows you to log
Server 2008 intro
ervice Changes. I
dows Server2008
iting logs and sim
hanges auditing.
auditing and Dir
n 8-33

those
g
oduces
n
8 R2 and
mplify the
rectory
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Describe Advanced Audit Policies.
Describe Global Object Access auditing.
Describe the reason for Access Reporting.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Enabl
Key Po
Just as t
such as
log attem
You con
SACL o
As an ex
sensitiv
Service
Domain
modific
the defa
audit all
In Wind
service
object, h
e Audit Polic
oints
the Audit Object A
files and folders,
mpts to access ob
nfigure the policy
f the Active Direc
xample, if you wa
e group, such as
Access policy to
n Admins group a
cations of the grou
ault configuration
l changes to the D
dows Server 2003
access, and you w
had been change
cy
Access policy allo
, the Audit Direct
bjects in Active D
y to audit Success
ctory object to sp
ant to monitor ch
Domain Admins
audit Success eve
and configure an
ups Members att
n is to audit Succe
Domain Admins
3 and Windows 2
would be notified
d, but you could
S
ows you to log at
tory Service Acces
Directory. The sam
s or Failure follow
ecify the types of
hanges to the mem
, you can enable
ents. Then, you c
auditing entry fo
tribute. In fact, in
ess events for Dir
group!
2000 Server, you
d that an object, o
not identify the p
ttempts to access
ss policy allows y
me basic principle
wed by configurin
f access you want
mbership of a sec
the Audit Directo
can open the SAC
or successful
n Windows Serve
rectory Service Ac
could audit direc
or the property of
previous and new
n 8-35

objects,
you to
es apply.
ng the
t to audit.
curity-
ory
CL of the
r 2008,
ccess and
ctory
f an
w values
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
of the attribute that had changed. For example, an event could be logged indicating
that a particular user changed an attribute of Domain Admins, but you could not
easily identify which attribute was changed, and there was no way to determine
from the audit log exactly what change was made to that attribute.
Windows Server 2008 adds an auditing category called Directory Service Changes.
The important distinction between Directory Service Changes and Directory
Service Access is that with Directory Service Changes auditing, you can identify the
previous and current values of a changed attribute.
Directory Service Changes is not enabled in Windows Server 2008 by default.
Instead, Directory Service Access is enabled to mimic the auditing functionality of
previous versions of Windows. To enable auditing of successful Directory Service
Changes, open a command prompt on a domain controller and enter this
command.
auditpol /set /subcategory:"directory service changes" /success:enable
Although you can use the preceding command to enable Directory Service
Changes auditing in a lab and explore the events that are generated, we
recommend that you dont implement this in a domain until you evaluate this
feature in test environment.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Specif
Key Po
You mu
audited
To acce
1. Op
2. Clic
3. Clic
4. Clic
fy Auditing S
oints
ust still modify th
d.
ss the SACL and
en the Propertie
ck the Security ta
ck the Advanced
ck the Auditing t
Settings for
he SACL of object
its audit entries,
s dialog box of th
ab.
button.
tab.
S
Directory Se
s to specify which
perform the follo
he object you wis
ervice Chang
h attributes shou
owing steps:
sh to audit.
n 8-37
ges

uld be

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
To add an audit entry, perform the following steps:
1. Click the Add button.
2. Select the user, group, or computer to audit. Often, this will be the Everyone
group.
3. In the Auditing Entry dialog box, indicate the type of access to audit.
You can audit for successes, failures, or both as the specified user, group, or
computer attempts to access the resource by using one or more of the granular
access levels.

You can audit Successes to perform the following tasks:
Log resource access for reporting and billing
Monitor access that would suggest users are performing actions greater than
what you had planned, indicating that permissions are too generous
To identify access that is out of character for a particular account, which might
be a sign that a user account has been breached by a hacker

Auditing failed events allows you to:
Monitor for malicious attempts to access resources to which access has been
denied.
Identify failed attempts to access a file or a folder to which a user does require
access. This would indicate that the permissions are not sufficient to achieve a
business requirement.

Note: Audit logs have the tendency to get large quite rapidly, so a golden rule for auditing is to
configure the bare minimum required to achieve the task. Specifying to audit the
successes and failures on an active data folder for the Everyone group by using Full
Control (all permissions) generates enormous audit logs that could affect the
performance of the server and make locating a specific audited event impossible.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

View
Key Po
After yo
audit by
entries.
the Even
select Se
When D
configu
Security
made. In
the chan

Audited Eve
oints
ou enable the des
y using object SA
You can view the
nt Viewer consol
ecurity Log.
Directory Service
red in the SACL o
y Log that clearly
n most cases, eve
nged attribute.
ents in the Se
ired audit policy
ACLs, the system b
e resulting events
le from Administr
Changes auditin
of directory servi
indicate the attri
ent log entries wil

S
ecurity Log
setting and speci
begins to log acce
s in the Security L
rative Tools. Exp
g is enabled and
ice objects, events
ibute that was ch
ll show the previ
ify the access you
ess according to
Log of the server.
and Windows Lo
auditing entries
s are logged to th
hanged and the ch
ous and current v
n 8-39

u want to
audit
. Open
ogs, and
are
he
hange
value of
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
8-40 Configuring
Advan
Key Po
Note: The cont
In the p
2003, n
category
failed at
and can
large nu
Group P
In Wind
expand
the num
XP even
only be
nced Audit P
oints
tent in this topic is
previous versions
nine categories for
y to perform aud
ttempts for specif
n be triggered by
umber of event lo
Policy.
dows Vista and W
ed from nine to 5
mber and types of
nts, these new au
deployed by usin
Policies
s specific to Windo
of Windows, suc
r auditing existed
iting and monito
fic tasks and even
a variety of simila
og entries. This ty
Windows Server
53, which enable
f events to audit.
dit events are not
ng logon scripts g
ows Server 2008 R2
ch as Windows X
d. Administrators
or successful, faile
nts. These events
ar actions; some o
ype of auditing wa
2008, the numb
s an administrato
However, unlike
t integrated with
generated with th
Services
2.
XP and Windows
s could configure
ed, or both succes
are fairly broad i
of which can gen
as configured by
er of auditable ev
or to be more sele
e the nine basic W
Group Policy an
he Auditpol.exe

Server
each
ssful and
in scope
nerate a
using
vents is
ective in
Windows
d can
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
command-line tool. This was somewhat inconvenient because several tools were
used to manage auditing.
In Windows Server 2008 R2 and Windows 7, all auditing capabilities have been
integrated with Group Policy. This allows administrators to configure, deploy, and
manage these settings in the Group Policy Management Console (GPMC) or Local
Security Policy snap-in for a local computer, domain, site, or OU. Windows Server
2008 R2 and Windows 7 make it easier for IT professionals to track when precisely
defined, significant activities take place on the network.
Audit policy enhancements in Windows Server 2008 R2 and Windows 7 allow
administrators to connect business rules and audit policies. Using these new
policies, you can easily configure auditing that will comply with company policy.
These new policies for auditing now have a specific node in the Security settings
part of Group Policy objectthey are located in Security Settings\Advanced Audit
Policy Configuration\Audit Policies. Within this node, there are 10 categories for
auditing with several options within each category. At the same time, the legacy
audit policy node still exists.
Basic Audit policies vs. Advanced Audit Policies
The basic security audit policy settings (located in Security Settings\Local
Policies\Audit Policy) and the advanced security audit policy settings (located in
Security Settings\Advanced Audit Policy Configuration\Audit Policies) appear to
overlap, but they are recorded and applied differently.
When you apply basic audit policy settings to the local computer by using the
Local Security Policy, you are editing the effective audit policy, so changes made to
basic audit policy settings appear exactly as configured in Auditpol.exe.
There are several additional differences between the security audit policy settings
in these two locations.
A new set of advanced audit policies allow administrators to be more selective in
the number and types of events to audit. For example, where a basic audit policy
provides a single setting for account logon, advanced audit policy provides four.
Enabling the single basic account logon setting would be the equivalent of setting
all four advanced account logon settings. In comparison, setting a single advanced
audit policy setting does not generate audit events for activities you are not
interested in. Additionally, if you enable success auditing for the basic Audit
account logon events setting, only success events will be logged for all account
logonrelated behaviors. In comparison, you can configure success auditing for
one advanced account logon setting, failure auditing for a second advanced
account logon setting, success and failure auditing for a third advanced account
logon setting, or no auditing, depending on the needs of your organization.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The nine basic settings under Security Settings\Local Policies\Audit Policy were
introduced in Windows 2000, and therefore are available to all versions of
Windows released since then. The advanced audit policy settings were introduced
in Windows Vista and Windows Server 2008. The advanced settings can be used
only on computers running Windows 7, Windows Vista, Windows Server 2008, or
Windows Server 2008 R2.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Globa
Key Po
Note: The cont
To enab
configu
for a sp
approac
all admi
because
object le
The new
manage
With Gl
per obje
automa
al Object Acc
oints
ble object access a
re this option in
ecific security pri
ch sometime was
inistrative write a
e you cannot turn
evel.
w audit category i
e object access au
lobal Object Acce
ect type for either
tically applied to
cess Auditing
s specific to Windo
auditing, in previ
basic audit polici
incipal on SACL o
not so easy to ad
activity on servers
n on object access
in Windows Serv
uditing in a much
ess Auditing, adm
r the file system o
every object of th
S
g
ows Server 2008 R2
ious Windows ve
ies (in GPOs), an
of object which y
djust with compa
s containing Fina
s audit logging on
ver 2008 R2 allow
wider scope.
ministrators can d
or registry. The sp
hat type.
2.
ersions, you had t
nd also turn on au
you want to audit
any policies such
ance information,
n server level but
ws administrators
define computer S
pecified SACL is t
n 8-43

to
uditing
t. This
as Log
,
t only on
s to
SACLs
then
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
A global object access audit policy can be used to enforce the object access audit
policy for a computer, file share, or registry without configuring and propagating
conventional SACLs. Configuring and propagating SACLs is a more complex
administrative task, and it is difficult to verify, particularly if you need to verify to
an auditor that security policy is being enforced.
Auditors will be able to prove that every resource in the system is protected by an
audit policy by just viewing the contents of the Global Object Access Auditing
policy setting.
Resource SACLs are also useful for diagnostic scenarios. For example, setting a
Global Object Access Auditing policy to log all activity for a specific user and
enabling the Access Failures audit policies in a resource (file system, registry) will
help administrators quickly identify which object in a system is denying a user
access.
Global Object Access Auditing includes the following subcategories: File system
and registry.
File System
This security policy setting allows you to configure a global SACL on the file
system for an entire computer.
If you select the Configure security check box, you can add a user or group to the
global SACL.
Registry
This security policy setting allows you to configure an SACL on the registry for a
computer. If you select the Configure security check box, you can add a user or
group to the global SACL. This policy setting must be used in combination with
the Registry security policy setting under Object Access.

Note: If both a file or folder SACL and a Global Object Access Auditing policy (or a single
registry setting SACL and a Global Object Access Auditing policy) are configured on a
computer, the effective SACL is derived from combining the file or folder SACL and the
Global Object Access Auditing policy. This means that an audit event is generated if an
activity matches either the file or folder SACL or the Global Object Access Auditing
policy.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Reaso
Key Po
Note: The cont
One of
folder. T
operatio
object, a
or denie
Howeve
folder w
such as
may als
Server 2
addition
feature
on for Access
oints
the most commo
There are several
on was successfu
and the operation
ed.
er, it is often not e
was accessed by a
a user writing to
o want to know w
2008 R2 and Win
nal information a
is called Reason f
s Reporting
s specific to Windo
on auditing needs
events in Windo
l or unsuccessful
n, but they lack th
enough to know
a user. For examp
o a file that he or s
why the user was
ndows 7 improve
about why someo
for Access auditin
S
ows Server 2008 R2
s is to track acces
ows to audit when
l. The events usua
he reason why th
simply that an ob
ple, you might ne
she should not h
s able to access th
e this forensics an
one had access to
ng (or reporting)
2.
s to a particular f
never an object ac
ally include the u
he operation was
bject such as a fil
ed to identify an
ave had access to
his resource. Win
nalysis by providi
a specific resour
.
n 8-45

file or
ccess
user, the
allowed
le or a
activity
o. You
ndows
ing
rce. This
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
By enabling Reason for Access auditing, in addition to tracking this type of activity,
you will also be able to identify the exact ACE that allowed the undesired access.
This can significantly simplify the task of modifying access control settings to
prevent similar undesired object access in the future.
In Windows Server 2008 R2 and Windows 7, you can obtain this forensic data by
configuring the Audit Handle Manipulation setting along with either the Audit File
System or Audit Registry audit settings in Advanced Audit Policy Configuration.
In Windows 7 and Windows Server 2008 R2, the reason why someone has been
granted or denied access is added to the open handle event. This makes it possible
for administrators to understand why someone was able to open a file, folder, or
file share for a specific access.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Demo
Key Po
In this d
policies
Demon
Star
Edi
Bro
Bro
Con
ove
onstration: A
oints
demonstration, y
s
nstration Steps
rt Group Policy M
it the Default Dom
owse to Advanced
owse to subcatego
nfigure that Adva
erwritten.
Advanced Au
ou will see how t
s:
Management Co
main Policy GPO
d Audit Policy C
ories.
anced Audit Polic
S
udit Policies
to locate and con
onsole.
.
onfiguration.
cy Configuration s
nfigure Advanced
settings are not
n 8-47

Audit

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
8-48 Configuring
Lab B: Au
Lab Se
For this
begin th
1. On
clic
2. In H
clic
3. In t
4. Log

udit Activ
etup
s lab, you will use
he lab, you must
the host comput
ck Hyper-V Mana
Hyper-V Manag
ck Start.
the Actions pane,
g on by using the
User name: Pat.
Password: Pa$$
Domain: Conto
ve Direct
e the available vir
complete the foll
ager.
ger, click 6425C-N
click Connect. W
e following creden
.Coleman
$w0rd
so
ory Chan
rtual machine env
lowing steps:
oint to Administr
NYC-DC1, and in
Wait until the virt
ntials:
Services
nges
vironment. Before
rative Tools, and
n the Actions pan
tual machine star

e you
d then
ne,
rts.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Scenario
The enterprise security team at Contoso, Ltd has asked you to provide detailed
reports regarding changes to the membership of security-sensitive groups,
including Domain Admins. The reports must show the change that was made, who
made the change, and when.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 1: Audit Changes to Active Directory by Using
Default Audit Policy
In this exercise, you will see the Directory Service Access auditing that is enabled
by default in Windows Server 2008 and Windows Server 2003.
1. Confirm that the Domain Admins group is configured to audit changes to its
membership.
2. Make a change to the membership of Domain Admins.
3. Examine the events that were generated.

Task 1: Confirm that the Domain Admins group is configured to audit
changes to its membership.
Run Active Directory Users and Computers as an administrator, with the
Open the Audit Settings properties of the Domain Admins group.
Locate the entry that specifies the auditing of successful attempts to modify
properties of the group such as membership.

Question: What is the Auditing Entry that achieves this goal?

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Task 2: Make a change to the membership of Domain Admins.
Add Stuart Munson (user logon name Stuart.Munson) to the Domain
Admins group. Be sure to apply your change.
Remove Stuart Munson from the Domain Admins group.
Make a note of the time when you made the changes. That will make it easier
to locate the audit entries in the event logs.

Task 3: Examine the events that were generated.
Run Event Viewer as an administrator, with the user name
Click Security Log and locate the events that were generated when you added
and removed Stuart Munson.

Question: What is the Event ID of the event logged when you made your changes?
What is the Task Category?
Question: Examine the information provided on the General tab. Can you identify
the following in the event log entry?
Who made the change?
When the change was made?
Which object was changed?
What type of access was performed?
Which attribute was changed? How is the changed attribute identified?
What change was made to that attribute?

Results: In this exercise, you generated and examined Directory Service Access audit
entries.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 2: Audit Changes to Active Directory by Using
Directory Service Changes Auditing
In this exercise, you will implement the new Directory Services Changes auditing
of Windows Server 2008 to reveal details about changes to the Domain Admins
group.
1. Enable Directory Services Changes auditing
2. Make a change to the membership of Domain Admins
3. Examine the events that were generated

Task 1: Enable Directory Services Changes auditing.
Run the command prompt as an administrator, with the user name
Type the following command, and then press Enter.
auditpol /set /subcategory:"directory service changes"
/success:enable

Task 2: Make a change to the membership of Domain Admins.
Add Stuart Munson (user logon name Stuart.Munson) to the Domain
Admins group. Be sure to apply your change.
Remove Stuart Munson from the Domain Admins group.
Make note of the time when you made the changes. That will make it easier to
locate the audit entries in the event logs.

Task 3: Examine the events that were generated.
Run Event Viewer as an administrator, with the user name
Click Security Log and locate the new types of events that were generated
when you added and removed Stuart Munson.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Question: What are the Event IDs of the event logged when you made your
changes? What is the Task Category?
Question: Examine the information provided on the General tab. Can you identify
the following in the event log entry?
What type of change was made?
Who made the change?
Which member was added or removed?
Which group was affected?
When the change was made?

Results: In this exercise, you generated Directory Services Changes auditing entries.
click Revert.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Question: What details are captured by Directory Services Changes auditing that
are not captured by Directory Service Access auditing?
Question: Which type of administrative activities would you want to audit by
using Directory Services Changes auditing?

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Module
Review
Questio
that you
Questio
structur
Note: Role-bas
manage
member
suppose
other pe
permissi
Questio
Review a
w Questions
on: How does the
u do not have per
on: What is the b
re when assigning
sed management i
ment such as disci
rs of a group such
ed to have. You als
ermissions, and tha
ons.
on: What is the m
and Takea
e Active Directory
rmissions to perf
benefit of a two-tie
g permissions in
is a detailed topic.
ipline and auditing
as AD_User Accou
o need to ensure t
at no other users o
main benefit of us
S
aways
y Users and Com
form a particular
ered, role-based m
Active Directory?
There are other a
g that are required
unts_Support have
that the members
or groups have bee
sing new Advance
mputers console in
administrative ta
management grou
?
spects of role-base
d to ensure that th
e the permissions t
of this group have
en delegated the s
ed Audit Policies?
n 8-55

ndicate
ask?
up
ed
e
hey are
e no
same
?
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Common Issues related to Secure Administration
Issue Troubleshooting tip
There is no un-delegate command or
wizard after you finish delegation of
control

Reason for Access auditing is not
working

Best Practices Related to Secure Administration

Use Delegation of Control Wizard to delegate administrative control instead of
placing users in built-in administrative groups.
Use Advanced Audit Policies for better and more granular audit control.
Avoid using the block inheritance option when configuring permissions.
Tools
Tool Used for Where to find it
Group Policy
Management Console
Editing security policy Administrative Tools
Delegation of Control
Wizard
Delegating administrative
control over OU
Active Directory Users
and Computers
Auditpol Configuring auditing Command-line utility

Content Specific to Windows Server 2008 R2
Feature Version Module Reference
Advanced Audit Policies
Global Object Access Auditing
Reason for access reporting

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Improving the Security of Authentication in an AD DS Domain 9-1
Module 9
Improving the Security of Authentication in an
AD DS Domain
Contents:
Lesson 1: Configure Password and Lockout Policies 9-4
Lab A: Configure Password and Account Lockout Policies 9-24
Lesson 2: Audit Authentication 9-30
Lab B: Audit Authentication 9-39
Lesson 3: Configure Read-Only Domain Controllers 9-43
Lab C: Configure Read-Only Domain Controllers 9-63
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
9-2 Configuring
Module
When u
passwor
users id
how to
passwor
authent
auditing
introdu
authent
settings
domain
Overview
users log on to an
rd. Then, the clie
dentities against t
create and manag
rds. In this modu
tication, including
g of authenticatio
ced by Windows
tication in an Acti
s objects (better k
n controllers (ROD
w
n Active Directory
ent computer use
their Active Direc
ge user accounts
ule, you will explo
g the policies tha
on-related activitie
s Server 2008 th
ive Directory Dom
known as fine-gra
DCs).
y domain, they e
s those credentia
ctory accounts. In
and their proper
ore the domain-s
at specify passwor
es. You will also d
hat can significant
main Services (AD
ained password p
Services
enter their user n
als to authenticate
n Module 3, you l
rties, including
ide components
rd requirements
discover two feat
tly improve the se
D DS) domain, P
policy) and read-o

ame and
e the
learned
of
and the
tures
ecurity of
assword
only
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Objectives
After completing this module, you will be able to:
Configure password and account lockout policies.
Configure auditing of authentication-related activity.
Configure RODCs.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
9-4 Configuring
Lesson 1
Configur
In a Win
change
characte
characte
in an Ac
passwor
complex
passwor
changed
implem
Default
re Passwo
ndows Server 20
their password e
ers long and mee
er types: upper ca
ctive Directory do
rd policiesmaxi
xity. Rarely do th
rd security requir
d more or less fre
ment your enterpri
Domain Policy G
ord and L
08 or Windows S
every 42 days, and
et complex requir
ase, lower case, n
omain, administr
imum password a
hese default settin
rements. Your or
equently, or to be
ises password an
Group Policy obje
Lockout P
Server 2008 R2 d
d a password mu
rements, includin
numeric, and non
ators and users fi
age, password len
ngs align precisely
ganization might
e longer. In this le
nd lockout polici
ect (GPO).
Services
Policies
domain, users nee
ust be at least seve
ng the use of thre
n-alphanumeric. T
first encounter thr
ngth, and passwo
y with an organiz
t require passwor
esson, you will le
es by modifying t

ed to
en
e of four
Typically,
ree
ord
zations
rds to be
earn to
the
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
As you know, there are exceptions to every rule, and you may exceptions to your
password policies. To enhance your domains security, you can place more
restrictive password requirements for accounts assigned to administrators, for
accounts used by services such as Microsoft SQL Server, or for a backup utility.
In earlier versions of Windows, this was not possiblea single password policy
applied to all accounts in the domain. In this lesson, you will learn to configure
fine-grained password policies. This is a new feature in Windows Server 2008 that
allows you to assign different password policies to users and groups in your
domain.
Objectives
Understand password and account lockout policies.
Implement your domain password and account lockout policy.
Configure and assign fine-grained password policies.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
9-6 Configuring
Unde
Key Po
Your do
Within
Configu
Policies
configu
Policy n
rstand Passw
oints
omains password
the GPO, in the G
uration, Policies, W
. In the Account
re the policy setti
node is shown in
word Policies
d policy is configu
Group Policy con
Windows Setting
Policies node, acc
ings that determi
the following scr
s
ured by a GPO sc
nsole tree, expand
gs, Security Settin
cess the Passwor
ine password req
reen shot.
Services
coped to the dom
d Computer
ngs, and then Acc
d Policy node to
quirements. The P

main.
count
Password
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

You can understand the effect of the policies by considering the life cycle of a user
password. A user needs to change the password within the number of days
specified by the Maximum Password Age policy setting. When the user enters a
new password, the length of the new password will be compared with the number
of characters in the Minimum Password Length policy. If the Password and Must
Meet Complexity Requirements policy is enabled, the password must contain at
least three of four character types:
Upper case: A to Z
Lower case: a to z
Numeric: 0 to 9
Non-alphanumeric symbols: !, #, %, or &

According to the new password meets requirements, Active Directory puts the
password through a mathematical algorithm that produces a representation of the
password called the hash code. The hash code is uniqueno two different
passwords can create the same hash code. The algorithm used to create the hash
code is called a one-way function. You cannot put the hash code through a reverse
function to derive the password. The fact that it is a hash code and not the
password itself that is stored in Active Directory helps increase the user accounts
security.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Occasionally, some applications require the ability to read a user's password. This
is not possible because, by default, only the hash code is stored in Active Directory.
To support such applications, you can enable the Store Passwords Using
Reversible Encryption policy setting. This policy setting is not enabled by default. If
you enable the policy, user passwords are stored in an encrypted form that can be
decrypted by the application. Reversible encryption significantly reduces a
domains security, so it is disabled by default, and you should strive to eliminate
applications that require direct access to passwords.
Additionally, Active Directory can check the cache of the users previous hash
codes to ensure that the new password is not the same as the users previous
passwords. The number of previous passwords against which a new password is
evaluated is determined by the Enforce Password History policy. By default,
Windows maintains the previous 24 hash codes, which means that a user cannot
use the last 24 passwords when entering a new one.
If a user is determined to reuse the same password when the password expiration
period occurs, the user could simply change the password 25 times to work
around the password history. To prevent that from happening, the Minimum
Password Age policy specifies an amount of time that must pass between password
changes. By default, it is one day. Therefore, the determined user would have to
change the password once per day for 25 days to reuse a password. This serves as
an effective deterrent of such behavior.
These policy settingshistory, minimum age, and maximum ageaffect only a user
who changes the password. The settings do not affect an administrator who uses
the Reset Password command to change another user's password.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Unde
Key Po
An intru
user nam
organiz
combin
the intru
or by re
logon is
rstand Accou
oints
uder can gain acc
me and password
ations create user
nations of first and
uder must determ
epeatedly logging
s successful.
Improving t
unt Lockout
cess to the resour
d. User names ar
r names from an
d last names, or e
mine the correct p
g on with combin
the Security of Authentica
Policies
rces in your doma
e relatively easy t
employee's emai
employee IDs. Aft
password. This ca
ations of characte
ation in an AD DS Domai
ain by determinin
to identify, becau
il address, initials
ter a user name is
an be done by gu
ers or words unti
n 9-9

ng a valid
se most
s,
s known,
uessing,
il the
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
This type of attack, called brute force, can be thwarted by limiting the number of
incorrect logons that are allowed. That is what account lockout policies achieve.
Account lockout policies are located in the node of the GPO directly below the
Password Policy. The Account Lockout Policy node is shown in the following
screen shot.

There are three settings related to account lockout. The Account Lockout
Threshold setting determines the number of invalid logon attempts permitted
within a time specified by the Reset account lockout counter after policy. If an
attack results in more unsuccessful logons within that time frame, the user account
is locked out. When an account is locked out, Active Directory denies logon to that
account, even if the correct password is specified. The account will remain locked
out for the period of time specified in the Account lockout duration setting. If you
set this to a value of 0, only the administrator can manually unlock a locked user
account by using the Active Directory Users and Computers console.
Note: Although account lockout policies can be useful in preventing brute force attacks, some
organizations choose not to define account lockout policies, because they can actually
create denial of service scenarios. If a hacker performs a brute force attack against an
account used by a service accountyour SQL servers, for exampleand the account is
locked, eventually the service will fail. Many organizations choose to use auditing,
intrusion detection, and other monitoring approaches to mitigate brute force attacks.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Confi
Key Po
Active D
These p
domain
domain
lockout
Domain
The bes
policy s
Policy G
the Defa
other w
lockout
passwor
gure the Do
oints
Directory support
policies are config
n contains a GPO
n and that include
t, and Kerberos p
n Policy GPO.
st practice is to ed
settings for your o
GPO to specify ac
ault Domain Poli
words, the Default
t, and Kerberos p
rd, account locko
Improving t
main Passwo
ts one set of pass
gured in a GPO th
called the Defau
es the default pol
olicies. You can c
dit the Default Do
organization. You
ccount lockout po
icy GPO to deplo
t Domain Policy G
olicies for the do
out, or Kerberos p
ord and Lock

word and lockou
hat is scoped to th
lt Domain Policy
licy settings for p
change the setting
omain Policy GPO
u should also use
olicies and Kerbe
y any other custo
GPO only defines
omain. Additional
policies for the d
kout Policy
ut policies for a d
he domain. A new
y that is linked to
assword, accoun
gs by editing the
O to specify the p
the Default Dom
eros policies. Do n
om policy setting
s the password, a
lly, do not define
omain in any oth
n 9-11

omain.
w
the
t
Default
password
main
not use
s. In
account
her GPO.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The password settings configured in the Default Domain Policy affect all user
accounts in the domain. The settings can be overridden, however, by the password-
related properties of the individual user accounts. On the Account tab of a user's
Properties dialog box, you can specify settings such as Password Never Expires or
Store Passwords Using Reversible Encryption. For example, if five users have an
application that requires direct access to their passwords, you can configure the
accounts for those users to store their passwords by using reversible encryption.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Demo
Key Po
In this d
meet th
A m
Com
Use
Use
A u
Demon
1. In t
For
onstration: C
oints
demonstration, y
he following requi
minimum of eight
mply with Windo
ers must change t
ers cannot chang
user cannot reuse
nstration Steps
the Group Policy
rest:contoso.com
Improving t
Configure Do
ou see how to co
irements for pass
t characters long.
ows default comp
their password ev
e their own passw
a password with
s
Management con
m, Domains, and
omain Accou
onfigure the doma
swords:
plexity requireme
very 90 days.
word more than o
hin a one-year tim
nsole, in the cons
contoso.com.
unt Policies
ain account polic
ents.
once a week.
me.
sole tree, expand
n 9-13

cies to

d
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
2. Right-click Default Domain Policy underneath the domain, contoso.com and
click Edit.
3. In the Group Policy Management Editor console tree, expand Computer
Configuration, Policies, Windows Settings, Security Settings, and Account
Policies, and then click Password Policy.
4. Double-click the following policy settings in the console details pane and
configure the settings as indicated:
Enforce password history: 53 passwords remembered
Maximum password age: 90 days
Minimum password age: 7 days
Minimum password length: 8 characters
Password must meet complexity requirements: Enabled
5. Close the Group Policy Management Editor window.
6. Close the Group Policy Management window.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Fine-G
Key Po
Having
possible
differen
adminis
other us
is to mo
adminis
users.co
adminis
solves th
using a
lockout
grained
more gr
function
of objec
Grained Pass
oints
more than one p
e. Therefore, you
nt group of users.
strators to have p
sers to have at lea
ove administrator
strators usually cr
ontoso.com. How
strative cost to su
his problem. You
new feature of W
t policy, often sho
d password policy
roups or users in
nality by using G
ct and some addit
Improving t
sword and Lo
password and/or
cannot configure
For example, co
passwords with a
ast 7 or more cha
rs (or users) to an
reate two domain
wever, it can cause
upport two doma
u can override the
Windows Server 2
ortened to simply
y allows you to co
your domain. Ho
roup Policy. You
tional attributes t
ockout Polic
account lockout
e different passw
nsider a scenario
minimum length
aracters. The only
nother domain. In
ns such as contos
e additional main
in structures. Wi
e domain passwo
2008 called fine-g
y fine-grained pas
onfigure a policy
owever, you cann
can apply it only
to user and group
cy
policy in a doma
word requirement
o where you want
h of 14 characters
y way to accompl
n such scenarios,
so.com and
ntenance and
indows Server 20
ord and lockout p
grained password
ssword policy. A f
that applies to on
not apply this
y by defining a ne
p objects.
n 9-15

ain is not
s for
t your
s and
lish this
,
008
policy by
d and
fine-
ne or
ew type
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
A fine-grained password policy is a highly anticipated addition to Active Directory.
There are several scenarios for which a fine-grained password policy can be used to
increase the security of your domain. Accounts used by administrators are
delegated privileges to modify objects in Active Directory. Therefore, if an intruder
compromises an administrator's account, more damage can be done to the domain
than could be done with the account of a standard user. Therefore, consider
implementing stricter password requirements for administrative accounts. For
example, you might require a greater password length and more frequent
password changes.
Another type of account that requires special treatment in a domain is an account
used by services such as SQL Server. A service performs its tasks with credentials
that must be authenticated with a user name and password just like those of a
human user. However, most services are not capable of changing their own
password, so administrators configure service accounts with the Password Never
Expires option enabled. When an accounts password will not be changed, you
should ensure that the password is difficult to compromise. You can use fine-
grained password policies to specify an extremely long minimum password length.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Unde
Key Po
The sett
Passwor
passwor
applied
Director
Passwor
Most Ac
interfac
You ma
Service
rstand Passw
oints
tings managed by
rd Policy and Acc
rd policies are ne
as part of a GPO
ry that maintains
rd Settings Objec
ctive Directory ob
e (GUI) tools, su
anage PSOs, howe
Interface Editor (
Improving t
word Setting
y fine-grained pas
counts Policy nod
either implement
O. Instead, there is
s the settings for f
ct (PSO).
bjects can be man
uch as the Active D
ever, with low-lev
(ADSIEdit).
s Objects
ssword policy are
des of a GPO. Ho
ed as part of Gro
s a separate class
fine-grained passw
naged with user-f
Directory Users a
vel tools, includin
e identical to thos
owever, fine-grain
oup Policy nor are
of object in Activ
word policythe
friendly graphical
and Computers sn
ng Active Director
n 9-17

se in the
ned
e they
ve
l user
nap-in.
ry
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
You can create one or more PSOs in your domain. Each PSO contains a complete
set of password and lockout policy settings. A PSO is applied by linking the PSO to
one or more global security groups or users. Actually, by linking a PSO to a user or
a group, youre modifying an attribute called msDS-PSOApplied, which is empty by
default. This approach now treats password and account lockout settings not as
domain-wide requirements, but as attributes to a specific user or a group. For
example, to configure a strict password policy for administrative accounts, create a
global security group, add the service user accounts as members, and link a PSO to
the group. Applying fine-grained password policies to a group in this manner is
more manageable than applying the policies to each individual user account. If you
create a new service account, you simply add it to the group, and the account
becomes managed by the PSO.
To use a fine-grained password policy, your domain must be at the Windows
Server 2008 domain functional level, which means that all of your domain
controllers in the domain are running Windows Server 2008, and the domain
functional level has been raised to Windows Server 2008.
To confirm and modify the domain functional level:
1. Open Active Directory Domains and Trusts.
2. In the console tree, expand Active Directory Domains and Trusts, and then
expand the tree until you can see the domain.
3. Right-click the domain, and then click Raise domain functional level.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Demo
Key Po
In this d
to enha
Demon
Ver
Run
Cre
>DC
sett

onstration: C
oints
demonstration, y
nce the security o
nstration Steps
rify that the doma
n the ADSI Edit u
eate a new PSO, n
C=com->CN=Syst
tings:
Password stored
Password histor
Password comp
Minimum passw
Improving t
Configure Fin
ou will see how t
of accounts in the
s
ain functional lev
utility on a domai
named My Doma
tem->CN=Passwo
d with reversible
ry : Enabled
plexity requireme
word age : 1 day
ne-Grained P
to configure a fine
e Domain Admin
vel is Windows Se
in controller.
ain Admins PSO
ord Settings Cont
encryption : Fals
nt : Enabled
Password Pol
e-grained passwo
ns group.
erver 2008.
in DC=Contoso
tainer, with follow
se
n 9-19
licy

ord policy
-
wing
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Maximum password age : 45 days
Account lockout threshold : 5
Account lockout duration : 1 day
Account lockout counter reset : 1 hour
Assign a new PSO to Domain Admins group.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

PSO P
Key Po
A PSO c
can hav
So, whic
and onl
is called
precede
1 indica
the high
follows:
If m
high
If o
ign
pre
Precedence a
oints
can be linked to m
ve more than one
ch fine-grained p
ly one PSO determ
d the resultant PS
ence. The precede
ates the highest p
hest precedence t
:
multiple PSOs app
hest precedence
ne or more PSOs
ored, regardless o
ecedence wins.
Improving t
and Resultan
more than one gr
PSO linked to it,
assword and lock
mines the passwo
SO. Each PSO has
ence value is any
precedence. If mu
takes effect. The r
ply to groups to w
wins.
s are linked direc
of their preceden
nt PSO
roup or user, an i
, and a user can b
kout policy settin
ord and lockout s
s an attribute that
number greater
ultiple PSOs apply
rules that determ
which the user be
tly to the user, PS
nce. The user-link
ndividual group
belong to multipl
ngs apply to a use
settings for a user
t determines the
than 0, where the
y to a user, the PS
mine precedence a
elongs, the PSO w
SOs linked to gro
ked PSO with the
n 9-21

or user
le groups.
er? One
r, which
PSOs
e number
SO with
are as
with the
oups are
highest
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
If one or more PSOs have the same precedence value, Active Directory must
choose. It picks the PSO with the lowest globally unique identifier (GUID).
GUIDs are like serial numbers for Active Directory objectsno two objects
have the same GUID. GUIDs have no particular meaningthey are just
identifiersso picking the PSO with the lowest GUID is, in effect, an arbitrary
decision. You should configure PSOs with unique, specific precedence values
so that you avoid this scenario.

These rules determine the resultant PSO. Active Directory exposes the resultant
PSO in a user object attribute, msDS-ResultantPSO, so you can readily identify the
PSO that will affect a user. PSOs contain all password and lockout settings, so
there is no inheritance or merging of settings. The resultant PSO is the
authoritative PSO.
To view the msDS-ResultantPSO attribute of a user:
1. Ensure that Advanced Features is enabled on the View menu.
2. Open the properties of the user account.
3. Click the Attribute Editor tab.
4. Click Filter and ensure that Constructed is selected.
5. Locate the msDS-ResultantPSO attribute.

PSOs, OUs, and Shadow Groups
PSOs can be linked to global security groups or users. PSOs cannot be linked to
organizational units (OUs). If you want to apply password and lockout policies to
users in an OU, you must create a global security group that includes all of the
users in the OU. This type of group is called a shadow groupits membership
shadows, or mimics, the membership of an OU.
Note: There is no graphical tool in Windows Server 2008 to create shadow groups. However,
you can create and manage them by using a very simple script that will run periodically.
This script should enumerate user objects in the desired OU and put them in a group.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lab A: Co
Lockout
Lab Se
For this
begin th
1. On
clic
2. In H
clic
3. In t
4. Log

onfigure
Policies
etup
s lab, you will use
he lab, you must
the host comput
ck Hyper-V Mana
Hyper-V Manag
ck Start.
the Actions pane,
g on by using the
User name: Pat.
Password: Pa$$
Domain: Conto
Improving t
Password
e the available vir
complete the foll
ager.
ger, click 6425C-N
click Connect. W
e following creden
.Coleman
$w0rd
so
d and Ac
rtual machine env
lowing steps:
oint to Administr
NYC-DC1, and in
Wait until the virt
ntials:
count
vironment. Before
rative Tools, and
n the Actions pan
tual machine star
n 9-23

e you
d then
ne,
rts.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Scenario
The security team at Contoso, Ltd has tasked you with increasing the security and
monitoring of authentication against the enterprises AD DS domain. Specifically,
you must enforce a specified password policy for all user accounts, and a more
stringent password policy for security sensitive, administrative accounts.
Exercise 1: Configure the Domains Password and Lockout
Policies
In this exercise, you will modify the Default Domain Policy GPO to implement a
password and lockout policy for users in the contoso.com domain.
Configure the domain account policies.

Task: Configure the domain account policies.
2. Edit the Default Domain Policy GPO.
3. Configure the following password policy settings. Leave other settings at their
default values.
Maximum password age: 90 days
Minimum password length: 10 characters
5. Configure the following account lockout policy setting. Leave other settings at
their default values.
Account lockout threshold: 5 Invalid Logon Attempts.
6. Close Group Policy Management Editor and Group Policy Management.

Results: In this exercise, you configured new settings for the domain account policies.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 2: Configure Fine-Grained Password Policy
In this exercise, you will create a PSO that applies a restrictive, fine-grained
password policy to user accounts in the Domain Admins group. You will identify
the PSO that controls the password and lockout policies for an individual user.
Finally, you will delete the PSO that you created.
1. Create a PSO.
2. Link a PSO to a group.
3. Identify the Resultant PSO for a user.
4. Delete a PSO.

Task 1: Create a PSO.
1. Click Start, point to Administrative Tools, right-click ADSI Edit, and click
Run as administrator.
3. In the User name box, type Pat.Coleman_Admin.
4. In the Password box, type Pa$$w0rd, and then press Enter. The ADSI Edit
console opens.
5. Right-click ADSI Edit and click Connect To.
6. Accept all defaults. Click OK.
7. Click Default Naming Context in the console tree.
8. Expand Default Naming Context and click DC=contoso,DC=com.
9. Expand DC=contoso,DC=com and click CN=System.
10. Expand CN=System and click CN= Password Settings Container.
All PSOs are created and stored in the Password Settings Container (PSC).
11. Right-click CN=Password Settings Container and choose New, Object. The
Create Object dialog box appears.
It prompts you to select the type of object to create. There is only one choice:
msDS-PasswordSettingsthe technical name for the object class referred to as a
PSO.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
12. Click Next. You are then prompted for the value for each attribute of a PSO.
The attributes are similar to those found in the domain account policies.
13. Configure each attribute as indicated below. Click Next after each attribute.
cn: My Domain Admins PSO. This is the friendly name of the PSO.
msDS-PasswordSettingsPrecedence: 1. This PSO has the highest possible
precedence.
msDS-PasswordReversibleEncryptionEnabled: False. The password is
not stored by using reversible encryption.
msDS-PasswordHistoryLength: 30. The user cannot reuse any of the last
30 passwords.
msDS-PasswordComplexityEnabled: True. Password complexity rules
are enforced.
msDS-MinimumPasswordLength: 15. Passwords must be at least 15
characters long.
msDS-MinimumPasswordAge: 1:00:00:00. A user cannot change the
password within one day of a previous change. The format is d:hh:mm:ss
(days, hours, minutes, seconds).
msDS-MaximumPasswordAge: 45:00:00:00. The password must be
changed every 45 days.
msDS-LockoutThreshold: 5. Five invalid logons within the time frame
specified by XXX (the next attribute) will result in account lockout.
msDS-LockoutObservationWindow: 0:01:00:00. Five invalid logons
(specified by the previous attribute) within one hour will result in account
lockout.
msDS-LockoutDuration: 1:00:00:00. An account, if locked out, will
remain locked for one day, or until it is unlocked manually. A value of zero
will result in the account remaining locked out until an administrator
unlocks it.
14. Click Finish.
15. Close ADSI Edit.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Task 2: Link a PSO to a Group.
2. In the console tree, expand the System container.
If you do not see the System container, click the View menu of the MMC
console, and ensure that Advanced Features is selected.
3. In the console tree, click the Password Settings Container.
4. Right-click My Domain Admins PSO, and then click Attribute Editor.
5. In the Attributes list, click msDS-PSOAppliesTo, and then click Edit.
The Multi-valued Distinguished Name With Security Principal Editor dialog
box appears.
6. Click Add Windows Account.
The Select Users, Computers, or Groups dialog box appears.
7. Type Domain Admins, and then press Enter.
8. Click OK two times to close the open dialog boxes.

Task 3: Identify the Resultant PSO for a user.
1. Run Active Directory Users and Computers as an administrator with the user
name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Open Attribute Editor in the Properties dialog box for the account
Pat.Coleman_Admin.
3. Click Filter and ensure that Constructed is selected.
The attribute you will locate in the next step is a constructed attribute,
meaning that the resultant PSO is not a hard-coded attribute of a user; rather it
is calculated by examining the PSOs linked to a user in real time.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Question: What is the resultant PSO for Pat Coleman (Administrator)?
Task 4: Delete a PSO.
1. With Advanced Features enabled on the View menu of Active Directory
Users and Computers, open the System container and the Password Settings
Container.
2. Delete the My Domain Admins PSO, which you created.

Results: In this exercise, you created a PSO, applied it to Domain Admins and
confirmed its application, and then deleted the PSO.
Note: Do not shut down the virtual machine after you are finished with this lab because the
settings you have configured here will be used in subsequent labs in this module
Question: What are the best practices for managing PSOs in a domain?
Question: How can you define a unique password policy for all the service
accounts in the Service Accounts OU?

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lesson 2
Audit Au
Window
By audi
used at
intruder
intruder
auditing
Object
After co
Con
Dis
Ide
uthentica
ws Server 2008 al
ting successful lo
unusual times or
r is logging on to
rs to compromise
g logon authentic
tives
ompleting this les
nfigure auditing o
tinguish between
ntify authenticati
Improving t
tion
llows you to audi
ogons, you can lo
r in unexpected l
o the account. Aud
e an account. In t
cation.
sson, you will be a
of authentication
n account logon a
ion-related events
it the logon activi
ook for instances
ocations, which m
diting failed logo
this lesson, you w
able to:
n-related activity.
and logon events
s in the Security l
ity of users in a d
in which an acco
may indicate that
ns can reveal atte
will learn to confi
.
log.
n 9-29

domain.
ount is
t an
empts by
gure

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
9-30 Configuring
Accou
Key Po
This les
Audit L
similarly
When a
account
account
The com
a logon
passed
howeve
event is
unt Logon an
oints
sson examines tw
ogon Events. You
y named policy s
a user logs on to a
t, a domain contr
t. This generates
mputer to which
event. The comp
the account to a d
er, allow the user
a logon event.
nd Logon Ev
wo specific policy
u need to unders
settings.
any computer in
roller authenticat
an account logon
the user logs on
puter did not auth
domain controlle
to log on interac
vents
settings, Audit A
tand the differen
the domain by u
es the attempt to
n event on the do
for example, the
henticate the user
er for validation. T
tively to the comp
Services
Account Logon Ev
ce between these
sing a domain us
log on to the do
omain controller.
e users laptopge
r against the acco
The computer di
puter. Therefore,

vents and
e two
ser
main
enerates
ountit
d,
, the
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
When the user connects to a folder on a server in the domain, that server
authorizes the user for a type of logon called a network logon. Again, the server
does not authenticate the userit relies on the ticket given to the user by the
domain controller. But, the connection by the user generates a logon event on the
server.
Note: The content in the following section is specific to Windows Server 2008 R2.
In Windows Server 2008 R2, the Advanced Audit Policy configuration includes
new categories in Group Policy for auditing logon and account logon events. You
learned about these advanced audit policies in Module 8. This provides
administrators with the ability to have much more granular and more detailed
control over the logon process and obtain information about very specific events
that happen during the logon or logoff process.
For an account logon event, you can now define four different settings for audit:
Credential Validation. Audit events generated by validation tests on user
account logon credentials.
Kerberos Service Ticket Operations. Audit events generated by Kerberos
service ticket requests.
Other Account Logon Events. Audit events generated by responses to
credential requests submitted for a user account logon that are not credential
validation or Kerberos tickets.
Kerberos Authentication Service. Audit events generated by Kerberos
authentication ticket-granting ticket (TGT) requests.
You can audit the following logon and logoff events:
Logon. Audit events generated by user account logon attempts on a computer.
Logoff. Audit events generated by closing a logon session. These events occur
on the computer that was accessed. For an interactive logon, the security audit
event is generated on the computer that the user account logged on to.
Account Lockout. Audit events generated by a failed attempt to log on to an
account that is locked out.
IPsec Main Mode. Audit events generated by Internet Key Exchange protocol
(IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode
negotiations.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
IPsec Quick Mode. Audit events generated by IKE and AuthIP during Quick
Mode negotiations.
IPsec Extended Mode. Audit events generated by IKE and AuthIP during
Extended Mode negotiations.
Special Logon. Audit events generated by special logons.
Other Logon/Logoff Events. Audit other events related to logon and logoff that
are not included in the Logon/Logoff category.
Network Policy Server. Audit events generated by RADIUS (IAS) and Network
Access Protection (NAP) user access requests. These requests can be Grant,
Deny, Discard, Quarantine, Lock, and Unlock.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Confi
Key Po
Accoun
settings
> Policie
node. T
screen s
gure Authen
oints
t logon and logon
s that manage aud
es > Windows Se
The Audit Policy n
shot.
Improving t
ntication-Rel
n events can be a
diting are located
ettings > Security
node and the two
lated Audit P
audited by Windo
d in a GPO in the
Settings > Local
o settings are show
Policies
ows Server 2008.
Computer Confi
Policies > Audit P
wn in the followi
n 9-33

These
iguration
Policy
ing

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
9-34 Configuring
In Wind
Advanc

To conf
Then, it
Propert
be confi
Not
pol
on
Def
sele
not
Aud
sele
eve
Aud
and
its S
A server
applied
In Wind
events a
entered
auditing
dows Server 2008
ed Audit Policy C
figure an audit po
ts properties dialo
ties dialog box is
igured to one of t
t Defined: If the D
icy setting is not
its default setting
fined for no aud
ected, but the Suc
t audit the event.
dit successful ev
ected, and the Su
nts in its Security
dit failed events:
d the Failure che
Security log.
rs audit behavior
as the resultant s
dows Server 2008
and successful log
d in the servers Se
g, you will need t
8 R2, you can con
Configuration nod
olicy, both basic a
og box appears. T
shown in the foll
the following fou
Define These Po
defined. In this c
gs or on the settin
iting: If the Defin
ccess and Failure
vents: If the Defin
uccess check box
y log.
: If the Define Th
ck boxes selected
r is determined b
set of policy (RSo
8, the default sett
gon events. So, b
ecurity log. If you
to define the appr
nfigure additiona
de, as shown in t
and advanced, do
The Audit Accoun
lowing screen sho
ur states:
olicy Settings che
case, the server w
ngs specified in a
ne These Policy S
e check boxes are
ne These Policy S
is selected, the se
hese Policy Settin
d, the server will l
by the one of thes
oP).
ting is to audit su
both types of even
u want to audit fa
ropriate setting in
Services
al audit policies in
he following scre
ouble-click the po
nt Logon Events
ot. The policy set
eck box is cleared
will audit the even
nother GPO.
Settings check b
e cleared, the serv
Settings check bo
erver will log suc
ngs check box is
log unsuccessful
e four settings th
uccessful account
nts are, if successf
ailures or to turn
n the audit policy
n the
eenshot:

olicy.
tting can
d, the
nt based
ox is
ver will
ox is
ccessful
selected,
events in

hat is
t logon
ful,
off
y.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Scopi
Key Po
As with
affect th
connect
event, a
servers.
your hu
GPO lin
that dom
generat
Only do
Remem
authent
audit lo
to affect
ng Audit Po
oints
all policy setting
he correct system
t to remote deskt
auditing in a GPO
If, on the other h
uman resources d
nked to the OU c
main users loggin
e a logon eventn
omain controllers
mber that an accou
ticates a domain u
ogons to domain a
t only domain co
Improving t
licies
gs, you should be
ms. For example, if
top servers in you
O linked to the OU
hand, you want to
department, you c
ontaining human
ng on to a client c
not an account lo
s generate accoun
unt logon event o
user, regardless o
accounts, you sh
ntrollers. In fact,

careful to scope
f you want to aud
ur enterprise, you
U that contains y
o audit logons by
can configure log
n resources comp
computer or conn
ogon eventon th
nt logon events fo
occurs on the dom
of where that user
ould scope accou
the Default Dom
settings so that t
dit attempts by us
u can configure lo
your remote desk
y users to desktop
gon event auditing
puter objects. Rem
necting to a serve
hat system.
or domain users.
main controller th
r logs on. If you w
unt logon event a
main Controllers G
n 9-35

they
sers to
ogon
top
ps in
g in a
member
er will
hat
want to
auditing
GPO that
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
is created when you install your first domain controller is an ideal GPO in which to
configure account logon audit policies.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

View
Key Po
Accoun
system
So, if yo
the even
unsucce
entered
need to
picture
Logon Event
oints
t logon and logon
that generated th
ou are auditing lo
nts are entered in
essful account log
d in each domain
examine the Sec
of account logon
Improving t
ts
n events, if audite
he event. An exam
ogons to compute
n each computers
gons to identify p
controllers Secu
curity logs of all d
n events in your d
ed, appear in the
mple is shown in
ers in the human
s Security log. Sim
potential intrusio
urity log. This mea
domain controller
domain.
Security log of th
the following scr
resources depart
milarly, if you are
n attempts, the e
ans, by default, y
rs to get a comple
n 9-37

he
reen shot.

tment,
e auditing
events are
ou will
ete
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
As you can imagine, in a complex environment with multiple domain controllers
and many users, auditing account logons or logons can generate a tremendous
number of events. If there are too many events, it can be difficult to identify
problematic events worthy of closer investigation. You should balance the amount
of logging you perform with the security requirements of your business and the
resources you have available to analyze logged events.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lab B: Au
The virt
A. Howe
be unab
1. Star
2. Log
3. Op
6. Run
Pat
7. The
8. Clo

udit Auth
tual machines sho
ever, if they are n
ble to successfully
rt 6425C-NYC-DC
g on to NYC-DC1
en Windows Exp
n Lab09b_Setup
t.Coleman_Admi
e lab setup script
ose the Windows
Improving t
henticatio
ould already be s
not, you should co
y complete Lab B
C1.
1 as Pat.Coleman
plorer and then b
.bat with admini
in, with the passw
runs. When it is
Explorer window
on
started and availa
omplete Lab A be
B unless you have
n, with the passw
browse to D:\Lab
strative credentia
word, Pa$$w0rd
complete, press
w, Lab09b.
able after complet
efore continuing.
e completed Lab A
word, Pa$$w0rd.
bfiles\Lab09b.
als. Use the accou
d.
any key to contin
n 9-39

ting Lab
You will
A.
unt
nue.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Scenario
The security team at Contoso, Ltd has tasked you with increasing the security and
you need to create an audit trail of logons.
Exercise: Audit Authentication
In this exercise, you will use Group Policy to enable auditing of both successful
and unsuccessful logon activity by users in the contoso.com domain. You will then
generate logon events and view the resulting entries in the event logs.
1. Configure auditing of account logon events.
2. Configure auditing of logon events.
3. Force a refresh Group Policy.
4. Generate account logon events.
5. Examine account logon events.
6. Examine logon events.

Task 1: Configure auditing of account logon events.
2. Modify the Default Domain Controllers Policy GPO to enable auditing events
for both successful and failed account logon events.
3. Close Group Policy Management Editor.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Task 2: Configure auditing of logon events.
1. Create a Group Policy Object (GPO) linked to the Servers\Important Project
OU. Name the GPO Server Lockdown Policy.
2. Modify the Server Lockdown Policy to enable auditing events for both
successful and failed logon events.
3. Close Group Policy Management Editor and Group Policy Management.

Task 3: Force a refresh Group Policy.
1. Start 6425C-NYC-SVR1. As the computer starts, it will apply the changes you
made to Group Policy.
2. On NYC-DC1, run the Command Prompt as an administrator, with the user
name Pat.Coleman_Admin and the password Pa$$w0rd, and then run the
command gpupdate.exe /force. Close the command prompt.

Task 4: Generate account logon events.
1. Log on to NYC-SVR1 as Pat.Coleman, but enter an incorrect password. The
following message appears: The user name or password is incorrect.
2. After you have been denied logon, log on again with the correct password,
Pa$$w0rd.

Task 5: Examine account logon events.
1. On NYC-DC1, run Event Viewer as an administrator, with the user name
2. Identify the failed and successful events in the Security log.

Question: Which Event ID is associated with the account logon failure events?
(Hint: Look for the earliest of a series of failure events at the time you logged on
incorrectly to NYC-SVR1.)
Question: Which Event ID is associated with the successful account logon? (Hint:
Look for the earliest of a series of events at the time you logged on incorrectly to
NYC-SVR1.)
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Task 6: Examine logon events
1. On NYC-SVR1, run Event Viewer as an administrator, with the user name
2. Identify the failed and successful events in the Security log.

Question: Which Event ID is associated with the logon failure events? (Hint: Look
for the earliest of a series of failure events at the time you logged on incorrectly to
NYC-SVR1.)
Question: Which Event ID is associated with the successful logon? (Hint: Look for
the earliest of a series of events at the time you logged on incorrectly to NYC-
SVR1.)
Results: In this exercise, you established and reviewed auditing for successful and
failed logons to the domain and to servers in the Important Project OU.
Note: Do not shut down the virtual machine after you are finished with this lab because the
settings you have configured here will be used in subsequent labs in this module.
Question: You have been asked to audit attempts to log on to desktops and
laptops in the Finance division by using local accounts such as Administrator.
What type of audit policy do you set, and in what GPO(s)?

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lesson 3
Configur
Branch
technol
area net
office? I
simple.
controll
will exp
controll
office R
Objecti
After co
Ide
Inst
Con
re Read-O
offices present a
ogy (IT) staff: If a
twork (WAN) lin
In the previous ve
Windows Server
lerthe RODCth
plore the issues re
ler placement, an
ODC.
ives
ompleting this les
ntify the busines
tall an RODC.
nfigure password
Improving t
Only Dom
unique challenge
a branch office is
nk, should you pla
ersions of Windo
r 2008, however,
hat makes the qu
elated to branch o
nd you will learn h
sson, you will be a
s requirements fo
d replication polic
main Con
e to an enterprise
separated from t
ace a domain con
ows, the answer to
introduces a new
uestion easier to a
office authenticat
how to implemen
able to:
or RODCs.
cy.
trollers
es information
the hub site by a w
ntroller in the bra
o this question w
w type of domain
answer. In this les
tion and domain
nt and support a
n 9-43

wide
anch
was not
sson, you
branch-
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Configure password RODC credentials caching.
Monitor the caching of credentials on an RODC.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Authe
Branc
Key Po
Conside
several b
that ma
must be
Should
In branc
which is
may inc
which n
presenc
to hous
the serv
entication an
ch Office
oints
er a scenario in w
branch offices. Th
ay be congested, e
e authenticated b
a DC be placed i
ch office scenario
s carefully mainta
clude a robust da
no data center exi
ce other than a ha
e branch office se
vers.
Improving t
nd Domain C
which an enterpri
he branch offices
expensive, slow, o
y Active Director
in the branch offi
os, many of the IT
ained by the IT st
tacenter. Branch
ists. In fact, many
andful of servers.
ervers. There may
Controller Pla
se is characterize
s connect to the h
or unreliable. Use
ry to access resou
ice?
T services are cen
taff. In larger orga
offices, however,
y branch offices h
There may be no
y be few, if any, lo
acement in a
ed by a hub site an
hub site over WA
ers in the branch
urces in the doma
ntralized in the hu
anizations, the hu
, are often smalle
have no significan
o physically secur
ocal IT staff to su
n 9-45
a

nd
AN links
h office
ain.
ub site,
ub site
r sites in
nt IT
re facility
upport
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
If a domain controller is not placed in the branch office, authentication and service
ticket activities will be directed to the hub site over the WAN link. Authentication
occurs when users first log on to their computers in the morning. Service tickets
are a component of the Kerberos authentication mechanism used by the Windows
Server 2008 domains. You can think of a service ticket as a key issued by the
domain controller to a user. The key allows the user to connect to a service, such as
the File and Print service, on a file server. When a user first tries to access a specific
service, the users client requests what is called a service ticket from the domain
controller. Because users typically connect to multiple services during a work day,
service ticket activity happens regularly. Authentication and service ticket activity
over the WAN link between a branch office and a hub site can result in slow or
unreliable performance.
If a domain controller is placed in the branch office, authentication is much more
efficient but there are several potentially significant risks. A domain controller
maintains a copy of all attributes of all objects in its domain, including secrets such
as information related to user passwords. If a domain controller is accessed or
stolen, it becomes possible for a determined expert to identify valid user names
and passwords, at which point the entire domain is compromised. You must at
least reset the passwords of every user account in the domain. Because the security
of servers at branch offices is often less than ideal, a branch office DC poses a
considerable security risk.
A second concern is that changes to the Active Directory database on a branch
office DC replicate to the hub site and to all other DCs in the environment.
Therefore, corruption to the branch office DC poses a risk to the integrity of the
enterprise directory service. For example, if a branch office administrator performs
a restore of the DC from an outdated backup, there can be significant
repercussions for the entire domain.
The third concern relates to administration. A branch office domain controller may
require maintenance such as a new device driver. To perform maintenance on a
standard domain controller, you must log on as a member of the Administrators
group on the domain controller, which means you are effectively an administrator
of the domain. It may not be appropriate to grant that level of capability to a
support team at a branch office.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

What
Key Po
The sec
enterpri
RODC,
RODC i
maintai
such as
in the b
domain
You can
account
passwor
time au
who are
cache o
Usually
passwor
Are Read-O
oints
curity, directory se
ises with a difficu
which is designe
is a domain contr
ns a copy of all o
password-related
branch office logs
n controller in the
n configure a pass
ts the RODC is al
rd replication po
thentication is re
e included in the
f credentials so th
y, you will add us
rd replication po
Improving t
Only Domain
ervice integrity, a
ult choice to mak
ed specifically to a
roller, typically p
objects in the dom
d properties. If yo
on, the RODC re
e hub site for auth
sword replication
llowed to cache. I
licy, the RODC c
equested, the ROD
password replica
hat it can perform
ers located in the
licy.
Controllers?
and administratio
e. Windows Serv
address the branc
laced in the bran
main and all attrib
ou do not configu
eceives the reque
hentication.
n policy for the R
If the user loggin
caches that users
DC can perform t
ation policy log o
m authentication
e same physical s
?
on concerns left m
ver 2008 introduc
ch office scenario
nch office, which
butes except for s
ure caching, when
est and forwards i
ODC that specifi
ng on is included
credentials, so th
the task locally. A
on, the RODC bui
locally for those
ite as an RODC t
n 9-47

many
ces the
o. An
secrets
n a user
it to a
ies user
in the
he next
As users
ilds its
users.
to the
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Because the RODC maintains only a subset of user credentials, if the RODC is
compromised or stolen, the effect of the security exposure is limited. Only the user
accounts that had been cached on the RODC must have their passwords changed.
The RODC replicates changes to Active Directory from DCs in the hub site.
Replication is one way. No changes to the RODC are replicated to any other
domain controller. This eliminates the exposure of the directory service to
corruption due to changes made to a compromised branch office DC. Finally,
RODCs have the equivalent of a local Administrators group. You can give one or
more local support personnel the ability to fully maintain an RODC without
granting them the equivalent rights of Domain Admins.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Deplo
Key Po
To depl
level ste
1. Ens
2. If th
/ro
3. Ens
Win
4. Inst
Each of
oy an RODC
oints
loy an RODC, you
eps to install an R
sure the forest fun
he forest has any
odcprep.
sure there is at lea
ndows Server 200
tall the RODC.
f these steps is de
Improving t

u first must perfo
RODC are as follo
nctional level is W
DCs running Wi
ast one writable D
08 R2
etailed in the follo
orm some prepar
ows:
Windows Server 2
indows Server 20
DC running Win
owing sections.
ation steps. The h
2003 or higher.
003, run adprep
dows Server 200
n 9-49

high-
8 or

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Verifying and Configuring Forest Functional Level of Windows Server
2003 or Higher
Functional levels enable features unique to specific versions of Windows, and are
therefore dependent on the versions of Windows running on domain controllers.
If all domain controllers are Windows Server 2003 or later, the domain functional
level can be set to Windows Server 2003. If all domains are at the Windows Server
2003 domain functional level, the forest functional level can be set to Windows
Server 2003. Domain and forest functional levels are discussed in detail in another
module.
RODCs require that the forest functional level is Windows Server 2003 or later so
that the linked-value replication (LVR) is available. This provides a higher level of
replication consistency. The domain functional level must be Windows Server
2003 or later so that Kerberos constrained delegation is available. This means all
domain controllers in the entire forest must be running Windows Server 2003 or
later.
Constrained delegation supports security calls that must be impersonated under
the context of the caller. Delegation makes it possible for applications and services
to authenticate to a remote resource on behalf of a user. Because delegation
provides powerful capabilities, typically only domain controllers are enabled for it.
For RODCs, applications and services must be able to delegate, but only
constrained delegation is allowed because it prevents the target from
impersonating again and making another hop. The user or computer must be
cacheable at the RODC for constrained delegation to work. This restriction places
limits on how a rogue RODC may be able to abuse cached credentials.
To determine the functional level of your forest:
1. Open Active Directory Domains and Trusts.
2. Right-click the name of the forest, and then click Properties.
3. Verify the forest functional level, as shown below. Any user can verify the
forest functional level in this way. No special administrative credentials are
required to view the forest functional level.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

If the forest functional level is not at least Windows Server 2003, examine the
properties of each domain to identify any domains for which the domain
functional level is not at least Windows Server 2003. If you find such a domain,
ensure that all domain controllers in the domain are running Windows Server
2003. Then, in Active Directory Domains and Trusts, right-click the domain and
click Raise Domain Functional Level. After you have raised each domain
functional level to at least Windows Server 2003, right-click the root node of the
Active Directory Domains And Trusts snap in and click Raise Forest Functional
Level. In the Select An Available Forest Functional Level drop-down list, click
Windows Server 2003, and click Raise. You must be an administrator of a domain
to raise the domain's functional level. To raise the forest functional level, you must
be either a member of the Domain Admins group in the forest root domain or a
member of the Enterprise Admins group.
Running ADPrep /RODCPrep
If you are upgrading an existing forest to include domain controllers running
Windows Server 2008, you must run adprep /rodcprep. This command configures
permissions so that RODCs are able to replicate DNS application directory
partitions. DNS application directory partitions are discussed in another module. If
you are creating a new Active Directory forest, and it will have only domain
controllers running Windows Server 2008, you do not need to run adprep
/rodcprep.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The command is found in the \sources\adprep folder of the Windows Server 2008
installation DVD. Copy the folder to the domain controller acting as the schema
master. The schema master role is discussed in another module. Log on to the
schema master as a member of the Enterprise Admins group, open a command
prompt, change directories to the adprep folder, and type adprep /rodcprep.
Before running adprep /rodcpep, you must run adprep /forestprep and adprep
/domainprep. See Module 14 for more information about preparing a Windows
Server 2003 domain and forest for the first Windows Server 2008 domain
controller.
Placing a Writable Windows Server 2008 Domain Controller
An RODC must replicate domain updates from a writable domain controller
running Windows Server 2008 or Windows Server 2008 R2. It is critical that an
RODC is able to establish a replication connection with a writable Windows Server
2008 domain controller. Ideally, the writable Windows Server 2008 domain
controller should be in the closest sitethe hub site. If you want the RODC to act
as a DNS server, the writable Windows Server 2008 domain controller must also
host the DNS domain zone.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Installing an RODC
After completing the preparatory steps, you can install an RODC. An RODC can be
either a full or Server Core installation of Windows Server 2008. With a full
installation of Windows Server 2008, you can use the Active Directory Domain
Services Installation Wizard to create an RODC. Simply click Read-only Domain
Controller (RODC) on the Additional Domain Controller Options page of the
wizard, as shown in the following screen shot.

Alternatively, you can use the dcpromo.exe command with the /unattend switch to
create the RODC. On a Server Core installation of Windows Server 2008, you must
use the dcpromo.exe /unattend command.
You can complete the installation of an RODC in two stages, each performed by a
different individual. The first stage of the installation, which requires Domain
Admin credentials, creates an account for the RODC in AD DS. The second stage of
the installation attaches the actual server that will be the RODC in a remote
location, such as a branch office, to the account that was previously created for it.
You can delegate the ability to attach the server to a nonadministrative group or
user.
During this first stage, the Active Directory Domain Services Installation Wizard
records all data about the RODC that will be stored in the distributed Active
Directory database, such as its domain controller account name and the site in
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
which it will be placed. This stage must be performed by a member of the Domain
Admins group.
The administrator who creates the RODC account can also specify at that time
which users or groups can complete the next stage of the installation. The next
stage of the installation can be performed in the branch office by any user or group
who was delegated the right to complete the installation when the account was
created. This stage does not require any membership in built-in groups, such as the
Domain Admins group. If the user who creates the RODC account does not specify
any delegate to complete the installation and administer the RODC, only a member
of the Domain Admins or Enterprise Admins groups can complete the installation.
You can perform a staged installation of an RODC by using several approaches.
You can pre-create an RODC account by using Active Directory Users and
Computers console, which is appropriate for a smaller number of accounts. You
can also use the dcpromo command-line utility with appropriate switches, or you
can use the answer file to perform an unattended installation of an RODC.
It is also possible to use a Windows PowerShell script to create an RODC account.
To use Windows PowerShell for this task, you should perform the following steps:
Create a comma-separated-value (CSV) file. You can use Microsoft Excel to create a
CSV file. For example, create a file with the following script and save it as test.csv.
domainFQDN;RODCName;DelegatedAdmin;ReplicationPartner;SiteName
corp.contoso.com;RODC1;corp\RODC1AdminGroup;DC1.corp.contoso.com;Branc
h1corp.contoso.com;RODC2;corp\RODC2AdminGroup;DC2.corp.contoso.com;Bra
nch2
corp.contoso.com;RODC3;corp\RODC3AdminGroup;DC3.corp.contoso.com;Branc
h3
You can use this test.csv file to create three RODC accounts. Each RODC account
specifies a delegated RODC administration account, a designated replication
partner to use during the installation, and a site name.
In a Windows PowerShell command window, run the following command to
create the three RODC accounts.
Import-csv test.csv -Delimiter ';' | foreach -process { $domainFQDN =
$_.domainFQDN; $RODCName = $_.RODCName ; $delegatedAdmin =
$_.delegatedAdmin ; $ReplicationPartner = $_.ReplicationPartner;
$SiteName = $_.SiteName ;
Dcpromo /unattend /createDCaccount /ReplicaDomainDNSName:$domainFQDN
/DCAccountName:$RODCName /InstallDNS:Yes /ConfirmGC:Yes
/delegatedAdmin:$delegatedAdmin
/ReplicationSourceDC:$ReplicationPartner /SiteName:$SiteName }
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Demo
Key Po
A passw
on a spe
user's cr
process
authent
domain
of the d
Passwor
determi
attribut
account
groups
have the
and the
precede
onstration: C
oints
word replication p
ecific RODC. If a
redentials, the au
sed by the RODC
tication and servi
n controller. To ac
domain controller
rd Replication Po
ined by two mult
es are commonly
t is on the Allowe
on the Allowed L
eir credentials ca
e Denied List, the
ence.
Improving t
Configure a P
policy determines
password replica
uthentication and
. If a user's creden
ice ticket activitie
ccess the passwor
r in the Domain C
olicy tab. The pas
tivalued attribute
y known as the Al
ed List, the user's
List, in which cas
che on the RODC
user's credential
Password Rep
s which users cre
ation policy allow
d service ticket act
ntials cannot be c
s are referred by
rd replication po
Controllers OU a
ssword replication
s of the RODC's c
llowed List and t
credentials are c
e all users who b
C. If the user is bo
s will not be cach
plication Pol
edentials can be c
ws an RODC to ca
tivities of that use
cached on RODC
the RODC to a w
licy, open the pro
nd then click the
n policy of an RO
computer accoun
the Denied List. If
cached. You can in
elong to the grou
oth on the Allow
hedthe Denied L
n 9-55
licy

cached
ash a
er can be
C, the
writable
operties
e
ODC is
nt. These
f a user's
nclude
up can
ed List
List takes
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Configure Domain-Wide Password Replication Policy
To facilitate the management of password replication policy, Windows Server 2008
creates two domain local security groups in the Users container of Active Directory.
The first one, named Allowed RODC Password Replication Group, is added to the
Allowed List of each new RODC. By default, the group has no members. Therefore,
by default, a new RODC will not cache any users credentials. If there are users
whose credentials you want to be cached by all domain RODCs, add those users to
the Allowed RODC Password Replication Group.
The second group is named Denied RODC Password Replication Group. It is
added to the Denied List of each new RODC. If there are users whose credentials
you want to ensure are never cached by domain RODCs, add those users to the
Denied RODC Password Replication Group. By default, this group contains
security-sensitive accounts that are members of groups including Domain Admins,
Enterprise Admins, and Group Policy Creator Owners.
Note: Remember that it is not only users that generate authentication and service ticket activity.
Computers in a branch office also require such activity. To improve performance of
systems in a branch office, allow the branch RODC to cache computer credentials as well.
Configure RODC-Specific Password Replication Policy
The two groups described in the previous section provide a method to manage
password replication policy on all RODCs. However, to best support a branch
office scenario, you need to allow the RODC in each branch office to cache
credentials of users in that specific location. Therefore, you need to configure the
Allowed List and the Denied List of each RODC.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
To configure any RODCs password replication policy, open the properties of the
RODCs computer account in the Domain Controllers OU. On the Password
Replication Policy tab, shown in the following screen shot, you can view the
current password replication policy settings and add or remove users or groups
from the password replication policy.

Demonstration Steps
2. In the Domain Controllers OU open the properties of BRANCHDC01.
3. Click the Password Replication Policy tab and view the default policy.
4. Close the BRANCHDC01 properties.
5. In the Active Directory Users and Computers console tree, click the Users
container.
6. Double-click Allowed RODC Password Replication Group. Go to the
Members tab and examine the default membership of Allowed RODC
Password Replication Group.
7. Click OK.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
8. Double-click Denied RODC Password Replication Group and go to the
Members tab.
9. Click Cancel to close the Denied RODC Password Replication Group
properties.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Demo
Key Po
In this d

onstration: A
oints
demonstration, y
Improving t
Administer RO
ou will see how t

ODC Creden
to administer RO
ntials Caching
DC credentials c
n 9-59
g

aching.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
When you click the Advanced button on the Password Replication Policy tab of
an RODC, an Advanced Password Replication Policy dialog box appears. An
example is shown in the following screen shot.

The drop-down list at the top of the Policy Usage tab allows you to select one of
two reports for the RODC:
Accounts whose passwords are stored on this Read-Only Domain
Controller: Display the list of user and computer credentials that are currently
cached on the RODC. Use this list to determine whether not required
credentials are being cached on the RODC, and modify the password
replication policy accordingly.
Accounts that have been authenticated to this Read-Only Domain
Controller: Display the list of user and computer credentials that have been
referred to a writable domain controller for authentication or service ticket
processing. Use this list to identify users or computers that are attempting to
authenticate with the RODC. If any of these accounts are not being cached,
consider adding them to the password replication policy.

In the same dialog box, the Resultant Policy tab allows you to evaluate the effective
caching policy for an individual user or computer. Click the Add button to select a
user or computer account for evaluation.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
You can also use the Advanced Password Replication Policy dialog box to
prepopulate credentials in the RODC cache. If a user or computer is on the Allow
list of an RODC, the account credentials can be cached on the RODC, but will not
be cached until the authentication or service ticket events causes the RODC to
replicate the credentials from a writable domain controller. By pre-populating
credentials in the RODC cache, for users and computers in the branch office for
example, you can ensure that authentication and service ticket activity will be
processed locally by the RODC even when the user or computer is authenticating
for the first time. To prepopulate credentials, click Prepopulate Passwords and
select the appropriate users and computers.
Demonstration Steps:
1. On NYC-DC1, in the Active Directory Users and Computers console tree,
click the Domain Controllers OU and open the properties of BRANCHDC01.
2. Click Password Replication Policy.
3. Click Advanced.
The Advanced Password Replication Policy for BRANCHDC01 dialog box
appears.
The Policy Usage tab displays Accounts whose passwords are stored on this
Read-Only Domain Controller.
4. From the drop-down list, select Accounts Whose Passwords Are Stored On
This Read-Only Domain Controller.
5. From the drop-down list, select Accounts that have been authenticated to
this Read-only Domain Controller.
6. Click the Resultant Policy tab, and then click Add.
The Select Users or Computers dialog box appears.
7. Type Chris.Gallagher, and then press Enter.
8. Click Policy Usage.
9. Click Prepopulate Passwords.
The Select Users or Computers dialog box appears.
10. Type the name of the account you want to pre-populate, and then click OK.
11. Click Yes to confirm that you want to send the credentials to the RODC.
The following message appears: Passwords for all accounts were successfully
prepopulated.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
9-62 Configuring
Admi
Key Po
RODCs
driver. A
file serv
back up
adminis
for spec
local rol
You can
comman
steps:
1. Op
2. Typ
nistrative Ro
oints
s in branch offices
Additionally, sma
ver role on a singl
p the system. ROD
strative role separ
cific administrativ
les to allow supp
n configure admin
nd. To add a user
en a command p
pe dsmgmt, and t
ole Separatio
s may require ma
all branch offices
le system, in whic
DCs support loca
ration. Each ROD
ve purposes. You
port of a specific R
nistrative role sep
r to the Administ
prompt on the RO
then press Enter.
on
aintenance such a
may combine the
ch case it will be
al administration
DC maintains a lo
can add a domai
RODC.
paration by using
trators role on an
ODC.
.
Services
as an updated dev
e RODC rolled w
important to be a
through a featur
ocal database of g
in user account t
g the dsmgmt.exe
n RODC, follow th

vice
with the
able to
e called
groups
o these
e
hese
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
3. Type local roles, and then press Enter.
At the local roles prompt, you can type ? and press Enter for a list of
commands. You can also type list roles and press Enter for a list of local roles.
4. Type add username administrators, where username is the pre-Windows 2000
logon name of a domain user, and then press ENTER.

You can repeat this process to add other users to the various local roles on an
RODC.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
9-64 Configuring
Lab C: Co
Controlle
Lab Se
For this
begin th
1. On
clic
2. In H
clic
3. In t
4. Log

onfigure
ers
etup
s lab, you will use
he lab, you must
the host comput
ck Hyper-V Mana
Hyper-V Manag
ck Start.
the Actions pane,
g on by using the
User name: Pat.
Password: Pa$$
Domain: Conto
Read-On
e the available vir
complete the foll
ager.
ger, click 6425C-N
click Connect. W
e following creden
.Coleman
$w0rd
so
nly Doma
rtual machine env
lowing steps:
oint to Administr
NYC-DC1, and in
Wait until the virt
ntials:
Services
ain
vironment. Before
rative Tools, and
n the Actions pan
tual machine star

e you
d then
ne,
rts.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

5. Open Windows Explorer and then browse to D:\Labfiles\Lab09c.
6. Run Lab09c_Setup.bat with administrative credentials. Use the account
Pat.Coleman_Admin, with the password, Pa$$w0rd.
8. Close the Windows Explorer window, Lab09c.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Scenario
The security team at Contoso, Ltd. has tasked you with increasing the security and
you are to improve the security of domain controllers in branch offices.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 1: Install an RODC
In this exercise, you will configure the server BRANCHDC01 as an RODC in the
distant branch office. To avoid travel costs, you decide to do the conversion
remotely with the assistance of Aaron Painter, the desktop support technician and
only IT staff member at the branch. Aaron Painter has already installed a Windows
Server 2008 computer named BRANCHDC01 as a server in a workgroup. You will
stage a delegated installation of an RODC so that Aaron Painter can complete the
installation.
1. Stage a delegated installation of an RODC.
2. Run the Active Directory Domain Services Installation Wizard on a workgroup
server.

Task 1: Stage a delegated installation of an RODC.
2. Right-click the Domain Controllers OU, and then click Pre-create Read only
Domain Controller account.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
3. Step through the Active Directory Domain Services Installation Wizard,
accepting all defaults. Use the computer name BRANCHDC01 and on the
Delegation of RODC Installation and Administration page, delegate
installation to Aaron.Painter_Admin.
Note that when the wizard is complete, the server appears in the Domain
Controllers OU with the DC Type column showing Unoccupied DC Account
(Read-only, GC).

Task 2: Run the Active Directory Domain Services Installation Wizard
on a workgroup server.
1. Start 6425C-BRANCHDC01.
2. Log on to BRANCHDC01 as Administrator with the password Pa$$w0rd.
3. Click Start, and then click Run.
4. Type dcpromo, and then press Enter.
A window appears that informs you that the AD DS binaries are being
installed. When installation is completed, the Active Directory Domain
Services Installation Wizard appears.
5. Click Next.
6. On the Operating System Compatibility page, click Next.
7. On the Choose A Deployment Configuration page, click the Existing forest
option, click Add a domain controller to an existing domain, and then click
Next.
8. On the Network Credentials page, type contoso.com.
9. Click the Set button.
A Windows Security dialog box appears.
10. In the User Name box, type Aaron.Painter_Admin.
12. Click Next.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
13. On the Select a Domain page, select contoso.com, and then click Next.
A message appears to inform you that your credentials do not belong to the
Domain Admins or Enterprise Admins groups. Because you have pre-staged
and delegated administration of the RODC, you can proceed with the
delegated credentials.
14. Click Yes.
A message appears to inform you that the account for BRANCHDC01 has been
prestaged in Active Directory as an RODC.
15. Click OK.
16. On the Location For Database, Log Files, and SYSVOL page, click Next.
17. On the Directory Services Restore Mode Administrator Password page, type
Pa$$w0rd12345 in the Password and Confirm Password boxes, and then
click Next.
In a production environment, you should assign a complex and secure
password to the Directory Services Restore Mode Administrator account.
Also, note that we modified the minimum password length in Lab A and as
such need to meet the new minimum password length requirements.
18. On the Summary page, click Next.
19. In the progress window, select the Reboot On Completion check box. Active
Directory Domain Services is installed on BRANCHDC01, the server reboots.

Results: In this exercise, you created a new RODC named BRANCHDC01 in the
contoso.com domain.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 2: Configure Password Replication Policy
In this exercise, you will configure a domain-wide password replication policy and
the password replication policy specific to BRANCHDC01.
1. Configure domain-wide password replication policy.
2. Create a group to manage password replication to the branch office RODC.
3. Configure password replication policy for the branch office RODC.
4. Evaluate resultant password replication policy.

Task 1: Configure domain-wide password replication policy.
Who are the default members of the Allowed RODC Password Replication
Group?
Who are the default members of the Denied RODC Password Replication
Group?
Add the DNSAdmins group as a member of the Denied RODC Password
Replication Group.
Examine the password replication property for NYC-BRANCHDC01.
What are the password replication policies for the Allowed RODC Password
Replication Group and for the Denied RODC Password Replication Group?

Task 2: Create a group to manage password replication to the branch
office RODC.
1. In the Groups\Role OU, create a new global security group called Branch
Office Users.
2. Add the following users to the Branch Office Users group:
Anav.Silverman
Chris.Gallagher
Christa.Geller
Daniel.Roth
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Task 3: Configure password replication policy for the branch office
RODC.
Configure BRANCHDC01 so that it caches passwords for users in the Branch
Office Users group.

Task 4: Evaluate resultant password replication policy.
Open the Resultant Policy for BRANCHDC01's password replication policy.

Question: What is the resultant policy for Chris.Gallagher?
Results: In this exercise, you configured the domain-wide password replication policy
to prevent the replication of passwords of members of DNSAdmins to RODCs. You also
configured the password replication policy for BRANCHDC01 to allow replication of
passwords of members of Branch Office Users.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 3: Manage Credential Caching
In this exercise, you will monitor credential caching.
1. Monitor credential caching.
2. Pre-populate credential caching.

Task 1: Monitor credential caching.
1. Log on to BRANCHDC01 as Chris.Gallagher with the password Pa$$w0rd
and then log off.
2. Log on to BRANCHDC01 as Mike.Danseglio with the password Pa$$w0rd,
and then log off.
The contoso.com domain used in this course includes a Group Policy object
(named 6425C) that allows users to log on to domain controllers. In a
production environment, it is not recommended to give users the right to log
on to domain controllers.
3. On NYC-DC1, in Active Directory Users and Computers, examine the
password replication policy for BRANCHDC01.

Question: Which users' passwords are currently cached on BRANCHDC01?
Question: Which users have been authenticated by BRANCHDC01?
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Task 2: Prepopulate credential caching.
In the password replication policy for BRANCHDC01, prepopulate the
password for Christa Geller.

Results: In this exercise, you identified the accounts that have been cached on
BRANCHDC01, or have been forwarded to another domain controller for
authentication. You also prepopulated the cached credentials for Christa Geller.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Question: Why should you ensure that the password replication policy for a
branch office RODC has, in its Allow list, the accounts for the computers in the
branch office as well as the users?
Question: What would be the most manageable way to ensure that computers in a
branch are in the Allow list of the RODC's password replication policy?
click Revert.
4. Repeat these steps for 6425C-NYC-SVR1 and 6425C-BRANCHDC01.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Module
Review
Questio
regular
enforce
accomp
Questio
policies
Questio
logons o
Questio
credent
Review a
w Questions
on: In your organ
basis. You need t
d. The user accou
plish this with the
on: Where should
s for user account
on: What would b
on all machines i
on: What are the
tials for all users a
Improving t
and Takea
nization, a numbe
to ensure that all
unts are scattered
e least administra
d you define the
ts in the domain?
be the disadvanta
in your domain?
advantages and d
and computers in
aways
er of users deal w
these users have
d across multiple
ative effort?
default password
?
age of auditing al
disadvantages of
n a branch office
with confidential f
e strict account po
OUs. How woul
d and account loc
ll successful and
prepopulating th
to that branch's R
n 9-75

files on a
olices
ld you
ckout
failed
he
RODC?
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Common Issues Related to Authentication in Active Directory
User is not forced to change the
password even if that setting is
configured in Default Domain Policy.

User or group does not have the
right PSO applied.

Real World Issues and Scenarios
You must ensure that all users change their password every 30 days. Company
procedures specify that if a user's password will expire while the user is out of the
office, the user may change the password prior to departure. You must account for
a user who is out of the office for up to two weeks. Additionally, you must ensure
that a user cannot reuse a password within a one-year time period. How would you
configure account policies to accomplish this?
Best Practices Related to Security of Authentication in an
AD DS Domain

Use Default Domain Policy GPO to specify general password and account
lockout policies that will apply for most users.
Use fine-grained password policy to specify password and account lockout
policies for specific users and groups with administrative privileges.
Do not enable all options for auditing because you will have many security
logs, which will be hard to search. Use advanced audit logging to have more
granular control.
Deploy RODCs in sites where physical security is an issue.
Tools
Group Policy
Management console
Editing and managing group
policy objects
Administrative Tools
ADSI Edit Creating Password Setting
Objects
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Dcpromo Creating and managing domain
controllers
Command-line utility
Content Specific to Windows Server 2008 R2

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Configuring Domain Name System 10-1
Module10
Configuring Domain Name System
Contents:
Lesson 1: Review of DNS Concepts, Components, and Processes 10-4
Lesson 2: Install and Configure DNS Server in an AD DS Domain 10-25
Lab A: Install the DNS Service 10-38
Lesson 3: AD DS, DNS, and Windows 10-43
Lesson 4: Advanced DNS Configuration and Administration 10-68
Lab B: Advanced Configuration of DNS 10-81
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-2 Configuring
Module
Window
Name S
as an IT
on DNS
resoluti
outside
Object
After co
Des
Inst
Des
Des
Overview
ws and Active D
System (DNS). Yo
T professional sup
S. In this module,
ion both within y
your domain, an
tives
ompleting this mo
scribe the concep
tall and configure
scribe how AD D
scribe the advanc
w
irectory services
ou will be already
pporting users, ap
, you will learn ho
your Active Direct
nd your intranet.
odule, you will be
pts, components,
e DNS.
S, DNS, and Win
ced configuration
s have a strong d
y familiar with DN
pplications, servi
ow to implement
tory Domain Serv
e able to:
and processes of
ndows are integra
n and administrat
Services
ependency on Do
NS as a user of DN
ices, and systems
t DNS to support
vices (AD DS) do
f DNS.
ated.
tion tasks of DNS

omain
NS and
that rely
t name
main,
S.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lesson 1
Review o
Processe
DNS is
you will
in detail
informa
DNS-rel
Object
After co
Un
Des
1
of DNS Co
es
an integral and c
l review the role,
l the processes u
ation will be fami
lated concepts an
tives
ompleting this les
derstand the stru
scribe client and
oncepts,
critical componen
structure, and fu
sed to resolve DN
liar to you, this le
nd terminology.
sson, you will be a
ucture role, struct
server name reso
Configuri
Compon
nt of a Windows e
unctionality of DN
NS queries. Altho
esson will help yo
able to:
ture, and function
olution processes
ng Domain Name System
nents, and
enterprise. In this
NS. You will also
ough some of this
ou become fully a
nality of DNS.
.
m 10-3
d

s lesson,
explore
s
aware of

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-4 Configuring
Why D
Key Po
DNS is
services
a specifi
Therefo
Compu
resolve
http://t
the IP a
through
the IP a
DNS?
oints
used to resolve c
s. Most commonl
fied DNS name.
ore, users and app
ters, however, loc
names to addres
echnet.microsoft
ddress of the app
h a series of proce
ddress of the web
client queries for i
ly, DNS is used to
plications tend to
cate each other w
ses. For example
t.com, the name t
propriate web ser
esses that will be
b server: 207.46.
information abou
o resolve a client's
o use names to re
with their IP addr
e, if a user is brow
technet.microsoft
rver. The client qu
explained later, t
16.252.
Services
ut remote system
s query for the ad
fer to systems.
esses. DNS serve
wsing to
t.com must be res
ueries its DNS se
the DNS server re

ms and
ddress of
es to
solved to
erver and,
eturns
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

DNS H
Key Po
The nam
namesp
name su
most sp
generic
the DNS
the mor
Top-lev
are a lim
.mil, an
.ca, .uk,
Above e
actually
but it is
represen
Hierarchy
oints
mes used in DNS
paces called doma
uch as technet.mi
pecific part of the
part of the name
S namespace thro
re specific domain
el domains such
mited number of
d .edu. Each coun
.au, and .za.
each of these top-
y represented by a
interesting to no
nted as technet.m
S create a hierarch
ains to an individu
icrosoft.com is re
namethe indivi
e, com. The name
ough the most ge
n (microsoft) to t
as .com are highl
available top-leve
ntry also has an I
-level domains is
a dot ("."). The ro
ote that technet.m
microsoft.com. wi
Configuri
hy, from a root th
ual record for a sy
ead by humans fr
idual host name,
e can be resolved
eneric, top-level d
the most specific
ly regulated by In
el domains, inclu
ISO-based top-lev
the root of the D
oot dot is generall
microsoft.com wo
ith the trailing do
hrough a series of
ystem (host) or s
rom left to right, f
technetto the m
by starting at the
domain (com), th
host name (tech
nternet authoritie
ding .com, .net, .
vel domain, inclu
DNS namespace, w
ly left out of DNS
uld be more accu
ot.
m 10-5

f
service. A
from the
most
e root of
rough
hnet).
es; there
org, .gov,
uding .us,
which is
S names,
urately
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-6 Configuring
Zones
Key Po
For a D
client's
databas
resoluti
domain
A server
s
oints
NS server to be a
query for the IP a
se. This database
ion for a distinct p
n such as contoso
r that hosts a zon
able to resolve qu
address of anothe
is called a zone. A
portion of the DN
.com.
ne for a domain is
ueries from clients
er computerthe
A zone is a datab
NS namespace, st
s authoritative for
Services
sfor example, to
DNS server mus
ase that supports
tarting with a spe
r that domain.

o return a
st have a
s
ecific
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Resou
Key Po
Within
There a
Add
reso
you
AAA
Can
reco
asso
man
sim
serv
urce Records
oints
a zonethe DNS
re several types o
dress (A or AAAA
olve a name to an
u associate with D
AA records resolv
nonical Name (C
ords map an alias
ociate multiple n
nually update eac
mply change the s
ver by name, not
s
databaseare rec
of resource record
A). These are also
n IP address, and
DNS. The A recor
ve a name to an IP
NAME). These ar
s to another fully
ames with a sing
ch record when t
erver's A record,
by address, will
Configuri
cords called reso
ds, including:
known as Host r
are used in the s
ds resolve a nam
Pv6 address.
re also known as
y qualified name.
le server and pre
the server's IP add
and all CNAME r
continue to funct
urce records.
records. These re
standard DNS qu
me to an IPv4 addr
Alias records. Th
Alias records allo
event you from ha
dress changes. Yo
records, which re
tion.
m 10-7

cords
uery that
ress. The
hese
ow you to
aving to
ou can
efer to the
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Mail Exchanger (MX) records. The MX record contains the name of the email
server of a domain. You can consider MX as a type of alias, except that the alias
is always called MX. This is so that, no matter what language or naming
standard is used by a domain, its mail server can always be located with a
query for MX.domain.
Name Service (NS) records. These records point to the authoritative DNS
servers for a domain.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Resou
Key Po
The reso
adminis
Alternat
their ow
If a zon
to be cr
to a serv
To redu
dynami
to the D
that the
update)
urce Record
oints
ource records in
strator.
tively, dynamic u
wn DNS records.
e is opened up fo
eated. For examp
ver other than th
uce the possibility
ic updates. Client
DNS zone, and cli
e client computer
) its host record in
Managemen
a zone can be cre
updates can be en
or dynamic updat
ple, someone cou
e correct web ser
y of spoofing, Win
ts must be authen
ients can only up
must be a doma
n DNS.
Configuri
nt
eated and mainta
nabled through w
tes, there is a pos
uld create a record
rver for a domain
ndows Server DN
nticated to the do
pdate their own D
in member to suc
ained manually by
which systems can
ssibility for a rogu
d named www th
n. This is called sp
NS supports secu
omain to make an
DNS records. This
ccessfully register
m 10-9

y an
n register
ue record
hat points
poofing.
ure
n update
s means
r (or
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-10 Configuring
Zone
Key Po
The DN
infrastru
two DN
The DN
one of t
Lik
a zo
hos
onl
zon
the
Replication
oints
NS databasethe z
ucture. As with an
NS servers availab
NS database can b
two ways:
ke other traditiona
one in a file. Only
sts the primary zo
y copy called a se
ne transfer. A DN
server from whic
zoneis an impor
ny other critical s
ble for clients to p
be stored and rep
al DNS implemen
y one DNS server
one. Other DNS s
econdary zone. T
S server hosting
ch it copies the zo
rtant component
service, an organi
provide redundan
licated to more th
ntations, Window
r can write to the
servers copy the z
The process of cop
a secondary zone
one.
Services
t of a network
ization should try
ncy.
han one DNS ser
ws DNS servers ca
zone: that DNS s
zone and create a
pying the zone is
e requires permis

y to have
rver in
an store
server
a read-
s called
ssions on
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
When DNS zones are hosted on domain controllers, you can store zone data
in Active Directory itself, creating an Active Directory integrated zone. Zone
data is replicated in the same multimaster fashion as other Active Directory
data. This is particularly important if dynamic updates are enabled, because
clients will be registering their records with their primary DNS server, which
will be in their site. The zone is also replicated incrementally: only records that
have changed are replicated. This is much more efficient than traditional
whole-file zone transfer. If the DNS zone is Active Directory-integrated, the
concept of primary and secondary zone does not apply anymore, because a
change can be made on any DNS server that is holding a copy of that zone.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-12 Configuring
Subdo
Key Po
As men
namesp
subdom
For exa
subdom
There a
Sub
sub
reco
serv
omains
oints
tioned earlier, a z
pace, starting with
mains within a po
mple, if you man
main, europe.cont
re three options f
bdomain. A zone
bdomains. If a zon
ords necessary to
ver is authoritativ
zone supports res
h a domain such
rtion of the DNS
nage the contoso.
toso.com.
for creating a sub
starts at a domai
ne contains a sub
o support resoluti
ve for the subdom
solution for a spe
as contoso.com. Y
namespace for w
com namespace,
bdomain such as
in and can contai
bdomain, the zon
ion for the subdo
main.
Services
ecific portion of th
You can create
which you have au
you can create a
europe.contoso.c
in one or more
ne includes all of t
omain, and the D

he DNS
uthority.
com:
the
DNS
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Delegation. A delegation is a "link" to a subdomain, created by one or more NS
records that point to one or more authoritative name server(s) for the
subdomain. An NS record points to a name or IP address of a subdomain's
name server. If the NS record points to a name, there must also be a host (A)
record for the server in the parent domain. The NS records are created when
you create the delegation, but if you need to change the IP addresses or names
of the namespace servers, you must update the NS records manually.
Stub zone. A stub zone is very similar to a delegation, except that the NS
records that point to the name server are updated automatically in the parent
zone. This sounds like an ideal way to manage subdomains hosted on separate
DNS servers, and stub zones are ideal in many environments. However, the
automatic update of NS records requires that TCP port 53 be open between
the host (parent) name servers and all name servers in the child domain. If it is
not able to keep TCP port 53 open to support this requirement, you should
use a standard delegation.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-14 Configuring
Placin
Key Po
In an en
zones an
replicati

ng DNS Serve
oints
nvironment that c
nd DNS servers i
ion traffic, and ad
ers and Zone
contains more th
in a way that opti
dministrative ove

es
an one domain, y
imizes name reso
erhead.
Services
you can choose to
olution for clients

o place
s,
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

On the left of this illustration, the parent zone has a delegation or a stub domain
that points to the name servers of the child domain. Queries for records in the
child domain are resolved by the DNS server that is authoritative for the child
domain. The name servers might be located in Europe to support queries by clients
for servers and services in Europe.
On the right of the figure, DNS servers host a single zone that includes a
subdomain for the child domain. This structure increases replication traffic
between the two DNS servers, but clients in either location can resolve names from
either domain from the authoritative DNS server in their location.
contoso.com
hqdc01
filesvr01
desktop101
europe
zone
europe.contoso.com
eudc01
filesvr42
desktop631
zone
contoso.com
hqdc01
filesvr01
desktop101
europe
eudc01
filesvr42
desktop631
zone
contoso.com
hqdc01
filesvr01
desktop101
europe
eudc01
filesvr42
desktop631
zone
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-16 Configuring
DNS C
Key Po
Now th
DNS ser
subdom
name is
When a
to a hos
GetAdd
The DN
maintai
been res
HOSTS
initialize
a name
time, th
Client
oints
at you've learned
rvers and how ch
mains, or stub zon
s resolved to an IP
a client applicatio
st such as technet
drInfo() API, whic
NS Client service f
ned database on
solved. Then, the
file (%systemroo
ed during DNS C
is successfully re
he ability of the D
d about how the D
hild domains are
nes, you are ready
P address.
on, such as Micro
t.microsoft.com,
ch passes the hos
first checks the D
the clientto det
e DNS resolver ca
ot%\system32\d
Client startup and
esolved, it is adde
NS client to resol
DNS namespace i
supported by usi
y to explore in de
soft Internet Ex
the client applica
st name to the DN
DNS resolver cach
termine whether
ache is preloaded
drivers\etc\hosts)
d when the HOST
ed to the DNS res
lve names locally
Services
is hosted in zone
ing delegations,
etail the way in w
xplorer, needs to
ation makes a call
NS Client service.
hea local, dynam
the name has pre
d with the content
) when the cache
TS file is modified
solver cache. So, o
y increases.

es on
which a
o connect
l to the

mically
eviously
ts of the
e is
d. When
over
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Each resource record contains a time-to-live (TTL) value, which determines how
long the record stays in the cache. When the TTL is reached, the record is removed
from the cache.
You can use the ipconfig /displaydns command to examine the contents of the
local DNS resolver cache, and the ipconfig /flushdns command to flush the cache
and reload it with the contents of the HOSTS file.
It's important to note that if a client queries a DNS server for a host record, and the
DNS server returns a negative response, which indicates that the record cannot be
found, that negative response is also cached. If you create a host record on the
DNS server and retry the query, the client fails because it continues to retrieve the
negative response from its cache until that response is removed from the cache. In
this case, the ipconfig /flushdns command can be used to force the client to re-
query the DNS server.
You can use the nslookup.exe command to query a DNS server directly bypassing
the DNS resolver cache.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-18 Configuring
Query
Key Po
If the D
cache, it
that is b
of the re
The que
iterative
sent fro
server to
recursiv
describe
DNS ser
indicatin
client's
If the pr
cannot b
Addition
y to DNS Ser
oints
NS Client service
t queries the prim
being requested (
ecord being requ
ery sent to the DN
e or recursive que
m a Windows cli
o return a respon
ve query, it querie
ed in the next sec
rver is unable to
ng that the doma
query.
rimary DNS serve
be resolved, the D
nal DNS servers
rver
e cannot resolve t
mary DNS server.
for example, the
uested (for examp
NS server also sp
ery. A recursive q
ient to its DNS se
nse that is definiti
es other DNS serv
ction, until the D
resolve the client
ain name system
er returns a negat
DNS client does n
are queried only
the query by usin
The query speci
address, host, or
ple, technet.micro
ecifies whether th
query is the most
erver. The recursi
ive. When the DN
vers by using a p
NS server resolve
t query, it returns
does not have a r
tive answer, indic
not query the sec
if the primary DN
Services
ng the DNS resolv
fies the type of re
r "A" record) and
osoft.com).
he client is reque
common type of
ive query tells the
NS server receive
rocess that will b
es the client's que
s a negative respo
record that match
cating that the na
condary DNS serv
NS server is not a

ver
ecord
the name
esting an
query
e DNS
s a
be
ery. If the
onse,
hes the
ame
ver.
available.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Therefore, ensure that every DNS server can resolve all queries from all clients that
direct queries to that server.
Clients can optionally request an iterative query. The DNS server attempts to
resolve the query locally by using processes that will be described in the next
section, and will return a resolution (if available), or will return the most useful
information that it can provide.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-20 Configuring
DNS S
Key Po
The DN
a resolu
If no res
the DNS
when th
resolved
If a reso
If no res
server r
exampl
host tha
name se
server c
root ("."
Server Resol
oints
NS server, on rece
ution can be foun
sponse is found,
S server builds a
he server starts an
d from other DNS
olution is found in
solution is found
eturns its best gu
e, the DNS server
at the client reque
erver of the host's
can refer the clien
) of the DNS nam
ution
eiving a client que
nd, it is returned t
the server checks
cache of resolved
nd is populated w
S servers. A recor
n the cache, it is r
d, and if the client
uessthe most us
r might not have
ests, but it might
s parent domain.
nt to a list of root
mespace. The clie
ery, first checks th
to the client as an
s its Cached Look
d resource record
with resource reco
rd is purged when
returned as a pos
t requested an ite
seful information
a cached resourc
have a cached re
In the worst-case
name servers: DN
ent takes whateve
Services
he locally hosted
n authoritative res
kups. Like the DN
ds. The cache is in
ords because they
n its TTL is reach
sitive response.
erative query, the
that it can provid
ce record for the s
esource record fo
e scenario, the DN
NS servers that h
er information is r

zones. If
sponse.
NS client,
nitialized
y are
hed.
DNS
de. For
specific
r the
NS
host the
returned
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
by the DNS server in an iterative query and uses that information to continue to try
to resolve the name.
If the client requested a recursive query, the DNS server continues with processes
described in the next section.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-22 Configuring
Recur
Key Po
If the cl
query to
the clien
In the m
cache is
.com na
In this c
server h
an itera
The roo
zone NS
informa
server r
continu
rsion
oints
ient requests a re
o resolve it. In eff
nt's behalf. This p
most extreme exa
s empty. It does n
ame servers.
case, the DNS ser
has a list of these
tive query for tec
ot DNS servers ca
S records for nam
ation as a referral
eturns its best g
ues the process.
ecursive query, th
fect, the DNS serv
process is called r
ample of recursion
not have any cach
rver starts by que
root servers in its
chnet.microsoft.co
annot resolve tech
me servers in the
. This is a good e
guess, and the cli
he DNS server con
ver proxies the qu
recursion.
n, the DNS serve
hed NS records fo
erying the root DN
s root hints. It sen
om.
hnet.microsoft.co
.com domain. Th
xample of an iter
ient (in this case
Services
ntinues to proces
uery and perform
r has just started
or microsoft.com
NS servers. The D
nds the root DNS
om, but they have
hey return this
rative query: the r
itself a DNS serv

ss the
ms it on
and its
or even
DNS
S server
e in their
root DNS
er)
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Next, the DNS server sends another iterative query to the .com name server. Again,
the server cannot resolve technet.microsoft.com, but it can provide NS records for
microsoft.com as a referral.
With this referral, the DNS server queries the name server for microsoft.com. That
DNS server is authoritative (hosts a zone) or microsoft.com, and is able to return
an exact match for the host record for technet.microsoft.com.
The DNS server caches this resolution and returns it to the client as a positive
response.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-24 Configuring
Lesson 2
Install an
Now th
DNS an
role in a
Object
After co
Inst
Add
Man
Con
Con
nd Config
at you have revie
nd name resolutio
an AD DS domain
tives
ompleting this les
tall DNS.
d DNS zones.
nage DNS record
nfigure DNS serv
nfigure DNS clien
gure DNS
ewed the concept
on, you are ready
n.
sson, you will be a
ds.
ver settings.
nt settings.
S in an AD
ts, terminology, an
y to install and co
able to:
Services
D DS Dom
nd processes rela
nfigure the DNS
main

ated to
server

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Instal
Key Po
The DN
other fu
to perfo
You can
The DN
Domain
The dom
server r
When th
is availa
automa
(dnsmg
Adminis
SP1 or l
l and Manag
oints
NS server role is n
unctionality, it is a
orm the role.
n install the DNS
NS server role can
n Services Installa
main controller o
ole.
he DNS server ro
able to add to you
tically to the Serv
gmt.msc). To adm
strative tools to y
later operating sy
ge the DNS S
not installed on W
added in a role-b
server role by us
n also be added au
ation Wizard, wh
options page of th
ole is installed, yo
ur administrative
ver Manager cons
minister a remote
your administrativ
ystems.
Configuri
Server Role
Windows Server 2
ased manner wh
sing the Add Role
utomatically by th
hich you can start
he wizard allows y
ou will find that th
consoles. The sn
sole and in the D
DNS server, add
ve workstation th
2008 by default. L
en a server is con
e link in Server M
he Active Directo
by using dcprom
you to add the D
he DNS Manager
nap-in is also add
NS Manager con
the Remote Serv
hat runs Window
m 10-25

Like any
nfigured
Manager.
ory
mo.exe.
DNS
r snap-in
ed
sole
ver
ws Vista
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
When you install the DNS server role, the dnscmd.exe command-line
administrative tool is also added. DNSCmd can be used to script and automate
DNS configuration. At the command prompt, type dnscmd.exe /?for help.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Create
Key Po
After ins
To creat
and clic
creating
You wil
Prim
Sec
ano
Stu
dom
You can
domain
e a Zone
oints
stalling a DNS se
te a zone, right-cl
ck New Zone. The
g a zone.
l be able to select
mary zone. The D
condary zone. Th
other DNS server
b zone. The DNS
main. Stub zones
n also select to sto
n controller. This
erver, you can beg
lick the Forward
e New Zone Wiz
t one of the three
DNS server will b
e DNS server will
. The secondary z
S server will main
will be discussed
ore the zone data
creates an Active
Configuri
gin adding zones
Lookup Zones n
ard takes you thr
e types of zones:
e able to write to
l maintain a copy
zone is read-only
ntain a list of nam
d in detail later in
a in Active Directo
e Directory integr
to the server.
node in the conso
rough the process
the zone.
y of a zone hosted
y.
me servers for ano
n this module.
ory if the DNS ser
ated zone, which
m 10-27

le tree
s of
d on
other

rver is a
h will be
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
discussed later in this module. If you clear this option, the zone data is stored in a
file rather than in Active Directory.
After choosing the zone type, you are prompted to enter the zone namethe fully
qualified domain name for the zone.
Zone Updates
When you create a zone, you are also prompted to specify whether dynamic
updates are supported. Dynamic updates reduce the management overhead of a
zone, because clients can add, delete, and update their own resource records.
Dynamic updates leave open the possibility that a resource record could be
spoofed. For example, a computer could register a record named www, effectively
redirecting traffic from your web server to the incorrect address.
To eliminate the possibility of spoofing, Windows Server 2008 DNS Server service
supports secure dynamic updates. A client must authenticate prior to updating its
resource records, so the DNS server knows whether the client is the same
computer that has the permission to modify the resource record.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Create
Key Po
In most
need to
To creat
wish to
the type
IP addre
for upd
e Resource R
oints
t environments, e
add resource rec
te a resource reco
create. A dialog b
e of record you ar
ess, you can man
ating records and
Records
even those with d
cords to a zone.
ord, right-click th
box appears with
re adding. Beside
nually set the TTL
d pointer records
Configuri

dynamic updates
he zone and choo
h input controls th
es entering a resou
L period, and you
s.
enabled, there wi
se the type of rec
hat are appropria
urce record name
u can configure op
m 10-29

ill be the
cord you
ate for
e and an
ptions
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-30 Configuring
Confi
Key Po
An ente
at least
If the zo
to anoth
Director
describe
If the zo
and con
read-on
resoluti
primary
The firs
servers
seconda
gure Redund
oints
erprise should str
two DNS servers
one is Active Dire
her domain contr
ryintegrated zon
ed in the next les
one is not Active D
nfigure it to host a
nly copy of the pri
ion, but not for re
y zone.
st step in this pro
as name servers f
ary servers to the
dant DNS Se
rive to ensure tha
s.
ectoryintegrated
roller in the same
nes and the replic
sson.
Directory-integra
a secondary zone
imary zone. A sec
ecords managem
cess is to configu
for the zone. The
e parent zone.
ervers
t a zone can be re
, you can simply
e domain as the fi
cation of the DNS
ated, you must ad
e. Remember that
condary zone can
ent. All changes a
ure the zone itself
en, add naming se
Services
esolved authorita
add the DNS ser
irst DNS server. A
S zone by AD DS
dd another DNS s
t a secondary zon
n be used for nam
are pulled from th
f to refer to the se
ervice records for

atively by
rver role
Active
are
server
ne is a
me
he
econdary
r the
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
A secondary server copies the zone from another DNS server called the master
server. The master server need not be the primary server, but there are obvious
advantages to using the primary zone as the master to reduce the latency with
which record updates are replicated to secondary servers.
The master server must allow the secondary servers to connect and initiate a zone
transfer. This is configured on the Zone Transfers tab of the zone properties on the
master server, shown here:

You can then add the secondary zone to the forward lookup zones of the
secondary server. The secondary server is configured to replicate the zone from the
master server.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-32 Configuring
Confi
Key Po
In Lesso
using it
recursiv
To conf
is to add
servers.
or they
infrastru
Server s
your co
Forward
a netwo
The list
purpose
gure Forwar
oints
on 1, you learned
s local zones and
ve query, the DNS
figure a DNS serv
d forwarders to th
Typically, these
are configured as
ucture. For exam
service to resolve
rporate DNS serv
ders are similar to
ork connection. T
is not shared wit
e for the DNS ser
rders
d that a DNS serv
d cache. If it is un
S server performs
ver to effectively p
he DNS server. F
servers are hoste
s upstream DNS
mple, your Active D
names within th
vers, which host z
o the DNS server
That list of DNS s
th the DNS serve
rver service.
ver attempts to re
able to do so, and
s the query on be
perform a recursi
Forwarders are po
ed by your Intern
servers in your en
Directory domain
e domain, and th
zones for other e
rs that you config
ervers is used by
er service. Forwar
Services
solve a client's qu
d if the query is s
ehalf of the client
ive query, the firs
ointers to other D
et service provide
nterprise DNS
n may use Windo
hen forward quer
nterprise domain
gure in the IP pro
the DNS Client s
rders serve the sa

uery by
sent as a
.
t method
DNS
er (ISP),
ows DNS
ies to
ns.
perties of
service.
me
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
If forwarders are not configured, the server will attempt to query a name server for
the root of the DNS namespace ("."). These root servers are maintained as root
hints. Although the root DNS name servers do not change frequently, they can
change occasionally. Windows Update will include updates to the root hints.
There are several mechanisms with which a recursive query can be made more
efficient, including conditional forwarders and stub zones. These options will be
discussed in Lesson 4.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-34 Configuring
Client
Key Po
A DNS s
client is
operatin
a DNS s
The con
screen s
t Configurat
oints
server is not of m
s distinct from all
ng system. There
server. A client sh
nfiguration can be
shot:
ion
much use unless c
Active Directory
fore, a client does
hould have at leas
e fixed in the clie
clients are configu
yrelated compon
s not assume tha
st two DNS serve
ent's IP configurat
Services
ured to query it. T
nents of the Wind
t its domain cont
ers configured.
tion, as shown in

The DNS
dows
troller is
n the
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

The netsh.exe command can also be used to configure the first and additional DNS
servers for a network connection, as in the following example:
netsh interface ipv4 set dns "Local Area Connection"
static 10.0.0.11 primary
netsh interface ipv4 add dns "Local Area Connection"10.0.0.12
Alternatively, the DNS servers can be passed to clients through Dynamic Host
Configuration Protocol (DHCP) by using the DHCP scope option 6: DNS server.
Remember that secondary and additional DNS servers are not queried if the
primary DNS server returns a negative response. Additional DNS servers are
queried only if the primary DNS server does not respond, and is offline.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-36 Configuring
Lab A: In
Lab Se
For this
begin th
1. On
clic
2. In H
clic
3. In t
not
4. Rep
5. Log

nstall the
etup
s lab, you will use
he lab, you must
the host comput
ck Hyper-V Mana
Hyper-V Manage
ck Start.
the Actions pane,
t log on to NYC-D
peat steps 2 and 3
g on to NYC-DC1
User name: Pat.
Password: Pa$$
Domain: Conto
DNS Serv
e the available vir
complete the foll
ager.
er, click 6425C-N
click Connect. W
DC1 until directed
3 for 6425C-NYC
1 by using the foll
.Coleman
$w0rd
so
vice
rtual machine env
lowing steps:
oint to Administr
NYC-DC1, and in
Wait until the virt
d to do so.
C-DC2.
lowing credentia
Services
vironment. Before
rative Tools, and
n the Actions pane
tual machine star
ls:

e you
d then
e,
rts. Do
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Scenario
You are an administrator of Contoso, Ltd. You recently added a second domain
controller to your enterprise, and you want to add redundancy to the DNS server
hosting the domain's zone. Currently, the only DNS server for the contoso.com
zone is NYC-DC1. You need to ensure that clients that resolve against the new
DNS server, NYC-DC2, can access Internet websites. Additionally, you have been
asked to configure a subdomain to support name resolution required for the
testing of an application by the development team.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 1: Add the DNS Server Role
In this exercise, you will add the DNS server role to NYC-DC2, examine the
domain zone that is automatically populated on the DNS server, and then
configure NYC-DC2 to use itself as its primary DNS server.
1. Add the DNS server role.
2. Change the DNS server configuration of the DNS client.
3. Examine the domain forward lookup zone.
4. Configure forwarders for Internet name resolution.

Task 1: Add the DNS server role
1. On NYC-DC2, run Server Manager as an administrator, with the user name
2. Add the DNS server role to NYC-DC2.
3. Close Server Manager.
4. Restart NYC-DC2. Then log on as Pat.Coleman with the password Pa$$w0rd.
This is not necessary in a production environment, but it speeds the process of
restarting services and replicating the DNS records to NYC-DC2 for the
purposes of this exercise.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Task 2: Change the DNS server configuration of the DNS client
2. Run the command prompt as an administrator, with the user name
3. Type netsh interface ipv4 set dnsserver "Local Area Connection" static
10.0.0.11 primary and then press Enter.
4. Type netsh interface ipv4 add dnsserver "Local Area Connection" 10.0.0.10
and then press Enter.

Task 3: Examine the domain forward lookup zone
1. Run DNS Manager as an administrator, with the user name
2. Examine the SOA, NS, and A records in the contoso.com forward lookup zone.

Task 4: Configure forwarders for Internet name resolution
Configure two forwarders for NYC-DC2: 192.168.200.12 and 192.168.200.13.
Because these DNS servers do not actually exist, the Server FQDN will display
either <Attempting to resolve> or <Unable to resolve>. In a production
environment, you would configure forwarders to upstream DNS servers on the
Internet; usually those provided by your ISP.

Results: In this exercise, you added the DNS server role to NYC-DC2 and simulated the
configuration of forwarders to resolve internet DNS names.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 2: Configure Forward Lookup Zones and Resource
Records
In this exercise, you will add a forward lookup zone for the development domain
at Contoso, Ltd. You will then add a host and CNAME record to the zone and
confirm that name resolution for the new zone is functioning.
1. Create a forward lookup zone.
2. Create Host and CNAME records.
3. Test name resolution.

Task 1: Create a forward lookup zone
Create a new forward lookup zone named development.contoso.com. The
zone should be a primary zone, stored in Active Directory and replicated to all
domain controllers in the contoso.com domain. Configure the zone so that it
does not allow dynamic updates.

Note: In a production environment, you would most likely just replicate to all DNS servers.
However, for this lab, you will replicate to all domain controllers to ensure quick and
guaranteed replication.
Task 2: Create Host and CNAME records
1. In the development.contoso.com zone, create a host (A) record for APPDEV01
with the IP address 10.0.0.24.
2. Create a CNAME record, www.development.contoso.com that resolves to
appdev01.development.contoso.com.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Task 3: Test name resolution
At the command prompt, type nslookup www.development.contoso.com,
and then press Enter.
Examine the output of the command. What does the output tell you?

Results: In this exercise, you created a new forward lookup zone,
development.contoso.com, with host and CNAME records, and verified that names in
the zone can be resolved.
Note: Do not shut down the virtual machines after you are finished with this lab because the
settings you have configured here will be used in the next lab.
Question: If you did not configure forwarders on NYC-DC2, what would be the
result for clients that use NYC-DC2 as their primary DNS server?
Question: What would happen to clients' ability to resolve names in the
development.contoso.com domain if you had chosen a stand-alone DNS zone,
rather than an Active Directory-integrated zone? Why would this happen? What
should you do to solve this problem?
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-42 Configuring
Lesson 3
AD DS, D
You've l
default
lesson, y
DS and
Object
After co
Un
Cho
Cre
DNS, and
learned to configu
settings that supp
you will learn mo
the interrelation
tives
ompleting this les
derstand the inte
oose a DNS dom
eate a zone delega
Window
ure DNS in a sim
port Active Direc
ore about the com
between AD DS
sson, you will be a
egration between
ain for an Active
ation for a new A
ws
mple environment
ctory domains ou
mponents and pr
and DNS.
able to:
AD DS and DNS
Directory domain
Active Directory d
Services
t by using many o
t of the box. In th
ocesses that supp
S.
n.
omain.

of the
his
port AD
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Configure replication for Active Directory-integrated zones.
Describe the purpose of SRV records in the domain controller location
process.
Understand read-only DNS servers.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-44 Configuring
AD DS
Key Po
AD DS,
interdep
S, DNS, and
oints
DNS, and the W
pendent in many
Windows
Windows operating
y ways. In this les
g system are integ
son, you will exp
Services
grated and
plore each in mor

re detail.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Integ
Key Po
Active D
name. B
namesp
DS dom
Let's ass
register
www.co
could ch
The
you
des
rate AD DS a
oints
Directory requires
Because DNS is al
pace, you should
main.
sume that you ar
ed domain name
ontoso.com. If yo
hoose one of the
e same domain n
u use the same na
scribed in the nex
and the DNS
s DNS, and an AD
lso used as a glob
carefully conside
e an administrato
e contoso.com, an
u are planning th
following:
ame as your exte
amespace, you ha
xt section.
Configuri
S Namespace
D DS domain mu
bally available, sta
er where in the na
or of Contoso, Lt
nd which has a w
he namespace for
ernal DNS domain
ave to implement
e
ust have a DNS do
andards-based
amespace you set
d, which maintai
website at
r your AD DS dom
n name: contoso.
t split-brain DNS,
m 10-45

omain
t your AD
ins the
main, you
.com. If
which is
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
A subdomain of your external domain name: ad.contoso.com. If you use a
subdomain of a registered domain name, you can proceed easily because you
are the owner of that portion of the DNS namespace. You should be careful,
however, of going too deep in the DNS namespace. Users and admins alike
will be typing fully qualified domain names frequently, and a lengthy domain
suffix will make each FQDN more difficult to enter. In addition, URLs and
UNCs have length limits, which are easier to reach with lengthy DNS suffixes.
A separate domain name: contoso.net. If you use a separate domain name for
your Active Directory domain, register the domain so that it is not usurped by
another organization. Ensure that you maintain ownership of that portion of
the DNS namespace.

In today's increasingly connected world, the lines between network, intranet,
extranet, and the Internet are blurred. It is becoming difficult to maintain
namespace separation and less value is contributed by it. For this reason, many
organizations are choosing to use the most familiar domain name: the public
domain name. The public domain name is the one most closely associated with the
organization and the domain name that's easiest to type. As already mentioned,
there are steps you must take to support this configuration, but the cost of the
steps is typically far less than the benefits it provides. With any of these choices,
you must manage name resolution, perimeter protection, and security, so there are
equivalent levels of administrative effort to support any of these namespace
choices. Therefore, use a DNS name that is easy for the users of your namespace.
In the early years of Active Directory, it was common to suggest the use of a custom
top-level domain, such as .msft or even the .local top-level domain for the Active
Directory domain. Due to changes in the networked world, including IP version 6
(IPv6)and increased interconnectivity, these options should be explored only after
very careful consideration of their ability to support your business requirements,
the benefits they might provide, and the cost in terms of administration and user
support.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Split-
Key Po
Whenev
connect
separati
clients.
answer
only fro
externa
same tim
The inte
the reso
allows s
The ext
records
much sm
will typi
Brain DNS
oints
ver you use a dom
tions to your netw
ion of DNS zones
This is called spl
queries for the sa
om your local clie
l clients. No clien
me.
ernal DNS zone m
ource records for
secure dynamic u
ternally accessible
that they require
maller than the z
ically be updated
main name for an
work from the ou
s that provides di
lit-brain DNS. In f
ame domain nam
ents, whereas exte
nt should be avail
must support the
servers, clients, a
updates and store
e DNS zone prov
e, for example, ww
zone supporting t
d manually, rather
Configuri
n AD DS domain
utside world, ensu
ifferent informati
fact, you use sepa
me. Internal DNS
ernal DNS answe
lable to access bo
e AD DS domain i
and services in th
es its zone data in
vides to outside cl
ww and ftp. This
the domain intern
r dynamically. Th
that is also used
ure that there is a
ion to public and
arate DNS server
answers queries
ers queries only fr
oth DNS servers a
in full fidelity, wi
he domain. Ideally
n Active Directory
lients only the re
zone will typical
nally. The externa
he DNS Server ho
m 10-47

for
a
d internal
s to
coming
rom
at the
th all of
y, it
y itself.
source
lly be
al zone
osting the
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
external zone will often be placed behind the external firewall, with only port 53
opened to it.
There may well be some need for duplicate records in the two zones. If your
internal users need access to the public website, such as www.contoso.com, that
resource record must exist in the internal zone against which clients query.
Remember, because the internal DNS server is considered authoritative for the
zone (as is the external server), it will return either a resolution for a query or a
negative response, indicating that the record simply doesn't exist. There is no
"second query" or iterative query against the external zone. Therefore, you will
create records that are required internally and externally, such as www, in both
zones.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Create
Key Po
In Modu
When y
there w
and the
configu
query th
externa
Name S
server.
This is n
from th
Howeve
a child d
If the ch
e a Delegatio
oints
ule 1, you created
you promoted the
as no delegation
e domain was esta
red with the IP ad
he DC and can re
l clients can reso
Service records in
not a problem for
e rest of the Inter
er, within a forest
domain if the chi
hild domain is a s
on for an Ac
d a new Window
e domain control
for the contoso.c
ablished with DN
ddress of the dom
esolve names in th
lve contoso.com
n the .com domain
r the labs in this
rnet, and there is
t, it is important t
ild domain's zone
subdomain of the
Configuri
ctive Directo
ws Server 2008 AD
ller, you received
com domain. You
NS on the domain
main controller a
he contoso.com d
names because t
n that point to yo
course because y
no need for a de
that there are del
e will be hosted o
e existing zone, n
ry Domain
D DS domain and
a message indica
u ignored the mes
n controller. Clien
s their DNS serve
domain. Howeve
there is no delega
our authoritative
your domain is se
elegation.
egations from a p
on separate DNS
no delegation is n
m 10-49

d forest.
ating that
ssage,
nts
er will
er, no
ationno
DNS
eparated
parent to
servers.
necessary.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
For example, to add a domain, europe.contoso.com, to the domain tree, and to
support replication and authentication in the forest, clients in contoso.com must
be able to resolve servers, services, and other records in europe.contoso.com.
Before you add a child domain to a tree, or a new tree to a forest, you must create a
delegation in the parent domain or the forest root domain.
To create a delegation, right-click the zone for the parent domain and choose New
Delegation. You will be prompted to enter name servers for the new domain. Refer
to the server that is or will be the child domain's DNS server.
To create a delegation for a new domain tree or for the forest root domain itself,
create a new zone first in the existing root DNS zone. In the new zone, add an
Address record that uses the full DNS name of the new domain's DNS server.
Then, add an NS record for the new domain that refers to the full DNS name of the
domain controller.
After you've created the delegation, you are ready to configure the server that will
be the child domain's first domain controller. First, configure its DNS server to
point to the DNS server on which you created the delegation.
Install the DNS role by using Server Manager and then create the primary zone for
the child domain. Alternatively, use the Active Directory Domain Services
Installation Wizard (dcpromo.exe), which can install DNS as part of the
installation of AD DS.
After the child domain has been created, reconfigure the child DNS server to refer
to itself as its primary DNS server. Typically, you will add the parent DNS server as
a forwarder, conditional forwarder, or stub zone to the child DNS server. You must
ensure, one way or another, that systems in the child domain can resolve names in
the parent domain. Finally, use an Active Directory-integrated zone that supports
secure dynamic updates for the child domain.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Active
Key Po
In Lesso
DS data
Active D
are sign
Mu
mo
wri
poi
geo
bec
con
e Directory
oints
on 1, you learned
abase when the D
Directory-integrat
nificant:
ultimaster updates
dified by a single
tten to by any DC
nt of failure in th
ographically distri
cause it allows cli
nnect to a potenti
Integrated Z
d that Windows D
DNS server is an A
ted zone. The ben
s. Unlike standar
e primary server, A
C to which the zo
he DNS infrastruc
ibuted environm
ents to update th
ially distant prim
Configuri
Zones
DNS Server can s
AD DS domain co
nefits of Active Di
rd primary zones
Active Directory-
one is replicated.
cture. It is particu
ments that use dyn
heir DNS records
ary server.
tore zone data in
ontroller. This cre
irectory-integrate
, which can only
integrated zones
This removes a s
ularly important in
namic update zon
without having t
m 10-51

n the AD
eates an
ed zones
be
can be
single
n
nes,
to
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Replication of DNS zone data by using AD DS replication. In Module 12, you
will learn about the efficient topology-generating and replication mechanisms
of AD DS replication. One of the characteristics of Active Directory replication
is attribute-level replication in which only changed attributes are replicated. An
Active Directory-integrated zone can leverage these benefits of Active Directory
replication, rather than replicating the entire zone file as in traditional DNS
zone transfer models.
Secure dynamic updates. An Active Directory-integrated zone can enforce
secure dynamic updates.
Granular security. As with other Active Directory objects, an Active Directory-
integrated zone allows you to delegate administration of zones, domains, and
resource records by modifying the access control list (ACL) on the object.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Appli
Key Po
An Activ
records
Dom
con
For
con
The
dur
dns
cation Partit
oints
ve Directory integ
can be stored in
mainDNSZone p
ntrollers that are D
restDNSZones pa
ntrollers that are D
ese default partiti
ring AD DS instal
scmd.exe comma
tions for DNS
grated zone store
one of several pa
artition. This par
DNS servers with
artition. This part
DNS servers in th
ions are created w
llation. You can u
and to create the p
Configuri
S Zones
es its records in th
artitions:
rtition is replicate
hin the domain.
tition is replicated
he forest.
when DNS is inst
use the DNS man
partitions after A
he AD DS databa
ed to all domain
d to all domain
talled and configu
nagement tool or t
AD DS is installed
m 10-53

ase. The
ured
the
.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Domain partition. This partition, which also contains records for objects,
users, and computers, is replicated to all domain controllers, whether or not
they are DNS servers. In Windows 2000, DNS zones were stored in the
Domain NC. If you have Windows 2000 domain controllers that are DNS
servers, use this replication option to support those systems.
Your choice of partition is primarily a matter of selecting the replication
topology you want for your DNS zones. Of course, the zone must be replicated
to a DNS server for that DNS server to be authoritative for the zone. If a DNS
server does not have a replica of the zone, it must have a forwarder or stub
zone to perform recursive queries for names in the zone.
Custom application partition. If the default application partitions do not give
you the replication model that you require to support your DNS infrastructure,
you can create a custom application partition for which you can specify which
servers will replicate the partition.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

DNS A
Key Po
You can
the follo
dnscmd
MyZone
Application
oints
n create an applic
owing example:
d NYC-DC1.conto
e.contoso.com
Partitions
cation partition by
oso.com /created
Configuri
y using the dnscm
directorypartit
md.exe command
tion
m 10-55

d, as in
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
You can change the replication scope of a zone from its properties. Click the
Change button next to Replication, as shown in this figure:

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Dynam
Key Po
By defau
server. T
through
It is the
address
the follo
Wh
Wh
con
Wh
The clie
the zon
several
mic Updates
oints
ult, Windows sys
This behavior can
h Group Policy.
DHCP Client ser
s is obtained from
owing events:
hen the client star
hen an IP address
nnection.
hen an administra
ent attempts to id
e. If the zone is n
iterations in whic
s
stems attempt to
n be modified in
rvice that perform
m a DHCP server
rts and the DHCP
s is configured, ad
ator runs ipconfig
dentify the DNS s
not an Active Dire
ch the client iden
Configuri
register their reco
the IP configurat
ms the registration
or is fixed. The re
P Client service is
dded, or changed
g /registerdns.
erver that is the p
ectory-integrated
ntifies a name serv
ords with their D
tion of the client o
n, whether the cl
egistration occur
s started.
d on any network
primary DNS serv
zone, this may re
ver, sends an upd
m 10-57

DNS
or
lient's IP
s during
k

ver for
equire
date, and
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
is refused because the name server hosts only a secondary zone. Eventually, if the
zone supports dynamic updates, the client reaches a DNS server that can write to
the zone. This is the primary server for a standard, file-based zone or any DC that is
a name server for an Active Directory-integrated zone.
If the zone is configured for secure dynamic updates, the DNS server refuses the
change. The client then authenticates and re-sends the update.
In some configurations, you may not want clients to update their records even in a
dynamic update zone. Alternatively, you can configure the DHCP server to register
the records on the clients' behalf. By default, a client registers its A (host/address)
record, and the DHCP server registers the PTR (pointer/reverse lookup) record.
PTR records are discussed in Lesson 4.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Backg
Key Po
It is pos
particul
previou
start wh
Window
start res
loaded,
ground Zone
oints
ssible for a zone t
larly if the A recor
us versions of Win
hen it had to load
ws Server 2008 lo
sponding to quer
the server works
e Loading
that supports an A
rds for clients are
ndows, it took a l
d a large zone.
oads zones in the
ries very quickly.
s to load that zon
Configuri
AD DS domain to
e maintained in a
long time for the
e background, all
If a query is sent
ne.
o be quite large,
a large domain. In
DNS Server servi
owing the DNS s
t for a zone that is
m 10-59

n the
ice to
server to
s not yet
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-60 Configuring
Servic
Key Po
A Servic
allowing
SRV rec
Wh
Wh
Wh
Wh
Wh
An SRV
protoc
An exam
ce Locator Re
oints
ce Locator (SRV)
g a client to locat
cords are used in
hen a domain con
hen a client comp
hen a user change
hen an Microsoft
hen an administra
V record follows th
col.service.nam
mple of an SRV re
ecords
resource record
te a host that prov
the following an
ntroller needs to r
puter needs to aut
es the password
Exchange server
ator opens Active
he syntax shown
me TTL class ty
ecord is shown h
resolves a query
vides a specific se
d many other sce
replicate changes
thenticate to AD
performs a direc
e Directory Users
n here:
ype priority w
here:
Services
for a network ser
ervice.
enarios:
s from its partner
DS
ctory lookup
and Computers
weight port ta

rvice,
rs

arget
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
_ldap._tcp.contoso.com 600 IN SRV 0 100 389 NYC-DC1.contoso.com
The components of the record are:
The protocol service name, such as the LDAP service, offered by a domain
controller.
The time-to-live value, in seconds.
The class (all records in a Windows DNS server will be IN or INternet).
The type: SRV.
The priority and weight, which help clients determine which host should be
preferred.
The port on which the service is offered by the server. Port 389 is the standard
port for LDAP on a Windows DC.
The target, or host of the service, which in this case is the domain controller
named NYC-DC1.contoso.com.

When a client process looks for a domain controller, it can query DNS for an LDAP
service. The query returns both the SRV record and the A record for the server(s)
that provide the requested service.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-62 Configuring
Demo
Doma
Key Po
In this d
controll
Use

Sim
ns
se
_l
onstration: S
ain Controlle
oints
demonstration, y
ler in the contoso
e DNS Manager t
tcp.contoso.com
tcp.siteName._s
covering a speci
msdcs.contoso.c
used by DCs to
mulate a client qu
slookup
et type=srv
ldap._tcp.conto
RV Resource
ers
ou will see the SR
o.com forest. You
to see the service
m, which lists all d
sites.contoso.com
ific site
com, which track
locate each other
ery for a domain
so.com
e Records Re
RV records regist
u will:
locator records r
domain controlle
m, which lists dom
ks the domain con
r
controller.
Services
egistered by
tered by a domain
registered in.
ers in the domain
main controllers t
ntrollers in a fore
AD DS

n
n
that are
est and is
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Learn how domain controllers register their resource records in a dynamic
update zone. Delete an SRV record, and then stop and restart the NetLogon
service. The NetLogon service registers DC records at startup.
View the %systemroot%\system32\config\netlogon.dns file, which contains
the records that must be registered manually if the zone does not support
dynamic updates.

Demonstration Steps
1. Run DNS Management with administrative credentials using the account
Pat.Coleman_Admin with the password Pa$$w0rd then in the console tree,
expand NYC-DC1, Forward Lookup Zones, and contoso.com, and then click
the _tcp node. Examine the SRV records.
2. In the console tree, expand NYC-DC1, Forward Lookup Zones, contoso.com,
_sites, BRANCHA, and then click the _tcp node. Examine the SRV records.
3. Run Command Prompt with the administrative credentials used earlier.
4. Type nslookup and then press Enter.
5. Type set type=srv, and then press Enter.
6. Type _ldap._tcp.contoso.com,,and then press Enter.
7. Switch to DNS Manager.
8. Expand NYC-DC1, Forward Lookup Zones, and contoso.com, and then click
the _tcp node.
9. Right-click the SRV records for NYC-DC1.contoso.com, and then click Delete.
10. Stop and start the netlogon service.
11. In the DNS console tree, right-click the _tcp node, and then click Refresh.
Examine the SRV records for NYC-DC1.contoso.com.
12. Open %systemroot%\system32\config\netlogon.dns file in notepad
13. Examine the default SRV records.
If the virtual machines are not already started, perform these steps.
1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.
2. Open D:\Labfiles\Lab10b.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
3. Run Lab10b_Setup.bat with administrative credentials. Use the account
Pat.Coleman_Admin with the password Pa$$w0rd. The lab setup script runs.
When it is complete, press any key to continue.
4. Close the Windows Explorer window, Lab10b.
5. Start 6425C-NYC-DC2.
7. Start 6425C-BRANCHDC02. Do not log on. Wait for BRANCHDC02 to complete
startup before continuing.
When all the virtual machines are ready, perform the following steps
1. On 6425C-NYC-DC1, run DNS Management with administrative credentials. Use
the account Pat.Coleman_Admin with the password Pa$$w0rd.
2. In the console tree, expand NYC-DC1, Forward Lookup Zones, and contoso.com,
and then click the _tcp node. Examine the SRV records.
3. In the console tree, expand NYC-DC1, Forward Lookup Zones, contoso.com,
_sites, BRANCHA, and then click the _tcp node. Examine the SRV records.
4. Run Command Prompt with administrative credentials. Use the account
5. Type nslookup and then press Enter.
6. Type set type=srv,and then press Enter.
7. Type _ldap._tcp.contoso.com,and then press Enter. Type Exit and then press
ENTER.
9. In the console tree, expand NYC-DC1, Forward Lookup Zones, and contoso.com,
and then click the _tcp node.
10. Right-click the SRV records for NYC-DC1.contoso.com, and then click Delete.
11 Switch to Command Prompt.
12. Type net stop netlogon and then press Enter.
13. Type net start netlogon and then press Enter.
15. In the console tree, right-click the _tcp node, and then click Refresh. Examine the
SRV records for NYC-DC1.contoso.com.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
16. Click Start, and in the Start Search box, type notepad.exe.
Note: You should run this with administrative credentials to open the netlogon file in the
next step.
17. Click File, click Open, type %systemroot%\system32\config\netlogon.dns in
the File Name box, and then press Enter.
18. Examine the default SRV records.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-66 Configuring
Doma
Key Po
When a
client h
retrieve
LDAP b
Note th
respond
The clie
controll
about si
the clien
The clie
a list of
LDAP b
proceed
ain Controlle
oints
a client authentica
as not authentica
s a list of all dom
bind with each, an
hat, at this point, i
ds first.
ent then attempts
ler examines the
ites and subnets.
nt what site the c
ent then queries D
domain controlle
bind with each, an
ds to authenticate
er Location
ates, it attempts t
ated before, it que
main controllers in
nd the first DC to
it is possible that
s to authenticate w
client's IP addres
If the domain co
client is in.
DNS for _ldap._tc
ers that are cover
nd the first one to
e with that domai
to locate a domain
eries _ldap._tcp.d
n the domain. Th
o respond is selec
a domain contro
with the domain
ss and compares
ontroller is not in
cp.siteName. dom
ring that site. Aga
o respond is selec
in controller.
Services
n controller in its
domainName, an
he client attempts
cted for the next s
oller in another si
controller. The d
it with the inform
the client's site, i
mainName, which
ain, the client atte
cted. The client th

s site. If a
d
an
step.
ite
domain
mation
it tells
h returns
empts an
hen
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

The clie
the dom
needs to
that dom
the regi
The pro
Domain
how SR
authent
ent stores its site m
main controller w
o contact a doma
main controller is
stry and queries
ocess is summariz
n controller locati
RV records and th
tication to an effic
membership in th
with which it is au
ain controller, it s
s not available, th
for _ldap._tcp.sit
zed in the slide b
ion will be revisit
he domain contro
cient domain con
Configuri
he registry, and it
thenticated. The
starts with its affin
he client retrieves
teName.domainN
elow:
ted in Module 12
oller location proc
ntroller.
t forms an affinity
next time the clie
nity domain cont
s its site informati
Name.
2, where you will
cess serve to loca
m 10-67
y with
ent
troller. If
ion from

learn
alize
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-68 Configuring
Read-
Key Po
A DNS s
zones th
the ROD
Of cour
Director
and dyn
Dynami
when th
include
the ROD
controll
replicat
record f
replicati
-Only DNS Z
oints
server on a Read-
hat are replicated
DC as their DNS
rse, a key characte
ry, so resource re
namic updates ar
ic updates are ser
hey attempt to sen
the client's upda
DC tracks the clie
ler to which the c
e single object (R
for the client from
ion mechanisms.
Zones
-Only Domain Co
d to the RODC an
server.
eristic of an ROD
ecords cannot be
e not accepted fr
rviced by referrin
nd an update to a
ated resource reco
ent that attempte
client was referred
RSO) operation in
m the writable do
.
ontroller (RODC
nd can resolve qu
DC is that it canno
added manually
om clients.
ng clients to a wri
an RODC. It is us
ord in the zone a
ed the update, and
d. After a short w
n which it retrieve
omain controller,
Services
) can be authorit
ueries for clients t
ot make changes
to the zone on a
iteable domain co
seful for the ROD
s quickly as poss
d the writable do
wait, the RODC pe
es the updated D
bypassing standa

ative for
that use
to Active
n RODC,
ontroller
DC to
sible, so
omain
erforms a
DNS
ard
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lesson 4
Advance
Administ
You've l
support
configu
Object
After co
Un
Con
Aud
Des
ed DNS C
tration
learned how to co
ts AD DS. In this
ration and admin
tives
ompleting this les
derstand and con
nfigure advanced
dit, maintain, and
scribe DNS enhan
onfigurat
onfigure a simple
module, you will
nistration.
sson, you will be a
nfigure single-lab
d DNS server setti
d troubleshoot th
ncements in Win
Configuri
tion and
e DNS implemen
l explore selected
able to:
el name resolutio
ings.
he DNS server rol
ndows Server 200
tation and how D
d topics of advanc
on.
e.
08 R2
m 10-69

DNS
ced DNS

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-70 Configuring
Resolv
Key Po
In the n
to a hos
and bro
It is imp
single-la
First, th
DNS do
of the tw
TCP/IP
ving Single-
oints
normal course of
st by a single-labe
owse to http://leg
portant that you u
abel name.
he client tries to re
omain suffix to th
wo following opti
Settings of a con
Label Names
operations, a use
el name. For exam
galapp.
understand how
esolve the name a
he single-label nam
ions, the first of w
nnection and the
s
er or application m
mple, a user may
the DNS Client s
as a fully qualifie
me. The suffix is
which is configur
second by using
Services
may want or need
open Internet Ex
service works to r
d name by appen
determined by u
red in the Advanc
Group Policy.

d to refer
xplorer
resolve a
nding a
sing one
ced
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The DNS domain suffixes appended by the client are:
The client's network connection DNS suffix. The client appends the suffix of
its DNS connection, such as ad.contoso.com. If you can use the connection-
based suffix, you can configure a client to use domain name devolution, which
means that if the connection suffix fails, the client retries with the parent
domain name, which would be contoso.com in this example. The devolution
stops at that pointit does not query by using a top-level domain name.

DNS suffix search order. You can specify the DNS suffixes that a client should
try. This is easiest to manage by using Group Policy. If DNS suffix search order
is used, there is no devolution. You must specify exactly the domain names
you want the client to try.

If the DNS suffix does not result in a resolution, the DNS client gives up and
queries DNS with a single-label name. If this does not work, NetBIOS name
resolution is attempted, which starts with a query to a Windows Internet Name
Service (WINS) server and, if that fails, resorts to a NetBIOS broadcast on the local
segment.
The DNS client does not have much time in which to resolve the name. In fact,
after 12 seconds, the resolution fails, at which point it is up to the client application
to determine what steps to take. This means that it's possible that the client will
time out before all name combinations are queried.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Windows Server 2008 DNS Server provides a new option to support the resolution
of single-label names: the GlobalNames zone. The GlobalNames zone is a
specialized zone that you create on your DNS servers. Typically, you would want it
to be replicated in the ForestDNSZones partition so that it is available to all DNS
servers in the forest. The zone contains CNAME records with a single-label names
and their resolution to fully qualified domain names.
When a client submits a single-label query, the DNS server can resolve the query
by retrieving the CNAME record from the GlobalNames zone and then looking up
the appropriate A record for the FQDN.
To use GlobalNames, you must create the GlobalNames zone, and then enable its
use in resolution by using the dnscmd.exe command. Details are available in the
article listed under Additional Reading.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Resolv
Key Po
There a
domain
Sec
hos
per
opt
For
serv
serv
If y
mai
aga
Roo
nam
Win
ve Names O
oints
re several ways to
nrecords for whi
condary zone. Th
sting a secondary
rform a zone tran
tion that is availab
rwarders. Forwar
vers, DNS servers
ver can perform q
ou choose to poi
intain, it is best to
ainst a third-party
ot hints. Root hin
mespace ("."). The
ndows Update, th
utside Your
o provide resolut
ich your DNS ser
e first option is to
y zone of the exte
nsfer from a name
ble for you to use
ders, detailed in
s provided by you
queries against se
nt to a DNS serve
o ask permission
y DNS server.
nts point to name
e DNS server has
hough the list do
Configuri
Domain
tion for DNS reco
rvers are not auth
o make the server
rnal domain. Thi
e server in the zon
e for domains out
Lesson 2, are poi
ur ISP, or Interne
ervers listed as fo
er other than one
n before performin
e servers for the ro
a list of root serv
oes not change oft
ords outside of yo
horitative.
rs authoritative b
is requires permis
ne, so it is typical
tside of your ente
inters to upstream
et DNS servers. Y
orwarders.
e which you or yo
ng recursive quer
oot of the DNS
vers that is updat
ten.
m 10-73

our
by
ssion to
lly not an
erprise.
m DNS
our DNS
our ISP
ries
ted by
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Conditional forwarders. Conditional forwarders point to name servers against
which to query for specific domain names. A conditional forwarder creates a
direct shortcut to a server to query for a domain and bypasses the need to
recursively query a (nonconditional) forwarder or to go to the root of the DNS
namespace with a root hint.
Stub zone. You learned about stub domains earlier in this module, because
they can be used as a form of delegation for a child domain. Stub domains can
also be very useful for resolving names outside your enterprise. Remember
that the key benefit of a stub domain is that the DNS server dynamically
maintains the list of name servers for the domain. You can think of a stub zone
as a dynamic conditional forwarder. The "cost" is that TCP port 53 must be
open to all name servers of the domain.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Rever
Key Po
Wherea
lookup
A fully q
to most
first oct
submit
and app
So, if a c
10.0.1.3
rse Lookup Z
oints
as a typical DNS q
requests a host n
qualified name is
t specific (such as
tet is the most gen
a DNS query with
pends a reserved
client wants to kn
34, it queries for 3
Zone
query requests an
name for a given I
processed right
s technet). But an
neric, and the las
h an IP address, t
domain name, in
now the host nam
34.1.0.10.in-add
Configuri
n IP address for a
IP address.
to left, from mos
n IP address is mo
t octet is the mos
the client reverse
n-addr.arpa.
me for the compu
dr.arpa.
a host name, a rev
t generic (such as
ore generic on th
st specific. Theref
es the order of the
uter with the IP ad
m 10-75

verse
s .com)
e leftthe
fore, to
e octets
ddress
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
If you recall the domain name system hierarchy, you'll remember that the root is
indicated by a ".", and below it are the most "generic" domains-the top-level
domains. As you navigate down the hierarchy, you get more specific. The in-
addr.arpa domain is the top-level domain for reverse lookups. Below it are domains
for each octet of IP addresses. This suggests that DNS supports only standard
subnet masks, where the subnet mask for an octet is either 0 or 255. Although this
is true on the Internet as a whole, Windows Server 2008 DNS Server allows you to
create subnetted reverse lookup zones if you require them.
Like forward lookup zones, reverse lookup zones have resource records. The most
typical resource record in a reverse lookup zone is the Pointer (PTR) record, with
the name set to the value of the last octet of a host's IP address and the data of the
record as the host's fully qualified domain name.
Also like forward lookup zones, reverse lookup zones support dynamic updates.
By default, when Windows DHCP Server assigns an IP address to a client, the
DHCP server registers the PTR record for the client.
Reverse lookup zones are not required, but they are recommended. Some
applications and services use reverse lookups as a security check to validate the
identity of a request from a client. The application can use the IP address of the
client to look up its PTR record, and then can validate that the A record for the
host matches. If secure updates are in place, it ensures that the request is from the
correct client.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

DNS S
Key Po
The DN
configu
process
records
scenario
remove
You can
integrat
and scav
zones, w
a zone-b
For stan
After yo
you mu
configu
Server and Z
oints
NS Server role is fa
re in a zone that
s of deleting aged
, but also for SRV
os, it's possible to
d domain contro
n implement scav
ted zones. The se
venging properti
which inherit the
by-zone basis by u
ndard primary zo
ou've specified the
ust actually perfor
ring the server fo
Zone Mainten
fairly self-maintain
supports dynami
records. It is imp
V records register
o have SRV record
ollers. Scavenging
venging at the ser
rver's Properties
ies, which act as t
server properties
using the zone's
ones, you must se
e time limits after
rm the scavengin
or automatic scav
Configuri
nance
ning; however, on
ic updates: scave
portant not only
red by domain co
ds that refer to in
g ensures that the
rver or zone level
dialog box allow
the default for Ac
s. You can overrid
Properties dialog
et scavenging at th
r which scavengin
g. This is most ea
venging, which ca
ne feature is impo
nging. Scavengin
for client and ser
ontrollers. In certa
ncorrect, moved, o
ey are eventually r
for Active Direct
ws you to set serve
ctive Directory-int
de the server defa
g box.
he zone level.
ng of records is a
asily managed by
an be done on the
m 10-77

ortant to
ng is the
rver A
ain
or
removed.
tory-
er aging
tegrated
aults on
allowed,
y
e
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Advanced tab of the server's Properties dialog box. You can also manually initiate
scavenging by right-clicking the server in the DNS Manager snap-in.
Another server maintenance task that you may need to perform is viewing or
flushing the cache. This is useful when you discover that clients are obtaining
incorrect resolutions from a server for zones for which it is not authoritative. You
can view the Cached Lookups of a server by clicking the View menu in the DNS
Manager snap-in and clicking Advanced Features. You can then clear the server
cache, if necessary, by right-clicking the server node or the Cached Lookups node
in the console tree.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Test a
Key Po
DNS ev
Manage
you can
Module
on a cen
Occasio
transact
Also in
iterative
root hin
The inte
/test:DN
integrat
specific
and Troubles
oints
vents are logged in
er, and Event Man
n centralize the co
e 13. This is a reco
ntral location for
onally, it may be u
tions. You can en
the server's Prop
e queries to ensur
nts are working a
egration between
NS command per
tion is working. Y
problem. Type d
shoot DNS S
n the DNS log, w
nager. As with oth
ollection of event
ommended pract
signs of trouble i
useful to perform
nable debug loggi
erties dialog box
re that stub zone
s expected.
n DNS and AD DS
rforms an exhaus
You can perform a
dcdiag.exe /? for
Configuri
erver and Cl
which is displayed
her event logs in
s by using subscr
tice, because it all
in your DNS infr
m debug logging, w
ing in the server's
, you can perform
s, conditional for
S was detailed in
stive series of test
a more granular t
more details.
ient
d in DNS Manage
Windows Server
riptions as detaile
lows you to keep
astructure.
which logs detail
s Properties dialo
m test recursive an
rwarders, forward
Lesson 3. The dc
ts to ensure that t
test if you suspec
m 10-79

er, Server
r 2008,
ed in
p an eye
ls of DNS
og box.
nd
ders, and
cdiag.exe
this
ct a
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
DNS and the DNS Server role are all about resolving client queries. Sometimes, you
need to troubleshoot the client-side experience and components of DNS.
You can use the following commands to troubleshoot the client side of DNS.
ipconfig /all. This command displays the IP configuration of the client,
including its DNS servers. Make sure that the client is using the correct servers,
and that those servers are accessible.
NSLookup. This performs DNS queries directly. A typical test with NSLookup
includes:
set server=IP address
The preceding query specifies the DNS server to query. The default is the
primary DNS server of the client. When a response is received, NSLookup
identifies the server that returned the response. If a reverse lookup zone is not
available with a PTR record containing the IP address of the DNS server, the
DNS server's name will display as Unknown, but its IP address will be
identified. The next line is:
set type=record type
This line sets the type of record to query, such as SRV. The default is an
address/host (A) record. The last line is:
record
This specifies the record to query, which is typically a fully qualified domain
name when the resolution of an A record is being tested.
ipconfig /displaydns. This command shows the contents of the DNS resolver
cache on the client.
ipconfig /flushdns. This purges the client's DNS resolver cache.
ipconfig /registerdns. This command triggers a dynamic update in which the
client registers its A records.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

DNS E
Key Po
Window
enhance
service.
DNS Se
As DNS
securing
is often
are hard
DNS Se
the zon
receives
for. A re
pair and
with. To
the sign
Enhancemen
oints
ws Server 2008 R
ements provide a
ecurity Extensi
S security threats
g the DNS is criti
subject to man-in
d to defend again
ecurity Extension
e to be cryptogra
s a query, it return
esolver or anothe
d validate that the
o do so, the resolv
ned zone, or for a
nts in Windo
R2 provides sever
additional securit
ions
become more top
ical to securing en
n-the-middle, spo
nst.
s (DNSSEC) allow
aphically signed. W
ns the digital sign
er server can obta
e responses are a
ver or server mus
a parent of the sig
Configuri
ows Server 20
al enhancements
ty and functionali
pical, it is import
nterprise network
oofing, and cache
ws for a DNS zon
When a DNS serv
natures in additio
ain the public key
authentic and hav
st be configured w
gned zone.
008 R2
s to DNS. These
ity for this impor
ant to realize tha
ks and the Intern
e-poisoning attack
ne and all the rec
ver hosting a sign
on to the records
y of the public/pr
ve not been tamp
with a trust anch
m 10-81

rtant
at
net. DNS
ks that
cords in
ned zone
queried
ivate key
ered
hor for
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The DNSSEC implementation in Windows Server 2008 R2 DNS server provides
the ability to sign both file-backed and Active Directoryintegrated zones through
an offline zone signing tool. This signed zone will then replicate or zone transfer to
other authoritative DNS servers. When configured with a trust anchor, a DNS
server is capable of performing DNSSEC validation on responses received on
behalf of the client.
The DNS client in Windows Server 2008 R2 and Windows 7 is a nonvalidating
security-aware stub resolver. This means that the DNS client will offload the
validation responsibilities to its local DNS server, but the client is capable of
consuming DNSSEC responses. The DNS clients behavior is controlled by a policy
that determines whether the client should check for validation results for names
within a given namespace. The client will return the results of the query to the
application only if validation has been successfully performed by the server.
DNS Devolution
Devolution is a behavior in Active Directory environments that allows client
computers that are members of a child namespace to access resources in the parent
namespace without the need to explicitly provide the fully qualified domain name
(FQDN) of the resource.
With devolution, the DNS resolver creates new FQDNs by appending the single-
label, unqualified domain name with the parent suffix of the primary DNS suffix
name, and the parent of that suffix, and so on, stopping if the name is successfully
resolved or at a level determined by devolution settings. Devolution works by
removing the left-most label and continuing to get to the parent suffix.
For example, if the primary DNS suffix is central.contoso.com and devolution is
enabled with a devolution level of two, an application attempting to query the host
name emailsrv7 will attempt to resolve emailsrv7.central.contoso.com and
emailsrv7.contoso.com. If the devolution level is three, an attempt will be made to
resolve emailsrv7.central.contoso.com, but not emailsrv7.contoso.com.
The DNS client in Windows Server 2008 R2 and Windows 7 introduces the
concept of a devolution level, which provides control of the label where devolution
will terminate. Previously, the effective devolution level was two. An administrator
can now specify the devolution level, allowing for precise control of the
organizational boundary in an Active Directory domain when clients attempt to
resolve resources within the domain. This update to DNS devolution is also
available for previous versions of Microsoft Windows
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
DNS Cache Locking
Cache locking is a new feature available if your DNS server is running Windows
Server 2008 R2. When you enable cache locking, the DNS server will not allow
cached records to be overwritten for the duration of the TTL value. Cache locking
provides for enhanced security against cache poisoning attacks. You can also
customize the settings used for cache locking.
When a recursive DNS server responds to a query, it will cache the results obtained
so that it can respond quickly if it receives another query requesting the same
information. The period of time the DNS server will keep information in its cache
is determined by the TTL value for a resource record. Until the TTL period expires,
information in the cache might be overwritten if updated information about that
resource record is received. If an attacker successfully overwrites information in the
cache, they might be able to redirect traffic on your network to a malicious site.
Cache locking is configured as a percent value. For example, if the cache locking
value is set to 50, the DNS server will not overwrite a cached entry for half of the
duration of the TTL. By default, the cache locking percent value is 100. This means
that cached entries will not be overwritten for the entire duration of the TTL. The
cache locking value is stored in the CacheLockingPercent registry key located in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameter
s. If the registry key is not present, the DNS server will use the default cache
locking value of 100.
DNS Socket Pool
The socket pool enables a DNS server to use source port randomization when
issuing DNS queries. This provides enhanced security against cache poisoning
attacks.
A DNS server running Windows Server 2008 R2 or a server that has installed
security update MS08-037, will use source port randomization to protect against
DNS cache poisoning attacks. With source port randomization, the DNS server will
randomly pick a source port from a pool of available sockets that it opens when
the service starts.
Instead of using a predicable source port when issuing queries, the DNS server
uses a random port number selected from this pool, known as the socket pool. The
socket pool makes cache poisoning attacks more difficult because an attacker must
correctly guess the source port of a DNS query in addition to a random transaction
ID to successfully execute the attack.
The default size of the socket pool is 2,500. When you configure the socket pool,
you can choose a size value from 0 to 10000. The larger the value, the greater
protection you will have against DNS spoofing attacks. If you configure a socket
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
pool size of zero, the DNS server will use a single socket for remote DNS queries. If
the DNS server is running Windows Server 2008 R2, you can also configure a
socket pool exclusion list.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lab B: Ad
Some o
complet
2 in Lab
Lab B.
1. On
clic
2. In H
clic
3. In t
4. Log

dvanced
f the virtual mach
ting Lab A. Howe
b A before contin
the host comput
ck Hyper-V Mana
Hyper-V Manage
ck Start.
the Actions pane,
g on by using the
User name: Pat.
Password: Pa$$
Domain: Conto
Configur
hines should alre
ever, if they are n
nuing because the
ager.
er, click 6425C-N
click Connect. W
e following creden
.Coleman
$w0rd
so
Configuri
ration of
eady be started an
ot, you should go
ere are dependenc
oint to Administr
NYC-DC1, and in
Wait until the virt
ntials:
DNS
nd available after
o through Exercis
cies between Lab
rative Tools, and
n the Actions pane
tual machine star
m 10-85

ses 1 and
b A and
d then
e,
rts.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
5. Open Windows Explorer and then browse to D:\Labfiles\Lab10b.
6. Run Lab10b_Setup.bat with administrative credentials. Use the account
Administrator with the password Pa$$w0rd.
8. Close the Windows Explorer window, Lab10b.
4. Repeat steps 2 and 3 for 6425C-NYC-DC2.
5. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso
6. Repeat steps 2 and 3 for 6425C-TST-DC1.
7. Log on by using the following credentials:
User name: Sara.Davis
Password: Pa$$w0rd
8. Repeat steps 2 and 3 for 6425C-BRANCHDC02. Do not log on to
BRANCHDC02.

Lab Scenario
You are the DNS administrator at Contoso, Ltd. You want to improve the health
and efficiency of your DNS infrastructure by enabling scavenging and creating a
reverse lookup zone for the domain. You also want to examine the records that
enable clients to locate domain controllers. Finally, you are asked to configure
name resolution between contoso.com and the domain of a partner company,
tailspintoys.com.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 1: Enable Scavenging of DNS Zones
In this exercise, you will enable scavenging of DNS zones to remove stale resource
records.
1. Enable scavenging of a DNS zone.
2. Configure default scavenging settings.

Task 1: Enable scavenging of a DNS zone
1. On NYC-DC2, run DNS Manager as an administrator, with the user name
2. Enable scavenging for the contoso.com zone. Accept the defaults for
scavenging-related intervals.

Task 2: Configure default scavenging settings
Configure NYC-DC2 so that, by default, scavenging is enabled for all zones.
Accept the defaults for scavenging-related intervals.

Results: In this exercise, you configured scavenging of the contoso.com domain and
enabled scavenging as the default for all zones.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 2: Create Reverse Lookup Zones
In this exercise, you will create a reverse lookup zone for the contoso.com domain.
1. Create a reverse lookup zone.
2. Explore and verify the functionality of a reverse lookup zone.

Task 1: Create a reverse lookup zone
Create a reverse lookup zone for IPv4 network 10. Allow only secure dynamic
updates and replicate the zone to all domain controllers in the contoso.com
domain.

Note: In a production environment, you would most likely replicate to all DNS servers.
However, for the purposes of our lab, we will replicate to all domain controllers to ensure
quick and guaranteed replication.
Task 2: Explore and verify the functionality of a reverse lookup zone
1. Run the command prompt as an administrator, with the user name
2. Type nslookup www.development.contoso.com,and then press Enter.
Note that the first section of the command output, which identifies the DNS
server that was queried, indicates the IP address of the server but, next to
Server, reports that the server is Unknown. That is because the nslookup.exe
command cannot resolve the IP address to a name.
4. In the console tree, click the 10.in-addr.arpa zone under Reverse Lookup
Zones.
5. Examine the records in the zone.
6. Switch to the command prompt.
7. Type ipconfig /registerdns, and then press Enter.
9. Right-click the 10.in-addr.arpa zone, and then click Refresh.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10. Examine the resource records that have appeared.
11. Switch to the command prompt.
12. Type nslookup www.development.contoso.com,and then press Enter.
Note that the DNS server that was queried at 10.0.0.11 is now resolved to its
name.

Results: In this exercise, you created and experienced the functionality of a reverse
lookup zone.

Exercise 3: Explore Domain Controller Location
In this exercise, you will examine the resource records that allow clients to locate
domain controllers.
1. Explore _tcp.
2. Explore _tcp.brancha._sites.contoso.com.

Task 1: Explore _tcp
Examine the records in _tcp.contoso.com. What do the records represent?

Task 2: Explore _tcp.brancha._sites.contoso.com
Examine the records in _tcp.brancha._sites.contoso.com. What do the records
represent?

Results: In this exercise, you examined the SRV records in the contoso.com domain.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 4: Configure Name Resolution for External
Domains
In this exercise, you will configure name resolution between two completely
separate domains.
1. Configure a stub zone.
2. Configure a conditional forwarder.
3. Validate name resolution for external domains.

Task 1: Configure a stub zone
On NYC-DC2, create a stub zone for tailspintoys.com that refers to the IPv4
address 10.0.0.31 as the master server.

Task 2: Configure a conditional forwarder
1. On TST-DC1, run DNS Management as an administrator, with the user name
Sara.Davis_Admin and the password Pa$$w0rd.
2. Create a conditional forwarder for contoso.com that forwards to the IPv4
address 10.0.0.10.

Task 3: Validate name resolution for external domains
1. On TST-DC1, open a command prompt and type nslookup
www.development.contoso.com, and then press Enter. The command should
return the address 10.0.0.24.
2. Switch to DNS Manager and create a host (A) record for www.tailspintoys.com
that resolves to 10.0.0.143.
3. On NYC-DC2, open a command prompt and type nslookup
www.tailspintoys.com, and then press Enter. The command should return
the address 10.0.0.143.

Results: In this exercise, you configured DNS name resolution between the
contoso.com and tailspintoys.com domains.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
click Revert.
4. Repeat these steps for 6425C-NYC-DC2, 6425C-TST-DC1, and 6425C-
BRANCHDC02.
Question: In this lab, you used a stub zone and a conditional forwarder to provide
name resolution between two distinct domains. What other options you could
have used?

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
10-92 Configuring
Module
Review
Questio
advanta
would p
Questio
your cu
What m
Questio
Questio
automa
to do th
Comm
Issue
Client c
Review a
w Questions
on: You are cond
ages of using Win
point out when d
on: You are deplo
ustomer requires t
must you consider
on: What is the d
on: You must aut
te the deploymen
his?
mon Issues Rela
can sometimes cac
and Takea
ducting a presenta
ndows Server 200
discussing the Wi
oying DNS server
that the infrastru
r while planning
difference between
tomate a DNS ser
nt of Windows Se
ated to DNS
Tro
che invalid
aways
ation for a potent
08 R2. What are t
ndows Server 20
rs into an Active D
cture is resistant
the DNS configu
n recursive and it
rver configuration
erver 2008. Whic
oubleshooting tip

Services
tial client about th
the new features
008 R2 DNS serve
Directory domain
to single points o
uration?
terative queries?
n process so that
ch DNS tool can y

he
that you
er role?
n, and
of failure.
you can
you use
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
DNS records
Zone transfer is not working Ensure that the server trying to transfer the
zone is permitted in the primary zone
configuration

Use Performance Monitor to identify the load
on the server that DNS requests generate. It
may be necessary to split the load or create
additional subzones.

Real-World Issues and Scenarios
Reverse DNS zones
Typically, administrators do not create reverse DNS zones in their DNS
infrastructure. This will not cause any obvious issues at first. However, many
applications use reverse DNS to resolve name information about hosts on
which they are running.
Some applications require that a reverse zone and pointer resource records are
defined. Many email security devices and software routinely check for a reverse
DNS record for the IP address communicating with it.
DNS and Active Directory trusts
When creating trusts between two Active Directory domains, the ability for
domain A to lookup records in domain B (and vice versa) is tied to the
configuration of the DNS infrastructure. Active Directory domains are
accessible rarely on the Internet. Therefore, you need conditional forwarders,
stub zones, or secondary zones to replicate the DNS infrastructure across
domains and forests.
Secure zones against zone dumping
By default, zone transfers are disabled in Windows Server 2008. When
configuring zone transfers, it is a best practice to specify the IP address of the
servers to which you want to transfer zone data. Do not select the Allow zone
transfer to Any Server, especially if the server is on the Internet. With this
option enabled, it is possible to dump the entire zone, which can provide a
significant amount of information about the network to possible attackers.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Best Practices Related to DNS

If you are using Active Directory, use directory-integrated storage for your DNS
zones. This offers increased security, fault tolerance, and simplified
deployment and management.
Disable recursion for servers that do not answer client queries or communicate
by using forwarders. As DNS servers communicate amongst themselves by
using iterative queries, this ensures that the server responds only to queries
that are intended for it.
Consider the use of secondary zones to assist in off-loading DNS query traffic
wherever appropriate.
Enter the correct email address of the responsible person for each zone you
add to, or manage on, a DNS server. Applications use this field to notify DNS
administrators for a variety of reasons. For example, query errors, incorrect
data returned in a query, and security problems are a few ways in which this
field can be used. Although most Internet email addresses contain the
@symbol to represent the word at in email, this symbol must be replaced
with a period (.) when entering an email address for this field. For example,
instead of administrator@microsoft.com, you would use
administrator.microsoft.com.

Tools
DNS Management
Console
DNS administration and management
Nslookup Use to perform query testing of the
DNS domain namespace.

Dnscmd Use this command-line interface to
manage DNS servers. This utility is
useful in scripting batch files to help
automate routine DNS management
tasks or to perform simple unattended
setup and configuration of new DNS
servers on your network.

Ipconfig Use this command to view and modify
IP configuration details that the

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
computer uses. This utility includes
additional command-line options to
provide help in troubleshooting and
supporting DNS clients.
DNSlint Provides several automated tests to verify
that DNS servers and resource records are
configured properly and pointing to valid
services.
You can download this command from
Microsoft
athttp://support.microsoft.com/kb/321
045.

Windows Server 2008 R2 Features Introduced in This Module
DNS Enhancements in Windows
Server 2008 R2

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Administering AD DS Domain Controllers 11-1
Module 11
Administering AD DS Domain Controllers
Contents:
Lesson 1: Domain Controller Installation Options 11-4
Lab A: Install Domain Controllers 11-31
Lesson 2: Install a Server Core Domain Controller 11-39
Lab B: Install a Server Core Domain Controller 11-47
Lesson 3: Manage Operations Masters 11-52
Lab C: Transfer Operations Master Roles 11-71
Lesson 4: Configure DFS-R Replication of SYSVOL 11-76
Lab D: Configure DFS-R Replication of SYSVOL 11-84

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-2 Configuring
Module
Domain
perform
enterpri
compon
Group P
in SYSV
level co
will lear
domain
forest o
domain
In addit
Replicat
Distribu
and ma
Overview
n controllers host
m the services tha
ise. Until now, yo
nents of an AD D
Policy. Each of th
VOL on domain c
mponents of Acti
rn how to add W
n controllers to a f
r domain for its f
n controller, and h
tion, you will see
tion Service (FRS
uted File System R
nageable replicat
w
t the Active Direc
t support identity
ou saw how you c
S infrastructure s
hese components
controllers. In this
ive Directory, sta
Windows Server 2
forest or domain
first Windows Se
how to manage th
how to migrate t
S) used in the pre
Replication (DFS
tion.
ctory Domain Se
y and access man
can support the l
such as users, gro
is contained in t
s module, you wi
arting with the do
2008 and Window
, how to prepare
rver 2008 or Win
he roles performe
the replication of
evious versions of
S-R) mechanism t
Services
ervices (AD DS) a
nagement in a Wi
logical and mana
oups, computers,
he directory data
ill explore the ser
omain controllers
ws Server 2008 R
a Windows Serv
ndows Server 200
ed by domain con
f SYSVOL from th
f Windows to the
that provides mor

and
indows
gement
and
abase and
rvice-
s. You
R2
er 2003
08 R2
ntrollers.
he File
e
re robust
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Objectives
After completing this module, you will be able to:
Describe the various options for installing domain controllers.
Install and configure a domain controller on Server Core.
Manage the placement, transfer, and seizure of operations master roles.
Migrate SYSVOL replication from FRS to DFS-R.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-4 Configuring
Lesson 1
Domain
In Modu
Wizard
Domain
contoso
need to
provide
to add d
Active D
and una
Controlle
ule 1, Introducing
in Server Manag
n Services Installa
o.com forest. Beca
maintain at least
e a level of fault to
domain controlle
Directory forest. I
attended method
er Installa
g Active Directory D
er to install AD D
ation Wizard to c
ause domain con
t two domain con
olerance if one do
ers to remote sites
n this lesson, you
ds for installing do
ation Opt
Domain Services,
DS. Then, you use
create the first dom
ntrollers are critica
ntrollers in each d
omain controller
s or create new d
u will learn user-i
omain controller
Services
tions
you used the Add
ed the Active Dire
main controller in
al to authenticatio
domain in your fo
fails. You might a
omains or trees i
interface, comma
s in various scen

d Roles
ectory
n the
on, you
orest to
also need
in your
and-line,
arios.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Objectives
Install a domain controller using the Windows interface, dcpromo.exe
command-line parameters, or an answer file for unattended installation.
Add Windows Server 2008 or Windows Server 2008 R2 domain controllers to
a domain or forest with Windows Server 2003 and Windows 2000 Server
domain controllers.
Create new domains and trees.
Perform a staged installation of a read-only domain controller.
Install a domain controller from installation media to reduce network
replication.
Remove a domain controller.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-6 Configuring
Instal
Key Po
To use t
perform
accomp
role ins
must in
Services
Clic
Wh
Dir
Afte
to r
tho
Note: Microsof
it recom
l a Domain C
oints
the Windows int
m two major steps
plished by using t
tallation has copi
nstall and configu
s Installation Wiz
ck Start and, in th
hen you complete
ectory Domain S
er adding the AD
run the Active Dir
se links.
ft documentation f
mmends that you ad
Controller by
erface for installin
s. First, you must
the Add Roles Wi
ied the binaries r
ure AD DS by laun
zard by using one
he Start Search b
e the Add Roles W
ervices Installatio
DS role, links ap
rectory Domain S
for Windows Serve
dd the AD DS role
y Using the W
ng a domain con
t install the AD D
izard in Server M
equired for the ro
nching the Active
e of these method
box, type dcprom
Wizard, click the l
on Wizard.
ppear in Server M
Services Installati
er 2008 emphasize
e and then run Dcp
Services
Windows Int
ntroller, you need
S role, which can
Manager. After the
ole to the server,
e Directory Doma
ds:
mo, and then click
link to launch the
Manager that remi
ion Wizard. Click
es the role-based m
promo.exe (the Act
terface

to
n be
AD DS
you
ain
k OK.
e Active
ind you
k any of
model, so
tive
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Directory Domain Services Installation Wizard). However, you can simply run
Dcpromo.exe, and as a first step, the wizard detects that the AD DS binaries are not
installed and adds the AD DS role automatically.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-8 Configuring
Unatt
Key Po
You can
unatten
Server 2
values t
the New
for a ne
These o
/unatten
Alternat
The ans
followed
followin
[DCINS
NewDom
tended Insta
oints
n also add or rem
nded installation s
2008 R2 version o
to the Active Dire
wDomainDNSNa
w domain.
options can be pr
ndOption:value, su
tively, you can pr
swer file is a text
d by options and
ng file provides th
STALL]
mainDNSName=con
llation Optio
move a domain co
supported by the
of dcpromo.exe.
ectory Domain Se
me option specif
ovided at the com
uch as dcpromo /
rovide the option
file that contains
d their values in th
he NewDomainD
ntoso.com
ons and Answ
ntroller at the co
e Windows Server
Unattended insta
ervices Installation
fies a fully qualifie
mmand line by ty
/newdomaindnsn
ns in an unattende
a section headin
he option=value fo
DNSName option
Services
wer Files
mmand line by u
r 2008 and Wind
allation options p
n Wizard. For ex
ed domain name
yping dcpromo
name:contoso.co
ed installation an
ng, [DCINSTALL]
orm. For example
.

using
dows
provide
ample,
(FQDN)
m.
nswer file.
,
e, the
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The answer file is called by adding its path to the unattended parameter, as shown
in the following example:
dcpromo /unattend:"path to answer file"
The options in the answer file can be overridden by parameters on the command
line. For example, if the NewDomainDNSName option is specified in the answer
file, and the /NewDomainDNSName parameter is used on the command line, the
value on the command line takes precedence. If any required values are neither in
the answer file nor on the command line, the Active Directory Domain Services
Installation Wizard prompts for the answers, so you can use the answer file to
partially automate an installation, providing a subset of configuration values to be
used during an interactive installation.
The wizard is not available when running dcpromo.exe from the command line in
Server Core. In that case, the dcpromo.exe command returns with an error code.
For a complete list of parameters that you can specify as part of an unattended
installation of AD DS, open an elevated command prompt and type the following
command:
dcpromo /?[:operation]
In the preceding command, operation is one of the following:
Promotion returns all parameters that you can use when creating a domain
controller.
CreateDCAccount returns all parameters that you can use when creating a
prestaged account for a read-only domain controller (RODC).
UseExistingAccount returns all parameters that you can use to attach a new
domain controller to a prestaged RODC account.
Demotion returns all parameters that you can use when removing a domain
controller.

Note: When you use the Windows interface to create a domain controller, the Active Directory
Domain Services Installation Wizard gives you the option, on the Summary page, to
export your settings to an answer file. If you need to create an answer file for use from
the command linefor example, on a Server Core installationyou can use this shortcut
to create an answer file with the correct options and values.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-10 Configuring
Instal
Key Po
In Modu
in a new
detailed
running
a new fo
(DNS) n
first dom
the Acti
necessa
l a New Win
oints
ule 1, the installa
w forest by using
d steps to add the
g Dcpromo.exe to
orest root domain
name, its NetBIO
main controller c
ive Directory Dom
ary to install or co
ndows Server
ation of the first W
the Windows int
e AD DS role to a
o promote the ser
n, you must spec
OS name, and the
cannot be an ROD
main Services Ins
onfigure DNS, it d
r 2008 Forest
Windows Server 2
terface was discu
server by using S
rver to a domain
cify the forest root
forest and doma
DC and must be a
tallation Wizard
does so automatic
Services
t
2008 domain con
ssed. You learned
Server Manager a
controller. When
t domain name sy
in functional leve
a global catalog s
detects that it is
cally.

ntroller
d the
and then
n creating
ystem
els. The
server. If
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
You can also use an answer file by typing dcpromo /unattend:"path to answer file"
where the answer file contains unattended installation options and values. The
following example contains the minimum parameters for an unattended
installation of a new Windows Server 2008 domain controller in a new forest.
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=forest
NewDomainDNSName=fully qualified DNS name
DomainNetBiosName=domain NetBIOS name
ForestLevel={0=Windows 2000 Server Native;
2=Windows Server 2003 Native;
3=Windows Server 2008}
DomainLevel={0=Windows Server 2000 Native;
2=Windows Server 2003 Native;
3=Windows Server 2008}
InstallDNS=yes
DatabasePath="path to folder on a local volume"
LogPath="path to folder on a local volume"
SYSVOLPath="path to folder on a local volume"
SafeModeAdminPassword=password
RebootOnCompletion=yes
You can also specify one or more unattended installation parameters and values at
the command line. For example, if you dont want the Directory Services Restore
Mode password in the answer file, leave the entry blank and specify the
/SafeModeAdminPassword:password parameter when you run dcpromo.exe.
You can also include all options on the command line itself. The following example
creates the first domain controller in a new forest in which you dont expect to
install any Windows Server 2003 domain controllers.
dcpromo /unattend /installDNS:yes /dnsOnNetwork:yes
/replicaOrNewDomain:domain /newDomain:forest
/newDomainDnsName:contoso.com /DomainNetbiosName:contoso
/databasePath:"e:\ntds" /logPath:"f:\ntdslogs"
/sysvolpath:"g:\sysvol"
/safeModeAdminPassword:password /forestLevel:3 /domainLevel:3
/rebootOnCompletion:yes
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-12 Configuring
Prepa
Doma
Key Po
If you h
2003 or
Window
The AD
that is r
controll
include
perform
environ
Window
are an Existin
ain Controlle
oints
have an existing fo
r Windows 2000
ws Server 2008 o
Prep command i
running a version
lers in the forest o
d in the installati
ms operations tha
nment before you
ws Server.
ng Domain fo
ers
orest with domai
Server, you mus
r Windows Serve
is used to prepare
n of Windows Ser
or domain. Adpre
ion disk of each v
t must be comple
can add a domai
or Windows
n controllers run
t prepare them p
er 2008 R2 doma
e Active Directory
rver that is newer
ep.exe is a comm
version of Windo
eted in an existin
in controller that
Services
Server 2008
nning Windows S
rior to creating y
ain controller.
y for a domain co
r than the existing
mand-line tool tha
ows Server. Adpre
ng Active Director
t runs that version
8

Server
your first
ontroller
g domain
at is
ep.exe
ry
n of
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Adprep.exe has parameters that perform a variety of operations to prepare an
existing Active Directory environment for a domain controller that runs a later
version of Windows Server. Not all versions of Adprep.exe perform the same
operations. However, in general, the different types of operations that Adprep.exe
can perform include the following:
Updating the Active Directory schema
Updating security descriptors
Modifying access control lists (ACLs) on Active Directory objects and on files
in the SYSVOL shared folder
Creating new objects, as needed
Creating new containers, as needed

To prepare the forest for the first domain controller running Windows Server 2008
or Windows Server 2008 R2, follow these steps:
1. Log on to the schema master as a member of the Enterprise Admins, Schema
Admins, and Domain Admins groups.
Lesson 3 discusses operations masters and provides steps for identifying
which domain controller is the schema master.
2. Copy the contents of the \sources\adprep folder from the Windows Server
2008 DVD to a folder on the schema master.
3. Open an elevated command prompt, and change directories to the adprep
folder.
4. Type adprep /forestprep, and then press Enter.

You must allow time for the operation to complete. After the changes have
replicated throughout the forest, you can continue to prepare the domains for
Windows Server 2008.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
To prepare a domain for the first domain controller running Windows Server
2008, perform these steps:
1. Log on to the domain infrastructure operations master as a member of
Domain Admins.
Lesson 3 provides steps for identifying which domain controller is the
infrastructure operations master.
2008 DVD to a folder on the infrastructure master.
3. Open a command prompt and change directories to the adprep folder.
4. Type adprep /domainprep /gpprep, and then press Enter.

On Windows Server 2003, you might receive an error message stating that updates
were unnecessary. You can ignore this message.
Allow the change to replicate throughout the forest before you install a domain
controller that runs Windows Server 2008.
To prepare AD DS for the first RODC, follow these steps:
1. Log on to any computer as a member of the Enterprise Admins.
2008 DVD to a folder on the computer.
3. Open an elevated command prompt, and change directories to the adprep
folder.
4. Type adprep /rodcprep, and then press Enter.

You can also run adprep /rodcprep at any time in a Windows 2000 Server or
Windows Server 2003 forest. It does not have to be run in conjunction with
/forestprep. However, you must run adprep /rodcprep and allow its changes to
replicate throughout the forest prior to installing the first RODC.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Instal
Key Po
Addition
Active D
the dep
for the n
addition
remaini
location
l an Addition
oints
nal domain contr
Directory Domain
loyment configur
new domain cont
nal options such
ing steps are the s
ns and the Directo
nal Domain
rollers can be add
n Services Installa
ration, enter netw
troller, and config
as DNS Server, G
same as for the fi
ory Services Rest
Administering A
Controller in
ded by installing
ation Wizard. You
work credentials,
gure the domain
Global Catalog (G
irst domain contr
ore Mode Admin
D DS Domain Controller
n a Domain
AD DS and launc
u are prompted t
select a domain
controller with
GC), or RODC. Th
roller: configuring
nistrator password
rs 11-15

ching the
o choose
and site
he
g file
d.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
If you have one domain controller in a domain, and if you select the Use Advanced
Mode Installation check box on the Welcome to the Active Directory Domain
Services Installation Wizard page, you are able to configure the following advanced
options:
Install From Media. By default, a new domain controller replicates all data for
all directory partitions it hosts from other domain controllers during the Active
Directory Domain Services Installation Wizard. To improve the performance of
installation, particularly over slow links, you can use installation media created
by existing domain controllers. Installation media is a form of backup. The
new domain controller can read data from the installation media directly and
then replicate only updates from other domain controllers. Install From Media
(IFM) is further discussed in the Install AD DS from Media topic.
Source Domain Controller. If you want to specify the domain controller from
which the new domain controller replicates its data, you can click Use This
Specific Domain Controller.

Note: Dcpromo/adv is still supported. In Windows Server 2003, dcpromo/adv was used to
specify advanced installation options. The adv parameter is still supported; it simply
preselects the Use Advanced Mode Installation check box on the Welcome page.
To use Dcpromo.exe with command-line parameters to specify unattended
installation options, you can use the minimal parameters shown in the following
example.
dcpromo /unattend /replicaOrNewDomain:replica
/replicaDomainDNSName:contoso.com /installDNS:yes /confirmGC:yes
/safeModeAdminPassword:password /rebootOnCompletion:yes
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
If you are not logged on to the server with domain credentials, specify the
userdomain and username parameters as well. A minimal answer file for an
additional domain controller in an existing domain is as follows.
[DCINSTALL]
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=FQDN of domain to join
UserDomain=FQDN of domain of user account
UserName=DOMAIN\username (in Administrators group of the domain)
Password=password for user specified by UserName (* to prompt)
InstallDNS=yes
ConfirmGC=yes
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-18 Configuring
Instal
Key Po
If you h
Window
before y
section,
Then, in
Wizard.
and Cre
domain
cannot b
Advanc
you with
controll
Using d
shown i
l a New Win
oints
have an existing d
ws Server 2008 o
you do this, , you
, Preparing an Exi
nstall AD DS and
. On the Choose
eate a new domai
n functional level.
be an RODC, and
ed Mode Installa
h a Source Doma
ler from which to
dcpromo.exe, you
in the following c
ndows Server
domain, you can c
r Windows Serve
must run adprep
isting Domain for
launch the Activ
a Deployment Co
in in an existing f
Because it is the
d it cannot be ins
tion check box o
ain Controller pag
o replicate the con
u can create a chil
command.
r 2008 Child
create a new child
er 2008 R2 doma
p/forestprep as d
Windows Server 2
ve Directory Dom
onfiguration page
forest. You are pr
first domain con
stalled from medi
on the Welcome p
ge on which you
nfiguration and s
ld domain with th
Services
Domain
d domain by crea
ain controller. Ho
described in the e
2008 DCs.
main Services Insta
e, click Existing F
rompted to select
ntroller in the dom
ia. If you select th
page, the wizard p
specify a domain
schema partitions
he minimal optio

ating a
owever,
arlier
allation
Forest
t the
main, it
he Use
presents
n
s.
ons
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
dcpromo /unattend /installDNS:yes
/replicaOrNewDomain:domain /newDomain:child
/ParentDomainDNSName:contoso.com
/newDomainDnsName:subsidiary.contoso.com /childName:subsidiary
/DomainNetbiosName:subsidiary
/safeModeAdminPassword:password /forestLevel:3 /domainLevel:3
The following answer file reflects the same minimal parameters.
[DCINSTALL]
NewDomain=child
ParentDomainDNSName=FQDN of parent domain
UserDomain=FQDN of user specified by UserName
UserName= DOMAIN\username (has permissions to add a child domain)
Password=password for user specified by UserName or * for prompt
ChildName=single-label prefix for domain
(Child domain FQDN will be ChildName.ParentDomainDNSName)
DomainNetBiosName=Domain NetBIOS name
DomainLevel=domain functional level (not lower than current forest
level)
InstallDNS=yes
CreateDNSDelegation=yes
DNSDelegationUserName=DOMAIN\username with permissions to create
DNS delegation, if different than UserName,
above
DNSDelegationPassword=password for DNSDelegationUserName or * for
prompt
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-20 Configuring
Instal
Key Po
You lear
Active D
contigu
subsidia
Addition
the sam
tailspint
little fun
and the
domain
schema
First, yo
an Exist
run the
l a New Dom
oints
rned in Module 1
Directory forest, a
ous DNS namesp
ary.contoso.com
nal trees are simp
me namespace. Fo
toys.com domain
nctional differenc
e process for creat
n. In both cases, d
and configuratio
ou must run adpr
ting Domain for W
Active Directory
main Tree in
1, Introducing Acti
a tree is compose
pace. So, for exam
domains would b
ply additional do
or example, if Con
n would be in a se
ce between a chil
ting a new tree is
domains in the sa
on partition, as w
rep/forestprep as
Windows Server 20
Domain Services
a Forest
ive Directory Dom
d of one or more
mple, the contoso
be in a single tree
mains in the sam
ntoso, Ltd bough
eparate tree in th
d domain and a d
s, therefore, very s
ame forest share t
well as global catal
s described in the
008 DCs. Then, yo
s Installation Wiz
Services
main Services that i
e domains that sh
o.com and
e.
me forest that are n
ht Tailspin Toys, t
e domain. There
domain in anothe
similar to creating
the same Active D
log.
e earlier section, P
ou can install AD
zard.

in an
hare
not in
the
is very
er tree,
g a child
Directory
Preparing
DS and
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The following options provided as parameters to dcpromo.exe create a new tree for
the tailspintoys.com domain within the contoso.com forest.
dcpromo /unattend /installDNS:yes
/replicaOrNewDomain:domain /newDomain:tree
/newDomainDnsName:tailspintoys.com /DomainNetbiosName:tailspintoys
/safeModeAdminPassword:password /domainLevel:2
The domain functional level is configured at 2Windows Server 2003 Nativeso
the domain could include Windows Server 2003 domain controllers.
An unattended installation answer file that creates the same new tree would look
similar to the following example.
[DCINSTALL]
NewDomain=tree
NewDomainDNSName=FQDN of new domain
DomainNetBiosName=NetBIOS name of new domain
UserName= DOMAIN\username (with permissions to create a new domain)
Password=password for user specified by UserName or * for prompt
DomainLevel=domain functional level (not lower than current forest
level)
InstallDNS=yes
ConfirmGC=yes
CreateDNSDNSDelegation=yes
DNSDelegationUserName=account with permissions to create DNS
delegation
required only if different than UserName, above
DNSDelegationPassword=password for DNSDelegationUserName or * for
prompt
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-22 Configuring
Stage
Key Po
As you r
DS Dom
authent
associat
Many ti
then, sh
Using, W
of an RO
Cre
acc
RO
the
the
Atta
AD
e the Installat
oints
remember from M
main, RODCs are
tication local to th
ted with placing a
imes, there are few
hould a domain c
Windows Server
ODC. The proces
eate the account
ount for the ROD
DC are specified
RODC will be cr
next stage of the
ach the server to
DS is installed, a
tion of an RO
Module 9, Improv
designed to supp
he site while miti
a domain control
w or no IT suppo
controller be crea
2008 you can to
ss includes two st
for the RODC. A
DC in Active Dire
at this time: the n
reated, and, optio
e installation.
o the RODC acco
and the serverw
ODC
ving the Security of
port branch office
gating the securit
ller in a less well-
ort personnel in a
ted in a branch o
create a staged, o
tages:
A member of Dom
ctory. The param
name, the Active
onally, the user or
ount. After the ac
which must be a m
Services
f Authentication in
e scenarios by pro
ty and data integ
-controlled enviro
a branch office. H
office?
or delegated, inst
main Admins crea
meters related to t
Directory site in
r group that can c
ccount has been c
member of a work

n an AD
oviding
rity risks
onment.
How,
tallation
ates an
the
which
complete
created,
kgroup
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
and not the domainis joined to the domain and as an RODC attached to the
prestaged account. These steps can be the users or groups specified when the
RODC account was prestaged; these users do not require any privileged group
membership. A server can also be attached by a member of Domain Admins or
Enterprise Admins, but the ability to delegate this stage to a nonprivileged user
makes it much easier to deploy RODCs in branches without IT support. The
domain controller will replicate its data from another writable domain
controller in the domain, or you can use the IFM method discussed in the
Installing AD DS from Media section.

Creating the Prestaged Account for the RODC
To create the account for the RODC by using the Active Directory Users and
Computers snap-in, right-click the Domain Controllers OU and click Pre-Create
Read-Only Domain Controller Account. A wizard similar to the Active Directory
Domain Services Installation Wizard appears. You prompted to specify the RODC
name and site. You can also configure the password replication policy, as detailed
in Module 9, Improving the Security of Authentication in an AD DS Domain.
On the Delegation of RODC Installation and Administration page, you can specify
one security principaluser or groupthat can attach the server to the RODC
account you create. The user or group will also have local administrative rights on
the RODC after the installation. Delegate to a group rather than to a user. If you do
not specify a user or group, only members of the Domain Admins or Enterprise
Admins groups can attach the server to the account.
You can create prestaged RODC accounts by using dcpromo.exe with numerous
parameters or by creating an answer file for dcpromo.exe. The steps for doing so
are detailed at: http://go.microsoft.com/fwlink/?LinkId=168471.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-24 Configuring
Attac
Key Po
After yo
To attac
1. Ens
dom
Pro
app
be a
dcp
wiz
atta
2. Run
The
in t
oth
h a Server to
oints
ou have prestaged
ch a server to a pr
sure that the serv
main.
omote from a wor
proachwhen you
a member of a wo
promo.exe or the
zard will look in t
ach to that accoun
n dcpromo.exe /U
e wizard prompts
the domain indica
her domain contro
o a Prestaged
d the account, the
restaged RODC a
ver is a member o
rkgroup. When y
u attach an RODC
orkgroup, not of
Active Directory
the domain for th
nt.
UseExistingAccou
s for network cre
ated by the crede
oller promotion o
d RODC Acco
e server can be at
account:
of a workgroup, n
ou create an ROD
C to a prestaged a
the domain, whe
Domain Services
he existing accoun
unt:attach.
dentials and then
entials. Remaining
operations.
Services
ount
ttached to it.
not a member of t
DC by using the s
accountthe serv
en you launch
s Installation Wiz
nt with its name a
n finds the RODC
g steps are simila

the
staged
ver must
zard. The
and will
C account
ar to
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
To use an answer file, provide the following options and values.
[DCINSTALL]
ReplicaDomainDNSName=FQDN of domain to join
Password=password for user specified by UserName
InstallDNS=yes
ConfirmGC=yes
Run dcpromo with the /unattend:"answer file path and the
/UseExistingAccount:Attach options, as shown in the following example.
dcpromo /useexistingaccount:attach /unattend:"c:\rodcanswer.txt"
All the options just shown in the answer file can also be specified or overridden
directly on the command line as shown in the following example.
dcpromo /unattend /UseExistingAccount:Attach
/ReplicaDomainDNSName:contoso.com
/UserDomain:contoso.com /UserName:contoso\dan /password:*
/safeModeAdminPassword:password /rebootOnCompletion:yes
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-26 Configuring
Instal
Key Po
When y
partition
large dir
controll
AD DS m
Installin
Active D
Installat
controll
writable
the imp
Remem
controll
specify w
l AD DS from
oints
you add domain c
ns are replicated
rectory or where
ler and a writable
more efficiently b
ng from media in
Directory that can
tion Wizard as a
ler. Then, the new
e domain control
pact of replication
mber that it is not
ler, but also the S
whether to includ
m Media
controllers to a fo
to the new doma
bandwidth is con
e domain control
by using the insta
volves creating in
n be used by the A
data source for p
w domain contro
ller. So, if the inst
n to a new domain
only the director
SYSVOL. When y
de SYSVOL on th
orest, data from e
ain controller. In
nstrained betwee
ler from which to
all-from-media (IF
nstallation media
Active Directory D
populating the dir
ller replicates on
tallation media is
n controller.
y that must be re
you create your in
he installation me
Services
existing directory
an environment
en a new domain
o replicate, you ca
FM) option.
aa specialized ba
Domain Services
rectory on a new
ly updates from a
recent, you can m
eplicated to a new
nstallation media,
edia.

y
with a
an install
ackup of
domain
another
minimize
w domain
, you can
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Using IFM also allows you to control the timing of impact to your network
bandwidth. You can, for example, create installation media and transfer it to a
remote site during off hours and then create the domain controller during normal
business hours. Because the installation media is from the local site, impact to the
network is reduced, and only updates will be replicated over the link to the remote
site.
To create installation media:
1. Open an elevated command prompt on a writable domain controller, running
Windows Server 2008 or Windows Server 2008 R2.
The installation media can be used to create both writable and read-only DCs.
2. Run ntdsutil.exe.
3. At the ntdsutil prompt, type activate instance ntds, and then press Enter.
4. Type ifm, and then press Enter.
5. At the ifm: prompt, type one of the following commands, based on the type of
installation media you want to create:
create sysvol full path. Creates installation media with SYSVOL for a
writable domain controller in the folder specified by path.
create full path. Creates installation media without SYSVOL for a writable
domain controller or an Active Directory Lightweight Directory Services
(AD LDS) instance in the folder specified by path.
create sysvol rodc path. Creates installation media with SYSVOL for an
RODC in the folder specified by path.
create rodc path. Creates installation media without SYSVOL for an
RODC in the folder specified by path.

When you run the Active Directory Domain Services Installation Wizard, select the
Use Advanced Mode Installation check box, and you will be presented with the
Install From Media page later in the wizard. Select the Replicate data from media
at the following location check box. You can use the ReplicationSourcePath
installation option in an answer file or on the dcpromo.exe command line.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-28 Configuring
Remo
Key Po
You can
Director
specifyi
controll
metadat
controll
ove a Domain
oints
n remove a doma
ry Domain Servic
ng options at the
ler is removed wh
ta about the dom
ler has been remo
n Controller
in controller by u
ces Installation W
e command line o
hile it has connec
main controller so
oved.
using Dcpromo.e
Wizard or from a c
or in an answer fi
ctivity to the dom
that the director
Services
exe to launch the
command promp
ile. When a doma
main, it updates th
ry knows the dom

Active
pt,
ain
he forest
main
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
To use an answer file, provide the following options and values.
[DCINSTALL]
Password=password for user specified by UserName
AdministratorPassword=password will be assigned to local Administrator
RemoveApplicationPartitions=yes
RemoveDNSDelegation=yes
DNSDelegationUserName=DOMAIN\username with permissions to remove
DNS delegation
DNSDelegationPassword=password for the account
Run dcpromo with the /unattend:"answer file path" and the /UninstallBinaries
options, as in the following example:
dcpromo /uninstallbinaries /unattend:"c:\rodcanswer.txt"
All the options just shown in the answer file can also be specified or overridden
directly on the command line. Just type a command similar to the following:
dcpromo /unattend /uninstallbinaries
/UserName:contoso\dan
/password:*
/administratorpassword:Pa$$w0rd
If a domain controller must be demoted while it cannot contact the domain, you
must use the forceremoval option of dcpromo.exe. Type dcpromo /forceremoval,
and the Active Directory Domain Services Installation Wizard steps you through
the process. You are presented warnings related to any roles the domain controller
hosts. Read each warning and, after you have mitigated or accepted the impact of
the warning, click Yes. You can suppress warnings by using the demotefsmo:yes
option of dcpromo.exe. After the domain controller has been removed, you must
manually clean up the forest metadata.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-30 Configuring
Lab A: In
Lab Se
For this
begin th
1. On
clic
2. In H
clic
3. In t
4. Log

5. Rep
mac
nstall Dom
etup
s lab, you will use
he lab, you must
the host comput
ck Hyper-V Mana
Hyper-V Manag
ck Start.
the Actions pane,
g on by using the
User name: Pat.
Password: Pa$$
Domain: Conto
peat steps 2 and 3
chines..
main Con
e the available vir
complete the foll
ager.
ger, click 6425C-N
click Connect. W
e following creden
.Coleman
$w0rd
so
3 for the 6425C-N
ntrollers
rtual machine env
lowing steps:
oint to Administr
NYC-DC1, and in
Wait until the virt
ntials:
NYC-SVR1 and 6
Services
vironment. Before
rative Tools, and
n the Actions pan
tual machine star
425C-NYC-DC2

e you
d then
ne,
rts.
virtual
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
6. Log on to NYC-DC2 and NYC-SVR1 by using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso

Lab Scenario
You decide to add a new domain controller to provide fault tolerance for the
directory service. You have already installed a new server named NYC-SVR1. You
will also de-commission NYC-DC2 by removing AD DS.
Exercise 1: Create an Additional Domain Controller with the
Active Directory Domain Services Installation Wizard
In this exercise, you will use the Active Directory Domain Services Installation
Wizard (DCPromo.exe) to create an additional domain controller in the
contoso.com domain. You will not complete the installation, however. Instead, you
will save the settings as an answer file, which will be used in the next exercise.
Promote a domain controller by using the Active Directory Domain Services
Installation Wizard.

Task : Promote a domain controller by using the Active Directory
Domain Services Installation Wizard
On NYC-SVR1, run DCPromo.exe. Accept all of the defaults provided by the
Active Directory Administration Wizard except those listed below:
Additional domain controller in an existing forest
Domain: contoso.com
Alternate credentials: Pat.Coleman_Admin with the password Pa$$w0rd.
Select domain: contoso.com.
When a warning appears informing you that a DNS delegation could not
be found, click Yes.
Directory Services Restore Mode Administrator Password: Pa$$w0rd
Export the settings to a file on your desktop called AdditionalDC.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Cancel the installation of the domain controller on the Summary page. Do not
continue with the Active Directory Domain Services Installation Wizard.

Results: In this exercise, you simulated promoting NYC-SVR1 to a domain controller.

Exercise 2: Add a Domain Controller from the Command
Line
In this exercise, you will examine the answer file you created in Exercise 1. You will
use the installation options in the answer file to create a dcpromo.exe command
line to install the additional domain controller.
1. Create the DCPromo command.
2. Execute the DCPromo command.

Task 1: Create the DCPromo command
Open the AdditionalDC.txt file you created in Exercise 1. Examine the
answers in the file. Can you identify what some of the options mean?
Tip: Lines beginning with a semicolon are comments or inactive lines that have
been commented out.
Open a second instance of Notepad, as a new text file. Turn on word wrap.
Position the windows so you can see both the blank text file and the
AdditionalDC.txt file as a reference.
In Notepad, type the dcpromo.exe command line just as you would do in a
command prompt. Determine the command line to install the domain
controller with the same options as those listed in the answer file. Parameters
on the command line take the form /option:value, whereas in the answer file,
they take the form option=value. Configure both the Password and
SafeModeAdminPassword values as Pa$$w0rd. Instruct DCPromo to reboot
when complete.
As you will learn in Lab B, you can set the Password value to an asterisk (*),
and then you will be prompted to enter the password when you run the
command.
When you have created the command, open the Exercise2.txt file, found in
the \\NYC-DC1\d$\Labfiles\Lab11a folder. Compare the correct command
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
in Exercise2.txt with the command you created in the previous step. Make any
necessary corrections to your command.

Task 2: Run the DCPromo command
Open the Command Prompt window.
Switch to the Notepad file with the dcpromo.exe command you built in Task
1. Turn off word wrap, copy the command line you created, paste it into the
command prompt window, then press Enter to execute the command.
NYC-SVR1 is promoted to a domain controller. This takes a few minutes.

Results: In this exercise, you promoted NYC-SVR1 as an additional domain controller
in the contoso.com domain and forest.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 3: Remove a Domain Controller
In this exercise, you will remove a domain controller from the contoso.com
domain.
Remove a domain controller.

Task 1: Remove a domain controller
If necessary, log on to NYC-DC2 as Contoso\Administrator with the
password Pa$$w0rd.
Run DCPromo as an administrator. Accept all defaults presented by the
wizard, and configure the new Administrator password to be Pa$$w0rd.
Restart the server when the process has completed.

Results: In this exercise, you demoted NYC-DC2 to a member server.

Exercise 4: Create a Domain Controller from Installation
Media
You can reduce the amount of replication required to create a domain controller by
promoting the domain controller by using the IFM option. IFM requires that you
provide installation media, which is, in effect, a backup of Active Directory. In this
exercise, you will create the installation media on NYC-DC1, transfer it to NYC-
DC2, and then simulate the promotion of NYC-DC2 to a domain controller by
using the installation media.
1. Create installation media.
2. Promote a domain controller by using installation media.

Task 1: Create installation media
1. On NYC-DC1, run the Command Prompt as an administrator, with the user
2. Use ntdsutil.exe to create installation media in a folder named C:\IFM.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Task 2: Promote a domain controller by using installation media
1. Switch to NYC-DC2, and log on as Contoso\Administrator with the password
Pa$$w0rd.
2. Copy the IFM folder from the NYC-DC1 drive C to drive C on NYC-DC2.
3. On NYC-DC2, run DCPromo.exe. Select the advanced mode installation and
then accept all of the defaults provided by the Active Directory Administration
Domain Services Installation Wizard except those listed below:
Additional domain controller in an existing forest.
Domain: contoso.com.
Select domain: contoso.com.
Select a site: Default-First-Site-Name
When a warning appears informing you that a DNS delegation could not
be found, click Yes.
Install from Media: Replicate data from media stored at C:\IFM.
After the Source Domain Controller page, cancel the wizard without
completing the promotion.

Results: In this exercise, you created installation media on NYC-DC1 and simulated the
promotion of NYC-DC2 to a domain controller using the installation media.
To prepare for the next lab
click Revert.
4. Repeat these steps for 6425C-NYC-DC2 and 6425C-NYC-SVR1.
.
Question: Why would you choose to use an answer file or a dcpromo.exe
command line to install a domain controller rather than the Active Directory
Domain Services Installation Wizard?
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Question: In which situations does it make sense to create a domain controller
using installation media?

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lesson 2
Install a
Many o
acting a
in the d
configu
installin
reduce i
Core in
Window
Server C
manage
learn to
installat
Object
After co
Ide
Server Co
rganizations wan
as domain contro
directoryparticul
ration of Window
ng only the comp
its servers and se
stallation is a min
ws Explorer GUI
Core installation r
e a server locally,
o create a domain
tion. You will also
tives
ompleting this les
ntify the benefits
ore Doma
nt to implement t
llers because of t
larly user passwo
ws Server 2008 re
ponents and servi
ecurity surface fur
nimal installation
and the Microso
remotely by usin
you must use com
n controller from
o learn how to re
sson, you will be a
s and functionalit
Administering A
ain Contr
he maximum ava
the sensitive natu
ords. Although th
educes the securi
ices required by i
rther by installing
n of Windows tha
ft .NET Framewo
ng GUI tools; how
mmand-line tools
the command lin
emove domain co
able to:
ty of installing Ser
roller
ailable security fo
ure of information
he role-based
ity surface of a se
ts roles, it is poss
g Server Core. A S
at forgoes even th
ork. You can adm
wever, to configur
s. In this lesson, y
ne within a Server
ontrollers from a d
rver Core.
rs 11-37

or servers
n stored
erver by
sible to
Server
he
minister a
re and
you will
r Core
domain.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Install and configure Server Core.
Add and remove AD DS by using command-line tools.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Unde
Key Po
Window
known
gigabyte
Core in
improve
surface.
limited,
Server C
fewer up
Server C
Act
Act
Dyn
DN
rstand Serve
oints
ws Server 2008 o
as Server Core, is
es (GB) of disk sp
stallation limits t
es the security an
The number of s
so there are fewe
Core also reduces
pdates and less m
Core, in Window
ive Directory Dom
ive Directory Ligh
namic Host Conf
NS Server
er Core
r Windows Serve
s a minimal insta
pace and less tha
the server roles an
nd manageability
services and com
er opportunities
s the managemen
maintenance.
s Server 2008, su
main Services (AD
htweight Directo
figuration Protoco
Administering A
er 2008 R2 Serve
llation of Window
an 256 megabytes
nd features that c
of the server by r
mponents running
for an intruder to
nt burden of the s
upports nine serv
D DS)
ry Services (AD L
ol (DHCP) Server
r Core Installatio
ws that consume
s (MB) of memor
can be added, but
reducing its attac
g at any one time
o compromise the
server, which req
ver roles:
LDS)
r
rs 11-39

on, better
es about 3
ry. Server
t
ck
are
e server.
quires
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
File Services
Print Server
Streaming Media Services
Web Server (IIS) (as a static Web serverASP.NET cannot be installed)
Hyper-V (Windows Server Virtualization)

Server core, in Windows Server 2008, also supports these 11 optional features:
Microsoft Failover Cluster
Network Load Balancing
Subsystem for UNIX-based applications
Windows Backup
Multipath I/O
Removable Storage Management
Windows Bitlocker Drive Encryption
Simple Network Management Protocol (SNMP)
Windows Internet Naming Service (WINS)
Telnet client
Quality of Service (QoS)

Note: Following content is Windows Server 2008 R2 specific
The Server Core installation option of Windows Server 2008 R2 includes support
for additional server roles and features. Server Core installations of Windows
Server 2008 R2 now use the Deployment Image Servicing and Management
(DISM) tool to install and uninstall server roles.
In addition to the server roles available in Server Core installations of Windows
Server 2008, the following roles are available:
The Active Directory Certificate Services (AD CS) role
The File Server Resource Manager component of the File Services role
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
A subset of ASP.NET in the Web Server role
In addition to the Windows features available in Server Core installations of
Windows Server 2008, the following features are available in R2 version:
.NET Framework
A subset of .NET Framework 2.0
A subset of .NET Framework 3.0, including Windows Communication
Foundation (WCF) and Windows Workflow Foundation (WF)
A subset of .NET Framework 3.5, including WF additions from .NET
Framework 3.5 and .NET Language-Integrated Query (LINQ)
Windows PowerShell, including cmdlets for Server Manager and the Best
Practices Analyzer
Windows-on-Windows 64-bit (WoW64)
Note: The Removable Storage feature has been removed.
You can remotely configure a server running a Server Core installation of Windows
Server 2008 R2 by using Server Manager.

http://go.microsoft.com/fwlink/?LinkId=168473

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-42 Configuring
Instal
Key Po
You can
differen
You
on
Wh
app

l Server Core
oints
n install Server Co
nces between a fu
u select Server Co
the following pag
hen the installatio
pears.
e
ore by using the s
ll installation and
ore Installation in
ge.
on is complete an

same procedure a
d a Server Core in
n the Installing W
nd you log on, a c
Services
as a full installati
nstallation are:
Windows Wizard s
command promp

on. The
shown
t
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

When you install Windows Server 2008 from the installation DVD, the initial
password for the Administrator account is blank. When you log on to the server for
the first time, use a blank password. You will be prompted to change the password
on first logon.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-44 Configuring
Serve
Key Po
On a fu
window
Server C
line too
comman
prompt
r Core Confi
oints
ll installation of W
w opens to guide y
Core provides no
ls. The following
nds you can use.
t and type the nam
iguration Co
Windows Server
you through pos
GUI, so you mu
g table lists comm
To learn more ab
me of the comma
ommands
2008, the Initial
t-installation con
st complete the t
mon configuration
bout any comma
and followed by /
Services
Configuration Ta
nfiguration of the
tasks by using com
n tasks and the
nd, open a comm
/?.

asks
server.
mmand-
mand
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Server Core Configuration Commands
Task Command
Change the Administrator
password
When you log on with Ctrl+Alt+Delete, you will be
prompted to change the password.
You can also type the following command:
net user administrator *
Set a static IPv4 configuration netsh interface ipv4
Activate Windows Server cscript c:\windows\system32\slmgr.vbs ato
Join a domain netdom
Add Server Core roles,
components, or features
ocsetup.exe package or feature
Note that the package or feature names are case-
sensitive.
Display installed roles,
components, and features
oclist.exe
Enable Remote Desktop cscript c:\windows\system32\scregedit.wsf /AR 0
Promote a domain controller dcpromo.exe
Configure DNS dnscmd.exe
Configure DFS dfscmd.exe

The Ocsetup.exe command is used to add supported Server Core roles and
features to the server. The exception to this rule is AD DS. Do not use Ocsetup.exe
to add or remove AD DS. Use Dcpromo.exe instead.
Because there is no Active Directory Domain Services Installation Wizard in Server
Core, you must use the command line to run Dcpromo.exe with parameters that
configure AD DS. To learn about the parameters of dcpromo.exe, open a command
line and type dcpromo.exe /?. Each configuration scenario has additional usage
information. For example, type dcpromo.exe /?:Promotion for detailed usage
instructions for promoting a domain controller.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-46 Configuring
Lab B: In
Lab Se
For this
begin th
1. On
clic
2. In H
clic
3. In t
4. Log

5. Rep
unt
nstall a Se
etup
s lab, you will use
he lab, you must
the host comput
ck Hyper-V Mana
Hyper-V Manag
ck Start.
the Actions pane,
g on by using the
User name: Pat.
Password: Pa$$
Domain: Conto
peat steps 2 and 3
til directed to do
erver Core
e the available vir
complete the foll
ager.
ger, click 6425C-N
click Connect. W
e following creden
.Coleman
$w0rd
so
3 for the 6425C-N
so.
e Domain
rtual machine env
lowing steps:
oint to Administr
NYC-DC1, and in
Wait until the virt
ntials:
NYC-DC3. Do no
Services
n Control
vironment. Before
rative Tools, and
n the Actions pan
tual machine star
ot log on to NYC-D
ller

e you
d then
ne,
rts.
DC3
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Lab Scenario
You are a domain administrator for Contoso, Ltd, and you want to add a domain
controller to the AD DS environment. To enhance the security of the new domain
controller, you plan to use Server Core. You have already installed Server Core on a
new computer, and you are ready to configure the server as a domain controller.
Exercise 1: Perform Post-Installation Configuration on
Server Core
In this exercise, you will perform post-installation configuration of the server to
prepare it with the name and TCP/IP settings required for the remaining exercises
in this Lab.
Perform post-installation configuration of Server Core.

Task : Perform post-installation configuration of Server Core
Log on to NYC-DC3 as Administrator with the password Pa$$w0rd.
Configure the IPv4 address and DNS server by typing each of the following
commands.
netsh interface ipv4 set address name="Local Area Connection"
source=static address=10.0.0.14 mask=255.255.255.0
gateway=10.0.0.1

netsh interface ipv4 set dns name="Local Area Connection"
source=static address=10.0.0.10 primary
Confirm the IP configuration you entered previously with the command
ipconfig /all.
Rename the server by typing netdom renamecomputer %computername%
/newname:NYC-DC3. You will be prompted to press Y to confirm the
operation.
Restart by typing shutdown -r -t 0.
Log on as Administrator with the password Pa$$w0rd.
Join the domain using the following command.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
netdom join %computername% /domain:contoso.com
/UserD:CONTOSO\Administrator /PasswordD:Pa$$w0rd
/OU:"ou=servers,dc=contoso,dc=com"
Restart by typing shutdown -r -t 0.

Results: In this exercise, you configured the Server Core installation as a member of
the contoso.com domain named NYC-DC3.

Exercise 2: Create a Domain Controller with Server Core
In this exercise, you will add the DNS and AD DS roles to the Server Core
installation.
1. Add the DNS Server role to Server Core.
2. Create a domain controller on Server Core with the dcpromo.exe command.

Task 1: Add the DNS Server role to Server Core
Log on to NYC-DC3 as Contoso\Administrator with the password
Pa$$w0rd.
Display available server roles by typing oclist. What is the package identifier
for the DNS server role? What is its status?
Type ocsetup, and then press Enter. There is a minor amount of GUI in Server
Core. Click OK to close the window.
Type ocsetup DNS-Server-Core-Role and then press Enter. Note that package
identifiers are case-sensitive.
Type oclist |more and confirm that the DNS server role is installed.

Task 2: Create a domain controller on Server Core with the
dcpromo.exe command
Make sure you are still logged on to NYC-DC3 as Contoso\Administrator
with the password Pa$$w0rd
Type dcpromo.exe /?, and then press Enter. Review the usage information.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Type dcpromo.exe /?:Promotion, and then press Enter. Review the usage
information.
Type the following command to add and configure the AD DS role, and then
press Enter.
dcpromo /unattend /ReplicaOrNewDomain:replica
/ReplicaDomainDNSName:contoso.com /ConfirmGC:Yes
/UserName:CONTOSO\Administrator /Password:*
/safeModeAdminPassword:Pa$$w0rd

Results: In this exercise, you promoted the Server Core server, NYC-DC3, to a domain
controller in the contoso.com domain.
click Revert.
4. Repeat these steps for 6425C-NYC-DC3.

Question: Did you find the configuration of Server Core to be particularly difficult?
Question: What are the advantages of using Server Core for domain controllers?

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-50 Configuring
Lesson 3
Manage
In an Ac
capable
controll
must be
masters
are capa
five ope
learn th
the nua
Operatio
ctive Directory do
e of writing to the
lers. However, in
e performed by o
s are domain cont
able of playing th
erations masters f
heir purposes, how
ances of administe
ons Maste
omain, all domain
e database and rep
any multimaster
nly one system. I
trollers that play
he role, but do no
found in Active D
w to identify the
ering and transfe
ers
n controllers are
plicating changes
r replication topo
In an Active Direc
a specific role. O
ot. This lesson wil
Directory forests a
operations maste
erring roles.
Services
equivalent. They
s to other domain
ology, certain ope
ctory domain, op
Other domain con
ll introduce you t
and domains. You
ers in your enterp

y are all
n
rations
perations
ntrollers
to the
u will
prise, and
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Objectives
Define the purpose of the five single master operations in Active Directory
forests.
Identify the domain controllers that perform operations master roles.
Plan the placement of operations master roles.
Transfer and seize operations master roles.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-52 Configuring
Unde
Key Po
In any r
because
is no ex
differen
domain
controll
Op
Op
Sin
Op
Flex
rstand Single
oints
replicated databa
e they are imprac
xception. A limite
nt places at the sa
n controller in a d
lers that perform
erations masters
erations master r
gle master roles
erations tokens
xible single mast
e Master Op
se, some changes
tical to perform i
d number of ope
me time and mus
domain or forest.
them, are referre
roles
er operations (FS
perations
s must be perform
n a multimaster f
erations are not p
st be the respons
These operations
ed to by a variety
SMOs)
Services
med by only one
fashion. Active D
ermitted to occur
sibility of only on
s, and the domain
of terms:

replica
irectory
r at
ne
n

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
One domain controller performs a function, and while it does, no other domain
controller performs that function.
All Active Directory domain controllers are capable of performing single master
operations. The domain controller that actually does perform an operation is the
domain controller that currently holds the operations token.
An operation token, and thus the role, can be transferred easily to another domain
controller without a reboot.
To reduce the risk of single points of failure, the operations tokens can be
distributed among multiple DCs.
AD DS contains five operations master roles. Two roles are performed for the
entire forest:
Domain naming
Schema

Three roles are performed in each domain:
Relative identifier (RID)
Infrastructure
PDC Emulator

Each of these roles is detailed in the following sections. In a forest with a single
domain, there are, therefore, five operations masters. In a forest with two domains,
there are eight operations masters because the three domain master roles are
implemented separately in each of the two domains.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-54 Configuring
Opera
Key Po
Window
specific
Forest-
The sch
Each ro
Domai
The dom
When y
accessib
Schem
The dom
any cha
schema
ations Maste
oints
ws Server 2008 in
functionality and
-Wide Operatio
hema master and
le is performed b
in Naming Mas
main naming role
you add or remov
ble, or the operati
ma Master Role
main controller h
anges to the fores
. If you want to m
er Roles
ncludes several O
d scope.
ons Master Rol
the domain nam
by only one doma
ster Role
e is used when ad
ve a domain, the d
ion will fail.
holding the schem
ts schema. All ot
modify the schem
Operations Master
les
ming master must
ain controller in t
dding or removin
domain naming m
ma master role is
ther DCs hold rea
ma or install an ap
Services
r roles, each of w
be unique in the
the entire forest.
ng domains in the
master must be
responsible for m
ad-only replicas o
pplication that mo

which has
e forest.
e forest.
making
of the
odifies
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
the schema, do so on the domain controller holding the schema master role.
Otherwise, changes you request must be sent to the schema master to be written
into the schema.
Domain-Wide Operations Master Roles
Each domain maintains three single master operations: RID, Infrastructure, and
PDC Emulator. Each role is performed by only one domain controller in the
domain.
RID Master Role
The RID master plays an integral part in the generation of security identifiers
(SIDs) for security principals such as users, groups, and computers. The SID of a
security principal must be unique. Because any domain controller can create
accounts, and therefore, SIDs, a mechanism is necessary to ensure that the SIDs
generated by a domain controller are unique. Active Directory domain controllers
generate SIDs by assigning a unique RID to the domain SID. The RID master for
the domain allocates pools of unique RIDs to each domain controller in the
domain. Thus, each domain controller can be confident that the SIDs it generates
are unique.
Note: The RID master role is like DHCP for SIDs. If you are familiar with the concept that you
allocate a scope of IP addresses for the Dynamic Host Configuration Protocol (DHCP)
server to assign to clients, you can draw a parallel to the RID master, which allocates
pools of RIDs to domain controllers for the creation of SIDs.
Infrastructure Master Role
In a multidomain environment, it is common for an object to reference objects in
other domains. For example, a group can include members from another domain.
Its multivalued member attribute contains the distinguished names of each
member. If the member in the other domain is moved or renamed, the
infrastructure master of the groups domain updates the groups member attribute
accordingly.
Note: The infrastructure master. You can think of the infrastructure master as a tracking
device for group members from other domains. When those members are renamed or
moved in the other domain, the infrastructure master identifies the change and makes
appropriate changes to group memberships so that the memberships are kept up to
date.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
PDC Emulator Role
The PDC Emulator role performs multiple, crucial functions for a domain:
Emulates a Primary Domain Controller (PDC) for backward compatibility
In the days of Windows NT 4.0 domains, only the PDC could make changes
to the directory. Previous tools, utilities, and clients written to support
Windows NT 4.0 are unaware that all Active Directory domain controllers can
write to the directory, so such tools request a connection to the PDC. The
domain controller with the PDC emulator role registers itself as a PDC so that
down-level applications can locate a writable domain controller. Such
applications are less common now that Active Directory is nearly 10 years old,
and if your enterprise includes such applications, work to upgrade them for
full Active Directory compatibility.
Participates in special password update handling for the domain
When a user's password is reset or changed, the domain controller that makes
the change replicates the change immediately to the PDC emulator. This
special replication ensures that the domain controllers know about the new
password as quickly as possible. If a user attempts to log on immediately after
changing passwords, the domain controller responding to the users logon
request might not know about the new password. Before it rejects the logon
attempt, that domain controller forwards the authentication request to a PDC
emulator, which verifies that the new password is correct and instructs the
domain controller to accept the logon request. This function means that any
time a user enters an incorrect password, the authentication is forwarded to
the PDC emulator for a second opinion. The PDC emulator, therefore, should
be highly accessible to all clients in the domain. It should be a well-connected,
high-performance domain controller.
Manages Group Policy updates within a domain
If a Group Policy object (GPO) is modified on two DCs at approximately the
same time, there could be conflicts between the two versions that could not be
reconciled as the GPO replicates. To avoid this situation, the PDC emulator
acts as the focal point for all Group Policy changes. When you open a GPO in
the Group Policy Management Editor (GPME), the GPME binds to the domain
controller performing the PDC emulator role. Therefore, all changes to GPOs
are made on the PDC emulator by default.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Provides a master time source for the domain
Active Directory, Kerberos, File Replication Service (FRS), and DFS-R each rely
on timestamps, so synchronizing the time across all systems in a domain is
crucial. The PDC emulator in the forest root domain is the time master for the
entire forest, by default. The PDC emulator in each domain synchronizes its
time with the forest root PDC emulator. Other domain controllers in the
domain synchronize their clocks against that domains PDC emulator. All
other domain members synchronize their time with their preferred domain
controller. This hierarchical structure of time synchronization, all implemented
through the Win32Time service, ensures consistency of time. Universal
Coordinated Time (UTC) is synchronized, and the time displayed to users is
adjusted based on the time zone setting of the computer.
Note: Change the time service only one way. It is highly recommended to allow Windows to
maintain its native, default time synchronization mechanisms. The only change you
should make is to configure the PDC emulator of the forest root domain to synchronize
with an extra time source. If you do not specify a time source for the PDC emulator, the
System event log will contain errors reminding you to do so. See
http://go.microsoft.com/fwlink/?LinkId=91969, and the articles it refers to, for more
information.
Acts as the domain master browser
When you open Network in Windows, you see a list of workgroups and
domains, and when you open a workgroup or domain, you see a list of
computers. These two lists, called browse lists, are created by the Browser
service. In each network segment, a master browser creates the browse list: the
lists of workgroups, domains, and servers in that segment. The domain master
browser serves to merge the lists of each master browser so that browse clients
can retrieve a comprehensive browse list.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-58 Configuring
Optim
Key Po
When y
operatio
domain
assignm
controll
practice
Co-
The
sing
the
nam
add
sam
eve
unl
mize the Plac
oints
you create the for
ons master roles
n controllers to th
ments to other do
lers or to optimiz
es for the placeme
-locate the schem
e schema master
gle domain contr
domain controll
ming master mus
ded, the master m
me name as the ne
ry object in the fo
less schema modi
cement of Op
est root domain w
are performed by
he domain, you ca
main controllers
ze placement of a
ent of operations
ma master and d
and domain nam
roller that is a GC
ler hosting them
t be hosted on a
must ensure that t
ew domain. The
orest. The load of
ifications are bein
perations M
with its first dom
y the domain con
an transfer the op
to balance the lo
a single master op
s master roles are
domain naming m
ming master roles
C server. These ro
should be tightly
GC server becaus
there is no object
GCs partial repli
f these operation
ng made.
Services
asters
main controller, al
ntroller. As you ad
perations master
oad among doma
peration. The best
as follows:
master
should be placed
oles are rarely use
y secured. The do
se when a new do
t of any type with
ica contains the n
ns master roles is

ll five
dd
role
in
t
d on a
ed, and
omain
omain is
h the
name of
very light
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Co-locate the RID master and PDC emulator rules
Place the RID and PDC emulator roles on a single domain controller. If the
load mandates that the roles be placed on two separate domain controllers,
those two systems should be physically well connected and have explicit
connection objects created in Active Directory so that they are direct
replication partners. They should also be direct replication partners with
domain controllers that you have selected as standby operations masters.
Place the infrastructure master on a domain controller that is not a GC
The infrastructure master should be placed on a domain controller that is not
a GC server but is physically well connected to a GC server. The infrastructure
master should have explicit connection objects in Active Directory to that GC
server so that they are direct replication partners. The infrastructure master
can be placed on the same domain controller that acts as the RID master and
PDC emulator.
Note: It doesnt matter if theyre all GCs. If all DCs in a domain are GC serverswhich indeed is
a best practice recommendation that will be discussed in Module 12, Manage Sites and
Active Directory Replicationyou do not need to worry about which domain controller is
the infrastructure master. When all DCs are GCs, all DCs have up-to-date information
about every object in the forest, which eliminates the need for the infrastructure master
role.
Have a failover plan
In the following sections, you will learn to transfer single operations master
roles between domain controllers, which is necessary if there is lengthy
planned or unplanned downtime of an operations master. Determine, in
advance, a plan for transferring operations roles to other DCs in the event that
one operations master is offline.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-60 Configuring
Ident
Key Po
To impl
perform
Director
tools.
ify Operatio
oints
lement your role
ming single maste
ry administrative
ns Masters
placement plan,
er operations role
e tool as well as in
you must know w
es. Each role is ex
n other user inter
Services
which DCs are cu
xposed in an Activ
rface and comman

urrently
ve
nd-line
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
To identify the current master for each role, use the following tools:
PDC Emulator: The Active Directory Users And Computers snap-in
Right-click the domain and choose Operations Masters. Click the PDC tab.
An example is shown on the following page, which indicates that
SERVER01.contoso.com is currently the PDC operations master.

RID Master: The Active Directory Users And Computers snap-in
Right-click the domain and click Operations Masters. Click the RID tab.
Infrastructure Master: The Active Directory Users And Computers snap-in
Right-click the domain and click Operations Masters. Click the
Infrastructure tab.
Domain Naming: The Active Directory Domains And Trusts snap-in
Right-click the root node of the snap-in (Active Directory Domains And
Trusts) and click Operations Master.
Schema Master: The Active Directory Schema snap-in
Right-click the root node of the snap-in (Active Directory Schema) and click
Operations Master.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Note: You must register the Active Directory Schema snap-in before you can create a custom
Microsoft Management Console (MMC) with the snap-in. At a command prompt, type
regsvr32 schmmgmt.dll.
You can also use several other tools to identify operations masters, including
the following commands.
NTDSUtil
ntdsutil
roles
connections
connect to server DomainControllerFQDN:portnumber
quit
select operation target
list roles for connected server
quit
quit
quit
dcdiag /test:knowsofroleholders /v
netdom query fsmo

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Trans
Key Po
You can
followin
Wh
con
role
dom
failu
If y
ope
taki
If y
ope
dec
will
dom
fer Operatio
oints
n transfer a single
ng scenarios:
hen you establish
ntroller you instal
es are performed
main controllers,
ure and improve
ou plan to take a
erations master ro
ing it offline.
ou are decommis
erations master ro
commissioning. T
l attempt to do so
main controller b
ons Master R
e operations mast
your forest, all fi
ll. When you add
by the first doma
you can distribu
performance.
a domain controll
ole, transfer that
ssioning a domain
ole, transfer that
The Active Directo
o automatically, b
by transferring its
Administering A
oles
ter role easily. Yo
ive roles are perfo
d a domain to the
ain controller in t
te the roles to red
ler offline that is c
role to another d
n controller that
role to another d
ory Domain Servi
but you should pr
roles.
ou will transfer ro
ormed by the firs
e forest, all three d
that domain. As y
duce single-point
currently holding
domain controller
currently holds a
domain controller
ices Installation W
repare for demot
rs 11-63

oles in the
t domain
domain
you add
t-of-
g an
r prior to
an
r prior to
Wizard
ting a
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
To transfer an operations master role, follow these steps:
1. You should ensure that the new role holder is up to date with replication from
the former role holder before transferring the role. You can use the skills
introduced in Module 12 to force replication between the two systems.
2. Open the administrative tool that exposes the current master.
For example, open the Active Directory Users and Computers snap-in to
transfer any of the three domain master roles.
3. Connect to the domain controller to which you are transferring the role.
This is accomplished by right-clicking the root node of the snap-in and clicking
Change Domain Controller or Change Active Directory Domain Controller.
(The command differs between snap-ins.)
4. Open the Operations Master dialog box, which will show you the domain
controller currently holding the role token for the operation. Click the Change
button to transfer the role to the domain controller to which you are
connected.

When you transfer an operations master role, both the current master and the new
master are online. When the token is transferred, the new master immediately
begins to perform the role, and the former master immediately ceases to perform
the role. This is the preferred method of moving operations master roles.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Seize
Key Po
Althoug
console
from pr
Recogn
Several
absence
day ope
masters
Howeve
attempt
exampl
new sec
Operations
oints
gh transfer of ope
es and without an
revious holder if t
nize Operation
operations maste
e becomes a prob
eration of your en
s by examining th
er, you will often
t to perform a fun
e, if the RID mast
curity principals.
Master Role
erations master ro
ny service downti
that holder is offl
ns Master Failur
er roles can be un
blem. Other maste
nterprise. You can
he Directory Servi
discover that an
nction managed b
ter fails, eventual
Administering A
s
oles can be perfor
me, in some case
line.
res
navailable for qui
er roles play a cru
n identify problem
ice event log.
operations maste
by the master, an
lly you will be pre
rmed by using re
es you cannot tran
ite some time bef
ucial role in the d
ms with operation
er has failed when
d the function fai
evented from cre
rs 11-65

egular
nsfer role
fore their
day-to-
ns
n you
ils. For
ating
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Respond to an Operations Master Failure
If a domain controller performing a single master operation fails, and you cannot
bring the system back to service, you can seize the operations token. When you
seize a role, you designate a new master without gracefully removing the role from
the failed master.
Seizing a role is drastic, so determine the cause and expected duration of the
offline operations master. If the operations master can be brought online in
sufficient time, wait. Sufficient time depends on the impact of the role that has
failed.
PDC Emulator Failure
The PDC Emulator is the operations master that will have the most immediate
impact on normal operations and on users if it becomes unavailable. Fortunately,
the PDC Emulator role can be seized to another domain controller and then
transferred back to the original role holder when the system comes back online.
Infrastructure Master Failure
A failure of the infrastructure master will be noticeable to administrators but not to
users. Because the master is responsible for updating the names of group members
from other domains, it can appear as if group membership is incorrect although,
membership is not actually affected. You can seize the infrastructure master role to
another domain controller and then transfer it back to the previous role holder
when that system comes online.
RID Master Failure
A failed RID master will eventually prevent domain controllers from creating new
SIDs and, therefore, will prevent you from creating new accounts for users, groups,
or computers. However, domain controllers receive a sizable pool of RIDs from the
RID master, so unless you are generating numerous new accounts, you can often
go for some time without the RID master online while it is being repaired. Seizing
this role to another domain controller is a significant action. After the RID master
role has been seized, the domain controller that had been performing the role
cannot be brought back online.
Schema Master Failure
The schema master role is necessary only when schema modifications are being
made, either directly by an administrator or by installing an Active Directory
integrated application that changes the schema. At other times, the role is not
necessary. It can remain offline indefinitely until schema changes are necessary.
Seizing this role to another domain controller is a significant action. After the
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
schema master role has been seized, the domain controller that had been
performing the role cannot be brought back online.
Domain Naming Master Failure
The domain naming master role is necessary only when you add a domain to the
forest or remove a domain from a forest. Until such changes are required to your
domain infrastructure, the domain naming master role can remain offline for an
indefinite period of time. Seizing this role to another domain controller is a
significant action. After the domain naming master role has been seized, the
domain controller that had been performing the role cannot be brought back
online.
Seize an Operations Master Role
Although you can transfer roles by using the administrative tools, you must use
Ntdsutil.exe to seize a role. To seize an operations master role, perform the
following steps:
1. At the command prompt, type ntdsutil, and then press Enter.
2. At the ntdsutil prompt, type roles, and then press Enter.
The next steps establish a connection to the domain controller you want to
perform the single master operation role.
3. At the fsmo maintenance prompt, type connections, and then press Enter.
4. At the server connections prompt, type connect to server
DomainControllerFQDN, and then press Enter.
DomainControllerFQDN is the FQDN of the domain controller you want to
perform the role.
Ntdsutil responds that it has connected to the server.
5. At the server connections prompt, type quit, and then press Enter.
6. At the fsmo maintenance prompt, type seize role, and then press Enter.
Role is one of the following:
schema master
domain naming master
RID master
PDC
infrastructure master
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
7. At the fsmo maintenance prompt, type quit, and then press Enter.
8. At the ntdsutil prompt, type quit, and then press Enter.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Returning a Role to Its Original Holder
To provide for planned downtime of a domain controller if a role has been
transferred, not seized, the role can be transferred back to the original domain
controller.
If, however, a role has been seized and the former master is able to be brought
back online, you must be very careful. The PDC emulator and infrastructure master
are the only operations master roles that can be transferred back to the original
master after having been seized.
Note: Do not return a seized schema, domain naming, or RID master to service! After seizing
the schema, domain naming, or RID roles, you must completely decommission the
original domain controller.
If you have seized the schema, domain naming, or RID roles to another domain
controller, you must not bring the original domain controller back online without
first completely decommissioning the domain controller. That means you must
keep the original role holder physically disconnected from the network, and you
must remove AD DS by using the dcpromo /forceremoval command. You must
also clean the metadata for that domain controller as described at
http://go.microsoft.com/fwlink/?LinkId=80481.
After the domain controller has been completely removed from Active Directory, if
you want the server to rejoin the domain, you can connect it to the network and
join the domain. If you want it to be a domain controller, you can promote it. If
you want it to resume performing the operations master role, you can transfer the
role back to the domain controller.
Note: Because of the critical nature of DCs, completely reinstall the former domain controller in
this scenario.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-70 Configuring
Lab C: Tr
Lab Se
For this
begin th
1. On
clic
2. In H
clic
3. In t
4. Log

5. Star
ransfer O
etup
s lab, you will use
he lab, you must
the host comput
ck Hyper-V Mana
Hyper-V Manag
ck Start.
the Actions pane,
g on by using the
User name: Pat.
Password: Pa$$
Domain: Conto
rt 6425C-NYC-DC
Operation
e the available vir
complete the foll
ager.
ger, click 6425C-N
click Connect. W
e following creden
.Coleman
$w0rd
so
C2,.
s Master
rtual machine env
lowing steps:
oint to Administr
NYC-DC1, and in
Wait until the virt
ntials:
Services
Roles
vironment. Before
rative Tools, and
n the Actions pan
tual machine star

e you
d then
ne,
rts.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
6. Wait for NYC-DC2 to complete startup before continuing. Do not log on until
directed to do so.

Lab Scenario
You are a domain administrator at Contoso, Ltd. One of the redundant power
supplies has failed on NYC-DC1, and you must take the server offline for servicing.
You want to ensure that AD DS operations are not interrupted while the server is
offline.
Exercise 1: Identify Operations Masters
In this exercise, you will use both user interface and command-line tools to identify
operations masters in the contoso.com domain.
1. Identify operations masters using the Active Directory administrative snap-ins.
2. Identify operations masters by using NetDom.

Task 1: Identify operations masters by using the Active Directory
administrative snap-ins
On NYC-DC1, run Active Directory Users and Computers as an
Pa$$w0rd.
Use Active Directory Users and Computers to identify the operations master
role token holders for RID, PDC and Infrastructure. Which domain controller
holds those roles?
Close Active Directory Users and Computers.
Run Active Directory Domains and Trusts as an administrator, with the user
Use Active Directory Domains and Trusts to identify the operations master
role token holders for Domain Naming. Which domain controller holds this
role?
Close Active Directory Domains and Trusts.
Run the Command Prompt as an administrator, with the user name
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Type regsvr32 schmmgmt.dll, and then press Enter.
Run mmc.exe as an administrator, with the user name Pat.Coleman_Admin
Add the Active Directory Schema snap-in to the console.
Use Active Directory Schema to identify the operations master role token
holders for Schema. Which domain controller holds this role?
Close the console. You do not need to save any changes.

Task 2: Identify operations masters by using NetDom
Type the command netdom query fsmo, and press Enter.

Results: In this exercise, you used both administrative snap-ins and NetDom to
identify operations masters.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 2: Transfer Operations Master Roles
In this exercise, you will prepare to take the operations master offline by
transferring its role to another domain controller. You will then simulate taking it
offline, bringing it back online, and returning the operations master role.
1. Transfer the PDC role by using the Active Directory Users And Computers
snap-in.
2. Consider other roles before taking a domain controller offline.
3. Transfer the PDC role by using NTDSUtil.

Task 1: Transfer the PDC role by using the Active Directory Users And
Computers snap-in
Run Active Directory Users and Computers as an administrator, with the
Connect to NYC-DC2.
Before transferring an operations master, you must connect to the domain
controller to which the role will be transferred.
The root node of the snap-in indicates the domain controller to which you are
connected: Active Directory Users And Computers [NYC-DC2.contoso.com].
Transfer the PDC operations master role to NYC-DC2.

Task 2: Consider other roles before taking a domain controller offline
You are preparing to take NYC-DC1 offline. You have just transferred the PDC
operations role to NYC-DC2.
List other operations master roles that must be transferred prior to taking
NYC-DC1 offline.
List other server roles that must be transferred prior to taking NYC-DC1
offline.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Task 3: Transfer the PDC role by using NTDSUtil

You have finished performing maintenance on NYC-DC1. Now, you need to bring
it back online.
Remember you cannot bring a domain controller back online if the RID, schema,
or domain naming roles have been seized. But, you can bring it back online if a
role was transferred.
Use NTDSUtil to connect to NYC-DC1 and transfer the PDC role back to it.

Results: In this exercise, you should have transferred the PDC role to NYC-DC2 by
using the Active Directory Users and Computers snap-in, and then transferred it back
to NYC-DC1 using NTDSUtil.
click Revert.

Question: If you transfer all roles before taking a domain controller offline, is it
okay to bring the domain controller back online?

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lesson 4
Configur
SYSVOL
group p
manage
consiste
(GPOs)
are repl
Window
FRS has
occasion
In Wind
option t
learn ho

re DFS-R
L, a folder located
policy templates (
ement of an Activ
ent on each doma
) and logon script
licated effectively
ws, the FRS was u
s limitations in bo
nally. Unfortunat
dows Server 2008
to use DFS-R to r
ow to migrate SYS
Replicati
d at %SystemRoo
(GPTs), and othe
ve Directory doma
ain controller. Ho
ts are made often
and efficiently to
used to replicate
oth capacity and
tely, troubleshoo
8 and Windows S
replicate the cont
SVOL from FRS t

Administering A
ion of SY
ot%\SYSVOL con
er resources critic
ain, by default. Id
owever, changes
n, so you must en
o all DCs. In the p
the contents of S
performance tha
ting and configur
Server 2008 R2 d
ents of SYSVOL.
to DFS-R.
YSVOL
ntains logon scrip
cal to the health a
deally, SYSVOL sh
to Group Policy o
nsure that those c
previous versions
YSVOL between
t causes it to brea
ring FRS is quite
domains, you hav
In this lesson, yo
rs 11-75

pts,
and
hould be
objects
changes
s of
DCs.
ak
difficult.
ve the
ou will
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Objectives
Raise the domain functional level.
Migrate SYSVOL replication from FRS to DFS-R.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Raise
Key Po
In Modu
the con
Multiple
levels in
operatin
function
domain
Window
R2. At th
Window
Native d
Window
Server 2
controll
As you r
Window
the Domain
oints
ule 1, Introducing
cept of domain a
e Domains and Fo
n detail. A domain
ng systems that a
nality in Active D
n controller can b
ws Server 2003 N
he Windows 200
ws 2000 Server o
domain functiona
ws Server 2008 d
2008. At the Win
lers must be runn
raise functional le
ws Server 2008 d
n Functional
g Active Directory D
and forest functio
orests, you will lea
ns functional lev
are supported as D
irectory. A doma
e at one of four fu
Native, Windows
00 Native domain
r Windows Serve
al level, DCs can
domain functiona
dows Server 200
ning Windows Se
evels, new capab
domain functiona
Administering A
Level
Domain Services,
nal levels. In Mo
arn about forest a
vel is a setting tha
DCs in a domain
in with a Window
unctional levels: W
Server 2008, and
n functional level,
er 2003. At the W
be running Wind
l level, all DCs m
8 R2 domain fun
erver 2008 R2.
ilities of Active D
l level, for examp
you were introdu
dule 14, Managin
and domain funct
at both restricts th
and enables add
ws Server 2008 R
Windows 2000 N
d Windows Serve
, DCs can be run
Windows Server 2
dows Server 2003
must be running W
nctional level, all d
Directory are enab
ple, you can use D
rs 11-77

uced to
ng
tional
he
ditional
R2
Native,
er 2008
ning
2003
3. At the
Windows
domain
bled. At
DFS-R to
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
replicate SYSVOL. If you upgrade domain functional level to Windows Server 2008
R2, you will get authentication mechanism assurance, which packages information
about the type of logon method (smart card or user name/password) that is used
to authenticate domain users inside each users Kerberos token. Also, Automatic
SPN management will be enabled.
Simply upgrading all DCs to Windows Server 2008 or newer is not enough: You
must specifically raise the domain functional level. You do this by using Active
Directory Domains and Trusts.
To raise the domain functional level:
1. Run the Active Directory Domains and Trusts snap-in.
2. Right-click the domain and choose Raise Domain Functional Level.
3. Select Windows Server 2008 or 2008 R2 as the desired functional level, and
then click Raise.

After you set the domain functional level to Windows Server 2008 R2, you cannot
add DCs running Windows 2000 Server, Windows Server 2003 or Windows
Server 2008. The functional level is associated only with domain controller
operating systems; member servers and workstations can be running Windows
Server 2003, Windows 2000 Server, Windows 7, Windows Vista, Windows XP, or
Windows 2000 Workstation.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Unde
Key Po
Because
Window
replicati
parallel
clients a
the oper
Migratio
0 (s
rep
1 (p
and
SYS
orig
rstand Migra
oints
e SYSVOL is critic
ws does not prov
ion of SYSVOL in
SYSVOL structu
are redirected to
ration has proven
on to DFS-R there
start). The defau
licate SYSVOL.
prepared). A cop
d is added to a rep
SVOL_DFSR fold
ginal SYSVOL fol
ation Stages
cal to the health a
vide a mechanism
nstantly. In fact, m
ure. When the par
the new structure
n successful, you
efore consists of
ult state of a doma
py of SYSVOL is c
plication set. DFS
ders on all DCs. H
lders and clients
Administering A

and functionality
m with which to co
migration to DFS
rallel structure is
e as the domains
can eliminate FR
four stages or sta
ain controller. On
created in a folde
S-R begins to repl
However, FRS con
continue to use S
y of your domain,
onvert from FRS
S-R involves creati
successfully in p
s system volume.
RS.
ates:
nly FRS is used to
er called SYSVOL
licate the content
ntinues to replica
SYSVOL.
rs 11-79

to DFS-R
ing a
lace,
When
o
_DFSR
ts of the
te the
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
3 (eliminated). Replication of the old SYSVOL folder by FRS is stopped. The
original SYSVOL folder is not deleted. Therefore, if you want to remove it
entirely, you must do so manually.

You move your DCs through these stages by using the DFSMig command. You will
use three options with dfsrmig.exe:
setglobalstate state
The setglobalstate option configures the current global DFSR migration state,
which applies to all DCs. The state is specified by the state parameter, which is
03. Each domain controller will be notified of the new DFSR migration state
and will migrate to that state automatically.
getglobalstate
The getglobalstate option reports the current global DFSR migration state.
getmigrationstate
The getmigrationstate option reports the current migration state of each
domain controller. Because it might take time for DCs to be notified of the new
global DFSR migration state, and because it might take even more time for a
domain controller to make the changes required by that state, DCs will not be
synchronized with the global state instantly. The getmigrationstate option
enables you to monitor the progress of DCs toward the current global DFSR
migration state.

If there is a problem moving from one state to the next higher state, you can revert
to previous states by using the setglobalstate option. However, after you have used
the setglobalstate option to specify state 3 (eliminated), you cannot revert to the
earlier states.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Migra
Key Po
To migr
1. Op
2. Rig
3. If th
200
Sele
4. Clic
5. Log
6. Typ
7. Typ
Pre
DC
Thi
ate to DFS-R
oints
rate SYSVOL repl
en the Active Dir
ht-click the doma
he Current doma
08, select Window
ect an available
ck Raise. Click O
g on to a domain
pe dfsrmig /setgl
pe dfsrmig /getm
pared global stat
Cs.
is can take 15 min
Replication
lication from FRS
rectory Domains
ain and choose R
ain functional le
ws Server 2008 o
domain function
OK twice in respo
controller and op
lobalstate 1.
migrationstate to
te. Repeat this ste
nutes to an hour
Administering A
of SYSVOL
S to DFS-R, perfor
s and Trusts sna
Raise Domain Fu
evel box does not
or Windows Serv
nal level list.
nse to the dialog
pen a command
query the progre
ep until the state h
or longer.
rm the following
p-in.
unctional Level.
t indicate Window
ver 2008 R2 from
boxes that appea
prompt.
ess of DCs towar
has been attained
rs 11-81

steps:
ws Server
m the
ar.
d the
d by all
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
8. Type dfsrmig /setglobalstate 2.
9. Type dfsrmig /getmigrationstate to query the progress of DCs toward the
Redirected global state. Repeat this step until the state has been attained by all
DCs.
This can take 15 minutes to an hour or longer.
10. Type dfsrmig /setglobalstate 3.
After you begin migration from state 2 (prepared) to state 3 (replicated), any
changes made to the SYSVOL folder will have to be replicated manually to the
SYSVOL_DFSR folder.
11. Type dfsrmig /getmigrationstate to query the progress of DCs toward the
Eliminated global state. Repeat this step until the state has been attained by all
DCs.
This can take 15 minutes to an hour or longer.
12. For more information about the dfsrmig.exe command, type dfsrmig.exe /?.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1

Lab D: C
Lab Se
For this
begin th
1. On
clic
2. In H
clic
3. In t
4. Log

5. Rep
onfigure
etup
s lab, you will use
he lab, you must
the host comput
ck Hyper-V Mana
Hyper-V Manag
ck Start.
the Actions pane,
g on by using the
User name: Pat.
Password: Pa$$
Domain: Conto
peat steps 2-4 for
DFS-R R
e the available vir
complete the foll
ager.
ger, click 6425C-N
click Connect. W
e following creden
.Coleman
$w0rd
so
6425C-NYC-DC
Administering A
eplicatio
rtual machine env
lowing steps:
oint to Administr
NYC-DC1, and in
Wait until the virt
ntials:
2.
n of SYSV
vironment. Before
rative Tools, and
n the Actions pan
tual machine star
rs 11-83
VOL

e you
d then
ne,
rts.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
6. On NYC-DC1, open Windows Explorer and then browse to
D:\Labfiles\Lab11d.
7. Run Lab11d_Setup.bat with administrative credentials. Use the account
9. Close the Windows Explorer window, Lab11d.

Lab Scenario
You are an administrator at Contoso, Ltd. You have recently upgraded the last
remaining Windows Server 2003 domain controller to Windows Server 2008, and
you want to take advantage of the improved replication of SYSVOL by using DFS-
R.

Exercise 1: Observe the Replication of SYSVOL
In this exercise, you will observe SYSVOL replication with File Replication Service
(FRS) by adding a logon script to the NETLOGON share and observing its
replication to another domain controller.
1. Observe SYSVOL replication.

Task 1: Observe SYSVOL replication
On NYC-DC1, open %SystemRoot%\ Sysvol\sysvol\contoso.com\Scripts.
Run Notepad as an administrator, with the user name Pat.Coleman_Admin
Save a test file as %SystemRoot%\Sysvol\sysvol\contoso.com\Scripts
\TestFRS.txt.
On NYC-DC2, open %SystemRoot%\Sysvol\sysvol\contoso.com\Scripts.
Confirm that TestFRS.txt has replicated to the NYC-DC2 Scripts folder.
If the file does not appear immediately, wait. It can take up to 15 minutes for
replication to occur. You can, optionally, continue with Exercise 2. Before
continuing with Exercise 3, check to ensure that the file has replicated.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
After you have observed the replication, close the Windows Explorer window
showing the Scripts folder on both NYC-DC1 and NYC-DC2.

Results: In this exercise, you observed the replication of a test file between the
SYSVOL\Scripts folders of two DCs.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 2: Prepare to Migrate to DFS-R
Before you can migrate to DFS-R of SYSVOL, the domain must contain only
Windows Server 2008 DCs, and the domain functional level must be raised to
Windows Server 2008.
1. Confirm that the current domain functional level is Windows Server 2008.
2. Confirm that DFS-R replication is available at Windows Server 2008 domain
functional level.

Task 1: Confirm that the current domain functional level is Windows
Server 2008
On NYC-DC1, run Active Directory Users and Computers as an
Pa$$w0rd.
Confirm that the current domain functional level is Windows Server 2008.

Task 2: Confirm that DFS-R replication is available at the Windows
Server 2008 domain functional level
Open the command prompt. Use the account Pat.Coleman_Admin with the
password Pa$$w0rd. Type dfsrmig /getglobalstate, and then press Enter. A
message appears informing you that DFS-R migration has not yet been
initialized.

Results: In this exercise, you raised the domain functional level to Windows Server
2008 and confirmed that by doing so you have made it possible to migrate SYSVOL
replication to DFS-R.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 3: Migrate SYSVOL Replication to DFS-R
In this exercise, you will migrate the replication mechanism from FRS to DFS-R.
1. Migrate SYSVOL replication to DFS-R

Task 1: Migrate SYSVOL replication to DFS-R
1. Switch to the Command Prompt
2. Type dfsrmig /setglobalstate 0, and then press Enter.
The following message appears.
Current DFSR global state: 'Start'
New DFSR global state: 'Start'
Invalid state change requested.
The default global state is already 0, Start, so your command is not valid.
However, this does serve to initialize DFSR migration.
3. Type dfsrmig /getglobalstate, and then press Enter.
Succeeded.
4. Type dfsrmig /getmigrationstate, and then press Enter.
All Domain Controllers have migrated successfully to Global state
('Start').
Migration has reached a consistent state on all Domain
Controllers.
Succeeded.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
New DFSR global state: 'Prepared'

Migration will proceed to 'Prepared' state. DFSR service will
copy the contents of SYSVOL to SYSVOL_DFSR
folder.

If any DC is unable to start migration then try manual polling.
OR Run with option /CreateGlobalObjects.
Migration can start anytime between 15 min to 1 hour.
Succeeded.
A message appears that reflects the migration state of each domain controller.
Migration can take up to 15 minutes.
7. Repeat this step until you receive the following message that indicates
migration has progressed to the Prepared state and is successful.
('Prepared').
Controllers.
Succeeded.
When you receive the message just shown, continue to the next step.
During migration to the Prepared state, you might see one of these messages.
The following Domain Controllers are not in sync with Global state
('Prepared'):

Domain Controller (Local Migration State) - DC Type
===================================================

NYC-DC1 ('Start') - Primary DC
NYC-DC2 ('Start') - Writable DC

Migration has not yet reached a consistent state on all Domain
Controllers.
State information might be stale due to AD latency.
or
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
('Prepared'):

===================================================

NYC-DC1 ('Start') - Primary DC
NYC-DC2 ('Waiting For Initial Sync') - Writable DC

Controllers.
or
('Prepared'):

===================================================

NYC-DC2 ('Waiting For Initial Sync') - Writable DC

Controllers.
8. Click Start, point to Administrative Tools, right-click Event Viewer, and then
click Run as administrator.
10. In the User name box, type Pat.Coleman_Admin.
Event Viewer opens.
12. In the console tree, expand Applications and Services Logs, and select DFS
Replication.
13. Locate the event with Event ID 8014 and view its properties.
14. Close Event Viewer.
15. Switch to the Command Prompt.
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
The following message appears:
Current DFSR global state: 'Prepared'
New DFSR global state: 'Redirected'

Migration will proceed to 'Redirected' state. The SYSVOL share
will be
changed to SYSVOL_DFSR folder.

If any changes have been made to the SYSVOL share during the state
transition from 'Prepared' to 'Redirected', please robocopy the
changes
from SYSVOL to SYSVOL_DFSR on any replicated RWDC.
Succeeded.
A message appears that reflects the migration state of each domain controller.
Migration can take up to 15 minutes.
18. Repeat step 17 until you receive the following message that indicates migration
has progressed to the Prepared state and is successful.
('Redirected').
Controllers.
Succeeded.
When you receive the message just shown, continue to the next task.
During migration, you might receive messages like the following.
('Redirected'):

===================================================

NYC-DC2 ('Prepared') - Writable DC

Controllers.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Results: In this exercise, you migrated the replication of SYSVOL to DFS-R in the
contoso.com domain.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Exercise 4: Verify DFS-R Replication of SYSVOL
In this exercise, you will verify that SYSVOL is being replicated by DFS-R.
1. Confirm the new location of SYSVOL.
2. Observe SYSVOL replication.

Task 1: Confirm the new location of SYSVOL
At the Command Prompt, type net share, and then press Enter. Confirm that
the NETLOGON share refers to the %SystemRoot%\SYSVOL_DFSR
\Sysvol\contoso.com\Scripts folder, and that the SYSVOL share refers to the
%SystemRoot%\SYSVOL_DFSR\Sysvol folder.

Task 2: Observe SYSVOL replication
On NYC-DC1, open %SystemRoot%\SYSVOL_DFSR\Sysvol
\contoso.com\Scripts.
Note that the TestFRS.txt file created earlier is already in the Scripts folder.
While the DCs were at the Prepared state, files were replicated between the
legacy, FRS SYSVOL folder and the new, DFS-R SYSVOL folder.
Run Notepad as an administrator, with the user name Pat.Coleman_Admin
Save a test file as %SystemRoot%\SYSVOL_DFSR\Sysvol\contoso.com
\Scripts \TestDFSR.txt.
On NYC-DC2, open %SystemRoot%\SYSVOL_DFSR\Sysvol\contoso.com
\Scripts.
Confirm that the TestDFSR.txt file has replicated to the NYC-DC2 Scripts
folder.
If the file does not appear immediately, wait a few moments.

Results: In this exercise, you observed the replication of a test file between the
SYSVOL_DFSR Scripts folders of two DCs.

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
click Revert.
Question: What would you expect to be different between two enterprises, one
which created its domain initially with Windows 2008 DCs, and one that migrated
to Windows Server 2008 from Windows Server 2003?
Question: What must you be aware of while migrating from the Prepared to the
Redirected state?

B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
11-94 Configuring
Module
Review
Questio
function
Questio
installat
Questio
Questio
operatio
Review a
w Questions
on: In which scen
nal level during d
on: How can you
tion?
on: How can you
on: If you seize th
on master?
and Takea
nario will you hav
dcpromo wizard?
easily prepare an
say that RID ma
he operations ma
aways
ve the option to c

n unattended file
ster is not workin
aster role, can you
Services
choose domain an
for domain cont
ng?
u bring online the

nd forest
troller
e original
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Common Issues Related to Administering AD DS Domain Controllers
Cannot raise domain or forest
functional level
Check if all DCs are running same version of
operating system that is equal to domain
functional level. If forest case, check that all
domains are running same functional level that
is equal to desired forest functional level
You cannot transfer one or more
operation masters roles
Check if current role master is online. If not,
you must seize the role instead transferring it.
Check if role that you want to install is
supported on Server Core, as this version
supports only limited number of roles and
features.
You cannot add additional domain
controller to current AD DS
infrastructure
Check if there is at least one domain
controller available
Check DNS functionality
Check IP settings
Best Practices Related to Administering AD DS Domain Controllers

Always install at least two DCs per one domain to achieve high availability.
Use Server Core domain controller when using role-centric servers, and to
maintain higher security and easier management.
Distribute operations masters roles on several servers. Be sure to co-locate
compatible roles.
Use DFS-R for SYSVOL replication.
Tools
Active Directory Users
and Computers
Managing operation masters
Managing domain functional
level
Creating and managing AD
objects
B
E
T
A

C
O
U
R
S
E
W
A
R
E

E
X
P
I
R
E
S

4
/
1
8
/
2
0
1
1
Active Directory
Domains and Trusts
Managing domain and forest
functional level
Trust management
Dcpromo.exe Installation and configuration of
Active Directory Domain
Services
You can run it
manually
Server Manager AD DS role installation Administrative Tools
Active Directory
Schema Management
Managing schema master role Must be added as a
separate snap-in

Windows Server 2008 R2 Features Introduced in this Module
Windows Server 2008 R2 feature Description
New Server Core roles and Features In Windows Server 2008 R2, new roles and
features are provided for Server Core
installation

6425C ENU Beta TrainerHandbook Part2

Caricato da

Informazioni sul documento

Descrizione originale:

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

6425C ENU Beta TrainerHandbook Part2

Caricato da

Copyright:

Formati disponibili

O F F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T

Microsoft Certied Trainers and InstructorsYour instructor is a technical and

2008 Active Directory

2008 Active Directory

2008 Active Directory

2008 Active Directory

Domain Services xiii

2008 Active Directory

2008 Active Directory

Potrebbero piacerti anche