6432A
Managing and Maintaining
Windows Server® 2008 Active
Directory® Servers
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries.
All other trademarks are property of their respective owners.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. “Academic Materials” means the printed or electronic documentation such as manuals, workbooks,
white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.
b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
“MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one (1)
Course.
d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning Center
during an Authorized Training Session, each of which provides training on a particular Microsoft
technology subject matter.
e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. “Licensed Content” means the materials accompanying these license terms. The Licensed Content
may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content,
(iii) classroom setup guide, and (iv) Software. There are different and separate components of the
Licensed Content for each Course.
g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.
i. “Student Content” means the learning materials accompanying these license terms that are for use
by Students and Trainers during an Authorized Training Session. Student Content may include labs,
simulations, and courseware files for a Course.
j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and
b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized
Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.
k. “Trainer Content” means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as a
base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
m. “Virtual Machine” means a virtualized computing experience, created and accessed using
Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered “Trainer Content”.
n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic),
Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location
or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for use
by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that
the number of copies in use does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed Content
on such server does not exceed the number of Students enrolled in and the Trainer delivering the
Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (i) or (ii) above during such
Authorized Training Session in accordance with these license terms.
iv. Separation of Components. The components of the Licensed Content are licensed as a single unit.
You may not separate the components and install them on different Devices.
v. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions in
this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain
the same information and/or work the way a final version of the Licensed Content will. We may
change it for the final, commercial version. We also may not release a commercial version. You will
clearly and conspicuously inform any Students who participate in each Authorized Training Session of
the foregoing; and, that you or Microsoft are under no obligation to provide them with any further
content, including but not limited to the final released version of the Licensed Content for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for
any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft software,
Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a
license that requires Microsoft to license its software or documentation to third parties because we
include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features and
documentation that may be included with the Licensed Content, is confidential and proprietary to
Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a
protective order or otherwise protect the information. Confidential information does not
include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to Microsoft
or its suppliers; or
• you developed independently.
d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you
is the end date for using the beta version, or (ii) the commercial release of the final release version of
the Licensed Content, whichever is first (“beta term”).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning
Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time
indicated on the install of the Virtual Machines (between 30 and 500 days after you install it).
You will not receive notice before it stops running. You may not be able to access data used
or information saved with the Virtual Machines when it stops running and may be forced to
reset these Virtual Machines to their original state. You must remove the Software from the
Devices at the end of each Authorized Training Session and reinstall and launch it prior to the
beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before
installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training
Session, you will obtain from Microsoft a product key for the operating system software for
the Virtual Hard Disks and will activate such Software with Microsoft using such product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art,
animations, sounds, music, shapes, video clips and templates provided with the Licensed Content
solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content,
they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as
“Evaluation Software” may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or
ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session,
Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of
the Licensed Content that are logically associated with instruction of the Authorized Training
Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a)
that any of these customizations or reproductions will only be used for providing an Authorized
Training Session and (b) to comply with all other terms and conditions of this agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials and
you may not print any book (either electronic or print version) in its entirety. If you reproduce
any Academic Materials, you agree that:
• The use of the Academic Materials will be only for your personal reference or training use;
• You will not republish or post the Academic Materials on any network computer or broadcast
in any media;
• You will include the Academic Material’s original copyright notice, or a copyright notice to
Microsoft’s benefit in the format provided below:
Form of Notice:
© 2008 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else’s use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allow you to use it in certain ways. You may not
• install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft’s prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that
applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
• publish the Licensed Content for others to copy;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
• Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks, do not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional
information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content
marked as “NFR” or “Not for Resale.”
10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as
“Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of these license terms. In the event your status as an Authorized
Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by
Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must
destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-
based services and support services that you use, are the entire agreement for the Licensed
Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of
that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or
other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as is.” Any use of this Licensed
Content is at your own risk. Microsoft grants no other express warranty. You may have additional rights
under local consumer protection law, which this agreement cannot change. Where permitted by local law,
the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from
Microsoft and its suppliers compensation for direct damages only up to U.S. $5.00. You cannot claim any
compensation for other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the Licensed Content, services or content (including code) on third-party Internet
sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other fault to the extent
permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the
above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change the rights conferred on you by the laws of your country if
those laws do not permit it.
Managing and Maintaining Windows Server® 2008 Active Directory® Servers x
Contents
Module 1: Managing an Active Directory Server Lifecycle
Lesson 1: Planning an Active Directory Server Deployment 1-3
Lesson 2: Using Active Directory Server Deployment Technologies 1-9
Lesson 3: Adding AD DS Server Roles 1-17
Lesson 4: Removing AD DS Server Roles 1-25
Lab: Managing and Maintaining a Windows Server 2008 Domain Controller 1-29
Course Description
This course provides you with the knowledge and skills to manage and maintain
Windows Server® 2008 Active Directory® servers. The course focuses on the Active
Directory server lifecycle by creating baselines, monitoring system health, and
maintaining security. The course also focuses on managing Active Directory
Domain Services (AD DS) and Active Directory service roles.
Audience
This course is intended for Server Administrators who are familiar with Microsoft®
Windows Server 2008 and who are, or will be, responsible for the daily
management and maintenance of Windows Server 2008 Active Directory servers. It
is also intended for IT professionals who could benefit from acquiring the skills
required by a Windows Server 2008 Active Directory Server Administrator, such as
a Server Administrator who is responsible for network application servers and
works closely with the Active Directory Server Administrator, or an Enterprise
Administrator who wants to understand the operational requirements of Windows
Server 2008 Active Directory Servers before designing a network server
infrastructure.
Student Prerequisites
This course requires that you meet the following prerequisites:
• 6424 Fundamentals of Windows Server® 2008 Active Directory®
• 6425 Configuring Windows Server® 2008 Active Directory® Domain Services
• 6426 Configuring Identity and Access Solutions with Windows Server® 2008
Active Directory®
• 6430 Managing and Maintaining Windows Server® 2008 Servers
Course Objectives
After completing this course, students will be able to:
• Plan and identify different approaches to Active Directory server deployment.
• Add and remove the AD DS server role.
xv About This Course
Course Outline
This section provides an outline of the course:
Module 1, "Managing an Active Directory® Server Lifecycle" explains how to
support and maintain Active Directory servers to meet changing business
requirements in an enterprise environment.
Module 2, "Creating Baselines for Active Directory® Servers" explains how to create
baselines using the WRPM and through analysis, make decisions to improve server
performance.
Module 3, "Monitoring the System Health of Active Directory® Servers" explains
how to create and evaluate a monitoring plan based on business needs and
environments. It also explains how to determine the health of Active Directory
servers using performance monitoring and event log triggers.
Module 4, "Managing Active Directory® Domain Services" explains how to
implement the methodology of maintaining Windows Server 2008 AD DS.
Course Materials
The following materials are included with your kit:
• Course Handbook. The Course Handbook contains the material covered in
class. It is meant to be used in conjunction with the Course CD.
• Course CD. The Course CD contains a Web page that provides you with links
to resources pertaining to this course, including lab exercise answer keys, lab
virtual machine build guide, and categorized resources and Web links.
Note: To open the Web page, insert the Course CD into the CD-ROM drive, and then in
the root directory of the CD, double-click StartCD.exe.
• Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.
To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification
Program, send e-mail to mcphelp@microsoft.com.
Important: In order to save time booting and logging in to the virtual machines,
the lab directions will advise you to leave the virtual machines running throughout
the course of each day. At the end of each day, you should close each virtual
The following table shows the role of each virtual machine used in this course:
Software Configuration
The Windows Server 2008 software is installed on each virtual machine.
Course Files
There are files associated with the labs in this course. The lab files are located in
the folder E:\Labfiles on the student computers.
Classroom Setup
Each classroom computer will have the same virtual machines configured in the
same way. The computers do not need to be networked as each one is self-
contained. As to the room layout, it is up to the instructor but a "U" shaped seating
arrangement may be more convenient for the lab discussion exercises.
When you plan to deploy Active Directory servers that are running Windows
Server 2008, you must contemplate hardware requirements, version differences,
and whether to upgrade existing systems or perform "clean" installs. Two new
features of Windows Server 2008, Read-Only Domain Controllers (RODCs) and
Windows® Server Core, provide more topics to think about during Active Directory
planning.
1-4 Managing an Active Directory® Server Lifecycle
Key Points
You can license Windows Server 2008 with Hyper-V or without it (the products
have different SKUs) although the cost savings are minimal for the non-Hyper-V
versions.
Minimum hardware requirements for Windows Server 2008 (x86) are higher than
for Microsoft® Windows Server 2003:
• 1 GHz processor (32-bit), Standard edition
• 1.4 GHz processor (64-bit), Standard edition
• Minimum of 512 MB RAM
• Minimum of 10 GB free disk space
Web Server edition is now available in a 64-bit version.
Key Points
"CPUs" in the above slide refers to CPU sockets, not necessarily CPU cores.
Here is some additional information on specific editions:
• A Web Edition server cannot run Active Directory Domain Services (AD DS).
• The Enterprise Edition also provides rights to use four virtual instances of the
product.
• The Datacenter Edition provides unlimited rights to run virtual instances.
• An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-
based systems.
All editions provide for two simultaneous Remote Desktop connections.
Key Points
Because of the changes Microsoft has made to the upgrade process, you can expect
fewer differences in terms of NTFS and Registry security than in upgrades to earlier
versions of Windows.
The new in-place upgrade is basically an export -- clean parallel install -- import
operation. Traditional cautions against performing an in-place upgrade are
therefore less valid when upgrading to Windows Server 2008.
If you perform an upgrade, you can view the log files setuperr.log and setupact.log in
the folder c:\windows\panther, to see any errors that might have been
encountered.
Key Points
The RODC option presents itself when running the AD DS Installation Wizard.
RODC may also run read-only DNS.
No administrative credentials are cached and only branch-office users' credentials
are cached on the RODC.
RODC is conceptually similar to the Backup Domain Controller in Windows NT®
Server.
Key Points
Windows Server Core can run Internet Information Services (IIS), even though this
capability was not present in the beta product. It can also run DHCP, DNS, and act
as a file or print server.
Server Core has appeal because of lower hardware requirements, lower attack
surface, lower administrative overhead, and anticipated higher reliability.
Generally, Server Core is manageable remotely using standard MMC snap-ins.
However, as the reference document cited below points out, you might need to
enable some firewall rules (and perform other steps as well) to permit such remote
management.
For more information, refer to the Server Core blog on the Microsoft
TechNet Web site.
You can deploy Active Directory servers in your organization in several different
ways. This lesson is designed to make you think about the best method or
methods for your organization.
Key Points
You have various options for deploying an Active Directory server locally:
• Install by booting a Windows Server 2008 DVD.
• Install by booting to a custom-created DVD running WinPE and using your
own image files created with the Windows Automated Installation Kit (WAIK).
• Install by booting to an external USB hard drive, configured as above. These
devices are often significantly faster than optical drives.
• Modify any of the above by creating an answer file in the System Image
Manager (SIM) provided in the WAIK.
After the operating system is installed, if you are installing AD DS, you can script
the AD DS Installation Wizard, bypassing the interactive prompts. Here is an
example from TechNet:
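The TechNet example referred to above is not reproduced on this page. What follows is an added example, not the TechNet sample and not the course's own lab script: a PowerShell script that writes a dcpromo answer file and promotes the server as a read-only domain controller (the scenario the later RODC lab uses for NYC-SVR1). The domain name woodgrovebank.com, the site name BranchOffice, the group names and the paths are assumed values; the [DCInstall] keys are the Windows Server 2008 dcpromo unattend keys as I know them, and the DSRM password is a placeholder you must replace.

```powershell
# Added example (not the TechNet sample the notes refer to): promote this
# server to a read-only domain controller with a dcpromo answer file.
# Assumed values: forest DNS name woodgrovebank.com, site BranchOffice, the
# groups "Branch Users" and "Branch Admins". dcpromo installs the AD DS
# binaries itself if the role was not added through Server Manager first.

$answerFile = Join-Path $env:TEMP 'dcpromo-rodc.txt'

# [DCInstall] keys as documented for Windows Server 2008 dcpromo /unattend.
# ReadOnlyReplica requests an RODC. PasswordReplicationAllowed names the
# branch accounts whose secrets may be cached locally; PasswordReplicationDenied
# keeps administrative accounts out of that cache even if they log on here.
# Password=* makes dcpromo prompt for the credential instead of storing it.
$answerText = @'
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=woodgrovebank.com
SiteName=BranchOffice
InstallDNS=Yes
ConfirmGc=Yes
ReplicationSourceDC=NYC-DC1.woodgrovebank.com
PasswordReplicationAllowed="WOODGROVEBANK\Branch Users"
PasswordReplicationDenied="WOODGROVEBANK\Domain Admins"
DelegatedAdmin="WOODGROVEBANK\Branch Admins"
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
UserDomain=WOODGROVEBANK
UserName=Administrator
Password=*
SafeModeAdminPassword=<REPLACE-WITH-DSRM-PASSWORD>
RebootOnCompletion=No
'@

# The file holds the DSRM password: write it where only administrators can
# read it, run dcpromo, then remove it before the reboot.
Set-Content -Path $answerFile -Value $answerText -Encoding ASCII
& dcpromo.exe "/unattend:$answerFile"
$exitCode = $LASTEXITCODE
Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue

"dcpromo exit code: $exitCode (0 means success; restart the server to finish)"
```

The Password Replication Policy keys are where the RODC's security value lies: they are the configuration behind the point above that no administrative credentials are cached and only branch-office users' credentials are. RebootOnCompletion is set to No so that the script can delete the answer file before the restart; reboot with `shutdown /r` afterwards.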
Key Points
If you choose to use a network-based installation method for Windows Server
2008, you again have several options:
• Create a distribution point on the network to which you connect from the
target machine and then run an interactive install.
• Automate the distribution of Windows Server 2008 images over the network
with Windows Deployment Services (WDS) (see next slide for details).
• Modify the above methods with an answer file created in the SIM provided in
the WAIK.
Windows Server 2008 images are likely to be much larger than Windows Server
2003 images, so their effect on network traffic is likely to be bigger.
Key Points
A boot image is an image that you use to start a computer onto which you intend to
install an operating system. An install image is an image containing the operating
system you want to install, plus any other applications you want to bundle into the
image.
The feature set between WDS on Windows Server 2003 and WDS on Windows
Server 2008 is not identical. For example, WDS on Windows Server 2008 includes
the ability to network-boot 64-bit machines with Extensible Firmware Interface
(EFI).
WDS can perform multicast transmissions so you can perform multiple
deployments concurrently.
Plan to do performance testing before deploying large numbers of images with
WDS. Windows Server 2008 and Windows Vista® images, in particular, are
substantially larger than Windows Server 2003 and Windows XP images.
Key Points
The main benefit of installing from backup is speed. If you are deploying only a
few AD DS servers, this technique might not be as advantageous as when you are
deploying many AD DS servers.
You can create a backup of relevant domain information from an existing domain
controller using NTDSUTIL (no longer by backing up the system state, as in
Windows Server 2003) and use that to build the new domain controller.
An acronym you might see in this connection is IFM, which stands for Install From
Media.
You must select the Advanced Mode check box at the start of the AD DS
Installation Wizard (dcpromo) to see this option.
Key Points
The successor to Systems Management Server (SMS) 2003 is System Center
Configuration Manager 2007. Software distribution functions very similarly in both
products.
SMS 2003 and System Center Configuration Manager 2007 are built on a
Microsoft SQL Server database that facilitates inventory management.
You can use these products to deploy both server and client versions of Windows.
You can obtain an evaluation version of System Center Configuration Manager
2007 on the Microsoft Web site. Unlike with SMS 2003, the evaluation version is
upgradeable to the paid version.
The new Server Manager console carries with it new terminology. Roles are
collections of related functionality; AD DS is a role. Features, such as BitLocker™,
are capabilities that do not map to a single role. Proper understanding of roles and
features is essential to configuring and reconfiguring Active Directory servers.
Key Points
You can add an AD DS role using the various methods described in this module.
However, the actual promotion of a server to become a domain controller does not
occur until you run the DCPROMO tool.
If you do not add the AD DS role first (for example, by using Server Manager),
DCPROMO installs the necessary binaries for you when you run it. Unlike in
Windows Server 2003, the binaries for the role are not present by default in
Windows Server 2008.
Key Points
Another potential advantage to splitting roles out onto different servers is that
downtime (whether planned or unplanned) on one server has less impact on the
overall role availability.
As you look at the various technical and administrative issues associated with
combining and/or segregating roles on physical servers, consider the potential
benefits of server consolidation through the use of virtualization.
Windows Server 2008 with Hyper-V is designed to provide the best of both worlds:
the cost savings of a smaller number of physical machines, and the administrative
and reliability benefits of single-purpose servers.
Having said that, you should still consider the impact of hardware failure on a
physical computer that is hosting multiple virtual machines and plan for that
contingency if you move towards server consolidation through virtualization.
Key Points
Adding and removing server roles is a major operation and should be performed
by knowledgeable staff.
Windows Server 2008 does not offer the ability to create a restore point such as
you can create in Windows Vista. However, you can use Windows Server Backup
to back up your operating system files in case a role installation goes wrong.
Some network administrators choose to disable the Initial Configuration Tasks
(ICT) console because it offers no options that are not also available via Server
Manager.
Question: Do you think that the GUI method or the command-line method puts
the administrator at greater risk of making a mistake?
Key Points
Because Server Manager is the main MMC snap-in to add (and remove) roles, and
because it is not remote-enabled, you can consider running it via a Remote
Desktop session.
You can also execute the Server Manager's command-line version remotely, via
Remote Desktop or other methods. Some of these are presented in the next topic.
After a role has been added to a Windows Server 2008 system, you can generally
manage it by using the remote functionality of the associated MMC snap-in, as
described in the slide.
You can manage roles remotely from a computer on which the underlying service
is not installed by using Remote Server Administration Tools (RSAT), which is
itself a "feature" in Server Manager's terminology of "roles" and "features."
Key Points
The client component of WinRM is Windows Remote Shell (WinRS).
WMI is Microsoft's implementation of Web-Based Enterprise Management
(WBEM), present in Windows since Windows 2000.
RemoteApp is a new feature of Terminal Services whereby a single application can
be remoted instead of an entire desktop.
Key Points
The OCLIST command (with no qualifiers) on a Server Core system lists both
installed and uninstalled roles and features.
Another way you could verify the addition of a role would be to look in the
Registry for relevant keys and values. However, it is a good practice to avoid
REGEDIT if easier and safer methods exist.
Specific techniques also exist for particular roles. For example, one way to verify
that the AD DS role has been installed would be to try to log on to the server with
local account credentials. Domain controllers do not permit the use of local
accounts to log on.
You can decommission an AD DS server from the GUI or the command line, and
basically use the same methods as for installing an AD DS server. You might need
to decommission an AD DS server, for example, if your organization needs to
shuffle server resources towards a more performance-critical task.
Key Points
Component-Based Servicing is the system Microsoft uses to identify
interdependencies between roles and features, and the "role services" that are
required to support a given role. These dependency checks were limited in the
older Add or Remove Windows Components control panel.
This architecture helps ensure that you do not accidentally remove a role or role
service that is still required by the remaining roles on the server.
Removing a role via Server Manager is generally simpler than adding a role,
because you will see fewer (if any) configuration options.
You can remove multiple roles in a single operation.
Key Points
Demoting a domain controller with DCPROMO does not remove the AD DS
binaries.
Key Points
As with verifying newly added roles, the OCLIST command on a Server Core
system lists both installed and uninstalled roles and features.
Do not use the presence or absence of Registry entries as authoritative evidence
that a role has been successfully removed. Some keys might remain in the Registry
even after the successful removal of an Active Directory role.
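The two verification points above (confirming that a role was added, and confirming that it was removed without trusting Registry entries) can both be served by one check that reads two independent signals: whether the role's binaries are installed and whether the machine is actually acting as a domain controller. This is an added example, not course material; it assumes PowerShell 2.0 on a full (non-Core) installation, uses the Win32_ComputerSystem DomainRole values, and the `[X] Name  [Id]` line layout it parses is my recollection of ServerManagerCmd -query output, so check it against your own.

```powershell
# Added example: verify the AD DS role state without reading the Registry.
# Signal 1: are the role binaries installed? (ServerManagerCmd -query, full
# installations only; on Server Core the notes use OCLIST instead.)
# Signal 2: is the machine really a DC? (Win32_ComputerSystem.DomainRole)

# DomainRole values as documented for Win32_ComputerSystem.
$domainRoles = @{
    0 = 'Standalone workstation';   1 = 'Member workstation'
    2 = 'Standalone server';        3 = 'Member server'
    4 = 'Backup domain controller'; 5 = 'Primary domain controller'
}

function Get-DcStatus {
    param([string]$ComputerName = '.')
    $cs   = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
    $role = [int]$cs.DomainRole
    New-Object PSObject -Property @{
        Computer           = $cs.Name
        Domain             = $cs.Domain
        DomainRole         = $domainRoles[$role]
        IsDomainController = ($role -ge 4)   # 4 and 5 are the DC values
    }
}

# Parse "[X] Display Name  [Id]" lines. The layout is an assumption based on
# how I recall ServerManagerCmd -query printing; adjust the regex if yours differs.
function ConvertFrom-ServerManagerQuery {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(X| )\]\s+(.+?)\s+\[([^\]]+)\]\s*$') {
            New-Object PSObject -Property @{
                Installed = ($matches[1] -eq 'X')
                Name      = $matches[2]
                Id        = $matches[3]
            }
        }
    }
}

function Test-RoleInstalled {
    param([string]$RoleId)
    $entries = ConvertFrom-ServerManagerQuery -Lines (& ServerManagerCmd.exe -query)
    $entry   = $entries | Where-Object { $_.Id -eq $RoleId }
    if ($entry) { [bool]$entry.Installed } else { $false }
}

# Read both signals together; the combinations map onto the cases in the notes.
function Test-AdDsState {
    $status        = Get-DcStatus
    $roleInstalled = Test-RoleInstalled -RoleId 'AD-Domain-Services'
    if     ($roleInstalled -and $status.IsDomainController) { 'AD DS installed and promoted' }
    elseif ($roleInstalled)            { 'AD DS binaries present but not promoted (role added, or demoted with DCPROMO)' }
    elseif ($status.IsDomainController){ 'Reports a DC role but the binaries are missing: investigate' }
    else                               { 'AD DS not installed' }
}

Get-DcStatus | Format-List Computer, Domain, DomainRole, IsDomainController
Test-AdDsState
```

The second branch is the case the notes describe for demotion: after DCPROMO demotes a domain controller, the role still shows as installed while DomainRole drops to "Member server", so neither signal alone tells the whole story.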
Exercise Overview
In this exercise, you will create a plan to add the AD DS role to NYC-SVR1.
______________________________________________________________________
Results: After this exercise, you should have a plan to promote NYC-SVR1 to be an AD
DS domain controller.
__________________________________________________________________
Results: After this exercise, you should have a new RODC in the form of NYC-SVR1.
This should help alleviate the problem of slow logons in the branch office.
Exercise Overview
In this exercise, you will write a first draft for a management and maintenance plan
for the NYC-DC1 and NYC-SVR1 domain controllers. (Depending on class size, the
instructor may break the class into smaller groups for purposes of generating
discussion.)
The main tasks for this exercise are as follows:
1. Decide which tools are better suited for each of the two domain controllers.
2. Decide whether the new RODC is meeting the business needs.
3. Decide whether delegation for certain functions might be appropriate.
Task 1: Decide which tools are better suited for each of the two domain controllers
• Decide which tools are better suited for corporate headquarters and which are
better suited to the branch office scenario. Consider that Server Manager is not
“remoteable” as such, but Active Directory Users and Computers is
remoteable, as well as Event Viewer.
• Use the space below to write the answers.
______________________________________________________________________
Results: After this exercise, you should have a draft document that outlines how to
manage these two domain controllers.
______________________________________________________________________
Results: After this exercise, you should have ideas for evaluating the success of the
plan developed in Exercise 4.
Key Points
There are many reasons to implement baselines but probably the most significant
one is to become more proactive in managing information systems, setting
expectations, and matching real-world performance against those expectations.
Baselines generally only make sense for metrics that are measurable. For example,
"user-friendliness" might be very important but there are no software tools for
measuring it.
Some areas that are not traditionally incorporated in baseline planning might be
worth considering, for example, application compatibility, which is often not a
yes/no situation but a range between a fully compatible application and one that
is unusable. What metrics might you use for this area?
Choosing the operational scenarios that your baselines will cover depends on the
nature of your business. For example, an accounting firm in the United States will
have different demands on its information systems in March than in May.
It is important to choose a high-stress scenario because that is often when the
performance of Active Directory systems is most important to the business.
Creating Baselines for Active Directory® Servers 2-5
Key Points
There is no absolute baseline for server hardware because different functions have
different requirements. What might be acceptable hardware for a DHCP server
might be inadequate for a domain controller.
Key Points
Like anything else in an organization, if no person or group takes ownership of
server baselining, it will never develop into a useful technique for managing an
Active Directory network.
A baseline committee must include the consumers of Active Directory services as
well as the providers.
It is possible to go overboard in the planning phases and create a baseline
methodology that is too ambitious for the resources available. It is better to start off
with a highly targeted baseline program (for example, "performance of Active
Directory domain controllers at high stress times") than to set too many new goals
simultaneously.
Key Points
Mine your Windows Server 2003 event and PerfLog history, focusing on strong
examples of the types of performance you want to baseline.
If such history is not available, consider performing some monitoring of the
template systems you have selected, using objects and counters identified later in
this module.
The reason for performing this type of analysis is that the published literature on
Active Directory server performance baselines is quite sparse. Over time, therefore,
you will need to develop your own baselines based on your own analysis and
experience.
A wide variety of third-party tools can assist you in analyzing performance and
event logs from existing servers.
Question: What factors do you think will determine whether existing Active
Directory servers can provide relevant performance and/or event log data for use
in Windows Server 2008 baselining?
Key Points
Periodic reviews should be realistic, considering available personnel resources.
They should also reflect the speed at which your organization's network changes.
More stable Active Directory environments might be fine with annual baseline
reviews; Active Directory environments in rapid flux might need semiannual or
even quarterly reviews at first.
Key Points
If you find yourself in a position of starting over with a new baseline plan,
document why the old plan failed.
Sometimes it is necessary to start over because of a change in management, but
even then you should ask whether elements of the old plan might be salvageable
(for example, list of tools).
Key Points
The Reliability Monitor also correlates the graphical System Stability Index with
failures of the operating system, applications, and hardware.
The System Stability Index graph might show as dotted sections to indicate that
the operating system did not have enough data to calculate a stable index.
The relevant scheduled task is RACAgent.
Recent events are weighted more heavily than older events.
Days when the system is powered down do not count.
Microsoft® does not provide details on the formulas used to calculate the System
Stability Index, nor is there a mechanism for you to modify them or generate your
own.
Key Points
An object is something you want to measure; a counter is a characteristic of that
object that you want to measure; and an instance is the specific occurrence of an
object that might have more than one occurrence (for example, CPU).
The Data Collector Set is a method for grouping collectors together so that you can
reuse the set over time; change its schedule; and/or load it into the real-time
performance monitor console.
You can use a Data Collector Set for ongoing monitoring or for one-time use.
You can save your own Data Collector Sets as a template.
Caveat: The properties for a Data Collector Set are different from the properties
for an individual collector.
Key Points
This slide shows several performance objects and counters that are generally
relevant for most server types and should be considered when setting up a
performance baseline for Active Directory servers.
Using LogicalDisk instead of PhysicalDisk might be more appropriate for servers
with multiple logical disks on a single physical disk.
Key Points
The point of doing PerfMon logging with existing servers is to establish some
ranges for good, fair, and poor performance.
Experiment with the logfile directory location. For example, depending on the type
of testing you are doing, you might benefit from using a USB flash drive.
Also, experiment with log size limits as logs can grow at widely varying rates
depending on the size of the Data Collector Set.
Key Points
The reporting features of WRPM have been borrowed from an older tool, the Server
Performance Advisor from Windows Server 2003.
You can obtain some syntax for the relog command by typing relog /? in a
command prompt session. For more details, see the reference below.
CSV = Comma Separated Values; TSV = Tab Separated Values.
This lesson presents some of the more often-used metrics for particular Active
Directory roles and considers issues of measurement frequency and duration. This
information will be useful in building working baseline documents.
Key Points
Domain controllers perform frequent disk reads and writes, so the physical disk
object is important.
Directory Replication Agent (DRA) inbound and outbound bytes relate to Active
Directory Domain Services (AD DS) replication.
There should be some Kerberos authentication activity for a functioning domain
controller.
Lightweight Directory Access Protocol (LDAP) client sessions should be non-zero
for a functioning domain controller.
LDAP bind time should be very low.
Key Points
In addition to the PerfMon counters and objects, the REPADMIN tool is especially
useful for monitoring Active Directory Lightweight Directory Services (AD LDS)
replication performance.
Key Points
The online responder requires Internet Information Services (IIS), so machines
running Windows Server 2008 configured as an online responder can take
advantage of IIS performance counters as well as the explicit Active Directory
Certificate Services (AD CS) counters.
Key Points
Active Directory Federation Services (AD FS) requires either AD DS or AD LDS, so
the performance objects and counters for those roles will be relevant in creating a
baseline for AD FS.
Key Points
Active Directory Rights Management (AD RMS) depends on the following roles
and services:
• AD DS
• AD CS (or a standalone or third-party certificate authority)
• Microsoft Message Queuing (MSMQ)
• IIS
• SQL Server®
A performance analysis plan should consider the underlying performance of those
roles and services.
Key Points
The higher the frequency, the greater the impact of performance monitoring on
performance. Logging to a separate physical drive helps.
For general-purpose performance monitoring, 15 to 30 minutes is a good interval.
Key Points
Consider the business-cycle variations in your organization when developing
durations. For example, if you see Active Directory activity vary throughout the
day, but you do not see much variation between different days of the week or
month, then a 1-day duration might be sufficient.
Activity can vary by month of the year, also. If you work for a tax consultancy, for
example, certain months might exhibit dramatically more activity than others.
Your measurement durations must capture all significant business-cycle variations.
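One script ties together several of the points above: a counter-based Data Collector Set for the domain controller counters listed earlier (physical disk, DRA inbound and outbound bytes, Kerberos authentications, LDAP client sessions, LDAP bind time), the 15-minute sampling interval and log-size limit, the relog conversion to CSV, and the goal of establishing good, fair and poor ranges. This is an added example, not the course's lab material or a Microsoft tool. It assumes PowerShell 2.0, logs under C:\PerfLogs, the NTDS performance object for the AD counters, and placeholder thresholds in $ranges that you must replace with figures taken from your own history; the CSV at the end is constructed to mimic relog's layout, not captured from a real server.

```powershell
# Added example (not course material): create a Data Collector Set with
# logman, export it with relog, and summarise each counter into ranges.
# Assumptions: PowerShell 2.0, C:\PerfLogs, 15-minute interval, and the
# placeholder thresholds in $ranges.

$counters = @(
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\Kerberos Authentications',
    '\NTDS\LDAP Client Sessions',
    '\NTDS\LDAP Bind Time'
)

# Create and start the collector: binary log (put $OutputDir on a separate
# physical drive where you can), capped at 100 MB (-max), sampled every
# 15 minutes (-si), with the counter list read from a file (-cf).
function New-AdBaselineCollector {
    param([string]$Name = 'CustomAD', [string]$OutputDir = 'C:\PerfLogs')
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    $counterFile = Join-Path $OutputDir "$Name-counters.txt"
    Set-Content -Path $counterFile -Value $counters
    logman create counter $Name -cf $counterFile -si 00:15:00 -f bin -max 100 -o (Join-Path $OutputDir $Name)
    logman start $Name
}

# Convert a binary log to CSV; relog can also narrow it by counter (-c) or
# by time window (-b / -e) before you analyse it.
function Export-BaselineCsv {
    param([string]$BinaryLog, [string]$CsvPath)
    relog $BinaryLog -f csv -o $CsvPath -y | Out-Null
    $CsvPath
}

# Placeholder ceilings: average at or below Good is "good", up to Fair is
# "fair", above that "poor". Replace with values from your own PerfLog history.
$ranges = @{
    'Avg. Disk Queue Length' = @{ Good = 2;  Fair = 4  }
    'LDAP Bind Time'         = @{ Good = 15; Fair = 50 }   # milliseconds
}

function Get-BaselineSummary {
    param([string]$CsvPath)
    $rows = Import-Csv -Path $CsvPath
    # The first column is the PDH timestamp; every other column is a counter path.
    $columns = $rows[0].PSObject.Properties | ForEach-Object { $_.Name } |
               Where-Object { $_ -notmatch 'PDH-CSV' }
    foreach ($col in $columns) {
        # Skip blank cells relog writes for missed samples before casting.
        $values = $rows | ForEach-Object { $_.$col } |
                  Where-Object { $_ -match '^\s*[\d.]+\s*$' } |
                  ForEach-Object { [double]$_ }
        $stats  = $values | Measure-Object -Minimum -Average -Maximum
        $short  = $col.Split('\')[-1]
        $rating = 'n/a'
        if ($ranges.ContainsKey($short)) {
            $r = $ranges[$short]
            if     ($stats.Average -le $r.Good) { $rating = 'good' }
            elseif ($stats.Average -le $r.Fair) { $rating = 'fair' }
            else                                { $rating = 'poor' }
        }
        New-Object PSObject -Property @{
            Counter = $short; Min = $stats.Minimum
            Avg = [math]::Round($stats.Average, 2); Max = $stats.Maximum; Rating = $rating
        }
    }
}

# Constructed sample in relog's CSV layout (not captured from a real server):
# the single high sample at 09:30 pulls both averages into the "fair" band.
$sampleCsv = @'
"(PDH-CSV 4.0) (UTC)(0)","\\NYC-DC1\PhysicalDisk(_Total)\Avg. Disk Queue Length","\\NYC-DC1\NTDS\LDAP Bind Time"
"06/02/2008 09:00:00.000","0.85","12"
"06/02/2008 09:15:00.000","1.20","14"
"06/02/2008 09:30:00.000","5.40","61"
"06/02/2008 09:45:00.000","1.10","13"
'@
$samplePath = Join-Path $env:TEMP 'customad-sample.csv'
Set-Content -Path $samplePath -Value $sampleCsv
Get-BaselineSummary -CsvPath $samplePath | Format-Table Counter, Min, Avg, Max, Rating -AutoSize
```

Run `New-AdBaselineCollector` on the template domain controller for a duration that spans the business-cycle variation described above, stop it with `logman stop CustomAD`, convert the resulting .blg with `Export-BaselineCsv`, and feed that file to `Get-BaselineSummary`. The min and max columns matter as much as the average: a short spike that the average hides is exactly the high-stress condition the notes say a baseline must capture.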
Exercise Overview
The main tasks for this exercise are as follows:
1. Generate ideas for involving users in developing a baseline.
______________________________________________________________________
Results: After this exercise, you should have some ideas for involving users in what
traditionally has been an IT-only activity, developing network performance baselines.
Exercise Overview
In this exercise, you will identify relevant WRPM counters for the loan department
and for the research department.
The main tasks for this exercise are as follows:
1. List the counters that you would consider including in the baseline.
2. Consider differences in a baseline strategy for the two departments.
Task 1: List the counters that you would consider including in the baseline
• Start NYC-DC1.
• Log on to NYC-DC1 as WoodgroveBank\Administrator with the password of
Pa$$w0rd.
• In Server Manager, expand the nodes Diagnostics, Reliability and
Performance, and Data Collector Sets.
• Under the System node, navigate to the Active Directory Diagnostics Data
Collector Set and select Properties.
• On the General tab, read the description of this Data Collector Set.
• Take a look at the other tabs on the Data Collector Set Properties page.
• Close Data Collector Set Properties page.
• In the details pane, you should see four data collectors. What types are they?
• Open the Properties of the Performance Counter data collector. Note the
PerfLog objects that Microsoft has chosen for this pre-built Data Collector Set.
This list is a good starting point for exploring Active Directory performance
counters in detail. Note, for example, the category DirectoryServices.
• Back in Server Manager, in the User Defined node, create a new Data Collector
Set named CustomAD with the following options:
______________________________________________________________________
• Identify three performance counters that would probably be more important
for the research department than for the loan department. Use the space below
to write the counters.
______________________________________________________________________
• Identify three performance counters that would probably be important for
both departments. Use the space below to write the counters.
______________________________________________________________________
• Leave NYC-DC1 running for future labs.
Results: After this exercise, you should be familiar with some of the PerfMon Active
Directory counters, and have some idea of how to adapt a baseline strategy for
different business situations.
Exercise Overview
In this exercise, you will discuss as a class whether the baseline document should
be modified in view of the increased user population, and explore possible
procedures and organizational standards for modifying (or suggesting
modifications to) the baseline document.
The main tasks for this exercise are as follows:
1. Decide whether the baseline document should be modified.
2. Discuss the procedures and standards for modifying a baseline document.
______________________________________________________________________
Results: After this exercise, you should have heard various perspectives and ideas on
the pros and cons of modifying Active Directory baseline documentation, and on how
to implement such modifications in a realistic and practical way.
Moving from general to specific, this lesson considers three ways to define health:
overall system health, server health, and Active Directory (or service) health. Your
organization's health monitoring plan should encompass all three.
3-4 Monitoring the System Health of Active Directory® Servers
Key Points
Users view information systems as whole systems, not as components. The system
fails if any component of the overall system fails.
Active Directory is a large set of services, but managing Active Directory is
ultimately only one link in a long chain of things that have to "go right" in an
information system.
Question: Can you think of any aspects of system health that are important to
your organization, but that the above list omits?
Key Points
The above areas encompass hardware, software, administration, and user support
elements.
Analyzing individual servers, while useful, is not in itself sufficient to obtain a
complete picture of system health. For example, an Active Directory Domain
Services (AD DS) domain controller can take much longer to boot if it cannot find
its replication partners quickly on the network.
Question: Are there any aspects of server health that are important to your
organization, but that the above list omits?
Key Points
Active Directory is more than just directory services with Windows Server® 2008.
Defining the health of an Active Directory Lightweight Directory Services (AD LDS)
installation will involve both Microsoft® tools and vendor-specific tools.
The health of your DNS environment (not just whether DNS works, but whether it
works optimally) has a major impact on AD DS and AD LDS.
Key Points
System Center Operations Manager is the successor to Microsoft Operations
Manager (MOM).
If you are not familiar with this product, Microsoft makes a 180-day evaluation
version available.
Key Points
Trends in the field can arise from changes in:
• User applications
• Business practices (for example, auditing)
• User population changes
• Back-end system changes (for example, antivirus software)
• Hardware changes
• Network link traffic
Proactively survey your IT consumer community to make sure your baseline
documents remain relevant by reflecting real world performance.
Question: Does your organization ever re-evaluate your baselines in the areas of
performance, security, and uptime?
Key Points
Baseline adjustment is a balancing act between 1) spending too much time
updating the baseline and too little on managing the environment, and 2) risking
irrelevance by never updating the baseline document(s) to reflect system evolution.
Question: Do you use baselines as a metric for determining the performance of the
IT organization? If so, does it become even more important to update them?
Key Points
Mean Time To Recover (MTTR) might be more important than Mean Time
Between Failures (MTBF).
Alert responses must have organizational (procedural) elements as well as
technological (triggering) elements to be successful.
Key Points
Windows Server 2008 makes no distinction between "informational alerts" and
"action alerts" but this is a useful distinction to make in your organization. For
informational alerts, logging an entry in the application event log might be
sufficient. It might be useful to create a filter (or view) in Event Viewer for such
informational alerts.
Key Points
You can create scheduled tasks in Server Manager, under the Configuration node.
The task can run when PerfMon triggers it, even if you do not associate any triggers
with the scheduled task when you create it.
Once you have created a scheduled task to execute an alert, if you need to rename
it later, you must recreate it with the new name.
Key Points
You can use event log triggers in addition to, or instead of, PerfMon alerts.
Key Points
You might want to set up different action plans for different levels of severity if you
have created triggers for multiple scenarios.
Autoremediation is always preferable to manual remediation, as long as you have a
mechanism in place for periodically reviewing alert type and frequency.
Microsoft provides a number of tools that you can use for both long-term and
short-term monitoring. This lesson will explore some of these more useful tools.
Key Points
The Windows Reliability and Performance Monitor (WRPM) is an MMC snap-in
that provides tools for analyzing system performance. One of these tools is the
Resource Overview.
If you run the Resource Overview with insufficient credentials, it will not show
current system information.
One way to ensure that you are running with an elevated security token is to run
PerfMon.exe from an administrative command prompt.
The command perfmon /res will open the Resource Overview in a separate
window.
Key Points
The basic PerfMon program is an evolution of a tool that has been present in
Windows® operating systems since Windows NT®.
Successive versions of Windows have added performance objects and counters.
Key Points
Most administrators will not need to review the operational logs regularly, but it is
important to know what is there.
Group Policy is now a service and has its own event log. This will be a primary
troubleshooting resource in Active Directory, along with Resultant Set of Policy.
Many third-party tools exist to gather, organize, and analyze event logs.
Question: What benefits might you gain from making a detailed study of the
complex new Event Viewer console?
Key Points
Windows Remote Shell, or WinRS.exe, is the command-line tool for Windows
Remote Management.
You can add limited Windows Remote Management (WinRM) capability to
Windows Server 2003 R2 using the Windows optional components wizard.
WinRM must be started on machines to be polled (listeners) as well as on the
polling machine. The usual command is winrm quickconfig.
Key Points
This console (services.msc) has not changed dramatically from Windows Server
2003.
Server Manager does not provide as much functionality as this console when it
comes to managing services.
You do not have to know the dependent services in advance in order to stop the
AD DS service from Server Manager. The Server Manager will know which ones to
stop.
When doing work locally on a Windows Server Core system, use SC.EXE instead
of the graphical tool.
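The two Key Points above (WinRS as the command-line face of WinRM, and SC.EXE as the service tool that works on Server Core) combine naturally into a remote health poll. The following script is an added example and is not part of course 6432A; it assumes both the polling workstation (PowerShell 3.0 or later) and the target domain controllers have already run winrm quickconfig, that the caller is an administrator on the targets, and that the host names NYC-DC1 and MIA-DC1 are placeholders.

```powershell
# Added example (not from the course): poll the AD DS service state on remote
# domain controllers over WinRM, using WinRS and sc.exe as the module describes.
# Assumes "winrm quickconfig" has been run on both ends. Host names are
# constructed placeholders.
function Get-RemoteServiceState {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [string]$ServiceName = "NTDS"     # the AD DS service
    )
    # Confirm the WinRM listener answers before issuing commands; a silent
    # failure here is the usual sign that quickconfig was never run remotely.
    winrm id "-r:$ComputerName" > $null 2>&1
    if ($LASTEXITCODE -ne 0) {
        return [pscustomobject]@{ Computer = $ComputerName; Service = $ServiceName; State = "WINRM_UNREACHABLE" }
    }
    # sc.exe works on Server Core, where services.msc is not available.
    $out = winrs "-r:$ComputerName" sc query $ServiceName 2>&1
    # sc query prints e.g. "        STATE              : 4  RUNNING"
    $state = ($out | Select-String 'STATE\s*:\s*\d+\s+(\w+)').Matches |
             ForEach-Object { $_.Groups[1].Value } | Select-Object -First 1
    if (-not $state) { $state = "UNKNOWN" }
    [pscustomobject]@{ Computer = $ComputerName; Service = $ServiceName; State = $state }
}

$dcs = "NYC-DC1", "MIA-DC1"
$results = $dcs | ForEach-Object { Get-RemoteServiceState -ComputerName $_ }
$results | Format-Table -AutoSize

# Anything not RUNNING deserves follow-up: a DC with NTDS stopped behaves as a
# member server and its clients are authenticating against other DCs.
$results | Where-Object { $_.State -ne "RUNNING" }
```

Because winrs returns the remote command's text rather than objects, the parse of the STATE line is the only fragile part; if you add other services (DNS, KDC, Netlogon) the same regex applies, since sc query uses one output format for all of them.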
Key Points
You cannot necessarily give up the full versions of the Active Directory
administrative tools that Server Manager contains.
For most of what server administrators do, Server Manager comes close to being a
"one stop shop."
For more information, refer to the Server Manager topic in the Microsoft
TechNet, Windows Server 2008 Technical Library Web site.
Key Points
Remote Server Administration Tools (RSAT) and its individual tools are Features
in Server Manager.
You do not need to install an RSAT tool if you have the related service or role
installed on your machine.
Unlike with previous versions of Windows, Windows Server 2008 does not ship
with optional support tools or resource kit tools.
If a desired tool is not in the RSAT or in the Windows Server 2008 base
distribution, an earlier version might work, but you should test it before relying on
it.
For more information, refer to the online help for Remote Server
Administration Tools in Server Manager.
Key Points
The old name of Enterprise PKI (PKIView) was the PKI Health Tool. The following
table lists the meanings of icons located in the PKIView console.
For more information, refer to the article AD CS: Enterprise PKI (PKIView)
article on the Microsoft TechNet Web site.
The plans also suggest that over-threshold events should produce an e-mail to at
least one network administrator. Just creating an entry in the event log is not
proactive enough to meet the management mandate. However, Plan 1 specifies a
5-second sampling interval, and Plan 2 specifies a 5-minute sampling interval.
Exercise Overview
In this exercise, you will select an alert plan and implement the plan through
Scheduled Tasks and the WRPM.
The main tasks for this exercise are as follows:
1. Decide which plan you would recommend, Plan 1 or Plan 2.
2. Create a scheduled task for the e-mail alert.
3. Create an alert in Performance Monitor.
Results: This exercise’s successful completion results in the selection of an alert plan
and the implementation of that plan through Scheduled Tasks and the WRPM.
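The procedure this exercise describes (a scheduled task with no trigger of its own, started by a PerfMon alert) and the earlier Key Point that such a task need not have any trigger when you create it can be scripted end to end. The following is an added example, not part of course 6432A or any Microsoft sample; it assumes placeholder values for the SMTP relay (smtp.contoso.com), the mail addresses, the C:\Scripts folder, and the counter and threshold chosen for the alert. The interval variable is set to Plan 2's 5 minutes; Plan 1's value is shown in the comment.

```powershell
# Added example (not part of course 6432A): wire a PerfMon alert to a Scheduled
# Task that e-mails an administrator. The task is registered with no trigger of
# its own; PerfMon starts it, as the module describes. Run elevated on the DC.
# Constructed placeholders: smtp.contoso.com, the mail addresses, C:\Scripts,
# and the counter/threshold. The interval is Plan 2's value.
$taskName  = "AD-Alert-Mail"
$alertName = "AD-CPU-Alert"
$counter   = '\Processor(_Total)\% Processor Time'
$threshold = 85
$interval  = "00:05:00"          # Plan 1 would be 00:00:05
New-Item -ItemType Directory -Path C:\Scripts -Force | Out-Null

# 1. The task's action: re-sample the counter and mail the current value, so the
#    message carries evidence rather than just "an alert fired".
@'
param([string]$Counter)
$sample = (Get-Counter -Counter $Counter).CounterSamples[0].CookedValue
Send-MailMessage -SmtpServer "smtp.contoso.com" -From "perfmon@contoso.com" `
    -To "ad-admins@contoso.com" `
    -Subject "PerfMon alert on $env:COMPUTERNAME" `
    -Body ("{0}  {1} = {2:N1}" -f (Get-Date -Format s), $Counter, $sample)
'@ | Set-Content -Path C:\Scripts\Send-AdAlert.ps1 -Encoding ASCII

# 2. Register the task from XML so it has no <Triggers> element (schtasks' /SC
#    switch would force one). It runs as SYSTEM, so no credentials are stored.
$xml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Send-AdAlert.ps1 -Counter "$counter"</Arguments>
    </Exec>
  </Actions>
</Task>
"@
$xml | Set-Content -Path "C:\Scripts\$taskName.xml" -Encoding Unicode
schtasks /Create /TN $taskName /XML "C:\Scripts\$taskName.xml" /F

# 3. The PerfMon alert: sample every $interval, write an event log entry (-el)
#    and start the task (-tn) whenever the counter exceeds the threshold.
logman create alert $alertName -th "$counter>$threshold" -si $interval -tn $taskName -el
logman start $alertName
logman query $alertName
```

With a 5-second interval the same alert can start the task up to twelve times a minute while the counter stays high, which is the practical argument behind the Plan 1 versus Plan 2 decision; the -el entries in the Application log give you a count of firings per hour to check either plan against.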
______________________________________________________________________
E-mails to affected users
______________________________________________________________________
Triggered tasks (for example, scripts)
______________________________________________________________________
Personal responses
______________________________________________________________________
Follow-up analysis with affected users
______________________________________________________________________
Other
______________________________________________________________________
______________________________________________________________________
Split out combined functionality to separate servers
______________________________________________________________________
Review the number and placement of Global Catalog servers
______________________________________________________________________
Maintain the Active Directory database
______________________________________________________________________
Move the Active Directory log files to higher-performing disk storage
______________________________________________________________________
Other
______________________________________________________________________
Results: After this exercise, you should have identified a variety of alert responses
available to you and the pros and cons of each. You should have also identified the
various possible long-term responses to recurring Active Directory performance alerts
and shared your experiences with those methods.
Exercise Overview
In this exercise, you will explore the different tools for building a case for changing
the server configuration.
The main tasks for this exercise are as follows:
1. Explore the new Event Viewer operational logs.
2. Create an Event Viewer subscription.
3. List other documentation that would support your request for configuration
changes and/or new resources.
Task 3: List other documentation that would support your request for
configuration changes and/or new resources
Use the space below to list other documentation that would support your request
for configuration changes and/or new resources.
______________________________________________________________________
Results: After this exercise, you should have identified some of the new capabilities of
the Windows Server 2008 Event Viewer, including operational logs and event
subscriptions, both of which might be useful in building a case for configuration
change. You should have also created a list of other documentation, both from
Windows Server 2008 tools and other sources, that could help support a campaign for
making configuration and/or resource changes in response to Active Directory
performance monitoring.
Active Directory Domain Services (AD DS) is by far the most popular of the various
Active Directory roles in Windows Server® 2008. This module looks at various
aspects of managing AD DS, including a special focus on the features that are new
to Windows Server 2008: Read-Only Domain Controllers (RODCs), Windows®
Server Core, and Group Policy enhancements.
Managing Active Directory® Domain Services 4-3
Key Points
You must be a member of the domain controller's Administrators group.
All the dependent services will start again when you restart the AD DS service.
Caveat: You must run DCPROMO with the /forceremoval qualifier to demote a
domain controller if the AD DS service is in the stopped state.
If a client contacts the domain controller to log on during stoppage of the directory
service, the server acts like a member server and the client will log on to another
domain controller.
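Restartable AD DS exists mainly so that maintenance such as the offline defragmentation in this module's lab can be done without rebooting the domain controller. The following script is an added example, not part of course 6432A; it assumes an elevated session on the DC as a member of its Administrators group, that C:\Compact is a scratch folder on a volume with at least as much free space as the current database, and that the NTDS folder is in its default location under the system root.

```powershell
# Added example (not from the course): offline defragmentation of NTDS.DIT
# using restartable AD DS, so only the directory service is offline, not the
# server. Run elevated on the DC. C:\Compact is a constructed scratch path.
$ntds   = "$env:SystemRoot\NTDS"
$target = "C:\Compact"
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. Stop AD DS. /y also stops the dependent services (DNS, KDC, ISM, file
#    replication); they restart automatically when AD DS is started again.
net stop ntds /y

# 2. Compact into a NEW file. ntdsutil never rewrites the live database in place,
#    so the original stays intact until you copy over it.
ntdsutil "activate instance ntds" files "compact to $target" quit quit

# 3. Keep the old database, swap in the compacted copy, and delete the old
#    transaction logs (ntdsutil prints these same two instructions on success).
Copy-Item "$ntds\ntds.dit" "$target\ntds.dit.bak"
Copy-Item "$target\ntds.dit" "$ntds\ntds.dit" -Force
Remove-Item "$ntds\*.log"

# 4. Verify the swapped-in file BEFORE bringing the service back. ntdsutil does
#    not set a useful exit code, so check its text ("Integrity check successful").
$check = ntdsutil "activate instance ntds" files integrity quit quit 2>&1
if (($check -join "`n") -notmatch 'Integrity check successful') {
    Copy-Item "$target\ntds.dit.bak" "$ntds\ntds.dit" -Force
    throw "Integrity check failed; original ntds.dit restored, AD DS left stopped"
}

# 5. Start AD DS; the dependent services come back with it.
net start ntds
```

The integrity check is the step worth keeping even under time pressure: starting AD DS on a corrupt compacted file turns a planned maintenance window into a restore, and restartable AD DS does nothing to shorten that.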
Key Points
Windows Server 2008 allows you to create "snapshots" of the directory using
NTDSUTIL, providing a backup mechanism.
Other third-party AD DS backup tools might be preferable for convenience and
features.
Caveat: Windows Server 2008 Server Backup does not support backing up to tape,
unlike its predecessor, NTBACKUP.
Question: What tool does your organization use to perform AD DS backups? Have
you ever tested the restore feature of that tool?
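The NTDSUTIL snapshot facility mentioned above is most useful when paired with dsamain, which serves a mounted snapshot on an alternate LDAP port so you can compare an object's earlier state with the live directory instead of performing a restore. This is an added example, not part of course 6432A; it assumes an elevated session on a Windows Server 2008 DC, and the port 51389 and the export path are constructed choices.

```powershell
# Added example (not from the course): create an AD DS snapshot with NTDSUTIL,
# mount it, and expose it read-only on an alternate LDAP port with dsamain.
# Run elevated on a Windows Server 2008 DC. Port and export path are constructed.
$port = 51389

# 1. Create the snapshot (a Volume Shadow Copy of the volumes holding NTDS).
ntdsutil snapshot "activate instance ntds" create quit quit

# 2. List snapshots and mount the newest. Listing lines look like
#    "2: C: {GUID}"; the braced GUID is what "mount" expects.
$listing = ntdsutil snapshot "list all" quit quit
$guid = ($listing | Select-String '\{[0-9a-f-]{36}\}' | Select-Object -Last 1).Matches[0].Value
$mountOut  = ntdsutil snapshot "mount $guid" quit quit
$mountPath = ($mountOut | Select-String 'mounted as (.+)$').Matches[0].Groups[1].Value.Trim()

# 3. Serve the snapshot's ntds.dit on the alternate port. dsamain stays in the
#    foreground, so run it as a separate process.
$dit = Join-Path $mountPath "Windows\NTDS\ntds.dit"
$dsamain = Start-Process dsamain -ArgumentList "-dbpath `"$dit`" -ldapport $port" -PassThru
Start-Sleep -Seconds 10

# 4. Query the historical copy, e.g. export user objects for diffing against
#    the live directory (ldifde -t selects the port).
$domainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
ldifde -f C:\snapshot-users.ldf -s localhost -t $port -d $domainDn -r "(objectClass=user)" -l "sAMAccountName,memberOf,whenChanged"

# 5. Clean up: stop dsamain, then unmount. The snapshot itself is retained and
#    can be mounted again later.
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "unmount $guid" quit quit
```

A snapshot mounted this way contains password hashes and every other secret in the database, so the mount path inherits the same handling requirements as a system state backup; unmount it as soon as the comparison is done.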
Key Points
Transferring the schema master is a little tricky because the schema console
automatically connects to the current role holder. Connect to the target domain
controller first and then transfer the role using the console.
A general best practice when temporarily transferring a FSMO role is to transfer it
back to its original location when you are done with the operation that prompted
the transfer. This way, you do not need to modify your documentation.
Before you install your first Windows Server 2008 domain controller into a
Windows Server 2003 or Windows 2000 Server forest, you must extend the schema.
Refer to the TechNet article below for detailed information.
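The "transfer it back when you are done" practice from the Key Points above is easy to script, and doing so also records the original holder so nothing depends on memory. The following is an added example, not part of course 6432A; it uses netdom and ntdsutil, both present on Windows Server 2008 and in RSAT, and the server name NYC-DC2 is a constructed placeholder.

```powershell
# Added example (not from the course): inventory FSMO holders, move one role to
# a target DC for a maintenance operation, then move it back so the documented
# placement stays true. Server names are constructed placeholders.
function Get-FsmoHolders {
    # netdom query fsmo prints lines such as "Schema master      NYC-DC1.contoso.com"
    $map = @{}
    netdom query fsmo | ForEach-Object {
        if ($_ -match '^(.+?)\s{2,}(\S+)$') { $map[$matches[1].Trim()] = $matches[2] }
    }
    $map
}

function Move-FsmoRole {
    param([string]$Role, [string]$TargetDc)
    # Role names as ntdsutil expects them: "schema master", "naming master",
    # "RID master", "PDC", "infrastructure master". ntdsutil shows a
    # confirmation dialog before transferring, so run this interactively.
    ntdsutil roles connections "connect to server $TargetDc" quit "transfer $Role" quit quit
}

$before   = Get-FsmoHolders
$before                                   # keep this output with the change record
$original = ($before["Schema master"] -split '\.')[0]

Move-FsmoRole -Role "schema master" -TargetDc "NYC-DC2"
# ... perform the operation that required the schema master to move ...
Move-FsmoRole -Role "schema master" -TargetDc $original

$after = Get-FsmoHolders
if ($after["Schema master"] -ne $before["Schema master"]) {
    Write-Warning "Schema master did not return to $original; update the documentation or retry"
}
```

ntdsutil performs a transfer (the current holder agrees and hands over), which is the only safe path while the holder is online; the same console's seize commands exist for a failed holder, but a seized role must never be brought back online on the old machine.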
Key Points
Restoring the RID master from an image backup raises the possibility of duplicate
identifiers. That could (for example) prevent two servers from both becoming
domain controllers.
If your RID master fails, and you are not adding large numbers of accounts to the
Active Directory database at the time, you might be able to "ride out" the failure and
operate without a RID master temporarily. Each domain controller maintains a
local cache of RIDs, so you can still add some accounts without having the RID
master available.
Key Points
The Domain Naming Master role must be present and available when creating any
new domains, including child domains as well as new domain trees.
If your Forest Functional Level (FFL) is less than Windows Server 2003, the
Domain Naming master should be on a machine that also acts as a Global Catalog
server.
Putting this role on the same machine as the schema master might simplify FSMO
role administration. Neither role is generally very busy in day-to-day activity.
Key Points
The infrastructure master role does not need to be on a fast machine in a
one-domain forest.
The infrastructure operations master for a domain maintains a list of the security
principals from other domains that are members of groups within its domain.
If a change occurs, for example a user in domain A belongs to a security group in
domain B and the user's name changes, domain B would never hear about the
change if not for the infrastructure master.
Key Points
The PDC Emulator stresses a server more than the other FSMO roles. Normally,
this role should be on a relatively fast machine.
You can lighten the authentication load of a busy PDC emulator by modifying the
weight of its DNS SRV records. Refer to the article below for detailed information.
Key Points
Adding global catalog servers can be a mixed blessing: global catalogs create more
replication traffic, but offload other global catalogs.
Only domain controllers that are designated as global catalogs can respond to
global catalog queries on port 3268. This includes directory searches for people
and printers.
Your application mix can affect the number of global catalogs you need. For
example, Microsoft Exchange needs fast, local access to a global catalog.
The site is the only major AD DS structure that is designed to map to a network's
physical layout as opposed to its logical layout. You can manage replication across
WAN links with sites; you can also use them as a (preferably temporary) method
for deploying Group Policy settings that do not map to existing organizational unit
boundaries.
Key Points
There is no necessary mapping between sites and domains. A site might contain a
part of a domain, an entire domain, multiple domains, or parts of multiple
domains.
The relevant tool is Active Directory Sites and Services, which is a component of
the Remote Server Administration Tools (RSAT).
You can also use Active Directory Sites and Services to manage replication for an
Active Directory Lightweight Directory Services (AD LDS) instance.
Question: Does your organization configure Active Directory sites? Why or why
not? Have you encountered any problems with this capability?
Key Points
These settings pertain to site replication traffic using the preferred transport, RPC
over IP. They do not apply to site links that use SMTP.
When you have multiple site links, and multiple possible replication paths
between sites, you can use the Cost parameter to set preferences for particular
paths.
Bridgehead servers are the points of contact between sites. You have the option to
fine-tune performance by designating preferred bridgehead servers, but this might
interfere with the automatic distribution of replication connections.
When a bridgehead server is added to a central (or "hub") site, Windows Server
2008 (unlike Windows Server 2003) dynamically redistributes replication
connections to take advantage of the new bridgehead server.
Question: Would you be more likely to need to reconfigure the replication interval
when two sites are geographically nearby or when they are geographically far
apart?
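The Cost and replication-interval settings discussed above live as attributes of siteLink objects under the IP transport in the Configuration partition, so they can be listed in one pass rather than opened one link at a time in Sites and Services. The following is an added example, not part of course 6432A; it uses only ADSI and the .NET DirectorySearcher, so it needs no ActiveDirectory module, and it assumes the caller can read the Configuration partition (any domain user can by default).

```powershell
# Added example (not from the course): list IP site links with cost, interval
# and member sites straight from the Configuration partition.
function Get-IpSiteLinks {
    $config   = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,$config"
    $searcher.Filter = "(objectClass=siteLink)"
    $null = $searcher.PropertiesToLoad.AddRange(@("cn", "cost", "replInterval", "siteList", "options"))

    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties                 # property names come back lower-case
        $opts = 0
        if ($p.Contains("options")) { $opts = [int]$p["options"][0] }
        [pscustomobject]@{
            Name        = [string]$p["cn"][0]
            Cost        = [int]$p["cost"][0]            # default 100; lower wins
            IntervalMin = [int]$p["replinterval"][0]    # default 180 minutes
            Sites       = @($p["sitelist"] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
            # options bit 0x1 = USE_NOTIFY: change notification across the link,
            # which makes the interval irrelevant for urgent replication.
            ChangeNotify = ($opts -band 1) -eq 1
        }
    }
}

# Sorted by cost, the table reads as the KCC's preference order between sites.
Get-IpSiteLinks | Sort-Object Cost, Name | Format-Table -AutoSize
```

Two checks fall out of this listing: a link whose interval was lowered to 15 minutes "temporarily" and never put back, and sites that appear in no link at all (they still replicate only if automatic site link bridging is on), which is exactly the kind of drift the question above is getting at.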
The RODC is one of the more significant new features in Windows Server 2008.
This lesson provides an overview of the technology and should inspire some
discussion about when and how your organization might deploy RODCs to your
advantage.
Key Points
An RODC has everything that a writeable domain controller has, except account
passwords.
A writeable domain controller provides credentials based on password replication
policy settings.
The RODC encrypts cached credentials.
You can make an RODC a Global Catalog server, for example, if you have
Microsoft Exchange clients.
Consider BitLocker™ for additional security in locations with low physical security
where you might consider RODCs.
Consider delegation for RODC administrators to offload central IT staff. RODC
administrators do not need to be domain administrators.
Key Points
If a client tries to update its DNS record, the RODC's DNS will issue the client a
referral to a writeable DNS server. The writeable DNS server will make the change
and then replicate it back to the RODC.
Key Points
The benefits of distributing the DNS query load might outweigh the disadvantages
of any possible inconsistencies.
If you have a large enough branch office that you need two or more RODCs, you
might consider whether you should have a writeable domain controller in that
office.
Server Core presents some unique management problems due to its lack of an
integrated GUI. This lesson presents several tools and techniques for managing
Server Core Active Directory servers.
Key Points
Some details on command-line utilities:
• control timedate.cpl (run the date-and-time applet)
• cscript (to run scripts, for example, cscript slmgr.vbs)
• net user administrator * (set the administrator password)
• net localgroup administrators <user> /add (add a user to the local Administrators group)
• net start, net stop (start and stop services)
• netsh (for example, to set a static IP configuration or configure the firewall)
• netdom (for example, to join a domain or rename the computer)
• oclist (to list installed roles and features)
• ocsetup (to install or remove roles and features)
• pnputil (to inject device drivers for Plug and Play)
• sc (to manage services)
• shutdown (to shut down or restart the machine)
• slmgr.vbs (to activate Windows)
Key Points
The RSAT tools require either Windows Server 2008 or Windows Vista® SP1.
Server Core does not support Internet Information Services (IIS), Active Directory
Certificate Services (AD CS), Active Directory Federation Services (AD FS), and
Active Directory Rights Management Services (AD RMS).
Key Points
WMI filters can work for the purpose of targeting GPOs. However, they are not as
easily discoverable as using a descriptively-named organizational unit for your
Server Core systems.
You can also use WMI filters on Windows XP and Windows Server 2003 systems
(but not Windows 2000).
For more information, refer to the WMI Filtering Using GPMC article on
the Microsoft TechNet, Microsoft Windows Server TechCenter Web site.
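If you do use a WMI filter to target Server Core, the discoverability problem the Key Point raises is halved by testing the exact WQL on a machine before linking the GPO. The following is an added example, not part of course 6432A or the referenced TechNet article; the OperatingSystemSKU values 12, 13 and 14 are the Windows Server 2008 Datacenter, Standard and Enterprise Server Core SKUs, and the query is evaluated on the client at Group Policy processing time (which is why Windows 2000 clients cannot use it).

```powershell
# Added example (not from the course): the WQL a GPO WMI filter can use to
# match Server Core installations, plus a local/remote test of that query.
# SKU 12/13/14 = Datacenter/Standard/Enterprise Server Core on Windows Server 2008.
$wql = "SELECT * FROM Win32_OperatingSystem WHERE OperatingSystemSKU = 12 OR OperatingSystemSKU = 13 OR OperatingSystemSKU = 14"

function Test-ServerCoreFilter {
    # Returns $true when the machine would satisfy the WMI filter, i.e. when
    # the GPO linked with that filter would apply to it.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hit = Get-WmiObject -Namespace "root\cimv2" -Query $wql -ComputerName $ComputerName -ErrorAction SilentlyContinue
    [bool]$hit
}

"Filter WQL (GPMC > WMI Filters > New, namespace root\CIMv2):"
$wql
foreach ($c in $env:COMPUTERNAME, "NYC-CORE1") {          # NYC-CORE1 is a placeholder
    "{0,-16} matches Server Core filter: {1}" -f $c, (Test-ServerCoreFilter -ComputerName $c)
}
```

Keep the filter's purpose in its description field in GPMC; unlike a descriptively named OU, nothing in the GPO's link tells the next administrator which machines it was meant for.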
Key Points
GPO links permit the settings in a GPO to take effect and apply to an Active
Directory structure.
You cannot directly link a GPO to a group, despite the name. Typically, GPOs are
linked to domains, organizational units, or sites.
There is no "forest" object in Active Directory to which you can link a GPO.
Question: Does your organization generally link its GPOs to the domain or to
organizational units?
Key Points
The version of the Group Policy Management Console (GPMC) that ships with
Windows Server 2008 includes some new features that were not available before.
You can add comments to GPOs as well as to individual policy settings, as long as
the settings are in the Administrative Templates node.
The filter capability improves the searchability of the GPO structure.
Windows Vista SP1 unbundles the GPMC from the Windows Vista operating
system so that future GPMC updates may be downloaded and installed on both
Windows Vista and Windows Server 2008.
If your organization has multiple Group Policy administrators, you might want to
explore the Advanced Group Policy Management tools from Microsoft, which
enhance the GPMC with more advanced delegation, check-in and check-out, and
GPO rollback features. Refer to the reference below for more information.
Key Points
ADMX files use XML formatting conventions, like many text files in Windows
Server 2008.
The new file structure also splits out the language-specific code (*.ADML) from
language-independent code (*.ADMX).
For more information, refer to the How to Create a Central Store for
Group Policy Administrative Templates in Windows Vista article, Microsoft
Knowledge Base article #929841 on the Microsoft Help and Support
Web site. Also, refer to the ADMX Migrator article on the Microsoft
Download Center Web site. Finally, refer to the Managing Group Policy
ADMX Files Step-by-Step Guide article on the MSDN®, Windows Vista
Developer Center Web site.
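The ADMX/ADML split described above is what makes a central store work: the language-neutral .ADMX files sit at the top of the store and each language's .ADML files sit in their own subfolder, and GPMC on every administrative workstation then reads templates from SYSVOL instead of its local copy. The following is an added example, not part of course 6432A or the referenced KB article; it assumes it is run from a machine whose local PolicyDefinitions folder is the reference copy, that the caller can write to SYSVOL, and that en-US is the language in use.

```powershell
# Added example (not from the course): create the ADMX central store in SYSVOL,
# seed it from this machine's PolicyDefinitions, and verify ADMX/ADML pairing.
param([string]$Domain = $env:USERDNSDOMAIN, [string]$Language = "en-US")

$store  = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$source = "$env:SystemRoot\PolicyDefinitions"

# Language-neutral .ADMX at the top level, language-specific .ADML below it.
New-Item -ItemType Directory -Path "$store\$Language" -Force | Out-Null
Copy-Item "$source\*.admx" $store -Force
Copy-Item "$source\$Language\*.adml" "$store\$Language" -Force

# Consistency check: every ADMX needs a matching ADML for the admin's language,
# otherwise GPMC reports a template-parsing error for that file.
$admx = @(Get-ChildItem $store -Filter *.admx | ForEach-Object { $_.BaseName })
$adml = @(Get-ChildItem "$store\$Language" -Filter *.adml | ForEach-Object { $_.BaseName })
$missing = @(Compare-Object $admx $adml | Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object { $_.InputObject })

if ($missing.Count -gt 0) {
    "ADMX files without a $Language ADML: $($missing -join ', ')"
} else {
    "Central store consistent: $($admx.Count) templates with $Language resources"
}
```

Because SYSVOL replicates to every DC, the store is also the one place to update when a newer ADMX set ships; updating one administrator's local folder changes nothing for the others once the central store exists.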
Key Points
You can run Resultant Set of Policy (RSOP) as a standalone console or from within
the GPMC or Server Manager. This tool can run in two modes: "what happened"
(logging) and "what if" (planning). However, its output is no longer complete.
Microsoft advises that beginning with Windows Vista SP1, the RSOP report does not
show all Group Policy settings. (It is not clear whether Windows Server 2008 is
affected, nor which Group Policy settings are omitted.) Microsoft recommends using
the command-line tool gpresult (which ships with Windows Server 2008) to see the
full set of Group Policy settings applied for a computer or user.
Key Points
The Group Policy operations log replaces the USERENV.LOG file.
Messages that used to appear in the Application log in Windows Server 2003 now
appear in the System log in Windows Server 2008.
Now that Group Policy is a service, the events that it logs may be used as the basis
for triggering a scheduled task.
New Group Policy templates can be applied without restarting the server.
Processing is less resource-intensive than when Group Policy was not a service.
The Group Policy service runs under the SVCHOST process.
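Two points from this module fit together here: the earlier Key Point that event log triggers can replace PerfMon alerts, and the statement above that Group Policy's events, now that it is a service, can drive a scheduled task. The following is an added example, not part of course 6432A; the task name and script path are constructed placeholders, and the filter deliberately matches only error-level events from the Group Policy provider in the System log, where the module says these messages now land.

```powershell
# Added example (not from the course): a Scheduled Task started by an
# error-level Group Policy event, the event-log counterpart of a PerfMon alert.
# Task name and script path are constructed placeholders.
$taskName = "GP-Error-Notify"
$action   = 'powershell.exe -NoProfile -File C:\Scripts\Notify-GpError.ps1'

# Level=2 is Error. Filtering on the provider alone would fire on every routine
# informational processing event; restrict it so the task runs only on failures.
# For the service's own channel use /EC Microsoft-Windows-GroupPolicy/Operational.
$xpath = "*[System[Provider[@Name='Microsoft-Windows-GroupPolicy'] and Level=2]]"

schtasks /Create /TN $taskName /TR $action /SC ONEVENT /EC System /MO $xpath /RU SYSTEM /F

# Verify the registration, then dry-run the same XPath against the log: it
# returns events only if Group Policy has actually failed recently, which is
# the behaviour the trigger will have.
schtasks /Query /TN $taskName /V /FO LIST
Get-WinEvent -LogName System -FilterXPath $xpath -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Testing the XPath with Get-WinEvent before registering the task is the step that catches a mistyped provider name, which otherwise produces a task that registers cleanly and never fires.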
Question: Can you think of some Group Policy settings that you might want to
implement as preferences instead of traditional policies?
Key Points
To create a delegation, in Active Directory Users and Computers, right-click the
object that you want to delegate and then click Create Delegation.
After you have created a delegation using the Active Directory Delegation Wizard,
you can create a custom console that displays only desired tasks, as explained in
the reference listed below.
Question: Does your organization delegate any Active Directory functions? Which
ones?
Question: Suppose you have just gone to work for a new company and are in
charge of re-evaluating its delegation model. How could you look at each domain
and organizational unit and determine whether those structures are presently in a
delegated state?
Key Points
You will need to access the Advanced security properties for the delegated domain
or organizational unit to see the relevant Access Control Entries (ACEs).
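The question above (how to tell which domains and OUs are currently in a delegated state) has a direct answer in the Advanced security properties: a delegation is an explicit, non-inherited ACE on the container, so listing those ACEs for every container shows the delegation model as it actually is. The following is an added example, not part of course 6432A; it uses only ADSI and reads the same ACLs the dialog shows, and the list of default principals it filters out is an assumption you should adjust to your forest.

```powershell
# Added example (not from the course): list explicit (non-inherited) ACEs on
# the domain and every OU. Inherited ACEs are skipped because they come from
# the parent, not from a delegation made on this container.
function Get-ExplicitAces {
    $domainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $s.Filter   = "(|(objectClass=domainDNS)(objectClass=organizationalUnit))"
    $s.PageSize = 500
    foreach ($r in $s.FindAll()) {
        $entry = $r.GetDirectoryEntry()
        # includeExplicit=$true, includeInherited=$false; resolve SIDs ourselves
        # so an orphaned SID (deleted group) is reported instead of throwing.
        $rules = $entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            try   { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = "UNRESOLVED " + $ace.IdentityReference.Value }
            [pscustomobject]@{
                Object     = $entry.distinguishedName.Value
                Principal  = $who
                Rights     = $ace.ActiveDirectoryRights
                Type       = $ace.AccessControlType
                # GUID of the attribute/class/extended right the ACE is scoped to;
                # all zeros means the whole object.
                ObjectType = $ace.ObjectType
            }
        }
    }
}

# Principals present on every container by default (assumed list; adjust).
# Whatever remains is a delegation to document or to question.
$defaults = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Pre-Windows 2000 Compatible Access', 'NT AUTHORITY\SELF', 'Everyone',
            'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'

Get-ExplicitAces |
    Where-Object { $defaults -notcontains $_.Principal -and $_.Principal -notmatch '\\(Domain|Enterprise) Admins$' } |
    Sort-Object Object, Principal |
    Format-Table Object, Principal, Rights, Type -AutoSize
```

An UNRESOLVED entry is worth the same attention as an unexpected group: it is an ACE granted to a principal that no longer exists, which is harmless today but will silently become live again if the SID is ever reused by a restored object.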
Key Points
You can create a delegated administrator for an RODC after building the RODC,
also. Refer to the article listed below for more information.
This technique adheres to the principle of Least Required Privilege. A user or group
does not need to belong to Domain Admins to manage an RODC, for example, to
modify the machine's device driver configuration.
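The RODC points from this lesson (cached credentials governed by the password replication policy, and delegated administrators who are not Domain Admins) both have command-line counterparts. The following is an added example, not part of course 6432A or the referenced article; it assumes an elevated session with rights to modify the RODC's computer object, and the names MIA-RODC1 and MIA-RODC-Admins are constructed placeholders. Setting the managedBy attribute on an RODC's computer object is the documented way to grant a group local administration of that RODC after it has been built.

```powershell
# Added example (not from the course): (1) review which account credentials an
# RODC has cached, via repadmin /prp; (2) delegate administration of an
# existing RODC by setting managedBy on its computer object.
# MIA-RODC1 and MIA-RODC-Admins are constructed placeholders.
param([string]$Rodc = "MIA-RODC1", [string]$AdminGroup = "MIA-RODC-Admins")

# 1. Credentials currently cached (revealed) on the RODC, and the allowed list.
#    A revealed account that is not a branch account, or that is privileged,
#    means the password replication policy needs tightening; the RODC never
#    caches passwords that are outside the Allowed list.
repadmin /prp view $Rodc reveal
repadmin /prp view $Rodc allow

# 2. Post-build delegation: point managedBy at the delegated group. Members get
#    local administrator rights on the RODC (driver changes, patching, restarts)
#    without any Domain Admins membership.
$domainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")

$s.Filter = "(&(objectClass=computer)(sAMAccountName=${Rodc}$))"
$rodcEntry = $s.FindOne().GetDirectoryEntry()

$s.Filter = "(&(objectClass=group)(sAMAccountName=$AdminGroup))"
$groupDn = [string]$s.FindOne().Properties["distinguishedname"][0]

$rodcEntry.Put("managedBy", $groupDn)
$rodcEntry.SetInfo()
"managedBy on $Rodc is now: $($rodcEntry.managedBy)"
```

The group named in managedBy should itself be in the RODC's Denied password replication list if its members are IT staff who also log on to the branch: otherwise administering the RODC from the branch caches an administrator's credentials on the very box the delegation was meant to keep low-privilege.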
Exercise Overview
In this exercise, you will perform an offline defragmentation of the NTDS database.
In conjunction with the new directive to improve Active Directory server uptime,
you need to minimize server downtime during this regularly-scheduled
maintenance activity. Windows Server 2008 enables you to reduce downtime by
stopping and starting AD DS without bringing down the entire server. Therefore,
Exercise Overview
In this exercise, you will discuss some of the questions that might meet the second
goal laid out in the IT goals document. The goal is to reduce logon times,
specifically for employees in the new Miami branch. (Depending on class size, the
instructor may break the class into smaller groups for purposes of generating
discussion.)
Results: The successful completion of this exercise results in you having explained the
pros and cons of using RODCs to reduce logon times.
Exercise Overview
The main tasks for this exercise are as follows:
1. Create a site for the Miami location.
2. Move the MIA-RODC server to the Miami site.
3. Modify the replication schedule to the Miami site to reduce latency.
Results: After this exercise, the replication schedule between the default site and the
Florida site has been modified to reduce latencies in the propagation of Active
Directory information between the sites.
Task: Discuss the pros and cons of linking GPOs at different levels
• Pros and cons of linking GPOs at the domain level.
• Pros and cons of linking GPOs at the site level.
• Pros and cons of linking GPOs at the organizational unit level.
• Use the space below to write the key points of the discussion.
Results: The successful completion of this exercise results in you having explained the
pros and cons of linking GPOs at different levels in the Active Directory structure.
Windows Server 2008 represents an advance over Microsoft Windows Server 2003
in that server roles, including Active Directory roles, are more secure after having
been installed via Server Manager. However, every organization's needs are
different, and many ways exist to secure Active Directory servers beyond the
default settings.
5-4 Maintaining Security for Active Directory® Servers
Key Points
Although the Security Configuration Wizard (SCW) is still present in the Windows
Server 2008 distribution, its use is less urgent than with Windows Server 2003 and
Microsoft considers it optional now.
You can apply manual hardening techniques to the creation of Active Directory
server images, or deploy settings "after the fact" via Group Policy.
Microsoft has already done some hardening behind the scenes with techniques
such as Address Space Layout Randomization (ASLR), per-service Security
Identifiers (SIDs), and Windows® Resource Protection (WRP).
For more information, refer to the WS2008: Dynamic Link Library Loader
and Address Space Load Randomization article on the Microsoft TechNet
Askperf blog Web site. Also, refer to the Windows Resource Protection
article on the MSDN® Library Web site.
Key Points
The Group Policy Object (GPO) Accelerator debuted in the Windows Vista®
Security Guide (see reference below). The tool is essentially unchanged in the
Windows Server 2008 Security Guide.
The GPOAccelerator saves a lot of time compared to the older method of using INF
templates and the Security snap-ins.
You should run the GPOAccelerator on test machines because it creates
organizational units and GPOs that you might not want to deploy on a production
system.
Question: Has your organization ever used custom security templates with
Windows Server 2003 or Windows XP? If so, why?
For more information, refer to the Windows Vista Security Guide on the
Microsoft Download Center Web site. Also, refer to the Windows Server
2008 Security Guide on the Microsoft Download Center Web site.
Key Points
Most organizations do not dedicate servers to one specific function; however, many
templates and security tools presume this to be the case.
You can use a modified organizational unit model that takes practical realities into
account. For example, you could design an organizational unit named
"Infrastructure Servers" that would include settings relevant for DNS and DHCP
systems.
From a security standpoint, Active Directory servers are particularly likely to benefit
from being segregated by role from other functions such as infrastructure services.
This is why Microsoft, for example, provides a default domain controller policy
object in a "vanilla" Active Directory installation.
Key Points
Group Policy-based Access Control List (ACL) changes provide a way of bringing
consistency to Active Directory servers that might exhibit inconsistent file system
security due to different source images and/or installation methods (clean versus
upgrade).
Active Directory Rights Management Services (AD RMS) integrates with Active
Directory Federation Services (AD FS), so you can deploy rights management
restrictions to federated users in a separate Active Directory forest.
Key Points
Device driver installation restrictions do not affect users with systems that have
already had the subject device drivers installed. Therefore, you will normally want
to deploy both device driver installation restrictions, and removable device use
restrictions. These are two separate areas in Windows Server 2008 Group Policy.
These restrictions are especially relevant for Active Directory servers due to the
importance of the data they contain (for example, NTDS.DIT).
For years, organizations have used the Microsoft Baseline Security Analyzer
(MBSA) as a method for auditing patch currency and identifying system
vulnerabilities. It remains a useful tool for those purposes.
Key Points
The "other Windows Update Agent (WUA) tools" include the following:
• Microsoft Update
• Windows Software Update Service (WSUS)
• Systems Management Server (SMS) Inventory Tool for Microsoft Updates
(ITMU), although ITMU does not rely on MBSA for scanning as of SMS 2003
SP1.
Various versions of MBSA are in circulation:
• 2.1: All versions from Windows 2000 to Windows Vista, including 64-bit
• 2.0.1: Compatible with new-format offline scan file wsusscn2.cab, but not with
Longhorn
• 1.2.1: Use only if you have Windows NT4, Windows Exchange 5.5 or 5.0,
Microsoft Office 2000
Different ways you can use MBSA include:
• When building custom security templates.
• As a last check to make sure nothing significant has been forgotten.
Key Points
You can perform offline scans but be aware that a new offline scan file is available
(wsusscn2.cab) that supersedes the previous Windows Update offline scan file,
Wsusscan.cab.
For more information, refer to the Windows Server Update Services 3.0
article on the Microsoft TechNet, Microsoft Windows Server TechCenter
Web site.
Key Points
Some of the administrative vulnerabilities that MBSA flags include Windows
Firewall status, automatic updates status, enforcement of strong passwords, and
the presence of enabled but unsecured Guest accounts.
For more information, refer to the MBSA 2.0 Frequently Asked Questions
page on the Microsoft TechNet Web site.
Key Points
Technically, you could create GPOs with password policy settings that you could
link to individual organizational units. However, such GPOs would never take
effect in the presence of domain-based password policies.
In Windows Server 2003 and Windows Server 2000, password policies and
account lockout policies were made at the domain level via the default domain
policy object.
One can debate the meaning of "security boundary" (the forest is the true security
boundary in many ways) but the domain was the boundary for setting password
policies in Active Directory.
Question: Has your organization wrestled with unifying its password policies in
order to keep the total number of Active Directory domains to a minimum?
Key Points
Caveat: The major constraint for many organizations will be the DFL requirement.
Tip: You do not have to create a shadow group that mirrors the membership of an
organizational unit. That is simply the recommended practice. The thing to
remember is that fine-grained password policies do not apply directly to an Active
Directory structural unit (domain, organizational unit, or site), so in that sense they
are not like traditional group policy settings.
Key Points
The time formats used by the above password policy settings are
days:hours:minutes:seconds.
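The tip and the time-format note above, worked through as an added example that is not from the course: ADSI Edit accepts durations as days:hours:minutes:seconds, but the directory stores them as negative 100-nanosecond intervals, which is what an LDIF import needs. The script converts the durations, writes an LDIF that creates a PSO with all ten mandatory attributes and applies it to a shadow group. It assumes the lab domain woodgrovebank.com and the Windows Server 2008 DFL; the PSO name, values and shadow group are constructed placeholders.

```powershell
# Added example (not course material): generate an LDIF file for a fine-grained
# password policy (PSO) and the shadow group it applies to.
# Assumptions: domain woodgrovebank.com from the lab, domain functional level
# Windows Server 2008; PSO name, settings and group DN are constructed placeholders.

function ConvertTo-PsoInterval {
    # "42:00:00:00" (days:hours:minutes:seconds, the ADSI Edit format)
    #   -> -36288000000000 (negative count of 100-ns ticks, as stored in AD)
    param([string]$DaysHoursMinutesSeconds)
    $d, $h, $m, $s = $DaysHoursMinutesSeconds.Split(':') | ForEach-Object { [Int64]$_ }
    $seconds = (($d * 24 + $h) * 60 + $m) * 60 + $s
    return -1 * $seconds * 10000000
}

$domainDn = "DC=woodgrovebank,DC=com"
$psoName  = "PSO-Finance"                                   # constructed
$shadowDn = "CN=Finance Shadow Group,OU=Groups,$domainDn"   # constructed shadow group

# All ten msDS-* attributes below are mandatory on msDS-PasswordSettings; a lower
# precedence value wins when a user is covered by several PSOs. msDS-PSOAppliesTo
# may list users and global security groups only, never an OU, domain or site.
$ldif = @"
dn: CN=$psoName,CN=Password Settings Container,CN=System,$domainDn
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 12
msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval "1:00:00:00")
msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval "42:00:00:00")
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval "0:00:30:00")
msDS-LockoutDuration: $(ConvertTo-PsoInterval "0:00:30:00")
msDS-PSOAppliesTo: $shadowDn
"@

$ldif | Out-File -FilePath "C:\pso-finance.ldf" -Encoding ASCII
# Import with the built-in tool as a member of Domain Admins:
#   ldifde -i -f C:\pso-finance.ldf
# Afterwards, a user's effective policy is visible in the constructed attribute
# msDS-ResultantPSO on the user object (ADSI Edit, Attribute Editor).
```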
Key Points
Password security is becoming ever more important in Active Directory
environments because user account credentials are used in more ways; for
example, to access shares in another organization's forest via AD FS.
Your organization might also need to consider identity integration products that
can manage accounts and passwords for multiple systems in a single
"clearinghouse" such as Microsoft Identity Lifecycle Manager (ILM) 2007.
ILM 2007 extends the previous Microsoft Identity Integration Server (MIIS) 2003
product and provides account and password synchronization, user provisioning,
and certificate management.
Question: What password policies does your organization use? Do your users
find these easy or difficult to comply with?
Key Points
You must be an administrator to modify auditing settings.
The global policy "Audit directory service access" controls whether directory service
auditing is on or off (the default for Windows Server 2008 is "on").
You control what Active Directory Domain Services (AD DS) objects get audited by
setting a Security Access Control List (SACL) for those objects via the Security tab
on the object's properties page.
Windows Server 2000 and Windows Server 2003 only logged the name of a
changed attribute. Windows Server 2008 can log the old and new values of a
changed attribute.
Modifications to Directory Services objects were logged in those versions with ID
566. Windows Server 2008 logs modifications with ID 4662.
Key Points
All four audit subcategories are enabled when you enable the global policy "Audit
directory service access."
The subcategory "Directory service changes" encompasses four types of changes:
• Modify (event ID 5136)
• Create (event ID 5137)
• Undelete (event ID 5138)
• Move (event ID 5139)
You could use AUDITPOL to disable the "Directory service changes" subcategory if
the additional information is not useful to your organization, but you still want to
log Directory Services object changes as was done in Windows Server 2003 and
Windows Server 2000.
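As an added example that is not from the course: the AUDITPOL check and the four event IDs above, turned into a short defender's script that reports the current state of the "Directory Service Changes" subcategory and summarises recent 5136-5139 events by change type, subject, object and value. It assumes it runs locally on a Windows Server 2008 domain controller with PowerShell 2.0 (for Get-WinEvent) and reads the live Security log.

```powershell
# Added example (not course material): audit-subcategory check plus a summary of
# directory-service change events. Assumptions: Windows Server 2008 DC, PowerShell
# 2.0, run as a local administrator (auditing settings require admin rights).

$changeTypes = @{ 5136 = "Modify"; 5137 = "Create"; 5138 = "Undelete"; 5139 = "Move" }
# A modify is written as two 5136 events: the old value with OperationType
# %%14675 (Value Deleted) and the new value with %%14674 (Value Added).
$operation = @{ "%%14674" = "Value Added"; "%%14675" = "Value Deleted" }

# Current state of the subcategory (auditpol is the tool the text refers to).
auditpol /get /subcategory:"Directory Service Changes"
# To fall back to Windows Server 2003-style logging (4662 only), you would run:
#   auditpol /set /subcategory:"Directory Service Changes" /success:disable

function Get-DsChangeSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = "Security"; ID = 5136, 5137, 5138, 5139
                 StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the EventData fields by name from the event XML instead of
        # scraping the rendered message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $op = $data["OperationType"]
        if ($op -and $operation.ContainsKey($op)) { $op = $operation[$op] }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Change    = $changeTypes[$e.Id]
            Subject   = $data["SubjectDomainName"] + "\" + $data["SubjectUserName"]
            Object    = $data["ObjectDN"]
            Attribute = $data["AttributeLDAPDisplayName"]
            Value     = $data["AttributeValue"]
            Operation = $op
        }
    }
}

Get-DsChangeSummary -Hours 24 | Sort-Object Time |
    Format-Table Time, Change, Subject, Object, Attribute, Operation, Value -AutoSize
```

Events appear only for objects whose SACL requests auditing of the relevant access, so an empty result can mean "no SACL set" rather than "no changes".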
Active Directory servers might contain a great deal of data about an organization's
network. The consequences of having that data compromised could be severe. One
component of any Active Directory security plan should be a physical security plan.
Key Points
Even though a Read-Only Domain Controller (RODC) might require less physical
security than a writeable domain controller, you should consider the impact on
user downtime if an RODC is compromised.
Any organization that uses RODCs should have a procedure in place for quickly
putting a new RODC online if something happens to an existing RODC. For
example, a step-by-step guide for running DCPROMO with appropriate options on
a member server.
At least one writeable domain controller in the domain must be running Windows
Server 2008 before an RODC can be deployed.
Although physical security concerns might be a prime reason to consider
deploying RODCs, remember that logon performance can be another reason,
especially if the branch office has poor network connectivity to a hub site.
Key Points
Only the members of the Allowed RODC Password Replication group are allowed
to replicate authentication information to RODCs. Furthermore, RODCs do not
store administrator credential information.
Remember that any application that stores data in Active Directory could
conceivably replicate that data to an RODC and create a security risk. In such
cases, consider setting schema attributes for such data so that they will not
replicate to an RODC. (These attributes are known as the RODC filtered attribute
set. You might need guidance from the application developer to set these
properly.)
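The schema change described in the paragraph above, as an added example that is not from the course: membership in the RODC filtered attribute set is bit 0x200 of the attribute's searchFlags, and 0x80 additionally marks the attribute confidential. The function assumes PowerShell 2.0, a Schema Admins account connected to the schema master, and the attribute name is a constructed placeholder for an application-specific attribute.

```powershell
# Added example (not course material): add an application attribute to the RODC
# filtered attribute set by setting searchFlags bits on its attributeSchema object.
# Assumptions: run as a Schema Admin; $SchemaMaster is the DC holding the schema
# master role; the attribute name passed at the bottom is a constructed placeholder.

function Add-ToRodcFilteredAttributeSet {
    param([string]$SchemaMaster, [string]$LdapDisplayName, [switch]$AlsoConfidential)

    $RODC_FILTERED = 0x200   # searchFlags bit 9: never replicated to an RODC
    $CONFIDENTIAL  = 0x80    # searchFlags bit 7: read requires an extra control access right

    $rootDse  = [ADSI]"LDAP://$SchemaMaster/RootDSE"
    $schemaNc = $rootDse.schemaNamingContext.Value

    # Schema objects are named by CN, not lDAPDisplayName, so locate it with a search.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SchemaMaster/$schemaNc"
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Attribute $LdapDisplayName not found in the schema" }

    $attr  = $result.GetDirectoryEntry()
    $flags = [int]$attr.searchFlags.Value      # null (unset) becomes 0
    $new   = $flags -bor $RODC_FILTERED
    if ($AlsoConfidential) { $new = $new -bor $CONFIDENTIAL }

    if ($new -ne $flags) {
        # The DC rejects the change for system-critical attributes (for example those
        # needed for authentication), which is the safety net you want here.
        $attr.Put("searchFlags", $new)
        $attr.SetInfo()
    }
    return ("searchFlags for {0}: 0x{1:X} -> 0x{2:X}" -f $LdapDisplayName, $flags, $new)
}

Add-ToRodcFilteredAttributeSet -SchemaMaster "NYC-DC1.woodgrovebank.com" `
    -LdapDisplayName "custApp-APIKey" -AlsoConfidential
```

Verify on an RODC afterwards that the attribute is absent from replicated objects; existing values already replicated before the change are removed on the next replication cycle, not instantly.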
Key Points
Other physical security issues include the following:
• Preventing domain controllers from booting into alternate operating systems
• Securing networking infrastructure
• Preventing remote restart of domain controllers
Question: What steps does your organization take to secure writeable domain
controllers? Do you feel these steps are adequate?
Key Points
Onsite backups should only be available in an area where access is auditable.
Similarly, there should be procedures in place for auditing the return of any
backup media from offsite to onsite.
Microsoft recommends that backup media should only be in the backup device
during actual backup or restore operations.
Exercise Overview
The main tasks for this exercise are as follows:
1. Install the GPOAccelerator tool.
2. Create new GPOs with the GPOAccelerator.
3. Examine the settings with the Group Policy Management Console (GPMC).
Results: After this exercise, you should have installed the GPOAccelerator tool, created
new GPOs with the GPOAccelerator, and examined the settings with the GPMC.
Exercise Overview
In this exercise, you will install the MBSA and perform a sample run.
The main tasks for this exercise are as follows:
1. Install the MBSA 2.1 Beta 2.
2. Perform an MBSA analysis of NYC-DC1.
Results: After this exercise, you should have installed the MBSA 2.1 Beta 2
and performed an MBSA analysis of NYC-DC1.
Exercise Overview
In this exercise, you will discuss how to deploy fine-grained password policies.
(Depending on class size, the instructor may break the class into smaller groups
for purposes of generating discussion.)
Results: After this exercise, you should have discussed how to deploy fine-grained
password policies and some of the implications such restructuring could have for your
overall Active Directory design.
This module provides an overview of four Active Directory roles that were formerly
not considered Active Directory roles: Certificate Services, Lightweight Domain
Services, Federation Services, and Rights Management Services. The module also
describes some of the management challenges that these roles create, and some
new features of Windows Server® 2008 that might help to address those
challenges.
Managing Active Directory® Service Roles 6-3
Key Points
Certificate Revocation Lists (CRLs) can become large over time. This can become a
performance issue, affecting network bandwidth and authentication times.
An online responder does not need to be a Certification Authority.
There is a new Microsoft® Management Console (MMC) snap-in for managing
online responders. This is in addition to the other snap-ins you might already be
familiar with (Certification Authority, Certificates, and Certificate Templates).
Key Points
Use the Certificate Services snap-in to create a permissions list for each enrollment
agent, naming the users and groups on behalf of whom the agent can enroll.
The performance of a Certification Authority will be slower if you use enrollment
agent restrictions; however, you can mitigate the slowdown by:
• Minimizing the number of enrollment agent accounts
• Minimizing the list of accounts in the permissions list
• Using group accounts instead of user accounts
In addition to the new ability to restrict enrollment agents, you can also now enroll
network devices (for example, routers) that do not have domain accounts, via
Network Device Enrollment Service (NDES).
Key Points
Enterprise PKI analyzes the health of Certification Authorities running Windows
Server 2008 or Microsoft Windows Server 2003. It no longer requires a separate
download.
Caveat: Remember that AD CS may not be installed on Windows Server Core
systems.
The Cryptography API 2 (CAPI2) diagnostics events reside in Event Viewer under
Applications and Services Logs - Microsoft - Windows - CAPI2.
Key Points
The four bullets in the slides correspond to tabs on the Certificate Path Validation
Settings dialog box.
New policy store categories under Public Key Policies as of Windows Server 2008
include:
• Trusted Publishers
• Untrusted Certificates
• Trusted People
• Intermediate Certification Authorities
Caveat: If you allow users to have a high degree of control over trust decisions and
management of their certificates, plan for some user training in these areas.
For more information, refer to the AD CS: Policy Settings article on the
Microsoft TechNet, Windows Server 2008 Technical Library Web site.
Key Points
You can think of AD LDS as Active Directory but without any user, group, or
computer account information, and therefore no domains or Group Policy settings.
It basically exposes the Active Directory replication engine for use by application
developers.
AD LDS does provide partitioning, multi-master replication, and Lightweight
Directory Access Protocol (LDAP) access.
You can provide AD LDS access to business partners without exposing your AD DS
database.
AD LDS can leverage AD DS for user authentication purposes.
Question: What types of applications do you think might benefit from their own
private replication ring? Can you think of any applications that might require
authentication via a database separate from AD DS? How about a unique and
separate directory store?
Key Points
Active Directory Service Interface (ADSI) Edit is specific to the Microsoft
implementation of Active Directory, whereas LDP can work with any LDAP
provider.
ADSI Edit is a console; LDP is a standalone executable.
LDP exposes some objects that you cannot see in ADSI Edit.
The new auditing capabilities of AD DS in Windows Server 2008, for example,
recording old and new attributes in the audit log after an attribute change, are also
available to AD LDS.
You can also use the snapshot tool DSAMAIN with AD LDS.
You can adapt an AD LDS instance for management with Active Directory Sites and
Services by running MS-ADLDS-DisplaySpecifiers.LDF against the instance schema.
Question: Why does it make sense that Active Directory Users and Computers
and Active Directory Domains and Trusts do not work with AD LDS?
Key Points
AD FS is based on Web Services Architecture. You can read more about it at the
www.w3.org site. The architecture is designed to facilitate interoperability between
Web services.
AD FS is designed to relieve the requirement of a secondary credentials request
when trusted users from outside your network access a Web application in your
network.
The resource partner manages access to its network's application(s) for trusted
partners.
The account partner authenticates users and issues cookies for use later, when
users access applications on the resource partner's network.
Key Points
Using Server Manager to manage AD FS, you can set up the following role services,
as required, depending on the location and function of the server:
• The Federation Service, which performs user authentication routing from
trusted users in other networks.
• The Federation Service Proxy, which resides in a perimeter network and passes
credentials along to an internal server running the Federation Service.
• The Claims-Aware Agent, which installs on an IIS server hosting a claims-aware
application that you want to make available to trusted external users.
As an alternative to Server Manager, you can run the Federation Services snap-in as
a separate console. Use the IIS Manager snap-in to manage the Claims-Aware
Agent.
Key Points
Single Sign-On (SSO) mode refers to a system in which users who have
authenticated to one network may access applications on a different network
without providing an extra set of credentials.
You can integrate AD FS with Microsoft Office SharePoint® Server 2007 and extend
the SSO benefits to that system. Doing so will require a strong knowledge of both
products.
Key Points
The dependencies are made possible by what Microsoft calls "Component-Based
Servicing."
Removal of AD FS will prompt for removal of subsidiary roles and services.
Office SharePoint Server 2007 is not a dependent service but can interoperate with
AD FS.
Active Directory Rights Management Services (AD RMS) is also not a dependent
role, but can interoperate with AD FS to share rights-protected content across
network boundaries.
Key Points
Windows Server 2003 R2 had limited ability to import and export trust policy
settings, but Windows Server 2008 makes the process more streamlined.
In Windows Server 2008, the Add Partner Wizard not only permits importing of
trust policy settings, but modifying those settings before actually importing them.
AD RMS was introduced in Windows Server 2003 and in Windows Server 2008 is
now a server role. It provides a form of Digital Rights Management (DRM) with
selected applications.
Key Points
NTFS provides some control over what users can do with documents; however,
such documents must remain on NTFS volumes or lose those restrictions.
Additionally, NTFS does not provide for permissions such as "forward," nor does it
permit (as AD RMS does) the creation of time periods during which the controls
will be valid.
In addition to Office 2007 (but only Enterprise, Professional Plus, or Ultimate),
Windows Office SharePoint Server 2007 is also RMS-aware.
The AD RMS server resides on a member server, not a domain controller.
You can experiment with AD RMS using a Microsoft server for a trial period.
For more information, refer to the Event Review: RMS in Windows Server
2008 article on the Microsoft TechNet, Resources for IT Professionals,
Events and Webcasts Web site. Also, refer to the Active Directory Rights
Management Services Overview article on the Microsoft TechNet,
Windows Server 2008 Technical Library Web site.
Key Points
A lot of software has to be properly configured to use AD RMS. Before
implementing AD RMS, make sure dependent roles and services are up and
running correctly.
AD RMS can integrate with AD FS to provide rights management for documents
shared with trusted users in a federated external network.
AD RMS can also integrate with Windows Office SharePoint Server.
If you will be using AD RMS with Federation Services, refer to the Using
Identity Federation with Active Directory Rights Management Services
Step-by-Step Guide article located on the Windows Server 2008
Technical Library Web site.
Key Points
The user who installs AD RMS must not use the same account as the AD RMS
service account.
You must be in the AD RMS Enterprise Administrators group as well as the local
administrators group to change the AD RMS service account.
AD RMS Enterprise Administrators can do anything in the AD RMS console. The
installing user is automatically added to this group.
AD RMS Auditors can use the AD RMS console but only the reporting features.
Exercise Overview
The main tasks for this exercise are as follows:
1. Install the AD LDS role on NYC-DC1.
2. Configure the AD LDS service for a new instance.
Results: This exercise’s successful completion results in the installation of the AD LDS
service and the configuration of one instance of the Custapp directory.
Exercise Overview
In this exercise, you will discuss the ongoing management issues for the new
customer relations database application. (Depending on class size, the instructor
may break the class into smaller groups for purposes of generating discussion.)
Results: After this exercise, you will have identified a number of management
concerns for an AD LDS application.
Exercise Overview
The main tasks for this exercise are as follows:
1. Use ADSI Edit to view an AD LDS instance.
2. Use LDP to view an AD LDS instance.
3. Use the Schema Console to view the schema for an AD LDS instance.
Task 3: Use the Schema Console to view the schema for an AD LDS instance
• Register the schema console DLL in a command prompt with the command
regsvr32 schmmgmt.dll.
• Close the Command Prompt window.
• Use fast user switching to log on as Thomas, who has already been set up as a
Schema Admin.
• Open the MMC shell and add the Active Directory Schema snap-in.
• In the navigation pane, from the Active Directory Schema node open Change
Active Directory Domain Controller.
• Specify NYC-DC1.woodgrovebank.com:50000 and wait for the status column
to show Online.
• You should see new nodes for classes and attributes. (If you do not, close the
console and try re-creating it.) Expand the Classes node and scroll down until
you see the entry for User. (This is the object class that was added when you
created the instance in Exercise 1 and specified the LDIF script MS-User.LDF.)
• Open the Properties for the User entry and navigate to the Attributes tab.
These are the attributes for the user object in this instance of AD LDS. They are
now completely separate from the attributes for the user object in AD DS.
• Close all open dialog boxes and consoles, and then close the virtual machine.
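The same inspection done from PowerShell instead of the Schema console, as an added example that is not part of the lab: it reads the instance's schema naming context from RootDSE (so the CN={GUID} configuration partition never has to be typed), lists the User class's attributes on the AD LDS instance and on AD DS, and diffs them to show the two schemas are separate. It assumes PowerShell 2.0 and the lab's host name and port 50000, run as Thomas, who is a Schema Admin of the instance.

```powershell
# Added example (not course material): compare the User class of the AD LDS
# instance on NYC-DC1:50000 with the User class of AD DS on the same host.
# Assumptions: PowerShell 2.0 with [ADSI]; credentials of the current user
# (Thomas from the lab) are valid for both directories.

function Get-UserClassAttributes {
    param([string]$Server)   # "host:port" for AD LDS, "host" for AD DS (port 389)

    # RootDSE tells us where this directory keeps its schema; for AD LDS that is
    # CN=Schema,CN=Configuration,CN={instance GUID}.
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $schemaNc = $rootDse.schemaNamingContext.Value
    $user     = [ADSI]"LDAP://$Server/CN=User,$schemaNc"

    # Optional attributes declared directly on the class (mayContain is the part
    # administrators edit; systemMayContain is the part shipped with the schema).
    # Attributes inherited from parent classes are not listed here.
    $names = @()
    foreach ($a in $user.mayContain)       { $names += "$a" }
    foreach ($a in $user.systemMayContain) { $names += "$a" }
    return ($names | Sort-Object -Unique)
}

$lds = Get-UserClassAttributes "NYC-DC1.woodgrovebank.com:50000"
$ds  = Get-UserClassAttributes "NYC-DC1.woodgrovebank.com"

"AD LDS User class: {0} attributes; AD DS User class: {1} attributes" -f $lds.Count, $ds.Count
# "<=" = only in AD DS, "=>" = only in the AD LDS instance: the two user
# definitions are independent, as the lab step above states.
Compare-Object -ReferenceObject $ds -DifferenceObject $lds
```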
Your evaluation of this course will help Microsoft understand the quality of your
learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will
use your responses to improve your future learning experience. Your open and
honest feedback is valuable and appreciated.
MCT USE ONLY. STUDENT USE PROHIBITED
Lab: Managing and Maintaining a Windows Server 2008 Domain Controller L1-1
Exercise Overview
In this exercise, you will create a plan to add the Active Directory® Domain Services
(AD DS) role to NYC-SVR1.
L1-2 Module 1: Managing an Active Directory Server Lifecycle
Results: After this exercise, you should have a plan to promote NYC-SVR1 to be an
AD DS domain controller.
12. Note that nothing happens. The wizard wants you to assign the IP version 6
address but does not provide a dialog box for you to do so. On the Start
menu, right-click the Network entry and click Properties.
13. In the task pane, click Manage network connections.
14. Right-click Local Area Connection and click Properties.
15. Note that the IP version 4 address is already configured as static. Remove
support for IP version 6 by deselecting the check box, and click OK. Close the
Network Connections control panel and the Network and Sharing Center.
16. Back at the Active Directory Domain Services Installation Wizard, click Next.
17. In the Specify the Password Replication Policy dialog box, review the
settings but do not change any of them, and then click Next.
18. In the Delegation of RODC Installation and Administration dialog box, click
the Set button and add the group NYC_BranchManagersGG. Verify it with the
Check Names button. Click OK and then Next.
19. In the Install from Media dialog box, make sure that Replicate data over the
network from an existing domain controller is selected, and click Next.
20. In the Source Domain Controller dialog box, make sure that Let the wizard
choose an appropriate domain controller is selected, and click Next.
21. In the Location for Database, Log Files, and SYSVOL dialog box, leave all the
default settings and click Next.
22. In the Directory Services Restore Mode Administrator Password dialog box,
type Pa$$w0rd as the password (you must type it twice), and click Next.
23. Review the Summary page. If everything looks good, click Next.
24. At this point, the actual promotion and replication of domain data takes place.
It is a lengthy process so this would be a good time to take a break. When the
wizard reports that it has finished, restart the NYC-SVR1 virtual machine, and
log on as the administrator of the domain WoodgroveBank.
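The same RODC promotion can be run unattended instead of through the wizard. The following PowerShell script is an added example, not part of the course; it assumes the Windows Server 2008 dcpromo answer-file parameter names, the lab's WoodgroveBank domain and group, and that it runs in an elevated PowerShell on NYC-SVR1.

```powershell
# Added example (not part of the 6432A lab): unattended RODC promotion of
# NYC-SVR1 equivalent to wizard steps 18 through 24 above.
# Assumption: dcpromo unattend parameter names as documented for
# Windows Server 2008; verify against your build before use.
$answerFile = Join-Path $env:TEMP 'rodc-unattend.txt'

# Single-quoted here-string so that "Pa$$w0rd" is written literally.
# Password=* makes dcpromo prompt for the domain administrator password
# instead of storing it in the file. The DSRM password is the lab value;
# in production it should be unique per DC and never left on disk.
$unattend = @'
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=woodgrovebank.com
UserDomain=woodgrovebank.com
UserName=Administrator
Password=*
; step 18: delegated RODC installation and administration
DelegatedAdmin="WOODGROVEBANK\NYC_BranchManagersGG"
; steps 19-20: no ReplicationSourceDC given, so dcpromo picks a source DC
; and replicates over the network rather than from media
; step 21: default database, log and SYSVOL locations
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; step 22: Directory Services Restore Mode administrator password
SafeModeAdminPassword=Pa$$w0rd
InstallDNS=Yes
ConfirmGc=Yes
RebootOnCompletion=Yes
'@

Set-Content -Path $answerFile -Value $unattend -Encoding ASCII
try {
    & dcpromo /unattend:$answerFile
}
finally {
    # Remove the answer file so the DSRM password does not linger on disk.
    Remove-Item $answerFile -Force -ErrorAction SilentlyContinue
}
```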
Results: After this exercise, you should have a new RODC in the form of NYC-SVR1.
This should help alleviate the problem of slow logons in the branch office.
Results: After this exercise, you should have an AD DS change on NYC-DC1 and the
change replicated to NYC-SVR1.
Exercise Overview
In this exercise, you will write a first draft of a management and maintenance plan
for the NYC-DC1 and NYC-SVR1 domain controllers.
Task 1: Decide which tools are better suited for each of the two domain controllers
• Decide which tools are better suited to corporate headquarters and which are
better suited to the branch office scenario. Consider that Server Manager cannot,
as such, be used against a remote server, whereas Active Directory Users and
Computers and Event Viewer can.
Answers will vary.
Task 2: Decide whether the new RODC is meeting the business needs
• Consider the methods for determining whether the new RODC is meeting the
business needs.
Answers will vary.
Results: After this exercise, you should have a draft document that outlines how to
manage these two domain controllers.
Results: After this exercise, you should have ideas for evaluating the success of the
plan developed in Exercise 4.
Lab: Creating Baselines for Active Directory Servers L2-9
Results: After this exercise, you should have some ideas for involving users in what
traditionally has been an IT-only activity, developing network performance baselines.
Exercise Overview
In this exercise, you will identify relevant Windows® Reliability and Performance
Monitor (WRPM) counters for the loan department and for the research
department.
Task 1: List the counters that you would consider including in the baseline
1. Open the Microsoft® Lab Launcher, if it is not already open.
2. Start NYC-DC1, if it is not already started.
3. Log on to NYC-DC1 as WoodgroveBank\Administrator with the password of
Pa$$w0rd.
4. In Server Manager, expand the nodes Diagnostics, Reliability and
Performance, and Data Collector Sets.
5. Expand the System node beneath Data Collector Sets. Here are several Data
Collector Sets that Microsoft has pre-built for you as a way to get you started
with the system diagnostics tools.
6. Right-click the Active Directory Diagnostics Data Collector Set, and click
Properties. These properties apply to the Data Collector Set as a whole, even
though it has various components that can be configured separately.
7. On the General tab, read the description of this Data Collector Set.
8. Take a look at the other tabs on the Data Collector Set properties page.
9. To close the page, click the Cancel button.
10. In the details pane, you should see four data collectors. What types are they?
Answer: Trace, Trace, Performance Counter, and Configuration
11. Right-click the Performance Counter data collector and click Properties. Note
the PerfLog objects that Microsoft has chosen for this pre-built Data Collector
Set. This list is a good starting point for exploring Active Directory
performance counters in detail. Note, for example, the category
DirectoryServices.
12. To return to Server Manager, click Cancel.
13. Now you will see where you would create your own Data Collector Set. In the
navigation pane, right-click the User Defined node, click New, and then Data
Collector Set.
14. In the Create new Data Collector Set dialog box, type the name CustomAD,
click the Create from a template (Recommended) option button, and click
Next.
15. Click Active Directory Diagnostics as the template that you will use as the
starting point for your new custom Data Collector Set, CustomAD, and click
Next.
16. Leave the Root directory selection as the default value and click Next.
17. In the Create new Data Collector Set window, click the Open properties for
this data collector set option button, and click Finish.
18. In the Description field, type Woodgrove Bank custom AD data collector
set.
19. If you would like to, look at the other tabs and then click OK.
20. Expand the User Defined node.
L2-12 Module 2: Creating Baselines for Active Directory Servers
21. With CustomAD highlighted in the Server Manager navigation pane, right-click
Performance Counter in the details pane and click Properties.
22. To display the (untitled) counter selection dialog box, on the Performance
Counters tab, click the Add button (this button was grayed out when you
were viewing the system template).
23. To display the counters in this category, find the DirectoryServices object in
the upper left list box, and click the + next to its name.
24. Browse the counters listed under DirectoryServices. Can you find any
context-sensitive help to assist you in understanding their meaning? (There is a
description field, which you can activate by checking the Show description
box, but its content varies from very helpful for some counters to a mere
restatement of the counter name for others. You will need good books, magazine
articles, and online references to understand these counters.)
25. Can you locate the following counter categories?
• ATQ (Asynchronous Thread Queue)
• DRA (Directory Replication Agent)
• DS (Directory Service)
• LDAP
• SAM (Security Accounts Manager)
26. Browse the counters listed under FileReplicaSet. By now you should have
written down, in the course handbook, the performance counters and/or objects
that look relevant to you.
Results: After this exercise, you should be more familiar with some of the PerfMon
Active Directory counters, and have some idea of how to adapt a baseline strategy for
different business situations.
Exercise Overview
In this exercise, you will discuss as a class whether the baseline document should
be modified in view of the increased user population, and explore possible
procedures and organizational standards for modifying (or suggesting
modifications to) the baseline document.
Results: After this exercise, you should have heard various perspectives and ideas on
the pros and cons of modifying Active Directory baseline documentation, and on how
to implement such modifications in a realistic and practical way.
Lab: Monitoring Active Directory Server Roles L3-15
Two system administrators have offered plans for generating an alert. The plans
are basically identical in terms of the performance objects and counters to be
monitored, and include the following, among others:
• Processor\Percent processor time
• PhysicalDisk\Avg. disk queue length
• Network Interface\bytes received/sec
• Network Interface\bytes sent/sec
• Directory Service\LDAP searches/sec
• Directory Service\DS reads/sec
• Directory Service\DRA inbound bytes total/sec
• Directory Service\DRA outbound bytes total/sec
The plans also suggest that over-threshold events should produce an e-mail to at
least one network administrator. Just creating an entry in the event log is not
proactive enough to meet the management mandate. However, Plan 1 specifies a 5-
second sampling interval, and Plan 2 specifies a 5-minute sampling interval.
Exercise Overview
In this exercise, you will select an alert plan and implement the plan through
Scheduled Tasks and the Windows® Reliability and Performance Monitor.
15. Right-click the Active Directory Performance Alert Data Collector Set and
click Start.
16. In Server Manager, click the Task Scheduler Library node and then look at
the details pane. Has the Performance alert e-mail task executed yet?
(Most likely it has not. To test its performance in the real world, you could
perform some heavy Active Directory search activity, for example with the help
of a script, and see if the task triggers. If it triggers but the e-mail is not
delivered, troubleshoot the task and double check the parameters.)
17. Right-click the Active Directory Performance Alert Data Collector Set, and
click Stop.
18. Leave the NYC-DC1 virtual machine running if your instructor indicates that
you will be doing another lab today. Otherwise, close the virtual machine by
performing a normal server shutdown, and save the changes.
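The alert plan described above (the listed counters, an e-mail to an administrator, and a 5-second versus 5-minute sampling interval) can also be implemented as a PowerShell loop rather than through a Data Collector Set. The script below is an added example, not part of the course; it assumes PowerShell 2.0 or later on NYC-DC1, placeholder SMTP relay and mailbox names, and the Windows Server 2008 PerfMon counter paths shown, with thresholds that are illustrative and should be taken from the Module 2 baseline.

```powershell
# Added example (not part of the 6432A lab): sample the Plan 1 / Plan 2
# counters and e-mail an administrator when a counter stays over threshold.
param(
    [int]$SampleIntervalSeconds = 300,  # Plan 2 is 300 s; Plan 1 is 5 s
    [int]$ConsecutiveBreaches   = 3,    # samples in a row before an alert fires
    [string]$SmtpServer = 'smtp.woodgrovebank.com',             # placeholder
    [string]$MailTo     = 'netadmin@woodgrovebank.com',         # placeholder
    [string]$MailFrom   = 'perfalert@nyc-dc1.woodgrovebank.com' # placeholder
)

# Counter paths as named in PerfMon on Windows Server 2008 (assumed; check
# them with Get-Counter -ListSet). Threshold values are illustrative only.
$thresholds = @{
    '\Processor(_Total)\% Processor Time'          = 85
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = 2
    '\Network Interface(*)\Bytes Received/sec'     = 10MB
    '\Network Interface(*)\Bytes Sent/sec'         = 10MB
    '\NTDS\LDAP Searches/sec'                      = 500
    '\NTDS\DS Directory Reads/sec'                 = 500
    '\NTDS\DRA Inbound Bytes Total/sec'            = 5MB
    '\NTDS\DRA Outbound Bytes Total/sec'           = 5MB
}
$breaches = @{}   # sampled counter path -> consecutive over-threshold count

# Requiring several consecutive breaches keeps Plan 1's 5-second interval from
# mailing on every transient spike; with Plan 2's 5-minute interval, three
# breaches in a row means the condition has persisted for at least ten minutes.
while ($true) {
    $set = Get-Counter -Counter @($thresholds.Keys) -MaxSamples 1 -ErrorAction SilentlyContinue
    $alerts = @()
    foreach ($s in $set.CounterSamples) {
        # $s.Path is the full path (\\nyc-dc1\...); find the threshold key it ends with.
        $key = $thresholds.Keys | Where-Object { $s.Path -like ('*' + $_) } | Select-Object -First 1
        if (-not $key) { continue }
        if ($s.CookedValue -gt $thresholds[$key]) {
            $breaches[$s.Path] = 1 + [int]$breaches[$s.Path]
        } else {
            $breaches[$s.Path] = 0
        }
        if ($breaches[$s.Path] -eq $ConsecutiveBreaches) {
            $alerts += ('{0}: {1:N0} (threshold {2:N0})' -f $s.Path, $s.CookedValue, $thresholds[$key])
        }
    }
    if ($alerts.Count -gt 0) {
        # An event log entry alone is not proactive enough for the mandate, so mail it.
        Send-MailMessage -SmtpServer $SmtpServer -To $MailTo -From $MailFrom `
            -Subject "AD performance alert on $env:COMPUTERNAME" `
            -Body ("Over threshold for $ConsecutiveBreaches samples at $SampleIntervalSeconds s:`n" + ($alerts -join "`n"))
    }
    Start-Sleep -Seconds $SampleIntervalSeconds
}
```

Run it from a scheduled task under a service account that can read the counters and relay mail; pass -SampleIntervalSeconds 5 to try Plan 1 and compare the alert volume against Plan 2.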
Results: After this exercise, you should have selected an alert plan and
implemented it through Scheduled Tasks and the Windows® Reliability and
Performance Monitor.
L3-20 Module 3: Monitoring the System Health of Active Directory Servers
Results: After this exercise, you should have identified a variety of alert responses
available to you and the pros and cons of each. You should have also identified the
various possible long-term responses to recurring Active Directory performance alerts
and shared your experiences with those methods.
Exercise Overview
In this exercise, you will explore the different tools for building a case for changing
the server configuration.
Task 3: List other documentation that would support your request for configuration changes and/or new resources
• List other documentation that would support your request for changing the
server configuration and/or new resources. Possibilities might include:
  • Performance monitor logs
  • Help Desk trouble tickets
  • Maintenance logs
  • Specific experiments with simulated network loads
  • “Best practices” magazine articles
  • TechNet articles
  • White papers
Answers will vary.
Results: After this exercise, you should have identified some of the new capabilities of
the Windows Server 2008 event viewer, including operational logs and event
subscriptions, both of which may be useful in building a case for configuration
change. You should have also created a list of other documentation, both from
Windows Server 2008 tools and other sources, that could help support a campaign for
making configuration and/or resource changes in response to Active Directory
performance monitoring.
Lab: Managing AD DS L4-25
Exercise Overview
In this exercise, you will perform an offline defragmentation of the NTDS database.
In conjunction with the new directive to improve Active Directory server uptime,
you need to minimize server downtime during this regularly-scheduled
maintenance activity. Windows Server® 2008 enables you to reduce downtime by
stopping and starting Active Directory Domain Services (AD DS) without bringing
down the entire server. Therefore, other services provided by any given domain
controller (such as DNS) do not have to be interrupted while the Active Directory
database is being maintained.
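The offline defragmentation described here relies on stopping only the NTDS service, compacting the database with ntdsutil, and starting the service again. The following PowerShell script is an added example, not the lab's own steps; it assumes an elevated PowerShell on the domain controller, the default database and log location under %SystemRoot%\NTDS, a working folder C:\NTDSCompact chosen for the example, and the ntdsutil output text I know from Windows Server 2008.

```powershell
# Added example (not part of the 6432A lab): offline defragmentation of the
# NTDS database using restartable AD DS. DNS and other services keep running.
$ntdsDir   = Join-Path $env:SystemRoot 'NTDS'
$dbFile    = Join-Path $ntdsDir 'ntds.dit'
$workDir   = 'C:\NTDSCompact'                 # chosen for this example
$backupDir = Join-Path $workDir 'Original'

# Compaction writes a full copy of the database, so check free space first.
$dbSize = (Get-Item $dbFile).Length
$drive  = Split-Path $workDir -Qualifier
$free   = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace
if ($free -lt $dbSize * 1.2) { throw "Need about $([int]($dbSize * 1.2 / 1MB)) MB free on $drive" }

# Remember which dependent services (KDC, file replication, ...) are running:
# Stop-Service -Force stops them with NTDS, and they must be started again.
$dependents = (Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force

try {
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    Copy-Item $dbFile $backupDir -Force       # keep the original for rollback

    # 'activate instance ntds' is required on Windows Server 2008 because
    # ntdsutil can also target AD LDS instances.
    $out = & ntdsutil "activate instance ntds" files "compact to $workDir" quit quit
    $compacted = Join-Path $workDir 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw "Compaction failed:`n$($out -join "`n")" }

    # Replace the live file and delete the old transaction logs, which no
    # longer belong to the compacted database.
    Copy-Item $compacted $dbFile -Force
    Remove-Item (Join-Path $ntdsDir 'edb*.log') -Force

    # Verify before bringing the directory back. The success string is the one
    # ntdsutil printed on Windows Server 2008 (assumption; check your build).
    $out = & ntdsutil "activate instance ntds" files integrity quit quit
    if (($out -join "`n") -notmatch 'Integrity check successful') {
        throw "Integrity check failed; restore ntds.dit from $backupDir.`n$($out -join "`n")"
    }
}
finally {
    # Start AD DS again even if a step failed, so the DC is not left down.
    Start-Service -Name NTDS
    $dependents | ForEach-Object { Start-Service -Name $_.Name }
}
```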
L4-26 Module 4: Managing Active Directory Domain Services
Exercise Overview
In this exercise, you will discuss some of the questions that might meet the second
goal laid out in the IT goals document. The goal is to reduce logon times,
specifically for employees in the new Miami branch.
Results: After this exercise, you should have explained the pros and cons of
using RODCs to reduce logon times.
Note: You will not take the time here to create the subnet definitions for FloridaSite
and for Default-First-Site-Name, but be aware that these steps would be necessary
in an actual network.
Results: After this exercise, the replication schedule between the default site and the
Florida site has been modified to reduce latencies in the propagation of Active
Directory information between the sites.
Lab: Maintaining Security for Active Directory Servers L5-31
6. Click OK when the message urging you to link the Enterprise Domain Policy
to your domain appears.
7. Close the Command Prompt window.
Results: After this exercise, you should have installed the GPOAccelerator tool,
created new GPOs with the GPOAccelerator, and examined the settings with the
Group Policy Management console.
L5-34 Module 5: Maintaining Security for Active Directory Servers
Exercise Overview
In this exercise, you will install the Microsoft Baseline Security Analyzer (MBSA)
and perform a sample run.
Results: After this exercise, you should have installed the MBSA 2.1 Beta 2 and
performed an MBSA analysis of NYC-DC1.
Exercise Overview
In this exercise, you will discuss how to deploy fine-grained password policies.
Results: After this exercise, you should have discussed how to deploy fine-grained
password policies and some of the implications such restructuring could have for
your overall Active Directory design.
Lab: Managing Active Directory® Service Roles L6-37
Results: After this exercise, you should have installed the AD LDS service and
configured one instance of the Custapp directory.
Exercise Overview
In this exercise, you will discuss the ongoing management issues for the new
customer relations database application.
L6-40 Module 6: Managing Active Directory® Service Roles
Results: After this exercise, you will have identified a number of management
concerns for an AD LDS application.
Task 3: Use the Schema Console to view the schema for an AD LDS instance
In order to use the schema console, either with AD DS or with AD LDS, the DLL
must first be registered, just as with Microsoft® Windows Server 2003.
1. Click Start and open a command prompt.
2. Type regsvr32 schmmgmt.dll and press Enter.
3. Close the success message that appears.
4. Close the Command Prompt window.
5. In order to manage the AD LDS schema, you need to be logged on as Thomas
Andersen. So click Start, click the arrow at the lower right, and click Switch
User. (Note that in the domain environment, Windows Server 2008 permits
you to use Fast User Switching, something that Windows Server 2003 did not
permit.)
6. Click the Other User icon, then log on as the user Thomas with the password
Pa$$w0rd. (The domain should default to WoodgroveBank.) Because Thomas
Andersen has not logged on to this computer before, it will take a few
moments to build the new user profile. By the way, Thomas Andersen needs to
be a Schema Admin to perform the rest of these tests; he has already been set
up as a member of that group.
7. Close the Server Manager window.
8. Click Start, in the search field, type MMC, and press Enter.
9. When prompted by User Account Control, click Continue.
10. In the generic MMC console, click File and then Add/Remove Snap-In….
11. In the left column, highlight Active Directory Schema, click the Add button,
and click OK.
12. In the new console, in the navigation pane, right-click the Active Directory
Schema node and click Change Active Directory Domain Controller.
13. In the Change Directory Server dialog box, under the Name column, click
<Type a Directory Server name [:port] here>, and type
NYC-DC1.woodgrovebank.com:50000.
14. Press Enter, wait for the status column to show Online, and then click OK.
15. In the confirmation dialog box, which is asking you if you want to change the
database you are managing, click Yes. The server and port number should
reflect in the navigation pane of the schema console. You should see new
nodes for classes and attributes.
Note: If you do not see these nodes, close the Schema console and reopen it by
repeating Steps 8 through 11 and, if necessary, Steps 12 through 14.
16. Expand the Classes node and scroll down until you see the User entry. (This
is the object class that was added when you created the instance in Exercise 1
and specified the LDIF script MS-User.LDF.)
17. Right-click the User entry, click Properties and click the Attributes tab. These
are the attributes for the user object in this instance of AD LDS. They are now
completely separate from the attributes for the user object in AD DS.
18. Close all open dialog boxes and consoles. When prompted to save console
settings for Console, click No.
19. Close the virtual machine by performing a normal shutdown.
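What the Attributes tab shows in steps 13 through 17 can also be read programmatically: the User class definition in the AD LDS instance on port 50000 is independent of the one in AD DS. The script below is an added example, not part of the course; it assumes the lab's NYC-DC1.woodgrovebank.com and port 50000, and that the logged-on user can read both schema partitions.

```powershell
# Added example (not part of the 6432A lab): compare the attribute lists of
# the 'user' class in the AD LDS instance (port 50000) and in AD DS.
function Get-ClassAttributes {
    param(
        [string]$Server,     # 'host' for AD DS, 'host:port' for an AD LDS instance
        [string]$ClassName   # lDAPDisplayName of the class, e.g. 'user'
    )
    # RootDSE tells us where this particular directory keeps its schema.
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $schemaNc = [string]$rootDse.schemaNamingContext.Value

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/$schemaNc"
    $searcher.Filter = "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))"
    $null = $searcher.PropertiesToLoad.AddRange(
        [string[]]('mayContain', 'systemMayContain', 'mustContain', 'systemMustContain'))
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "Class '$ClassName' not found under $schemaNc on $Server" }

    # Only the class's own attribute lists, as on the Attributes tab; attributes
    # inherited from organizationalPerson, person and top are not included.
    $attrs = @()
    foreach ($prop in 'maycontain', 'systemmaycontain', 'mustcontain', 'systemmustcontain') {
        if ($hit.Properties.Contains($prop)) { $attrs += @($hit.Properties[$prop]) }
    }
    $attrs | Sort-Object -Unique
}

$adLds = Get-ClassAttributes -Server 'NYC-DC1.woodgrovebank.com:50000' -ClassName 'user'
$adDs  = Get-ClassAttributes -Server 'NYC-DC1.woodgrovebank.com'       -ClassName 'user'

"AD LDS user class: $($adLds.Count) attributes; AD DS user class: $($adDs.Count) attributes"
# SideIndicator '=>' marks attributes defined only in AD DS, '<=' only in the
# AD LDS instance (the MS-User.LDF class is much smaller than the AD DS one).
Compare-Object -ReferenceObject $adLds -DifferenceObject $adDs |
    Sort-Object SideIndicator, InputObject |
    Format-Table InputObject, SideIndicator -AutoSize
```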
Results: After this exercise, you will have seen three tools that you can use to manage
an AD LDS instance, and have some understanding of when to use each.