
OFFICIAL MICROSOFT LEARNING PRODUCT

6432A
Managing and Maintaining
Windows Server® 2008 Active
Directory® Servers

Be sure to access the extended learning content on your Course CD enclosed on the back cover of the book.
ii Managing and Maintaining Windows Server® 2008 Active Directory® Servers

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2008 Microsoft Corporation. All rights reserved.

Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries.
All other trademarks are property of their respective owners.

Technical Reviewer: Brian Stockbrugger

Product Number: 3690


Part Number: X14-94971
Released: 5/2008
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION
– Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply
to the Licensed Content named above, which includes the media on which you received it, if any. The terms
also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use the
Licensed Content.

If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. “Academic Materials” means the printed or electronic documentation such as manuals, workbooks,
white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.
b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
“MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one (1)
Course.
d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning Center
during an Authorized Training Session, each of which provides training on a particular Microsoft
technology subject matter.
e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. “Licensed Content” means the materials accompanying these license terms. The Licensed Content
may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content,
(iii) classroom setup guide, and (iv) Software. There are different and separate components of the
Licensed Content for each Course.
g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.
i. “Student Content” means the learning materials accompanying these license terms that are for use
by Students and Trainers during an Authorized Training Session. Student Content may include labs,
simulations, and courseware files for a Course.
j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and
b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized
Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.
k. “Trainer Content” means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as a
base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
m. “Virtual Machine” means a virtualized computing experience, created and accessed using
Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered “Trainer Content”.
n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic),
Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location
or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for use
by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that
the number of copies in use does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed Content
on such server does not exceed the number of Students enrolled in and the Trainer delivering the
Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (i) or (ii) above during such
Authorized Training Session in accordance with these license terms.
iv. Separation of Components. The components of the Licensed Content are licensed as a single unit.
You may not separate the components and install them on different Devices.
v. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions in
this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain
the same information and/or work the way a final version of the Licensed Content will. We may
change it for the final, commercial version. We also may not release a commercial version. You will
clearly and conspicuously inform any Students who participate in each Authorized Training Session of
the foregoing; and, that you or Microsoft are under no obligation to provide them with any further
content, including but not limited to the final released version of the Licensed Content for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for
any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft software,
Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a
license that requires Microsoft to license its software or documentation to third parties because we
include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features and
documentation that may be included with the Licensed Content, is confidential and proprietary to
Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a
protective order or otherwise protect the information. Confidential information does not
include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to Microsoft
or its suppliers; or
• you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you
is the end date for using the beta version, or (ii) the commercial release of the final release version of
the Licensed Content, whichever is first (“beta term”).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning
Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time
indicated on the install of the Virtual Machines (between 30 and 500 days after you install it).
You will not receive notice before it stops running. You may not be able to access data used
or information saved with the Virtual Machines when it stops running and may be forced to
reset these Virtual Machines to their original state. You must remove the Software from the
Devices at the end of each Authorized Training Session and reinstall and launch it prior to the
beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before
installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training
Session, you will obtain from Microsoft a product key for the operating system software for
the Virtual Hard Disks and will activate such Software with Microsoft using such product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art,
animations, sounds, music, shapes, video clips and templates provided with the Licensed Content
solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content,
they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as
“Evaluation Software” may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or
ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session,
Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of
the Licensed Content that are logically associated with instruction of the Authorized Training
Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a)
that any of these customizations or reproductions will only be used for providing an Authorized
Training Session and (b) to comply with all other terms and conditions of this agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials and
you may not print any book (either electronic or print version) in its entirety. If you reproduce
any Academic Materials, you agree that:

• The use of the Academic Materials will be only for your personal reference or training use;
• You will not republish or post the Academic Materials on any network computer or broadcast
in any media;
• You will include the Academic Material’s original copyright notice, or a copyright notice to
Microsoft’s benefit in the format provided below:
Form of Notice:
© 2008 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else’s use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allow you to use it in certain ways. You may not
• install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft’s prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that
applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
• publish the Licensed Content for others to copy;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
• Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional
information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content
marked as “NFR” or “Not for Resale.”
10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as
“Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of these license terms. In the event your status as an Authorized
Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by
Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must
destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based
services and support services that you use, are the entire agreement for the Licensed Content and
support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of
that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or
other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.

Note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is offered “as is”. Any use of
this Licensed Content is at your sole risk. Microsoft grants no other express warranty. You may benefit
from additional rights under local consumer protection law, which this agreement cannot modify. Where
local law permits it, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.
LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can obtain from Microsoft and its
suppliers compensation for direct damages only, up to US $5.00. You cannot claim any compensation for
other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the Licensed Content, services or content (including code) on third-party
Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage.
If your country does not permit the exclusion or limitation of liability for indirect, incidental or
other damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. This agreement does not change the rights conferred on you by the laws of your country
if those laws do not permit it.

Contents
Module 1: Managing an Active Directory Server Lifecycle
Lesson 1: Planning an Active Directory Server Deployment 1-3
Lesson 2: Using Active Directory Server Deployment Technologies 1-9
Lesson 3: Adding AD DS Server Roles 1-17
Lesson 4: Removing AD DS Server Roles 1-25
Lab: Managing and Maintaining a Windows Server 2008 Domain Controller 1-29

Module 2: Creating Baselines for Active Directory Servers
Lesson 1: Baseline Methodologies for Active Directory Servers 2-3
Lesson 2: WRPM Overview 2-10
Lesson 3: Using Metrics to Create Baselines for Active Directory Servers 2-16
Lab: Creating Baselines for Active Directory Servers 2-24

Module 3: Monitoring the System Health of Active Directory Servers
Lesson 1: System Health Overview 3-3
Lesson 2: Using Long-Term Monitoring to Identify Trends 3-7
Lesson 3: Setting Thresholds and Alerts for Short-Term Monitoring 3-11
Lesson 4: Choosing the Appropriate Windows Server 2008 Monitoring Tools 3-17
Lab: Monitoring the Active Directory Server Roles 3-27

Module 4: Managing Active Directory Domain Services
Lesson 1: Restarting and Restoring Active Directory 4-3
Lesson 2: FSMO Roles Overview 4-6
Lesson 3: Planning Sites and Replication 4-13
Lesson 4: Managing RODCs 4-17
Lesson 5: Methods for Managing Server Core 4-21
Lesson 6: Best Practices for GPOs and Links 4-26
Lesson 7: Delegating the Active Directory Administration 4-34
Lab: Managing AD DS 4-39

Module 5: Maintaining Security for Active Directory Servers
Lesson 1: Server Hardening Techniques 5-3
Lesson 2: Using the MBSA to Discover and Remove Security Holes 5-9
Lesson 3: Using Fine-Grained Password Policies to Simplify Network Organization 5-14
Lesson 4: Planning Security Auditing 5-20
Lesson 5: Enhancing Physical Security 5-23
Lab: Maintaining Security for the Active Directory Servers 5-28

Module 6: Managing Active Directory Service Roles
Lesson 1: Using Windows Server 2008 Tools for AD CS 6-3
Lesson 2: Implementing AD LDS 6-8
Lesson 3: AD FS Overview 6-12
Lesson 4: AD RMS Overview 6-18
Lab: Managing Active Directory Service Roles 6-23

MCT USE ONLY. STUDENT USE PROHIBITED


About This Course
This section provides you with a brief description of the course, audience,
suggested prerequisites, and course objectives.

Course Description
This course provides you with the knowledge and skills to manage and maintain
Windows Server® 2008 Active Directory® servers. The course focuses on the Active
Directory server lifecycle by creating baselines, monitoring system health, and
maintaining security. The course also focuses on managing Active Directory
Domain Services (AD DS) and Active Directory service roles.

Audience
This course is intended for Server Administrators who are familiar with Microsoft®
Windows Server 2008 and who are, or will be, responsible for the daily
management and maintenance of Windows Server 2008 Active Directory servers. It
is also intended for IT professionals who could benefit from acquiring the skills
required by a Windows Server 2008 Active Directory Server Administrator, such as
a Server Administrator who is responsible for network application servers and
works closely with the Active Directory Server Administrator, or an Enterprise
Administrator who wants to understand the operational requirements of Windows
Server 2008 Active Directory Servers before designing a network server
infrastructure.

Student Prerequisites
This course requires that you meet the following prerequisites:
• 6424 Fundamentals of Windows Server® 2008 Active Directory®
• 6425 Configuring Windows Server® 2008 Active Directory® Domain Services
• 6426 Configuring Identity and Access Solutions with Windows Server® 2008
Active Directory®
• 6430 Managing and Maintaining Windows Server® 2008 Servers

Course Objectives
After completing this course, students will be able to:
• Plan and identify different approaches to Active Directory server deployment.
• Add and remove the AD DS server role.
• Identify strategies for developing, monitoring, and reviewing baselines.
• Create baselines for different Active Directory roles with the appropriate
metrics using the Windows Reliability and Performance Monitor (WRPM).
• Create and evaluate a monitoring plan based on business needs and
environments.
• Determine the health of Active Directory servers using performance
monitoring and event log triggers.
• Configure effective alerts and responses as well as evaluate alternative
recommendations for AD DS servers to meet a business goal.
• Describe and implement the methodology of maintaining Windows Server
2008 AD DS.
• Perform AD DS maintenance and administrative tasks.
• Explain and deploy proven methods to harden the Active Directory servers.
• Decide which Windows Server 2008 security features can address a given
business situation.
• Add server roles to a Windows Server 2008 network.
• Deploy and operate an Active Directory Lightweight Directory Services (AD
LDS) server role.

Course Outline
This section provides an outline of the course:
Module 1, "Managing an Active Directory® Server Lifecycle" explains how to
support and maintain Active Directory servers to meet changing business
requirements in an enterprise environment.
Module 2, "Creating Baselines for Active Directory® Servers" explains how to create
baselines using the WRPM and through analysis, make decisions to improve server
performance.
Module 3, "Monitoring the System Health of Active Directory® Servers" explains
how to create and evaluate a monitoring plan based on business needs and
environments. It also explains how to determine the health of Active Directory
servers using performance monitoring and event log triggers.
Module 4, "Managing Active Directory® Domain Services" explains how to
implement the methodology of maintaining Windows Server 2008 AD DS.
Module 5, "Maintaining Security for Active Directory® Servers" explains how to
deploy proven methods to harden the Active Directory servers.
Module 6, "Managing Active Directory® Service Roles" explains how to add non-AD
DS roles to a Windows Server 2008 network and manage those roles with the
supplied tools.

Course Materials
The following materials are included with your kit:
• Course Handbook. The Course Handbook contains the material covered in
class. It is meant to be used in conjunction with the Course CD.
• Course CD. The Course CD contains a Web page that provides you with links
to resources pertaining to this course, including lab exercise answer keys, lab
virtual machine build guide, and categorized resources and Web links.

Note: To open the Web page, insert the Course CD into the CD-ROM drive, and then in
the root directory of the CD, double-click StartCD.exe.

• Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.
To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification
Program, send e-mail to mcphelp@microsoft.com.

Virtual Machine Environment
This section provides the information for setting up the classroom environment to
support the business scenario of the course.

Virtual Machine Configuration
In this course, you will use Microsoft Lab Launcher to perform the labs.

Important: In order to save time booting and logging in to the virtual machines,
the lab directions will advise you to leave the virtual machines running throughout
the course of each day. At the end of each day, you should close each virtual
machine and save any changes. To close a virtual machine and save the changes,
simply shut down the VM as you would any physical machine, via the Start menu.
Do not click the Reset or Reset All buttons unless advised to do so by your instructor.

The following table shows the role of each virtual machine used in this course:

Virtual machine   Role
NYC-DC1           Domain controller
NYC-SVR1          Member server (initially; will be promoted to DC)

Software Configuration
The Windows Server 2008 software is installed on each virtual machine.

Course Files
There are files associated with the labs in this course. The lab files are located in
the folder E:\Labfiles on the student computers.

Classroom Setup
Each classroom computer will have the same virtual machines configured in the
same way. The computers do not need to be networked as each one is self-
contained. As to the room layout, it is up to the instructor but a "U" shaped seating
arrangement may be more convenient for the lab discussion exercises.

Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a
minimum equipment configuration for trainer and student computers in all
Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which
Official Microsoft Learning Product courseware is taught.
This course requires that student computers meet or exceed hardware level 5.5,
which specifies a 2.4-gigahertz (GHz) (minimum) Pentium 4 or equivalent CPU, 2
7200-rpm or faster hard disks with 40 gigabytes (GB) or more capacity, at least 2
gigabytes (GB) of RAM, and at least 16 megabytes (MB) of video RAM.
Managing an Active Directory®Server Lifecycle 1-1

Module 1
Managing an Active Directory® Server Lifecycle
Contents:
Lesson 1: Planning an Active Directory Server Deployment 1-3
Lesson 2: Using Active Directory Server Deployment Technologies 1-9
Lesson 3: Adding AD DS Server Roles 1-17
Lesson 4: Removing AD DS Server Roles 1-25
Lab: Managing and Maintaining a Windows Server 2008 Domain Controller 1-29
Module Overview
Planning for and managing an Active Directory lifecycle involves server
deployment, role installation, and role removal. This module describes these steps
with an emphasis on new capabilities in Windows Server® 2008.
Lesson 1
Planning an Active Directory Server
Deployment

When you plan to deploy Active Directory servers that are running Windows
Server 2008, you must contemplate hardware requirements, version differences,
and whether to upgrade existing systems or perform "clean" installs. Two new
features of Windows Server 2008, Read-Only Domain Controllers (RODCs) and
Windows® Server Core, provide more topics to think about during Active Directory
planning.
Server Deployment Issues: Base Hardware

Key Points
You can license Windows Server 2008 with Hyper-V or without it (the products
have different SKUs) although the cost savings are minimal for the non-Hyper-V
versions.
Minimum hardware requirements for Windows Server 2008 (x86) are higher than
for Microsoft® Windows Server 2003:
• 1 GHz processor (32-bit), Standard edition
• 1.4 GHz processor (64-bit), Standard edition
• Minimum of 512MB RAM
• Minimum of 10GB free disk space
Web Server edition is now available in a 64-bit version.

For more information, refer to the Compare Technical Features and
Specifications chart on the Microsoft Windows Server 2008 Web site.
Server Deployment Issues: Edition Differences

Key Points
"CPUs", as used in the slide, refers to CPU sockets, not CPU cores.
Here is some additional information on specific editions:
• A Web Edition server cannot run Active Directory Domain Services (AD DS).
• The Enterprise Edition also provides rights to use four virtual instances of the
product.
• The Datacenter Edition provides unlimited rights to run virtual instances.
• An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-
based systems.
All editions provide for two simultaneous Remote Desktop connections.

For more information, refer to the Compare Technical Features and
Specifications chart on the Microsoft Windows Server 2008 Web site.
Server Deployment Issues: Upgrade vs. Clean Install

Key Points
Because of the changes Microsoft has made to the upgrade process, you can expect
fewer differences in terms of NTFS and Registry security than in upgrades to earlier
versions of Windows.
The new in-place upgrade is basically an export -- clean parallel install -- import
operation. Traditional cautions against performing an in-place upgrade are
therefore less valid when upgrading to Windows Server 2008.
If you perform an upgrade, you can view the log files setuperr.log and setupact.log in
the folder c:\windows\panther, to see any errors that might have been
encountered.

For more information, refer to the Application Considerations When
Upgrading to Windows Server 2008 article on the Microsoft TechNet,
Windows Server 2008 Technical Library Web site.
Deploying RODC vs. Writeable Domain Controllers

Key Points
The RODC option is offered by the AD DS Installation Wizard (dcpromo). An RODC
can also host read-only copies of AD-integrated DNS zones.
An RODC holds a read-only copy of the directory and, by default, caches no
account passwords at all. Which passwords it may cache is governed by its
Password Replication Policy: accounts in the Allowed RODC Password Replication
Group (typically the branch-office users) can be cached, while members of the
Denied RODC Password Replication Group, which by default includes administrative
groups such as Domain Admins and Enterprise Admins, are never cached. If the
RODC is stolen or compromised, only the cached passwords need to be reset.
RODC is conceptually similar to the Backup Domain Controller in Windows NT®
Server, except that replication to an RODC is inbound only and an RODC cannot be
promoted in place to a writable domain controller.
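The following script is an added example and not part of the course or of Microsoft's documentation. It wraps repadmin /prp, which is the command-line view of the Password Replication Policy described above, to answer the two questions an administrator should ask of a branch RODC: has any privileged secret ended up on it, and which branch users authenticate through it without being cached. The RODC name NYC-SVR1 is taken from the lab; repadmin.exe is assumed to be present (it ships with the AD DS role and with RSAT), and the parser assumes repadmin prints one distinguished name per line after a short header, which you should confirm against your own output.

```powershell
# Added example (not from the course): review an RODC's Password Replication Policy with repadmin.
# Assumptions: repadmin.exe available, RODC named NYC-SVR1, and repadmin /prp view printing
# one distinguished name per line after a short header (the regex below relies on that).
function Get-RodcPrpList {
    param([string]$Rodc, [string]$List)   # $List is one of: allow | deny | auth2 | reveal
    & repadmin.exe /prp view $Rodc $List 2>&1 |
        Where-Object { $_ -match '^(CN|OU|DC)=' }
}

$Rodc = "NYC-SVR1"
$allowed  = Get-RodcPrpList -Rodc $Rodc -List allow    # may be cached (Allowed RODC Password Replication Group by default)
$denied   = Get-RodcPrpList -Rodc $Rodc -List deny     # never cached (administrative groups by default)
$revealed = Get-RodcPrpList -Rodc $Rodc -List reveal   # secrets the RODC actually holds right now
$authed   = Get-RodcPrpList -Rodc $Rodc -List auth2    # accounts that have authenticated through this RODC

"Allowed to cache on ${Rodc}:";     $allowed
"Denied from caching on ${Rodc}:";  $denied
"Currently cached on ${Rodc}:";     $revealed

# Check 1: no privileged account should have its secret sitting on a branch-office box.
$privileged = $revealed | Where-Object { $_ -match '^CN=(Administrator|krbtgt|.*Admins?),' }
if ($privileged) {
    Write-Warning "Privileged secrets cached on ${Rodc}: $($privileged -join '; ')"
}

# Check 2: accounts that authenticate through the RODC but are not cached still go over the
# WAN for every logon, which is the slow-logon symptom the RODC was deployed to fix.
$notCached = $authed | Where-Object { $revealed -notcontains $_ }
"Authenticated via $Rodc but not cached (candidates for the allow list):"
$notCached
```

Run it from a writable domain controller or an administrative workstation with RSAT; the reveal and auth2 lists are attributes of the RODC's computer object, so they are readable from any DC.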

For more information, refer to the AD DS: Read-Only Domain Controllers
article on the Microsoft TechNet, Windows Server 2008 Technical Library
Web site.
Deploying Windows Server Core as an Active Directory
Server

Key Points
Windows Server Core can run Internet Information Services (IIS), even though this
capability was not present in the beta product. It can also run DHCP, DNS, and act
as a file or print server.
Server Core has appeal because of lower hardware requirements, lower attack
surface, lower administrative overhead, and anticipated higher reliability.
Generally, Server Core is manageable remotely using standard MMC snap-ins.
However, as the reference document cited below points out, you might need to
enable firewall rules (the Remote Administration rule group among them) and
perform other steps before remote MMC management will work.

For more information, refer to the Server Core blog on the Microsoft
TechNet Web site.
Lesson 2
Using Active Directory Server Deployment
Technologies

You can deploy Active Directory servers in your organization in several different
ways. This lesson is designed to make you think about the best method or
methods for your organization.
Active Directory Server Deployment: Local Installation

Key Points
You have various options for deploying an Active Directory server locally:
• Install by booting a Windows Server 2008 DVD.
• Install by booting to a custom-created DVD running WinPE and using your
own image files created with the Windows Automated Installation Kit (WAIK).
• Install by booting to an external USB hard drive, configured as above. These
devices are often significantly faster than optical drives.
• Modify any of the above by creating an answer file in the System Image
Manager (SIM) provided in the WAIK.
After the operating system is installed, if you are installing AD DS, you can script
the AD DS Installation Wizard, bypassing the interactive prompts. Here is an
example from TechNet:

dcpromo /unattend /InstallDns:yes /confirmGC:yes


/replicaorNewDomain:replica /databasePath:"e:\ntds"
/logPath:"e:\ntdslogs" /sysvolpath:"g:\sysvol"
/safeModeAdminPassword:FH#3573.cK /rebootOnCompletion:yes
Another similar method is to create an answer file and then pass it to dcpromo
with the /unattend:<filename> parameter. The keys in the file correspond to the
command-line options shown above. Prefer the answer file when the DSRM password
is involved: a password given as /safeModeAdminPassword is visible to anyone who
can list processes on the server and lingers in the shell history. On Server Core
there is no wizard, so an unattended dcpromo is the only way to promote.
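As an added example that is not part of the course and not Microsoft's own sample, the script below builds an answer file for an RODC promotion and runs dcpromo against it. The names it uses (domain WoodgroveBank.com, site Default-First-Site-Name, delegated group NYC_BranchManagersGG, paths under C:\Windows) are assumptions taken from the lab scenario, and it assumes Windows PowerShell 2.0 on a full installation of Windows Server 2008; Server Core in Windows Server 2008 has no PowerShell, so there you write the same [DCInstall] file by hand and run dcpromo /unattend:<file> from the command prompt. What the script demonstrates is keeping the DSRM password off the command line, locking down the file that briefly holds it, and deleting that file whether or not the promotion succeeds.

```powershell
# Added example (not from the course): unattended RODC promotion from an answer file.
# Assumptions: Windows PowerShell 2.0 on a full installation, domain WoodgroveBank.com,
# site Default-First-Site-Name and delegated admin group NYC_BranchManagersGG (lab names).
$AnswerFile = Join-Path $env:TEMP "dcpromo-rodc.txt"

# Ask for the Directory Services Restore Mode password instead of passing it as
# /safeModeAdminPassword, which would show up in process listings and shell history.
$secure = Read-Host "Directory Services Restore Mode password" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# The same options as the dcpromo command line, as [DCInstall] keys. Password=* makes
# dcpromo prompt for the domain credentials so they are never written to disk.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=WoodgroveBank.com
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
DelegatedAdmin=WoodgroveBank\NYC_BranchManagersGG
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
UserDomain=WoodgroveBank.com
UserName=Administrator
Password=*
RebootOnCompletion=No
"@

try {
    Set-Content -Path $AnswerFile -Value $answer -Encoding ASCII
    # The file now holds the DSRM password in clear text: drop inherited ACEs and
    # grant only the current user access to it.
    $me = "$($env:USERDOMAIN)\$($env:USERNAME)"
    & icacls.exe $AnswerFile /inheritance:r /grant:r "${me}:(R,W)" | Out-Null

    & dcpromo.exe /unattend:$AnswerFile
    $exitCode = $LASTEXITCODE
}
finally {
    # Remove the answer file whether or not the promotion succeeded.
    Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
    $dsrm = $null
}

"dcpromo exit code: $exitCode (details in $env:SystemRoot\debug\dcpromo.log)"
"Restart the server to complete the promotion."
```

RebootOnCompletion is set to No so that the cleanup in the finally block always runs; restart the server yourself after checking dcpromo.log.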
Active Directory Server Deployment: Network Installation

Key Points
If you choose to use a network-based installation method for Windows Server
2008, you again have several options:
• Create a distribution point on the network to which you connect from the
target machine and then run an interactive install.
• Automate the distribution of Windows Server 2008 images over the network
with Windows Deployment Services (WDSs) (see next slide for details).
• Modify the above methods with an answer file created in the SIM provided in
the WAIK.
Windows Server 2008 images are likely to be much larger than Windows Server
2003 images, so their effect on network traffic is likely to be bigger.
Active Directory Server Deployment: Windows Deployment
Services Installation

Key Points
A boot image is an image that you use to start a computer onto which you intend to
install an operating system. An install image is an image containing the operating
system you want to install, plus any other applications you want to bundle into the
image.
The feature set between WDS on Windows Server 2003 and WDS on Windows
Server 2008 is not identical. For example, WDS on Windows Server 2008 includes
the ability to network-boot 64-bit machines with Extensible Firmware Interface
(EFI).
WDS can perform multicast transmissions so you can perform multiple
deployments concurrently.
Plan to do performance testing before deploying large numbers of images with
WDS. Windows Server 2008 and Windows Vista® images, in particular, are
substantially larger than Windows Server 2003 and Windows XP images.
For more information, refer to the Windows Deployment Services article
on the Microsoft TechNet, Windows Server 2008 Technical Library Web
site.
Active Directory Server Deployment: Installation from
Backup

Key Points
The main benefit of installing from backup is speed. If you are deploying only a
few AD DS servers, this technique might not be as advantageous as when you are
deploying many AD DS servers.
You can create installation media from an existing domain controller with
NTDSUTIL (in Windows Server 2003 this was done by backing up the System State)
and use that media to build the new domain controller; only the changes made
since the media was created are then replicated over the network.
An acronym you might see in this connection is IFM, which stands for Install From
Media.
NTDSUTIL can create media for a writable domain controller or, with its RODC
variant, media from which password hashes and other secrets have been stripped.
Use the RODC variant whenever the media will be shipped to a branch office, and
treat full media as a copy of the directory database: protect it in transit and
destroy it after use.
You must select the Use advanced mode installation check box on the first page
of the AD DS Installation Wizard (dcpromo) to see this option.
Using SMS for Active Directory Deployment

Key Points
The successor to Systems Management Server (SMS) 2003 is System Center
Configuration Manager 2007. Software distribution functions very similarly in both
products.
SMS 2003 and System Center Configuration Manager 2007 are built on a
Microsoft SQL Server database that facilitates inventory management.
You can use these products to deploy both server and client versions of Windows.
You can obtain an evaluation version of System Center Configuration Manager
2007 on the Microsoft Web site. Unlike with SMS 2003, the evaluation version is
upgradeable to the paid version.

For more information, refer to the Overview of Operating System
Deployment article on the Microsoft TechNet, System Center
Configuration Manager TechCenter Web site.
Lesson 3
Adding AD DS Server Roles

The new Server Manager console carries with it new terminology. Roles are
collections of related functionality; AD DS is a role. Features, such as BitLocker™,
are capabilities that do not map to a single role. Proper understanding of roles and
features is essential to configuring and reconfiguring Active Directory servers.
Defining Active Directory Roles

Key Points
You can add an AD DS role using the various methods described in this module.
However, the actual promotion of a server to become a domain controller does not
occur until you run the DCPROMO tool.
If you have not already added the AD DS role (for example, through Server
Manager), DCPROMO installs the necessary binaries for you when you run it. Unlike
Windows Server 2003, the binaries for the role are not present by default in
Windows Server 2008.

For more information, refer to the Active Directory Domain Services,
Active Directory Lightweight Directory Services, Active Directory Rights
Management Services, Active Directory Certificate Services, and Active
Directory Federation Services Web pages on the Microsoft TechNet,
Windows Server 2008 Technical Library Web site.
Planning for Combining Roles

Key Points
Another potential advantage to splitting roles out onto different servers is that
downtime (whether planned or unplanned) on one server has less impact on the
overall role availability.
As you look at the various technical and administrative issues associated with
combining and/or segregating roles on physical servers, consider the potential
benefits of server consolidation through the use of virtualization.
Windows Server 2008 with Hyper-V is designed to provide the best of both worlds:
the cost savings of a smaller number of physical machines, and the administrative
and reliability benefits of single-purpose servers.
Having said that, you should still consider the impact of hardware failure on a
physical computer that is hosting multiple virtual machines and plan for that
contingency if you move towards server consolidation through virtualization.
Method Selection Criteria for Adding Server Roles

Key Points
Adding and removing server roles is a major operation and should be performed
by knowledgeable staff.
Windows Server 2008 does not offer the ability to create a restore point such as
you can create in Windows Vista. However, you can use Windows Server Backup
to back up your operating system files in case a role installation goes wrong.
Some network administrators choose to disable the Initial Configuration Tasks
(ICT) console because it offers no options that are not also available via Server
Manager.

For more information, refer to the Step-by-Step Guide for Windows
Server Backup in Windows Server 2008 article on the Microsoft TechNet,
Windows Server 2008 Technical Library Web site.
Demonstration: Using Different Methods to Add Server
Roles: Server Manager

Question: Do you think that the GUI method or the command-line method puts
the administrator at greater risk of making a mistake?
Using Different Methods to Add Server Roles: Remote
MMC

Key Points
Because Server Manager is the main MMC snap-in to add (and remove) roles, and
because it is not remote-enabled, you can consider running it via a Remote
Desktop session.
You can also execute the Server Manager's command-line version remotely, via
Remote Desktop or other methods. Some of these are presented in the next topic.
After a role has been added to a Windows Server 2008 system, you can generally
manage it by using the remote functionality of the associated MMC snap-in, as
described in the slide.
You can manage roles remotely even if the underlying service is not installed by
using Remote Server Administration Tools (RSAT), which is a feature in the Server
Manager language of "roles" and "features."
Using Different Methods to Add Server Roles: Other
Remote Access Tools

Key Points
The client component of WinRM is Windows Remote Shell (WinRS).
WMI is Microsoft's implementation of Web-Based Enterprise Management
(WBEM), present in Windows since Windows 2000.
RemoteApp is a new feature of Terminal Services whereby a single application can
be remoted instead of an entire desktop.

For more information, refer to the following articles: Windows Remote
Management on the MSDN® Library Web site; WMI - Windows
Management Instrumentation on the Windows Hardware Developer
Central Web site; and Terminal Services RemoteApp (TSRemoteApp) on
the Microsoft TechNet, Windows Server 2008 Technical Library Web site.
Verifying Server Roles

Key Points
The OCLIST command (with no qualifiers) on a Server Core system lists both
installed and uninstalled roles and features; on a full installation,
SERVERMANAGERCMD -query gives the equivalent listing.
Another way you could verify the addition of a role would be to look in the
Registry for relevant keys and values. However, it is a good practice to avoid
REGEDIT if easier and safer methods exist.
Specific techniques also exist for particular roles. For example, one way to verify
that the AD DS role has been installed would be to try to log on to the server with
local account credentials. Domain controllers do not permit the use of local
accounts to log on.
Lesson 4
Removing AD DS Server Roles

You can decommission an AD DS server from the GUI or the command line, and
basically use the same methods as for installing an AD DS server. You might need
to decommission an AD DS server, for example, if your organization needs to
shuffle server resources towards a more performance-critical task.
Removing Server Roles via the GUI

Key Points
Component-Based Servicing is the system Microsoft uses to identify interdependencies
between roles and features, and the required "role services" that are necessary to
support a given role. These dependency checks were limited in the older Add or
Remove Windows Components control panel.
This architecture helps ensure that you do not accidentally remove a role or role
service that is still required by the remaining roles on the server.
Removing a role via Server Manager is generally simpler than adding a role,
because you will see fewer (if any) configuration options.
You can remove multiple roles in a single operation.
Removing Server Roles via the Command-Line Tool

Key Points
Demoting a domain controller with DCPROMO does not remove the AD DS
binaries. If the server will not be promoted again, remove the role afterwards
with Server Manager or SERVERMANAGERCMD.EXE so that the attack surface matches
the server's actual job.

Question: When might you consider using SERVERMANAGERCMD.EXE versus
the MMC console?
Verifying Removed Roles

Key Points
As with verifying newly added roles, the OCLIST command on a Server Core
system lists both installed and uninstalled roles and features.
Do not use the presence or absence of Registry entries as authoritative evidence
that a role has been successfully removed. Some keys might remain in the Registry
even after the successful removal of an Active Directory role.
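The script below is an added example, not part of the course, that implements the verification advice of this lesson and the previous one in one place: it asks the operating system whether the machine currently is a domain controller (rather than reading the Registry) and, separately, whether the AD DS binaries are still installed, which is the question that remains after a demotion. It assumes Windows Server 2008 with WMI reachable, and it assumes the default output layouts of servermanagercmd -query (installed roles marked [X]) and oclist (lines prefixed "Installed:" or "Not Installed:"). Windows Server 2008 Server Core has no PowerShell, so against such a box run the WMI part remotely with -ComputerName and run oclist on the console.

```powershell
# Added example (not from the course): confirm whether a server really is (or no longer is)
# a domain controller, and separately whether the AD DS role binaries are still installed.
# Assumptions: Windows Server 2008 with WMI reachable; default output formats of
# servermanagercmd -query ("[X]" marks installed roles) and oclist ("Installed:" prefix).
function Get-DomainControllerState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
    # Win32_ComputerSystem.DomainRole: 0/1 workstation, 2 standalone server,
    # 3 member server, 4 backup DC (what an RODC reports), 5 primary DC
    $isDc = ($cs.DomainRole -ge 4)

    $ntds = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='NTDS'"
    $ntdsRunning = ($ntds -ne $null) -and ($ntds.State -eq 'Running')

    # SYSVOL is shared only on a DC whose initial replication has completed.
    $sysvol = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName -Filter "Name='SYSVOL'"

    @{
        ComputerName       = $ComputerName
        DomainRole         = $cs.DomainRole
        IsDomainController = $isDc
        NtdsServiceRunning = $ntdsRunning
        SysvolShared       = ($sysvol -ne $null)
    }
}

# Promotion state and role binaries are different questions: a demoted DC keeps the
# AD DS binaries until the role itself is removed.
function Test-AdDsBinariesInstalled {
    if (Get-Command servermanagercmd.exe -ErrorAction SilentlyContinue) {
        # Full installation: installed roles are marked [X] in the -query listing
        $line = & servermanagercmd.exe -query |
            Where-Object { $_ -match 'Active Directory Domain Services' } | Select-Object -First 1
        return ($line -match '\[X\]')
    }
    # Server Core: oclist prints "Installed:" or "Not Installed:" before the component name
    $line = & oclist.exe |
        Where-Object { $_ -match 'DirectoryServices-DomainController' } | Select-Object -First 1
    return ($line -match '^Installed:')
}

$state = Get-DomainControllerState
$state
"AD DS binaries installed: $(Test-AdDsBinariesInstalled)"
if ($state.IsDomainController -and -not $state.NtdsServiceRunning) {
    Write-Warning "Machine reports a DC role but NTDS is not running; check the Directory Service event log."
}
```

After a demotion you expect DomainRole 2 or 3, no NTDS service and no SYSVOL share, while Test-AdDsBinariesInstalled still returns True until the role is removed; after a promotion you expect DomainRole 4 or 5 with NTDS running and SYSVOL shared.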
Lab: Managing and Maintaining a Windows
Server 2008 Domain Controller

Exercise 1: Evaluating the Need for AD DS Promotion
Scenario
Woodgrove Bank’s IT administrators have noticed slow logons at its branch office,
where it has deployed a server named NYC-SVR1. The branch office, which is two
miles away from the main New York headquarters, connects to the headquarters
location over a busy, shared T-1 connection. At the corporate headquarters, NYC-
DC1 acts as a domain controller and DNS server for the WoodgroveBank.com
domain. The branch office is closed Friday afternoons and all day Saturday and
Sunday. It is managed by a medium-sized staff, none of whom have had any server
training.

Exercise Overview
In this exercise, you will create a plan to add the AD DS role to NYC-SVR1.

Task: Create a plan to add the AD DS role to NYC-SVR1
• Create a plan to add the AD DS role to NYC-SVR1. The plan should consider
the following elements:
• Whether NYC-SVR1 should become a writeable domain controller or a
RODC.
• When to perform the promotion of NYC-SVR1.
• Whether to perform the promotion through a remote desktop connection,
on site, by telephone, or by sending e-mail instructions to the local liaison.
• Use the space below to write the key points of the plan.
______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Results: After this exercise, you should have a plan to promote NYC-SVR1 to be an AD
DS domain controller.
Exercise 2: Meeting the Need by Adding a Role
Exercise Overview
In this exercise, you will implement the plan to add the AD DS role to NYC-SVR1.
The main tasks for this exercise are as follows:
1. Start NYC-DC1 and NYC-SVR1.
2. Check the installed roles on NYC-SVR1.
3. Run DCPROMO on NYC-SVR1.
4. Verify successful promotion.

Task 1: Start NYC-DC1 and NYC-SVR1
• Using the Lab Launcher tool, start NYC-DC1 and log on as
WoodgroveBank\Administrator with the password of Pa$$w0rd.
• Using Active Directory Domains and Trusts, verify that the forest functional
level is at least Windows Server 2003, the minimum required to support RODCs.
(An RODC also requires that adprep /rodcprep has been run in the forest and that
the domain already contains a writable Windows Server 2008 domain controller;
NYC-DC1 satisfies the latter.)
• Start NYC-SVR1 and log on as LocalAdmin with the password of Pa$$w0rd.

Task 2: Check the installed roles on NYC-SVR1
The Server Manager console should come up automatically. Expand the Roles
node and view the installed roles. (If AD DS were already installed, you would
need to re-evaluate your plan.)

Task 3: Run DCPROMO on NYC-SVR1
• On NYC-SVR1, open an administrative command prompt.
• Ping NYC-DC1 to make sure you can see it on the same virtual network.
• Run DCPROMO to start the AD DS Installation Wizard in advanced mode.
You will be adding a domain controller to an existing domain in the same site.
The new domain controller will also be a DNS server, a Global Catalog server,
and a RODC.
• When warned about static IP assignments, modify network connections to
disable IPv6.
• Complete the following steps in the wizard:
• Delegation of RODC Installation and Administration dialog box:
• Add the group NYC_BranchManagersGG
• Verify your spelling before continuing
• Install from Media dialog box: Select Replicate data over the network
from an existing domain controller
• Location for Database, Log Files, and SYSVOL dialog box: Leave all the
default settings
• Directory Services Restore Mode Administrator Password dialog box:
Type Pa$$w0rd as the password
• The promotion and replication is a lengthy process so this would be a good
time to take a break. When the wizard reports that it has finished, restart NYC-
SVR1, and log on as the administrator of the WoodgroveBank domain.

Task 4: Verify successful promotion
• Navigate to NYC-DC1. In Server Manager, navigate to Active Directory Users
and Computers.
• Open the Domain Controllers organizational unit. Do you see NYC-SVR1?
What type of server is it?

__________________________________________________________________

Results: After this exercise, you should have a new RODC in the form of NYC-SVR1.
This should help alleviate the problem of slow logons in the branch office.
Exercise 3: Managing a Change Request for an RODC by
Using the Command Line
Exercise Overview
In this exercise, you will update the configuration of the new RODC through a
change on the writable domain controller followed by forced replication. The
change is a new organizational unit, FederalAuditors, added to the domain
WoodgroveBank.com. Senior management wants to ensure that the new
organizational unit replicates to the NYC-SVR1 RODC immediately.
The main tasks for this exercise are as follows:
1. Add the new organizational unit on NYC-DC1.
2. Replicate the change to NYC-SVR1.

Task 1: Add the new organizational unit on NYC-DC1
In Server Manager, use Active Directory Users and Computers to add the
FederalAuditors organizational unit.

Task 2: Replicate the change to NYC-SVR1
• In Server Manager (still on NYC-DC1), navigate to Active Directory Sites and
Services, and expand the Default-First-Site-Name, the Servers node and the
node for NYC-SVR1.
• Select NTDS Settings. You should see an entry in the details pane for NYC-
DC1, which is a replication partner of NYC-SVR1.
• Force a replication from NYC-DC1 to NYC-SVR1.
• If you get an error message, it might be that the NYC-SVR1 domain controller
is still sorting itself out. Give it five minutes or so, and then try again. You
should eventually get a message that the operation completed successfully.
• Switch over to NYC-SVR1 and in Server Manager, verify that the
FederalAuditors organizational unit now appears under WoodgroveBank.com. (An
RODC accepts no LDAP writes of its own, so the OU can only have arrived there
by replication.)
• Close NYC-SVR1 by executing a normal shutdown, saving your changes. Leave
the NYC-DC1 virtual machine running for future labs.
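The exercise title promises the command line but the tasks use the consoles; the script below is an added example, not part of the course, that performs the same change request from PowerShell. It uses ADSI and repadmin.exe, which are present on Windows Server 2008 without any Active Directory PowerShell module, and it assumes the lab names: writable DC NYC-DC1, RODC NYC-SVR1, domain WoodgroveBank.com and the FederalAuditors OU.

```powershell
# Added example (not from the course): the command-line version of exercise 3.
# Assumptions (lab names): writable DC NYC-DC1, RODC NYC-SVR1, domain WoodgroveBank.com,
# OU FederalAuditors. Uses ADSI and repadmin.exe; no AD PowerShell module is required.
$WritableDc = "NYC-DC1"
$Rodc       = "NYC-SVR1"
$DomainDn   = "DC=WoodgroveBank,DC=com"
$OuName     = "FederalAuditors"
$OuDn       = "OU=$OuName,$DomainDn"

# 1. Create the OU on the writable DC. Binding to the RODC for this would fail:
#    an RODC accepts no LDAP writes and refers them to a writable DC.
if (-not [ADSI]::Exists("LDAP://$WritableDc/$OuDn")) {
    $domain = [ADSI]"LDAP://$WritableDc/$DomainDn"
    $ou = $domain.Create("organizationalUnit", "OU=$OuName")
    $ou.SetInfo()
    "Created $OuDn on $WritableDc"
}

# 2. Pull the change into the RODC now rather than waiting for the replication schedule.
#    Syntax: repadmin /replicate <destination> <source> <naming context>; because
#    replication to an RODC is inbound only, the RODC is always the destination.
& repadmin.exe /replicate $Rodc $WritableDc $DomainDn

# 3. Confirm the object is present on the RODC, retrying briefly in case the new DC is
#    still initialising (the same situation the lab text warns about).
$attempt = 0
do {
    $onRodc = [ADSI]::Exists("LDAP://$Rodc/$OuDn")
    if (-not $onRodc) { Start-Sleep -Seconds 10; $attempt++ }
} while (-not $onRodc -and $attempt -lt 6)
"OU present on ${Rodc}: $onRodc"

# 4. Replication metadata records which DC originated the write, when, and at what USN,
#    which is what you want when auditing who changed what in the directory.
& repadmin.exe /showobjmeta $Rodc $OuDn
```

Run it from NYC-DC1 as a domain administrator; repadmin /showobjmeta on the RODC should list NYC-DC1 as the originating DSA for every attribute of the new OU.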
Results: After this exercise, you should have an AD DS change on NYC-DC1 and the
change replicated to NYC-SVR1.
Exercise 4: Developing a Management and Maintenance
Plan
Scenario
You and your colleagues in the IT department have been asked to write a first draft
for a management and maintenance plan for the NYC-DC1 and NYC-SVR1 domain
controllers.

Exercise Overview
In this exercise, you will write a first draft for a management and maintenance plan
for the NYC-DC1 and NYC-SVR1 domain controllers. (Depending on class size, the
instructor may break the class into smaller groups for purposes of generating
discussion.)
The main tasks for this exercise are as follows:
1. Decide which tools are better suited for each of the two domain controllers.
2. Decide whether the new RODC is meeting the business needs.
3. Decide whether delegation for certain functions might be appropriate.

Task 1: Decide which tools are better suited for each of the two domain controllers
• Decide which tools are better suited for corporate headquarters and which are
better suited to the branch office scenario. Consider that Server Manager is not
“remoteable” as such, but Active Directory Users and Computers is
remoteable, as well as Event Viewer.
• Use the space below to write the answers.
Task 2: Decide whether the new RODC is meeting the business needs
• Consider the methods for determining whether the new RODC is meeting the
business needs.
• Use the space below to write the answers.
Task 3: Decide whether delegation for certain functions might be appropriate
• Consider whether delegation for certain functions might be appropriate, for
example, adding user accounts.
• Use the space below to write the answers.
Results: After this exercise, you should have a draft document that outlines how to
manage these two domain controllers.
Exercise 5: Evaluating the Management and Maintenance Plan
Exercise Overview
In this exercise, you will discuss the plan documents you created in Exercise 4.
(Depending on class size, the instructor may break the class into smaller groups
for purposes of generating discussion.)

Task: Evaluate the management and maintenance plan

• Discuss the plan documents you created in Exercise 4. There is no correct or
incorrect answer, but during the discussion make sure you talk about the
following points:
• Whether logons and connections to servers are now faster for Active
Directory users connecting to the NYC-SVR1 domain controller.
• Lack of technical expertise at the branch office.
• The remote manageability, or lack of it, of specific management tools.
• Delegating some routine management functions for NYC-SVR1 to the
branch office personnel.
• Use the space below to write the key points of the discussion.
Results: After this exercise, you should have ideas for evaluating the success of the
plan developed in Exercise 4.
Lab Review
Module 2
Creating Baselines for Active Directory® Servers
Contents:
Lesson 1: Baseline Methodologies for Active Directory Servers 2-3
Lesson 2: WRPM Overview 2-10
Lesson 3: Using Metrics to Create Baselines for Active Directory Servers 2-16
Lab: Creating Baselines for Active Directory Servers 2-24
Module Overview

Every organization is different. Some have more formal IT requirements than others. But most organizations can benefit by setting some baseline expectations for Active Directory performance, security, and reliability. Variances from these baselines then represent a call to action. This module explores methodologies for creating baselines, and takes a look at the primary Windows Server® 2008 tool for establishing baseline goals and measuring baseline compliance.
Lesson 1
Baseline Methodologies for Active Directory Servers

If your organization has never established performance baselines before, or if it has, but the effort did not bear fruit, then it might be worth examining some of the different ways of planning for baselines and managing the baseline creation process.
Planning for Baselines

Key Points
There are many reasons to implement baselines but probably the most significant
one is to become more proactive in managing information systems, setting
expectations, and matching real-world performance against those expectations.
Baselines generally only make sense for metrics that are measurable. For example,
"user-friendliness" might be very important but there are no software tools for
measuring it.
Some areas that are not traditionally incorporated in baseline planning might be
worth considering, for example, application compatibility, which is often not a
yes/no situation but a range between a fully compatible application and one that
is unusable. What metrics might you use for this area?
Choosing the operational scenarios that your baselines will cover depends on the
nature of your business. For example, an accounting firm in the United States will
have different demands on its information systems in March than in May.
It is important to choose a high-stress scenario because that is often when the
performance of Active Directory systems is most important to the business.
Defining Baseline Server Hardware and Roles

Key Points
There is no absolute baseline for server hardware because different functions have
different requirements. What might be acceptable hardware for a DHCP server
might be inadequate for a domain controller.

Question: What major roles do Active Directory servers assume in your organization? How many different kinds of Active Directory servers do you have?
Who Decides the Initial Performance Criteria?

Key Points
Like anything else in an organization, if no person or group takes ownership of
server baselining, it will never develop into a useful technique for managing an
Active Directory network.
A baseline committee must include the consumers of Active Directory services as
well as the providers.
It is possible to go overboard in the planning phases and create a baseline
methodology that is too ambitious for the resources available. It is better to start off
with a highly targeted baseline program (for example, "performance of Active
Directory domain controllers at high stress times") than to set too many new goals
simultaneously.
Review of the Existing History of Microsoft® Windows Server 2003

Key Points
Mine your Windows Server 2003 event and PerfLog history, focusing on strong
examples of the types of performance you want to baseline.
If such history is not available, consider performing some monitoring of the
template systems you have selected, using objects and counters identified later in
this module.
The reason for performing this type of analysis is that the published literature on
Active Directory server performance baselines is quite sparse. Over time, therefore,
you will need to develop your own baselines based on your own analysis and
experience.
A wide variety of third-party tools can assist you in analyzing performance and
event logs from existing servers.

Question: What factors do you think will determine whether existing Active
Directory servers can provide relevant performance and/or event log data for use
in Windows Server 2008 baselining?
Evaluating Baseline Acceptability Over Time

Key Points
Periodic reviews should be realistic, considering available personnel resources.
They should also reflect the speed at which your organization's network changes.
More stable Active Directory environments might be fine with annual baseline
reviews; Active Directory environments in rapid flux might need semiannual or
even quarterly reviews at first.

Question: Do you think that, in your organization, customer expectations based on experience with home computers affect their expectations for performance in the Active Directory environment? How does your organization deal with that discrepancy?
Criteria for Revising Baselines vs. Starting Over

Key Points
If you find yourself in a position of starting over with a new baseline plan,
document why the old plan failed.
Sometimes it is necessary to start over because of a change in management, but
even then you should ask whether elements of the old plan might be salvageable
(for example, list of tools).
Lesson 2
WRPM Overview

Windows® Reliability and Performance Monitor (WRPM), first introduced in Windows Vista®, is present in Windows Server 2008 and combines a new tool (Reliability Monitor) with a traditional one (Performance Monitor). This lesson helps identify important objects and counters and helps you configure the tool for use in a baseline program.
Reliability Monitor

Key Points
The Reliability Monitor also correlates the graphical System Stability Index with
failures of the operating system, applications, and hardware.
The System Stability Index graph might show as dotted sections to indicate that
the operating system did not have enough data to calculate a stable index.
The relevant scheduled task is RACAgent.
Recent events are weighed more heavily than older events.
Days when the system is powered down do not count.
Microsoft® does not provide details on the formulas used to calculate the System
Stability Index, nor is there a mechanism for you to modify them or generate your
own.

For more information, refer to the Windows Server 'Longhorn' Performance and Reliability Monitoring Step-by-Step Guide article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.
Performance Monitor

Key Points
An object is something you want to measure; a counter is a characteristic of that
object that you want to measure; and an instance is the specific occurrence of an
object that might have more than one occurrence (for example, CPU).
The Data Collector Set is a method for grouping collectors together so that you can
reuse the set over time; change its schedule; and/or load it into the real-time
performance monitor console.
You can use a Data Collector Set for ongoing monitoring or for one-time use.
You can save your own Data Collector Sets as a template.
Caveat: The properties for a Data Collector Set are different than the properties for
an individual collector.

For more information, refer to the Windows Server 'Longhorn' Performance and Reliability Monitoring Step-by-Step Guide article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site. Also, refer to the Compare Multiple Log Files in Performance Monitor article on the TechNet Web site.
Essential Objects and Counters (Global)

Key Points
This slide shows several performance objects and counters that are generally
relevant for most server types and should be considered when setting up a
performance baseline for Active Directory servers.
Using LogicalDisk instead of PhysicalDisk might be more appropriate for servers
with multiple logical disks on a single physical disk.

For more information, refer to the Suggested Performance Counters to Watch article on the Microsoft TechNet, IIS 6.0 Technical Library Web site.
Logging Options

Key Points
The point of doing PerfMon logging with existing servers is to establish some
ranges for good, fair, and poor performance.
Experiment with the logfile directory location. For example, depending on the type
of testing you are doing, you might benefit from using a USB flash drive.
Also, experiment with log size limits as logs can grow at widely varying rates
depending on the size of the Data Collector Set.
Report Options and Formats

Key Points
The reporting features of WRPM have been borrowed from an older tool, the Server
Performance Advisor from Windows Server 2003.
You can obtain some syntax for the relog command by typing relog /? in a
command prompt session. For more details, see the reference below.
CSV = Comma Separated Values; TSV = Tab Separated Values.

For more information about relog, refer to the Microsoft TechNet, Microsoft Windows Server TechCenter Web site.
Lesson 3
Using Metrics to Create Baselines for Active Directory Servers

This lesson presents some of the more often-used metrics for particular Active
Directory roles and considers issues of measurement frequency and duration. This
information will be useful in building working baseline documents.
Metrics: AD DS

Key Points
Domain controllers perform frequent disk reads and writes, so the physical disk
object is important.
Directory Replication Agent (DRA) inbound and outbound bytes relate to Active
Directory Domain Services (AD DS) replication.
There should be some Kerberos authentication activity for a functioning domain
controller.
Lightweight Directory Access Protocol (LDAP) client sessions should be non-zero
for a functioning domain controller.
LDAP bind time should be very low.

For more information, refer to the Counters by Object article on the Microsoft TechNet, Windows Server 2003 Technical Library Web site. (At the time of this writing, no similar article exists for Windows Server 2008.)
Metrics: AD LDS

Key Points
In addition to the PerfMon counters and objects, the REPADMIN tool is especially
useful for monitoring Active Directory Lightweight Directory Services (AD LDS)
replication performance.
Metrics: AD CS

Key Points
The online responder requires Internet Information Services (IIS), so machines
running Windows Server 2008 configured as an online responder can take
advantage of IIS performance counters as well as the explicit Active Directory
Certificate Services (AD CS) counters.
Metrics: AD FS

Key Points
Active Directory Federation Services (AD FS) requires either AD DS or AD LDS, so
the performance objects and counters for those roles will be relevant in creating a
baseline for AD FS.
Metrics: AD RMS

Key Points
Active Directory Rights Management Services (AD RMS) depends on the following
roles and services:
• AD DS
• AD CS (or a standalone or third-party certificate authority)
• Microsoft Message Queuing (MSMQ)
• IIS
• SQL Server®
A performance analysis plan should consider the underlying performance of those
roles and services.

For more information, refer to the Troubleshooting Performance Problems in SQL Server 2005 article on the Microsoft TechNet Web site. When available, look for a similar document on SQL Server 2008.
Frequency of Measurement

Key Points
The higher the frequency, the greater the impact of performance monitoring on
performance. Logging to a separate physical drive helps.
For general-purpose performance monitoring, 15 to 30 minutes is a good interval.
Duration of Measurement

Key Points
Consider the business-cycle variations in your organization when developing
durations. For example, if you see Active Directory activity vary throughout the
day, but you do not see much variation between different days of the week or
month, then a 1-day duration might be sufficient.
Activity can vary by month of the year, also. If you work for a tax consultancy, for
example, certain months might exhibit dramatically more activity than others.
Your measurement durations must capture all significant business-cycle variations.
Lab: Creating Baselines for Active Directory Servers

Exercise 1: Involving Users in Baseline Development

Scenario
The loan department of Woodgrove Bank has a number of users who work on
shared PCs. The frequency of logons and logoffs is relatively high in this
department. The department runs a small number of applications, and employees
perform very few searches of Active Directory. Communications outside the local
office are limited.
The research department of the bank, by contrast, is engaged in studying new
banking products. Employees of this department, who generally have a PC all to
themselves, perform a fair amount of market research and draw upon resources
throughout the organization, including people in different locations and even in
different domains. They tend to log on at the beginning of the day and log off at
the end of it.

Exercise Overview
The main tasks for this exercise are as follows:
1. Generate ideas for involving users in developing a baseline.
2. Generate five questions to ask in a user survey to help IT professionals develop
baseline documents.

Task 1: Generate ideas for involving users in baseline development

• Working in small groups, discuss ways in which computer users can become
involved in developing a baseline. There are no correct or incorrect answers.
• Use the space below to write the results and then share your results with the
class.

Task 2: Generate five questions to ask in a user survey to help IT professionals develop baseline documents
• Working in the same groups, discuss what type of questions you might ask in
a user survey (for example, an e-mail survey) to help you create appropriate
Active Directory baseline values. The following are some thought starters:
• What is the slowest operation you perform on your PC?
• What is the fastest operation you perform on your PC?
• How many times a day do you typically log on and off?
• How many times a day do you search the network for resources other than
mapped drives and printers?
• Use the space below to write the five questions and then share your results
with the class.

Results: After this exercise, you should have some ideas for involving users in what
traditionally has been an IT-only activity, developing network performance baselines.
Exercise 2: Choosing Relevant WRPM Counters and Durations
Scenario
Use the same scenario as in Exercise 1.

Exercise Overview
In this exercise, you will identify relevant WRPM counters for the loan department
and for the research department.
The main tasks for this exercise are as follows:
1. List the counters that you would consider including in the baseline.
2. Consider differences in a baseline strategy for the two departments.

Task 1: List the counters that you would consider including in the baseline
• Start NYC-DC1.
• Log on to NYC-DC1 as WoodgroveBank\Administrator with the password of
Pa$$w0rd.
• In Server Manager, expand the nodes Diagnostics, Reliability and
Performance, and Data Collector Sets.
• Under the System node, navigate to the Active Directory Diagnostics Data
Collector Set and select Properties.
• On the General tab, read the description of this Data Collector Set.
• Take a look at the other tabs on the Data Collector Set Properties page.
• Close Data Collector Set Properties page.
• In the details pane, you should see four data collectors. What types are they?
• Open the Properties of the Performance Counter data collector. Note the
PerfLog objects that Microsoft has chosen for this pre-built Data Collector Set.
This list is a good starting point for exploring Active Directory performance
counters in detail. Note, for example, the category DirectoryServices.
• Back in Server Manager, in the User Defined node, create a new Data Collector
Set named CustomAD with the following options:
• Create from a template (recommended)
• Template: Active Directory Diagnostics
• Root directory: Default
• Finish the Data Collector Set.
• Open the Properties dialog box and type Woodgrove Bank custom AD data
collector set as the description.
• Under the User Defined node, open the Properties of the Performance
Counter for the new CustomAD.
• View the Counter Selection dialog box on the Performance Counters tab.
• Expand the DirectoryServices object and browse the counters and counter
categories, especially:
• Asynchronous Thread Queue (ATQ)
• DRA
• Directory Service
• LDAP
• Security Accounts Manager (SAM)
• Browse the counters listed under FileReplicaSet.
• Use the space below to write any performance counters and/or objects that look
relevant to you.
Task 2: Consider differences in a baseline strategy for the two departments
• Using the console from Task 1, identify three performance counters that
would probably be more important for the loan department than for the
research department. Use the space below to write the counters.
• Identify three performance counters that would probably be more important
for the research department than for the loan department. Use the space below
to write the counters.
• Identify three performance counters that would probably be important for
both departments. Use the space below to write the counters.
• Leave NYC-DC1 running for future labs.

Results: After this exercise, you should be familiar with some of the PerfMon Active
Directory counters, and have some idea of how to adapt a baseline strategy for
different business situations.
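As an added example (not code from the course), the same CustomAD collector built from the command line instead of the Server Manager wizard, using the AD DS counters listed in Lesson 3, the 15-minute interval from "Frequency of Measurement" and the log-location and size guidance from "Logging Options"; logman and relog are the standard Windows tools, while the log path, the size cap and the exact counter list are my choices and should be adapted to your lab.

```powershell
# Added example, not part of course 6432A: create, start and later export a
# user-defined Data Collector Set for AD DS baselining from the command line.
param(
    [string]$SetName  = "CustomAD",
    [string]$LogDir   = "D:\PerfLogs\CustomAD",   # placeholder: a separate physical disk
    [string]$Interval = "00:15:00",               # 15-30 minutes is the lesson's guidance
    [int]   $MaxMB    = 512                       # size cap, since DCS logs grow unevenly
)

# Counters from "Metrics: AD DS" (disk, DRA replication, Kerberos, LDAP) plus the
# global CPU and memory counters from "Essential Objects and Counters".
$counters = @(
    '\DirectoryServices(NTDS)\DRA Inbound Bytes Total/sec',
    '\DirectoryServices(NTDS)\DRA Outbound Bytes Total/sec',
    '\DirectoryServices(NTDS)\LDAP Client Sessions',
    '\DirectoryServices(NTDS)\LDAP Bind Time',
    '\DirectoryServices(NTDS)\LDAP Searches/sec',
    '\NTDS\Kerberos Authentications',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Read',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Write',
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes'
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# logman reads the counter list from a file (one counter path per line), which
# avoids quoting problems on the command line.
$cfgFile = Join-Path $LogDir "counters.txt"
$counters | Set-Content -Path $cfgFile

# Recreate the set if it already exists so the script can be rerun safely.
logman query $SetName > $null 2>&1
if ($LASTEXITCODE -eq 0) { logman delete $SetName | Out-Null }

# Binary circular log: never exceeds $MaxMB on disk, oldest samples overwritten.
logman create counter $SetName -cf $cfgFile -si $Interval -f bincirc -max $MaxMB -o "$LogDir\$SetName"

# Start collecting; stop it after a full business cycle (see "Duration of
# Measurement"), for example with "logman stop CustomAD" the next day.
logman start $SetName
logman query $SetName

# After stopping, convert the binary log to CSV for the baseline spreadsheet
# ("Report Options and Formats"); the .blg name is whatever logman wrote to $LogDir:
#   relog "$LogDir\CustomAD.blg" -f csv -o "$LogDir\CustomAD.csv"
```

Running the resulting counters for a day on the loan department's domain controller and a day on the research department's gives two logs that can be compared side by side in Performance Monitor, which is where the Task 2 differences become visible as numbers rather than guesses.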
Exercise 3: Evaluating and Revising a Baseline Document in the Face of Business Changes
Scenario
The scenario is the same as in Exercise 1, but the IT department has just been
informed that the domain controller is about to support twice as many users.

Exercise Overview
In this exercise, you will discuss as a class whether the baseline document should
be modified in view of the increased user population, and explore possible
procedures and organizational standards for modifying (or suggesting
modifications to) the baseline document.
The main tasks for this exercise are as follows:
1. Decide whether the baseline document should be modified.
2. Discuss the procedures and standards for modifying a baseline document.

Task 1: Decide whether the baseline document should be modified

• Discuss the pros and cons of modifying the baseline document for the
upcoming change.
• What questions would you ask in order to determine whether the Active
Directory performance baseline document should be modified?
• Use the space below to write the key points of the discussion.
Task 2: Discuss the procedures and standards for modifying a baseline document
• Discuss who in the organization should be able to initiate a baseline
modification suggestion.
• Discuss who should review such suggestions, and how often they should
perform such a review.
• Discuss what happens to a baseline document that is never updated.
• Use the space below to write the key points of the discussion.


Results: After this exercise, you should have heard various perspectives and ideas on
the pros and cons of modifying Active Directory baseline documentation, and on how
to implement such modifications in a realistic and practical way.
Lab Review
Module 3
Monitoring the System Health of Active Directory® Servers
Contents:
Lesson 1: System Health Overview 3-3
Lesson 2: Using Long-Term Monitoring to Identify Trends 3-7
Lesson 3: Setting Thresholds and Alerts for Short-Term Monitoring 3-11
Lesson 4: Choosing the Appropriate Windows Server 2008 Monitoring Tools 3-17
Lab: Monitoring the Active Directory Server Roles 3-27
Module Overview

Active Directory system health means different things to different organizations. This module will identify aspects of Active Directory system health that you should consider before getting into the details of performance and reliability monitoring. Then, the module will explore both long-term monitoring for "big picture" adjustments, and short-term monitoring for quick responses. Finally, the module explores some of the tools available, and when to use each one for both long-term and short-term monitoring.
Lesson 1
System Health Overview

Moving from general to specific, this lesson considers three ways to define health:
overall system health, server health, and Active Directory (or service) health. Your
organization's health monitoring plan should encompass all three.
Defining System Health

Key Points
Users view information systems as whole systems, not as components. The system
fails if any component of the overall system fails.
Active Directory is a large set of services, but managing Active Directory is
ultimately only one link in a long chain of things that have to "go right" in an
information system.

Question: Can you think of any aspects of system health that are important to
your organization, but that the above list omits?
Defining Server Health

Key Points
The above areas encompass hardware, software, administration, and user support
elements.
Analyzing individual servers, while useful, is not in itself sufficient to obtain a
complete picture of system health. For example, an Active Directory Domain
Services (AD DS) domain controller can take much longer to boot if it cannot find
its replication partners quickly on the network.

Question: Are there any aspects of server health that are important to your
organization, but that the above list omits?
Defining Active Directory Health

Key Points
With Windows Server® 2008, Active Directory is more than just directory services.
Defining the health of an Active Directory Lightweight Directory Services (AD LDS)
installation will involve both Microsoft® tools and vendor-specific tools.
The health of your DNS environment (not just whether DNS works, but whether it
works optimally) has a major impact on AD DS and AD LDS.

For more information, consider discussing the "Active Directory Health Check"
with your Microsoft Technical Account Manager (TAM). Also, you might want to
explore the product "Spotlight on Active Directory" from Quest Software.
Lesson 2
Using Long-Term Monitoring to Identify Trends

Long-term monitoring is designed to identify trends in performance, security, or
uptime that require improvement. Certain tools, such as System Center, focus
explicitly on such "big-picture" monitoring. But whatever tools you use, your
organization will need criteria for periodically reviewing your baselines and
adjusting them to meet real-world expectations and potentially changing business
needs.
System Center Operations Manager Features

Key Points
System Center Operations Manager is the successor to Microsoft Operations
Manager (MOM).
If you are not familiar with this product, Microsoft makes a 180-day evaluation
version available.

Question: Do you use the System Center Operations Manager in your
organization? What have you found to be its strengths and weaknesses?

For more information, refer to the Monitoring Active Directory with
MOM 2005 slideshow by Alexandre Le Bienvenu, which has a great deal
of content that remains useful. Also, visit the Microsoft home page for
System Center Operations Manager 2007.
Re-evaluating Performance vs. Baselines

Key Points
Trends in the field can arise from changes in:
• User applications
• Business practices (for example, auditing)
• User population changes
• Back-end system changes (for example, antivirus software)
• Hardware changes
• Network link traffic
Proactively survey your IT consumer community to make sure your baseline
documents remain relevant by reflecting real-world performance.

Question: Does your organization ever re-evaluate your baselines in the areas of
performance, security, and uptime?
Adjusting Baselines

Key Points
Baseline adjustment is a balancing act between 1) spending too much time
updating the baseline and too little on managing the environment, and 2) risking
irrelevance by never updating the baseline document(s) to reflect system evolution.

Question: Do you use baselines as a metric for determining the performance of the
IT organization? If so, does it become even more important to update them?
Lesson 3
Setting Thresholds and Alerts for Short-Term Monitoring

Short-term monitoring focuses on the quick detection and correction of
performance problems that could affect the daily business activities of the
organization. Although some of the tools used might be the same as for long-term
monitoring, the time frame is completely different, requiring different approaches
both technologically and procedurally.
Performance Threshold Basics

Key Points
Mean Time To Recover (MTTR) might be more important than Mean Time
Between Failures (MTBF).
Alert responses must have organizational (procedural) elements as well as
technological (triggering) elements to be successful.

Question: What Active Directory-related performance, downtime, or security alerts
do you currently monitor, if any?
Creating Alerts and Triggers for Short-Term Monitoring:
Informational Alerts

Key Points
Windows Server 2008 makes no distinction between "informational alerts" and
"action alerts," but this is a useful distinction to make in your organization. For
informational alerts, logging an entry in the application event log might be
sufficient. It might be useful to create a filter (or custom view) in Event Viewer
for such informational alerts.
Creating Alerts and Triggers for Short-Term Monitoring:
Action Alerts

Key Points
You can create scheduled tasks in Server Manager, under the Configuration node.
The task can run when PerfMon triggers it, even if you do not associate any triggers
with the scheduled task when you create it.
Once you have created a scheduled task to execute an alert, if you need to rename
it later, you must recreate it with the new name.
Creating Alerts and Triggers for Short-Term Monitoring:
Event Log Triggers

Key Points
You can use event log triggers in addition to, or instead of, PerfMon alerts.

For more information, visit the www.eventid.net website, where
administrators post their experiences with specific event IDs. You can
also visit the Microsoft TechNet Events and Errors Message Center.
Setting Action Plans for Alert Situations

Key Points
You might want to set up different action plans for different levels of severity if you
have created triggers for multiple scenarios.
Autoremediation is always preferable to manual remediation, as long as you have a
mechanism in place for periodically reviewing alert type and frequency.
Lesson 4
Choosing the Appropriate Windows Server 2008 Monitoring Tools

Microsoft provides a number of tools that you can use for both long-term and
short-term monitoring. This lesson will explore some of these more useful tools.
WRPM: Resource Overview

Key Points
The Windows Reliability and Performance Monitor (WRPM) is an MMC snap-in
that provides tools for analyzing system performance. One of these tools is the
Resource Overview.
If you run the Resource Overview with insufficient credentials, it will not show
current system information.
One way to ensure that you are running with an elevated security token is to run
PerfMon.exe from an administrative command prompt.
The command perfmon /res will open the Resource Overview in a separate
window.

For more information, refer to the Monitoring General System Activity
Using Resource View article on the Microsoft TechNet, Windows Vista®
TechCenter Web site.
WRPM: Performance Monitor

Key Points
The basic PerfMon program is an evolution of a tool that has been present in
Windows® operating systems since Windows NT®.
Successive versions of Windows have added performance objects and counters.

For more information, refer to the Monitoring Specific System Activity
Using Performance Monitor article on the Microsoft TechNet, Windows
Vista TechCenter.
Event Viewer

Key Points
Most administrators will not need to review the operational logs regularly, but it is
important to know what is there.
Group Policy is now a service and has its own event log. This will be a primary
troubleshooting resource in Active Directory, along with Resultant Set of Policy.
Many third-party tools exist to gather, organize, and analyze event logs.

For more information, refer to the Authoring Event Rules in OpsMgr
blog on Microsoft TechNet, especially the Anatomy of a Vista/Server
2008 Event section.
Demonstration: Using Event Logs

Question: What benefits might you gain from making a detailed study of the
complex new Event Viewer console?
Event Subscriptions and WinRM

Key Points
Windows Remote Shell, or WinRS.exe, is the command-line tool for Windows
Remote Management.
You can add limited Windows Remote Management (WinRM) capability to
Windows Server 2003 R2 using the Windows optional components wizard.
WinRM must be started on machines to be polled (listeners) as well as on the
polling machine. The usual command is winrm quickconfig.

For more information, refer to the Windows Remote Management article
on the MSDN® Library under Win32 and COM Development.
Services Console

Key Points
This console (services.msc) has not changed dramatically from Windows Server
2003.
Server Manager does not provide as much functionality as this console when it
comes to managing services.
You do not have to know the dependent services in advance in order to stop the
AD DS service from Server Manager. The Server Manager will know which ones to
stop.
When doing work locally on a Windows Server Core system, use SC.EXE instead
of the graphical tool.
Server Manager

Key Points
You cannot necessarily give up the full versions of the Active Directory
administrative tools in favor of the versions contained in Server Manager.
For most of what server administrators do, Server Manager comes close to being a
"one stop shop."

For more information, refer to the Server Manager topic in the Microsoft
TechNet, Windows Server 2008 Technical Library Web site.
RSAT

Key Points
Remote Server Administration Tools (RSAT) and its individual tools are installed
as Features in Server Manager.
You do not need to install an RSAT tool if you have the related service or role
installed on your machine.
Unlike with previous versions of Windows, Windows Server 2008 does not ship
with optional support tools or resource kit tools.
If a desired tool is not in the RSAT or in the Windows Server 2008 base
distribution, an earlier version might work, but you should test it before relying on
it.

For more information, refer to the online help for Remote Server
Administration Tools in Server Manager.
PKIView

Key Points
The old name of Enterprise PKI (PKIView) was the PKI Health Tool. The following
table lists the meanings of the icons in the PKIView console.

Console indicator                           Certificate Authority state
Question mark                               Health state evaluation
Green indicator                             No problems
Yellow indicator                            Non-critical problem
Red indicator                               Critical problem
Red cross over Certificate Authority icon   Offline

For more information, refer to the AD CS: Enterprise PKI (PKIView) article on
the Microsoft TechNet Web site.
Lab: Monitoring Active Directory Server Roles

Exercise 1: Setting a Performance Alert to Meet a Business Goal
Scenario
The management at Woodgrove Bank has issued a directive to the IT department
to respond more proactively when Active Directory domain controllers are
overloaded beyond “normal” time-of-day spikes. The business goal is to address
short-term domain performance problems before the users start calling the Help
Desk to report them. The bank would prefer not to spend money on additional
monitoring and alerting tools and would also like the solution to have a light
footprint in terms of system overhead.
Two system administrators have offered plans for generating an alert. The plans
are basically identical in terms of the performance objects and counters to be
monitored, and include the following, among others:
• Processor\Percent processor time
• PhysicalDisk\Avg. disk queue length
• Network Interface\bytes received/sec
• Network Interface\bytes sent/sec
• Directory Service\LDAP searches/sec
• Directory Service\DS reads/sec
• Directory Service\DRA inbound bytes total/sec
• Directory Service\DRA outbound bytes total/sec

The plans also suggest that over-threshold events should produce an e-mail to at
least one network administrator. Just creating an entry in the event log is not
proactive enough to meet the management mandate. However, Plan 1 specifies a 5-
second sampling interval, and Plan 2 specifies a 5-minute sampling interval.

Exercise Overview
In this exercise, you will select an alert plan and implement the plan through
Scheduled Tasks and the WRPM.
The main tasks for this exercise are as follows:
1. Decide which plan you would recommend, Plan 1 or Plan 2.
2. Create a scheduled task for the e-mail alert.
3. Create an alert in Performance Monitor.

Task 1: Decide which plan you would recommend, Plan 1 or Plan 2
Decide whether you would recommend Plan 1 or Plan 2. The key criteria to
consider are as follows:
• The bank is interested in detecting Active Directory performance problems
beyond the normal time-of-day spikes.
• The solution should have a light footprint in terms of system overhead.
• Use the space below to write your answer.
______________________________________________________________________

Task 2: Create a scheduled task for the e-mail alert
• Start NYC-DC1 (if it is not already started).
• Log on to NYC-DC1 as WoodgroveBank\Administrator with a password of
Pa$$w0rd.
• In Server Manager, navigate to Configuration, Task Scheduler.
• Create a new task titled Performance Alert e-mail. The action should be to send
an e-mail from administrator@woodgrovebank.com to the same address. Make
sure the task can be run on demand, and specify administrator credentials for
the task.

Task 3: Create an alert in Performance Monitor
• Under Diagnostics, Reliability and Performance, create a new user-defined
Data Collector Set titled Active Directory Performance Alert. (Use the manual
creation option.)
• Create a performance counter alert. Add the DS Directory Reads/sec counter
for the DirectoryServices object. Set the threshold at 5 reads/sec.
• Choose properties for the alert data collector. Set the sample interval to 5
minutes. Configure the properties to run the scheduled task you created in
Task 2 when an alert is triggered.
• Try starting and stopping the Data Collector Set to see how simple these
operations are.
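Tasks 2 and 3 above can also be carried out from an elevated PowerShell prompt on NYC-DC1 rather than through the Server Manager console. The following is an added example, not part of the course lab: it assumes the lab's task and Data Collector Set names, the administrator@woodgrovebank.com mailbox and the 5-minute sampling interval that Task 3 specifies, and it uses a placeholder for the SMTP server, which the lab does not name.

```powershell
# Added example (not part of the course lab): Exercise 1, Tasks 2 and 3, scripted
# from an elevated PowerShell prompt on the domain controller. Names come from the
# lab text; the SMTP host is a placeholder because the lab does not name a mail relay.
$taskName = 'Performance Alert e-mail'
$dcsName  = 'Active Directory Performance Alert'
$mailbox  = 'administrator@woodgrovebank.com'
$smtpHost = 'SMTP-SERVER-PLACEHOLDER'        # placeholder: your organization's mail relay

# ---- Task 2: scheduled task with a "send e-mail" action that can be run on demand ----
# Windows Server 2008 has no Register-ScheduledTask cmdlet, so the Task Scheduler 2.0
# COM interface (Schedule.Service) is the scriptable route.
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()                               # no arguments = the local machine
$root = $svc.GetFolder('\')
$def  = $svc.NewTask(0)
$def.RegistrationInfo.Description = 'Mails the administrator when the WRPM alert fires'
$def.Settings.Enabled           = $true
$def.Settings.AllowDemandStart  = $true      # lab requirement: task must be runnable on demand
$def.Settings.MultipleInstances = 2          # TASK_INSTANCES_IGNORE_NEW: one mail per alert burst

$action = $def.Actions.Create(6)             # 6 = TASK_ACTION_SEND_EMAIL
$action.From    = $mailbox                   # lab: from the administrator address ...
$action.To      = $mailbox                   # ... to the same address
$action.Server  = $smtpHost
$action.Subject = "AD performance alert on $env:COMPUTERNAME"
$action.Body    = 'DS Directory Reads/sec exceeded 5 reads/sec over a 5-minute sample.'

# Lab: specify administrator credentials for the task (WoodgroveBank\Administrator).
# Flags 6 = TASK_CREATE_OR_UPDATE; logon type 1 = TASK_LOGON_PASSWORD.
$cred = Get-Credential 'WoodgroveBank\Administrator'
$root.RegisterTaskDefinition($taskName, $def, 6, $cred.UserName, $cred.GetNetworkCredential().Password, 1) | Out-Null

# ---- Task 3: performance counter alert as a user-defined Data Collector Set ----
# logman.exe is the command-line front end to WRPM data collector sets. -th gives the
# counter path and threshold from the lab, -si the 5-minute sample interval, -tn the
# task to run on each over-threshold sample, and -el also records an event in the
# event log so there is a trail of every alert, whether or not the mail went out.
logman create alert "$dcsName" -th '\DirectoryServices\DS Directory Reads/sec>5' -si 00:05:00 -tn "$taskName" -el

# Lab: try starting and stopping the Data Collector Set.
logman start "$dcsName"
logman query "$dcsName"                      # shows status, counter and threshold
logman stop  "$dcsName"

# Exercise the mail path on its own, without waiting for the counter to cross 5/sec.
schtasks /Run /TN "$taskName"
```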

Results: This exercise’s successful completion results in the selection of an alert plan
and the implementation of that plan through Scheduled Tasks and the WRPM.
Exercise 2: Discussing Alert Response Strategies
Exercise Overview
In this exercise, you will discuss and list some of the pros and cons of different
short-term alert responses. You will also discuss ideas for long-term responses to
high traffic alerts. (Depending on class size, the instructor may break the class into
smaller groups for purposes of generating discussion.)
The main tasks for this exercise are as follows:
1. Discuss different short-term alert responses.
2. Discuss different long-term alert responses.

Task 1: Discuss different short-term alert responses
Discuss and list the pros and cons of each short-term alert response, including (but
not limited to) the following:
E-mails to managers
______________________________________________________________________
E-mails to affected users
______________________________________________________________________
Triggered tasks (for example, scripts)
______________________________________________________________________
Personal responses
______________________________________________________________________
Follow-up analysis with affected users
______________________________________________________________________
Other
______________________________________________________________________
Task 2: Discuss different long-term alert responses
Discuss and list some ideas for how to address Active Directory performance alerts
over the long term, including (but not limited to) the following:
Suggest changes in logon/logoff procedures
______________________________________________________________________
Split out combined functionality to separate servers
______________________________________________________________________
Review the number and placement of Global Catalog servers
______________________________________________________________________
Maintain the Active Directory database
______________________________________________________________________
Move the Active Directory database to higher-performing disk storage
______________________________________________________________________
Move the Active Directory log files to higher-performing disk storage
______________________________________________________________________
Other
______________________________________________________________________

Results: After this exercise, you should have identified a variety of alert responses
available to you and the pros and cons of each. You should have also identified the
various possible long-term responses to recurring Active Directory performance alerts
and shared your experiences with those methods.
Exercise 3: Building a Case for Configuration Change
Scenario
As a result of using performance alerts and monitoring, you and your colleagues
have identified several possible long-term improvements that can reduce the
frequency and severity of Active Directory performance problems. However, before
you can bring your case to management for spending money on additional
resources, whatever form those might take (some of these should have been
discussed in Exercise 2), you would like to document your cause, and build a case
for changing the server configuration.

Exercise Overview
In this exercise, you will explore the different tools for building a case for changing
the server configuration.
The main tasks for this exercise are as follows:
1. Explore the new Event Viewer operational logs.
2. Create an Event Viewer subscription.
3. List other documentation that would support your request for configuration
changes and/or new resources.

Task 1: Explore the Event Viewer operational logs
• Start NYC-DC1 (if it is not already started).
• In Server Manager, navigate to Diagnostics, Event Viewer, Applications and
Services Logs, and expand Applications and Services Logs.
• Which of these logs would be potentially relevant for an Active Directory
server?
• Select the Directory Service log. In a moment, the details pane will populate
with events. Do you see any errors or warnings?
• In the navigation pane, under Microsoft Windows, expand the logs. Spend
some time looking through these logs. Do you see any logs that would be
helpful when you are evaluating the performance of an Active Directory server?
Task 2: Create an Event Viewer subscription
• In Event Viewer, create a new subscription titled Active Directory events for
NYC.
• Specify NYC-SVR1 as the machine you would like to collect events from.
• Specify that you would like to collect only Critical and Error events, from the
Directory Service log.
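The same subscription can be created on the collector from the command line with wecutil. The following is an added example, not part of the course lab: the subscription name, source computer, log and severity filter are the lab's, and it assumes NYC-SVR1 has already run winrm quickconfig as described in the Event Subscriptions and WinRM key points.

```powershell
# Added example (not part of the course lab): Exercise 3, Task 2, scripted on the
# collector (NYC-DC1). The subscription name, source computer, log and severity filter
# come from the lab text. The source must already have run winrm quickconfig and,
# because CredentialsType is Default (the collector's machine account is used), the
# collector's computer account must be a member of Event Log Readers on the source.

# Configure and start the Windows Event Collector service on the collector (/q = no prompt).
wecutil qc /q

# Collector-initiated subscription. Level 1 = Critical and Level 2 = Error; Warning (3)
# and Information (4) are deliberately left out, as the lab asks.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Active Directory events for NYC</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and Error events from the Directory Service log on NYC-SVR1</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Directory Service">
          <Select Path="Directory Service">*[System[(Level=1 or Level=2)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>NYC-SVR1</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@

$xmlPath = Join-Path $env:TEMP 'ad-events-nyc.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding Unicode
wecutil cs $xmlPath                               # create-subscription from the XML file

# Per-source delivery state: "Active" means the collector reaches NYC-SVR1 over WinRM;
# an error here usually points at WinRM, the firewall or the Event Log Readers membership.
wecutil gr 'Active Directory events for NYC'
```

Forwarded events land in the collector's ForwardedEvents log, where the same Event Viewer filters and custom views apply.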

Task 3: List other documentation that would support your request for
configuration changes and/or new resources
Use the space below to list other documentation that would support your request
for configuration changes and/or new resources.
______________________________________________________________________

Results: After this exercise, you should have identified some of the new capabilities of
the Windows Server 2008 Event Viewer, including operational logs and event
subscriptions, both of which might be useful in building a case for configuration
change. You should have also created a list of other documentation, both from
Windows Server 2008 tools and other sources, that could help support a campaign for
making configuration and/or resource changes in response to Active Directory
performance monitoring.
Lab Review
Module 4
Managing Active Directory® Domain Services
Contents:
Lesson 1: Restarting and Restoring Active Directory 4-3
Lesson 2: FSMO Roles Overview 4-6
Lesson 3: Planning Sites and Replication 4-13
Lesson 4: Managing RODCs 4-17
Lesson 5: Methods for Managing Server Core 4-21
Lesson 6: Best Practices for GPOs and Links 4-26
Lesson 7: Delegating Active Directory Administration 4-34
Lab: Managing AD DS 4-39
Module Overview

Active Directory Domain Services (AD DS) is by far the most popular of the various
Active Directory roles in Windows Server® 2008. This module looks at various
aspects of managing AD DS, including a special focus on the features that are new
to Windows Server 2008: Read-Only Domain Controllers (RODCs), Windows®
Server Core, and Group Policy enhancements.
Lesson 1
Restarting and Restoring Active Directory

Certain maintenance operations require shutting down Active Directory. Windows
Server 2008 no longer demands a restart cycle to accomplish this. Additionally, it is
now possible to restore the AD DS database without restarting in the special
DSRM. Both features mean that you can maintain Windows Server 2008 AD DS
with less disruption.
Restarting AD DS Without Rebooting

Key Points
You must be a member of the domain controller's Administrators group.
All the dependent services will start again when you restart the AD DS service.
Caveat: You must run DCPROMO with the /forceremoval qualifier to demote a
domain controller if the AD DS service is in the stopped state.
If a client contacts the domain controller to log on during stoppage of the directory
service, the server acts like a member server and the client will log on to another
domain controller.

For more information, refer to the Windows Server 2008 Restartable
Active Directory Step-by-Step Guide article on the Microsoft® TechNet,
Windows Server 2008 Technical Library Web site.
Restoring Active Directory Without Entering Directory
Services Restore Mode (DSRM): DSAMAIN

Key Points
Windows Server 2008 allows you to create "snapshots" of the directory using
NTDSUTIL, providing a backup mechanism.
Other third-party AD DS backup tools might be preferable for convenience and
features.
Caveat: Windows Server 2008 Server Backup does not support backing up to tape,
unlike its predecessor, NTBACKUP.

Question: What tool does your organization use to perform AD DS backups? Have
you ever tested the restore feature of that tool?

For more information, refer to the How to Restore Deleted User
Accounts and Their Group Memberships in Active Directory knowledge
base article 84001 on the Microsoft Help and Support Web site.
Lesson 2
FSMO Roles Overview

Managing AD DS involves being aware of (and, perhaps, transferring) the
non-replicated Flexible Single Master Operations (FSMO) roles. These roles are
basically the same in Windows Server 2008 as in Microsoft Windows Server 2003,
so this lesson reviews them briefly.
Schema Master

Key Points
Transferring the schema master is a little tricky because the schema console
automatically connects to the current role holder. Connect to the target domain
controller first and then transfer the role using the console.
A general best practice when temporarily transferring a FSMO role is to transfer it
back to its original location when you are done with the operation that prompted
the transfer. This way, you do not need to modify your documentation.
Before you install your first Windows Server 2008 domain controller into a
Windows Server 2003 or Microsoft Windows Server 2000 forest, you must extend
the schema. Refer to the TechNet article below for detailed information.

Question: What would be the impact of performing an application installation that
requires schema modification, with the schema master being located at the other
end of a WAN link?

For more information, refer to the Prepare a Windows 2000 or Windows
Server 2003 Forest Schema for a Domain Controller That Runs Windows
Server 2008 article on the Microsoft TechNet Web site.

RID Master

Key Points
Restoring the RID master from an image backup raises the possibility of duplicate
identifiers. That could (for example) prevent two servers from both becoming
domain controllers.
If your RID master fails, and you are not adding large numbers of accounts to the
Active Directory database at the time, you might be able to "ride out" the failure and
operate without a RID master temporarily. Each domain controller maintains a
local cache of RIDs, so you can still add some accounts without having the RID
master available.

For more information, refer to the Planning Operations Role Placement article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.

Domain Naming Master

Key Points
The Domain Naming Master role must be present and available when creating any
new domains, including child domains as well as new domain trees.
If your Forest Functional Level (FFL) is less than Windows Server 2003, the
Domain Naming master should be on a machine that also acts as a Global Catalog
server.
Putting this role on the same machine as the schema master might simplify FSMO
role administration. Neither role is generally very busy in day-to-day activity.

Infrastructure Master

Key Points
The infrastructure master role does not need to be on a fast machine in a one-domain forest.
The infrastructure operations master for a domain maintains a list of the security
principals from other domains that are members of groups within its domain.
If a change occurs (for example, a user in domain A belongs to a security group in
domain B and the user's name changes), domain B would never hear about the
change if not for the infrastructure master.

PDC Emulator

Key Points
The PDC Emulator stresses a server more than the other FSMO roles. Normally,
this role should be on a relatively fast machine.
You can lighten the authentication load of a busy PDC emulator by modifying the
weight of its DNS SRV records. Refer to the article below for detailed information.

For more information, refer to the Configuring Operations Master Roles article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.

Global Catalog

Key Points
Adding global catalog servers can be a mixed blessing: global catalogs create more
replication traffic, but offload other global catalogs.
Only domain controllers that are designated as global catalogs can respond to
global catalog queries on port 3268. This includes directory searches for people
and printers.
Your application mix can affect the number of global catalogs you need. For
example, Microsoft Exchange needs fast, local access to a global catalog.

For more information, refer to the Planning Global Catalog Server Placement article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.

Lesson 3
Planning Sites and Replication

The site is the only major AD DS structure that is designed to map to a network's
physical layout as opposed to its logical layout. You can manage replication across
WAN links with sites; you can also use them as a (preferably temporary) method
for deploying Group Policy settings that do not map to existing organizational unit
boundaries.

Creating Sites

Key Points
There is no necessary mapping between sites and domains. A site might contain a
part of a domain, an entire domain, multiple domains, or parts of multiple
domains.
The relevant tool is Active Directory Sites and Services, which is a component of
the Remote Server Administration Tools (RSAT).
You can also use Active Directory Sites and Services to manage replication for an
Active Directory Lightweight Directory Services (AD LDS) instance.

Question: Does your organization configure Active Directory sites? Why or why
not? Have you encountered any problems with this capability?

Default Replication Settings

Key Points
These settings pertain to intersite replication traffic that uses the preferred transport, RPC
over IP. They do not apply to site links that use SMTP.
When you have multiple site links, and multiple possible replication paths
between sites, you can use the Cost parameter to set preferences for particular
paths.
Bridgehead servers are the points of contact between sites. You have the option to
fine-tune performance by designating preferred bridgehead servers, but this might
interfere with the automatic distribution of replication connections.
When a bridgehead server is added to a central (or "hub") site, Windows Server
2008 (unlike Windows Server 2003) dynamically redistributes replication
connections to take advantage of the new bridgehead server.

Demonstration: Intersite Replication

Question: Would you be more likely to need to reconfigure the replication interval
when two sites are geographically nearby or when they are geographically far
apart?

Lesson 4
Managing RODCs

The RODC is one of the more significant new features in Windows Server 2008.
This lesson provides an overview of the technology and should inspire some
discussion about when and how your organization might deploy RODCs to your
advantage.

Unidirectional Replication

Key Points
An RODC has everything that a writeable domain controller has, except account
passwords.
A writeable domain controller provides credentials based on password replication
policy settings.
The RODC encrypts cached credentials.
You can make an RODC a Global Catalog server, for example, if you have
Microsoft Exchange clients.
Consider BitLocker™ for additional security in locations with low physical security
where you might consider RODCs.
Consider delegation for RODC administrators to offload central IT staff. RODC
administrators do not need to be domain administrators.

Read-Only DNS

Key Points
If a client tries to update its DNS record, the RODC's DNS will issue the client a
referral to a writeable DNS server. The writeable DNS server will make the change
and then replicate it back to the RODC.

Multi-RODC Installations

Key Points
The benefits of distributing the DNS query load might outweigh the disadvantages
of any possible inconsistencies.
If you have a large enough branch office that you need two or more RODCs, you
might consider whether you should have a writeable domain controller in that
office.

Lesson 5
Methods for Managing Server Core

Server Core presents some unique management problems due to its lack of an
integrated GUI. This lesson presents several tools and techniques for managing
Server Core Active Directory servers.

Command-Line Tools

Key Points
Some details on command-line utilities:
• control timedate.cpl (run date-and-time applet)
• cscript (to activate scripts, for example, cscript slmgr.vbs)
• net user administrator * (set admin password)
• net localgroup administrators /add (add user to admins)
• net start, net stop (start and stop services)
• netsh (for example, to set static IP configuration, configure firewall)
• netdom (for example, to join a domain, rename the computer)
• oclist (to list installed roles and features)
• ocsetup (to install or remove roles and features)
• pnputil (to inject device drivers for Plug and Play)
• sc (to manage services)
• shutdown (to shut down or restart the machine)
• slmgr.vbs (to activate Windows)
• wevtutil (to manage event logs)
Many other commands are available (for example, cacls, defrag, nslookup,
pathping, etc.)
A special built-in, core-only script (scregedit.wsf) handles the following tasks:
• Enables automatic updates
• Sets Windows Error Reporting settings
• Allows Remote Administration connections
• Manages IPsec Monitor remotely
You can invoke a few GUI tools from the command line:
• Notepad
• Task Manager
• RegEdit

For more information, refer to the Windows Server Core Installation Option of Windows Server 2008 Step-By-Step Guide article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.
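As an added example (not part of the course text), the following batch script strings the tools listed above into the usual first-boot sequence for a Server Core machine that is about to become a branch-office domain controller. The interface name, addresses, computer name, domain and join account are constructed placeholders; Woodgrove Bank is the course's fictional company.

```batch
@echo off
rem core-setup.cmd: added example, not part of the course text. First-boot
rem configuration of a Windows Server 2008 Server Core machine using only the
rem command-line tools listed above. Run one stage at a time and reboot between
rem the rename and join stages:  core-setup.cmd network | rename | join | harden
rem Interface name, addresses, computer name, domain and account below are
rem constructed placeholders; adjust them before use.
setlocal
set IFACE=Local Area Connection
set IPADDR=10.10.20.15
set NETMASK=255.255.255.0
set GATEWAY=10.10.20.1
set DNSSRV=10.10.10.10
set NEWNAME=MIA-CORE1
set DOMAIN=WoodgroveBank.com
set JOINACCT=WoodgroveBank\Administrator

if "%~1"=="" goto usage
goto %~1

:network
rem A domain controller candidate must not depend on DHCP: set a static IPv4
rem address and point DNS at an existing domain controller.
netsh interface ipv4 set address name="%IFACE%" source=static address=%IPADDR% mask=%NETMASK% gateway=%GATEWAY%
netsh interface ipv4 set dnsserver name="%IFACE%" source=static address=%DNSSRV% primary
netsh interface ipv4 show config name="%IFACE%"
goto :eof

:rename
rem Rename the computer, then reboot before joining the domain so the new name
rem is the one registered in AD DS.
netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /force
shutdown /r /t 0
goto :eof

:join
rem /passwordd:* prompts for the password interactively, so no credential is
rem stored in this file or in the command history.
netdom join %COMPUTERNAME% /domain:%DOMAIN% /userd:%JOINACCT% /passwordd:*
shutdown /r /t 0
goto :eof

:harden
rem Remote management settings via the core-only scregedit.wsf script:
rem /au 4 = automatic updates on, /ar 0 = allow Remote Desktop connections.
cscript %windir%\system32\scregedit.wsf /au 4
cscript %windir%\system32\scregedit.wsf /ar 0
rem Open only the firewall rule groups that remote administration needs.
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
netsh advfirewall show currentprofile
rem Add the DNS Server role (dcpromo on Server Core is unattended and not
rem shown here), then confirm what is installed and review recent System events.
start /w ocsetup DNS-Server-Core-Role
oclist | findstr /i "DNS-Server-Core-Role"
sc query dns
wevtutil qe System /c:10 /rd:true /f:text
goto :eof

:usage
echo Usage: %~nx0 network ^| rename ^| join ^| harden
```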

Remote-Enabled Administrative Tools

Key Points
The RSAT tools require either Windows Server 2008 or Windows Vista® SP1.
Server Core does not support Internet Information Services (IIS), Active Directory
Certificate Services (AD CS), Active Directory Federation Services (AD FS), and
Active Directory Rights Management Services (AD RMS).

Group Policy

Key Points
WMI filters can work for the purpose of targeting GPOs. However, they are not as
easily discoverable as using a descriptively-named organizational unit for your
Server Core systems.
You can also use WMI filters on Windows XP and Windows Server 2003 systems
(but not Windows 2000).

For more information, refer to the WMI Filtering Using GPMC article on
the Microsoft TechNet, Microsoft Windows Server TechCenter Web site.

Lesson 6
Best Practices for GPOs and Links

Group Policy is at the heart of Active Directory administration. This lesson explores some of the new features of Longhorn group policy, most of which apply both to Windows Server 2008 and to Windows Vista.

When to Link to Domains, Sites, and Organizational Units

Key Points
GPO links permit the settings in a GPO to take effect and apply to an Active
Directory structure.
You cannot directly link a GPO to a group, despite the name. Typically, GPOs are
linked to domains, organizational units, or sites.
There is no "forest" object in Active Directory to which you can link a GPO.

Question: Does your organization generally link its GPOs to the domain or to
organizational units?

For more information, refer to the Designing a Group Policy Infrastructure article on the Microsoft TechNet, Microsoft Windows Server TechCenter Web site.

GPMC

Key Points
The version of the Group Policy Management Console (GPMC) that ships with
Windows Server 2008 includes some new features that were not available before.
You can add comments to GPOs as well as to individual policy settings, as long as
the settings are in the Administrative Templates node.
The filter capability improves the searchability of the GPO structure.
Windows Vista SP1 unbundles the GPMC from the Windows Vista operating
system so that future GPMC updates may be downloaded and installed on both
Windows Vista and Windows Server 2008.
If your organization has multiple Group Policy administrators, you might want to
explore the Advanced Group Policy Management tools from Microsoft, which
enhance the GPMC with more advanced delegation, check-in and check-out, and
GPO rollback features. Refer to the reference below for more information.

For more information, refer to the Group Policy Management Console Sample Scripts on the Microsoft Download Center Web site. Also, to learn more about AGPM, refer to the Step-by-Step Guide for Microsoft Advanced Group Policy Management article on the Microsoft TechNet, Resources for IT Professionals Web site.

Central Store for ADMX Files

Key Points
ADMX files use XML formatting conventions, like many text files in Windows
Server 2008.
The new file structure also splits out the language-specific code (*.ADML) from
language-independent code (*.ADMX).

For more information, refer to the How to Create a Central Store for Group Policy Administrative Templates in Windows Vista article, Microsoft Knowledge Base article #929841 on the Microsoft Help and Support Web site. Also, refer to the ADMX Migrator article on the Microsoft Download Center Web site. Finally, refer to the Managing Group Policy ADMX Files Step-by-Step Guide article on the MSDN®, Windows Vista Developer Center Web site.

Group Policy Troubleshooting Tools

Key Points
You can run Resultant Set of Policy (RSOP) as a standalone console or from within
the GPMC or Server Manager. This tool can run in two modes: "what happened"
(logging) and "what if" (planning). However, this tool appears to have a significant limitation.

Microsoft advises that beginning with Vista SP1, the RSOP report does not show all
group policy settings. (It is not clear if Windows Server 2008 is affected nor is it clear
which group policy settings are omitted.) Microsoft recommends using the command-
line tool gpresult (which comes with Windows Server 2008) to see the full set of group
policy settings applied for a computer or user.

Group Policy as an Operating System Service

Key Points
The Group Policy operations log replaces the USERENV.LOG file.
Messages that used to appear in the Application log in Windows Server 2003 now
appear in the System log in Windows Server 2008.
Now that Group Policy is a service, the events that it logs may be used as the basis
for triggering a scheduled task.
New Group Policy templates can be applied without restarting the server.
Processing is less resource-intensive than when Group Policy was not a service.
The Group Policy service runs under the SVCHOST process.

For more information, refer to the Troubleshooting Group Policy Using Event Logs on the Microsoft Windows Vista TechCenter Web site.

Group Policy "Preferences"

Question: Can you think of some Group Policy settings that you might want to
implement as preferences instead of traditional policies?

For more information, refer to the Group Policy Preferences Overview article on the Microsoft Download Center Web site.

Lesson 7
Delegating Active Directory Administration

Although it is purely optional, organizations may choose to delegate Active Directory management to particular groups or users in order to reduce the load on the central IT department. Windows Server 2008 provides a special method for delegating management of an RODC.

Active Directory Delegation

Key Points
To create a delegation, in Active Directory Users and Computers, right-click the
object that you want to delegate and then click Create Delegation.
After you have created a delegation using the Active Directory Delegation Wizard,
you can create a custom console that displays only desired tasks, as explained in
the reference listed below.

Question: Does your organization delegate any Active Directory functions? Which
ones?

For more information, refer to the Create a Delegation Console article on the Microsoft Certified Professional Magazine Online Web site.

Demonstration: Active Directory Delegation

Question: Suppose you have just gone to work for a new company and are in
charge of re-evaluating its delegation model. How could you look at each domain
and organizational unit and determine whether those structures are presently in a
delegated state?

Editing Delegations

Key Points
You will need to access the Advanced security properties for the delegated domain
or organizational unit to see the relevant Access Control Entries (ACEs).
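One way to answer the demonstration question above and to review the ACEs this topic refers to, as an added example rather than anything from the course: a batch script that uses dsquery and dsacls (both present on Windows Server 2008) to dump the ACL of the domain root and of every organizational unit into one report, and flags objects on which some principal has been granted full control. The report path is a constructed placeholder.

```batch
@echo off
rem audit-delegations.cmd: added example, not part of the course text.
rem Writes the ACL of the domain root and of every organizational unit, as
rem reported by dsacls, into one report so delegated rights can be reviewed
rem without opening the Advanced security dialog object by object.
rem The report path is a constructed placeholder.
setlocal
set REPORT=%TEMP%\ad-delegation-report.txt
set ACLTMP=%TEMP%\ad-acl.tmp
if exist "%REPORT%" del /q "%REPORT%"

rem dsquery prints distinguished names in double quotes, which is exactly the
rem form dsacls accepts, so each line can be passed through unchanged.
rem With no start node, dsquery * -scope base returns the default naming
rem context, i.e. the domain root.
for /f "usebackq delims=" %%d in (`dsquery * -scope base -limit 0`) do call :dump %%d
for /f "usebackq delims=" %%o in (`dsquery ou -limit 0`) do call :dump %%o

echo Report written to %REPORT%
del /q "%ACLTMP%" 2>nul
exit /b 0

:dump
rem %1 is the quoted DN. Append its ACL to the report, and print a one-line
rem warning on the console when any ACE grants FULL CONTROL, since such
rem entries are the first thing to check when re-evaluating a delegation model.
echo ===== %1 ===== >> "%REPORT%"
dsacls %1 > "%ACLTMP%"
type "%ACLTMP%" >> "%REPORT%"
findstr /i /c:"FULL CONTROL" "%ACLTMP%" > nul && echo FULL CONTROL granted on %1
goto :eof
```

Explicitly delegated rights show up in the report as ACEs on the organizational unit itself; an OU whose entries all match the parent's is typically not in a delegated state.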

Delegating Management of an RODC

Key Points
You can create a delegated administrator for an RODC after building the RODC,
also. Refer to the article listed below for more information.
This technique adheres to the principle of least privilege. A user or group
does not need to belong to Domain Admins to manage an RODC, for example, to
modify the machine's device driver configuration.

For more information, refer to the Administrator Role Separation Configuration article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.

Lab: Managing AD DS

Exercise 1: Offline Defragging of the Active Directory Database
Scenario
New management has taken over at Woodgrove Bank and the new directors are
eager to make changes in the organization. Four specific goals have been set for the
Active Directory team:
• Improve the Active Directory server uptime
• Reduce logon times
• Reduce replication delays between sites
• Improve the coordination of Group Policy management

Exercise Overview
In this exercise, you will perform an offline defragmentation of the NTDS database.
In conjunction with the new directive to improve Active Directory server uptime,
you need to minimize server downtime during this regularly-scheduled
maintenance activity. Windows Server 2008 enables you to reduce downtime by
stopping and starting AD DS without bringing down the entire server. Therefore,
other services provided by any given domain controller (such as DNS) do not have
to be interrupted while the Active Directory database is being maintained.
The main tasks for this exercise are as follows:
1. Stop AD DS via Server Manager.
2. Perform a defragmentation without rebooting.
3. Restart AD DS via Server Manager.

Task 1: Stop AD DS via Server Manager
• Start NYC-DC1.
• Log on to NYC-DC1 as WoodgroveBank\Administrator with the password of
Pa$$w0rd.
• In the Server Manager navigation pane, expand Roles and select Active
Directory Domain Services.
• Stop the AD DS service and its dependent services.

Task 2: Perform a defragmentation without rebooting
• Open a command prompt and run ntdsutil.
• Run the activate instance ntds command.
• Run the files command.
• Run the info command. Note the size of the database NTDS.DIT.
• To begin the compaction procedure, run the compact to c:\windows
command.
• Quit ntdsutil.
• Open a command prompt and copy ntds.dit from c:\windows to
c:\windows\ntds. Overwrite the existing version.
• Exit the command prompt.

Task 3: Restart AD DS via Server Manager
• Back in the Server Manager window, start the AD DS service.
• Leave NYC-DC1 running for future labs.

Results: The successful completion of the exercise results in a properly defragmented
Active Directory database with minimal server downtime.
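The three tasks above, as an added example that is not part of the lab: a batch script that performs the same offline defragmentation from the command line using the restartable AD DS service, but compacts into a separate directory, keeps an untouched copy of the original NTDS.DIT, and runs the ntdsutil integrity check before restarting the service. Directory names other than the default c:\windows\ntds are constructed placeholders.

```batch
@echo off
rem defrag-ntds.cmd: added example, not part of the lab text. Automates the
rem offline defragmentation performed in Exercise 1 on Windows Server 2008.
rem %windir%\NTDS is the default database location assumed by the lab; the
rem work and backup directories are constructed placeholders.
setlocal
set NTDSDIR=%windir%\NTDS
set WORKDIR=%windir%\NTDSCompact
set BACKUP=%windir%\NTDSBackup

rem 1. Stop AD DS. "net stop ntds /y" also stops the services that depend on it
rem    (KDC, Intersite Messaging, FRS/DFSR and, on a DC hosting AD-integrated
rem    zones, DNS Server), which is what Server Manager does in Task 1.
net stop ntds /y
if errorlevel 1 (echo AD DS did not stop cleanly & exit /b 1)

rem 2. Record the size before compaction and keep an untouched copy.
if not exist "%WORKDIR%" mkdir "%WORKDIR%"
if not exist "%BACKUP%" mkdir "%BACKUP%"
dir "%NTDSDIR%\ntds.dit"
copy /y "%NTDSDIR%\ntds.dit" "%BACKUP%\ntds.dit" >nul

rem 3. Compact into the work directory. Quoting each ntdsutil menu command runs
rem    the same sequence non-interactively as typing it in Task 2:
rem    activate instance ntds -> files -> compact to <dir> -> quit -> quit
ntdsutil "activate instance ntds" files "compact to %WORKDIR%" quit quit
if not exist "%WORKDIR%\ntds.dit" goto failed

rem 4. Replace the live database with the compacted copy and remove the old
rem    transaction logs, which belong to the pre-compaction database.
copy /y "%WORKDIR%\ntds.dit" "%NTDSDIR%\ntds.dit" >nul
del /q "%NTDSDIR%\*.log"
dir "%NTDSDIR%\ntds.dit"

rem 5. Check the new file before bringing the directory service back. Read the
rem    integrity output; if it reports errors, restore %BACKUP%\ntds.dit over
rem    the live file before starting AD DS.
ntdsutil "activate instance ntds" files integrity quit quit

rem 6. Restart AD DS and the services stopped with it (Task 3). Services that
rem    are not installed on this DC simply report an error here.
net start ntds
net start kdc
net start ismserv
net start ntfrs
net start dfsr
net start dns
exit /b 0

:failed
echo Compaction produced no database; the original file is untouched and a
echo copy is in %BACKUP%. AD DS has NOT been restarted.
exit /b 1
```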

Exercise 2: Evaluating an RODC with Read-Only DNS Solution
Scenario
The scenario is the same as in Exercise 1, but more details have been provided
about a new branch opening in Miami, Florida. The branch will connect to the
NYC domain over a WAN link that is planned to operate at sub-T1 speeds. The
new branch office will have 140 employees, all of whom will be domain members
in Active Directory. Many of the employees will be in service positions where quick
logon and logoff performance will be desired to minimize customer wait time.

Exercise Overview
In this exercise, you will discuss some of the questions that might meet the second
goal laid out in the IT goals document. The goal is to reduce logon times,
specifically for employees in the new Miami branch. (Depending on class size, the
instructor may break the class into smaller groups for purposes of generating
discussion.)

Task: Discuss the following questions
• Generally speaking, where should you consider installing an RODC?
• Do all RODCs need to be running DNS?
• Should more than one RODC be running DNS in a given location?
• Should Woodgrove Bank consider a caching-only DNS server before an
RODC?
• Use the space provided below to write the key points of the discussion.


Results: The successful completion of this exercise results in you having explained the
pros and cons of using RODCs to reduce logon times.

Exercise 3: Making Site Replication Decisions
Scenario
The scenario is the same as in Exercise 1, but you need to reduce replication
delays, specifically between the NYC and the Miami sites.

Exercise Overview
The main tasks for this exercise are as follows:
1. Create a site for the Miami location.
2. Move the MIA-RODC server to the Miami site.
3. Modify the replication schedule to the Miami site to reduce latency.

Task 1: Create a site for the Miami location
• On NYC-DC1, in the Server Manager navigation pane, expand Roles, Active
Directory Domain Services, Active Directory Sites and Services, and Sites.
(If you receive an error, stop and restart Server Manager.)
• Expand Default-First-Site-Name and Servers.
• Open the Servers node and view the results in the details pane.
• Create a new site named FloridaSite and associate it with the
DEFAULTIPSITELINK.

Task 2: Move the MIA-RODC server to the Miami site
Drag and drop the MIA-RODC server object from Default-First-Site-Name into
FloridaSite.

Task 3: Modify the replication schedule to the Miami site to reduce latency
• Under the Sites node, expand Inter-Site Transports and select the IP
container.
• Navigate to the properties page for DEFAULTIPSITELINK. In the Replicate
every field, change the value from 180 minutes to 60 minutes.
• Modify the replication schedule to exclude the time period from noon to
4:00pm for all days.
• Leave NYC-DC1 running for future labs.

Results: After this exercise, the replication schedule between the default site and the
Florida site has been modified to reduce latencies in the propagation of Active
Directory information between the sites.

Exercise 4: Group Policy Link Strategies
Exercise Overview
In this exercise, you will discuss the pros and cons of linking GPOs at different
levels.

Task: Discuss the pros and cons of linking GPOs at different levels
• Pros and cons of linking GPOs at the domain level.
• Pros and cons of linking GPOs at the site level.
• Pros and cons of linking GPOs at the organizational unit level.
• Use the space below to write the key points of the discussion.


Results: The successful completion of this exercise results in you having explained the
pros and cons of linking GPOs at different levels in the Active Directory structure.

Lab Review
Maintaining Security for Active Directory® Servers 5-1



Module 5
Maintaining Security for Active Directory®
Servers
Contents:
Lesson 1: Server Hardening Techniques 5-3
Lesson 2: Using the MBSA to Discover and Remove Security Holes 5-10
Lesson 3: Using Fine-Grained Password Policies to Simplify Network
Organization 5-15
Lesson 4: Planning Security Auditing 5-21
Lesson 5: Enhancing Physical Security 5-24
Lab: Maintaining Security for Active Directory Servers 5-29

Module Overview

Active Directory security is a process. It involves server hardening, periodic retesting and auditing, taking advantage of new features Microsoft® has built into Windows Server® 2008, and improving the physical security of Active Directory servers. This module looks at all of these aspects of the Active Directory security process.

Lesson 1
Server Hardening Techniques

Windows Server 2008 represents an advance over Microsoft Windows Server 2003
in that server roles, including Active Directory roles, are more secure after having
been installed via Server Manager. However, every organization's needs are
different, and many ways exist to secure Active Directory servers beyond the
default settings.

Manual Hardening Techniques

Key Points
Although the Security Configuration Wizard (SCW) is still present in the Windows
Server 2008 distribution, its use is less urgent than with Windows Server 2003 and
Microsoft considers it optional now.
You can apply manual hardening techniques to the creation of Active Directory
server images, or deploy settings "after the fact" via Group Policy.
Microsoft has already done some hardening behind the scenes with techniques
such as Address Space Layout Randomization (ASLR), per-service Security
Identifiers (SIDs), and Windows® Resource Protection (WRP).

For more information, refer to the WS2008: Dynamic Link Library Loader
and Address Space Load Randomization article on the Microsoft TechNet
Askperf blog Web site. Also, refer to the Windows Resource Protection
article on the MSDN® Library Web site.

Applying Security Templates

Key Points
The Group Policy Object (GPO) Accelerator debuted in the Windows Vista®
Security Guide (see reference below). The tool is essentially unchanged in the
Windows Server 2008 Security Guide.
The GPOAccelerator saves a lot of time compared to the older method of using INF
templates and the Security snap-ins.
You should run the GPOAccelerator on test machines because it creates
organizational units and GPOs that you might not want to deploy on a production
system.

Question: Has your organization ever used custom security templates with
Windows Server 2003 or Windows XP? If so, why?

For more information, refer to the Windows Vista Security Guide on the
Microsoft Download Center Web site. Also, refer to the Windows Server
2008 Security Guide on the Microsoft Download Center Web site.

For more information on the GPOAccelerator, refer to the GPOAccelerator page on the Microsoft Download Center Web site.

Server Organizational Unit Placement

Key Points
Most organizations do not dedicate servers to one specific function; however, many
templates and security tools presume this to be the case.
You can use a modified organizational unit model that takes practical realities into
account. For example, you could design an organizational unit named
"Infrastructure Servers" that would include settings relevant for DNS and DHCP
systems.
Active Directory servers are more likely to benefit, from the security standpoint,
from being segregated by role from other functions such as infrastructure services.
This is why Microsoft, for example, provides a default domain controller policy
object in a "vanilla" Active Directory installation.

ACL Deployment via Group Policy

Key Points
Group Policy-based Access Control List (ACL) changes provide a way of bringing
consistency to Active Directory servers that might exhibit inconsistent file system
security due to different source images and/or installation methods (clean versus
upgrade).
Active Directory Rights Management Services (AD RMS) integrates with Active
Directory Federation Services (AD FS), so you can deploy rights management
restrictions to federated users in a separate Active Directory forest.

Group Policy Device Restrictions

Key Points
Device driver installation restrictions do not affect systems on which the relevant
device drivers are already installed. Therefore, you will normally want to deploy
both device driver installation restrictions and removable storage access
restrictions; these are two separate areas in Windows Server 2008 Group Policy.
These restrictions are especially relevant for Active Directory servers due to the
importance of the data they contain (for example, NTDS.DIT).

For more information, refer to the Step-By-Step Guide to Controlling Device
Installation Using Group Policy article on the MSDN Library Web site.

Lesson 2
Using the MBSA to Discover and Remove
Security Holes

For years, organizations have used the Microsoft Baseline Security Analyzer
(MBSA) as a method for auditing patch currency and identifying system
vulnerabilities. It remains a useful tool for those purposes.

MBSA Overview

Key Points
The "other Windows Update Agent (WUA) tools" include the following:
• Microsoft Update
• Windows Server Update Services (WSUS)
• Systems Management Server (SMS) Inventory Tool for Microsoft Updates
(ITMU), although ITMU does not rely on MBSA for scanning as of SMS 2003
SP1.
Various versions of MBSA are in circulation:
• 2.1: All versions from Windows 2000 to Windows Vista and Windows Server
2008, including 64-bit
• 2.0.1: Compatible with the new-format offline scan file wsusscn2.cab, but not
with Windows Server 2008 (code name "Longhorn")
• 1.2.1: Use only if you still have Windows NT 4.0, Exchange Server 5.5 or 5.0, or
Microsoft Office 2000
Different ways you can use MBSA include:
• When building custom security templates.
• As a last check to make sure nothing significant has been forgotten.
• As a periodic check to make sure that security updates are propagating
through your network.
Although MBSA does not scan multiple systems simultaneously, you can make a text
file that lists one computer name or IP address per line and use the following
command to scan every system in the list:

mbsacli /listfile <name of file>
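
The following added example (it is not part of the course materials) builds such a list file from the domain controller accounts registered in AD DS and runs the scan from Windows PowerShell. The MBSA installation path, the use of the TEMP folder, and the function name Get-DomainControllerNames are assumptions; the account running the script must be a local administrator on every target.

```powershell
# Added example (not part of the course): enumerate the domain controllers
# registered in AD DS, write them to an MBSA list file and scan them with
# mbsacli.exe. The MBSA install path and output folder are assumptions; the
# account running the script must be a local administrator on each target.

function Get-DomainControllerNames {
    # SERVER_TRUST_ACCOUNT (0x2000 = 8192) in userAccountControl marks a
    # domain controller's computer object; 1.2.840.113556.1.4.803 is the
    # LDAP bitwise-AND matching rule.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    $names = @()
    foreach ($result in $searcher.FindAll()) {
        $names += [string]$result.Properties['dnshostname'][0]
    }
    return $names
}

$mbsaCli  = Join-Path $env:ProgramFiles 'Microsoft Baseline Security Analyzer 2\mbsacli.exe'
$listFile = Join-Path $env:TEMP 'dc-list.txt'

# /listfile expects one computer name (or IP address) per line.
$targets = Get-DomainControllerNames
$targets | Set-Content -Path $listFile -Encoding ASCII

# /n Updates  skip the security-update check, as in the lab, where the VMs
#             have no Internet access. To scan updates offline instead, drop
#             /n Updates and pass /catalog <path to wsusscn2.cab>.
# /nvc        do not look for a newer MBSA version
# /qp         suppress per-computer progress output
& $mbsaCli /listfile $listFile /n Updates /nvc /qp

# MBSA stores one report per computer; /ls lists the reports written by the
# latest scan, and /ld <report name> prints a single report in full.
& $mbsaCli /ls
```

Because the list is built from the directory rather than typed by hand, a domain controller that was promoted since the last scan is picked up automatically, which is the point of the periodic check described above.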

For more information, refer to the MBSA newsgroup
"microsoft.public.security.baseline_analyzer" on news.microsoft.com.

Managing Windows Server 2008 Updates

Key Points
You can perform offline scans but be aware that a new offline scan file is available
(wsusscn2.cab) that supersedes the previous Windows Update offline scan file,
Wsusscan.cab.

For more information, refer to the Windows Server Update Services 3.0
article on the Microsoft TechNet, Microsoft Windows Server TechCenter
Web site.

Proper Hardening Procedures

Key Points
Some of the administrative vulnerabilities that MBSA flags include Windows
Firewall status, automatic updates status, enforcement of strong passwords, and
the presence of enabled but unsecured Guest accounts.

For more information, refer to the MBSA 2.0 Frequently Asked Questions
page on the Microsoft TechNet Web site.

Lesson 3
Using Fine-Grained Password Policies to
Simplify Network Organization

Many organizations have deployed multiple domains in order to meet the
requirement to have more than one set of password policies. Windows Server
2008 permits administrators, for the first time, to deploy multiple sets of password
policies within a single domain. Given that fewer domains generally means easier
administration and simpler Active Directory management, this new capability
could be significant for many Active Directory-based organizations.

Password Policies in Windows Server 2003

Key Points
Technically, you could create GPOs with password policy settings and link them
to individual organizational units. However, such GPOs affect only the local
account databases of the computers in those organizational units; domain user
accounts honor only the password policy applied at the domain level.
In Windows 2000 Server and Windows Server 2003, password policies and account
lockout policies were set at the domain level via the Default Domain Policy
object.
One can debate the meaning of "security boundary" (the forest is the true security
boundary in many ways) but the domain was the boundary for setting password
policies in Active Directory.

Question: Has your organization wrestled with unifying its password policies in
order to keep the total number of Active Directory domains to a minimum?

For more information, refer to the Security Watch: Windows Domain
Password Policies article on the Microsoft TechNet, TechNet Magazine,
December 2007 Web site.

Implementing Fine-Grained Password Policies Overview

Key Points
Caveat: The major constraint for many organizations will be the domain functional
level (DFL) requirement: every domain controller must run Windows Server 2008 and
the domain must be raised to the Windows Server 2008 functional level before a
Password Settings Object (PSO) is honored.
Tip: You do not have to create a shadow group that mirrors the membership of an
organizational unit. That is simply the recommended practice. The thing to
remember is that fine-grained password policies apply to user objects and global
security groups (through the PSO's msDS-PSOAppliesTo attribute), not directly to
an Active Directory structural unit (domain, organizational unit, or site), so in
that sense they are not like traditional group policy settings.

For more information, refer to the AD DS: Fine-Grained Password
Policies article on the Microsoft TechNet, Windows Server 2008 Technical
Library Web site. Also, refer to the Step-by-Step Guide for Fine-Grained
Password and Account Lockout Policy Configuration article, which is also
on the Windows Server 2008 Technical Library Web site.

Password Policy Defaults

Key Points
The time formats used by the above password policy settings, as displayed and
entered in ADSI Edit, are days:hours:minutes:seconds (for example, 42:00:00:00 for
a 42-day maximum password age). Internally, AD DS stores these values as negative
64-bit integers that count 100-nanosecond intervals, which is the form you must
supply when creating a PSO with LDIFDE.
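
The following added example (it is not part of the course materials) ties the two preceding topics together: it converts days:hours:minutes:seconds values into the stored 100-nanosecond form and writes a complete PSO as LDIF for LDIFDE, applied through a shadow group for the lab's CorpAccts division. The domain name woodgrovebank.com, the PSO name PSO-CorpAccts, the shadow group name, and the function names are assumptions.

```powershell
# Added example (not part of the course): build a Password Settings Object
# (PSO) as LDIF and import it with ldifde. Time-based PSO attributes are
# stored as negative 64-bit integers counting 100-nanosecond units, so
# "42:00:00:00" (days:hours:minutes:seconds) becomes -36288000000000.
# Domain DN, PSO name and shadow group are assumptions.

function ConvertTo-PsoInterval {
    param([string]$DaysHoursMinutesSeconds)   # e.g. "42:00:00:00"
    $parts = $DaysHoursMinutesSeconds.Split(':') | ForEach-Object { [int]$_ }
    if ($parts.Length -ne 4) {
        throw "Expected days:hours:minutes:seconds, got '$DaysHoursMinutesSeconds'"
    }
    $span = New-Object System.TimeSpan($parts[0], $parts[1], $parts[2], $parts[3])
    # TimeSpan ticks are 100-ns units; AD DS stores the interval negated.
    return -1 * $span.Ticks
}

function New-PsoLdif {
    param(
        [string]$Name,              # CN of the PSO
        [string]$DomainDn,          # e.g. "DC=woodgrovebank,DC=com"
        [int]$Precedence,           # lower value wins when several PSOs apply
        [string]$MaxAge, [string]$MinAge,
        [int]$MinLength, [int]$HistoryLength,
        [int]$LockoutThreshold, [string]$LockoutWindow, [string]$LockoutDuration,
        [string[]]$AppliesTo        # DNs of users or global security groups
    )
    # Every attribute below is mandatory on msDS-PasswordSettings.
    $dn = "CN=$Name,CN=Password Settings Container,CN=System,$DomainDn"
    $lines = @(
        "dn: $dn",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        "msDS-PasswordSettingsPrecedence: $Precedence",
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        "msDS-PasswordComplexityEnabled: TRUE",
        "msDS-PasswordHistoryLength: $HistoryLength",
        "msDS-MinimumPasswordLength: $MinLength",
        "msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval $MinAge)",
        "msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval $MaxAge)",
        "msDS-LockoutThreshold: $LockoutThreshold",
        "msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval $LockoutWindow)",
        "msDS-LockoutDuration: $(ConvertTo-PsoInterval $LockoutDuration)"
    )
    foreach ($target in $AppliesTo) { $lines += "msDS-PSOAppliesTo: $target" }
    return [string]::Join("`r`n", $lines) + "`r`n"
}

# Stricter policy for the corporate accounts division, applied through a
# shadow group that mirrors the CorpAccts OU (names are assumptions).
$ldif = New-PsoLdif -Name 'PSO-CorpAccts' -DomainDn 'DC=woodgrovebank,DC=com' `
    -Precedence 10 -MaxAge '42:00:00:00' -MinAge '1:00:00:00' `
    -MinLength 12 -HistoryLength 24 `
    -LockoutThreshold 5 -LockoutWindow '0:00:30:00' -LockoutDuration '0:00:30:00' `
    -AppliesTo 'CN=CorpAccts Users,OU=CorpAccts,DC=woodgrovebank,DC=com'

$file = Join-Path $env:TEMP 'pso-corpaccts.ldf'
$ldif | Set-Content -Path $file -Encoding ASCII

# -i import, -f input file, -k continue past "object already exists" errors.
# Run as a Domain Admin on a domain controller in a domain at the
# Windows Server 2008 domain functional level.
ldifde -i -f $file -k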

Managing Effective Passwords

Key Points
Password security is becoming ever more important in Active Directory
environments because user account credentials are used in more ways; for
example, to access resources in another organization's forest via AD FS.
Your organization might also need to consider identity integration products that
can manage accounts and passwords for multiple systems in a single
"clearinghouse" such as Microsoft Identity Lifecycle Manager (ILM) 2007.
ILM 2007 extends the previous Microsoft Identity Integration Server (MIIS) 2003
product and provides account and password synchronization, user provisioning,
and certificate management.

Question: What password policies does your organization use? Do your users
find these easy or difficult to comply with?

For more information, refer to the Account Lockout and Password
Concepts article on the Microsoft TechNet, Microsoft Windows Server
TechCenter, Windows Server 2003 R2 Technical Library Web site. Also,
refer to the Microsoft Identity Lifecycle Manager 2007 FP1 article, on the
Microsoft Identity Lifecycle Manager Home Web site.

Lesson 4
Planning Security Auditing

Security auditing in Active Directory is an important component of an overall
Active Directory security management plan. Windows Server 2008 brings new and
useful auditing capabilities but requires knowledge of a command-line tool to
implement them.

New AD DS Auditing Capabilities

Key Points
You must be an administrator to modify auditing settings.
The global policy "Audit directory service access" controls whether directory service
auditing is on or off (the default for Windows Server 2008 is "on").
You control which Active Directory Domain Services (AD DS) objects get audited by
setting a System Access Control List (SACL) on those objects via the Security tab
on the object's properties page; no event is generated for an object unless its
SACL asks for it.
Windows 2000 Server and Windows Server 2003 only logged the name of a
changed attribute. Windows Server 2008 can also log the old and new values of a
changed attribute.
Access to Directory Services objects was logged in those versions with event ID
566. Windows Server 2008 logs the equivalent event with ID 4662.

Using AUDITPOL.EXE

Key Points
All four audit subcategories are enabled when you enable the global policy "Audit
directory service access."
The subcategory "Directory service changes" encompasses four types of changes:
• Modify (event ID 5136)
• Create (event ID 5137)
• Undelete (event ID 5138)
• Move (event ID 5139)
You could use AUDITPOL to disable the "Directory service changes" subcategory if
the additional information is not useful to your organization but you still want to
log access to Directory Services objects, as was done in Windows Server 2003 and
Windows 2000 Server.
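
The following added example (it is not part of the course materials) walks the whole procedure from this and the preceding topic in Windows PowerShell: it enables the "Directory Service Changes" subcategory with AUDITPOL, checks the result by parsing AUDITPOL's CSV output, adds the SACL entry without which no change event is written, and reads the 5136 through 5139 events back. The OU distinguished name, the domain name, and the function name are assumptions; run it on a domain controller as a member of Domain Admins.

```powershell
# Added example (not part of the course): enable "Directory Service Changes"
# auditing with auditpol.exe, verify it from auditpol's CSV output, put a
# SACL on an OU so attribute writes produce events 5136-5139, then read the
# events back. The OU distinguished name is an assumption.

# 1. Enable the subcategory. The GUID avoids locale-dependent names.
$dsChangesGuid = '{0CCE923C-69AE-11D9-BED3-505054503030}'
auditpol /set /subcategory:$dsChangesGuid /success:enable | Out-Null

# 2. Verify. "auditpol /get ... /r" prints CSV with the columns
#    Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
function Get-AuditInclusionSetting {
    param([string[]]$CsvLines, [string]$Subcategory)
    foreach ($line in $CsvLines) {
        $cols = $line.Split(',')
        if ($cols.Length -ge 5 -and ($cols[2] -eq $Subcategory -or $cols[3] -eq $Subcategory)) {
            return $cols[4]   # "Success", "Failure", "Success and Failure" or "No Auditing"
        }
    }
    return $null
}
$csv   = auditpol /get /subcategory:$dsChangesGuid /r
$state = Get-AuditInclusionSetting -CsvLines $csv -Subcategory $dsChangesGuid
if ($state -notlike 'Success*') {
    throw "Directory Service Changes auditing is '$state'; expected Success"
}

# 3. SACL entry on the OU: audit successful property writes by Everyone,
#    inherited by all child objects. Without this entry the subcategory
#    setting alone produces nothing for objects under the OU.
$ou = [ADSI]'LDAP://OU=CorpAccts,DC=woodgrovebank,DC=com'
# Reading or writing the SACL needs SeSecurityPrivilege and an explicit mask.
$ou.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$ou.psbase.ObjectSecurity.AddAuditRule($rule)
$ou.psbase.CommitChanges()

# 4. Read back the change events: 5136 modify, 5137 create, 5138 undelete,
#    5139 move. The 5136 message carries the attribute's old and new values.
Get-EventLog -LogName Security -Newest 500 |
    Where-Object { 5136..5139 -contains $_.InstanceId } |
    Select-Object TimeGenerated, InstanceId, Message
```

Auditing WriteProperty for Everyone on a busy OU can be noisy; narrowing the rule to specific attributes (the ActiveDirectoryAuditRule constructor also accepts an object type GUID) or to a more specific principal keeps the Security log usable.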

For more information, refer to the Windows Server 2008 Auditing AD DS
Changes Step-by-Step Guide article on the Microsoft TechNet, Windows
Server 2008 Technical Library Web site.

Lesson 5
Enhancing Physical Security

Active Directory servers might contain a great deal of data about an organization's
network. The consequences of having that data compromised could be severe. One
component of any Active Directory security plan should be a physical security plan.

RODC and Physical Security

Key Points
Even though a Read-Only Domain Controller (RODC) might require less physical
security than a writeable domain controller, you should consider the impact on
user downtime if an RODC is compromised.
Any organization that uses RODCs should have a procedure in place for quickly
putting a new RODC online if something happens to an existing RODC; for
example, a step-by-step guide for running DCPROMO with the appropriate options
on a member server.
At least one writeable domain controller in the domain must be running Windows
Server 2008, and the forest must have been prepared with ADPREP /rodcprep,
before an RODC can be deployed.
Although physical security concerns might be a prime reason to consider
deploying RODCs, remember that logon performance can be another reason,
especially if the branch office has poor network connectivity to a hub site.

RODC and Cached Credentials

Key Points
By default, only the passwords of members of the Allowed RODC Password
Replication Group can be cached on an RODC, and the passwords of members of the
Denied RODC Password Replication Group (which includes Domain Admins, Enterprise
Admins, and other administrative groups) are never cached; this is why an RODC
does not store administrator credentials. Each RODC also has its own Password
Replication Policy (the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup
attributes on its computer object) that refines these defaults.
Remember that any application that stores data in Active Directory could
conceivably replicate that data to an RODC and create a security risk. In such
cases, consider marking the schema attributes for such data so that they will not
replicate to an RODC. (These attributes are known as the RODC filtered attribute
set. You might need guidance from the application developer to set these
properly.)
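
The following added example (it is not part of the course materials or of the step-by-step guide cited below) performs the schema change described in the previous paragraph from Windows PowerShell: it sets the RODC_FILTERED bit, and at the same time the CONFIDENTIAL bit, in the searchFlags of an application attribute while preserving any flags already present. The attribute name woodgrove-CardPin and the function names are assumptions; run it as a member of Schema Admins against the schema master, which must run Windows Server 2008 for the filtered attribute set to be enforced.

```powershell
# Added example (not part of the course): add an application attribute to the
# RODC filtered attribute set, and mark it confidential, by setting bits in
# the searchFlags of its attributeSchema object. The attribute name is an
# assumption. Run as Schema Admins against a Windows Server 2008 schema master.

$RODC_FILTERED = 0x200   # bit 9: attribute is never replicated to an RODC
$CONFIDENTIAL  = 0x080   # bit 7: reading requires the CONTROL_ACCESS right

function Add-SearchFlagBits {
    param([int]$Current, [int]$Bits)
    return $Current -bor $Bits        # keep existing flags such as indexing
}

function Set-RodcFilteredAttribute {
    param([string]$LdapDisplayName)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$rootDse.schemaNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$schemaNc",
        "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))")
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "Attribute '$LdapDisplayName' is not in the schema" }
    $attr = $hit.GetDirectoryEntry()

    # System-critical attributes (schemaFlagsEx bit 0x1) cannot be filtered;
    # a Windows Server 2008 schema master rejects the change in any case.
    $flagsEx = [int]$attr.Properties['schemaFlagsEx'].Value
    if ($flagsEx -band 0x1) { throw "'$LdapDisplayName' is system-critical" }

    $current = 0
    if ($attr.Properties['searchFlags'].Value -ne $null) {
        $current = [int]$attr.Properties['searchFlags'].Value
    }
    $new = Add-SearchFlagBits -Current $current -Bits ($RODC_FILTERED -bor $CONFIDENTIAL)
    if ($new -ne $current) {
        $attr.Properties['searchFlags'].Value = $new
        $attr.CommitChanges()
    }
    return ('{0}: searchFlags 0x{1:X} -> 0x{2:X}' -f $LdapDisplayName, $current, $new)
}

Set-RodcFilteredAttribute -LdapDisplayName 'woodgrove-CardPin'
```

The confidential bit is only honored for attributes that are not part of the base schema, so it belongs on application-defined attributes like the one above, not on built-in ones.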

For more information, refer to the Appendix D: Steps to Add an Attribute
to the RODC Filtered Attribute Set article, on the Microsoft TechNet,
Windows Server 2008 Technical Library, Active Directory Domain
Services, Step-by-Step Guide for Read-Only Domain Controllers Web
site.

Physical Security for Writeable Domain Controllers

Key Points
Other physical security issues include the following:
• Preventing domain controllers from booting into alternate operating systems
• Securing networking infrastructure
• Preventing remote restart of domain controllers

Question: What steps does your organization take to secure writeable domain
controllers? Do you feel these steps are adequate?

For more information, refer to the Maintaining Physical Security article
on the Microsoft TechNet, Microsoft Windows Server TechCenter,
Windows Server 2003 Technical Library Web site. Although the article
was written based on Windows Server 2003, most of the points remain
valid for Windows Server 2008.

Physical Security for Backups

Key Points
Onsite backups should only be available in an area where access is auditable.
Similarly, there should be procedures in place for auditing the return of any
backup media from offsite to onsite.
Microsoft recommends that backup media should only be in the backup device
during actual backup or restore operations.

Lab: Maintaining Security for Active Directory
Servers

Exercise 1: Manually Implementing AD DS Server Hardening
Scenario
Woodgrove Bank wants to improve Active Directory security for all its domain
controllers. However, the bank does not want to start "from scratch" but wants to
use best practice tools from Microsoft, if possible. The corporate accounts division
(Organizational Unit=CorpAccts) has stricter requirements than the loan division
(Organizational Unit=Loans).

Exercise Overview
The main tasks for this exercise are as follows:
1. Install the GPOAccelerator tool.
2. Create new GPOs with the GPOAccelerator.
3. Examine the settings with the Group Policy Management Console (GPMC).

Task 1: Install the GPOAccelerator tool
• Open NYC-DC1 and log on as Administrator with the password of
Pa$$w0rd.
• Navigate to the E:\labfiles folder and run the GPO Accelerator.msi file.
• Install the program, accepting all defaults.

Task 2: Create new GPOs with the GPOAccelerator
• Run the GPOAccelerator that you just installed as an administrator.
• At the command prompt, type:
cscript gpoaccelerator.wsf /wssg /enterprise /lab
which will create the following Group Policy Objects:
• WSSG EC Domain Policy (WSSG stands for Windows Server Security
Guide, which incorporates the GPOAccelerator tool; EC stands for
Enterprise Client, intended to be a fairly typical corporate environment
where security needs and functionality must be balanced)
• WSSG EC Domain Controller Baseline Policy
• WSSG EC Member Server Baseline Policy
• <server role> Policy (there are several of these)
• Read the various dialog boxes and progress messages, and then close the
Command Prompt window.

Task 3: Examine the settings with the Group Policy Management console
• From the Administrative Tools menu, open the Group Policy Management
console.
• Expand the navigation tree and highlight the WSSG EC Domain Policy GPO.
• In the details pane, click the Settings tab.
• Spend a few minutes navigating the settings that Microsoft feels are
appropriate for securing Active Directory Domain Services (AD DS) servers.
• Similarly, explore settings for the following GPOs:
• WSSG EC Active Directory Certificate Services Servers Policy
• WSSG EC DNS Servers Policy
• WSSG EC Domain Controller Baseline Policy
• To see the new organizational units that you built with the GPOAccelerator script,
expand the WSSG EC Member Servers OU GPMC node, and note the various sub-
organizational units that exist under that node.

Results: After this exercise, you should have installed the GPOAccelerator tool, created
new GPOs with the GPOAccelerator, and examined the settings with the GPMC.

Exercise 2: Assessing Ongoing Security Requirements
Scenario
The scenario is the same as in Exercise 1.

Exercise Overview
In this exercise, you will install the MBSA and perform a sample run.
The main tasks for this exercise are as follows:
1. Install the MBSA 2.1 Beta 2.
2. Perform an MBSA analysis of NYC-DC1.

Task 1: Install the MBSA 2.1 Beta 2
• In the E:\Labfiles folder, run the mbsasetup.msi file. Accept all defaults.

Task 2: Perform an MBSA analysis of NYC-DC1
• Run the Microsoft Baseline Security Analyzer 2.1 you just installed.
• Click the Scan a computer icon.
• The virtual machines do not have Internet connectivity, so you will not
perform the security-update portion of the scan, which requires MBSA to
download a catalog file from the Internet. Select only the top three check boxes:
• Check for Windows administrative vulnerabilities
• Check for weak passwords
• Check for IIS administrative vulnerabilities
• Start the scan.
• Review the resultant report. Are there any vulnerabilities on NYC-DC1?
______________________________________________________________________

Results: After this exercise, you should have installed the MBSA 2.1 Beta 2 and
performed an MBSA analysis of NYC-DC1.

Exercise 3: Deploying Fine-Grained Password Policies
Scenario
The scenario is the same as in Exercise 1.

Exercise Overview
In this exercise, you will discuss how to deploy fine-grained password policies.
(Depending on class size, the instructor may break the class into smaller groups
for purposes of generating discussion.)

Task: Discuss deploying fine-grained password policies
• Discuss how to deploy fine-grained password policies. There is no correct or
incorrect answer, but during the discussion make sure you talk about the
following points:
• How many of you envision a use for fine-grained password policies, that is,
for making password and account lockout policies apply at the
organizational unit level rather than the domain level?
• What do you see as the pros and cons of following Microsoft’s suggested
practice and creating “shadow groups” to mirror the membership of
organizational units?
• What do you perceive as some of the benefits of having fewer domains,
now that it is not necessary to create a domain boundary only because a
constituency in your organization needs different password policies?
• How many people in your organization are conversant with the Active
Directory Service Interfaces (ADSI) Edit and LDAP Data Interchange
Format Directory Exchange (LDIFDE) tools?
• Use the space below to write the key points of the discussion.

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

Results: After this exercise, you should have discussed how to deploy fine-grained
password policies and some of the implications such restructuring could have for your
overall Active Directory design.

Lab Review

Module 6
Managing Active Directory® Service Roles
Contents:
Lesson 1: Using Windows Server 2008 Tools for AD CS 6-3
Lesson 2: Implementing AD LDS 6-8
Lesson 3: AD FS Overview 6-12
Lesson 4: AD RMS Overview 6-18
Lab: Managing Active Directory Service Roles 6-23

Module Overview

This module provides an overview of four Active Directory roles that were formerly
not considered Active Directory roles: Certificate Services, Lightweight Directory
Services, Federation Services, and Rights Management Services. The module also
describes some of the management challenges that these roles create, and some
new features of Windows Server® 2008 that might help to address those
challenges.

Lesson 1
Using Windows Server 2008 Tools for AD CS

Active Directory Certificate Services (AD CS) (formerly known simply as
"Certificate Services") can form the basis of a Public Key Infrastructure (PKI) for
organizations that want to deploy certificate-based security, for example, via smart
cards. Windows Server 2008 brings some new management tools that this lesson
introduces.

Benefits of OCSP and Online Responders

Key Points
Certificate Revocation Lists (CRLs) can become large over time. This can become a
performance issue, affecting network bandwidth and authentication times.
An online responder does not need to be a Certification Authority.
There is a new Microsoft® Management Console (MMC) snap-in for managing
online responders. This is in addition to the other snap-ins you might already be
familiar with (Certification Authority, Certificates, and Certificate Templates).

For more information, refer to the Installing, Configuring, and
Troubleshooting the Online Responder (Microsoft's OCSP Responder)
article on the Microsoft TechNet, Windows Server 2008 Technical Library
Web site. Also, refer to the Windows Server 2008 Active Directory
Certificate Services Step-by-Step Guide article on the Microsoft
Download Center Web site.

New Restricted Enrollment Agent Overview

Key Points
Use the Certification Authority snap-in (CA properties, Enrollment Agents tab) to
create a permissions list for each enrollment agent, naming the users and groups
on behalf of whom the agent can enroll.
The performance of a Certification Authority will be slower if you use enrollment
agent restrictions; however, you can mitigate the slowdown by:
• Minimizing the number of enrollment agent accounts
• Minimizing the list of accounts in the permissions list
• Using group accounts instead of user accounts
In addition to the new ability to restrict enrollment agents, you can also now enroll
network devices (for example, routers) that do not have domain accounts, via the
Network Device Enrollment Service (NDES).

For more information, refer to the Active Directory Certificate Server
Enhancements in Windows Server Code Name 'Longhorn' article on the
Microsoft Download Center Web site. Also, refer to the AD CS: Restricted
Enrollment Agent article on the Microsoft TechNet, Windows Server
2008 Technical Library Web site.

Using the New Enterprise PKI Console (PKIView)

Key Points
Enterprise PKI analyzes the health of Certification Authorities running Windows
Server 2008 or Microsoft Windows Server 2003. It no longer requires a separate
download.
Caveat: Remember that AD CS may not be installed on Windows Server Core
systems.
The Cryptography API 2 (CAPI2) diagnostics events reside in Event Viewer under
Applications and Services Logs - Microsoft - Windows - CAPI2.

For more information, refer to the Troubleshooting PKI Problems on
Windows Vista article on the Microsoft Windows Vista TechCenter Web
site. Also, refer to the AD CS: Enterprise PKI article on the Microsoft
TechNet, Windows Server 2008 Technical Library Web site.

Group Policy Settings for Certificate Services in Windows
Server 2008

Key Points
The four bullets in the slides correspond to tabs on the Certificate Path Validation
Settings dialog box.
New policy store categories under Public Key Policies as of Windows Server 2008
include:
• Trusted Publishers
• Untrusted Certificates
• Trusted People
• Intermediate Certification Authorities
Caveat: If you allow users to have a high degree of control over trust decisions and
management of their certificates, plan for some user training in these areas.

For more information, refer to the AD CS: Policy Settings article on the
Microsoft TechNet, Windows Server 2008 Technical Library Web site.

Lesson 2
Implementing AD LDS

Active Directory Lightweight Directory Services (AD LDS), formerly known as
Active Directory Application Mode (ADAM), provides the data replication platform
of Active Directory for application developers to leverage in their products.

How AD LDS Differs from AD DS

Key Points
You can think of AD LDS as Active Directory but without any user, group, or
computer account information, and therefore no domains or Group Policy settings.
It basically exposes the Active Directory replication engine for use by application
developers.
AD LDS does provide partitioning, multi-master replication, and Lightweight
Directory Access Protocol (LDAP) access.
You can provide AD LDS access to business partners without exposing your AD DS
database.
AD LDS can leverage AD DS for user authentication purposes.

Question: What types of applications do you think might benefit from their own
private replication ring? Can you think of any applications that might require
authentication via a database separate from AD DS? How about a unique and
separate directory store?

For more information, refer to the Active Directory Lightweight Directory
Services Overview article on the Microsoft TechNet, Windows Server
2008 Technical Library Web site.

Managing an AD LDS Instance

Key Points
Active Directory Service Interface (ADSI) Edit is specific to the Microsoft
implementation of Active Directory, whereas LDP can work with any LDAP
provider.
ADSI Edit is a console; LDP is a standalone executable.
LDP exposes some objects that you cannot see in ADSI Edit.
The new auditing capabilities of AD DS in Windows Server 2008, for example,
recording old and new attributes in the audit log after an attribute change, are also
available to AD LDS.
You can also use the snapshot tool DSAMAIN with AD LDS.
You can adapt an AD LDS instance for management with Active Directory Sites and
Services by importing MS-ADLDS-DisplaySpecifiers.LDF into the instance's
configuration partition with LDIFDE.
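
The following added example (it is not part of the course materials) performs that import from Windows PowerShell and then checks that the display specifiers were created. The host name NYC-SVR1, port 50000, the LDF path, and the function name are assumptions; the LDF shipped with AD LDS is written against a placeholder partition, so the -c switch of LDIFDE rewrites it to the instance's real configuration naming context.

```powershell
# Added example (not part of the course): import the AD LDS display
# specifiers so Active Directory Sites and Services can manage an instance,
# then confirm the import. Server name, port and LDF path are assumptions;
# run as an administrator of the instance, from the AD LDS host.
$server = 'NYC-SVR1:50000'
$ldf    = Join-Path $env:windir 'ADAM\MS-ADLDS-DisplaySpecifiers.LDF'

# The LDF refers to a placeholder partition (DC=X); -c rewrites every
# occurrence to this instance's real configuration naming context.
$rootDse  = [ADSI]"LDAP://$server/RootDSE"
$configNc = [string]$rootDse.configurationNamingContext   # CN=Configuration,CN={GUID}

# -i import, -f input file, -s server:port, -k continue past "already
# exists" errors, -j folder that receives ldif.log and ldif.err
ldifde -i -f $ldf -s $server -k -j $env:TEMP -c 'CN=Configuration,DC=X' $configNc

function Test-AdLdsDisplaySpecifiers {
    param([string]$Server, [string]$ConfigNc)
    # Locale container 409 (en-US) is one of the containers the LDF
    # populates (assumption); its presence shows the import ran.
    $path = "LDAP://$Server/CN=409,CN=DisplaySpecifiers,$ConfigNc"
    return [System.DirectoryServices.DirectoryEntry]::Exists($path)
}

if (Test-AdLdsDisplaySpecifiers -Server $server -ConfigNc $configNc) {
    Write-Host "Display specifiers present; connect Sites and Services to $server."
} else {
    Write-Warning "Import did not create CN=409,CN=DisplaySpecifiers; see $env:TEMP\ldif.err."
}
```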

Question: Why does it make sense that Active Directory Users and Computers
and Active Directory Domains and Trusts do not work with AD LDS?

Lesson 3
AD FS Overview

Active Directory Federation Services (AD FS) is an alternative to a forest-to-forest
trust when one organization wants to grant network access to a subset of the
population of another organization.

AD FS Refresher

Key Points
AD FS is based on the WS-* Web services architecture (it implements the
WS-Federation Passive Requestor Profile). You can read more about the Web
Services Architecture at the www.w3.org site. The architecture is designed to
facilitate interoperability between Web services.
AD FS is designed to relieve the requirement of a secondary credentials request
when trusted users from outside your network access a Web application in your
network.
The resource partner manages access to its network's application(s) for trusted
partners.
The account partner authenticates users and issues signed security tokens that
carry claims about them; the resource partner's federation server validates these
tokens and sets cookies that the user's browser presents when it accesses
applications on the resource partner's network.

For more information, refer to the A Developer's Introduction to Active
Directory Federation Services article on the MSDN® Magazine Web site.
Also, refer to the Active Directory Federation Services Overview article on
the Microsoft TechNet, Windows Server 2008 Technical Library Web site.

AD FS Management Console

Key Points
Using Server Manager to manage AD FS, you can set up the following role services,
as required, depending on the location and function of the server:
• The Federation Service, which performs user authentication routing from
trusted users in other networks.
• The Federation Service Proxy, which resides in a perimeter network (also
called a DMZ or screened subnet) and passes credentials along to an internal
server running the Federation Service.
• The Claims-Aware Agent, which installs on an IIS server hosting a claims-aware
application that you want to make available to trusted external users.
As an alternative to Server Manager, you can run the Federation Services snap-in as
a separate console. Use the IIS Manager snap-in to manage the Claims-Aware
Agent.

For more information, refer to the Step-by-Step Guide for AD FS in
Windows Server 2008 article on the Microsoft TechNet, Windows Server
2008 Technical Library Web site.

Defining Web-Based Single Sign-On Mode

Key Points
Single Sign-On (SSO) mode refers to a system in which users who have
authenticated to one network may access applications on a different network
without providing an extra set of credentials.
You can integrate AD FS with Microsoft Office SharePoint® Server 2007 and extend
the SSO benefits to that system. Doing so will require a strong knowledge of both
products.

For more information, refer to the Configure Web SSO authentication by
using AD FS (Office SharePoint Server) article on the Microsoft TechNet,
Microsoft Office System, Office SharePoint Server 2007 Web site.

AD FS Dependent Services Overview

Key Points
The dependencies are made possible by what Microsoft calls "Component-Based
Servicing."
Removal of AD FS will prompt for removal of subsidiary roles and services.
Office SharePoint Server 2007 is not a dependent service but can interoperate with
AD FS.
Active Directory Rights Management Services (AD RMS) is also not a dependent
role, but can interoperate with AD FS to share rights-protected content across
network boundaries.

For more information, refer to the Active Directory Federation Services
Role article on the Microsoft TechNet, Windows Server 2008 Technical
Library Web site.
New Import/Export Capabilities

Key Points
Windows Server 2003 R2 had limited ability to import and export trust policy
settings, but Windows Server 2008 makes the process more streamlined.
In Windows Server 2008, the Add Partner Wizard not only permits importing of
trust policy settings, but modifying those settings before actually importing them.

For more information, refer to the Active Directory Federation Services Role article, the section "Better administrative experience when establishing federated trusts" on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.
Lesson 4
AD RMS Overview

AD RMS was introduced in Windows Server 2003 and in Windows Server 2008 is
now a server role. It provides a form of Digital Rights Management (DRM) with
selected applications.
AD RMS Refresher

Key Points
NTFS provides some control over what users can do with documents; however,
such documents must remain on NTFS volumes or lose those restrictions.
Additionally, NTFS does not provide for permissions such as "forward," nor does it
permit (as AD RMS does) the creation of time periods during which the controls
will be valid.
In addition to Office 2007 (but only Enterprise, Professional Plus, or Ultimate),
Windows Office SharePoint Server 2007 is also RMS-aware.
The AD RMS server resides on a member server, not a domain controller.
You can experiment with AD RMS using a Microsoft server for a trial period.

For more information, refer to the Event Review: RMS in Windows Server
2008 article on the Microsoft TechNet, Resources for IT Professionals,
Events and Webcasts Web site. Also, refer to the Active Directory Rights
Management Services Overview article on the Microsoft TechNet,
Windows Server 2008 Technical Library Web site.
New Administrative Groups

Key Points
Several dependent components must be configured correctly for AD RMS to work. Before
implementing AD RMS, make sure the dependent roles and services are up and
running correctly.
AD RMS can integrate with AD FS to provide rights management for documents
shared with trusted users in a federated external network.
AD RMS can also integrate with Windows Office SharePoint Server.

For more information, refer to the Windows Server Active Directory Rights Management Services Step-by-Step Guide article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.

If you will be using AD RMS with Federation Services, refer to the Using
Identity Federation with Active Directory Rights Management Services
Step-by-Step Guide article located on the Windows Server 2008
Technical Library Web site.
If you want to integrate AD RMS and SharePoint, refer to the Deploying
Active Directory Rights Management Services with Microsoft Office
SharePoint Server 2007 Step-by-Step Guide article, which is also located
on the Windows Server 2008 Technical Library Web site.
AD RMS Dependent Services Overview

Key Points
The user who installs AD RMS must not use the same account as the AD RMS
service account.
You must be in the AD RMS Enterprise Administrators group as well as the local
administrators group to change the AD RMS service account.
AD RMS Enterprise Administrators can do anything in the AD RMS console. The
installing user is automatically added to this group.
AD RMS Auditors can use the AD RMS console but only the reporting features.

For more information, refer to the Administer AD RMS by Using the Active Directory Rights Management Services Console article on the Microsoft TechNet, Windows Server 2008 Technical Library Web site.
Lab: Managing Active Directory Service Roles

Exercise 1: Installing the AD LDS Role


Scenario
Woodgrove Bank is deploying a new customer relations database package that
leverages the Active Directory replication engine. The new software requires AD
LDS. Some of the management functions for the new application will be handled
by utilities provided by the vendor. However, IT personnel will be responsible for
occasional use of Active Directory utilities to help manage the AD LDS instance.

Exercise Overview
The main tasks for this exercise are as follows:
1. Install the AD LDS role on NYC-DC1.
2. Configure the AD LDS service for a new instance.

Task 1: Install the AD LDS role on NYC-DC1


• Start NYC-DC1, if it is not already started, and open Server Manager.
• Add the Active Directory Lightweight Directory Services role. Accept all
defaults.
Task 2: Configure AD LDS for a new instance
• Start the AD LDS Setup Wizard for the new role.
• Create a new instance named CustApp1 with the default port values.
• Create an application directory partition named:
CN=Custapp1,DC=woodgrovebank,DC=com.
• Accept the defaults for file locations and service account selection.
• At the AD LDS Administrators screen, browse to select the
ITAdmins_WoodgroveGG security group.
• In the Importing LDIF Files screen, select MS-ADLDS-DisplaySpecifiers.LDF
and MS-User.LDF.
• When prompted for credentials, type woodgrovebank\thomas and
Pa$$w0rd.
• Close the page.

Results: After this exercise, the AD LDS service is installed and one instance of the
Custapp directory is configured.
Exercise 2: Identifying Ongoing Management Concerns
Scenario
The scenario is the same as in Exercise 1.

Exercise Overview
In this exercise, you will discuss the ongoing management issues for the new
customer relations database application. (Depending on class size, the instructor
may break the class into smaller groups for purposes of generating discussion.)

Task: Discuss ongoing management concerns


• Generate a list of issues to go over with the application vendor to determine
which management and administration tasks will be managed by vendor
software and which tasks will be managed by tools bundled with Windows
Server 2008.
• Use the space below to write the list of issues.

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Results: After this exercise, you will have identified a number of management
concerns for an AD LDS application.
Exercise 3: Using Windows Server 2008 Tools for Managing AD LDS
Scenario
The scenario is the same as in Exercise 1. You need to become familiar with how to
use Active Directory tools in the context of AD LDS, rather than in the context of
managing AD DS.

Exercise Overview
The main tasks for this exercise are as follows:
1. Use ADSI Edit to view an AD LDS instance.
2. Use LDP to view an AD LDS instance.
3. Use the Schema Console to view the schema for an AD LDS instance.

Task 1: Use ADSI Edit to view an AD LDS instance


• In the Server Manager details pane, with the Active Directory Lightweight
Directory Services node highlighted, find and click the ADSI Edit link.
• Connect to the Distinguished Name:
CN=CustApp1,DC=woodgrovebank,DC=com. You will need to specify port
50000 and specify credentials of Thomas and Pa$$w0rd.
• On the ADSI Edit console, in the navigation pane, expand the nodes. You
should see three containers. You would see more containers after initializing
the application that needs to use the LDS instance.
• In the navigation pane, select CN=Roles.
• In the details pane, look at the properties for CN=Users. Select the different
attributes by clicking them. Note that in some cases you have a View button
available, and in other cases the button becomes an Edit button. This tells you
that you can use ADSI Edit to modify data in the LDS directory.
• Close the CN=Users Properties window and then close ADSI Edit.

Task 2: Use LDP to view an AD LDS instance


• In the Server Manager details pane, with the Active Directory Lightweight
Directory Services node highlighted, find and click the LDP.exe link.
• Perform a connection operation to server NYC-DC1.woodgrovebank.com at
port 50000. The details pane should populate with information.
• At the top of the details pane, view the ldap_open command.
• Bind with credentials, using Thomas, Pa$$w0rd, and woodgrovebank.com.
• View the results of the bind operation at the bottom of the details pane. You
have just authenticated to LDP.
• Navigate to the Tree view for the BaseDN of
CN=custapp1,DC=woodgrovebank,DC=com. You should see the same
structure appear that you saw in the ADSI Edit tool in Task 1. View the
properties of the three CN entries that appear under the base DN, to get a feel
for the kind of information that you can view in LDP.

Task 3: Use the Schema Console to view the schema for an AD LDS instance
• Register the schema console DLL in a command prompt with the command
regsvr32 schmmgmt.dll.
• Close the Command Prompt window.
• Use fast user switching to log on as Thomas, who has already been set up as a
Schema Admin.
• Open the MMC shell and add the Active Directory Schema snap-in.
• In the navigation pane, from the Active Directory Schema node open Change
Active Directory Domain Controller.
• Specify NYC-DC1.woodgrovebank.com:50000 and wait for the status column
to show Online.
• You should see new nodes for classes and attributes. (If you do not, close the
console and try re-creating it.) Expand the Classes node and scroll down until
you see the entry for User. (This is the object class that was added when you
created the instance in Exercise 1 and specified the LDIF script MS-User.LDF.)
• Open the Properties for the User entry and navigate to the Attributes tab.
These are the attributes for the user object in this instance of AD LDS. They are
now completely separate from the attributes for the user object in AD DS.
• Close all open dialog boxes and consoles, and then close the virtual machine.
Results: After this exercise, you will have seen three tools that you can use to manage
an AD LDS instance, and have some understanding of when to use each.
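The same three views can be obtained from PowerShell. The following is an added example, not part of the course materials, that uses System.DirectoryServices against the CustApp1 instance with the lab's server, port and account (NYC-DC1.woodgrovebank.com:50000, woodgrovebank\thomas), which are the only values it assumes.

```powershell
# Added example (not course material): reproduce the ADSI Edit, LDP and Schema
# console views of Exercise 3 from PowerShell with System.DirectoryServices.
# Lab values assumed: NYC-DC1.woodgrovebank.com, port 50000, woodgrovebank\thomas.

$server = 'NYC-DC1.woodgrovebank.com:50000'
$baseDn = 'CN=CustApp1,DC=woodgrovebank,DC=com'
$cred   = Get-Credential 'woodgrovebank\thomas'   # prompts for the lab password

# Bind to a DN on the instance with the lab credentials (LDP's bind step).
# .psbase reaches the .NET DirectoryEntry members behind PowerShell's ADSI adapter.
function Get-AdLdsEntry {
    param([string]$Dn)
    New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$server/$Dn",
        $cred.UserName,
        $cred.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
}

# 1. ADSI Edit view: the containers directly under the application partition.
$partition = Get-AdLdsEntry -Dn $baseDn
Write-Host "Children of $baseDn"
foreach ($child in $partition.psbase.Children) {
    Write-Host ("  {0}  [{1}]" -f $child.psbase.Name, $child.psbase.SchemaClassName)
}

# 2. LDP view: rootDSE after the bind. Each AD LDS instance has its own schema
#    partition under CN=Configuration,CN={instance GUID}, separate from AD DS.
$rootDse  = Get-AdLdsEntry -Dn 'RootDSE'
$schemaNc = $rootDse.psbase.Properties['schemaNamingContext'].Value
Write-Host "Schema partition of this instance: $schemaNc"

# 3. Schema console view: the mandatory and optional attributes of the User class,
#    which exists here only because MS-User.LDF was imported in Exercise 1.
$userClass = Get-AdLdsEntry -Dn "CN=User,$schemaNc"
foreach ($attr in 'systemMustContain', 'mustContain', 'systemMayContain', 'mayContain') {
    $values = @($userClass.psbase.Properties[$attr])
    if ($values.Count -gt 0) {
        Write-Host ("{0} ({1}): {2}" -f $attr, $values.Count, ($values -join ', '))
    }
}
```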
Lab Review
Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your
learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will
use your responses to improve your future learning experience. Your open and
honest feedback is valuable and appreciated.

Module 1: Managing an Active Directory Server Lifecycle
Lab: Managing and Maintaining a Windows Server 2008 Domain Controller
Logon Information:
• Virtual Machines: NYC-SVR1, NYC-DC1
• User Name: WoodgroveBank\Administrator
• Password: Pa$$w0rd

Estimated time: 80 minutes

Exercise 1: Evaluating the Need for an AD DS Promotion


Scenario
Woodgrove Bank’s IT administrators have noticed slow logons at its branch office,
where it has deployed a server named NYC-SVR1. The branch office, which is two
miles away from the main New York headquarters, connects to the headquarters
location over a busy, shared T-1 connection. At the corporate headquarters, NYC-
DC1 acts as a domain controller and DNS server for the WoodgroveBank.com
domain. The branch office is closed Friday afternoons and all day Saturday and
Sunday. It is managed by a medium-sized staff, none of whom have had any server
training.

Exercise Overview
In this exercise, you will create a plan to add the Active Directory® Domain Services
(AD DS) role to NYC-SVR1.

Task: Create a plan to add the AD DS role to NYC-SVR1


• Create a plan to add the AD DS role to NYC-SVR1. The plan should consider
the following elements:
• Whether NYC-SVR1 should become a writeable domain controller or a
Read-Only Domain Controller (RODC).
• When to perform the promotion of NYC-SVR1.
• Whether to perform the promotion through a remote desktop connection,
on site, by telephone, or by sending e-mail instructions to the local liaison.
Answers will vary.

Results: After this exercise, you should have a plan to promote NYC-SVR1 to be an
AD DS domain controller.

Exercise 2: Meeting the Need by Adding a Role


Exercise Overview
In this exercise, you will implement the plan to add the AD DS role to NYC-SVR1.

Task 1: Start NYC-DC1 and NYC-SVR1


1. Start NYC-DC1 using the Lab Launcher tool.
2. Log on to NYC-DC1 as WoodgroveBank\Administrator with the password of
Pa$$w0rd.
3. Verify that the forest functional level is at least Microsoft Windows Server
2003, the minimum required to support RODCs. Look for Active Directory
Domains and Trusts in Server Manager. If you do not find it, open it from
Administrative Tools. You can view the FFL via the context menu of the
topmost node in the console's navigation pane; click Raise Forest Functional
Level and click past the warning message.
4. In the Lab Launcher tool on your host operating system, start NYC-SVR1. It
will start faster, as it is not a domain controller.
5. Log on to NYC-SVR1 as LocalAdmin with the password of Pa$$w0rd.
6. Close the Initial Configuration Tasks window, if it opens.

Task 2: Check the installed roles on NYC-SVR1


• The Server Manager console should come up automatically (it may take a few
moments). Expand the Roles node and view the installed roles. (If AD DS
were already installed, you would need to re-evaluate your plan.)

Task 3: Run DCPROMO on NYC-SVR1


1. On NYC-SVR1, open an administrative command prompt.
2. Ping NYC-DC1 to make sure you can see it on the same virtual network. If the
ping command fails, troubleshoot your virtual network, or contact your
instructor.
3. To start the AD DS Installation Wizard, run DCPROMO. What message do you
see as the process begins? (Answer: “Active Directory Domain Services binaries
are being installed.”)
4. When the Welcome page appears, select the Use advanced mode installation
check box and then proceed to the next page.
5. In the Operating System Compatibility dialog box, click Next.
6. In the Choose a Deployment Configuration dialog box, click Existing forest
and Add a domain controller to an existing domain, and then click Next.
7. In the Network Credentials dialog box, type WoodgroveBank.com for the
domain name. Click the Set button on the same dialog box and type
administrator and Pa$$w0rd for the domain credentials. Click OK and then
Next.
8. In the Select a Domain dialog box, leave the forest root domain highlighted
and click Next.
9. In the Select a Site dialog box, leave the default site highlighted and click
Next.
10. On the Additional Domain Controller Options page, select all three boxes to
ensure that the new domain controller is also a DNS server, a Global catalog
server, and an RODC, and then click Next.
11. In the warning about static IP assignments, click No, I will assign static IP
addresses to all physical network adapters.

12. Note that nothing happens. The wizard wants you to assign the IP version 6
address but does not provide a dialog box for you to do so. On the Start
menu, right-click the Network entry and click Properties.
13. In the task pane, click Manage network connections.
14. Right-click Local Area Connection and click Properties.
15. Note that the IP version 4 address is already configured as static. Remove
support for IP version 6 by deselecting the check box, and click OK. Close the
Network Connections control panel and the Network and Sharing Center.
16. Back at the Active Directory Domain Services Installation Wizard, click Next.
17. In the Specify the Password Replication Policy dialog box, review the
settings but do not change any of them, and then click Next.
18. In the Delegation of RODC Installation and Administration dialog box, click
the Set button and add the group NYC_BranchManagersGG. Verify it with the
Check Names button. Click OK and then Next.
19. In the Install from Media dialog box, make sure that Replicate data over the
network from an existing domain controller is selected, and click Next.
20. In the Source Domain Controller dialog box, make sure that Let the wizard
choose an appropriate domain controller is selected, and click Next.
21. In the Location for Database, Log Files, and SYSVOL dialog box, leave all the
default settings and click Next.
22. In the Directory Services Restore Mode Administrator Password dialog box,
type Pa$$w0rd as the password (you must type it twice), and click Next.
23. Review the Summary page. If everything looks good, click Next.
24. At this point, the actual promotion and replication of domain data takes place.
It is a lengthy process so this would be a good time to take a break. When the
wizard reports that it has finished, restart the NYC-SVR1 virtual machine, and
log on as the administrator of the domain WoodgroveBank.
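The same promotion can be scripted instead of clicked through. The following is an added example, not part of the course, that writes a dcpromo [DCInstall] answer file with the choices made in steps 5 to 22 and runs dcpromo /unattend on NYC-SVR1; it assumes the Windows Server 2008 dcpromo answer-file parameters and the lab's names and passwords.

```powershell
# Added example (not course material): Task 3 as an unattended dcpromo run on
# NYC-SVR1 with the lab's choices: read-only DC, DNS server and global catalog in
# Default-First-Site-Name, NYC_BranchManagersGG delegated, default paths and
# default password replication policy. Assumes the Windows Server 2008 dcpromo
# [DCInstall] parameters and the lab's credentials; run from an elevated prompt.

# Pre-check from Task 1: RODCs require at least the Windows Server 2003 forest
# functional level, which rootDSE exposes as forestFunctionality >= 2.
$rootDse = New-Object System.DirectoryServices.DirectoryEntry(
    'LDAP://NYC-DC1.woodgrovebank.com/RootDSE')
$ffl = [int]$rootDse.psbase.Properties['forestFunctionality'].Value
if ($ffl -lt 2) { throw "Forest functional level $ffl is below Windows Server 2003" }

# Step 2: the source DC must be reachable on the virtual network.
ping -n 2 NYC-DC1 | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'NYC-DC1 is not reachable; check the virtual network' }

# Steps 5-22 as answer-file keys. Password=* makes dcpromo prompt for the domain
# credential instead of storing it; SafeModeAdminPassword is the DSRM password.
$answerFile = Join-Path $env:TEMP 'rodc-unattend.txt'
@'
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=WoodgroveBank.com
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=WoodgroveBank.com
UserName=administrator
Password=*
DelegatedAdmin=WoodgroveBank\NYC_BranchManagersGG
SafeModeAdminPassword=Pa$$w0rd
RebootOnCompletion=No
'@ | Set-Content -Path $answerFile -Encoding ASCII

# Steps 23-24: run the promotion (replication still takes as long as in the wizard),
# then remove the file, which contains the DSRM password, as soon as dcpromo is done.
dcpromo "/unattend:$answerFile"
$exitCode = $LASTEXITCODE
Remove-Item -Path $answerFile -Force

# The NTDS (Active Directory Domain Services) service exists only once the directory
# has been installed; reboot as the wizard would, otherwise look at the dcpromo log.
if (Get-Service -Name NTDS -ErrorAction SilentlyContinue) {
    shutdown /r /t 0
} else {
    throw "Promotion did not complete (dcpromo exit code $exitCode); see $env:windir\debug\dcpromo.log"
}
```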

Task 4: Verify successful promotion


1. Navigate to the NYC-DC1 virtual machine. In Server Manager, navigate to
Active Directory Users and Computers.
2. Open the Domain Controllers organizational unit. Do you see NYC-SVR1?
What type of server is it?

Results: After this exercise, you should have a new RODC in the form of NYC-SVR1.
This should help alleviate the problem of slow logons in the branch office.

Exercise 3: Managing a Change Request for an RODC by Using the Command Line
Exercise Overview
In this exercise, you will update the configuration of the new RODC through a
domain controller change and forced replication. The updated configuration
consists of a new organizational unit, Federal Auditors, that is added to the domain
WoodgroveBank.com. Senior management wants to ensure that the new
organizational unit replicates to the NYC-SVR1 read-only domain controller
immediately.

Task 1: Add the new organizational unit on NYC-DC1


1. On NYC-DC1, in Server Manager, navigate to Active Directory Users and
Computers.
2. In either the navigation pane or the details pane, right-click the
WoodgroveBank.com domain icon, and click New and Organizational Unit.
3. Name the new organizational unit as FederalAuditors and click OK.

Task 2: Replicate the change to NYC-SVR1


1. In Server Manager (still on NYC-DC1), navigate to Active Directory Sites and
Services.
2. Expand Sites and Default-First-Site-Name.
3. Expand the Servers node and the node for NYC-SVR1.
4. Click NTDS Settings. You should see an entry in the details pane for NYC-
DC1, which is a replication partner of NYC-SVR1.
5. In the details pane, right-click the entry for NYC-DC1, and click Replicate
Now. This will force a replication from NYC-DC1 to NYC-SVR1. (In this
console, replication occurs from right to left.) If you get an error message, it
may be that the NYC-SVR1 domain controller is still sorting itself out. Give it
five minutes or so, and then try again. You should eventually get a message
that the replication operation completed successfully.
6. Switch over to NYC-SVR1 and, in Server Manager, navigate to Active Directory
Users and Computers.
7. Verify that the FederalAuditors organizational unit now appears under WoodgroveBank.com.
8. Close NYC-SVR1 by executing a normal shutdown, saving your changes. (You
do not want to close the virtual machine and discard changes, which may
appear as an option.)
9. Leave the NYC-DC1 virtual machine running for future labs.

Results: After this exercise, you should have an AD DS change on NYC-DC1 and the
change replicated to NYC-SVR1.
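Exercise 3 is titled "by Using the Command Line", so here is an added example, not from the course, that performs Tasks 1 and 2 with dsadd and repadmin from NYC-DC1 and then checks the RODC directly; it assumes only the lab's names (NYC-DC1, NYC-SVR1, FederalAuditors, woodgrovebank.com) and the command-line tools that the AD DS role installs.

```powershell
# Added example (not course material): Exercise 3 from the command line on
# NYC-DC1 instead of the two consoles. Uses dsadd and repadmin, which the AD DS
# role installs; all names are the lab's.

$domainDn = 'DC=woodgrovebank,DC=com'
$ouDn     = "OU=FederalAuditors,$domainDn"
$sourceDc = 'NYC-DC1'      # writable DC where the change is made
$rodc     = 'NYC-SVR1'     # read-only DC that must receive it

# Task 1: create the OU on the writable DC. An RODC accepts no writes, so the
# change must be made on NYC-DC1 and replicated inbound to NYC-SVR1.
dsadd ou $ouDn -desc 'Federal Auditors' -s $sourceDc
if ($LASTEXITCODE -ne 0) { throw "dsadd failed with exit code $LASTEXITCODE" }

# Task 2 step 5: "Replicate Now" is repadmin /replicate <destination> <source> <NC>.
# The new RODC may still be initialising, so retry a few times as the lab advises.
function Wait-ForReplication {
    param([string]$Destination, [string]$Source, [string]$NamingContext,
          [string]$ObjectDn, [int]$Attempts = 5, [int]$DelaySeconds = 60)
    for ($i = 1; $i -le $Attempts; $i++) {
        repadmin /replicate $Destination $Source $NamingContext | Out-Null
        # Task 2 step 7: confirm on the RODC itself that the object has arrived.
        if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Destination/$ObjectDn")) {
            return $true
        }
        Write-Host "Attempt $i of $Attempts : $ObjectDn not yet on $Destination; waiting $DelaySeconds s"
        Start-Sleep -Seconds $DelaySeconds
    }
    return $false
}

if (Wait-ForReplication -Destination $rodc -Source $sourceDc -NamingContext $domainDn -ObjectDn $ouDn) {
    Write-Host "$ouDn is present on $rodc"
} else {
    # Show the RODC's inbound replication partners and last status to see what failed.
    repadmin /showrepl $rodc
    throw "Replication of $ouDn to $rodc did not complete"
}
```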

Exercise 4: Developing a Management and Maintenance Plan
Scenario
You and your colleagues in the IT department have been asked to write a first draft
of a management and maintenance plan for the NYC-DC1 and NYC-SVR1 domain
controllers.

Exercise Overview
In this exercise, you will write a first draft of a management and maintenance plan
for the NYC-DC1 and NYC-SVR1 domain controllers.

Task 1: Decide which tools are better suited for each of the two domain controllers
• Decide which tools are better suited for corporate headquarters and which are
better suited to the branch office scenario. Consider that Server Manager is not
“remoteable” as such, whereas Active Directory Users and Computers and Event
Viewer are.
Answers will vary.

Task 2: Decide whether the new RODC is meeting the business needs
• Consider the methods for determining whether the new RODC is meeting the
business needs.
Answers will vary.

Task 3: Decide whether delegation for certain functions might be appropriate
• Consider whether delegation for certain functions might be appropriate, for
example, adding user accounts.
Answers will vary.

Results: After this exercise, you should have a draft document that outlines how to
manage these two domain controllers.

Exercise 5: Evaluating the Management and Maintenance Plan
Exercise Overview
In this exercise, you will discuss the plan documents you created in Exercise 4.

Task: Evaluate the management and maintenance plan


• Discuss the plan documents you created in Exercise 4. There is no correct or
incorrect answer, but during the discussion make sure you talk about the
following points:
• Whether logons and connections to servers are now faster for Active
Directory users connecting to the NYC-SVR1 domain controller.
• Lack of technical expertise at the branch office.
• The remotability, or lack thereof, of specific management tools.
• Delegating some routine management functions for NYC-SVR1 to the
branch office personnel.
Answers will vary.

Results: After this exercise, you should have ideas for evaluating the success of the
plan developed in Exercise 4.

Module 2: Creating Baselines for Active Directory Servers
Lab: Creating Baselines for Active Directory Servers
Logon Information:
• Virtual Machines: NYC-DC1
• User Name: WoodgroveBank\Administrator
• Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Involving Users in Baseline Development


Scenario
The loan department of Woodgrove Bank has a number of users who work on
shared PCs. The frequency of logons and logoffs is relatively high in this
department. The department runs a small number of applications, and employees
perform very few searches of Active Directory. Communications outside the local
office are limited.
The research department of the bank, by contrast, is engaged in studying new
banking products. Employees of this department, who generally have a PC all to
themselves, perform a fair amount of market research and draw upon resources
throughout the organization, including people in different locations and even in
different domains. They tend to log on at the beginning of the day and log off at
the end of it.

Task 1: Generate ideas for involving users in baseline development


• Working in small groups, discuss ways in which computer users can become
involved in developing a baseline.
Answers will vary.

Task 2: Generate five questions to ask in a user survey to help IT professionals develop baseline documents
• Working in the same groups, discuss what type of questions you might ask in
a user survey (for example, an e-mail survey) to help you create appropriate
Active Directory baseline values. The following are some thought starters:
• What is the slowest operation you perform on your PC?
• What is the fastest operation you perform on your PC?
• How many times a day do you typically log on and off?
• How many times a day do you search the network for resources other than
mapped drives and printers?
Answers will vary.

Results: After this exercise, you should have some ideas for involving users in what
traditionally has been an IT-only activity, developing network performance baselines.

Exercise 2: Choosing Relevant WRPM Counters and Durations
Scenario
Use the same scenario as in Exercise 1.

Exercise Overview
In this exercise, you will identify relevant Windows® Reliability and Performance
Monitor (WRPM) counters for the loan department and for the research
department.

Task 1: List the counters that you would consider including in the baseline
1. Open the Microsoft® Lab Launcher, if it is not already open.
2. Start NYC-DC1, if it is not already started.
3. Log on to NYC-DC1 as WoodgroveBank\Administrator with the password of
Pa$$w0rd.
4. In Server Manager, expand the nodes Diagnostics, Reliability and
Performance, and Data Collector Sets.

5. Expand the System node beneath Data Collector Sets. Here are several Data
Collector Sets that Microsoft has pre-built for you as a way to get you started
with the system diagnostics tools.
6. Right-click the Active Directory Diagnostics Data Collector Set, and click
Properties. These properties apply to the Data Collector Set as a whole, even
though it has various components that can be configured separately.
7. On the General tab, read the description of this Data Collector Set.
8. Take a look at the other tabs on the Data Collector Set properties page.
9. To close the page, click the Cancel button.
10. In the details pane, you should see four data collectors. What types are they?
Answer: Trace, Trace, Performance Counter, and Configuration
11. Right-click the Performance Counter data collector and click Properties. Note
the PerfLog objects that Microsoft has chosen for this pre-built Data Collector
Set. This list is a good starting point for exploring Active Directory
performance counters in detail. Note, for example, the category
DirectoryServices.
12. To return to Server Manager, click Cancel.
13. Now you will see where you would create your own Data Collector Set. In the
navigation pane, right-click the User Defined node, click New, and then Data
Collector Set.
14. In the Create new Data Collector Set dialog box, type the name CustomAD,
click the Create from a template (Recommended) option button, and click
Next.
15. Click Active Directory Diagnostics as the template that you will use as the
starting point for your new custom Data Collector Set, CustomAD, and click
Next.
16. Leave the Root directory selection as the default value and click Next.
17. In the Create new Data Collector Set window, click the Open properties for
this data collector set option button, and click Finish.
18. In the Description field, type Woodgrove Bank custom AD data collector
set.
19. If you would like to, look at the other tabs and then click OK.
20. Expand the User Defined node.

21. With CustomAD highlighted in the Server Manager navigation pane, right-click
Performance Counter in the details pane and click Properties.
22. To display the (untitled) counter selection dialog box, on the Performance
Counters tab, click the Add button (this button was grayed out when you
were viewing the system template).
23. To display the counters in this category, find the DirectoryServices object in
the upper left list box, and click the + next to its name.
24. Browse the counters listed under DirectoryServices. Can you find any context-
sensitive help to assist you in understanding their meaning? (There is a
description field which you can activate by checking the Show description
box, but it varies from very helpful, for some counters, to a mere restatement
of the counter name, for others. You will need some good books, magazine
articles, and online references to help you understand these counters.)
25. Can you locate the following counter categories:
• ATQ (Asynchronous Thread Queue)
• DRA (Directory Replication Agent)
• DS (Directory Service)
• LDAP
• SAM (Security Accounts Manager)
26. Browse the counters listed under FileReplicaSet. In the course handbook, you
should have written performance counters and/or objects that look relevant to
you.

Task 2: Consider differences in a baseline strategy for the two departments
1. Using the console from Task 1, identify three performance counters that
would probably be more important for the loan department than for the
research department. (The answer should reflect the fact that loan department
employees perform frequent logons and logoffs.) Answers will vary.
2. Identify three performance counters that would probably be more important
for the research department than for the loan department. (The answer should
reflect the fact that the research department performs more Active Directory
search operations.) Answers will vary.

3. Identify three performance counters that would probably be important for
both departments. Answers will vary.
4. Leave NYC-DC1 running for future labs.

Results: After this exercise, you should be more familiar with some of the PerfMon
Active Directory counters, and have some idea of how to adapt a baseline strategy for
different business situations.

Exercise 3: Evaluating and Revising a Baseline Document in the Face of Business Changes
Scenario
The scenario is the same as in Exercise 1, but the IT department has just been
informed that the domain controller is about to support twice as many users as it
does presently.

Exercise Overview
In this exercise, you will discuss as a class whether the baseline document should
be modified in view of the increased user population, and explore possible
procedures and organizational standards for modifying (or suggesting
modifications to) the baseline document.

Task 1: Decide whether the baseline document should be modified


1. Discuss the pros and cons of modifying the baseline document for the
upcoming change.
2. What questions would you ask in order to determine whether the Active
Directory performance baseline document should be modified? Examples:
• Is the increase in the user population permanent or temporary?
• Will the new users be domain users?
• Will the new users be running AD LDS?
Answers will vary.

Task 2: Discuss the procedures and standards for modifying a baseline document
1. Discuss who in the organization should be able to initiate a baseline
modification suggestion.
2. Discuss who should review such suggestions, and how often they should
perform such a review.
3. Discuss what happens to a baseline document that is never updated.
Answers will vary.

Results: After this exercise, you should have heard various perspectives and ideas on
the pros and cons of modifying Active Directory baseline documentation, and on how
to implement such modifications in a realistic and practical way.

Module 3: Monitoring the System Health of Active Directory Servers
Lab: Monitoring Active Directory
Server Roles
Logon Information:
• Virtual Machine: NYC-DC1
• User Name: Administrator
• Password: Pa$$w0rd

Estimated time: 75 minutes

Exercise 1: Setting a Performance Alert to Meet a Business Goal
Scenario
The management at Woodgrove Bank has issued a directive to the IT department
to respond more proactively when Active Directory® domain controllers are
overloaded beyond “normal” time-of-day spikes. The business goal is to address
short-term domain performance problems before users start calling the Help Desk
to report them. The bank would prefer not to spend money on additional
monitoring and alerting tools and would also like the solution to have a light
footprint in terms of system overhead.

Two system administrators have offered plans for generating an alert. The plans
are basically identical in terms of the performance objects and counters to be
monitored, and include the following, among others:
• Processor\Percent processor time
• PhysicalDisk\Avg. disk queue length
• Network Interface\bytes received/sec
• Network Interface\bytes sent/sec
• Directory Service\LDAP searches/sec
• Directory Service\DS reads/sec
• Directory Service\DRA inbound bytes total/sec
• Directory Service\DRA outbound bytes total/sec

The plans also suggest that over-threshold events should produce an e-mail to at
least one network administrator. Just creating an entry in the event log is not
proactive enough to meet the management mandate. However, Plan 1 specifies a 5-
second sampling interval, and Plan 2 specifies a 5-minute sampling interval.

Exercise Overview
In this exercise, you will select an alert plan and implement the plan through
Scheduled Tasks and the Windows® Reliability and Performance Monitor.

Task 1: Decide which plan you would recommend, Plan 1 or Plan 2
• Decide whether you would recommend Plan 1 or Plan 2. The key criteria to
consider are as follows:
• The bank is interested in detecting Active Directory performance problems
beyond the normal time-of-day spikes.
• The solution should have a light footprint in terms of system overhead.
These criteria suggest that Plan 2 is preferable, because the higher sampling
interval makes false alarms less likely and also puts less of a burden on the
server. When developing a monitoring/alerting architecture, consider that
every CPU cycle that goes towards system overhead is one CPU cycle that is
not available for production work.

Task 2: Create a scheduled task for the e-mail alert
1. If it is not already open, open the Microsoft® Lab Launcher.
2. If it is not already started, start the NYC-DC1 virtual machine.
3. Log on to NYC-DC1 as WoodgroveBank\Administrator with a password of
Pa$$w0rd.
4. In Server Manager, navigate to Configuration and Task Scheduler. (You
could also run Task Scheduler by typing taskschd.msc in the Start menu’s
search field, but Windows Server® 2008 Server Manager is close to a one-stop
shop for administrative work.)
5. Right-click Task Scheduler and click Create Task.
6. The General tab should appear. Name your task Performance alert e-mail, and
click Run whether user is logged on or not.
7. Click the Actions tab and then click the New button.
8. In the Action drop-down list, click Send an e-mail.
9. For the e-mail, type the following information and click OK:
• From: administrator@woodgrovebank.com
• To: administrator@woodgrovebank.com
• Subject: Active Directory Performance Alert
• Text: NYC-DC1 is reporting a performance alert. Please check the server
for abnormal activity.
• SMTP Server: smtp.woodgrovebank.com
10. Click the Settings tab and make sure the Allow task to be run on demand
check box is selected.
11. To close the Create Task dialog box, click OK.
12. Enter the credentials of the administrator account (password = Pa$$w0rd) so
that the task knows what security context it should use, and then click OK.
13. In the Server Manager navigation pane, expand Task Scheduler and click the
Task Scheduler Library node. You should see your new task in the details
pane. If not, press the F5 key (refresh) and try again.

Task 3: Create an alert in Performance Monitor
1. In Server Manager, open the Diagnostics, Reliability and Performance, Data
Collector Sets, and User Defined nodes.
2. Right-click the User Defined node, click New, and then click Data Collector
Set.
3. Name the new Data Collector Set Active Directory Performance Alert, click the
Create manually (advanced) option button, and then click Next.
4. Click the Performance Counter Alert option button (not Performance
counter!) and click Next.
5. To open a new window where you can add performance counters, click the
Add button.
6. Using the Add button, add the DS Directory Reads/sec counter for the
DirectoryServices object and click OK. (We will not take the time here to add
all the performance counters that you would create in real life.)
7. Set the dialog box options so that the alert will be raised when the value of this
counter exceeds 5 reads/sec and click Next. (This value might be based on
your observations of stressed servers in your organization.)
8. Click the Open properties for this data collector set option button and then
click Finish. In a few moments, the new Data Collector Set properties page
will appear.
9. Click the Task tab.
10. Note that this is the location where you can specify a task to run when the
Data Collector Set stops. That’s not what we want, so click Cancel.
11. You should see the Data Collector Set (Active Directory Performance Alert) in
the navigation pane and the DataCollector01 alert in the details pane. Right-
click the alert data collector icon and click Properties.
12. On the Alerts tab, set the sample interval to 5 minutes. Is the alert threshold
value set correctly? It should be. This property was created when you created
the new Data Collector Set.
13. Click the Alert Action tab. Does this provide a means for starting a scheduled
task when the alert triggers? (The answer here is “no.”)
14. Click the Alert Task tab. Under Run this task when an alert is triggered, type
the name of the scheduled task that you created in Task 2 of this exercise (it
should be Performance alert e-mail), and click OK.

15. Right-click the Active Directory Performance Alert Data Collector Set and
click Start.
16. In Server Manager, click the Task Scheduler Library node and then look at
the details pane. Has the Performance alert e-mail task executed yet?
(Most likely it has not. To test its performance in the real world, you could
perform some heavy Active Directory search activity, for example with the help
of a script, and see if the task triggers. If it triggers but the e-mail is not
delivered, troubleshoot the task and double check the parameters.)
17. Right-click the Active Directory Performance Alert Data Collector Set, and
click Stop.
18. Leave the NYC-DC1 virtual machine running if your instructor indicates that
you will be doing another lab today. Otherwise, close the virtual machine by
performing a normal server shutdown, and save the changes.

Results: This exercise’s successful completion results in the selection of an alert plan
and the implementation of that plan through Scheduled Tasks and the Windows®
Reliability and Performance Monitor.

Exercise 2: Discussing Alert Response Strategies
Exercise Overview
In this exercise, you will discuss and list some of the pros and cons of different
short-term alert responses. You will also discuss ideas for long-term responses to
high traffic alerts.

Task 1: Discuss different short-term alert responses
• Discuss and list some of the pros and cons of different short-term alert
responses that server administrators can make, such as the following:
• E-mails to managers
• E-mails to affected users
• Triggered tasks (for example, scripts)
• Personal responses
• Follow-up analysis with affected users
Answers will vary.

Task 2: Discuss different long-term alert responses
• Discuss and list some ideas for how to address Active Directory performance
alerts over the long term, including (but not limited to) the following:
• Suggest changes in logon/logoff procedures
• Split out combined functionality to separate servers
• Review the number and placement of Global Catalog servers
• Maintain the Active Directory database
• Move the Active Directory database to higher-performing disk storage
• Move the Active Directory log files to higher-performing disk storage
Answers will vary.

Results: After this exercise, you should have identified a variety of alert responses
available to you and the pros and cons of each. You should have also identified the
various possible long-term responses to recurring Active Directory performance alerts
and shared your experiences with those methods.

Exercise 3: Building a Case for Configuration Change
Scenario
As a result of using performance alerts and monitoring, you and your colleagues
have identified several possible long-term improvements that can reduce the
frequency and severity of Active Directory performance problems. However, before
you can bring your case to management for spending money on additional
resources, whatever form those might take (some of these should have been
discussed in Exercise 2), you would like to document your cause, and build a case
for changing the server configuration.

Exercise Overview
In this exercise, you will explore the different tools for building a case for changing
the server configuration.

Task 1: Explore the Event Viewer operational logs
1. If it is not already started, start NYC-DC1.
2. In Server Manager, navigate to Diagnostics, Event Viewer, Applications and
Services Logs, and expand Applications and Services Logs.
3. Which of the logs in this category would be potentially relevant for an Active
Directory server? The answer should include the following:
• Directory Service
• DNS Server
• File Replication Service
4. Click the Directory Service log. In a moment, the details pane will populate
with events. Do you see any errors or warnings? (You should. There will be
errors indicating that the NYC-DC1 domain controller could not find some of
its replication partners. If you cannot easily see the details of a specific event as
displayed in the console, double-click that event.)
5. In the navigation pane, expand the logs under Microsoft, Windows. Look at
these logs. Would any of the logs in this category be helpful when you are
evaluating the performance of an Active Directory server? The answer should
include the following:
• CAPI2 (for a certificate server)
• CertificateServicesClient
• Diagnostics-Networking
• GroupPolicy
• MemoryDiagnostics-Results
• Resource-Exhaustion-Detector
• ServerManager

Task 2: Create an Event Viewer subscription
1. Under Event Viewer, click the Subscriptions node.
2. To start the Event Collector service, click the Yes button when prompted.
3. Right-click the Subscriptions node and click Create Subscription.
4. For the subscription name, type Active Directory events for NYC.
5. Leave the destination log set to Forwarded Events.
6. To choose systems from which you would like to collect events, click the
Select Computers button.
7. Click the Add Domain Computers button.
8. Type NYC-SVR1 and verify the spelling with the Check Names button.
9. To get back to the subscription properties page, click OK twice.
10. To choose which events you would like to collect, click the Select Events
button.
11. Select the Critical and Error check boxes.
12. Click the Event Logs drop-down list, navigate to Applications and Services
Logs, select the Directory Service check box, and click OK.
13. To close the properties page for the subscription, click OK. You should now
see the subscription in the details pane of Server Manager.
14. Leave the NYC-DC1 virtual machine running if your instructor indicates that
you will be doing another lab today. Otherwise, close the virtual machine by
executing a normal shutdown, saving your changes.

Task 3: List other documentation that would support your request for configuration changes and/or new resources
• List other documentation that would support your request for changing the
server configuration and/or new resources. Possibilities might include:
• Performance monitor logs
• Help Desk trouble tickets
• Maintenance logs
• Specific experiments with simulated network loads
• “Best practices” magazine articles
• TechNet articles
• White papers
Answers will vary.

Results: After this exercise, you should have identified some of the new capabilities of
the Windows Server 2008 event viewer, including operational logs and event
subscriptions, both of which may be useful in building a case for configuration
change. You should have also created a list of other documentation, both from
Windows Server 2008 tools and other sources, that could help support a campaign for
making configuration and/or resource changes in response to Active Directory
performance monitoring.

Module 4: Managing Active Directory Domain Services
Lab: Managing AD DS
Logon Information:
• Virtual Machine: NYC-DC1
• User Name: Administrator
• Password: Pa$$w0rd

Estimated time: 90 minutes

Exercise 1: Offline Defragging of the Active Directory Database
Scenario
New management has taken over at Woodgrove Bank and the new directors are
eager to make changes in the organization. Four specific goals have been set for the
Active Directory team:
• Improve the Active Directory server uptime
• Reduce logon times
• Reduce replication delays between sites
• Improve the coordination of Group Policy management

Exercise Overview
In this exercise, you will perform an offline defragmentation of the NTDS database.
In conjunction with the new directive to improve Active Directory server uptime,
you need to minimize server downtime during this regularly-scheduled
maintenance activity. Windows Server® 2008 enables you to reduce downtime by
stopping and starting Active Directory Domain Services (AD DS) without bringing
down the entire server. Therefore, other services provided by any given domain
controller (such as DNS) do not have to be interrupted while the Active Directory
database is being maintained.

Task 1: Stop AD DS via Server Manager
1. Start NYC-DC1, if it is not already running.
2. Log on to NYC-DC1 as WoodgroveBank\Administrator with the password of
Pa$$w0rd.
3. If Server Manager does not start automatically in a few moments, run it from
the Start menu.
4. In the Server Manager navigation pane, expand Roles and click Active
Directory Domain Services. The details pane should populate with
information relevant to this role.
5. In the details pane, under System Services, click Active Directory Domain
Services, and then click the Stop button to the right.
6. Click the Stop Dependent Services button that appears, which informs you of
the dependent services the console will also stop.

Task 2: Perform a defragmentation without rebooting
1. With Server Manager open, click Start and then click Command Prompt.
2. Type ntdsutil and press Enter.
3. Type activate instance ntds and press Enter. This tells the program that you
wish to work with the NTDS database, not some other database (such as one
you may be using with Active Directory Lightweight Directory Services (AD
LDS)).
4. Type files and press Enter.
5. Type info and press Enter. Note the size of the database NTDS.DIT.
6. To begin the compaction procedure, type compact to c:\windows. As a best
practice, you would probably create a special folder for this purpose, but for
now, we know that the Windows® directory exists.
7. After a few moments, read the advice that the NTDSUTIL program provides.
To quit NTDSUTIL, type quit twice.
8. At the command prompt, type copy c:\windows\ntds.dit c:\windows\ntds and press Enter.
9. To overwrite the existing version of the database, type Y and then press Enter.
10. Exit the command prompt.

Task 3: Restart AD DS via Server Manager
1. Go back to the Server Manager window.
2. In the details pane, under System Services, click Active Directory Domain
Services, and then click the Start button on the right.
3. Wait a moment until the service (and its dependent services) show as running.
You have restarted AD DS.
4. Leave NYC-DC1 running for future labs.
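The three tasks above, replayed as one script. This is an added example, not part of the course lab: it adds the checks a production defragmentation needs (free-space test before AD DS is stopped, a backup of the original database, an ntdsutil integrity check before the directory comes back online, rollback if that check fails, and restart of the dependent services that Stop Dependent Services took down). The folder names C:\Windows\NTDS and C:\Defrag are assumed placeholders.

```powershell
# Added example (not from the course): scripted offline defragmentation of the
# AD DS database on a Windows Server 2008 domain controller, mirroring Tasks 1-3.
# Assumed (placeholder) paths: live database folder C:\Windows\NTDS, work folder
# C:\Defrag. Run from an elevated PowerShell prompt on the domain controller.

$ntdsDir    = 'C:\Windows\NTDS'
$workDir    = 'C:\Defrag'
$liveDit    = Join-Path $ntdsDir 'ntds.dit'
$compactDit = Join-Path $workDir 'ntds.dit'
$backupDit  = Join-Path $workDir ('ntds.dit.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak')

if (-not (Test-Path $workDir)) { New-Item -ItemType Directory -Path $workDir | Out-Null }

# Compaction writes a complete second copy of the database, so check free space
# on the work volume before taking the directory offline (the 20% slack is a
# rule of thumb chosen for this example).
$dbBytes   = (Get-Item $liveDit).Length
$driveId   = (Get-Item $workDir).PSDrive.Name + ':'
$freeBytes = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$driveId'").FreeSpace
if ($freeBytes -lt $dbBytes * 1.2) {
    throw "Only $freeBytes bytes free on $driveId for a $dbBytes byte database. Aborting."
}

# Remember which dependent services are running: Stop-Service -Force stops them
# (what the Stop Dependent Services button did in Task 1), but starting NTDS
# again does not bring them back.
$dependents = @((Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' })

Stop-Service -Name NTDS -Force
(Get-Service -Name NTDS).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

try {
    # ntdsutil accepts its interactive commands as arguments, so the Task 2
    # session replays non-interactively.
    & ntdsutil.exe 'activate instance ntds' 'files' "compact to $workDir" 'quit' 'quit'
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $compactDit)) {
        throw "ntdsutil compaction failed (exit code $LASTEXITCODE); live database untouched."
    }

    # Keep the original so a failed integrity check can be rolled back.
    Copy-Item -Path $liveDit -Destination $backupDit
    Copy-Item -Path $compactDit -Destination $liveDit -Force

    # Verify the compacted database before the directory comes back online.
    & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'
    if ($LASTEXITCODE -ne 0) {
        Copy-Item -Path $backupDit -Destination $liveDit -Force
        throw 'Integrity check failed; original ntds.dit restored from backup.'
    }

    # The transaction logs belong to the pre-compaction database and must not be
    # replayed against the new file (this is the advice ntdsutil prints in step 7).
    Remove-Item -Path (Join-Path $ntdsDir '*.log') -ErrorAction SilentlyContinue
    Write-Host "Compaction complete. Old size: $dbBytes bytes, new size: $((Get-Item $liveDit).Length) bytes."
}
finally {
    Start-Service -Name NTDS
    foreach ($svc in $dependents) { Start-Service -Name $svc.Name -ErrorAction SilentlyContinue }
}
```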

Results: The successful completion of the exercise results in a properly defragmented
Active Directory database with minimal server downtime.

Exercise 2: Evaluating an RODC with Read-Only DNS Solution
Scenario
The scenario is the same as in Exercise 1, but more details have been provided
about a new branch opening in Miami, Florida. The branch will connect to the
NYC domain over a WAN link that is planned to operate at sub-T1 speeds. The
new branch office will have 140 employees, all of whom will be domain members
in Active Directory. Many of the employees will be in service positions where quick
logon and logoff performance will be desired to minimize customer wait time.

Exercise Overview
In this exercise, you will discuss some of the questions that might meet the second
goal laid out in the IT goals document. The goal is to reduce logon times,
specifically for employees in the new Miami branch.

Task: Discuss the following questions
• Generally speaking, where should you consider installing a Read-Only Domain
Controller (RODC)? (The answer should include situations with limited
physical security and where experienced domain administrators are not on-
site.)
• Do all RODCs need to be running DNS? (The answer is no. If there is only one
RODC at a given site, it will often be advantageous to have that machine
running DNS, due to the frequency of DNS lookups performed by a domain
controller.)
• Should more than one RODC be running DNS in a given location? (This is
open to debate, but there may be benefits in terms of DNS consistency if only
one RODC per site is actually running DNS.)
• Should Woodgrove Bank consider a caching-only DNS server before an
RODC? (Generally, yes. A caching-only DNS server is easy to set up and does
not need to be a powerful machine. It is also easier to administer and maintain
than an RODC.)

Results: The successful completion of this exercise results in you having explained the
pros and cons of using RODCs to reduce logon times.

Exercise 3: Making Site Replication Decisions
Scenario
The scenario is the same as in Exercise 1, but you need to reduce replication
delays, specifically between the NYC and the Miami sites.

Task 1: Create a site for the Miami location
1. In the Server Manager navigation pane, expand Roles, expand Active
Directory Domain Services, Active Directory Sites and Services, and Sites. If
you receive one or more error messages, and you performed Exercise 1 of this
lab, close and re-open Server Manager, and then try again.
2. Expand Default-First-Site-Name and Servers. Click the Servers node and
view the results in the details pane.
3. You are going to create a new site and move the MIA-RODC server into that
new site. Right-click the Sites container and click New Site.
4. Name the site FloridaSite. Click DEFAULTIPSITELINK to highlight it and
then click OK.
5. Click OK at the informational message.

Task 2: Move the MIA-RODC server to the Miami site
1. From the Servers folder, under Default-First-Site-Name, drag the MIA-RODC
server object and drop it into the Servers folder under FloridaSite.
2. Read the warning and click Yes. The MIA-RODC server should now appear
under the FloridaSite container.

Note: You will not take the time here to create the subnet definitions for FloridaSite
and for Default-First-Site-Name, but be aware that these steps would be necessary
in an actual network.

Task 3: Modify the replication schedule to the Miami site to reduce latency
1. Under the Sites node, expand Inter-Site Transports and click the IP
container.
2. In the details pane, right-click DEFAULTIPSITELINK and click Properties.
3. In the Replicate every field, change the value from 180 minutes to 60 minutes
and click the Apply button. This is the frequency with which the sites joined
by this site link will replicate. Decreasing the interval complies with one of the
management directives in the scenario and will bring the two sites up-to-date
more rapidly (at the cost of some increase in replication traffic across the WAN
link).
4. Click the Change Schedule button.
5. Modify the replication schedule to exclude the time period from noon to
4:00pm for all days.
6. To close the open dialog boxes, click OK twice.
7. Leave NYC-DC1 running for future labs.

Results: After this exercise, the replication schedule between the default site and the
Florida site has been modified to reduce latencies in the propagation of Active
Directory information between the sites.

Module 5: Maintaining Security for Active Directory Servers
Lab: Maintaining Security for
Active Directory Servers
Logon Information:
• Virtual Machine: NYC-DC1
• User Name: Administrator
• Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Manually Implementing AD DS Server Hardening
Scenario
Woodgrove Bank wants to improve Active Directory security for all its domain
controllers. However, the bank does not want to start “from scratch” but wants to
use best practice tools from Microsoft®, if possible. The corporate accounts division
(Organizational Unit = CorpAccts) has stricter requirements than the loan division
(Organizational Unit = Loans).

Task 1: Install the GPOAccelerator tool
1. Open NYC-DC1, if it is not already started, and log on as Administrator with
the password of Pa$$w0rd.
2. Click Start, right-click the Computer item, and click Explore.
3. Navigate to the E:\Labfiles folder and run the GPO Accelerator.msi file.
4. When prompted, click Run.
5. At the Welcome screen, click Next.
6. Click I accept the terms in the License Agreement and then click Next.
7. In the Features to Install dialog box, click Next.
8. In the Ready to install dialog box, click Install.
9. When you see the completion dialog box, click Finish.
10. Close the Windows® Explorer window.

Task 2: Create new GPOs with the GPOAccelerator
1. To open the GPO Accelerator folder, click Start, All Programs, and GPO
Accelerator.
2. Right-click GPO Accelerator Command-line and click Run as Administrator.
3. At the command prompt, type cscript gpoaccelerator.wsf /wssg /enterprise /lab
and press Enter. This creates the following Group Policy Objects:
a. WSSG EC Domain Policy (WSSG stands for Windows Server® Security
Guide, which incorporates the GPOAccelerator tool; EC stands for
Enterprise Client, intended to be a fairly typical corporate environment
where security needs and functionality must be balanced.)
b. WSSG EC Domain Controller Baseline Policy
c. WSSG EC Member Server Baseline Policy
d. <server role> Policy (there are several of these)
4. Read the warning about the fact that you are about to modify your Active
Directory environment and click Yes to continue.
5. After a couple of minutes, click OK at the message that the Enterprise lab
environment has been created.

6. Click OK when the message urging you to link the Enterprise Domain Policy
to your domain appears.
7. Close the Command Prompt window.

Task 3: Examine the settings with the Group Policy Management console
1. Click Start, Administrative Tools, and Group Policy Management.
2. In the Group Policy Management console, expand the topmost node for the
forest, expand the Domains node, expand WoodgroveBank.com, and then
expand the Group Policy Objects node.
3. Click the WSSG EC Domain Policy GPO.
4. To display the settings contained in this GPO, in the GPMC details pane, click
the Settings tab.
5. If you see an Internet Explorer security warning, click Close.
6. Spend a few minutes navigating the settings that Microsoft feels are
appropriate for securing an Active Directory domain.
7. Repeat Steps 3 - 6 for at least the following GPOs:
a. WSSG EC AD Certificate Services Servers Policy
b. WSSG EC DNS Servers Policy
c. WSSG EC Domain Controller Baseline Policy
8. To see the new organizational units that you built with the GPOAccelerator
script, expand the WSSG EC Member Servers OU GPMC node, and note the
various sub-organizational units that exist under that node.
9. Close the Group Policy Management console.

Results: After this exercise, you should have installed the GPOAccelerator tool,
created new GPOs with the GPOAccelerator, and examined the settings with the
Group Policy Management console.

Exercise 2: Assessing Ongoing Security Requirements
Scenario
The scenario is the same as in Exercise 1.

Exercise Overview
In this exercise, you will install the Microsoft Baseline Security Analyzer (MBSA)
and perform a sample run.

Task 1: Install the MBSA 2.1 Beta 2
1. In Windows Explorer, open the E:\Labfiles folder and double-click the
mbsasetup.msi file.
2. Click Run to proceed.
3. At the Welcome screen, click Next.
4. Click I accept the license agreement and click Next.
5. In the Destination Folder dialog box, leave the default settings and click Next.
6. In the Start Installation dialog box, click Install. It will take a few moments
for the program to install.
7. At the success message, click OK.
8. Close Windows Explorer.

Task 2: Perform an MBSA analysis of NYC-DC1
1. Click Start, All Programs, and Microsoft Baseline Security Analyzer 2.1.
2. Click the Scan a computer icon.
3. Because the virtual machines do not have Internet connectivity, you will not
perform the security-patch portion of the scan, which requires MBSA to
download a catalog file from the Internet. Select only the top three check
boxes:
a. Check for Windows administrative vulnerabilities
b. Check for weak passwords
c. Check for IIS administrative vulnerabilities
4. Click the Start Scan button.
5. Review the resultant report. Are there any vulnerabilities on NYC-DC1?
6. Close the MBSA window.

Results: After this exercise, you should have installed the MBSA 2.1 Beta 2 and
performed an MBSA analysis of NYC-DC1.

Exercise 3: Deploying Fine-Grained Password Policies
Scenario
The scenario is the same as in Exercise 1.

Exercise Overview
In this exercise, you will discuss how to deploy fine-grained password policies.

Task: Discuss deploying fine-grained password policies
• Discuss how to deploy fine-grained password policies. There is no correct or
incorrect answer, but during the discussion make sure you talk about the
following points:
• How many of you envision a use for fine-grained password policies, that is,
for making password and account lockout policies apply at the
organizational unit level rather than the domain level?
• What do you see as the pros and cons of following Microsoft’s suggested
practice and creating “shadow groups” to mirror the membership of
organizational units? (For example, one “con” would be that it requires
extra administration to periodically synchronize the shadow group
membership with organizational membership, although that operation
could be scripted.)
• What do you perceive as some of the benefits of having fewer domains,
now that it is not necessary to create a domain boundary only because a
constituency in your organization needs different password policies? (One
example might be that you could have fewer cross-domain references to
slow down Active Directory operations.)
• How many people in your organization are conversant with the ADSI Edit
and LDIFDE tools?
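The shadow-group synchronization mentioned in the discussion, as an added example that is not part of the course. Fine-grained password policies are linked (msDS-PSOAppliesTo) to users and global security groups, not to OUs, so the script keeps a group's membership equal to the enabled user accounts of an OU using ADSI, which Windows Server 2008 has without any extra module. The OU and group names are assumed placeholders.

```powershell
# Added example (not from the course): synchronize a "shadow group" with the
# enabled user accounts directly in an OU so that the PSO linked to the group
# follows OU membership. Run periodically (for example from a scheduled task).
# Assumed (placeholder) names: OU=CorpAccts,DC=WoodgroveBank,DC=com and
# CN=CorpAccts-Shadow,OU=CorpAccts,DC=WoodgroveBank,DC=com.
param(
    [string]$OuDn    = 'OU=CorpAccts,DC=WoodgroveBank,DC=com',
    [string]$GroupDn = 'CN=CorpAccts-Shadow,OU=CorpAccts,DC=WoodgroveBank,DC=com',
    [switch]$ReportOnly   # list the changes without writing them
)

function Get-OuUserDns([string]$dn) {
    # objectCategory=person excludes computer objects (which also carry
    # objectClass=user); the bitwise matching rule 1.2.840.113556.1.4.803 against
    # userAccountControl bit 2 (ACCOUNTDISABLE) drops disabled accounts so they
    # leave the shadow group instead of keeping the stricter PSO.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$dn"
    $searcher.SearchScope = 'OneLevel'   # 'Subtree' if child OUs should be included
    $searcher.Filter      = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize    = 500          # paged search, so OUs above 1000 users still work
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) { [string]$r.Properties['distinguishedname'][0] }
    } finally { $results.Dispose() }
}

function Sync-ShadowGroup([string]$ouDn, [string]$groupDn, [bool]$reportOnly) {
    $group = [ADSI]"LDAP://$groupDn"

    # Index both sides by lower-cased DN; DN comparison is case-insensitive.
    $wanted = @{}
    foreach ($u in (Get-OuUserDns $ouDn)) { $wanted[$u.ToLower()] = $u }
    $current = @{}
    # Note: above the 1500-value range limit ADSI returns 'member' in ranges; a
    # plain read is adequate for an OU-sized shadow group.
    foreach ($m in @($group.member)) { if ($m) { $s = [string]$m; $current[$s.ToLower()] = $s } }

    $toAdd    = @($wanted.Keys  | Where-Object { -not $current.ContainsKey($_) } | ForEach-Object { $wanted[$_] })
    $toRemove = @($current.Keys | Where-Object { -not $wanted.ContainsKey($_) }  | ForEach-Object { $current[$_] })

    foreach ($dn in $toAdd) {
        Write-Host "ADD    $dn"
        if (-not $reportOnly) { $group.Add("LDAP://$dn") }      # IADsGroup::Add takes an ADsPath
    }
    foreach ($dn in $toRemove) {
        # Accounts moved out of the OU (or disabled) lose the PSO; members someone
        # added by hand that are not users of this OU are removed as well.
        Write-Host "REMOVE $dn"
        if (-not $reportOnly) { $group.Remove("LDAP://$dn") }
    }
    Write-Host ("Added {0}, removed {1}, target membership {2}" -f $toAdd.Count, $toRemove.Count, $wanted.Count)
}

Sync-ShadowGroup -ouDn $OuDn -groupDn $GroupDn -reportOnly ([bool]$ReportOnly)
```

Run it with -ReportOnly first to see the adds and removes it would make; the output is also a useful record for the review step discussed in Module 2.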

Results: After this exercise, you should have discussed how to deploy fine-grained
password policies and some of the implications such restructuring could have for your
overall Active Directory design.

Module 6: Managing Active Directory® Service Roles
Lab: Managing Active Directory®
Service Roles
Logon Information:
• Virtual Machine: NYC-DC1
• User Name: Administrator
• Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Installing the AD LDS Role
Scenario
Woodgrove Bank is deploying a new customer relations database package that
leverages the Active Directory replication engine. The new software requires Active
Directory Lightweight Directory Services (AD LDS). Some of the management
functions for the new application will be handled by utilities provided by the
vendor. However, IT personnel will be responsible for occasional use of Active
Directory utilities to help manage the AD LDS instance.

Task 1: Install the AD LDS role on NYC-DC1
1. Start NYC-DC1, if it is not already started.
2. Start Server Manager, if it is not already running.
3. In the navigation pane, right-click the Roles node and click Add Roles.
4. In the Before You Begin dialog box, read the text and click Next.
5. Select the Active Directory Lightweight Directory Services check box and
click Next.
6. At the introduction screen, read the content, and then click Next.
7. At the confirmation screen, click Install.
8. At the Installation Results screen, click Close. You should now see the new
role in the Roles list in the Server Manager navigation pane.

Task 2: Configure AD LDS for a new instance

1. In the Server Manager navigation pane, under Roles, click the Active
Directory Lightweight Directory Services node. In a moment, the details
pane should populate with information.
2. In the details pane, under Advanced Tools, click AD LDS Setup Wizard.
3. On the Welcome page, click Next.
4. On the Setup Options page, click A unique instance and click Next.
5. Name the new instance CustApp1 and click Next.
6. Accept the default port values of 50000 and 50001 and click Next.
7. On the Application Directory Partition page, click Yes, create an application
directory partition.
8. Name the partition as CN=Custapp1,DC=woodgrovebank,DC=com and click
Next.
9. On the File Locations page, accept the defaults and click Next.
10. On the Service Account Selection page, leave Network service account
selected and click Next.
11. On the AD LDS Administrators page, click This account and click the
Browse button.

12. Click Advanced and click Find now.


13. Click the ITAdmins_WoodgroveGG group and click OK.
14. Back on the Select User or Group page, click OK.
15. Back on the AD LDS Administrators page, click Next.
16. On the Importing LDIF Files page, select the MS-ADLDS-
DisplaySpecifiers.LDF and MS-User.LDF check boxes and click Next.
17. On the Ready to Install page, click Next.
18. When prompted for credentials, type woodgrovebank\thomas and
Pa$$w0rd, and click OK. (Thomas Andersen is a member of
ITAdmins_WoodgroveGG, the group you specified earlier to have
administration rights to the instance. You can verify this if you like, with
Active Directory Users and Computers.)
19. On the completion page, click Finish.
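The same installation can be scripted. The following is an added example, not part of the course lab, that performs Task 1 and Task 2 unattended: it installs the role with ServerManagerCmd.exe (the Windows Server 2008 command-line counterpart of the Add Roles wizard; on Windows Server 2008 R2 the ServerManager PowerShell module replaces it), then creates the CustApp1 instance from an adaminstall.exe answer file using the same instance name, ports, partition, administrators group and LDIF files as the wizard steps above. Assumptions: it runs in an elevated PowerShell session on NYC-DC1 as an account that is already a member of ITAdmins_WoodgroveGG (the lab uses Thomas), which is what avoids the interactive credential prompt of step 18; omitting ServiceAccount from the answer file keeps the wizard default of Network Service; the data path is the wizard's default; the log location is the one adaminstall writes on this platform.

```powershell
# Added example (not the course's code): unattended equivalent of Exercise 1, Tasks 1-2.
# Assumptions: elevated session on NYC-DC1, run as a member of ITAdmins_WoodgroveGG;
# ServerManagerCmd.exe and %windir%\ADAM\adaminstall.exe present (Windows Server 2008).

# --- Task 1: install the AD LDS role ---
& "$env:windir\system32\ServerManagerCmd.exe" -install ADLDS
if ($LASTEXITCODE -ne 0) { throw "AD LDS role installation failed (exit code $LASTEXITCODE)" }

# --- Task 2: create the CustApp1 instance from an answer file ---
# INI-style answer file with the documented adaminstall keys. No ServiceAccount key means
# Network Service (assumption: the wizard default applies). The Administrators role goes to
# a group, never to an individual account, so later membership changes need no re-setup.
$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=CustApp1
LocalLDAPPortToListenOn=50000
LocalSSLPortToListenOn=50001
NewApplicationPartitionToCreate=CN=Custapp1,DC=woodgrovebank,DC=com
DataFilesPath=C:\Program Files\Microsoft ADAM\CustApp1\data
LogFilesPath=C:\Program Files\Microsoft ADAM\CustApp1\data
AddPermissionsToServiceAccount=Yes
Administrator=woodgrovebank\ITAdmins_WoodgroveGG
ImportLDIFFiles="MS-ADLDS-DisplaySpecifiers.LDF" "MS-User.LDF"
"@
$answerFile = Join-Path $env:TEMP 'custapp1-answer.txt'   # hypothetical temp path
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

& "$env:windir\ADAM\adaminstall.exe" /answer:$answerFile
# Assumption: adaminstall logs to %windir%\Debug\adamsetup.log on this platform.
if ($LASTEXITCODE -ne 0) {
    throw "adaminstall failed (exit code $LASTEXITCODE); see $env:windir\Debug\adamsetup.log"
}
Remove-Item $answerFile

# --- Checks a practitioner runs afterwards ---
# 1. Each instance is its own service, ADAM_<InstanceName>; confirm it runs as Network Service
#    (StartName) rather than a privileged domain account.
Get-WmiObject Win32_Service -Filter "Name='ADAM_CustApp1'" |
    Select-Object Name, State, StartMode, StartName

# 2. The LDAP port is listening. Port 50001 only serves LDAPS once a certificate is in place;
#    until then every client reaches the instance over 50000, so bind with Negotiate, not a
#    simple bind, or the password crosses the wire in clear text.
netstat -ano | Select-String ':50000\s'

# 3. The application partition is served: RootDSE is readable without credentials.
$rootDse = New-Object System.DirectoryServices.DirectoryEntry(
    'LDAP://NYC-DC1.woodgrovebank.com:50000/RootDSE')
'Naming contexts served by CustApp1:'
$rootDse.Properties['namingContexts'] | ForEach-Object { "  $_" }
```

The third check is the quickest way to tell a half-finished setup from a working one: CN=Custapp1,DC=woodgrovebank,DC=com should appear next to the instance's Configuration and Schema partitions.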

Results: This exercise's successful completion results in the installation of the AD LDS
role and the configuration of one instance, CustApp1, serving the Custapp1 application
directory partition.

Exercise 2: Identifying Ongoing Management Concerns


Scenario
The scenario is the same as in Exercise 1.

Exercise Overview
In this exercise, you will discuss the ongoing management issues for the new
customer relations database application.

Task: Discuss ongoing management concerns

• Generate a list of issues to go over with the application vendor to determine
which management and administration tasks will be managed by vendor
software, and which tasks will be managed by tools bundled with Windows
Server 2008. There is no absolute correct answer, but the following issues
would normally be part of lifecycle management for an AD LDS application:
• Security/authorization
• Backup/restore and disaster recovery methods, including performing a
test restore periodically
• Partition management
• Replication management
• Schema management
• Performance monitoring
• Organizational unit management
The customer organization would normally review each of the above areas
with the AD LDS application vendor to determine whether vendor software,
Windows Server 2008 Active Directory tools, or some combination, should be
used to manage each area.
Besides the above, answers will vary.
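Two of the areas in that list, security/authorization and backup/restore, are ones the Windows Server 2008 tools can handle directly. The following added example, not part of the course, audits who actually holds administrative rights on the CustApp1 instance and then takes an install-from-media (IFM) backup of it with dsdbutil, the AD LDS counterpart of ntdsutil. Assumptions: the instance from Exercise 1 is running on NYC-DC1 port 50000, Thomas is used for the directory bind because the lab grants him the instance's Administrators role, C:\ADLDS-Backup is a hypothetical backup root, and the SID-to-name translation relies on the domain being reachable.

```powershell
# Added example (not the course's code): authorization audit and IFM backup of CustApp1.
# Assumptions: instance on NYC-DC1:50000; Thomas holds the Administrators role; C:\ADLDS-Backup
# is a hypothetical path.
$server = 'NYC-DC1.woodgrovebank.com:50000'
$cred   = Get-Credential 'woodgrovebank\thomas'
# Secure = Negotiate bind, Sealing = encrypted session. A simple bind on the non-SSL port would
# send the password in clear text.
$auth = [System.DirectoryServices.AuthenticationTypes]'Secure,Sealing'
function Get-AdldsEntry([string]$dn) {
    New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$server/$dn", $cred.UserName, $cred.GetNetworkCredential().Password, $auth)
}

# --- Security/authorization: the "AD LDS Administrators" page of setup populates the
# Administrators role object in the instance's configuration partition, so that object, not
# any AD DS group, is what to review. Windows principals appear there as foreignSecurityPrincipal
# objects named by SID, so translate each SID back to an account name.
$configNc = (Get-AdldsEntry 'RootDSE').Properties['configurationNamingContext'][0]
$admins   = Get-AdldsEntry "CN=Administrators,CN=Roles,$configNc"
"Members of the Administrators role in $configNc :"
foreach ($memberDn in $admins.Properties['member']) {
    $rdn = ($memberDn -split ',')[0] -replace '^CN=', ''
    $name = $rdn
    if ($rdn -like 'S-1-*') {
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($rdn)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $name = "$rdn (unresolvable SID)" }   # orphaned SID: remove it
    }
    "  $name   <- $memberDn"
}
# Expected: WOODGROVEBANK\ITAdmins_WoodgroveGG and nothing else. Individual user entries or
# unresolvable SIDs are findings to raise with the application owner.

# --- Backup/restore: an IFM set taken with dsdbutil, which accepts its commands as arguments
# in the same way ntdsutil does. The set contains the instance database (adamntds.dit), so
# the backup folder needs the same access control as the live database.
$target = 'C:\ADLDS-Backup\CustApp1-' + (Get-Date -Format 'yyyyMMdd-HHmm')
& dsdbutil "activate instance CustApp1" "ifm" "create full $target" quit quit
if ($LASTEXITCODE -ne 0) { throw "dsdbutil IFM backup failed (exit code $LASTEXITCODE)" }
Get-ChildItem -Path $target -Recurse | Select-Object FullName, Length
```

The periodic test restore the list asks for is the part a script cannot replace: stand up a second instance from the IFM set on a test machine and confirm the application can read it, otherwise the backup is unverified.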

Results: After this exercise, you will have identified a number of management
concerns for an AD LDS application.

Exercise 3: Using Windows Server 2008 Tools for Managing AD LDS

Scenario
The scenario is the same as in Exercise 1. You need to become familiar with how to
use Active Directory tools in the context of AD LDS, rather than in the context of
managing Active Directory Domain Services (AD DS).

Task 1: Use ADSI Edit to view an AD LDS instance

ADSI Edit is a tool that you can use to view and modify objects in the AD LDS
database.
1. In the Server Manager details pane, click the Active Directory Lightweight
Directory Services node.
2. Scroll down to the Advanced Tools area and click the ADSI Edit link.
3. In the ADSI Edit console, in the navigation pane, right-click the topmost node,
and then click Connect to.
4. Under Connection point, click the Select or type a Distinguished Name or
Naming Context option button.
5. Just below the option button, type
CN=Custapp1,DC=woodgrovebank,DC=com.
6. Click the Advanced button, in the Advanced window, select the Specify
Credentials check box and type Thomas and Pa$$w0rd. (Remember,
Thomas is a member of the group that is allowed to manage the instance.)
7. In the Advanced window type the port number for this instance of AD LDS,
namely 50000, and then click OK.
8. In the Connection Settings window, click OK. You should now be placed back
in the ADSI Edit console, with the naming context for the AD LDS instance
loaded.
9. In the ADSI Edit console, in the navigation pane, expand the nodes. You
should see three containers beneath the node:
CN=Custapp1,DC=woodgrovebank,DC=com. You would see more containers
after initializing the application that needs to use the LDS instance.
10. In the navigation pane, click the CN=Roles node.
11. In the details pane, right-click the CN=Users node and click Properties.
12. Explore the properties for this node. Select different attributes by clicking
them. Note that in some cases (such as the attribute distinguishedName) you
have a View button available, and in other cases (such as the attribute
description) the button becomes an Edit button. This tells you that you can use
ADSI Edit to modify data in the LDS directory.
13. Close the CN=Users Properties window and then close ADSI Edit.

Task 2: Use LDP to view an AD LDS instance

LDP is an executable, not an MMC snap-in like ADSI Edit, and it is usable with any
LDAP directory service. It also provides access to some LDAP operations that ADSI
Edit does not.
1. In the Server Manager details pane, with the Active Directory Lightweight
Directory Services node highlighted, scroll down to the Advanced Tools area
and click the LDP.exe link. The LDP console should open.
2. On the Connection menu, click Connect.
3. In the Server field, type NYC-DC1.woodgrovebank.com.
4. In the Port field, type 50000.
5. Click OK. The details pane of the LDP tool should populate with information.
6. Scroll to the top of the details pane and view the ldap_open command.
7. On the Connection menu, click Bind and the Bind with credentials option
button.
8. Type the credentials for Thomas Andersen as follows and click OK:
a. User name: Thomas
b. Password: Pa$$w0rd
c. Domain: woodgrovebank.com
9. View the results of the bind operation at the bottom of the details pane. You
have just authenticated to the AD LDS instance through LDP.
10. On the View menu, click Tree.
11. In the BaseDN field, type CN=custapp1,DC=woodgrovebank,DC=com and
click OK.
12. In the navigation pane, you should see the same structure appear that you saw
in the ADSI Edit tool in Task 1. To get a feel for the kind of information that
you can view in LDP, in the navigation pane, under the base DN, double-click
the three CN entries and view the properties in the details pane.
13. Close the LDP window.

Task 3: Use the Schema Console to view the schema for an AD LDS
instance
In order to use the schema console, either with AD DS or with AD LDS, the DLL
must first be registered, just as with Microsoft® Windows Server 2003.
1. Click Start and open a command prompt.
2. Type regsvr32 schmmgmt.dll and press Enter.
3. Close the success message that appears.
4. Close the Command Prompt window.
5. In order to manage the AD LDS schema, you need to be logged on as Thomas
Andersen. So click Start, click the arrow at the lower right, and click Switch
User. (Note that in the domain environment, Windows Server 2008 permits
you to use Fast User Switching, something that Windows Server 2003 did not
permit.)
6. Click the Other User icon, then log on as user Thomas and password
Pa$$w0rd. (The domain should default to WoodgroveBank.) Because Thomas
Andersen has not logged on to this computer before, it will take a few
moments to build the new user profile. Thomas needs schema-modification
rights on the AD LDS instance for the rest of these steps. In AD LDS those
rights come from the instance's own Administrators role in its configuration
partition, not from the AD DS Schema Admins group; he holds them through the
ITAdmins_WoodgroveGG group you assigned in Exercise 1, so no further setup is
needed.
7. Close the Server Manager window.
8. Click Start, in the search field, type MMC, and press Enter.
9. When prompted by User Account Control, click Continue.
10. In the generic MMC console, click File and then Add/Remove Snap-In….
11. In the left column, highlight Active Directory Schema, click the Add button,
and click OK.
12. In the new console, in the navigation pane, right-click the Active Directory
Schema node and click Change Active Directory Domain Controller.
13. In the Change Directory Server dialog box, under the Name column, click
<Type a Directory Server name [:port] here>, and type
NYC-DC1.woodgrovebank.com:50000.

14. Press Enter, wait for the status column to show Online, and then click OK.
15. In the confirmation dialog box, which is asking you if you want to change the
database you are managing, click Yes. The server and port number should
reflect in the navigation pane of the schema console. You should see new
nodes for classes and attributes.

Note: If you do not see these nodes, close the Schema console and reopen it by
repeating Steps 8 through 11, and if necessary, Steps 12 through 14.

16. Expand the Classes node and scroll down until you see the User entry. (This
is the object class that was added when you created the instance in Exercise 1
and specified the LDIF script MS-User.LDF.)
17. Right-click the User entry, click Properties and click the Attributes tab. These
are the attributes for the user object in this instance of AD LDS. They are now
completely separate from the attributes for the user object in AD DS.
18. Close all open dialog boxes and consoles. When prompted to save console
settings for Console, click No.
19. Close the virtual machine by performing a normal shutdown.

Results: After this exercise, you will have seen three tools that you can use to manage
an AD LDS instance, and have some understanding of when to use each.
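Everything the three consoles showed in this exercise is reachable through the same LDAP interface, which is how the vendor's utilities and your own scripts will manage the instance day to day. The following added example, not part of the course, repeats Tasks 1 through 3 from PowerShell with System.DirectoryServices: it reads RootDSE (what LDP showed after ldap_open), lists the containers under the application partition (the ADSI Edit tree), reads and then edits the description of CN=Users under CN=Roles (the View/Edit buttons of step 12), and reads the User class from the instance's own schema partition (the Schema console). Assumptions: the CustApp1 instance from Exercise 1 is running on NYC-DC1 port 50000, Thomas holds the instance's Administrators role, and the description value written is arbitrary.

```powershell
# Added example (not the course's code): Exercise 3, Tasks 1-3, from PowerShell.
# Assumptions: CustApp1 on NYC-DC1:50000; Thomas is in the instance's Administrators role.
$server = 'NYC-DC1.woodgrovebank.com:50000'
$appNc  = 'CN=Custapp1,DC=woodgrovebank,DC=com'
$cred   = Get-Credential 'woodgrovebank\thomas'
# Secure = Negotiate (Kerberos/NTLM) bind, Sealing = encrypted session. This is what LDP's
# "Bind with credentials" and ADSI Edit's "Specify Credentials" do; a simple bind on port
# 50000 would put the password on the wire in clear text.
$auth = [System.DirectoryServices.AuthenticationTypes]'Secure,Sealing'
function Get-AdldsEntry([string]$dn) {
    New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$server/$dn", $cred.UserName, $cred.GetNetworkCredential().Password, $auth)
}

# Task 2 (LDP): RootDSE tells you which partitions the instance serves and which
# authentication mechanisms it offers. Reading it needs no credentials.
$rootDse = Get-AdldsEntry 'RootDSE'
'Naming contexts:';            $rootDse.Properties['namingContexts']           | ForEach-Object { "  $_" }
'Supported SASL mechanisms:';  $rootDse.Properties['supportedSASLMechanisms']  | ForEach-Object { "  $_" }

# Task 1 (ADSI Edit): the containers directly under the application partition. On a fresh
# instance that is LostAndFound, NTDS Quotas and Roles; the application adds its own later.
$app = Get-AdldsEntry $appNc
"Children of $appNc :"
$app.Children | ForEach-Object { "  $($_.Name)   [$($_.SchemaClassName)]" }

# Step 12: attributes with an Edit button are writable; description is one of them.
# CommitChanges() is the point where the write reaches the directory, and it succeeds only
# because Thomas holds the Administrators role; a Readers-role account gets an access error.
$usersDn = "CN=Users,CN=Roles,$appNc"
$users   = Get-AdldsEntry $usersDn
'distinguishedName (read-only): ' + $users.Properties['distinguishedName'].Value
'description before: ' + $users.Properties['description'].Value
$users.Properties['description'].Value = 'CustApp1 application users (edited from PowerShell)'
$users.CommitChanges()
'description after:  ' + (Get-AdldsEntry $usersDn).Properties['description'].Value

# Task 3 (Schema console): the User class lives in this instance's own schema partition,
# separate from the AD DS schema, and was added by MS-User.LDF during setup.
$schemaNc  = $rootDse.Properties['schemaNamingContext'][0]
$userClass = Get-AdldsEntry "CN=User,$schemaNc"
"User class in $schemaNc :"
'  lDAPDisplayName: ' + $userClass.Properties['lDAPDisplayName'].Value
foreach ($attr in 'mayContain', 'systemMayContain', 'mustContain', 'systemMustContain') {
    $values = $userClass.Properties[$attr]
    if ($values.Count -gt 0) {
        "  $attr ($($values.Count)):"
        $values | Sort-Object | ForEach-Object { "    $_" }
    }
}
```

Two points worth noting when you move from the consoles to scripts: every object path carries the port, because the host may run several instances on different ports, and the credentials used for the bind decide what you can see, because a bind that is refused rights on the application partition returns an error rather than an empty tree.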
