338 terms

70-640 Study Guide - Entire Book

Benefits of Active Directory
• Hierarchical Organization
• Extensible Schema
• Centralized Data Storage
• Replication
• Ease of Administration
• Network Security
• Client Configuration Management
• Scalability
• Search Functionality
Components & Mechanisms of Active Directory
• Data Store
• Schema
• Global Catalog
• Searching Mechanisms
• Replication
Objects within a Domain share several characteristics
• Group Policy & Security Permissions
• Hierarchical Object Naming
• Hierarchical Inheritance
• Trust Relationships
Active Directory Database is made up of units called
Security identification numbers placed on applications by Active Directory. These numbers are guaranteed to be unique, but the number generated is very large, so the odds are very low that two applications will end up with the same number.
Security Identifier
Root Domain
The first domain that gets installed in your Active Directory forest
Trust Relationship
Allows two domains to share security information and objects, but it does not automatically assign permissions to these objects. Allows users who are contained within one domain to be granted access to resources in other domains.
Transitive two-way trusts
Microsoft's default relationship between two trusted domains
Organization (O)
This is the company or root-level domain. In this case, the root level is the Internet:

/O=Internet/DC=Com/DC=Stellacon/DC=Sales/CN=Managers/CN=John Smith
Domain Component (DC)
This is a portion of the hierarchical path. Used for organizing objects within the directory service. The three items in the example specify that the user object is located within the sales.stellacon.com domain.

/O=Internet/DC=Com/DC=Stellacon/DC=Sales/CN=Managers/CN=John Smith
Common Name (CN)
Specifies the names of objects in the directory. In this example, the user John Smith is contained within the Managers container

/O=Internet/DC=Com/DC=Stellacon/DC=Sales/CN=Managers/CN=John Smith
Relative Distinguished Name (RDN)
This name specifies only part of the object's path relative to another object. For example, if your current context is already the Managers group within the sales.stellacon.com domain, you could simply specify the user as CN=John Smith.

/O=Internet/DC=Com/DC=Stellacon/DC=Sales/CN=Managers/CN=John Smith
Organizational Units (OU)
Container objects that can be hierarchically arranged within a domain and can contain objects such as users, groups, computers, and even other similar objects.

These are objects to which security permissions and group policies are generally assigned.

The smallest component within a domain to which administrative permissions and group policies can be assigned.
Active Directory Certificate Services (AD CS)
Allows administrators to configure services for issuing and managing public key certificates. The following are configurable components:

* Web Enrollment
* Certificate Authorities
* Network Device Enrollment Service
* Online Responder Service
Active Directory Domain Services (AD DS)
Used to manage objects (users, computers, printers, etc.) on a network. Some features are:

* User Interface Improvements
* Read-Only Domain Controllers
* Auditing
* Fine-Grained Password Policies
* Restartable Active Directory Domain Services
* Database Monitoring Tool
Active Directory Federation Services (AD FS)
Provides Internet-based clients a secure identity access solution that works on both Windows and non-Windows operating systems.

It also gives users the ability to do a single sign-on (SSO) and access applications on other networks without needing a secondary password.
Active Directory Lightweight Directory Services (AD LDS)
This is a directory service that allows directory-enabled applications to store and retrieve data without needing the dependencies AD DS requires.
Active Directory Rights Management Services (AD RMS)
This is included with Microsoft Server 2008 and allows administrators or users to determine what access (open, read, modify, etc.) they give to other users in an organization.

This access can be used to secure email messages, internal websites, and documents.
Identity and Access Solutions (IDA)
Can be categorized into five distinct areas:

* Directory Services
* Strong authentication
* Federated Identities
* Information protection
* Identity Lifecycle Management
Benefits of Directory Services
* Read-only domain controllers
* Auditing
* Fine-grained password policies
* Restartable Active Directory Domain Services
* Database mounting tool
* Active Directory Recycle Bin
Forefront Identity Manager (FIM) 2010
Takes some of the basic administration work (resetting passwords, managing groups and distribution lists, managing resource access, and policy creation) out of the hands of administrators and puts it into the hands of users.
Domain Name System (DNS)
* Is a service that allows you to resolve a hostname to an Internet Protocol (IP) address.

* A hierarchically distributed database
DNS is a standard set of protocols that defines the following:
* A mechanism for querying and updating address information in the database
* A mechanism for replicating the information in the database among servers
* A schema of the database
Domain Namespace
The inverted logical tree structure of the DNS distributed database
Top Level Domains (e.g. com, net, org, gov, edu)
Domain Name
Identifies the domain's position in the logical DNS hierarchy in relation to its parent domain by separating each branch of the tree with a dot.
DNS Server
Any computer providing domain name services, no matter where the server resides in the DNS namespace.
DNS Client
Any machine that issues queries to a DNS server. The hostname may or may not be registered in a DNS database.
Software processes sometimes implemented in software libraries that handle the actual process of finding the answers to queries for DNS data.
A request for information sent to a DNS server.

Three types of requests can be made to a DNS server:
* Recursive
* Inverse
* Iterative
DNS Server - Dynamic Updates Available Options
* None - This means your DNS server is Non-Dynamic
* Nonsecure and Secure - This means that any machine (even if it does not have a domain account) can register with DNS. Using this setting could allow rogue systems to enter records into your DNS server.
* Secure Only - This means that only machines with accounts in Active Directory can register with DNS. Before DNS registers any account in its database, it checks Active Directory to make sure that account is an authorized domain computer.
Iterative Queries
A client asks the DNS server for an answer, and the server returns the best answer. This information likely comes from the server's cache. The server never sends out an additional query in response to the query. If the server doesn't know the answer, it may direct the client to another server through a referral.
Recursive Queries
The client sends a request to a name server, asking it to respond either with the requested answer or with an error message. The error states one of two things:
* The server can't come up with the right answer.
* The domain name doesn't exist.
Inverse Queries
Use pointer (PTR) records. Instead of supplying a name and then asking for an IP address, the client first provides the IP address and then asks for the name.
TTL (Time to Live)
Specifies how long the record will be held in the local cache until it must be resolved again.
DNS Zone
A portion of the DNS namespace over which a specific DNS server has authority. There are resource records (RRs) that define the hosts and other types of information that make up the database for the zone.
Primary Zones
Responsible for maintaining all of the records for the DNS zone. It contains the primary copy of the DNS database. All record updates occur on this component.
Primary Zone Local Database (i.e. a zone not configured with Active Directory integration) Disadvantages
* Lack of fault tolerance
* Additional Network Traffic
* No Security
Secondary Zones
Non-editable copies of the DNS database used for load balancing, fault tolerance, and network performance. The database is acquired from the primary zone.
Disadvantages of Active Directory Integrated DNS
It has to reside on a domain controller because the DNS database is stored in Active Directory.
Advantages of Active Directory Integrated DNS
* Full Fault Tolerance
* No additional Network Traffic
* DNS Security
* Background Zone Loading
DNS Stub Zone
Similar to a secondary zone in that the database is a non-editable copy of the primary zone, but it only contains three record types to identify authoritative DNS servers for a zone.
GlobalName Zones
These zones use single-label names (DNS names that do not contain a suffix such as .com, .net, and so on). They are not intended to support peer-to-peer networks and workstation name resolution, and they don't support dynamic DNS updates.

The zones are NOT dynamic. Records have to be entered manually.

Helps organizations move forward with an all-DNS network.
Zone transfers occur in one of two ways:
* Full zone transfers (AXFR)
* Incremental zone transfers (IXFR)
DNS Notify
A mechanism for notifying secondary servers when zone changes occur (RFC 1996). Uses a push mechanism to communicate to a select set of secondary zone servers when their zone information is updated. (Does not allow you to configure a notify list for a stub zone.)

To configure the process, you create a list of secondary servers to notify.
Zone Replication can be configured one of two ways:
* The DNS snap-in
* A command-line tool called Dnscmd
Configure zone replication scope through the DNS snap-in:
1. Click Start > Administrative Tools > DNS.
2. Right-click the zone that you want to set up.
3. Choose Properties.
4. In the Properties dialog box, click the Change button next to Replication.
5. Choose the replication scope that fits your organization.
New Functionality in Windows Server 2008 DNS:
* Background zone loading
* Support for TCP/IP version 6 (IPv6)
* Read-only domain controllers
* GlobalName zone
DNS Socket Pools
Allows source port randomization to protect against DNS cache poisoning attacks. If you choose to use source port randomization, when the DNS service starts, the DNS server will randomly pick a source port from a pool of available sockets.
DNS Cache Locking
Allows cached DNS records to remain safe for the duration of the record's time to live (TTL) value. This means that the cached DNS records cannot be overwritten or changed. Because of this new DNS feature, it's tougher for hackers to perform cache-poisoning attacks against your DNS server.
DNS Security Extensions (DNSSEC)
Allows your Windows Server 2008 DNS server to sign and host DNSSEC-signed zones. DNSSEC cryptographically signs the DNS zone and all of the zone records, thus providing a greater level of security.
Windows Server 2008 R2 DNS server has the following changes:
* Ability to sign a zone and host signed zones
* Support for changes to the DNSSEC protocol
* Support for DNSKEY, RRSIG, NSEC, and DS resource records
DNS Record Types
* Start of Authority (SOA) Records
* Name Server (NS) Records
* Host Record
* Alias Record
* Pointer (PTR) Record
* Mail Exchanger (MX) Record
* Service (SRV) Record
Start of Authority (SOA) Records
The first record in a database file. The record defines the general parameters for the DNS zone, including the identity of the authoritative server for the zone.
Name Server (NS) Records
List the name servers for a domain. This record allows other name servers to look up names in your domain. A zone file may contain more than one of these components.

The format of these records is simple:
example.com. IN NS hostname.example.com.
Host Record
Is used to statically associate a host's name to its IP addresses (also called an A record for IPv4 and AAAA record for IPv6).

The format is pretty simple:
host_name optional_TTL IN A IP_Address
Alias Record
Aliases are used to point more than one DNS record toward a host for which an A record already exists. For example, if the hostname of your web server was actually chaos, you would likely have an A record like this:

chaos IN A

Then you could make a change to the record so that www.example.com would point to chaos:

www IN CNAME chaos.example.com.
Pointer (PTR) Record
Maps an IP address to a hostname through the use of the in-addr.arpa zone.

The record is necessary because IP addresses begin with the least-specific portion first (the network) and end with the most-specific portion (the host), whereas hostnames begin with the most-specific portion at the beginning and the least-specific at the end.
Mail Exchanger (MX) Record
The record is used to specify which servers accept mail for this domain. Each record contains two parameters — a preference and a mail server. The record uses the preference value to specify which server should be used if more than one record is present. The preference value is a number. The lower the number, the more preferred the server.
Service (SRV) Record
Using this record, which is another type of DNS record, a Windows 2000, XP, Vista, or Windows 7 client can query DNS servers for the location of a domain controller. These records tie together the location of a service (like a domain controller) with information about how to contact the service.
SRV Record Structure
* Domain name - Domain for which this record is valid (_ldap._tcp.example.com.).
* TTL - Time to live (86,400 seconds).
* Class - This field is always IN, which stands for Internet.
* Record type - Type of record (SRV).
* Priority - Specifies a preference, similar to the Preference field in an MX record. The SRV record with the lowest priority is used first (10).
* Weight - Service records with equal priority are chosen according to their weight (100).
* Port number - The port where the server is listening for this service (389).
* Target - The FQDN of the host computer (hsv.example.com and msy.example.com).
Steps to Install & Configure DNS:
1. Open the Configure Your Server wizard by selecting Start > Administrative Tools > Server Manager.
2. Under Roles Summary, click the link to the right labeled Add Role.
3. If a Before You Begin screen appears, click Next.
4. Click the DNS Server item in the Server Role list and click Next to continue. If your computer is configured with a dynamic IP address, you will be prompted to use a static address. Click Install DNS Server anyway.
5. Click Next on the Introduction To DNS screen.
6. On the Confirm Installation screen, click the Install button. You may need to insert the Windows Server 2008 R2 CD into the CD-ROM drive.
7. At the Installation Results screen, click Close.
8. Close Server Manager.
DNS Load Balancing with Round Robin
This feature distributes the network load among multiple network hosts if they are available. You set this up by creating multiple resource records with the same hostname but different IP addresses for multiple computers. Depending on the options that you select, the DNS server responds with the addresses of one of the host computers.
DNS Caching-Only Server
Although all DNS name servers cache queries that they have resolved, this type of server only performs queries, caches the answers, and returns the results. They are not authoritative for any domains, and the information that they contain is limited to what has been cached while resolving queries. Accordingly, they don't have any zone files, and they don't participate in zone transfers. When this server is first started, it has no information in its cache; the cache is gradually built over time.
Configure DNS Caching-Only Server
1. Right-click your DNS server and choose the Properties command
2. When the Properties dialog box appears, switch to the Root Hints tab
3. If your server is connected to the Internet, you should see a list of root hints for the root servers maintained by ICANN and the Internet Assigned Numbers Authority (IANA). If not, click the Add button to add root hints as defined in the cache.dns file. You can obtain current cache.dns files on the Internet by using a search engine. Just search for "cache.dns" and download one.
Delegating Zones for DNS
DNS provides the ability to divide the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:
* A need to delegate management of part of your DNS namespace to another location or department within your organization
* A need to divide one large zone into smaller zones for distributing traffic loads among multiple servers, for improving DNS name-resolution performance, or for creating a more fault-tolerant DNS environment
* A need to extend the namespace by adding numerous subdomains at once, such as to accommodate the opening of a new branch or site
DNS Forwarding
If a DNS server does not have an answer to a DNS request, it may be necessary to send that request to another DNS server. The two types of this method are:

* External
* Conditional
External Forwarding
When a DNS server forwards an external DNS request to a DNS server outside your organization.
Conditional Forwarding
Similar to external forwarding except that you are going to forward requests to specific DNS servers based on a condition.
DNS Aging and Scavenging
These features are used to clean up and remove stale resource records.
DNS Troubleshooting Tools
* Nslookup
* DNSLint
* IPConfig
* The DNS Log file
DNSLint Usage
Uses three main functions to verify DNS records and to generate a report in HTML:
* /d switch helps diagnose reasons that cause "lame delegation" and other related DNS problems.
* /ql switch helps verify a user-defined set of DNS records on multiple DNS servers.
* /ad switch helps verify DNS records pertaining to Active Directory replication.

The following are some sample queries:
dnslint /d stellacon.com
dnslint /ad /s
dnslint /ql dns_server.txt
dnslint /ql autocreate
Windows 2008 R2 Supported file systems:
* File Allocation Table 32 (FAT32)
* Windows NT File System (NTFS) - version 5
NTFS Benefits
* Disk Quotas
* Filesystem Encryption
* Dynamic Volumes
* Mounted Drives
* Remote Storage
* Self-Healing NTFS
* Security
Disk Quotas
Systems administrators can establish this restriction to limit the amount of disk space used by users on the network. By default, Windows Server 2008 R2 supports disk restrictions at the volume level. That is, you can restrict the amount of storage space a specific user uses on a single disk volume.
Filesystem Encryption
This feature essentially scrambles all of the data stored within files before they are written to the disk. When an authorized user requests the files, they are transparently decrypted and provided.
Dynamic Volumes
With Windows Server 2008 R2's support for this feature, systems administrators can change RAID and other disk configuration settings without needing to reboot or reinstall the server. The result is greater data protection, increased scalability, and increased uptime.
Remote Storage
Systems administrators can use this feature supported by NTFS to automatically off-load seldom-used data to tape or other devices, but the files remain available to users. If a user requests an archived file, Windows Server 2008 R2 can automatically restore the file from this component and make it available.
Self-Healing NTFS
To help protect the Windows Server 2008 R2 NTFS filesystem, Microsoft now uses a feature that attempts to fix corrupted NTFS filesystems without taking them offline. Allows an NTFS filesystem to be corrected without running the Chkdsk.exe utility. New features added to the NTFS kernel code allow disk inconsistencies to be corrected without system downtime.
Convert an existing partition from FAT or FAT32 to NTFS
Need to use the CONVERT command-line utility (e.g. CONVERT c: /fs:ntfs)

NOTE: Converting a FAT or FAT32 partition to NTFS is a one-way process, and you cannot convert an NTFS partition to another filesystem without losing data.
Windows 2008 R2 Supported Domain Functional Levels:
* Windows 2000 Native
* Windows 2003
* Windows Server 2008
* Windows Server 2008 R2
Windows 2008 & 2008 R2 Functional Features not Available for Windows 2000 Native or Windows Server 2003 Functional Levels:
* Authentication Assurance (Only 2008 R2)
* Fine-grained password policies
* Last interactive logon information
* Advanced Encryption Services
* Distributed File System replication support for Sysvol
Global Catalog Replication Enhancements
When an administrator adds a new attribute to the Global Catalog, only those changes are replicated to other Global Catalogs in the forest. This can significantly reduce the amount of network traffic generated by replication.
Defunct Schema Classes and Attributes
You can never permanently remove classes and attributes from the Active Directory schema, but you can mark them as defunct so that they cannot be used. With Windows Server 2003 and 2008 forest functionality, you can redefine the defunct schema attribute so that it occupies a new role in the schema.
Forest Trusts
Previously, systems administrators had no easy way of granting permission on resources in different forests. Windows Server 2003 and 2008 resolve some of these difficulties by allowing trust relationships between separate Active Directory forests. These relationships act much like domain trusts, except that they extend to every domain in two forests.
Linked Value Replication
Windows Server 2003 and 2008 use this concept. With this concept, only the user record that has been changed is replicated (not the entire group). This can significantly reduce network traffic associated with replication.
Renaming Domains
Although the Active Directory domain structure was originally designed to be flexible, there were several limitations. Because of mergers, acquisitions, corporate reorganizations, and other business changes, you may need to rename domains. In Windows Server 2003 and 2008, you can change the DNS and NetBIOS names for any domain, as well as reposition a domain within a forest. Note that this operation is not as simple as just issuing a rename command.
Info needed before installing the first domain in your environment:
* The DNS name of the domain
* The computer name or NetBIOS name of the server
* Which domain function level the domain will operate in
* Whether other DNS servers are available on the network
* What type of and how many DNS servers are available on the network
Active Directory Domains and Trusts
Use this tool to view and change information related to the various domains in an Active Directory environment. This MMC snap-in also allows you to set up shortcut trusts.
Active Directory Sites and Services
Use this tool to create and manage Active Directory sites and services to map to an organization's physical network infrastructure.
Active Directory Users and Computers
User and computer management is fundamental for an Active Directory environment. The Active Directory Users and Computers tool allows you to set machine- and user-specific settings across the domain.
Active Directory Module for Windows PowerShell
New to Windows Server 2008 R2, a group of cmdlets used to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.
Application Data Partitions
Allows system administrators and application developers to store custom information within Active Directory.

CANNOT contain security principals.

Replicas are managed using the Knowledge Consistency Checker (KCC).

You can create this component in one of the following three locations within an AD forest:

* As a new tree in an AD forest
* As a child of an AD domain partition
* As a child of another application data partition
Active Directory Service Interfaces (ADSI)
A set of programmable objects that can be accessed through languages such as Visual Basic Scripting Edition (VBScript), Visual C#, Visual Basic .NET, and many other language technologies that support the Component Object Model (COM) standard.
The LDP Tool
You can view and modify the contents of the Active Directory schema using queries. This component allows you to view information about application data partitions.

In order to use this utility, you must first install the Windows Server 2008 R2 Support Tools. The installer for this collection of utilities is located within the Windows Server 2008 R2 installation media in the \Support\Tools folder. You'll need to run the SupTools.msi file in order to install.
The component is the main method by which systems administrators create and manage application data partitions on their Windows Server 2008 domain controllers.
Removing Replicas of an Application Data Partition
If a DC contains a replica of application data partition information, you must remove the replica from the DC before you demote it.
ntdsutil Domain Management Commands:
* Create NC - Creates a new application directory partition
* Delete NC - Removes an application data partition
* List NC Information - Shows information about the specified application data partition
* List NC Replicas - Returns information about all replicas for the specific application data partition
* Precreate - Precreates cross-reference application data partition objects.
* Remove NC Replica - Removes a replica from the specified DC
* Select Operation Target - Selects the naming context that will be used for other operations
* Set NC Reference Domain - Specifies the reference domain for an application data partition
* Set NC Replicate - Defines settings for how often replication will occur
Benefits to integrating AD and DNS services:
* You can configure and manage replication along with other AD components
* You can automate much of the maintenance of DNS resource records through the use of dynamic updates
* You will be able to set specific security options on the various properties of DNS
Reasons for Using Multiple Domains
* Scalability
* Reducing Replication Traffic
* Meeting Business Needs
* Many Levels of Hierarchy
* Decentralized Administration
* Multiple DNS or Domain Names
* Legality
Drawbacks of Multiple Domains
* Administrative Inconsistency
* Increased Management Challenges
* Decreased Flexibility
AD Forest Features that all Domains have in common:
* Schema
* Global Catalog
* Configuration Information
Before creating a new child domain, you need the following information:
* The name of the parent domain
* The name of the child domain
* The filesystem locations for the AD database, logs, and shared system volume
* DNS configuration info
* The NetBIOS name of the new server
* A domain admin username and password
AD Forest
Elements used in the definition of each object contained in AD, including its object class (resources and security principals) and attributes. One schema per forest.
A command-line tool used to prepare a Windows 2003 forest or a Windows 2003 domain for the installation of Windows 2008 R2 DCs
Preparation steps prior to promoting a Windows 2008 R2 DC into a Windows 2000 or Windows 2003 forest
* Run "adprep /forestprep" on the Schema Operations Master
* Run "adprep /domainprep" on the Infrastructure master in the Windows 2003 forest
Reasons to Create Additional DCs
* Fault Tolerance and Reliability
* Performance
Steps to Perform Before Removing the Last DC in a Domain
* Computers no longer log on to this domain
* No user accounts are needed
* All encrypted data is decrypted
* All Cryptographic keys are backed up
* Make a list of all the resources that depend on the domain
AD Multimaster Replication
Every DC within the environment contains a copy of the AD database that is both readable and writable. If you want to modify the password of a user, you can do so on any DC and the changes are propagated to the other DCs.
Operation Masters
Functions that are not managed in a multimaster fashion.
Five Main Single-Master Operations
* Schema Master (Forest Operations Masters)
* Domain Naming Master (Forest Operations Masters)
* Relative ID (RID) Master (Domain Operation Masters)
* PDC Emulator Master (Domain Operation Masters)
* Infrastructure Master (Domain Operation Masters)
Schema Master
All of the domain controllers within a single Active Directory environment share the same schema. This ensures information consistency.
Developers and systems administrators can, however, modify the schema by adding custom information. A trivial example might involve adding a field to employee information that specifies a user's favorite color.

When you need to make these types of changes, you must perform them on the domain controller that is responsible for propagating all of the changes to all of the other domain controllers within the forest.

* Use Active Directory Domains and Trusts tool to configure.
Domain Naming Master
Keeps track of all the domains within an AD forest. This DC is accessed whenever you need to add new domains to a tree or forest.

* Use Active Directory Domains and Trusts tool to configure.
Relative ID (RID) Master
Every security object within Active Directory must be assigned a unique identifier so that it is distinguishable from other objects. For example, if you have two OUs named IT that reside in different domains, you must have some way to easily distinguish between them. Furthermore, if you delete one of the IT OUs and then later re-create it, the system must be able to determine that it is not the same object as the other IT OU. These identifiers are always unique within an Active Directory domain and are used for managing security information and authenticating users. This component is responsible for creating these values within a domain whenever new Active Directory objects are created.

* Use ADUC snap-in to administer roles within a domain
PDC Emulator Master
Within a domain, this component is responsible for maintaining backward compatibility with Windows 95, 98, and NT clients.

When running in Windows 2000 Native, Windows 2003, Windows Server 2008, or Windows 2008 R2 domain functional level (which does not support the use of pre-Windows 2000 domain controllers), this component serves as the default domain controller to process authentication requests if another domain controller is unable to do so. This component also receives preferential treatment whenever domain security changes are made.

* Use ADUC snap-in to administer roles within a domain.
Infrastructure Master
Whenever a user is added to or removed from a group, all of the other domain controllers should be made aware of this change. The role of the domain controller that acts in this capacity is to ensure that group membership information stays synchronized within an Active Directory domain.

* Use ADUC snap-in to administer roles within a domain
Steps to Assign Single-Master Operations
1. Open Active Directory Domains and Trusts tool
2. Right-click Active Directory Domains and Trusts, and choose Operations Masters
3. In the Operations Masters dialog box, note that you can change the operations master by clicking the Change button. If you want to move this assignment to another computer, you first need to connect to that computer and then make the change. Click Close to continue without making any changes.
4. Close the Active Directory Domains and Trusts administrative tool
5. Open the ADUC admin tool
6. Right-click the name of a domain and select Operation Masters. This brings up the RID tab of the Operations Masters dialog box. You can now change the computer that is assigned to this role
7. When finished, close the ADUC tool
Manage Single-Master Operations with three different tools:
1. Use AD Domains and Trusts to move the Domain Naming Master
2. Use the ADUC snap-in to move the three domain-wide roles (RID Master, PDC Emulator, Infrastructure Master)
3. Use the AD Schema MMC snap-in (register schmmgmt.dll first) to move the Schema Master role
All five roles can also be transferred with ntdsutil, and seized with it when the current holder is permanently lost. Never return a former holder of a seized role to the network without reinstalling it; two live holders of the RID Master, for example, can hand out duplicate RIDs.
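The study guide shows the MMC route. The script below is an added example, not from the guide, that uses the Active Directory module shipped with Windows Server 2008 R2; DC2 is a hypothetical domain controller name. It reads all five role holders, transfers two domain roles, shows the seize syntax, and checks the one placement rule that silently breaks cross-domain group references.

```powershell
Import-Module ActiveDirectory

# Forest-wide roles live on the forest object, domain-wide roles on the domain object
$forest = Get-ADForest
$domain = Get-ADDomain
$forest | Select-Object SchemaMaster, DomainNamingMaster | Format-List
$domain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster | Format-List

# The same answer from the legacy tool, useful on a server without the module
netdom query fsmo

# Transfer (graceful; the current holder must be online). DC2 is a hypothetical name.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Seize only when the holder is gone for good: -Force skips the hand-off with the old holder.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole RIDMaster -Force

# Check: the Infrastructure Master must not be a GC unless every DC in the domain is a GC
$dcs   = Get-ADDomainController -Filter *
$im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$allGC = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
if ($im.IsGlobalCatalog -and -not $allGC) {
    Write-Warning "Infrastructure Master $($im.HostName) is a GC while other DCs are not; cross-domain group references will not be updated."
}
```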
Transitive Trusts
By default, Active Directory trusts are transitive trusts. The simplest way to understand transitive relationships is through an example like the following: If Domain A trusts Domain B and Domain B trusts Domain C, then Domain A implicitly trusts Domain C. Every parent-child and tree-root trust inside a forest is transitive and two-way, which is why any user in the forest can be granted access to any resource in it. If you need to apply a tighter level of security, a trust to a domain outside the forest can be configured as nontransitive, so that it reaches only the one domain named in it.
One-Way vs. Two-Way Trusts
Trusts can be configured as one-way or two-way relationships. The default operation is to create two-way (bidirectional) trusts. This makes it easier to manage trust relationships by reducing the number of trusts you must create. In some cases, however, you might decide against two-way trusts. In a one-way relationship, the trusting domain (the one holding the resources) allows accounts from the trusted domain to be granted access to its resources, but not the other way around.

When domains are added together to form trees and forests, an automatic transitive two - way trust is created between them.
External Trusts
Used to grant access to resources in a Windows NT 4 domain, or in a single domain of another forest when a forest trust cannot be used (for example, because the other forest is below the Windows Server 2003 forest functional level). An external trust is ALWAYS nontransitive, but can be established in a one-way or two-way configuration.
Default SID Filtering on External Trusts
When you set up an external trust, remember that a domain controller in the trusted domain may be compromised. An attacker who controls it can write arbitrary SIDs, including the SIDs of privileged groups in your domain, into the SID history (sIDHistory) attribute of accounts there; those SIDs then travel in the account's authorization data and grant the attacker unauthorized rights in your domain (an elevation-of-privilege attack). To help prevent this, Windows Server 2008 R2 automatically enables SID filtering (also called quarantine) on every new external trust. With it, the domain controllers in the trusting domain (the domain with the resources) discard any SID in an incoming token whose domain portion is not that of the trusted domain itself. Leave it on: it is only ever disabled (netdom trust ... /quarantine:no) for the duration of a migration that relies on SID history, and it should be switched back on when the migration ends.
Realm Trusts
Similar to external trusts but used to connect to a non-Windows Kerberos V5 realm (an MIT or Heimdal KDC on UNIX, for example). These trusts can be transitive or nontransitive, one-way or two-way.
Cross-Forest Trusts
Used to share resources between two forests. Forest trusts were introduced with the Windows Server 2003 forest functional level, and both forests must be at that level (at a minimum) before you can create one. A forest trust is transitive between the two forests, so every domain in one forest trusts every domain in the other, but it is not transitive to a third forest: if forest A trusts forest B and forest B trusts forest C, forest A does not trust forest C. You can establish it in a one-way or two-way configuration; with a two-way forest trust, authentication requests from either forest can reach the other.
Selective Authentication vs. Forest - wide Authentication
Forest-wide authentication on a forest trust means that users of the trusted forest are authenticated by every domain controller in the trusting forest and can be granted access to any of its resources. Selective authentication means that users from the trusted forest cannot authenticate to a resource server in the trusting forest unless they have been explicitly granted the Allowed to Authenticate permission on that server's computer object, which confines them to the servers you choose.
Shortcut Trusts
In some cases, you may want to create a direct trust between two domains in the same forest that already trust each other implicitly through the tree. A shortcut trust lets Kerberos referrals go straight to the target domain instead of walking up and down the trust path, which improves the speed at which resources are accessed across many different domains.
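The trust cards above describe flags that live on the trustedDomain objects in CN=System of each domain. The following script is an added example, not from the study guide, that decodes those flags with the Windows Server 2008 R2 Active Directory module (which has no Get-ADTrust cmdlet; that arrived later) and flags the configuration the SID filtering card warns about. The bit values are the TRUST_ATTRIBUTE_* constants from the Active Directory technical specification; the domain names in the netdom lines at the end are hypothetical.

```powershell
Import-Module ActiveDirectory

# trustAttributes bits (TRUST_ATTRIBUTE_*)
$NON_TRANSITIVE     = 0x1
$QUARANTINED_DOMAIN = 0x4    # SID filtering enabled
$FOREST_TRANSITIVE  = 0x8    # forest trust
$CROSS_ORGANIZATION = 0x10   # selective authentication
$WITHIN_FOREST      = 0x20   # parent-child or tree-root trust inside the forest
$direction = @{ 1 = 'Inbound (they trust us)'; 2 = 'Outbound (we trust them)'; 3 = 'Two-way' }

# trustedDomain objects sit in the domain partition, which Get-ADObject searches by default
$trusts = Get-ADObject -Filter 'objectClass -eq "trustedDomain"' `
            -Properties trustPartner, trustDirection, trustType, trustAttributes

foreach ($t in $trusts) {
    $a = [int]$t.trustAttributes
    $kind = if ($a -band $WITHIN_FOREST)         { 'Intra-forest' }
            elseif ($a -band $FOREST_TRANSITIVE) { 'Forest' }
            elseif ([int]$t.trustType -eq 3)     { 'Realm' }     # trustType 3 = MIT Kerberos
            else                                 { 'External' }
    $sidFiltering = [bool]($a -band $QUARANTINED_DOMAIN)
    $selective    = [bool]($a -band $CROSS_ORGANIZATION)

    '{0,-28} {1,-12} {2,-24} transitive={3} sidFilter={4} selectiveAuth={5}' -f `
        $t.trustPartner, $kind, $direction[[int]$t.trustDirection],
        (-not ($a -band $NON_TRANSITIVE)), $sidFiltering, $selective

    # Outbound bit (2) means we are the trusting domain: their SIDs enter our tokens.
    # An external trust in that direction without quarantine is the sIDHistory attack path.
    if ($kind -eq 'External' -and ([int]$t.trustDirection -band 2) -and -not $sidFiltering) {
        Write-Warning "SID filtering is OFF on external trust with $($t.trustPartner)"
    }
}

# Fixes, run in the trusting domain (hypothetical names):
#   netdom trust sales.stellacon.com /domain:legacy.example /quarantine:yes      # re-enable SID filtering
#   netdom trust stellacon.com /domain:partner.example /selectiveauth:yes         # forest trust: selective authentication
```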
UPN Suffixes
Part of a user's name that appears after the @ symbol.

So, for instance, in the address wpanek@stellacon.com the component would be stellacon.com. By default, this is determined by the name of the domain in which the user is created. In this example, the user wpanek was created in the domain stellacon.com, so the two pieces logically fit together. However, you might find it useful to add an alternative suffix so that users in every domain of the forest log on with one short, consolidated suffix; a global catalog resolves the UPN to the right domain at logon.
How to Add a UPN Suffix
1. Open Active Directory Domains and Trusts admin tool
2. Right-click Active Directory Domains and Trusts in the left side of the window and select Properties
3. On the UPN Suffixes tab of the Active Directory Domains and Trusts Properties dialog box, enter an alternative UPN suffix in the Alternative UPN Suffixes field. Click the Add button to add the suffix to the list.
4. To remove a UPN suffix, select its name in the list and click on the Remove button.
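The same procedure from the Active Directory module, as an added example that is not part of the study guide. It assumes a child domain sales.stellacon.com whose users should log on as user@stellacon.com; the suffix list is a forest-level attribute, so the change is made on the forest object.

```powershell
Import-Module ActiveDirectory

# Alternative suffixes are stored on the forest (uPNSuffixes on the Partitions container)
(Get-ADForest).UPNSuffixes

# Add (or remove) a suffix without the GUI
Get-ADForest | Set-ADForest -UPNSuffixes @{ Add = 'stellacon.com' }
# Get-ADForest | Set-ADForest -UPNSuffixes @{ Remove = 'old.example' }

# Give an account the consolidated suffix; the pre-Windows 2000 logon name is unchanged
Set-ADUser -Identity 'wpanek' -UserPrincipalName 'wpanek@stellacon.com'

# Check: a UPN whose suffix is neither a domain name nor a registered alternative cannot be
# resolved by the GC, so the user's UPN logon fails. List any such accounts in this domain.
$forest = Get-ADForest
$valid  = @($forest.UPNSuffixes) + @($forest.Domains)
Get-ADUser -Filter * -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -and
                   ($valid -notcontains ($_.UserPrincipalName -split '@')[1]) } |
    Select-Object SamAccountName, UserPrincipalName
```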
Managing GC Servers
1. Open Active Directory Sites and Services admin tool
2. Find the name of the local DC within the list of objects, and expand this object. Right-click NTDS Settings and select Properties
3. In the NTDS Settings Properties dialog box, type Primary GC Server for Domain in the Description field. Select the Global Catalog check box and click OK to continue.
4. When you have finished, close the Active Directory Sites and Services admin tool.
Universal Group Membership Caching (UGMC).
Stores universal group membership locally when a user in the site logs on for the first time. The authenticating DC retains the universal group membership of that user. The next time the user logs on, a Windows Server 2008 R2 domain controller in the site takes the universal group membership from its local cache without contacting a GC. It is a per-site setting, intended for sites that have no GC of their own.


* Faster Logon Times
* Reduced Network Bandwidth
* Ability to Use Existing Hardware
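Both the GC check box and Universal Group Membership Caching are bits in an options attribute, which is what the Sites and Services dialogs set. The script below is an added example, not from the study guide, that does the same with the Windows Server 2008 R2 Active Directory module; DC2 and the site named Branch are hypothetical. The bit values (1 on NTDS Settings for GC, 0x20 on NTDS Site Settings for group caching) are the documented NTDSDSA and NTDSSETTINGS option flags.

```powershell
Import-Module ActiveDirectory

# Which DCs hold a GC, and where they sit
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog

# Make DC2 a GC: set bit 1 of options on its NTDS Settings object, keeping any other bits
$dc   = Get-ADDomainController -Identity 'DC2'
$ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }

# The DC advertises as a GC only after the partial replicas have replicated in
# (event 1119 in the Directory Service log); poll rootDSE until it says so
$rootDse = [ADSI]"LDAP://$($dc.HostName)/RootDSE"
$rootDse.Get('isGlobalCatalogReady')

# Universal Group Membership Caching for a site without a GC: bit 0x20 on NTDS Site Settings
$cfg  = (Get-ADRootDSE).configurationNamingContext
$site = Get-ADObject -Identity "CN=NTDS Site Settings,CN=Branch,CN=Sites,$cfg" -Properties options
Set-ADObject -Identity $site -Replace @{ options = ([int]$site.options -bor 0x20) }

# Optional: pin the site whose GC refreshes the cache (default refresh is every 8 hours)
# Set-ADObject -Identity $site -Replace @{ 'msDS-Preferred-GC-Site' = "CN=HQ,CN=Sites,$cfg" }
```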
Update Sequence Number
A 64-bit counter kept by each DC and incremented for every change written to its copy of the AD database. Replication partners remember the highest USN they have already received from each source (the high-watermark), so a replication request can ask only for changes above that number.
Linked Value Replication
A feature that is available once the forest is at the Windows Server 2003 (or higher) forest functional level. Before LVR, changing one member of a group replicated the whole multivalued member attribute; with LVR only the individual membership values that were added or removed are replicated (similar to an incremental change). That keeps large groups cheap to replicate and stops two administrators who edit the same group on different DCs from overwriting each other's change.
Bridgehead Server
The one domain controller in a site that sends and receives replication traffic for a site link and then forwards the changes to the other domain controllers in its site. The ISTG chooses bridgeheads automatically; you can designate preferred bridgehead servers, but if all preferred ones are down, replication for that site stops.

Funneling intersite traffic through one server, and configuring replication to occur only according to the site link's schedule, reduces network bandwidth requirements and improves performance over slow links.
Distributed File System Replication (DFSR)
A state-based, multimaster replication engine that supports replication scheduling and bandwidth throttling. It can detect insertions, removals, and rearrangements of data in files, which allows it to replicate only the changed file blocks when files are updated.

* Is a multimaster replication engine, and changes that occur on one of the members are then replicated to all of the other members of the replication group.

* Uses the update sequence number (USN) journal of the NTFS volume to detect changes, and then replicates the changes only after the file is closed.

* Before sending or receiving a file, uses a staging folder to stage the file

* When a file is changed, replicates only the changed blocks and not the entire file. Remote Differential Compression (RDC) is what determines which blocks of the file have changed.

* Is self-healing and can automatically recover from USN journal wraps, USN journal loss, or loss of the replication database
This command-line tool includes three switches that provide enhanced diagnostic capabilities:

* /ReplState - Provides a summary of the replication status across all connections on the specified replication group member. It takes a snapshot of the internal state of the DFSR service and lists the updates that are currently being processed (downloaded or served) by the service.

* /IdRecord - When replicating a file or folder, the service creates an ID record, and an administrator can use it to determine whether a file has replicated properly to a specific member. The IdRecord switch returns the record for the file or folder that you specify by path or by its unique identifier (UID).

* /FileHash - When used against a particular file, computes and displays the hash value that the service generates for it. An administrator can compare the hash values of the copies on two members: if they are the same, the file contents are identical.
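These switches belong to dfsrdiag.exe on Windows Server 2008 R2. The block below is an added example, not from the study guide, that runs them the way a troubleshooting session would: state, backlog, ID record, then a hash comparison of one file on two members. SRV1, SRV2, the replication group Data, the replicated folder Shared, and the file path are hypothetical, and the hash is read from the line that starts with "File Hash:" in the tool's output.

```powershell
# What the service is doing right now on one member
dfsrdiag ReplState /Member:SRV1

# Backlog from SRV1 to SRV2 for one replicated folder (names are hypothetical)
dfsrdiag Backlog /RGName:"Data" /RFName:"Shared" /SendingMember:SRV1 /ReceivingMember:SRV2

# The database record DFSR keeps for the file: UID, version (GVSN) and clock
dfsrdiag IdRecord /Member:SRV1 /Path:"D:\Shared\policy.docx"

# Hash a file the way DFSR does, without copying it across the WAN
function Get-DfsrFileHash([string]$Path) {
    $line = dfsrdiag FileHash /Path:"$Path" | Select-String 'File Hash'
    if ($line) { ($line.Line -split ':\s*', 2)[1].Trim() }
}

# Compare the two members' copies (admin-share paths; run locally on each member if UNC access is blocked)
$h1 = Get-DfsrFileHash '\\SRV1\D$\Shared\policy.docx'
$h2 = Get-DfsrFileHash '\\SRV2\D$\Shared\policy.docx'
if ($h1 -and $h1 -eq $h2) { "in sync: $h1" }
else                       { Write-Warning "copies differ: SRV1=$h1 SRV2=$h2 (check backlog and the staging folder)" }
```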
A partition of a network. As discussed earlier, subnets are logical IP blocks, usually connected to other IP blocks through routers and other network devices. All of the computers located on a given subnet are generally well connected with each other, which is why AD uses subnets to work out which site a client or server is in.
AD Site
A logical object that can contain servers and other objects related to AD replication. Specifically, a site is a grouping of related subnets, created to match the physical network structure of an organization. Sites control how replication is scheduled and compressed, and clients prefer domain controllers in their own site, so sites are created primarily to manage traffic over slow WAN links.
Site Links
Logical connections that define a path between two or more AD sites. Each site link carries a relative cost, a replication interval and a schedule; the cost expresses how preferable the link is (it should reflect the bandwidth available), and the ISTG routes replication over the cheapest path.
Event ID 1311
States that the Windows NT Directory Services (NTDS) Knowledge Consistency Checker (KCC) has found and reported a problem with AD replication. The error says that the replication configuration information in AD (sites, subnets, site links, bridgeheads) does not accurately reflect the physical topology of the network, so the KCC cannot build a complete topology.

This error is commonly found on ailing networks that have replication problems for one reason or another: a site with no site link, a site link whose bridgehead is down, or preferred bridgeheads that are all offline.
Intrasite Replication
Refers to the synchronization of AD information between DCs that are located in the same site, usually connected by a high-speed LAN.

A domain controller notifies its replication partners in the site a few seconds after a change is made to its copy of Active Directory, and the partners pull the change. Each pull is incremental: the requesting DC tells its partner the highest update sequence number it has already received from it, and the partner returns only the updates above that number. When the same attribute was changed on two DCs, the version number and timestamp decide which value wins, and all domain controllers in the site converge on that value. Intrasite replication is neither scheduled nor compressed.

Communication between domain controllers uses the Remote Procedure Call (RPC) protocol, which is optimized for transmitting and synchronizing information over fast and reliable network connections.
Intersite Replication
Occurs between domain controllers in different sites. Usually this means there is a WAN or other type of low-speed network connection between the various machines.

Offers several features that are tailored toward these types of connections: traffic is compressed, it flows only between the sites' bridgehead servers, and it is sent only during the schedule and at the interval configured on the site link. To begin with, two different protocols may be used to transfer information between sites:

RPC over IP: The default transport, and the only one that can replicate the domain partition between domain controllers of the same domain. It requires a live connection between the domain controllers in the two sites for the duration of the replication, so it is the right choice whenever connectivity is reasonably reliable.

Simple Mail Transfer Protocol: Simple Mail Transfer Protocol (SMTP) is perhaps best known as the protocol that is used to send and receive email messages on the Internet. SMTP was designed to use a store-and-forward mechanism through which a server receives a copy of a message, records it to disk, and then attempts to forward it to another email server. If the destination server is unavailable, it holds the message and attempts to resend it at periodic intervals.

This type of communication is useful for situations in which network connections are unreliable or not always available. If, for instance, a branch office in Peru is connected to the corporate office by a dial-up connection that is available only during certain hours, SMTP would be a good choice for communication with that branch. The limitation is that SMTP can replicate only the schema, configuration and global catalog (partial domain) partitions, never the domain partition between two DCs of the same domain, so it is usable only between sites that hold domain controllers of different domains.

SMTP replication messages are signed and encrypted, and the transport will not work without a certificate for the sending and receiving domain controllers. Therefore, if you use SMTP for Active Directory replication, you must first deploy Windows Server 2008 R2's Certificate Services (an enterprise CA) to issue those certificates.
Site Link Bridges
Used to connect site links so that the relationship between them is transitive: a site on link A can replicate with a site on link B through the site they share. By default every site link is bridged automatically (the Bridge All Site Links option on the transport); you create explicit site link bridges only after turning that option off, typically on a network that is not fully routed.
Knowledge Consistency Checker (KCC)
Forms a replication topology based on the site topology you created, and is responsible for determining the best way to replicate information within and between AD sites. It runs on every domain controller every 15 minutes; inside a site each DC's KCC builds the ring of connection objects, while between sites one DC per site, the Inter-Site Topology Generator (ISTG), chooses the bridgeheads and creates the intersite connections.
User Authentication
1. The user presents credentials to a DC (normally one in the client's own site, located through DNS SRV records)
2. The DC needs a GC for two things: resolving a UPN logon (user@suffix) to the domain the user belongs to, and retrieving the user's universal group memberships, which are stored only in the GC
3. If the DC the user is authenticating to is not itself a GC, it sends the request to a GC, and the GC responds with the user's domain and universal group information
4. The DC authenticates the user (if the user belongs to the same domain as the DC) and builds the access token. If no GC can be reached and the membership is not cached, the logon is refused, except for members of Domain Admins, because a universal group that cannot be checked might be one used to deny access
Universal Group Membership Caching (UGMC)
After a DC in a site with this setting has contacted a GC for a user once, it caches that user's universal group membership and refreshes the cache from a GC every 8 hours by default. Later logons in that site do not need a GC at all, which removes the GC round-trip and the logon failure that an unreachable GC would otherwise cause. Only group membership is cached, not the user's credentials.
Troubleshooting AD Replication
* Verify Network Connectivity
* Verify Router & Firewall Configurations
* Examine Event Logs
* Verify that Information is Synchronized
* Verify Authentication Scenarios
* Verify the Replication Topology (in the Sites and Services tool, right-click the NTDS Settings object under a server object, choose All Tasks > Check Replication Topology, and look for any errors that are reported)
Command-line utility used to help troubleshoot AD replication problems. Its switches include:

/bridgeheads - Lists the bridgehead servers for a specified site

/dsaguid - Returns a server name when given a GUID

/failcache - Shows a list of failed replication events

/istg - Returns the server name of the ISTG server for a specified site

/kcc - Forces the KCC to recalculate the replication topology for a specified domain controller

/latency - Shows the amount of time between replications

/queue - Shows tasks waiting in the replication queue

/querysites - Uses routing information to determine the cost of a route from a specified site to another specified site or sites

/replicate - Starts a replication event for the specified directory partition between domain controllers

/replsummary - Displays the replication state and relative health of a forest
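The switches above are repadmin's. The script below is an added example, not from the study guide, that strings them together into the order a practitioner actually follows when a replication problem is reported: summary first, then the failing connections parsed from repadmin's CSV output, then stale partners, the queue, the KCC, a forced sync, and the KCC's own 1311 events. DC1, DC2 and the site name are hypothetical; the CSV column names ("Number of Failures", "Last Success Time" and so on) are the ones repadmin /showrepl /csv emits.

```powershell
# 1. Forest-wide summary: largest delta and fails/total per source and destination DSA
repadmin /replsummary

# 2. Every inbound connection in the forest, as objects, and only the ones with failures
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$bad  = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
$bad | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                     'Number of Failures', 'Last Failure Status', 'Last Success Time' |
       Format-Table -AutoSize

# 3. Partners that have not succeeded for a long time. Past the tombstone lifetime
#    (60 or 180 days, depending on when the forest was created) a DC must be removed
#    and re-promoted rather than repaired; warn well before that.
$stale = $rows | Where-Object {
    $last = $_.'Last Success Time' -as [datetime]
    $last -and ((Get-Date) - $last).TotalDays -gt 14 }
$stale | Select-Object 'Destination DSA', 'Source DSA', 'Last Success Time'

# 4. Work that never drains from the queue points at the transport (RPC 135 plus the dynamic
#    ports, or a site link whose schedule never opens) rather than at the data
repadmin /queue

# 5. Recompute the topology, locally or on a named DC, after fixing sites, subnets or links
repadmin /kcc
repadmin /kcc DC2

# 6. Push all partitions from DC1 to every partner, across sites (/A all NCs, /e enterprise, /P push)
repadmin /syncall DC1 /AeP

# 7. The KCC's own complaint about the site topology
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1311 } -MaxEvents 5 |
    Select-Object TimeCreated, Message

# 8. Which server carries a site's intersite traffic, and which server generates its topology
repadmin /bridgeheads Default-First-Site-Name
repadmin /istg Default-First-Site-Name
```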
Server Manager Available Roles
* Active Directory Certificate Services
* Active Directory Domain Services
* Active Directory Federation Services
* Active Directory Lightweight Directory Services
* Active Directory Rights Management Services
Active Directory Certificate Services (AD CS)
Binds a public key to an identity (an object such as a user or computer, a device such as a router, or a service) by issuing a certificate signed by the CA, while the matching private key stays with the subject. This technology also provides services for creating, managing and revoking the public key certificates used in software security systems that employ public key technologies.

The public-key infrastructure greatly increases data security.
Applications supported by AD CS
* Secure/Multipurpose Internet Mail Extensions (S/MIME)
* Secure wireless networks
* Virtual private networks (VPN)
* IP security (IPSec)
* Encrypting File System (EFS)
* Smart card logon
* Secure Socket Layer/Transport Layer Security (SSL/TLS)
* Digital Signatures
Active Directory Certificate Services (AD CS) Components
* Cert Publishers Group
* PKI-Savvy Applications
* Online Responder Service
* Certification Practice Statement
* Enrollment Agents
* Network Device Enrollment Service
* Web Enrollment
* Certificate Mapping
* Authentication Mechanism Assurance
Configurable AD CS Options
* Certificate Authorities
* Cryptographic Service Provider
* Hash Algorithm
Three types of Certificate Authorities (CAs):
* Enterprise Root CAs - Integrated with Active Directory: the CA certificate is published to AD, certificate templates and autoenrollment are available, and requesters are authenticated with their domain credentials. The root is the most trusted CA in the hierarchy; in practice it should issue only subordinate CA certificates, not the certificates used by your users.
* Stand-Alone Root CAs - Do not require Active Directory: there are no templates, and requests are held for manual approval by default. Used to issue certificates to Internet users and, more commonly, as an offline root that is kept powered off and started only to issue or renew subordinate CA certificates and its CRL.
* Subordinate CAs - Sit below an Enterprise or Stand-Alone Root CA in the hierarchy. The root (or a higher subordinate) issues the Subordinate CA's certificate, and the Subordinate CA in turn issues certificates to objects and services.
Cryptographic Service Provider (CSP)
The mechanism that is responsible for authentication, encoding, and encryption services that Windows - based applications access through the Microsoft Cryptography application programming interface (CryptoAPI). Every one offers a unique implementation of the CryptoAPI. Some offer a strong cryptographic algorithm, while others use hardware components, such as smart cards.
Hash Algorithm
An algorithm that produces a hash value of some piece of data, such as a message or session key.
Certificate Authorities
They issue, revoke, and publish certificates for their clients; big entities like Thawte and VeriSign may do this for millions of users.
Users can obtain certificates from a CA in the following ways:
* Through Group Policy Objects (GPOs)
* Web enrollment
* Extranet enrollment
* Smart card enrollment
* Certificate auto enrollment
Certificate Template Types:
* CA Certificate
* Client Computer Certificate
* Server Certificate
* User Certificate
Certificate Revocation Components:
* Certificate Revocation List
* CRL Distribution Point
* Online Responder
* Authority Information Access
Key Archival
Allows the private key of a key pair to be stored in the CA database so that it can be recovered later if necessary. On a Windows Server 2008 R2 CA this is configured rather than automatic: the CA must be set up with at least one Key Recovery Agent certificate, and the certificate template must have "Archive subject's encryption private key" enabled. From then on every enrollment through that template sends the private key to the CA, encrypted to the KRA's public key, and it can be recovered when needed.

*NOTE* When recovery occurs, the data or messages the key was used with are not recovered; recovery only gives an individual back a lost or damaged key, which they then use to decrypt their own data. Archive encryption keys only (EFS, S/MIME): a signing key that a third party can recover no longer proves who signed.
Key Recovery Agent
The holder of a Key Recovery Agent certificate. The CA is configured to encrypt archived keys to that certificate, so the KRA's private key is the only thing that can decrypt them. Recovery is a two-person procedure: a Certificate Manager retrieves the still-encrypted blob from the CA database, and the KRA decrypts it into a PFX file for the user.
Assigning Administrative Roles
Using the Certification Authority MMC, you can assign users or administrators rights to help manage the certificate server.

To assign an individual a role, right - click the name of the server in the Certification Authority MMC and choose Properties. Click the Security tab. Add the individual and choose their roles.
You have the ability to audit many different operations of a CA server to the Security log of the event viewer. Each of the following is a separate check box on the Auditing tab of the CA's properties; they are all off by default, and the Object Access > Certification Services audit policy must be enabled as well before any of them produce events:

* Back up and restore the CA database
* Change CA configurations
* Change CA security settings
* Issue and manage certificate requests
* Revoke certificates and publish the CRL
* Store and retrieve archived keys
* Start and stop Active Directory Certificate Services
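The seven audit categories and the key archival procedure from the cards above are driven from the CA with certutil. The block below is an added example, not from the study guide: the first part enables all seven categories (the AuditFilter registry value is a bit mask in the order listed, 1 through 64, so 127 is everything) and lists the Security log event IDs that Windows Server 2008 R2 writes for them; the second part walks the two-person key recovery. The requester name, serial number, file names and PFX password are hypothetical.

```powershell
# --- Auditing, on the CA ---
# Bits: 1 start/stop, 2 backup/restore, 4 issue and manage requests, 8 change CA configuration,
# 16 change CA security settings, 32 store/retrieve archived keys, 64 revoke/publish CRL
certutil -setreg CA\AuditFilter 127

# The filter does nothing until the audit subcategory is on
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# AuditFilter is read when the service starts
net stop certsvc; net start certsvc

# Events to watch afterwards (Security log, Windows Server 2008 R2):
#   4870 certificate revoked   4876 CA backup started   4882 CA security permissions changed
#   4885 audit filter changed  4887 request issued      4888 request denied   4893 key archived
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4870, 4876, 4882, 4885, 4887, 4888, 4893 } `
             -MaxEvents 20 | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# --- Key recovery ---
# Step 1, a Certificate Manager on the CA: find the user's certificate, then export the archived
# key blob. The blob is still encrypted to the KRA's public key, so it can be handed over safely.
certutil -view -restrict "RequesterName=STELLACON\jsmith" -out "RequestID,SerialNumber,NotAfter"
certutil -getkey 6A00000003 jsmith.blob        # <serial number> <recovery blob out>

# Step 2, the KRA, on a machine holding the KRA certificate and private key in the personal store:
certutil -recoverkey -p 'P@ssw0rd-out-of-band' jsmith.blob jsmith.pfx

# Give jsmith.pfx to the user and the PFX password by a separate channel; the CA database is unchanged,
# and step 1 leaves a 'store and retrieve archived keys' audit event if bit 32 is on.
```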
Database Backup and Restore
Use the Certification Authority MMC, right click on the name of the server, choose All Tasks > Back Up CA, and follow the wizard.
Multi Forest Certificate Enrollment
In previous versions of Windows Server, when a CA issued certificates to users, the users had to be members of the same forest as the CA server. Now with Windows Server 2008 R2, you have the ability to issue certificates across a multi forest environment that has a two - way trust relationship established. Multi Forest Certificate Enrollment is available for enterprise CAs running Windows Server 2008 R2 Enterprise or Datacenter Edition.
High-Volume CAs
Organizations can choose to bypass certain CA database operations to reduce the CA database size. By default, the CA database stores a record of each request and issued certificate. If you have a project or application that needs a high volume of requests, this would increase the CA database growth rate and administration cost.
Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service
Two role services that extend certificate enrollment beyond what autoenrollment over LDAP can reach. The Certificate Enrollment Policy Web Service tells a client which templates it may use, and the Certificate Enrollment Web Service accepts requests over HTTPS and forwards them to the CA, acting as a proxy between the client computer and the CA server. This lets computers that cannot reach a domain controller (outside the firewall, in another forest, or not domain-joined) enroll and renew certificates.

Requirements:

* AD forest with Windows Server 2008 R2 schema
* Enterprise CA running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003
* Requires an enterprise CA running Enterprise or Datacenter Edition of Windows Server
* Client computers running Windows 7
New Active Directory Domain Services (AD DS) Features
* User Interface Improvements
* Read-Only Domain Controllers (RODC)
* Auditing (Can now view the new and old values of objects and its attributes)
* Fine-Grained Password Policies
* Restartable Active Directory Domain Service
* Database Mounting Tool
Security Features Available for Domain Services
* Read-Only Domain Controllers
* Read-Only SYSVOL - When you create a read-only domain controller (RODC), the SYSVOL share becomes read-only. File Replication Service (FRS) and Distributed File System (DFS) Replication updates to SYSVOL are performed on a writable domain controller and then replicated to the RODC.
System Key Utility (Syskey.exe)
This is used to secure account data on a hard disk. Also helps member servers and client operating systems encrypt the passwords in their Security Account Manager (SAM) database.
Bitlocker Drive Encryption
Allows an IT admin to encrypt both the OS volume and additional data volumes within the same server. Use Server Manager to install.
Active Directory Recycle Bin
Administrators now have the ability to undo an accidentally
deleted Active Directory object.
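The Recycle Bin is enabled and used entirely from PowerShell. The block below is an added example, not from the study guide, using the Windows Server 2008 R2 Active Directory module; it assumes a forest already at the Windows Server 2008 R2 forest functional level, a deleted user jsmith and a deleted OU named Sales (all hypothetical). Enabling the feature is irreversible and forest-wide.

```powershell
Import-Module ActiveDirectory

# Prerequisite: forest functional level Windows Server 2008 R2 (schema already updated by adprep)
(Get-ADForest).ForestMode
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target (Get-ADForest).RootDomain -Confirm:$false

# Deleted objects keep all attributes for msDS-DeletedObjectLifetime (defaults to the tombstone
# lifetime); after that they are recycled and can no longer be restored.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# Restore one user to its original OU; use -TargetPath when that OU no longer exists
$u = Get-ADObject -Filter 'sAMAccountName -eq "jsmith" -and isDeleted -eq $true' -IncludeDeletedObjects
Restore-ADObject -Identity $u
# Restore-ADObject -Identity $u -TargetPath 'OU=Sales,DC=stellacon,DC=com'

# A deleted OU with its contents: restore the parent first, then everything whose lastKnownParent
# is the OU's (still deleted-style) DN; repeat per nesting level
$ou = Get-ADObject -Filter 'msDS-LastKnownRDN -eq "Sales" -and isDeleted -eq $true' -IncludeDeletedObjects
$parentDN = $ou.DistinguishedName
Restore-ADObject -Identity $ou
Get-ADObject -Filter 'lastKnownParent -eq $parentDN -and isDeleted -eq $true' -IncludeDeletedObjects |
    Restore-ADObject
```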
Active Directory Module for Windows PowerShell and Windows PowerShell Cmdlets
Allows an administrator to perform command - line scripting for administrative, configuration, and diagnostic tasks. Uses a consistent vocabulary and syntax. Administrators using PowerShell can easily pipe cmdlets to build complex operations that allow end - to - end manageability with Exchange Server, Group Policy, and other services.
Offline Domain Join
Gives administrators the ability to preprovision
computer accounts in the domain to prepare operating systems for deployments. Computers, at startup, can then join the domain without the need to contact a domain controller.
Managed Service Accounts
A new account type for services that combines automatic password management with easier service principal name (SPN) handling. An MSA is tied to a single computer; that computer changes the account's long random password automatically, the way it changes its own computer account password, so no human ever knows or rotates it, and SPNs can be registered on the MSA instead of on the computer account. Several services on the same server may share one MSA, but one MSA cannot be used on more than one server.
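The life cycle of one MSA, as an added example that is not from the study guide, using the Windows Server 2008 R2 Active Directory module. The account svc-web, the server SRV1, the SPN and the service name are hypothetical; steps 1 to 3 run wherever the module is installed, step 4 must run on SRV1 itself.

```powershell
Import-Module ActiveDirectory

# 1. Create the account; it lands in the Managed Service Accounts container and gets a
#    240-character random password that the bound computer rotates automatically
New-ADServiceAccount -Name 'svc-web' -Description 'Web service on SRV1' -Enabled $true

# 2. Bind it to exactly one computer; an MSA cannot be shared between servers
Add-ADComputerServiceAccount -Identity 'SRV1' -ServiceAccount 'svc-web'

# 3. Put the SPN on the MSA rather than on the computer account so Kerberos works for the service
Set-ADServiceAccount -Identity 'svc-web' -ServicePrincipalNames @{ Add = 'HTTP/intranet.stellacon.com' }

# 4. On SRV1 (AD module installed there): fetch the account into the local store, then run the
#    service as DOMAIN\name$ with an empty password. Grant it "Log on as a service" first.
Install-ADServiceAccount -Identity 'svc-web'
sc.exe config MyService obj= 'STELLACON\svc-web$' password= ''
sc.exe start MyService

# Check: every MSA in the domain and the computer each one is bound to
Get-ADServiceAccount -Filter * -Properties HostComputers | Select-Object Name, HostComputers
```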
Active Directory Management Pack
Gives admins the ability to proactively monitor the availability and performance of AD.
Active Directory Federation Services (AD FS v2)
Provides Internet-based clients a secure identity access solution that works on both Windows and non-Windows OSs. This allows organizations to set up trust relationships between networks and supports single sign-on (SSO).

Requires an AD FS server on both ends of the connection.

* Installed via Server Manager & adding a Role
AD FS Web Agents
Administrators can configure a Windows NT token-based agent on a web server so that applications that do not understand claims receive an ordinary Windows token for the federated user. To support this feature, Windows Server 2008 AD FS includes a user interface for the AD FS Web Agent role service, which runs under a service account that calls the other AD FS services on the user's behalf.
Trust Policies
A file that outlines the set of rules that a Federation Service uses to recognize partners, certificates, account stores, claims, and other properties associated with AD FS.

Two ways to create the federated trust:
* Importing and exporting policy files
* The manual process, which involves the mutual exchange of partner values
User and Group Claim Mapping
In basic terms, means that each partnered location agrees and appropriately maps the AD FS trust policy for sharing between federation partner locations. It contains user information and helps users connect to a partner's resources.

Three types supported by AD FS:
* Identity - This type helps identify the user.
* Group- This type indicates membership in a group or role
* Custom - This type provides any additional information that needs to be sent.
Active Directory Rights Management Services (AD RMS)
Allows admins or users to determine what access (open, read, modify, etc.) they give to other users in an organization. Access restrictions can improve security for email messages, internal websites, and documents.

Three new administrative roles (local groups created on the AD RMS server) allow for delegation of the responsibilities:
* AD RMS Enterprise Administrators
* AD RMS Template Administrators
* AD RMS Auditors
AD RMS Administrative Roles
* AD RMS Service Group
* AD RMS Enterprise Administrators
* AD RMS Auditors
Organizational Unit (OU)
A logical group of AD objects. OUs serve as containers within which other AD objects can be created, but they do not form part of the DNS namespace. An OU can contain the following types of AD objects:

* Users
* Groups
* Computers
* Shared Folder Objects
* Contacts
* Printers
* InetOrgPerson objects
* MSMQ Queue Aliases
* Other similar components
Benefits of OUs
* The smallest scope to which you can link Group Policy and the usual scope for delegating administration (permissions can also be set on individual objects, but that does not scale)
* You can easily change the structure
* The structure can support many different levels of hierarchy
* Child objects can inherit settings
* You can set Group Policy settings on this type of object
* You can easily delegate the administration of this type of object and objects within them to the appropriate users and groups
OU Naming Considerations
* Keep the names and descriptions simple
* Pay attention to limitations - The max length for the name of this object is 64 characters
* Pay attention to the hierarchical consistency
OU Delegation Control
The Delegation of Control Wizard runs against an OU (or the domain), not against an individual object inside an OU; it writes access control entries on the OU that are inherited by the objects below it. Design the OU tree around who needs to administer what, then delegate at the OU level.
Access Control Entries (ACEs)
Grant specific administrative rights on objects in a container to a user or group.
OU Deletion Protection
A nice feature when creating an OU is the ability to protect an OU from being accidently deleted.
The Built-In container includes all of the standard groups that are installed by default when you promote a domain controller.
Foreign Security Principals
Objects to which security can be assigned and that are not part of the current domain. Are Active Directory objects to which permissions can be applied, and they can be used to manage permissions in Active Directory.
Managed Service Accounts
A new Windows Server 2008 R2 OU. Service accounts are accounts created to run specific services like Exchange
and SQL Server. Having a Managed Service Accounts OU allows you to better control the service accounts and thus allows for better service account security.
An Active Directory object that defines attributes of users in Lightweight Directory Access Protocol (LDAP) and X.500 directories.
MSMQ Queue Alias
An Active Directory object associates an Active Directory path and a user - defined alias with a public, private, or direct single - element format name. This allows the object to be used to reference a queue that might not be listed in Active Directory Domain Services (AD DS).
User Principal Name (UPN)
When you log into a domain, your logon name looks like an email address (i.e., wpanek@willpanek.com): this is the username, followed by the @ sign, followed by the UPN suffix, which defaults to the domain name. The UPN is generated by default when the user account is created, and it must be unique across the forest.
Fields not copied over from a user template:
* Name
* Logon Name
* Password
* Email
* Phone Numbers
* Description
* Office
* Web Page
Tools used to perform bulk imports of user accounts:
* ldifde.exe - Imports from and exports to LDAP Data Interchange Format (LDIF) files, a line-delimited format. Allows an admin to export data and to import additions, modifications and deletions.
* csvde.exe - Performs the same export functions as ldifde.exe, but uses a comma-separated file format. Does not allow admins to modify or delete objects; it only supports adding objects to AD.
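A complete import with both tools, as an added example that is not from the study guide. The LDIF and CSV contents are constructed samples for a hypothetical OU=Sales in stellacon.com; the final loop uses the Windows Server 2008 R2 Active Directory module to do what neither tool can do over a plain LDAP connection, namely set a password and enable the account (the imports therefore create the users disabled, userAccountControl 514).

```powershell
# Constructed LDIF: one add and one modify. ldifde honours changetype; csvde cannot.
@'
dn: CN=Jane Doe,OU=Sales,DC=stellacon,DC=com
changetype: add
objectClass: user
sAMAccountName: jdoe
userPrincipalName: jdoe@stellacon.com
displayName: Jane Doe
userAccountControl: 514

dn: CN=Jane Doe,OU=Sales,DC=stellacon,DC=com
changetype: modify
replace: description
description: Imported by ldifde
-
'@ | Set-Content -Path users.ldf -Encoding ASCII

# -i import, -f file, -k keep going on "already exists" errors, -j log directory
ldifde -i -f users.ldf -k -j .

# Constructed CSV: header row = attribute names, one object per line, adds only
@'
DN,objectClass,sAMAccountName,userPrincipalName,displayName,userAccountControl
"CN=John Roe,OU=Sales,DC=stellacon,DC=com",user,jroe,jroe@stellacon.com,John Roe,514
'@ | Set-Content -Path users.csv -Encoding ASCII
csvde -i -f users.csv -k

# Passwords cannot be imported this way, so set them now, force a change at first logon, enable
Import-Module ActiveDirectory
foreach ($sam in 'jdoe', 'jroe') {
    Set-ADAccountPassword -Identity $sam -Reset `
        -NewPassword (Read-Host -AsSecureString "Initial password for $sam")
    Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $sam
}

# Export for an audit: every user with password age and account flags (-r filter, -l attributes)
csvde -f users-export.csv -r "(objectClass=user)" -l "sAMAccountName,userPrincipalName,pwdLastSet,userAccountControl"
```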
Active Directory Migration Tool v3.2
Allows an administrator to migrate users, groups, and computers from a Windows Server 2003 domain to a Windows Server 2008 R2 Active Directory domain. Admins can also use the tool to migrate users, groups, and computers between AD domains in different forests and between domains in the same forest.
Offline Domain Join of a Computer
Gives administrators the ability to preprovision computer accounts in the domain to prepare operating systems for deployments. Computers, at startup, can then join the domain without the need to contact a domain controller.


* No additional network traffic for AD state changes
* No additional network traffic for computer state changes to the DC
* Changes for both the AD state and computer state can be completed at different times.
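The two halves of an offline domain join, as an added example that is not from the study guide: djoin.exe is the tool that implements it on Windows 7 and Windows Server 2008 R2. The domain, OU, computer name and file name are hypothetical. The provisioning file contains the machine account password, so treat it as a credential.

```powershell
# Half 1, on a domain-joined machine, as a user allowed to create computer objects in the OU:
# creates the account and writes the blob (domain name, DC, machine password) to a file
djoin /provision /domain stellacon.com /machine PC001 `
      /machineou "OU=Workstations,DC=stellacon,DC=com" /savefile PC001.txt
# Add /reuse to re-provision an account that already exists,
# or /dcname DC1 to force the object onto the DC the new machine will talk to first.

# Half 2, on the new computer, before its first reboot into the domain; no DC is contacted
djoin /requestODJ /loadfile PC001.txt /windowspath $env:SystemRoot /localos
shutdown /r /t 0

# Same thing against an offline image during deployment (the unattend equivalent is the
# OfflineJoin setting of Microsoft-Windows-UnattendedJoin):
# djoin /requestODJ /loadfile PC001.txt /windowspath D:\Mount\Windows

# The blob is a credential: delete it once the join has completed
Remove-Item PC001.txt -Force
```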
Domain Local Groups
Groups that remain in the domain in which they were created. You use these groups to grant permissions within a single domain. For example, if you create a domain local group named HPLaser, you cannot use that group in any other domain, and it has to reside in the domain in which you create it.

You can create these in domain Mixed or Native modes.
Global Group
Can contain other groups and accounts from the domain in which the group is created. In addition, you can give them permissions in any domain in the forest.

Can be created in domain Mixed or Native modes.
Universal Groups
Can include other groups and accounts from any domain in the domain tree or forest. You can give these permissions in any domain in the domain tree or forest.

You can create these objects only if you are in a domain Native mode.
A = Accounts (Create your user accounts)
G = Global groups (Put user accounts into global groups.)
DL = Domain local groups (Put global groups into domain local groups.)
P = Permissions (Assign permissions, Allow or Deny, to the domain local group)
A = Accounts (Create your user accounts)
G = Global groups (Put user accounts into global groups.)
U = Universal groups (Put global groups into universal groups.)
DL = Domain local groups (Put universal groups into domain local groups.)
P = Permissions (Assign permissions, Allow or Deny, to the domain local group)
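AGDLP and AGUDLP built end to end, as an added example that is not from the study guide, with the Windows Server 2008 R2 Active Directory module. The OU, group names, user names, the domain sales.stellacon.com and the spool folder are hypothetical; the universal-group step in the middle is the AGUDLP variant for a second domain.

```powershell
Import-Module ActiveDirectory
$ou = 'OU=Groups,DC=sales,DC=stellacon,DC=com'

# A -> G: the accounts already exist; a global group collects the role holders of this domain
New-ADGroup -Name 'Managers' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Managers' -Members 'jsmith', 'wpanek'

# DL: a domain local group named for the resource and the access level it grants
New-ADGroup -Name 'HPLaser-Print' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'HPLaser-Print' -Members 'Managers'

# (AGUDLP) When managers from several domains need the same access, nest the global groups in a
# universal group and put that in the domain local group. Universal security groups need a
# native-mode domain, and their membership is stored in the GC, so keep them few and stable.
# New-ADGroup -Name 'All-Managers' -GroupScope Universal -GroupCategory Security -Path $ou
# Add-ADGroupMember -Identity 'All-Managers' -Members 'Managers', 'CN=Managers,OU=Groups,DC=eu,DC=stellacon,DC=com'
# Add-ADGroupMember -Identity 'HPLaser-Print' -Members 'All-Managers'

# P: the permission goes on the domain local group only, never on users or global groups
icacls 'D:\Spool' /grant 'SALES\HPLaser-Print:(OI)(CI)M'

# Check: who ends up with the permission once nesting is expanded
Get-ADGroupMember -Identity 'HPLaser-Print' -Recursive | Select-Object SamAccountName, objectClass
```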
LostAndFound folder
This folder, visible in ADUC when Advanced Features is enabled, contains orphaned objects: objects that were created or moved on one domain controller into a container that was deleted on another domain controller before replication caught up. You should check this folder periodically so that you can decide whether to move the objects to the correct location or delete them.
Publishing AD Objects
The act of making an AD object available. The two main publishable objects are Printer objects and Shared Folder objects.
Creating and Publishing a Printer
1. Click Start Devices And Printers Add A Printer. This starts the Add Printer Wizard.
2. In the Choose A Local Or Network Printer page, select Add A Local Printer. This should automatically take you to the next page. If it does not, Click Next.
3. In the Choose A Printer Port page, select Use An Existing Port. From the drop - down list beside that option, make sure LPT1: (Printer Port) is selected. Click Next.
4. On the Install The Printer Driver page, select Generic for the manufacturer, and for the printer, highlight Generic / Text Only. Click Next.
5. On the Type A Printer Name page, type Text Printer . Uncheck the Set As The Default Printer box and then click Next.
6. The Installing Printer screen appears. After the system is finished, the Printer Sharing page appears. Make sure the box labeled " Share this printer so that others on your network can find and use it " is selected, and accept the default share name of Text Printer.
7. In the Location section, type Building 203, and in the Comment section, add the following comment: This is a text - only Printer. Click Next.
8. On the You've Successfully Added Text Printer page, click Finish.
9. Next, you need to verify that the printer will be listed in Active Directory. Right - click the Text Printer icon and select Printer Properties.
10. Select the Sharing tab, and ensure that the List In The Directory box is checked. Note that you can also add additional printer drivers for other operating systems using this tab. Click OK to accept the settings.
Creating and Publishing a Shared Folder
1. Create a new folder in the root directory of your C: partition, and name it Test Share .
2. Right - click the Test Share. Choose Share With Specific People.
3. In the File Sharing dialog box, enter the names of users you want to share this folder with. In the upper box, enter Everyone ; then click Add. Note that Everyone appears in the lower box. Click in the Permission Level column next to Everyone and choose Read/Write from the pop - up menu. Then click Share.
4. You ' ll see a message that your folder has been shared. Click Done.
5. Open the Active Directory Users and Computers tool. Expand the current domain, and right - click the RD OU. Select New Shared Folder.
6. In the New Object - Shared Folder dialog box, type Shared Folder Test for the name of the folder. Then type the UNC path to the share (for example, \\server1\Test Share). Click OK to create the share.
Some admin tasks allowed by AD Admin Center:
* Reset passwords
* Create new objects
* Delete objects
* Move objects
* Perform global searches
* Configure properties for AD objects
This command allows you to import and export data from Active Directory. The data gets stored in a comma-separated value (CSV) format.
This troubleshooting command checks the state of your domain controllers in your forest and sends back a report of any problems.
This command initiates the Active Directory Installation Wizard and adds or removes the Active Directory Domain Services (AD DS).
This command allows you to see and change permissions in the access control list (ACL) for objects in AD DS.
This command allows you to add an object to the AD DS directory.
This command shows the AD data stored in either a snapshot or a backup as if it were in a Lightweight Directory Access Protocol (LDAP) server.
This command provides database utilities for AD Lightweight Directory Services (AD LDS)
This command shows the properties of an object in the AD DS directory.
This command gives an administrator management utilities for Active Directory Lightweight Directory Services (AD LDS).
This command allows you to modify an AD DS object.
This command allows you to move an object in an AD domain from its current OU to a new OU within the same domain (it cannot move objects between domains).
This command allows you to query AD DS
This command removes an object from the AD DS directory.
This command allows you to import and export data from Active Directory. The data is stored in LDAP Data Interchange Format (LDIF).
This is one of the most important commands for AD. It allows you to do maintenance on the AD database.
This command allows administrators to diagnose AD replication problems between DCs.
ADMX Central Store
A storage area where the administrative template files (.admx files and their language-specific .adml files) are saved. It lives in the SYSVOL folder on a DC, under \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions, so it replicates to every DC and acts as the single repository for all administrative templates. Only the Group Policy tools on Windows Vista, Windows 7, and Windows Server 2008 or later understand ADMX files and use the Central Store; when it exists, those tools read templates from it instead of from their local PolicyDefinitions folder. Older, ADM-based tools ignore it.
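Creating the Central Store is a copy job, but the folder layout matters (ADMX files at the top, ADML files in per-language subfolders). The following PowerShell is an added example, not from the study guide; it assumes a domain-joined machine, an account that can write to SYSVOL, and that the local PolicyDefinitions folder is the template set you want to publish.

```powershell
# Added example: build the ADMX Central Store from the local PolicyDefinitions folder.
# Assumptions: domain-joined machine, account with write access to SYSVOL (Domain Admins),
# PowerShell 2.0 or later. The local ADMX/ADML set becomes the domain-wide template set.
$domain = $env:USERDNSDOMAIN.ToLower()
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $source)) { throw "No local ADMX folder at $source" }
if (-not (Test-Path $store))  { New-Item -ItemType Directory -Path $store | Out-Null }

# Top level holds the language-neutral .admx files ...
Copy-Item -Path (Join-Path $source '*.admx') -Destination $store -Force

# ... and each language subfolder (e.g. en-US) holds the matching .adml resource files.
Get-ChildItem -Path $source | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $langDir = Join-Path $store $_.Name
    if (-not (Test-Path $langDir)) { New-Item -ItemType Directory -Path $langDir | Out-Null }
    Copy-Item -Path (Join-Path $_.FullName '*.adml') -Destination $langDir -Force
}

# Verify: every local .admx must now exist in SYSVOL (replication carries it to the other DCs).
$local   = Get-ChildItem -Path $source -Filter *.admx | Select-Object -ExpandProperty Name
$remote  = Get-ChildItem -Path $store  -Filter *.admx | Select-Object -ExpandProperty Name
$missing = $local | Where-Object { $remote -notcontains $_ }
if ($missing) { Write-Warning "Not copied: $($missing -join ', ')" }
else          { "Central Store holds $($remote.Count) ADMX files" }
```

Once the folder exists, the Group Policy editor on Vista/2008 or later reports "Policy definitions (ADMX files) retrieved from the central store" under Administrative Templates and no longer reads the editing machine's local copy, which is the point: every administrator edits against the same template set.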
Security Template
Used to configure security settings through a GPO. Some of the security settings that can be configured are settings for account policies, local policies, event logs, restricted groups, system services, and the Registry.
Starter GPOs
Give admins the ability to store a collection of Administrative Template policy settings in a single object. Admins can then import and export these to easily distribute the objects to other environments. When a GPO is created from a Starter GPO, just like with any template, the new GPO receives the settings and values that were defined in the Starter GPO's Administrative Template policy. Only Administrative Template settings can be stored this way; security settings, scripts, and software installation are not part of a Starter GPO.
Group Policy Update Setting Change timing
Group Policy settings do not take effect immediately. You must run gpupdate at a command prompt (gpupdate /force reapplies every setting, not only the ones that changed) or wait for the regular refresh cycle: 90 minutes by default on clients and member servers, plus a random offset of up to 30 minutes so that the domain controllers are not hit all at once; domain controllers refresh every 5 minutes. Some settings (software installation and folder redirection, for example) are applied only at startup or logon, so for those a background refresh alone is not enough.
Restricted Groups
Allows you to control group membership by using a GPO. The groups referred to are the normal Active Directory groups (domain local, global, and universal) as well as the local groups on the computers the GPO applies to (the local Administrators group is the usual target). The policy offers two configurable properties: Members and Member Of.

The Members list is authoritative: when the policy is applied, any member of the restricted group that is not on the Members list is removed, and any account on the Members list that is not currently a member is added. The Member Of list is additive: the restricted group is added to each group named in the Member Of list, but nothing else in those groups is removed.
Software Restriction Policy
Allows administrators to identify software and to control its ability to run on the user's local computer, organizational unit, domain, or site. This prevents users from installing unauthorized software.
Local (GPO)
Every Windows operating system computer has one that is stored locally. This functions for both the computer and user Group Policy processing.
Sites (GPO)
These settings apply to all of the computers located in a site, and to the users logging on to them, regardless of which domain they belong to. Group Policy settings managed at the site level may therefore apply to more than one domain within the same forest, which makes them useful for settings tied to a physical location (a branch office, for instance) rather than to a domain or OU.
Domains (GPO)
GPO settings placed at the domain level will apply to all of the User and Computer objects within the domain. Usually, systems administrators make master settings at the domain level.
Group Policy Inheritance - What Takes Precedence?
GPOs are processed in the order local, site, domain, OU, then child OUs (often abbreviated LSDOU); each level's settings overwrite conflicting settings from the level processed before it. By default, therefore, the settings at the most specific level (in this case, the OU that contains the User object) override those at more general levels. Among several GPOs linked to the same container, the link order decides: the GPO with link order 1 is processed last and wins.
Block Policy Inheritance
The option specifies that Group Policy settings for an object are not inherited from its parents. You might use this, for example, when a child OU requires completely different settings from a parent OU. Note, however, that you should use this carefully because this option allows other systems administrators to override the settings made at higher levels.
Force Policy Inheritance
The Enforced (sometimes referred to as the No Override) option can be placed on a GPO link at a parent object and ensures that all lower-level objects inherit these settings even where Block Policy Inheritance is set. In some cases, systems administrators want to ensure that Group Policy inheritance is not blocked at other levels. For example, suppose it is corporate policy that all network accounts are locked out after five incorrect password attempts. In this case, you would not want lower-level systems administrators to override the option with other settings.

We must consider one final case: a setting that exists in both the Computer Configuration and the User Configuration and is configured with conflicting values. Contrary to what one might expect, the Computer Configuration setting takes precedence in that case (the explanation text of such policy settings says so explicitly). If a systems administrator applies one default setting in the Computer policy and a different one in the User policy, the one in the Computer policy takes effect. User settings remain the right place for preferences that should follow a person from machine to machine; machine-wide security baselines belong in Computer settings.
Local Computer Policy Tool
This administrative tool allows you to quickly access the Group Policy settings that are available for the local computer. These options apply to the local machine and to users who access it. You must be a member of the local administrators group to access and make changes to these settings.
Group Policy Management Console
Provides a single solution for managing all Group Policy-related tasks and is also best suited to handle enterprise-level tasks such as forest-related work.

Allows administrators to manage Group Policy and GPOs, whether their enterprise spans multiple domains and sites within one or more forests or is local to one site, all from one easy-to-use console. Adds flexibility, manageability, and functionality. Using this console, you can also perform other functions such as backup and restore, importing, and copying.
A command-line utility (auditpol.exe) that works with Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2. An administrator has the ability to display information about audit policies and also to perform some functions to manipulate them.

/? - Displays the auditpol.exe help
/get - Displays the current audit policy
/set - Sets a policy
/list - Lists the selectable audit categories and subcategories
/backup - Saves the audit policy to a file
/restore - Restores a policy from a previous backup
/clear - Clears the audit policy (deletes all per-user policies and disables every system subcategory)
/remove - Removes all per-user audit policy settings and disables all system audit policy settings.
Windows Management Instrumentation (WMI)
Used to gather information about a computer so that a GPO can be targeted more precisely. The best way to explain this is to give an example. Let's say we wanted to deploy Microsoft Office 2010 to everyone in the company. We would first set up a GPO to deploy the Office package (explained later in the section "Deploying Software through a GPO").

We can then attach a WMI filter to the GPO stating that only computers with at least 10 GB of free disk space actually deploy Office. If a computer has 10 GB free, the Office GPO is applied and Office installs; if it does not, the whole GPO is skipped for that computer. WMI queries can check other computer information as well, such as MAC addresses, operating system version, or installed memory.

WMI is a powerful tool because if you know how to write queries, the possibilities are endless. The following WQL query is a sample that checks for at least 10 GB (10737418240 bytes) of free space on the C: partition/volume.

Select * from Win32_LogicalDisk where FreeSpace > 10737418240 AND Caption = "C:"
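A WMI filter is a list of WQL queries, all run in the root\cimv2 namespace by default, and the GPO applies only if every query returns at least one object. The following PowerShell is an added example, not from the study guide, that reproduces that rule locally so a filter can be tested on a machine before it is attached to a GPO; the second query (ProductType 1 means workstation) and the MAC address are additions of this example.

```powershell
# Added example: evaluate a WMI filter the way Group Policy does, on the local computer.
# Assumptions: PowerShell 2.0 or later (Get-WmiObject); queries run in root\cimv2 like a
# GPO WMI filter. The queries other than the disk-space one are constructed for this example.
function Test-WmiFilter {
    [CmdletBinding()]
    param([string[]]$Queries, [string]$Namespace = 'root\cimv2')
    foreach ($q in $Queries) {
        # Every query must return at least one instance; one empty result filters the GPO out.
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $q -ErrorAction Stop)
        if ($hits.Count -eq 0) { Write-Verbose "No match for: $q"; return $false }
    }
    return $true
}

$officeFilter = @(
    'Select * from Win32_LogicalDisk where FreeSpace > 10737418240 AND Caption = "C:"',  # at least 10 GB free
    'Select * from Win32_OperatingSystem where ProductType = "1"'                        # workstations only
)
if (Test-WmiFilter -Queries $officeFilter -Verbose) { "Office GPO would apply to this computer" }
else                                                 { "Office GPO would be filtered out on this computer" }

# The MAC-address case mentioned above, added as a third query (hypothetical address).
$macQuery = 'Select * from Win32_NetworkAdapterConfiguration where MACAddress = "00:15:5D:01:02:03"'
Test-WmiFilter -Queries ($officeFilter + $macQuery) -Verbose
```

Two caveats follow from how the filter is evaluated: the queries run at every policy refresh, so a slow query delays every logon on every targeted computer, and a query that errors (wrong class name, wrong namespace) is treated as false, which silently removes the GPO everywhere rather than applying it.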
GPO Security Settings
The permissions options include the following:
Full Control
Create All Child Objects
Delete All Child Objects
Apply Group Policy

Of these, the Apply Group Policy setting is particularly important because you use it to filter the scope. Filtering is the process by which selected security groups are included or excluded from the effects of the group policy.
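Security filtering is done by editing the GPO's ACL, and the GroupPolicy module can do it without clicking through the Delegation tab. The following PowerShell is an added example, not from the study guide; it assumes the GPMC (GroupPolicy module) is installed, that the Software Deployment GPO from the exercises on this page exists, and that GPO-Software-Targets is a hypothetical global security group. It also reflects a later change worth knowing: since MS16-072 (2016), user settings are retrieved in the computer's security context, so Authenticated Users must keep Read on the GPO even when it loses Apply Group Policy.

```powershell
# Added example: security-filter a GPO so that only members of one group apply it.
# Assumptions: GroupPolicy module (GPMC installed); GPO 'Software Deployment' exists;
# 'GPO-Software-Targets' is a hypothetical global security group.
Import-Module GroupPolicy
$gpoName = 'Software Deployment'
$group   = 'GPO-Software-Targets'

# Authenticated Users has Read + Apply by default. Reduce it to Read rather than removing the
# ACE entirely: the computer account must still be able to read the GPO (MS16-072), and Read
# gives away nothing that is not already readable in SYSVOL.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Grant Read + Apply Group Policy to the target group only.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Verify the resulting filter: exactly one trustee should show GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission |
    Format-Table -AutoSize
```

The same cmdlet with -PermissionLevel None removes a trustee altogether, and -PermissionLevel GpoEdit or GpoEditDeleteModifySecurity delegates editing rights; any trustee with edit rights on a GPO that is linked to an OU containing servers can run code as SYSTEM on those servers through a startup script, so review that output as carefully as the Domain Admins membership.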
Script Policies
Specific options that are part of Group Policy settings for users and computers. These settings direct the operating system to the specific files that should be processed during the startup/shutdown or logon/logoff processes. You can create the scripts by using the Windows Script Host (WSH) or by using standard batch file commands.
Startup/Shutdown Scripts
These settings are located within the Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) object.
Logon/Logoff Scripts
These settings are located within the User Configuration > Windows Settings > Scripts (Logon/Logoff) object.
How to assign Scripts:
Double-click the setting, at which time its Properties dialog box appears. For instance, if you double-click the Startup setting, the Startup Properties dialog box appears, as shown in Figure 8.7. To add a script filename, click the Add button. When you do, you will be asked to provide the name of the script file (such as MapNetworkDrives.vbs or ResetEnvironment.bat).

The Show Files button opens the directory folder in which you should store the script files. In order to ensure that the files are replicated to all domain controllers, you should be sure that you place the files within the SYSVOL share. Startup and shutdown scripts run as LocalSystem on every computer the GPO applies to, so write access to a GPO's Scripts folder in SYSVOL is equivalent to administrative control of all of those computers; keep the permissions on that folder (and on the GPO itself) as tight as the permissions on the group that administers the computers.
Loopback Policy
Allows two ways to build the list of GPOs for any user logging on to a specific computer (typically a kiosk, lab machine, or terminal server in its own OU), using the user settings of the GPOs linked to the computer rather than those linked to the user:

Merge Mode - The user settings from the computer's GPOs are added to the end of the user's own GPO list. Because they are processed last, the computer's GPOs have higher precedence than the user's GPOs wherever the two conflict.

Replace Mode - The user's own GPOs are not used at all. Only the user settings from the GPOs that apply to the computer object are applied.
Computer Network Options (Group Policy location)
These settings are located within the Computer Configuration > Administrative Templates > Network > Network Connections folder.
User Network Options (Group Policy Location)
These settings are located within the User Configuration > Administrative Templates > Network folder.
Certificate Authorities (CAs)
Issue certificates, revoke certificates they've issued, and publish certificates for their clients.
Certificate Publishers
They make certificates publicly available, inside or outside an organization.
PKI-Savvy Applications
These allow you and your users to do useful things with certificates, like encrypt email or network connections.
Certificate Templates
These act like rubber stamps. By specifying a particular template as the model you want to use for a newly issued certificate, you're actually telling the CA which optional attributes to add to the certificate, as well as implicitly telling it how to fill some of the mandatory attributes. The template's own security permissions (Read, Enroll, Autoenroll) decide who can request a certificate of that kind.
Basic folder redirection
Redirects everyone's folders to the same location (but each user gets their own folder within that location).
Advanced folder redirection
Redirects folders to different locations based on group membership.
Configuring Folder Redirection in Group Policy
1. Open the GPMC tool.
2. Open the North America OU and then edit the Test CA GPO.
3. Open User Configuration > Policies > Windows Settings > Folder Redirection.
4. Right-click Documents and select Properties.
5. On the Target tab of the Documents Properties dialog box, choose the Basic - Redirect Everyone's Folder To The Same Location selection from the Setting drop-down list.
6. Leave the default option for the Target Folder Location drop-down list and specify a network path in the Root Path field.
7. Click the Settings tab. All of the default settings are self-explanatory and should typically be left with the default setting. Click OK when you have finished.
Folder Redirection vs Offline Folders
Folder redirection uses a pointer that moves the folders you want to a location you specify. Users do not see any of this; it is transparent to them. One problem with this method is that by itself it does not help mobile users (users who will be offline and therefore cannot reach the server copy of files they may need).

Offline Folders, however, are cached copies of server folders kept on the local machine. Files are available locally to you on the system you have with you, and they are also located back on the server where they are stored. The next time you connect, the folders are synchronized so that both copies contain the latest data. This is a perfect feature for mobile users, whereas folder redirection alone provides no benefit for the mobile user; in practice the two are combined (redirect the folder, then make it available offline).
Windows PowerShell Group Policy cmdlets
Maintain, create, remove, back up, and import GPOs.
Create, update, and remove GPO links to Active Directory containers.
Set Active Directory OUs and domain permissions and inheritance flags.
Configure Group Policy registry settings.
Create and edit Starter GPOs.

The requirement for the Windows PowerShell Group Policy cmdlets is Windows Server 2008 R2 on either a domain controller or a member server that has the GPMC installed (load them with Import-Module GroupPolicy).

Windows 7 can also use these cmdlets if it has the Remote Server Administration Tools (RSAT) installed.
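The five task groups listed above map onto a handful of cmdlets. The following PowerShell is an added example, not from the study guide, that walks through them once: it assumes Windows Server 2008 R2 with the GPMC installed (or Windows 7 with RSAT), an account allowed to create and link GPOs, the domain stellacon.com and the Software OU used elsewhere on this page, and a hypothetical backup folder C:\GPOBackups. The registry values written are the real policy locations behind the screen saver settings under User Configuration > Administrative Templates > Control Panel > Personalization.

```powershell
# Added example: the GroupPolicy cmdlets end to end.
# Assumptions: 2008 R2 + GPMC (or Windows 7 + RSAT); domain stellacon.com; OU 'Software'
# from the exercises on this page; C:\GPOBackups is a hypothetical folder.
Import-Module GroupPolicy
$ouDn    = 'OU=Software,DC=stellacon,DC=com'
$gpoName = 'Workstation-ScreenLock'
$backup  = 'C:\GPOBackups'

# Starter GPO (Administrative Template settings only), then a GPO created from it.
if (-not (Get-GPStarterGPO -Name 'Starter-ScreenLock' -ErrorAction SilentlyContinue)) {
    New-GPStarterGPO -Name 'Starter-ScreenLock' -Comment 'Idle lock baseline (added example)' | Out-Null
}
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -StarterGpoName 'Starter-ScreenLock' }

# Link it to the OU, enforced so that child OUs cannot block it.
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -Enforced Yes -ErrorAction SilentlyContinue | Out-Null

# Registry-based settings: enable the screen saver, require a password, 15-minute timeout.
$key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ScreenSaveActive'    -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ScreenSaveTimeOut'   -Type String -Value '900' | Out-Null

# Inheritance flags on the OU: make sure nobody left Block Inheritance switched on.
if ((Get-GPInheritance -Target $ouDn).GpoInheritanceBlocked) {
    Set-GPInheritance -Target $ouDn -IsBlocked No | Out-Null
}

# Back up the GPO; the folder can later feed Restore-GPO or Import-GPO in another domain.
if (-not (Test-Path $backup)) { New-Item -ItemType Directory -Path $backup | Out-Null }
Backup-GPO -Name $gpoName -Path $backup -Comment 'Post-change backup' |
    Select-Object DisplayName, Id, BackupDirectory
```

Get-GPOReport -Name $gpoName -ReportType Html -Path <file> produces the same settings report the GPMC shows, which is the quickest way to confirm that Set-GPRegistryValue wrote what you intended before the next refresh pushes it to the OU.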
Software Management Lifecycle
Phase 1: Deploying Software
Phase 2: Maintaining Software
Phase 3: Removing Software

*NOTE* Each of these three phases is managed by the Windows Installer service (msiexec.exe); the packages it consumes are .msi files.
Benefits of the Windows Installer
* Improved Software Removal
* More Robust Installation Routines
* Ability to Use Elevated Privileges
* Support for Repairing Corrupted Applications
* Prevention of File Conflicts
* Automated Installations
* Advertising and On-Demand Installations
Windows Installer File Types
* Microsoft Windows Installer Packages
* Microsoft Transformation Files
* Microsoft Patches
* Initialization Files
* Application Assignment Scripts
Microsoft Transformation Files
Are useful when you are customizing the details of how applications are installed. When a systems administrator chooses to assign or publish an application, they may want to specify additional options for the package. If, for instance, a systems administrator wants to allow users to install only the Microsoft Word and Microsoft PowerPoint components of Office 2010, they could specify these options within a transformation file. Then, when users install the application, they will be provided with only the options related to these components.
Initialization Files
In order to provide support for publishing non-Windows Installer applications, initialization files can be used. These files provide links to a standard executable file that is used to install an application. An example might be \\server1\software\program1\setup.exe. These files can then be published and advertised, and users can access the Add or Remove Programs icon to install them over the network.
Application Assignment Scripts (AAS)
Store information regarding assigning programs and any settings that the systems administrator makes. These files are created when Group Policy is used to create software package assignments for users and computers.
Assigning Applications
Makes the program available for automatic installation. The applications advertise their availability to the affected users or computers by placing icons within the Programs folder of the Start menu.
Publishing Applications
Applications are advertised, but no icons are automatically
created. Instead, the applications are made available for installation using the Add Or Remove Programs icon in Control Panel.
A new feature in Windows 7 and Windows Server 2008 R2, and the replacement for Software Restriction Policies. Allows you to configure rules that deny or allow applications: applications matched by a deny rule will not run on the system, whereas applications matched by an allow rule will operate properly. Rules identify an application by publisher (its digital signature), path, or file hash; publisher and hash rules are the ones that still hold when a user can write to the path.
Group Policy Slow Link Detection
A setting in the Computer and User section of the GPO defines a slow connection for the purposes of applying and updating GPOs.
Publishing and Assigning Applications Using Group Policy
1. Open the Active Directory Users and Computers tool from the Administrative Tools program group.
2. Expand the domain, and create a new top-level OU called Software.
3. Within the Software OU, create a user named Jane User with a login name of juser (choose the defaults for all other options).
4. Exit Active Directory Users and Computers and open the Group Policy Management Console.
5. Right-click the Software OU and choose Create A GPO In This Domain And Link It Here.
6. For the name of the new GPO, type Software Deployment.
7. To edit the Software Deployment GPO, right-click it and choose Edit. Expand the Computer Configuration > Policies > Software Settings object.
8. Right-click the Software Installation item, and select New > Package.
9. Navigate to the Software share that you created in Exercise 8.7.
10. Within the Software share, double-click the Office 2010 folder and select the appropriate MSI file depending on the version of Office 2010 that you have. Office 2010 Professional is being used in this example, so you'll see that the OFFICEMUI.MSI file is chosen. Click Open.
11. In the Deploy Software dialog box, choose Advanced. (Note that the Published option is unavailable because applications cannot be published to computers.) Click OK to return to the Deploy Software dialog box.
12. To examine the deployment options of this package, click the Deployment tab. Accept the default settings by clicking OK.
13. Within the Group Policy Object Editor, expand the User Configuration > Software Settings object.
14. Right-click the Software Installation item, and select New > Package.
15. Navigate to the Software share that you created in Exercise 8.7.
16. Within the Software share, double-click the Office 2010 folder, and select the appropriate MSI file. Click Open.
17. For the Software Deployment option, select Published in the Deploy Software dialog box and click OK.
18. Close the GPMC.
Applying Software Updates
1. Open the Group Policy Management Console from the Administrative Tools program group.
2. Click the Software OU, right-click the Software Deployment GPO, and choose Edit.
3. Expand the Computer Configuration > Policies > Software Settings > Software Installation object.
4. Right-click the software package, and select Properties from the context menu to bring up the Properties dialog box.
5. Select the Upgrades tab and click the Add button.
6. Click the Current Group Policy Object (GPO) radio button in the Choose A Package From section of the dialog box, or click the Browse button to select the GPO to which you want to apply the upgrade. Consult your application's documentation to see if you should choose the Uninstall The Existing Package, Then Install The Upgrade Package radio button or the Package Can Upgrade Over The Existing Package radio button.
7. Click Cancel to close the Add Upgrade Package dialog box.
8. Click Cancel and exit the GPMC.
Mandatory Upgrade
Forces everyone who currently has an existing version of the program to upgrade according to the GPO. Users who have never installed the program for whatever reason will be able to install only the new upgraded version.
Nonmandatory Upgrade
Allows users to choose whether they would like to upgrade. This upgrade type also allows users who do not have their application installed to choose which version they would like to use.
Default Package Location
This setting specifies the default filesystem or network location for software installation packages. This is useful if you are already using a specific share on a file server for hosting the necessary installation files.
New Packages
These settings specify the default type of package assignment that will be used when you add a new package to either the user or computer settings. If you'll be assigning or publishing multiple packages, you may find it useful to set a default here. Selecting the Advanced option enables Group Policy to display the package's Properties dialog box each time a new package is added.
Installation User Interface Options
When they are installing an application, systems administrators may or may not want end users to see all of the advanced installation options. If Basic is chosen, the user will only be able to configure the minimal settings (such as the installation location). If Maximum is chosen, all of the available installation options will be displayed. The specific installation options available will depend on the package itself.
Uninstall the Applications When They Fall out of the Scope of Management option
If this option is checked, an application is removed from a user or computer as soon as the GPO that delivered it no longer applies to them (for example, when the user account is moved to another OU or the GPO is unlinked), rather than lingering as an unmanaged installation.
Removing Programs
To remove an application, you can right-click the package within the Group Policy settings and select All Tasks > Remove.

When choosing to remove a software package from a GPO, you have two options:

* Immediately Uninstall The Software From Users and Computers
* Allow Users To Continue To Use The Software, But Prevent New Installations
Microsoft Windows Installer Settings
* Always Install with Elevated Privileges
* Search Order
* Disable Rollback
* Disable Media Source For Any Install
Resultant Set of Policy (RSoP)
Displays the exact settings that actually apply to individual users, computers, OUs, domains, and sites after inheritance and filtering have taken effect.

Runs in two modes:
* Logging Mode - Displays the actual settings that apply to users and computers.
* Planning Mode - Can be applied to users, computers, OUs, domains, and sites, and you use it before you actually apply any settings.
The command-line utility gpresult.exe is included as part of the RSoP tools. Running gpresult /r (on Windows Vista and later; earlier versions accepted gpresult with no switches) returns the following Group Policy information about the local user and computer:

* The name of the DC from which the local machine retrieved the policy info
* The date and time that the policies were applied
* Which policies were applied
* Which policies were filtered out
* Group membership
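Logging mode is the one you use during an incident or a "why didn't my policy apply" call, so it is worth knowing the three output forms. The following PowerShell is an added example, not from the study guide; it assumes an administrative prompt, the server1 and stellacon\juser names used on this page, a hypothetical C:\Reports folder, and the XML element names produced by gpresult /x.

```powershell
# Added example: gathering RSoP (logging mode) data with gpresult and the GroupPolicy cmdlet.
# Assumptions: administrative prompt; server1 / stellacon\juser are the names used on this
# page; C:\Reports is a hypothetical folder; XML element names follow the gpresult /x schema.
New-Item -ItemType Directory -Path C:\Reports -Force | Out-Null

# Summary for the logged-on user and this computer (the five items listed above).
gpresult /r

# Full HTML report for a different user on a remote computer. /user names the target account,
# who must have logged on to that computer at least once so that an RSoP entry exists.
gpresult /s server1 /user stellacon\juser /h C:\Reports\juser-on-server1.html /f

# Same data as XML so it can be parsed, e.g. to list the GPOs that were filtered out and why
# (FilterAllowed = WMI filter result, AccessDenied = security filtering result).
gpresult /s server1 /user stellacon\juser /x C:\Reports\juser-on-server1.xml /f
[xml]$rsop = Get-Content -Path C:\Reports\juser-on-server1.xml
$rsop.Rsop.UserResults.GPO |
    Select-Object Name, Enabled, IsValid, FilterAllowed, AccessDenied |
    Format-Table -AutoSize

# The cmdlet equivalent (GroupPolicy module), writing the same HTML report.
Import-Module GroupPolicy
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Reports\juser-cmdlet.html `
    -Computer server1 -User stellacon\juser
```

Reading the XML rather than the HTML is the quicker route when a GPO is missing from a machine: a GPO listed with AccessDenied true was removed by security filtering, one with FilterAllowed false by its WMI filter, and one absent altogether was never linked to a container in the user's or computer's path.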
Security Principals
AD objects that are assigned security identifiers (SIDs).
Local Users and Groups
Used to assign permissions necessary to access a local machine.
Domain Users and Groups
Used to assign permissions throughout the domain.
Group Scope
First it determines the level of security that applies to a group. Second, it determines which users can be added to the group.
Types of Group Scope
* Domain Local
* Global
* Universal
Domain Local - Group Scope
The scope of domain local groups extends as far as the local domain: they can be granted permissions only on resources in the domain where they exist. They are used to assign permissions to local resources, such as files and printers, and can contain user accounts, global groups, and universal groups from any trusted domain, plus (in native mode) other domain local groups from the same domain.
Global - Group Scope
Limited to a single domain for membership: a global group may contain only users (and, in native mode, other global groups) from the Active Directory domain in which it resides, but it can be granted permissions in any trusted domain. Global groups are often used for managing domain security permissions based on job functions.
Universal - Group Scope
Can contain users and groups from any domain within an Active Directory forest. Therefore, systems administrators use them to manage security across domains. They are available only when you're running Active Directory at the Windows 2000 Native, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 domain functional level. When you are managing multiple domains, it often helps to nest global groups within universal groups. For instance, if you have an Engineering global group in the research.stellacon.com domain and an Engineering global group in the asia.stellacon.com domain, you can create a universal group named AllEngineers that contains both of the global groups. Now whenever you must assign security permissions to all engineers within the organization, you need only assign permissions to the AllEngineers universal group.

For domain controllers to process authentication between domains, the membership of universal groups is stored in the Global Catalog (GC). Keep this in mind if you ever plan to place users directly into universal groups and bypass global groups, because all of the users will be enumerated in the GC, which will affect its size and the replication traffic between GCs.
Windows 2000 Mixed Domain Functional Level Limitations:
* Universal security groups are not available
* You are not allowed to change the scope of groups
* Limitations to group nesting exist. Specifically, the only nesting allowed is global groups contained in domain local groups.

*NOTE* When running in Native mode domains, you can make the following group scope changes:
- You can change domain local groups to a universal group. You can make this change only if the domain local group does not contain any other domain local groups.
- You can change a global group to a universal group. You can make this change only if the global group is not a member of any other global groups.
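The nesting pattern above (users in global groups, global groups in a universal group, the universal group in a domain local group that holds the permission) and the two scope-conversion rules can both be driven from the ActiveDirectory module. The following PowerShell is an added example, not from the study guide; it assumes Windows Server 2008 R2 or RSAT with the ActiveDirectory module, a domain at a native functional level, and a hypothetical Groups OU in stellacon.com.

```powershell
# Added example: nested groups with the three scopes, plus a check of the scope-conversion
# rules before changing a group's scope. Assumptions: ActiveDirectory module; native-mode
# domain; 'OU=Groups,DC=stellacon,DC=com' is a hypothetical OU.
Import-Module ActiveDirectory
$ou = 'OU=Groups,DC=stellacon,DC=com'

# Global group collects users of one domain; universal group collects global groups across
# domains; domain local group on the resource side is what actually receives the ACL entry.
New-ADGroup -Name 'Eng-Research'    -GroupScope Global      -GroupCategory Security -Path $ou
New-ADGroup -Name 'AllEngineers'    -GroupScope Universal   -GroupCategory Security -Path $ou
New-ADGroup -Name 'EngShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'AllEngineers'    -Members 'Eng-Research'
Add-ADGroupMember -Identity 'EngShare-Modify' -Members 'AllEngineers'

function Get-UniversalConversionBlockers {
    # Returns the names of groups that prevent converting $Name to Universal; nothing if allowed.
    param([string]$Name)
    $g = Get-ADGroup -Identity $Name -Properties MemberOf, Members
    switch ($g.GroupScope) {
        'Global' {
            # Rule: the global group may not be a member of another global group.
            $g.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ } |
                Where-Object { $_.GroupScope -eq 'Global' } | Select-Object -ExpandProperty Name
        }
        'DomainLocal' {
            # Rule: the domain local group may not contain another domain local group
            # (groupType bit 0x4 marks domain local scope).
            $g.Members | ForEach-Object { Get-ADObject -Identity $_ -Properties groupType } |
                Where-Object { $_.ObjectClass -eq 'group' -and ($_.groupType -band 4) } |
                Select-Object -ExpandProperty Name
        }
        default { @() }   # already Universal
    }
}

# Eng-Research is only a member of a universal group, so the conversion is allowed.
$blockers = Get-UniversalConversionBlockers -Name 'Eng-Research'
if ($blockers) { Write-Warning "Cannot convert Eng-Research: nested in global group(s) $($blockers -join ', ')" }
else           { Set-ADGroup -Identity 'Eng-Research' -GroupScope Universal }

# EngShare-Modify contains only a universal group, so it too could become Universal.
Get-UniversalConversionBlockers -Name 'EngShare-Modify'
```

Set-ADGroup simply fails with a constraint violation when a rule is broken; the check function exists so that the failing nesting is named before you start a bulk conversion rather than half-way through it.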
Built-in Domain Local Groups
Systems administrators use these to perform administrative functions on the local server. Because these have preassigned permissions and privileges, they allow systems administrators to easily assign common management functions.
Guest Account
Disabled by default. Its purpose is to provide access to users who do not have an individual logon and password to use within the domain. Although this might be useful in some situations, it is generally recommended that it stay disabled to increase security.
krbtgt or Key Distribution Center Service account
This account is created automatically when the first domain controller is promoted (DCPromo.exe) and is the service account of the Kerberos Key Distribution Center: keys derived from its password are what every ticket-granting ticket (TGT) issued in the domain is encrypted and signed with. The account is disabled by default, cannot be used to log on to the domain, and therefore never needs to be enabled. Because anyone holding its key can forge a TGT for any user, its password should be reset (twice, allowing replication to complete between resets) whenever domain credentials are suspected to be compromised.
Predefined Global Groups
* Cert Publishers
* Domain Computers
* Domain Admins
* Domain Controllers
* Domain Guests
* Domain Users
* Enterprise Admins
* Group Policy Creator Owners
* Schema Admins
Domain Guests Group
Generally, by default, members are given minimal permissions with respect to resources. Systems administrators may place user accounts in this group if they require only basic access or temporary permissions within the domain.
Foreign Security Principals
Represent users and groups from trusted domains outside the forest so that permissions can be assigned to them. The objects are created automatically when such a principal is added to a group in the domain and do not require the intervention of systems administrators. You can add them to domain local groups, which in turn can be granted permissions for resources within the domain. You can view the list in the ForeignSecurityPrincipals container in the Active Directory Users and Computers tool.
Control Access
Changes security permissions on the object
Create Child
Creates objects within an OU (such as other OUs)
Delete Child
Deletes child objects within an OU
Delete Tree
Deletes an OU and the objects within it
List Contents
View objects within an OU
List Object
Views a list of objects within an OU
Views properties of an object (such as a username)
Modifies properties of an object
Access Control List (ACL)
A list of user accounts and groups that are allowed to access a resource.
Access Control Entry (ACE)
Defines what a user or group can actually do with the resource.
Fine-Grained Password Policy
Lets a domain at the Windows Server 2008 functional level or higher have more than one password and account lockout policy. The policy is a Password Settings Object (PSO) stored in the Password Settings Container; create it with ADSI Edit (or with the Active Directory PowerShell cmdlets on 2008 R2) and then use Active Directory Users and Computers to apply it to a user or to a global security group. PSOs cannot be applied to OUs. When several PSOs cover one user, the one with the lowest precedence value wins.
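On 2008 R2 the ADSI Edit step can be replaced by cmdlets, which also makes it easy to prove which policy a given user actually ends up with. The following PowerShell is an added example, not from the study guide; it assumes the domain is at the Windows Server 2008 functional level, the ActiveDirectory module is loaded, and uses the juser account from the exercises on this page. The PSO enforces the five-attempt lockout mentioned in the inheritance discussion above, but only for privileged accounts.

```powershell
# Added example: create a fine-grained password policy (PSO) and verify the resultant policy.
# Assumptions: domain functional level Windows Server 2008 or higher (required for PSOs);
# ActiveDirectory module; 'juser' is the account created in the exercises on this page.
Import-Module ActiveDirectory
$mode = (Get-ADDomain).DomainMode
if ($mode -lt 'Windows2008Domain') { throw "PSOs need the 2008 domain functional level, current: $mode" }

# Stricter settings for privileged accounts: 15-character minimum, 5 bad attempts lock the
# account for 30 minutes. Lower Precedence wins when a user is covered by several PSOs.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# A PSO can only be applied to users and global security groups, never to an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Domain Admins'

# Resultant policy: a Domain Admin gets the PSO; a regular user gets nothing back from the
# cmdlet, meaning the Default Domain Policy settings apply.
foreach ($user in 'Administrator', 'juser') {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) { '{0}: {1} (min length {2}, lockout after {3})' -f $user, $pso.Name, $pso.MinPasswordLength, $pso.LockoutThreshold }
    else      { '{0}: no PSO, Default Domain Policy applies' -f $user }
}
```

Get-ADUserResultantPasswordPolicy is the check to run after any change: PSO precedence ties, a user in two groups with different PSOs, or a PSO applied to a domain local group by mistake (which has no effect) all show up there rather than in the PSO object itself.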
Smart Cards
Store the user's certificate and the matching private key on a chip embedded in a plastic card; the private key never leaves the card, which performs the logon signature internally. As an alternative to the standard username and password logon process, users insert the smart card into a smart card reader attached to the computer and enter a unique PIN on the keyboard. This provides the system with a two-factor secure logon (the device and the PIN) and reduces the likelihood that a user's authentication method will be stolen without detection.

To deploy this type of solution in the enterprise you must have a certificate authority (CA) and a public-key infrastructure (PKI) on your intranet. In each domain, you must configure the security permissions of the ______ User, _______ Logon, and Enrollment Agent certificate templates to allow smart card users to enroll for certificates.
You must also set up the CA to issue __________ certificates and Enrollment Agent certificates.
Configuring Group Policy to Require Smart Card Logon
1. Open the Active Directory Users and Computers tool.
2. Create a new top-level OU called Smart Card Test.
3. Close the Active Directory Users and Computers tool and open the Group Policy Management Console.
4. Right-click the Smart Card Test OU and select Create A GPO In This Domain And Link It Here.
5. In the New GPO dialog box, enter Smart Card GPO Test in the Name box and click OK. Right-click the new GPO and then click the Edit button.
6. In the Group Policy Object Editor window, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
7. Double-click the Interactive Logon: Require Smart Card policy.
8. Check the box labeled Define This Policy Setting, and then select Enabled and click OK.
9. Close the Group Policy Management Console.

Note that this setting is enforced by the computers the GPO applies to. To require a smart card for one account on every computer, set the account's "Smart card is required for interactive logon" option in Active Directory Users and Computers instead; that option also replaces the account's password with a random value so the password can no longer be used.
Security Configuration and Analysis Utility
Used with security template files to create, modify, and apply security settings in the Registry and define security settings.

Can be accessed via a snap-in within the MMC.

* The secedit.exe command-line tool offers all the functionality in a command line environment.
Process for working with the Security Configuration and Analysis Utility
1. Open or create a security database file.
2. Import an existing template file.
3. Analyze the local computer.
4. Make any setting changes.
5. Save any template changes.
6. Export the new template (optional).
7. Apply the changes to the local computer (optional).
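The same seven steps can be scripted with secedit.exe, which is how the analysis is usually automated across many servers. The following PowerShell is an added example, not from the study guide; it assumes an elevated prompt on the computer being analyzed, a hypothetical working folder C:\SecAnalysis, and a minimal template constructed inline in the real .inf format (the password and lockout settings live in its [System Access] section).

```powershell
# Added example: the seven-step Security Configuration and Analysis process with secedit.exe.
# Assumptions: elevated prompt; C:\SecAnalysis is a hypothetical folder; the template below is
# a constructed minimal security template in the standard INF format.
$work     = 'C:\SecAnalysis'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$template = "$work\baseline.inf"
$db       = "$work\baseline.sdb"
$log      = "$work\analysis.log"

# Step 2's template: account policy settings (Unicode .inf, as secedit expects).
@'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 5
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $template -Encoding Unicode

# Steps 1-2: create the database and import the template into it.
secedit /import /db $db /cfg $template /overwrite /quiet

# Step 3: analyze the local computer against the database.
secedit /analyze /db $db /cfg $template /log $log /quiet

# The analysis log lists every setting that differs from the template as "Mismatch - <name>".
$mismatches = Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line.Trim() }
if ($mismatches) { 'Settings that differ from the template:'; $mismatches }
else             { 'Local computer matches the template' }

# Step 6: export the computer's current settings as a template of their own (for diffing or reuse).
secedit /export /cfg "$work\current.inf" /areas SECURITYPOLICY /quiet

# Step 7 (optional, and this one changes the machine): apply the template's account-policy area.
# secedit /configure /db $db /cfg $template /areas SECURITYPOLICY /log $log /quiet
```

Keep the /configure line commented until the mismatch list has been reviewed: secedit applies everything in the selected areas, and on a domain controller the account-policy values are overridden by the Default Domain Policy at the next refresh anyway, so the analysis output is the useful part there.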
Steps to configure Auditing:
1. Configure the size and storage settings for the audit logs
2. Enable categories of events to audit
3. Specify which objects and actions should be recorded in the audit log
The main categories for auditing:
* Audit account logon events
* Audit account management
* Audit directory service access
* Audit logon events
* Audit object access
* Audit policy change
* Audit privilege use
* Audit process tracking
* Audit system events
Audit Account Logon Events
You enable this auditing event if you want to audit when a
user authenticates with a domain controller and logs onto the domain. This event is logged in the Security Log on the domain controller.
Audit Directory Service Access
Occurs whenever a user or administrator accesses Active Directory objects. Let's say an administrator opens Active Directory and clicks a user account; even if nothing is changed on that account, an event is logged.
Audit Logon Events
Are created on the computer where the logon or logoff actually happens, for both local and domain accounts. For example, you have a user who logs on to a server so that they can access files; the act of logging on to that server creates this audit event in that server's Security log (the domain controller that validated the credentials records an account logon event instead).
Audit Object Access
Allows you to audit objects within your network such as folders, files, and printers. If you suspect someone is trying to hack into an object (for example, the finance folder), this is the auditing that you would use. You still would need to enable auditing on the actual object (for example, the finance folder).
Audit Policy Change
Allows you to audit changes to user rights assignment policies, audit policies, or trust policies. Because it also records when anyone changes the other audit policies, it is worth enabling even when nothing else is.
Audit Privilege Use
Allows an administrator to audit each instance of a user exercising a user right (privilege). For example, changing the system time on a machine exercises the Change the system time right. Logon rights such as Allow log on locally are also listed under User Rights Assignment, but they are exercised at logon time and show up under the logon categories above rather than here.

In order to audit access to objects stored within Active Directory, you must enable the Audit Directory Service Access option. Then you must specify which objects and actions should be tracked.
What's New In Windows Server 2008 R2 Auditing
* Global Object Access Auditing - Administrators using Windows Server 2008 R2 and Windows 7 can define computer-wide system access control lists (SACLs), one for the filesystem and one for the Registry. Once defined, the SACL is applied automatically to every object of that type on the computer, so you no longer need to edit each object's SACL individually (the per-object requirement noted under Audit Object Access).

* "Reason for Access" Reporting - Auditing has always shown whether an operation succeeded or failed, but not the reason why. In Windows Server 2008 R2 and Windows 7 the object access events also list the permissions requested and the ACEs that produced the decision. This reporting depends on the Audit Handle Manipulation subcategory being enabled.

* Advanced Audit Policy Settings - Windows Server 2008 R2 exposes 53 subcategories (under Advanced Audit Policy Configuration in Group Policy, or through auditpol.exe) that can be used in place of the 9 basic auditing categories. These settings, shown in Figure 9.8, let administrators target the types of activity they want to audit much more precisely. Use one model or the other: once advanced settings are applied, the basic settings are ignored.
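The two halves of the Audit Object Access section (enable the category, then put a SACL on the object) and the 2008 R2 additions above, worked through on one folder. This is an added example, not from the study guide; the folder D:\Finance, the audited principal and the rights chosen are assumptions.

```powershell
# Added example (not from the study guide): object access auditing on a folder,
# the 2008 R2 global SACL alternative, and reading the resulting events.
$folder  = 'D:\Finance'     # hypothetical folder to watch
$auditee = 'Everyone'       # hypothetical principal whose access is audited

# Step 2 of the auditing process: enable the category. On 2008 R2 use the
# advanced subcategory rather than the basic "Audit object access" category.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
# "Reason for Access" reporting needs Handle Manipulation enabled as well.
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
auditpol /get /category:"Object Access"

# Step 3: the category alone logs nothing; the object needs a SACL entry.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $auditee,
    [System.Security.AccessControl.FileSystemRights]'Delete, Write, TakeOwnership, ChangePermissions',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $folder -Audit      # -Audit is required to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl     # needs SeSecurityPrivilege (Administrators)
(Get-Acl -Path $folder -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags

# 2008 R2 alternative: one computer-wide SACL for every file and folder, so no
# per-object editing is needed. FW = write access; use FR for reads.
auditpol /resourceSACL /set /type:File /user:$auditee /success /failure /access:FW
auditpol /resourceSACL /type:File /view /user:$auditee

# Verify: event 4663 is "An attempt was made to access an object". With Handle
# Manipulation on, its message carries the Access Reasons section.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeCreated, Id, Message
```

Auditing writes, deletes and permission changes rather than reads keeps the Security log usable; auditing reads on a busy share generates a 4663 for every file open, which is why the log size from step 1 of the auditing process matters.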
Monitoring DC Performance. The major areas to monitor are:
Processor (CPU) time
Disk I/O (input/output)
Disk space
Network utilization
Memory - Pages/Sec
Indicates the number of pages of memory that must be read from or written to disk per second. A high number may indicate that more memory is needed.
Network Interface - Packets Received Errors
Specifies the number of received network packets that contain errors. A high number may indicate problems with the network connection.
Network Segment - % Net Utilization
Specifies the percentage of the segment's bandwidth currently in use. A high value may indicate network congestion. This object requires the Network Monitor driver and is not present by default.
Paging File - % Usage
Indicates the amount of the Windows virtual memory file in use. If this is a large number, the machine may benefit from a RAM upgrade.
Physical Disk - Avg. Disk Queue Length
Indicates the number of disk read or write requests that are waiting to access the disk. If this value is high, disk I/O could potentially be a bottleneck.
Server - Bytes Total/Sec
Specifies the number of bytes per second the Server service (file and print sharing) has sent to and received from the network. A high value usually indicates that the server is fulfilling many data requests (such as a busy file/print server).
Counters that should be monitored for NTDS performance (all exposed under the NTDS performance object):
* The Address Book (AB)
* The Directory Replication Agent (DRA)
* The Directory Service (DS)
* The Lightweight Directory Access Protocol (LDAP)
* The Security Accounts Manager (SAM)
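Sampling the counters above with Get-Counter and flagging the ones that exceed a threshold, as an added example that is not from the study guide. The threshold values are assumptions for illustration; the book gives only "high" and "low". The NTDS counter paths are real counters from the NTDS object (LDAP, DRA and DS groups).

```powershell
# Added example (not from the study guide): sample the DC counters discussed
# above and flag any whose average exceeds an (assumed) threshold.
$counters = @(
    '\Memory\Pages/sec',
    '\Paging File(_Total)\% Usage',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Packets Received Errors',
    '\Server\Bytes Total/sec',
    '\NTDS\LDAP Searches/sec',
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DS Directory Reads/sec'
)
# Keyed by the counter name (last path segment); values are illustrative only.
$thresholds = @{
    'pages/sec'               = 1000
    '% usage'                 = 70
    'avg. disk queue length'  = 2
    'packets received errors' = 0
}

function Test-DcCounters {
    param([int]$Samples = 3, [int]$IntervalSeconds = 5)
    $data = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    # Average each counter path over the samples, then compare with the thresholds.
    $data.CounterSamples |
        Group-Object Path |
        ForEach-Object {
            $avg  = ($_.Group | Measure-Object CookedValue -Average).Average
            $name = $_.Name.Split('\')[-1]                    # e.g. 'pages/sec'
            [pscustomobject]@{
                Counter   = $_.Name -replace '^\\\\[^\\]+', ''  # strip the \\HOST prefix
                Average   = [math]::Round($avg, 2)
                Threshold = $thresholds[$name]
                Flag      = ($thresholds.ContainsKey($name) -and $avg -gt $thresholds[$name])
            }
        }
}

Test-DcCounters | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Three samples at five-second intervals is enough to see whether a value is sustained rather than a spike; for a baseline, run the same function from a Performance Monitor data collector set over a working day and compare.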
Event Viewer Subscription
Subscriptions collect events that match a query you define (logs, event levels, event IDs, keywords) from one or more remote computers into a local log, normally Forwarded Events, using the Windows Event Collector service over WinRM. In the Subscription Properties dialog box you define the source computers, the event query, the destination log and the delivery mode. Because it brings events from many machines into one place, it is the built-in way to watch for events across the network, for example collecting the audit events above from every domain controller.
System State Data
Includes the components that the Windows Server 2008 R2 OS relies on for normal operation; on a domain controller it contains everything needed to rebuild the directory:

* AD
* Boot Files
* COM+ Class Registration Database
* Registry
* SYSVOL Directory
Steps to restore System State data:
1. Fix any hardware problem that might prevent the computer from booting (for example, replace any failed hard disks).
2. Reinstall the Windows Server 2008 R2 operating system. This should be performed like a regular installation on a new system.
3. Reinstall any device drivers that may be required by your backup device. If you backed up information to the filesystem, this will not apply.
4. Restore the System State data using Windows Server Backup (or wbadmin). On a domain controller, reboot into Directory Services Restore Mode (DSRM) first; AD DS cannot be running while its database is restored.
Wbadmin command-line utility
Replaces the old ntbackup command and backs up/restores the OS, volumes, files, folders, applications, and System State from a command prompt. The account used to run the command must be a member of the Backup Operators or Administrators group.
Authoritative Restore
A restore process that marks Active Directory objects on one domain controller as authoritative (the master copy). ntdsutil raises the version numbers of the restored objects so that, when other domain controllers next replicate with this one, their copies (including a deletion) are overwritten by the restored data rather than the other way round. It is performed after a normal (nonauthoritative) System State restore and before the domain controller replicates again.

AD DS cannot be running during this process: the domain controller must be booted into Directory Services Restore Mode (DSRM).
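The System State restore steps, the wbadmin utility and the authoritative restore above, carried through on one domain controller. This is an added example, not from the study guide; the backup volume E:, the backup version timestamp and the OU being restored (OU=Sales,DC=stellacon,DC=com, borrowing the book's example domain) are assumptions. The DC reboots twice, so the block is run in two halves.

```powershell
# Added example (not from the study guide): System State backup of a DC with
# wbadmin, then an authoritative restore of one OU. Volume, version and OU are
# hypothetical.

# --- Normal operation: take the backup (Backup Operators or Administrators) ---
# The target must not be a critical volume, i.e. not the one holding ntds.dit.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# List the backups and note the version identifier needed for recovery.
wbadmin get versions -backupTarget:E:

# --- Recovery: boot into Directory Services Restore Mode ---
# Mark the DC to boot into DSRM, reboot, and log on with the DSRM administrator
# password (the one set with ntdsutil "set dsrm password").
bcdedit /set safeboot dsrepair
Restart-Computer

# In DSRM: nonauthoritative restore of System State from the chosen version.
wbadmin start systemstaterecovery -version:03/15/2011-22:00 -backupTarget:E: -quiet

# Still in DSRM, before the DC replicates again: mark the OU authoritative so the
# restored copy wins. ntdsutil increments the version numbers of every object in
# the subtree; without this step the other DCs would simply re-delete it.
ntdsutil "activate instance ntds" "authoritative restore" `
         "restore subtree OU=Sales,DC=stellacon,DC=com" quit quit

# Return to normal boot and let replication propagate the restored objects.
bcdedit /deletevalue safeboot
Restart-Computer
```

Restore only the subtree or object you need; an authoritative restore of the whole database ("restore database") rolls back every change made in the forest since the backup, including password changes and the computer account passwords that machines use to log on.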
To enable the AD Recycle Bin
- You must be a member of the Enterprise Admins group (and of Schema Admins for the adprep /forestprep step). The schema master is a domain controller role, not a group.

* Run the adprep /forestprep command, to prepare the forest, on the server that holds the schema master role to update the schema.
* Run the adprep /domainprep /gpprep command, to prepare each domain, on the server that holds the infrastructure operations master role.
* If a read-only domain controller (RODC) is present in your environment, you must also run the adprep /rodcprep command.
* Make sure all domain controllers in your Active Directory forest are running Windows Server 2008 R2 (the adprep steps only apply to a forest that already contains older domain controllers).
* Raise the forest functional level to Windows Server 2008 R2.
* Finally, enable the optional feature itself (Enable-ADOptionalFeature or ldp.exe). Enabling the Recycle Bin is irreversible.
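The prerequisite checks, the enable step and a recovery of a deleted user with the Active Directory module, as an added example that is not from the study guide. The user jsmith is assumed; the cmdlets are the ones shipped in the Windows Server 2008 R2 Active Directory module.

```powershell
# Added example (not from the study guide): verify the prerequisites, enable the
# AD Recycle Bin, and restore a deleted user. The account name is hypothetical.
Import-Module ActiveDirectory
$forest = Get-ADForest

# Prerequisite: the forest functional level must be Windows Server 2008 R2.
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest functional level is $($forest.ForestMode); raise it first " +
          "(Set-ADForestMode -Identity $($forest.Name) -ForestMode Windows2008R2Forest)."
}

# Enabling is one-way: the feature cannot be disabled afterwards.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false

# Confirm: EnabledScopes is non-empty once the feature is active.
(Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"').EnabledScopes

# Recovery. With the Recycle Bin on, deleted objects keep their attributes (group
# memberships included) for the deleted object lifetime. List them with their
# former location; the "Deleted Objects" container itself is excluded.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent |
    Select-Object Name, ObjectClass, lastKnownParent

# Restore-ADObject puts the object back where it was, provided the parent
# container still exists; use -TargetPath to restore it elsewhere otherwise.
Get-ADObject -Filter 'samAccountName -eq "jsmith"' -IncludeDeletedObjects |
    Restore-ADObject
```

Without the Recycle Bin, a deleted object becomes a tombstone with most attributes stripped, and recovering it means an authoritative restore from backup; this is the operational difference the feature was introduced to remove.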
The primary method by which systems administrators do offline maintenance is the ntdsutil command-line tool. You launch it by entering ntdsutil at a command prompt. The ntdsutil command is both interactive and context sensitive: once you launch the utility, you'll see an ntdsutil command prompt at which you enter commands that set your context within the application (for example files, then compact to). The same commands can be chained on one line as quoted arguments, which is how ntdsutil is scripted.

Common ntdsutil operations:
* compact to (in the file maintenance context, entered with files): offline defragmentation of the database
* metadata cleanup: removes the metadata of a domain controller that was not demoted cleanly
* set DSRM password: sets the Directory Services Restore Mode administrator password
* authoritative restore: marks restored objects or subtrees as authoritative
* snapshot: creates, lists and mounts snapshots of the database
A tool that can help the recovery process by giving you a way to compare data as it exists in snapshots so that you have the ability to decide which AD database to restore.

You must be a member of the Domain Admins group or Enterprise Admins group to view any snapshots taken.
Defrag the AD database
Use ntdsutil (files, then compact to <directory>) to perform an offline defragmentation. AD DS must not be running: boot into DSRM or, on Windows Server 2008 and later, simply stop the Active Directory Domain Services service. The command writes a new, compacted copy of the database; the target can be on the same machine or a network location. Afterwards, copy the compacted Ntds.dit back over the original (keep the old file until the new one is verified), delete the old transaction log files, run files integrity, and restart AD DS. Take a System State backup before you start.
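The offline compaction above as a scripted procedure, using the restartable AD DS service on Windows Server 2008 R2 instead of a DSRM reboot. This is an added example, not from the study guide; the target directory D:\NtdsCompact is an assumption, and the live paths are read from the NTDS service parameters rather than hard-coded.

```powershell
# Added example (not from the study guide): offline defragmentation of ntds.dit
# with the AD DS service stopped. Target directory is hypothetical.
$compactDir = 'D:\NtdsCompact'
$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = $params.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logDir  = $params.'Database log files path'    # e.g. C:\Windows\NTDS
New-Item -ItemType Directory -Path $compactDir -Force | Out-Null

# Take a System State backup before touching the database (wbadmin start
# systemstatebackup); compaction replaces the file that backup protects.

# 1. Stop AD DS. -Force also stops the services that depend on it (KDC, DNS on
#    a DC, Intersite Messaging), which is why this is done in a maintenance window.
Stop-Service NTDS -Force

# 2. Write a compacted copy of the database to the target directory.
ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit

# 3. Swap the files: keep the original as a fallback, copy the compacted file
#    into place, and delete the old transaction logs, which no longer match it.
Rename-Item -Path $ditPath -NewName 'ntds.dit.old'
Copy-Item -Path (Join-Path $compactDir 'ntds.dit') -Destination $ditPath
Remove-Item -Path (Join-Path $logDir 'edb*.log')

# 4. Verify the new file before bringing the directory back online. A failed
#    integrity check means: put ntds.dit.old back and restore the logs from backup.
ntdsutil "activate instance ntds" files integrity quit quit

# 5. Start AD DS again. The dependent services stopped in step 1 are not started
#    automatically; start them too, or simply reboot the domain controller.
Start-Service NTDS
```

Offline defragmentation only pays off when a large amount of data has been removed (for example after a Global Catalog was demoted or a large OU deleted); the nightly online defragmentation reclaims space within the file but never shrinks it.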
The repadmin utility is included when you install Windows Server 2008 R2 and lets administrators view the replication topology, partners and status of each DC as seen from that DC's own perspective (repadmin /showrepl, /replsummary), force replication (/syncall) and recalculate the topology (/kcc).
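Turning repadmin's per-DC view into a forest-wide check for failing replication links, as an added example that is not from the study guide. The domain controller name DC01.stellacon.com is an assumption; the column names come from repadmin's own /csv output.

```powershell
# Added example (not from the study guide): find replication partners that are
# failing, using repadmin's CSV output. DC name is hypothetical.
function Get-FailingReplicationLinks {
    # /showrepl * /csv emits one row per naming context per inbound partner for
    # every DC in the forest, with a header row ConvertFrom-Csv can use directly.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

Get-FailingReplicationLinks | Format-Table -AutoSize

# Forest-wide summary: largest replication delta and failure counts per DC.
repadmin /replsummary

# One DC's own view of its inbound partners (what the study guide describes).
repadmin /showrepl DC01.stellacon.com

# Troubleshooting: recompute the topology on that DC, then push-sync all of
# its naming contexts to every partner across sites (/A all NCs, /d show DNs,
# /e enterprise, /P push).
repadmin /kcc DC01.stellacon.com
repadmin /syncall DC01.stellacon.com /AdeP
```

A link that has failed for longer than the tombstone lifetime (180 days on a forest created with Windows Server 2008 R2) cannot simply be resumed; the stale DC has to be demoted and its metadata removed with ntdsutil metadata cleanup, so this check is worth scheduling.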
ADSI Editor
ADSI Edit (adsiedit.msc) is a low-level utility that allows you to manage objects and attributes in AD. It can view every object and attribute in an AD forest, including the Configuration and Schema partitions that the standard consoles hide, and allows you to query, view, create, and edit attributes. It performs no validation beyond the schema, so a mistaken edit can damage the directory; use it with a current System State backup.