MCTS 70-640 Windows Server 2008 Active Directory, Configuring
Don Poulton

MCTS 70-640 Exam Cram: Windows Server 2008 Active Directory, Configuring
Copyright © 2009 by Pearson Education, Inc.

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-3791-5
ISBN-10: 0-7897-3791-4

Library of Congress Cataloging-in-Publication Data
Poulton, Don.
MCTS 70-640 exam cram : Windows server 2008 active directory, configuring / Don Poulton. -- 1st ed.
p. cm.
ISBN 978-0-7897-3791-5 (pbk. w/cd)
1. Electronic data processing personnel--Certification. 2. Microsoft software--Examinations--Study guides. 3. Directory services (Computer network technology)--Examinations--Study guides. I. Title.
QA76.3.P667 2008
005.7'1376--dc22
2008034083

Printed in the United States of America
First Printing: September 2008

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Que Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

Bulk Sales
Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact
U.S. Corporate and Government Sales
1-800-382-3419
[email protected]
For sales outside of the U.S., please contact
International Sales
[email protected]

Associate Publisher: Dave Dusthimer
Executive Editor: Betsy Brown
Development Editor: Deadline Driven Publishing
Managing Editor: Patrick Kanouse
Project Editor: Amanda Gillum
Copy Editor: Gill Editorial Services
Indexer: Tim Wright
Proofreader: Leslie Joseph
Technical Editors: David Camardella, Pawan J. Bhardwaj
Publishing Coordinator: Vanessa Evans
Book Designer: Gary Adair
Composition: Louisa Adair

Contents at a Glance

Introduction
Self-Assessment
CHAPTER 1 Getting Started with Windows Server 2008 Active Directory
CHAPTER 2 Active Directory and DNS
CHAPTER 3 Active Directory Sites and Replication
CHAPTER 4 Configuring Additional Active Directory Roles
CHAPTER 5 Active Directory Objects and Trusts
CHAPTER 6 Configuring and Troubleshooting Group Policy
CHAPTER 7 Group Policy and Active Directory Security
CHAPTER 8 Monitoring and Maintaining the Active Directory Environment
CHAPTER 9 Active Directory Certificate Services
CHAPTER 10 Practice Exam 1
CHAPTER 11 Answer Key to Practice Exam 1
CHAPTER 12 Practice Exam 2
CHAPTER 13 Answer Key to Practice Exam 2
APPENDIX A Need to Know More?
APPENDIX B What’s on the CD-ROM
APPENDIX C Installing Windows Server 2008
Glossary
Index

Table of Contents

Introduction

Self-Assessment
    MCTSs and MCITPs in the Real World
    The Ideal MCITP Candidate
    Put Yourself to the Test
    Testing Your Exam Readiness
    Well, Let’s Get to It

Chapter 1: Getting Started with Windows Server 2008 Active Directory
    The Building Blocks of Active Directory
    Domains
    Trees
    Forests
    Organizational Units
    Sites
    Domain Controllers
    Global Catalog
    Operations Masters
    New Features of Active Directory in Windows Server 2008
    Server Manager
    Configuring Forests and Domains
    Requirements for Installing Active Directory Domain Services
    Installing Active Directory Domain Services
    Verifying the Proper Installation of Active Directory
    Performing Unattended Installations of Active Directory
    Server Core Domain Controllers
    Active Directory Migration Tool (ADMT) v.3.1
    Alternate User Principal Name (UPN) Suffixes
    Removing Active Directory
    Upgrading from Windows Server 2003
    Interoperability with Previous Versions of Active Directory
    Upgrading a Windows Server 2003 Domain Controller
    Configuring Global Catalog Servers
    Promotion of Domain Controllers to Global Catalog Servers
    Universal Group Membership Caching (UGMC)
    Partial Attribute Sets
    Configuring Operations Masters
    Schema Master
    Domain Naming Master
    PDC Emulator
    Infrastructure Master
    RID Master
    Placement of Operations Masters
    Transferring and Seizing of Operations Master Roles
    Exam Cram Questions
    Answers to Exam Cram Questions

Chapter 2: Active Directory and DNS
    Configuring DNS Zones
    DNS Zone Types
    Creating DNS Zones
    DNS Records
    Configuring DNS Zone Properties
    Dynamic, Non-Dynamic, and Secure Dynamic DNS
    Time to Live
    Zone Scavenging
    Configuring DNS Server Settings
    Forwarding
    Root Hints
    Configuring Zone Delegation
    Debug Logging
    Event Logging
    Advanced Server Options
    Monitoring DNS
    Command-Line DNS Server Administration
    Configuring Zone Transfers and Replication
    Replication Scope
    Types of Zone Transfers
    Secure Zone Transfers
    Configuring Name Servers
    Application Directory Partitions
    Exam Cram Questions
    Answers to Exam Cram Questions

Chapter 3: Active Directory Sites and Replication
    The Need for Active Directory Sites
    Configuring Sites and Subnets
    Creating Sites
    Adding Domain Controllers
    Creating and Using Subnets
    Site Links, Site Link Bridges, and Bridgehead Servers
    The Need for Site Links and Site Link Bridges
    Configuring Site Links
    Site Link Bridges
    Site Link Costs
    Bridgehead Servers
    Sites Infrastructure
    Configuring Active Directory Replication
    Intersite and Intrasite Replication
    Distributed File System
    One-Way Replication
    Replication Protocols
    Replication Scheduling
    Forcing Intersite Replication
    Monitoring and Troubleshooting Replication
    Exam Cram Questions
    Answers to Exam Cram Questions

Chapter 4: Configuring Additional Active Directory Roles
    New Server Roles and Features
    Active Directory Lightweight Directory Services (AD LDS)
    Installing AD LDS
    Configuring Data Within AD LDS
    Migration to AD LDS
    Configuring an Authentication Server
    Use of AD LDS on Server Core
    Active Directory Rights Management Services (AD RMS)
    Installing AD RMS
    Certificate Request and Installation
    Self-Enrollments
    Delegation
    Active Directory Metadirectory Services (AD MDS)
    Read-Only Domain Controllers
    Installing a Read-Only Domain Controller
    Unidirectional Replication
    Administrator Role Separation
    Read-Only DNS
    BitLocker
    Replication of Passwords
    syskey
    Active Directory Federation Services (AD FS)
    Installing the AD FS Server Role
    Trust Policies
    User and Group Claim Mapping
    Configuring Federation Trusts
    Windows Server 2008 Virtualization
    Exam Cram Questions
    Answers to Exam Cram Questions

Chapter 5: Active Directory Objects and Trusts
    Creating User and Group Accounts
    Introducing User Accounts
    Introducing Group Accounts
    Creating User, Computer, and Group Accounts
    Use of Template Accounts
    Using Bulk Import to Automate Account Creation
    Configuring the UPN
    Configuring Contacts
    Creating Distribution Lists
    Managing and Maintaining Accounts
    Creating Organizational Units
    Configuring Group Membership
    AGDLP/AGUDLP
    Resetting Accounts and Passwords
    Denying Privileges
    Protected Admin
    Local Versus Domain Groups
    Deprovisioning Accounts
    Disabling or Deleting Accounts
    Delegating Administrative Control of Active Directory Objects
    Configuring Active Directory Trust Relationships
    Transitive Trusts
    Forest Trust Relationships
    External Trust Relationships
    Realm Trust Relationships
    Shortcut Trust Relationships
    Authentication Scope
    SID Filtering
    Exam Cram Questions
    Answers to Exam Cram Questions

Chapter 6: Configuring and Troubleshooting Group Policy
    Overview of Group Policy
    Group Policy Objects
    Creating and Applying GPOs
    Managing GPOs
    Configuring GPO Hierarchy and Processing Priority
    Group Policy Filtering
    Group Policy Loopback Processing
    Configuring GPO Templates
    User Rights
    ADMX Central Store
    Administrative Templates
    Restricted Groups
    Starter GPOs
    Shell Access Policies
    Using Group Policy to Deploy Software
    Assigning and Publishing Software
    Deploying Software Using Group Policy
    Upgrading Software
    Removal of Software
    Troubleshooting the Application of Group Policy Objects
    Resultant Set of Policy
    Gpresult
    Gpupdate
    Exam Cram Questions
    Answers to Exam Cram Questions

Chapter 7: Group Policy and Active Directory Security
    Use of Group Policy to Configure Security
    Configuring Account Policies
    Fine-Grained Password Policies
    Security Options
    Additional Security Configuration Tools
    Auditing of Active Directory Services
    New Features of Active Directory Auditing
    Use of GPOs to Configure Auditing
    Use of Auditpol.exe to Configure Auditing
    Exam Cram Questions
    Answers to Exam Cram Questions

Chapter 8: Monitoring and Maintaining the Active Directory Environment
    Backing Up and Recovering Active Directory
    Use of Windows Server Backup
    Recovering Active Directory
    Linked Value Replication
    Backing Up and Restoring GPOs