PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright © 2008 by Grandmasters

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number: 2008927270

Printed and bound in the United States of America.

1 2 3 4 5 6 7 8 9 QWT 3 2 1 0 9 8

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to [email protected].

Microsoft, Microsoft Press, Access, Active Directory, ActiveX, BitLocker, ESP, Excel, Forefront, Hyper-V, InfoPath, Internet Explorer, OneCare, Outlook, PowerPoint, ReadyBoost, SharePoint, SQL Server, Visual Studio, Windows, Windows NT, Windows PowerShell, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties.
Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions Editor: Ken Jones
Developmental Editor: Laura Sackerman
Project Editor: Victoria Thulman
Editorial Production: nSight, Inc.
Technical Reviewer: Roazanne Murphy Whalen
Cover: Tom Draper Design

Body Part No. X14-37562

This book is dedicated to my beautiful fiancée, Maria. Thank you for your love and support and especially for your patience through another long project that tied up our evenings and weekends.
—John Policelli

Somewhat unusually I wrote my part of this book and, more or less at the same time, underwent a quadruple cardiac bypass operation. This book is dedicated to the skilled team of doctors and nurses that got me smoothly through the procedure and back to work (if not quite fully fit) in record time. I would also like to acknowledge the helpfulness and considerable ability of my co-author Orin Thomas, who stepped in and completed tasks for me in a most professional fashion when I was unable to do so.
—Ian McLean

I dedicate my contribution to this book to my wife Yaneth and my son Anthony.
—Paul Mancuso

For Ross and Veronica. You mean the world to me. All my love,
—David R. Miller

About the Authors

Orin Thomas
Orin Thomas (MCSE, MVP) is an author and systems administrator who has worked with Microsoft Windows Server operating systems for more than a decade. He is the coauthor of numerous self-paced training kits for Microsoft Press, including MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, second edition, and a contributing editor for Windows IT Pro magazine.

John Policelli
John Policelli (Microsoft MVP for Directory Services, MCTS, MCSA, ITSM, iNet+, Network+, and A+) is a solutions-focused IT consultant with more than a decade of combined success in architecture, security, strategic planning, and disaster recovery planning. He has designed and implemented dozens of complex directory service, e-Messaging, Web, networking, and security enterprise solutions. John has spent the past nine years focused on identity and access management and provided thought leadership for some of the largest installations of Active Directory Domain Services in Canada. He has been involved as an author, technical reviewer, and subject matter expert for more than 50 training, exam-writing, press, and white paper projects related to Windows Server 2008 identity and access management, networking, and collaboration.

Ian McLean
Ian McLean (MCSE, MCITP, MCT) has more than 40 years’ experience in industry, commerce, and education. He started his career as an electronics engineer before going into distance learning and then education as a university professor. He currently provides technical support for a government organization and runs his own consultancy company. Ian has written 22 books in addition to many papers and technical articles. Books he has previously coauthored include MCITP Self-Paced Training Kit (Exam 70-444): Optimizing and Maintaining a Database Administration Solution Using Microsoft SQL Server 2005 and MCITP Self-Paced Training Kit (Exam 70-646): Windows Server Administration: Windows Server 2008 Administrator. When not writing, Ian annoys everyone by playing guitar very badly. However, he is forced to play instrumentals because his singing is even worse.

J.C. Mackin
J.C. Mackin (MCITP, MCTS, MCSE, MCDST, MCT) is a writer, editor, consultant, and trainer who has been working with Microsoft networks for more than a decade.
Books he has previously authored or coauthored include MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, MCITP Self-Paced Training Kit (Exam 70-443): Designing a Database Server Infrastructure Using Microsoft SQL Server 2005, and MCITP Self-Paced Training Kit (Exam 70-622): Supporting and Troubleshooting Applications on a Windows Vista Client for Enterprise Support Technicians. He also holds a master’s degree in Telecommunications and Network Management. When not working with computers, J.C. can be found with a panoramic camera photographing medieval villages in Italy or France.

Paul Mancuso
Paul Mancuso (MCITP, MCSE: Security and Messaging, MCT, CCSI, CCNP, VCP, CCISP) has been in the IT field lecturing, writing, training, and consulting for more than 20 years. As co-owner of National IT Training and Certification Institute (NITTCI), Paul has extensive experience in authoring training materials as well as four books. Books he has recently coauthored include MCITP 70-622 Exam Cram: Supporting and Troubleshooting Applications on a Windows Vista Client for Enterprise Support Technicians for Que Publishing; and Designing a Messaging Infrastructure Using Exchange Server 2007 for Microsoft Press. He has recently taken up golf and enjoys hacking up luscious green golf courses in his spare time.

David R. Miller
David R. Miller (SME; MCT; MCITPro; MCSE Windows NT 4.0, Windows 2000, and Windows 2003: Security; CISSP; LPT; ECSA; CEH; CWNA; CCNA; CNE; Security+; A+; N+) is an information technology and network engineering consultant; instructor; author; and technical editor of books, curricula, certification exams, and computer-based training videos. He regularly performs as a Microsoft Subject Matter Expert (SME) on product lines including Windows Vista, Windows Server 2008, and Microsoft Exchange Server 2007.
He is the principal author of the information systems security book titled Security Administrator Street Smarts for Sybex and Wiley Publishing and is scheduled to write the second edition of this book in summer 2008. David is writing MCITP 70-622 PRO: Supporting and Troubleshooting Applications on a Windows Vista Client for Enterprise Support Technicians and MCITP 70-632 PRO: Supporting and Troubleshooting Applications on a Windows Vista Client for Consumer Support Technicians for Que Publishing, due to be released in the first half of 2008. In addition to this book, he is an author on another Microsoft Certified IT Professional book for Microsoft Press, entitled MCITP 70-237 PRO: Designing Messaging Solutions with Exchange Server 2007. The two Microsoft Press books are due to be published in the first half of 2008.

Contents at a Glance

1 Planning Name Resolution and Internet Protocol Addressing
2 Designing Active Directory Domain Services
3 Planning Migrations, Trusts, and Interoperability
4 Designing Active Directory Administration and Group Policy Strategy
5 Designing a Network Access Strategy
6 Design a Branch Office Deployment
7 Planning Terminal Services and Application Deployment
8 Server and Application Virtualization
9 Planning and Designing a Public Key Infrastructure
10 Designing Solutions for Data Sharing, Data Security, and Business Continuity
11 Designing Software Update Infrastructure and Managing Compliance
Answers
Glossary
Index