MCTS 70-640: Configuring Windows Server 2008 Active Directory

Transcription

Exam 70-640: Windows Server 2008 Active Directory, Configuring (2nd Edition)

Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Location in Book

Configuring Domain Name System (DNS) for Active Directory
    Configure zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 9, Lesson 1
    Configure DNS server settings. . . . . . . . . . . . . . . . . . . . . . Chapter 9, Lesson 2
    Configure zone transfers and replication. . . . . . . . . . . . . . . . Chapter 9, Lesson 2

Configuring the Active Directory Infrastructure
    Configure a forest or a domain. . . . . . . . . . . . . . . . . . . . . . Chapter 1, Lessons 1, 2; Chapter 10, Lessons 1, 2; Chapter 12, Lessons 1, 2
    Configure trusts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 12, Lesson 2
    Configure sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 11, Lessons 1, 2
    Configure Active Directory replication. . . . . . . . . . . . . . . . . . Chapter 8, Lesson 3; Chapter 10, Lesson 3; Chapter 11, Lesson 3
    Configure the global catalog. . . . . . . . . . . . . . . . . . . . . . . Chapter 11, Lesson 2
    Configure operations masters. . . . . . . . . . . . . . . . . . . . . . . Chapter 10, Lesson 2

Configuring Additional Active Directory Server Roles
    Configure Active Directory Lightweight Directory Service (AD LDS). . . Chapter 14, Lessons 1, 2
    Configure Active Directory Rights Management Service (AD RMS). . . . . Chapter 16, Lessons 1, 2
    Configure the read-only domain controller (RODC). . . . . . . . . . . . Chapter 8, Lesson 3
    Configure Active Directory Federation Services (AD FS). . . . . . . . . Chapter 17, Lessons 1, 2

Creating and Maintaining Active Directory Objects
    Automate creation of Active Directory accounts. . . . . . . . . . . . . Chapter 3, Lessons 1, 2; Chapter 4, Lessons 1, 2; Chapter 5, Lessons 1, 2
    Maintain Active Directory accounts. . . . . . . . . . . . . . . . . . . . Chapter 2, Lessons 1, 2, 3; Chapter 3, Lessons 1, 2, 3; Chapter 4, Lessons 1, 2, 3; Chapter 5, Lessons 1, 2, 3; Chapter 8, Lesson 4
    Create and apply Group Policy objects (GPOs). . . . . . . . . . . . . . Chapter 6, Lessons 1, 2, 3
    Configure GPO templates. . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 6, Lessons 1, 2, 3; Chapter 7, Lessons 1, 2, 3
    Configure software deployment GPOs. . . . . . . . . . . . . . . . . . . . Chapter 7, Lesson 3
    Configure account policies. . . . . . . . . . . . . . . . . . . . . . . . Chapter 8, Lesson 1
    Configure audit policy by using GPOs. . . . . . . . . . . . . . . . . . . Chapter 7, Lesson 4; Chapter 8, Lesson 2

Maintaining the Active Directory Environment
    Configure backup and recovery. . . . . . . . . . . . . . . . . . . . . . . Chapter 13, Lesson 2
    Perform offline maintenance. . . . . . . . . . . . . . . . . . . . . . . . Chapter 13, Lesson 1
    Monitor Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 6, Lesson 3; Chapter 11, Lesson 3; Chapter 13, Lesson 1

Configuring Active Directory Certificate Services
    Install Active Directory Certificate Services. . . . . . . . . . . . . . Chapter 15, Lesson 1
    Configure CA server settings. . . . . . . . . . . . . . . . . . . . . . . Chapter 15, Lesson 2
    Manage certificate templates. . . . . . . . . . . . . . . . . . . . . . . Chapter 15, Lesson 2
    Manage enrollments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 15, Lesson 2
    Manage certificate revocations. . . . . . . . . . . . . . . . . . . . . . Chapter 15, Lesson 2

Exam Objectives: The exam objectives listed here are current as of this book's publication date. Exam objectives are subject to change at any time without prior notice and at Microsoft's sole discretion. Please visit the Microsoft Learning Web site for the most current listing of exam objectives: ID 70-640.

Self-Paced Training Kit (Exam 70-640):
Configuring Windows Server 2008 Active Directory (2nd Edition)

Dan Holme
Danielle Ruest
Nelson Ruest
Jason Kellington

PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright 2011 by Dan Holme, Nelson Ruest, Danielle Ruest, and Jason Kellington

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number: 2011929710
ISBN: 978-0-7356-5193-7

Printed and bound in the United States of America.

7 8 9 10 11 12 13 14 15 QG 8 7 6 5 4 3

Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Book Support at mspinput@microsoft.com. Please tell us what you think of this book at www.microsoft.com/learning/booksurvey/.

Microsoft and the trademarks listed at ctualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

This book expresses the authors' views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions Editor: Jeff Koch
Developmental Editor: Karen Szall
Project Editor: Rosemary Caperton
Editorial Production: Tiffany Timmerman, S4Carlisle Publishing Services
Technical Reviewer: Kurt Meyer; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Copyeditor: Crystal Thomas
Indexer: Maureen Johnson
Cover: Twist Creative Seattle

[2013-11-22]

Contents at a Glance

Introduction xxvii
Chapter 1   Creating an Active Directory Domain 1
Chapter 2   Administering Active Directory Domain Services 35
Chapter 3   Administering User Accounts 87
Chapter 4   Managing Groups 149
Chapter 5   Configuring Computer Accounts 205
Chapter 6   Implementing a Group Policy Infrastructure 247
Chapter 7   Managing Enterprise Security and Configuration with Group Policy Settings 317
Chapter 8   Improving the Security of Authentication in an AD DS Domain 389
Chapter 9   Integrating Domain Name System with AD DS 439
Chapter 10  Administering Domain Controllers 507
Chapter 11  Managing Sites and Active Directory Replication 557
Chapter 12  Managing Multiple Domains and Forests 605
Chapter 13  Directory Business Continuity 655
Chapter 14  Active Directory Lightweight Directory Services 731
Chapter 15  Active Directory Certificate Services and Public Key Infrastructures 771
Chapter 16  Active Directory Rights Management Services 833
Chapter 17  Active Directory Federation Services 879
Answers 921
Index 963

Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii
  System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii
    Hardware Requirements xxviii
    Software Requirements xxix
  Using the Companion CD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxx
    How to Install the Practice Tests xxx
    How to Use the Practice Tests xxx
    How to Uninstall the Practice Tests xxxii
  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii
  Support & Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii
    Errata xxxiii
    We Want to Hear from You xxxiii
    Stay in Touch xxxiii

Chapter 1  Creating an Active Directory Domain 1
  Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
  Lesson 1: Installing Active Directory Domain Services . . . . . . . . . . . . . . 3
    Active Directory, Identity and Access 3
    Beyond Identity and Access 8
    Components of an Active Directory Infrastructure 9
    Preparing to Create a New Windows Server 2008 Forest 12
    Adding the AD DS Role Using the Windows Interface 12
    Creating a Domain Controller 13
    Lesson Summary 21
    Lesson Review 22

What do you think of this book? We want to hear from you!
Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit: www.microsoft.com/learning/booksurvey/

vii

  Lesson 2: Active Directory Domain Services on Server Core . . . . . . . . . . . 23
    Understanding Server Core 23
    Installing Server Core 24
    Performing Initial Configuration Tasks 25
    Server Configuration 26
    Adding AD DS to a Server Core Installation 27
    Removing Domain Controllers 27
    Lesson Summary 30
    Lesson Review 30
  Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
  Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
  Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
  Case Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
    Case Scenario: Creating an Active Directory Forest 33
  Take a Practice Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Chapter 2  Administering Active Directory Domain Services 35
  Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
  Lesson 1: Working with Active Directory Snap-ins . . . . . . . . . . . . . . . . 37
    Understanding the Microsoft Management Console 37
    Active Directory Administration Tools 39
    Finding the Active Directory Administrative Tools 39
    Adding the Administrative Tools to Your Start Menu 40
    Creating a Custom Console with Active Directory Snap-ins 40
    Running Administrative Tools with Alternate Credentials 41
    Saving and Distributing a Custom Console 42
    Lesson Summary 47
    Lesson Review 48
  Lesson 2: Creating Objects in Active Directory . . . . . . . . . . . . . . . . . 49
    Creating an Organizational Unit 49
    Creating a User Object 51
    Creating a Group Object 53
    Creating a Computer Object 55
    Finding Objects in Active Directory 57

    Understanding DNs, RDNs, and CNs 63
    Finding Objects by Using Dsquery 63
    Lesson Summary 70
    Lesson Review 71
  Lesson 3: Delegation and Security of Active Directory Objects . . . . . . . . . 72
    Understanding Delegation 72
    Viewing the ACL of an Active Directory Object 73
    Property Permissions, Control Access Rights, and Object Permissions 75
    Assigning a Permission Using the Advanced Security Settings Dialog Box 76
    Understanding and Managing Permissions with Inheritance 76
    Delegating Administrative Tasks with the Delegation Of Control Wizard 77
    Reporting and Viewing Permissions 78
    Removing or Resetting Permissions on an Object 78
    Understanding Effective Permissions 79
    Designing an OU Structure to Support Delegation 80
    Lesson Summary 82
    Lesson Review 83
  Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
  Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
  Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
  Case Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
    Case Scenario: Managing Organizational Units and Delegation 84
  Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
    Maintain Active Directory Accounts 85
  Take a Practice Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Chapter 3  Administering User Accounts 87
  Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
  Lesson 1: Automating the Creation of User Accounts . . . . . . . . . . . . . . . 89
    Creating Users with Templates 89
    Using Active Directory Command-Line Tools 91

    Creating Users with DSAdd 92
    Exporting Users with CSVDE 92
    Importing Users with CSVDE 93
    Importing Users with LDIFDE 94
    Lesson Summary 100
    Lesson Review 100
  Lesson 2: Administering with Windows PowerShell and Active Directory Administrative Center . . . . . 102
    Introducing Windows PowerShell 102
    Preparing to Administer Active Directory Using Windows , Providers, and PSDrives 112
    The Active Directory PowerShell Provider 113
    Creating a User with Windows PowerShell 113
    Populating User Attributes 115
    Importing Users from a Database with Windows PowerShell 116
    The Active Directory Administrative Center 117
    Lesson Summary 123
    Lesson Review 124
  Lesson 3: Supporting User Objects and Accounts . . . . . . . . . . . . . . . . . 125
    Managing User Attributes with Active Directory Users And Computers 125
    Managing User Attributes with DSMod and DSGet 129
    Managing User Attributes with Windows PowerShell 131
    Understanding Name and Account Attributes 131
    Administering User Accounts 135
    Lesson Summary 143
    Lesson Review 143

  Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
  Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
  Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
  Case Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
    Case Scenario: Import User Accounts 146
  Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
    Automate the Creation of User Accounts 146
    Maintain Active Directory Accounts 146
    Use the Active Directory Administrative Console 147
  Take a Practice Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Chapter 4  Managing Groups 149
  Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
  Lesson 1: Managing an Enterprise with Groups . . . . . . . . . . . . . . . . . . 151
    Understanding the Importance of Groups 151
    Defining Group Naming Conventions 157
    Understanding Group Types 159
    Understanding Group Scope 160
    Converting Group Scope and Type 165
    Managing Group Membership 166
    Developing a Group Management Strategy 169
    Lesson Summary 173
    Lesson Review 173
  Lesson 2: Automating the Creation and Management of Groups . . . . . . . . . . . 175
    Creating Groups with DSAdd 175
    Importing Groups with CSVDE 176
    Importing Groups with LDIFDE 177
    Retrieving Group Membership with DSGet 178
    Changing Group Membership with DSMod 179
    Copying Group Membership 179
    Moving and Renaming Groups with DSMove 179
    Deleting Groups with DSRm 180
    Managing Groups with Windows PowerShell 181

    Lesson Summary 184
    Lesson Review 185
  Lesson 3: Administering Groups in an Enterprise . . . . . . . . . . . . . . . . 186
    Best Practices for Group Attributes 186
    Protecting Groups from Accidental Deletion 188
    Delegating the Management of Group Membership 189
    Understanding Shadow Groups 193
    Default Groups 194
    Special Identities 196
    Lesson Summary 199
    Lesson Review 199
  Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
  Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
  Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
  Case Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
    Case Scenario: Implementing a Group Strategy 202
  Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
    Automate Group Membership and Shadow Groups 202
  Take a Practice Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Chapter 5  Configuring Computer Accounts 205
  Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
  Lesson 1: Creating Computers and Joining the Domain . . . . . . . . . . . . . . 207
    Understanding Workgroups, Domains, and Trusts 207
    Identifying Requirements for Joining a Computer to the Domain 208
    The Computers Container and OUs 208
    Delegating Permission to Create Computers 210
    Prestaging a Computer Account 210
    Joining a Computer to the Domain 211
    Secure Computer Creation and Joins 214
    Offline Domain Join 217
    Lesson Summary 223
    Lesson Review 224

  Lesson 2: Automating the Creation of Computer Objects . . . . . . . . . . . . . 225
    Importing Computers with CSVDE 225
    Importing Computers with LDIFDE 226
    Creating Computers with DSAdd 227
    Creating Computers with NetDom 227
    Creating Computers with Windows PowerShell 228
    Lesson Summary 230
    Lesson Review 230
  Lesson 3: Supporting Computer Objects and Accounts . . . . . . . . . . . . . . . 232
    Configuring Computer Properties 232
    Moving a Computer 233
    Managing a Computer from the Active Directory Users And Computers Snap-In 234
    Understanding the Computer's Logon and Secure Channel 234
    Recognizing Computer Account Problems 234
    Resetting a Computer Account 235
    Renaming a Computer 236
    Disabling and Enabling Computer Accounts 238
    Deleting Computer Accounts 238
    Recycling Computer Accounts 239
    Lesson Summary 241
    Lesson Review 241
  Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
  Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
  Key Term . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
  Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
    Case Scenario 1: Creating Computer Objects and Joining the Domain 244
    Case Scenario 2: Automating the Creation of Computer Objects 244
  Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
    Create and Maintain Computer Accounts 244
  Take a Practice Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Chapter 6  Implementing a Group Policy Infrastructure 247
  Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
  Lesson 1: Implementing Group Policy . . . . . . . . . . . . . . . . . . . . . . . 249
    What Is Configuration Management? 249
    An Overview and Review of Group Policy 250
    Group Policy Objects 256
    Policy Settings 262
    Registry Policies in the Administrative Templates Node 265
    Lesson Summary 275
    Lesson Review 276
  Lesson 2: Managing Group Policy Scope . . . . . . . . . . . . . . . . . . . . . . 278
    GPO Links 278
    GPO Inheritance and Precedence 280
    Using Security Filtering to Modify GPO Scope 285
    WMI Filters 288
    Enabling or Disabling GPOs and GPO Nodes 290
    Targeting Preferences 291
    Group Policy Processing 292
    Loopback Policy Processing 294
    Lesson Summary 299
    Lesson Review 300
  Lesson 3: Supporting Group Policy . . . . . . . . . . . . . . . . . . . . . . . . 301
    Understanding When Settings Take Effect 301
    Resultant Set Of Policy 303
    Troubleshooting Group Policy with the Group Policy Results Wizard and Gpresult.exe 306
    Performing What-If Analyses with the Group Policy Modeling Wizard 306
    Examining Policy Event Logs 307
    Lesson Summary 311
    Lesson Review 311
  Chapter Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
  Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
  Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

  Case Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
    Case Scenario: Implementing Group Policy 314
  Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
    Create and Apply GPOs 314
  Take a Practice Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

Chapter 7  Managing Enterprise Security and Configuration with Group Policy Settings 317
  Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
  Lesson 1: Delegating the Support of Computers . . . . . . . . . . . . . . . . . . 319
    Understanding Restricted Groups Policies 319
    Delegating Administration Using Restricted Groups Policies with the Member Of Setting 322
    Delegating Administration Using Restricted Groups Policies with the Members Of This Group Setting 322
    Lesson Summary 327
    Lesson Review 327
  Lesson 2: Managing Security Settings . . . . . . . .
