MCITP - csltraining.com · MCITP Windows Server 2008 Active Directory 70-640 Windows Server 2008...


MCITP Windows Server 2008 Active Directory 70-640

MCITPMicrosoft Certified IT Professional

Training Notes

Windows Server 2008 Active Directory

Exam Code 70-640



Lecture No 1


Lecture Outline:

1. What is Active Directory
2. What is a domain controller
3. User login process
4. Windows Server 2008 “Namespace”
5. Windows forest concept
6. Server roles

What is Active Directory:

Active Directory is the directory database that holds a network's objects: users, groups, organizational units, computers, published services such as email, FTP and web servers, and resources such as printers, shared folders and mapped drives. Because it also stores every security principal's identity and group memberships, it is the authority that domain-joined computers consult when they decide who may log on and what they may access.

Domain Controller:

A domain controller is a server that holds a copy of the Active Directory database for its domain (writable, except on a read-only domain controller) and answers the authentication and directory queries of that domain.

User Login Process:

When a user logs on to a domain-joined computer, the computer contacts a domain controller to authenticate the user. In a Windows Server 2008 domain this normally happens over Kerberos: the password itself is not sent across the network; the client proves that it knows the password and receives a ticket, which it then presents to the domain controller and to other servers. Only when Kerberos is unavailable does the client fall back to the older NTLM exchange.


Windows Server 2008 “Namespace”:

The namespace is the DNS name of the domain, for example home.com, under which the domain's computers are registered and through which they locate the domain controllers. User logon names are part of the same namespace: a user principal name (UPN) has the form username@home.com.

Windows Forest Concept:

The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree and domain are the logical divisions of an Active Directory network.

Within a deployment, objects are grouped into domains. The objects of a single domain are stored in a single database, which is replicated between that domain's domain controllers. Domains are identified by their DNS name structure, the namespace.

A tree is a collection of one or more domains in a contiguous namespace (for example home.com and sales.home.com), linked in a transitive trust hierarchy.

At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure and directory configuration. The forest, not the domain, is the security boundary: every domain in a forest trusts every other, and an administrator of one domain can in practice gain control of the others, so users, computers and groups that must be kept fully separate belong in separate forests.
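The namespace and forest layout described above can be read straight out of the directory. The following PowerShell script is an added example and is not part of the training notes: it queries RootDSE on the nearest domain controller, converts the domain's distinguished name into its DNS name, and builds a UPN from it. It assumes a domain-joined machine running PowerShell 2.0 or later; the logon name bmiles is illustrative.

```powershell
# Added example: inspect the namespace and forest layout from RootDSE (LDAP, no AD module needed).
# Assumes a domain-joined machine and PowerShell 2.0 or later.

function ConvertFrom-DomainDn {
    # "DC=home,DC=com" -> "home.com": the DNS name is the DC= components joined by dots.
    param([string]$Dn)
    $labels = $Dn -split ',' |
        Where-Object { $_ -match '^\s*DC=' } |
        ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() }
    return ($labels -join '.')
}

function New-Upn {
    # A user principal name lives in the domain's DNS namespace: logon@dnsdomain.
    param([string]$Logon, [string]$DomainDn)
    return ('{0}@{1}' -f $Logon.ToLower(), (ConvertFrom-DomainDn $DomainDn))
}

function Get-ForestNamespace {
    # RootDSE needs nothing beyond a domain logon and describes the directory this DC
    # serves: its own domain, the forest root, and the partitions shared by the forest.
    $root     = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$root.defaultNamingContext
    $forestDn = [string]$root.rootDomainNamingContext
    New-Object PSObject -Property @{
        AnsweringDc         = [string]$root.dnsHostName
        DomainDn            = $domainDn
        DomainDns           = ConvertFrom-DomainDn $domainDn
        ForestRootDns       = ConvertFrom-DomainDn $forestDn
        # Schema and configuration partitions are forest-wide: every DC in every domain
        # replicates the same copy, which is why the forest is the security boundary.
        SchemaDn            = [string]$root.schemaNamingContext
        ConfigurationDn     = [string]$root.configurationNamingContext
        # 0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008
        DomainFunctionality = [int][string]$root.domainFunctionality
        ForestFunctionality = [int][string]$root.forestFunctionality
        DcIsGlobalCatalog   = ([string]$root.isGlobalCatalogReady -eq 'TRUE')
    }
}

$ns = Get-ForestNamespace
$ns | Format-List
'Example UPN for logon bmiles: ' + (New-Upn -Logon 'bmiles' -DomainDn $ns.DomainDn)
```

On a domain controller of a child domain, DomainDns and ForestRootDns differ (for example sales.home.com and home.com); that difference is the tree. SchemaDn and ConfigurationDn are identical on every DC of the forest.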


Server Roles:

In Windows Server 2008 a role is the set of services a server provides to network users, such as DNS, Active Directory Domain Services, FTP, Web (IIS) or DHCP. Roles are added and removed through Server Manager. A server should carry only the roles it needs, because every role adds listening services, and therefore attack surface, to the machine.


Lecture No 2


Lecture Outline:

1. Server 2008 installation methods
2. Server 2008 hardware requirements and editions
3. Installation of Active Directory on DC1 and DC2
4. Replication between two domain controllers

Server 2008 Installation Methods:

Server 2008 supports two types of installation:

1. Clean (bare-metal) installation

A clean installation puts Windows Server 2008 on a disk that has no operating system on it, or discards the one that is there.

2. Upgrade installation

An upgrade installation replaces an existing Windows Server 2003 installation with Windows Server 2008 while keeping its settings, applications and data.

Note: Windows 2000 Server cannot be upgraded directly to Windows Server 2008; it must first be upgraded to Windows Server 2003.

Server 2008 hardware requirements and editions:

The hardware requirements of Windows Server 2008, per edition, are shown in the chart below.


Installation of Active Directory on DC1 and DC2:

The scenario for the installation of Active Directory on DC1 and DC2 is shown in the diagram above: DC1 becomes the first domain controller of a new forest, and DC2 is then added as an additional domain controller in the same domain.

Note:

Before Active Directory is installed the following should be in place:

1. Every server has a static IP address. A DC's address is published in DNS (A and SRV records); a DHCP lease that changes would leave clients and replication partners pointing at the wrong host.
2. The built-in Administrator account is renamed and given a complex password.
3. The two servers can reach each other over the network.
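The three prerequisites can be checked before running dcpromo. The following script is an added example (not from the training notes); it runs on the server about to be promoted and assumes PowerShell 2.0 or later. The partner name DC2 is illustrative, and the minimum password length of 8 it expects is the editor's choice, not a value from the notes.

```powershell
# Added example: verify the prerequisites of the note above before promoting a server.
# Assumes PowerShell 2.0 or later; the partner name 'DC2' is illustrative.

function Test-DcPrerequisites {
    param([string]$PartnerDc = 'DC2')
    $problems = @()

    # 1. Static addressing: a DC's address is published in DNS, so a DHCP lease that
    #    changes would orphan clients and replication partners.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
    foreach ($nic in $nics) {
        if ($nic.DHCPEnabled) {
            $problems += "Adapter '$($nic.Description)' takes its address from DHCP"
        }
    }

    # 2. The built-in administrator is whichever local account has RID 500; renaming it
    #    does not change the SID, so test the SID rather than the name.
    $builtin = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount = True' |
        Where-Object { $_.SID -like '*-500' }
    if ($builtin -and $builtin.Name -eq 'Administrator') {
        $problems += 'Built-in administrator (RID 500) still uses the default name'
    }

    #    The password itself cannot be read back; check instead that the local policy
    #    enforces complexity and a sane minimum length for it and every later account.
    $cfg = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $policy = Get-Content $cfg
    Remove-Item $cfg -Force
    if (($policy -match '^PasswordComplexity\s*=\s*1').Count -eq 0) {
        $problems += 'Password complexity is not enforced (PasswordComplexity <> 1)'
    }
    $minLen = 0
    foreach ($line in $policy) {
        if ($line -match '^MinimumPasswordLength\s*=\s*(\d+)') { $minLen = [int]$Matches[1] }
    }
    if ($minLen -lt 8) {
        $problems += "Minimum password length is $minLen; use at least 8"
    }

    # 3. Connectivity to the other server.
    if (-not (Test-Connection -ComputerName $PartnerDc -Count 2 -Quiet)) {
        $problems += "No ICMP reply from $PartnerDc"
    }

    if ($problems.Count -eq 0) { 'All prerequisites satisfied' } else { $problems }
}

Test-DcPrerequisites -PartnerDc 'DC2'
```

The RID 500 test matters because renaming the account is only a speed bump: the SID is what authorizes, and tools that enumerate accounts by SID find it regardless of its name. Renaming still removes the default name from the obvious guess list, which is what the note is after.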

Steps for installing active directory domain services


1. Open Server Manager by clicking the icon in the Quick Launch toolbar, or from the Administrative Tools folder.

2. Wait till it finishes loading, then click on Roles > Add Roles.

3. In the Before You Begin window, click Next.

4. In the Select Server Roles window, select Active Directory Domain Services and then click Next.


5. In the Active Directory Domain Services window, read the provided information if you want to, and then click Next.

6. In Confirm Installation Selections, read the provided information if you want to, and then click Install.


7. Wait till the process completes.

8. When it ends, click Close.


9. Going back to Server Manager, click on the Active Directory Domain Services link and note that there is no information linked to it, because the DCPROMO command has not been run yet.

10. Now you can click on the DCPROMO link, or read on.


a. To run DCPROMO, enter the command in the Run box, or click the DCPROMO link in Server Manager > Roles > Active Directory Domain Services.

b. Depending on whether the AD DS binaries were already installed, the Active Directory Domain Services Installation Wizard appears immediately or after a short while. Click Next.



c. In the Operating System Compatibility window, read the provided information and click Next.

d. In the Choose a Deployment Configuration window, click "Create a new domain in a new forest" and click Next.


e. Enter an appropriate name for the new domain. Pick the name carefully, because renaming a domain afterwards is a task you will not wish to perform. Click Next.

Note:

Do NOT use single-label domain names such as "mydomain". You MUST pick a full DNS name such as "mydomain.local" or "mydomain.com". Prefer a subdomain of a DNS name your organization actually registers (for example ad.mydomain.com) over ".local": .local is also used by multicast DNS, and a name you do not own cannot be covered by publicly trusted certificates.

The wizard checks that the domain name is not already in use on the local network.


f. Pick the forest functional level. Windows 2000 mode is the default, and it allows Windows 2000, Windows Server 2003 and Windows Server 2008 domain controllers to be added to the forest you are creating. Functional levels can be raised later but never lowered, so choose the highest level that every domain controller you intend to deploy supports.


g. The wizard checks whether DNS is properly configured on the local network. In this case no DNS server has been configured, so the wizard offers to install DNS on this server. Accept it: Active Directory clients locate domain controllers through DNS SRV records, and without a DNS server that hosts the domain zone nothing can find the DC.

Note:

The first DC in a forest must also be a Global Catalog, and it cannot be a read-only domain controller (RODC).

h. You will most likely get a warning telling you that the server has one or more dynamic IP addresses. Running IPCONFIG /all shows that this is not the case for IPv4, because as you can clearly see, I have given the server a static IP address. So where did this come from? The answer is IPv6: I did not manually configure the IPv6 address, hence the warning. In a network where IPv6 is not used you can ignore this warning; the cleaner fix is to assign a static IPv6 address as well, so that the DC never registers a changeable IPv6 address in DNS (disabling IPv6 on a DC is not recommended).

i. You will probably get a warning about DNS delegation: the wizard could not create a delegation for the new zone in a parent DNS zone. Since no DNS has been configured yet, there is no parent zone to delegate from; click Yes to continue.


j. Next, set the paths for the AD database, the log files and the SYSVOL folder. All three must be on NTFS volumes; for large deployments, plan the DC's disk layout carefully (database and logs on separate spindles) to get the maximum performance. When satisfied, click Next.

k. Enter the Directory Services Restore Mode (DSRM) password. Keep it confidential: unlike regular domain user passwords, which expire under the domain password policy (42 days by default), it never expires, and whoever has it can boot the DC into DSRM and work on the directory database offline. Use a complex password of at least 7 characters, do not reuse the administrator's password, and record it in a secure store. It can be changed later with ntdsutil ("set dsrm password", then "reset password on server null"). Click Next.


l. In the Summary window review your selections and, if required, export them to an unattended answer file, which can be reused with dcpromo /unattend on further servers. When satisfied, click Next.


m. The wizard begins creating the Active Directory domain; when it finishes, click Finish and reboot the server.


Note:

Now join DC2 to the domain you created on DC1 (point DC2's DNS client at DC1 first, or it cannot find the domain), then run dcpromo.exe on DC2 and choose "Existing forest" > "Add a domain controller to an existing domain" to install the second domain controller.
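The same work can be scripted, which is how it is done for more than a couple of servers. The following PowerShell function is an added example, not part of the notes: it is the command-line equivalent of the Add Roles wizard (steps 1 to 8) and of the dcpromo wizard (steps a to m), and it serves both DC1 (new forest) and DC2 (additional DC) through the -Role parameter. It assumes Windows Server 2008 with PowerShell 2.0; the domain home.com, the NetBIOS name HOME and the account name corpadmin are illustrative.

```powershell
# Added example: unattended role install and dcpromo for DC1 (new forest) and DC2 (replica).
# Assumes Windows Server 2008 with PowerShell 2.0; home.com / HOME are illustrative names.

function Install-DomainController {
    param(
        [ValidateSet('NewForest', 'Replica')][string]$Role,
        [string]$DomainDns    = 'home.com',
        [string]$NetbiosName  = 'HOME',
        [string]$AdminAccount = 'Administrator',          # give the renamed account here
        [string]$SiteName     = 'Default-First-Site-Name'
    )

    # Steps 1-8 of the notes: install the AD DS binaries (dcpromo still has to follow).
    servermanagercmd.exe -install AD-Domain-Services | Out-Null

    # Step k: the DSRM password. Prompt for it instead of hard-coding it in the script.
    $secure = Read-Host 'Directory Services Restore Mode password' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    # Step j: paths; step g and the note: DNS and Global Catalog on the new DC.
    $answer = @"
[DCInstall]
InstallDNS=Yes
ConfirmGc=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@
    if ($Role -eq 'NewForest') {
        # Steps d-f: new forest with a full DNS name; level 3 = Windows Server 2008.
        $answer += @"

ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$DomainDns
DomainNetbiosName=$NetbiosName
ForestLevel=3
DomainLevel=3
CreateDNSDelegation=No
"@
    } else {
        # DC2: add a domain controller to the existing domain. Password=* makes
        # dcpromo prompt for the credential instead of reading it from the file.
        $answer += @"

ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainDns
SiteName=$SiteName
UserDomain=$DomainDns
UserName=$AdminAccount
Password=*
"@
    }

    $file = Join-Path $env:TEMP 'dcpromo-unattend.txt'
    Set-Content -Path $file -Value $answer -Encoding ASCII
    try {
        $proc = Start-Process -FilePath "$env:SystemRoot\System32\dcpromo.exe" `
                              -ArgumentList "/unattend:`"$file`"" -Wait -PassThru
        "dcpromo finished with exit code $($proc.ExitCode); check %SystemRoot%\debug\dcpromo.log"
    } finally {
        Remove-Item $file -Force      # the file carries the DSRM password in clear text
    }
    # Step m: reboot once dcpromo.log reports success.
}

# DC1:  Install-DomainController -Role NewForest
# DC2:  Install-DomainController -Role Replica -AdminAccount 'corpadmin'
```

The answer file is the same format the Summary page exports in step l, so a file saved there can be compared with the one this function writes. It is written to disk only for the duration of the run and deleted in the finally block because it contains the DSRM password; the interactive credential prompt (Password=*) keeps the domain administrator's password out of the file altogether.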

Replication between two domain controllers:

After both domain controllers have been created, a user named test is created on the first domain controller; after a short time that user also appears on the additional domain controller, as shown in the diagram above, because the two DCs replicate the domain partition to each other.

Note:

If replication does not happen automatically, force it from the command prompt:

C:\> repadmin /syncall

Without flags, repadmin /syncall synchronizes the local DC with its partners in its own site. The flags /A (all partitions), /e (partners in other sites too), /d (show server DNs instead of GUIDs) and /P (push changes out from this DC instead of pulling) are commonly combined as repadmin /syncall /AdeP. repadmin /replsummary and repadmin /showrepl report the state of every replication link.
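Checking that the test user has actually reached DC2, rather than waiting and looking, can be scripted. The following PowerShell is an added example, not part of the notes: it parses repadmin's CSV output for failing links and queries each DC directly (not just the nearest one) for the account. It assumes PowerShell 2.0 or later and the DC names DC1 and DC2 used in the notes.

```powershell
# Added example: replication health check and per-DC object lookup.
# Assumes the DC names DC1 and DC2 from the notes and PowerShell 2.0 or later.

function Get-ReplicationFailures {
    # /showrepl * lists every inbound replication link of every DC; /csv makes it parseable.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time'
}

function Test-UserOnDc {
    # Bind to one specific DC so the answer reflects that DC's copy of the directory.
    param([string]$Dc, [string]$SamAccountName)
    $domainDn = [string]([ADSI]"LDAP://$Dc/RootDSE").defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Dc/$domainDn"
    # Escape LDAP filter metacharacters in case the name ever comes from untrusted input.
    $safe = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$safe))"
    return ($searcher.FindOne() -ne $null)
}

$failures = Get-ReplicationFailures
if ($failures) { 'Replication links with failures:'; $failures | Format-Table -AutoSize }
else           { 'No inbound replication failures reported' }

foreach ($dc in 'DC1', 'DC2') {
    '{0}: user test present = {1}' -f $dc, (Test-UserOnDc -Dc $dc -SamAccountName 'test')
}

if (-not (Test-UserOnDc -Dc 'DC2' -SamAccountName 'test')) {
    # Push DC1's changes for all partitions (/A) to all partners, across sites (/e),
    # naming servers by DN in the output (/d); then check again.
    repadmin /syncall DC1 /AdeP
    'After /syncall: user test on DC2 = ' + (Test-UserOnDc -Dc 'DC2' -SamAccountName 'test')
}
```

Binding to a named DC matters: a plain LDAP://RootDSE bind goes to whichever DC the locator picks, which on DC1 will always say the user exists. The 'Last Failure Status' column of repadmin is a Win32 error code; 8453 (replication access denied) and 1722 (RPC server unavailable) are the ones most often behind "replication is not working".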


Lecture No 3


Lecture Outline:

1. Configuration of a Remote Desktop connection from a client operating system

Remote desktop configuration scenario:

Diagram: a client computer sends a Remote Desktop request to the Windows Server 2008 machine.

Server side steps:

1. Go to Control Panel > System > Advanced System Settings.
2. Go to the Remote tab.
3. Under Remote Desktop, select "Allow connections only from computers running Remote Desktop with Network Level Authentication". The Remote Assistance check box above it is a different feature (an invitation-based helpdesk session) and is not needed for Remote Desktop. With Network Level Authentication the client must authenticate before a session is created, so the logon screen is never exposed to unauthenticated connections.



4. Click Select Users and add only the accounts that need to connect (members of the Administrators group are allowed by default), then click Apply.

Client side steps:

1. Go to Start > All Programs > Accessories > Remote Desktop Connection.

2. Enter the computer name or IP address of the computer you wish to connect to.

3. For more connection options, click Options.



Note: Here you can save the connection profile, adjust display properties, run specified programs upon connection, adjust connection bandwidth, etc. For more information on specific tabs, click Help.

4. Click Connect.
5. Enter the logon credentials of a user account on the remote computer that is allowed to make a Remote Desktop connection.
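The server-side steps above can be done from PowerShell, which also lets you read the result back. The following script is an added example, not part of the notes: it enables Remote Desktop, requires Network Level Authentication, opens the firewall group, adds an explicit allow-list to the Remote Desktop Users group, and then reports the effective state from the registry. It assumes Windows Server 2008 with PowerShell 2.0; the account name HOME\helpdesk is illustrative.

```powershell
# Added example: enable Remote Desktop with NLA and an explicit allow-list, then verify.
# Assumes Windows Server 2008 with PowerShell 2.0; HOME\helpdesk is an illustrative account.

function Enable-RemoteDesktop {
    param([string[]]$AllowedAccounts = @())   # 'DOMAIN\name' style

    $ns = 'root\cimv2\TerminalServices'
    # Allow connections; the second argument (1) also enables the Remote Desktop firewall group.
    $tss = Get-WmiObject -Namespace $ns -Class Win32_TerminalServiceSetting
    $tss.SetAllowTSConnections(1, 1) | Out-Null

    # Network Level Authentication: authenticate before a session (and the logon screen)
    # is created, so unauthenticated clients never reach the logon UI.
    $rdp = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $rdp.SetUserAuthenticationRequired(1) | Out-Null

    # Only Administrators and members of Remote Desktop Users may connect. Add the
    # specific accounts that need it rather than a broad group.
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    foreach ($acct in $AllowedAccounts) {
        $group.Add('WinNT://' + ($acct -replace '\\', '/'))
    }
}

function Get-RemoteDesktopState {
    # Read the effective settings back from the registry rather than trusting the calls.
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = "$ts\WinStations\RDP-Tcp"
    $members = ([ADSI]'WinNT://./Remote Desktop Users,group').Members() |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    New-Object PSObject -Property @{
        ConnectionsAllowed = ((Get-ItemProperty $ts).fDenyTSConnections -eq 0)
        NlaRequired        = ((Get-ItemProperty $rdp).UserAuthentication -eq 1)
        RemoteDesktopUsers = @($members)
    }
}

Enable-RemoteDesktop -AllowedAccounts 'HOME\helpdesk'
Get-RemoteDesktopState
```

From the client, mstsc /v:dc1.home.com opens the same connection the GUI steps describe. Leave the Administrators group out of the allow-list: administrators can connect already, and an account that only needs to reach one server should hold nothing more than membership in Remote Desktop Users on that server.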



Lecture No 4


Lecture outline:

1. Active Directory objects
2. Users, groups and organizational units
3. How to create OUs in AD
4. How to create groups in AD
5. How to create users in AD

Active directory object:

An Active Directory structure is a hierarchical arrangement of information about objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs); it is the SID, not the name, that appears in access control lists, which is why renaming a user or group does not change what it can access.

Each object represents a single entity, whether a user, a computer, a printer or a group, together with its attributes. Certain objects can contain other objects. An object is uniquely identified by its distinguished name and has a set of attributes, the characteristics and information that the object represents, defined by a schema, which also determines the kinds of objects that can be stored in Active Directory.

Users, groups and organizational units:

Organizational units are called container objects because they help organize the directory and can contain other objects, including other OUs. The basic unit of administration is now the organizational unit rather than the domain: OUs subdivide a domain so that administration can be delegated and Group Policy applied at the right level without creating additional domains. Microsoft recommends that there should never be more than 10 levels of organizational unit nesting.

1. Organizational Unit - Used to create a hierarchy of AD objects into logical business units. Other organizational units may be contained inside organizational units.
2. User - Individual person.
3. Group - Groups of user accounts. Groups make user management easier.
4. Computer - Specific workstations.
5. Contact - Administrative contact for specific Active Directory objects.
6. Connection - A defined one-direction replication path between two domain controllers, making the domain controllers potential replication partners. These objects are maintained on each server in "Active Directory Sites and Services".
7. Shared folder - Used to share files; they map to server shares.
8. Printer - Windows NT shared printers are not published automatically.
9. Site - A grouping of machines based on a subnet of TCP/IP addresses. An administrator determines what a site is. Sites may contain multiple subnets. There can be several domains in a site. For example, an organization may have branches around the city in which it is located; each location may be a site.


How to create OU’s in AD:

1. Click the Start button and go to Administrative Tools.
2. From the menu click Active Directory Users and Computers and, in the snap-in that opens, right-click the name of the domain.
3. From the menu point to New and, from the submenu, click Organizational Unit.
4. In the New Object – Organizational Unit box, type the name of the organizational unit in the Name text box and click OK to create the new OU.

How to create groups in AD:

1. Click the Start button and go to Administrative Tools.
2. From the menu click Active Directory Users and Computers and, in the snap-in that opens, right-click the name of the domain (or the OU that should hold the group).
3. From the menu point to New and, from the submenu, click Group.
4. In the New Object – Group box, type the name of the group in the Name text box, choose the group scope and type (a global security group for most uses) and click OK to create the new group.


How to create users in AD:

There are two ways of creating users in AD:

1. Graphical method
2. Command line method (for bulk creation of users)

1. Graphical Method

a. Open Server Manager.


b. Expand Roles, then Active Directory Domain Services, then Active Directory Users and Computers. You should now see your domain name.

c. Click the Users container (or the OU in which the account belongs); this is where we are going to create the new user account. To do so, right-click in the blank area of the details pane, point to New and select User.


d. In this window, type the user's first name, middle initial and last name. Next, create the user's logon name.

In our example we are going to create a user account for Billy Miles, and his logon name will be bmiles. When done, click the Next button.

e. In the next window, create a password for the new user and select the appropriate options.

In our example we are going to have the user change his password at his next logon. You can also prevent a user from changing his password, set the password so that it will never expire, or completely disable the account.

When you are done making your selections, click the Next button.


f. And finally, click the Finish button to complete the creation of the new user account.

2. Command line method

For bulk creation of users in AD, the dsadd command-line tool is used.

1. Open Notepad and type the following command


dsadd user "cn=%1,ou=child ou,ou=parent ou,dc=domain name,dc=com" -fn %2 -ln %3 -pwd abc123* -mustchpwd yes

2. Save the file as adduser.bat
3. Open the command prompt and change to the directory where the file is saved
4. Type: adduser.bat <user logon name> <first name> <last name>
5. The user is added to AD

Two cautions about this batch file. Every account starts with the same password abc123*, so anyone who learns it can log on as any new user who has not yet changed it; -mustchpwd yes narrows the window but does not close it. And a password given on the command line is visible to other logged-on users in the process list and in the batch file itself. Use a different password per user that is handed over out of band, or -pwd * to be prompted for it.

Creating a bunch of users at once (the steps refer to a spreadsheet with the named sheets):

1. Copy and paste the first and last names of your users into the "Add Users Info Here" sheet.
2. Type the child OU name and auto-fill it down.
3. Type the parent OU name and auto-fill it down.
4. Go to the "Mass User Creation Script Source" sheet and check that the domain name and suffix are correct. If not, fill in the correct value on the first line and auto-fill down.
5. On the "Save this sheet as text file" sheet, make sure to auto-fill for all required user names.
6. Go to File > Save As and save the sheet in a convenient place, selecting Formatted Text (Space Delimited) as the file type.
7. Rename the resulting .prn file to .bat.
8. Copy it to your server and run it at the command line.
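The whole of this lecture (OU creation, group creation and bulk user creation from a list) can be done in one PowerShell script over ADSI, without the shared password of the batch file. The script below is an added example and is not part of the notes: it creates the parent and child OUs, a global security group in the child OU, one user per row of a CSV with a random password set over LDAP (never on a command line), flags the account for a password change at next logon, and adds it to the group. It assumes PowerShell 2.0 on a domain member; the CSV rows, the OU names "Parent OU" and "Child OU" and the group name Staff are constructed for the example.

```powershell
# Added example: OU, group and bulk user creation over ADSI with per-user random passwords.
# Assumes PowerShell 2.0 on a domain member; OU, group and user names are constructed.

# Constructed sample input; use Import-Csv .\users.csv for a real file.
$users = @'
FirstName,LastName,Logon
Billy,Miles,bmiles
Ann,Reed,areed
'@ | ConvertFrom-Csv

function New-RandomPassword {
    param([int]$Length = 14)
    # 64 symbols so that a byte modulo 64 is unbiased; I, O, l, 0 and 1 are left out.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!$%*+-?='
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')  # meets complexity
    return $pw
}

function New-OuIfMissing {
    param([string]$ParentDn, [string]$Name)
    $dn = "OU=$Name,$ParentDn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
        $ou = ([ADSI]"LDAP://$ParentDn").Create('organizationalUnit', "OU=$Name")
        $ou.SetInfo()
    }
    return $dn
}

function New-GroupIfMissing {
    param([string]$OuDn, [string]$Name)
    $dn = "CN=$Name,$OuDn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
        $g = ([ADSI]"LDAP://$OuDn").Create('group', "CN=$Name")
        $g.Put('sAMAccountName', $Name)
        $g.Put('groupType', -2147483646)        # global security group (0x80000002)
        $g.SetInfo()
    }
    return $dn
}

function New-DomainUser {
    param([string]$OuDn, [string]$First, [string]$Last, [string]$Logon, [string]$DnsDomain)
    $u = ([ADSI]"LDAP://$OuDn").Create('user', "CN=$First $Last")
    $u.Put('sAMAccountName', $Logon)
    $u.Put('userPrincipalName', "$Logon@$DnsDomain")
    $u.Put('givenName', $First); $u.Put('sn', $Last); $u.Put('displayName', "$First $Last")
    $u.SetInfo()                          # created disabled and without a password
    $pw = New-RandomPassword
    $u.SetPassword($pw)                   # sent over the LDAP session, not the command line
    $u.Put('pwdLastSet', 0)               # "User must change password at next logon"
    $u.Put('userAccountControl', 512)     # NORMAL_ACCOUNT, enabled
    $u.SetInfo()
    return $pw
}

$domainDn  = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$dnsDomain = (($domainDn -split ',') | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
$parentOu  = New-OuIfMissing -ParentDn $domainDn -Name 'Parent OU'
$childOu   = New-OuIfMissing -ParentDn $parentOu -Name 'Child OU'
$groupDn   = New-GroupIfMissing -OuDn $childOu -Name 'Staff'
$group     = [ADSI]"LDAP://$groupDn"

foreach ($row in $users) {
    $pw = New-DomainUser -OuDn $childOu -First $row.FirstName -Last $row.LastName `
                         -Logon $row.Logon -DnsDomain $dnsDomain
    $group.Add("LDAP://CN=$($row.FirstName) $($row.LastName),$childOu")
    # Hand the initial password to the user out of band; never leave it in a script or batch file.
    New-Object PSObject -Property @{ Logon = $row.Logon; InitialPassword = $pw }
}
```

The order inside New-DomainUser matters: the object must exist (first SetInfo) before SetPassword can be called, and the account can only be enabled (userAccountControl 512) once it has a password that satisfies the domain policy, which is why the enable is in the second SetInfo.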


Lecture No 5


Lecture outline:

1. NTFS permissions
2. NTFS permissions v/s share permissions
3. How to share
4. Mapping network drives

NTFS permissions:

NTFS (New Technology File System) is the standard file system of Windows NT and its successors: Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista and Windows 7.

NTFS superseded FAT as the preferred file system for Microsoft's Windows operating systems. Among its improvements over FAT and HPFS (High Performance File System) are security access control lists (ACLs).

Every NTFS file and folder carries a security descriptor, which holds the owner and the discretionary access control list (DACL): the list of entries stating which users and groups are allowed or denied which kinds of access. Administrators edit it through the Security tab of the object's properties or with the icacls command. Permissions are inherited from the parent folder unless inheritance is broken, so the effective permissions of a deep folder depend on the whole path above it.

NTFS permissions v/s share permissions:

Share permissions apply only when a folder is reached over the network through a share; they do nothing for a user logged on locally. NTFS permissions apply both locally and across the network. When a user comes in through a share, both sets are evaluated and the more restrictive one wins, so a share can only narrow what NTFS allows, and vice versa.

A share is another name for a shared network folder.

There are only 3 types of share permissions:

1. Read – View folder names and attributes; view file names and attributes; view file data; execute applications.

2. Change – Everything Read allows, plus create, delete or change folders and files, their names, attributes and data (but not their permissions).

3. Full control – Everything Change allows, plus edit permissions and take ownership of files.

How to share:

To share data in the form of folders and newly added console named share and storagemanagement console is used to open the SSM

1. Go to Start2. Administrative Tools

Page 37: MCITP - csltraining.com · MCITP Windows Server 2008 Active Directory 70-640 Windows Server 2008 “Namespace”: Windows server 2008 namespace is name of the domain which is used

37

MCITP Windows Server 2008 Active Directory 70-640

3. Share and Storage Management.

4. From the Action pane, choose Provision Share to start the wizard.5. The first screen of the wizard asks you to specify the location that you would like to

share. Use the Browse button to do so. For this example, I'm sharing theC:\StorageReports folder.

6. Any time you open up access to a resource, you should limit who can access that resourceto just those that require access. On the NTFS Permissions page of the wizard, you canopt to keep the default NTFS permissions or change permissions depending on yourneeds. In Figure I, note that I've shown both the NTFS Permissions page as well as theEdit Permissions dialog box to give you a look at how to change permissions. If you wantto change permissions, in the Permissions for dialog box click the Add button, select theuser that should be added to the permissions list and choose the appropriate permissions.

Page 38: MCITP - csltraining.com · MCITP Windows Server 2008 Active Directory 70-640 Windows Server 2008 “Namespace”: Windows server 2008 namespace is name of the domain which is used

38

MCITP Windows Server 2008 Active Directory 70-640

4. The next step of the wizard asks you to choose the protocol(s) allowed to access the share. Ifyou've opted to install the NFS portion of the File Services role, the NFS option will beavailable. If not, just SMB (Server Message Block), the Windows default, is available. TheShare name field is automatically populated with the name of the folder you selected.

5. On the SMB Settings page, provide a description of the share that will show up when peoplebrowse the server. Lower on the page, note the advanced settings area. If you want tochange these settings, click the advanced button. Figure J shows you the advanced optionspage. On the Advanced page, note the Enable access-based enumeration checkbox. Access-based enumeration was introduced in an add-on in previous versions of Windows Serverand brings to Windows the ability to limit user's visibility to just the folders that the user hasrights to see.

Page 39: MCITP - csltraining.com · MCITP Windows Server 2008 Active Directory 70-640 Windows Server 2008 “Namespace”: Windows server 2008 namespace is name of the domain which is used

39

MCITP Windows Server 2008 Active Directory 70-640

6. Next up… SMB permissions. On the SMB Permissions page, decide how you want users tobe able to access the resource over the network. Note that this set of permissions is separatefrom the NTFS permissions you worked with previously. The SMB permissions (also calledshare permissions) are combined with NTFS permissions and the most restrictivepermissions will apply. I recommend that you simply set SMB permissionsto Administrators have Full Control; all other users and groups have only Read access andWrite access and use just NTFS permissions to limit access.

7. On the review page, review your selections and click the Create button. When you're done,choose the Shares tab in the main console. You should see your new share listed, as shownin Figure K.
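The same provisioning done from the command line, as an added example that is not part of the course notes: it creates the folder and share with the permissions recommended in step 6, puts the real restriction on NTFS, and includes a small helper that works out the "most restrictive wins" result for a given NTFS right and share level. The folder D:\Data, the share name Data and the group CONTOSO\Finance are assumptions; run it in an elevated PowerShell on the Windows Server 2008 file server.

```powershell
# Added example (not from the course notes). Provisions a share the way the
# wizard does: share (SMB) permissions permissive, NTFS ACL restrictive.
# Assumed names: D:\Data, share "Data", group CONTOSO\Finance.

$folder    = 'D:\Data'
$shareName = 'Data'
$group     = 'CONTOSO\Finance'      # hypothetical group that needs the data

if (-not (Test-Path $folder)) {
    New-Item -Path $folder -ItemType Directory | Out-Null
}

# NTFS: stop inheriting from the drive root, keep Administrators and SYSTEM,
# give Finance Modify. (OI)(CI) = also applies to files/subfolders created later.
icacls $folder /inheritance:r | Out-Null
icacls $folder /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
icacls $folder /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'    | Out-Null
icacls $folder /grant "${group}:(OI)(CI)M"                | Out-Null

# Share permissions as the notes recommend: Administrators Full, everyone
# else Change. Effective access is then decided by the NTFS ACL above.
net share "$shareName=$folder" '/GRANT:Administrators,FULL' '/GRANT:Authenticated Users,CHANGE' '/REMARK:Finance data'

# Read both back for the change record.
net share $shareName
icacls $folder

function Get-EffectiveAccess {
    # Intersects an NTFS right with the share level, which is what the
    # server does when a user comes in over SMB: the most restrictive wins.
    param(
        [System.Security.AccessControl.FileSystemRights]$NtfsRights,
        [ValidateSet('READ','CHANGE','FULL')][string]$ShareLevel
    )
    $mask = switch ($ShareLevel) {
        'READ'   { [System.Security.AccessControl.FileSystemRights]::ReadAndExecute }
        'CHANGE' { [System.Security.AccessControl.FileSystemRights]::Modify }
        'FULL'   { [System.Security.AccessControl.FileSystemRights]::FullControl }
    }
    [System.Security.AccessControl.FileSystemRights]([int]$NtfsRights -band [int]$mask)
}

# NTFS Modify through a READ share collapses to ReadAndExecute; FullControl
# through a CHANGE share collapses to Modify (no permission changes over the wire).
Get-EffectiveAccess -NtfsRights Modify      -ShareLevel READ
Get-EffectiveAccess -NtfsRights FullControl -ShareLevel CHANGE
Get-EffectiveAccess -NtfsRights Modify      -ShareLevel FULL
```

The helper is the reason for the recommendation in step 6: with the share set to Change (or Full) for everyone, the second argument never subtracts anything and the NTFS ACL alone is the answer, so there is only one place to check when someone reports they can or cannot see a file.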

Mapping network drives:

To map a network drive on Server 2008, follow these steps:

1. Make a new folder on any drive.
2. Share that folder over the network with the appropriate NTFS permissions.
3. Open Computer and click Map network drive.
4. Enter the UNC name of the shared folder (for example \\server\share) and click Finish.


Lecture No 6


Lecture outline:

1. What is Group Policy
2. Policy processing order
3. Using the Group Policy Management Console to apply Group Policy

What is group policy:

Group Policy is a feature of the Microsoft Windows NT family of operating systems. GroupPolicy is a set of rules which control the working environment of user accounts and computeraccounts. Group Policy provides the centralized management and configuration of operatingsystems, applications and users' settings in an Active Directory environment. In other words,Group Policy in part controls what users can and cannot do on a computer system. AlthoughGroup Policy is more often seen in use for enterprise environments, it is also common in schools,smaller businesses and other kinds of smaller organizations. Group Policy is often used to restrictcertain actions that may pose potential security risks, for example: to block access to the TaskManager, restrict access to certain folders, disable the downloading of executable files and so on.

Policy setting order:

Group policies are processed in the following order:

1. Local Group Policy objects - any settings in the computer's local policy (accessed by running gpedit.msc) are applied first. Before Windows Vista there was only one local GPO per computer; Windows Vista, Windows 7 and Windows Server 2008 support multiple local GPOs (one for the computer, one for Administrators, one for Non-Administrators and per-user ones). Local policy has the lowest precedence: any domain-based GPO processed later overrides it.

2. Site - Next the computer processes any group policies that are applied to the site thecomputer is currently in. If multiple policies are linked to a site these are processed in theorder set by the administrator using the Linked Group Policy Objects tab, policies withthe lowest link order are processed last and have the highest precedence.

3. Domain - Any policies applied at the domain level (default domain policy) are processednext. If multiple policies are linked to a domain these are processed in the order set by theadministrator using the Linked Group Policy Objects tab, policies with the lowest linkorder are processed last and have the highest precedence.

4. Organizational Unit - Last, the GPOs linked to the organizational unit that contains the computer or user are processed (parent OUs first, the containing OU last). If multiple policies are linked to an organizational unit they are processed in the order set by the administrator using the Linked Group Policy Objects tab; policies with the lowest link order are processed last and have the highest precedence. Because the last writer wins, a setting in an OU GPO overrides the same setting in a site or domain GPO, unless the higher link is marked Enforced, in which case the enforced setting cannot be overridden below it.


Group policy management console to apply group policy:

The Group Policy Management Console (GPMC) is a tool for managing Group Policy more effectively and efficiently. In Windows Server 2008 it is installed automatically with the Active Directory Domain Services role and can otherwise be added through Server Manager under Features.

1. To open the GPMC, click Start, click Administrative Tools, and then click GroupPolicy Management.

2. In the GPMC console tree, expand Group Policy Objects in the forest and domaincontaining the GPO that you want to edit.

3. Right-click the GPO that you want to edit, and then click Edit.
4. Configure the settings that you want to apply to the OU.
5. Link the GPO to the OU.
6. Open a command prompt and refresh Group Policy:

C:\> gpupdate /force

Note that gpupdate refreshes only the computer it is run on. Domain members pick up the change on their own at the next background refresh (every 90 minutes with a random offset of up to 30 minutes; every 5 minutes on domain controllers), or immediately if gpupdate /force is run on them.
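Steps 1 to 6 done with the GroupPolicy PowerShell module, as an added example rather than part of the course notes. The module ships with Windows Server 2008 R2 and the Windows 7 RSAT, not with Server 2008 RTM, so on RTM the GPMC steps above are the only route. The GPO name "Block Task Manager", the OU "OU=Sales,DC=contoso,DC=com" and the registry value used for the setting are assumptions.

```powershell
# Added example (not from the course notes): create, configure, link and
# check the precedence of a GPO with the GroupPolicy module (2008 R2 / RSAT).
# GPO name, OU and the setting are hypothetical.
Import-Module GroupPolicy

$gpoName = 'Block Task Manager'
$ouDn    = 'OU=Sales,DC=contoso,DC=com'

# Step 2/3: get or create the GPO.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Removes Task Manager for Sales users' }

# Step 4: same registry value that User Configuration > Policies >
# Administrative Templates > System > Ctrl+Alt+Del Options > Remove Task Manager sets.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null

# Step 5: link it to the OU. -Order 1 = lowest link order = processed last =
# highest precedence among GPOs linked at this OU.
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -Order 1 | Out-Null

# Everything that applies to objects in this OU, in precedence order (Order 1
# wins), including links inherited from the domain and the site.
(Get-GPInheritance -Target $ouDn).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# Step 6 happens on the client, not here:
#   gpupdate /force
#   gpresult /r        (lists the GPO under "Applied Group Policy Objects")
```

The Get-GPInheritance output is the quickest way to answer "which GPO is winning for this OU" before touching gpupdate: if the new GPO shows up below a domain link that is marked Enforced, its setting will lose regardless of link order.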


Lecture No 7


Lecture outline:

1. How to exempt a user or group from the group policy

How to exempt a user or group from the group policy:

To exempt a user or group from the group policy use the following process

1. Open the Group Policy Object that you want to apply an exception and then click on the“Delegation” tab and then click on the “Advanced” button.

2. Click on the “Add” button and select the group (recommended) that you want to excludefrom having this policy applied.



3. In this example I am excluding the "Users GPO Exceptions" group from this policy. Select this group in the "Group or user names" list, scroll down the permissions list and tick "Deny" against the "Apply Group Policy" permission. Leave Read allowed. Remember that a Deny entry overrides any Allow: a member of the exception group will not receive the GPO even if another group they belong to is allowed to apply it, which is why exceptions should be granted through a dedicated group rather than by denying individual users, and why the group's membership needs the same review as an administrative group.
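The same exception set from PowerShell, as an added example that is not from the course notes. The Set-GPPermission cmdlet can grant or remove the Apply right but cannot write a Deny entry, so this writes the access control entry that the GPMC Delegation tab writes: a Deny for the "Apply Group Policy" control access right on the GPO's directory object under CN=Policies,CN=System. It needs the GroupPolicy and ActiveDirectory modules (Server 2008 R2 / RSAT); the GPO name "Desktop Lockdown" is an assumption, the group name is the one used in the notes.

```powershell
# Added example (not from the course notes): deny "Apply Group Policy" on a
# GPO to a group by editing the GPO object's ACL in Active Directory.
# Assumes the GroupPolicy and ActiveDirectory modules; GPO name is hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'Desktop Lockdown'          # hypothetical GPO
$groupName = 'Users GPO Exceptions'      # exception group from the notes

# Schema-defined rights GUID of the "Apply Group Policy" control access right.
$applyGroupPolicy = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo      = Get-GPO -Name $gpoName
$groupSid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $groupName).SID
$domainDn = (Get-ADDomain).DistinguishedName

# The GPO's AD object is named by its GUID in braces.
$gpoDn = "CN=$($gpo.Id.ToString('B')),CN=Policies,CN=System,$domainDn"
$entry = [ADSI]"LDAP://$gpoDn"
$acl   = $entry.psbase.ObjectSecurity

$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicy,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAccessRule($denyApply)
$entry.psbase.ObjectSecurity = $acl
$entry.psbase.CommitChanges()

# Check: GPMC now lists the group with Apply Group Policy denied.
Get-GPPermission -Name $gpoName -All | Where-Object { $_.Denied } |
    Select-Object Trustee, TrusteeType, Permission, Denied
```

On a client that belongs to the exception group, gpresult /r shows the GPO under "The following GPOs were not applied because they were filtered out" with the reason "Denied (Security)". The alternative to a Deny entry is ordinary security filtering: remove Authenticated Users from the Apply right and grant it only to the groups that should get the policy (Set-GPPermission -PermissionLevel GpoApply). That is easier to read in an audit, because an exception is then simply an absence rather than a Deny that has to be traced across group memberships.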



Lecture No 8


Lecture outline:

1. Loopback processing in Group Policy
2. How to map a network drive

Loop back processing in group policy:

As we know, Group Policy has two main configurations, User and Computer. The Computer Configuration is applied to the computer regardless of which user logs on, and the User Configuration is applied to the user regardless of which computer he logs on to. For example, we have a domain with two organizational units (OUs), Green and Red. Green contains a computer account and Red contains a user account. The Green policy, with the settings "Computer Configuration 2" and "User Configuration 2", is linked to the OU with the computer account. The Red policy, with the settings "Computer Configuration 1" and "User Configuration 1", is linked to the OU with the user account. The picture below makes this clearer.


If loopback processing of Group Policy is not enabled and our user logs on to our computer, the following is true:

As we can see from the picture, the user gets Computer Configuration 2 and User Configuration 1. This is the standard situation: policies are applied according to OU membership. The user belongs to the Red OU, so he gets the Red User Configuration 1. Now let's enable loopback processing of Group Policy for the Green OU. If the user logs on to the computer, the policies are applied in the following way:


As we can see, now the user gets User Configuration 2 despite belonging to the Red OU. What has happened is that User Configuration 1 was replaced with User Configuration 2, the user settings of the GPO linked to the computer account's OU. As you have probably noticed, the picture above says "Loopback in replace mode". Loopback processing of Group Policy has two modes, Replace and Merge. Replace mode ignores the user's own GPOs and applies only the User Configuration of the GPOs that apply to the computer, whereas Merge mode applies both: first the user's GPOs, then the computer's.

In Merge mode, if there is a conflict (two policies provide different values for the same setting), the policy applied to the computer wins because it is processed last. In our scenario, in case of a conflict User Configuration 2 would be enforced. The setting lives in Computer Configuration, Policies, Administrative Templates, System, Group Policy, "User Group Policy loopback processing mode", so it belongs in a GPO linked to the OU that contains the computer account. In a real work environment loopback processing is usually used on Terminal Servers. For example, your users have folder redirection enabled, but you do not want folder redirection to work when they log on to the Terminal Server. In this case we enable loopback processing in the policy linked to the Terminal Server's computer account and do not enable the folder redirection settings there. Once the user logs on to the Terminal Server, his folder redirection policy will not be applied. Note that this only works in Replace mode: in Merge mode the folder redirection setting from the user's own GPO is still applied, because nothing on the computer side overrides it.
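An added example, not from the course notes, that does two things: it enables loopback on the Terminal Server's GPO with the GroupPolicy module (Server 2008 R2 / RSAT), writing the same registry value the setting above writes, and it walks through the Red/Green scenario for all three modes with a small resolver so the difference between Merge and Replace is visible, including the folder redirection case. The GPO name and the settings placed in the two hashtables are assumptions chosen to match the notes' story.

```powershell
# Added example (not from the course notes). Part 1 enables loopback on the
# Terminal Server GPO; part 2 simulates how the user settings are resolved.
# GPO name and the example settings are hypothetical.
Import-Module GroupPolicy

$tsGpo = 'Terminal Server Lockdown'
$key   = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Same value that "User Group Policy loopback processing mode" writes:
# 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $tsGpo -Key $key -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
Get-GPRegistryValue -Name $tsGpo -Key $key -ValueName 'UserPolicyMode' | Select-Object ValueName, Value

function Resolve-LoopbackUserSettings {
    # $UserSide     = User Configuration of the GPOs that apply to the user's OU (Red)
    # $ComputerSide = User Configuration of the GPOs that apply to the computer's OU (Green)
    # Only settings that are actually configured belong in the hashtables;
    # "Not configured" never overrides anything.
    param(
        [hashtable]$UserSide,
        [hashtable]$ComputerSide,
        [ValidateSet('Disabled','Merge','Replace')][string]$Mode
    )
    switch ($Mode) {
        'Disabled' { return $UserSide.Clone() }
        'Replace'  { return $ComputerSide.Clone() }      # user's own GPOs ignored
        'Merge'    {
            $result = $UserSide.Clone()
            foreach ($name in $ComputerSide.Keys) {
                $result[$name] = $ComputerSide[$name]   # computer side processed last, wins conflicts
            }
            return $result
        }
    }
}

# User Configuration 1 (Red OU) and User Configuration 2 (Green OU, the TS GPO).
$red   = @{ FolderRedirection = 'Documents -> \\fs01\home'; Wallpaper = 'red.jpg' }
$green = @{ Wallpaper = 'corp.jpg'; RemoveRunMenu = 'Enabled' }

foreach ($mode in 'Disabled', 'Merge', 'Replace') {
    $r = Resolve-LoopbackUserSettings -UserSide $red -ComputerSide $green -Mode $mode
    '{0,-8} FolderRedirection={1,-25} Wallpaper={2,-8} RemoveRunMenu={3}' -f $mode, $r['FolderRedirection'], $r['Wallpaper'], $r['RemoveRunMenu']
}
```

The three output lines show the point made above: in Merge mode the wallpaper conflict goes to the computer side but folder redirection survives, because the TS GPO says nothing about it; only Replace drops it. If you need Merge for other reasons, the TS GPO must explicitly disable folder redirection rather than leave it unconfigured.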

How to map network drive:

In Windows Server 2008 Microsoft introduced Group Policy Preferences, which give administrators a quick and easy way to map network drives. There is no need to write a logon script, as there was in Windows Server 2003. Keep in mind that a preference is not enforced the way a policy setting is: the user can disconnect or change a mapped drive, and it is simply re-applied at the next Group Policy refresh.


1. Public drive mappings

Producing a Group Policy Preference item to create public drive mappings is simple. The GPO containing the preference item is typically linked to higher containers in Active Directory, such as a domain or a parent organizational unit.

Newly created Group Policy objects apply to all authenticated users. The drive map preference items contained in the GPO inherit the scope of the GPO, leaving us to simply configure the preference item and link the GPO. We start by choosing the Action of the item. Drive map actions are Create, Replace, Update and Delete; these are the actions found in most preference items. Create and Delete are self-explanatory. The difference between Replace and Update is that Replace deletes the mapped drive and then creates a new mapped drive with the configured settings, whereas Update does not delete the mapped drive; it only modifies the existing drive with the new settings. Group Policy Drive Maps use the drive letter to determine whether a specific drive already exists. The preceding image shows a Drive Map preference item configured with the Replace action. The configured location is a network share named data, hosted by a computer named hq-con-srv-01. The configured drive letter is G. All other options are left at their defaults. This GPO is linked at the contoso.com domain.



2. Inclusive drive mapping

Inclusive drive mappings are drives mapped for a user who is a member of (included in) a specific security group. The most common use for inclusive drive maps is to map shares used by a specific subset of users, such as accounting, marketing or human resources. Configuring an inclusively mapped drive is the same as a public drive mapping, with one additional step. The following image shows the first part of an inclusive drive mapping preference item being configured.

Configuring the first part of an inclusive drive mapping preference item does not make it inclusive; it only does the work of mapping the drive. We must use item-level targeting to ensure the drive mapping item works only for users who are members of the group. Item-level targeting is configured by clicking the Targeting button on the Common tab of the drive mapping item. The targeting editor provides over 20 different types of targeting items; we are specifically using the Security Group targeting item.



Using the Browse button allows us to pick a specific group in which to target the drive mappingpreference item. Security Group targeting items accomplishes its targeting by comparing securityidentifiers of the specified group against the list of security identifiers with the securityprincipal's (user or computer) token. Therefore, always use the Browse button when selecting agroup; typing the group name does not resolve the name to a security identifier.



The preceding screen shows a properly configured inclusive targeting item. A properly configured security group targeting item shows both the Group and SID fields. The Group field is strictly for administrative use (we humans recognize names better than numbers); the SID field is what the client-side extension uses to determine group membership. We can tell this is an inclusive targeting item from the text that represents the item in the list: the word "is" in "the user is a member of the security group CONTOSO\Management" (an exclusive item would read "is not"). Our new drive map item and the associated inclusive targeting item are now configured. We can link the hosting Group Policy object to the domain with confidence that only members of the Management security group receive the drive mapping. The result can be seen on a client. The following image shows manager Mike Nash's desktop on a Windows Vista computer. Mike receives two drive mappings: the public drive mapping (G: drive) and the management drive mapping (M: drive).
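An added example that is not from the course notes and is not the Preferences client-side extension itself: a logon-script equivalent of the two behaviours described in the public and inclusive drive mapping sections, so the mechanics are visible in code. It reproduces the Replace/Update decision keyed on the drive letter, and the security-group targeting that compares the group's SID against the SIDs in the user's logon token, which is exactly why the editor resolves the group through Browse rather than accepting a typed name. The server hq-con-srv-01 and the share data come from the notes; the share name management and the group CONTOSO\Management are assumptions. It runs on the PowerShell 2.0 that ships with Windows 7 and Server 2008 R2 clients.

```powershell
# Added example (not from the course notes; not the GPP extension). A logon
# script equivalent of the Drive Map preference items described above.
# Assumed: \\hq-con-srv-01\data (public), \\hq-con-srv-01\management
# (hypothetical), group CONTOSO\Management.

function Get-GroupSid {
    # Resolve DOMAIN\Group to its SID once. The membership test below compares
    # SIDs, so a renamed group keeps working and a typo never "matches".
    param([string]$AccountName)
    $acct = New-Object System.Security.Principal.NTAccount($AccountName)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-TokenMembership {
    # Reads the groups from the current logon token, as the CSE does. A user
    # added to the group only matches after logging off and on again.
    param([string]$Sid)
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [bool]($token.Groups | Where-Object { $_.Value -eq $Sid })
}

function Set-MappedDrive {
    param(
        [string]$Letter,
        [string]$Path,
        [ValidateSet('Replace','Update')][string]$Action = 'Replace'
    )
    $net = New-Object -ComObject WScript.Network

    # EnumNetworkDrives returns letter, path, letter, path, ...
    $raw = @()
    foreach ($item in $net.EnumNetworkDrives()) { $raw += $item }
    $existing = @{}
    for ($i = 0; $i + 1 -lt $raw.Count; $i += 2) { $existing[$raw[$i]] = $raw[$i + 1] }

    # The drive letter decides whether the drive "exists", as in the GPP item.
    if ($existing.ContainsKey($Letter)) {
        if ($Action -eq 'Update' -and $existing[$Letter] -eq $Path) {
            return "$Letter already maps to $Path (Update: nothing to change)"
        }
        # Replace always tears the drive down; Update only when the path differs.
        $net.RemoveNetworkDrive($Letter, $true, $true)
    }
    $net.MapNetworkDrive($Letter, $Path, $true)     # $true = persistent mapping
    "$Letter -> $Path ($Action)"
}

# Public mapping: every user running this gets G:.
Set-MappedDrive -Letter 'G:' -Path '\\hq-con-srv-01\data' -Action 'Replace'

# Inclusive mapping: M: only if the Management group's SID is in the token.
$mgmtSid = Get-GroupSid 'CONTOSO\Management'
if (Test-TokenMembership $mgmtSid) {
    Set-MappedDrive -Letter 'M:' -Path '\\hq-con-srv-01\management' -Action 'Replace'
} else {
    "Not a member of CONTOSO\Management; M: not mapped"
}
```

Two things carry over to the real preference item. First, a mapping is not an access control: the share and NTFS permissions on \\hq-con-srv-01\management still have to restrict the folder to the Management group, because anyone can type the UNC path by hand. Second, because membership comes from the token, removing someone from the group does not unmap the drive until their next logon, and the SID-based check means a recreated group with the same name is a different group.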



Lecture No 9


Lecture outline:

1. How to install software on more than one computer
2. Steps for software installation

How to install software on more than one computer:

An .msi file for installation

1. Try to get an .msi version of the software package if at all possible.
2. You cannot deploy .exe installers through Group Policy without repackaging them into .msi.
3. There are several .msi packaging utilities available if you need them.
4. The alternative is a ZAP package (a text file that points at the setup program). A ZAP package can only be published to users, not assigned, and the setup runs with the user's own privileges, so it cannot install software that needs administrator rights.

A shared folder for the software to live in that all your users and computers have at least Read access to, and nothing more: anyone who can write to that share can replace the package that every client will install, and with computer assignment the installer runs as SYSTEM.

A new GPO linked to the appropriate OU.

You can set up a Software Installation GPO for Users or Computers

1. If you set it up for specific users or user groups, you can publish the software so they can install it on demand from Control Panel.

2. You can also assign the software. Assigned to users, it is advertised at the next logon and installs on first use; assigned to computers, it installs at the next startup, before anyone logs on.
3. If you set up the GPO on the Computers side you cannot publish, only assign.
4. Use your best judgment, based on who needs the software and when, when picking which side of the GPO to use for software installs.

Steps for software installation:

1. Create a new shared folder on your data server named Software (users and computers need Read only).
2. Create a folder inside Software named Foxit and put the Foxit.msi package there.
3. Create a new GPO and link it to the appropriate OU. Name it FoxitInstall.
4. In the Computer Configuration section of the GPO, go to Policies, Software Settings, Software Installation.
5. Create a new package by right-clicking and selecting New, Package.
6. Select the .msi file by its UNC path (for example \\server\Software\Foxit\Foxit.msi), not by a local drive letter, because the clients have to reach the same path; then select any options.
7. Run gpupdate /force on the clients (or wait for the refresh interval); running it on the server only refreshes the server itself.
8. Have your users reboot their client machines, since computer-assigned software is installed at startup.
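Two checks that belong around this procedure, as an added example not taken from the course notes: before the package goes into the Software share, confirm it is signed and record its hash (the share is the supply chain for every client in the OU), and confirm nobody but administrators can write to it; after the client reboot, read the client's own record of which deployments it applied. The path \\fs01\Software\Foxit\Foxit.msi and the GPO name FoxitInstall are assumptions; Get-AuthenticodeSignature exists in PowerShell 2.0, so this runs on Server 2008 R2 without extra modules.

```powershell
# Added example (not from the course notes). Part 1 runs on the admin
# workstation before step 5; part 2 runs on a client after step 8.
# Path and GPO name are hypothetical.

$msi = '\\fs01\Software\Foxit\Foxit.msi'

# 1a. Integrity of the package. Refuse to deploy an unsigned or tampered MSI
#     and keep a SHA-256 so the file can be re-checked later.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    throw "Not deploying $msi : signature status is $($sig.Status)"
}
"Signed by: $($sig.SignerCertificate.Subject)"

$sha256 = New-Object System.Security.Cryptography.SHA256Managed
$stream = [System.IO.File]::OpenRead($msi)
try   { $hash = ([BitConverter]::ToString($sha256.ComputeHash($stream))) -replace '-', '' }
finally { $stream.Close() }
"SHA-256: $hash"

# 1b. Who can change the package? Anything beyond admins/SYSTEM with write
#     rights here is a way to run arbitrary code as SYSTEM on every client.
$writers = (Get-Acl $msi).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.FileSystemRights -match 'Write|Modify|FullControl') } |
    Select-Object -ExpandProperty IdentityReference
$unexpected = $writers | Where-Object { $_.Value -notmatch 'Administrators|SYSTEM|Domain Admins' }
if ($unexpected) { Write-Warning "Write access on $msi for: $($unexpected -join ', ')" }
else             { "Write access limited to: $($writers -join ', ')" }

# 2. On a client after the reboot: the Software Installation extension records
#    each applied deployment under the AppMgmt key (one subkey per deployment).
$appMgmt = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt'
Get-ChildItem $appMgmt -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    '{0}  (GPO: {1})' -f $p.'Deployment Name', $p.'GPO Name'
}
# Installed product as Windows Installer sees it (Win32_Product is slow but accurate).
Get-WmiObject Win32_Product -Filter "Name like 'Foxit%'" | Select-Object Name, Version
```

If part 2 shows the deployment but the product is missing, the usual cause is the client being unable to read the UNC path as the computer account (computer assignment runs as SYSTEM, so the share and NTFS ACLs must include Domain Computers or Authenticated Users for Read), which is the reason the prerequisites above insist on Read for computers as well as users.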


Lecture No 10


Lecture outline:

1. Domain password policies
2. Fine-grained password policies
3. Steps for configuring fine-grained password policies

Domain Password Policies:

1. Normally the password policy is set for all users at the domain level (in the Default Domain Policy).
2. The default settings are usually good enough as a starting point.
3. Complexity requirements are enforced only when a password is created or changed; turning the setting on does not affect existing passwords until they are next changed.

Password complexity requirements - the password must:

1. Not contain the user's account name, or parts of the user's full name that exceed two consecutive characters.
2. Be at least six characters in length.
3. Contain characters from three of the following four categories:

English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Non-alphabetic characters (for example $, #, %)
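The complexity rule written out as a function, as an added example that is not from the course notes. It is useful for checking passwords generated by a provisioning script before they hit the domain controller, and for showing why the rule is weaker than it looks. The domain controller's own password filter is the authority; this only mirrors the four rules listed above (for the full-name check it uses the documented token split on commas, periods, hyphens, underscores, spaces, pound signs and tabs, ignoring tokens shorter than three characters). The user names in the sample calls are made up.

```powershell
# Added example (not from the course notes): offline check against the
# default complexity rule above. The DC's password filter is authoritative.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [string]$SamAccountName,
        [string]$DisplayName
    )
    $reasons = @()

    # Rule 2: minimum length of the complexity rule itself (the separate
    # "Minimum password length" setting is usually higher).
    if ($Password.Length -lt 6) { $reasons += 'shorter than 6 characters' }

    # Rule 1: samAccountName as a whole, and full-name tokens of 3+ characters,
    # must not appear (case-insensitive).
    $tokens = @()
    if ($SamAccountName) { $tokens += $SamAccountName }
    if ($DisplayName)    { $tokens += ($DisplayName -split '[,.\-_ #\t]+') }
    $lower = $Password.ToLowerInvariant()
    foreach ($t in $tokens) {
        if ($t.Length -ge 3 -and $lower.Contains($t.ToLowerInvariant())) {
            $reasons += "contains name part '$t'"
        }
    }

    # Rule 3: three of the four categories. -cmatch is case-sensitive.
    $categories = 0
    if ($Password -cmatch '[A-Z]')       { $categories++ }
    if ($Password -cmatch '[a-z]')       { $categories++ }
    if ($Password -match  '[0-9]')       { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) { $reasons += "only $categories of 4 character categories" }

    New-Object PSObject -Property @{
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Sample calls (hypothetical account jsmith / "John Smith"):
Test-PasswordComplexity -Password 'Summer2008!' -SamAccountName 'jsmith' -DisplayName 'John Smith'  # compliant
Test-PasswordComplexity -Password 'Smith123!'   -SamAccountName 'jsmith' -DisplayName 'John Smith'  # name part
Test-PasswordComplexity -Password 'p@ssw0rd'    -SamAccountName 'jsmith' -DisplayName 'John Smith'  # compliant
Test-PasswordComplexity -Password 'password'    -SamAccountName 'jsmith' -DisplayName 'John Smith'  # 1 category
```

The third call is the caveat: "p@ssw0rd" satisfies every rule and is on every attacker's wordlist. Complexity stops the laziest choices, not guessable ones, which is why the minimum length and, for privileged accounts, the fine-grained policy below matter more than the complexity switch.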

Fine Grained Password

1. Normally you have only one password policy for the whole domain, but by creating Password Settings Objects (PSOs) you can specify additional password and lockout policies for individual users or for the global security groups those users belong to. A PSO cannot be linked to an OU and only global security groups count; when several PSOs apply to one user, a PSO linked directly to the user wins, otherwise the one with the lowest precedence value does.

2. Your domain functional level must be Windows Server 2008 (all your domain controllers must run Windows Server 2008 or later).

3. Windows Server 2008 has no graphical tool for PSOs, so we use ADSI Edit to create the Password Settings object and link it to the user account or group.

Steps for configuring fine grained password policies:

To create a fine-grained password policy:

1. Open Administrative Tools, ADSI Edit.
2. Click Action, then Connect to (accept the Default naming context).
3. Expand DC=domain,DC=com.
4. Expand CN=System.
5. Select CN=Password Settings Container.
6. Right-click it and select New, Object.


7. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.


8. In the Create Object dialog box, enter SpecialAdmins in the Value field, andthen click Next.

9. For the msDS-PasswordSettingsPrecedence value, enter 1, and then click Next


10. For the msDS-PasswordReversibleEncryptionEnabled value, enter false, andthen click Next

11. For the msDS-PasswordHistoryLength value, enter 24, and then click Next


12. For the msDS-PasswordComplexityEnabled value, enter false, and then click Next. (This switches complexity off for everyone the PSO applies to. For an administrative group you would normally enter true and treat the longer minimum length in the next step as an addition, not a substitute.)

13. For the msDS-MinimumPasswordLength value, enter 12, and then click Next


14. For the msDS-MinimumPasswordAge, enter 1:00:00:00, and then click Next

15. For the msDS-MaximumPasswordAge, enter 30:00:00:00, and then click Next


16. For the msDS-LockoutThreshold, enter 3, and then click Next

17. For the msDS-LockoutObservationWindow, enter 0:00:30:00, and thenclick Next


18. For the msDS-LockoutDuration, enter (never), and then click Next, thenclick Finish

19. Right-click on CN=SpecialAdmins in the console tree, and thenselect Properties


20. On the CN=SpecialAdmins Properties window, select the msDS-PSOAppliesTo attribute, and then click the Edit button

21. On the Multi-valued Distinguished Name With Security Principal Editor window, click on the Add Windows Account button


22. On the Select Users, Computers, or Groups window, enter SpecialAdmins in the Enter the object names to select field, and then click OK

23. Click OK on the Multi-valued Distinguished Name With Security Principal Editor window

24. Click OK on the CN=SpecialAdmins Properties window
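As an added example (not from these notes), the same PSO built with the ActiveDirectory PowerShell module, which needs Windows Server 2008 R2 or the RSAT module on Windows 7; the precedence value 10 is an assumption (it is set in an earlier step of the lab), while SpecialAdmins and the attribute values are the ones the steps above enter in ADSI Edit.

```powershell
Import-Module ActiveDirectory

# ADSI Edit takes durations as d:hh:mm:ss and stores them as a negative large
# integer counted in 100-nanosecond intervals; "(never)" is 0x8000000000000000.
function ConvertTo-PsoInterval([string]$Value) {
    if ($Value -eq '(never)') { return [Int64]::MinValue }
    $d, $h, $m, $s = $Value.Split(':') | ForEach-Object { [int]$_ }
    $ts = New-TimeSpan -Days $d -Hours $h -Minutes $m -Seconds $s
    return [Int64](-$ts.Ticks)     # one .NET tick is 100 ns
}

$domain  = (Get-ADDomain).DistinguishedName
$psoDN   = "CN=SpecialAdmins,CN=Password Settings Container,CN=System,$domain"
$groupDN = (Get-ADGroup 'SpecialAdmins').DistinguishedName   # group created earlier in the lab

# Lab values from steps 10-18. Precedence 10 is assumed (set in an earlier step).
# Complexity is off only because the lab says so; keep it on for real admin accounts.
New-ADObject -Name 'SpecialAdmins' -Type 'msDS-PasswordSettings' `
    -Path "CN=Password Settings Container,CN=System,$domain" -OtherAttributes @{
    'msDS-PasswordSettingsPrecedence'          = 10
    'msDS-PasswordReversibleEncryptionEnabled' = $false
    'msDS-PasswordHistoryLength'               = 24
    'msDS-PasswordComplexityEnabled'           = $false
    'msDS-MinimumPasswordLength'               = 12
    'msDS-MinimumPasswordAge'                  = (ConvertTo-PsoInterval '1:00:00:00')
    'msDS-MaximumPasswordAge'                  = (ConvertTo-PsoInterval '30:00:00:00')
    'msDS-LockoutThreshold'                    = 3
    'msDS-LockoutObservationWindow'            = (ConvertTo-PsoInterval '0:00:30:00')
    'msDS-LockoutDuration'                     = (ConvertTo-PsoInterval '(never)')
}

# Steps 19-24: point msDS-PSOAppliesTo at the group.
Set-ADObject -Identity $psoDN -Add @{ 'msDS-PSOAppliesTo' = $groupDN }

# Check: a member of the group should now resolve to this PSO rather than
# the domain's default password policy.
$member = Get-ADGroupMember -Identity 'SpecialAdmins' | Select-Object -First 1
if ($member) { Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName }
```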


Lecture No 11


Lecture outline:

1. Providing Permissions to an Account for Administrative Tasks
2. Installation of RSAT on client side

Providing Permissions to an Account for Administrative Tasks:

To give a user rights to perform some of the administrative tasks, the following approaches can be used:

1. Use the Delegation of Control Wizard
2. Add a user to one (or more) of the Built-In Groups so he can do administrative tasks without having to be an Administrator.

The Delegation Wizard can’t provide everything, so you’ll have to also use some additional Groups to provide some more permission to a user. The detail of different groups has been shown in the chart below.
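As an added example (not from these notes), the same topic from the reviewing side: listing what the Delegation of Control Wizard actually wrote onto an OU, and who sits in the built-in operator groups, using the ActiveDirectory module (Windows Server 2008 R2 or RSAT on Windows 7); the OU distinguished name is a placeholder.

```powershell
Import-Module ActiveDirectory

# Placeholder: the OU on which the Delegation of Control Wizard was run.
$ou = 'OU=Delegated,DC=example,DC=com'
$configNC = (Get-ADRootDSE).configurationNamingContext

# The wizard writes explicit (non-inherited) ACEs on the OU. List them and resolve
# extended-right GUIDs (Reset Password, etc.) to their names from the schema.
function Get-DelegatedAces([string]$DistinguishedName) {
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        $right = $ace.ObjectType   # stays a GUID if it is not an extended right
        if ($ace.ObjectType -ne [guid]::Empty) {
            $er = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                -LDAPFilter "(rightsGuid=$($ace.ObjectType))" -Properties displayName
            if ($er) { $right = $er.displayName }
        }
        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            Type     = $ace.AccessControlType
            Rights   = $ace.ActiveDirectoryRights
            Right    = $right
        }
    }
}

Get-DelegatedAces $ou | Format-Table -AutoSize

# Built-in groups that grant administrative ability without Domain Admins membership;
# their (recursive) membership belongs in the same review.
foreach ($group in 'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators') {
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Select-Object -ExpandProperty SamAccountName
    if ($members) { "{0}: {1}" -f $group, ($members -join ', ') }
    else          { "{0}: (empty)" -f $group }
}
```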

Installation of RSAT on client side:

Giving a user the Remote Control for AD Users and Computers

1. So now that user actually can do some administrative tasks, let’s make it a little easier for him to get to the Servers without even having to use Remote Desktop.

2. The Remote Server Administration Tools for Windows 7 is a collection of MMC tools that allows you to administer most of the standard Server tasks without having to use Remote Desktop or actually be at the Server.

3. It’s super easy to download and install, but you have to go into Control Panel and enable it.


Lecture No 12


Lecture outline:

1. Creating backup
2. Windows Server 2008 built-in tools for backup

Creating backup:

In information technology, a backup or the process of backing up is making copies of data which may be used to restore the original after a data loss event. Backups have two distinct purposes. The primary purpose is to recover data after its loss, be it by data deletion or corruption. Data loss is a very common experience of computer users. 67% of internet users have suffered serious data loss. The secondary purpose of backups is to recover data from an earlier time, according to a user-defined data retention policy, typically configured within a backup application for how long copies of data are required.

Windows Server 2008 built-in tools for backup:

Main tools built into Server 2008 for backup are

1. Windows Server Backup

o A GUI (Graphical User Interface) tool that creates simple backups (replaces NTBackup).
o Windows Server Backup is a Feature that you must install before using it; it doesn’t install automatically.
o It only backs up to a Shared Folder (Network Attached Storage) or to DVD.
o Backs up entire Volumes.
o Overwrites previous backups if you back up to the same shared folder over and over.
o It’s great for simple backups for small organizations.

To install Windows Server Backup go to Server Manager, Add Features and Windows Server Backup.

2. Wbadmin

o WBADMIN is a command line tool that provides more power to your backup options.
o It can run a one-time backup.
o It can schedule regular backups.
o It can back up your System State, which includes all the guts of your DC:
  o Registry
  o Boot files
  o System Files
  o AD Directory Services database
  o SYSVOL directory


o System State data can be restored using WBADMIN or using the graphical Windows Server Backup.

To create a wbadmin backup type the following command at the command prompt (the target must be a volume other than the one being backed up):

C:\>wbadmin start systemstatebackup -backupTarget:<DriveLetter>:

3. Ntdsutil

o An extremely powerful tool to do advanced backup operations (and a lot more) specifically for Active Directory files and database.
o NTDSUTIL is specifically for AD, and not so much for backing up your whole Server.
o In terms of creating Backup Media, it can create IFM (Install from Media) media for faster creation (or re-creation, as the case may be) of a Domain Controller.
o It’s an interactive tool, providing different commands depending on what Context it’s used in.
o When used in conjunction with media created by Wbadmin or Windows Server Backup, it can allow you to restore Active Directory Objects like entire OU’s.
o It can also take Snapshots of your Active Directory Database so you can see how your AD looks over

To create an Ntdsutil IFM backup type the following sequence of commands at the command prompt (the NTDS instance must be activated before entering the ifm context; the prompt changes with the context):

C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create sysvol full D:\ifm