70-640 Notes

Date post: 02-Oct-2014
Transcript
Page 1: 70-640 Notes

9/24/2008

1

Welcome to Train Signal

Train Signal, Inc.

Coach Culbertson

Video 1

Welcome to Windows Server 2008 Active Directory

Your Host:

Coach Culbertson

MCT, MCITP, MCTS, MCSA, MCDBA, and several other random IT certifications


Welcome to Windows Server 2008 Active Directory

In this video:

• About Your Instructor and Train Signal
• Overall Scope of the Course
• What’s Covered in this Course
• The Globomantics Scenario
• What We’ll Build in this Course


About Your Instructor and Train Signal

About Benjamin “Coach” Culbertson

• MCITP: Server Administrator, MCTS: SharePoint Server 2007, MCSA, MCDBA, MCT, A+, Net+, CIW, and a few others
• 2 Year Tour of Duty as an Inner City High School Teacher in Chicago
• Launched a couple hundred careers

About Train Signal

• Casual Training Method that teaches real skills first
• Scenario-Based Training to answer the question "Why does this change my life?"

Page 2: 70-640 Notes


What’s Covered in this Course

What’s on the hit parade for this one, Coach? Can we dance to it?

2. What is Active Directory?
3. The First Two Domain Controllers
4. Setting Up Remote Desktop on Your Personal Vista Client
5. Creating Organizational Units, User and Computer Accounts, and Groups
6. Sharing Stuff On Servers
7. Get Your Control Freak On!
8. How to Make Your Boss Mad and then Fix it Really Fast


What’s Covered in this Course

9. Make Your Life Easier with Computer Policies and Preferences
10. How to Push Software Onto a Lot of Machines Without Getting Up From Your Desk
11. What’s My P@ssw0rd again?
12. Passing the Buck
13. Creating Backup Solutions BEFORE Stuff Blows Up


What’s Covered in this Course

14. Reducing Single Points of Failure
15. Monitoring, Auditing, and Defragging
16. Creating the Chicago Location
17. How To Give People Access to Stuff That’s 790 Miles Away
18. Creating The Dallas Branch Office
19. Bringing an OU and Users Back from the Dead

Page 3: 70-640 Notes


What’s Covered in this Course

20. What Do You Do When A Domain Controller Blows Up?
21. Get Your Old Domain Controllers Up To Date
22. Connecting the Continents
23. Certification: It’s Really Not That Scary
24. DNS Stuff
25. Active Directory Certificate Services 101
26. Active Directory Lightweight Directory Services 101
27. Active Directory Rights Management 101


The Globomantics Scenario

Here’s the story about a man named Hank…

You are the newly hired Systems Administrator for a new startup company called Globomantics, a stock brokerage. Hank Richards, our Founder and CEO, is a rough and tumble Texan who isn’t the most tech savvy individual, but knows the value of having good people who know the ropes when it comes to computers.

You’ll have the rare opportunity to build out the corporate network, specifically Active Directory, for Globomantics, including:

– The Main Office in New York
– The Chicago Office
– The Dallas Branch Office
– And melding networks with a small company in Tokyo, Verde Petra, which Hank will buy out.


What We’ll Build in this Course

We’ll start with this…

Page 4: 70-640 Notes


What We’ll Build in this Course

…and end up with this!

Yeah, it’s a lot—but we’ll take it a step at a time!


So How About It?

Are You Ready?

C’mon, Let’s Go!

Welcome to Train Signal

Video 2

What is Active Directory?

And Why You Need To Care

Page 5: 70-640 Notes


What is Active Directory?

In this video:

• What is Active Directory and Why Should I Care?
• What is a Domain Controller?
• What is a Domain?
• What is a Server Role?
• What is DNS?


What is Active Directory and Why Should I Care?

Okay, time for the secret

• Active Directory is the Brain of a Windows Server Network.
• It’s a database that keeps track of a huge amount of stuff and gives us a centralized way to manage all our network machines, users, and resources.

[Diagram: Users and Groups; Services (i.e. Email, etc.); Resources (Printers, Shared Folders, etc.). We say that these items are Objects in the Active Directory Database.]


What is Active Directory and Why Should I Care?

As a matter of fact….

Every time you log in to a corporate network, you’re using Active Directory.

[Diagram: the client asks the Domain Controller for access. Domain Controller: “Hold up, let me check the Active Directory Database to see if you get access!” … “Ok, I see your User Account, it’s valid, and it has these permissions. Here ya go!”]

Page 6: 70-640 Notes


What is a Domain Controller?

Big Boss Machine comin’ at ya!

• A Domain Controller is a Windows Server Machine that runs Active Directory Domain Services.
• Think of it as the Boss of your network.
• You may have multiple Domain Controllers that all have copies of the same Active Directory database.

[Diagram: three Domain Controllers, each holding a copy of the Active Directory Database.]


What is a Domain?

Big word: “Namespace”

• A Windows Server domain is a logical group of computers running versions of the Microsoft Windows operating system that share a central directory database.
• The machines are all named with part of a Domain name like globomantics.com (also called a “suffix”) and are registered in the Active Directory Database so they can be managed.

[Diagram: the domain globomantics.com, with clients CL1.globomantics.com and CL2.globomantics.com and the Domain Controller NY-DC1.globomantics.com.]


What is a Domain?

You’ll often see Domains represented like this:

[Diagram: globomantics.com (Forest Root) with the child domain na.globomantics.com.]

A Forest is comprised of ALL the Domains in your Enterprise. Your Forest may only have one domain!

Page 7: 70-640 Notes


What is a Domain?

Don’t forget about users!

• Users are also part of the “namespace.”
• Example: Your email address is part of a domain namespace: [email protected]

Note: Email-like logins are also called “User Principal Names” when used to log into a Server 2008 network.


What is a Server Role?

Everybody needs a job—even servers!

• Servers need jobs, too.
• A Server Role is a major job that a Server can perform.
• It’s recommended that a Server not have too many Roles.

A Domain Controller usually has only two Roles:
• Active Directory Domain Services
• DNS


What is DNS?

Domain Name Services are your friend

• DNS is a service provided by a Server that allows you to find other computers in your network.
• DNS allows you to type in a friendly name of a machine instead of its IP Address, allowing your client to get the IP address from the DNS server and go find the resource.
• Without DNS, Active Directory will not work. Period.
• In Server 2008, it’s recommended that you integrate DNS with Active Directory to make your IT life easier.

Page 8: 70-640 Notes


What We Covered

After watching this video, you should be able to:

• Define briefly what Active Directory is
• Describe the three primary types of Objects that Active Directory provides
• Describe what happens when you log in to an Active Directory network
• Define what a Domain Controller is
• Describe a Forest
• Describe a Domain
• Define briefly what a Server Role is

Welcome to Train Signal

Video 3

The First Two Domain Controllers: Installing Server 2008 and Active Directory


The First Two Domain Controllers

In this video:

• Building the Brain of the Globomantics Network

• Quick Server 2008 Requirements and Editions Check

• The Bare Metal Installation Process

• The Initial Configuration Task List

• Installation of Active Directory Domain Services

• Setting up a Second Domain Controller

• Can We Talk? Replication Testing

Page 9: 70-640 Notes


Building the Brain of the Globomantics Network

This is how we begin

Your mission should you choose to accept it: build 2 Domain Controllers to start the Globomantics network at the New York headquarters. Here’s your hardware and what we’re going to build.

[Diagram: Internet T-1 connection, Network Switch, and the two servers below.]

Computer Name: NY-DC1-2K8
IP: 192.168.5.2
3GHz 64-bit CPU, 4GB RAM, 2 – 120GB HDD’s, Gigabit NIC
This Domain Controller will create the Domain globomantics.com

Computer Name: NY-DC2-2K8
IP: 192.168.5.3
3GHz 64-bit CPU, 4GB RAM, 2 – 120GB HDD’s, Gigabit NIC
This Domain Controller will join the Domain globomantics.com

We’re setting up two almost identical DC’s for fault tolerance and better performance. If one crashes, we have another!


Building the Brain of the Globomantics Network

Once we set up these two DC’s, we’ll have this:

[Diagram: New York Site: NY-DC1-2K8 (IP: 192.168.5.2) and NY-DC2-2K8 (IP: 192.168.5.3) in globomantics.com, the Forest Root Domain (because it’s the very first domain).]


The Big Picture

[Diagram: globomantics.com (New York Site); na.globomantics.com (Chicago Site); asia.globomantics.com (Tokyo Site).]

Page 10: 70-640 Notes


Quick Server 2008 Editions and Requirements Check

Hardware Requirements:

http://www.microsoft.com/windowsserver2008/en/us/system-requirements.aspx

Component | Requirement
Processor | Minimum: 1 GHz (x86 processor) or 1.4 GHz (x64 processor). Recommended: 2 GHz or faster. Note: An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-Based Systems.
Memory | Minimum: 512 MB RAM just to install. Recommended: 2 GB RAM or greater. Coach Says: As much as you can get!
Available Disk Space | Minimum: 10 GB. Recommended: 40 GB or greater. Note: Computers with more than 16 GB of RAM will require more disk space for paging, hibernation, and dump files.
Other BFO Stuff | DVD-ROM drive; Super VGA (800 × 600) or higher resolution monitor; Keyboard and Microsoft Mouse or compatible pointing device; NIC.

BFO: Blinding Flash of the Obvious


Quick Server 2008 Editions and Requirements Check

Which Edition of Server 2K8 should we use for our first two DC’s?

http://www.microsoft.com/windowsserver2008/en/us/editions.aspx

Edition | Description | Price | Max. RAM for 32-bit | Max. RAM for 64-bit | When to use
Standard | Does almost everything | $999 w/5 CAL’s | 4 GB | 32 GB | Small to medium environments, File and Print Servers, less intensive applications
Enterprise | Does it all | $3999 w/25 CAL’s | 64 GB | 2 TB | Large environments, clustering
Datacenter | All that and a bag of chips | $2999 PER PROCESSOR | 64 GB | 2 TB | For massive environments – includes unlimited virtualization licenses!
Web Server | Just a Web Server (IIS 7.0) | $469 | 4 GB | 32 GB | You don’t need me to explain this. Really, you don’t.
Itanium | For high-end web/application servers | $2,999 | N/A | 2 TB | When you need to run super powered databases or high end applications. Only has Application Server Role.


Quick Server 2008 Editions and Requirements Check

And the winner for Globomantics’ Edition for the first 2 DC’s is... Enterprise Edition 64-bit!

• We select Enterprise 64-bit for its ability to handle up to 2TB of Memory and its complete set of features for future growth (and we have the $$$).
• Each of the machines we will be setting up as DC’s has:
  – 4GB of RAM
  – 2 120GB hard drives installed
  – A 3GHz 64-bit Quad-Core Intel processor
  – Gigabit network cards

This will easily handle the Enterprise edition (at least at first).

Page 11: 70-640 Notes


The Bare Metal Installation Process

What do we mean by “bare metal?”

• Two types of Server 2008 installations:
  – Bare Metal – No existing Operating System on the HDD
  – Upgrade—Installing over Server 2003 that is already installed on the HDD.
• Bare Metal is the simplest installation possible (and is recommended by Microsoft as the preferred method)—pop in the DVD and boot up!
• For Globomantics, we’ll be doing two bare metal installations of Server 2008 64-bit Enterprise edition. We’ll start by installing 2K8 on the first machine. Our hardware is set up and plugged in to the power and the network switch, so let’s go!


The Initial Configuration Task List

Back to the basics

The Initial Configuration Task list is sheer hedonistic convenience. It groups together all the common tasks that you have to set up in one convenient place.

We will need to:
– Configure Time Zone info
– Configure the network settings for 192.168.5.2 and an initial DNS server.
– Rename the computer to NY-DC1-2K8 and reboot
– Configure Automatic Updates and Feedback
– Configure Remote Desktop (Optional)
– Turn off the ICT from coming back because it’s annoying after set-up.


Installation of Active Directory Domain Services

Now we’re ready to set this machine up as a DC

• Setting up a Domain Controller has two basic parts:
  1. Installing the AD DS Role.
  2. Running DCPromo.exe.
• Installing the AD DS Role is done from Server Manager using Add Roles.
• Dcpromo can be run from the link provided in Server Manager after AD DS installation or from the Search box.

Page 12: 70-640 Notes


Building the Brain of the Globomantics Network

Passwords

[Diagram: NY-DC1-2K8 (IP: 192.168.5.2) in globomantics.com, the Forest Root Domain, New York Site.]

The first password you create is the Local Administrator only for this one Server!

When you create a domain on your first Server, the Local Administrator Password becomes the Domain Administrator Password for all the machines in your domain!

It’s a good idea to change the name of your Domain Administrator account and its password for security.


Building the Brain of the Globomantics Network

So we now have a functional DC and Domain!

[Diagram: New York Site: NY-DC1-2K8 (IP: 192.168.5.2) and NY-DC2-2K8 (IP: 192.168.5.3) in globomantics.com, the Forest Root Domain.]


Page 13: 70-640 Notes


Setting Up Our Second Domain Controller

Everything we’ve just done again, only faster this time

• We now need to set up our second DC, so here we go again:
  1. Install Server 2K8 “Bare Metal.”
  2. Configure the basic stuff using the ICT.
  3. Install the AD DS Role binaries.
  4. Run DCPromo
• When we run DCPromo this time, we will be adding a Domain Controller to the domain we just created, globomantics.com.

[Diagram: Internet T-1 connection, Network Switch, and the two servers below.]

Computer Name: NY-DC1-2K8, IP: 192.168.5.2, 3GHz 64-bit CPU, 4GB RAM, 2 – 120GB HDD’s, Gigabit NIC. This Domain Controller will create the Domain globomantics.com.

Computer Name: NY-DC2-2K8, IP: 192.168.5.3, 3GHz 64-bit CPU, 4GB RAM, 2 – 120GB HDD’s, Gigabit NIC. This Domain Controller will join the Domain globomantics.com.


Replication: Can we talk?

Our new DC’s need to be friends

• DC’s need to be able to talk and keep duplicate records in their respective databases. When something changes in the domain, those changes have to be communicated and recorded.

[Diagram: NY-DC1-2K8 and NY-DC2-2K8 talking through the Network Switch.
“Hey, the admin just added three OU’s, four user accounts, and renamed one of the old user accounts.”
“Got it, I’ll record those changes in my copy of the Active Directory database. Here’s the changes I’ve received.”
“Great, I’ll record your changes, too.”]


Replication: Can we talk?

Our new DC’s need to be friends: Best Friends Forever!

The easiest way to check replication:

1. Create a new Organizational Unit in Active Directory Users and Computers on either DC.
2. Go to the command line and type repadmin /syncall.
3. Check the other DC’s Active Directory Users and Computers to see if the Organizational Unit shows up there as well. If it does, your DC’s are now BFF’s.

You might need to hit F5 to Refresh the screen to see the new items in the Server Manager.

Page 14: 70-640 Notes


Building the Brain of the Globomantics Network

So we now have the brain of the network done

[Diagram: New York Site: NY-DC1-2K8 (IP: 192.168.5.2) and NY-DC2-2K8 (IP: 192.168.5.3) in globomantics.com, the Forest Root Domain (because it’s the very first domain).]


Terms You Should Know

• Bare Metal Installation—Installing an OS on a clean hard drive.
• Upgrade Installation—Installing Server 2008 on a machine already running Server 2003.
• Initial Configuration Task List—Convenient list of common tasks to set up Server 2008.
• DCPromo.exe – The wizard that sets up Active Directory and promotes a machine to Domain Controller status.


Terms You Should Know

• NTDS.dit—The database file for Active Directory.
• Sysvol—The shared folder that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain.
• Replication—The process of exchanging and recording changes in Active Directory between Domain Controllers.

Page 15: 70-640 Notes


What We Covered

After viewing this video, you should be able to:

• Evaluate hardware to determine whether or not it will support Server 2008.
• Describe basic differences between versions of Server 2008.
• Describe what a Bare Metal Installation is.
• Perform a Bare Metal Installation of Server 2008.


• Use the Initial Configuration Task List to:
  – Configure Time and Date
  – Rename a Machine
  – Configure a Static IP Address and DNS for Networking
  – Configure Automatic Updates and Feedback
• Install Active Directory Domain Services Role.
• Run the DCPromo Wizard to promote a server to Domain Controller Status for both a first and second domain controller.


• Verify if two Domain Controllers are replicating.
• Force two Domain Controllers to replicate using repadmin /syncall.

Now that our first two DC’s are up, in the next video we’ll start adding User Accounts for Globomantics, organizing them according to departments, and more!

Page 16: 70-640 Notes


Welcome to Train Signal

Video 4

Setting Up Remote Desktop on Your Personal Vista Client

Because you don’t want to have to go into the Server Room every time you need to do something


Setting up Remote Desktop on Your Vista Client

In this video:

• The DC’s Are Up And Running...Now What?
• Why Remote Desktop Is Just Great


The DC’s Are Up And Running...Now What?

Time to set up our Vista Client so we can access the servers remotely

• You have a Vista machine that you’ll be using for everyday tasks, and you can use Remote Desktop to administer Servers without having to be right at the machine.
• Because we selected the more secure option when we set up Remote Desktop on the Servers, we have to join the Vista client machine to the Globomantics Domain in order to access DC1 and DC2 from the client machine.

Page 17: 70-640 Notes


Your mission: Add the Client

In order to make all this work...

• You first need to rename the client machine to fit the Globomantics naming convention.
• The name of the machine needs to become CL-NY-VIS and then rebooted.
• Then you’ll join the client to the Globomantics Domain.


Why Remote Desktop Is Just Great

Why get out of your comfy office chair to go do Server stuff when you can do it from your desk?

• Once we have Remote Desktop set up, you can access your Servers just like you’re at the machine.
• Create Remote Desktop Shortcuts and the process is even easier.
• You’re going to create 2 Remote Desktop shortcuts on the Desktop so you can get to DC1 and DC2 easily.


So now that you’ve added your client to the domain

This is what our network looks like:

[Diagram: New York Site: NY-DC1-2K8 (IP: 192.168.5.2) and NY-DC2-2K8 (IP: 192.168.5.3) in globomantics.com, the Forest Root Domain; the client CL1-NY-VIS with a DHCP Address.]

Page 18: 70-640 Notes


What We Covered

After viewing this video, you should be able to:

• Join a Vista Client to a Domain
• Create Remote Desktop Shortcuts
• Log in to a Server using Remote Desktop

Welcome to Train Signal

Video 5

Creating Organizational Units, User and Computer Accounts, and Groups


Creating the Globomantics Active Directory Structure

In this video:

• The DC’s Are Up and Running...Now What? - Part 2
• What’s an OU Again?
• How About Some Users!
• Creating a Whole Bunch of Users at Once
• Give Me Some Computer Accounts!
• The Difference Between OU’s and Groups

Page 19: 70-640 Notes


The DC’s Are Up And Running...Now What?—Part 2

Now that we can access DC1 remotely, we populate!

• “Populate” is a fancy word that means “put stuff into a space,” i.e. add in Objects to our Active Directory.
• We have the “Brain” of the Globomantics network, but it’s not particularly usable yet. We need to add in Organizational Units, User Accounts, Computer Accounts, and Groups.
• We’ll be accessing DC1 via Remote Desktop to add in all of our objects, and let replication add them to DC2.


The DC’s Are Up And Running...Now What?

The Beginning Globomantics AD Structure: here’s what we’re going to build

[Diagram: 2 Computer Accounts (the other 23 are on back order), 4 Groups for Users, 2 Groups for Computers. The Domain Administrator Account is already created.]


The DC’s Are Up And Running...Now What?

And they all live together in one big shoe—I mean Domain

[Diagram: globomantics.com, the Forest Root Domain, holding 2 Computer Accounts (the other 23 are on back order), 4 Groups for Users, 2 Groups for Computers, and the already-created Domain Administrator Account. Everything lives in the Active Directory Database on our Domain Controllers NY-DC1-2K8 and NY-DC2-2K8.]

Page 20: 70-640 Notes


What’s an OU Again?

Big Words, Simple Meaning

• An Organizational Unit is a container (read: folder) that holds AD Objects like User Accounts, Computer Accounts, and Groups.
• OU’s help to keep your Objects organized, but also are used to control what your Users can and can’t do (among other things).
• You can also pass the buck by delegating control over OU’s.

[Diagram: an OU containing a User Group, a Computer Group, a User Account and a Computer Account.]


What’s an OU Again?

Two ways to create OU’s

• The easiest way to create an OU is to use Active Directory Users and Computers.
  – Right-click on the Domain icon, Select New, and then Organizational Unit.
• You can also create an OU using the command line with this command:

  dsadd ou "ou=NameOfOU, dc=YourDomain, dc=YourSuffix"

  Ex: dsadd ou "ou=SalesUsers, dc=globomantics, dc=com"

  (The quoted part is called the Distinguished Name.)
• Even better, write a batch script in Notepad:
  1. Open up Notepad
  2. Type: dsadd ou "ou=%1, dc=YourDomain, dc=YourSuffix" replacing the Domain and Suffix with your domain’s.
  3. Save the file as addou.bat somewhere convenient.
  4. Open up a Command Line box, navigate to the directory where you saved it, and type addou WhateverNameYouWant


What’s an OU Again?

Keep It Simple, Sysadmin!

• Keep your OU’s for Users and OU’s for Computers Separate!
• You can create OU’s:
  – Geographically
  – By Function (Departments, etc.)
  – and a billion other ways!
  – But remember to KISS as much as you’re able to!

We’ll start off building a few OU’s so our User and Computer Accounts will have a place to live.

[Diagram: a parent OU with two ChildOU’s.]

Page 21: 70-640 Notes


How About Some Users!

Well, you do want people to log in and use your network, right?

User Accounts allow users to access network resources.

[Diagram: Stock Broker Billy logs in with his User Name and Password (“Time to make some money! Give me access to stuff!”). The request to log on is sent to NY-DC2-2K8: “Hold up there, Billy, let me see if you have an account in Active Directory!” The DC finds Stock Broker Billy’s User Account: “Yep, I found it, and it’s all good. I’m giving you access to your stuff now.” Access granted.]


How About Some Users!

Here’s the users we’re going to add

Hank Richardson, the CEO of Globomantics, has just sent you an Excel Sheet of 25 names of new employees that will be needing User Accounts. Here they are:

Hank Richardson
Melanie Halal
Joshua Hartson
Bill Altman
Steve Singer
Frieda Smith
William Switzer
Michael Barber
George Gibbs
Jennifer Owens
Bradley Stewart
Caroline Tooley
Paula Turk
Christina Winger
Michael Huntt
Lance Binga
Bill Mosher
Carol Reagan
Shirley Thomas
Jerry Watts
Alana Childs
Erin Rose
Todd Booth
Chika Briscoll
Rivena Martin
Kim Neff

• Are you serious? Are we going to right click for these 25 users?


How About Some Users! Introducing....DSADD!

• Dsadd is a command-line option that will allow you to create users with the keyboard.
• Here’s the basic command:

  dsadd user "cn=UserName, ou=OUName, dc=YourDomain, dc=YourSuffix"

• Here’s what it would look like in real life:

  dsadd user "cn=hrichardson, ou=NYUsers, ou=NewYorkOU, dc=globomantics, dc=com"

• Then we add some switches for First Name, Last Name, Password, and Must Change Password when the user first logs in:

  dsadd user "cn=hrichardson, ou=NYUsers, ou=NewYorkOU, dc=globomantics, dc=com" -fn Hank -ln Richardson -pwd P@ssw0rd -mustchpwd yes

(The quoted part is called the Distinguished Name.)

Page 22: 70-640 Notes


How About Some Users!

Let’s Do It Fast And Easy!

Open Up Notepad and Type:

dsadd user "cn=%1, ou=OUName, dc=YourDomain, dc=YourSuffix" -fn %2 -ln %3 -pwd P@ssw0rd -mustchpwd yes

– Save it as addOUName.bat in a convenient place.
– Open up a command line, navigate to the directory where the script lives, and type:

addOUName tmiller Tonia Miller

(tmiller replaces %1, Tonia replaces %2, Miller replaces %3)


Creating a Whole Bunch of Users At Once

Dude, there must be a faster way

• You can create a Batch Script for mass population using Excel.
• It’s even included with this course! Man, that Coach is a great guy!


Who Let The Computers In Here?

Keeping track of your computers is a really really good idea (and you don’t really have a choice)

• Computer Accounts allow AD to keep track of and control the computers in your network. A computer without an Account in AD can’t access the network—it’s a security thing.
• Computer Accounts live in OU’s, which will allow you to install software to all machines in an OU at once! (among other things)
• When you join a computer to a Domain (you’ll need Domain Administrator level credentials), a Computer Account is automatically created in AD.
• After Joining the Domain, you’ll have to move your Computer Accounts to the appropriate OU.
• You can create accounts manually, but it’s not a very good idea.

Page 23: 70-640 Notes


Who let the Computers In Here?

So....

You have exactly two Vista machines (since all the rest are on backorder) to use to test out your Active Directory. The first one is already joined (CL1-NY-VIS), since it’s the one that you’ll be using as your day-to-day machine to access the Servers remotely.

Join your other machine to the Domain and then move them to the NYComputers OU. You’ll be using it to test the rest of our network functionality as you proceed.


The Difference between OU’s and Groups

Hey! Aren’t our Accounts Already in OU’s? Aren’t they grouped?

No. Here’s the difference:

– OU’s keep your objects organized and are used to control what users and computers can and can’t do.
– Groups are Active Directory Objects that allow you to provide and deny access to resources like printers and folders en masse.
– Groups live in OU’s.


The Difference between OU’s and Groups

OU’s can be used to control what a User Can Do

[Diagram: Yes, all these users can: save docs to their desktops; lock or hide the Taskbar. No, these users may not: change the Desktop Wallpaper; install Software.]

Page 24: 70-640 Notes


The Difference Between OU’s and Groups

Groups control what a User Has Access To

[Diagram: SalesUsersGroup and the resources Shared Sales Folder, Sales Printer, Shared Ops Folder and Ops Printer.]


The Difference between OU’s and Groups

How to Create Groups

• Create Groups either from Active Directory Users and Computers (again the whole Right-Click in an OU thing) or from the command line:
  – dsadd group "cn=GroupName, ou=OUName, dc=YourDomain, dc=YourSuffix"
  – Make it easy: add in a %1 for GroupName, add in a %2 for OUName, save it as a batch script. You know the drill.
• Join Users to Groups in Active Directory Users and Computers by Control-Clicking on a bunch of Users, right-click on any one of the selected, and select Add to Group.

The Difference between OU’s and Groups

Globomantics Group Structure

•Your user accounts are created and living happily in their OU’s. Now, you need to create Groups to prepare for providing access to different resources.

•You’ll add 4 Groups for Users in the NYUsers OU and 2 Groups for Computers in the NYComputers OU.

User Groups: SalesUsers, SalesManagers, OpsUsers, OpsManagers
Computer Groups: StandardComputers, ITComputers

Globomantics Group Structure

•Based on the original Excel sheet Hank sent you, you’ll add the appropriate users to the appropriate groups.

•Also, you’ll add your Vista machine, CL1-NY-VIS, to the ITComputers Group, and CL2-NY-VIS to the StandardComputers Group for testing.

And then..
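The course’s way of creating many groups is a batch script of dsadd lines generated from a spreadsheet. The Python script below is an added example (not Coach’s Excel sheet or any Train Signal code) that does the same job from a constructed CSV: it builds the distinguished name the dsadd command on the previous slide expects, emits one dsadd group line per row and one dsmod group -addmbr line per group with members, and escapes RDN characters (a comma in a group name) that would otherwise split the DN apart. The domain globomantics.com, the OU names and the group names are the page’s; the CSV layout, the member lists and the assumption that members live in the same OU as their group are mine.

```python
"""Generate a dsadd/dsmod batch script from a constructed group spreadsheet.

Added example, not the course's own tool. DOMAIN_DN, the OU names and the
group names come from the page; the CSV layout and members are constructed.
"""
import csv
import io

DOMAIN_DN = "dc=globomantics,dc=com"  # the forest root domain from the page

# Constructed sample input (a stand-in for Hank's Excel sheet).
# Assumption: members are listed by CN and live in the same OU as the group.
GROUPS_CSV = """\
group,ou,members
SalesUsers,NYUsers,LBinga;JOwens
SalesManagers,NYUsers,hrichardson
OpsUsers,NYUsers,
OpsManagers,NYUsers,
StandardComputers,NYComputers,CL2-NY-VIS
ITComputers,NYComputers,CL1-NY-VIS
"""


def escape_rdn(value: str) -> str:
    """Escape characters that are special inside an LDAP RDN (RFC 4514).

    Without this, a group called "Sales, East" would be read by dsadd as
    two separate DN components.
    """
    escaped = "".join(("\\" + ch) if ch in ',+"\\<>;=' else ch for ch in value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def distinguished_name(cn: str, ou: str) -> str:
    """Build the DN in the shape the page's dsadd command uses."""
    return f"cn={escape_rdn(cn)},ou={escape_rdn(ou)},{DOMAIN_DN}"


def dsadd_group_line(group: str, ou: str) -> str:
    # -secgrp yes: a security group that can appear in ACLs; -scope g: global
    return f'dsadd group "{distinguished_name(group, ou)}" -secgrp yes -scope g'


def dsmod_addmbr_line(group: str, ou: str, member_dns: list) -> str:
    members = " ".join(f'"{dn}"' for dn in member_dns)
    return f'dsmod group "{distinguished_name(group, ou)}" -addmbr {members}'


def build_batch(csv_text: str) -> list:
    """Return the batch file lines: every dsadd first, then the memberships.

    Creating all groups before adding members lets a group be nested in a
    group that appears later in the sheet.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    lines = ["@echo off"]
    for row in rows:
        lines.append(dsadd_group_line(row["group"], row["ou"]))
    for row in rows:
        members = [m for m in row["members"].split(";") if m]
        if not members:
            continue
        member_dns = [distinguished_name(m, row["ou"]) for m in members]
        lines.append(dsmod_addmbr_line(row["group"], row["ou"], member_dns))
    return lines


if __name__ == "__main__":
    # Redirect this to a .bat file and run it on a Domain Controller.
    print("\n".join(build_batch(GROUPS_CSV)))
```

The %1/%2 batch script on the slide works until a name contains a comma or a leading space; the escaping above is what keeps the generated DNs well-formed for those cases.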

Terms You Should Know

Here’s some IT vocabulary you need to know:

•User Account—An Active Directory Object that allows Users to access network resources.

•Computer Account—An Active Directory Object that allows AD to have a security relationship with a computer, and allows you to control what that computer does on the network.

•Organizational Unit—An Active Directory Object that provides a place for User Accounts, Computer Accounts, and Groups to live. Also provides control over what those computers and users can and can’t do.

•Group—An Active Directory Object that allows or denies access to network resources (like folders and printers) for Users and Computers.

Terms You Should Know

Here’s some IT vocabulary you need to know:

•Batch Script—A text file containing commands that has .bat as the suffix to the file name.

•Distinguished Name—The name of an Object as it appears in the Active Directory Database.

So now we have this

This is what our network looks like now:

(Diagram: globomantics.com Forest Root Domain; NY-DC1-2K8 and NY-DC2-2K8; 2 Computer Accounts; 4 Groups for Users; 2 Groups for Computers; the Domain Administrator Account is already created)

What We Covered

After viewing this video, you should be able to:

•Create Organizational Units and Groups In Active Directory Users and Groups

•Create User Accounts:
– In Active Directory Users and Groups
– Using the dsadd command line option
– Using a batch script

•Create a bunch of User Accounts using a Batch Script made with Coach’s Excel Sheet User Batch Script Creator

•Add a Computer Account by joining a Vista client to the Domain.

•Manually Create a Computer Account (which is a bad idea).

What We Covered

After viewing this video, you should be able to:

•Add Users and Computers to Groups using Active Directory Users and Computers.

•Move Active Directory Objects to different OU’s

Now that we have some OU’s, User Accounts and Groups, we’ll start using those OU’s and Groups in the next two videos to provide control over your network!

Video 6: Sharing Stuff On Servers

Setting up Shared Folders and Printers, Mapping Drives, and Wrestling with Permissions

Sharing Stuff on Servers

In this video:

•Setting up a Member Server
•Creating Shared Folders
•NTFS Vs. Share Level Permissions
•Mapping a Shared Drive
•Creating and Sharing a Printer

Setting Up A Member Server

Time to add another Server

• We set up User Accounts and added them to Groups so that we could control who had access to what shared folders and printers.

• Now we need to create the Shared Folders and Printers for each of the different departments. Here’s what we’ll be building:

NEW SERVER! NY-MEM1-2K8
IP: 192.168.5.4
512MB RAM
2 GHz 32-bit CPU
2- 120GB HDD’s
Gigabit NIC
32-Bit Server 2K8 Standard Edition
MEM1 will be joining the Globomantics Domain.

Shared folders: SalesDocs (Mapped as S:), SalesManagers (Shared), GeneralOps (Mapped as O:), OpsManagers (Shared)
Printers: SalesLaser, OpsLaser, ManagersInkjet

Setting Up A Member Server

First, we build another Server

•It’s best practice not to share folders for everyday work on a Domain Controller—it already has enough work to do.

•On our new Server, we’ll be preparing the second HDD for File and Folder sharing by formatting and partitioning our second HDD into two 60GB partitions, one for Ops, one for Sales.

•We’ll also need to ensure that File Sharing is enabled on MEM1 as well.

NY-MEM1-2K8: IP 192.168.5.4, 512MB RAM, 2 GHz 32-bit CPU, 2- 120GB HDD’s, Gigabit NIC, 32-Bit Server 2K8 Standard Edition. MEM1 will be joining the Globomantics Domain.

Creating Shared Folders

Next up: Making the actual Folders

You can create and share Folders using Windows Explorer, but there’s a new Share and Storage Management MMC that gives us a more comprehensive experience.

Here’s the folders we’ll create:
SalesDocs on E:
SalesManagers on E:
GeneralOps on F:
OpsManagers on F:

Creating Shared Folders

We can set up Share Level Permissions while we’re creating the folders

•Full Control—Do I really need to explain this?

•Change—Able to add files, delete files, add folders, and delete folders all in the parent Folder, but can’t change the Folder itself.

•Read—A user can’t add or delete anything in the Folder, just read what’s there.

•You can Deny or Allow these three types of Share Permissions.

•Permissions can be set for whole Groups or for individual User Accounts.

•Deny is always Strongest!!!! Use sparingly!

Creating Shared Folders

Share Permissions—Folder Level Only

Share Level Permissions only work at the Folder Level. All files in the Folder inherit the permissions from the Folder.

(Diagram: SalesDocs with Share Permissions: Full Control to all members of SalesUsers and SalesManagers. All Sales staff get Full Control over All Files in SalesDocs.)

Creating Shared Folders

Here’s the Permissions to set on the individual Folders that you’ll be creating on MEM1:

SalesDocs (on E:): Read and Change for SalesUsers and SalesManagers; Read-Only for OpsUsers and OpsManagers

SalesManagers (on E:): Read and Change for only SalesManagers; Deny All for SalesUsers; Deny All for OpsUsers; Read-Only for OpsManagers

GeneralOps (on F:): Change and Read for OpsUsers and OpsManagers; Read-Only for SalesUsers and SalesManagers

OpsManagers (on F:): Read and Change for only OpsManagers; Deny All for OpsUsers and SalesUsers; Read-Only for SalesManagers

Creating Shared Folders

A Good Idea That Could Go Very Wrong

• We want SalesManagers to have access to everything the SalesUsers do, but not vice versa.

• We can make the SalesManagers group a member of the SalesUsers Group.

(Diagram: SalesDocs folder, Mapped as S:; SalesManagers folder, Shared; SalesUsers Group; SalesManagers Group.) The SalesManagers group, as a Member of the SalesUsers group, has access to SalesDocs. But SalesUsers will NOT have access to the SalesManagers folder.

Share Level VS. NTFS Permissions

Be careful not to block access from other Groups that need it!

• If we Deny Access to SalesUsers and SalesManagers is a member of the SalesUsers Group, then SalesManagers is also Denied Access.

• Sometimes making Groups members of other Groups is a good idea, sometimes it’s not.

(Diagram: SalesDocs folder, Mapped as S:; SalesManagers folder, SalesUsers Denied Access; SalesUsers Group; SalesManagers Group.) Because SalesManagers is a member of SalesUsers, if SalesUsers is denied access, SalesManagers will be, too, as Deny overrides everything else. So this is a bad idea—this time!

Share Level VS. NTFS Permissions

Let’s control access to individual Files now.

• We can use NTFS Permissions on individual Files and Folders inside the Shared Folder.

Coach’s Suggestion: Always start out with the least restrictive Share Level Permissions and then get more restrictive inside the folder with NTFS Permissions.

(Diagram: SalesDocs with Share (SMB) Permissions: Read and Change Permissions to all members of SalesUsers and SalesManagers. Inside it: Handbook, Sales Training PowerPoint, Sales Budget, and the Sales Reports Folder.) SalesUsers can have NTFS Read-Only Permissions to these three files and this one folder... but Read and Change Share Permissions on all the rest of the files in SalesDocs.

Share Level VS. NTFS Permissions

Let’s Talk Inheritance (and no, you’re not getting any money on this one)

• When you create Files and Folders inside of Folders (Parent Folder), those new Files and Folders initially inherit the permissions from the Parent folder.

(Diagram: Parent Folder, “Child” Folder, File (Child); each carries Read and Change Permissions to all members of SalesUsers and SalesManagers.)

Share Level VS. NTFS Permissions

But you can Block Inheritance of Permissions with NTFS Permissions for Folders AND Files for really specific control of who gets to do what inside that folder!

(Diagram: Parent Folder: Read and Change Permissions to all members of SalesUsers and SalesManagers. “Child” Folder: Read Only Permissions for SalesUsers, Full Control for SalesManagers. File (Child): Read Only Permissions for SalesUsers, Full Control for SalesManagers.)

Share Level VS. NTFS Permissions

Hank’s Files and the Sales Reports Folder

•Hank has emailed you three files that SalesManagers will need Full Control over, but SalesUsers should have Read-Only Access to.

•You’ve put them in the SalesDocs folder already, but now you need to apply appropriate NTFS permissions to the files so that SalesUsers can’t change them.

•Hank also wants a SalesReports folder that members of SalesManagers have Full Control over, but SalesUsers can also Read-Only.

•Make it all happen with NTFS Permissions. (Hint: Block Inheritance and Use Inheritance!)

Share Level VS. NTFS Permissions

Here’s the Rules you need to remember

•Share Level Permissions work at the folder level.

•NTFS Permissions work at the Folder AND at the File Level.

•Documents inside Shared Folders inherit the Permissions (Share Level or NTFS!) of the Folder unless you stop the inheritance directly and apply new Permissions.

•When you move Shared folders, you lose the Share Level Permissions.

•When you move Folders and Files that have NTFS Permissions, they may keep their Permissions OR inherit Permissions of a folder they go live in.
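The rules above, and the “good idea that could go very wrong” a few slides back, can be checked against a small model of how Windows combines them. The Python below is an added example, not the course’s material: it expands nested group membership, evaluates Allow and Deny entries the way Windows does (every Deny wins over any Allow), lets an NTFS entry be inherited from the parent folder unless inheritance is blocked, and gives a network user the intersection of what the share and NTFS each allow. The folder, group and user names are the Globomantics ones from the page; the specific entries, Hank’s “Sales Budget” file and the nesting of SalesManagers inside SalesUsers are the page’s scenarios with constructed values.

```python
"""Model of how Share (SMB) and NTFS permissions combine over the network.

Added example, not the course's material. Encodes the rules the slides state:
Deny wins, nested group membership, share permissions cover the whole share,
NTFS entries inherit unless blocked, and remote access is the intersection.
Folder/group/user names are the page's; the entries are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

READ, CHANGE, FULL = "Read", "Change", "Full Control"
# Change includes Read; Full Control includes both (how the share levels nest).
IMPLIES = {READ: {READ}, CHANGE: {READ, CHANGE}, FULL: {READ, CHANGE, FULL}}


def expand_groups(principal: str, members_of: Dict[str, List[str]]) -> Set[str]:
    """Transitive membership: a user in SalesManagers, which is itself a
    member of SalesUsers, carries BOTH groups in their access token."""
    seen: Set[str] = set()
    todo = [principal]
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(members_of.get(p, []))
    return seen


@dataclass
class Ace:
    """One Allow or Deny entry for a group or user at a given level."""
    principal: str
    level: str
    allow: bool = True


def evaluate(aces: List[Ace], token: Set[str]) -> Set[str]:
    """Collect everything allowed, then strip anything denied: Deny is strongest."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in aces:
        if ace.principal in token:
            (allowed if ace.allow else denied).update(IMPLIES[ace.level])
    return allowed - denied


@dataclass
class Node:
    """A folder or file with NTFS permissions. Entries are inherited from the
    parent unless block_inheritance is set, then only explicit ones count."""
    name: str
    explicit: List[Ace] = field(default_factory=list)
    block_inheritance: bool = False
    parent: Optional["Node"] = None

    def all_aces(self) -> List[Ace]:
        aces = list(self.explicit)
        if not self.block_inheritance and self.parent is not None:
            aces += self.parent.all_aces()
        return aces

    def effective_ntfs(self, token: Set[str]) -> Set[str]:
        return evaluate(self.all_aces(), token)


def network_access(share_aces: List[Ace], node: Node, user: str,
                   members_of: Dict[str, List[str]]) -> Set[str]:
    """Over SMB a user gets only what BOTH the share and NTFS allow."""
    token = expand_groups(user, members_of)
    return evaluate(share_aces, token) & node.effective_ntfs(token)


# --- constructed Globomantics data (names from the page) ---------------------
MEMBERS_OF = {
    "LBinga": ["SalesUsers"],
    "hrichardson": ["SalesManagers"],
    "SalesManagers": ["SalesUsers"],  # the "good idea that could go wrong"
}
# SalesDocs share: Read and Change for both sales groups (least restrictive)
SALES_DOCS_SHARE = [Ace("SalesUsers", CHANGE), Ace("SalesManagers", CHANGE)]
sales_docs = Node("SalesDocs", [Ace("SalesUsers", CHANGE), Ace("SalesManagers", CHANGE)])
# Hank's budget: inheritance blocked, managers Full Control, users Read only
sales_budget = Node("Sales Budget", [Ace("SalesManagers", FULL), Ace("SalesUsers", READ)],
                    block_inheritance=True, parent=sales_docs)
other_doc = Node("Other doc", parent=sales_docs)  # simply inherits
# SalesManagers share with SalesUsers explicitly denied: the trap
MANAGERS_SHARE = [Ace("SalesManagers", CHANGE), Ace("SalesUsers", CHANGE, allow=False)]
managers_folder = Node("SalesManagers", [Ace("SalesManagers", FULL)])

if __name__ == "__main__":
    print("LBinga on Other doc:", network_access(SALES_DOCS_SHARE, other_doc, "LBinga", MEMBERS_OF))
    print("LBinga on Sales Budget:", network_access(SALES_DOCS_SHARE, sales_budget, "LBinga", MEMBERS_OF))
    print("hrichardson on SalesManagers share:",
          network_access(MANAGERS_SHARE, managers_folder, "hrichardson", MEMBERS_OF))
```

Two results are worth noticing: on the budget file Hank’s NTFS Full Control is clipped to Read and Change because the share only grants Change (the share is the ceiling, which is why the slide says to keep it least restrictive), and on the SalesManagers share Hank gets nothing at all, because the Deny on SalesUsers reaches him through the nested group.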

Mapping a Shared Drive

Making Stuff Easier to Find

•Most “Shared Drives” or “Mapped Drives” are just Shared Folders that we assign a Drive Letter to so they’re easier to find.

•You’ll map your two main department folders as below:

•Make sure that Hank’s account can access both Mapped Drives

SalesDocs: Mapped as S:
GeneralOps: Mapped as O:

Creating and Sharing Printers

The Difference Between Printers and Print Devices

•A Printer is software.

•A Print Device is hardware.

•You need to have a Printer in order to use a Print Device.

•Once you have Printers, you can use them to control who has access to which Print Device.

Creating and Sharing Printers

Here’s What You’re Going to Build Next

•You have three print devices- two Laser and one Inkjet.

•You will create a Printer for each of the devices, and then assign Permissions as displayed below:

SalesLaser
•SalesUsers can Print
•SalesManagers can Print and Manage
•Ops Groups can’t access

OpsLaser
•OpsUsers can Print
•OpsManagers can Print and Manage
•Sales Groups can’t access

ManagersInkjet
•SalesManagers can Print
•OpsManagers can Print
•User Groups can’t access
•Only SuperCoach can manage

What Globomantics.com looks like now

(Diagram: globomantics.com Forest Root Domain; NY-DC1-2K8, NY-DC2-2K8 and NY-MEM1-2K8; 2 Computer Accounts, CL1-NY-VIS and CL2-NY-VIS; 4 Groups for Users; 2 Groups for Computers; SuperCoach Administrator; shared folders SalesDocs (Mapped as S:), SalesManagers (Shared), GeneralOps (Mapped as O:), OpsManagers (Shared); printers SalesLaser, OpsLaser, ManagersInkjet.)

Terms You Need To Know

Here’s the Critical Jargon from this video:

•Member Server—A Server that is not a Domain Controller but is joined to the domain and has a particular job/Role.

•Share Permissions—Permissions that only apply at the Folder level and are inherited by all the files inside (unless NTFS permissions are applied!)

•NTFS Permissions—Permissions that apply to both Folders AND Files.

•Partition—A section of a Hard Drive.

•SMB—Server Message Block—A Protocol used for Share Permissions on a Folder.

•Mapped Drive—Usually a Shared Folder that has been assigned a Drive Letter so that it can be found easily.

What We Covered

After viewing this video, you should be able to:

•Partition and format a Hard Drive on Server 2K8 via Disk Management

•Create Shared Folders and assign Share Permissions to Groups via the Share and Storage Management MMC.

•Describe the differences between Share and NTFS Permissions.

•Assign NTFS Permissions to Files and Folders

•Map Shared “Drives”

•Create and Assign Share Permissions to Printers

Coming Up Next

In the next video, we’ll start using our OU’s to apply Group Policy in order to make sure our users can’t break stuff (or, at least, less stuff)!

Video 7: Get Your Control Freak On!

Starting to Control What Your Users Can and Can’t Do Through Group Policy

Get Your Control Freak On!

In this video:

•What are we building today, Coach?
•What is Group Policy?
•Setting Up Coach’s Fave Four Policies

What Are We Building Today, Coach?

We’re locking down the Desktops!

Good news! The other 23 desktop machines finally came in and your new assistant Jamie has set them all up and joined them all to the domain. Now, we need to start thinking about locking down what users can and can’t do on their desktop machines.

You want to ensure that:
•All desktop wallpaper is the same on every machine
•Users cannot access the Display Control Panel
•Users cannot install software
•Users cannot attach Removable Drives (USB sticks, MP3 players, etc.)

In order to make this happen efficiently, we’ll use Group Policy Objects in Active Directory.

What’s a Group Policy Object?

Group Policy Objects give you control over what Users and Computers can do, but a lot more!

• A Group Policy Object (GPO) contains Settings that can be configured to control what’s happening with Users and Computers.

• There are literally thousands of different Settings that can be configured inside of each GPO.

• GPO’s are used with Containers (Domains, Sites, and OU’s), but are not applied to Groups (but Groups can play a part!)

Then why is it called Group Policy?????

What’s a Group Policy Object

Local Vs. Domain

• Every Windows computer has a Local Group Policy to control what can be done on it and what is restricted, but you don’t want to go around to all the computers in your Domain and configure all the settings manually.

• You’ll want to join the rest of the world and administer Group Policy from Active Directory.

You can configure each computer separately using Local Policy... or configure all your machines at once from the comfort of your desk! Because there’s nothing like going to 25 separate machines and making 26 modifications on each one (ugh!)

What’s a Group Policy Object?

Creating and Linking GPO’s

• We can create a Group Policy Object easily, but then we have to link it to the appropriate Container (usually an OU) before it takes effect on the Users and/or Computers.

• A single GPO can be linked to multiple Containers so you can re-use it over and over.

Links are Active Directory Objects, too!

What is a Group Policy Object?

GPO’s can be linked at different levels

At the Domain Level, everything in the Domain is affected. At the OU level, everything in the OU is affected. We normally don’t apply GPO’s at the Site level, but we can.

What is a Group Policy Object?

...and for two different kinds of objects

•Group Policy has two sides: Users and Computers.

•While you can configure settings for both sides in any one GPO, we generally don’t (this is why we separate Users and Computers into separate OU’s).

•Each side of Group Policy has Policies and *NEW* Preferences.

• Generally, we create separate GPO’s for Users and Computers.

What is a Group Policy Object?

All you GPO’s, get in the right order!

Group Policy Settings are applied in a very specific order:

Local Computer Policy → Site Policy → Domain Policy → OU Policy

Remember it this way: L-S-D-OU

Also: The Last One Wins

Setting Up Coach’s Fave Four Policies

Here we go...

•You need to ensure that User Accounts are restricted in the following fashion:
– All desktop wallpaper is the same on every machine and cannot be changed
– Users cannot access the Display Control Panel
– Users cannot install software
– Users cannot attach Removable Drives (USB sticks, MP3 players, etc.)

• You’ll create a single Group Policy Object with these settings on the User side, apply it to the NYUsers OU, and then test it out with the LBinga account.

Terms You Should Know

And now, Vocabulary!

•Group Policy Object—An Active Directory Object that allows you, the Administrator, to control what Users can do on computers via Settings (or Policies). A.K.A: GPO

•Link—An Active Directory Object that allows a GPO to affect a particular Container (like an entire Domain or just an OU)

•L-S-D-OU—The Processing Order in which GPO’s are applied

•GPMC—The Group Policy Management Console, where we do all the Group Policy work.

•Local Computer Policy—The Group Policy that resides on a local Computer that only affects that particular computer.

What We Covered

After Watching This Video, You Should Be Able To:

•Create and Link a Group Policy Object to an OU

•Apply Settings in a GPO to lock down the User’s ability to:
– Change the Desktop (i.e. set the Wallpaper and make sure the User can’t change it)
– Use the Display Control Panel
– Attach a USB drive or other Removable Storage Device
– Install Software (remember: UAC for Vista!)

•Describe the order in which Group Policy Objects are processed.

•Describe what Containers you can Link a GPO to

Video 8: How to Make Your Boss Mad and then Fix it Really Fast

Setting up your Organizational Units for Better Group Policy Implementation, Security Filtering for GPO’s using Groups, and Making Your Boss Happy Again.

How to Make Your Boss Mad and then Fix it Really Fast

In this video:

•What Are We Building Today, Coach?
•Hank is ANGRY!
•A Little Reorganization

What Are We Building Today, Coach?

Our Active Directory Structure from our last episode...

(Diagram: SuperCoach Administrator; 5 Groups for Users; 25 Computer Accounts; StandardComputers; ITComputers; GPO Link)

What Are We Building Today, Coach?

...and how it will look after this one!

(Diagram: SuperCoach Administrator; OU’s Executives (hrichardson), SalesManagers, SalesUsers, OpsManagers, OpsUsers, ITUsers; 25 Computer Accounts; StandardComputers; ITComputers; GPO Link)

Hank is ANGRY!

Uh-Oh...

Hank is really mad that he can’t set a picture of his favorite horse as the Desktop Wallpaper, and he’s threatening to fire you if you don’t get it fixed fast. You need to make sure Hank’s user account is exempted from the Desktop Lockdown policy you just set up.

Also, your assistant Jamie doesn’t like being locked down either—fix it!

A Little Reorganization

Sometimes we may need to reorganize a bit...

•Since GPO’s are applied at the OU level, we may need to separate out Users and/or computers into separate OU’s for different rights and restrictions.

•Since the Globomantics OU structure is very basic, we have some options:
– We can separate our users into separate OU’s and apply different GPO’s to each
– We can separate our users into separate OU’s inside of NYUsers and Block Inheritance for certain OU’s for a particular Group Policy Object.
– We can use Security Filtering to exempt certain User Accounts and/or Groups from having a GPO applied to them.

A Little Reorganization

Option 1: We can separate out our Users into Child OU’s and Link Separate GPO’s to each OU

(Diagram: one Link per child OU; each GPO has settings appropriate for each department.)

A Little Reorganization

Option 2: We can separate our users into separate OU’s inside of NYUsers and Block Inheritance for certain OU’s for a particular Group Policy Object.

(Diagram: DesktopLockdown linked at NYUsers; the other child OU’s show “Inherited!”; Executives blocks inheritance.) All Users in Executives will NOT get the settings from DesktopLockdown... unless DesktopLockdown is “Enforced”. An Enforced DesktopLockdown breaks through!

A Little Reorganization

Option 3: We can use Security Filtering to exempt certain User Accounts and/or Groups from having a GPO applied to them.

(Diagram: the GPO linked at NYUsers; groups SalesManagers, OpsManagers, ITUsers, Executives, SalesUsers, OpsUsers.) If we use Security Permissions to Deny the Read and Apply Group Policy permissions, these two groups (Executives and ITUsers) can be exempt from the policy—even if the Policy is Enforced!

A Little Reorganization

We’ll fix it using a combination of techniques

• We can still use DesktopLockdown for all our users, but we’ll use Security Filtering and the Delegation Tab in the GPMC to exempt the Executives and ITUsers Groups from having it applied.

• In order to use Group Policy more efficiently in the future, we should break our users out into separate OU’s.

(Diagram: DesktopLockdown Group Policy linked at NYUsers. Executives Group: Deny Read and Apply. ITUsers Group: Deny Read and Apply. All other users will be affected by DesktopLockdown through Inheritance!)

Terms You Should Know

Look, it’s more vocabulary!

•Security Filtering—Using Security Permissions on a Group Policy Object to determine which Users or Groups in an OU get affected by its settings.

•Enforce—A property of a Group Policy object that breaks through Block Inheritance and overrides any other conflicting GPO’s.

•Group Policy Inheritance—Similar to Folder Inheritance, Users and Computers inherit Group Policy settings through OU’s.
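The L-S-D-OU order and “the last one wins” from Video 7, together with Block Inheritance, Enforced links and Security Filtering from the three options above, fit in one small model. The Python below is an added example and not the course’s material: it resolves the settings a user ends up with from a chain of containers, drops non-enforced links above an OU that blocks inheritance, applies Enforced links last (highest container winning), and skips any GPO on which one of the user’s groups has been denied Read and Apply Group Policy. The GPO, OU, group and user names (DesktopLockdown, NYUsers, Executives, LBinga, hrichardson) are the page’s; the setting values, the DomainDefaults GPO and the site name are constructed.

```python
"""Model of Group Policy processing: L-S-D-OU order, last one wins, Block
Inheritance, Enforced links and Security Filtering.

Added example (not the course's own material). GPO, OU, group and user
names are the Globomantics ones from the page; settings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Gpo:
    name: str
    settings: Dict[str, str]
    # Security Filtering: groups given Deny on "Read" and "Apply Group Policy"
    denied_apply: Set[str] = field(default_factory=set)


@dataclass
class Link:
    gpo: Gpo
    enforced: bool = False


@dataclass
class Container:
    """A Site, the Domain or an OU, with the GPO links attached to it."""
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def resolve(local: Dict[str, str], chain: List[Container],
            token: Set[str]) -> Dict[str, Tuple[str, str]]:
    """Return {setting: (value, winning GPO)} for one principal.

    `chain` is Site, Domain, then OUs from the top down (the S-D-OU part);
    `token` is the account name plus every group it belongs to.
    """
    # L: Local Computer Policy is processed first and is never blocked.
    result = {key: (value, "Local") for key, value in local.items()}

    # Block Inheritance on a container drops every non-enforced link from the
    # containers ABOVE it; the deepest blocking container is the cut-off.
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)

    normal: List[Gpo] = []
    enforced: List[Gpo] = []
    for i, container in enumerate(chain):
        for link in container.links:
            if token & link.gpo.denied_apply:
                continue  # filtered out, even when the link is Enforced
            if link.enforced:
                enforced.append(link.gpo)
            elif i >= start:
                normal.append(link.gpo)

    # S-D-OU order, last one wins; Enforced links then go after everything
    # else, highest container last, so a parent's Enforced setting beats a
    # child's and beats any normal link below it.
    for gpo in normal + list(reversed(enforced)):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result


SITE = Container("Default-First-Site-Name")  # assumed name; no links, as the page suggests


def scenario(enforced: bool, executives_block: bool, filtered: bool):
    """Build the page's NYUsers / Executives layout under the chosen options
    and return (LBinga's settings, hrichardson's settings)."""
    lockdown = Gpo("DesktopLockdown",
                   {"wallpaper": "globomantics.jpg", "display_cpl": "hidden"},
                   denied_apply={"Executives", "ITUsers"} if filtered else set())
    domain = Container("globomantics.com", [Link(Gpo("DomainDefaults",
                       {"wallpaper": "default.jpg", "screensaver": "10min"}))])
    ny_users = Container("NYUsers", [Link(lockdown, enforced=enforced)])
    sales_users = Container("SalesUsers")
    executives = Container("Executives", block_inheritance=executives_block)
    local = {"wallpaper": "local.jpg"}  # the machine's own Local Policy
    lbinga = resolve(local, [SITE, domain, ny_users, sales_users], {"LBinga", "SalesUsers"})
    hank = resolve(local, [SITE, domain, ny_users, executives], {"hrichardson", "Executives"})
    return lbinga, hank


if __name__ == "__main__":
    for opts in [(False, False, False), (False, True, False), (True, True, False), (True, True, True)]:
        lbinga, hank = scenario(*opts)
        print("enforced=%s block=%s filtered=%s" % opts)
        print("  LBinga:", lbinga)
        print("  hrichardson:", hank)
```

Running the four combinations reproduces the slides: with Block Inheritance alone Hank loses DesktopLockdown (and the domain defaults with it), Enforcing the link brings DesktopLockdown back through the block, and only Security Filtering exempts him while the link stays Enforced for everyone else.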

What We Covered

After viewing this video, you should be able to:

•Rearrange Users, Groups, and Organizational Units.

•Use the GPMC to apply Security Filtering to include and exempt Groups from Group Policy

•Block Inheritance of Policies for an OU.

•Use the GPMC to see what Group Policy Objects are being inherited by an Organizational Unit.

•Make your boss happy by ensuring that his/her account is not locked down, but everyone else’s is.

Video 9: Make Your Life Easier with Computer Policies and Preferences

Locking down Machines at the Computer Level and Mapping Drives with Group Policy Preferences

Make Your Life Easier with Computer Policies and Preferences

In this video:

•The Computer Side of Group Policy
•Mapping Network Drives with Preferences

The Computer Side of Group Policy

Oh, and by the way...

Hank is seriously thinking about implementing the “hoteling” concept, in which users don’t have regular machines. Instead, he wants his sales reps out in the field doing “house calls.” You need to make sure that all the machines have a standard policy no matter who’s at them, with the exception of your machine, Jamie’s machine, and Hank’s machine.

The Computer Side of Group Policy

And now for something not so different...

Now that you have set up your User Policies, it’s time to further lock down the computers themselves. You’ll separate out your computers into two OU’s, Standard and Privileged, then create a new GPO to apply to only the StandardComputers.

(Diagram: Standard OU, CL4 through CL25, with the new GPO linked; Privileged OU, CL1 through CL3, will have no GPO Linked.) We’ll leave CL2-NY-VIS in the Standard OU for testing, but move it later.

The Computer Side of Group Policy

And now time for another BFO!

User Policy follows the user to whatever computer that User logs into.

Computer Policy stays with the computer no matter who logs on to it.

(Diagram: LBinga logging on to CL3-NY-VIS, CL4-NY-VIS, CL5-NY-VIS and CL6-NY-VIS; LBinga, hrichardson and JOwens all logging on to CL3-NY-VIS.)

The Computer Side of Group Policy

And now to add our Policy Settings to ComputerLockdown

Here are the policies we’ll set for the StandardComputers through our new ComputerLockdown GPO:

– Turn off the Windows Sidebar (because it’s annoying)
– Turn off that Welcome screen that keeps popping up (because it’s annoying, too)
– User Account Control – Really more as a safety Precaution
– Turn on Loopback Processing to ensure that whoever logs on to the machine always gets this policy applied to them.
– Ensure that any Local Group Policies do not run (because they may interfere with our Domain/OU policies—again a precautionary measure)

The Computer Side of Group Policy

Loopback Processing- User Vs Computer Policy Showdown!

Here’s how it works: (Diagram: LBinga’s user GPO versus the ComputerLockdown GPO on CL3-NY-VIS.)

User GPO: “I have User Settings, and I travel with LBinga wherever he logs in!”

ComputerLockdown: “Oh yeah? Well I have User Loopback Processing! My User Settings override or add to your settings, even though LBinga’s account isn’t even in the OU I’m linked to! Woo-Hoo! I win!”

User GPO: “Aw, man! Darn you Loopback Processing!”
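The showdown above, as an added example rather than anything from the course: a few lines of Python that resolve which user settings apply when a given user logs on to a given computer, with User Policy coming from the OU the user lives in, Computer Policy from the OU the computer lives in, and Loopback Processing (in Replace or Merge mode, both of which exist in the real setting) letting the computer’s OU supply user settings too. User, computer, OU and GPO names (LBinga, hrichardson, CL3-NY-VIS, CL1-NY-VIS, Standard, Privileged, NYUsers, Executives, DesktopLockdown, ComputerLockdown) are the page’s; the setting values and the ExecPerks GPO that gives Hank his horse wallpaper are constructed.

```python
"""Where a user's settings come from with and without Loopback Processing.

Added example, not the course's material. Models the page's rule: User
Policy follows the user, Computer Policy stays with the computer, and
loopback makes the computer's OU supply user settings too (Replace/Merge).
Names are the page's; setting values and the ExecPerks GPO are constructed.
"""
from typing import Dict, List

# name -> {"user": settings, "computer": settings}. "loopback" is a
# computer-side setting, as in the real Group Policy editor.
GPOS: Dict[str, Dict[str, Dict[str, str]]] = {
    "DesktopLockdown": {"user": {"wallpaper": "globomantics.jpg", "display_cpl": "hidden"},
                        "computer": {}},
    "ExecPerks": {"user": {"wallpaper": "horse.jpg"}, "computer": {}},  # assumed GPO for Hank
    "ComputerLockdown": {"user": {"wallpaper": "standard.jpg"},
                         "computer": {"uac": "on", "sidebar": "off", "loopback": "replace"}},
}

# OU -> GPOs linked there. OU chains below are listed top-down (later wins).
OU_LINKS: Dict[str, List[str]] = {
    "NYUsers": ["DesktopLockdown"], "SalesUsers": [], "Executives": ["ExecPerks"],
    "Standard": ["ComputerLockdown"], "Privileged": [],
}
USER_OU_CHAIN = {"LBinga": ["NYUsers", "SalesUsers"], "hrichardson": ["NYUsers", "Executives"]}
COMPUTER_OU_CHAIN = {"CL3-NY-VIS": ["Standard"], "CL1-NY-VIS": ["Privileged"]}


def settings_along(chain: List[str], side: str, gpos=GPOS) -> Dict[str, str]:
    """Walk the OU chain top-down; a later GPO overrides an earlier one."""
    out: Dict[str, str] = {}
    for ou in chain:
        for name in OU_LINKS[ou]:
            out.update(gpos[name][side])
    return out


def logon(user: str, computer: str, gpos=GPOS) -> Dict[str, Dict[str, str]]:
    """Resolve the settings in effect when `user` logs on to `computer`."""
    computer_chain = COMPUTER_OU_CHAIN[computer]
    computer_settings = settings_along(computer_chain, "computer", gpos)
    # Without loopback the user side comes from where the USER object lives.
    user_settings = settings_along(USER_OU_CHAIN[user], "user", gpos)
    mode = computer_settings.get("loopback")
    if mode == "replace":
        # Only the user settings of GPOs linked where the COMPUTER lives apply.
        user_settings = settings_along(computer_chain, "user", gpos)
    elif mode == "merge":
        # Both lists apply; the computer's-OU user settings go last and win conflicts.
        user_settings = {**user_settings, **settings_along(computer_chain, "user", gpos)}
    return {"computer": computer_settings, "user": user_settings}


if __name__ == "__main__":
    print("Hank on his own machine:", logon("hrichardson", "CL1-NY-VIS"))
    print("Hank on a Standard machine:", logon("hrichardson", "CL3-NY-VIS"))
```

Hank keeps his horse on CL1-NY-VIS (Privileged, no GPO linked) but gets the standard wallpaper on CL3-NY-VIS, even though his account is nowhere near the Standard OU: that is exactly the “Loopback wins” on the slide.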

Mapping Network Drives with Preferences

We’ve done something old, now time for something new!

•Group Policy Preferences allow us to do a lot of useful tasks that previously required scripts.

•There are Preferences for both User and Computer sides of a Group Policy Object.

•Better yet, they’re very easy to set up and use!

Mapping Network Drives with Preferences

Mapping Drives for Users just got a lot easier!

• Since we have Network Drives (i.e., Shared Folders) that we want everyone to have access to, we can “map” those drives for our Users so that when they log on, they’re already there in My Computer.

• We’ll create a new GPO just for the Mapped Drives and link it to the NYUsers OU and let Inheritance push it down to the other Child OU’s inside of it.

(Diagram: the Mapped Drives GPO linked at NYUsers and Enforced (just in case somebody Blocks Inheritance later); the child OU’s show “Inherited!”.)

Time to Wrap Up!

So now our Active Directory network looks like this:

(Diagram: SuperCoach Administrator; OU’s Executives (hrichardson), OpsManagers, OpsUsers, SalesManagers, SalesUsers, ITUsers; StandardComputers and ITComputers, each with a GPO Link.)

Critical Vocabulary

More Big Words!

•Enforce – A setting on a Group Policy Link that breaks through Block Inheritance and overrides any conflicting policies.

•Loopback Processing—A Group Policy setting that forces the application of a GPO regardless of who is logged in to a computer.

•Group Policy Preferences—Settings in a Group Policy Object that expand Group Policy’s ability to map drives for Users, place files and create folders on managed client machines, etc.

•Mapped Drive—A shortcut to a shared folder (or shared hard drive) on the network that shows up in My Computer.

What We Covered

After viewing this video, you should be able to:

•Create new OU’s and move appropriate Computer Accounts into them.

•Create and Link a GPO object to an OU (I know, we’ve already done this)

•Use the Computer Side of Group Policy to:
– Turn off the Vista Sidebar and Welcome screen
– Set up Loopback Processing on Computers to ensure that Settings applied to Computers replace/merge/override any User settings from other GPO’s
– Ensure that UAC is enabled on Vista
– Ensure that Local Computer Policies DO NOT run on Vista Machines in our network.

What We Covered

After viewing this video, you should be able to:

•Use Group Policy Preferences on the Users side of a Group Policy Object to Map Drives (shared folders) for all users

•Enforce a Group Policy to ensure that it is applied even if a Block Inheritance setting is applied to an OU

Video 10: How to Push Software Onto a Lot of Machines Without Getting Up From Your Desk

Using Group Policy Objects to Install Software and Adjusting Group Policy that affects Group Policy at the Domain Level.

How to Push Software Onto a Lot of Machines Without Getting Up From Your Desk

In this video:

•You Are Here: A Quick Look at What We’ve Built
•Create a GPO for Software Installation
•When does all this Group Policy Stuff actually take effect?

You Are Here: A Quick Look at What We’ve Built

Train Signal, Inc.

Coach Culbertson

Create a GPO For Software Installation

Would you like to view PDF’s? Of course you would!

So Hank went to a basketball game last night and ended up sitting next to a guy who works for a software company that produces a lightweight PDF reader. Since you haven’t yet installed any PDF reading software, Hank wants you to install the PDF reader from his new friend’s company on all the client machines in the Globomantics network.

Do you:

A. Walk around with a CD or USB stick to every one of your 25 client machines, log in with an administrator account and install it manually? (Do you really have that much time on your hands?)

B. Put the software on a Shared folder and provide instructions for all employees on installing it when they figure out they need it? (Are you insane? No no no! Users can’t install software anyway!)

C. Post the software on a Shared Folder and then create a Group Policy Object that will install the software the next time the machine restarts?

Create a GPO For Software Installation

What you need for a Software Installation GPO:

•An .msi file for installation

– Try to get an .msi version of a software package if at all possible.

– You can’t just install .exe files without repackaging them into .msi.

– There are several .msi packaging utilities out there if you need them.

– There is an alternative installation package called a Zap package—I don’t recommend it.

•A Shared folder for the software to live in that all your Users and Computers have at least Read access to.

•A new GPO linked to the appropriate OU.

Create a GPO For Software Installation

You can set up a Software Installation GPO for Users or Computers

• If you set it up for specific Users or User Groups, you can Publish the software so they can install it on demand.

• You can also Assign the software so it installs on the next client restart.

• If you set up the GPO on the Computers side, you can’t Publish—only Assign.

• Use your best judgment based on who needs the software and when picking which side of a GPO to use for Software Installs.

Create a GPO For Software Installation

So what now?

Hank’s new buddy has sent you the .msi file that you can use for your Software Installation GPO. You decide to install it on every client computer since PDF’s are a universal standard. So now all you have to do is:

1. Create a new Shared folder on NY-MEM1-2K8 named Software.

2. Create a folder inside Software named Foxit and put the Foxit .msi package there. (Note: Always create new folders for each software package to make the process nice and easy!)

3. Create a new GPO and link it to the NYComputers OU. Name it FoxitInstall.

4. In the Computers section of the GPO, we’ll go to the Software Settings under Policies to get to the Software Installation settings.

5. Create a new Package by right-clicking and selecting New > Package.

6. Select the .msi file and select any Options.

7. Run gpupdate /force from the Server (or wait for the Refresh Interval).

8. Have your users reboot their client machines.
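The share and GPO steps above as commands, added here as an example that is not part of the Train Signal course: it stages the Foxit package in its own folder, makes the share read-only for clients, and creates and links the FoxitInstall GPO. It assumes you are a domain admin on NY-MEM1-2K8, that the domain is globomantics.com, and that the GroupPolicy module (Server 2008 R2 with RSAT or later; not present on Server 2008 RTM) supplies New-GPO and New-GPLink. The package itself is still added in the GPMC editor, because there is no cmdlet for the Software Installation node.

```powershell
# Added example (not Train Signal's code). Assumes: domain admin on NY-MEM1-2K8,
# domain globomantics.com, OU NYComputers, and the GroupPolicy module for step 4.

$SoftwareRoot = 'C:\Software'
$PackageDir   = Join-Path $SoftwareRoot 'Foxit'
$ShareName    = 'Software'

# 1. One folder per package, as the course recommends.
New-Item -ItemType Directory -Path $PackageDir -Force | Out-Null

# 2. NTFS permissions: Administrators write, everyone who must install only reads.
#    Group Policy runs an assigned package as SYSTEM on every targeted computer,
#    so write access to this folder is effectively admin on all of those machines.
$acl = Get-Acl $SoftwareRoot
$acl.SetAccessRuleProtection($true, $false)      # stop inheriting the C:\ defaults
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @('Authenticated Users',    'ReadAndExecute')   # covers users AND domain computers
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], $inherit, 'None', 'Allow')))
}
Set-Acl -Path $SoftwareRoot -AclObject $acl

# 3. Share permissions: READ for clients, FULL only for Administrators (net share is on Server 2008).
net share "$ShareName=$SoftwareRoot" /GRANT:"Authenticated Users,READ" /GRANT:"Administrators,FULL"

# 4. Create the GPO and link it to the NYComputers OU (GroupPolicy module).
Import-Module GroupPolicy
$gpo = New-GPO -Name 'FoxitInstall' -Comment 'Assigns the Foxit PDF reader to NY client computers'
New-GPLink -Name $gpo.DisplayName -Target 'OU=NYComputers,DC=globomantics,DC=com' -LinkEnabled Yes | Out-Null

# 5. Add the package in the GPMC editor (Computer Configuration > Policies >
#    Software Settings > Software Installation > New > Package) using the UNC
#    path below, never a local C:\ path, since the clients resolve it.
Write-Host "Package path for the editor: \\NY-MEM1-2K8\$ShareName\Foxit\<package>.msi"

# 6. Check what a normal user gets on the package folder before linking the GPO.
(Get-Acl $PackageDir).Access |
    Where-Object { $_.IdentityReference -like '*Authenticated Users*' } |
    Select-Object IdentityReference, FileSystemRights
```

The last command should show only ReadAndExecute for Authenticated Users; if anything broader appears, fix the ACL before the GPO is linked, because every NY client will fetch and run whatever sits in that folder at its next restart.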

When does all this Group Policy Stuff actually take effect?

The Group Policy for Group Policy!?!?

• When a User logs into a machine (client or server, doesn’t matter), Windows checks for and applies any new GPO’s from Active Directory.

• When you run gpupdate /force, the new policy settings are pushed down right then and will either apply immediately or on the next logon, depending on what the settings are in the policy.

• For software installation GPO’s applied on the Computer side of the GPO, the installation happens at the next restart.

• For other User side GPO’s, it depends on what the Group Policy Refresh Interval is set at, and whether Background Processing is enabled or disabled.

• Group Policy Refresh Intervals and Background Processing for Group Policy are usually set at the Default Domain Level Policy.

Where We’re At Now

A new policy and a small domain level observation

[Diagram: the New Installation Policy, and the Group Policy that Controls Group Policy]

Critical Vocabulary

Time for more big words to impress your friends with!

•Group Policy Software Installation (GPSI) – Function of Group Policy that allows installation of software to computers with accounts within the scope of the Group Policy object.

•MSI Package (.msi) – Microsoft Installer

•Publish (as an option in GPSI) – Option to make software available to install on demand

•Assign (as an option in GPSI) – Option to install software automatically on computer restart.

What We Covered

After viewing this video, you should be able to:

•Create a Software Installation GPO

•Describe the differences between using a Software Installation GPO on the Computer side and User side.

•Correctly select Assign, Publish, or Advanced options for the Software Installation GPO.

•Set the Group Policy Refresh Interval on the Default Domain Policy.

•Enable or Disable Background Policy Processing on the Default Domain Policy.

Video 11: What’s My P@ssw0rd again?

Domain Password Policies, Fine Grained Password Policies, and a Little Password Management Thrown In For Good Measure

What’s My P@ssw0rd again?

In this video:

•The Default Domain Password Policy

•Letting Your Boss Use Whatever Password He/She Wants

•A Little Password Management Goes a Long Way

The Default Domain Password Policy

Passwords and users and security—oh my!

• Normally, the Password Policy is set for all users at the Domain level.

• The default settings are usually good enough.

• Complexity requirements are enforced when passwords are changed or created.

Password Complexity Requirements:

•Not contain the user's account name or parts of the user's full name that exceed two consecutive characters

•Be at least six characters in length

•Contain characters from three of the following four categories:

– English uppercase characters (A through Z)

– English lowercase characters (a through z)

– Base 10 digits (0 through 9)

– Non-alphabetic characters (for example, !, $, #, %)
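The complexity rules above as a local check, added here as an example rather than anything from the course: Test-PasswordComplexity applies the same three rules to a candidate password so a helpdesk can screen a proposed value before setting it. It approximates the Windows password filter that runs on the DC rather than calling it; the account name, full name and sample passwords are constructed.

```powershell
# Added example (not from the course): a local approximation of the three
# complexity rules. The user "hank" and the sample passwords are constructed.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory=$true)][string]$Password,
        [Parameter(Mandatory=$true)][string]$AccountName,   # sAMAccountName, e.g. hank
        [string]$FullName = ''                              # display name, may be empty
    )
    $failures = @()
    $lower = $Password.ToLower()

    # Rule: at least six characters.
    if ($Password.Length -lt 6) { $failures += 'shorter than six characters' }

    # Rule: must not contain the account name, nor any part of the full name
    # longer than two characters (the full name is split on spaces and punctuation).
    if ($AccountName.Length -ge 3 -and $lower.Contains($AccountName.ToLower())) {
        $failures += 'contains the account name'
    }
    $nameParts = $FullName -split '[ ,.\-_#\t]+' | Where-Object { $_.Length -gt 2 }
    foreach ($part in $nameParts) {
        if ($lower.Contains($part.ToLower())) {
            $failures += "contains part of the full name ('$part')"
        }
    }

    # Rule: characters from at least three of the four categories.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) { $failures += "only $categories of 4 character categories" }

    New-Object PSObject -Property @{
        Password  = ('*' * $Password.Length)   # never echo the real value to the console
        Compliant = ($failures.Count -eq 0)
        Reasons   = ($failures -join '; ')
    }
}

# Constructed checks: a horse's name fails (two categories), a password built
# around the account name fails, a mixed password passes.
Test-PasswordComplexity -Password 'Thunderbolt' -AccountName 'hank' -FullName 'Hank'
Test-PasswordComplexity -Password 'hank2008!'   -AccountName 'hank' -FullName 'Hank'
Test-PasswordComplexity -Password 'Gl0bo-Pass'  -AccountName 'hank' -FullName 'Hank'
```

The function reports every failing rule rather than stopping at the first, which is what you want when explaining to a user why a value was rejected; the real filter on the DC only says yes or no.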

Letting Your Boss Use Whatever Password He/She Wants

You know Hank…

Hank doesn’t like the fact that he has to use all these newfangled password techniques with symbols and what not, and he doesn’t want to have to think up a new password every 30 days. He wants to use the names of his horses.

You’ll use a technique called Fine Grained Password Policies to exempt Hank and the users that are part of the Executives group from the Default Domain Password Policy Settings that you created, and then reduce the complexity requirements and extend the expiration date so that Hank and any other user placed in the Executives Group will only have to update their passwords every 3 months.

Letting Your Boss Use Whatever Password He/She Wants

Fine Grained Passwords—A Good Idea or Lousy Security?

• Normally you only have one Password Policy Setting in your entire domain, but by creating Password Settings Objects (PSOs if you’re cool), you can specify multiple password policies for individual users or for the Groups that users are part of.

• Your Domain Functional Level must be at a Server 2008 level (all your Domain Controllers must be Server 2008).

• We’ll need to go into ADSI Edit to create Password Policy objects, and link them to the User Account or Group they’ll apply to (i.e. for Globomantics, the Executives group).
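The same Executives policy built with the ActiveDirectory module instead of ADSI Edit, as an added example that is not the course's walkthrough. It assumes the module from Server 2008 R2 RSAT or later, an existing Executives group and a user hank, and the 3-month rotation from the scenario; the precedence, minimum length and lockout values are choices made here, not settings the course states.

```powershell
# Added example (not from the course): create the Executives PSO with cmdlets.
# Assumes the ActiveDirectory module, an Executives group and the user hank.

Import-Module ActiveDirectory

# PSOs only take effect at the Windows Server 2008 domain functional level or higher;
# stop early instead of creating an object that silently does nothing.
$domain = Get-ADDomain
$needed = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt [int]$needed) {
    throw "Domain functional level is $($domain.DomainMode); fine-grained password policies need Windows2008Domain or higher."
}

# Hank gets exactly two things relaxed: no complexity filter and a 90-day (3-month)
# expiry. Everything else stays at least as strict as a sane default (assumed values).
$psoParams = @{
    Name                            = 'ExecutivesPSO'
    Precedence                      = 10        # if several PSOs apply, the lowest number wins
    ComplexityEnabled               = $false
    MinPasswordLength               = 8         # a little longer, to offset the missing complexity
    MaxPasswordAge                  = (New-TimeSpan -Days 90)
    MinPasswordAge                  = (New-TimeSpan -Days 1)
    PasswordHistoryCount            = 24
    LockoutThreshold                = 5
    LockoutDuration                 = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
    Description                     = 'Relaxed complexity and 90-day expiry for the Executives group'
}
$pso = New-ADFineGrainedPasswordPolicy @psoParams -PassThru

# Apply it to the group, not to Hank's account: future execs get it by membership alone,
# and the PSO is one object to review rather than one exception per person.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Executives'

# Verify the policy a given user actually ends up with (no output = the domain default).
Get-ADUserResultantPasswordPolicy -Identity 'hank' |
    Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength, MaxPasswordAge
```

Get-ADUserResultantPasswordPolicy is the check to run after any PSO change: it resolves precedence and group nesting the way the DC does, so it tells you what the user will really be held to rather than what you intended.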

A Little Password Management Goes a Long Way

Everyone forgets passwords – be forgiving

• Resetting Passwords is really easy:

– In AD Users and Computers, find the User Account that needs the password reset.

– Right Click and Select Reset Password.

– Change to something easy to communicate and then tell the user the new password.

– Best Practice: Go back into the User Account Properties and force the User to change their password on the next logon.

• *NEW* – In a Server 2008 environment, when a password is reset, if a user has encrypted a document, the user can STILL access the document!
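The reset procedure above done with the ActiveDirectory module instead of the AD Users and Computers GUI, added here as an example that is not from the course. It assumes the module (Server 2008 R2 RSAT or later) and a user account named jamie, which is constructed for the example.

```powershell
# Added example (not from the course): administrative reset plus the best-practice
# "change at next logon", with the temporary password prompted rather than typed
# into the command line. Assumes the ActiveDirectory module and a user "jamie".

Import-Module ActiveDirectory

function Reset-UserPasswordSafely {
    param([Parameter(Mandatory=$true)][string]$Identity)

    # Prompt as a SecureString so the value never lands in command history,
    # a transcript or a ticket.
    $newPassword = Read-Host -Prompt "Temporary password for $Identity" -AsSecureString

    # -Reset is the administrative reset (no old password needed): the GUI's "Reset Password".
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $newPassword

    # The course's best practice: the temporary value must die at first logon.
    # Set this AFTER the password, because setting a password updates pwdLastSet.
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true

    # "Forgot my password" often arrives together with a lockout.
    Unlock-ADAccount -Identity $Identity

    # pwdLastSet = 0 is what "must change password at next logon" looks like in AD.
    Get-ADUser -Identity $Identity -Properties pwdLastSet, LockedOut, PasswordExpired |
        Select-Object SamAccountName, pwdLastSet, LockedOut, PasswordExpired
}

Reset-UserPasswordSafely -Identity 'jamie'
```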

Critical Vocabulary

Walk the walk and talk the talk

•ADSI Edit – A low level utility used for editing the Active Directory Database directly rather than using the GUI tools (i.e. Server Manager, etc.).

•Fine Grained Password Policy – A feature of Server 2008 that allows an override of the Domain Password Policy requirements.

•PSO – Password Settings Object—An Active Directory Object created in ADSI Edit that allows for an alternative password policy to be applied to a user or a group.

•Server 2008 Functional Level – An operating mode which requires that all Domain Controllers in your network be Server 2008. (Required for Fine Grained Password Policy)

What We Covered

After viewing this video, you should be able to:

•Alter the Default Domain Policy Password Settings to increase or decrease password requirements and settings.

•Locate the Functional Level for a Domain in AD Users and Computers.

•Create a PSO (Password Settings Object) by using ADSI Edit to override the Domain Password Policy Settings for specific users or groups.

•Reset a User’s password and force the user to change their password on the next logon.

Video 12: Passing the Buck

Providing Permissions to an Account for Administrative Tasks Without Giving Away All Your Thunder

Passing the Buck

In this video:

•Giving Someone Else The Ability to Reset Passwords

•Adding Users to Built-In Groups That Have Permissions to Do Stuff

•Installing RSAT to a Vista Client for Easy Server Management

Giving Someone Else The Ability to Reset Passwords

Why should you have to do all the work?

Planning ahead, you realize that as time goes on you won’t have all the time in the world to do busy work like resetting passwords or altering permissions on shared folders and such. Fortunately, you’ve got an assistant—Jamie! In order to free up your time, you’ll provide permissions for Jamie’s account to reset passwords and do other Administrative tasks.

You’ve got two options:

–Use the Delegation of Control Wizard

–Add Jamie to one (or more) of the Built-In Groups so he can do administrative tasks without having to be an Administrator.

Giving Someone Else The Ability to Reset Passwords

Using the Delegation of Control Wizard

You’ll use this when you only want a particular User or Group to be able to do one or two simple tasks, like *ahem* resetting passwords.
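What the wizard's "Reset user passwords and force password change at next logon" task actually writes, done with dsacls (present on Server 2008) so the delegation can be reviewed, repeated and rolled back, as an added example that is not the course's wizard walkthrough. It assumes an OU named NYUsers (constructed) and the account GLOBOMANTICS\jamie from the scenario.

```powershell
# Added example (not from the course): the two ACEs behind the wizard's
# "reset password" task, granted on one OU with dsacls. The OU is constructed.

$ou       = 'OU=NYUsers,DC=globomantics,DC=com'
$delegate = 'GLOBOMANTICS\jamie'   # a group (e.g. a helpdesk group) is the better long-term trustee

# /I:S  = inherit to sub-objects only; the OU object itself is not granted
# CA;Reset Password;user = the control-access right, limited to user objects
dsacls $ou /I:S /G "${delegate}:CA;Reset Password;user"

# The wizard also grants read + write on pwdLastSet, which is what lets the
# delegate tick "User must change password at next logon" after a reset.
dsacls $ou /I:S /G "${delegate}:RPWP;pwdLastSet;user"

# Review: show only the ACEs that name the delegate, and confirm they are the two
# above and nothing broader (no Full Control, no rights on the domain root).
dsacls $ou | Select-String -Pattern ([regex]::Escape($delegate)) -Context 0,3

# Roll back: remove every ACE for that trustee on this OU.
# dsacls $ou /R $delegate
```

Scoping the grant to one OU and to user objects is the whole point of using the wizard instead of a built-in group: Jamie can reset passwords for accounts under NYUsers, and nothing else. Re-run the review line whenever a delegation is changed, since rights granted at the domain root inherit everywhere and are easy to miss in the GUI.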

Adding Users to Built-In Groups That Have Permissions to Do Stuff

Need…more…power…

• The Delegation Wizard can’t provide everything, so you’ll have to also use some additional Groups to provide some more permissions to Jamie.

• The boys and girls at MS have created Groups that already have specific permissions in the BuiltIn OU. Here are some of them that are particularly useful:

Permissions/Abilities | Administrators | Account Operators | Backup Operators | Print Operators | Server Operators

Create, delete, and manage user and group accounts | X X

Read all user information | X X X

Reset password for user accounts | X X

Share directories | X X

Create, delete, and manage printers | X X X

Backup files and directories | X X X

Restore files and directories | X X X

Log on locally to the server | X X X X X

Shut down the system | X X X X X

Installing RSAT to a Vista Client for Easy Server Management

Giving Jamie the Remote Control for AD Users and Computers

•So now that Jamie actually can do some administrative tasks, let’s make it a little easier for him to get to the Servers without even having to use Remote Desktop.

•The Remote Server Administration Tools for Vista is a collection of MMC tools that allows you to administer most of the standard Server tasks without having to use Remote Desktop or actually be at the Server.

• It’s super easy to download and install, but you have to go into Control Panel and enable it.

Critical Vocabulary

And now, big fancy words!

•Delegation of Control Wizard—A utility that allows an administrator to grant busy-work tasks to other user accounts.

•Built-In Groups—Groups that come as part of the default Server 2008 installation that provide administrative permissions for more tasks than what the Delegation of Control Wizard can (sheer hedonistic convenience!).

•RSAT—Remote Server Administration Tools—A bunch of Microsoft Management Consoles that come in Vista flavor for easy remote management of Servers from your desk.

What We’ve Covered

After viewing this video, you should be able to:

•Use the Delegation of Control Wizard to provide the ability for specific users to do small-scope administrative tasks.

•Describe the differences between the 5 most useful Built-In Groups.

•Add a User Account to a Built-In Group for higher level administrative tasks.

•Install and Configure RSAT for VISTA

Video 13: Creating Backup Solutions BEFORE Stuff Blows Up

How to Use Windows Server Backup, WBADMIN, and NTDSUTIL to Create Backup Media

Creating Backup Solutions BEFORE Stuff Blows Up

In this video:

•An Hour of Prevention Prevents an Ounce of Pink Slip

•Your Three Built-In Backup Tools

•The Globomantics Backup Strategy

An Hour of Prevention Prevents an Ounce of Pink Slip

This video is really all about saving your job

So everything in the Globomantics network thus far is up and running smoothly, and it’s time to seriously think about creating backup solutions before everything blows up.

Eventually, you’ll be able to talk Hank into acquiring a third-party back-up solution that has more power than the built-in tools in Server, but for now you’ll have to make do with what you have.

You have three main tools built into Server 2008 for backup:

•Windows Server Backup—A GUI (Graphical User Interface) tool that creates simple backups (replaces NTBackup).

•Wbadmin—A command line tool for creating and scheduling backups (also available in Server Core!).

•Ntdsutil—An extremely powerful tool to do advanced backup operations (and a lot more!) specifically for Active Directory files and database.

Your Three Built-In Backup Tools

Windows Server Backup—Easy breezy backups, but with a few hitches!

• Windows Server Backup is a Feature that you must install before using—it doesn’t install automatically.

• It only:

– Backs up to a Shared Folder (Network Attached Storage) or to DVD

– Backs up entire Volumes

– Overwrites previous backups if you back up to the same shared folder over and over

• It’s great for simple backups for small organizations

Your Three Built-In Backup Tools

WBADMIN—Stronger tools and More Options

• WBADMIN is a command line tool that provides more power to your backup options:

– It can run a one-time backup

– It can schedule regular backups

– It can back up your System State, which includes all the guts of your DC:

• Registry

• Boot files

• System Files

• AD Directory Services database

• SYSVOL directory

– System State data can be restored using WBADMIN or using the graphical Windows Server Backup

Your Three Built-In Backup Tools

NTDSUTIL – Super-Powered Utility for lots of operations with a funny name!

• NTDSUTIL is specifically for AD, and not so much backing up your whole Server.

• In terms of creating Backup Media, it can create IFM (Install From Media) media for faster creation (or re-creation, as the case may be) of a Domain Controller.

• It’s an interactive tool, providing different commands depending on what Context it’s used in.

• When used in conjunction with media created by Wbadmin or Windows Server Backup, it can allow you to restore Active Directory Objects like entire OU’s.

• It can also take Snapshots of your Active Directory Database so you can see how your AD looks over time!

The Globomantics Backup Strategy

While we’re waiting on something else…

• Now that you’re familiar with the three built-in backup tools, we need a plan for backup.

1. You’ll use Windows Server Backup for Nightly Backups to the Second Disk on NY-DC2-2K8

2. …then create a System State Backup on a weekly basis for emergency restoration…

3. …and last but not least an IFM backup as an additional emergency solution and for easy addition of future Domain Controllers as well.

Critical Vocabulary

For your viewing pleasure, some new words to review!

•Windows Server Backup—The built-in GUI for doing simple backups of entire Volumes

•WBADMIN—A command line for doing standard backups and for creating System State backups

•NTDSUTIL—An Active Directory-specific interactive command line tool for doing a lot of different and more powerful maintenance tasks on your Active Directory. In terms of backup, NTDSUTIL creates IFM media

•IFM—Install From Media – can be used to create (and recreate) Domain Controllers quickly

•System State backup—Created by WBADMIN, it contains only the guts of your AD that are absolutely necessary for faster restoration of a DC.

What We Covered

After viewing this video, you should be able to:

•Schedule a nightly backup of an entire Volume to an attached disk using Windows Server Backup.

•Create a System State Backup of a Domain Controller using Wbadmin.

•Create IFM Media using NTDSUTIL.

•Describe the differences between the three main Backup and Maintenance tools in Server 2008.

Video 14: Reducing Single Points of Failure

Changing up the Operations Masters and How to Add a Domain Controller with IFM

Reducing Single Points Of Failure

In this video:

•A Little Future Planning to Prevent Major Problems

•What are Operations Masters?

•Restructuring the Globomantics DC’s a Bit

–Adding a Domain Controller with IFM

A Little Future Planning to Prevent Major Problems

So here we are…

• Right now, we only have 2 DC’s, both of which are Global Catalogs. Everything seems fine and rolling right along, but there’s a lurking menace that we don’t know about just yet!

[Diagram: NY-DC1-2K8 and NY-DC2-2K8 connected through a Network Switch]

If DC1 goes down, we will have major problems due to the fact that we have all of our Operations Masters attached to it!

We can easily reduce the risk of SPOF issues by giving this guy an additional job or two!

What are Operations Masters?

One of those hidden little elements that can cause big trouble!

Operations Masters (used to be called FSMO’s – Flexible Single Master Operations) are specific jobs that a DC can do apart from all the regular day-to-day stuff (any DC can do stuff like authenticating/logging on, adding users, etc.; these are special).

•The Forest Level Operations Masters

– Domain Naming—Responsible for adding and removing Domains from inside your forest. Sits back and drinks coffee most of the time until you need to add or remove a Domain.

– Schema—Handles all the database definitions. Also on coffee break until you or an application you install needs to change the Active Directory Schema.

These two can and should go on the same DC!

What are Operations Masters?

•The Domain Level Operations Masters

– PDC Emulator—This is the big one. PDC stands for Primary Domain Controller. It handles password updates, Group Policy Updates, time updates, and acts as the master Browser.

• Make all your Group Policy Changes on the Server that has the PDC role for best performance!

– Relative Identifier (RID)—Provides Security Identifiers (also known as SIDs) for new Users, Computers, and anything else that gets added to your Active Directory. If the Server with this role goes down, you may not be able to add any Users or Computers to the Domain.

• SID—a unique identifier for an Object in Active Directory.

– Infrastructure Master—Keeps track of who’s in what Group. Extremely vital if you have multiple Domains in your forest.

• The Infrastructure Master should be on a Server that is not a Global Catalog, unless every single Domain Controller is also a Global Catalog!

Restructuring the Globomantics DC’s a Bit

Let’s see if we can add a little more flexibility in our structure

[Diagram: NY-DC1-2K8 (Global Catalog), NY-DC2-2K8 (Global Catalog) and a new NY-DC3-2K8 connected through a Network Switch, with the Domain Naming, Schema Master, PDC Emulator, RID and Infrastructure roles spread across them]
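Finding where the five roles live, checking the two rules from the previous slides (all roles on one DC, and the Infrastructure Master on a Global Catalog), and moving roles to NY-DC3-2K8, as an added example that is not from the course. It uses the ActiveDirectory module (Server 2008 R2 RSAT or later); on Server 2008 RTM the same holders are listed with netdom query fsmo and transferred in ntdsutil's roles context. Which DC gets which role is a design decision; NY-DC3-2K8 receiving the three domain roles is an assumption made here.

```powershell
# Added example (not from the course): report the Operations Master holders, warn on
# the two risks the slides describe, then transfer roles. Assumes the ActiveDirectory
# module and a DC named NY-DC3-2K8 that is not a Global Catalog.

Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $dcs    = Get-ADDomainController -Filter * | Select-Object HostName, IsGlobalCatalog

    $roles = @(
        @('Schema Master',         $forest.SchemaMaster),
        @('Domain Naming Master',  $forest.DomainNamingMaster),
        @('PDC Emulator',          $domain.PDCEmulator),
        @('RID Master',            $domain.RIDMaster),
        @('Infrastructure Master', $domain.InfrastructureMaster)
    )

    # Single point of failure: every role on one DC (the situation on the previous slide).
    $holders = @($roles | ForEach-Object { $_[1] } | Sort-Object -Unique)
    if ($holders.Count -eq 1) {
        Write-Warning "All five roles sit on $($holders[0]); losing it stalls schema changes, RID issuance, password updates and Group Policy."
    }

    # The Infrastructure Master rule: not on a GC unless every DC is a GC.
    $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $imHost = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    if ($imHost.IsGlobalCatalog -and -not $allGc) {
        Write-Warning "Infrastructure Master $($domain.InfrastructureMaster) is a Global Catalog while other DCs are not; cross-domain group membership will stop being updated."
    }

    foreach ($r in $roles) {
        New-Object PSObject -Property @{ Role = $r[0]; Holder = $r[1] }
    }
}

Get-OperationsMasterReport | Format-Table Role, Holder -AutoSize

# Transfer is the graceful move (both DCs online and replicating); seizing is only
# for a holder that is gone for good. The three domain roles go to NY-DC3-2K8 here,
# a non-GC DC, so the Infrastructure Master ends up where the slide says it belongs.
Move-ADDirectoryServerOperationMasterRole -Identity 'NY-DC3-2K8' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

Get-OperationsMasterReport | Format-Table Role, Holder -AutoSize
```

Run the report before and after any transfer; the second run is the proof that the move replicated, and the warnings tell you whether the new layout is actually better than the old one rather than just different.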

Critical Vocabulary

Hey, look! Some more big words!

•Operations Master—An assignable role/job for a Domain Controller that only one Domain Controller at a time can do.

•Security Identifier (SID)—A unique value assigned to an object in Active Directory for identification in an Active Directory based network. May be assigned by a Domain Controller, but also may be created by an Operating System in the case of Computer Accounts and simply used by AD.

What We Covered

After viewing this video, you should be able to:

•Describe the five Operations Masters

•Identify what Server has been assigned what Operations Master.

•Change Operations Masters

•Create a Domain Controller using IFM media

Video 15: Stuff To Make Your Active Directory Life Just a Little More Predictable

Monitoring, Auditing, and Maintaining Your Active Directory Database

Monitoring, Auditing, and Defragging

In this video:

•Watching Your AD Stuff

•Your Monitoring Toolbox

•Watch Who’s Doing What To Your Active Directory

•Defragging Your AD Database

Watching Your AD Stuff

And now, something else that lands squarely in your job description

Globomantics is ready to launch, and you have taken solid precautions already to ensure that if your Domain Controllers blow up, you have flexible options to get your network back up and running in a short time.

Now you need to figure out how to watch your DC’s for any impending doom, and maintain your Active Directory database so you get optimum performance. There are a lot of third party tools out there for such things, but for now you need to rely on what’s built in to Server 2008.

Your Monitoring Toolbox

Hey, neat! Server 2008 has cool monitoring toys!

• Your tools for watching what’s going on:

– Task Manager—For real time immediate gratification of observing what’s going on in your Server

– Event Viewer—An easy way to view logs that are created by the various monitoring tools.

– Performance Monitor—A true classic, Performance Monitor allows granular tracking.

– Reliability Monitor—Watches and tracks changes in your system over time

– Data Collection Sets—Probably the easiest way to keep track of what’s going on in your system!

Watch Who’s Doing What to Your Active Directory

Time to play Big Brother!

•Auditing Policies are optional settings in Group Policy for Domain Controllers that allow you to keep detailed track of changes made to your AD.

•Not only can they track changes, but also who made the change, what the object was before the change, and what the object is now.

Watch Who’s Doing What to Your Active Directory

There are two steps to setting this up – you can’t do one without the other!

To Set Up Auditing:

•You have to enable an Auditing Policy (specifically Audit Directory Service) on either the Default Domain Controller Policy or on the Default Domain Policy.

•Then, you have to turn on the Auditing component on the Object(s) you want to Audit.
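Both halves of the auditing setup as commands, plus reading the results, added here as an example that is not from the course. It assumes it runs on a DC as a Domain Admin: auditpol is present on Server 2008, the SACL is written through .NET DirectoryServices, and Get-WinEvent needs PowerShell 2.0. The OU distinguished name is constructed.

```powershell
# Added example (not from the course): enable Directory Service Changes auditing,
# put a SACL on one OU, and read the resulting events. The OU is constructed.

# Step 1: the policy half. Server 2008 splits "Audit Directory Service Access" into
# subcategories; "Directory Service Changes" is the one that records old and new values.
# auditpol sets the local DC only; to cover every DC, put the same setting in the
# Default Domain Controllers Policy.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /get /subcategory:"Directory Service Changes"

# Step 2: the object half. Without a SACL on the object, the policy above logs nothing.
$ouDn = 'OU=NYUsers,DC=globomantics,DC=com'
$ou   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ouDn")
# Ask for the SACL as well as the DACL, or the audit rule is silently not written.
$ou.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Owner, Group, Dacl, Sacl'

$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteChild, CreateChild, WriteDacl, WriteOwner'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$ou.ObjectSecurity.AddAuditRule($rule)
$ou.CommitChanges()

# Step 3: read the results. 5136 = attribute modified, 5137 = object created,
# 5139 = object moved, 5141 = object deleted. A modification produces one 5136 for
# the value deleted (%%14675) and one for the value added (%%14674).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5139, 5141 } -MaxEvents 50 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object    = $d['ObjectDN']
            Attribute = $d['AttributeLDAPDisplayName']
            Value     = $d['AttributeValue']
            Operation = $d['OperationType']
        }
    } | Format-Table Time, EventId, Who, Object, Attribute, Value -AutoSize
```

Auditing Everyone for writes on the OU is deliberately broad: the interesting events are the ones made by accounts that should not have been able to write there at all, and those are exactly the ones a narrower SACL would miss.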

Defragging Your AD Database

Give your AD Database a tune-up!

•Running regular maintenance on the AD Database recaptures disk space, making the database file more efficient (and sometimes faster!), and checks for any weirdness that might occur.

•When stuff gets deleted out of your Active Directory Database, the Database file itself doesn’t get any smaller.

• It’s time to bust out the NTDSUTIL command again! Here are some crucial commands:

– Activate Instance NTDS – Your beginning command

– Files – The “context” that makes the following commands available:

• Compact – Defrags the database (and creates a copy of the NTDS.dit file)

• Integrity – checks database integrity

– Semantic Database Analysis—An NTDSUTIL tool that analyzes and checks your database for consistency
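The offline defrag and the two checks above as one scripted sequence, added here as an example and not the course's demo. It assumes it runs on the DC as an administrator, that Server 2008's restartable AD DS is used to stop NTDS rather than booting into Directory Services Restore Mode, that NTDS.dit lives in the default C:\Windows\NTDS, and that a second volume E: has room for a full copy (paths constructed).

```powershell
# Added example (not from the course): compact NTDS.dit offline, verify the result,
# then swap it in. Assumes C:\Windows\NTDS and a scratch area on E:.

$ntdsDir   = 'C:\Windows\NTDS'
$tempDir   = 'E:\ADCompact'
$backupDit = "$ntdsDir\ntds.dit.bak"

# 0. Never compact without a fresh System State backup to fall back on.
wbadmin start systemstatebackup -backupTarget:E: -quiet
if ($LASTEXITCODE -ne 0) { throw 'System State backup failed; not touching NTDS.dit' }

# 1. Take the directory offline (restartable AD DS). Clients fail over to another DC,
#    so do this only when at least one other DC is healthy.
net stop ntds /y

# 2. Compact writes a defragmented COPY to $tempDir; the live file is untouched.
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null
ntdsutil "activate instance ntds" files "compact to $tempDir" quit quit

# 3. Swap the files in, keeping the old one, and delete the now-stale log files
#    as the compact output instructs.
Copy-Item "$ntdsDir\ntds.dit" $backupDit -Force
Copy-Item "$tempDir\ntds.dit" "$ntdsDir\ntds.dit" -Force
Remove-Item "$ntdsDir\*.log" -Force

# 4. Check the new file before bringing it online: integrity is the low-level ESE
#    check, semantic database analysis the AD-level consistency check. Both need
#    the directory service stopped.
ntdsutil "activate instance ntds" files integrity quit quit
ntdsutil "activate instance ntds" "semantic database analysis" go quit quit

# 5. Bring AD DS back.
net start ntds

# Before/after size, so you can see what the compact recovered.
Get-Item $backupDit, "$ntdsDir\ntds.dit" |
    Select-Object Name, @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } }
```

If either check in step 4 reports errors, copy ntds.dit.bak back over ntds.dit before starting NTDS; the compacted file is a copy precisely so that a bad result costs nothing but time.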

Critical Vocabulary

Maintain not just your AD, but your lexicon as well!

•NTDS.dit—The actual database file that holds your Active Directory Objects

•Compact—The process of recovering disk space by removing empty space and repositioning data on the disk for optimum read time. (also known as defragging)

•Integrity—A database is said to have integrity when all of the records hold exactly what they’re supposed to hold.

What We Covered

After watching this video, you should be able to:

•Use the Task Manager to watch performance in real time.

•Use the Event Viewer to see what‘s going on in your machine.

•Use the Reliability Monitor to monitor changes in your DC over time.

•Use the Performance Monitor if you have nothing else better to do with your time.

•Use the Data Collection Sets to track Active Directory and Domain Controller performance.

•Enable Auditing Policies in the Default Domain Controller GPO for Object and Account Access

What We Covered

After watching this video, you should be able to:

•View the Results of your Auditing Policies in Event Viewer.

•Use NTDSUTIL to defragment your database and check for integrity and consistency of the AD Database as a whole.

We have set up the New York office AD infrastructure and made plans for disaster recovery. In the next video, we’re going to expand to Chicago, and set up a child domain for the Chicago office by creating some more DC’s!

Video 16: Creating the Chicago Location

Adding a Child Domain, Creating Sites and Subnets, and Configuring Replication with the Mother Ship

Creating the Chicago Location

In this video:

•All You Need Is Lov—I mean a DC!

•Adding a Site and Subnet Before Jumping In

–Creating the Child Domain

–Making Sure Chicago Can Talk To New York

All You Need Is Lov—I mean a DC!

It’s time to expand!

In order to keep tabs on the Chicago stock exchange, Hank has decided to open up an office in downtown Chicago. To keep things more manageable, you decide that the best way to keep the Globomantics network a little more manageable for future growth is to separate out the Chicago office into its own child domain (sometimes called a subdomain).

There’s good reason to break out Chicago into its own child domain:

–Less Network Traffic to suck up your bandwidth between Chicago and New York

–De-centralized management will allow you to delegate control over Chicago to an administrator (yet to be hired—or maybe we’ll send Jamie!) that’s actually in Chicago.

–Having a location-centric Active Directory structure can allow for easier tracking of stuff between locations.

All You Need Is Lov—I mean a DC!

In order to create the Chicago child domain, all we need is another DC!

[Diagram: Globomantics.com with NY-DC1-2K8, NY-DC2-2K8 and NY-DC3-2K8 behind a Network Switch; the new NA-DC1-2K8 (Global Catalog, DNS) for na.globomantics.com]

Adding a Site and Subnet Before Jumping In

Before we begin…

• Sites in AD represent the physical structure, or topology, of your network.

• Right now, we have only one Site defined in Globomantics.com, New York. We first need to create the Chicago site in Active Directory Sites and Services.

• In order to allow Active Directory the ability to track our machines by location, we’ll also create a Subnet Object, and assign that Subnet Object to Chicago.

• Once that’s done, we can use the Location Attribute in Active Directory to track and find machines according to their IP address.

• Here’s what we have and what we’re going to create:

[Diagram: NY-DC1, NY-DC2 and NY-DC3 in the New York site; NA-DC1 and a new Subnet Object for Chicago]
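The Chicago site, its subnet and the site link back to New York created with cmdlets, as an added example that is not from the course (the course does this in Active Directory Sites and Services). It assumes the ActiveDirectory module from Server 2012 RSAT or later, which is where the replication cmdlets appeared; the existing site name New York, the Chicago subnet 10.20.0.0/16 and the replication interval are constructed for the example.

```powershell
# Added example (not from the course): site, subnet and site link for Chicago.
# Assumes the Server 2012+ ActiveDirectory module; names and subnet are constructed.

Import-Module ActiveDirectory

$nySite  = 'New York'       # the existing site, renamed from Default-First-Site-Name
$chiSite = 'Chicago'
$chiNet  = '10.20.0.0/16'   # constructed Chicago address range

# 1. The site: where DCs live, and what clients use to find a DC near them.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$chiSite'")) {
    New-ADReplicationSite -Name $chiSite -Description 'Chicago office, na.globomantics.com'
}

# 2. The subnet, assigned to the site: a machine whose IP is in this range is
#    treated as being in Chicago and logs on against a Chicago DC.
New-ADReplicationSubnet -Name $chiNet -Site $chiSite -Location 'Chicago, IL'

# 3. Replication over the WAN: one site link NY<->Chicago, every 3 hours.
#    Cost 100 is the default; the lower cost wins when several paths exist.
New-ADReplicationSiteLink -Name 'NY-Chicago' -SitesIncluded $nySite, $chiSite `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 180

# 4. Sanity check: every DC should sit in the site whose subnet contains its IP.
#    A DC in the wrong site means a missing or wrong subnet object, and clients
#    crossing the WAN to authenticate.
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site |
    Sort-Object Site | Format-Table -AutoSize

# The machine-side view: the site this computer works out for itself from its IP.
nltest /dsgetsite
```

A subnet that is missing or assigned to the wrong site does not produce an error anywhere; the only symptoms are slow logons and Chicago machines authenticating in New York, which is why the two checks at the end are worth running after every change.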

Critical Vocabulary

Some words of wisdom…or at least some words that will help

•Child Domain—A Subdomain that is part of the main Forest, useful for delegation of management, location-based management, and saving bandwidth over WAN links.

•Site—An Active Directory Object that represents the major components of the physical topology of a network.

•Subnet Object—An Active Directory Object that allows AD to track machines based on IP Address.

What We Covered

After viewing this video, you should be able to:

•Create a new Site in Active Directory

•Create a new Subnet object in Active Directory

•Assign a Subnet Object to a Site

•Use DCPromo to create a new Child Domain in an existing Forest

•Configure Replication between Domain Controllers

Video 17: How To Give People Access to Stuff That’s 790 Miles Away

Creating Universal Groups, the AGUDLP Strategy, and Making Sure Your People Can Log In Anywhere In Your Enterprise

Giving People Access to Stuff 790 Miles Away

In this video:

•Time For Some More Users!

•The Types of Groups

•Setting Up Your Groups for Access Between Domains

•Making Sure Your Users Can Log In Anywhere in Your Enterprise

Time for some more users!

Break out that Excel Script Maker again!

Hank has sent you another 20 users to add to the Chicago office, so it’s time to make them quickly and easily with the Excel sheet script maker.

You’ll also create some OU’s and Groups as well, similar to what you did with New York.


The Types of Groups

What kind of Groups do we create?

• There are two core types of Groups:

– Security Groups allow you to grant Permissions to resources.

– Distribution Groups are basically Email lists, and aren't used very often.

• There are Three Scopes of Security Groups:

– Global: Usable in any trusted Domain in your Forest. Users can only come from the home Domain.

– Universal: Usable in any trusted Domain in your Forest. Users can come from ANY Domain.

– Domain Local: Usable in the Domain it lives in ONLY. Users can only come from the home Domain.


Setting Up Your Groups for Access Between Domains

AGUDLP – Alphabet Soup anyone?

• Now that we have multiple domains, we also have the challenge of making sure that we can easily provide access to resources between them.

• AGUDLP is a strategy that we can use to grant access in a more "reusable" way.

• Here's how it works:

1. Accounts go into Global Groups.

2. The Global Group becomes a member of a Universal Group.

3. The Universal Group becomes a member of a Domain Local Group.

4. Permissions to network resources are then granted to the Domain Local Group.


Setting Up Your Groups for Access Between Domains

And now, here's what we're going to do for our Globomantics Sales Team

• The Sales team will need access to the Sales docs folder, as the sales program will be pretty much the same throughout the company. Here's what we'll do to get them access to the SalesDocs folder over in New York:

1. In the na.globomantics domain, all the Chicago Sales User Accounts go into a Global Group called ChicagoSales.

2. We'll create a Universal Group in the NA domain called AllSales and make ChicagoSales a member of AllSales.

3. In Globomantics.com (the New York domain), we'll create a Domain Local Group called SalesDocs and make AllSales a member of it.

4. On the NY-MEM1-2K8 File Server, we'll grant Permissions to the Domain Local Group SalesDocsAccess to the SalesDocs Folder.
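The four AGUDLP steps above, as an added example that is not part of the course or of any Train Signal material. It is a PowerShell script that assumes the ActiveDirectory module (shipped with Server 2008 R2 and RSAT; against Server 2008 DCs it needs the Active Directory Management Gateway Service) and an account that is an administrator in both domains. The OU paths, the folder path D:\SalesDocs, the user filter on the Department attribute, and the name SalesDocsAccess for the Domain Local group (the slide uses both SalesDocs and SalesDocsAccess) are assumptions.

```powershell
# Added example (not from the course): AGUDLP for the Globomantics Sales team.
# Assumes the ActiveDirectory PowerShell module and an account that is an
# administrator in both domains. OU paths and D:\SalesDocs are assumed values.
Import-Module ActiveDirectory

$naDomain  = 'na.globomantics.com'   # Chicago child domain
$nyDomain  = 'globomantics.com'      # forest root (New York)
$chicagoOU = 'OU=Sales,OU=Chicago,DC=na,DC=globomantics,DC=com'   # assumed OU
$nyGroupOU = 'OU=Groups,OU=NewYork,DC=globomantics,DC=com'        # assumed OU

# A -> G: accounts go into a Global group in their home domain (NA).
New-ADGroup -Name 'ChicagoSales' -GroupScope Global -GroupCategory Security `
    -Path $chicagoOU -Server $naDomain
$chicagoUsers = Get-ADUser -Filter 'Department -eq "Sales"' `
    -SearchBase 'OU=Chicago,DC=na,DC=globomantics,DC=com' -Server $naDomain
Add-ADGroupMember -Identity 'ChicagoSales' -Members $chicagoUsers -Server $naDomain

# G -> U: the Global group becomes a member of a Universal group (also in NA).
New-ADGroup -Name 'AllSales' -GroupScope Universal -GroupCategory Security `
    -Path $chicagoOU -Server $naDomain
Add-ADGroupMember -Identity 'AllSales' -Members 'ChicagoSales' -Server $naDomain

# U -> DL: the Universal group becomes a member of a Domain Local group in the
# New York domain, where the resource lives. The cross-domain member is added
# by DN with Set-ADGroup, so the globomantics.com DC does not try to resolve
# the name "AllSales" in its own domain.
New-ADGroup -Name 'SalesDocsAccess' -GroupScope DomainLocal -GroupCategory Security `
    -Path $nyGroupOU -Server $nyDomain
$allSales = Get-ADGroup -Identity 'AllSales' -Server $naDomain
Set-ADGroup -Identity 'SalesDocsAccess' -Server $nyDomain `
    -Add @{ member = $allSales.DistinguishedName }

# DL -> P: permissions go on the folder itself (run this line on NY-MEM1-2K8).
# Modify (M) on the folder, inherited by subfolders and files via (OI)(CI).
icacls 'D:\SalesDocs' /grant 'GLOBOMANTICS\SalesDocsAccess:(OI)(CI)M'

# Verify the chain: the Domain Local group should list the NA Universal group
# as a direct member, and the Universal group should list ChicagoSales.
Get-ADGroup -Identity 'SalesDocsAccess' -Properties member -Server $nyDomain |
    Select-Object -ExpandProperty member
Get-ADGroup -Identity 'AllSales' -Properties member -Server $naDomain |
    Select-Object -ExpandProperty member
```

Because only the Domain Local group ever appears in the folder's ACL, adding a Tokyo or Dallas sales team later means adding one more Global group to AllSales; no ACL on the file server changes.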


Making Sure Your Users Can Log In Anywhere in Your Enterprise

We got us a Global Catalog to check out!

•Hank is going to be bouncing back and forth between locations, and you need to make sure that he and anyone else who's visiting either office can log in.

•As long as there's a Global Catalog at a Site, your users can log in with an "email address" style login, like [email protected].

•If there's not a Global Catalog, you'll need to enable Universal Group Caching on the Site. (It's a check box—super easy!)

[Diagram: a Global Catalog Server in Globomantics.com and a Global Catalog Server in Na.globomantics.com]


Critical Vocabulary

Important Words

•Security Group—Group Object in Active Directory that allows you to provide access to resources on the network.

•Distribution Group—Group Object in Active Directory that acts as an email distribution list.

•Global Group—A Group usable in any trusted Domain in your forest. Users can only come from the home Domain. Can be a member of a Universal Group.

•Universal Group—A Group usable in any trusted Domain in your Forest. Users can come from ANY Domain. Can be a member of a Domain Local Group.

•Domain Local—A Group usable only in the Domain it lives in. Users can only be from the Domain it lives in, but Universal Groups can be Members of the Domain Local Group.


What We Covered

After viewing this video, you should be able to:

•Distinguish between Global, Universal, and Domain Local Groups.

•Distinguish between Security and Distribution Groups.

•Utilize AGUDLP to provide access to resources across Domains.

•Ensure that Users can log in to another Domain by either providing a Global Catalog at a Site or using the Universal Group Caching setting on a Site.


Video 18

Creating The Dallas Branch Office

Building a Read-Only Domain Controller for a Less Secure Location


Creating the Dallas Branch Office

In this video:

•Hank Says There Will Be a Dallas Office

•The Dallas OU and Site Structure

•What is a Read Only Domain Controller?

•Building an RODC for Dallas


Hank Says There Will Be a Dallas Office

And if Hank says it…

Dallas is Hank's hometown. He has a ranch just outside of Dallas, and he doesn't want to have to fly out to New York or Chicago to do work.

That's not a problem, but he also wants a staff of 5 people in the not-yet-created Dallas location. He's already rented a little office 5 miles from his ranch, and there's basically a closet that, if you ask really nicely, you might be able to use to hold the router and any servers.

You decide that, due to the lack of physical security in the office, a Read Only Domain Controller is going to be the best option. But before we can build the RODC, we need to create an OU Structure for Dallas.


The Dallas OU and Site Structure

Let's keep it simple still…

•We first need to have some OU's for our Dallas User Accounts to live in.

•Then, we need to add a Dallas site so we can have a physical representation of our network.


What is a Read Only Domain Controller?

For low-security locations with few users, an RODC is a happy thing.

•An RODC lets only the Users that the Administrator allows log in at a particular location.

•The RODC downloads only the User Account information that it needs—it does not upload anything to the writeable (or Full) Domain Controllers.

•You don't need to have a Global Catalog on the RODC—you can use Universal Group Caching to cut down on replication traffic.

•Better yet, you can use the Server Core Installation to provide two important advantages:

– You don't need a super-duper box to run it.

– You can remotely administer the Server Core functions using MMC's.


Building an RODC for Dallas

And now, here's what we're going to build

Computer Name: RODC-DAL-2K8

– 2GHz Single Core Processor

– 512MB RAM

– 1 Gigabit NIC

– 1 x 120 GB HDD

– Server Core Server 2008, 32-bit Version

– With Active Directory Domain Services (RODC) and DNS Server

– DHCP for the Dallas office will be configured at the Router


So here’s what we’ve built so far…

New York, Chicago, Dallas…What’s next? Tokyo?


Zooming in on Dallas

Users from New York (like Hank) can still log in with their email-style login, more commonly known as a UPN (User Principal Name), with the presence of a Global Catalog OR by enabling Universal Group Caching and putting the Users that you want into a Universal Group.


Critical Vocabulary

More words! More words!

•RODC—Read Only Domain Controller—a Domain Controller that caches User Account information for only a small number of users for a particular location.

•Server Core—A version of Server 2008 that only has a command line interface and lesser operating requirements, and that supports only 9 Server Roles.

•UPN—User Principal Name—An email-style login name that can be used to log in across Domains when a Global Catalog is present at the Site OR when the User is part of a Universal Group and Universal Group Caching is enabled on a Site.


What We Covered

After viewing this video, you should be able to:

•Install Server 2008 as a Server Core installation.

•Use a configuration script to configure basic settings for your Server Core Installation.

•Install the Active Directory Domain Services Role with the RODC option.

•Attach an MMC to a Server Core installation for management.

•Configure Universal Group Caching for a Site so you don't have to provide a Global Catalog for that Site.

•Set up which users can log in at that location.

•Pre-Populate Passwords for Users that will be logging in at the location for a faster login experience.
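The Dallas build described in "Building an RODC for Dallas" and the steps listed above, as an added example that is not part of the course. The script runs from a management workstation with the ActiveDirectory PowerShell module (Server 2008 R2 / RSAT; against Server 2008 DCs it needs the Active Directory Management Gateway Service) and writes a dcpromo answer file for the Server Core box. The site names Dallas and NewYork, the group DallasUsers that holds the five Dallas accounts, NY-DC1 as the writable source DC, and every password are assumptions; passwords are placeholders.

```powershell
# Added example (not from the course): building the Dallas RODC and limiting
# which accounts it may cache. Assumes the ActiveDirectory module, a Dallas
# site already created, and a group "DallasUsers" holding the Dallas accounts.
Import-Module ActiveDirectory

$domain   = 'globomantics.com'
$configNC = 'CN=Configuration,DC=globomantics,DC=com'

# 1. dcpromo answer file for the Server Core box (RODC-DAL-2K8). Copy it to
#    the server and run:  dcpromo /unattend:C:\rodc-unattend.txt
#    (Server Core 2008 has no PowerShell, so dcpromo is launched from cmd.)
$unattend = @'
[DCINSTALL]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=globomantics.com
SiteName=Dallas
InstallDNS=Yes
ConfirmGc=No
UserDomain=globomantics.com
UserName=Administrator
Password=<PLACEHOLDER-domain-admin-password>
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=<PLACEHOLDER-DSRM-password>
RebootOnCompletion=Yes
'@
Set-Content -Path '.\rodc-unattend.txt' -Value $unattend -Encoding ASCII

# 2. No Global Catalog in Dallas, so turn on Universal Group Membership Caching
#    on the site's NTDS Site Settings object. This is the "check box" in AD
#    Sites and Services: bit 0x20 of the options attribute. Point the cache at
#    the New York site so the refresh goes to a known GC.
$siteSettings = "CN=NTDS Site Settings,CN=Dallas,CN=Sites,$configNC"
$current = (Get-ADObject -Identity $siteSettings -Properties options -Server $domain).options
Set-ADObject -Identity $siteSettings -Server $domain -Replace @{
    options                  = ([int]$current -bor 0x20)
    'msDS-Preferred-GC-Site' = "CN=NewYork,CN=Sites,$configNC"   # assumed site name
}

# 3. Decide who may log in through the RODC. Only accounts on the RODC's
#    Allowed list can have their password hashes cached on the box in the
#    closet; Domain Admins and other privileged groups are on the Denied list
#    by default and stay there.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC-DAL-2K8' `
    -AllowedList 'DallasUsers'

# 4. Pre-populate the Dallas users' passwords on the RODC from a writable DC,
#    so the first logon does not wait for the WAN link to New York.
Get-ADGroupMember -Identity 'DallasUsers' -Server $domain | ForEach-Object {
    repadmin /rodcpwdrepl RODC-DAL-2K8 NY-DC1 $_.DistinguishedName
}

# 5. Audit what the RODC is actually holding: this is the list you would
#    reset if the Dallas box were ever stolen.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC-DAL-2K8' -RevealedAccounts
```

Step 5 is the one to keep in a runbook: the set of accounts whose secrets live on the RODC is exactly the set exposed if the hardware walks out of that closet, and deleting the RODC's computer account in Server 2008 offers to reset those passwords for you.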


Video 19

Bringing an OU and Users Back from the Dead

How to Restore Individual Organizational Units and User Accounts AFTER They've Been Deleted


Bringing an OU and Users Back From The Dead

In this video:

•Okay, Who Killed Off The Ops Department?

•The Two Types of Restorations

– Use Windows Server Backup to do a Non-Authoritative Restoration

– Use NTDSUTIL and WBADMIN to do an Authoritative Restoration

•How to Put Resurrected Users Back Into Groups Using Backlinks


Okay, Who Killed Off The Ops Department?

Ummm….whoops?

Things are going well, until on a Tuesday morning the entire New York Ops department can no longer log in. When you go to see what's happening, you notice that the New York Ops OU is…gone. Aced, no trace, nada, not there, here or anywhere.

When you check your Security log, you see that the account BSamson, an account belonging to one of your new IT staff who had been given Account Operator permissions, successfully deleted the entire OU last night at 1AM. Brock did not report in this morning due to the fact that he's in police custody for *ahem* other chemically-related issues.

Fortunately, at midnight, a System State backup of your entire Domain Controller was successfully completed. You need to restore the Ops OU for New York due to Brock's drug-induced mayhem.


The Two Types of Restorations

Oh, the choices, the choices! (Okay, there's only 2)

• There are two options for restoring an OU:

– Non-Authoritative Restore: Most often done using Windows Server Backup, you can restore the entire Domain Controller.

– Authoritative Restore: Using WBADMIN and NTDSUTIL, you can restore an OU, an individual User Account, or any other AD Object after doing a System State Restore, and mark it as Authoritative.

• What makes a Restore "Authoritative?"

– The Update Sequence Number in the AD Database is increased by 10,000 so other Domain Controllers know that the restored object is the most recent.


The Two Types of Restorations

And now, the secrets of how to do both

• To run a non-authoritative restore, just go to Windows Server Backup and click Recover. Use the most recent backup file set that was created before the deletion. You're done (sort of: you may have problems with this type of restore).

• To run an authoritative restore:

1. Restart the DC into Domain Recovery Mode (hit F8 on the keyboard during reboot to get this option).

2. Log in with .\Administrator and the Domain Recovery Mode password you set up when you ran DCPromo.

3. Type wbadmin get versions -backuptarget:backuplocation, where backuplocation is the location where your backup files live.

4. Figure out which version you want to restore.

5. Type wbadmin start systemstaterecovery -version:ID -backuptarget:backuplocation

6. After the restore, type ntdsutil, then activate instance NTDS.

7. Type authoritative restore to get into the right NTDSUTIL context.

8. Type restore object "distinguishedName" for a single account, or restore subtree "distinguishedName" if you're restoring an entire OU.

9. Reboot normally.


How to Put Resurrected Users Back Into Groups Using Backlinks

If for some strange reason your Server 2008 DC is running under a Server 2000 Functional Level Domain…

• In a Server 2003 or Server 2008 Functional Level Domain/Forest, NTDSUTIL uses what we call Linked Value Replication to restore Group Membership to restored Accounts (you can ignore this whole slide if you're at a Server 2K3/2K8 Functional Level).

• When you do an authoritative restore in a Server 2000 Functional Level Domain, you end up losing Group memberships on your User Accounts. Of course, you could go back and recreate them manually….(no, you can't, you don't have that kind of time on your hands)

• During the authoritative restore, at least one file called an LDIF file is created. You can use this file to restore group membership to all the users you restored quickly by using what are called Backlinks from the LDIF file.

• To restore group membership using backlinks:

1. After the Authoritative Restore is complete and the DC has been restarted normally, open a command prompt and type repadmin /syncall DCNAME /a /d /A /P /q, where DCNAME is the name of the Domain Controller that you just restored.

2. Change to the directory where your LDIF files ended up.

3. Type ldifde -i -k -f filename, where filename is the name of the LDIF file you need.

4. Rinse and repeat Step 3 for each file that was created by the NTDSUTIL restore process.
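The authoritative restore steps and the backlink import from the last two slides, run end to end, as an added example that is not part of the course. It assumes the DC is NY-DC1, booted into Directory Services Restore Mode, that the backups live on E:, that the deleted OU's distinguished name is OU=Ops,OU=NewYork,DC=globomantics,DC=com (chosen without spaces so it passes through ntdsutil as one argument), and that the backup version id is filled in from the `wbadmin get versions` output; all of these are assumptions.

```powershell
# Added example (not from the course): authoritative restore of the deleted
# New York Ops OU, then the backlink repair for a Windows 2000 functional-level
# domain. Runs on the DC (NY-DC1 assumed) in Directory Services Restore Mode.
$backupTarget = 'E:'                                   # assumed backup location
$opsOU = 'OU=Ops,OU=NewYork,DC=globomantics,DC=com'    # assumed DN of the deleted OU

# 1. List the system state backups and pick the last one taken BEFORE the
#    1 AM deletion (the midnight backup in the story).
wbadmin get versions -backupTarget:$backupTarget

# 2. Non-authoritative system state restore of that version. The version id
#    is the timestamp printed by "get versions" (MM/DD/YYYY-HH:MM).
$version = '<PLACEHOLDER-version-id>'
wbadmin start systemstaterecovery -version:$version -backupTarget:$backupTarget -quiet

# 3. Mark only the OU subtree as authoritative. Every argument is one ntdsutil
#    command, so this is the same as typing them one by one. The restored
#    objects get their version numbers raised so they win over the deletion
#    when replication resumes; ntdsutil also writes the ar_*.txt / ar_*.ldf
#    backlink files into the current directory.
ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $opsOU" quit quit

# 4. Reboot normally and let the restored OU replicate out:
#    shutdown /r /t 0

# ---- After the reboot, and ONLY if the domain is still at Windows 2000
# ---- functional level (at 2003/2008 level LVR restores the memberships).
$dcName = 'NY-DC1'
repadmin /syncall $dcName /a /d /A /P /q   # /A all partitions, /P push, /q quiet

# Import every backlink LDIF the restore produced. -i import, -k keep going
# on errors (a user already being a member is reported as an error), -f file.
Get-ChildItem -Path . -Filter 'ar_*.ldf' | ForEach-Object {
    ldifde -i -k -f $_.FullName
}
```

Two checks belong in this runbook that the slides leave implicit: before step 3, confirm the chosen backup really predates the deletion by reading the Security log event that named BSamson, and after the reboot run `repadmin /showrepl` on a second DC to confirm the restored OU arrived there instead of being deleted again by an inbound tombstone.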


Critical Vocabulary

Just a few really big words

•Authoritative Restore—A process in which objects or an entire Directory can be restored and marked as "authoritative" by increasing the Update Sequence Number by 10,000 to let all other DCs know to use this object in replication.

•Non-Authoritative Restore—A simple restoration process that can be accomplished either from Windows Server Backup or by using Directory Restore Mode and WBADMIN (if you really want to).

•Update Sequence Number—A value in an Active Directory Object that helps Domain Controllers know which objects need to be updated in the Directory during replication.

•Linked Value Replication (LVR)—A magical process available in a Server 2003 or 2008 Functional Level Domain that restores Group Membership back to restored accounts automatically.


What We Covered

After viewing this video, you should be able to:

•Perform a Non-Authoritative Restore using Windows Server Backup on a DC.

•Perform an Authoritative Restore using Directory Services Restore Mode, WBADMIN, and NTDSUTIL.

•Restore Group Membership from Backlinks using ldifde (if for some weird reason you're not running a Server 2003 or Server 2008 Domain Functional Level).


Video 20

What Do You Do When A Domain Controller Blows Up?

Strategies to Use When Recreating a Dead Domain Controller


What Do You Do When A Domain Controller Blows Up?

In this video:

•Uh-Oh

•Seizing Operations Masters for Quick Restoration of Functionality

•Possible Solutions for Restoring Domain Controllers


Uh-Oh

And…the inevitable happens

NY-DC3 has blown up. Completely. It is a quivering mass of metal that screeches and whines when it tries to start up. The absolute best way to describe the current state of DC3 is this:

Now, you need to decide what to do with the DC. The good news is, you still have two other Domain Controllers running so Users can still log in. The bad news is, DC-3 is (or rather was) your Infrastructure Master. You need to get an Infrastructure Master back online as fast as you can first, and then decide how to get NY-DC3 back.


Seizing Operations Masters for Quick Restoration of Functionality

How to seize an Operations Master Role When The Machine Doesn't Exist Anymore

•The GUI:

– Try to move an Operations Master from the GUI like you would normally.

•NTDSUTIL:

– You can also use NTDSUTIL to seize an Operations Master role with the following operation:

1. Go into NTDSUTIL like normal, and don't forget to type activate instance NTDS as your first command.

2. Type roles to move into the Roles context.

3. Type help to get a list of the commands.

• To seize the Infrastructure Master, type seize infrastructure master


Possible Solutions for Restoring Domain Controllers

It all depends…

• If the hardware and the Server 2008 Operating System are okay but Active Directory has been trashed, you can just do a System State Restore from the last backup.

• If your hardware is trashed, build a new Server 2008, install Windows Server Backup, and do a Recovery of the last Full Backup of NY-DC3. (Requires the Backup to be on a DVD or NAS)

• Last, if you don't have access to a set of backup files (shame, shame!!), since NY-DC3 is more of an auxiliary machine, you can:

– Delete the NY-DC3 Computer Account from the Domain Controllers OU.

– Build a brand new Server 2008 machine, install AD DS and run DCPromo.

– Let replication do the job of restoring the Active Directory database.

– Move the Infrastructure Master back to the new DC-3.
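The NTDSUTIL seizure from the previous slide and the "no backups" rebuild path above, combined into one sequence, as an added example that is not part of the course. It runs on a surviving DC (NY-DC1 assumed) as a Domain Admin; the site name NewYork is an assumption. The `connections` / `connect to server` step is not on the slide but is what binds ntdsutil to the DC that will receive the role.

```powershell
# Added example (not from the course): recovering from the loss of NY-DC3,
# which held the Infrastructure Master. Run on a surviving DC (NY-DC1 assumed).
$survivor = 'NY-DC1'
$deadDC   = 'NY-DC3'
$configNC = 'CN=Configuration,DC=globomantics,DC=com'

# 1. Record which roles the dead box held before changing anything.
netdom query fsmo

# 2. Seize the Infrastructure Master onto the survivor. ntdsutil first
#    attempts a graceful transfer and only seizes when the old holder does not
#    answer. Each argument is one ntdsutil command, so this matches typing
#    "roles", "connections", "connect to server NY-DC1", "quit",
#    "seize infrastructure master" at the prompts.
ntdsutil 'activate instance ntds' roles connections "connect to server $survivor" quit `
    'seize infrastructure master' quit quit

# 3. Never bring the old NY-DC3 back online after a seizure: two DCs would
#    both believe they own the role. Its leftovers (computer account in the
#    Domain Controllers OU, NTDS Settings and server objects) have to go before
#    a rebuilt machine can re-use the name. On Server 2008, deleting the
#    computer account in AD Users and Computers does this cleanup for you;
#    this is the command-line equivalent.
$serverDN = "CN=$deadDC,CN=Servers,CN=NewYork,CN=Sites,$configNC"   # assumed site
ntdsutil 'metadata cleanup' "remove selected server $serverDN" quit quit

# 4. Confirm nothing still points at the ghost: the role is on the survivor,
#    replication partners no longer list NY-DC3, and DNS no longer advertises
#    it as a DC.
netdom query fsmo
repadmin /showrepl $survivor
nslookup -type=SRV _ldap._tcp.dc._msdcs.globomantics.com

# 5. Build a fresh Server 2008 machine named NY-DC3, add the AD DS role and
#    run dcpromo as a replica DC; replication rebuilds its database. Once it
#    is healthy, move the role back the gentle way:
#    ntdsutil roles connections "connect to server NY-DC3" quit "transfer infrastructure master" quit quit
```

The order matters for safety: seize first, so the domain is whole again, then clean the metadata, and only then promote a replacement. Rebuilding a DC with the same name while the old objects still exist produces replication errors that look a lot like the original outage.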


Critical Vocabulary

Hey, wait a minute….

•Toast—What a Domain Controller smells like when it blows up. Okay, in reality, it smells like burning plastic and metal, but you get the point.

•That's all. No new real words this time that you haven't already seen.


What We Covered

After viewing this video, you should be able to:

•Seize an Operations Master and thereby transfer the functionality to a live Domain Controller.

•Identify a methodology to restore a Domain Controller to functional status.


Video 21

Get Your Old Domain Controllers Up To Date

Upgrading a Server 2003 Machine to Server 2008


Get Your Old Domain Controllers Up To Date

In this video:

•Hank just bought a company…in Tokyo!

•Advantages of the Server 2008 Domain Functional Level

•The Upgrade Process


Hank just bought a company….in Tokyo!

…and now you have to integrate it into your network!

Hank's been on a spending spree, and bought a small brokerage in Tokyo, Japan for the mere sum of $1.5 million. The small company, Verde Petra, Inc., is a 10-person shop that focuses on the Asian markets. Their network is a simple 1 Domain Controller setup with 10 client machines, an outsourced email solution, and a couple of network printers.

However, their Domain Controller is running a 32-bit edition of Server 2003, and needs to be upgraded to Server 2008 to take advantage of all the extras that a Server 2008 Functional Level provides. Before we do anything to integrate, you need to prepare the Verde Petra Domain Controller by upgrading it to Server 2008 Enterprise 32-bit.


Advantages of the Server 2008 Domain Functional Level

When you get a 2008 Functional Level, you also get these nifty bonus items!

•Distributed File System Replication

•Advanced Encryption Standard support for the Kerberos protocol

•Last Interactive Logon Information

– GPO found in Computer Configuration → Policies → Administrative Templates → Windows Components → Windows Logon Options → Display information about previous logons during user logon

•Fine-grained password policies


The Upgrade Process

Showtime!

• Before you do anything, make sure your hardware is up to spec.

• When Upgrading a Domain Controller, you'll need to grab some scripts off the Server 2008 disc and run adprep /FORESTPREP and adprep /DOMAINPREP.

• The rest of the upgrade process is simple—put in the CD and click on the Upgrade option when it comes up, and install as normal.

• NOTE: You cannot upgrade Server 2000 to Server 2008. You would have to first upgrade the Server to 2003 and then to 2008.
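The adprep part of the upgrade, with the checks around it, as an added example that is not part of the course. It assumes the Server 2008 DVD is mounted as D: on the Verde Petra DC (which, as the only DC, holds every operations master role), that the domain is verdepetra.com, and that the account used is in Schema Admins, Enterprise Admins and Domain Admins. The schema objectVersion values (30 for Server 2003, 31 for 2003 R2, 44 for Server 2008) are the published ones and are what the check relies on.

```powershell
# Added example (not from the course): preparing the Verde Petra forest and
# domain for the Server 2008 in-place upgrade, and verifying the result.
# Run on the Server 2003 DC; D: is the Server 2008 DVD (assumed).
$adprep   = 'D:\sources\adprep\adprep.exe'
$schemaDN = 'CN=Schema,CN=Configuration,DC=verdepetra,DC=com'   # assumed domain

# Schema version before: Server 2003 = 30, 2003 R2 = 31, Server 2008 = 44.
dsquery * $schemaDN -scope base -attr objectVersion

# Take a system state backup before anything else: schema extensions cannot
# be rolled back except by restoring the whole forest.
wbadmin start systemstatebackup -backupTarget:E: -quiet   # E: assumed; Server 2003 uses ntbackup instead

# 1. Forest prep runs once per forest, on the Schema Master, and extends the
#    schema. adprep asks for confirmation ("C") before it proceeds.
& $adprep /forestprep

# 2. Domain prep runs once per domain, on that domain's Infrastructure Master.
#    /gpprep also fixes up Group Policy object permissions.
& $adprep /domainprep /gpprep

# 3. Only needed if read-only domain controllers will ever join this forest.
& $adprep /rodcprep

# Verify: objectVersion should now be 44, and the adprep log should contain
# no errors before setup.exe is launched with the Upgrade option.
dsquery * $schemaDN -scope base -attr objectVersion
Get-Content "$env:SystemRoot\debug\adprep\logs\*\ADPrep.log" |
    Select-String -Pattern 'error|fail' -CaseSensitive:$false

# Then run setup from the DVD and choose Upgrade. The 32-bit DC needs the
# 32-bit Server 2008 media, and there is no path from Server 2000: that DC
# would go 2000 -> 2003 -> 2008.
```

On a single-DC domain the schema change replicates nowhere, so the only rollback is the backup taken at the top; on a multi-DC forest you would wait for `repadmin /showrepl` to show the schema partition in sync before touching the domain.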


Critical Vocabulary

Words?

• Nope. No new words this round.


What We Covered

After watching this video, you should be able to:

•Prepare a Server 2003 Domain Controller for Upgrade to 2008 using adprep

•Upgrade a Server 2003 DC to Server 2008

•Describe the advantages of running a Server 2008 Functional Level


Video 22

Connecting the Continents

How to connect two Active Directory Networks For Fun and Profit (and by using Trusts and DNS)


Connecting the Continents

In this video:

•Tokyo is now a Server 2008 network--so now what?

•Our Two Options To Connect Tokyo and New York

•What You Need for Active Directory Federation Services

•What You Need for a Trust

•The Globomantics/Verde Petra Solution: Trusts


Tokyo is now a Server 2008 network--so now what?

Time to connect 'em together!

So you've got Tokyo up to date in terms of the OS and the Domain Functional Level. Now it's time to make sure that Verde Petra becomes accessible to Globomantics and vice versa.

Hank ponied up for some nifty Virtual Private Network (VPN) technology that allows Tokyo and the New York office to have a direct connection. Eventually, you will want to combine the Verde Petra Domain with the Globomantics domain using the Active Directory Migration Tool, but what you need to do right now is get the two offices connected ASAP so they can share info in ways other than email.


Our Two Options To Connect Tokyo and New York

Actually, there are more than two, but these are a good start.

• *NEW* Active Directory Federation Services allows two separate Active Directory networks to authenticate Users from either Domain for shared folders and resources. It uses Port 443 (the SSL Port) for secure transmissions.

• We can also create a Trust between the two Forests, since we have more or less a direct link via VPN between New York and Tokyo.

[Diagram: the globomantics forest (globomantics and Na.globomantics) and the VerdePetra.com forest]

So the question is, do we use Active Directory Federation Services or do we set up some Trust Relationships between the two locations?


What You Need for Active Directory Federation Services

It's not as easy as it sounds

• AD FS is an SSO (Single Sign-On) method of sharing information between two partner networks, usually through a Web Site or application like SharePoint Services or SharePoint Server.

• It uses Port 443, the SSL Port, and HTTPS to transfer info back and forth. It also uses cookies to keep track of authentication.

• Here's what AD FS requires:

[Diagram: on each side an AD DS Server, an AD FS Server, and a DMZ with a Federation Proxy Server; a Web Server (SharePoint) with an SSL Certificate; the two sides connected across the Internet]


What You Need for a Trust

So much faster to set up…for small environments

• A Trust allows Users from different networks to access information on another network.

• As long as there's a secure connection between the two networks (like our VPN), all we really need is a DC on either side.

• Each Domain should be running at least Server 2003 Functional Level, and the Forest Functional Level has to be at least Server 2003. (Server 2008 Preferred)

[Diagram: an AD DS Server Running DNS on each side. DNS Must Be Configured Correctly on Both To Forward Requests to the Other Domain]


What You Need For a Trust

The kinds of Trusts

•External Trust—Allows separate Domains in separate Forests to trust each other's users without trusting every Domain in a Forest.

•Forest Trust—Trusts between two Forest Root Domains that can allow Users from any Domain inside of either Forest to share Resources.

•Shortcut Trusts—Simply allows users to access resources in a different Domain in the same Forest faster.

•Realm Trusts—Allows a Windows Active Directory Network that uses Kerberos to trust a UNIX-based network that also uses Kerberos to share resources.


What You Need for a Trust

Trust Directions

• Trusts can be one-way, two-way, and transitive

[Diagram: A and B, One Way Trust]

Network A Trusts Network B. Users from Network B can access allowed resources on A, but Users from A cannot access stuff on Network B.


What You Need for a Trust

Trust Directions

[Diagram: A and B, Two Way Trust]

Network A Trusts Network B and Network B Trusts Network A. Users from either network can access allowed resources on the other.


What You Need for a Trust

Trust Directions

• Transitive Trusts

[Diagram: A, B and C]

If Domain A Trusts Domain B and the trust is transitive, and if C Trusts B, then A and C also have a trust relationship.


The Globomantics/Verde Petra Solution: Trusts

So here's what you're actually going to do:

Since Hank has already spent the big dollars buying out Verde Petra, your budget is a little slim. Since AD Federation Services requires so much hardware, plus a SharePoint implementation which you know nothing about, it doesn't make any sense to use Federation. Not to mention the fact that eventually you will be using the Active Directory Migration Tool to move all the users from Tokyo into Globomantics, removing the Verde Petra domain altogether and replacing it with tk.globomantics.com.

But not today.

You're going to implement the following Trust relationship strategy between Globomantics and Verde Petra in order to get moving fast!


The Globomantics/Verde Petra Solution: Trusts

Here's what it will look like!

• You're going to implement a two-way forest trust, as well as an External trust between Verde Petra and Na.Globomantics so that users will be able to access stuff faster.

[Diagram: the globomantics forest (globomantics and Na.globomantics) joined to VerdePetra.com by a Two-Way Forest Trust]

We really don't need an External Trust, though, because the trust between Verde Petra and Globomantics is Transitive!


The Globomantics/Verde Petra Solution: Trusts

Before we do that, though…

• You need to ensure that the DNS Servers on both Networks are configured to know about each other.

• Both DNS Servers are Active Directory Integrated, but a trust does not make it so that either DNS server knows about the other one.

• You will set up a Stub Zone on each DNS Server, so that any DNS requests for resources on the other network will be forwarded to the DNS Server in the other network.

[Diagram: a Globomantics Server Running DNS and a Verde Petra Server Running DNS. A client with a Mapped Drive asks for "Tokyo Sales Numbers.xls": "Dude, I need the Tokyo Sales Numbers." The Globomantics DNS server answers: "This request is for Verde Petra. I have a Stub Zone that will tell you which DNS Server to ask about it."]
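The DNS preparation described above and the trust verification that follows it, as an added example that is not part of the course. It assumes the Globomantics DNS server is NY-DC1 at 10.1.0.10 and the Verde Petra DNS server is TK-DC1 at 10.9.0.10 (both names and addresses are assumptions), that the commands run as an administrator of the respective DNS servers, and that the two-way forest trust itself is created in Active Directory Domains and Trusts as the course does.

```powershell
# Added example (not from the course): name resolution on both sides of the
# VPN before creating the forest trust, then checking the trust afterwards.
# Server names and addresses are assumed values.
$nyDns = 'NY-DC1'; $nyIP = '10.1.0.10'   # Globomantics DNS (New York)
$tkDns = 'TK-DC1'; $tkIP = '10.9.0.10'   # Verde Petra DNS (Tokyo)

# 1. Each side gets an Active Directory integrated stub zone for the other
#    forest's root domain. A stub zone stores only the other zone's SOA, NS
#    and glue records and refreshes them from the master, so any lookup under
#    verdepetra.com is sent to Verde Petra's own DNS servers, and vice versa.
dnscmd $nyDns /ZoneAdd verdepetra.com  /DsStub $tkIP
dnscmd $tkDns /ZoneAdd globomantics.com /DsStub $nyIP
# Lookups for na.globomantics.com from Tokyo follow the delegation that the
# globomantics.com zone already holds for its child, so no extra zone is needed.

# 2. Prove resolution works in BOTH directions before opening the trust
#    wizard. The DC-locator SRV records under _msdcs are what trust creation
#    and every later cross-forest logon depend on.
nslookup -type=SRV _ldap._tcp.dc._msdcs.verdepetra.com  $nyDns
nslookup -type=SRV _ldap._tcp.dc._msdcs.globomantics.com $tkDns

# 3. After the two-way forest trust is created in AD Domains and Trusts,
#    verify the trust secure channel from the Globomantics side in both
#    directions, and list every trust the forest now knows about.
netdom trust globomantics.com /domain:verdepetra.com /verify /twoway
nltest /domain_trusts /all_trusts
```

If step 2 fails, stop there: a trust wizard that cannot find a DC in the other forest reports a generic error, and the fix is always on the DNS side. The `nltest` listing is also worth keeping as a baseline; an unexpected trust appearing in it later is something a defender wants to notice.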


Critical Vocabulary

Yowza! Lots-o-words this time!

•Active Directory Federation Services—A Server Role that allows partner networks to share information across Domains using Single Sign-On. Most often used to share intranet Web sites and applications like SharePoint.

•Trusts—A relationship between Forests or Domains that allows sharing of resources.

•Stub Zone—A DNS Zone that simply provides information about another Domain's DNS servers.

•Conditional Forwarder—An entry in a DNS server that forwards on a DNS request if the request meets a specific requirement, i.e. the request is for information about a computer in another Domain.

•External Trust—Allows separate Domains in separate Forests to trust each other's users without trusting every Domain in a Forest.


Critical Vocabulary

And some more…

•Forest Trust—Trusts between two Forest Root Domains that can allow Users from any Domain inside of either Forest to share Resources.

•Shortcut Trusts—Simply allows users to access resources in a different Domain faster.

•Realm Trusts—Allows a Windows Active Directory Network that uses Kerberos to trust a UNIX-based network that also uses Kerberos to share resources.

•Transitive Trust—A trust property that allows for trusting of other domains if the domain that is being trusted trusts other domains.

•Active Directory Migration Tool—A free download from Microsoft that allows you to move Active Directory Objects (i.e. User Accounts, etc.) between domains for consolidation.


What We Covered

After viewing this video, you should be able to:

•Define the requirements and describe the use of Active Directory Federation Services.

•Define the types and directions of Trusts.

•Create Stub Zones in a DNS Server in preparation for a Trust.

•Implement a Two Way Transitive Forest Trust.

•Add A Universal Group from another Domain to a Domain Local Group in a home Domain.


Video 23

Certification: It's Really Not That Scary

What it is, what to expect, and how to prepare


Certification: It's Really Not That Scary

In this video:

•The New Generation of Certifications for Server 2008

•The Upgrade Paths for MCSA's/MCSE's

•How to Sign Up for a Microsoft Exam

•70-640 Exam Prep Tips


The New Generation of Server 2008 Certifications

New Alphabet Soup for Everyone!

• The Three New Server Certification Blocks for Network Admins

– MCTS

– MCITP: Server Administrator

– MCITP: Enterprise Administrator

• There is no "MCSE 2008"

• There is no "MCSA 2008"


The New Generation of Server 2008 Certifications

What you need to take for each Credential

•MCTS - Take any one exam from a large selection

•MCITP: Server Administrator Exams (From Scratch - Three Exams)

– 70-640: TS Active Directory

– 70-642: TS Network Infrastructure

– 70-646 Pro: Server Administrator

•MCITP: Enterprise Administrator (From Scratch - Five Exams)

– 70-620: Vista

– 70-640: TS Active Directory

– 70-642: TS Network Infrastructure

– 70-643: TS Server 2008 Application Infrastructure, Configuring

– 70-647 Pro: Enterprise Administrator

When you get multiple TS certs, you can build a nifty logo using MS's Logo Builder!


The Upgrade Paths for MCSA's/MCSE's

For an MCSA 2003 to Move Up To MCITP: Server Administrator

• Take Two Exams

– 70-648: Provides 2 Additional MCTS Certs

– 70-646: Provides MCITP


The Upgrade Paths for MCSA's/MCSE's

For an MCSA 2003 to Upgrade to MCITP: Enterprise Administrator

• Take 4 Tests:

– 70-648: Provides 2 MCTS

– 70-620 or 70-624: TS: Vista

– 70-643: TS: Applications Infrastructure

– 70-647: MCITP: Enterprise


The Upgrade Paths for MCSA's/MCSE's

For an MCSE 2003 to MCITP: Server Administrator

• Take Two Tests:

– 70-649: Provides 3 MCTS

– 70-646: MCITP: Server Administrator


The Upgrade Paths for MCSA's/MCSE's

For an MCSE 2003 to MCITP: Enterprise Administrator

• Take 3 Exams:

– 70-649: Provides 3 MCTS

– 70-620 or 70-624: TS: Vista

– 70-647: MCITP: Enterprise Administrator


How to Sign Up for a Microsoft Exam

•Go to Prometric.com – it’s easy!

• Prometric is the exclusive provider of Microsoft exams.

•Microsoft periodically offers free Second Shots – check the Microsoft site first!

One Web Site To Sign Up For Them All!


70-640 Exam Prep Tips

• I recommend:

– Take the Transcender Practice Exam Several Times—Look up the stuff that you miss in this Video Course or in the Microsoft Press Book.

– Review this course at least twice

– Get some Virtual Machines and push buttons!

Prep

MCTS Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 Active Directory from Microsoft Press


70-640 Exam Prep Tips

•Do not stay up all night studying – get good sleep!

•When you go in to the test center, leave your cell phone and anything else in your car.

•Bring in only 2 forms of ID and your car keys. You must have 2 forms of ID!!!

•Before taking the test, stop and breathe. Relax.

•During the test, do not forget to breathe.

•Mark Questions for Review the first time through if you have to think too long about any one of them. You can go back at the end of the test and answer them later.

On the day of the test…


70-640 Exam Prep Tips

•Know the material.

The Biggest Tip I Can Give You--


What We Covered

•Describe the Requirements for MCTS and the MCITP Tracks

•Describe the Upgrade Paths for MCSA’s/MCSE’s to MCITP

•Sign up for an Exam on the Prometric Web Site

After watching this video, you should be able to:

Video 24

DNS Stuff

A Primer On Domain Name Service and How It Fits In With Active Directory


DNS Stuff

•A Quick Overview of DNS

•What Are DNS Zones Really?

•The Different Kinds of DNS Records

•Forwarders and Root Hints

•Global Name Zones: The WINS Killer (Kind of)

In this video:


A Quick Overview of DNS

•Domain Name Service (DNS) is a Server 2008 Role that’s basically a big phone book allowing users and computers to look up a Host’s IP Address by using a Host Name.

•The process of locating a computer via an IP address by looking it up by name is called Name Resolution.

•When Computers (or hosts) get assigned IP Addresses by DHCP or by an Administrator, they register their name and IP address with a DNS Server.

•That computer can now be found through the process of Name Resolution, and Active Directory can now find Users, Computers, and other Hosts by working in conjunction with the DNS Server.

Without DNS, a Domain Controller is a really expensive paperweight


What Are DNS Zones Really?

•A DNS Zone is basically a Text File or Database that Defines what machines it knows about in the “namespace.”

•There are 4 basic types of Zones you need to know about:

– *RECOMMENDED FOR SERVER 2008* Active Directory Integrated Zone: DNS Database is stored as an Active Directory Object. No need for Secondary Zones if all your DNS Servers are also DC’s.

– Primary: Used in a Standalone DNS Server, it acts as a Master DNS Server that records and reads info.

– Secondary: A Read Only Copy of a Primary Zone. Must copy Zone Files from a DNS Server that has a Primary Zone.

– Stub: Only contains information about other DNS Servers.

Big words for simple concepts


What Are DNS Zones Really?

•Let Active Directory manage a lot of the DNS stuff for you!

•AD Integrated Zones allow for:

– Zone Transfers during AD Replication

– Multimaster Replication

– Secure Dynamic Updates

– Backwards compatible to Secondary Zones (if you have any in your network)

Why an Active Directory Integrated Zone?


What Are DNS Zones Really?

•Forward Lookup Zones: Looks up a Host IP Address by name

•Reverse Lookup Zones: Looks up a Host Name by IP Address—Used mostly for security and error checking.

•Stub Zones: Remember these from the Connecting Continents Video?

•Conditional Forwarders: Used in place of Stub Zones to forward DNS requests about other Domains.

And some more Zones


The Different Kinds of DNS Records

•A (Host): Name and IP Address of a Host (Computer, Network Printer, PDA, etc.)

•PTR (Pointer): A Record in a Reverse Zone

•SOA (Start of Authority): The Beginning Record of a Zone

•SRV (Service Locator): For Servers and Service Providing Hosts

•NS (Name Server): A Record that points to a DNS Server.

•MX (Mail Exchanger): For Email Servers

•CNAME (Alias): A “nickname” record that allows for multiple names for the same machine.

What lives in a DNS Zone?


Forwarders and Root Hints

•Root Hints allow your DNS Server to communicate with Name Servers on the Internet.

•A Forwarder can act in the place of root hints if your security requirements are higher.

– You need two DNS Servers for this—One on the inside of your network perimeter that doesn’t use Root Hints and one on the perimeter that does.

– Internet DNS requests are forwarded out to the Perimeter DNS Server by the internal DNS and then brought back in.

If the DNS Server doesn’t know where a host is, it has to call out


Global Name Zones: The WINS Killer (Kind of)

•WINS is an older technology that allows you to use NetBIOS for Name Resolution.

•Most WINS server technology is being replaced by DNS for speed, reliability, and security.

•Global Name Zones are a NEW feature of Server 2008 for Single Label Name Resolution.

•Use it for easy-access intranet websites, and as a potential replacement for WINS if you have older network-aware software applications still running that require WINS (Especially if you’re rolling over to IPv6!)

•WINS is still available on Server 2008 as a Feature (not a Role) if you need it.

Can we replace WINS? Sometimes…


Global Name Zones: The WINS Killer (Kind of)

•On your Primary DNS Server, run this command to prepare your DNS for Global Names:

dnscmd /config /enableglobalnamesupport 1

•Then create a new Forward Lookup Zone called GlobalNames.

•Add CNAME Records for any Web Site or machine you want to have Single Label Resolution for.

To create a Global Name Zone:
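Added example (not part of the Train Signal course material): a PowerShell script that drives dnscmd.exe on the internal DNS server to apply both the forwarder design from the Forwarders and Root Hints slide and the GlobalNames steps above. The perimeter server address and the Globomantics host names are constructed placeholders.

```powershell
# Added example, not from the course: configure the internal Server 2008
# DNS server with dnscmd.exe. Run in an elevated PowerShell on that server.
$PerimeterDns = '10.0.0.2'   # ASSUMPTION: placeholder address of the perimeter DNS server
$Zone         = 'GlobalNames' # the zone name is fixed; the server only consults this name

function Invoke-DnsCmd {
    param([string[]]$Arguments)
    & dnscmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

# 1. Forwarders instead of root hints: everything this server is not
#    authoritative for goes to the perimeter server. /Slave stops it from
#    falling back to root hints when the forwarder does not answer, which is
#    what "doesn't use Root Hints" on the slide means in practice.
Invoke-DnsCmd @('/ResetForwarders', $PerimeterDns, '/Slave')

# 2. Enable single-label (GlobalNames) resolution, as on the slide.
Invoke-DnsCmd @('/Config', '/EnableGlobalNamesSupport', '1')

# 3. Create the GlobalNames zone as an AD-integrated forward lookup zone.
Invoke-DnsCmd @('/ZoneAdd', $Zone, '/DsPrimary')

# 4. One CNAME per single-label name. Constructed sample names; the target is
#    a fully qualified name (trailing dot) that already has an A record.
$SingleLabelNames = @{
    'intranet' = 'web01.globomantics.local.'
    'payroll'  = 'app02.globomantics.local.'
}
foreach ($label in $SingleLabelNames.Keys) {
    Invoke-DnsCmd @('/RecordAdd', $Zone, $label, 'CNAME', $SingleLabelNames[$label])
}

# Verify: the zone exists and a single-label query resolves through it.
Invoke-DnsCmd @('/ZoneInfo', $Zone)
nslookup intranet
```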


Critical Vocabulary

Oh boy, here we go…


Video 25

AD Certificate Services 101

A Primer on Active Directory Certificate Services and Public Key Infrastructure


AD Certificate Services 101

•Let’s Talk Security

•Lions and Tigers and Keys and Certificates, Oh My!

•Respect My Authori-tay!

•I’m Sorry, Dave, I Can’t Do That. Your Certificate Has Been Revoked.

In this video:


Let’s Talk Security

•Security in networks is a huge area, but a good place to start is by using Certificate Services as a way to:

– Encrypt Data Files

– Encrypt Remote Communications

– Secure Email

– Secure Logons with Smart Cards

– Secure Servers with Network Access Protection (requires Certificates)

– Protect Data from Tampering

– Protect Data from Tampering

In times such as these…


Lions and Tigers and Keys and Certificates, Oh My!

•A Certificate is a file that contains:

– A Public Key for Encryption

– A Digital Signature for Identity Verification

– A name, which can refer to a person, a computer or an organization

– A validity period

– The location of a revocation center (usually a URL)

• It’s used to both encrypt files and communications as well as prove identity.

•A Certificate is generated by a Certificate Authority (that’s a CA if you’re cool) using a Private Key, which is part of a whole Public Key Infrastructure.

So, that’s neat and all, but what is a Certificate?!?!?


Lions and Tigers and Keys and Certificates, Oh My!

Let’s Illustrate The Key Thing…

[Diagram: “You” hold the Private Key; each of “Your Buddies” holds a copy of the Public Key]


Respect My Authori-tay!

•Certificate Authority (CA) servers that generate certificates are called “root CA’s.”

•Certificates are generated from one of these three types of Certificate Authority and then passed on to users, devices, other servers and so on.

•Certificate Authorities also can provide verification of a User’s or Organization’s Identity with Online Responder Services.

The Certificates have to come from somewhere

[Diagram: the three types – Server 2008 Standalone Certificate Authority; Server 2008 Enterprise Certificate Authority (Integrated into Active Directory); Third Party Certificate Authority (i.e. VeriSign, etc.)]


Respect My Authori-tay!

•Usually you’ll have more than one machine actually doing Certificate Services work.

•With a Standalone CA, you’ll create Certificates and then pass them off to Issuing Servers. Then you’ll take the Standalone offline.

•Pretty much all the work is done manually with a Standalone CA. You can’t just have it autoenroll users.

Multiple Tiers Provide Multiple Levels of Protection

[Diagram: a Server 2008 Standalone Certificate Authority at the top, with three Server 2008 Subordinate Certificate Issuers beneath it]


Respect My Authori-tay!

•With an Enterprise CA, it stays online all the time and is integrated with Active Directory.

•Enterprise CA’s can assign certificates automatically to users in AD using Autoenrollment.

•At least a second tier is still a good idea, and you may have more depending on your security needs.

Enterprise CA’s stay online, and need to be highly available

[Diagram: a Server 2008 Enterprise Certificate Authority at the top, with three Server 2008 Subordinate Certificate Issuers beneath it]


I’m Sorry, Dave, I Can’t Do That. Your Certificate Has Been Revoked.

•When a certificate is presented by a user when attempting to access an encrypted file or whatever has been secured, the certificate is checked against a Certificate Revocation List (CRL) by a Certificate Authority to make sure it hasn’t been revoked.

•An Online Responder (OR) can be used in place of a Certificate Authority server. An Online Responder (*new* in Server 2008) doesn’t need to check the certificate against an entire CRL, and instead just checks to see if the certificate is valid. It’s much faster and more efficient.

•Network Device Enrollment Service (NDES) allows you to include routers and switches in your PKI hierarchy if you really think you need it.

CRL’s, NDES’s, and OR’s—Could I vague it up even more?
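Added example (not part of the Train Signal course material) that serves both the “what is a Certificate” slide and the revocation slide above: it reads a certificate file, shows the parts the first slide lists, then builds the certificate’s chain with online revocation checking so the CRL or Online Responder (OCSP) lookup the second slide describes actually runs. The .cer path is a placeholder; the file can be any certificate exported from a Windows machine.

```powershell
# Added example, not from the course. Requires a .cer file exported from a
# machine; the path is an ASSUMPTION / placeholder.
$CertPath = 'C:\temp\user.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# The fields the slide lists: name, validity period, public key, signature.
[pscustomobject]@{
    Subject            = $cert.Subject
    Issuer             = $cert.Issuer                       # the CA that signed it
    NotBefore          = $cert.NotBefore                    # validity period
    NotAfter           = $cert.NotAfter
    PublicKeyAlgorithm = $cert.PublicKey.Oid.FriendlyName
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    Thumbprint         = $cert.Thumbprint
} | Format-List

# The "location of a revocation center" lives in two extensions: CRL
# Distribution Points (OID 2.5.29.31) and Authority Information Access
# (OID 1.3.6.1.5.5.7.1.1), the latter carrying the OCSP (Online Responder) URL.
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) { "{0}:`n{1}" -f $ext.Oid.FriendlyName, $ext.Format($true) }
}

# Chain build with online revocation checking for every certificate in the
# chain. A revoked certificate fails with a ChainStatus of 'Revoked'; if the
# CRL/OCSP endpoint cannot be reached the status is 'RevocationStatusUnknown'
# or 'OfflineRevocation' rather than a silent pass, which is what you want.
$ns = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = [type]"$ns.X509RevocationMode" -as [type]
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$trusted = $chain.Build($cert)

if ($trusted) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain OK: {0} certificate(s), root '{1}'" -f $chain.ChainElements.Count, $root.Subject
} else {
    "Chain FAILED:"
    $chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
}
```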


Quick Summary

•AD Certificate Services allow you to secure just about anything in your network.

•You need at least one Root CA to create certificates, and will probably have other subordinate servers issue them out to protect your Root CA from getting abused.

•Certificate Revocation Lists allow for validation of certificates by CA servers when they’re used, but the new Online Responder service available in AD CS as of Server 2008 is faster and more efficient.

•The new Network Device Enrollment Service (NDES) allows you to include switches and routers in your PKI as well.

AD CS in a Nutshell

Video 26

Active Directory Lightweight Directory Services 101

A Primer on AD LDS


Active Directory Lightweight Directory Services 101

•What is AD LDS?

•What might it look like on a network?

•What is an Instance of AD LDS?

In this video:


What is AD LDS?

•Active Directory Lightweight Directory Services (formerly known as ADAM—Active Directory Application Mode) is a Server Role that provides LDAP services.

•You’ll only need it if you’re installing Applications, like network-aware commercial apps and Open Source Web apps that rely on LDAP to authenticate users and provide permissions to aspects of the specific Application.

•It usually lives on a server separate from your AD DS (sometimes the same server as your Application), and can also be installed on Server Core!

And why in the world would you ever need it?


What might it look like on a network?

Oh, maybe something like this:

[Diagram: Domain Controller (AD DS); AD LDS Server Running an AD LDS Instance; Server Running Network Aware Application]


What is an Instance of AD LDS?

• An “Instance” of LDS is just a running copy of AD LDS that uses a particular “store” of data.

• You can have multiple Instances of LDS running on the same AD LDS Server, all with their own unique Schema definitions.

• You could have multiple instances of LDS running for multiple applications, all instances being customized for the unique application requirements.

• Management Tools for LDS:

– ADSI Edit

– Event Viewer

– Ldp.exe

– NTDSUTIL—Command Line

– LDIFDE—Command Line

– DSDBUTIL—Command Line

– DSACLS—Command Line

Think of it as a Copy in RAM


Quick Summary

•Active Directory Lightweight Directory Services is a Server Role that allows LDAP services.

•You’ll only need it for applications that require it.

•You don’t need AD DS for it, although it can work with AD DS.

•When you install AD LDS, you need to also create an Instance of LDS (a running copy).

•Most of the tools you would use for AD LDS are command line based, but there are a few that have a GUI, like ADSI Edit and Ldp.exe.

AD LDS in a Nutshell

Video 27

AD Rights Management 101

A Primer on Digital Rights Management in Server 2008


AD Rights Management 101

•What is Rights Management?

•Some Additional Notes About RMS

In this video:


What is Rights Management?

Here’s what happens with AD RMS

[Diagram: Bubba, Sergio, RMS Server, SQL Server, Active Directory]

1. Bubba receives a “client licensor certificate” the first time he rights-protects a Word 2007 file he’s created.

2. Then Bubba defines a set of usage rights and rules for his file. Word 2007 creates a “publishing license” and encrypts the file.

3. Bubba emails the file or puts it on a share.

4. Sergio clicks the file to open. Word 2007 calls to the RMS server, which validates the user and issues a “use license.”

5. Word 2007 opens the file and enforces whatever rights Bubba put on it.


Some Additional Notes About RMS

•The application that creates the file must be RMS-aware (Office 2007 is a good example.)

•The Rights assigned to the File travel along with the File.

• If somebody isn’t on the list of users who can open a file, they can’t get into the file.

•The Certificates that are used in RMS are not dependent on AD Certificate Services—they’re created and issued by the RMS Server, not a Certificate Authority.

•AD RMS in Server 2008 supports AD Federation Services, and it can be used with SharePoint deployments as well.

•There are fantastic Reporting Tools built into AD RMS in Server 2008 for auditing who’s accessed a document, who failed to access a document, etc.

Some stuff you’ll want to know


Quick Summary

•Rights Management Service requires an RMS Server, a SQL Server, an AD DS Domain Controller, and an RMS-aware application (Office 2007).

•The Author of a document sets up who gets to do what on a Document, and they do that from inside of the RMS-aware App (like Word 2007 or Excel 2007) based on Users and Groups from Active Directory.

•You don’t need a separate AD Certificate Services system for RMS.

•It works with AD FS and SharePoint.

•There are seriously cool tools to audit who’s had access to the protected files.

RMS in a Nutshell

