SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).
ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.
DOWNLOADABLE E-BOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.
SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.
SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.
CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.
Visit us at
Naomi Alpern
John Karnay
Robert J. Shimonski, Technical Reviewer
obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media® and Syngress® are registered trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
The Real MCTS/MCITP Exam 70-640 Prep Kit
Copyright © 2008 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
ISBN 13: 978-1-59749-235-5
Publisher: Andrew Williams
Acquisitions Editor: David George
Technical Editor: Tony Piltzecker
Project Manager: Gary Byrne
Page Layout and Art: SPI
Copy Editors: Audrey Doyle, Mike McGee
Indexer: Ed Rush
Cover Designer: Michael Kavish
For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@elsevier.com.
Tony Piltzecker (CISSP, MCSE, CCNA, CCVP, Check Point CCSA, Citrix CCA), author and technical editor of Syngress Publishing’s MCSE Exam 70-296 Study Guide and DVD Training System and How to Cheat at Managing Microsoft Operations Manager 2005, is an independent consultant based in Boston, MA.
Tony’s specialties include network security design, Microsoft operating system and applications architecture, and Cisco IP Telephony implementations. Tony’s background includes positions as systems practice manager for Presidio Networked Solutions, IT manager for SynQor Inc., network architect for Planning Systems, Inc., and senior networking consultant with Integrated Information Systems. Along with his various certifications, Tony holds a bachelor’s degree in business administration. Tony currently resides in Leominster, MA, with his wife, Melanie, and his daughters, Kaitlyn and Noelle.
Robert J. Shimonski (MCSE, etc.) is an entrepreneur, a technology consultant, and a published author with more than 20 years of experience in business and technology. Robert’s specialties include designing, deploying, and managing networks, systems, virtualization, storage-based technologies, and security analysis. Robert also has many years of diverse experience deploying and engineering mainframes and Linux- and UNIX-based systems such as Red Hat and Sun Solaris. Robert has in-depth work-related experience with and deep practical knowledge of globally deployed Microsoft- and Cisco-based systems and stays current on the latest industry trends. Robert consults with business clients to help forge their designs, as well as to optimize their networks and keep them highly available, secure, and disaster free.
Robert is the author of many information technology-related articles and published books, including the best-selling Sniffer Network Optimization and Troubleshooting Handbook, Syngress (ISBN: 1931836574). Robert is also the author of other best-selling titles, including Security+ Study Guide and DVD Training System (ISBN: 1931836728), Network+ Study Guide & Practice Exams: Exam N10-003 (ISBN: 1931836426), and Building DMZs for Enterprise Networks (ISBN: 1931836884), also from Syngress. His current book offerings include the newly published Vista for IT Security Professionals, Syngress (978-1-59749-139-6), and he is series editor on the new Windows Server 2008 MCITP series from Syngress Publishing.
Naomi J. Alpern currently works for Microsoft as a consultant specializing in Unified Communications. She holds many Microsoft certifications, including an MCSE and MCT, as well as additional industry certifications such as Citrix Certified Enterprise Administrator, Security+, Network+, and A+. Since the start of her technical career, she has worked in many facets of the technology world, including IT administration, technical training, and, most recently, full-time consulting. She likes to spend her time reading cheesy horror and mystery novels when she isn’t browsing the Web. She is also the mother of two fabulous boys, Darien & Justin, who mostly keep her running around like a headless chicken.
Tariq Bin Azad is the principal consultant and founder of NetSoft Communications Inc., a consulting company located in Toronto, Canada. He is considered a top IT professional by his peers, coworkers, colleagues, and customers. He obtained this status by continuously learning and improving his knowledge and information in the field of information technology. Currently, he holds more than 100 certifications, including MCSA, MCSE, MCTS, MCITP (Vista, Mobile 5.0, Microsoft Communications Server 2007, Windows 2008, and Microsoft Exchange Server 2007), MCT, CIW-CI, CCA, CCSP, CCEA, CCI, VCP, CCNA, CCDA, CCNP, CCDP, CSE, and many more. Most recently, Tariq has been concentrating on Microsoft Windows 2000/2003/2008, Exchange 2000/2003/2007, Active Directory, and Citrix implementations. He is a professional speaker and has trained architects, consultants, and engineers on topics such as Windows 2008 Active Directory, Citrix Presentation Server, and Microsoft Exchange 2007. In addition to owning and operating an independent consulting company, Tariq works as a senior consultant and has utilized his training skills in numerous workshops, corporate trainings, and presentations. Tariq holds a Bachelor of Science in Information Technology from Capella University, USA, a bachelor’s
has worked on projects or trained for major companies and organizations, including Rogers Communications Inc., Flynn Canada, Cap Gemini, HP, Direct Energy, Toyota Motors, Compaq, IBM, Citrix Systems Inc., Unicom Technologies, and Amica Insurance Company.
He lives in Toronto, Canada, and would like to thank his father, Azad Bin Haider, and his mother, Sitara Begum, for a lifetime of guidance and for their understanding and support in giving him the skills that have allowed him to excel in work and life.
Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, Security+, CNE-4, CNE-5) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the university. Her specialties include Microsoft Windows 2000/2003 design and implementation, troubleshooting, and security topics. As an “MCSE Early Achiever” on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura’s previous experience includes a position as the director of computer services for the Salvation Army and as the LAN administrator for a medical supply firm. She also operates as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of Web sites. Laura has previously contributed to Syngress Publishing’s Configuring Symantec Antivirus, Corporate Edition (ISBN 1-931836-81-7). She has also contributed to several other exam guides in the Syngress Windows Server 2003 MCSE/MCSA DVD Guide and Training System series as a DVD presenter, contributing author, and technical reviewer, and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the U.S. Government and other participants dedicated to increasing the security of United States critical infrastructures.
John Karnay is a freelance writer, editor, and book author living in Queens, NY. John specializes in Windows server and desktop deployments utilizing Microsoft and Apple products and technology. John has been working with Microsoft products since Windows 95 and NT 4.0 and consults for many clients in New York City and Long Island, helping them plan migrations to XP/Vista and Windows Server 2003/2008. When not working and writing, John enjoys recording and writing music as well as spending quality time with his wife, Gloria, and daughter, Aurora.
Jeffery A. Martin, MS/IT, MS/M (MCSE, MCSE:Security, MCSE:Messaging, MCDBA, MCT, MCSA, MCSA:Security, MCP+I, MCNE, CNE, CNA, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM), has been working with computer networks for more than 20 years. He is an editor, coeditor, author, or coauthor of more than 15 books and enjoys training others in the use of technology.
Gene Whitley (MBA, MCSE, MCSA, MCTS, MCP, Six Sigma Green Belt) is a senior systems engineer with Nucentric Solutions (www.nucentric.com), a technology integration firm in Davidson, NC. Gene started his IT career in 1992 with Microsoft, earning his MCP in 1993 and MCSE in 1994. He has been the lead consultant and project manager on numerous Active Directory and Exchange migration projects for companies throughout the U.S. Gene has been a contributing author on such books as How To Cheat At IIS 7 Server Administration, How To Cheat At Microsoft Vista Administration, and Microsoft Forefront Security Administration Guide. When not working, he spends his time with his wife and best friend, Samantha. Gene holds an MBA from Winthrop University and a BSBA in Management Information Systems from The University of North Carolina at Charlotte.
Foreword xxi
Chapter 1 Configuring Server Roles in Windows 2008 1
Introduction 2
New Roles in 2008 2
Using Server Manager to Implement Roles 3
Using Server Core and Active Directory 9
What Is Server Core? 10
Read-Only Domain Controllers (RODCs) 15
Introduction to RODC 15
Its Purpose in Life 15
Its Features 16
Configuring RODC 16
Removing an RODC 21
Active Directory Lightweight Directory Service (LDS) 22
When to Use AD LDS 22
Changes from Active Directory Application Mode (ADAM) 23
Configuring AD LDS 23
Working with AD LDS 26
Active Directory Rights Management Service (RMS) 28
What’s New in RMS 28
RMS vs DRMS in Vista 29
Configuring RMS 30
Active Directory Federation Services (ADFS) 37
What Is Federation? 37
Why and When to Use Federation 38
Configuring ADFS 39
Summary of Exam Objectives 52
Exam Objectives Fast Track 52
Exam Objectives Frequently Asked Questions 54
Self Test 56
Self Test Quick Answer Key 59
Chapter 2 Configuring Network Services 61
Introduction 62
Configuring Domain Name System (DNS) 63
Identifying DNS Record Requirements 68
Installing and Configuring DNS 72
Using Server Core and DNS 76
Confi guring Zones 79
Zone Transfer 82
Active Directory Records 85
Reverse Lookup Zones 86
Configuring Reverse Lookup Zones 87
Configuring Zone Resolution 91
Configuring Dynamic Host Configuration Protocol (DHCP) 93
DHCP Design Principles 95
DHCP Servers and Placement 96
Installing and Configuring DHCP 97
Using Server Core and DHCP 100
Configuring DHCP for DNS 102
Configuring Windows Internet Naming Service (WINS) 103
Understanding WINS Replication 105
Automatic Partner Configuration 105
Push Partnerships 106
Pull Partnerships 107
Push/Pull Partnerships 108
Replication Models 108
Ring Models 109
Hub-and-Spoke Models 109
Hybrid Replication Models 110
Static WINS Entries 110
Installing and Configuring 111
Using Server Core for WINS 111
Configuring WINS for DNS 112
Summary of Exam Objectives 114
Exam Objectives Fast Track 115
Exam Objectives Frequently Asked Questions 117
Self Test 119
Self Test Quick Answer Key 123
Chapter 3 Working with Users, Groups, and Computers 125
Introduction 126
Navigating Active Directory Users and Computers 126
Creating and Modifying User Accounts 129
User Account Types 129
Creating a New Account 130
Domain User Account Considerations 131
Password Considerations 132
Creating a New Account Using Active Directory Users and Computers 133
Modifying a Domain User Account Using Active Directory Users and Computers 136
Common User Management Options 156
Creating a New User Account Using Script 157
Creating User Template 158
Configuring User Principal Names 159
Creating and Modifying Computer Accounts 160
Creating a New Computer Account Using Active Directory Users and Computers 161
Modifying a Computer Account Using Active Directory Users and Computers 162
Creating a New Computer Account Using a Script 167
Resetting a Computer Account Using Active Directory Users and Computers 167
Creating and Modifying Groups 169
Creating a Group 169
Types of Groups 170
Group Scopes 170
Universal Groups Replication Concerns 171
Group Strategies 171
Creating a New Group Using Active Directory Users and Computers 172
Modifying a Group Using Active Directory Users and Computers 173
Creating a New Group Using Script 176
The Delegation of Tasks 177
RODC (Read-Only Domain Controller) 184
Exam Objectives Fast Track 185
Exam Objectives Frequently Asked Questions 189
Self Test 192
Self Test Quick Answer Key 195
Chapter 4 Configuring the Active Directory Infrastructure 197
Introduction 198
Working with Forests and Domains 199
Understanding Domains 200
Forest and Domain Functional Levels 202
Using Domain Functional Levels 203
Using the Windows 2000 Domain Functional Level 204
Windows Server 2003 Domain Functional Level 204
Windows Server 2008 Domain Functional Level 205
Configuring Forest Functional Levels 206
Windows 2000 Forest Functional Level (default) 206
Windows Server 2003 Forest Functional Level 207
Windows Server 2008 Forest Functional Level 208
Raising Forest and Domain Functional Levels 208
Raising the Domain Functional Level 209
Understanding the Global Catalog 210
UPN Authentication 212
Directory Information Search 212
Universal Group Membership Information 214
Understanding GC Replication 214
Universal Group Membership 215
Attributes in the Global Catalog 215
Placing GC Servers within Sites 216
Bandwidth and Network Traffic Considerations 217
Universal Group Membership Caching 218
Working with Flexible Single Master Operation (FSMO) Roles 220
Placing, Transferring, and Seizing FSMO Role Holders 223
Locating and Transferring the Schema Master Role 224
Locating and Transferring the Domain Naming Master Role 227
Locating and Transferring the Infrastructure, RID, and PDC Operations Master Roles 228
Placing the FSMO Roles within an Active Directory Environment 232
Working with Sites 233
Understanding Sites 233
Subnets 236
Site Planning 237
Criteria for Establishing Separate Sites 237
Creating a Site 238
Renaming a Site 243
Creating Subnets 244
Associating Subnets with Sites 247
Creating Site Links 249
Configuring Site Link Cost 252
Understanding Replication 255
Intrasite Replication 256
Intersite Replication 258
Bridgehead Servers 259
Site Link Bridges 259
Scheduling 260
Forcing Replication 261
Replication Protocols 261
Planning, Creating, and Managing the Replication Topology 262
Planning Replication Topology 262
Creating Replication Topology 262
Configuring Replication between Sites 263
Troubleshooting Replication Failure 264
Troubleshooting Replication 264
Using Event Viewer 265
Working with Trusts 266
Default Trusts 272
Forest Trusts 272
External Trusts 273
Shortcut Trusts 274
SID Filtering 275
Summary of Exam Objectives 277
Exam Objectives Fast Track 279
Exam Objectives Frequently Asked Questions 281
Self Test 285
Self Test Quick Answer Key 290
Chapter 5 Understanding Group Policy 291
Introduction 292
Types of Group Policies 292
Local Group Policy 293
Non-Local Group Policy Objects 296
Preferences 303
Network Location Awareness 306
User 307
Computer 308
Group Policy Hierarchy 309
Creating and Linking GPOs 314
Creating Stand-Alone GPOs 314
Linking Existing GPOs 315
Creating and Linking at One Time 316
Controlling Application of Group Policies 318
Enforce 318
Block Inheritance 322
Group Policy Results and Group Policy Modeling 323
WMI 330
Group Policy Filtering 331
Group Policy Loopback 334
GPO Templates 334
Administrative Templates 335
Security Templates 337
Starter GPOs 341
Summary of Exam Objectives 346
Exam Objectives Fast Track 347
Exam Objectives Frequently Asked Questions 348
Self Test 350
Self Test Quick Answer Key 356
Chapter 6 Configuring Group Policy 357
Configuring Software Deployment 358
Installation Overview 358
Publishing to Users 361
Assigning to Users 364
Assigning to Computers 368
Maintenance 370
Redeploying Software 370
Upgrading Software 371
Removing Software Deployed with Group Policy 375
Forced Removal 376
Optional Removal 377
Configuring Account Policies 378
Domain Password Policy 379
Account Lockout Policy 380
Fine-Grain Password and Account Lockout Policies 384
Configuring a Fine-Grain Password Policy 386
Applying Users and Groups to a PSO with Active Directory Users and Computers 394
Configuring Audit Policies 397
Logon Events 399
Directory Service Access 401
Configuring Directory Service Access Auditing in Group Policy 401
Configuring Active Directory Object Auditing 402
Object Access 404
Configuring Object Access Auditing in Group Policy 405
Configuring Object Level Auditing 405
Other Audit Policies 408
Configuring Additional Security-Related Policies 409
User Rights 409
Security Options 411
Restricted Groups 415
Adding a New Restricted Group 416
Modifying a Restricted Group 419
Deleting a Restricted Group 420
Administrative Templates 420
ADMX Central Store 422
Adding ADM Templates to a GPO 424
Converting ADM Files to the ADMX Format 427
Converting ADM Files to ADMX Files Using the Command Prompt 427
Converting ADM Files to ADMX Files Using the MMC Snap-in 427
Summary of Exam Objectives 432
Exam Objectives Fast Track 434
Exam Objectives Frequently Asked Questions 437
Self Test 440
Self Test Quick Answer Key 444
Chapter 7 Configuring Certificate Services and PKI 445
Introduction 446
What Is PKI? 447
The Function of the PKI 449
Components of PKI 450
How PKI Works 452
PKCS Standards 454
How Certificates Work 460
Digital Signatures 464
Authentication 465
Secret Key Agreement via Public Key 466
Bulk Data Encryption without Prior Shared Secrets 466
User Certificates 479
Machine Certificates 480
Application Certificates 480
Analyzing Certificate Needs within the Organization 480
Working with Certificate Services 481
Configuring a Certificate Authority 481
Certificate Authorities 482
Standard vs Enterprise 482
Root vs Subordinate Certificate Authorities 483
Certificate Requests 484
Certificate Practice Statement 489
Key Recovery 489
Backup and Restore 489
Assigning Roles 496
Enrollments 496
Revocation 497
Working with Templates 501
General Properties 503
Request Handling 505
Cryptography 506
Subject Name 508
Issuance Requirements 509
Security 512
Types of Templates 513
User Certificate Types 513
Computer Certificate Types 514
Other Certificate Types 516
Custom Certificate Templates 516
Securing Permissions 519
Versioning 520
Key Recovery Agent 521
Summary of Exam Objectives 523
Exam Objectives Fast Track 524
Exam Objectives Frequently Asked Questions 526
Self Test 529
Self Test Quick Answer Key 532
Chapter 8 Maintaining an Active Directory Environment 533
Introduction 534
Backup and Recovery 534
Using Windows Server Backup 535
Scheduling a Backup 540
Backing Up to Removable Media 548
Backing Up System State Data 551
Backing Up Key Files 555
Backing Up Critical Volumes 556
Recovering System State Data 557
Recovering Key Files 559
Directory Services Restore Mode 565
Performing Authoritative and Nonauthoritative Restores 568
Authoritative Restore 568
Nonauthoritative Restore 575
Linked Value Replication 575
Backing Up and Restoring GPOs 575
Offline Maintenance 584
Restartable Active Directory 584
Offline Defrag and Compaction 587
Active Directory Storage Allocation 590
Monitoring Active Directory 591
The Network Monitor 591
The Task Manager 594
The Applications Tab 596
The Processes Tab 597
The Services Tab 598
The Performance Tab 598
The Networking Tab 599
The Users Tab 601
The Event Viewer 602
Custom Views 602
Windows Logs 605
Applications and Services Logs 606
Subscriptions 607
Replmon 611
Using Replmon 611
RepAdmin 618
Resource Overview 624
The Performance Monitor 625
The Reliability Monitor 627
Data Collector Sets 629
Reports 631
Summary of Exam Objectives 633
Exam Objectives Fast Track 635
Exam Objectives Frequently Asked Questions 637
Self Test 639
Self Test Quick Answer Key 644
Appendix 645
Index 697
This book’s primary goal is to help you prepare to take and pass Microsoft’s Exam 70-640, Windows Server 2008 Active Directory, Configuring. Our secondary purpose in writing this book is to provide exam candidates with knowledge and skills that go beyond the minimum requirements for passing the exam and help to prepare them to work in the real world of Microsoft computer networking.
What Is MCTS Exam 70-640?
Microsoft Certified Technology Specialist (MCTS) Exam 70-640 is both a stand-alone test for those wishing to master Active Directory technology and a requirement for those pursuing certification as a Microsoft Certified Information Technology Professional (MCITP) for Windows Server 2008. Microsoft’s stated target audience consists of IT professionals with at least one year of work experience on a medium-sized or large company network. This means a multisite network with at least three domain controllers running typical network services such as file and print services, messaging, database, firewall services, proxy services, remote access services, an intranet, and Internet connectivity.
However, not everyone who takes Exam 70-640 will have this ideal background. Many people will take this exam after classroom instruction or self-study as an entry into the networking field. Many of those who do have job experience in IT will not have had the opportunity to work with all of the technologies covered by the exam. In this book, our goal is to provide background information that will help you to understand the concepts and procedures described even if you don’t have the requisite experience, while keeping our focus on the exam objectives.
Exam 70-640 covers the basics of managing and maintaining a network environment that is built around Microsoft’s Windows Server 2008. The book includes the following task-oriented objectives:
■ Configuring Domain Name System (DNS) for Active Directory. This objective includes configuring zones, configuring DNS server settings, and configuring zone transfers and replication.
■ Configuring the Active Directory Infrastructure. This objective includes configuring a forest or domain, configuring trusts, configuring sites, configuring Active Directory replication, configuring the global catalog, and configuring operations masters.
■ Configuring Additional Active Directory Server Roles. This objective includes configuring Active Directory Lightweight Directory Service (AD LDS), configuring Active Directory Rights Management Service (AD RMS), configuring the read-only domain controller (RODC), and configuring Active Directory Federation Services (AD FS).
■ Creating and Maintaining Active Directory Objects. This objective includes automating the creation of Active Directory accounts, maintaining Active Directory accounts, creating and applying Group Policy Objects (GPOs), configuring GPO templates, configuring software deployment GPOs, configuring account policies, and configuring audit policies using GPOs.
■ Configuring Active Directory Certificate Services. This objective includes installing Active Directory Certificate Services, configuring certificate authority (CA) server settings, managing certificate templates, managing enrollments, and managing certificate revocations.
Path to MCTS/MCITP/MS Certified Architect
Microsoft certification is recognized throughout the IT industry as a way to demonstrate mastery of basic concepts and skills required to perform the tasks involved in implementing and maintaining Windows-based networks. The certification program is constantly evaluated and improved, while the nature of information technology is changing rapidly; consequently, requirements and specifications for certification can also change rapidly. This book is based on the exam objectives as stated by Microsoft at the time of writing; however, Microsoft reserves the right to make changes to the objectives and to the exam itself at any time. Exam candidates should regularly visit the Certification and Training Web site at www.microsoft.com/learning/mcp/default.mspx for the most updated information on each Microsoft exam.
Microsoft currently offers three basic levels of certification: the technology level, the professional level, and the architect level:
■ Technology Series. This level of certification is the most basic, and it includes the Microsoft Certified Technology Specialist (MCTS) certification. The MCTS certification is focused on one particular Microsoft technology. There are 19 MCTS exams at the time of this writing. Each MCTS certification consists of one to three exams, does not include job-role skills, and will be retired when the technology is retired. Microsoft Certified Technology Specialists will be proficient in implementing, building, troubleshooting, and debugging a specific Microsoft technology.
■ Professional Series. This is the second level of Microsoft certification, and it includes the Microsoft Certified Information Technology Professional (MCITP) and Microsoft Certified Professional Developer (MCPD) certifications. These certifications consist of one to three exams, have prerequisites from the Technology Series, focus on a specific job role, and require an exam refresh to remain current. The MCITP certification offers nine separate tracks as of the time of this writing. There are two Windows Server 2008 tracks, Server Administrator and Enterprise Administrator. To achieve the Server Administrator MCITP for Windows Server 2008, you must successfully complete one Technology Series exam and one Professional Series exam. To achieve the Enterprise Administrator MCITP for Windows Server 2008, you must successfully complete four Technology Series exams and one Professional Series exam.
■ Architect Series. This is the highest level of Microsoft certification, and it requires the candidate to have at least 10 years’ industry experience. Candidates must pass a rigorous review by a review board of existing architects, and they must work with an architect mentor for a period of time before taking the exam.
Prerequisites and Preparation
There are no mandatory prerequisites for taking Exam 70-640, although Microsoft recommends that you meet the target audience profile described earlier. Exam 70-640 is the logical choice for the first step in completing the requirements for the MCITP.
Preparation for this exam should include the following:
■ Visit the Web site at www.microsoft.com/learning/exams/70-640.mspx to review the updated exam objectives.
■ Work your way through this book, studying the material thoroughly and marking any items you don’t understand
■ Answer all practice exam questions at the end of each chapter
■ Complete all hands-on exercises in each chapter
■ Review any topics that you don’t thoroughly understand
■ Consult Microsoft online resources such as TechNet (www.microsoft.com/technet/), white papers on the Microsoft Web site, and so forth, for a better understanding of difficult topics.
■ Participate in Microsoft’s product-specific training and certification newsgroups if you have specific questions that you still need answered.
■ Take at least one practice exam, such as the one included on the Syngress/Elsevier certification Web site, www.syngress.com/certification.
NOTE
Those who already hold the MCSA or MCSE in Windows 2003 can upgrade their certifications to MCITP Server Administrator by passing one upgrade exam and one Professional Series exam. Those who already hold the MCSA or MCSE in Windows 2003 can upgrade their certifications to MCITP Enterprise Administrator by passing one upgrade exam, two Technology Series exams, and one Professional Series exam.
Exam Overview
In this book, we have tried to follow Microsoft’s exam objectives as closely as possible. However, we have rearranged the order of some topics for a better flow and included background material to help you understand the concepts and procedures that are included in the objectives. Here is a brief synopsis of the exam topics covered in each chapter:
■ Configuring Server Roles in Windows 2008. In this chapter you will learn about the new server roles in Windows Server 2008, including RODCs, AD LDS, AD RMS, and AD FS. We begin with a discussion of Server Manager and Server Core, and configuring the Active Directory role in Server Core. We then discuss Read-Only Domain Controllers (RODCs), and their purpose. We show you the features of RODCs, and then we show you how to install, configure, and remove them. Active Directory Lightweight Directory Service (AD LDS) is discussed next and how it differs from ADAM. We show you how to install and work with AD LDS. Next, we show you how to install and work with Active Directory Rights Management Service (AD RMS) and how it differs from DRMS in Windows Vista. Finally, we discuss Active Directory Federation Services (AD FS), including defining what it is, explaining why and how to use it, and describing how to configure it.
■ Configuring Network Services. Chapter 2 presents the Network Services used in Windows Server 2008. We begin by presenting the Domain Name System (DNS), discussing its requirements, explaining how to install and configure it, and describing how it is used with Server Core. You'll also learn how to configure zones and zone resolution. Next, we discuss the Dynamic Host Configuration Protocol (DHCP). We cover DHCP design principles, installing and configuring DHCP, using DHCP with Server Core, and configuring DHCP for DNS. The third network service covered in the chapter is Windows Internet Naming Service (WINS), including installation and configuration, using WINS with Server Core, and configuring WINS for DNS.
■ Working with Users, Groups, and Computers. This chapter provides information about creating and modifying user accounts, creating and modifying computer accounts, creating and modifying groups, and delegation of tasks. Creating users, groups, and computers is discussed in the context of individual, manual creation, as well as creating each from scripts and modifying each using AD Users and Computers.
■ Configuring the Active Directory Infrastructure. In this chapter you will learn about creating the organizational structure of your network
and operations masters, and domain migrations. We next cover topics such as subnets, site links, replication, and the global catalog. Finally, we cover trusts, including forest trusts, authentication, transitive, external, and shortcut trusts, and SID filtering.
■ Understanding Group Policy. Group policy is presented in two chapters—the first of which covers group policy basics, and the second of which covers how to configure group policies. In this chapter, you learn about user group policies and computer group policies, site, domain, and OU group policy hierarchy, how to create and link group policy objects (GPOs), both new and existing, controlling the application of group policies, and using GPO templates.
■ Configuring Group Policy. The second Group Policy chapter discusses configuration. We begin by explaining how to configure software deployment and publishing and assigning to users and computers. Next, we talk about configuring account policies, including domain password policy, account lockout policy, and fine-grain password policies. The last part of the chapter talks about configuring audit policies.
■ Configuring Certificate Services and PKI. We look at Public Key Infrastructure, its components, how it works, and how certificates work. Next, we talk about working with certificate services, configuring a certificate authority, the different types of certificate authorities, backing up and restoring, assigning roles, enrollments, and revocation. In the last part of the chapter, we discuss working with templates, including types of templates, securing permissions, versioning, and key recovery agents.
■ Maintaining an Active Directory Environment. In the last chapter of the book, we discuss how to maintain an Active Directory environment. We begin by discussing backup and recovery, including using Windows Server Backup, performing authoritative and nonauthoritative restores, linked value replication, directory services restore mode, and how to back up and restore group policy objects. Next, you'll learn about offline maintenance, including offline defragmentation and compaction, restartable Active Directory, and storage allocation. Finally, you'll learn how to monitor Active Directory. Discussed here are the various tools used, including network monitor, task manager, event viewer, replmon, repadmin, systems resource manager, reliability and performance manager, and server performance monitor.
Exam Day Experience
Taking the exam is a relatively straightforward process. Prometric testing centers administer the Microsoft 70-640 exam. You can register for, reschedule, or cancel an exam through the Prometric Web site at www.register.prometric.com. You'll find listings of testing center locations on that site. Accommodations are made for those with disabilities; contact the individual testing center for more information. Exam price varies depending on the country in which you take the exam.
Exam Format
Exams are timed. At the end of the exam, you will find out your score and whether you passed or failed. You will not be allowed to take any notes or other written materials with you into the exam room. You will be provided with a pencil and paper, however, for making notes during the exam or doing calculations.
In addition to the traditional multiple choice questions and the select and drag, simulation and case study questions, you might see some or all of the following types of questions:
■ Hot area questions, in which you are asked to select an element or elements in a graphic to indicate the correct answer. You click an element to select or deselect it.
■ Active screen questions, in which you change elements in a dialog box (for example, by dragging the appropriate text element into a text box or selecting an option button or checkbox in a dialog box).
■ Drag and drop questions, in which you arrange various elements in a target area.
Test-Taking Tips
Different people work best using different methods. However, there are some common methods of preparation and approach to the exam that are helpful to many test-takers. In this section, we provide some tips that other exam candidates have found useful in preparing for and actually taking the exam.
■ Exam preparation begins before exam day. Ensure that you know the concepts and terms well and feel confident about each of the exam objectives. Many test-takers find it helpful to make flash cards or review notes to study on the way to the testing center. A sheet listing acronyms and abbreviations can be helpful, as the number of acronyms (and the similarity of different acronyms) when studying IT topics can be overwhelming. The process of writing the material down, rather than just reading it, will help to reinforce your knowledge.
■ Many test-takers find it especially helpful to take practice exams that are available on the Internet and with books such as this one. Taking the practice exams can help you become used to the computerized exam-taking experience, and the practice exams can also be used as a learning tool. The best practice tests include detailed explanations of why the correct answer is correct and why the incorrect answers are wrong.
■ When preparing and studying, you should try to identify the main points of each objective section. Set aside enough time to focus on the material and lodge it into your memory. On the day of the exam, you should be at the point where you don't have to learn any new facts or concepts; instead, you'll need simply to review the information already learned.
■ The value of hands-on experience cannot be stressed enough. Exam questions are based on test writers' experiences in the field. Working with the products on a regular basis—whether in your job environment or in a test network that you've set up at home—will make you much more comfortable with these questions.
■ Know your own learning style and use study methods that take advantage of it. If you're primarily a visual learner, reading, making diagrams, watching video files on CD, etc., may be your best study methods. If you're primarily auditory, classroom lectures, audiotapes you can play in the car as you drive, and repeating key concepts to yourself aloud may be more effective. If you're a kinesthetic learner, you'll need to actually do the exercises, implement the security measures on your own systems, and otherwise perform hands-on tasks to best absorb the information. Most of us can learn from all of these methods, but have a primary style that works best for us.
■ Although it may seem obvious, many exam-takers ignore the physical aspects of exam preparation. You are likely to score better if you've had sufficient sleep the night before the exam, and if you are not hungry, thirsty, hot/cold, or otherwise distracted by physical discomfort. Eat prior to going to the testing center (but don't indulge in a huge meal that will leave you uncomfortable), stay away from alcohol for 24 hours prior to the test, and dress appropriately for the temperature in the testing center (if you don't know how hot/cold the testing environment tends to be, you may want to wear light clothes with a sweater or jacket that can be taken off).
■ Before you go to the testing center to take the exam, be sure to allow time to arrive on time, take care of any physical needs, and step back to take a deep breath and relax. Try to arrive slightly early, but not so far in advance that you spend a lot of time worrying and getting nervous about the testing process. You may want to do a quick last-minute review of notes, but don't try to "cram" everything the morning of the exam. Many test-takers find it helpful to take a short walk or do a few calisthenics shortly before the exam to get oxygen flowing to the brain.
■ Before you begin to answer questions, use the pencil and paper provided to you to write down terms, concepts, and other items that you think you may have difficulty remembering as the exam goes on. Then you can refer back to these notes as you progress through the test. You won't have to worry about forgetting the concepts and terms you have trouble with later in the exam.
■ Sometimes the information in a question will remind you of another concept or term that you might need in a later question. Use your pen and paper to make note of this in case it comes up later on the exam.
■ It is often easier to discern the answer to scenario questions if you can visualize the situation. Use your pen and paper to draw a diagram of the network that is described to help you see the relationships between devices, IP addressing schemes, and so forth.
■ When appropriate, review the answers you weren't sure of. However, you should change your answer only if you're sure that your original answer was incorrect. Experience has shown that more often than not, when test-takers start second-guessing their answers, they end up changing correct answers to incorrect ones. Don't "read into" the question (that is, don't fill in or assume information that isn't there); this is a frequent cause of incorrect responses.
■ As you go through this book, pay special attention to the Exam Warnings, as these highlight concepts that are likely to be tested. You may find it useful to go through and copy these into a notebook (remembering that writing something down reinforces your ability to remember it) and/or go through and review the Exam Warnings in each chapter just prior to
■ Use as many little mnemonic tricks as possible to help you remember facts and concepts. For example, to remember which of the two IPsec protocols (AH and ESP) encrypts data for confidentiality, you can associate the "E" in encryption with the "E" in ESP.
Pedagogical Elements
In this book, you'll find a number of different types of sidebars and other elements designed to supplement the main text. These include the following:
■ Exam Warning. These sidebars focus on specific elements on which the reader needs to focus in order to pass the exam (for example, "Be sure you know the difference between symmetric and asymmetric encryption").
■ Test Day Tip. These sidebars are short tips that will help you in organizing and remembering information for the exam (for example, "When preparing for the exam on test day, it may be helpful to have a sheet with definitions of these abbreviations and acronyms handy for a quick last-minute review").
■ Configuring & Implementing. These sidebars contain background information that goes beyond what you need to know for the exam, but provide a "deep" foundation for understanding the concepts discussed in the text.
■ New & Noteworthy. These sidebars point out changes in Windows Server 2008 from Windows Server 2003 as they will apply to readers taking the exam. These may be elements that users of Windows Server 2003 would be very familiar with that have changed significantly in Windows Server 2008, or totally new features that they would not be familiar with at all.
■ Head of the Class. These sidebars are discussions of concepts and facts as they might be presented in the classroom, regarding issues and questions that most commonly are raised by students during study of a particular topic.
Each chapter of the book also includes hands-on exercises in planning and configuring the features discussed. It is essential that you read through and, if possible, perform the steps of these exercises to familiarize yourself with the processes they cover.
You will find a number of helpful elements at the end of each chapter. For example, each chapter contains a Summary of Exam Objectives that ties the topics discussed in that chapter to the published objectives. Each chapter also contains an Exam Objectives Fast Track, which boils all exam objectives down to manageable summaries that are perfect for last-minute review. The Exam Objectives Frequently Asked Questions section answers those questions that most often arise from readers and students regarding the topics covered in the chapter. Finally, in the Self Test section, you will find a set of practice questions written in a multiple-choice format that will assist you in your exam preparation. These questions are designed to assess your mastery of the exam objectives and provide thorough remediation, as opposed to simulating the variety of question formats you may encounter in the actual exam. You can use the Self Test Quick Answer Key that follows the Self Test questions to quickly determine what information you need to review again. The Self Test Appendix at the end of the book provides detailed explanations of both the correct and incorrect answers.
Additional Resources
There are two other important exam preparation tools included with this study guide. One is the DVD included in the back of this book. The other is the concept review test available from our Web site.
■ A DVD that provides book content in multiple electronic formats for exam-day review. Review major concepts, test day tips, and exam warnings in PDF, PPT, MP3, and HTML formats. Here, you'll cut through all of the noise to prepare you for exactly what to expect when you take the exam for the first time. You will want to watch this DVD just before you head out to the testing center!
■ Web-based practice exams. Just visit us at www.syngress.com/certification to access a complete Windows Server 2008 concept multiple-choice review. These remediation tools are written to test you on all of the published certification objectives. The exam runs in both "live" and "practice" mode. Use "live" mode first to get an accurate gauge of your knowledge and skills, and then use practice mode to launch an extensive review of the questions that gave you trouble.
Configuring Server Roles in Windows 2008
Exam objectives review:
˛ Summary of Exam Objectives
˛ Exam Objectives Fast Track
˛ Exam Objectives Frequently Asked Questions
˛ Self Test
˛ Self Test Quick Answer Key
Exam objectives in this chapter:
■ New Roles in 2008
■ Read-Only Domain Controllers (RODCs)
■ Active Directory Lightweight Directory
With the introduction of new revisions to Microsoft products—be it Windows, Exchange, Communications Server, or others—we have seen a trend toward "roles" within each product, as opposed to the various products being an all-in-one type of solution (as with Exchange 2007), or being additional features that work as a snap-in, such as DNS in Windows 2003.
With earlier versions of Windows Server, 2000 or 2003, an Active Directory server was just that—an Active Directory server. What we are trying to say here is that it was more-or-less an "all-or-nothing" deal when creating a domain controller in Windows 2003. Very little flexibility existed in the way a domain controller could be installed, with the exception of whether a domain controller would also be a global catalog server or flexible single master operation (FSMO) server.
With the release of Windows Server 2008, we have several new ways to deploy an Active Directory domain controller. In this chapter, we will discuss the new roles available in Windows Server 2008, how to create a domain controller, and how to implement and manage server roles.
New Roles in 2008
Windows Server 2008 offers many new ways to "skin the Active Directory cat," if you will. With the introduction of these new roles comes a new way to determine how they are implemented, configured, and managed within an Active Directory domain or forest. We will be discussing each of these Active Directory roles in depth later in this chapter, but the new roles (and the official Microsoft definitions) are as follows:
■ Read-only domain controller (RODC): This new type of domain controller, as its name implies, hosts read-only partitions of the Active Directory database. An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
■ Active Directory Lightweight Directory Service (ADLDS): Formerly known as Windows Server 2003 Active Directory Application Mode (ADAM), ADLDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies required for Active Directory Domain Services (ADDS). ADLDS provides much of the same functionality as ADDS, but does not require the deployment of domains or domain controllers.
■ Active Directory Rights Management Service (ADRMS): Active Directory Rights Management Services (ADRMS), a format- and application-agnostic technology, provides services to enable the creation of information-protection solutions. ADRMS includes several new features that were available in Active Directory Rights Management Services (ADRMS). Essentially, ADRMS adds the ability to secure objects. For example, an e-mail can be restricted to read-only, meaning it cannot be printed, copied (using Ctrl + C, and so on), or forwarded.
■ Active Directory Federation Services (ADFS): You can use Active Directory Federation Services (ADFS) to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. Essentially, this allows cross-forest authentication to external resources—such as another company's Active Directory. ADFS was originally introduced in Windows Server 2003 R2, but lacked much of its now-available functionality.
So, these are the roles themselves, but as also mentioned, they can be managed in a number of new ways:
■ Server Manager: This is likely to be a familiar tool to engineers who have worked with earlier versions of Windows. It is a single-screen solution that helps manage a Windows server, but is much more advanced than the previous version.
■ Server Core: Server Core brings not only a new way to manage roles, but an entirely new way to deploy a Windows Server. With Server Core, we can say goodbye to unnecessary GUIs, applications, services, and many more commonly attacked features.
Discussing Server Core is going to take considerably longer, so let's start with Server Manager.
Using Server Manager to Implement Roles
Although we will be discussing Server Manager (Figure 1.1) as an Active Directory
In fact, Server Manager is a single solution (technically, a Microsoft Management Console [MMC] snap-in) that is used as a single source for managing system identity (as well as other key system information), identifying problems with servers, displaying server status, enabled roles and features, and general options such as server updates and feedback.
Table 1.1 outlines some of the additional roles and features Server Manager can be used to control.
Figure 1.1 Server Manager
Server Manager is enabled by default when a Windows 2008 server is installed (with the exception of Server Core). However, Server Manager can be shut off via the system Registry and can be re-opened at any time by selecting Start | Administrative Tools | Server Manager, or right-clicking Computer under the Start menu, and choosing Manage (Figure 1.2).
Table 1.1 Partial List of Additional Server Manager Features
Role or Feature              Purpose
Domain Name Service          Provides name/IP address resolution
File Services                Storage management, replication, searching
Print Services               Management of printers and print servers
Terminal Services            Remote access to a Windows desktop or application
Internet Information Server  Web server services
BitLocker Drive Encryption   Whole-disk encryption security feature
Group Policy Management      Management of Group Policy Objects
SMTP Server                  E-mail services
Failover Clustering          Teaming multiple servers to provide high
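The role inventory that Server Manager shows in its window can also be pulled at the command line and compared against what a server is supposed to be running. The following PowerShell script is an added example, not code from the book; it assumes that ServerManagerCmd.exe -query prints one line per role or feature in the form "[X] Display Name  [Id]", and the baseline list and sample query output are constructed for illustration.

```powershell
# Added example (not the book's own code): inventory the roles and features a
# Windows Server 2008 host reports through ServerManagerCmd.exe (the command-line
# counterpart of Server Manager) and flag anything installed that is not on an
# approved baseline. Every unexpected role is attack surface to review.
# Assumptions: "ServerManagerCmd.exe -query" prints one line per item in the form
# "[X] Display Name  [Id]" (X = installed, blank = not installed); the baseline
# and the sample output below are constructed for illustration.

function ConvertFrom-ServerManagerQuery {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Match "[X] Web Server (IIS)  [Web-Server]" or "[ ] DHCP Server  [DHCP]";
        # section banners such as "----- ROLES -----" do not match and are skipped.
        if ($line -match '^\s*\[(?<mark>[X ])\]\s+(?<name>.+?)\s+\[(?<id>[^\]]+)\]\s*$') {
            New-Object PSObject -Property @{
                Id        = $Matches['id']
                Name      = $Matches['name']
                Installed = ($Matches['mark'] -eq 'X')
            }
        }
    }
}

function Get-UnapprovedRoles {
    param([object[]]$Roles, [string[]]$Baseline)
    # Installed items whose Id is not in the baseline are the ones to question.
    $Roles | Where-Object { $_.Installed -and ($Baseline -notcontains $_.Id) }
}

# Use the live tool when it is present (Windows Server 2008); otherwise fall back
# to constructed sample output so the script also runs for reading purposes.
if (Get-Command servermanagercmd.exe -ErrorAction SilentlyContinue) {
    $queryLines = & servermanagercmd.exe -query
} else {
    $queryLines = @(
        '----- ROLES -----',
        '[ ] Active Directory Domain Services  [AD-Domain-Services]',
        '[X] DNS Server  [DNS]',
        '[X] Web Server (IIS)  [Web-Server]',
        '    [X] Web Server  [Web-WebServer]',
        '[X] Print Services  [Print-Services]',
        '----- FEATURES -----',
        '[ ] BitLocker Drive Encryption  [BitLocker]'
    )
}

# Constructed baseline: this host is supposed to be a DNS server and nothing else.
$approved = @('DNS')
$roles = ConvertFrom-ServerManagerQuery -Lines $queryLines
$unexpected = @(Get-UnapprovedRoles -Roles $roles -Baseline $approved)

if ($unexpected.Count -gt 0) {
    Write-Output 'Installed roles/features outside the approved baseline:'
    $unexpected | Format-Table Id, Name -AutoSize
    # Remove with the Remove Roles wizard or "ServerManagerCmd.exe -remove <Id>"
    # once the owner confirms the role is not needed.
} else {
    Write-Output 'All installed roles and features match the approved baseline.'
}
```

On Windows Server 2008 R2 and later, the ServerManager PowerShell module's Get-WindowsFeature returns the same inventory as objects, so the text-parsing step can be dropped.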
So, those are the basics of Server Manager. Now let's take a look at how we use Server Manager to implement a role. Since we will be discussing the four Active Directory roles in depth later in this chapter, let's take the IIS role and talk about using the Add Role Wizard to install Internet Information Services (IIS).
EXERCISE 1.1
USING THE ADD ROLE WIZARD
Notice in Figure 1.1 that the Server Manager window is broken into three different sections:
■ Provide Computer Information
■ Update This Server
■ Customize This Server
Figure 1.2 Opening Server Manager
Under the Customize This Server section, click the Add Role icon. When the wizard opens, complete the following steps to install IIS onto the server.
1. Click the Add Roles icon.
2. At the Before You Begin window, read the information provided, and then click Next.
3. From the list of server roles (Figure 1.3), click the check box next to Web Server (IIS) and then click Next.
4. If you are prompted to add additional required features, read and understand the features, and then click Add Required Features.
Figure 1.3 List of Server Roles