Windows 2008 Active Directory Configuration Microsoft Test: 70-640 Mark McCoy MCSE, CNE, CISSP

Post on 26-Mar-2015

Page 1: Windows 2008 Active Directory Configuration, Microsoft Test: 70-640

Mark McCoy, MCSE, CNE, CISSP

Page 2: Agenda

Introductions
MS 70-640 Test Objectives
Certification Text
Study Group/Certification “Schedule”
Week 1 Assignment
Week 1 Discussion – Ch 1 & 2
Questions & Answers
Week 1 Homework Assignment

Page 3: Introductions

Me
  Name: Mark McCoy
  Email: [email protected]
  Phone: 402-317-0507
  WWW: www.realmccoysystems.com
  Blog/Questions: realmccoysystems.Wordpress.com

You
  Who Are You?
  Why are you attending this Group?
  What is your Career Goal?

Page 4: MS 70-640 Test Objectives

http://www.microsoft.com/learning/en/us/exams/70-640.aspx

Configuring the Active Directory infrastructure (25 percent)

Creating and maintaining Active Directory objects (24 percent)

Configuring Domain Name System (DNS) for Active Directory (16 percent)

Maintaining the Active Directory environment (13 percent)

Configuring Active Directory Certificate Services (13 percent)

Configuring additional Active Directory server roles (9 percent)

Page 5: 70-640 Certification Text

MCTS: Windows Server 2008 Active Directory Configuration (Exam 70-640), by Will Panek and James Chellis, Sybex © 2008

Virtual Library Link: http://library.books24x7.com.proxy.itt-tech.edu/toc.asp?bookid=25192

Page 6: Study Group Certification “Schedule”

The Group will meet three Saturdays a month (the fourth Saturday will be for the IT Professionals Club meeting).
We will meet after the IT Professionals Club on the fourth Saturday to stay on schedule.
We should plan to complete 70-640 test preparation prior to June 15 to provide an opportunity to take the test before June 30,

Page 7: Week 1 Assignment

Read and be prepared to discuss Chapters 1 and 2 of the text.

Page 8: Chapter 1 – Overview of Active Directory

The Windows NT 4 Domain Construct (the “Roots” of the Active Directory Tree and Forest)
The Benefits of Active Directory
The Logical Structure of Active Directory
Understanding Active Directory Objects
Windows 2008 Server Roles
Identity and Access (IDA) in Active Directory
Exam Essentials

Page 9: The Windows NT 4 Domain Construct

The NT 4 Domain was used to organize users and secure resources.
The NT 4 Domain utilized a FLAT security database called a Security Access Manager (SAM) Database.
The SAM Database was stored on the Primary Domain Controller (PDC), a Read/Write copy of the SAM, and copied to a Backup Domain Controller (BDC), a Read-Only copy of the SAM, for redundancy.
The Domain constituted a Single Administrative Unit.
Windows NT 4 utilized both “User Domains” and “Resource Domains” due to limitations on the number of objects a single domain could account for.

Page 10: The Benefits of Active Directory

Active Directory implements a Hierarchical Structure of Logical as well as Physical Objects, which can, and often do, mimic the Organizational Structure.
The Security Database is now stored on multiple Read/Write Domain Controllers.
Active Directory implements a “multi-master” domain controller model: not PDCs or BDCs, but only Domain Controllers, each with the same “rights”.
Active Directory can store Millions of Objects, thereby eliminating the need for separate User and Resource Domains.
Active Directory implements a “Distributed, but Centralized” Security Database.
Active Directory is actually a database, which can be extended (extensible), has a Schema (design), and can be queried for information.
The Domain Concept has been maintained and serves as a Security Boundary within the database.

Page 11: The Logical Structure of Active Directory

Data Store
  The term data store is used to refer to the actual structure that contains the information stored within Active Directory.
  The data store is implemented as a set of files that resides within the file system of a domain controller.
Schema
  Structure or design of the Active Directory database.
  Attributes – things that describe an object.
  Classes – a “Category” of Objects.
Global Catalog
  A database that contains all of the information pertaining to objects within all domains in the Active Directory environment.
Replication
  The process of copying the Active Directory Database, to include objects, permissions, logical structure, etc., from one Domain Controller to another.
Domains, Trees, Forests
  Domain – The Basic Unit (Security Boundary) of Active Directory.
  Tree – One or more domains in a CONTIGUOUS name space.
  Forest – A collection of Domains that may NOT be contiguous.
Hierarchical Structure
  The Active Directory Structure is Hierarchical as opposed to flat.
Inheritance
  By default, permissions and policies within the domain flow down the hierarchy.
Trust Relationships
  One Domain/Forest must Trust the Other in order to grant permissions from one Domain/Forest to the Other.
  Trusts are Transitive (If A trusts B, and B trusts C, it is implied A trusts C).

Page 12: Understanding Active Directory Objects

GUID and SID
  Each object in Active Directory has a globally unique identifier (GUID) or security identifier (SID).
Organization
  Organization (O) is the company or root-level domain.
Domain Component
  Domain component (DC) is a portion of the hierarchical path.
Common Names
  Common name (CN) specifies the names of objects in the directory.
Organizational Unit
  A logical grouping of User Accounts and Resources.
User Accounts (Common Names – CN)
  Users within Active Directory.
Computer Accounts
  Workstations or Servers in Active Directory.
Distinguished Names
  The Full Name of an Object, starting from the Root of the Domain.
Relative Names
  The Name of an Object from a particular point within the Domain.
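As an added example (not part of the original slides), the Python below takes apart the two kinds of identifier this slide describes: the LDAP distinguished name (DC, OU and CN components, the relative name, the parent container) and the SID (domain identifier plus the RID, which is how a defender recognises the built-in Administrator or Domain Admins principal regardless of what the account has been renamed to). The domain example.com, the DNs and the SID are constructed sample values, and every function name is this example's own.

```python
"""Added example: pull apart the naming identifiers an Active Directory object carries.

Assumptions: example.com is a constructed domain, the DNs and the SID used below are
constructed sample values, and the helper names are this example's own.
"""
from typing import List, Tuple

# Well-known relative identifiers (RIDs) that are the same in every AD domain.
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas; LDAP allows '\\,' inside a value."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # keep escape + escaped char together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attribute, value), ...] from the leaf RDN down to the root."""
    rdns = []
    for part in split_dn(dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def relative_name(dn: str) -> str:
    """Relative distinguished name: the object's name from its parent's point of view."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"


def parent_dn(dn: str) -> str:
    """Everything after the leaf RDN: the container that holds the object."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])


def domain_from_dn(dn: str) -> str:
    """The DC components, joined, give the DNS name of the domain."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def container_path(dn: str) -> List[str]:
    """OU/CN containers from the domain root down to the object's parent."""
    return [f"{a}={v}" for a, v in reversed(parse_dn(dn)[1:]) if a in ("OU", "CN")]


def parse_sid(sid: str) -> dict:
    """Split S-1-5-21-<domain id>-<RID> into its parts and name well-known RIDs."""
    fields = sid.split("-")
    if len(fields) < 4 or fields[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(fields[1]), int(fields[2])
    subauthorities = [int(x) for x in fields[3:]]
    rid = subauthorities[-1]
    return {
        "revision": revision,
        "authority": authority,
        "domain_sid": "-".join(fields[:-1]),   # shared by every principal in the domain
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
    }


if __name__ == "__main__":
    dn = "CN=Mark McCoy,OU=Instructors,OU=Staff,DC=example,DC=com"
    print(relative_name(dn), "|", parent_dn(dn), "|", domain_from_dn(dn))
    print(parse_sid("S-1-5-21-1111111111-2222222222-3333333333-500"))
```

The SID check is the one worth remembering from a security standpoint: the RID survives any rename of the account, so an audit that keys on RID 500 or 512 is not fooled by a renamed Administrator.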

Page 13: Windows 2008 Server Roles

Server Manager (New in 2008)
  Server Manager is a Microsoft Management Console (MMC) snap-in that allows an administrator to view information about server configuration.
Active Directory Certificate Services
  Used to provide HTTPS, Secure FTP, etc. services; Public Key Encryption.
Active Directory Domain Services
  “Becoming a Domain Controller”; can now configure a “Read-Only” Domain Controller.
Active Directory Federation Services
  Single Sign-on across multiple platforms. Organizations can set up trust relationships with other trusted organizations so a user's digital identity and access rights can be accepted without a secondary password.
Active Directory Lightweight Directory Services
  This type of service allows directory-enabled applications to store and retrieve data without needing the dependencies AD DS requires.
Active Directory Rights Management Services
  Active Directory Rights Management Services (AD RMS), included with Microsoft Windows Server 2008, allows administrators or users to determine what access (open, read, modify, etc.) they give to other users in an organization. This access can be used to secure email messages, internal websites, and documents.

Page 14: Identity and Access (IDA) in Active Directory

Users may have to access resources on different types of hardware, software, and devices. Many of these systems and devices do not always communicate with each other, so it is not unusual for users to have multiple identities on multiple systems.
IDA provides a means to manage Identity and Access on Multiple Systems.
IDA solutions can be categorized into five distinct areas:
  Directory services
  Strong authentication
  Federated Identities
  Information protection
  Identity Lifecycle Management

Page 15: Chapter 1 Exam Essentials

Understand the problems that Active Directory is designed to solve. The creation of a single, centralized directory service can make network operations and management much simpler. Active Directory solves many shortcomings in Windows NT's domain model.
Understand Active Directory design goals. Active Directory should be structured to mirror an organization's logical structure. Understand the factors that you should take into account, including business units, geographic structure, and future business requirements.
Understand Windows Server 2008 server roles. Understand what the five Active Directory Windows Server 2008 server roles—AD CS, AD DS, AD FS, AD LDS, and AD RMS—do for an organization and its users.
Understand identity and access (IDA) solutions. Understand how IDA can help organizations solve the problems associated with multiple usernames and passwords. Understand how the Active Directory Windows Server 2008 server roles work with and affect IDA.

Page 16: Chapter 2 – Domain Name System (16% of Test)

Introducing DNS
Introducing DNS Zones
New Functionality in Windows Server 2008 DNS
Introducing DNS Record Types
Configuring DNS
Monitoring and Troubleshooting DNS
Exam Essentials

Page 17: Introducing DNS

The Domain Name System (DNS): A service designed to resolve Internet Protocol (IP) addresses to hostnames.
DNS Roles
  DNS Server: Provides DNS Service.
  DNS Client: Requests DNS Service.
  Resolver: Software process to determine an IP Address from a Host Address.
Dynamic versus Non-Dynamic DNS
  Dynamic DNS (RFC 2136) allows clients to update their DNS Entry automatically (via DHCP Server).
  In Non-Dynamic DNS, the client systems do not have the ability to update DNS. Updates must be made manually.
Non-Secure Dynamic DNS
  Computers that are not part of Active Directory can dynamically update a DNS Entry.
Secure Dynamic DNS
  Only members of the Active Directory Domain can dynamically update their DNS Entry.
DNS Queries
  Iterative: Client queries DNS Servers “in turn” until the IP address is found.
  Recursive: Client makes a request of its local DNS Server. The DNS Server performs the remaining queries.
  Inverse Queries: Use pointer records (IP Address) to find the Host.
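The iterative and recursive query styles on this slide, simulated offline as an added example (not code from the slides or from Windows DNS). A three-level namespace (root, .com, example.com) with constructed addresses is built in memory; resolve_iteratively walks the referrals the way an iterating client does, and RecursiveServer is the client's local server that takes a single query, does that walk itself, and caches the answer. All class and function names are this example's own.

```python
"""Added example: iterative versus recursive resolution, simulated offline.

The namespace (root -> com -> example.com) and the 192.0.2.x addresses are
constructed; the names below are this example's own, not Windows DNS APIs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthServer:
    """A DNS server that answers for its own names and refers for delegated zones."""
    name: str
    answers: Dict[str, str] = field(default_factory=dict)             # qname -> IPv4
    referrals: Dict[str, "AuthServer"] = field(default_factory=dict)   # zone -> NS
    queries_received: int = 0

    def query(self, qname: str) -> Tuple[str, object]:
        self.queries_received += 1
        if qname in self.answers:
            return "answer", self.answers[qname]
        best = None                                   # longest matching delegation
        for zone, ns in self.referrals.items():
            if qname == zone or qname.endswith("." + zone):
                if best is None or len(zone) > len(best[0]):
                    best = (zone, ns)
        if best is not None:
            return "referral", best[1]
        return "nxdomain", None


def resolve_iteratively(qname: str, start: AuthServer, trace: List[str]) -> Optional[str]:
    """Ask servers 'in turn', following each referral, until an answer (or none) arrives."""
    server = start
    for _ in range(10):                               # guard against referral loops
        kind, payload = server.query(qname)
        trace.append(f"{server.name}: {kind}")
        if kind == "answer":
            return payload
        if kind == "referral":
            server = payload
            continue
        return None
    return None


class RecursiveServer:
    """The client's local DNS server: takes one query and performs the whole walk itself."""

    def __init__(self, name: str, root_hint: AuthServer):
        self.name, self.root_hint = name, root_hint
        self.cache: Dict[str, str] = {}
        self.queries_received = 0

    def query(self, qname: str) -> Tuple[Optional[str], List[str]]:
        self.queries_received += 1
        trace: List[str] = []
        if qname in self.cache:                        # repeat questions never leave the LAN
            trace.append(f"{self.name}: cache hit")
            return self.cache[qname], trace
        ip = resolve_iteratively(qname, self.root_hint, trace)
        if ip is not None:
            self.cache[qname] = ip
        return ip, trace


def build_namespace() -> Tuple[AuthServer, AuthServer, AuthServer]:
    """Constructed three-level namespace: root -> com -> example.com."""
    auth = AuthServer("ns1.example.com",
                      answers={"www.example.com": "192.0.2.10",
                               "mail.example.com": "192.0.2.25"})
    tld = AuthServer("a.gtld-servers.net", referrals={"example.com": auth})
    root = AuthServer("a.root-servers.net", referrals={"com": tld})
    return root, tld, auth


if __name__ == "__main__":
    root, tld, auth = build_namespace()
    steps: List[str] = []
    print(resolve_iteratively("www.example.com", root, steps), steps)
    local = RecursiveServer("dns01.corp.example", root)
    print(local.query("www.example.com"))
    print(local.query("www.example.com"))   # second time answered from cache
```

The query counters make the difference visible: with iteration the client itself touches root, TLD and authoritative servers; with recursion it sends one query to its local server, and a repeat of the same name never leaves that server's cache.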

Page 18: Introducing DNS Zones

Primary Zones
  The primary zone is responsible for maintaining all of the records for the DNS zone. All record updates occur on the primary zone.
Secondary Zones
  Secondary zones are non-editable copies of the DNS database. Used for load balancing (also referred to as load sharing). A secondary zone gets its database from a primary zone.
Active Directory Integrated Zones
  All Zone Information is maintained in Active Directory. Zone Information is replicated with that of Active Directory. Zone information is more secure.
Stub Zones
  Only contain the IP Address of the Primary Zone DNS Server. Stub zones work a lot like secondary zones—the database is a non-editable copy of a primary zone. The stub zone's database contains only the information necessary (three record types) to identify the authoritative DNS servers for a zone.
Zone Transfers
  Full Zone Transfer – AXFR
  Incremental Transfer – IXFR
Replication
  Active Directory Integrated Zone Transfers are part of the Replication Process.
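An added example (not code from the slides or from the Windows DNS server) showing how a primary and a secondary zone behave as described above: every edit happens on the primary and bumps its SOA serial; the secondary compares serials, asks for an incremental transfer (IXFR) when the primary still holds the history it needs, and falls back to a full transfer (AXFR) when it does not. The zone name, records and serials are constructed, and the class names are this example's own.

```python
"""Added example: how a secondary zone refreshes from a primary via SOA serial, IXFR or AXFR.

Zone data and serials are constructed; the classes model the behaviour on the slide
(incremental transfer in the style of RFC 1995) and are not Windows DNS server code.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Record = Tuple[str, str, str]                            # (owner name, type, data)
JournalEntry = Tuple[int, List[Record], List[Record]]    # (new serial, deleted, added)


@dataclass
class PrimaryZone:
    """All record edits happen here; each edit bumps the SOA serial and is journaled."""
    origin: str
    serial: int
    records: Set[Record] = field(default_factory=set)
    journal: List[JournalEntry] = field(default_factory=list)

    def update(self, deleted: List[Record], added: List[Record]) -> int:
        self.records.difference_update(deleted)
        self.records.update(added)
        self.serial += 1
        self.journal.append((self.serial, list(deleted), list(added)))
        return self.serial

    def prune_journal(self, keep_last: int) -> None:
        """Servers keep only a bounded history; older deltas are discarded."""
        self.journal = self.journal[-keep_last:] if keep_last > 0 else []

    def axfr(self) -> Tuple[int, Set[Record]]:
        """Full transfer: the whole record set plus the current serial."""
        return self.serial, set(self.records)

    def ixfr(self, from_serial: int) -> Optional[List[JournalEntry]]:
        """Incremental transfer: deltas after from_serial, or None if history is gone."""
        if from_serial >= self.serial:
            return []
        deltas = [e for e in self.journal if e[0] > from_serial]
        if not deltas or deltas[0][0] != from_serial + 1:
            return None                    # the journal no longer reaches back that far
        return deltas


@dataclass
class SecondaryZone:
    """Read-only copy; the only way it changes is a transfer from the primary."""
    serial: int = 0
    records: Set[Record] = field(default_factory=set)
    history: List[str] = field(default_factory=list)

    def refresh(self, primary: PrimaryZone) -> str:
        # Step 1: compare SOA serials; nothing to do if they match.
        if primary.serial == self.serial:
            self.history.append("up-to-date")
            return "up-to-date"
        # Step 2: try the cheaper incremental transfer first.
        deltas = primary.ixfr(self.serial)
        if deltas is None:
            # Step 3: the primary cannot supply the deltas, so take the whole zone.
            self.serial, self.records = primary.axfr()
            self.history.append("AXFR")
            return "AXFR"
        for new_serial, deleted, added in deltas:
            self.records.difference_update(deleted)
            self.records.update(added)
            self.serial = new_serial
        self.history.append("IXFR")
        return "IXFR"


def demo() -> SecondaryZone:
    """Constructed walk-through: initial AXFR, then IXFR, then AXFR after journal pruning."""
    primary = PrimaryZone("example.com", 2009032601,
                          {("www.example.com", "A", "192.0.2.10"),
                           ("mail.example.com", "A", "192.0.2.25")})
    secondary = SecondaryZone()
    secondary.refresh(primary)                                 # serial 0 -> full copy
    primary.update([], [("ftp.example.com", "A", "192.0.2.30")])
    secondary.refresh(primary)                                 # one delta -> IXFR
    for i in range(3):
        primary.update([], [(f"host{i}.example.com", "A", f"192.0.2.{40 + i}")])
    primary.prune_journal(keep_last=1)                         # history lost
    secondary.refresh(primary)                                 # falls back to AXFR
    return secondary


if __name__ == "__main__":
    print(demo().history)   # ['AXFR', 'IXFR', 'AXFR']
```

Because the secondary is only ever a copy, anything that can initiate a transfer from the primary can read the whole zone; that is why the Zone Transfers tab on the zone properties (page 21) restricts which servers may pull it.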

Page 19: New Functionality in Windows Server 2008 DNS

Background zone loading
  If an organization had to restart a DNS server with an extremely large Active Directory Integrated DNS zone database in the past, it could take hours for DNS data to be retrieved from Active Directory. During this time, the DNS server was unable to service any client requests.
  To address this issue, Microsoft Windows Server 2008 DNS has implemented background zone loading. As the DNS server restarts, the Active Directory zone data populates the database in the background. This allows the DNS server to service client requests for data from other zones almost immediately after a restart.
Support for TCP/IP version 6 (IPv6)
  IP Version 6 is a 128 bit Hexadecimal Number; Four Sets of 32 Bits.
Read-only domain controllers
  Functions as a Domain Controller to support Logon Authentication and resource location, but is read-only.
GlobalName zone
  Intended to assist in the transition from WINS resolution to DNS. These use single-label names (DNS names that do not contain a suffix such as .com, .net, etc.) the same way WINS does. GlobalName zones are not intended to support peer-to-peer networks and workstation name resolution, nor do they support dynamic DNS updates.

Page 20: Introducing DNS Record Types

Start of Authority (SOA)
  What Server is responsible for the Zone.
Name Server (NS)
  Servers running DNS in the Zone.
Host Record
  Workstation, Server, Printer on the Network; Name to IP Address.
Alias (canonical name (CNAME))
  A “Second Name” for a Host on the Network.
Pointer (PTR) Record
  IP Address mapped to a Host name.
Mail Exchanger (MX)
  Name of the Mail Server.
Service Record (SRV)
  SRV records tie together the location of a service (like a domain controller) with information about how to contact the service.
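As an added example (not code from the slides or from the Windows DC locator), the Python below shows what an SRV record carries and how a client uses it to find a domain controller: it builds the _ldap._tcp.dc._msdcs.<domain> query name, parses zone-file SRV lines into priority, weight, port and target, and orders the targets by priority and then by weighted random choice, following RFC 2782. The zone lines, example.com and the dc1/dc2/dc3 hosts are constructed; rng is injectable so the selection can be checked deterministically.

```python
"""Added example: parsing SRV records and choosing a target by priority and weight.

The record lines are constructed (example.com, dc1/dc2/dc3); the selection follows
RFC 2782 and is this example's own code, not the Windows DC locator.
"""
import random
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    ttl: int
    priority: int    # lower is tried first
    weight: int      # relative share among equal-priority targets
    port: int
    target: str


def dc_locator_name(domain: str, site: Optional[str] = None) -> str:
    """The SRV owner name a client queries to find an LDAP-capable domain controller."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


def parse_srv(line: str) -> SrvRecord:
    """Parse zone-file text: '<owner> <ttl> IN SRV <prio> <weight> <port> <target>'."""
    fields = line.split()
    if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV record: {line!r}")
    owner, ttl, _, _, prio, weight, port, target = fields
    return SrvRecord(owner.rstrip("."), int(ttl), int(prio), int(weight),
                     int(port), target.rstrip("."))


def order_targets(records: List[SrvRecord],
                  rng: Callable[[], float] = random.random) -> List[SrvRecord]:
    """Lowest priority first; within a priority, pick by weight (RFC 2782 selection)."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)      # weight-0 entries go to the front
        while group:
            total = sum(r.weight for r in group)
            pick = min(int(rng() * (total + 1)), total)   # uniform in [0, total]
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:                  # first record whose running sum reaches pick
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered


# Constructed zone fragment: two DCs at priority 0 sharing load, one fallback at priority 10.
SAMPLE_ZONE = """\
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 100 389 dc3.example.com.
"""


def locate_dcs(zone_text: str, rng: Callable[[], float] = random.random) -> List[str]:
    """Return 'host:port' targets in the order a client should try them."""
    records = [parse_srv(line) for line in zone_text.splitlines() if line.strip()]
    return [f"{r.target}:{r.port}" for r in order_targets(records, rng)]


if __name__ == "__main__":
    print(dc_locator_name("example.com"))
    print(locate_dcs(SAMPLE_ZONE))
```

Whoever controls these SRV answers controls which host a domain member treats as its domain controller, which is the reason Secure Dynamic DNS (page 17) matters for the _msdcs records in particular.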

Page 21: Configuring DNS

Installing DNS Through Server Manager
Load Balancing through Round Robin
  You set up round robin load balancing by creating multiple resource records with the same hostname but different IP addresses for multiple computers.
  If round robin is enabled, when a client requests name resolution, the first address entered in the database is returned to the resolver and is then sent to the end of the list. The next time a client attempts to resolve the name, the DNS server returns the second name in the database (which is now the first name) and then sends it to the end of the list, and so on.
Configuring a Caching-Only Server
Setting Zone Properties
  SOA, Name Servers, WINS, Zone Transfers, Security, etc.
Configuring Dynamic Updates
Creating Delegated DNS Zones
Manually Creating Records
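The round-robin rotation described above, simulated as an added example (not code from the slides or from the Windows DNS server): several A records share one hostname, each answer hands back the list with the first address moved to the end, and a switch shows the fixed order clients see when round robin is disabled. Hostnames and addresses are constructed; the class and function names are this example's own.

```python
"""Added example: the round-robin rotation described on the slide, simulated.

Names and addresses are constructed; this models the described behaviour and is
not Windows DNS server code.
"""
from collections import deque
from typing import Deque, Dict, List


class RoundRobinResolver:
    """Holds several A records per name and rotates the answer list on each query."""

    def __init__(self, round_robin: bool = True):
        self.round_robin = round_robin
        self.records: Dict[str, Deque[str]] = {}

    def add_a_record(self, name: str, address: str) -> None:
        """Same hostname, another address: the record set that makes round robin work."""
        self.records.setdefault(name.lower(), deque()).append(address)

    def resolve(self, name: str) -> List[str]:
        """Return all addresses; with round robin on, the first one then moves to the end."""
        addresses = self.records.get(name.lower())
        if not addresses:
            return []
        answer = list(addresses)
        if self.round_robin:
            addresses.rotate(-1)          # first address goes to the back of the list
        return answer


def first_choice_sequence(server: RoundRobinResolver, name: str, queries: int) -> List[str]:
    """Which address each successive client uses if it takes the first answer it receives."""
    return [server.resolve(name)[0] for _ in range(queries)]


if __name__ == "__main__":
    dns = RoundRobinResolver()
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        dns.add_a_record("www.example.com", ip)
    print(first_choice_sequence(dns, "www.example.com", 6))
```

A practical caveat the simulation makes obvious: the rotation only spreads load across hosts that are up. DNS has no health check, so a failed host keeps receiving its share of clients until its record is removed.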

Page 22: Monitoring and Troubleshooting DNS

Monitoring DNS with the DNS Snap-In
Troubleshooting DNS
Using Nslookup
  Windows Server 2008 gives you the ability to launch nslookup from the DNS snap-in.
  Using Nslookup on the Command Line:
    nslookup DNS_name_or_IP_address server_IP_address
  Using Nslookup in Interactive Mode
Using DNSLint
  Here is the syntax for DNSLint:
    dnslint /d helps diagnose reasons that cause "lame delegation" and other related DNS problems.
    dnslint /ql helps verify a user-defined set of DNS records on multiple DNS servers.
    dnslint /ad helps verify DNS records pertaining to Active Directory replication.
Using Ipconfig
  ipconfig /all – Displays additional information about DNS, including the FQDN and the DNS suffix search list.
  ipconfig /flushdns – Flushes and resets the DNS resolver cache. For more information about this option, see the section "Configuring DNS" earlier in this chapter.
  ipconfig /displaydns – Displays the contents of the DNS resolver cache. For more information about this option, see "Configuring DNS" earlier in this chapter.
  ipconfig /registerdns – Refreshes all DHCP leases and re-registers the client's DNS names.

Page 23: Chapter 2 Exam Essentials

Understand the purpose of DNS: resolve Host name to IP Address.
Understand the different parts of the DNS database: SOA, MX, Host, PTR, SRV, NS records.
Know how DNS resolves names.
Understand the differences among DNS servers, clients, and resolvers.
Know how to install and configure DNS.
Know how to create new forward and reverse lookup zones.
Know how to configure zones for dynamic updates.
Know how to delegate zones for DNS.
Understand the tools that are available for monitoring and troubleshooting DNS.

Page 24: Questions and Answers

Page 25: Week 2 Assignment/Homework

Week 2 Lab Preparation:
  Download “Lab” Software from www.DreamSpark.com
    Download Windows 2008 Server ISO (FREE)
    Download Microsoft Virtual PC 2007 Install (FREE)
  Get HD (those who haven’t gotten theirs yet) from IT Chair – can also use personal laptops
Week 2 Reading:
  Read Chapter 3: Planning and Installation of Active Directory
  Read Chapter 4: Installing and Managing Trees and Forests