This document contains training notes for the MCITP Windows Server 2008 Active Directory 70-640 exam. It covers several topics in multiple lectures, including:
- The basics of Active Directory, domains, forests, and domain controllers
- Installing Active Directory on two domain controllers and configuring replication
- Remote desktop configuration on client and server sides
- Active Directory objects like users, groups, and organizational units and how to create them
The notes provide information on key Active Directory concepts and step-by-step instructions for common administrative tasks to help prepare for the 70-640 exam.
Active Directory Introduction
Active Directory Basics
Components of Active Directory
Active Directory hierarchical structure.
Active Directory Database.
Flexible Single Master Operations (FSMO)Role
Active Directory Services.
Some useful Tool
Active Directory Introduction
Active Directory Basics
Components of Active Directory
Active Directory hierarchical structure.
Active Directory Database.
Flexible Single Master Operations (FSMO)Role
Active Directory Services.
Some useful Tool
In presentation describe the structure of active directory architecture & also several components like object , attribute, Schema, Containers , Object Types, Data Model, Security Model & other components also describe.
In presentation describe the structure of active directory architecture & also several components like object , attribute, Schema, Containers , Object Types, Data Model, Security Model & other components also describe.
يوضح المخطط المرفق P.M. Processes Network ترابط مجموعات العمليات ومجالات المعرفة والعمليات والمدخلات والمخرجات والأدوات لكل عملية. وتم رسم بعض العلاقات لتوضيح أن بعض مخرجات العمليات قد تكون مدخلات لعمليات أخري، ولم يتم رسم كل العلاقات لان ذلك سيزيد المخطط تعقيدا. كما تم اختصار بعض المصطلحات فقط للتسهيل وتم توضيحها في جدول مع المخطط، وفي الجدول يوجد الاختصار والمصطلح وكم مرة تم ذكر المصطلح Input و Output أو Tool . ولا يغني هذا المخطط عن PMBOk اطلاقاً، لكن يعتبر مدخل لتسهيل الفهم، والاهم فهم كيفية التطبيق ثم التطبيق العملي، ونشر المعرفة.
P.M. Processes Network thread processes and areas of knowledge, processes, and input and output tools for each process groups.
7 tips to simplify Active Directory Management Zoho Corporation
7 Tips to simplify Active Directory Management
1.Investigate nested group memberships and manage appropriate group permissions.
2.Identify and manage available server shares and user permissions for confidential files and folders.
3.Learn more about Office 365 license management and reporting; identify inactive, licensed, and unlicensed Office 365 users.
4.Learn how to use ADManager Plus's 200+ reports to retrieve essential data from Active Directory, Exchange, Office 365, and Google Apps.
5.Practice effective account provisioning techniques that incorporate AD accounts, mailboxes, Office 365 mailboxes, Lync settings, profile paths, and home folders.
6.Automatically trace, quarantine, and clean up stale accounts from Active Directory.
7.Create a user management console for HR or branch heads to create and manage their teams' accounts.
Ray’s Food: Configuration Scenario
Michael Boddie
Administering Windows Server
NTC/326
Sokly Vann
March 19, 2018
-Welcome-
1
Introduction
Active directory is the heart of windows server 2012
How to add three grocery locations to the corporate office domain.
Configuring Active directory
Managing Active directory (Active Directory Management) involves implementing Read Only Domain Controller (RODC), administering AD DS, implementing virtualized Domain controllers and managing the AD DS database
Active directory provides the necessary identity management. It allows network administrators to store and manage information about resources of the organization network.
Active directory provides authorization and authentication mechanism. It also provides framework within which other related services are deployed
Active directory management is the process of monitoring the operations of the Active Directory services. The major goal of active directory management is to automate Active directory user Active Directory provisioning processes.
Active directory includes:
Replication service
A query and index mechanism
A global catalog
A set of rules
2
How to add locations to the corporate network
Ray’s food network administrator can add locations to the corporate network by creating a domain account in Active directory
As one configures the Active directory domain, one can specify one or more active directory domains that the organizations can select when they authenticate
Managing and configuring Active Directory can take at most three hours (Lowe-Norris, 2006)
A location can also be referred to as a site
Once Active directory is installed one need to configure the domain. To do this, the network administrator needs to follow nine steps which are
Open server manager
Open notification icon from the top of the server manager
Click “promote this server to a domain controller‘”
Select add new forest from the radial options menu
Select a domain and forest functional level
Review the warning on the DNS which is the followed by clicking next
Enter a NetBIOS name and clicking next
Specify the location of SYSVOL fodders, database, and log files and then click next
Review the configuration options and click next
Review the configuration options and then click install when all the prerequisite have been successfully passed
After the installation is complete the machine reboots
3
References
Lowe-Norris, A. G., & Overdrive Inc. (2006). Active Directory. S.I.: O'Reilly Media. .
-Thank You-
4
Running head: VPN, DIRECTACCESS, AND WINDOWS ROUTING
VPN, DIRECTACCESS, AND WINDOWS ROUTING 2
Ray’s Food: VPN, Direct Access, and Windows Routing
Michael Boddie
Administering Windows Server
NTC/326
Sokly Va ...
Getting Started
This guide will help you deploy a Cloudtenna DirectShare virtual appliance (VA) using VMware ESXi.
Assumptions
• It is assumed that the reader has a working knowledge of VMware vSphere system administration,
Microsoft® Windows® desktop and server administration, SAN network design, basic Ubuntu Linux
commands and basic SAN storage operations.
• This is not a complete “how to” guide. Step by step setup is covered in part, examples of screen shots
and settings should be sufficient for the reader to apply the right changes to implement the steps outlined
in this guide.
Limitations and Other Considerations
External File Sharing and Collaboration can be setup in multiple different fashions. This solution guide will
address a specific scenario and how to build around it.
For information on how to setup a NON-PRODUCTION Windows Server 2012R2 demo environment in
conjunction with a DirectShare virtual appliance, download the “How to setup a Fresh Windows Server
for a DirectShare EasyDemo” at https://channel.ctna.co/downloads/ .
CLOUDTENNA DIRECTSHARE QUICK-START GUIDE 4
DirectShare Virtual Appliance Sizing
Optimal performance of the DirectShare VA (Virtual Appliance) is dependent on several factors. Sizing of
the VA is determined by number of concurrent users accessing files at max load.
Production sizing of compute resources should be determined by monitoring of the VA during initial usage
and onboarding of users. Although system administrators are accustomed to this best practice, more
frequent checks of resource utilization are recommended, as each environment has different success criteria
and usage, activity varies throughout different times of day, days of week, and seasonal demands on the
network may vary.
A deescalating resource monitoring check is recommended similar to this example:
Day 1+: Once every few until all users are on boarded and have successfully connected at least once.
Day 2: Twice daily.
Day 3 - 7: Once daily.
Day 8+: Notifications configured to alert administrators at 80% of vCPU and/or RAM reached.
Minimum VA resources:
• 1 vCPU, 2 GB RAM, 40 GB local volume (few users with limited file transfer requests).
• < 25 concurrent file transfers
Medium VA resources:
• 2 vCPU, 4 GB RAM, 40 GB local volume (light file transfers evenly throughout the day).
• < 75 concurrent file transfers
Large VA resources:
• 4 vCPU, 8 GB RAM, 40 GB local volume (increased file transfers at different peak times of day).
• < 150 concurrent file transfers
Maximum VA sizing:
• 8 vCPU, 16 GB RAM, 40 GB local volume (heavy concurrent file transfers all day long).
• <= 300 concurrent file transfers
The above-recommended resource allocations are for a single DirectShare VA. Local volume size
of 40 GB may be increased to accommodate longer audit log retention requirements, but not
required for performance.
This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area on the exam. http://www.allpass4sure.com/microsoft-pdf-70-410.html
1049: Best and Worst Practices for Deploying IBM Connections - IBM Connect 2016panagenda
Depending on deployment size, operating system and security considerations you have different options to configure IBM Connections. This session show good and bad examples on how to do it from multiple customer deployments. Christoph Stoettner describes things he found and how you can optimize your systems. Main topics include simple (documented) tasks that should be applied, missing documentation, automated user synchronization, TDI solutions and user synchronization, performance tuning, security optimizing and planning Single Sign On for mail, IBM Sametime and SPNEGO. This is valuable information that will help you to be successful in your next IBM Connections deployment project.
A presentation from Christoph Stoettner (panagenda).
Reply 1 neededThere are a couple of options available when upg.docxsodhi3
Reply 1 needed
There are a couple of options available when upgrading from Server 2008 (R2) to Server 2012. The first and easiest option is a clean install. In this option, data must first be backed up as this will delete the previous OS and install the new version. The second option is a standard upgrade. This option preserves all the server roles currently in place as well as the hardware being used. (Microsoft, n.d).
Some limitations to consider when upgrading are as follows:
-Windows Server 2012 only supports 64-bit hardware
-Upgrade from one language to another is not supported
-Upgrading to certain editions are dependent on the previous OS you are running.
-Some roles that are previously installed may not work properly and may need additional upgrades.
I would recommend a clean install to avoid any issues that may develop during or after an in-place upgrade. I think that it would be more difficult to troubleshoot a standard upgrade failure than a clean install. Clean install may also alleviate the issues of previous application not working properly and may solve any current issues the server maybe experiencing.
Reference:
Microsoft. (n.d). Windows Server Installation and Upgrade. Retrieved from:
https://technet.microsoft.com/en-us/windowsserver/dn527667.aspx
Reply 2 needed
Server Core is good for a very large enterprise environment. In this kind of environment, where hundreds of servers are employed, it is not ideal for the administrator to go to the individual server and manage them locally. Most of these configurations would be run through scripts and remote administrator tools, therefore, server core should be utilized.
Some roles that I would install are active directory which handles network management of users data and security. Another would be Hyper-V which consolidates multiple servers into one single system. Other roles that could be used with server core includes DNS, DHCP, File Services, Print Services, Streaming Media Services, Web Server. (Microsoft, n.d).
There are several advantages of using Server Core. One advantage would be security. Since server core has less services running on it, there are fewer possible of malicious attacks. It has greater stability since it requires less processes and services fewer things can go wrong. It also has a smaller footprint and requires fewer resources such as RAM as compared to using a full GUI. The disadvantages of Server Core is it has a steep learning curve and is limited to nine server roles
Reference:
Microsoft. (n.d). Why is Server Core Useful? Retrieved from: https://msdn.microsoft.com/en-us/library/dd184076.aspx
Reply 1 needed
When migrating from Windows Server 2008 to Windows Server 2012, the system requirements remain unchanged. Some features such as virtual domain controller cloning require that the PDC emulator run Windows Server 2012 and a computer running Windows Server 2012 with the Hyper-V role installed. Here are some big issues to keep in mind ...
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
MCITP
1. 1
MCITP Windows Server 2008 Active Directory 70-640
MCITP
Microsoft Certified IT Professional
Training Notes
Windows Server 2008 Active Directory
Exam Code 70-640
1
MCITP Windows Server 2008 Active Directory 70-640
MCITP
Microsoft Certified IT Professional
Training Notes
Windows Server 2008 Active Directory
Exam Code 70-640
1
MCITP Windows Server 2008 Active Directory 70-640
MCITP
Microsoft Certified IT Professional
Training Notes
Windows Server 2008 Active Directory
Exam Code 70-640
3. 3
MCITP Windows Server 2008 Active Directory 70-640
Lecture Outline:
1. What is active directory
2. What is domain controller
3. User login process
4. Windows server 2008 “Namespace”
5. Windows forest concept
6. Server roles
What is Active Directory:
Active directory is a database or container which can hold different types of network objects like
users, groups, organizational units, services like email, ftp, web etc and resources like printers,
share folders map drives etc.
Domain Controller:
A domain controller is a server in the network which holds the active directory.
User Login Process:
When a user wants to login to his computer on a domain his user name and password is being
sent to the domain controller for the authentication and verification.
4. 4
MCITP Windows Server 2008 Active Directory 70-640
Windows Server 2008 “Namespace”:
Windows server 2008 namespace is name of the domain which is used to connect different
computers to the active directory like home.com. User login names are also the part of name
space ahmad@home.com
Windows Forest Concept:
The Active Directory framework that holds the objects can be viewed at a number of levels. The
forest, tree, and domain are the logical divisions in an Active Directory network.
Within a deployment, objects are grouped into domains. The objects for a single domain are
stored in a single database (which can be replicated). Domains are identified by their DNS name
structure, the namespace.
A tree is a collection of one or more domains and domain trees in a contiguous namespace,
linked in a transitive trust hierarchy.
At the top of the structure is the forest. A forest is a collection of trees that share a common
global catalog, directory schema, logical structure, and directory configuration. The forest
represents the security boundary within which users, computers, groups, and other objects are
accessible.
5. 5
MCITP Windows Server 2008 Active Directory 70-640
Server Roles:
In windows server 2008 roles are used to define which services it will be going to provide to the
network users like DNS, AD, FTP, Web, DHCP etc.
7. 7
MCITP Windows Server 2008 Active Directory 70-640
Lecture Outline:
1. Server 2008 installation methods
2. Server 2008 hardware requirements and editions
3. Installation of active directory on DC1 and DC2
4. Replication between two domain controllers
Server 2008 Installation Methods:
Server 2008 provides 2 types of installation
1. Bare Metal Installation
Bare metal installation is used to install server 2008 on hard disk on which no
operating system is installed.
2. Upgrade Installation
Upgrade installation is used to upgrade from server 2003 to server 2008 operating
system.
Note:
Server 2000 cannot be upgraded to server 2008 operating system.
Server 2008 hardware requirements and editions:
For the installation of server 2008 the following hardware requirements the shown in the chart
given below
8. 8
MCITP Windows Server 2008 Active Directory 70-640
Installation of active directory on DC1 and DC2:
The scenario for installation of active directory on DC1 and DC2 is shown above
Note:
For installation of active directory the following items should be configured
1. All the servers should have static IP address
2. The domain administrator account should be renamed and its password should be
complex.
3. Both the servers should have connectivity
Steps for installing active directory domain services
9. 9
MCITP Windows Server 2008 Active Directory 70-640
1. Open Server Manager by clicking the icon in the Quick Launch toolbar, or from the
Administrative Tools folder.
2. Wait till it finishes loading, then click on Roles > Add Roles link.
3. In the before you begin window, click Next.
4. In the Select Server Roles window, click to select Active Directory Domain Services
and then click next.
10. 10
MCITP Windows Server 2008 Active Directory 70-640
5. In the Active Directory Domain Services window read the provided information if you
want to, and then click Next.
6. In the Confirm Installation Selections, read the provided information if you want to, and
then click Next.
11. 11
MCITP Windows Server 2008 Active Directory 70-640
7. Wait till the process completes.
8. When it ends, click Close.
12. 12
MCITP Windows Server 2008 Active Directory 70-640
9. Going back to Server Manager, click on the Active Directory Domain Services link, and note
that there's no information linked to it, because the DCPROMO command has not been run yet.
10. Now you can click on the DCPROMO link, or read on.
13. 13
MCITP Windows Server 2008 Active Directory 70-640
a. To run DCPROMO, enter the command in the Run command, or click on the
DCPROMO link from Server Manager > Roles > Active Directory Domain
Services.
b. Depending upon the question if AD-DS was previously installed or not, the Active
Directory Domain Services Installation Wizard will appear immediately or after a
short while. Click Next.
13
MCITP Windows Server 2008 Active Directory 70-640
a. To run DCPROMO, enter the command in the Run command, or click on the
DCPROMO link from Server Manager > Roles > Active Directory Domain
Services.
b. Depending upon the question if AD-DS was previously installed or not, the Active
Directory Domain Services Installation Wizard will appear immediately or after a
short while. Click Next.
13
MCITP Windows Server 2008 Active Directory 70-640
a. To run DCPROMO, enter the command in the Run command, or click on the
DCPROMO link from Server Manager > Roles > Active Directory Domain
Services.
b. Depending upon the question if AD-DS was previously installed or not, the Active
Directory Domain Services Installation Wizard will appear immediately or after a
short while. Click Next.
14. 14
MCITP Windows Server 2008 Active Directory 70-640
c. In the Operating System Compatibility window, read the provided information and
click next.
d. In the Choosing Deployment Configuration window, click on "Create a new domain
in a new forest" and click next.
15. 15
MCITP Windows Server 2008 Active Directory 70-640
e. Enter an appropriate name for the new domain. Make sure you pick the right domain
name, as renaming domains is a task you will not wish to perform on a daily basis.
Click Next.
Note:
Do NOT use single label domain names such as "mydomain" or similar. You MUST pick
a full domain name such as "mydomain.local" or "mydomain.com" and so on.
The wizard will perform checks to see if the domain name is not already in use on the
local network.
16. 16
MCITP Windows Server 2008 Active Directory 70-640
f. Pick the right forest function level. Windows 2000 mode is the default, and it allows
the addition of Windows 2000, Windows Server 2003 and Windows Server 2008
Domain Controllers to the forest you're creating.
17. 17
MCITP Windows Server 2008 Active Directory 70-640
g. The wizard will perform checks to see if DNS is properly configured on the local
network. In this case, no DNS server has been configured, therefore, the wizard will
offer to automatically install DNS on this server.
Note:
The first DCs must also be a Global Catalog. Also, the first DCs in a forest cannot be a Read
Only Domain controller.
h. It's most likely that you'll get a warning telling you that the server has one or more
dynamic IP Addresses. Running IPCONFIG /all will show that this is not the case,
18. 18
MCITP Windows Server 2008 Active Directory 70-640
because as you can clearly see, I have given the server a static IP Address. So, where
did this come from? The answer is IPv6. I did not manually configure the IPv6
Address, hence the warning. In a network where IPv6 is not used, you can safely
ignore this warning.
i. You'll probably get a warning about DNS delegation. Since no DNS has been
configured yet, you can ignore the message and click Yes.
19. 19
MCITP Windows Server 2008 Active Directory 70-640
j. Next, change the paths for the AD database, log files and SYSVOL folder. For large
deployments, carefully plan your DC configuration to get the maximum performance.
When satisfied, click Next.
k. Enter the password for the Active Directory Recovery Mode. This password must be
kept confidential, and because it stays constant while regular domain user passwords
expire (based upon the password policy configured for the domain, the default is 42
days), it does not. This password should be complex and at least 7 characters long. I
strongly suggest that you do NOT use the regular administrator's password, and that
you write it down and securely store it. Click Next.
20. 20
MCITP Windows Server 2008 Active Directory 70-640
l. In the Summary window review your selections, and if required, save them to an
unattended answer file. When satisfied, click Next.
21. 21
MCITP Windows Server 2008 Active Directory 70-640
m. The wizard will begin creating the Active Directory domain, and when finished, you
will need to press Finish and reboot your computer.
22. 22
MCITP Windows Server 2008 Active Directory 70-640
Note:
Now join DC2 to the domain you have created on the DC1, after that run dcpromo.exe on DC2
to install the second domain controller.
Replication between two domain controllers:
After the successful creation of both the domain controllers a user name test is created on
the domain controller and that user is also replicated to the additional domain controller
after some time as shown in the above diagram.
Note:
In a case if the replication is not working automatically the following command is used for
replication
Open the command prompt and type the following command
C :> repadmin /syncall
24. 24
MCITP Windows Server 2008 Active Directory 70-640
Lecture Outline:
1. Configuration of remote desktop connection on client side operating system
Remote desktop configuration scenario:
Server 2008 Client Computer
Request for remote desktop
Server side steps:
1. Go to Control Panel>System>Advanced System Settings
2. Go to Remote tab.
3. Under Remote Assistance, put a check mark on Allow Remote Assistance connections to
this computer.
24
MCITP Windows Server 2008 Active Directory 70-640
Lecture Outline:
1. Configuration of remote desktop connection on client side operating system
Remote desktop configuration scenario:
Server 2008 Client Computer
Request for remote desktop
Server side steps:
1. Go to Control Panel>System>Advanced System Settings
2. Go to Remote tab.
3. Under Remote Assistance, put a check mark on Allow Remote Assistance connections to
this computer.
24
MCITP Windows Server 2008 Active Directory 70-640
Lecture Outline:
1. Configuration of remote desktop connection on client side operating system
Remote desktop configuration scenario:
Server 2008 Client Computer
Request for remote desktop
Server side steps:
1. Go to Control Panel>System>Advanced System Settings
2. Go to Remote tab.
3. Under Remote Assistance, put a check mark on Allow Remote Assistance connections to
this computer.
25. 25
MCITP Windows Server 2008 Active Directory 70-640
4. Click on apply.
Client side steps:
1. Go to Start>All Programs>Accessories>Remote Desktop Connection
2. Enter the Computer Name or IP address of the computer you wish to connect to.
3. For more connection options, click on Options
25
MCITP Windows Server 2008 Active Directory 70-640
4. Click on apply.
Client side steps:
1. Go to Start>All Programs>Accessories>Remote Desktop Connection
2. Enter the Computer Name or IP address of the computer you wish to connect to.
3. For more connection options, click on Options
25
MCITP Windows Server 2008 Active Directory 70-640
4. Click on apply.
Client side steps:
1. Go to Start>All Programs>Accessories>Remote Desktop Connection
2. Enter the Computer Name or IP address of the computer you wish to connect to.
3. For more connection options, click on Options
26. 26
MCITP Windows Server 2008 Active Directory 70-640
Note:
Here you can save the connection profile, adjust display properties, run specified
programs upon connection, adjust connection bandwidth, etc. For more information on
specific tabs, click on Help.
4. Click on Connect
5. Enter your log in credentials of a user account on the remote computer that is allowed to
do a remote desktop connection.
26
MCITP Windows Server 2008 Active Directory 70-640
Note:
Here you can save the connection profile, adjust display properties, run specified
programs upon connection, adjust connection bandwidth, etc. For more information on
specific tabs, click on Help.
4. Click on Connect
5. Enter your log in credentials of a user account on the remote computer that is allowed to
do a remote desktop connection.
26
MCITP Windows Server 2008 Active Directory 70-640
Note:
Here you can save the connection profile, adjust display properties, run specified
programs upon connection, adjust connection bandwidth, etc. For more information on
specific tabs, click on Help.
4. Click on Connect
5. Enter your log in credentials of a user account on the remote computer that is allowed to
do a remote desktop connection.
28. 28
MCITP Windows Server 2008 Active Directory 70-640
Lecture outline:
1. Active directory objects
2. Users, Groups and Organizational Units
3. How to create OU’s in AD
4. How to create groups in AD
5. How to create users in AD
Active directory object:
An Active Directory structure is a hierarchical arrangement of information about objects. The
objects fall into two broad categories: resources (e.g., printers) and security principals (user or
computer accounts and groups). Security principals are assigned unique security identifiers
(SIDs).
Each object represents a single entity whether a user, a computer, a printer, or a group and its
attributes. Certain objects can contain other objects. An object is uniquely identified by its name
and has a set of attributes the characteristics and information that the object represents defined by
a schema, which also determines the kinds of objects that can be stored in Active Directory.
Users, groups and organizational units:
Organizational Units are called container objects since they help to organize the directory and
can contain other objects including other OUs. The basic unit of administration is now
organizational units rather than domains. Organizational units allow the creation of sub
domains which are also called logical domains. Microsoft recommends that there should never
be more than 10 levels or organizational unit nesting.
1. Organizational Unit - Used to create a hierarchy of AD objects into logical business
units. Other organizational units may be contained inside organizational units.
2. User - Individual person
3. Group - Groups of user accounts. Groups make user management easier.
4. Computer - Specific workstations.
5. Contact - Administrative contact for specific active directory objects.
6. Connection - A defined one direction replication path between two domain controllers
making the domain controllers potential replication partners. These objects are
maintained on each server in "Active Directory Sites and Services".
7. Shared folder - Used to share files and they map to server shares.
8. Printer - Windows NT shared printers are not published automatically.
9. Site - A grouping of machines based on a subnet of TCP/IP addresses. An administrator
determines what a site is. Sites may contain multiple subnets. There can be several
domains in a site. For example, an organization may have branches around the city they
are located in. Each location may be a site.
29. 29
MCITP Windows Server 2008 Active Directory 70-640
How to create OU’s in AD:
1. Click on Start button and go to Administrative Tools.
2. From the appeared menu click on Active Directory Users and Computers and from the
opened snap-in right click on the name of the domain.
3. From the appeared menu list point the mouse to New and from the available submenu
click on Organizational Unit.
4. On New Object – Organizational Unit box type in the name of the organizational unit
in Name text box and click on Ok button to create the new OU.
How to create groups in AD:
1. Click on Start button and go to Administrative Tools.
2. From the appeared menu click on Active Directory Users and Computers and from the
opened snap-in right click on the name of the domain.
3. From the appeared menu list point the mouse to New and from the available submenu
click on Group.
4. On New Object – Group box type in the name of the group in Name text box and click
on Ok button to create the new group.
30. 30
MCITP Windows Server 2008 Active Directory 70-640
How to create users in AD:
There are two ways of creating users in AD
1. Graphical method
2. Command line method (for bulk creation of users)
1. Graphical Method
a. Open up Server Manager
31. 31
MCITP Windows Server 2008 Active Directory 70-640
b. Next we will open up the Roles section, next to Active Directory Users and
Computers section and finally the Active Directory Users and Computers. You
should now see your domain name.
c. We are going to click on our Users section where we are going to create a new User
Account. To do so, right-click on the blank section, point to New and select User.
32. 32
MCITP Windows Server 2008 Active Directory 70-640
d. In this window you need to type in the user’s first name, middle initial and last name.
Next you will need to create a user’s logon name.
In our example we are going to create a user account for Billy Miles and his logon
name will be bmiles. When done, click on the Next button.
e. In the next window you will need to create a password for your new user and select
appropriate options.
In our example we are going to have the user change his password at his next logon.
You can also prevent a user from changing his password, set the password so that it
will never expire or completely disable the account.
When you are done making your selections, click the Next button.
33. 33
MCITP Windows Server 2008 Active Directory 70-640
f. And finally, click on the Finish button to complete the creation of new User Account.
2. Command line method
For bulk creation of users in AD a dos command is used add users
1. Open the notepad and type the following command
34. 34
MCITP Windows Server 2008 Active Directory 70-640
ds add user “cn= %1, ou=child ou, ou=parent ou, dc=domain name, dc=com” –fn
%2 –ln %3 –pwd abc123* -mustchpwd yes
2. Save the file adduset.bat
3. Now open the command prompt and go to the directory where this file is saved
4. Type adduser.bat user login name user first name user last name
5. Users will be added to the AD
Creating a bunch of users at once
1. Copy and paste the first and last names of your users into the Add Users Info Here
sheet
2. Type the Child OU name and Auto fill it down.
3. Type the Parent OU name and Auto fill it down.
4. Go to Mass User Creation Script Source and check to see if the domain name and
suffix are correct. If not, fill in correct value on the first line and Auto fill down.
5. On the Save this sheet as text file sheet, make sure to auto fill for all required user
names.
6. Go to File--> Save As and save the sheet in a convenient place, making sure to select
Formatted Text (Space Delimited) as the file type
7. Take your .prn file rename it to something like .bat
8. Post to your server and run it at the command line.
36. 36
MCITP Windows Server 2008 Active Directory 70-640
Lecture outline:
1. NTFS permissions
2. NTFS permissions v/s share permissions
3. How to share
4. Mapping network drives
NTFS permissions:
NTFS (New Technology File System) is the standard file system of Windows NT, including its
later versions Windows 2000, Windows XP, Windows Server 2003, Windows Server
2008, Windows Vista, and Windows 7.
NTFS supersedes the FAT file system as the preferred file system for
Microsoft’s Windows operating systems. NTFS has several improvements over FAT and HPFS
(High Performance File System) such as security access control lists (ACL).
Administrators can use the NTFS utility to provide access control for files and folders, containers
and objects on the network as a type of system security. Known as the “Security Descriptor”, this
information controls what kind of access is allowed for individual users and groups of users.
NTFS permissions v/s share permissions:
As mentioned earlier, shared permissions only apply to shares that you connect to over the
network. As well, share permissions work over NTFS permissions. NTFS permissions apply
both locally and across the network.
A share is another name for a shared network folder.
There are only 3 types of share permissions:
1. Read – View folder names and attributes; view file names and attributes; view file data;
execute applications.
2. Change – View, create, delete or change folders, folder names and attributes (except
permissions); view, create, delete or change files, file names and attributes (except
permissions); view, create, delete or change file data; execute applications.
3. Full control – Perform all functions allowed by change permission; edit permissions and
take ownership of files.
How to share:
To share data in the form of folders and newly added console named share and storage
management console is used to open the SSM
1. Go to Start
2. Administrative Tools
37. 37
MCITP Windows Server 2008 Active Directory 70-640
3. Share and Storage Management.
4. From the Action pane, choose Provision Share to start the wizard.
5. The first screen of the wizard asks you to specify the location that you would like to
share. Use the Browse button to do so. For this example, I'm sharing the
C:StorageReports folder.
6. Any time you open up access to a resource, you should limit who can access that resource
to just those that require access. On the NTFS Permissions page of the wizard, you can
opt to keep the default NTFS permissions or change permissions depending on your
needs. In Figure I, note that I've shown both the NTFS Permissions page as well as the
Edit Permissions dialog box to give you a look at how to change permissions. If you want
to change permissions, in the Permissions for dialog box click the Add button, select the
user that should be added to the permissions list and choose the appropriate permissions.
38. 38
MCITP Windows Server 2008 Active Directory 70-640
4. The next step of the wizard asks you to choose the protocol(s) allowed to access the share. If
you've opted to install the NFS portion of the File Services role, the NFS option will be
available. If not, just SMB (Server Message Block), the Windows default, is available. The
Share name field is automatically populated with the name of the folder you selected.
5. On the SMB Settings page, provide a description of the share that will show up when people
browse the server. Lower on the page, note the advanced settings area. If you want to
change these settings, click the advanced button. Figure J shows you the advanced options
page. On the Advanced page, note the Enable access-based enumeration checkbox. Access-
based enumeration was introduced in an add-on in previous versions of Windows Server
and brings to Windows the ability to limit user's visibility to just the folders that the user has
rights to see.
39. 39
MCITP Windows Server 2008 Active Directory 70-640
6. Next up… SMB permissions. On the SMB Permissions page, decide how you want users to
be able to access the resource over the network. Note that this set of permissions is separate
from the NTFS permissions you worked with previously. The SMB permissions (also called
share permissions) are combined with NTFS permissions and the most restrictive
permissions will apply. I recommend that you simply set SMB permissions
to Administrators have Full Control; all other users and groups have only Read access and
Write access and use just NTFS permissions to limit access.
7. On the review page, review your selections and click the Create button. When you're done,
choose the Shares tab in the main console. You should see your new share listed, as shown
in Figure K.
Mapping network drives:
In order to map a network drive on server 2008 the follow the steps
1. Make a new folder on any of the drive
2. Share that folder over the network with the appropriate NTFS permissions
3. Open my computer and click on the option named map network drive
4. Give the UNC name of the share folder and then click finish
41. 41
MCITP Windows Server 2008 Active Directory 70-640
Lecture outline:
1. What is group policy
2. Policy setting order
3. Group policy management console to apply group policy
What is group policy:
Group Policy is a feature of the Microsoft Windows NT family of operating systems. Group
Policy is a set of rules which control the working environment of user accounts and computer
accounts. Group Policy provides the centralized management and configuration of operating
systems, applications and users' settings in an Active Directory environment. In other words,
Group Policy in part controls what users can and cannot do on a computer system. Although
Group Policy is more often seen in use for enterprise environments, it is also common in schools,
smaller businesses and other kinds of smaller organizations. Group Policy is often used to restrict
certain actions that may pose potential security risks, for example: to block access to the Task
Manager, restrict access to certain folders, disable the downloading of executable files and so on.
Policy setting order:
Group policies are processed in the following order:
1. Local Group Policy objects - This applies to any settings in the computer's local policy
(accessed by running gpedit.msc). Previous to Windows Vista, there was only one local
group policy stored per computer. There are now individual group policies settable per
account of a Windows Vista and 7 machine
2. Site - Next the computer processes any group policies that are applied to the site the
computer is currently in. If multiple policies are linked to a site these are processed in the
order set by the administrator using the Linked Group Policy Objects tab, policies with
the lowest link order are processed last and have the highest precedence.
3. Domain - Any policies applied at the domain level (default domain policy) are processed
next. If multiple policies are linked to a domain these are processed in the order set by the
administrator using the Linked Group Policy Objects tab, policies with the lowest link
order are processed last and have the highest precedence.
4. Organizational Unit - Last group policies assigned to the organizational unit that
contains the computer or user are processed. If multiple policies are linked to an
organizational unit these are processed in the order set by the administrator using the
Linked Group Policy Objects tab, policies with the lowest link order are processed last
and have the highest precedence.
42. 42
MCITP Windows Server 2008 Active Directory 70-640
Group policy management console to apply group policy:
Group policy management console is a toll which is used to manage the group policies in a more
effective and efficient way. GPMC is by default installed in server 2008.
1. To open the GPMC, click Start, click Administrative Tools, and then click Group
Policy Management.
2. In the GPMC console tree, expand Group Policy Objects in the forest and domain
containing the GPO that you want to edit.
3. Right-click the GPO that you want to edit, and then click Edit.
4. Select the appropriate policy which you want to apply to an OU.
5. Link the newly created GPO to the OU.
6. Open command prompt and use the following to update the group policy settings to all
the domain users
C :> gpupdate force
44. 44
MCITP Windows Server 2008 Active Directory 70-640
Lecture outline:
1. How to exempt a user or group from the group policy
How to exempt a user or group from the group policy:
To exempt a user or group from the group policy use the following process
1. Open the Group Policy Object that you want to apply an exception and then click on the
“Delegation” tab and then click on the “Advanced” button.
2. Click on the “Add” button and select the group (recommended) that you want to exclude
from having this policy applied.
44
MCITP Windows Server 2008 Active Directory 70-640
Lecture outline:
1. How to exempt a user or group from the group policy
How to exempt a user or group from the group policy:
To exempt a user or group from the group policy use the following process
1. Open the Group Policy Object that you want to apply an exception and then click on the
“Delegation” tab and then click on the “Advanced” button.
2. Click on the “Add” button and select the group (recommended) that you want to exclude
from having this policy applied.
44
MCITP Windows Server 2008 Active Directory 70-640
Lecture outline:
1. How to exempt a user or group from the group policy
How to exempt a user or group from the group policy:
To exempt a user or group from the group policy use the following process
1. Open the Group Policy Object that you want to apply an exception and then click on the
“Delegation” tab and then click on the “Advanced” button.
2. Click on the “Add” button and select the group (recommended) that you want to exclude
from having this policy applied.
45. 45
MCITP Windows Server 2008 Active Directory 70-640
3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select
this group in the “Group or user names” list and then scroll down the permission and tick the
“Deny” option against the “Apply Group Policy” permission.
45
MCITP Windows Server 2008 Active Directory 70-640
3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select
this group in the “Group or user names” list and then scroll down the permission and tick the
“Deny” option against the “Apply Group Policy” permission.
45
MCITP Windows Server 2008 Active Directory 70-640
3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select
this group in the “Group or user names” list and then scroll down the permission and tick the
“Deny” option against the “Apply Group Policy” permission.
47. 47
MCITP Windows Server 2008 Active Directory 70-640
Lecture outline:
1. Loop back processing in group policy
2. How to map network drive
Loop back processing in group policy:
As we know group policy has two main configurations, user and computer. Accordingly, the
computer policy is applied to the computer despite of the logged user and the user configuration
is applied to the user despite of the computer he is logged on.
For example we have a Domain, this Domain has two different organizational units
(OU) Green and Red, Green OU contains a Computer account and Red OU contains User
account. The Green policy, which has settings “Computer Configuration 2 and User
Configuration 2”, is applied to the OU with the computer account. The Red policy, which has
settings “Computer Configuration 1” and “User Configuration 1”, is applied to the OU with the
User account. If you have a look at the picture below it will become clearer
.
48. 48
MCITP Windows Server 2008 Active Directory 70-640
If Loopback processing of Group Policy is not enabled and our User logs on to our Computer,
the following is true:
As we can see from the picture, the User gets Computer Configuration 2 and User Configuration
1. This is absolutely standard situation, where policies are applied according to the belonging to
the OU. User belongs to the Red OU, he gets the Red User configuration 1accordingly.
Now let’s enable the Loopback processing of Group Policy for the Green OU. In this case if the
User logs on to the Computer, the policies applied in the following way:
49. 49
MCITP Windows Server 2008 Active Directory 70-640
As we can see, now the User is getting User Configuration 2 despite of the fact that he belongs to
the Red OU. So, what has happened in this scenario, the User Configuration 1 was replaced with
the User Configuration 2, i.e. with the configuration applied to the Computer account.
As you have probably noticed, the picture above says “Loopback in replace mode”. I have to
mention that the Loopback processing of Group Policy has two different modes, Replace and
Merge. It is obvious that Replace mode replaces User Configuration with the one applied to the
Computer, whereas Merge mode merges two User Configurations.
In Merge mode, if there is a conflict, for example two policies provide different values for the
same configuration setting, the Computer’s policy has more privilege. For example in our
scenario, in case of the conflict the User Configuration 2 would be enforced.
In the real work environment Loopback processing of Group Policy is usually used on Terminal
Servers. For example you have users with enabled folder redirection settings, but you do not
want these folder redirection to work when the users log on to the Terminal Server, in this case
we enable Loopback processing of Group Policy in the Policy linked to the Terminal Server’s
Computer account and do not enable the folder redirection settings. In this case, once the User
logged on to the Terminal Server his folder redirection policy will not be applied.
How to map network drive:
In server 2008 Microsoft introduced a new way of mapping network drives which provides
administrators to quickly and easily map a network drive. Also there is no need to write a script
as in the server 2003.
50. 50
MCITP Windows Server 2008 Active Directory 70-640
1. Public drive mappings
Producing a Group Policy Preference item to create public drive mappings is simple. The
GPO containing the preference item is typically linked to higher containers in Active
Directory, such as a domain or a parent organizational unit.
Newly created Group Policy objects apply to all authenticated users. The drive map preference
items contained in the GPO inherits the scope of the GPO; leaving us to simply configure the
preference item and link the GPO. We start by configuring the drive map preference item by
choosing the Action of the item. Drive map actions include Create, Replace, Update, and
Delete. These are the actions commonly found in most preference
items. Create and Delete actions are self-explanatory. The compelling difference
between Replace and Update is that Replace deletes the mapped drive and then creates a new
mapped drive with the configured settings. Update does NOT delete the mapped drive-- it only
modifies the mapped drive with the new settings. Group Policy Drive Maps use the drive letter to
determine if a specific drive exists. The preceding image shows a Drive Map preference item
configure with the Replace action. The configured location is a network share named data;
hosted by a computer named hq-con-srv-01. The configured drive letter is the G drive. All other
options are left at their defaults. This GPO is linked at the contoso.com domain.
50
MCITP Windows Server 2008 Active Directory 70-640
1. Public drive mappings
Producing a Group Policy Preference item to create public drive mappings is simple. The
GPO containing the preference item is typically linked to higher containers in Active
Directory, such as a domain or a parent organizational unit.
Newly created Group Policy objects apply to all authenticated users. The drive map preference
items contained in the GPO inherits the scope of the GPO; leaving us to simply configure the
preference item and link the GPO. We start by configuring the drive map preference item by
choosing the Action of the item. Drive map actions include Create, Replace, Update, and
Delete. These are the actions commonly found in most preference
items. Create and Delete actions are self-explanatory. The compelling difference
between Replace and Update is that Replace deletes the mapped drive and then creates a new
mapped drive with the configured settings. Update does NOT delete the mapped drive-- it only
modifies the mapped drive with the new settings. Group Policy Drive Maps use the drive letter to
determine if a specific drive exists. The preceding image shows a Drive Map preference item
configure with the Replace action. The configured location is a network share named data;
hosted by a computer named hq-con-srv-01. The configured drive letter is the G drive. All other
options are left at their defaults. This GPO is linked at the contoso.com domain.
50
MCITP Windows Server 2008 Active Directory 70-640
1. Public drive mappings
Producing a Group Policy Preference item to create public drive mappings is simple. The
GPO containing the preference item is typically linked to higher containers in Active
Directory, such as a domain or a parent organizational unit.
Newly created Group Policy objects apply to all authenticated users. The drive map preference
items contained in the GPO inherits the scope of the GPO; leaving us to simply configure the
preference item and link the GPO. We start by configuring the drive map preference item by
choosing the Action of the item. Drive map actions include Create, Replace, Update, and
Delete. These are the actions commonly found in most preference
items. Create and Delete actions are self-explanatory. The compelling difference
between Replace and Update is that Replace deletes the mapped drive and then creates a new
mapped drive with the configured settings. Update does NOT delete the mapped drive-- it only
modifies the mapped drive with the new settings. Group Policy Drive Maps use the drive letter to
determine if a specific drive exists. The preceding image shows a Drive Map preference item
configure with the Replace action. The configured location is a network share named data;
hosted by a computer named hq-con-srv-01. The configured drive letter is the G drive. All other
options are left at their defaults. This GPO is linked at the contoso.com domain.
51. 51
MCITP Windows Server 2008 Active Directory 70-640
2. Inclusive drive mapping
Inclusive drive mappings are drives mapped to a user who is a member of (or included) in
a specific security group. The most common use for inclusive drive maps is to map
remote data shares in common with a specific sub set of users, such as accounting,
marketing, or human resources. Configuring an inclusively mapped drive is the same as a
public drive mapping, but includes one additional step. The following image shows us
configuring the first part of an inclusive drive mapping preference item.
Configuring the first part of an inclusive drive mapping preference item does not make it
inclusive; it does the work of mapping the drive. We must take advantage of item-level targeting
to ensure the drive mapping items works only for users who are members of the group. We can
configure item level targeting by clicking the Targeting button, which is located on the
Common tab of the drive mapping item. The targeting editor provides over 20 different types of
targeting items. We're specifically using the Security Group targeting item.
51
MCITP Windows Server 2008 Active Directory 70-640
2. Inclusive drive mapping
Inclusive drive mappings are drives mapped to a user who is a member of (or included) in
a specific security group. The most common use for inclusive drive maps is to map
remote data shares in common with a specific sub set of users, such as accounting,
marketing, or human resources. Configuring an inclusively mapped drive is the same as a
public drive mapping, but includes one additional step. The following image shows us
configuring the first part of an inclusive drive mapping preference item.
Configuring the first part of an inclusive drive mapping preference item does not make it
inclusive; it does the work of mapping the drive. We must take advantage of item-level targeting
to ensure the drive mapping items works only for users who are members of the group. We can
configure item level targeting by clicking the Targeting button, which is located on the
Common tab of the drive mapping item. The targeting editor provides over 20 different types of
targeting items. We're specifically using the Security Group targeting item.
51
MCITP Windows Server 2008 Active Directory 70-640
2. Inclusive drive mapping
Inclusive drive mappings are drives mapped to a user who is a member of (or included) in
a specific security group. The most common use for inclusive drive maps is to map
remote data shares in common with a specific sub set of users, such as accounting,
marketing, or human resources. Configuring an inclusively mapped drive is the same as a
public drive mapping, but includes one additional step. The following image shows us
configuring the first part of an inclusive drive mapping preference item.
Configuring the first part of an inclusive drive mapping preference item does not make it
inclusive; it does the work of mapping the drive. We must take advantage of item-level targeting
to ensure the drive mapping items works only for users who are members of the group. We can
configure item level targeting by clicking the Targeting button, which is located on the
Common tab of the drive mapping item. The targeting editor provides over 20 different types of
targeting items. We're specifically using the Security Group targeting item.
52. 52
MCITP Windows Server 2008 Active Directory 70-640
Using the Browse button allows us to pick a specific group in which to target the drive mapping
preference item. Security Group targeting items accomplishes its targeting by comparing security
identifiers of the specified group against the list of security identifiers with the security
principal's (user or computer) token. Therefore, always use the Browse button when selecting a
group; typing the group name does not resolve the name to a security identifier.
52
MCITP Windows Server 2008 Active Directory 70-640
Using the Browse button allows us to pick a specific group in which to target the drive mapping
preference item. Security Group targeting items accomplishes its targeting by comparing security
identifiers of the specified group against the list of security identifiers with the security
principal's (user or computer) token. Therefore, always use the Browse button when selecting a
group; typing the group name does not resolve the name to a security identifier.
52
MCITP Windows Server 2008 Active Directory 70-640
Using the Browse button allows us to pick a specific group in which to target the drive mapping
preference item. Security Group targeting items accomplishes its targeting by comparing security
identifiers of the specified group against the list of security identifiers with the security
principal's (user or computer) token. Therefore, always use the Browse button when selecting a
group; typing the group name does not resolve the name to a security identifier.
53. 53
MCITP Windows Server 2008 Active Directory 70-640
The preceding screen shows a properly configured, inclusive targeting item. A properly
configured security group targeting item shows both Group and SID fields. The Group field is
strictly for administrative use (we humans recognize names better than numbers). The SID field
is used by the client side extension to determine group membership. We can determine this is an
inclusive targeting item because of the text that represents the item within the list. The word is in
the text "the user is a member of the security group CONTOSOManagement." Our new drive
map item and the associated inclusive targeting item are now configured. We can now link the
hosting Group Policy object to the domain with confidence that only members of the
Management security group receive the drive mapping. We can see the result on a client. The
following image shows manager Mike Nash's desktop from a Windows Vista computer. We can
see that Mike receives two drive mappings: the public drive mapping (G: drive) and the
management drive mapping (M: drive).
53
MCITP Windows Server 2008 Active Directory 70-640
The preceding screen shows a properly configured, inclusive targeting item. A properly
configured security group targeting item shows both Group and SID fields. The Group field is
strictly for administrative use (we humans recognize names better than numbers). The SID field
is used by the client side extension to determine group membership. We can determine this is an
inclusive targeting item because of the text that represents the item within the list. The word is in
the text "the user is a member of the security group CONTOSOManagement." Our new drive
map item and the associated inclusive targeting item are now configured. We can now link the
hosting Group Policy object to the domain with confidence that only members of the
Management security group receive the drive mapping. We can see the result on a client. The
following image shows manager Mike Nash's desktop from a Windows Vista computer. We can
see that Mike receives two drive mappings: the public drive mapping (G: drive) and the
management drive mapping (M: drive).
53
MCITP Windows Server 2008 Active Directory 70-640
The preceding screen shows a properly configured, inclusive targeting item. A properly
configured security group targeting item shows both Group and SID fields. The Group field is
strictly for administrative use (we humans recognize names better than numbers). The SID field
is used by the client side extension to determine group membership. We can determine this is an
inclusive targeting item because of the text that represents the item within the list. The word is in
the text "the user is a member of the security group CONTOSOManagement." Our new drive
map item and the associated inclusive targeting item are now configured. We can now link the
hosting Group Policy object to the domain with confidence that only members of the
Management security group receive the drive mapping. We can see the result on a client. The
following image shows manager Mike Nash's desktop from a Windows Vista computer. We can
see that Mike receives two drive mappings: the public drive mapping (G: drive) and the
management drive mapping (M: drive).
55. 55
MCITP Windows Server 2008 Active Directory 70-640
Lecture outline:
1. How to install software on more than one computer
2. Steps for software installation
How to install software on more than one computer:
An .msi file for installation
1. Try to get an .msi version of a software package if at all possible.
2. You can’t just install .exe files without repackaging them into .msi.
3. There are several .msi packaging utilities out there if you need them.
4. There is an alternative installation package called a Zap package.
A Shared folder for the software to live in that all your
Users and Computers have at least Read access to.
A new GPO linked to the appropriate OU.
You can set up a Software Installation GPO for Users or Computers
1. If you set it up for specific Users or User Groups, you can publish the software so they
can install it on demand.
2. You can also assign the software so it installs on the next client restart.
3. If you set up the GPO on the Computers side, you can’t publish only assign
4. Use your best judgment based on who needs the software and when picking which side of
a GPO to use for Software Installs.
Steps for software installation:
1. Create a new Shared folder on your data server named Software.
2. Create a folder inside Software named Foxit and put the Foxit.msi package there.
3. Create a new GPO and link it to the appropriate OU. Name it FoxitInstall.
4. In the Computers section of the GPO, we’ll go to the Software Settings under Policies to
get to the Software Installation settings.
5. Create a new Package by right-clicking and selecting new package.
6. Select the .msi file and select any Options.
7. Run gpupdate /force from the Server (or wait for the Refresh Interval)
8. Have your users reboot their client machines.
57. 57
MCITP Windows Server 2008 Active Directory 70-640
Lecture outline:
1. Domain Password Policies
2. Fine Grained Password
3. Steps for configuring fine grained password policies
Domain Password Policies:
1. Normally, the Password Policy is set for all users at the Domain level.
2. The default settings are usually good enough.
3. Complexity requirements are enforced when passwords are changed or created.
Password Complexity Requirements:
1. Not contain the user's account name or parts of the user's full name that exceed
two consecutive characters
2. Be at least six characters in length
3. Contain characters from three of the following four categories:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Non-alphabetic characters (for example $, #, %)
Fine Grained Password
1. Normally you only have one Password Policy Setting in your entire domain, but by
creating Password Setting Objects you can specify multiple password policies for
individual users or for the Groups that users are part of.
2. Your Domain Functional Level must be at a Server 2008 level (all your Domain
Controllers must be Server 2008)
3. We’ll need to go into ADSI Edit to create Password Policy objects, and link them to the
User Account or Group.
Steps for configuring fine grained password policies:
To start with the fine grained password policies go to
1. Administrative Tools - ADSI Edit
2. Actions then Connect
3. DC=domain, DC=com
4. CN=System
5. CN=Password Settings Container
6. Right click select new object
58. 58
MCITP Windows Server 2008 Active Directory 70-640
7. In the Create Object dialog box, under Select a class, click msDC-
PasswordSettings, and then click Next.
59. 59
MCITP Windows Server 2008 Active Directory 70-640
8. In the Create Object dialog box, enter SpecialAdmins in the Value field, and
then click Next.
9. For the msDS-PasswordSettingsPrecedence value, enter 1, and then click Next
60. 60
MCITP Windows Server 2008 Active Directory 70-640
10. For the msDS-PasswordReversibleEncryptionEnabled value, enter false, and
then click Next
11. For the msDS-PasswordHistoryLength value, enter 24, and then click Next
61. 61
MCITP Windows Server 2008 Active Directory 70-640
12. For the msDS-PasswordComplexityEnabled value, enter false, and then
click Next
13. For the msDS-MinimumPasswordLength value, enter 12, and then click Next
62. 62
MCITP Windows Server 2008 Active Directory 70-640
14. For the msDS-MinimumPasswordAge, enter 1:00:00:00, and then click Next
15. For the msDS-MaximumPasswordAge, enter 30:00:00:00, and then click Next
63. 63
MCITP Windows Server 2008 Active Directory 70-640
16. For the msDS-LockoutThreshold, enter 3, and then click Next
17. For the msDS-LockoutObservationWindow, enter 0:00:30:00, and then
click Next
64. 64
MCITP Windows Server 2008 Active Directory 70-640
18. For the msDS-LockoutDuration, enter (never), and then click Next, then
click Finish
19. Right-click on CN=SpecialAdmins in the console tree, and then
select Properties
65. 65
MCITP Windows Server 2008 Active Directory 70-640
20. On the CN=SpecialAdmins Properties window, select the msDS-
PSOAppliesTo attribute, and then click the Edit button
21. On the Multi-valued Distinguished Name With Security Principal
Editor window, click on the Add Windows Account button
66. 66
MCITP Windows Server 2008 Active Directory 70-640
22. On the Select Users, Computers, or Groups window, enter SpecialAdmins in
the Enter the object names to select field, and then click OK
23. Click OK on the Multi-valued Distinguished Name With Security Principal
Editor window
24. Click OK on the CN=SpecialAdmins Properties window
68. 68
MCITP Windows Server 2008 Active Directory 70-640
Lecture outline:
1. Providing Permissions to an Account for Administrative Tasks
2. Installation of VSAT on client side
Providing Permissions to an Account for Administrative Tasks:
To give a user rights to perform some of the administrative tasks the following stuff should be
used
1. Use the Delegation of Control Wizard
2. Add a user to one (or more) of the Built-In Groups so he can do administrative tasks
without having to be an Administrator.
The Delegation Wizard can’t provide everything, so you’ll have to also use some
additional Groups to provide some more permission to a user. The detail of different groups has
been shown in the chart below.
Installation of VSAT on client side:
Giving a user the Remote Control for AD Users and Computers
1. So now that user actually can do some administrative tasks, let’s make it a little easier for
him to get to the Servers without even having to use Remote Desktop.
2. The Remote Server Administration Tools for Windows7 is a collection of MMC tools
that allows you to administer most of the standard Server tasks without having to use
Remote Desktop or actually be at the Server.
3. It’s super easy to download and install, but you have to go into Control panel and enable
it.
70. 70
MCITP Windows Server 2008 Active Directory 70-640
Lecture outline:
1. Creating backup
2. Windows server 2008 built in tools for backup
Creating backup:
In information technology, a backup or the process of backing up is making copies
of data which may be used to restore the original after a data loss event. Backups have two
distinct purposes. The primary purpose is to recover data after its loss, be it by data deletion
or corruption. Data loss is a very common experience of computer users. 67% of internet users
have suffered serious data loss. The secondary purpose of backups is to recover data from an
earlier time, according to a user-defined data retention policy, typically configured within a
backup application for how long copies of data are required.
Windows server 2008 built in tools for backup:
Main tools built into Server 2008 for backup are
1. Windows Server Backup
A GUI (Graphical User Interface) tool that creates simple backups (replaces
NTBackup).
Windows Server Backup is a Feature that you must install before using it doesn’t
install automatically.
It only Back up to a Shared Folder (Network Attached Storage) or to DVD
Backs up entire Volumes
Overwrites previous backups if you backup to the same shared folder over and
over
It’s great for simple backups for small organizations
To install Windows Server Backup go to Server Manager, Add Features and Windows Server
Backup
2. Wbadmin
WBADMIN is a command line that provides more power to your backup options
It can run a one-time backup
It can schedule regular backups
It can back up your System State which includes all the guts of your DC:
o Registry
o Boot files
o System Files
o AD Directory Services database
o SYSVOL directory
71. 71
MCITP Windows Server 2008 Active Directory 70-640
System State data can be restored using WBADMIN or using the graphical
Windows Server Backup
To create a wbadmin backup type the following command at command prompt
C:>wbadmin systemstatebackup –backuptarget :Driveletter:
3. Ntdsutil
An extremely powerful tool to do advance backup operations (and a lot more)
specifically for Active Directory files and database
NTDSUTIL is specifically for AD, and not so much backing up your whole
Server.
In terms of creating Backup Media, it can create IFM (Install from Media) media
for faster creation (or re-creation, as the case may be) of a Domain Controller.
It’s an interactive tool, providing different commands depending on what Context
it’s used in.
When used in conjunction with media created by Wbadmin or Windows Server
Backup, it can allow you to restore Active Directory Objects like entire OU’s.
It can also take Snapshots of your Active Directory Database so you can see how
your AD looks over
To create an Ntdsutil backup type the following sequence of commands at command prompt
C :>ntdsutil
Ntdsutil: ifm
Ntdsutil: activate instance ntds
Ifm: create sysvol full D:ifm