
MCTS 70-640

Windows Server 2008 Active Directory, Configuring

or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-3791-5 ISBN-10: 0-7897-3791-4

Library of Congress Cataloging-in-Publication Data Poulton, Don.

MCTS 70-640 exam cram : Windows server 2008 active directory, configuring / Don Poulton. -- 1st ed.

p. cm.

ISBN 978-0-7897-3791-5 (pbk. w/cd)

1. Electronic data processing personnel--Certification. 2. Microsoft software--Examinations--Study guides. 3. Directory services (Computer network technology)--Examinations--Study guides. I. Title.

QA76.3.P667 2008 005.7'1376--dc22

2008034083

Printed in the United States of America

First Printing: September 2008

Trademarks

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Que Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer

Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

Bulk Sales

Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact

U.S. Corporate and Government Sales 1-800-382-3419

corpsales@pearsontechgroup.com

For sales outside of the U.S., please contact

Introduction 1

Self-Assessment 15

CHAPTER 1 Getting Started with Windows Server 2008 Active Directory 23

CHAPTER 2 Active Directory and DNS 75

CHAPTER 3 Active Directory Sites and Replication 123

CHAPTER 4 Configuring Additional Active Directory Roles 157

CHAPTER 5 Active Directory Objects and Trusts 207

CHAPTER 6 Configuring and Troubleshooting Group Policy 253

CHAPTER 7 Group Policy and Active Directory Security 313

CHAPTER 8 Monitoring and Maintaining the Active Directory Environment 345

CHAPTER 9 Active Directory Certificate Services 389

CHAPTER 10 Practice Exam 1 439

CHAPTER 11 Answer Key to Practice Exam 1 467

CHAPTER 12 Practice Exam 2 487

CHAPTER 13 Answer Key to Practice Exam 2 517

APPENDIX A Need to Know More? 537

APPENDIX B What’s on the CD-ROM 547

APPENDIX C Installing Windows Server 2008 551

Glossary 561


Introduction. . . .1

Self-Assessment. . . .15

MCTSs and MCITPs in the Real World. . . .15

The Ideal MCITP Candidate. . . .16

Put Yourself to the Test. . . .17

Testing Your Exam Readiness. . . .20

Well, Let’s Get to It. . . .21

Chapter 1: Getting Started with Windows Server 2008 Active Directory. . . .23

The Building Blocks of Active Directory . . . .24

Domains. . . .24

Trees. . . .25

Forests . . . .25

Organizational Units . . . .26

Sites. . . .26

Domain Controllers. . . .26

Global Catalog . . . .27

Operations Masters. . . .27

New Features of Active Directory in Windows Server 2008. . . .28

Server Manager. . . .30

Configuring Forests and Domains. . . .33

Requirements for Installing Active Directory Domain Services . . . .33

Installing Active Directory Domain Services. . . .35

Verifying the Proper Installation of Active Directory. . . .41

Performing Unattended Installations of Active Directory. . . .42

Server Core Domain Controllers. . . .44

Active Directory Migration Tool (ADMT) v.3.1. . . .44

Alternate User Principal Name (UPN) Suffixes. . . .45

Removing Active Directory. . . .47

Upgrading from Windows Server 2003. . . .48

Interoperability with Previous Versions of Active Directory . . . .49


Universal Group Membership Caching (UGMC). . . .54

Partial Attribute Sets . . . .55

Configuring Operations Masters . . . .56

Schema Master . . . .56

Domain Naming Master. . . .60

PDC Emulator . . . .61

Infrastructure Master. . . .63

RID Master. . . .63

Placement of Operations Masters. . . .64

Transferring and Seizing of Operations Master Roles. . . .65

Exam Cram Questions . . . .69

Answers to Exam Cram Questions. . . .72

Chapter 2: Active Directory and DNS . . . .75

Configuring DNS Zones. . . .76

DNS Zone Types . . . .77

Creating DNS Zones. . . .79

DNS Records . . . .83

Configuring DNS Zone Properties. . . .84

Dynamic, Non-Dynamic, and Secure Dynamic DNS. . . .86

Time to Live . . . .87

Zone Scavenging. . . .90

Configuring DNS Server Settings . . . .91

Forwarding. . . .91

Root Hints. . . .93

Configuring Zone Delegation. . . .95

Debug Logging. . . .96

Event Logging. . . .98

Advanced Server Options. . . .98

Monitoring DNS . . . .101

Command-Line DNS Server Administration. . . .103

Configuring Zone Transfers and Replication. . . .104


Types of Zone Transfers . . . .106

Secure Zone Transfers. . . .109

Configuring Name Servers. . . .109

Application Directory Partitions. . . .111

Exam Cram Questions. . . .114

Answers to Exam Cram Questions. . . .119

Chapter 3: Active Directory Sites and Replication. . . .123

The Need for Active Directory Sites. . . .124

Configuring Sites and Subnets. . . .126

Creating Sites . . . .126

Adding Domain Controllers. . . .127

Creating and Using Subnets. . . .128

Site Links, Site Link Bridges, and Bridgehead Servers. . . .130

The Need for Site Links and Site Link Bridges . . . .131

Configuring Site Links . . . .131

Site Link Bridges . . . .132

Site Link Costs . . . .133

Bridgehead Servers. . . .135

Sites Infrastructure. . . .136

Configuring Active Directory Replication . . . .137

Intersite and Intrasite Replication . . . .138

Distributed File System. . . .139

One-Way Replication. . . .140

Replication Protocols. . . .141

Replication Scheduling . . . .142

Forcing Intersite Replication . . . .145

Monitoring and Troubleshooting Replication. . . .146

Exam Cram Questions. . . .150

Answers to Exam Cram Questions. . . .154

Chapter 4: Configuring Additional Active Directory Roles. . . .157

New Server Roles and Features. . . .158

Active Directory Lightweight Directory Services (AD LDS) . . . .160


Configuring Data Within AD LDS . . . .165

Migration to AD LDS . . . .168

Configuring an Authentication Server. . . .169

Use of AD LDS on Server Core. . . .172

Active Directory Rights Management Services (AD RMS). . . .173

Installing AD RMS . . . .174

Certificate Request and Installation. . . .176

Self-Enrollments . . . .177

Delegation. . . .177

Active Directory Metadirectory Services (AD MDS). . . .178

Read-Only Domain Controllers. . . .178

Installing a Read-Only Domain Controller . . . .178

Unidirectional Replication . . . .180

Administrator Role Separation. . . .181

Read-Only DNS . . . .182

BitLocker. . . .182

Replication of Passwords. . . .183

syskey . . . .187

Active Directory Federation Services (AD FS). . . .188

Installing the AD FS Server Role. . . .190

Trust Policies. . . .192

User and Group Claim Mapping. . . .193

Configuring Federation Trusts . . . .194

Windows Server 2008 Virtualization. . . .197

Exam Cram Questions. . . .199

Answers to Exam Cram Questions. . . .203

Chapter 5: Active Directory Objects and Trusts . . . .207

Creating User and Group Accounts . . . .208

Introducing User Accounts. . . .208

Introducing Group Accounts . . . .209

Creating User, Computer, and Group Accounts. . . .210

Use of Template Accounts. . . .211

Using Bulk Import to Automate Account Creation. . . .213


Configuring Contacts. . . .220

Creating Distribution Lists. . . .221

Managing and Maintaining Accounts . . . .222

Creating Organizational Units. . . .223

Configuring Group Membership . . . .224

AGDLP/AGUDLP . . . .225

Resetting Accounts and Passwords. . . .227

Denying Privileges. . . .228

Protected Admin. . . .229

Local Versus Domain Groups. . . .230

Deprovisioning Accounts. . . .231

Disabling or Deleting Accounts. . . .232

Delegating Administrative Control of Active Directory Objects . . . .232

Configuring Active Directory Trust Relationships . . . .235

Transitive Trusts. . . .236

Forest Trust Relationships. . . .236

External Trust Relationships. . . .241

Realm Trust Relationships. . . .241

Shortcut Trust Relationships. . . .242

Authentication Scope. . . .243

SID Filtering. . . .244

Exam Cram Questions. . . .246

Answers to Exam Cram Questions. . . .250

Chapter 6: Configuring and Troubleshooting Group Policy. . . .253

Overview of Group Policy. . . .254

Group Policy Objects. . . .255

Creating and Applying GPOs. . . .256

Managing GPOs. . . .260

Configuring GPO Hierarchy and Processing Priority. . . .266

Group Policy Filtering. . . .271

Group Policy Loopback Processing. . . .273

Configuring GPO Templates. . . .275

User Rights . . . .275


Administrative Templates. . . .277

Restricted Groups. . . .281

Starter GPOs . . . .282

Shell Access Policies. . . .284

Using Group Policy to Deploy Software . . . .284

Assigning and Publishing Software . . . .286

Deploying Software Using Group Policy. . . .287

Upgrading Software. . . .292

Removal of Software . . . .293

Troubleshooting the Application of Group Policy Objects. . . .294

Resultant Set of Policy. . . .294

Gpresult. . . .300

Gpupdate. . . .300

Exam Cram Questions. . . .302

Answers to Exam Cram Questions. . . .308

Chapter 7: Group Policy and Active Directory Security. . . .313

Use of Group Policy to Configure Security. . . .314

Configuring Account Policies. . . .315

Fine-Grained Password Policies. . . .319

Security Options. . . .326

Additional Security Configuration Tools. . . .329

Auditing of Active Directory Services. . . .330

New Features of Active Directory Auditing. . . .330

Use of GPOs to Configure Auditing. . . .331

Use of Auditpol.exe to Configure Auditing. . . .336

Exam Cram Questions. . . .338

Answers to Exam Cram Questions. . . .341

Chapter 8: Monitoring and Maintaining the Active Directory Environment. . . .345

Backing Up and Recovering Active Directory. . . .346

Use of Windows Server Backup. . . .347

Recovering Active Directory. . . .352

Linked Value Replication. . . .358


Offline Maintenance of Active Directory. . . .362

Restartable Active Directory. . . .362

Offline Defragmentation and Compaction. . . .363

Active Directory Database Storage Allocation. . . .365

Monitoring Active Directory . . . .366

Network Monitor . . . .367

Task Manager . . . .369

Event Viewer . . . .371

Reliability and Performance Monitor . . . .374

Windows System Resource Manager . . . .378

Server Performance Advisor . . . .380

Exam Cram Questions. . . .382

Answers to Exam Cram Questions. . . .386

Chapter 9: Active Directory Certificate Services . . . .389

What’s New with Certificate Services in Windows Server 2008?. . . .390

Installing Active Directory Certificate Services. . . .392

Certificate Authority Types and Hierarchies . . . .392

Installing Root CAs . . . .393

Installing Subordinate CAs . . . .396

Certificate Requests. . . .397

Certificate Practice Statements. . . .398

Managing Certificate Templates. . . .399

Certificate Template Types. . . .399

Configuring Certificate Templates. . . .400

Managing Different Certificate Template Versions. . . .404

Key Archival . . . .405

Key Recovery Agents. . . .406

Managing Certificate Enrollments. . . .408

Network Device Enrollment Services. . . .408

Certificate Autoenrollment . . . .410

Web Enrollment. . . .411

Smart Card Enrollment. . . .414

Creating Enrollment Agents. . . .414


Certificate Stores . . . .417

Certificate Server Permissions . . . .420

Certificate Database Backup and Restore. . . .421

Assigning Administration Roles. . . .422

Managing Certificate Revocation. . . .423

Certificate Revocation Lists . . . .424

Configuring Online Responders. . . .428

Authority Information Access. . . .431

Exam Cram Questions. . . .432

Answers to Exam Cram Questions. . . .436

Chapter 10: Practice Exam 1. . . .439

Exam Cram Questions. . . .439

Chapter 11: Answer Key to Practice Exam 1 . . . .467

Answers at a Glance. . . .467

Answers to Exam Cram Questions. . . .468

Chapter 12: Practice Exam 2. . . .487

Exam Cram Questions. . . .487

Chapter 13: Answer Key to Practice Exam 2. . . .517

Answers at a Glance. . . .517

Answers to Exam Cram Questions. . . .518

Appendix A: Need to Know More?. . . .537

Chapter 1. . . .537

Chapter 2. . . .538

Chapter 3. . . .539

Chapter 4. . . .539

Chapter 5. . . .541

Chapter 6. . . .542


Chapter 8. . . .544

Chapter 9. . . .545

Appendix C. . . .546

Appendix B: What’s on the CD-ROM . . . .547

Multiple Test Modes . . . .547

Study Mode. . . .547

Certification Mode. . . .547

Custom Mode. . . .548

Attention to Exam Objectives. . . .548

Installing the CD . . . .548

System Requirements . . . .548

Creating a Shortcut to the MeasureUp Practice Tests. . . .549

Technical Support. . . .550

Appendix C: Installing Windows Server 2008. . . .551

Windows Server 2008 Hardware Requirements . . . .551

Manually Installing Windows Server 2008. . . .552

Installing a Complete Server. . . .552

Using Sysprep to Prepare a Virtual Server. . . .555

Installing a Windows Server Core Computer . . . .556

Useful Server Core Commands. . . .557

Upgrading a Windows Server 2003 Computer. . . .558

Automating Windows Server 2008 Installation. . . .559

Glossary. . . .561


Don Poulton, MCSA, MCSE, A+, Network+, Security+, has been involved with computers since the days of 80-column punch cards. After a career of more than 20 years in environmental science, Don switched careers and trained as a Windows NT 4.0 MCSE. He has been involved in consulting with a couple of small training providers as a technical writer, during which time he wrote training and exam prep materials for Windows NT 4.0, Windows 2000, and Windows XP.

In addition, Don has worked on programming projects, both in his days as an environmental scientist, and more recently with Visual Basic to update an older statistical package used for multivariate analysis of sediment contaminants.

When not working on computers, Don is an avid amateur photographer who has had his photos displayed in international competitions and published in magazines such as Michigan Natural Resources Magazine and National Geographic Traveler. Don also enjoys traveling and keeping fit.


I would like to dedicate this work to the memory of my first wife Elaine, who passed away exactly 20 years ago this spring. She was an inspiration not just to our two children but also to the hundreds of children she touched in her too-brief teaching career.

—Don Poulton

Acknowledgments


As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we’re doing right, what we could do better, what areas you’d like to see us publish in, and any other words of wisdom you’re willing to pass our way.

As an associate publisher for Que Publishing, I welcome your comments. You can email or write me directly to let me know what you did or didn’t like about this book—as well as what we can do to make our books better.

Please note that I cannot help you with technical problems related to the topic of this book. We do have a User Services group, however, where I will forward specific technical questions related to the book.

When you write, please be sure to include this book’s title and author as well as your name, email address, and phone number. I will carefully review your comments and share them with the author and editors who worked on the book.

Email: feedback@quepublishing.com

Mail: Dave Dusthimer, Associate Publisher, Que Publishing, 800 East 96th Street


Reader Services


Welcome to MCTS 70-640 Exam Cram: Windows Server 2008 Active Directory, Configuring. This book aims to help you get ready to take—and pass—Microsoft Certification Exam 70-640: TS: Windows Server 2008 Active Directory, Configuring. This book contains information to help ensure your success as you pursue this Microsoft exam and the Technology Specialist or IT Professional certification.

This Introduction explains the new generation of Microsoft certifications centering on Windows Server 2008 and how the Exam Cram series can help you prepare for Exam 70-640. This chapter discusses the basics of the MCTS and MCITP certifications, including a discussion of test-taking strategies. Chapters 1 through 9 are designed to remind you of everything you need to know to take and pass the exam. The two sample tests at the end of this book should give you a reasonably accurate assessment of your knowledge and, yes, I’ve provided the answers and their explanations to the tests. Along with the explanations are some particularly useful links to more information on each topic. Each answer also includes a reference to the chapter in the book that covers the topic.

Read this book and understand the material, and you’ll stand a very good chance of passing the test. Use the additional links to the other materials and points of reference, and along with actual product use, you will be in excellent shape to do well on the exam.

Exam Cram books help you understand and appreciate the subjects and materials you need to pass Microsoft certification exams. These books are aimed strictly at test preparation and review. They do not teach you everything you need to know about a topic. Instead, they present and dissect the questions and problems that you’re likely to encounter on a test. These books work to bring together as much information as possible about Microsoft certification exams.


Every Microsoft Windows Server 2008–related certification starts off with Exam 70-640, which this book prepares you for, as well as Exam 70-642, TS: Windows Server 2008 Network Infrastructure, Configuring. From there, if you continue along any of the tracks, each of the IT Pro certifications mandates that you pass one or two other Windows Server 2008–specific exams. Exam 70-646, PRO: Windows Server 2008, Server Administrator, completes the requirements for the MCITP: Windows Server 2008 Administrator certification. The MCITP: Windows Server 2008 Enterprise Administrator certification requires that you pass two additional exams, 70-643, TS: Windows Server 2008 Applications Infrastructure, Configuring, and 70-647, PRO: Windows Server 2008, Enterprise Administrator. Furthermore, the Windows Server 2008 Enterprise Administrator certification requires that you pass one client exam related to Windows Vista, either 70-620, TS: Microsoft Windows Vista, Configuring, or 70-624, TS: Deploying and Maintaining Windows Vista Client and 2007 Microsoft Office System Desktops.

Content included in this book is also covered in the upgrade exams provided by Microsoft for individuals holding the Microsoft Certified Systems Administrator (MCSA) or Microsoft Certified Systems Engineer (MCSE) titles on Windows Server 2003. More specifically, this includes Exam 70-648, TS: Upgrading Your MCSA on Windows Server 2003 to Windows Server 2008, Technology Specialist, and 70-649, TS: Upgrading Your MCSE on Windows Server 2003 to Windows Server 2008, Technology Specialist. Individuals wishing to pass either of these exams will find the content in this book helpful for learning the Active Directory portions of these exams.

The Microsoft Certified Professional (MCP) Program

The MCP Program includes a new generation series of professional certifications as well as a series of traditional program tracks. Each program track boasts its own special acronym. (As a certification candidate, you need to have a high tolerance for alphabet soup of all kinds.)

New Generation Microsoft Certifications


needs and capabilities. These tracks are simpler and more specifically targeted than the older certification tracks. In many cases, they can be achieved by passing fewer exams than was the case with the older tracks.

- MCTS (Microsoft Certified Technology Specialist)—Typically consisting of one to three exams, these certifications enable you to target your learning program to specific Microsoft technologies. MCTS certifications are available in a broad range of Microsoft technologies, and more will be added as newer technologies come online.

- MCITP (Microsoft Certified Information Technology Professional)—By taking one to three additional exams beyond the MCTS level, you can achieve a comprehensive set of IT skills enabling you to be successful at a range of specialized jobs such as design, project management, operations management, and planning. Currently, MCITP certifications are available in the fields of Business Intelligence Developer, Customer Support Technician, Database Administrator, Database Developer, Enterprise Messaging Administrator, Enterprise Project Management with Microsoft Office Project Server 2007, Enterprise Support Technician, Exchange Messaging Administrator, Windows Server 2008 Administrator, and Windows Server 2008 Enterprise Administrator.

- MCPD (Microsoft Certified Professional Developer)—Similar to the MCITP certification, this enables you to achieve a comprehensive set of developer-related job skills. Current MCPD certifications are based on .NET Framework 2.0 applications that use Microsoft Visual Studio 2005 and include Web Developer, Windows Developer, and Enterprise Applications Developer. Additional certifications will be released as newer technologies emerge.

- MCA (Microsoft Certified Architect)—Enables you to prove a top

Traditional MCP Program Tracks

The traditional program tracks that Microsoft has followed for a number of years certify individuals on technologies up to and including Windows Server 2003:

- MCSE (Microsoft Certified Systems Engineer)—Anyone who has a current MCSE is warranted to possess a high level of networking expertise with Microsoft operating systems and products. This credential is designed to prepare individuals to plan, implement, maintain, and support information systems, network, and internetworks built around Microsoft Windows 2000 or Windows Server 2003 and its BackOffice Server family of products.

The Windows Server 2003 MCSE is the last certification that Microsoft plans to award on this program. Obtaining this credential requires an individual to pass six core exams and one elective exam. The core exams include four networking system exams, one operating system exam, and one design exam. Beginning with Windows Server 2008, the MCSE has been replaced by the MCITP credential already mentioned.

- MCSA (Microsoft Certified Systems Administrator)—This certification program is designed for individuals who are systems administrators but have no need for network design skills in their current career path. An MCSA on Windows Server 2003 candidate must pass three core exams plus one elective exam. Beginning with Windows Server 2008, the MCSA has been replaced by the MCTS and MCITP credentials already mentioned.

- MCP (Microsoft Certified Professional)—This is the least prestigious of all the certification tracks from Microsoft. Passing one of the major Microsoft exams qualifies an individual for the MCP credential. Individuals can demonstrate proficiency with additional Microsoft products by passing additional certification exams.

- MCSD (Microsoft Certified Solution Developer)—The MCSD

- MCDBA (Microsoft Certified Database Administrator)—The MCDBA credential reflects the skills required to implement and administer Microsoft SQL Server databases. To become an MCDBA, you must pass a total of three core exams and one elective exam. The core exams involve SQL Server administration, SQL Server design, and networking systems. Beginning with SQL Server 2005, this certification has been replaced with the MCITP: Database Developer and the MCITP: Database Administrator certifications.

- MCT (Microsoft Certified Trainer)—Microsoft Certified Trainers are deemed able to deliver elements of the official Microsoft curriculum, based on technical knowledge and instructional ability. Therefore, it is necessary for an individual seeking MCT credentials (which are granted on a course-by-course basis) to pass the related certification exam for a course and complete the official Microsoft training in the subject area, as well as to demonstrate an ability to teach.

  This teaching skill criterion may be satisfied by proving that you have already attained training certification from Novell, Banyan, Lotus, the Santa Cruz Operation, or Cisco, or by taking a Microsoft-sanctioned workshop on instruction. Microsoft makes it clear that MCTs are important cogs in the Microsoft training channels. Instructors must be MCTs before Microsoft allows them to teach in any of its official training channels, including the Certified Technology Education Centers (CTEC) and its online training partner network.

After a Microsoft product becomes obsolete, MCPs typically have to recertify on current versions. (If individuals do not recertify, their certifications become invalid; a current exception to this rule is the MCSE on Windows NT 4.0.) Because technology keeps changing and new products continually supplant old ones, this recertification requirement should come as no surprise.


About the Exam and Content Areas

Exam 70-640: Windows Server 2008 Active Directory, Configuring, includes a variety of content. For specifics on the exam, check the exam guide on the Microsoft website at http://www.microsoft.com/learning/en/us/exams/70-640.mspx.

The broad topic areas covered by the exam include the following:

- Configuring Domain Name System (DNS) for Active Directory—You should be able to configure DNS zones, DNS server settings, zone transfers, and replication.

- Configuring the Active Directory Infrastructure—You are expected to be able to configure Active Directory forests, domains, trusts, sites, replication, global catalog, and operations masters.

- Configuring Additional Active Directory Server Roles—You are expected to be able to configure Windows Server 2008 as a Server Core domain controller and a read-only domain controller, and to use the new Server Manager console to configure services related to Active Directory in Windows Server 2008.

- Creating and Maintaining Active Directory Objects—You should be able to configure and maintain Active Directory accounts, including automatic creation of user and group accounts. You should also be able to configure Group Policy objects (GPO), including creating and applying GPOs and configuring GPO templates, software deployment GPOs, account policies, and audit policies.

- Maintaining the Active Directory Environment—You should be familiar with how to monitor and maintain Active Directory and be able to recover from various types of failures.

- Configuring Active Directory Certificate Services—You must be able to install Certificate Services and configure server settings, certificate templates, and certificate enrollments and revocations in Active Directory.

How to Prepare for the Exam

Preparing for any Windows Server 2008–related exam requires that you obtain and study materials designed to provide comprehensive information about the product and its capabilities that will appear on the specific exam for which you are preparing. The following list of materials will help you study and prepare:

- The Windows Server 2008 product DVD-ROM, which includes comprehensive online documentation and related materials; it should be a primary resource when you are preparing for the test.

- The exam preparation materials, practice tests, and self-assessment exams on the Microsoft Certified Professional and Office Specialist Exams page at http://www.microsoft.com/learning/mcpexams/default.mspx; the Testing Innovations page (http://www.microsoft.com/learning/mcpexams/policies/innovations.mspx) offers examples of the new question types found on the Windows Server 2008 MCTS and MCITP exams. Find the material, download it, and use it!

- The exam-preparation advice, practice tests, questions of the day, and discussion groups on the ExamCram.com e-learning and certification destination website (http://www.informit.com/imprint/index.aspx?st=61087).

In addition, you’ll probably find any or all of the following materials useful in your quest for Active Directory configuration expertise:

- Microsoft training kits—Microsoft Press offers a training kit that specifically targets Exam 70-640. For more information, visit http://www.microsoft.com/MSPress/books/11754.aspx. This training kit contains information useful in preparing for the test.

- Microsoft TechNet Subscriptions—This Microsoft resource delivers

- Study guides—Several publishers, including Que, offer Windows Server 2008 titles. Que Certification includes the following:

  - The Exam Cram series—These books provide information about the material you need to know to pass the tests.

  - The Exam Prep series—For some Microsoft exams, Que also offers Exam Prep books, which provide a greater level of detail than the Exam Cram books and are designed to teach you everything you need to know from an exam perspective. Each book comes with a CD-ROM that contains interactive practice exams in a variety of testing formats.

- Multimedia—The MeasureUp Practice Tests CD-ROM that comes with each Exam Cram and Exam Prep title features a powerful, state-of-the-art test engine that prepares you for the actual exam. MeasureUp Practice Tests are developed by certified IT professionals and are trusted by certification students around the world. For more information, visit www.measureup.com.

- Classroom training—CTECs and third-party training companies (such as Learning Tree International, Global Knowledge, New Horizons, triOS College, and others) offer classroom training on Windows Server 2008. Although such training runs upward of $350 per day in class, most of the individuals lucky enough to partake find it to be quite worthwhile.

- Other publications—There’s no shortage of materials available about Active Directory configuration. The resource sections in Appendix A, “Need to Know More?” should give you an idea of where you should look for further discussion.

You cannot adequately prepare for this exam or other Microsoft certification exams by simply rote-memorizing terms and definitions. You need to be able to analyze a scenario and answer by combining various knowledge points from various topic areas. Successfully completing this exam requires a great deal of thought and analysis to properly choose the “best” solution from several “viable” solutions in many cases.

Taking a Certification Exam

After you’ve prepared for your exam, you need to register with a testing center. Each computer-based MCP exam costs $125, and if you don’t pass, you may retest for an additional $125 for each try. In the United States and Canada, all tests after January 1, 2008, are administered by Prometric. You can sign up for an exam through the company’s website at securereg3.prometric.com, or you can register by phone at 800-755-3926 (within the United States and Canada) or at 410-843-8000 (outside the United States and Canada).

To sign up for a test, you must possess a valid credit card, or you can contact Prometric for mailing instructions to send in a check (in the United States). Only when payment is verified or your check has cleared can you actually register for a test.

To schedule an exam, call the number or visit the web page at least one day in advance. To cancel or reschedule an exam, you must call before 7 p.m. Pacific Standard Time the day before the scheduled test time (or you may be charged, even if you don’t appear to take the test). When you want to schedule a test, have the following information ready:

. Your name, organization, and mailing address.

. Your Microsoft Test ID. (Inside the United States, this means your Social Security Number and in Canada, it means your Social Insurance Number. Citizens of other nations should call ahead to find out what type of identification number is required to register for a test.)

. The name and number of the exam you want to take.

. A method of payment. Besides the methods already mentioned, you might be able to purchase a voucher online before registering.

After you sign up for a test, you are informed as to when and where the test is scheduled. Try to arrive at least 15 minutes early. You must supply two forms of identification—one of which must be a photo ID—to be admitted into the testing room.


record this information, and take a sample orientation exam before you begin the real thing. It’s best to take the orientation test before taking your first exam, but because they’re all more or less identical in layout, behavior, and controls, you probably don’t need to do this more than once.

When you complete a Microsoft certification exam, the software tells you whether you’ve passed or failed. If you need to retake an exam, you have to schedule a new test with Prometric and pay another $125.

NOTE

The first time you fail a test, you can retake it the next day. However, if you fail a second time, you must wait 14 days before retaking that test. The 14-day waiting period remains in effect for all retakes after the second failure.

What This Book Will Do

This book is designed to be read as a pointer to the areas of knowledge you will be tested on. In other words, you might want to read this book one time just to get insight into how comprehensive your knowledge of this topic is. The book is also designed to be read shortly before you go for the actual test. You can use this book to get a sense of the underlying context of any topic in the chapters or to skim-read for Exam Alerts, bulleted points, summaries, and topic headings.

This book draws on material from Microsoft’s own listing of knowledge requirements, from other preparation guides, and from the exams. It also draws from a battery of technical websites, as well as from my own experience with Microsoft servers and the exam. The goal is to walk you through the knowledge you will need. By reading this book, you will gain from the experience of real-world professional development.

What This Book Will Not Do


This book uses a variety of teaching and memorization techniques to analyze the exam-related topics and to provide you with everything you need to know to pass the test.

About This Book

Read this book from front to back. You won’t be wasting your time because nothing written here is a guess about an unknown exam. I have had to explain certain underlying information on such a regular basis that I have included those explanations here.

After you have read this book, you can brush up on a certain area by using the index or the table of contents to go straight to the topics and questions you want to re-examine. I have tried to use the headings and subheadings to provide outline information about each given topic. After you have been certified, you will find this book useful as a tightly focused reference and an essential foundation of Active Directory configuration and management.

Each Exam Cram chapter follows a regular structure and offers graphical cues about especially important or useful material. The structure of a typical chapter is as follows:

. Opening hotlists—Each chapter begins with lists of the terms you need to understand and the concepts you need to master before you can be fully conversant in the chapter’s subject matter. The hotlists are followed with a few introductory paragraphs, setting the stage for the rest of the chapter.

. Topical coverage—After the opening hotlists, each chapter covers the topics related to the chapter’s subject.

. Exam Alerts—Throughout the text, the material that is most likely to appear on the exam is highlighted by using a special Exam Alert that looks like this:

EXAM ALERT


Even if material is not flagged as an Exam Alert, all the content in this book is associated in some way with test-related material. What appears in the chapter content is critical knowledge.

. Notes—This book is an overall examination of Active Directory configuration, management, and troubleshooting. As such, it delves into many aspects of computer networks. Where a body of knowledge is deeper than the scope of the book, this book uses Notes to indicate areas of concern.

NOTE

Cramming for an exam will get you through a test, but it will not make you a competent Active Directory professional. Although you can memorize just the facts you need to become certified, your daily work in the field will rapidly put you in water over your head if you do not know the underlying principles.

. Tips—This book provides Tips that will help you build a better foundation of knowledge or to focus your attention on an important concept that reappears later in the book. Tips provide a helpful way to remind you of the context surrounding a particular area of a topic under discussion.

TIP

This is how Tips are formatted. Keep your eyes open for them, and you’ll become an Active Directory configuration guru in no time!

. Practice questions—These present a short list of test questions related to the specific chapter topic. Following each question is an explanation of both correct and incorrect answers. The practice questions highlight the areas that are the most important on the exam.

The bulk of this book follows this chapter structure, but I would like to point out a few other elements:

. Details and resources—Appendix A at the end of this book is titled


once probably represents an expense that many network administrators and would-be MCTSs and MCITPs might find hard to justify).

. Glossary—This book has an extensive glossary of important terms used throughout the book.

. The Cram Sheet—This appears as a tearcard inside the front cover of this Exam Cram book. It is a valuable tool that represents a collection of the most difficult-to-remember facts and numbers you should memorize before taking the test. Remember, you can dump this information out of your head onto a piece of paper as soon as you enter the testing room. This tearcard has facts that require brute-force memorization. You need to remember this information only long enough to write it down when you walk into the test room. Be advised that you will be asked to surrender all personal belongings other than pencils before you enter the exam room.


Before you attempt to take the exam covered by this book, it is imperative that you know considerable information about Windows Server 2008. There is so much breadth to this exam that I felt it necessary to include a Self-Assessment in this book to help you evaluate your exam readiness. This portion of the book looks at what you need to pass the exam and achieve further Microsoft certifications. When you go through the actual Self-Assessment contained in this element, you will have a good idea about how far along you are in your readiness for taking the exam.

MCTSs and MCITPs in the Real World

To complete the Microsoft Certified Information Technology Professional (MCITP) certification as a Windows Server 2008 administrator, you have to be a well-rounded, server-aware individual. The new generation of Microsoft certifications is much more meaningful and maps more closely to the everyday work environment found in the real world.


Increasing numbers of people are attaining Microsoft certifications, so the goal is within reach. You can get all the real-world motivation you need from knowing that many others have gone before, so you can follow in their footsteps. If you’re willing to tackle the preparation process seriously and do what it takes to obtain the necessary experience and knowledge, you can take, and pass, all the certification tests involved in obtaining an MCITP certification. In fact, the Exam Crams and the companion Exam Preps are designed to make it as easy as possible for you to prepare for these exams, but prepare you must!

The Ideal MCITP Candidate

To give you some idea of what an ideal candidate is like, following is relevant information about the background and experience such an individual should have. Don’t worry if you don’t meet these qualifications or don’t even come close—this is a far-from-ideal world, and where you fall short is simply where you have more work to do:

. Academic or professional training in network theory, concepts, and operations. This includes everything from networking media and transmission techniques to network operating systems, services, and applications.

. Three-plus years of professional networking experience, including experience with various types of networking media, including Ethernet and wireless. This must include installation, configuration, upgrading, and troubleshooting experience.

. Two-plus years in a networked environment that includes hands-on experience with Windows 2000 Server, Windows Server 2003, and Windows Server 2008, plus Windows 2000 Professional, Windows XP Professional, and Windows Vista Business/Enterprise/Ultimate. A solid understanding of each system’s architecture, installation, configuration, maintenance, and troubleshooting is also essential.

. Knowledge of the various methods for installing Windows Server 2008, including manual and automated installations and server virtualization. Appendix C, “Installing Windows Server 2008,” takes a quick look at manual installation and use of virtual servers.

. A thorough understanding of networking protocols, most specifically


. Familiarity with key Windows Server 2008–based TCP/IP-based services, including HTTP (web servers), DHCP, WINS, and DNS, plus familiarity with one or more of the following: Internet Information Services (IIS), Index Server, and Internet Security and Acceleration Server.

. An understanding of how to implement security for key network data in a Windows Server 2008 environment.

. A good working understanding of Active Directory. Obviously, this book prepares you for the Active Directory configuration exam, but it is helpful if you have real-world exposure to an Active Directory environment. The more you work with Windows Server 2008, the more you’ll realize that this operating system is quite different from Windows NT. Newer technologies such as Active Directory have really changed the way that Windows is configured and used. Find out as much as you can about Active Directory, and acquire as much experience using this technology as possible. The time you take learning about Active Directory is time well spent!

Although a bachelor’s degree in computer science can be helpful, a strong willingness to learn new techniques and technologies combined with as many of these qualifications as possible is key to your success. Well under half of all certification candidates possess such experience, and most meet less than half of these requirements—at least when they begin the certification process. But because all the people who already have been certified have survived this ordeal, you can survive it, too, especially if you heed what this Self-Assessment can tell you about what you already know and what you need to learn.

Put Yourself to the Test

The following series of questions and observations are designed to help you figure out how much work is ahead in pursuing your Microsoft certification and what kinds of resources you can consult on your quest. Be absolutely honest in your answers, or you’ll end up wasting money on an exam you’re not ready to take. There are no right or wrong answers—only steps along the path to certification. Only you can decide when you’re ready.

Two things should be clear from the outset, however:

. Even a modest background in computer science will be helpful.

. Hands-on experience with Microsoft products and technologies is an


Educational Background

1. Have you ever taken computer-related classes? (Yes or No)

If Yes, proceed to question 2; if No, proceed to question 4.

2. Have you taken any classes on computer operating systems? (Yes or No)

If Yes, you will probably be able to handle Microsoft’s architecture and system component discussions. If you think your skills or knowledge could be improved, brush up on basic operating system concepts, especially virtual memory, multitasking regimes, user mode versus kernel mode operation, and general computer security topics.

If No, consider some basic reading in this area. I strongly recommend a good general operating systems book, such as Operating System Concepts, 8th edition, by Abraham Silberschatz, Peter Baer Galvin, and Greg Gagne (John Wiley & Sons, 2008, ISBN 978-0-470-12872-5). If this title doesn’t appeal to you, check out reviews for other similar titles at your favorite online bookstore.

3. Have you taken any networking concepts or technologies classes? (Yes or No)

If Yes, you will probably be able to handle Microsoft’s networking terminology, concepts, and technologies. (Brace yourself for frequent departures from normal usage.) If you think your skills or knowledge could be improved, brush up on basic networking concepts and terminology, especially networking media, transmission type, the OSI Reference Model, and networking technologies such as Ethernet, WAN links, and wireless networking concepts and protocols.

If No, you might want to read one or two books in this topic area. The two best books that I know of are Computer Networks, 4th edition, by Andrew S. Tanenbaum (Prentice-Hall, 2002, ISBN 0-13-066102-3) and Computer Networks and Internets with Internet Applications, 4th edition, by Douglas E. Comer (Prentice-Hall, 2004, ISBN 0-13-143351-2).

Skip to the next section, “Hands-on Experience.”

4. Have you done any reading on operating systems or networks? (Yes or No)


Hands-On Experience

Perhaps the most important key to success on any certification exam is hands-on experience, especially with Windows Server 2008 and Windows Vista, plus the many add-on services and BackOffice components around which so many of the Microsoft certification exams revolve. If you leave with only one realization after taking this Self-Assessment, it should be that there’s no substitute for time spent installing, configuring, and using the various Microsoft products on which you’ll be tested repeatedly and in depth.

5. Have you installed, configured, and worked with any of the following?

. Windows 2000 Server, Windows Server 2003, or Windows Server 2008? (Yes or No)

If Yes, make sure you understand basic concepts as covered in Exam 70-290 or Exam 70-646. You should also study the TCP/IP interfaces, utilities, and services for Exam 70-291 and 70-293 or Exam 70-642, plus implementing security features for Exam 70-220 or Exam 70-299.

You can download objectives, practice exams, and other data about Microsoft exams from the Microsoft Learning page at http://www.microsoft.com/learning/default.mspx. Use the Find an Exam link to obtain specific exam information.

If you haven’t worked with Windows Server 2008, you must obtain one or two machines and a copy of the operating system. Then learn the operating system and any other software components on which you’ll be tested. Search on the Microsoft website for low-cost options to obtain evaluation copies of the software that you need.

In fact, I recommend that you obtain two computers, each with a network interface, and set up a two-node network on which to practice. You can also download Microsoft Virtual PC 2007 for free at http://www.microsoft.com/windows/downloads/virtualpc/default.mspx. Use the links on this page to learn more about how you can run multiple operating systems from a single computer using this product.

. Windows Vista Business or Windows Vista Ultimate? (Yes or No)

If Yes, make sure you understand the concepts covered in Exam 70-620.

If No, you will want to obtain a copy of Windows Vista Business or Ultimate and learn how to install, configure, and maintain it. You can use MCTS 70-620 Exam Prep: Microsoft Windows Vista,


ISBN 0-7897-3687-x) to guide your activities and studies, or you can work straight from Microsoft’s test objectives if you prefer.

For any and all of these Microsoft exams, the Resource Kits for the topics involved are a good study resource. You can purchase soft cover Resource Kits from Microsoft Press. Along with the Exam Cram and Exam Prep series, Resource Kits are among the best tools you can use to prepare for Microsoft exams.

TIP

If you have the funds or your employer is willing to pay your way, consider taking a class led by a professional instructor. In particular, those just starting out or with limited knowledge or access to state-of-the-art computer systems should take a class. Microsoft has designed very good courses that are available in most communities. In addition, the course includes trial versions of the software that is the focus of your course, along with the operating system that it requires.

Testing Your Exam Readiness

Whether you attend a formal class on a specific topic to get ready for an exam or use written materials to study on your own, some preparation for the certification exams is essential. You pay for your exam attempts pass or fail, so you want to do everything you can to pass on your first try. Not only can failed attempts be expensive to your pocketbook, but they can be very discouraging.

This book includes Exam Cram questions at the end of each chapter as well as two practice exams, so if you don’t score well on the chapter questions, you can study more and then tackle the practice exams at the end of the book.

For any given subject, consider taking a class if you’ve tackled self-study materials, taken the practice test, and failed anyway. If you can afford the privilege, the opportunity to interact with an instructor and fellow students can make all the difference in the world. For information about systems auditing classes, visit the Microsoft Learning page at http://learning.microsoft.com/Manager/Catalog.aspx.


6. Have you taken a practice exam on your chosen test subject? (Yes or No)

If Yes and you scored 90 percent or better, you’re probably ready to tackle the real thing. If your score isn’t above that crucial threshold, keep at it until you break that barrier. If you answered No, go back and study the book some more, and repeat the practice exams. Keep at it until you can comfortably break the passing threshold.

TIP

There is no better way to assess your test readiness than to take a good-quality practice exam and pass with a score of 90% or better. When I’m preparing, I shoot for 95%, just to leave room for the “weirdness factor” that sometimes shows up on Microsoft exams.

One last note: I hope it makes sense to stress the importance of hands-on experience in the context of the exams. As you review the material for the exams, you’ll realize that hands-on experience with server configuration and best practices is invaluable.

Well, Let’s Get to It


Terms You’ll Need to Understand

✓ Active Directory Migration Tool (ADMT)

✓ Domain Name System (DNS)

✓ Domain naming master

✓ Primary Domain Controller (PDC) emulator

✓ Read-only domain controller (RODC)

✓ Relative Identifier (RID) master

✓ Schema

✓ User principal name (UPN)

✓ UPN suffix

Concepts/Techniques You’ll Need to Master

✓ Understanding forests, trees, and domains

✓ Understanding the major components of Active Directory

✓ Installing Active Directory under various types of conditions

✓ Upgrading forests, domains, and Windows 2003 domain controllers to Windows Server 2008

✓ Configuring global catalog servers

✓ Configuring operations masters

✓ Enabling Universal Group Membership Caching


Beginning with Windows 2000, Microsoft completely revolutionized its concept of Windows domains. Gone was the limited size, flat namespace of Windows NT domains, and in its place was the hierarchical Active Directory domain structure built upon the concepts of X.500 and the Lightweight Directory Access Protocol (LDAP). Active Directory has matured since then, first with Windows Server 2003 and now with Windows Server 2008’s new features, improved functionality, and easier configuration and management. Those of you who have worked with Active Directory in Windows 2000 or Windows Server 2003 will be familiar with much of the content of this book. For those of you who are new to server and network management or who have worked with only Windows NT networks, this book begins with a brief introduction to the concepts that Microsoft used to put Active Directory together.

The Building Blocks of Active Directory

In creating the hierarchical database structure of Active Directory, Microsoft facilitated locating resources such as folders and printers by name rather than by physical location. These logical building blocks include domains, trees, forests, and organizational units (OU). The physical location of objects within Active Directory is represented by including all objects in a given location in its own site.

Domains


Trees

A tree is a group of domains that shares a contiguous namespace. In other words, a tree consists of a parent domain plus one or more sets of child domains whose names extend the name of the parent. For example, a parent domain named examcram.com can include child domains with names such as products.examcram.com, sales.examcram.com, and manufacturing.examcram.com. Furthermore, the tree structure can contain grandchild domains such as america.sales.examcram.com or europe.sales.examcram.com, and so on, as shown in Figure 1.1. All domains in a tree are linked by two-way, transitive trust relationships; in other words, accounts in any one domain can be granted access to resources in any other domain of the tree and vice versa (the trust makes authentication across the domain boundary possible; the permissions on the resource still decide who gets in). See Chapter 5, “Active Directory Objects and Trusts,” for more information on trust relationships.

[Figure 1.1 shows two trees in one forest. The examcram.com tree contains the child domains sales.examcram.com, manufacturing.examcram.com, and products.examcram.com; sales.examcram.com in turn contains the grandchild domains america.sales.examcram.com and europe.sales.examcram.com. The que.com tree contains the child domain sales.que.com.]

FIGURE 1.1 A forest can contain multiple trees, and trees can contain multiple levels of child domains.

Forests


Organizational Units

An organizational unit (OU) is a logical subgroup within a domain. It is convenient for locating resources used by a single work group, section, or department in a company and applying policies that apply to only these resources. You can create a hierarchy of OUs and child OUs organized in much the same way as that of a hierarchy of folders, subfolders, and sub-subfolders on a disk. You can also delegate control of administrative activities to users within a single OU, such as creating and working with user accounts, groups, and printers. Further, you can control users and computers within an OU by means of Group Policy; this is the smallest unit to which you can deploy Group Policy.

Sites

In contrast to the logical grouping of Active Directory into forests, trees, domains, and OUs, Microsoft includes the concept of sites to group resources within a forest according to their physical location, defined by the IP subnets you associate with each site. A site can contain objects from more than one tree or domain within a single forest, and individual trees and domains can span more than one site. Sites enable you to control the replication of directory data (replication within a site is frequent and uncompressed; replication between sites follows the schedule and cost you assign to the site link), to apply policies to all users and computers in a single physical location, and to delegate administrative control of the objects in that location. In addition, sites enable clients to be authenticated by a domain controller in their own physical location rather than a distant one whenever possible. You should configure a single site for all work locations connected by a high-speed, always-available local area network (LAN) link and designate additional sites for locations separated from each other by a slower wide area network (WAN) link.

Domain Controllers


Global Catalog

The global catalog is a partial, read-only replica of every domain partition in the forest, holding the attributes most commonly used in searches; it exists so that domain controllers and users in any domain can locate objects in every other domain of the forest. Users searching for objects such as files, folders, or printers in another domain are directed to a global catalog server, which searches the entire forest over a single connection instead of referring the client to each domain in turn. A global catalog server also holds universal group membership, which can include users or groups from any domain in the forest; in a multidomain forest a domain controller must contact a global catalog server at logon to build the user’s access token (unless Universal Group Membership Caching is enabled for the site). The global catalog likewise enables users to log on to a domain other than their home domain by using their user principal name (UPN), a username constructed in the format of an email address (for example, user@products.examcram.com), because only the global catalog can resolve a UPN to the domain that holds the account.
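As an added example (not code from the book), the following PowerShell function resolves a UPN through the global catalog in the way just described: one query over the GC port instead of a query per domain. It assumes a forest root domain of examcram.com, a reachable global catalog server, and that user@products.examcram.com is a placeholder UPN; the LDAP filter escaping is included because a UPN taken from user input is otherwise a filter-injection vector.

```powershell
# Added example, not from the book. Looks up a user anywhere in the forest by UPN
# through the global catalog (GC://, TCP 3268) rather than querying each domain.
# Assumptions: forest root examcram.com; a GC-hosting DC reachable from this machine;
# the UPN in the example call is a placeholder.
function Find-UserByUpn {
    param(
        [Parameter(Mandatory = $true)][string]$Upn,
        [string]$ForestRootDn = "DC=examcram,DC=com"
    )

    # GC:// binds to the global catalog, which holds the partial attribute set of
    # every domain partition in the forest, so one subtree search covers all domains.
    $root = New-Object System.DirectoryServices.DirectoryEntry("GC://$ForestRootDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

    # Escape the value per RFC 4515 (backslash first) so a crafted UPN such as
    # "*)(objectClass=*" cannot rewrite the filter.
    $escaped = $Upn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=$escaped))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "sAMAccountName", "userPrincipalName"))

    $result = $searcher.FindOne()
    if ($result -eq $null) { return $null }

    # Only attributes in the partial attribute set are readable from the GC. For
    # anything else, rebind to the object's home domain with LDAP:// using the DN.
    return @{
        DistinguishedName = [string]$result.Properties["distinguishedname"][0]
        SamAccountName    = [string]$result.Properties["samaccountname"][0]
        Upn               = [string]$result.Properties["userprincipalname"][0]
    }
}

# Example call (placeholder UPN):
Find-UserByUpn -Upn "user@products.examcram.com"
```

The distinguished name returned tells you which domain holds the account, which is exactly the information a domain controller needs when a user logs on with a UPN from another domain.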

Operations Masters

Microsoft designed Active Directory so that you can perform most configuration activities from any domain controller. However, certain functions within the directory are restricted to specific domain controllers, known as flexible single-master operations (FSMO) servers, or simply operations masters. These functions include the following:

. Schema master—Holds the only writable copy of the Active Directory schema, the configuration database that describes all object classes and attributes available in the Active Directory forest. Only one domain controller in the forest holds this role.

. Domain naming master—Ensures that any newly created domain is uniquely identified by a name that adheres to the proper naming conventions for a new tree or for a child domain in an existing tree; no domain can be added to or removed from the forest while this role holder is unavailable. Only one domain controller in the forest holds this role.

. PDC emulator—Serves as a primary domain controller (PDC) for Windows NT 4.0 client computers authenticating to the domain and processes changes to user properties, such as password changes, made from these clients. Other domain controllers also forward password changes to the PDC emulator immediately and consult it before rejecting a logon with an apparently bad password, so a recently changed password is accepted anywhere in the domain. This server also acts as the time synchronization master for the remaining domain controllers in the domain. One domain controller in each domain holds this role.

. Infrastructure master—Updates references in its domain from objects


. RID master—Allocates pools of relative identifiers (RIDs) to every domain controller in its domain. A domain controller builds the security identifier (SID) of each object it creates from the domain identifier, which is common to all objects in the domain, plus the next unused RID from its pool; because the RID master hands out non-overlapping pools, no two objects in the domain receive the same SID. One domain controller in each domain holds this role.

New Features of Active Directory in Windows Server 2008

As with each previous version of Windows Server, Microsoft has introduced many new components that improve the functionality and manageability of Active Directory and of Windows Server 2008 as a whole. This section briefly summarizes these components, most of which you will learn about later in this book:

. Server roles and features—Microsoft has organized the capabilities of a computer into various roles and features. Simply put, a role is a specific function that a server can perform on the network, such as file services, terminal services, or certificate services. Active Directory Domain Services (AD DS) is the server role that encompasses all domain controller functions. A feature is an optional component that adds a specific function, such as .NET Framework 3.0, BitLocker Drive Encryption, or Network Load Balancing. Certain roles require specific features, and these are installed automatically when you add the role. You can add roles and features from the Initial Configuration Tasks window, from Server Manager, or from the command line. These are discussed later in this chapter.

. Read-only domain controller—A read-only domain controller (RODC) is a domain controller that holds a read-only copy of the directory database. It can perform client-facing actions, such as authenticating users and distributing Group Policy to clients, but administrators cannot make changes to the database directly on the RODC; writes are referred to a writable domain controller. By default an RODC stores no account passwords: it caches only the credentials that its Password Replication Policy explicitly allows and authenticates every other account by forwarding the request to a writable domain controller. It is therefore well suited to branch office deployment, where physical security might not be as strong as in the central office and no administrative personnel are present for day-to-day operations; a stolen RODC exposes only the cached accounts, which you can identify and reset.

. Server Core—A Server Core is a stripped-down version of Windows


After logging on, you are presented with a command prompt window, from which you perform all administrative actions. A Server Core computer uses fewer hardware and memory resources than a full installation and can perform most (but not all) of the roles that a full server performs. Furthermore, a Server Core computer is more secure because it presents a smaller attack surface than a full installation: fewer binaries and services are installed, so fewer components need patching and fewer are exposed to attack.

. Restartable Active Directory Domain Services—You can now perform many actions, such as offline defragmentation of the database, simply by stopping the Active Directory Domain Services service. This reduces the number of occasions on which you must restart the server in Directory Services Restore Mode and thereby reduces the length of time the domain controller is unavailable to serve requests from client computers.

. Active Directory Certificate Services (AD CS)—Certificate Services has been enhanced considerably from Windows Server 2003. For example, you can enroll network devices such as routers for certificates, you can use new certificate templates that support new cryptographic algorithms, you can designate several limited roles for delegating administrative tasks to different individuals, and you can use the Online Responder service (OCSP) as an alternative to traditional certificate revocation lists.

. Active Directory Lightweight Directory Services (AD LDS)—Microsoft has enhanced and modified the previous Active Directory Application Mode (ADAM) feature introduced in Windows Server 2003 Release 2 (R2).

. Active Directory Rights Management Services (AD RMS)—Microsoft has added numerous features, such as a new interface, delegation of administration, and integration with Active Directory Federation Services (AD FS).

. Enhancements to Group Policy—Microsoft has added many new policy settings. In particular, these settings enhance the management of Windows Vista client computers. All policy management is now handled by means of the Group Policy Management Console (GPMC), which was an optional feature first added to Windows Server 2003 R2. In addition, Microsoft has added new auditing capabilities to Group Policy and a searchable database for locating policy settings from within GPMC.

. Fine-Grained Password Policies—Microsoft has added the capability


. Security enhancements—Microsoft has hardened Windows Server 2008 to provide the most secure server operating system to date. The most significant security enhancements include the RODC already introduced; Network Access Protection (NAP), which enables you to isolate computers that are noncompliant with security policies; improved clustering features; an improved version of Internet Information Services (IIS); expanded Group Policy settings; and User Account Control (UAC).

Server Manager

Is Server Manager a throwback to Windows NT 4.0? Not at all. It is a throwback in name only. Server Manager is a new Microsoft Management Console (MMC) console that replaces the Computer Management console found in previous Windows Server versions and adds considerable new management functionality. In particular, it includes the management tools formerly part of the Manage Your Server, Configure Your Server, and Add or Remove Windows Components applications in Windows Server 2003. Because this book deals with Server Manager considerably throughout, I’ve included a brief introduction of its capabilities here.

When you first log on to a Windows Server 2008 computer, Server Manager opens by default. If Server Manager is not open, you can open it by using any of the following methods:

- Click Start, right-click Computer, and select Manage.

- Click Start, Administrative Tools, Server Manager.

- Click Start, Run, type compmgmtlauncher, and then press Enter.

FIGURE 1.2 Server Manager, showing the default options in a new Windows Server 2008 installation.

Several of the more significant administrative actions you can perform from Server Manager are as follows:

- Add or remove roles, role services, and server features

- View, manage, and modify the configuration of installed roles and features

- Perform general management tasks, such as configuration of local user accounts and groups, disk management, and service management

- Verify server status, identify critical errors and other events, and troubleshoot configuration problems or server failures

NOTE

The Computer Management snap-in is still available in Windows Server 2008 and contains a subset of the controls available in Server Manager. You can open Computer Management from the Tools tab of the System Configuration dialog box or by typing

Adding Roles and Features

Server Manager facilitates the adding of roles and features. To add a role, right-click Roles in the console tree and choose Add Roles. This starts the Add Roles Wizard. Figure 1.3 shows the roles you can add to the server using this wizard. To add a feature, right-click Features and choose Add Features. Simply follow the instructions provided by the wizard, and reboot the server if requested.

TIP

If you do not want Server Manager to open when you start your domain controller, select the check box labeled Do Not Show Me This Console at Logon, found on the Server Summary page of Server Manager.

FIGURE 1.3 The Add Roles Wizard enables you to select from a series of roles that you can add to your server.

Command-Line Server Management

Server Manager also provides a command-line version, ServerManagerCmd.exe. You can perform many tasks without the GUI, such as adding or removing roles, role services, and features. You can use the command-line version from either the full version of Windows Server 2008 or from Server Core. To obtain information on the available commands, open a command prompt and type ServerManagerCmd /?.
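As an added example that is not from the book, the following PowerShell script drives ServerManagerCmd.exe to check whether a role is already installed, preview the change with -whatIf, and then install it with a log file for the change record. The role ID ADDS-Domain-Controller and the [X]/[ ] markers in the -query output are assumptions; confirm both against the output of ServerManagerCmd -query on your own server.

```powershell
# Added example (not the book's code): install a Server Manager role from the
# command line only if it is not already present, previewing the change first.
# ASSUMPTION: "ADDS-Domain-Controller" is the AD DS role ID shown by -query.
param(
    [string]$RoleId  = "ADDS-Domain-Controller",
    [string]$LogPath = "$env:TEMP\ServerManagerCmd-$RoleId.log"
)

# -query lists every role, role service and feature with its ID in brackets.
# ASSUMPTION: installed items are prefixed with [X], uninstalled ones with [ ].
$query = & ServerManagerCmd.exe -query 2>&1
$pattern = "\[" + [regex]::Escape($RoleId) + "\]"
$line = $query | Where-Object { $_ -match $pattern } | Select-Object -First 1

if (-not $line) {
    Write-Error "Role ID '$RoleId' not found in -query output; check the ID."
    exit 1
}

if ($line -match "^\s*\[X\]") {
    Write-Host "Role $RoleId is already installed; nothing to do."
    exit 0
}

# Dry run: -whatIf reports what would be installed without changing the server.
Write-Host "Preview of changes for $RoleId:"
& ServerManagerCmd.exe -install $RoleId -whatIf

# Real installation; -logPath keeps a record of what Server Manager did.
& ServerManagerCmd.exe -install $RoleId -logPath $LogPath
if ($LASTEXITCODE -ne 0) {
    Write-Warning "ServerManagerCmd returned exit code $LASTEXITCODE; review $LogPath."
    exit $LASTEXITCODE
}

Write-Host "Role $RoleId installed; log written to $LogPath."
```

Installing the AD DS role binaries this way does not create a domain controller; promotion is still a separate step (dcpromo, as described later in the book).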

Configuring Forests and Domains

As already mentioned, the domain is the primary administrative unit in Active Directory. Windows Server 2008 uses the concept of domains to separate available resources among registered users. Therefore, all activities of planning and implementing an Active Directory namespace arise from the viewpoint of the domain structure.

The first domain installed in any Active Directory setup is always the forest root domain. All subdomains in the forest root domain tree contain the root domain name in their own domain name. Domains in another tree contain a different domain name structure. In addition, the top-level domain names are defined in the DNS hierarchy that will be established in the forest.

CAUTION

Before installing Active Directory for the first time on any company network, you need to plan the proposed domain namespace. Decide how many domains your forest needs and whether multiple trees or child domains are needed. Refer to Exam Cram or Exam Prep books on Exams 70-298, 70-646, or 70-647 for details of planning a domain namespace.

Requirements for Installing Active Directory Domain Services

Before you can install AD DS, you must have at least one server that meets the following requirements:

- Operating system—The server must be running the Standard, Enterprise, or Datacenter edition of Windows Server 2008. Note that a server running the Web edition cannot act as a domain controller.

- Adequate hard disk space—Beyond the space used for installing
