Syngress the real MCTS MCITP windows server 2008 configuring active directory exam 70640 prep kit mar 2008 ISBN 1597492353 pdf



Document information

Visit us at www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS
For readers who can't wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.

Technical Editor: Tony Piltzecker
Technical Reviewer: Robert J. Shimonski
Contributing Authors: Naomi Alpern, Tariq Azad, Laura Hunter, John Karnay, Jeffery Martin, Gene Whitley

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media® and Syngress® are registered trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

The Real MCTS/MCITP Exam 70-640 Prep Kit
Copyright © 2008 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN 13: 978-1-59749-235-5

Publisher: Andrew Williams
Acquisitions Editor: David George
Technical Editor: Tony Piltzecker
Project Manager: Gary Byrne
Page Layout and Art: SPI
Copy Editors: Audrey Doyle, Mike McGee
Indexer: Ed Rush
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@elsevier.com.

Technical Editor

Tony Piltzecker (CISSP, MCSE, CCNA, CCVP, Check Point CCSA, Citrix CCA), author and technical editor of Syngress Publishing's MCSE Exam 70-296 Study Guide and DVD Training System and How to Cheat at Managing Microsoft Operations Manager 2005, is an independent consultant based in Boston, MA. Tony's specialties include network security design, Microsoft operating system and applications architecture, and Cisco IP Telephony implementations. Tony's background includes positions as systems practice manager for Presidio Networked Solutions, IT manager for SynQor Inc., network architect for Planning Systems, Inc., and senior networking consultant with Integrated Information Systems. Along with his various certifications, Tony holds a bachelor's degree in business administration. Tony currently resides in Leominster, MA, with his wife, Melanie, and his daughters, Kaitlyn and Noelle.

Technical Reviewer

Robert J. Shimonski (MCSE, etc.) is an entrepreneur, a technology consultant, and a published author with more than 20 years of experience in business and technology. Robert's specialties include designing, deploying, and managing networks, systems, virtualization, storage-based technologies, and security analysis. Robert also has many years of diverse experience deploying and engineering mainframes and Linux- and UNIX-based systems such as Red Hat and Sun Solaris. Robert has in-depth work-related experience with and deep practical knowledge of globally deployed Microsoft- and Cisco-based systems and stays current on the latest industry trends. Robert consults with business clients to help forge their designs, as well as to optimize their networks and keep them highly available, secure, and disaster free. Robert is the author of many information technology-related articles and published books, including the best-selling Sniffer Network Optimization and Troubleshooting Handbook, Syngress (ISBN: 1931836574). Robert is also the author of other best-selling titles, including Security+ Study Guide and DVD Training System (ISBN: 1931836728), Network+ Study Guide & Practice Exams: Exam N10-003 (ISBN: 1931836426), and Building DMZs for Enterprise Networks (ISBN: 1931836884), also from Syngress. His current book offerings include the newly published Vista for IT Security Professionals, Syngress (978-1-59749-139-6), as well as being a series editor on the new Windows Server 2008 MCITP series from Syngress Publishing.

Contributing Authors

Naomi J. Alpern currently works for Microsoft as a consultant specializing in Unified Communications. She holds many Microsoft certifications, including an MCSE and MCT, as well as additional industry certifications such as Citrix Certified Enterprise Administrator, Security+, Network+, and A+. Since the start of her technical career, she has worked in many facets of the technology world, including IT administration, technical training, and, most recently, full-time consulting. She likes to spend her time reading cheesy horror and mystery novels when she isn't browsing the Web. She is also the mother of two fabulous boys, Darien & Justin, who mostly keep her running around like a headless chicken.

Tariq Bin Azad is the principal consultant and founder of NetSoft Communications Inc., a consulting company located in Toronto, Canada. He is considered a top IT professional by his peers, coworkers, colleagues, and customers. He obtained this status by continuously learning and improving his knowledge and information in the field of information technology. Currently, he holds more than 100 certifications, including MCSA, MCSE, MCTS, MCITP (Vista, Mobile 5.0, Microsoft Communications Server 2007, Windows 2008, and Microsoft Exchange Server 2007), MCT, CIW-CI, CCA, CCSP, CCEA, CCI, VCP, CCNA, CCDA, CCNP, CCDP, CSE, and many more. Most recently, Tariq has been concentrating on Microsoft Windows 2000/2003/2008, Exchange 2000/2003/2007, Active Directory, and Citrix implementations. He is a professional speaker and has trained architects, consultants, and engineers on topics such as Windows 2008 Active Directory, Citrix Presentation Server, and Microsoft Exchange 2007. In addition to owning and operating an independent consulting company, Tariq works as a senior consultant and has utilized his training skills in numerous workshops, corporate trainings, and presentations. Tariq holds a Bachelor of Science in Information Technology from Capella University, USA, a bachelor's degree in Commerce from University of Karachi, Pakistan, and is working on his ALMIT (Masters of Liberal Arts in Information Technology) from Harvard University. Tariq has been a coauthor on multiple books, including the best-selling MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (ISBN: 047018146X) and The Real MCTS/MCITP Exam 640 Preparation Kit (ISBN: 978-1-59749-235-5). Tariq has worked on projects or trained for major companies and organizations, including Rogers Communications Inc., Flynn Canada, Cap Gemini, HP, Direct Energy, Toyota Motors, Compaq, IBM, Citrix Systems Inc., Unicom Technologies, and Amica Insurance Company. He lives in Toronto, Canada, and would like to thank his father, Azad Bin Haider, and his mother, Sitara Begum, for his lifetime of guidance and for their understanding and support in giving him the skills that have allowed him to excel in work and life.

Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, Security+, CNE-4, CNE-5) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the university. Her specialties include Microsoft Windows 2000/2003 design and implementation, troubleshooting, and security topics. As an "MCSE Early Achiever" on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura's previous experience includes a position as the director of computer services for the Salvation Army and as the LAN administrator for a medical supply firm. She also operates as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of Web sites. Laura has previously contributed to Syngress Publishing's Configuring Symantec Antivirus, Corporate Edition (ISBN 1-931836-81-7). She has also contributed to several other exam guides in the Syngress Windows Server 2003 MCSE/MCSA DVD Guide and Training System series as a DVD presenter, contributing author, and technical reviewer. Laura holds a bachelor's degree from the University of Pennsylvania and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the U.S. Government and other participants dedicated to increasing the security of United States critical infrastructures.

John Karnay is a freelance writer, editor, and book author living in Queens, NY. John specializes in Windows server and desktop deployments utilizing Microsoft and Apple products and technology. John has been working with Microsoft products since Windows 95 and NT 4.0 and consults for many clients in New York City and Long Island, helping them plan migrations to XP/Vista and Windows Server 2003/2008. When not working and writing, John enjoys recording and writing music as well as
spending quality time with his wife, Gloria, and daughter, Aurora.

Jeffery A. Martin, MS/IT, MS/M (MCSE, MCSE:Security, MCSE:Messaging, MCDBA, MCT, MCSA, MCSA:Security, MCSE:Messaging, MCP+I, MCNE, CNE, CNA, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM), has been working with computer networks for more than 20 years. He is an editor, coeditor, author, or coauthor of more than 15 books and enjoys training others in the use of technology.

Gene Whitley (MBA, MCSE, MCSA, MCTS, MCP, Six Sigma Green Belt) is a senior systems engineer with Nucentric Solutions (www.nucentric.com), a technology integration firm in Davidson, NC. Gene started his IT career in 1992 with Microsoft, earning his MCP in 1993 and MCSE in 1994. He has been the lead consultant and project manager on numerous Active Directory and Exchange migration projects for companies throughout the U.S. Gene has been a contributing author on such books as How To Cheat At IIS Server Administration, How To Cheat At Microsoft Vista Administration, and Microsoft Forefront Security Administration Guide. When not working, he spends his time with his wife and best friend, Samantha. Gene holds an MBA from Winthrop University and a BSBA in Management Information Systems from The University of North Carolina at Charlotte.

Appendix • Self Test Appendix

C. Go into the Task Manager and into the Process tab. Find CustApp.exe and end the process.
D. Purchase a second server to run only the CustApp.exe application.

Correct Answer & Explanation: A. The Windows System Resource Manager (WSRM) allows administrators to set policies and thresholds on applications and processes for the number of CPU cycles they can max out at and the amount of memory they are allowed to consume. Setting a calendar policy allows the administrator to allow the application to run at high CPU levels if needed after hours; that way, it doesn't affect the end-users at work.

Incorrect Answers & Explanations: B, C, D. Answer B is incorrect, because by setting
the priority level to below normal, it is possible that the threads within CustApp.exe will never execute, depending on whether there are a large number of threads with higher-priority numbers in the queue. Answer C is incorrect, because it completely stops the CustApp.exe process, which may belong to a mission-critical application, thereby affecting productivity in a highly negative manner. Answer D is incorrect, because the scenario clearly states that there is no money in the budget for additional hardware.

Index

A
Account lockout policy, 380–394, 437, 438
Account Policies, configuration of. See Configuration of Account Policies
Accounts. See Computer accounts; User accounts
Active Directory: Application Mode (ADAM), 2, 23; bandwidth and network traffic, 217–218; configuring event logging, 265–266; directory service access, 401–404; Domain Services (ADDS), 2–3, 584–587; Domain Services Role installation, 12–15; editing attributes of objects, 189; Federation Services, see ADFS (Active Directory Federation Services); Lightweight Directory Service, see LDS (Active Directory Lightweight Directory Service); navigation of, 189; records, 85–86; restartable, 584–587; Rights Management Service, see RMS (Active Directory Rights Management Service); Users and Computers administration tool, 126–129. See also Backing up; Computer accounts; Monitoring Active Directory; Offline maintenance; Recovering; User accounts; Users and Computers console
AD-integrated zones, 81, 118
ADAM (Active Directory Application Mode), 2, 23
Add Role Wizard, 6–8
ADDS (Active Directory Domain Services), 2–3, 584–587
ADFS (Active Directory Federation Services): configuration, 39–51; description, 3, 37–38; federating with Windows Server 2003 R2 forest, 54; structure, 38; use of, 38
ADLDS (Active Directory Lightweight Directory Service). See LDS (Active Directory Lightweight Directory Service)
Adleman, Leonard, 453
ADM (Administrative Template) templates, adding to GPOs, 424–432
Admin logs, 606
Administrative Templates, 420–421
Administrator account, built-in, 130, 189
ADMX (XML-based format): central store, 422–423, 439; files, 421
adprep, 17, 54
ADRMS (Active Directory Rights Management Service). See RMS (Active Directory Rights Management Service)
ADSIEdit.msc graphical console, 189
Allocation for Active Directory, 590–591
Analytic logs, 606
Application certificates, 480
Application-push technologies, 81
Application-specific content in Group Policies, 348
Applications, monitoring, 596–597
Applications logs, 606
Assigning software to computers, 368–369
Assigning software to users, 364–368
Attacks, elevation-of-privilege, 275
Attributes of objects, editing, 189
Audit Policies, configuration of. See Configuration of Audit Policies
Auditing: changes from ADAM, 23; logon events, 438; in Windows Server 2008, 438
Authentication of UPNs, 212
Authoritative restoring, 568–574, 637–638
Autoenrollment for user certificates, 527
Automatic partner configuration, 105–106

B
Backing up: CA servers, 489–492; critical volumes, 556–557; description, 534–535; Group Policy objects (GPOs), 575–580, 638; key files, 555; Starter GPOs, 579, 638; system state data, 551–554, 637; Volume Shadow Copy Service (VSS), 551. See also Windows Server Backup
Bandwidth and network traffic in Global Catalog (GC), 217–218
BIND servers, 117
BitLocker Drive Encryption, 12
bkf files, 534–535, 553, 637
Block Inheritance in GPOs, 322–323, 330
Block symmetric algorithms, 453
Bridgehead servers, 259
Brute force password attacks, 437
Bulk data encryption without prior shared secrets, 466–479

C
Caching, Universal Group, 218–220
Cards, smart, 140, 479, 514, 527–528
CAs (certification authorities): Certificate Practice Statement (CPS), 484–485; certificate requests, 484–489; configuring, 481–482; description, 482; hierarchy, 527; root vs. subordinate, 483–484; standard vs. enterprise, 482–483
Certificate Practice Statement (CPS), 484–485
Certificate requests, 484–489
Certificate revocation lists (CRLs), 499–501, 524, 527
Certificate Services, installing, 468–477. See also CAs (certification authorities); Certificate templates; Certificates; Key recovery
Certificate templates: cryptography, 506–507; custom, 516–519; description, 501–502; general properties, 503–504; issuance requirements, 509–512; key recovery agent, 521–522; permissions model, 519–520; request handling, 505; security settings, 512–513; subject information, 508; types of, 513–516; versioning, 520–521
Certificates: application certificates, 480; computer certificates, 514–516; description, 460–463; EFS and overseas travel, 526; formats, 526; machine certificates, 480; needs, analyzing, 480–481; reviewing, 467–468; types of, 513–516; user certificates, 479, 513–514; validity period, 527, 528; visibility, 526
Certification authorities (CAs). See CAs (certification authorities)
Client-management technologies, 81
CNG (Cryptography Next Generation), 452
Compaction, 587–590
Computer accounts: creating, 161–162; description, 160–161; modifying, 162–167; password storage limit, 190; purpose, 190; resetting, 167–168
Computer certificates, 514–516
Computer configuration in GPOs, 308–309
Confidentiality, 449
Configuration: Active Directory event logging, 265–266; ADFS (Active Directory Federation Services), 39–51; CAs (certification authorities), 481–482; DHCP (Dynamic Host Configuration Protocol), 98–99; directory service access in group policy, 405; Directory Services role, 12; directory services role, 12–15; DNS (Domain Name System), 73–76; fine-grain policies, 384–394; LDS (Active Directory Lightweight Directory Service), 23–26; object level auditing, 405–408; replication between sites, 263; resolution of zones, 91; restricting some users, 439; reverse lookup zones, 87–91; RMS (Active Directory Rights Management Service), 30–37; RODC (read-only domain controllers), 16–21; site link costs, 252–254; Universal Group caching, 219; WINS (Windows Internet Naming Service), 103–105, 111, 112–113; WMI (Windows Management Instrumentation) filtering, 331. See also Configuration of Account Policies; Configuration of Audit Policies; Configuration of security-related policies; Software configuration and Group Policies
Configuration Manager, System Center, 81
Configuration of Account Policies: account lockout policy, 380–394, 437, 438; Default Domain Policy GPO, 378; domain password policy, 379–380, 381–384; fine-grain policies, 384–394; PSO, applying users and groups to, 394–397
Configuration of Audit Policies: description, 397–399; directory service access, 401–404; logon events, 399–401; object access, 404–408; other audit policies, 408–409
Configuration of security-related policies: ADM (Administrative Template) templates, adding to GPOs, 424–432; Administrative Templates, 420–421; ADMX central store, 422–423; Restricted Groups objects, 415–420; security options, 411–415; users rights, 409–411
Configuration partition, 202
CPS (Certificate Practice Statement), 484–485
Creating GPOs, 314–315, 316–318
CRLs (certificate revocation lists), 499–501, 524, 527
Cryptography: algorithms, types of, 453; basics, 459; certificate templates, 506–507; symmetric key, 453
Cryptography Next Generation (CNG), 452
Custom certificate templates, 516–519
Custom Views in Event Viewer, 602–605

D
Data Collector Sets, 629–631
Data encryption without prior shared secrets, 466–479
Database files for DNS, 64–65
Database Mounting Tool, 23
DCs (domain controllers): Global Catalog (GC), 210–211; master roles, 220–221; refreshing cache, 219; schema partition, 202; software, not assigning to DCs, 361; UPN authentication, 212. See also RODCs (read-only domain controllers)
Debug logs, 606
Default settings, Microsoft, 421
Default trusts, 272
Defragmenting, 587–590, 638
Delegating tasks, 177–183, 191
Delegation of Control Wizard, 178–183
Desktop settings for user accounts, 189
Destination disk, labeling, 545
DH (Diffie-Hellman) algorithms, 453–454
DHCP (Dynamic Host Configuration Protocol): configuring, 93–95, 98–99, 102–103; description, 62; design principles, 95–97; DNS (Domain Name System), 102–103; installing, 97; Server Core, 100–102; servers and placement, 96–97
Diffie-Hellman (DH) algorithms, 453–454
Digital certificates, reviewing, 467–468
Digital rights management (DRM) in Vista, 29–30, 54
Digital signatures, 464–465, 526
Directory information search in GC, 212–214
Directory service access, 401–404
Directory Services Restore Mode (DSRM), 565–568, 637
Directory Services role: configuring, 12; omitting, 55
Distinguished names (DNs), 202
Distribution groups, 170
DNs (distinguished names), 202
DNS (Domain Name System): BIND and Windows servers, 117; configuration, 63–68, 73–76; database files, 64–65; description, 62; design, 90; DHCP (Dynamic Host Configuration Protocol), 102–103; domain suffixes, 66–67, 117; installation, 72–73; record types, 63–64; Resource Records (RRs), 68–72; root domain ("."), 118; Server Core, 76–79; WINS (Windows Internet Naming Service), 112–113; zone transfer, 82–83; zones, configuring, 79–82; zones, creating, 83–85
Domain controllers. See DCs (domain controllers)
Domain functional levels: description, 202; list of, 203; raising, 281; use of, 203–204; Windows 2000, 204; Windows 2003, 204–205; Windows 2008, 205–206
Domain local groups, 171
Domain Name System (DNS). See DNS (Domain Name System)
Domain Naming DC, 220
Domain partition, 202
Domain password policy, 379–380, 381–384
Domain Services, Active Directory (ADDS), 2–3, 584–587
Domain user accounts, 189
Domains: description, 199–202; sites, relationship with, 234–235; suffixes, 66–67, 117
DRM (digital rights management) in Vista, 29–30, 54
dsadd tool, 190
DSRM (Directory Services Restore Mode), 565–568, 637
DVD, backing up to, 548–551
Dynamic Host Configuration Protocol (DHCP). See DHCP (Dynamic Host Configuration Protocol)
Dynamic Updates, Secure, 81

E
EAP (Extensible Authentication Protocol), 528
Editing attributes of objects, 189
EFS (Encrypting File System) and overseas travel, 526
Elevation-of-privilege attacks, 275
Encrypting File System (EFS) and overseas travel, 526
Encryption, secret key, 453
Encryption without prior shared secrets, 466–479
Enforcing: Group Policies, 318–322, 330; membership of groups, 439
Enterprise CAs (certification authorities), 482–483
Enterprise PKI (PKIView), 451
Event logging in Active Directory, 265–266
Event Viewer: Applications and Services logs, 606; Custom Views, 602–605; description, 602; new benefits, 638; subscriptions, 607–611; Windows logs, 605
Exchange Server and Global Catalog (GC), 217
Explicit trusts, 271, 282
Extensible Authentication Protocol (EAP), 528
External trusts, 267, 273–274, 281

F
Federating with Windows Server 2003 R2 forest, 54
Federation Services. See ADFS (Active Directory Federation Services)
Filtering: Group Policy objects (GPOs), 331–333; SIDs (Security Identifiers), 275–276; WMI (Windows Management Instrumentation), 304–305, 330–331
Fine-grain policies, 384–394
Flash drives, backing up to, 548, 637
Flexible Single Manager Operation roles. See FSMO (Flexible Single Manager Operation) roles
Forcing replication, 261
Foreign travel and EFS (Encrypting File System), 526
Forest functional levels: description, 202; list of, 203; raising, 208–209, 281; Windows 2000, 206–207; Windows 2003, 207–208; Windows 2008, 208
Forest trusts, 272–273
Forests, 199–200
FSMO (Flexible Single Manager Operation) roles: description, 220; Domain Naming role, locating and transferring, 227–228; Infrastructure, RID, and PDC Operations Master Roles, locating and transferring, 228–230; master roles, 220–221; master roles, seizing, 230–231; placing in Active Directory environment, 232; role holders, seizing, 223–224; role holders, transferring, 223; Schema Master role, locating and transferring, 224–227; valid authorization levels, 221–222
Functional levels. See Domain functional levels; Forest functional levels

G
GC. See Global Catalog (GC)
Global Catalog (GC): attributes, 215–216; bandwidth and network traffic, 217–218; description, 202, 210–212; directory information search, 212–214; Exchange Server, 217; placing GC servers within sites, 216–217; replication, 214–215; server, number of users for, 283; Universal Group membership, 214, 215; UPN authentication, 212
Global groups, 171
GlobalNames zone, 91–93, 117
GPMC (Group Policy Management Console), 638
GPO. See Group Policy objects (GPOs)
Group Policies. See Configuration of Account Policies; Group Policy Modeling Wizard; Group Policy objects (GPOs); Group Policy Results Wizard; Software configuration and Group Policies
Group Policy Management Console (GPMC), 638
Group Policy Modeling Wizard, 327–330
Group Policy objects (GPOs): ADM (Administrative Template) templates, adding to GPOs, 424–432; application-specific content, 348; backing up, 575–580, 638; Block Inheritance, 322–323, 330; computer configuration, 308–309; creating, 314–315, 316–318; Default Domain Policy GPO, 378; enforcing, 318–322, 330; features, 348; filtering, 331–333; Group Policy description, 348; hierarchy, 309–311; linking, 315–318; Local Group Policies, 293–296; loopback, 334, 349; modeling, 327–330; Multiple Local GPOs (MLGPOs), 293–296; network location awareness, 306–307; non-local, 296–306; Preferences, 303–306; processing priority, 311–314; recovering, 581–585; results, 323–325; Starter GPOs, 341–345, 348, 579; Templates, Administrative, 335–337; Templates, Security, 335–337, 337–341; types, 292–293; user configuration, 307–308; Windows 2008 new features, 348; WMI (Windows Management Instrumentation) filtering, 304–305, 330–331
Group Policy Results Wizard, 323–325
Groups: creating by scripts, 176–177; creating by Users and Computers console, 172–173; description, 169; enforcing membership of, 439; managing, 190–191; modifying by Users and Computers console, 173–176; scopes of, 170–171; strategies, 171–172; types of, 170
Guest account, built-in, 131

H
Hash function, 453
Hierarchy: CAs (certification authorities), 527; Group Policies, 309–311
Hub-and-spoke models for WINS (Windows Internet Naming Service), 109–110
Hybrid replication models for WINS (Windows Internet Naming Service), 110

I
IANA (Internet Assigned Numbers Authority), 72
Implicit trusts, 271, 282
Implied trusts, 282
Incoming trusts, 270
Infrastructure Master DC, 220
Installation: Certificate Services, 468–477; DHCP (Dynamic Host Configuration Protocol), 97; DNS (Domain Name System), 72–73; Domain Services Role, 12–15; software configuration and Group Policies, 358–361; Windows Server Backup, 535–540; WINS (Windows Internet Naming Service), 111
Internet Assigned Numbers Authority (IANA), 72
Intersite or intrasite replication, 217
IP replication, 262
IPv6, 245–246

K
KCC (Knowledge Consistency Checker), 207, 215, 255–258, 282
Key files: backing up, 555; recovering, 559–565
Key infrastructure. See PKI (public key infrastructure)
Key recovery: agent, 521–522; backing up CA servers, 489–492; restoring CA servers, 492–495
Knowledge Consistency Checker (KCC), 207, 215, 255–258, 282

L
Labeling the destination disk, 545
LDS (Active Directory Lightweight Directory Service): configuration, 23–26; description, 2–3; managing, 26–27; running AD internally, 54; use of, 22
Linked value replication (LVR), 575
Linking GPOs, 315–318
LMHOSTS files, static entries in, 110–111
Local Group Policies, 293–296
Local user accounts, 189
Local user profiles, 145
Lockout policy, 380–394, 437, 438
Logon events, auditing, 438
Logs: Applications, 606; Services, 606; Windows, 605
Loopback, Group Policy, 334, 349
Loopback address in IPv6, 246
LVR (linked value replication), 575

M
Machine certificates, 480
Maintenance, offline. See Offline maintenance
Maintenance, software, 370–375
Mandatory profiles, 145, 189
Masks, 244–245
Master roles, FSMO, 220–221
Membership of groups, enforcing, 439
Microsoft default settings, 421
MLGPOs (Multiple Local GPOs), 293–296
Modeling, Group Policy, 327–330
Monitoring Active Directory: description, 591; Event Viewer, 602–608; Network Monitor (netmon), 591–594; Task Manager, 594–601. See also Windows Reliability and Performance Monitor
MS-CHAP protocols, 528
MSI (Windows installer) files, 378
Multiple Local GPOs (MLGPOs), 293–296

N
Navigation of Active Directory, 189
Network Device Enrollment Service (NDES), 452
Network location awareness and Group Policies, 306–307
Network Monitor (netmon), 591–594
Network traffic in Global Catalog (GC), 217–218
Networking, monitoring, 599–600
New Zone Wizard, 83–85
Non-local GPOs, 296–306
Nonauthoritative restoring, 575, 637–638
Nonrepudiation, 449

O
OCSP (Online Certificate Status Protocol), 452
Offline maintenance: defragmenting and compaction, 587–590, 638; restartable Active Directory, 584–587; storage allocation, 590–591
One-way trusts, 269–270
Online Certificate Status Protocol (OCSP), 452
Operational logs, 606
Organizational units (OUs): Block Inheritance, 322–323; defaults, 128; description, 198; permissions, 178
OU. See Organizational units (OUs)
Outgoing trusts, 270
Overseas travel and EFS (Encrypting File System), 526

P
Partner configuration, automatic, 105–106
Password Settings objects (PSOs). See PSOs (Password Settings objects)
Passwords: brute force password attacks, 437; domain password policy, 379–380, 381–384; DSRM (Directory Services Restore Mode), 637; options, 139–141; resetting, 157; storage limit for computer accounts, 190; strength traits, 132, 190, 438; Users and Computers administration tool, 134–135
PDC Emulator DC, 221
Performance, monitoring, 598–599
Performance Monitor, 625–627
PKCS (Public-Key Cryptography Standards), 454–458
PKI (public key infrastructure): application certificates, 480; authentication, 465–466; bulk data encryption without prior shared secrets, 466–479; certificate services, installing, 468–477; components, 450–452; description, 446–449; digital certificates, reviewing, 467–468; digital signatures, 464–465, 526; enhancements in Windows Server 2008, 450–452; function of, 449–450; history of, 452–453; machine certificates, 480; user certificates, 479. See also CAs (certification authorities); Certificate templates; Key recovery
PKIView, 451
Preferences for Group Policies, 303–306
Primary zones, 79
Processes, monitoring, 597
Processing priority in Group Policies, 311–314
Profiles: mandatory, 189; public and private keys, 457; Terminal Service, 154; types of, 145; Users and Computers administration tool, 144–145; WS-Federation Passive Requestor Profile (WS-F PRP), 37
Protocols for replication, 261–262
PSOs (Password Settings objects): applying users and groups to, 394–397; description, 386
Public-Key Cryptography Standards (PKCS), 454–458
Public key infrastructure. See PKI (public key infrastructure)
Publishing software to users, 361–364
Pull partnerships, 107
Push partnerships, 106–107
Push/pull partnerships, 108

R
Raising functional levels, 208–210, 281
Read-only domain controllers. See RODCs (read-only domain controllers)
Realm trusts, 281
Record types for DNS, 63–64
Recovering: authoritative restoring, 568–574, 637–638; bkf files, 534–535, 553, 637; CA servers, 492–495; description, 534–535; Directory Services Restore Mode (DSRM), 565–568, 637; Group Policy objects (GPOs), 581–585; key files, 559–565; nonauthoritative restoring, 575, 637–638
Recovery, key. See Key recovery
Redeploying software, 370–371, 437
Relative ID (RID) Master DC, 221
Reliability and Performance Monitor. See Windows Reliability and Performance Monitor
Reliability Monitor, 627–629
Removable media, backing up to, 548–551
Removal: RODC (read-only domain controllers), 21–22; software, 375–378
Renaming sites, 242–243, 283
RepAdmin command, 618–621
Replication: bridgehead servers, 259; configuring between sites, 263; description, 255–256; forcing, 261; intersite, 217, 258–259; intrasite, 217, 256; monitoring, 638; protocols, 261–262; ring topology, 257; RODCs, 54; scheduling, 260–261; three-hop rule, 258; topology, 262–263; transitive site links, 259; troubleshooting, 264–266; Universal Group, 171
Replication and WINS (Windows Internet Naming Service), 105–110
Replication Monitor (Replmon), 611–617
Reports, 631–632
Resource Records (RRs) for DNS, 68–72
Restartable Active Directory, 584–587
Restoring. See Recovering
Restricted Groups objects: adding, 416–419; deleting, 420; description, 415–416; enforcing membership of groups, 439; modifying, 419–420
Restricting some users, 439
Results, Group Policy, 323–325
Reverse lookup zones: configuration, 87–91; description, 80, 86; security considerations, 87
Ring models for WINS (Windows Internet Naming Service), 109
Ring topology for replication, 257
Rivest, Ronald, 453
RMS (Active Directory Rights Management Service): configuration, 30–37; description, digital rights management (DRM) in Vista, 29–30, 54; features, 28–29
Roaming user profiles, 145
RODCs (read-only domain controllers): configuration, 16–21; description, 2, 184, 191; features, 16; mixed-mode (Windows 2003 and 2008) domain, 54; purpose, 15–16; removal, 21–22; replication, 54
Role deployment: Add Role Wizard, 6–8; directory services role configuration, 12–15; Server Manager, 55; Windows Server 2008 new roles, 2–3
Root CAs (certification authorities), 483–484
Root domain (".") in DNS, 118
RRs (Resource Records) for DNS, 68–72
RSA Labs, 453

S
SACL (system access control list), 401
Scheduling replication, 260–261
Schema Master DC, 220
Schema partition, 202
Scripts: computer accounts, creating, 167; eased by Web Enrollment, 451–452; groups, creating, 176; logon, 145; role deployment, 9, 55; user accounts, creating, 157–158; Windows PowerShell, 537
Searching Global Catalog (GC), 212–214
Secondary zones, 79
Secret key agreement, 466
Secret key encryption, 453
Secure Dynamic Updates, 81
Security groups, 170
Security options, 411–415
Security principals, 276
Server Backup, Windows. See Windows Server Backup
Server Core: 32-bit and 64-bit editions, 55; description, 3, 10–12; DHCP (Dynamic Host Configuration Protocol), 100–102; directory services role,
configuring, 12–15 DNS (Domain Name System), 76–79 WINS (Windows Internet Naming Service), 111–112 Server Manager description, features, implementing roles, 3–9 role deployment, 55 Services, monitoring, 598 Services logs, 606 Settings, Microsoft default, 421 Shamir, Adi, 453 Shared secret key cryptography, 454 Shortcut trusts, 267, 274–275, 281 SIDs (Security Identifiers) filtering, 275–276, 282 RID Masters, 221 Signatures, digital, 464–465, 526 Site link bridges, 259–260 Site links, transitive, 259–260, 283 Sites associating subnets with, 247–249 creating, 238–242 creating links, 249–252 description, 233–235 domains, relationship with, 234–235 link costs, 252–254 planning, 237–242 renaming, 242–243, 283 servers, 282–283 subnets, 236 Slash notation, 244–245 Smart cards, 140, 479, 514, 527–528 SMTP replication, 261–262 Software, redeploying, 370–371, 437 Software configuration and Group Policies assigning to computers, 368–369 assigning to users, 364–368 deployment, 358, 437 www.syngress.com 707 708 Index Software configuration and Group Policies (Continued) installation overview, 358–361 maintenance, 370–375 publishing to users, 361–364 redeploying, 370–371, 437 removing, 375–378, 437 software distribution point recommendations, 359, 437 upgrading, 371–375 Software distribution point recommendations, 359, 437 Standard CAs (certification authorities), 482–483 Starter GPOs backing up, 638 description, 341–342, 348 enabling, 342–345 not included in GPOs backup, 579 State data, backing up, 551–554, 637 Static entries in LMHOSTS files, 110–111 Storage allocation for Active Directory, 590–591 Stream symmetric algorithms, 453 Stub zones, 79–81 Subnets associating with sites, 247–249 description, 233, 236 masks and slash notation, 244–245 Subordinate CAs (certification authorities), 483–484 Subscriptions in Event Viewer, 607–611 Suffixes, domain, 66–67, 117 Symmetric algorithms, types of, 453 Symmetric key cryptography, 453 System access control list (SACL), 401 System 
Center Configuration Manager, 81 System state data backing up, 551–554, 637 recovering, 557–558 www.syngress.com T Tape, backing up to, 637 Task Manager applications, 596–597 description, 594–596 networking, 599–600 performance, 598–599 processes, 597 services, 598 users, 601 Tasks, delegating, 177–183, 191 Technologies, application-push, 81 Templates, GPO, Administrative, 335–337 Templates, SPO, Security, 335–337, 337–341 Templates for user accounts, 158–159 Temporary user profiles, 145 Terminal Service profile, 154 Three-hop rule of intrasite replication, 258 Thumb drives, backing up to, 548, 637 Topology, replication, 262–263 Transferring zones, 82–83, 91 Transitive site links, 259–260, 283 Travel and EFS (Encrypting File System), 526 Trees description, 199 Troubleshooting replication, 264–266 Trust relationships default trusts, 272 description, 198–199, 266–271 direction and transitivity, 267 external trusts, 267, 273–274, 281 forest trusts, 272–273 implicit or explicit trusts, 271, 282 implied trusts, 282 incoming or outgoing trusts, 270 nontransitive trusts, 268 one-way trusts, 269–270 realm trusts, 281 shortcut trusts, 267, 274–275, 281 Index transitive trusts, 268–269 two-way trusts, 267–269 Trusted third parties (TTPs), 446 Two-way trusts, 267–269 U Universal Group caching, 218–220 membership, maintaining, 215 membership information, 214 replication impact, 171 Updates, Secure Dynamic, 81 Upgrading software, 371–375 UPNs (user principal names) authenticating, 212 configuring, 159–160 USB-based flash drives, backing up to, 548, 637 User accounts administrator account, built-in, 130, 189 creating by scripts, 157–158 creating by Users and Computers console, 133–136 description, 129 desktop settings, 189 domain and local, 189 guest account, built-in, 131 management actions, 156–157 mandatory profiles, 189 modifying, 136–156 monitoring, 601 restricting, 439 rules and practices, 131–132 templates for, 158–159 types, 129–130 See also Passwords User certificates 
autoenrollment, 527 description, 479 types of, 513–514 User configuration in GPOs, 307–308 User principal names See UPNs (user principal names) Users and Computers administration tool, 126–129 ADSIEdit.msc graphical console, 189 profiles, 144–145 PSO, applying users and groups to, 394–397 See also Computer accounts Users and Computers console creating user accounts, 133–136 managing user accounts, 156–157 modifying user accounts, 136–156 V Validity period of certificates, 527, 528 Versioning of certificate templates, 520–521 Views, custom, in Event Viewer, 602–605 Vista digital rights management (DRM), 29–30, 54 Volume Shadow Copy Service (VSS), 551 W wbadmin.exe command, 547–548, 551 WBS Wizard, 551 Web Enrollment, 451–452 Windows File Protection (WFP), 551 Windows installer (MSI) files, 378 Windows Internet Naming Service (WINS) See WINS (Windows Internet Naming Service) Windows logs, 605 Windows Management Instrumentation (WMI) filtering, 304–305, 330–331 Windows PowerShell, 537 Windows Reliability and Performance Monitor Data Collector Sets, 629–631 description, 623–624, 638 www.syngress.com 709 710 Index Windows Reliability and Performance Monitor (Continued) Performance Monitor, 625–627 Reliability Monitor, 627–629 reports, 631–632 Resource Overview screen, 624–625 Windows Resource Protection (WRP), 551 Windows Server 2003 Active Directory Application Mode (ADAM), 2, 23 Windows Server 2008, new roles in, 2–3 Windows Server Backup critical volumes, backing up, 556–557 destination disk, labeling, 545 installing, 535–540 removable media, 548–551 scheduling, 540–548 tape, 637 wbadmin.exe command, 547–548 Windows System Resource Manager (WSRM), 621–623 WINS (Windows Internet Naming Service) automatic partner configuration, 105–106 configuration, 103–105, 111, 112–113 description, 62 DNS (Domain Name System), 112–113 GlobalNames zone, 91–93, 117 installation, 111 www.syngress.com phasing out, 91 pull partnerships, 107 push partnerships, 106–107 push/pull 
partnerships, 108 replication, 105–110 Server Core, 111–112 static entries in LMHOSTS files, 110–111 Wizards Add Role Wizard, 6–8 Delegation of Control Wizard, 178–183 Group Policy Modeling Wizard, 327–330 Group Policy Results Wizard, 323–325 New Zone Wizard, 83–85 WBS Wizard, 551 WMI (Windows Management Instrumentation) filtering, 304–305, 330–331 WRP (Windows Resource Protection), 551 WSRM (Windows System Resource Manager), 621–623 Z Zones configuring in DNS, 79–82 configuring resolution of, 91 creating, 83–85 transferring, 82–83, 91 ... including the best-selling MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (ISBN: 047018146X) and The Real MCTS/ MCITP Exam 640 Preparation Kit. .. as of the time of this writing There are two Windows Server 2008 tracks, Server Administrator and Enterprise Administrator To achieve the Server Administrator MCITP for Windows Server 2008, you... sites, configuring Active Directory replication, configuring the global catalog, and configuring operations masters ■ Configuring Additional Active Directory Server Roles This objective includes configuring

Posted: 20/03/2019, 10:42
