Windows Server 2008 Active Directory

This lesson covers new and enhanced features of AD in Windows Server 2008. It doesn’t cover the general day to day tasks which as an experienced System Administrator, you already know.

Introducing Windows Server 2008 Active Directory Server Role

What’s new:

• Read-Only Domain Controllers
• New Enhanced Tools and Wizards
• Fine-grain Security Policies
• Restartable AD DS
• AD DS Data Mining Tool
• Auditing Enhancements

Planning and Information on RODCs

Read only domain controllers are domain controllers you may install in areas where physical security is not guaranteed. Think a branch office where multiple people can access the server. Before you may have had a WAN connection to the branch office with the Domain Controller in the head office. If the WAN connection failed then the users on the other end were in trouble; RODCs address this problem. You need a writeable Windows Server 2008 in the domain. Your forest functional level and domain function level must be Windows Server 2003. When a user logs into the network on the remote end, the first login is authenticated across the WAN, but the RODC pulls that information to its machine so the subsequent logins are served by the RODC. You can also create Password Replication Policies which will control which passwords get cached on the RODC. You can delegate management (non-admin access) of the RODC to a local user. Finally, RODCs do not support client updates on DNS and does not register NS resource records. When a clients wants to update is DNS records against an RODC, the RODC points the client to a writeable DC.

Utilizing wizard Enhancements

A new option for dcpromo is a the /adv mode. The advanced mode allows you to select the source DC for the installation. You can also use backup media from an existing DC to cut down on network traffic on the initial replication. You can create a new domain tree and change the default NetBIOS name. You can set forest and domain functional levels when you create new forest or domain. You can configure the Password Replication Policy for an RODC. Another change is the selection of existing domain names instead typing. When creating a answer file password=* will make the system prompt instead of having a password stored in clear text in the answer file.

Delegating RODC Installation

You can have part of the RODC done at the HQ then have a branch user who is delegated authority to complete the task. A user with delegated authority can complete the task by running dcpromo /UseExistingAccount:Attach.

Utilizing MMC Enhancements

There are some enhancements. A find command has been added to the toolbar and action menu. You can easily discover which site a DC is in now. You can also use the MMC to determine which passwords have been sent to a RODC.

Planning Fine-Grained Password and Account Lockout Policies

I showed this in my presentation last February to the OWSUG. Fine grained passwords need a domain functional level of Windows Server 2008. Its best to create a group and change the settings on the group to what you want for your password policies (You can’t apply it to a GPO, user or group only). The tool you use to change the settings is either ADSIEdit or create an LDF file with the settings and then use ldifde command.

Planning the Use of the Data Mining Tool

You can create snapshots of your AD using dsamain.exe. You can use a LDAP tool to view the snapshot. Data mining will help you develop a backup and recovery plan for your AD data.

Planning AD DS Auditing

Windows Server 2008 turns on Audit Directory Service Access by default. Auditing in Windows Server 2008 has new levels, detailed or normal. Event IDs 5136 – Modify, 5137 – Create, 5138 – Undelete, 5139 – Move.

Planning Domain and Forest Functionality

Remember you can raise the functional level of a domain but it is almost impossible to lower them.

Domain Functional Level Considerations

Windows 2008 Server supports the following levels:

• Windows 2000 Native
• Windows Server 2003
• Windows Server 2008

Not covered was the domain mode (Windows 2003 interim) which allows an upgrade from Windows NT straight to Windows Server 2003.

Be sure to check out the table on page 153 of the book and remember some of the features of each of the levels. Remember to change a domain name, you need to be at a Windows Server 2003 level. For fine grained password policies, the level needs to be Windows Server 2008.

Forest Functional Level Considerations

On page 155 of the book, another good chart describing what has changed between Windows 2000  and the Windows Server 2003 levels. There has been no change so far between Windows Server 2003 and the Windows Server 2008 levels.

Forest Level Trusts

Trust Types

• Shortcut Trust – Makes it quicker for authentication for users in one child domain who access resources in a different child domain.
• External Trust – When a domain needs requires a trust with a domain that doesn’t belong to the forest. For example, a Windows Server 2008 domain trusting a Windows NT domain.
• Realm Trust – A trust between a Windows Domain and a Unix realm.

Creating Forest Trusts

Forest trusts are created in Active Directory Domains and Trusts from the admin tools. You need to connect to a DC in the forest root domain before creating the trust. Right click on the domain, click properties and go to the Trust tab. Click new to launch the wizard. You get the choice on type of trust and you can select one-way incoming, one-way outgoing and two-way. You then get the option of deciding your side of the trust or both. If you do both, you need to know the admin password for the other domain as well. After that, you can select Forest Wide authentication or Selective Authentication.

Whew, this was a big lesson and lots to digest. Spend significant amounts of time on this lesson as you can bet you will see a few questions on this subject on the exam. Active Directory is the bread and butter of Windows Server.

*Disclaimer:

My notes in helping me prepare for the 70-646 Exam, PRO: Windows Server 2008, Server Administrator are just those, notes and I am trying to help highlight what is covered in the book, not replicate it. If you want to pass the exam, you will need more than just these notes to pass. I suggest you get a good book and get familiar with the product. The expectation is that you have about one year of experience with Windows 2008 Server (your mileage may vary) when writing this exam. The book I am using  for my preparation and where I am drawing the information for these notes is the Microsoft Press book, MCITP Exam Prep 70-646: Windows Server Administration; ISBN: 0735625107.

Goals of this lesson are:

• List and explain Windows Server 2008 DNS features
• List and explain Windows Server 2008 enhancements to DNS
• Configure static IPv6 DNS records
• Configure an IPv6 Reverse Lookup Zone
• Administer DNS using the MMC snap-in and command-line tools

 Using Windows Server 2008 DNS

Compliance and Support

Windows 2003 retains all the features introduced in Windows Server 2003. DNS is automatically installed if you install AD DS role and a DNS server that meets AD DS requirements cannot be found. Windows Server 2008 supports stub zones. Stub zones is a copy of a zone that only contains the records needed to identify the authoritative DNS servers for that zone. (I use stub zones for identifying records on my corporate forest from the library services forest.)

Zone Replication

DNS zones are replicated between DNS servers which helps for failover and load balancing. Prior to Windows Server 2003 a full zone transfer was required replicate any changes from the primary to the secondary DNS. Introduced in Windows Server 2003 is the ability to transfer only the delta changes. You can also restrict to which servers Zone transfers are allowed.

DNS Forwarders

DNS servers to which other DNS servers forward requests are known as forwarders. you have a few options to configuring. you can forward all unresolved requests to another DNS server or you can forward a selective request. (I.e., requests for domain tailspintoys.com is forwarded to a specific server)

Administering DNS

There is several ways to administer DNS. One way is to use DNS Manager MMC Gui, another way is to use the dnscmd tool. If you need to troubleshoot, use command like nslookup or ipconfig to help with resolving the problems.

DNS Records

Common IPv4 DNS records types include A, SOA, PTR, CNAME, NS, MX. A host record for a IPv6 is AAAA. If an IPv6 client cannot create its own record then you will need to by creating a AAAA record.

New DNS Features and Enhancements

• Background zone loading
• Support for Read-Only Domain Controllers (RODCs)
• Global Single Names
• IPv6 support

Background Zone Loading

This new feature allows Windows Server 2008 DNS servers to be available to resolve DNS requests sooner than Windows Server 2003 by loading zones in the background.

Supporting RODCs

Advised to be used where the physical security of the server cannot be secured. Only keeps a read only copy of the Active Directory partitions.

Using GlobalNames DNS Zone

While WINS is still available in Windows Server 2008, the suggested replacement for WINS is to use the GlobalNames zone. Not used for peer-to-peer name resolution.

Supporting IPv6 Addresses

Fully supported in Windows Server 2008.

Planning a DNS Infrastructure

Planning a DNS Namespace

• you can use a corporate namespace for both internal and external portions of the network.
• you can use delegated namespaces to identify the internal namespace (Internal.tailspintoys.com). maximum length of a FQDN is 255 bytes, FQDNs for DCs  are limited to 155 bytes.
• You can use completely seperate domain names for internal and external namespaces. tailspintoys.internal and external.tailspintoys.com

Planning DNS Zone Type

This section talks about using Active Directory integrated zones for internal name resolution. You can also use standard primary zones where access to the AD database is seen as a security risk.  Secondary zones can be used in remote locations to speed up name resolution.

Planning DNS Forwarding

Use conditional forwarding if you want to have internal name resolution forwarded to a master server. You can also configure servers to forward internet name request to one server. Exam Tip – Forwarding servers rely on recursion.

Next lesson – Active Directory and Group Policy

*Disclaimer:

My notes in helping me prepare for the 70-646 Exam, PRO: Windows Server 2008, Server Administrator are just those, notes and I am trying to help highlight what is covered in the book, not replicate it. If you want to pass the exam, you will need more than just these notes to pass. I suggest you get a good book and get familiar with the product. The expectation is that you have about one year of experience with Windows 2008 Server (your mileage may vary) when writing this exam. The book I am using  for my preparation and where I am drawing the information for these notes is the Microsoft Press book, MCITP Exam Prep 70-646: Windows Server Administration; ISBN: 0735625107.

Using IPv6 in Windows Server 2008

IPv6 Addresses problems in IPv4

• Automatic Address Configuration – Stateful hosts use DHCPv6. Stateless hosts configure themselves.
• Header Size – Non-essential and optional fields are found in extension headers.
• Routing Table Size – Designed to be more efficient.
• Network Level Security – IPSec is now mandatory.
• Real Time Data Delivery – payload encryption does not affect QoS.
• Removal of Broadcast Traffic – Neighbour discovery replaces ARP broadcasts, ICMPv4, Router Discovery and ICMPv4 redirect messages.
• IPV6 Address Structure
• IPv6 Address Syntax

IPv6 is a 128-address divided into 16-bit boundaries. Each 16 bit block is converted to a 4 bit hex number and colons are used to separate the bits. Leading zeros can be removed and long sequences of zeros can be compressed. For example 21cd:0048:0000:0000:03ac:ae45:8e4c can be expressed as 21cd:48::3ac:ae45:8e4c

IPv6 Address Prefix

Like we do in IPv4 and express subnets as 192.168.12.0/24, we can also do this in IPv6 and would look like 21cd:53::/64

IPv6 Address Types

• Unicast
• Multicast
• Anycast

IPv6 Unicast Addresses

• Global
• Link-Local
• Site-Local
• Special
• Network Service Access Point and Internet Packet Exchange mapped addresses

Planning an IPv4 to IPv6 Transition Strategy

Those Strategies include:

• Dual Stack Transition
• Configured Tunneling Transition
• Automatic Tunneling
• 6to4
• Teredo
• Intra-Site Automatic Tunnel Addressing Protocol

Implementing IPv4-to-IPv6 Compatibility

• IPv4 Compatible Address
• IPv4 Mapped Address
• Teredo Address
• ISATAP Addresses

Using IPv6 Tools

Ping works by specifying the IPv6 address. IPconfig /all will show you the IPv6 setting and IPv4 settings. Netsh interface ipv6 – ipv6 added to netsh interface commands specifies the IPv6 stack

Configuring Clients through DHCPv6

Configuring a DHCPv6 scope is very much the same as configuring an IPv4 DHCP scope. Page 87 of the book goes through a great description of configuring DHCPv6. Remember the 80/20 rule.

Planning an IPv6 Network

There are three steps to planning your IPv6 network. First step is to identify and analyze hardware requirements. Look at all the hardware you have and identify if it will all work with IPv6. If not, will you replace this hardware or continue to support the hardware.

The second step is to analyze software and application requirements. Does everything work with IPv6? If not, how will you support these applications?

Finally your last step is to document the requirements. How many sites are there, how should the prefix allocation be delegated, etc. These three steps will take a lot of time but once complete, you can draw up the project plan. Project planning isn’t covered in this lesson.

That’s all for Chapter 2, Lesson 1. There is a lot of information to digest there and for most of us, its relatively new and will take some time work through and understand it. Lesson 2 of the chapter covers Configuring DNS.

*Disclaimer:

My notes in helping me prepare for the 70-646 Exam, PRO: Windows Server 2008, Server Administrator are just those, notes and I am trying to help highlight what is covered in the book, not replicate it. If you want to pass the exam, you will need more than just these notes to pass. I suggest you get a good book and get familiar with the product. The expectation is that you have about one year of experience with Windows 2008 Server (your mileage may vary) when writing this exam. The book I am using  for my preparation and where I am drawing the information for these notes is the Microsoft Press book, MCITP Exam Prep 70-646: Windows Server Administration; ISBN: 0735625107.

In this lesson the book looks at:

• Windows Server 2008 Answer Files
• Windows Deployment Services
• Multicast, Scheduled and Automatic Deployment
• Windows Deployment Services Images
• WDS and Product Activation
• Rollback Preparation

Windows Server 2008 Answer Files

The first part of the lesson covers the answer file. If you want to create an answer file the recommendation is to download the Windows System Image Manager (Windows SIM) which is included in the Windows Automated Installation Kit (WAIK). Once you are done save the autounattended.xml file to a removable media. Windows Server 2008 setup as part of its routine, will look for this file on a removable media. If you are running setup.exe from a network location the if mapping the location on the file as X:, the setup command is setup.exe /unattend:x:\autounattended.xml

Windows Deployment Services

The next part of the lesson covers WDS. WDS cannot be installed onto a computer running Server Core. WDS requires that it be installed to a computer which is a member of an Active Directory domain. A DNS server is required along with a DHCP server and a NTFS partition for storing images. If a DHCP server is running on the same machine as WDS, configure WDS not to listen on port 67. You also need to add option tag 60 on your DHCP server so PXE clients are able to detect the WDS server. In the GUI you can also change Multicast settings, add an unattended xml file and you can configure how the WDS server will respond to PXE request. The three responses are:

• Do not respond to Any Client
• Respond only to known Client Computers
• Respond to All (Known and Unknown) Client Computers

Multicast, Scheduled and Automatic Deployment

This section covers setting up WDS to use multicast and the benefits of using it. The main benefit is it allows a reduction of network bandwidth for multiple installs. Scheduling allows an admin to limit impact on a companies network bandwidth during peak time and allows the install to be scheduled for off-peak time. Auto-cast means to install as soon as a client asks for an install image.

Windows Deployment Services Images

There are two types of images, boot images and install images. You will need separate images for x64, x32 and Itanium. Boot images are used to boot a computer prior to installing an operating system. Discover images are created for booting a computer without a PXE enabled network card from media (USB, Floppy, CD or DVD)

WDS and Product Activation

There are to types of keys, Multiple Activation Key (MAK) and Key Management System (KMS). MAK allows for a specific number of activations against a key. A MAK proxy allows for a single connection Microsoft’s activation servers. Independent Activation requires each computer connects to Microsoft.

KMS activation uses a server in your environment which computers must authenticate against every 180 days. You also need to have at least 25 computers before activation can occur.

Rollback Preparation

You can rollback an upgrade of Windows Server 2003 to Windows Server 2008 if something goes wrong during installation. Once there is a successful login to Windows Server 2008, you cannot rollback. If you need to rollback then one must follow the procedure for disaster recovery under Windows Server 2003.

The next chapter covers IPV6 and configuring the Domain Name System

*Disclaimer:

My notes in helping me prepare for the 70-646 Exam, PRO: Windows Server 2008, Server Administrator are just those, notes and I am trying to help highlight what is covered in the book, not replicate it. If you want to pass the exam, you will need more than just these notes to pass. I suggest you get a good book and get familiar with the product. The expectation is that you have about one year of experience with Windows 2008 Server (your mileage may vary) when writing this exam. The book I am using for my preparation and where I am drawing the information for these notes is the Microsoft Press book, MCITP Exam Prep 70-646: Windows Server Administration; ISBN: 0735625107.

As I am reading the book, I am summarizing key points as this helps me to remember what I have read, and I will post my summaries to my blog, one chapter per week, with lesson’s spread throughout the week. Remember, this is only a highlight of the book and I am not trying to rewrite the book on this blog.

Chapter 1 – Lesson 1: Planning Windows Server 2008 Installation and Upgrade

This week, we start at the beginning, Chapter 1 – Lesson 1. This lesson covers the basic points on Windows 2008 which are:

• System Requirements
• Editions
• Server Core
• Upgrade Path
• BitLocker

System Requirements

The minimum system requirements are 1 GHz processor, 512 MB RAM and 15 GB of hard disk space. Recommended are 2 GHz processor, 2 GB RAM and 40 GB of hard disk space.

Editions

Considerable information is presented on the various versions of Windows Server 2008. There is Web, Standard, Enterprise and Data Center, each available are 32bit and 64bit and that Core editions are available for each. There is also an Itanium edition as well.

• Standard Edition – network load balancing supported, failover clustering is not supported. 32bit – supports 4 GB of RAM and 4 processors in SMP configuration. 64bit – supports 32 GB of RAM and 4 processors in SMP configuration.
• Enterprise Edition – supports network failover and Active Directory Federation Services (ADFS). 32bit – supports 64 GB of RAM and 8 processors in SMP configuration. 64bit – supports 2 TB of RAM and 8 processors in SMP configuration.
• Datacenter Edition – supports failover clustering and ADFS. Unlimited virtual image rights. 32bit – supports 64 GB of RAM and 32 processors in SMP configuration. 64bit – supports 2 TB of RAM and 64 processors in SMP configuration.
• Web Edition – domain services not supported, network load balancing supported. As the name implies, meant for web servers. 32bit – supports 4 GB of RAM and 4 processors in SMP configuration. 64bit – supports 32 GB of RAM and 4 processors in SMP configuration.
• Itanium Edition – limited number of roles supported. Requires Itanium 2 processor. Supports 2 TB of RAM and 64 processors in SMP configuration.

Server Core

Benefits of Server Core:

• Reduced Attack Surface
• Lower Hardware Requirements

You will need to learn how to join a machine to the domain and some of the other basic commands you will need to know for server core. Check out Pierre’s post titled  My Core box. How to turn a near obsolete PC in a Lab Domain Controller for a description of how to get a machine up and going running Server Core. The book also mentions ocsetup.exe to install roles and oclist.exe to see what roles are available.

Upgrading From Windows Server 2003

This section covers upgrading. You can upgrade from Windows Server 2003. To upgrade from Windows Server 2000 you will need to upgrade 2003 first. The book doesn’t mention Windows NT 4 Server, so neither will I.  You can only upgrade to the same processor edition, i.e., 64 bit to 64 bit, not 32 bit to 64 bit. Also you can’t upgrade to a core installation and most editions can only upgrade to the same edition. The exception is Windows Server 2003 Standard. You can upgrade to Windows Server 2008 Standard or Enterprise. Upgrades must be initiated by starting the installation from within Windows Server 2003.

BitLocker

Windows Server 2008 now contains BitLocker. BitLocker protects the server data through volume encryption and also provided integrity-checking. A system administrator must disable BitLocker during maintenance windows. To support BitLocker, prior to installing Windows Server 2008, a partition of 1.5 GB in size must created and, formatted and made the system partition prior to creating a larger partition. Also available are BitLocker group policies and the book lists some of them. Be sure to also know the difference between BitLocker and Encrypting File System. Finally, the last part covers turning off BitLocker.

That’s the extent of the material covered in Lesson 1. Lesson 2 covers Automated Server Deployment.

*Disclaimer:

My notes in helping me prepare for the 70-646 Exam, PRO: Windows Server 2008, Server Administrator are just those, notes and I am trying to help highlight what is covered in the book, not replicate it. If you want to pass the exam, you will need more than just these notes to pass. I suggest you get a good book and get familiar with the product. The expectation is that you have about one year of experience with Windows 2008 Server (your mileage may vary) when writing this exam. The book I am using for my preparation and where I am drawing the information for these notes is the Microsoft Press book, MCITP Exam Prep 70-646: Windows Server Administration; ISBN: 0735625107.