Todd's Blog

Todd's Tips for System Adminstrators

Connect

Windows Server Administration 70-646 – Chapter 3 Lesson 1 – Active Directory

posted on

Back from March break, hope yours was as good as mine. Lets get back to studying.

Windows Server 2008 Active Directory

This lesson covers new and enhanced features of AD in Windows Server 2008. It doesn’t cover the general day to day tasks which as an experienced System Administrator, you already know.

Microsoft Press MCITP Self Paced Training Kit exam 70 646 Windows Server 2008 Administration

Introducing Windows Server 2008 Active Directory Server Role

What’s new:

  • Read-Only Domain Controllers
  • New Enhanced Tools and Wizards
  • Fine-grain Security Policies
  • Restartable AD DS
  • AD DS Data Mining Tool
  • Auditing Enhancements

Planning and Information on RODCs

Read only domain controllers are domain controllers you may install in areas where physical security is not guaranteed. Think a branch office where multiple people can access the server. Before you may have had a WAN connection to the branch office with the Domain Controller in the head office. If the WAN connection failed then the users on the other end were in trouble; RODCs address this problem. You need a writeable Windows Server 2008 in the domain. Your forest functional level and domain function level must be Windows Server 2003. When a user logs into the network on the remote end, the first login is authenticated across the WAN, but the RODC pulls that information to its machine so the subsequent logins are served by the RODC. You can also create Password Replication Policies which will control which passwords get cached on the RODC. You can delegate management (non-admin access) of the RODC to a local user. Finally, RODCs do not support client updates on DNS and does not register NS resource records. When a clients wants to update is DNS records against an RODC, the RODC points the client to a writeable DC.

Utilizing wizard Enhancements

A new option for dcpromo is a the /adv mode. The advanced mode allows you to select the source DC for the installation. You can also use backup media from an existing DC to cut down on network traffic on the initial replication. You can create a new domain tree and change the default NetBIOS name. You can set forest and domain functional levels when you create new forest or domain. You can configure the Password Replication Policy for an RODC. Another change is the selection of existing domain names instead typing. When creating a answer file password=* will make the system prompt instead of having a password stored in clear text in the answer file.

Delegating RODC Installation

You can have part of the RODC done at the HQ then have a branch user who is delegated authority to complete the task. A user with delegated authority can complete the task by running dcpromo /UseExistingAccount:Attach.

Utilizing MMC Enhancements

There are some enhancements. A find command has been added to the toolbar and action menu. You can easily discover which site a DC is in now. You can also use the MMC to determine which passwords have been sent to a RODC.

Planning Fine-Grained Password and Account Lockout Policies

I showed this in my presentation last February to the OWSUG. Fine grained passwords need a domain functional level of Windows Server 2008. Its best to create a group and change the settings on the group to what you want for your password policies (You can’t apply it to a GPO, user or group only). The tool you use to change the settings is either ADSIEdit or create an LDF file with the settings and then use ldifde command.

Planning the Use of the Data Mining Tool

You can create snapshots of your AD using dsamain.exe. You can use a LDAP tool to view the snapshot. Data mining will help you develop a backup and recovery plan for your AD data.

Planning AD DS Auditing

Windows Server 2008 turns on Audit Directory Service Access by default. Auditing in Windows Server 2008 has new levels, detailed or normal. Event IDs 5136 – Modify, 5137 – Create, 5138 – Undelete, 5139 – Move.

Planning Domain and Forest Functionality

Remember you can raise the functional level of a domain but it is almost impossible to lower them.

Domain Functional Level Considerations

Windows 2008 Server supports the following levels:

  • Windows 2000 Native
  • Windows Server 2003
  • Windows Server 2008
Domain Functional Level Supported DCs
Windows 2000 Native Windows 2000 Server
Windows Server 2003
Windows Server 2008
Windows Server 2003 Windows Server 2003
Windows Server 2008
Windows Server 2008 Windows Server 2008

Not covered was the domain mode (Windows 2003 interim) which allows an upgrade from Windows NT straight to Windows Server 2003.

Be sure to check out the table on page 153 of the book and remember some of the features of each of the levels. Remember to change a domain name, you need to be at a Windows Server 2003 level. For fine grained password policies, the level needs to be Windows Server 2008.

Forest Functional Level Considerations

Forest Functional Level Supported DCs
Windows 2000 Windows NT 4.0
Windows 2000 Server
Windows Server 2003
Windows Server 2008
Windows Server 2003 Windows Server 2003
Windows Server 2008
Windows Server 2008 Windows Server 2008

On page 155 of the book, another good chart describing what has changed between Windows 2000  and the Windows Server 2003 levels. There has been no change so far between Windows Server 2003 and the Windows Server 2008 levels.

Forest Level Trusts

Trust Types

  • Shortcut Trust – Makes it quicker for authentication for users in one child domain who access resources in a different child domain.
  • External Trust – When a domain needs requires a trust with a domain that doesn’t belong to the forest. For example, a Windows Server 2008 domain trusting a Windows NT domain.
  • Realm Trust – A trust between a Windows Domain and a Unix realm.

Creating Forest Trusts

Forest trusts are created in Active Directory Domains and Trusts from the admin tools. You need to connect to a DC in the forest root domain before creating the trust. Right click on the domain, click properties and go to the Trust tab. Click new to launch the wizard. You get the choice on type of trust and you can select one-way incoming, one-way outgoing and two-way. You then get the option of deciding your side of the trust or both. If you do both, you need to know the admin password for the other domain as well. After that, you can select Forest Wide authentication or Selective Authentication.

Whew, this was a big lesson and lots to digest. Spend significant amounts of time on this lesson as you can bet you will see a few questions on this subject on the exam. Active Directory is the bread and butter of Windows Server.

*Disclaimer:

My notes in helping me prepare for the 70-646 Exam, PRO: Windows Server 2008, Server Administrator are just those, notes and I am trying to help highlight what is covered in the book, not replicate it. If you want to pass the exam, you will need more than just these notes to pass. I suggest you get a good book and get familiar with the product. The expectation is that you have about one year of experience with Windows 2008 Server (your mileage may vary) when writing this exam. The book I am using  for my preparation and where I am drawing the information for these notes is the Microsoft Press book, MCITP Exam Prep 70-646: Windows Server Administration; ISBN: 0735625107.

Windows Server Administration 70-646 – Chapter 2 Lesson 2 – DNS

posted on

This lesson from the book covers configuring DNS.

Goals of this lesson are:

  • List and explain Windows Server 2008 DNS features
  • List and explain Windows Server 2008 enhancements to DNS
  • Configure static IPv6 DNS records
  • Configure an IPv6 Reverse Lookup Zone
  • Administer DNS using the MMC snap-in and command-line tools

mcitp-self-paced-training-kit-exam-70-646-windows-server-2008-administrator

Using Windows Server 2008 DNS

Compliance and Support

Windows 2003 retains all the features introduced in Windows Server 2003. DNS is automatically installed if you install AD DS role and a DNS server that meets AD DS requirements cannot be found. Windows Server 2008 supports stub zones. Stub zones is a copy of a zone that only contains the records needed to identify the authoritative DNS servers for that zone. (I use stub zones for identifying records on my corporate forest from the library services forest.)

Zone Replication

DNS zones are replicated between DNS servers which helps for failover and load balancing. Prior to Windows Server 2003 a full zone transfer was required replicate any changes from the primary to the secondary DNS. Introduced in Windows Server 2003 is the ability to transfer only the delta changes. You can also restrict to which servers Zone transfers are allowed.

DNS Forwarders

DNS servers to which other DNS servers forward requests are known as forwarders. you have a few options to configuring. you can forward all unresolved requests to another DNS server or you can forward a selective request. (I.e., requests for domain tailspintoys.com is forwarded to a specific server)

Administering DNS

There is several ways to administer DNS. One way is to use DNS Manager MMC Gui, another way is to use the dnscmd tool. If you need to troubleshoot, use command like nslookup or ipconfig to help with resolving the problems.

DNS Records

Common IPv4 DNS records types include A, SOA, PTR, CNAME, NS, MX. A host record for a IPv6 is AAAA. If an IPv6 client cannot create its own record then you will need to by creating a AAAA record.

New DNS Features and Enhancements

  • Background zone loading
  • Support for Read-Only Domain Controllers (RODCs)
  • Global Single Names
  • IPv6 support

Background Zone Loading

This new feature allows Windows Server 2008 DNS servers to be available to resolve DNS requests sooner than Windows Server 2003 by loading zones in the background.

Supporting RODCs

Advised to be used where the physical security of the server cannot be secured. Only keeps a read only copy of the Active Directory partitions.

Using GlobalNames DNS Zone

While WINS is still available in Windows Server 2008, the suggested replacement for WINS is to use the GlobalNames zone. Not used for peer-to-peer name resolution.

Supporting IPv6 Addresses

Fully supported in Windows Server 2008.

Planning a DNS Infrastructure

Planning a DNS Namespace

  • you can use a corporate namespace for both internal and external portions of the network.
  • you can use delegated namespaces to identify the internal namespace (Internal.tailspintoys.com). maximum length of a FQDN is 255 bytes, FQDNs for DCs  are limited to 155 bytes.
  • You can use completely seperate domain names for internal and external namespaces. tailspintoys.internal and external.tailspintoys.com

Planning DNS Zone Type

This section talks about using Active Directory integrated zones for internal name resolution. You can also use standard primary zones where access to the AD database is seen as a security risk.  Secondary zones can be used in remote locations to speed up name resolution.

Planning DNS Forwarding

Use conditional forwarding if you want to have internal name resolution forwarded to a master server. You can also configure servers to forward internet name request to one server. Exam Tip – Forwarding servers rely on recursion.

Next lesson – Active Directory and Group Policy

*Disclaimer:

My notes in helping me prepare for the 70-646 Exam, PRO: Windows Server 2008, Server Administrator are just those, notes and I am trying to help highlight what is covered in the book, not replicate it. If you want to pass the exam, you will need more than just these notes to pass. I suggest you get a good book and get familiar with the product. The expectation is that you have about one year of experience with Windows 2008 Server (your mileage may vary) when writing this exam. The book I am using  for my preparation and where I am drawing the information for these notes is the Microsoft Press book, MCITP Exam Prep 70-646: Windows Server Administration; ISBN: 0735625107.