
How do I become a System/Network Administrator? : Bring it on Everyone!

post #1 of 184
Thread Starter 
Let me begin with this, I have been studying on how to accomplish this type of endeavor for some time now. Happily, I have been making good progress and have become a "Network Technician". However, most of the guys there aren't really a good source of information to help me continue growing, and I already have an alarming amount of school debt to pay off. So, more formal schooling is out of the question.

To continue, I would like to make this a guide of information for any and all subjects someone should (if not know) cover and understand. The information here on the stickies is awesome, and should cover that material. Though it is quite dated now, almost 4 years. I would like to focus this thread for those trying to pick up on Server 2008/2012 era tech and build from there.

I have been scouring the internet for helpful books and self-study guides to help one gain the knowledge needed, along with the certifications if applicable, to either improve your current standing or start fresh.

Some of you may have seen my other thread, which is the program that helped me get to this point through a school named MyComputerCareer.com. I have my own issues with it, but the knowledge is sound.

If there are other schools that are worth noting, post in the thread or PM and I will add it here.

I also would like to note that this isn't sourced from me, but the internet and whatever communities that we find information from.

Now I will list all the material that I have come across that the internet has suggested for acquiring. Please comment on the validity and content if you can so us newbies can learn what we need to become valid in the workforce.


Now Microsoft has been altering the naming scheme for their certifications recently. From what I can tell they are moving back to the older naming schemes again, I believe it's for brand recognition for employers. Ultimately this is annoying, but I suppose it could be better for us in the long run provided they don't alter it again.

Windows Server Operating System


MCSA: Server Administrator 70-646 (2008) Compilation of Notes
Notes from Online Expert: Session 1
Course Overview
Three exams required
Technology Specialist exams
70-640: 2008 Active Directory
70-642: 2008 Network Infrastructure
These exams also provide MCTS certification
Professional Series exam
70-646: 2008 Server Administration
Server deployment
Server Management
monitor and maintain servers
Application and data provisioning
Business continuity and high availability
Deploying and configuring servers
Day to day operation of servers, file systems, and directory services
Distribution of applications and updates
Server monitoring and vulnerability assessments
Strong familiarity with network technologies, including TCP/IP
Windows Server 2008
Biggest core changes since NT
More modular and componentized
TCP/IP stack has been completely rebuilt to allow for IPv6
Shares kernel and codebase with Vista SP1
This will allow coordinated service pack releases
Server 2008 Editions
Windows Server 2008 Standard
Windows Server 2008 Enterprise
Windows Server 2008 Datacenter
Windows Server 2008 for Itanium-Based Systems
Windows Web Server 2008
Each edition comes in 32-bit and 64-bit versions
Windows HPC Server 2008
For high performance computing
For supercomputers
Server Requirements
Regardless of the edition you choose, the base system requirements will be the same for every version except Itanium
CPU: 1.0 GHz for x86, 1.4 GHz for x64
Itanium 2 processor for Itanium edition
Recommended: 2 GHz or better
RAM: 512MB minimum
2 GB recommended
Drive Space: 10 GB minimum
40GB recommended
Even more required if you have over 16GB of memory because of paging
DVD drive
Edition Differences

Special Considerations
Windows Web Server 2008 is only meant for Web Hosting
Does not require client access licenses
Will not run AD or other server roles meant for corporate use
Windows Server 2008 for Itanium
Designed for large databases and other line of business applications
not meant to be a general purpose server for AD, DNS, etc.
Planning for Deployment
Licensing Choices
Hyper-V is Microsoft's hypervisor software to enable virtualization
Requires 64-bit version of Standard, Enterprise, or Datacenter
Works with full or server core install
Excellent solution for server consolidation
Microsoft is offering Windows Server 2008 versions without Hyper-V for a reduced price
Server Core Installation
Offers many advantages over full install
Reduced maintenance
Reduced management
Reduced attack surface
Less disk space required
Great for single purpose core servers
Many applications will not run on server core
.NET will not run, limiting IIS somewhat
Internet Explorer not available
Installation Choices
After the decision making process, it is time to install Windows Server 2008
Clean install means you are starting from scratch
New network or just new server to host new applications and services
Migration means you are replacing a server with a newer one
Start with a clean install of 2008
Install applications and move data
Direct client computers to new server
Upgrade Choices
Upgrade from 2003 SP1 or newer
Cannot upgrade from 32 bit to 64 or vice versa
Cannot upgrade Itanium to 32-bit or vice versa
Cannot upgrade from Web or Itanium
Cannot upgrade to server core
Performing an upgrade
Take a look at Technet upgrading guidelines for Windows Server 2008
Test applications for compatibility
Back up system and test it
Back up any printers using Print Management from Vista or Windows Server 2008
Upgrade removes all printers
The configurations can be restored after the upgrade
Prepare AD before upgrading domain controllers
Roll back to 2003 if upgrade fails
After first successful logon, this is no longer an option
This option is provided within the Boot Menu
Installation Process
Graphical installation process
Booting from DVD also allows system recovery functions
Choose the edition you are installing
Windows now bundles all facets of the operating system into one package
Configure the hard drive as needed
Some special requirements are needed if you plan to use BitLocker
After the first boot, you are greeted by an initial configuration screen
Understanding BitLocker
Provides encryption for an entire volume
Can encrypt an entire hard drive
All of the data is protected, if something terrible should happen
Trusted Platform Module (TPM) Chip
Stores encryption keys for the hard drive and ensures that the boot environment is unchanged
Use a flash drive if TPM is not available
OS will not boot if environment changed
Must be unlocked with recovery key
Special partitioning needed for OS drive
Create a small partition for the system drive
Set up all servers this way, just in case
Performing the Installation
Repair your computer link will allow a user to add BitLocker settings to Win Server 2008
Shift+F10 will allow you to run diskpart
Finishing the Installation
The initial configuration changes will not be made until the computer has restarted.
However you can configure other options before restarting
Configuring the Server
Go through the Initial Configuration Window to set the appropriate information necessary for your machine
Windows Activation Methods
Activation Tools
MAK - Multiple Activation Key
Each computer activated with Microsoft or via MAK proxy
Both Windows Server 2008 and Vista have to connect to obtain
KMS - Key Management Service
At least 25 Windows Vista computers and five Windows Server 2008 computers
Service on KMS host tracks activations
Install without a key for a 60-day evaluation
Evaluation can be rearmed three times for a total of 240 days
Activation Considerations
Windows Server 2008 is a KMS client by default
Will attempt to contact a KMS host via SRV records in DNS
Provides easiest method of activation
Windows Server 2008 KMS can activate Windows Server 2008 and Vista
MAK can be used in proxy mode to activate non-Internet connected systems
VAMT - Volume Activation Management Tool
VAMT is a 32-bit program
VAMT manages MAK keys
VAMT gives a user the ability to change MAK to KMS activation
The evaluation key can be used to change MAK to KMS activation
Automated Deployment
Deployment Options
Several methods to choose
DVD with an answer file
Answer Files
Text files with answers to possible installation Questions
Can be stored on any type of media
Network share with an answer file
Windows Deployment Services
Windows Automated Installation Kit (WAIK)
Windows System Image Manager
Used to create answer files
autounattend.xml for auto-install

Windows Deployment Services
Update of Remote Installation Services
A collection of server technologies that allows the rollout of images very easily
Need AD, DHCP, and DNS on the network
WDS server must use NTFS
Configure WDS by pointing to /sources folder on Windows Server 2008 DVD
Copies over boot and install images
Windows Server 2008 network install now possible for PXE-capable client
Can further automate with answer files
Need one for WDS and one for setup
WAIK is available in a download from Microsoft
This will download as an .ISO, from which you can decide how to utilize this file type
Configure Deployment Services
This service can function with Windows XP and Server 2003 up to Windows 8 and Server
PXE Server Setup
You can allow a computer that has been booted off of a network to access an image from another computer as long as you have a PXE boot client network card
You can also tune the settings for the following
Do not respond to any client computer
Respond only to known client computers
Respond to all (known and unknown) client computers
When responding to unknown clients, users have the option to be notified and then approve those clients' use of boot images
Multicast Installation
Transport Server Options
Transport server component of WDS allows multicasting images to clients
Minimize the amount of network bandwidth going out over the network
Auto-Cast allows computers to join at any time
Scheduled-Cast lets you choose when installation runs
Only one copy of data is sent
All clients listen to the same stream
Routers must support multicast
Create Multicast Transmission
Auto-Cast begins as soon as the setup is done
You can also set it for a Scheduled-Cast
At a specified time
By the number of ready clients
Notes from Online Expert: Session 2
File Server Role
Basic file sharing and permissions
Distributed File system
File server resource Manager
Services for Network File System
Windows Search Service
Enterprise-wide search capabilities to find the right resources
Windows Server 2003 File Services
Sharing Files
Concepts for file sharing are the same as previous Windows Server versions
Management tools are better integrated
Access-based enumeration
Introduced with 2003 SP1, but it was a separate download
Hide files and folders from users who do not have access to them
Managed under Advanced button on Sharing tab
Offline Files
Shares can be configured to allow offline caching of files
Mobile users can work with network data when not connected
Local users can work in files when the server is down
Configure to match your needs
Deny caching for sensitive documents
Configure the clients local cache to be encrypted
File Management
File Server Resource Manager
Manage quantity and type of data stored on servers
Quotas control how much data users can store in a volume or folder
File screening provides control on file types allowed on a share
Quotas and screening can be used for monitoring rather than restricting
Based on templates that allow quick assignment of quotas
Define storage limits and events
Limits can be hard or soft
Events can be programs, emails, etc.
Updating a template can apply changes to all quotas derived from that template
Auto quotas apply to all subfolders
Quota on user share will auto create quotas on each home directory
You can find File Server Resource Manager (if installed) under Share and Storage Management
File Screening
Active or passive blocking based on file groups, which are filename patterns
can also exclude patterns if needed
File Screen template brings file groups, screening type, and actions together
Actions can be emails, events, etc.
File Screens are applied to a folder and all subfolders
Exceptions can be created for subfolders
Active Screening never allows a user to save specific types of files
After a File Screen is created to block audio and video files from being saved, the files that are already on the server are left alone
Storage Reporting
Generate reports on how storage is used
Identify trends or be alerted to issues
Duplicate files, frequently accessed, etc.
Report task is a container for scheduled reports and associated settings
Immediately generate a report, but this option does not create a report task
Some reports can be tweaked as needed
Windows Search Services
Accessing Data
Service that indexes most common file and nonfile data types on the server
Allows fast searches from Vista and Windows Server 2008 running as clients
XP and Windows Server 2003 if Windows Desktop Search is installed
Can index entire volumes or folders
Microsoft recommends indexing volumes only if they are used exclusively for
Can install legacy 2003 indexing service
Print Services Role
Print Services
Role aimed at managing printers
Includes additional services
Remember the terms for printing
Print device is the physical printer
Printer is the print driver on the server
Multiple printers can point to one print device for special configurations
One printer can point to multiple print devices for pooling
Planning Print Services
Configure clients to print through Windows Server 2008
Allows printers to be published in AD
Auditing and management centralized
Print Management Console allows consolidating printer management
Get status on all printers throughout entire enterprise
Scans subnet to find all printers
Manage printers on remote server
Even add printers remotely
Add Network Printer
Location will allow users to search AD to find a printer
Sharing tab in a printer's properties dialog box will allow a user to publish a printer in AD
Notes from Online Expert: Session 3
DFS Namespace
Managing Distributed files
Groups shared folders from different servers into logical file system
DFS Namespaces
DFS Replication
DFS folders target remote shares
Targets stored on multiple servers are kept in sync with DFS replication
DFS folders that do not have targets can be used for more structure
Stand-Alone Namespaces
Stand-alone namespace uses the DFS server as root
Can be set up on a failover cluster
Domain-Based Namespace
Domain-based namespace uses domain name as namespace root
Multiple DFS servers offer redundancy
Windows Server 2008 mode has access-based enumeration and scalability
DFS Replication
Synchronize folders between servers
Multimaster replication engine allows changes to happen on any server
DFS replication can be used for folders that are not even shared
DFSR now used for SYSVOL replication
DFS Implementations
Uses Remote Differential Compression
Delta Changes
Looks at a changed file and only sends the parts of the file that have changed
Data publication to remote sites
Use for pushing information to remote sites
Do not use for files that change frequently by multiple people
Branch office backups
Pulls data from branch offices to a central location to be backed up
The central office just holds a copy of the information kept at branch offices
Replication Groups are a collection of servers and folders that share information in order to replicate data
Application Server and Services
Planning for Application Services
Class of servers aimed at hosting applications for multiple users
Line of business applications
Microsoft Office SharePoint Server 2007
not included on Server 2008 (3.0)
Web Server hosting applications
Terminal Services
Supporting Application Servers
Windows Server 2008 provides many services to client/server applications
Understand the resource requirements of the hosted applications
Many times applications are not compatible with each other
can virtualize servers to provide environment needed for application
Document installation, backups, and disaster recovery for the application
Add Application Server Role
.NET and Windows Process Activation Service are both required for this role
Server Virtualization
Planning for Virtualization
Hypervisor solution to virtualize servers
Runs below the operating system
64-bit versions of Windows Server 2008
Better use of underutilized hardware
Use other redundancy solutions so you do not have a single point of failure
Portability Benefits
Virtual servers are portable
No longer tied to one particular platform
Drives are actually flat files stored on the system or a SAN
Legacy Applications
Several solutions for P2V migration
Use standard imaging tools to duplicate a server into virtual hardware
Virtual Server Migration Toolkit
Uses Microsoft's imaging technologies to migrate physical drives into VHDs
System Center Virtual Machine Manager
Provides full solution for monitoring and managing Hyper-V virtual servers
Licensing Considerations
Licensing is important for monitoring software
Standard allows running one virtual server with the same OS
Host OS cannot be used for anything other than running Hyper-V
Enterprise allows installing four copies
Host OS can perform other functions
Datacenter allows unlimited copies of Windows Server 2008
Managing Hyper-V
Hyper-V Management Console
Snapshots allow point in time backups
If a mistake is made, it can be rolled back to the previous snapshot
Assign resources as needed
Add memory to the virtual server
Add processors
Limit processor use if needed by assigning relative weights to each server
Install OS Options
Floppy and .ISO files are methods by which you can install a new Virtual Machine
Start VM
Virtual server allows the user to consolidate multiple servers to one platform

Terminal Services
Implementing TS
Terminal Services has been available in Windows for quite some time
Provides ability for clients to connect to a desktop session on a server
All applications are run on the server
Used to solve many IT problems
Possible to use cheap terminals or computers at the desktop
Access to applications without deploying to each desktop
Planning for TS
Terminal Services has an impact on networks and licensing
Every user needs a Client Access License to connect to TS
This is an additional CAL on top of the Server CAL
Terminal Services License Server provides CALs allowing connection
Licensing scope can be domain or forest
TS CALs become permanently assigned to the user or device they are issued
Windows Server 2008 can manage licenses for earlier versions, but not vice versa
Be wary of terminal server on a DC
Install terminal server before installing applications that users need access to
TS Security and Configuration
Network Level Authentication provides users authentication before RDP session
Requires RDP 6.0 on XP SP2 or newer
RDP 5.2 and below cannot use this
Terminal Services Configuration allows managing a single server's settings
Most settings can be set via GPO
User logon mode allows denying new connections for maintenance
Configuring TS Role
Licensing can be configured in three ways
Setting Up TS Options
TS Session Broker
Maintains even load on terminal servers configured in a farm
Reconnects users to existing sessions
Network load balancing or DNS round robin spreads out initial connections
Requires Windows Server 2008 TS
Clients must support RDP 5.2
Add servers to Session Directory Computers local group on the broker
A Session Broker can maintain state for multiple farms
TS Gateway
Implement RDP over HTTPS
Connects authorized users to RDP resources inside the network
Use policies to determine authorization
CAP - connection authorization policy
RAP - resource authorization policy
CAP can use NAP for better security
Requires IIS and RPC over HTTP Proxy
Windows Server 2008 Standard supports 250 sessions
Terminal Service Application
TS RemoteApp
Single application RDP session
Similar benefits to Terminal Services
Single program to maintain and upgrade
Less confusing user experience
User is still essentially logging on terminal server so still needs rights
Distribute connection to RemoteApp with RDP or MSI file
RemoteApp can be accessed through TS Gateway
TS Web
Web interface for starting RDP sessions
Useful for presenting RemoteApps to users in the network
TS Web server on a different system
Add TS Web server to TS Web Access Computers group on terminal server
Configure TS Web server's data source
Best suited for single terminal server deployments
Difficult to use Web front end for farms
Notes from Online Expert: Session 4
Deploying Applications
Application Deployment
Have a current hardware inventory
Group Policy application deployment
Assign versus Publish application
Deployment Options
System Center Configuration Manager 2007
SCCM replaced Systems Management Server (SMS)
Deploy applications to systems that meet requirements
Offers reports on installation results
Manage remote clients over the Internet
Application Virtualization
Part of the Microsoft Desktop Optimization Pack, which is part of Software Assurance
Formerly known as SoftGrid
Allows virtualizing applications and all associated resources
Programs can be dynamically deployed as needed to the desktop
Can be used with Terminal Services to reduce application siloing
Application Maintenance
Most applications utilize their own methods for managing updates
Work with vendors to understand automated methods for patching
System Center Configuration Manager
Ability to roll out applications to client computers throughout the network
Can be integrated with third party applications
Group Policy offers method of installing software as well (.MSI)
Maintaining Server 2008
Management Tools
2008 introduces several new tools
Server Manager collects all tools together in one spot
ServerManagerCMD can add roles and features at the command line
Server Management
Script repetitive processes for accuracy
Netsh, VBScript, batch files
Windows Powershell
Emergency Management Services
Provides a kernel connection to the serial port
Attempt to start an orderly shutdown
Remote Management
Server Manager meant for local administration
Many of the tools and role management utilities cannot be connected to a remote server
Individual administrative tools can typically manage remote servers
Do not always rely on Server Manager for everything
Remote Server Administration Tools
A collection of management utilities that can be installed whether or not the roles are installed
RSAT can be installed on Vista
Remote desktop for management allows two administrative connections
Do not need a terminal Services Licensing server
Server Core
Server Core installation
The core of the OS, with just the command prompt
Things like scripting and netsh can be done at the Server Core, not .NET
RSAT can be used with Server Core
Will list all roles that are and are not installed
Ability to install or remove server roles
Software Management
Change Management
Document policies regarding modifications and changes to servers
Write down policies regarding changes made to the server, when they were made, and who made them
Decentralized administrative process
Maintain logs of what was done and by whom
As enterprises become larger, more network administrators become involved
One person might undo a change someone else made unless that change is documented
It is just good practice
Patch Management
Windows Update provides updates for Windows Server 2008 and other products
Larger organizations need to control the flow of patches from Microsoft to their systems
Test patches for problems
Good for small offices
Windows Server Update Services manages updates locally
computers use local WSUS for updates
Central or distributed management
Bandwidth management for updates
Service packs
Download service pack, test it, and release to network
Compatible with NLB, DFS, and clusters for redundancy
NLB eases the load by giving the desktops the ability to use multiple WSUS
DFS gives the ability to store updates and distribute them through the enterprise
WSUS can tie into a SQL server on a failover cluster for better management
Local Server Security
Making sure the local servers are up to date and secure is very important
Windows Firewall enabled by default
Not the same product as Windows XP
Shares the same base code as Windows Vista Firewall
Granular control over inbound and outbound connections
May need to add firewall rules to allow applications to function
Firewalls can be self managed to make sure it can be enabled
Auditing allows tracking changes to the system
Auditing helps to track down and fix mistakes
Active Directory allows auditing changes to objects, recording old and new value
Delegating Administration
Delegation Guidelines
Delegate control of AD objects or servers and services
Always try to delegate to groups
Easy to add new users to groups to give them delegated authority
Removing delegation can leave some settings behind
Document delegation policies so it is easier to track who has what authority
Active Directory Delegation
Delegation of Control
Provides interface to delegate most common tasks in Active Directory
View delegations through Security Tab
Reset default permissions in an Organizational Unit (OU)
Management Delegation
Delegate management of groups
Manager can add and remove members
Delegate ability to install a RODC (read only domain controller)
User or group also becomes local administrator
Delegate Server Management
Done through rights assigned at the server level
Add users or groups to local groups on the server
Local administrators group on server is needed to add roles and features
Try not to delegate management of features on domain controllers
Groups on DCs apply to all DCs
Control group membership via GPO
Assigning Server Rights
The Computer Management snap-in can give client rights to manage a server
Group Policy
Using Group Policy
Settings that are applied to groups of users and computers in domain
Registry entries are stored in ADMX files
Localized for language with ADML files
XML-based so they are easier to create
Group Policy Management Console is included in Windows Server 2008
Use only Windows Server 2008 or Windows Vista for management
Planning Group Policy
Structure of Active Directory is very important to GPO inheritance
OUs inherit all the GPOs in their parents
GPO applied directly to OU wins
Multiple GPOs on an OU have a priority
Possible to block inheritance and create filters, but this complicates matters
Use Group Policy Modeling to understand what policies will apply
Maintaining Group Policy
Back up and restore GPO through Group Policy Management
Good way to keep versions of GPOs
Restoring overwrites existing GPO

ADMX Files
Create central store for ADMX files to ensure consistency
Stored within the SYSVOL folder on a domain controller
Create a folder called Policy Definitions
Copy files from Windows Vista and Windows Server 2008
Creating Central Store
User might run into some settings that are unexpectedly being applied
That is where the Group Policy results comes into play
Gives the user the ability to target the single computer with the problem
Monitoring Servers
Monitoring Tools
Several built-in tools for scripting
sc, ping, WMI scripts
use with the many monitoring tools to be notified when issues occur
Monitoring services by creating scripts for service failure
Send an e-mail if service fails
System Center Operations Manager
Monitoring and dynamically change thresholds on many servers
Event Viewer
Event Viewer has been reworked
initial view provides quick summary
Several new logs can assist in understanding server issues
Event subscriptions allow centralizing event log entries
Create subscription for only those events of interest
Create notifications for certain events
Performance Monitoring Tools
Task Manager offers a quick look at performance
Performance tab
CPU graph
Memory graph
Resource Monitor is quick look at four big performance categories
Performance Monitor shows statistics from live or historical data, locally or remotely
Data collector sets gather performance statistics over time or alert to issues
Reliability and Performance Monitor
Reliability monitor shows historical stability of the system
Based on several factors, such as software installs and different failures
Allocation of Resources
Windows System Resource Manager
Controls memory and CPU utilization for different processes on the system
Default policies provide guidance
Equal per process
Equal per user
Equal per session
Can use calendar rules to schedule different resource policies
policies to run based on specified time periods
Set up WSRM to profile performance
Profile Resources logs all memory and processor use in WSRM
Notes from Online Expert: Session 5
Certificate Services
Active Directory Certificate Services
Manage public key certificates
Cannot be installed on Server Core
Not capable of running .NET
Certificate Options
Certification Authority and Web Enrollment in Standard and above
Online responder and Network Device enrollment Service in Enterprise
CA Types
Set up stand-alone or enterprise CAs
Stand alone
Entities that do not interact with Active Directory
Used when setting up a partner network or an extranet
Enterprise Certification
Computers will request and be granted a public key certificate
Root CA
When a Root CA expires, all the Certificates from it expire as well
PKI Considerations
Plan and build a proper PKI
Root CA is the pinnacle of security and needs to be protected
Implement an offline root certification authority
Create a stand-alone root
Put the virtual server hard drives (VHDs) on a flash drive
Publish Trust Hierarchy
The root CA must be published within Active Directory for domain computers to trust it
Create an offline root
Use offline root to create enterprise subordinate certification authorities
Access Control
Limiting Entry
Technologies that control access to the network, based on policies
Network Policy and Access Services
Routing and Remote Access
Network Policy Server
Health Registration Authority
Host Credential Authorization Protocol
Network Policy Server contains policies that control access through NAP agents
Network Access Protection
Server and client work together to ensure client meets health standards
Windows Update, Antivirus, etc.
Requires Windows XP SP3 or later
Cannot implement NAP full scale on an older machine
Must enable client based enforcement

Restriction Option
NAP works by computers sending a request for authentication, trying to get on a network
Clients placed on restricted network if non-compliant or non compatible
Can access remediation servers for fixes
File share that offers an antivirus package
Ability to download Windows Update to come into compliance with NAP
Internal network protection
Wired Ethernet
Access can be controlled through VPN, DHCP, 802.1x, and others
802.1X: Integrates with wireless access points and with intelligent switches to allow access points to physical media if permission is granted
Use NPAS Service
IPSec encryption needs Health Registration Authority
To practice this technology, you can go to the Microsoft.com site
Planning NAP Defense
NAP is a complicated, but powerful, technology used to protect the network
Wireless security is only so good
NAP detects anyone that is not allowed to access the network
Plan carefully to ensure NAP works properly before deployment
Understand all methodologies for protecting the network
Ensure that the computers on the network are authorized to be there
Separate network resources from remediation resources for protection
Using 802.1X or IPSec
Look at the physical security measures that are allowed
Try to implement 802.1X or IPSec
802.1X separates traffic onto separate VLANS
IPSec uses separate logical networks
Ensure that switches support 802.1X authentication and authorization
Each port on the switch will pass the connection through to a RADIUS server
The RADIUS server will ensure the computer is allowed
Remote Access
Server Remote Access Options
Support all people coming into the network, whether from home or a remote office
Windows Server 2008 can act as a dial in or VPN remote access server
Still provides PPTP and L2TP
PPTP and L2TP have been built into Windows Client
Easy to implement remote access into Windows Server and Windows Client
PPTP and L2TP do not use typical ports to get into the network
VPN Protocol SSTP
Preferred protocol now SSTP (Secure Socket Tunneling Protocol)
Implements VPN functions over HTTPS
Capable of using strong EAP authentication methods
Certificates, Passwords, Smart Cards

Allows a VPN device or switches to authenticate users by passing off the authentication request to another server
Network Policy Server replaces Internet Authentication Service
Offers RADIUS services to authenticate users against Active Directory
Offers accounting services for logging connection requests
Integrates NAP into connection policies to enforce client health
Add Remote Access Services
Choose the Custom configuration option and then select VPN access
(for single NIC)
Disaster Recovery
Business Continuity
Planning to get business running again in event of technical issues or disaster
Redundancy is key
Know how to fix storage
Power Supply
Spare Parts
Hard drives
Data Centers
Test solutions for business continuity to ensure they work
Load Balancing - High Availability
Network Load Balancing splits network load between servers
All servers run the same application
Up to 32 members in a cluster
Included in all versions of Windows Server 2008
Not a good solution for data redundancy
Good candidates for Network Load Balancing
Web servers to provide better response
Terminal server farms where clients can connect to any member
POP servers
VPN servers
Failover clustering offers server and application redundancy
Failover node becomes active when other node goes offline
Available in Enterprise and Datacenter editions of Windows Server 2008
Also available in the Itanium edition
Failover Control Process
Failover controlled by majority vote
All nodes represent one vote
Disk or file share also represents a vote for clusters with an even number of votes
One of the systems will become the new active system
Split brain syndrome
How is there going to be a majority?
A disk resource works when a clustering system is connected to a SAN
Node and File Share Majority quorum used for multi-site cluster
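The majority-vote rule above, worked through as an added example (not part of these notes or of any Microsoft tool): every node is one vote, an optional disk or file-share witness is one more, and a side of a network split runs only if it holds a strict majority. The cluster sizes and partition names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Partition:
    """One side of a network split: the cluster nodes that can still see each other."""
    name: str
    online_nodes: int
    owns_witness: bool = False   # the disk or file-share witness can be held by one side only


def majority_needed(total_votes: int) -> int:
    """A strict majority: more than half of all configured votes."""
    return total_votes // 2 + 1


def has_quorum(votes_present: int, total_votes: int) -> bool:
    return votes_present >= majority_needed(total_votes)


def evaluate_split(total_nodes: int, a: Partition, b: Partition, witness: bool) -> dict:
    """Decide which side of a split keeps the cluster running.

    Every node is one vote. When 'witness' is True a disk (SAN) or file share
    (multi-site cluster) adds one more vote, so an even node count cannot end
    in a tie. Returns {partition name: True if that side has quorum}.
    """
    if a.online_nodes + b.online_nodes > total_nodes:
        raise ValueError("more online nodes than the cluster has")
    if witness and a.owns_witness and b.owns_witness:
        raise ValueError("the witness can be owned by one partition only")
    total_votes = total_nodes + (1 if witness else 0)
    outcome = {}
    for side in (a, b):
        votes = side.online_nodes + (1 if witness and side.owns_witness else 0)
        outcome[side.name] = has_quorum(votes, total_votes)
    return outcome


if __name__ == "__main__":
    # Constructed scenario: a four-node cluster split 2/2, the split-brain case
    even_split = (Partition("site1", 2, owns_witness=True), Partition("site2", 2))
    print("4 nodes, node majority only:", evaluate_split(4, *even_split, witness=False))
    print("4 nodes, node and disk/file share majority:", evaluate_split(4, *even_split, witness=True))
    print("5 nodes, 3/2 split:", evaluate_split(5, Partition("a", 3), Partition("b", 2), witness=False))
```

Without the witness the 2/2 split leaves neither side with quorum, so the whole cluster stops; with it, exactly one side keeps running.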
Storage Solutions
Traditional direct-attached storage
RAID solutions for redundancy
RAID 5 provides speed and the ability for a drive to fail without crashing the system
RAID 1 provides a mirroring solution with less disk space
Network Attached Storage (NAS) solutions offer storage expansion
Do not appear local to the server
SAN Solutions
SAN solutions offer flexibility and speed
RAID solutions for redundancy
Fibre Channel offers speed; iSCSI offers price benefit by using existing network
Multipath I/O offers path redundancy to get to storage resources
Backup and Recovery
Contingency Plan
Document methods for recovery before use
Depends on what needs recovering
AD Data Recovery
Active Directory recovery
Deleted objects are tombstoned
Set tombstone lifetime based on policies - reanimation
Default 180 days for tombstone
AD Snapshots and Mounting Tool
AD snapshots and mounting tool
Cannot recover objects from snapshots, but it does allow exploring backups
Data corruption is bad because it is impossible to know when it happened
Mount the snapshots until the un-corrupted one is found
Shadow Copy Service
Shadow Copy Service keeps snapshots of files that can be quickly recovered
No need for restoration whatsoever
EFS Recovery with DRA
EFS recovery with DRA
Data recovery Agents can be assigned via Group Policy
The administrator can then log on and decrypt the files
Be sure to leave a backdoor to get in
Can also give other users access to EFS encrypted files
BitLocker Recovery
BitLocker recovery keys can be backed up to AD
Turn on with a Group Policy setting
Backing Up Data
Windows Server Backup
Completely new tool
Microsoft has provided a tool that will allow restoration of NT Backup-created backups
Cannot create new ones; only restore existing onto Win Server 2008
Download from Microsoft's Web site
Must be a member of Administrators or Backup Operators
Back up full system, OS volumes, or non-OS volumes
Backups can be stored locally, on an external drive, or on a remote share
Tape drives are not supported with this program
Schedule backups to run regularly
Use Windows Server Backup
The first time WSB runs, a notification will be displayed that no backups have been scheduled for the computer
Volumes with OS components can't be deselected
Restoring Data
Several options to restore data
Files and folders
Applications that support VSS (Volume Shadow Service)
Microsoft Exchange
Entire volume
Entire operating system
System recovery is launched from Windows Server 2008 DVD
Plug in an external hard drive or point to a remote share
System Tools
Use Windows features to identify possibly failing hardware
Event Viewer
Performance and Reliability Monitor
Disk Management for RAID issues
Device manager driver rollback
Disk space issues
Memory issues
Memory Diagnostics Tools
Troubleshooting Security
Microsoft Baseline Security Analyzer
Identifies system misconfigurations and missing security updates
Evaluate Group Policy results to ensure policies are applied correctly
Might find inheritance issues blocking critical security policies
Make sure antivirus is up to date
Plan for regular audits of servers to check security
Network Troubleshooting
Evaluate the scope of the problem
Connectivity issues
Check firewall
Check IP address settings
Name resolution is critical for AD to function correctly
Make sure DNS zones are configured properly
Use a sniffer to watch network traffic for low level problems

MCSA: Network Infrastructure 70-642 (2008) Compilation of Notes
Notes from Online Expert: Session 1
Microsoft Certifications
Microsoft Certified Technology Specialist (MCTS)
One certification exam
One specific technology
This course prepares for Exam 70-642
Microsoft Certified IT Professional
Requires one or more MCTS certifications
Requires one or more MCITP certifications
Microsoft Certified Architect (MCA)
Must hold at least one MCITP certification
Requires an interview with a panel of peers
Must submit a resume
Requires approval of peers
70-642 Exam Overview
Covers the network infrastructure services of Windows Server 2008
Internet Protocol and services
DNS (Domain Name System)
What it is
How to configure
How to configure replication among different DNS servers
Network access and security
Different authentication systems and how to deploy them
File and Print Services
Both traditional and advanced
Infrastructure monitoring
Interactive perspective
Alert (notification level) perspective
Client Computers
Understand how to select and install Windows Server 2008 servers
Be familiar with Windows clients
Preparation Tips
Watch this entire program
Take Notes
Review new information
Do the labs yourself
Lab Diagram

Network Layers and OSI
OSI Model
Most networking technologies do not match the OSI model
Has four layers instead of seven
Both are similar
Application Layer
Layer seven of the OSI model
ISO/IEC 7498-1
The application layer is where the email message gets wrapped into SMTP (Simple Mail Transfer Protocol)
Presentation and Session Layers
Multipurpose Internet Mail Extensions
Physical Layer
Computers think in binary 1s and 0s
FCS (Frame Check Sequence)
IP v4 Addressing
Understanding IP v4
TCP/IP is a protocol suite
IP operates at the network layer
32-bit addresses
A unique identifier for a node on a network
The addresses are divided into four octets or groups of eight bits
Represented in dotted decimal notation
Address Classes
IP addresses were originally broken into address classes
Classful addressing, or based on classes
Classes A-C provide IPs for nodes
Private Addresses
Private addresses are used heavily on networks
Addresses that have been set aside to be used on networks that will not conflict with other Internet functions
Subnet Masks
Ability to break large IP pools into smaller IP pools
Used to divide the IP address into the network (or subnetwork) address and the host address
Subnet masks are binary but can be represented as decimal values
Default Gateway
IP networks allow for routing between networks
IP nodes must be able to determine the route out of their networks
Default gateway = default router
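The IPv4 concepts in this section (address classes, private ranges, contiguous subnet masks, the network/host split and the default-gateway decision) in one added example; this is not code from the notes or from Windows, and the private blocks are the RFC 1918 ranges. The sample addresses are constructed.

```python
import ipaddress

# RFC 1918 private blocks (a fact about the protocol, not taken from the notes)
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def address_class(ip: str) -> str:
    """Classful addressing: the first octet decides the class; 127.x.x.x is the loopback ('IP testing') range."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first == 127:
        return "loopback"
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"   # multicast, not assigned to nodes
    return "E"       # reserved


def is_private(ip: str) -> bool:
    return any(ipaddress.IPv4Address(ip) in block for block in PRIVATE_BLOCKS)


def mask_is_valid(mask: str) -> bool:
    """A subnet mask is contiguous in binary: all 1s on the left, all 0s on the right."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    return bits == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF


def split_address(ip: str, mask: str):
    """The 1 bits of the mask select the network address, the 0 bits select the host address."""
    if not mask_is_valid(mask):
        raise ValueError("non-contiguous subnet mask: " + mask)
    ip_bits = int(ipaddress.IPv4Address(ip))
    mask_bits = int(ipaddress.IPv4Address(mask))
    network = ipaddress.IPv4Address(ip_bits & mask_bits)
    host = ipaddress.IPv4Address(ip_bits & ~mask_bits & 0xFFFFFFFF)
    return str(network), str(host)


def next_hop(src: str, mask: str, dst: str, default_gateway: str) -> str:
    """A node delivers on-link traffic directly; anything outside its own network goes to the default gateway (the default router)."""
    if split_address(src, mask)[0] == split_address(dst, mask)[0]:
        return dst
    return default_gateway


if __name__ == "__main__":
    # Constructed host on the 192.168.30.0/24 lab network used in these notes
    print(address_class("192.168.30.77"), is_private("192.168.30.77"))
    print(split_address("192.168.30.77", "255.255.255.0"))
    print(next_hop("192.168.30.77", "255.255.255.0", "203.0.113.9", "192.168.30.1"))
```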
Configuring IP v4
IP v4 Configuration Types
Start > Network > Right click > Properties > Network and Sharing Center > Manage

Command Line Address Config
Run Command prompt in administrator
netsh interface ipv4 set address "Local Area Connection" static <IP address> <subnet mask> <default gateway>
This will set the static address of server 2
netsh interface ipv4 set dnsserver "Local Area Connection" static <DNS server address> primary
You should receive no response, indicating that the action was carried out successfully.
Using Netsh Commands
Netsh > Enter
This will take you into the netsh interface
If you don't specify what your DNS server is, it will default to primary
Command Prompt > ipconfig > Enter
Ipconfig /all

IP v6 Addressing
IP v6 Addresses
128-bit addresses
64-bit network component: first
64-bit host component: last
Network component is assigned by IANA (Internet Assigned Numbers Authority)
Host component is usually based on the 48-bit MAC address or is generated randomly
Only routers require manual configuration but it can be used for nodes, if desired
Address Types
Global Addresses
Link Local Addresses
Unique local Addresses
IP v6 addresses can be in three states
IP v6 Transition Technologies
Next Generation TCP/IP
IntraSite Automatic Tunnel Addressing Protocol (ISATAP)
Teredo (server) |host|
Understanding DHCP
Dynamic Host Configuration Protocol
Provides IP configuration settings to IP clients
Implemented through scopes
Scope – A range of IP addresses that should be given out to the network
Scopes include options
Client will broadcast a DHCPDISCOVER packet onto the network
Server will respond with a DHCPOFFER
Client will then respond with a DHCPREQUEST
Server then confirms with the DHCPACK
Scope Settings
Starting and ending address
Subnet mask
Default Gateway
Subnet Type
Activated or not activated
Can create a scope before actually needed
Entire DHCP server
In an AD domain, must be activated before it will begin to function
Can't have two DHCP servers on the same subnet

DHCP for IP v6 – DHCPv6 Stateless Mode
DHCP for IP v6
Stateless mode is the default addressing mode for IP v6 hosts
Addresses are configured without the DHCP server
Options are obtained from the server
Client uses Router Solicitation and Router Advertisement messages for self configuration
DHCP also supports stateful addressing
Address Exclusions
Used to prevent the use of specified addresses
Useful for reserving addresses for infrastructure devices within the scopes
Address Reservations
Used to hold an address for a specific client
Mapped to the MAC address of the client
Useful for clients needing a pseudo-static address
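The DHCP behaviour described in this section (the DISCOVER/OFFER/REQUEST/ACK exchange, an inactive scope, exclusions and MAC-based reservations) as an added simulation; it is not code from the notes or from the Windows DHCP role, and the scope, addresses and MACs are constructed. DHCPNAK is the standard refusal message when a client requests something the server did not offer.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Scope:
    """A range of addresses handed out on one subnet, plus the options that go with them."""
    start: str
    end: str
    subnet_mask: str
    router: str                                               # the default gateway option
    exclusions: Set[str] = field(default_factory=set)         # never leased: infrastructure devices
    reservations: Dict[str, str] = field(default_factory=dict)  # client MAC -> fixed address
    activated: bool = False                                   # a scope does nothing until activated


class DhcpServer:
    def __init__(self, scope: Scope):
        self.scope = scope
        self.offers: Dict[str, str] = {}   # MAC -> address offered, awaiting DHCPREQUEST
        self.leases: Dict[str, str] = {}   # MAC -> address acknowledged

    def _free_addresses(self):
        start = int(ipaddress.IPv4Address(self.scope.start))
        end = int(ipaddress.IPv4Address(self.scope.end))
        taken = (set(self.scope.exclusions) | set(self.scope.reservations.values())
                 | set(self.leases.values()) | set(self.offers.values()))
        for n in range(start, end + 1):
            addr = str(ipaddress.IPv4Address(n))
            if addr not in taken:
                yield addr

    def _options(self) -> dict:
        return {"subnet_mask": self.scope.subnet_mask, "router": self.scope.router}

    def handle(self, msg: dict) -> Optional[dict]:
        """Answer one client message; None means the server stays silent."""
        if not self.scope.activated:
            return None
        mac = msg["mac"]
        if msg["type"] == "DHCPDISCOVER":
            if mac in self.scope.reservations:      # reserved clients always get their pseudo-static address
                addr = self.scope.reservations[mac]
            elif mac in self.leases:                 # a returning client is offered its current lease
                addr = self.leases[mac]
            else:
                addr = next(self._free_addresses(), None)
            if addr is None:                         # scope exhausted: no offer
                return None
            self.offers[mac] = addr
            return {"type": "DHCPOFFER", "mac": mac, "yiaddr": addr, **self._options()}
        if msg["type"] == "DHCPREQUEST":
            if self.offers.get(mac) == msg["requested"]:
                self.leases[mac] = self.offers.pop(mac)
                return {"type": "DHCPACK", "mac": mac, "yiaddr": msg["requested"], **self._options()}
            return {"type": "DHCPNAK", "mac": mac}   # asked for something the server did not offer
        return None


def dora(server: DhcpServer, mac: str):
    """Run the four-step exchange for one client and return the message types seen, in order."""
    seen = ["DHCPDISCOVER"]
    offer = server.handle({"type": "DHCPDISCOVER", "mac": mac})
    if offer is None:
        return seen
    seen.append(offer["type"])
    seen.append("DHCPREQUEST")
    ack = server.handle({"type": "DHCPREQUEST", "mac": mac, "requested": offer["yiaddr"]})
    seen.append(ack["type"])
    return seen


if __name__ == "__main__":
    # Constructed scope: .10 and .11 are excluded for switches, .20 is reserved for a printer's MAC
    scope = Scope("192.168.30.10", "192.168.30.20", "255.255.255.0", "192.168.30.1",
                  exclusions={"192.168.30.10", "192.168.30.11"},
                  reservations={"00:11:22:33:44:55": "192.168.30.20"}, activated=True)
    server = DhcpServer(scope)
    print(dora(server, "aa:bb:cc:dd:ee:01"), server.leases)
```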
DHCP Option Classes
Enables the DHCP server to configure options to specified clients
Two types exist
Vendor classes
User classes
May configure whether NetBIOS is enabled over TCP/IP or not
Provide a lot of power and flexibility, but require extra measures on the client computer
The Default User class is a class to which all users belong
Implementing DHCP
Current Environment Configuration

Post Assessment Notes
Open System Interconnection Model
Which are layers included in the OSI model?

Application Layer Heading
In the application layer, information is wrapped with a header that includes information about?
SMTP header

Presentation Layer
The presentation Layer is responsible for which function?
Data representation
Session Layer
In the Session Layer, information and accompanying protocol are wrapped with a Winsock API Message
Transport Layer
Within the transport layer, where is information about the destination port of a remote device?
TCP header
Data-Link Layer
The Data-Link layer prepares the information for transmission by determining the physical transmission medium.
Binary Coding
Which layer contains the completed package of information represented through binary coding?
Physical Layer
TCP/IP Model
Which layers of the OSI model are represented in the application layer of the TCP/IP model?
Application, Presentation, and Session layers are represented by the Application layer of the TCP/IP model, while Transport and Network layers are represented by the Transport layer of the TCP/IP model. Network and Data-Link layers are represented by the Internet layer of the TCP/IP model.
Internet Protocol Addresses
How can IPv4 addresses be represented?
IPv4 is represented with a 32-bit address, as well as four octets represented in dotted decimal notation.
Address Class System
IP v4 addresses that contain 127 in the first octet are part of which class?
IP testing class
Private IP v4 Addresses
Which are private IPv4 addresses?
Class A: 10.X.X.X (16.7 million addresses)
Class B: 172.16.X.X – 172.32.X.X (1 million addresses)
Class C: 192.168.X.X (65,536 addresses)
Dividing IP’s
How do Subnet masks divide large IP pools into smaller IP pools?
By dividing the IP address into the network address and the host address
Binary Subnet Masking
In the binary codes of subnet masking, what does the 0 represent?
The host address
Dividing Subnet Masks
How are the binary codes of a subnet mask separated?
All the 1’s to the left, all 0’s to the right
IPv4 Configuration
Access the Internet Protocol Version 4 Properties dialog box.

Default Gateway
The default gateway address is the same as the IP address of the router through which a user is connecting.
What can be appended automatically when a user tries to connect to a simple server name?
DNS Suffix
Command Prompt
In order to configure an IP address in Windows Server 2008, a user must be at a/an ________ command prompt.
Administrative Command Prompt
Set IP Address from Command Prompt
What must be typed at the command prompt in order to set an IP address for the server?
netsh interface ipv4 set address "Local Area Connection" static (the IP address) (the subnet mask) (the default gateway)
DNS Server Setup
Which command will correctly configure the DNS server?
netsh interface ipv4 set dnsserver "Local Area Connection" static (default gateway) primary
netsh interface ipv4 set dnsserver "Local Area Connection" dhcp
Netsh Commands
View the current local area connection configuration using netsh commands
Netsh > interface > ipv4 > show config (within command prompt)
Ipconfig Command
What information is shown in the ipconfig command?
Ipv4 address, Subnet mask, Physical address, basic Information of the device
Ipconfig review
What is the function of the ipconfig /renew switch?
Renew the Ipv4 address for the specified adapter
Ping Request
Send a ping request to the default gateway using the command prompt.
Ping Switches
How can a user access a list of available ping switches using the command prompt?
Type ping /? at the C:\Users\Administrator> prompt
What information is displayed using the traceroute command?
The number of queries per hop, the IP address of the specified server, the traceroute response time of the specified server, and all IP addresses passed through in connection to the specified server
IPv6 Address Division
An IPv6 address is divided into what components?
A 64-bit network component and a 64-bit host component
Network Ipv6 Address Assignment
How is the network component of an IPv6 address assigned?
By IANA (Internet Assigned Numbers Authority)
Ipv6 Addresses
What types of Ipv6 addresses are available?
Global, Link-Local, Unique local addresses
IPv6 Address States
What happens to a link-local address after the unique IPv6 address has been verified?
It moves into the Preferred state
Next Generation TCP/IP
The next generation TCP/IP allows IPv4 and IPv6 addresses to co-exist on the same Windows network at the same time.
Transition Capabilities
Which feature allows a user to access an IPv4 using an IPv6 address?
Through a router that has the ISATAP solution in place
Dynamic Host Configuration Protocol
What is the function of DHCP?
It provides entire IP configuration for IP clients
DHCP Functions
Which packet includes the IP address, the subnet mask, and the default gateway?
Scope Settings
Which settings can be configured in a scope?
Starting and ending address
Subnet mask
Default Gateway
Subnet Type
Activated or not activated
Default Addressing Mode
What is the default addressing mode for IPv6?
Stateless mode
Auto Configure
What features can a client use to auto configure DHCPv6?
Stateful, Auto Configure
Specified Address Exclusions
Within a scope, a user cannot reserve specified addresses for infrastructure devices.
Reserving an IP Address
DHCP can receive a specific IP address for a client by mapping the _______?
Pseudo-static address
DHCP Vendor Class
The DHCP vendor class allows a user to configure options for devices using different ________
Operating systems
Optional Component
Access the Windows Optional Component graphic interface using the command prompt
Ocsetup > enter
DHCP Server Roles
Which program is used to add DHCP server roles?
Server Manager

Role Options
What information is shown on the DHCP Server Roles Summary screen?
Server events, Running system services, Recommendations and resources
DHCP Manager
Where can a user access the DHCP Manager?
From Administrative Tools on the Start Menu
Managing DHCP IPv4 Options
Which are options that can be configured through the DHCP Server Options Pane?
Router, DNS Servers, Name Servers
Activating a Scope
How can a user activate a scope?
Right click Scope and then click activate
Notes from Online Expert: Session 2
IP Routing
Basic Routing Concepts
Connects two different networks by routing data, e.g. at 192.168.30.X
Routers are infrastructure devices, and computers can be configured with one default
Layer 2 and 3 Cooperation
Network – IP Routing
Steps for IP routing
1. Client discovers the MAC address of the first router and sends the IP packet to that router.
Address Resolution Protocol (ARP)
2. Router discovers the MAC address of the next router and forwards the IP packet to that router (repeated as many times as needed)
3. Final router discovers the MAC address of the destination node and forwards the IP packet to that node.
Routing Protocol
Windows Server 2008 supports Routing Information Protocol (RIP) version 2
Open Shortest Path First (OSPF) is no longer supported
Routing and routing protocols are implemented through Routing and Remote Access Services (RRAS)
RRAS role will need to be installed on the server
Understand how the Route Command works
Managing Routes

Understanding IPSec
Internet Protocol Security (IPSec) provides secure, IP-based communications
Applications include
Remote connection from branch offices to corporate headquarters
Secure connection within a LAN
VPN connections for multiple purposes

IPSec Functionality

When IP data is encrypted with IPSec, the IP device that is transmitting the data across a network will NOT notice the encryption.
Capabilities – IPSec Provisions
IPSec provisions three main facilities
An authentication-only function
Referred to as an Authentication Header (AH)
A combination authentication/encryption function
Called Encapsulating Security Payload (ESP)
A key exchange function
Implementation – Practical IPSec Implementation
Both encryption and authentication are usually required
Helps assure that unauthorized users do not penetrate the virtual private
Helps assure that eavesdroppers on the Internet cannot read messages sent over the virtual private network
Most implementations will use ESP rather than AH
Security Associations – IPSec Security Associations
IPSec creates a connection Security Association (SA), when it first sets up
Used for both authentication (AH) and confidentiality (ESP)
A one-way relationship between the sender and receiver that provides security services to the traffic that is carried
When a peer relationship is needed, for two-way secure exchange, two Security Associations are required
Security services are provided to an SA for the use of AH or ESP, but not both

Tunnel Mode
Normal operations use transport mode
A connection between two computers
L2TP/IPSec VPNs use transport mode
Tunnel mode is used when a VPN gateway does not support L2TP/IPSec
IP packet is protected and encapsulated within an unprotected IP Header
The inner IP header is used for the ultimate endpoints
The outer IP header is used for the tunnel endpoints

Preventing Attacks
Encrypting data when using ESP
Attackers will not see the information inside of the communications
Ensure that non repudiation is implemented
Certificates that can identify the user

Authentication Cracks
Using secure authentication with IPSec
Sending service based authentication through an encrypted tunnel
Data Insertion
Encrypted data + message digest = attacker cannot insert data
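An added illustration of the two points above, tunnel-mode encapsulation (inner header for the ultimate endpoints, outer header for the tunnel endpoints) and "encrypted data + message digest" as the defence against data insertion; this is not code from the notes or an IPSec implementation. Assumptions: the keystream function is a labelled toy stand-in for ESP's cipher, HMAC-SHA256 stands in for the integrity check value, and all addresses and keys are constructed.

```python
import hashlib
import hmac
import json
import os
from typing import Optional


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for ESP's cipher: SHA-256 in counter mode XORed over the data.
    Real ESP uses a standard cipher such as AES; this only shows where encryption sits."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def esp_tunnel_encapsulate(enc_key: bytes, auth_key: bytes,
                           tunnel_src: str, tunnel_dst: str, inner_packet: dict) -> dict:
    """Tunnel mode: the whole inner IP packet (ultimate endpoints) is encrypted, an
    integrity check value (ICV) is computed over the protected payload, and the result
    is wrapped in an unprotected outer IP header that names only the tunnel endpoints."""
    nonce = os.urandom(8)
    plaintext = json.dumps(inner_packet, sort_keys=True).encode()
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    icv = hmac.new(auth_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"outer": {"src": tunnel_src, "dst": tunnel_dst, "proto": "ESP"},
            "nonce": nonce, "payload": ciphertext, "icv": icv}


def esp_tunnel_decapsulate(enc_key: bytes, auth_key: bytes, packet: dict) -> Optional[dict]:
    """Verify the ICV before decrypting. Any inserted or altered byte changes the digest,
    so the packet is dropped (None) instead of being delivered to the inner endpoint."""
    expected = hmac.new(auth_key, packet["nonce"] + packet["payload"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, packet["icv"]):
        return None
    return json.loads(keystream_xor(enc_key, packet["nonce"], packet["payload"]))


def flip_payload_bit(packet: dict, offset: int = 0) -> dict:
    """Integrity test: alter one bit of the protected payload without knowing any key."""
    payload = bytearray(packet["payload"])
    payload[offset] ^= 0x01
    return {**packet, "payload": bytes(payload)}


if __name__ == "__main__":
    enc_key, auth_key = os.urandom(32), os.urandom(32)          # constructed keys
    inner = {"src": "192.168.30.5", "dst": "192.168.40.9", "proto": "TCP", "data": "payroll"}
    pkt = esp_tunnel_encapsulate(enc_key, auth_key, "203.0.113.1", "198.51.100.1", inner)
    print("on the wire:", pkt["outer"])                           # tunnel endpoints only
    print("delivered:", esp_tunnel_decapsulate(enc_key, auth_key, pkt))
    print("altered:", esp_tunnel_decapsulate(enc_key, auth_key, flip_payload_bit(pkt)))
```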
Configuring IPSec
Configuring Rules

DNS Defined
Name Resolution
Other name resolution techniques
DNS is not the only solution
Link-Local Multicast Name Resolution (LLMNR)
Name resolution enabled through Network Discovery
Used only in Windows Vista and Windows Server 2008
Windows XP can only notify Vista and 2008 machines that it exists on the network
Link Layer Topology Mapper Service
Provides local subnet name resolution for IPv6 only at this time
NetBIOS name resolution
Broadcasts, LMHOSTS, or WINS
A text file that lists the name mapped to an IP address
Windows Internet Naming Service (WINS)
Allows a computer to query WINS server
Dealing with older Windows technologies
Windows 3.1 | Windows for Workgroups 3.1| Windows 95 and 98
NetBIOS Node Types
Broadcast or B-node
Uses broadcasts for name resolution
Point to Point or P-node
Uses WINS for name resolution
Mixed or M-node
Uses broadcasts first and then WINS (if broadcast doesn't work)
Hybrid or H-node
Uses WINS first and then broadcasts
Domain Name System
Developed for the Internet
Replaced HOST files
Provided hierarchy
Implemented from Standards
Windows Server 2008 implements DNS according to RFCs (Requests for Comments)
DNS Zones
A DNS zone is a portion of the DNS namespace that is managed by a DNS server
A DNS server can only respond authoritatively to requests for the zone that it manages
There is only one authoritative source for zone data
Primary - The authoritative element
Secondary –A copy of the primary zone
Stub – Houses the IP addresses of the primary and secondary zones
Active Directory Integration Benefits
Storing a zone in AD provides many benefits
Zone data is replicated throughout Active Directory
Configuration of replication between primary and secondary servers is no longer necessary
Fault tolerance is provided through redundancy
Replication of a single property, instead of an entire record, is possible
May require security for dynamic updates
A standard zone stores the DNS records in a text file
For large zones, the response time may be longer than an AD-integrated zone
The text files can be easily backed up and relocated
Standard zones allow for only one primary server
All other servers in the zone are read-only
Forward and Reverse Lookups
A forward lookup is used to resolve the IP address when the domain name is known
A reverse lookup is used to resolve the domain name when the IP address is known
Windows Server 2008 DNS supports both lookup types
Dynamic Updates
Windows based DNS servers can accept dynamic updates to DNS entries
A client may submit an update to the server
Two types of updates are supported
Secure updates
Nonsecure updates
DNS Namespace

Configuring DNS
DNS Lab Review

ServerManager CMD

ServerManagerCmd -install DNS

Installing the DNS Role
Server manager > Roles > Add Roles > DNS Server

Creating Zones
Start > Administrative Tools > DNS
DNS Synchronization
Understanding Zone Transfers
Zone transfers are used for non-AD integrated DNS servers
Zone transfers act as pull operations initiated by the secondary zone
Three events can trigger a zone transfer
The refresh interval of the primary zone's SOA record expires
The secondary zone server boots up
A change occurs in the primary zone and the primary zone is configured to notify the secondary zone
Synchronization of authoritative DNS zone data between DNS servers
1. Secondary server: SOA query for a zone
2. Primary server: SOA query answered
3. Secondary server: IXFR or AXFR query for a zone
4. Primary server: IXFR or AXFR query answered
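The zone-transfer exchange above as an added simulation (not code from the notes or from the Windows DNS server): the secondary pulls, compares SOA serials, and receives an incremental IXFR when the primary's change journal covers the gap or a full AXFR otherwise; a NOTIFY from the primary is modelled as the same pull. Zone name, serials and records are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PrimaryZone:
    """The one authoritative copy. Every change bumps the SOA serial and is journaled for IXFR."""
    name: str
    serial: int
    records: Dict[str, str]
    journal: List[Tuple[int, str, str]] = field(default_factory=list)   # (serial, name, new rdata)
    notify_targets: list = field(default_factory=list)                  # secondaries to NOTIFY

    def update(self, name: str, rdata: str) -> None:
        self.serial += 1
        self.records[name] = rdata
        self.journal.append((self.serial, name, rdata))
        for secondary in self.notify_targets:      # trigger: primary configured to notify
            secondary.refresh(self)

    def answer_soa(self) -> int:
        return self.serial

    def answer_xfr(self, secondary_serial: int):
        """IXFR when the journal covers every serial after the secondary's; otherwise a full AXFR."""
        changes = [c for c in self.journal if c[0] > secondary_serial]
        if len(changes) == self.serial - secondary_serial:
            return "IXFR", changes
        return "AXFR", dict(self.records)


@dataclass
class SecondaryZone:
    """Read-only copy of the zone; it pulls from the primary, never the other way round."""
    serial: int = 0
    records: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def refresh(self, primary: PrimaryZone) -> str:
        """The four-message exchange. Runs on boot, on refresh-interval expiry, or on NOTIFY."""
        self.log.append("1. SOA query")
        remote_serial = primary.answer_soa()
        self.log.append(f"2. SOA answer, serial {remote_serial}")
        if remote_serial <= self.serial:
            return "up-to-date"                    # serial did not increase: nothing to transfer
        kind, data = primary.answer_xfr(self.serial)
        self.log.append(f"3. {kind} query from serial {self.serial}")
        if kind == "IXFR":
            for _, name, rdata in data:
                self.records[name] = rdata
        else:
            self.records = data
        self.serial = remote_serial
        self.log.append(f"4. {kind} answered")
        return kind


if __name__ == "__main__":
    primary = PrimaryZone("corp.example", 2008101501, {"dc1": "192.168.30.10", "www": "192.168.30.20"})
    secondary = SecondaryZone()
    print(secondary.refresh(primary))              # first contact: AXFR
    primary.update("www", "192.168.30.21")
    print(secondary.refresh(primary))              # one journaled change: IXFR
    print("\n".join(secondary.log))
```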
Zone Replication
Replication of zone information occurs when DNS is running on AD integrated servers
The DNS zone information is actually stored in AD
AD integrated zones can only be installed on domain controllers
AD replication is responsible for synchronizing all AD-integrated DNS servers
Zone Replication Scope
AD zone replication can be configured to one of four scopes
To all DNS servers in the forest
To all DNS servers in the domain
To all domain controllers in the domain
To all domain controllers specified in the scope of a directory partition
Caching-Only DNS Server
A DNS server that has no local zones is a caching-only server
Creating a caching-only server involves the following three steps
1. Install the DNS role
2. Verify that server root hints are configured
3. Point users to the caching DNS server
Branch offices with little local expertise can benefit from a caching-only server
Network Authentication
NTLM vs. Kerberos
NT LAN Manager (NTLM) authentication is a remnant of the Windows NT age
NTLMv1 and NTLMv2 can be supported, but both protocols are less secure than
Kerberos was developed by MIT in the 1980s and has evolved over time
Windows networks use Kerberos version 5

Domains and Forests
An Active Directory environment consists of forests, domain trees, and domains
A forest is a collection of one or more domain trees
A domain tree is a collection of one or more domains sharing the same root
A domain is a potential security and administration boundary
Account Options
Start > Administrative Tools > Active Directory Users and Computers
The Account tab in a user's Properties dialog box is where an administrator manages the authentication settings associated with that user
Group Memberships
Permissions are restrictive in nature, which can be used to your advantage

Dial-In Permissions
Network Access Permissions
Allow access
Deny Access
Control access through NPS Network Policy
Caller ID
Verify the caller's location or deny access
Callback Options
No Callback
Set by Caller (Routing and Remote Access Service only)
Always Callback to :
Assign Static IP Addresses
Assign Static IP Address
Define IP addresses to enable for the Dial-In connection
Apply Static Routes
Apply Static Routes
Define routes to enable for this Dial-In connection
Remote Network Access
Remote Access Methods
No Internet connection required
Slower than high speed, Internet-based VPNs
VPN (virtual private network)
Fast connections possible
Low Cost
High latency due to encapsulation and encryption processes
Installing RRAS
Start > Server Manager > Roles > Add Roles > Network policy and Access Services

Configuring Dial-Up
Start > Routing and Remote Access > Configure and Enable Remote Access
Remote Access (dial-up or VPN)
Allow remote clients to connect via dial-up or VPN
Network Address Translation
Allow internal clients to connect to the Internet using one public IP
Virtual private network access and NAT
Allow remote clients to connect and local clients to connect to the Internet with one public address using NAT
Secure connection between two private networks
Connect this network to a remote network, e.g. a satellite location
Custom configuration
Select any combination of the features in Routing and Remote Access
Implementing VPNs
Notes from Online Expert: Session 3
Shadow Copy
Recovering Files
Shadow Copy maintains previous versions of files
Gives users the ability to recover previous versions
The entire file is not retained, but the changed information is
A file is just a collection of 1s and 0s
Keeps track of only the sections where data has changed
Uses of Shadow Copy
Shadow copies are enabled per volume
All changes to files will be tracked
Shadow Copy allows the backup software to back up files that are in use
A shadow copy of the file is made and then the Shadow Copy feature backs up the data
Useful for recovery from user errors
Beneficial for backups
Works as an overall timesaver
Enabling Shadow Copy
Start > Computer > Right click any volume | Properties > Shadow Copies
Automatically creates a shadow copy upon creation
Scheduling Shadow Copies
Can have this program running daily
Default setting for shadow copy is 10% of the drive space
Command Prompt > VSSADMIN | Enter

vssadmin create shadow /for=E:
Restoring Previous Versions
Right click a file and select previous versions

Reverting Volumes
Right click volume | Properties > Shadow Copies
You can revert the entire volume from this option; however, any changes made will be lost.

Backing Up Data
Windows Backup
Built in versus third party tools
Essential backup items
System and service configuration
Full Backups
Backup strategies
Backup types
Supported by Windows Backup
All of the data
Since last incremental backup
Since last full backup
Backup schedules
Scheduled backups only work with USB 2.0 or IEEE 1394 drives with built-in
Backup schedules vary depending on needs
Restoring Data
Be sure to practice the restoration process and document it
Know how to use wbadmin from the command prompt
Remember that most mistakes happen when you are stressed
Installing Windows Backup
Server Manager > Features > Right Click | Add feature > Windows Server backup
Using Windows Backup Tools
Start > Administrative Tools > Windows Server Backup
System State Backup
Command prompt > wbadmin
To create and run a system state backup type in the following
wbadmin start systemstatebackup -backupTarget:<target volume>
Printer Sharing
Adding Printers
Start > Control Panel > Printers (Applet) > Add printer |Local
Print Drivers
From Windows Update
Off the Printer Driver Disk
From a list of known print drivers
Sharing Printers
Right click Printer |Sharing > Check both Share this printer | List in Directory
Configure Share Printer Permissions
Location of Printer?
To allow client computers to search Active Directory and find printers near them
Connecting to Shared Printers
Start > Control Panel > Printers > Networked Printers

Windows Update
Windows Server Update Services
All clients that are connected to the LAN > WSUS Server can download updates
However administrators can limit which updates they receive
Installing WSUS
WSUS does not come OOB with Server 2008, so you must download the .exe
Then begin the Wizard and configure to your flavor
Before installing WSUS, the setup wizard shows the user a summary of selected WSUS
WSUS Configuration Wizard
You can synchronize from Microsoft update or another server
Can also configure along with a proxy server
Change languages
You can provide updates for a large number of operating systems and programs
Microsoft Office
Exchange 2000 Server
Windows OS programs
Windows Small business server
These are just to name a few, but the list is more expansive
Choosing Classifications
There are many classifications, they are as follows – Bolded options are defaults
•All Classifications
•Critical updates
•Definition updates (security)
•Feature packs
•Security Updates
•Service Packs
•Update Rollups

Can configure a synchronization schedule, or leave default to manual
By default, when installation finishes it will launch the console and begin synchronization automatically
Within the console, you can access the synchronization menu
From here you can select "Synchronize Now" to access the list of available updates from Microsoft.com
Managing Update Services
Within the Update Services Interface, you can view the updates that are awaiting approval.

To approve a specific update, you can view all that is available by clicking on the link as you see above.
Performance Monitor
Resource Overview
The four main performance components of your machine are the following

Reliability Monitor
This will allow you to see what errors the system may have experienced, as well as changes

•Software Installs
•Windows Failures
•Hardware Failures
•Application Failures
•Software uninstalls
•Misc Failures

Performance Monitor
Performance Monitor is a tool that allows a user to monitor performance in a line graph format
A user would use this tool when they know something will happen and wish to view the results of that scenario
Data Collector Sets
Data Collector Sets will enable a user to collect performance-related data on specific items and generate reports on the performance
Reports received within the Reliability and Performance Monitor will display many needed component levels for your viewing; however, they will not display anti-spyware and antivirus software. That will be displayed within the WFAS.
Task Manager
Applications Tab
Displays active running applications
CPU Utilization
Memory Utilization
Background services that enable the OS to run correctly
This is where you can see specific information about the ongoing services
Network Monitoring
Installing Network Monitor
Typical, Custom, Complete installation presets
This program will allow you to see the specific frames that travel through your network, provided the traffic isn't encrypted.
The way you view traffic through the monitor is by means of Captures
Filtering Traffic Data
Within the “Display Filter” right above the Summary you can type in specific Protocols
Running MBSA
Microsoft Baseline Security Analyzer is a tool that can be used to scan a machine and give a report of any potential vulnerabilities

MBSA Management

Creating Security templates
Add both Security Template and Security Configuration

Using Event Viewer

Filtering Logs

Creating Custom Views
A custom view can be filtered in order to narrow down which events are displayed

Attaching Tasks
Attach Task to this event > Name it >
This is where you can configure it to carry out a task, such as
•Start a Program
•Send an e-mail
•Display a message
When a task is attached to an event, it is attached based on the Event ID
Exporting Logs
You can import your logs into another machine, saving you time on creating your views on another machine
Notes from Online Expert: Session 4
Network Access Protection
Introduction to NAP
Used to
Enforce health requirements
Enforce policy compliance
Provides solutions for computers that do not meet health and policy
This is called the Remedial network, which can provide what is needed to bring the machines back to par
NAP cannot
Keep authorized users on healthy computers from performing attacks
A policy compliance enforcement solution
NAP Requirements
Clients running Windows XP SP2 or Vista
Health policy validation
Network access limitation
Automatic remediation
Ongoing compliance
NAP implementation methods
IPSec enforcement – Must have the health certificate if compliant with Net policies
802.1X enforcement
VPN enforcement
DHCP enforcement – Will not receive a valid IP until meeting Net policies
NAP Architecture Interactions
Configuring NAP
Lab Review
Adding NAP Roles
Start > Server Manager > Roles > Add Roles > DHCP|DNS > Network Policy Server > Network Connection Bindings
Configuring DHCP

Health Policy Server
Start > NPS.msc | Enter > Configure NAP > Method | DHCP

Network Connection Method
•Dynamic Host Configuration Protocol (DHCP)
•IPSec with Health Registration Authority (HRA)
•IEEE 802.1X (Wired)
•IEEE 802.1X (Wireless)
•Virtual Private Network (VPN)
•Terminal Private Network (TS Gateway)
Specifying NAP Enforcement
NAP Enforcement Servers Running DHCP Server
This is for RADIUS network access servers that are not local

DHCP Scopes
Can configure DHCP scopes at this window, if not configured one yet
User Groups and Machine Groups
These are groups that you can grant or deny access
NAP Remediation Server Group and URL
Network Access restrictions for NAP-ineligible client computers
•Deny full network access to NAP ineligible client computers
Allow access to a restricted Server only
•Allow full network access to NAP-ineligible client computers
Configuring Validators
Network Policy Server > Network Access Protection > System Health Validators > Double Click Windows Security Health Validator
This will bring up the Windows Security Health Validator Properties
Enter the Configuration
Windows Firewall
Demonstrate Connectivity
Use Ping to test network connectivity
Disallow Connectivity
Start > Windows Firewall with Advanced Security
Demonstrate Firewall Protection
Test whether or not your deny rule is implemented

Creating Firewall Rules
Start > Windows Firewall with Advanced Security > New Rule (Top right corner)
This will enter a Wizard for adding the rule, see predefined rules

•Active Directory Domain Services
•BITS Peercaching
•COM+ Network Access
•Core Networking
•DFS Management
•DFS Replication
•DHCP Server
•DHCP Server Management
•Distributed Transaction Coordinator
•DNS Service
•File and Printer Sharing
•File Replication
•iSCSI Service
•Kerberos Key Distribution Center
•Key Management Service
•Netlogon Service
•Network Discovery
•Performance Logs and Alerts
•Remote Administration
•Remote Desktop
•Remote Event Log Management
•Remote Scheduled Tasks Management
•Remote Service Management
•Remote Volume Management
•Routing and Remote Access
•Secure Socket Tunneling Protocol
•SNMP Trap
•Windows Firewall Remote Management
•Windows Management Instrumentation (WMI)
•Windows Remote Management

Custom Firewall Rules
Can be a combination of Program and Port Rules
Can also specify Services as well
Can also specify a Protocol, see below

•IPv6 Route

Firewall Properties
Right click windows Firewall > Properties
There is also a URL to take you to properties from the main page of WFAS

Windows Firewall
Customize Logging Settings for the Domain

Wireless Access
IEEE Standards
Standards that specify the functional capabilities of wireless LANs
Released in 1997
Frequency-hopping spread spectrum (FHSS) and direct-sequence spread spectrum (DSSS)
1 or 2 Mbps
Operate in 2.4 GHz
802.11b – 1999
High-rate direct-sequence spread spectrum (HR/DSSS)
Higher Data Rate
Operates in 2.4 GHz
Orthogonal frequency division multiplexing (OFDM)
Up to 54 Mbps
Extended rate physical layer (ERP-OFDM)
Operates in 2.4 GHz
High-Throughput (HT)
Operates in 2.4 GHz or 5.8 GHz
Operating Frequencies
802.11 operates in one of two frequency bands
2.4 GHz
Industrial, scientific, and medical band (ISM)
5.8 GHz
Unlicensed national information infrastructure (U-NII)
Sections of the space are set aside for channel usage
2.4 – 2.4835 GHz
Early Security Problems
Wired Equivalent Privacy (WEP) was used initially
Specified in 802.11 as a way to prevent casual eavesdropping
Still protects against eavesdropping, but it also needs to protect against hackers
WEP has several weaknesses
Initialization Vector problems
IV is a number used as part of an encryption key
Weak initialization vectors were created
Attack methods took advantage of weak IVs to attack the network
Brute force attacks
Dictionary attacks
Dictionary attacks use a list of possible passwords and encryption keys to find the right one
Brute force attacks use every possible combination of letters, numbers, and special characters
WEP key storage attacks
Wireless vendors stored WEP keys on client computers, and encryption tools were weak, making it easy to obtain
Current Security Problems
When some form of encryption is not in use, then anyone can access the package being sent
Denial of Service (DoS)
Attackers can use radio frequency jammers or wireless NICs to consume frequency space and block users
Open Systems
Not doing anything to secure the system and leaving it at default settings
False security solutions
Solutions people think provide wireless LAN security actually do not provide any security
SSID hiding
The Service Set ID is used to determine the basic communications in a wireless LAN
If SSID is hidden, people would not see the network and get on it
The clients still include the SSID with every frame they send
MAC filtering
Listing all MAC addresses on the access point will not guarantee safety
Most wireless NICs allow a certain address to be used
Power level reduction
Reducing the power level will create a smaller signal, blocking out people who should not have access
WPA and WPA2
WPA and WPA2 are Wi-Fi Alliance certifications
WPA is based on the IEEE 802.11i draft
WPA2 is based on the IEEE 802.11i amendment
Both come in personal and enterprise implementations
Personal – preshared key
Enterprise – RADIUS authentication server
802.1X is a port-based authentication solution
RADIUS is an authentication framework that supports port-based authentication
Beginning connection attempt w/RADIUS environment

RADIUS response

Supplicant Response
RADIUS then validates or invalidates the client for access

Configuring Wireless Access
Configure NPS
Start > Server Manager > Roles > Add Roles > Server Roles > Network Policy and Access Services | Active Directory Certificate Services > Network Policy Server | Routing and Remote Access Services > Certificate Authority > Accept defaults until configuring the Cryptography for CA > sha1 (Most Secure in 2008) > Accept all other defaults (default certificate authority is 5 years)
Selecting RADIUS for 802.1X
Refresh Server Manager by restarting the Window
Roles > Network Policy and Access > NPS (Local)
Within the Standard Configuration window, change your configuration to the RADIUS server for 802.1X Wireless or Wired Connections
RADIUS Client Setup

Setup > Wireless Settings > Manual Wireless network setup

File Services
Shares and Permissions
Shares can be created in order to provide access to file storage on servers
Permissions can be set at two levels
Share level
NTFS level
Encrypting File System
EFS protects files and folders with encryption
Storage level encryption only
Windows 2000 and later operating systems support EFS
Creating a recovery agent is important
Requires an enterprise Certificate Authority (CA)
Enable the recovery agent in Group Policy
Creating File Shares
Add Roles > File Services
Provision Share Wizard
SMB Settings allows you to limit the amount of users connecting to the share
Share Permissions
The options for shares within the SMB interface wizard are as follows
•All users and groups have only Read access
•Administrators have Full Control; all other users and groups have only read access
•Administrators have Full Control; all other users and groups have only Read and Write access
•Users and groups have custom share permissions

Creating Shares with Explorer
Right click the folder, and select share
Administrator will be on by default, but this is where you can add users
Encryption Using EFS
Right click the desired folder > Properties > Advanced > Check Encryptions box > Ok
This will encrypt the folder with EFS
Group Policy
Admin Tools > Group Policy Management > Forest > Domain > GPO > Default Domain Policy | Edit
Distributed File System
DFS Overview - Added in NT 4.0 in the 90’s
The Distributed File System (DFS) provides fault-tolerant access to dispersed files
DFS technologies include
DFS namespace
DFS replication
Remote differential compression
DFS replication only happens once a file is closed
DFS Scenarios
Sharing files across branch offices
Allows users at the branch office to access the data locally
Data Collection
The data is never modified at the actual hub site
Data Distribution
The data is changed at the hub site and read only copies are sent to remote sites
DFS Namespaces

(columns: domain-based namespace | stand-alone namespace)
•Path: \\Domainname\Namespace | \\Servername\
•Location: Active Directory and memory cache | Server registry and memory cache
•Size: Up to 5k folders with targets with Windows 2000 (10x in 2008) | Up to 50k folders with targets
•Availability: Namespace hosted on multiple servers | Server Cluster
•DFS Replication: Supported | Supported

Folders and Folder Targets
Folders are the primary elements of a namespace
They have at least one folder target
Share Folders
Folders in a shared folder
A path to another namespace

Installing the DFS Role
Server Manager > Roles > File Services > Add Role Services
Disk Quotas
Disk Quota Evolution
Quotas were first introduced in Windows Server 2000
Early implementations were limited to user-by-user quotas
New Quota Features
Share/folder level quotas
Group-based quotas
Command-line management of quotas
Allows the creation of scripts to apply quotas
Installing FSRM
Server Manager > Roles > File Services > Add Role Services > File Server Resource Manager
Creating Quota Templates
Server Manager > Roles > File Servers > Share and Storage Management > File Server Resource Manager > Quota Management
Can set your own template size
Applying Quotas

MCSA: Active Directory 70-640 (2008) Compilation of Notes
Personal Notes (Incomplete)
Notes for 70-640 Active Directory Configuring

Global Catalog
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers. Examples of global catalog scenarios are as follows:
•Forest-Wide searches. The Global catalog provides a resource for searching an AD DS forest. Forest-wide searches are identified by the LDAP port that they use. If the search query uses port 3268, the query is sent to a global catalog server.
•User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication.
•Universal Group Membership Caching. In a forest that has more than one domain, in sites that have domain users but no global catalog server, universal group membership caching can be used to enable caching of logon credentials so that the global catalog does not have to be contacted for subsequent user logons. This feature eliminates the need to retrieve universal group memberships across a WAN link from a global catalog server in a different site.
•Exchange Address Book Lookups. Servers running Exchange Server rely on access to the global catalog for address information. Users use global catalog servers to access the global address list (GAL).
Special Note: Universal groups are available only in a domain that operates at the Windows 2000 native domain functional level or higher.
To configure the domain controller as a Global Catalog server, use the Active Directory Sites and Services console

Global Catalog Replication of Additions to the Partial Attribute Set
Each global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For the objects of its own domain, a global catalog server has information related to all attributes that are associated with those objects. For the objects in domains other than its own, a global catalog server has only information that is related to the set of attributes that are marked in the AD DS schema to be included in the partial attribute set (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to be used for searches. These attributes are replicated to every global catalog server in an AD DS forest.
The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the MMC AD Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE.

•Active Directory Domain Services
•Active Directory Domain Services replication
•Domain Name System
•Net Logon Service
•Domain controller Locator

Certutil Command Line interface
Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

Reference Groups / Group Types
Block Inheritance
You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects that are linked to higher sites, domains, or OUs from being automatically inherited by the child level. If a domain or OU is set to block inheritance, it will appear with a blue exclamation mark in the console tree.

Reference dism command lines for server core

Configuring the RODC filtered attribute set
Reference Password properties

Authoritative restores of Group Policy
Moving Active Directory Database to another volume
Use ntdsutil.exe to move the database file, the log files, or both to a larger existing partition.

Backing up AD DS w/ Ntdsutil.exe

GPO Auditing / Change policies
Quick note : A global object access audit policy can be used to enforce object access audit policy for a computer, file share, or registry.
Quick Note: Audit Directory Service Changes - This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services.
Auditing policies

Server Core
Server Core supports nine server roles
•Active Directory Domain Services
•To install RODC on a Server Core, you must perform an unattended installation of AD DS
•Active Directory Lightweight Directory Services
•Dynamic Host Configuration Protocol (DHCP) Server
•DNS Server
•File Services
•Printer Server
•Streaming Media Services
•Web Server (IIS) (as a static Web server; ASP.NET cannot be installed)
•Hyper-V (Windows Server Virtualization)
Server core also supports these 11 optional features
•Microsoft Failover Cluster
•Network Load Balancing
•Subsystem for UNIX-based applications
•Windows Backup
•Multipath I/O
•Removable Storage Management
•Windows BitLocker Drive Encryption
•Simple Network Management Protocol (SNMP)
•Windows Internet Naming Service (WINS)
•Telnet client
•Quality of Service (QoS)
Chapter 1 Notable Items
Global Catalog (or partial attribute set) - A partition of the Active Directory data store that contains a subset of attributes for every object in the Active Directory forest. The global catalog is used for efficient object queries and location.

Identity Store - A database of information regarding users, groups, computers, and other security principals. Attributes stored in an identity store include user names and passwords.

Sites - An Active Directory object that represents a portion of the network with reliable connectivity. Within a site, domain controllers replicate updates within seconds, and clients attempt to use the services within their site before obtaining the services from other sites.

Chapter 2
A security group can be given permissions to resources. It can also be configured as an email distribution list.

A Distribution group is an email enabled group that cannot be given permissions to resources and is, therefore, used only when a group is an email distribution list that has no possible requirement for access to resources.

A Global group is used to identify users based on criteria such as job function, location, and so on.

A Domain local group is used to collect users and groups who share similar resource access needs, such as all users who need to be able to modify a project report.

A Universal group is used to collect users and groups from multiple domains

Note that if the domain in which you are creating the group object is at a mixed or interim domain functional level, you can select only Domain Local or Global scopes for security groups.
Creating Links - Linked properties are properties of one object that refer to another object. Group Membership is, in fact, a linked property. Other linked properties, such as the Managed by attribute discussed earlier, are also links. When you specify the Managed by name, you must select the appropriate user or group.

CN = Common Name
OU= Organizational Unit
DC = Domain Component
RDN = Relative Distinguished Name
Must be unique within its container

DNS - Reference Primary/Secondary/Forward/Reverse/Root Zones
Conditional Forwarder vs. Stub Zone
Stub zones provide a way for DNS servers hosting a parent zone to maintain a current list of the authoritative DNS servers for the child zones. As authoritative DNS servers are added and removed, the list is automatically updated. Stub zones are dynamic, and the name servers for the zone are automatically updated in the stub zone.

Conditional Forwarding, on the other hand, is used to control where a DNS server forwards queries for a specific domain. A DNS server on one network can be configured to forward queries to a DNS server on another network without having to query DNS servers on the Internet. Use conditional forwarders to forward queries for specific domain names to a specific DNS server; this reduces recursive DNS traffic.
Active Directory-Integrated zones
Benefits of AD DS integration
•DNS features multimaster replication and enhanced security based on the capabilities of AD DS.
•Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.
•By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.
•Directory-integrated replication is faster and more efficient than standard DNS replication
Note: Only Primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory. It must store them in standard text files. The multimaster replication model of AD DS removes the need for secondary zones when all zones are stored in Active Directory Domain Services.
Understanding Zone Delegation
Domain Name System provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When you are deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones.
•You want to delegate management of part of your DNS namespace to another location or department in your organization.
•You want to divide one large zone into smaller zones to distribute traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment.
•You want to extend the namespace by adding numerous subdomains at once, for example, to accommodate the opening of a new branch or site.

If, for any of these reasons, you can benefit from delegating zones, it might make sense to restructure your namespace by adding additional zones. When you are deciding how to structure zones, use a plan that reflects the structure of your organization.

When you delegate zones within your namespace, remember that for each new zone that you create, you need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers that are being made authoritative for the new zone.

When a standard primary zone is first created, all the resource record information is stored as a text file on a master for the zone. Zone information can be replicated to other DNS servers to improve fault tolerance and server performance.

When you are structuring your zones, there are several good reasons to use additional DNS servers for zone replication:
•Added DNS servers provide zone redundancy, which makes it possible for DNS names in the zone to be resolved for clients if a primary server for the zone stops responding.
•Added DNS servers can be placed so as to reduce DNS network traffic. For example, adding a DNS server to the opposing side of a low-speed, wide area network link can be useful in managing and reducing network traffic.
•Additional secondary servers can be used to reduce loads on a primary server for a zone.

SRV Record
The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on a domain controller registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller's SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.
Enable GlobalNames zone support
The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitly enabled by using the following command on every authoritative DNS server in the forest.
DNSLint is a Microsoft Windows tool that can be used to help diagnose common DNS name resolution issues. It can be targeted to look for specific DNS record sets and ensure that they are consistent across multiple DNS servers. It can also be used to verify that DNS records used specifically for AD replication are correct.

Manually Updating a Secondary Zone
By right-clicking a secondary zone in the DNS Manager console tree, you can use the shortcut menu to perform the following secondary zone update operations:
•Reload - This operation reloads the secondary zone from the local storage.
•Transfer from Master - The server hosting the local secondary zone determines whether the serial number in the secondary zone's SOA resource record has expired and then pulls a zone transfer from the master server.
•Transfer New Copy of Zone from Master - This operation performs a zone transfer from the secondary zone's master server regardless of the serial number in the secondary zone's SOA resource record.

Operations Master Roles
Active Directory supports multimaster replication of the directory data store between all domain controllers in the domain, so all domain controllers in a domain are essentially peers. However, some changes are impractical to perform using multimaster replication, so, for each of these types of changes, one domain controller, called the operations master, accepts requests for such changes.
In every forest, there are at least five operations master roles that are assigned to one or more domain controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide operations master roles must appear once in every domain in the forest. Note: The operations master roles are sometimes called flexible single master operations (FSMO) roles.

Forest-wide operations master roles
Every forest must have the following roles:
•Schema Master
•Domain naming master
These roles must be unique in the forest. This means that throughout the entire forest there can be only one schema master and one domain naming master.
Schema Master
The Schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the entire forest.
To add a new schema class or attribute definition
Open the Active Directory Schema snap-in.
In the console tree, click Active Directory Schema.
Do one of the following:
•To add a class definition, in the console tree, right-click Classes, click Create Class, and then follow the instructions.
•To add an attribute definition, in the console tree, right-click Attributes, click Create Attribute, and then follow the instructions.
Special Note:
•To perform this procedure, you must be a member of the Schema Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
•The Active Directory Schema snap-in must be connected to the schema master to perform this procedure. The Active Directory Schema snap-in connects to the schema master by default when it is started.
•If the Active Directory Schema snap-in is not installed, see Other Resources.

Domain naming master
The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. There can only be one domain naming master in the entire forest. Note: Any domain controller running Windows Server 2003 can hold the role of the domain naming master. A domain controller running Windows 2000 Server that holds the role of domain naming master must also be enabled as a global catalog server.
Domain-wide operations master roles
Every domain in the forest must have the following roles:
•Relative ID (RID) master
•Primary domain controller (PDC) emulator master
•Infrastructure master
These roles must be unique in each domain. This means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master.
RID Master
The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest.
Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain.
To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.
RID Master Failure
A failed RID master eventually prevents domain controllers from creating new SIDs and, therefore, prevents you from creating new accounts for users, groups, or computers. However, domain controllers receive a sizable pool of RIDs from the RID master, so unless you are generating numerous new accounts, you can often go for some time without the RID master online while it is being repaired. Seizing this role to another domain controller is a significant action. After the RID master role has been seized, the domain controller that had been performing the role cannot be brought back online.

PDC Emulator master
The PDC Emulator master processes password changes from client computers and replicates these updates to all domain controllers throughout the domain. At any time, there can be only one domain controller acting as the PDC Emulator master in each domain in the forest. The PDC Emulator role is used in the following ways:
•To provide consistent password experience for users across sites (can be turned off with AvoidPdconWan registry parameter) - The PDC emulator is used as a reference DC to double check incorrect passwords and it also receives new password changes. When the PDC is reachable, users can use a new password immediately and consistently across the environment.
•As a preferred point of administration for services (examples are Group Policy and DFS).
•As a point of contact for applications hard-coded to the PDC (often written for Windows NT 4.0 and older domains) - The legacy API often used for this is NetGetDcName. It is strongly suggested to change applications to use the new API to locate DCs. DsGetDcName by default does not target the PDC, and it has more options that allow you to pick the type of DC needed to perform the operation.
•As a default time server for all other DCs in the domain - The time server configuration of a PDC requires manual consideration and should be reviewed when you change the owner of the PDC role.

The domain controller configured with the PDC emulator role supports two authentication protocols.
•The Kerberos V5 protocol
•The NTLM protocol

Infrastructure Master
At any time, there can be only one domain controller acting as the infrastructure master in each domain. The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog data will always be up to date. If the infrastructure master finds data that is out of date, it requests the updated data from a global catalog. The infrastructure master then replicates the updated data to the other domain controllers in the domain.
Note: Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
Adprep /domainprep must be run on the server holding the Infrastructure Master role. The role was originally installed on the first domain controller in the forest. Now it is down, and another domain controller must get the Infrastructure Master role.
Planning Operations Master Role Placement
Operations master role holders are assigned automatically when the first domain controller in a given domain is created. The two forest-level roles (schema master and domain naming master) are assigned to the first domain controller created in a forest. In addition, the three domain-level roles (RID master, infrastructure master, and PDC Emulator) are assigned to the first domain controller created in a domain.

In the case where all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.

The infrastructure master is also responsible for updating the group-to-user references whenever the members of groups are renamed or changed. When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. This prevents the loss of group memberships associated with a user account when the user account is renamed or moved. The infrastructure master distributes the update via multimaster replication.

There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency.

Transferring operations master roles
Transferring an operations master role means moving it from one domain controller to another with the cooperation of the original role holder. Depending upon the operations master role to be transferred, you perform the role transfer using one of the three Active Directory consoles in MMC.
•Schema master: Active Directory Schema
•Domain naming master: Active Directory Domains and Trusts
•RID master: Active Directory Users and Computers
•PDC Emulator: Active Directory Users and Computers
•Infrastructure master: Active Directory Users and Computers

Publishing Applications
Publishing an application makes the application available to users beginning with their next logon. You can publish any application that is contained within a Windows Installer package or a .ZAP file. When you've published an application, a user can install (or uninstall) it by using the Add/Remove Programs applet in Control Panel. Likewise, the application is automatically installed should the user try to open a file that requires it. For example, suppose you've published Microsoft Excel 2000. If a user attempts to open an .XLS file, the system will automatically install Excel and load the file the user was trying to open.

Assigning Applications
Assigning applications works a little bit differently. You can assign an application to a user, or you can assign an application to a computer. The effect of assigning an application is different depending on whether it is assigned to a user or to a computer.

If you assign an application to a user, the application will be available after their next login. At that time, the shortcut to the application will already exist on the desktop or on the Start menu, depending on where you placed it. Even though the shortcut exists, the application isn't actually installed yet. The application is installed when the user tries to access the shortcut or when the user attempts to open a file that requires the application. Should the user try to uninstall the application, it will automatically become available again at the next login. Only applications contained within a Windows installer package can be assigned.

Assigning an application to the computer works a little bit differently. As with assigning applications to users, only applications bundled within a Windows Installer package can be assigned. At the time an application is assigned, it's actually installed on the PC without user intervention. The application becomes available to users after the next reboot. Because the application is assigned at the PC level, only an administrator is permitted to uninstall it. Should the application become damaged or partially deleted, the system is usually smart enough to detect the problem and reinstall the application to repair it.

What is AD FS?
AD FS is an identity access solution that provides browser-based clients (internal or external to your network) with seamless, "one prompt" access to one or more protected Internet-facing applications, even when the user accounts and applications are located in completely different networks or organizations.
When an application is in one network and user accounts are in another network, it is typical for users to encounter prompts for secondary credentials when they attempt to access the application. These secondary credentials represent the identity of the users in the realm where the application resides. The Web server that hosts the application usually requires these credentials so that it can make the most appropriate authorization decision.
AD FS makes secondary accounts and their credentials unnecessary by providing trust relationships that you can use to project a user's digital identity and access rights to trusted partners. In a federated environment, each organization continues to manage its own identities, but each organization can also securely project and accept identities from other organizations.
Furthermore, you can deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions between trusted partner organizations. Federated B2B partnerships identify business partners as one of the following types of organization.
•Resource organization: Organizations that own and manage resources that are accessible from the Internet can deploy AD FS federation servers and AD FS-enabled Web servers that manage access to protected resources for trusted partners. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.
•Account organization: Organizations that own and manage user accounts can deploy AD FS federation servers that authenticate local users and create security tokens that federation servers in the resource organization use later to make authorization decisions.
The process of authenticating to one network while accessing resources in another network -without the burden of repeated logon actions by users - is known as single sign-on (SSO). AD FS provides a Web-based, SSO solution that authenticates users to multiple Web applications over the life of a single browser session.
AD FS role services
Depending on your organization's requirements, you can deploy servers running any one of the following AD FS role services:
•Federation Service: The Federation Service comprises one or more federation servers that share a common trust policy. You use federation servers to route authentication requests from user accounts in other organizations or from clients that may be located anywhere on the Internet.
•Federation Service Proxy: The Federation Service Proxy is a proxy to the Federation Service in the perimeter network (also known as a DMZ and screened subnet). The Federation Service Proxy uses WS-Federation Passive Requester Profile (WS-F PRP) protocols to collect user credential information from browser clients, and it sends the user credential information to the Federation Service on their behalf.
•Claims-Aware Agent: You use the claims-aware agent on a Web server that hosts a claims-aware application to allow the querying of AD FS security token claims. A claims-aware application is a Microsoft ASP.NET application that uses claims that are present in an AD FS security token to make authorization decisions and personalize applications.
•Windows token-based agent: You use the Windows token-based agent on a Web server that hosts a Windows NT token-based application to support conversion from AD FS security token to an impersonation-level, Windows NT access token. A Windows NT token-based application is an application that uses Windows-based authorization mechanisms. When you deploy the first federation server in a new AD FS 2.0 installation, you must obtain a token-signing certificate and install it in the local computer personal certificate store on that federation server.
Who will be interested in this feature?
AD FS is designed to be deployed in medium to large organizations that have the following:
•At least one directory service: Active Directory Domain Services or AD LDS
•Computers running various operating system platforms
•Domain-joined computers
•Computers that are connected to the Internet
•One or more Web-based applications
Are there any special considerations?
If you have an existing AD FS infrastructure, there are some special considerations to be aware of before you begin upgrading federation servers, federation server proxies, and AD FS-enabled Web servers running Windows Server 2003 R2 to Windows Server 2008. These considerations apply only when you have AD FS servers that have been manually configured to use unique service accounts.
AD FS uses the Network Service account as the default account for both the AD FS Web Agent Authentication Service and the identity of the ADFSAppPool application pool. If you manually configured one or more AD FS servers in your existing AD FS deployment to use a service account other than the default Network Service account, track which of the AD FS servers use these unique service accounts and record the user name and password for each service account.
When you upgrade a server to Windows Server 2008, the upgrade process automatically restores all service accounts to their original default values. Therefore, you must enter service account information again manually for each applicable server after Windows Server 2008 is fully installed.
Integration with AD RMS
AD RMS and AD FS have been integrated in such a way that organizations can take advantage of existing federated trust relationships to collaborate with external partners and share rights-protected content. For example, an organization that has deployed AD RMS can set up federation with an external organization by using AD FS. The organization can then use this relationship to share rights-protected content across the two organizations without requiring a deployment of AD RMS in both organizations.
It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust.

Verification of AD FS
Verify that the specific event (ID 674) was generated on the federation server proxy computer. This event is generated when the federation server proxy is able to successfully communicate with the Federation Service.
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
1.Log on to a client computer with Internet access.
2.Open a browser window, and then type the Uniform Resource Locator (URL) for the Federation Service endpoint, along with the path to the clientlogon.aspx page that is stored on the federation server proxy.
3.Press Enter.
•At this point your browser should display the error "Server Error in '/adfs' Application". This step is necessary to generate event message 674 to verify that the clientlogon.aspx page is being loaded properly by Internet Information Services (IIS).

Reference: ADAM account stores
Account Stores
Active Directory Federation Services uses account stores to log on users and extract security claims for those users. You can configure multiple account stores for a single Federation Service and define their priority. The Federation Service uses LDAP to communicate with account stores.
Active Directory account stores
ADFS is tightly integrated with Active Directory. ADFS retrieves user attributes and authenticates users against AD. ADFS also uses Windows Integrated Authentication and security tokens that Active Directory creates.
For a user to log on to AD, the user name must be in the UPN format (user@adatum.com) or in the Security Accounts Manager (SAM) account name format (adatum\user). After the user is logged on and impersonated, user security IDs (SIDs) are enumerated from the access token. The SIDs are then mapped to organization group claims.
Email claims, common name claims, and custom claims can be extracted from user object attributes that are defined in Active Directory when the Federation Service account is used to perform an LDAP search of an object.
The Federation Service account must have access to the user object. If the user object resides in a domain different from the domain where the Federation Service account resides, the former domain must have AD domain trust in place to the latter domain.
There is no direct way of determining where any given user name exists in AD and in all directories that are trusted (either directly or transitively) by Active Directory. Active Directory returns an authoritative failure only if the logon attempt fails as a result of policy restrictions. Examples of policy restriction failures include the following:
•The account is disabled
•The account password has expired
•The account is not allowed to log on to this computer
•The account has logon time restrictions and is not allowed to log on at this time

Otherwise, AD account store logon failures are always nonauthoritative, and the next-priority account store is tried. The following is the list of configuration items for the AD account store:
•A setting indicating whether this entry is enabled
•The display name for the trusted Active Directory account store
•Optional: A list of SIDs that map to particular organization group claims
•Optional: Configuration defining how to extract organization claims from user object attributes in Active Directory
oEmail identity claim or common name identity claim
oCustom organization claim

About account partners
An account partner is the organization in the federation trust relationship that physically stores user accounts in either an Active Directory store or an ADAM store. The account partner is responsible for collecting and authenticating a user's credentials, building up claims for that user, and packaging the claims into security tokens. These tokens can then be presented across the federation trust to enable access to Web-based resources that are located in the resource partner organization.
In other words, an account partner represents the organization for whose users the account-side Federation Service issues security tokens. The Federation Service in the account partner organization authenticates local users and creates security tokens that are used by resource partner in making authorization decisions.
With regard to Active Directory, the account partner in ADFS is conceptually equivalent to a single AD forest whose accounts need access to resources that are physically located in another forest. Accounts in this forest can access resources in the resource forest only when an external trust or forest trust relationship exists between the two forests and the resources to which the users are trying to gain access have been set with the proper authorization permissions.

About resource partners
The resource partner is the organization in an ADFS deployment where ADFS-enabled Web servers are located. The resource partner trusts the account partner to authenticate users. Therefore, to make authorization decisions, the resource partner consumes the claims that are packaged in security tokens coming from users in the account partner.
In other words, a resource partner represents the organization whose Web servers are protected by the resource-side Federation Service. The Federation Service at the resource partner uses the security tokens that are produced by the account partner to make authorization decisions for Web servers in the resource partner.
To function as an ADFS resource, Web servers in the resource partner organization must have the ADFS Web Agent component of ADFS installed. Web servers that function as an ADFS resource can host either claims-aware applications or Windows NT token–based applications.

Domain and Trusts
You can use the New Trust Wizard or the Netdom command line tool to create four types of trusts: external, realm, forest, and shortcut trusts. The following information describes these trust types.

External (non-transitive; one-way or two-way)
Use external trusts to provide access to resources that are located on a Windows NT 4.0 domain or a domain that is located in a separate forest that is not joined by a forest trust. A one-way, incoming, external trust allows users in your domain to access resources in another Active Directory domain.
Realm (transitive or non-transitive; one-way or two-way)
Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and an Active Directory domain.
Forest (transitive; one-way or two-way)
Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests that are made in either forest can reach the other forest. You can specify whether the forest trust is one-way, incoming or outgoing, or two-way. As mentioned earlier, a forest trust is transitive, allowing all domains in a trusting forest to trust all domains in a trusted forest. However, forest trusts are not themselves transitive. For example, if the tailspintoys.com forest trusts the worldwideimporters.com forest, and the worldwideimporters.com forest trusts the northwindtraders.com forest, those two trust relationships do not allow the tailspintoys.com forest to trust the northwindtraders.com forest. If you want those two forests to trust each other, you must create a specific forest trust between them.
Shortcut (transitive; one-way or two-way)
Use shortcut trusts to improve user logon times between two domains within an Active Directory forest. This is useful when two domains are separated by two domain trees.

Creating Forest Trusts
You can link two disjoined Active Directory Domain Services (AD DS) forests together to form a trust relationship. The following are required to create forest trusts successfully.
•You can create a forest trust between two Windows Server 2003 forests, between two Windows Server 2008 forests, between two Windows Server 2008 R2 forests, between a Windows Server 2003 forest and a Windows Server 2008 forest, between a Windows Server 2003 forest and a Windows Server 2008 R2 forest, or between a Windows Server 2008 forest and a Windows Server 2008 R2 forest. Forest trusts cannot be extended implicitly to a third forest.
•To create a forest trust, the minimum forest functional level for the forests that are involved in the trust relationship is Windows Server 2003.
Sites Overview - unfinished
Sites in AD DS represent the physical structure, or topology, of your network. AD DS uses network topology information, which is stored in the directory as site, subnet, and site link objects, to build the most efficient replication topology. The replication topology itself consists of the set of connection objects that enable inbound replication from a source domain controller to the destination domain controller that stores the connection object. The Knowledge Consistency Checker (KCC) creates these connection objects automatically on each domain controller.
To enable Universal Group Membership Caching in a Site
1.Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2.In the details pane, right-click the NTDS Site Settings object, and then click Properties.
3.Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.
4.In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group Membership cache must be updated, and then click OK.
Creating a new site and assigning a subnet of with subnet mask of, it means only ONE IP (the DC2 IP) will be included in the site1 subnet coverage. Therefore all requests will be processed by DC1 in the Default-First-Site, and DC2 will authenticate only itself.
Enable Clients to Locate a Domain Controller in the Next Closest Site
You can modify the Default Domain Policy to enable Windows Vista and Windows Server 2003 clients in the domain to locate domain controllers in the next closest site if no domain controller in their own site or the closest site is available.
To enable clients to locate a domain controller in the next closest site
1.Click Start, click Administrative Tools, and then click Group Policy Management.
2.If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3.Double-Click Forest:forest_name, double click Domains, and then double click domain_name.
4.Right-click Default Domain Policy, and then click Edit.
5.In Group Policy Management Editor, in the console tree, go to Computer Configuration/Policies/Administrative Templates/System/Netlogon/DC Locator DNS Records.
6.In the details pane, double click Try Next Closest Site, click Enabled, and then click OK.

Performing Non-authoritative Restore of Active Directory Domain Services
A non-authoritative restore is the method for restoring Active Directory Domain Services from a system state, critical-volumes, or full server backup. A non-authoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller.
You can use a non-authoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a non-authoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use non-authoritative restore unless you have confirmed that the problem is with AD DS.
Note: If your objective is to recover objects that were deleted since the last backup, first perform a non-authoritative restore from backup to reinstate the deleted objects and then perform an authoritative restore to mark deleted objects authoritative so that they are not overwritten during replication. When you are performing both a non-authoritative restore and an authoritative restore, do not allow the domain controller to restart after the non-authoritative restore.
Non-authoritative Restore Requirements
You can perform a non-authoritative restore from backup on a Windows Server 2008 system that is a stand-alone server, member server, or domain controller.
On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in Directory Services Restore Mode (DSRM).
To perform a nonauthoritative restore, you need one of the following types of backup for your backup source:
•System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.
•Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command.
•Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS.
SYSVOL restore
SYSVOL is always restored non-authoritatively during a restore of AD DS. Restoring SYSVOL requires no additional procedures. If you deleted file system policy and have a backup of policy that you created by using Group Policy Management Console, you can recover the policy by using that tool. If you deleted the Default Domain Policy or Default Domain Controllers Policy, you can use Dcgpofix.exe to rebuild the policy.
When you use System Recovery Options in Windows Server Backup to restore a Windows Server 2008 domain controller in an environment that has DFS Replication implemented, the SYSVOL restore is performed nonauthoritatively by default. To perform an authoritative restore of SYSVOL, include the -authsysvol switch in your recovery command, as shown in the following example:
wbadmin start systemstaterecovery -authsysvol
If you use File Replication Service (FRS), the restore operation sets the BURFLAGS registry entries for FRS, which affects all replica sets that are replicated by FRS.
Task Requirements:
•Remote Desktop Connection (optional)
Reference: Authoritative Restore

.ADMX and .ADML File Structure
In order to support the multilingual display of policy settings, the ADMX file structure must be broken into two types of files:
•A language-neutral file, .admx, describing the structure of the categories and Administrative template policy settings displayed in the Group Policy Management Console (GPMC) or Local Group Policy Editor.
•A set of language-dependent files, .adml, providing the localized portions displayed in the GPMC or Local Group Policy Editor. Each .adml file represents a single language you wish to support.
Language-neutral file (.admx) structure
The language-neutral file, .admx, determines the number and type of policy settings and their location by category in the GPMC or the Local Group Policy Editor display. The .admx file is divided into seven main sections.
•The XML declaration that is required in order to validate as an XML-based file.
•The policyDefinitions Element, which contains all other elements for an .admx file.
•The policyNamespaces Element, which defines the unique namespace for this .admx file. The policyNamespaces element also provides a mapping to external file namespaces if this .admx file will reference category elements defined in a different .admx file.
•The resources Element (.admx) which specifies the requirements for the language-specific resources; the minimum required version of the associated .adml file.
•The supportedOn Element, which specifies references to localized text strings defining the operating systems or applications affected by a specific policy setting.
•The categories Element, which specifies categories under which the policy setting in this .admx file will be displayed in the GPMC or Local Group Policy Editor. If you specify a category name that already exists in a different .admx file, you will create a duplicate node.
•The policies Element, which contains the individual policy setting definitions.

Language resource file (.adml) structure
The language resource files, .adml, provide the language-specific information needed by the language-neutral file. The language-neutral file will then reference specific sections of the language resource file in order for the GPMC or Local Group Policy Editor to display settings in the correct language. The .adml file contains the following main sections:
•The XML declaration, required to validate as an XML-based file.
•The policyDefinitionResources Element, which contains all other elements for an .adml file.
•The resources Element (.adml), which contains a stringTable Element and a presentationTable Element for a specified language. These two elements must be defined in the .adml file in the specific order of stringTable element followed by presentationTable element, as required by the ADMX schema. The parser for the Group Policy tools will give an error if the order of these two is reversed.

What is Administrative Templates Extension? (.adm)
The Administrative Templates Extension is the largest of all available Group Policy extensions and includes more than 700 policy settings for applications and operating system components. These policy settings are applied by modifying the registry on target clients. Administrative Templates policy settings are also referred to as registry-based policy or simply registry policy.
.Adm files are Unicode files which consist of a hierarchy of categories and subcategories that define how the options are displayed through the Group Policy Object Editor and GPMC. They also indicate the registry locations where changes should be made if a particular selection is made, specify any options or restrictions (in values) that are associated with the selection, and, in some cases, indicate a default value to use if a selection is activated. It's important to note that the functionality of .adm files is limited. The only purpose of .adm files is to enable a user interface to configure policy settings. .Adm files do not contain actual policy settings; these are contained in registry.pol files located in the Sysvol on domain controllers.

Active Directory Certificate Services Overview
Active Directory Certificate Services provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.

Features in AD CS
•Certification Authorities. Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.
•Web enrollment : Web enrollment allows users to connect to a CA by means of a Web browser to request certificates and retrieve certificate revocation lists (CRLs).
Installation Requirements
Before installing the Certificate Enrollment Web services, ensure that your environment meets these requirements:
•A host computer as a domain member running Windows Server 2008 R2
•An Active Directory forest with a Windows Server 2008 R2 Schema
•An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003

•Online Responder : The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.
•Network Device Enrollment Service : The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates.
Benefits of AD CS
•Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis.
•Integrated Simple Certificate Enrollment Protocol (SCEP) enrollment services for issuing certificates to network devices such as routers.
•Scalable, high speed revocation status response services combining both CRLs and integrated Online Responder services.

Intermediate Certificate Authorities
An intermediate CA issues certificates only to subordinate CAs.

Enterprise Root Certificate Authorities
The Enterprise Administrator can install Certificate Services to create an enterprise certification authority. Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME, authentication to a secure Web server using Secure Sockets Layer or Transport Layer Security.
•An enterprise CA requires the Active Directory directory service.
•When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. You must be a Domain Admin or be an admin with write access to Active Directory to install an enterprise root CA.
•Certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards.
•The enterprise exit module publishes user certificates and the certificate revocation list to Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains.
An enterprise CA uses certificate types, which are based on a certificate template. The following functionality is possible when you use certificate templates.
•Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the type of certificate they have requested.
•The certificate subject name can be generated automatically from the information in Active Directory or supplied explicitly by the requester.
•The policy module adds a predefined list of certificate extensions to the issued certificates. The extensions are defined by the certificate template. This reduces the amount of information a certification requester has to provide about the certificate and its intended use.
In order to install an Enterprise CA you must have Enterprise Admins permissions, because the Configuration naming context is replicated between domain controllers in the forest (not only the current domain) and is writable for Enterprise Admins (Domain Admins permissions are insufficient).

Re-Enroll All Certificate Holders
This procedure is used when a critical change is made to the certificate template and you want all subjects that hold a certificate that is based on this template to re-enroll as quickly as possible. The next time the subject verifies the version of the certificate against the version of the template on the certificate authority (CA), the subject will re-enroll. Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

Configure Certificate Auto-enrollment
Many certificates can be distributed without the client even being aware that enrollment is taking place. These can include most types of certificates issued to computers and services, as well as many certificates issued to users. To automatically enroll clients for certificates in a domain environment, you must:
•Configure a certificate template with Auto-enroll permissions
•Configure an autoenrollment policy for the domain

To configure auto-enrollment Group Policy for a domain
1.On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management.
2.In the console tree, double-click GPO in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
3. http://technet.microsoft.com/en-us/library/cc731522.aspx

Deploying Certificate Templates
After creating a new certificate template, the next step is to deploy the certificate template so that a certification authority can issue certificates based on it. Deployment includes publishing the certificate template to one or more CAs, defining which security principals have Enroll permissions for the certificate template, and deciding whether to configure auto-enrollment for the certificate template.

Stand-alone certificate authorities
You can install Certificate Services to create a stand-alone certification authority (CA). Stand-alone CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions), and authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
A stand-alone CA has the following characteristics:
•Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy module with your custom policy module.
•When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply all identifying information about themselves and the type of certificate that is wanted in the certificate request. (This does not need to be done when submitting a request to an enterprise CA, since the enterprise user's information is already in Active Directory and the certificate type is described by a certificate template.) The authentication information for requests is obtained from the local computer's Security Accounts Manager database.
•By default, all certificate requests sent to the stand-alone CA are set to Pending until the administrator of the stand-alone CA verifies the identity of the requester and approves the request. This is done for security reasons, because the certificate requester's credentials are not verified by the stand-alone CA.
•Certificate templates are not used.
•No certificates can be issued for logging in to a Windows Server 2003 family using smart card, but other types of certificates can be issued and stored on a smart card.
•The administrator has to explicitly distribute the stand-alone CA's certificate to the domain users' trusted root store, or users must perform that task themselves.
When a stand-alone CA uses Active Directory, it has these additional features:
•If a member of the Domain Administrators group, or an administrator with write access to Active Directory, installs a stand-alone CA, it is automatically added to the Trusted Root Certificate Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.
•If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory.

Online Responder
An Online Responder is a trusted server that receives and responds to individual client requests for information about the status of a certificate. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs. For example:
•Clients that connect to the network remotely and neither need nor have the high-speed connections required to download large CRLs.
•A network needs to handle large peaks in revocation checking activity, such as when large numbers of users log on or send signed email simultaneously.
•An organization needs an efficient means to distribute revocation data for certificates issued from a non-Microsoft certification authority.
•An organization wants to provide only the revocation checking data needed to verify individual certificate status requests, rather than make available information about all revoked or suspended certificates.

Managing Array Members
For each array, one member is defined as the Array Controller; the role of the Array Controller is to help resolve synchronization conflicts and to apply updated revocation configuration information to all Array members. To designate an Array Controller:
1.Open the Online Responder snap-in.
2.In the console tree, click Array Configuration Members.
3.Select the Online Responder that you want to designate as the Array Controller.
4.In the Actions pane, click Set as Array Controller.

Online Certificate Status Protocol
OCSP is one of two common schemes for maintaining the security of a server and other network resources. The other, older method, which OCSP has superseded in some scenarios, is known as Certificate Revocation List.
OCSP overcomes the chief limitation of CRL: the fact that updates must be frequently downloaded to keep the list current at the client end. When a user attempts to access a server, OCSP sends a request for certificate status information. The server sends back a response of "current", "expired", or "unknown". The protocol specifies the syntax for communication between the server (which contains the certificate status) and the client application (which is informed of that status). OCSP allows users with expired certificates a grace period, so they can access servers for a limited time before renewing.
This service is designed to respond to specific certificate validation requests through the Online Certificate Status Protocol (OCSP). Using an online responder, the system relying on PKI does not need to obtain a full CRL and can submit a validation request for a specific certificate. The online responder decodes the validation request and determines whether the certificate is valid. When it determines the status of the requested certificate, it sends back an encrypted response containing the information to the requester. Using online responders is much faster and more efficient than using CRLs. AD CS includes online responders as a new feature in Windows Server 2008 R2.
Reference Certificate Revocation List

Certificate Enrollment Web Service Overview
The Certificate Enrollment Web Service is an Active Directory Certificate Services role service that enables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain. Certificate enrollment over HTTPS enables the following new deployment scenarios:
•Certificate enrollment across forest boundaries to reduce the number of CAs in an enterprise.
•Extranet deployment to issue certificates to mobile workers and business partners.
The Certificate Enrollment Web Service can process enrollment requests for new certificates and for certificate renewal. In both cases, the client computer submits the request to the Web service and the Web service submits the request to the certification authority on behalf of the client computer. For this reason, the Web service account must be trusted for delegation in order to present the client identity to the CA.
Delegation is required for the Certificate Enrollment Web Service account when all of the following are true:
•The CA is not on the same computer as the Certificate Enrollment Web Service.
•Certificate Enrollment Web Service needs to be able to process initial enrollment requests, as opposed to only processing certificate renewal requests.
•The authentication type is set to Windows Integrated Authentication or Client certificate authentication.
Certificate Web enrollment cannot be used with version 3 certificate templates.

Version 3 certificate templates are supported by CAs installed on Windows Server 2008 Enterprise and Datacenter editions. They are also supported by CAs installed on Windows Server 2008 R2 Standard, Enterprise, Datacenter, Foundation and Server Core Editions.

The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate Web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates.

Authority Information Access
The authority information access extension indicates how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data. (The location of CRLs is not specified in this extension; that information is provided by the cRLDistributionPoints extension.) This extension may be included in subject or CA certificates, and it is always non-critical.

Configuring NDES
NDES stores its configuration in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP
To change NDES configuration, edit the NDES registry settings by using Regedit.exe, then restart IIS. If necessary, create the key and value using the names and data types.

Adding attributes to the RODC filtered attribute set
The RODC filtered attribute set is a dynamic set of attributes that is not replicated to any RODCs in the forest. You can configure the RODC filtered attribute set on a schema master that runs Windows Server 2008. When the attributes are prevented from replicating to RODCs, that data cannot be exposed unnecessarily if an RODC is stolen or compromised.
A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request could succeed.
Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest.

Resetting DSRM Administrator Password
1.Click Start, click Run, type ntdsutil, and then click OK.
2.At the Ntdsutil command prompt, type set dsrm password.
3.At the DSRM command prompt, type one of the following lines:
o To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.

o To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.
4.At the DSRM command prompt, type q.
5.At the Ntdsutil command prompt, type q to exit.

Dial-in properties of a user account
You can use this property to set remote access permission to be explicitly allowed, denied, or determined through remote access policies. In all cases, remote access policies are used to authorize the connection attempt. If access is explicitly allowed, remote access policy conditions, user account properties, or profile properties can still deny the connection attempt. The Control access through Remote Access Policy option is only available on user accounts in a Windows 2000 native domain; a Windows Server 2003, Standard Edition domain; a Windows Server 2003, Enterprise Edition domain; or a Windows Server 2003, Datacenter Edition domain.
By default, the Administrator and Guest accounts on a stand-alone server or in a Windows 2000 native domain are set to Control access through Remote Access Policy. In a Windows 2000 mixed domain, they are set to Deny Access. New accounts that are created on a stand-alone server or in a Windows 2000 native domain are set to Control access through Remote Access Policy. New accounts that are created in a Windows 2000 mixed domain are set to Deny Access.

Configure Computers to Forward and Collect Events
We need to do three things:
1.run winrm quickconfig on the source computer (Company 2)
2.run wecutil qc on the collector computer (Company 1)
3.add the computer account of the collector computer to the local Administrators group on the source computer

Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).

1.Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges.
2.On each source computer, type the following at an elevated command prompt: winrm quickconfig
3.On the collector computer, type the following at an elevated command prompt: wecutil qc
4.Add the computer account of the collector computer to the local Administrators group on each of the source computers.
5.The computers are now configured to forward and collect events. Follow the steps in Create a New Subscription to specify the events you want to have forwarded to the collector.

Implement Role-Based Administration
You can use role-based administration to organize CA administrators into separate, predefined CA roles, each with its own set of tasks. Roles are assigned by using each user's security settings. You assign a role to a user by assigning that user the specific security settings that are associated with the role. A user that has one type of permission, such as Manage CA permission, can perform specific CA tasks that a user with another type of permission, such as Issue and Manage Certificates permission, cannot perform.

Prerequisites for Deploying an RODC
Complete the following prerequisites before you deploy an RODC:
•Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available.

Activate non-administrative accounts passwords
To populate the RODC server with non-administrative accounts' passwords, you should configure the administrative accounts to be added to the Domain RODC Password Replication Denied group. The password replication policy is like an access control list. It verifies whether the RODC is permitted to cache a password. When the RODC receives a user or computer logon request, it forwards the request to Password Replication Policy allows RODC to cache a password, the same account can perform subsequent logon in a more efficient manner. For non-administrative passwords, you have to add the administrative accounts to the RODC Password Replication Denied group so that the password cannot be cached. The Password Replication Policy lists the accounts that are permitted to be cached and the accounts that are denied from being cached.

Reference Active Directory Lightweight Directory Service
Quick note: To create an OU within AD LDS, use ADSI Edit
Quick note: Backing up AD LDS instance data with dsdbutil.exe
With the dsdbutil.exe tool, you can create installation media that corresponds only to the AD LDS instance that you want to back up, as opposed to backing up entire volumes that contain the AD LDS instance
To create users in AD LDS, you must first import the optional user classes that are provided with AD LDS into the AD LDS schema. These user classes are provided in importable .ldf files, which you can find in the directory %windir%\adam on the computer where AD LDS is installed.

Create a Replica AD LDS Instance
To create an AD LDS instance and join it to an existing configuration set, use the Active Directory Lightweight Directory Services Setup Wizard to create a replica AD LDS instance.

To create a replica AD LDS instance
1.Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services Setup Wizard.
2.On the Welcome to the AD LDS Setup Wizard page, click Next.
3.On the Setup Options page, click A replica of an existing instance, and click Next.
4.Finish creating the new instance by following the wizard instructions.

Configuring the AD RMS client
The automated scheduled task will not query the AD RMS template distribution each time that this scheduled task runs. Instead, it checks the UpdateFrequency DWORD value registry entry. This registry entry specifies the time interval (in days) after which the client should update its rights policy templates. By default the registry entry is not present on the client computer. To configure an interval other than 30 days, create a registry entry at the following location: HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM\TemplateManagement. In this registry key, you can also configure the updateIfLastUpdatedBeforeTime value, which forces the client computer to update its rights policy templates.
If you plan to use AD RMS with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server and provisioning the server. Specifically, you must perform these procedures:
•Set the Internet Information Services (IIS) useAppPoolCredentials variable to True
•Set the Service Principal Names (SPN) value for the AD RMS service account

Bridgehead Servers
A bridgehead server is the domain controller designated by each site's KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site's other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than between them.
In most cases, the KCC automatically decides which domain controller acts as the bridgehead server. However, you can use AD Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps:
1.In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server.
2.Expand the Servers folder to locate the desired server, right-click it, then choose Properties.
3.From the list labeled Transports available for intersite data transfer, select the protocols for which you want to designate this server as a preferred bridgehead server and then click Add.

Key Archival

You enable key archival on the Recovery Agents tab of the CA Properties in the CA console by selecting the Archive Key option and specifying a key recovery agent. In the Number of recovery agents to use box, select the number of key recovery agent (KRA) certificates you have added to the CA. This ensures that each KRA can be used to recover a private key. If you specify a smaller number than the number of KRA certificates installed, the CA will randomly select that number of KRA certificates from the available total and encrypt the private key using those certificates. This complicates recovery because you then have to figure out which recovery agent certificate was used to encrypt the private key before beginning recovery.

Identify a Key Recovery Agent
A key recovery agent is a person who is authorized to recover a certificate on behalf of an end user. Because the role of key recovery agents can involve sensitive data, only highly trusted individuals should be assigned to this role.
To identify a key recovery agent, you must configure the Key Recovery Agent certificate template to allow the person assigned to this role to enroll for a key recovery agent certificate.

Configure a Certificate Template for Key Archival
The key archival process takes place when a certificate is issued. Therefore, a certificate template must be modified to archive keys before any certificates are issued based on this template.
Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate template in order to protect users from data loss, but it can also be useful when applied to other types of certificates.

Instance 1 is running; otherwise you'd get a different message at the snapshot: create step. (The AD service must be running in order to perform this operation on your virtual server.) Disabling Instance1 makes no sense because you need it, nor does setting the Startup Type for the VSS to Manual.

Account lockout settings deal with logon security, like how many times a wrong password can be entered before an account gets locked out, or after how many minutes a locked-out user can try again. To really restrict access to the User1 account, it has to be disabled by modifying the account options.

Disabling a user account prevents user access to email and Microsoft SharePoint Online data, but retains the user's data. Disabling a user account keeps the user license associated with that account. This is the best option to utilize when a person leaves an organization temporarily.

Demonstration adding a UPN Suffix
To add or modify a UPN Suffix for your forest, open Active Directory Domains and Trusts from the Start menu. Right-click Active Directory Domains and Trusts at the top and open the Properties. From here you can add and remove additional domain UPN suffixes for the forest.

Setting up a Source Initiated Subscription
Source-initiated subscriptions allow you to define a subscription on an event collector computer without defining the event source computers, and then multiple remote event source computers can be set up (using a Group Policy setting) to forward events to the event collector computer. This differs from a collector-initiated subscription because in the collector-initiated subscription model, the event collector must define all the event sources in the event subscriptions.

Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group.
These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes mentioned earlier.

SYSVOL is a collection of folders that contain a copy of the domain's public files, including system policies, logon scripts, and important elements of GPOs.

To perform an unattended install of an AD LDS instance
1.Create a new text file by using any text editor
2.Specify the installation parameters
3.At a command prompt (or in a batch or script file), change to the drive and directory that contains the AD LDS setup files.
4.At the command prompt, type the following command, and then press ENTER: %systemroot%\ADAM\adaminstall.exe /answer:drive:\\.txt

Windows Installer Features
Diagnoses and repairs corrupted applications- An application can query Windows Installer to determine whether an installed application has missing or corrupted files. If any are detected, Windows Installer repairs the application by recopying only those files found to be missing or corrupted.

Backing up GPOs
When you back up a GPO using the Group Policy Management console or the Backup-GPO cmdlet, the links to domains/sites/OUs are not included. The link is indicated in an accompanying gpreport.xml, but it's not in the backup itself. If you restore the backup, then the GPO is not linked to anything.
Microsoft recommends that you do not modify the sysvol structure. This recommendation also applies to backup and restore operations of the sysvol structure. On top of that, the SYSVOL folder only contains the GPT part of a GPO, so it would be an incomplete backup anyway.
The link between a GPO and, for example, an OU is an attribute (gPLink) of the OU, not of the GPO. So, to back up the GPOs, including the links, we have to perform a system state backup.

To issue a pending certificate request:
1.Log on to your root CA by using an account that is a certificate manager.
2.Start the Certification Authority Snap-in
3.In the console tree, expand your root CA, and click Pending Certificates.
4.In the details pane, right-click the pending CA certificate, and click Issue.

Installing AD DS from Media
You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently.

Enabling Active Directory Recycle Bin
After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods:
•Enable-ADOptionalFeature Active Directory module cmdlet

Loopback processing with merge or replace
Setting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied to every user logging on to that computer, instead of (in replace mode) or in addition to (in merge mode) the User Configuration settings of the user. This allows you to ensure that a consistent set of policies is applied to any user logging on to a particular computer, regardless of their location in Active Directory.

Loopback can be set to Not Configured, Enabled, or Disabled. In the Enabled state, loopback can be set to Merge or Replace. In either case the user only receives user-related policy settings.

•Loopback with Replace- In the case of Loopback with Replace, the GPO list for the user is replaced in its entirety by the GPO list that is already obtained for the computer at computer startup (during step 2 in Group Policy processing and precedence). The User Configuration settings from this list are applied to the user.
•Loopback with Merge- In the case of Loopback with Merge, the Group Policy object list is a concatenation. The default list of GPOs for the user object is obtained, as normal, but then the list of GPOs for the computer (obtained during computer startup) is appended to this list. Because the computer's GPOs are processed after the user's GPOs, they have precedence if any of the settings conflict.

adprep /domainprep
Prepares a domain for the introduction of a domain controller that runs Windows Server 2008. You run this command after the forestprep command finishes and after the changes replicate to all the domain controllers in the forest.
Run this command in each domain where you plan to add a domain controller that runs Windows Server 2008. You must run this command on the domain controller that holds the infrastructure operations master role for the domain. You must be a member of the Domain Admins group to run this command.
Notes from Online Expert: Session 1
Server Core
Server Core Installation and Management
A slimmed down version of Windows
Useful for roles like AD, DNS, and DHCP
Installed by choosing Server Core during initial installation
One Way – Can't convert to full installation
Management done from command line
No GUI components available for management
Remote management still a possibility
Reduced attack surface makes it safer and more efficient
Server Core DC
Oclist shows status of roles and functions that can be installed
Ocsetup allows installation and removal of roles and functions
Can not do the following
•Active Directory Certificate Services
Use netsh to set IP addresses
Dcpromo promotes domain controller
Must use answer file for installation
Use answer file from GUI installation
Once installed, server core can be managed from another system
Configure IP Address
Netsh interface ipv4 show interfaces will display your ipv4 settings
The following is required when assigning an IP address through the command prompt
•IP Address
•Index number
•Subnet Mask
Configure DNS
netsh interface ipv4 add dnsserver name=2 address=<DNS server IP> index=1
This is how you can configure DNS through the command prompt
Always test your DNS to make sure it is functioning
Configure DCPROMO Script
Use an unattended answer file for setting up DCPROMO

Also must make sure the proper texts are fulfilled for it to work correctly
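As an added example, not part of the original post, the Server Core steps above (IP address, DNS, role install, unattended dcpromo) run end to end. All addresses, the interface name, the domain and the site name are assumed placeholders. It is written for PowerShell on a Server Core 2008 R2 box; on 2008 RTM Core the netsh, ocsetup, nslookup and dcpromo lines are plain commands that can be pasted into cmd.exe one at a time.

```powershell
# Added example (not from the course notes): configure a Server Core box and
# promote it to an additional DC with an unattended dcpromo answer file.
# Assumed values, replace with your own: interface 'Local Area Connection',
# this server 10.0.0.20/24, gateway 10.0.0.1, existing DC and DNS at 10.0.0.10,
# domain contoso.com, site Default-First-Site-Name.
$nic     = 'Local Area Connection'   # or the Idx number from 'netsh interface ipv4 show interfaces'
$ip      = '10.0.0.20'
$mask    = '255.255.255.0'
$gateway = '10.0.0.1'
$dns     = '10.0.0.10'
$domain  = 'contoso.com'
$answer  = 'C:\dcpromo-unattend.txt'

# 1. Static address: interface, address and mask are the three required values.
netsh interface ipv4 set address "name=$nic" source=static address=$ip mask=$mask gateway=$gateway
# 2. Primary DNS must be a server that already holds the domain's SRV records.
netsh interface ipv4 add dnsserver "name=$nic" address=$dns index=1
netsh interface ipv4 show dnsservers

# 3. Test DNS before promoting: dcpromo finds a DC through this SRV record, so if
#    this lookup fails the promotion fails later with a much less obvious error.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" $dns 2>&1
if (-not ($srv -match 'svr hostname')) { throw "No DC SRV record for $domain via $dns; fix DNS first" }

# 4. Roles on Core are installed with ocsetup (names are case sensitive; oclist shows them).
Start-Process -FilePath 'ocsetup.exe' -ArgumentList 'DNS-Server-Core-Role' -Wait
oclist | Select-String 'DNS-Server-Core-Role'

# 5. Answer file. Password=* makes dcpromo prompt for the domain credential so it is
#    never written to disk; the DSRM password has to be in the file, so the file is
#    removed afterwards whether or not the promotion succeeds.
$dsrm = Read-Host 'Directory Services Restore Mode password'
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$domain
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
UserDomain=$domain
UserName=administrator
Password=*
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $answer -Encoding ASCII

try {
    dcpromo /unattend:$answer
} finally {
    Remove-Item -Path $answer -Force   # clear-text DSRM password must not survive on disk
}
# Check %SystemRoot%\debug\dcpromo.log if the promotion reported a failure; otherwise reboot.
shutdown /r /t 0
```

RebootOnCompletion is set to No on purpose: with Yes the box restarts before the finally block runs and the answer file with the DSRM password stays behind.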
Understanding DNS
Active Directory relies on DNS for finding and advertising services
2008 DNS is dynamic so clients can update their own records
Install with Server Manager or dcpromo
Ocsetup DNS-Server-Core-Role
Manage DNS with DNS Management
Dnscmd can be used as well on Server Core or in scripts
DNS Server Settings
DNS environments can be mixed between Windows and UNIX
Enable BIND secondaries on 2008 DNS
Support dynamic updates
Disabling recursion enhances security
Round robin enables pseudo load balancing
Debug logging allows capturing all DNS packets to a file
DNS Forwarding
Root hints for recursive queries
Beware of servers hosting the root zone
Configure DNS to use forwarders to direct all queries to specific servers
Used for all FQDNs that server is not authoritative for
Conditional forwarders set specific forwarders per FQDN
DNS Zones
DNS Zone Basics
Zones store records associated with domain name
Can also store records for sub domains
Delegate a sub domain to another zone
DNS Zone Types
Primary zones are authoritative for all records in a domain
Secondary zones are read only copies
Stub zones hold SOA and NS records needed to find delegated zones
Forward and Reverse Zones
Forward lookup zones store name to IP address mappings
Internal DNS usually stored in AD
Public DNS can be hosted anywhere
Reverse lookup zones store IP to name mappings
Internal reverse lookup zones on own DNS servers
Reverse lookup for public IPs typically stored with Internet service provider
Stub Zones
Stub zone vs. conditional forwarders
Zone that holds SOA, NS, and A records for a remote domain
Can streamline traffic in large networks
Can assist parent domain in staying up to date with child domain
Stay up to date
Used with AD forests and disjoint name spaces to assist with name resolution
Used instead of conditional forwarding because name servers are updated

Zone Settings
Zones have many settings to keep track of to ensure a healthy DNS server
Resolving IP addresses from names and the information is not current
Aging and scavenging deletes dynamic records that have not been refreshed
Automatically deletes records that have not been refreshed in a certain amount of time
Turn on scavenging on the server as well
TTL sets how long client caches record
Time to live settings are configured globally for zone
Change on a per-record basis as needed
SOA and NS settings can be configured in zone properties
Configure Zone Properties
SOA tab will allow the user to change the default settings within the DNS zone

The general tab will allow a user to configure dynamic updates
Aging and scavenging settings are not configured by default
Enabling Aging and Scavenging
No-Refresh interval
•The time between the most recent refresh of a record time stamp and the moment when the timestamp may be refreshed again.
Refresh Interval
•The time between the earliest moment when a record timestamp can be refreshed and the earliest moment when the record can be scavenged. The refresh interval must be longer than the maximum record refresh period.
This is important for making sure your network isn't cluttered with old and unused records. This is a tool to maintain a lean record system for your DNS.
AD DNS Integration
Zone Delegation
Split up DNS domain zones for better manageability
Delegate responsibility for subdomain of namespace to another server
A subdomain is a child domain of Active Directory DNS Namespace
Contosso.com delegates sales.contosso.com to DNS server for sales department
A delegation is a record inside the parent zone that points to the child domain
Typically done when organization or geographic area has its own staff
Some environments use stub zones for delegation
Zone Transfers
Zone data must be sent from primary to secondary name servers
SOA record specifies refresh interval
Full zone transfers copy the entire zone during every refresh
Incremental zone transfers only copy changed records
DNS Notify notifies servers of changes
Zone transfer settings configured in properties of the zone
Configuring Zone Transfers
By default, Zone Transfers are NOT configured at all
To any server – Least secure, since any server can request the information
Only to servers listed on the Name Servers Tab – Typical configuration
Only to the following servers – if you have a hidden master DNS that is not accessible
Active Directory Integration
Zone data stored in Active Directory
•Application partitions in AD allow storing DNS data separately from other AD data
•Dnscmd can create custom partitions
•Control replication of the DNS zone data
•Set up servers to be single purposed, specialized systems that run AD services
DNS server must also be a DC in order to use AD integrated zone
Allows secure updates so clients can update their own records
AD Zone Replication
Control replication traffic by limiting replications scope of DNS zone
DNS zone data in application partition not replicated to global catalog
How widely replicated
All domain controllers in the domain
Windows 2000 requires this setting
All DNS servers in the forest
Forest root zone is the most important zone inside AD
All DNS servers in the domain
All domain controllers in a specified application directory partition
Zone Replication Scope
Within the properties of the zone, on the General tab, the "Change" button can alter your scope
Notes from Online Expert: Session 2
Domain Name Resolution
WINS – Resolving Single Names
Windows Internet Naming Service used to resolve single names in the past
http://intranet for example
DNS resolution appends local domain suffix first, then other search suffixes
Name passed to WINS if configured
Need a solution as WINS is phased out
Creating records in all domains becomes difficult to manage very quickly
GlobalNames Zone
Special zone created in 2008 DNS
Zone should be AD integrated
Does not support dynamic updates
All AD DNS servers must run 2008
Not all DCs must be 2008, however
Use dnscmd to enable GlobalNames
dnscmd (Server Name) /Config /enableglobalnamessupport 1
Create a zone named GlobalNames
Add CNAME records as necessary
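As an added example, not part of the original post, the dnscmd equivalents of the DNS settings from Session 1 (forwarders, recursion, secure dynamic updates, aging and scavenging, zone transfer restrictions, conditional forwarders and stub zones) and the GlobalNames zone above, with the weak setting shown beside the hardened one. Server, zone and address values are assumed placeholders.

```powershell
# Added example (not from the course notes). Assumed values: this DNS server is
# dc1.contoso.com holding the AD-integrated zone contoso.com, upstream resolvers
# 10.0.0.53 and 10.0.0.54, one authorised secondary at 10.0.1.5, a delegated child
# zone sales.contoso.com served at 10.0.1.53, a partner namespace partner.example
# served at 192.0.2.53, and intranetweb.contoso.com as the GlobalNames target.
$server = 'dc1.contoso.com'
$zone   = 'contoso.com'
$internetFacing = $false   # $true only for an authoritative-only server reachable from outside

# --- Server-wide ---
# Forward everything we are not authoritative for; /slave = never fall back to root hints.
dnscmd $server /resetforwarders 10.0.0.53 10.0.0.54 /slave
# Recursion off turns the box into a pure authoritative server (no cache to poison,
# no open-resolver abuse). Never do this on the server your clients resolve through.
if ($internetFacing) { dnscmd $server /config /norecursion 1 } else { dnscmd $server /config /norecursion 0 }
dnscmd $server /config /bindsecondaries 0        # 1 only if an old BIND secondary pulls from us
dnscmd $server /config /scavenginginterval 168   # hours; scavenging must be on at the server too

# --- Zone: AD-integrated, secure dynamic updates, aging (skip /zoneadd if dcpromo created it) ---
dnscmd $server /zoneadd $zone /dsprimary /dp /domain
# /allowupdate 1 lets any host overwrite any record (a rogue client can hijack 'fileserver');
# 2 = secure only, which requires an AD-integrated zone.
dnscmd $server /config $zone /allowupdate 2
dnscmd $server /config $zone /aging 1
dnscmd $server /config $zone /norefreshinterval 168   # 7 days: timestamp cannot be refreshed sooner
dnscmd $server /config $zone /refreshinterval 168     # 7 days: must exceed the longest client refresh period

# --- Zone transfers ---
# Weak, answers AXFR from anyone and hands out the whole internal host list:
#   dnscmd $server /zoneresetsecondaries $zone /nonsecure /notify
# Hardened: an explicit secondary list, and notify only those hosts.
dnscmd $server /zoneresetsecondaries $zone /securelist 10.0.1.5 /notifylist 10.0.1.5

# --- Other namespaces ---
dnscmd $server /zoneadd partner.example /forwarder 192.0.2.53   # conditional forwarder
dnscmd $server /zoneadd sales.contoso.com /dsstub 10.0.1.53      # AD-stored stub zone, follows child NS changes

# --- GlobalNames: single-label names without WINS; forest-wide, CNAME records only ---
dnscmd $server /config /enableglobalnamessupport 1
dnscmd $server /zoneadd GlobalNames /dsprimary /dp /forest
dnscmd $server /recordadd GlobalNames intranet CNAME intranetweb.contoso.com.

# --- Checks ---
function Test-ZoneTransfer {
    param([string]$ZoneName, [string]$DnsServer)
    # The same AXFR request an attacker sends; 'Query refused' means the transfer ACL holds.
    $out = "ls -d $ZoneName" | nslookup - $DnsServer 2>&1
    return (@($out | Where-Object { $_ -match 'refused' }).Count -gt 0)
}
dnscmd $server /zoneinfo $zone
if (Test-ZoneTransfer -ZoneName $zone -DnsServer $server) { 'AXFR refused from this host: good' }
else { Write-Warning "AXFR succeeded from $env:COMPUTERNAME; rerun from a host that is not a listed secondary" }
nslookup intranet $server   # resolves through the GlobalNames zone
```

Run the zone transfer test from an ordinary workstation, not from the secondary itself, or the positive result proves nothing.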
Active Directory Infrastructure
Active Directory Infrastructure Review
Domains, trees, and forests
Domains act as an administrative boundary in Active Directory
Subdivide with organizational Units
Trees made up of domains and children
Forests consist of one or more domain trees
Many networks consist of one domain, one tree, and one forest
Operations Masters
Active Directory is a multi master model
Object changes can be made at any DC
Certain functions must be restricted to a single server
Flexible Single Master Operation roles control forest and domain critical tasks
Certain changes cannot be accomplished if FSMO is offline
Protects AD from conflicts
FSMO Roles
Two forest-wide roles
Schema Master holds AD schema
Domain Naming Master manages domain names through forest
Three roles exist in each domain
Infrastructure Master maintains relationships between objects
RID Master assigns IDs to objects
PDC Emulator acts as Domain Master Browser and main source for time synchronization in domain

Role Placement
Many roles can be shared on a server
First server installed in forest contains all five roles
First server installed in a child domain contains all three domain roles
Infrastructure Master should not reside on a global catalog server
Not the case in a single domain network
RID Master and PDC Emulator should be on the same server if possible
Transferring Roles
Transfer roles for optimum placement or before demoting a server
Seizing roles can be done if current role holder is no longer available
Take care when bringing the domain controller (DC) back online if a role it hosted was seized
RID Masters and Schema Masters should never be brought back online if role is seized
Active Directory Users and Computers
Active Directory Domains and Trusts
Active Directory Schema
Transferring Domain Roles
netdom query fsmo
This command will allow you to locate where your FSMOs are located
Transferring the PDC, RID, and Infrastructure roles can be done within the AD Users and Computers interface under Administrative Tools
The first step is to right-click your domain > select Operations Masters
This interface will display the three Operations Masters and also allow you to change their locations within your domain controllers
Manage Schema Master
By default the Active Directory Schema interface will NOT be accessible, even if you have it running on your system
In order to interface with the Schema Master, you first go into your command prompt and register the snap-in with the following command
regsvr32 c:\windows\system32\schmmgmt.dll
From this point on the AD Schema snap-in will appear within the MMC
This process is fairly quick within the GUI interface of MMC, however it might take additional time to actually implement
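As an added example, not part of the original post: locating the five FSMO roles, checking the Infrastructure Master placement rule, and transferring or seizing roles with the Active Directory module (Windows Server 2008 R2), which does the same job as the ntdsutil/MMC steps above. The DC names are assumed placeholders.

```powershell
# Added example (not from the course notes). Assumes the ActiveDirectory module
# (2008 R2) and a target DC dc2.contoso.com in a forest whose root is contoso.com.
Import-Module ActiveDirectory
$target = 'dc2.contoso.com'

# Where are the roles now? Same answer as 'netdom query fsmo'.
$domain = Get-ADDomain
$forest = Get-ADForest
"Schema Master:        $($forest.SchemaMaster)"
"Domain Naming Master: $($forest.DomainNamingMaster)"
"PDC Emulator:         $($domain.PDCEmulator)"
"RID Master:           $($domain.RIDMaster)"
"Infrastructure:       $($domain.InfrastructureMaster)"

# Placement rule from the notes: the Infrastructure Master must not sit on a global
# catalog unless every DC is a GC or the forest has a single domain.
$infra = Get-ADDomainController -Identity $domain.InfrastructureMaster
if ($infra.IsGlobalCatalog -and $forest.Domains.Count -gt 1) {
    Write-Warning "$($infra.HostName) is a GC and Infrastructure Master in a multi-domain forest; move the role"
}

# Graceful transfer: the current holder is online and replicates the change out.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Seizure: only when the holder is permanently gone. -Force tries a transfer first
# and seizes if the holder does not answer. After seizing RID, Schema or Domain
# Naming Master the old holder must never be reconnected; rebuild it instead.
$seize = $false
if ($seize) {
    Move-ADDirectoryServerOperationMasterRole -Identity $target -Force -Confirm:$false `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
}

# Register the schema snap-in for the MMC (same command as in the notes) and verify.
regsvr32 /s "$env:SystemRoot\System32\schmmgmt.dll"
netdom query fsmo
```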
Active Directory Migration
AD Functional Levels
Domain functional level dictates what features are available in the domain
Windows 2000 Native
Windows Server 2003
Windows Server 2008
Determines minimum operating system (OS) for domain controller (DC)
Forest functional level dictates minimum domain functional level
Windows Server 2003 added many new features
Windows Server 2008 adds no new features

2008 Domain Functionality
Distributed File System Replication can now be used for SYSVOL replication
Replaced File Replication Service
AES 128 and 256 support for Kerberos
Last Interactive Logon Information
Records time and workstation last successful logon was made
Number of unsuccessful logon attempts
Fine-grained security policies
Forest Functional Levels
All domains must be this level or above
Windows 2000 – Usually by default
Windows Server 2003
Many new features, such as domain rename, forests trusts, etc
Windows Server 2008
No new features over 2003
Once raised to 2008 level, no DCs below 2008 can be introduced
Raising Functionality
Active Directory Users and Computers used to raise domain functional level
Active Directory Domains and Trusts used to raise forest functional level
Raising functional level restricts OS of new domain controllers
Does not restrict OS of member servers
Can have mixed functional levels between domains
May need to decommission some DCs
Remove Active Directory
Remove single domain controller
Transfer any FSMO roles held
Remove global catalog after confirming there is another in the domain
Wait for child objects to be deleted from AD Sites and Services
Delete server object from site
Remove last domain controller in a domain
Removes domain from forest
Decommissioning Server 2003
DCPROMO and decommission with the wizard
Raising Domain Functionality
The interface needed in order to raise the domain functional level is Active Directory Users and Computers
However, the forest functional level is raised within AD Domains and Trusts
Active Directory Sites
Understanding Active Directory Sites
Define physical structure of network
Group of well-connected computers based on IP subnets
AD traffic is mostly contained in site
Clients find logon server in site
Subnet objects mirror physical subnets
One site can have multiple subnets
Servers are associated with site based on their subnet

Site Links
Connect sites for AD replication
Based on TCP/IP or SMTP replication traffic
May assign DC as preferred bridgehead
Sites are added to site link objects
Multiple sites can be in one site link
Site links are transitive
KCC – knowledge consistency checker
Multiple Site Benefits
Set replication parameters for site link
Adding New AD Sites
You can add new AD sites within the Active Directory Sites and Services
Without a specified subnet, the domain controller decides at random which site to connect to
Subnets limit replication traffic between domain controllers within a site
Managing IP Site Links
By default, replication takes place within the default site link every 180 minutes
Active Directory Replication
Understanding Replication
Domain fully replicated to all DCs
Replication within a site is continual
Intersite replication occurs on schedule
SYSVOL is part of replication as well
Mixed domains use FRS (File Replication Service) to replicate
New Windows Server 2008 domains use DFS-R
Solves previous problems
More efficient
Upgraded domains migrate to DFS-R
Manual migration
dfsmig.exe migrates through various states, ending in full DFS-R
Configuring AD Replication
dfsrmig /getglobalstate
This will state the current DFS-R migration state
The different states are as follows
0 – Start
1 - Prepared
2 – Redirected
3 – Eliminated
NOTE : Look up DFSR command within the server

Global Catalog Server
Global Catalog
DC role that caches partial replica of all partitions and objects
Used during logon process for universal group membership information
May become large and busy
Used by applications to locate items in the forest
Searching for printers using AD
First DC in a forest is GC (global catalog) by default
Other global catalog servers must be designated
Global Catalog Location
Small environments may need only one
Two is best for fault tolerance and load balancing
Larger environments require more
One GC per site if it has more than 50 users
Evaluate network traffic when placing global catalog servers
Replication traffic versus authentication and lookup traffic
Universal Group Membership Caching
GCs store universal group membership
DCs need to query a GC for membership
Benefits to setting up universal group membership caching
Speeds logon time for sites without GC
Reduces replication traffic associated with global catalogs
Must be enabled at site level
All domain controllers in site will cache universal group membership
Notes from Online Expert: Session 3
Active Directory Trusts
Trust Concept
Trusts allow users on one domain to be authenticated by a DC in another domain
Can access resources if granted permissions
Forests have automatic transitive trusts
If forest A trusts forest B, and forest B trusts C, then A automatically trusts C
Resource access can be used forest wide, if permissions are granted
Parent and child domain
Between trees in forest
Managed with AD Domains and Trusts
Forest Trusts
Trust established between forest root domains in separate forests
One way or two way trust
Transitive trust between the forests and their children domains
Transitivity does not extend beyond the two forests, however
Establishing Forest Trusts
A Stub zone is needed to establish name resolution between two AD forests
Trust Direction
In order to create a Forest Trust, you need to access the Administrative Tool AD Domains and Trusts
Within this interface, open the properties, Trusts tab > New Trust
Trust Settings
You can configure the following Forest Trusts in the following configurations
•One way: Incoming
•One way: Outgoing
Verifying Trust Configuration
Remote into the desired server with your AD trust, and verify the information that you configured within the Global Catalog/Stub Zone and AD Domains and Trusts
You can remote into the other machine with the Run command and mstsc
Other Trust Types
Shortcut trusts
Transitive one or two way trust between domains in a forest
Speeds authentication in large network
External Trusts are one or two way nontransitive trusts
Can be established between individual domains when forest trust not wanted
Can be used with NT 4 domains
Trust Security
Selective authentication allows control of which users can use a trust to which computer
On the computers within the domains, administrator will give the permissions
Forest-wide authentication allows all
Security Identifier (SID) is a unique number that identifies a user within an AD
Elevation of privilege attack

Read-Only Domain Controllers
RODC Basics
Offers better availability and security for remote or branch offices
Implements one way replication of AD
Only certain attributes are replicated
Passwords are not replicated by default
Redirection to writeable DC, if needed
Read-only DNS also enabled if DNS server role installed on RODC
Clients attempting to update their records will be directed to writeable DNS
Installing an RODC
Need at least one writeable 2008 DC in the domain that will house RODC
Must prepare domain schema
Adprep /rodcprep
Staged installation gives most flexibility
Admin creates RODC account in AD and delegates installation to user or group
Dcpromo /UseExistingAccount:Attach
Computer to become RODC cannot already be a domain member
Creating RODC Account
Creating a security group that has permission to install the RODC is the first step in pre-staging an RODC account for a domain
The DNS name a user assigns to the RODC computer must be the same as the computer's original name
DNS Server and Global Catalog are additional features that are offered when pre-creating an RODC
Password Replication Policy
Specifies which users' passwords the RODC is allowed to cache
Attribute of the Read-Only Domain Controller account in AD
By default, accounts in allowed RODC Password Replication group are cached
Leave this group empty for security
Decreased initial connection speed
Add branch users for balance
Add all users for ease of management
If server is stolen or compromised, only need to reset cached accounts
Configuring Password Replication Policy
Resultant Policy displays information on whether or not specific users are allowed password caching
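As an added example, not part of the original post: configuring the Password Replication Policy for one RODC, listing which secrets it actually holds, and the "server stolen" response the notes describe (reset only the cached accounts). The RODC name and the branch group are assumed placeholders; the cmdlets are from the Active Directory module in Windows Server 2008 R2.

```powershell
# Added example (not from the course notes). Assumes the ActiveDirectory module
# (2008 R2), an RODC named BRANCH-RODC1 and a group 'Branch Users' holding the
# accounts that log on at that site.
Import-Module ActiveDirectory
$rodc = 'BRANCH-RODC1'

# Baseline: the built-in allow group stays empty; the deny group keeps Domain Admins,
# DCs and other privileged accounts from ever being cached on any RODC.
"Allowed group members: " + @(Get-ADGroupMember 'Allowed RODC Password Replication Group').Count
Get-ADGroupMember 'Denied RODC Password Replication Group' | Select-Object -ExpandProperty Name

# Allow only the branch users on this RODC. The PRP is an attribute of the RODC
# account, so a second RODC gets its own list.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch Users'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed

# Exposure right now: accounts whose password hashes are physically on the RODC.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass

# Incident response when the RODC is stolen or compromised: make the cached
# hashes worthless by resetting exactly the revealed user accounts, then delete
# the RODC computer account so it can no longer replicate.
function Reset-RevealedAccounts {
    param([string]$Rodc)
    Add-Type -AssemblyName System.Web
    $accounts = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    foreach ($acct in $accounts) {
        if ($acct.ObjectClass -eq 'user') {
            $new = [System.Web.Security.Membership]::GeneratePassword(20, 4)
            Set-ADAccountPassword -Identity $acct -Reset `
                -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
            Set-ADUser -Identity $acct -ChangePasswordAtLogon $true
            "Reset $($acct.Name)"
        } elseif ($acct.ObjectClass -eq 'computer') {
            # Machine accounts: reset from the member itself (Reset-ComputerMachinePassword)
            # or rejoin it; the RODC's own account is handled by deleting it below.
            "Machine account $($acct.Name) needs a rejoin or machine password reset"
        }
    }
}
$stolen = $false
if ($stolen) {
    Reset-RevealedAccounts -Rodc $rodc
    Remove-ADComputer -Identity $rodc -Confirm:$false
}
```

Deleting the RODC account in Active Directory Users and Computers offers the same "reset all passwords for user accounts that were cached" option; the function above is the scripted equivalent, and the generated passwords are never logged.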
RODC Security
By default RODC is already secure
Does not store sensitive AD information
BitLocker can encrypt an entire volume
OS will not boot if environment changed
SYSKEY can encrypt just AD
Requires password or key media to boot
Protects AD against offline attacks

Active Directory Accounts
Types of Users
Local user accounts
Exist in the account database of a local workstation or member server
Only have access to local resources
Domain user accounts
Exist in the Active Directory database
Grant access to resources on any system that trusts Active Directory
Computers are joined to Active Directory to enable this account trust
User Account Management
Entails processes to provision and deprovision user accounts
Disabling user accounts preferred over deletion of user accounts
Enable and rename when position is filled
Organizational units allow arrangement of users for administrative purposes
Contacts are AD objects that point to an external email address
User Account Control
Windows Server 2008 implements User Account Control
Standard users will be prompted for administrator credentials for certain tasks
Administrators will be prompted for approval for certain tasks
These are known as protected administrator accounts
Computer Accounts
Windows clients are joined to a domain
Creates an account in the domain for the computer to log on to
Password on account is managed by the Active Directory
Changed every 30 days to ensure security
Once joined, computer trusts accounts that exist in AD
Enables single sign on capabilities
Computer password may get out of sync with domain
Reset the computer account
Using UAC
You can find UAC within the Control Panel > User Accounts
Vista is quite limited with UAC options, which were refined in Win7
Active Directory Groups
Organize users as a single unit to allow easier administration
File server has 50 shares and 100 users added to network
Grant share permissions to groups
Add users to necessary groups
Can nest groups to achieve better management, if necessary
AGDLP – Account, Global, Domain, Local, Permissions
Group Types and Scope
Domain from which objects can be added
Domain in which permissions are valid
Computer local
Scope limited to computer from which it was created
Users and global groups can be members

Domain Local Groups
Users, Global groups, and universal groups
Domain local groups from same domain
Member of
Other domain locals in same domain
Apply to resources in their own domain
Global and Universal Groups
Users and global groups from same domain
Member of
Other groups anywhere in the forest
Apply to resources anywhere in the forest
Users, global, and universal groups from any domain in the forest
Member of
Other groups anywhere in the forest
Apply to resources anywhere in the forest
Using a high number of universal groups can decrease replication speed
Active Directory Delegation
Understanding Delegation
Delegation of Control Wizard
Provides interface to delegate most common tasks in AD
View delegations through Security tab
Reset default permissions on OU
Delegate management of groups
Manager can add and remove members
Delegate ability to install RODC
User or group also becomes local admin
Delegating OU Management

Automating Active Directory
Directory service command line tools
dsadd user "CN=aaron,CN=Users,DC=contosso,DC=COM" -upn aaron@contosso.com -pwd <Password>
Can also add groups, computers, etc
Dsmod modifies AD objects
Dsrm removes AD objects
Use in scripts and batch files to mass create or change users
Understanding DS Tools

Automating Active Directory
Csvde can import and export data from Active Directory with CSV files
Can create Exchange mailboxes as well
Cannot add passwords
Cannot edit existing accounts
Ldifde can export, import, modify, and delete Active Directory data
More difficult, but more powerful than csvde
Line separated values rather than CSV
Start with an export to understand the file format csvde expects
Header row specifies fields
Limit export container with –d switch
Edit exported CSV file in Excel
Make any changes necessary, removing unnecessary columns
Import the resulting CSV file back into Active Directory to bulk create accounts
csvde -i -f import.csv
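As an added example, not part of the original post: the bulk-create workflow above carried through, including the part csvde cannot do (it sets no passwords, so the accounts are created disabled and finished with dsmod). The OU, the domain spelling from the notes and the two-row CSV are constructed placeholders.

```powershell
# Added example (not from the course notes): bulk-create users with csvde, then
# use dsmod for what csvde cannot do (set a password and enable the account).
# Assumed values: OU=Staff in DC=contosso,DC=com (spelling as in the notes) and a
# constructed two-row CSV written to C:\Temp.
$ou  = 'OU=Staff,DC=contosso,DC=com'
$csv = 'C:\Temp\newusers.csv'
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null

# Constructed input. userAccountControl 514 = normal account + disabled. csvde
# cannot set passwords, and an enabled account with a blank password is rejected
# by the domain password policy, so create disabled and enable after dsmod.
@"
DN,objectClass,sAMAccountName,userPrincipalName,displayName,userAccountControl
"CN=Aaron Smith,$ou",user,aaron,aaron@contosso.com,Aaron Smith,514
"CN=Beth Jones,$ou",user,beth,beth@contosso.com,Beth Jones,514
"@ | Set-Content -Path $csv -Encoding ASCII

# Export first to learn the column format csvde expects (-d limits the container,
# -r filters, -l picks the attributes so the file is not hundreds of columns wide).
csvde -f C:\Temp\export.csv -d $ou -r "(objectClass=user)" -l "DN,objectClass,sAMAccountName,userPrincipalName"

# Import. -k keeps going past 'object already exists' errors on a re-run.
csvde -i -f $csv -k

function New-InitialPassword {
    # 16 random characters from a set that is unambiguous and safe to pass on a command line.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!$%*'
    -join (1..16 | ForEach-Object { $chars[(Get-Random -Maximum $chars.Length)] })
}

# Finish each account: one-time password, must change at first logon, then enable.
Import-Csv -Path $csv | ForEach-Object {
    $initial = New-InitialPassword
    dsmod user $_.DN -pwd $initial -mustchpwd yes -disabled no
    "$($_.sAMAccountName): created, initial password handed over out of band"   # never log $initial
}

# Verification: every new account should report 'disabled: no'.
dsquery user $ou -name 'Aaron*' | dsget user -disabled
dsquery user $ou -name 'Beth*'  | dsget user -disabled
```

The same CSV can be reused for ldifde only after converting it to LDIF; ldifde is the tool to reach for when existing accounts must be modified, since csvde import is create-only.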
Active Directory Templates
Template Accounts
Disabled user accounts with settings configured as needed
Group memberships, home folders, office addresses, etc.
When a user is needed that matches the template, copy the template
Change the items that are unique
Confirm new account is not disabled
Create multiple templates as needed

Creating Template Accounts
You can create a template like you would any new Object – User
A common practice is to prefix the name with a punctuation mark of some sort to elevate the template to the top of the user list so it's easily accessible
Notes from Online Expert: Session 4
Group Policy
Implementing a Group Policy
Allows administrator to control domain settings and desktops through AD
Group Policy can be powerful or lax
Enforce standards and configurations, set group membership, install software
Policy objects are split into user and computer settings
Windows Server 2008 introduces Group Policy preferences
Settings that a user can change
Applying Group Policies
GPOs are linked to various areas in AD
Site level affects everyone in the site
Can cross domain boundaries
Domain level GPO applies to all users
OU GPO applies to users in that OU
Multiple GPOs linked to OU prioritized
GPO from parent OUs applied as well
Group Policy Modeling can help understand how GPO will be applied
Configuring Group Policy
The GPOs are located within the root domain folder
Inheritance is the term used to describe the hierarchy of applying GP
Tweaking Policy Application
Security filtering designates objects that policy applies to
If a user does not match the filter, they don’t get that policy applied to them
Organizational units can be set to block inheritance, essentially creating a clean GPO
GPO higher in hierarchy can be set as enforced, which overrides the block
Enforcing a GPO also overrides policies that would supersede it via inheritance
Modifying Inheritance
Windows Management Instrumentation (WMI) filters can be applied to GPO
Specify criteria in which that target must match before GPO is applied to it
Check OS version, free disk space, etc.
GPO can be created that is targeted specifically at computers or users
Inside GPO, disable portions that do not apply
Can disable the entire GPO, if necessary
Group Policy Loopback
Special policy applied to a computer
Users logging on to this computer have user policy applied differently
User policy is evaluated as if the user was in the same OU as the computer
Merge mode applies user policy based on the user object first, then applies user policy based on the computer object
Replace mode only applies user policy based on the computer object's location
Editing GPOs
Preferences are suggestions that can be configured by the user
Policies are policies that are enforced and cannot be changed by the user

Verifying GPO Inheritance
Within the Group Policy Modeling interface, certain information is displayed
Winning GPO
Computer Configuration and User Configuration summaries
Managing Group Policy
Administrative Templates
Majority of policies deal with registry changes that will be made to systems
Registry entries to change are described in ADMX files
They are called ADMX files now because they are XML files
ADML files allow language localization
XML-based so they are easier to create
Create custom administrative templates for settings not offered otherwise
Programs may provide administrative templates for GPO configuration
ADMX Central Store
Previously all templates stored with GPO itself
Created issues due to replication latency and size of templates themselves
Create central store for ADMX files to ensure consistency
Create folder called PolicyDefinitions
Copy files from Vista or 2008
Managing ADMX Central Store
By placing ADMX files in SYSVOL the administrator ensures that they will be replicated to all domain controllers
Maintaining Group Policy
Group Policy Highlights
Moving beyond controlling settings
Windows security options
User rights assignments and security options can be controlled
Restricted groups can be managed
Security templates can be used for quick configuration
Scripts can be deployed
Startup, shutdown, logon, and logoff
Folder redirection can be configured
Starter Group Policies
Problem in past was not being able to create baseline policies with ease
Group Policies were domain-specific
Act as the starting point for creation of other Group Policy Objects (GPO)
Only administrative template settings
Designate a Starter GPO when creating a full GPO to be applied in the domain
Starter GPOs can be saved as a cabinet (CAB) file loaded in other domains
No longer have to back up and import GPO in another domain
Administering Group Policy
Back up and restore Group Policy Objects (GPOs) through Group Policy Management
Good way to keep versions of GPOs
Restoring overwrites existing GPO
Be sure to secure folder for backups
Delegate management of GPO
Create GPOs
Link GPO to a domain or organizational unit
Create starter policies
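As an added example, not part of the original post, the Group Policy mechanics described in this session and in Session 3 (loopback in replace mode, enforced links, blocked inheritance, and backup/restore with a locked-down backup folder) as a script using the GroupPolicy module from Windows Server 2008 R2. The GPO name, OUs, domain and share path are assumed placeholders.

```powershell
# Added example (not from the course notes). Assumes the GroupPolicy module
# (2008 R2 GPMC), domain contoso.com with OUs 'Kiosks' and 'Servers', and a
# backup share \\dc1\GPOBackups$.
Import-Module GroupPolicy
$kioskOU  = 'OU=Kiosks,DC=contoso,DC=com'
$serverOU = 'OU=Servers,DC=contoso,DC=com'
$backup   = '\\dc1\GPOBackups$'
$name     = 'Kiosk Lockdown'

# --- Loopback GPO ---
# UserPolicyMode 2 = Replace: users logging on to a kiosk get only the user settings
# of GPOs that apply to the computer. 1 = Merge: both sets, computer's GPOs win.
$gpo = New-GPO -Name $name -Comment 'Loopback (replace) for shared kiosks'
Set-GPRegistryValue -Name $name -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
# A user-side setting that will now hit every kiosk user regardless of their OU:
Set-GPRegistryValue -Name $name -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# --- Links and inheritance ---
# Enforced link: a 'block inheritance' set lower down cannot switch the lockdown off.
New-GPLink -Name $name -Target $kioskOU -Enforced Yes | Out-Null
# Servers: block inheritance so domain-level user GPOs never land there; an enforced
# GPO linked above this OU would still apply, which is the point of Enforced.
Set-GPInheritance -Target $serverOU -IsBlocked Yes | Out-Null

# --- Backup ---
# Backup-GPO stores the GPO content only; the gPLink attribute lives on the OU, which is
# why the notes say links need a system state backup.
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Backup-GPO -All -Path $backup -Comment ("Scheduled " + (Get-Date -Format s)) | Out-Null
# Lock the folder: backups contain every script, registry value and security setting.
icacls $backup /inheritance:r /grant:r 'CONTOSO\Domain Admins:(OI)(CI)F' 'SYSTEM:(OI)(CI)F'

# --- Restore and verification ---
# Restore overwrites the live GPO with the most recent backup of that name.
Restore-GPO -Name $name -Path $backup | Out-Null
Get-GPOReport -Name $name -ReportType Html -Path 'C:\Temp\kiosk-lockdown.html'
# Winning GPO per setting for a real user on a real kiosk (same data as Group Policy Modeling):
Get-GPResultantSetOfPolicy -Computer 'kiosk01' -User 'CONTOSO\aaron' -ReportType Html -Path 'C:\Temp\kiosk01-rsop.html'
```

Linking the loopback GPO to the Kiosks OU means only computers in that OU ever read UserPolicyMode; the NoRun setting in the same GPO is what loopback carries to every user who logs on to those machines.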
Auditing with Group Policy
Auditing tracks different events
Logon, account management, etc.
Need to decide what to audit
Which categories should be enabled
Success and/or failure of actions
Be selective so auditing is not overwhelming
Auditing of object access also requires enabling auditing in the file system
Same goes for auditing directory access
Configuring GPO Auditing
Within GP Management, each domain and OU has a Delegation tab that allows a user to create GPOs
Audit logon events process audits the physical at a specified workstation
Auditing Directory Service Access
Once a user has turned on auditing capabilities, they can find the auditing process within the Auditing tab of the Advanced Security properties of a user or computer
Software Management Policies
Group Policy can provide basic application management
Assigning a program to a user places an icon on the desktop and start menu
Application is installed upon first use
Publishing a program for a user adds it to the programs and features control panel
Assigning a program to a computer automatically installs it for all users
Software Lifecycle Maintenance
Redeploying software can be forced
May be used to install a service pack
Upgrading software can be done as well
Assign or publish new version
Select managed program it upgrades
Software removal can be optional or forced
Forced is removed at next boot or logon
Optional simply lists the program in programs and Features to be removed
Creating an MSI Package
The MSI file must be located in a shared location
Most often a network share

Account Policies
Account Policy Components
Password policies dictate requirements for passwords throughout the domain
Maximum password age
Maximum password length
Account lockout policies set values for entire domain
Number of logon attempts before the account is locked
Length of time the account is locked
Configuring Default Account Policies
You must apply and set your security settings within your domain controller
Fine-grained Security Policies
AD only allowed one password and lockout policy per domain
Password filter or multiple domains
Windows Server 2008 allows configuration of different password and lockout policies
Applied to groups or individual users
Policy applied directly to user wins
Policies applied to groups are evaluated, based on precedence
Default domain policy used otherwise
Password Settings Objects
PSOs are stored as AD objects
Use ADSI Edit to manage them
Only domain admins can create PSOs
Domain functional level must be Windows Server 2008
Create the Password Settings Container in the system container
Create a new object with a class of msDS-PasswordSettings
Define policy settings in this object
Add distinguished names of users or groups
Creating PSOs
Start > Run > adsiedit.msc
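As an added example, not part of the original post: the same Password Settings Objects created with the Active Directory module (Windows Server 2008 R2) instead of ADSI Edit, with the functional-level check the notes call out and a resultant-policy lookup to confirm which PSO a user actually receives. The group and user names are assumed placeholders.

```powershell
# Added example (not from the course notes). Assumes the ActiveDirectory module
# (2008 R2), groups 'Domain Admins' and 'Service Accounts', and a user 'aaron'.
Import-Module ActiveDirectory

# PSOs need the 2008 domain functional level; creating one needs Domain Admins.
$domain = Get-ADDomain
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ($domain.DomainMode -lt $required) {
    throw "Domain functional level is $($domain.DomainMode); fine-grained policies need Windows Server 2008"
}

# Admins: stricter than the Default Domain Policy. Lower precedence number wins
# when an account ends up in several PSO-linked groups.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# Service accounts: long, rarely rotated secret, but lockout still on so a password
# spray against them is noticed instead of silently succeeding.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 20 `
    -ComplexityEnabled $true -MinPasswordLength 25 -PasswordHistoryCount 5 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'Service Accounts'

# Resultant policy: a PSO linked directly to the user wins, then the lowest-precedence
# group PSO, otherwise the Default Domain Policy (returned here as $null).
function Get-EffectivePolicyName {
    param([string]$User)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) { return "$($pso.Name) (precedence $($pso.Precedence))" }
    return 'Default Domain Policy'
}
"aaron: " + (Get-EffectivePolicyName -User 'aaron')

# The objects the notes describe in ADSI Edit live here:
Get-ADObject -SearchBase "CN=Password Settings Container,CN=System,$($domain.DistinguishedName)" `
    -Filter { objectClass -eq 'msDS-PasswordSettings' } | Select-Object Name
```

Precedence only breaks ties between group-linked PSOs; if an admin account is also in 'Service Accounts' it still gets PSO-Admins because 10 is lower than 20.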
Server Virtualization
Hypervisor solution to virtualize servers
Runs below the operating system
64-bit versions of Windows Server 2008
Better use of underutilized hardware
Use other redundancy solutions so there is not a single point of failure
Virtual Servers are portable
Drives are actually flat files stored on the system or a SAN (Storage area network)
Virtualization Roles
Certain roles are better suited to run as a virtual server
RODC in a branch can be virtualized for better use of hardware resources
Active Directory Certificate Services
Store on external hard drive that can be locked in a safe
Core infrastructure roles
Nice to run on separate servers without expense on physical hardware

Using Hyper-V
A connection bar at the top of the screen in server manager is used to show that a
Hyper-V Server is running below the OS
Notes from Online Expert: Session 5
Lightweight Directory Services
Understanding LDS
Previously known as ADAM
Active Directory Application Mode
LDAP directory without the operating system components of Active Directory
Store application configuration information, such as ISA 2006
Store user accounts for DMZ
Synchronize accounts from AD
Perfect role for Server Core
Working with AD LDS
Install AD LDS just like any other role
Define instance with setup wizard
Define administrative user
Import LDIF files for default objects
Manage data with standard AD tools
ADSI Edit to work with data
AD Schema for the LDAP schema
AD sites and Services to configure replication for AD LDS data
Ldp.exe for advanced management
Create AD LDS Instance
The purpose of Application Directory Partition is to store application specific data
Connecting to AD LDS
The application used to connect to AD LDS and work with the data involved is ADSIEDIT.msc
The type of information needed to connect to AD LDS is the following
Port Number
Distinguished name or naming context
Upgrade ADAM to AD LDS
Upgrade server running Windows Server 2003 R2 with an ADAM instance
During upgrade, ADAM is converted to AD LDS
Full replication functionality is maintained between ADAM and AD LDS
Upgrade configuration partition
Import ms-ADAM-Upgrade-1.ldf into upgraded AD LDS instance using ldifde
Rights Management Services
Understanding RMS
Protect and control the use of information created by users
Opening, printing, forwarding, and more
Role meant to be run as a cluster
Single server deployments can use the Windows Internal Database
Larger deployments need SQL Server
How it Works
Series of certificates authorize server and users of the service
Certificate authorize users to publish rights protected content
Certificates state allowed uses of content
Certificates are granted to consumers of protected material to allow decryption
Establish trust policies between RMS clusters to allow interoperability
Installing AD RMS
By default the Identity Federation Support role is not installed
Dsa.msc will open Active Directory Users and Computers
AD RMS Cluster Properties
The types of cluster key storage that are available within AD RMS Installation are
CSP Key storage
AD RMS centrally managed key storage
Managing AD RMS
Documents can be shared in an extranet with remote users
Configure an external URL they connect with to download certificates
Super users group allows members to decrypt all rights protected content
Disabled by default and should only be enabled as needed
Decommission AD RMS properly
All content will be decrypted
Extranet URL
By default Extranet is not utilized
Federation Services
Microsoft implementation of Web Services Federation
Web Services Federation
WS-* represents all of the Web Services
Allows sharing Web Applications with trusted partner organization
Does not require a Windows trust
Works over the Internet
Interoperable with other WS-F implementations
Federation Components
Resource partner has Web application to be accessed
Account partner has the accounts that need access to the application
Claims represent credentials passing from account to resource partner
WS-F PRP protocol used to send claims
Web Services Federation Passive Requestor Profile
Claims are mapped to security principals by the partners
Certificates used extensively
Web Applications
ADFS Web Agents translate incoming claims into organization claims
Claims passed to Federation Server
Claims-aware applications
ASP.NET applications that understand WS-F claims
Windows NT token-based applications
Traditional Web application written for standard Windows authentication types
Installing AD FS
Refer to AD FS Lab from class

Configuring AD FS
Resource Partner
Contains Web applications to be shared
AD groups created to represent partner
Permissions granted to this group
Account store added to link AD
Organization claim created to represent this group
Incoming claim created to map to organization claim
Partner must use this same claim name
Account Partner
Contains users who will be granted permissions to Web application
Certificate used to sign claims must be exported from account partner
Import certificate on resource partner
Add account store and link to Active Directory to extract users and groups
Organization claim mapped to group
Outgoing claim created to match incoming claim at resource partner
Creating Account Partner
The types of information needed to create a new account partner are the following
Display name
Federation Service URI
Federation Service endpoint URL
Map Incoming Claim
In order for a claim to be mapped, the following attributes must be used
Each side uses the same name
The claim name is case sensitive
Certificate Services
Public Key Certificates
Active Directory Certificate Services
Manage public key certificates
Cannot be installed on Server Core
Certification authority and Web enrollment in Standard and above
Online responder and network device enrollment service in Enterprise
Decide between enterprise or stand-alone and root or subordinate CA
Stand-Alone CA
Stand-alone CA stores its certificates locally
Administrator must monitor and approve or deny certificate requests
Enterprise CA is integrated with AD
Automatic certificate approval
Set up certain certificates for auto enrollment
Able to publish certificates to AD
Required for user account certificates, such as smart card logon
Can mix both in PKI for flexibility

Root or Subordinate
Root CA is top of hierarchy
Self-signed certificate validating itself
Authorizes subordinate CAs
All trust flows from here
Subordinate CAs typically organized by type of certificates they issue
Internal Enterprise CA
Subordinate CA
Known as intermediate CA if it authorizes other subordinate CAs
Issues end-user certificates
Installing AD CA
AD Certificate Services is installed as a Role
CA Types
You can't change the name and domain settings after the CA has been installed
Make sure you have the proper settings you need for the CA
PKI Hierarchy
Might need Extra Windows Server 2008 for best results
Implement an offline root certification authority (CA)
Most organizations set up a stand-alone CA
Hyper-V is a very good candidate for a virtual server
Store the offline CA on an external USB drive that can be locked up
Publish root certificate in Active Directory so all domain computers trust it
Use enterprise subordinate CAs for issuing certificates
Administering CAs
Managing CA
Assign permissions to proper groups
Permissions to manage certification authority (CA) or just to issue and manage certificates
Further restrict certificate managers to templates they are allowed to manage
Back up CA from in the CA console
Must be CA Administrator or member of Backup Operators group
Restore CA from same location
Disaster Recovery Plan
Certificate Templates
Enterprise CA uses certificate templates
Permissions specify who can enroll using a particular template
Manage templates via Certification Authority console
Version designates OS version required
Version 1 can be issued by Windows 2000 and above
Version 2 requires Windows Server 2003 Enterprise and above
Versions 3 requires Windows Server 2008 as CA and 2008 or Vista client

Certificate Enrollment
User Certificate
Use Certificates MMC for requests
Can use Web-based enrollment as well
Needed for stand-alone CA and external users
Autoenrollment creates certificates for users and computers in AD
Requires an Enterprise CA
Template must allow autoenrollment
Add certificate template to CA
Configure autoenrollment Group Policy
Device Enrollment
Network Device Enrollment Service
Allows devices to enroll for certificates
Forwards request to internal CA
Smart card enrollment issues keys for smart card logon to Windows
Add appropriate templates to CA
Create enrollment agent to enroll on behalf of other users
Control enrollment agents by setting up enrollment agent restrictions
Notes from Online Expert: Session 6
Public Key Archival
Key Archival
Certificates are used for EFS
User keys are used to encrypt and decrypt files as needed
Keys can be archived for recovery
Configure EFS templates for key archival
Designate a user as a recovery agent
Recovery agent must enroll for recovery agent certificate
Add recovery agent template in CA properties
Key recovery
Admin can recover certificate details
Find serial number to certificate to recover in CA console
certutil -getkey <certificate serial number> outputblob
Key recovery then uses the blob file to recover the private key
certutil -recoverkey outputblob <name>.pfx
PFX can now be imported on original computer by user or administrator
Preparing Key Archival / Recovering Private Keys
When copying and pasting the certificate serial number from the GUI to the command prompt, the user must remove the extra spaces
The spaces are only there because of how the serial number is displayed within the GUI

Certification Revocation
Certificate Authority
Certificate revocation list maintains list of all revoked certificates from CA
Client need to be able to check CRL
Download from CRL distribution point
Online Responder checks status of individual certificates
Only available in Enterprise Edition
Can be run in network load balancing cluster for high availability
Online Responder Configuration
Prepare online certificate status protocol (OCSP) certificate template
Set security to allow computers running Online Responder to enroll
Configure authority information access (AIA) extensions on CA
Extensions tab in CA Properties
Configure Online Responder
Assign CA and signing certificate
Assign CRL location
Revoking Certificates

Then continue on to specify reason for Certification Revocation

OCSP Certificates
When configuring a CA template for use, if you want your CA to be able to function,
you need to make sure it has the following privileges…
You can also configure your CA as part of a group to manage a specific group
Go back to properties > Extensions Tab
Select the AIA extension then give it a location to find for an Online Responder
Once finished with your configuration, you must restart your Server machine
Add the computer that will be hosting the Online Responder to the Securities tab
Grant the host computer read and enroll privileges
Configuring Online Responder
Begin with add Revocation Configuration to begin the setup wizard for an Online
AD Maintenance
Performing Maintenance
Stop and start AD for maintenance
Stop all dependent services as well
Most common maintenance task is defragmenting Active Directory
Ntdsutil used to accomplish this
Designate temporary folder for defragmentation to use
Move compacted files back to original location
Back up system before this process
Series of commands to use
Activate instance ntds
Compact to
Can also type information in file maintenance area for current database information
Defragmenting AD
Select the AD Services then use the sub menu to stop the service and its dependencies
You are now ready to defrag your machine
A temporary database location must be created before files are compacted and actual
Defragmentation can occur
Database Maintenance
Choose locations carefully during promotions of domain controller
Can split database and log files for better performance
Be sure there is enough room to grow
Move database and log files to new locations, if running low
Can also move AD LDS instances
Moving Files
Series of commands to use
Activate instance ntds
Move db to
Move logs to
Perform full system backup after this so restores do not reset the location
Moving AD Database

Monitoring Performance
AD Performance Monitoring
Task Manager offers a look at performance of programs and resource usage
Resource Monitor offers information on four big performance categories
Performance Monitor shows live data related to performance of systems
Active Directory Diagnostic Data Collector Sets gathers key AD performance
Reliability Monitor
Reliability Monitor allows checks on the historical stability of the system
Based on several factors, such as software installs and different failures
Task Manager
System Idle Process is the process that generally uses the greatest portion of CPU
Reliability and Performance Monitor
System Data Collector Sets
The following are predefined by Microsoft
LAN Diagnostic
System Diagnostic
Active Directory Diagnostic
System Performance
Monitoring Network Activity
This utility has to be downloaded from Microsoft's Web Site
Network monitor shows traffic on the wire for the system it runs on
Focus on traffic between domain controllers to narrow in on a problem
Download latest version from Microsoft
Repadmin command line tool for viewing and working with AD replication
Replsummary checks replication status
Syncall forces replication with partners of specified domain controller
Diagnostic Tools
Event Viewer
Event Viewer has been reworked
Initial view provides quick summary
Several new logs can assist in understanding server issues
Custom views can contain events of interest
Event subscriptions allow centralizing event log entries
Create notifications for certain events
Using Event Viewer
The following are displayed in the Summary of Admin Events window
The following logs are contained in the Windows Log Folder
Forwarded events
Creating Event Tasks
Certain actions are available for attachment to an event task, such as the following
Start a program
Send an e-mail
Display a Message
By default, Forwarded Events are created for subscription events
Collector initiated
This computer contacts the selected source computers and provides the subscription
Source computer Initiated
Source computers in the selected groups must be configured through a policy
Or local configuration to contact this computer and receive the subscription
Event Viewer Custom Views
Event Viewer custom views have been pre-configured to display system events
Related to Server roles
Allocating Resources
Windows System Resource Manager
Controls memory and CPU utilization for different processes on the system
Default policies provide guidance
Equal per process
Equal per user
Equal per session
Can use calendar rules to schedule different resource policies
Set up WSRM to profile performance
Backing Up
Data Recovery Options
Windows Server Backup
Install feature from Server Manager
Must be a member of Administrators or Backup Operators
Back up full system, OS volumes, or non-OS volumes
Backups can be stored locally, on an external drive, or on a remote share
Tape drives are not supported
Schedule backups to run regularly
Restoring Data
Several options to restore data
Files and folders
Applications that support VSS
Entire volume
Entire operating system
System recovery is launched from Windows Server 2008 DVD
Command-Line Backup
Wbadmin can be used for more power
Back up to removable media
Back up to the system state separately from the volume
Launch restore process
Very easy to incorporate into scripts
Also several PowerShell cmdlets are included that can be used
Backup Schedule
Scheduled backups through the GUI can only be saved to a local drive
Active Directory Recovery
Recovery Types
Two different types of recovery
Non-authoritative means restoring the system state and rebooting the system
Normal replication processes take over and bring the DC up-to-date
Authoritative restore means certain objects will become the master objects
After restore, use ntdsutil to mark objects as authoritative
Used to recover accidental deletion
Object Recovery
Recover deleted objects using tombstone reanimation
Tombstone lifetime defaults to 180 days
Deleted objects have attributes stripped
Active Directory (AD) data mining tool
Use dsamain.exe to mount snapshots
Use Lightweight Directory Access Protocol (LDAP) tools to search snapshots
Adrestore from Sysinternals can automate the process
Add attributes back to object
AD Snapshots
Ntdsutil > Snapshot > Create >
- This will display all Snapshots for your AD
Recover AD
Boot into Directory Services Restore Mode from F8 boot menu
Log on as administrator with Directory Services Restore Mode (DSRM) password
Password set during domain controller (DC) promotion
Change DSRM password with ntdsutil
Set dsrm password
Reset password on server null (or specify remote server)


Recommended Links:
Edited by TheReciever - 9/15/13 at 8:45pm
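The notes above on fine-grained password policies state the resolution order in three lines: a PSO linked directly to the user wins, otherwise group-linked PSOs are evaluated by precedence, otherwise the Default Domain Policy applies. The following Python is an added example (not from this thread or any Microsoft tool) that models that resolution order so you can see which policy an account actually ends up with and audit for accounts that fall below a baseline. All PSOs, users, groups and DNs are constructed sample data; the tie-break on lowest objectGUID among equal-precedence PSOs is the documented AD DS behaviour.

```python
"""Resultant PSO resolution, modelled after the Windows Server 2008 rules.

Added example with constructed sample data; it does not talk to a directory.
Rules modelled:
  1. PSOs linked directly to the user beat any PSO linked through a group.
  2. Among competing PSOs the lowest msDS-PasswordSettingsPrecedence wins.
  3. Equal precedence is broken by the lowest objectGUID.
  4. With no applicable PSO the Default Domain Policy applies.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional
from uuid import UUID


@dataclass(frozen=True)
class PSO:
    """One msDS-PasswordSettings object (constructed sample, not real directory data)."""
    name: str
    guid: UUID                  # objectGUID; the lowest value breaks precedence ties
    precedence: int             # msDS-PasswordSettingsPrecedence; the lower value wins
    applies_to: FrozenSet[str]  # msDS-PSOAppliesTo: DNs of users or global groups
    min_length: int             # msDS-MinimumPasswordLength
    lockout_threshold: int      # msDS-LockoutThreshold (0 = never lock out)


def _winner(candidates: List[PSO]) -> PSO:
    # Lower precedence number wins; ties go to the lower objectGUID.
    return min(candidates, key=lambda p: (p.precedence, p.guid.int))


def resultant_pso(user_dn: str, member_of: FrozenSet[str],
                  psos: Iterable[PSO]) -> Optional[PSO]:
    """Return the PSO that applies to the user, or None for the Default Domain Policy."""
    psos = list(psos)
    direct = [p for p in psos if user_dn in p.applies_to]
    if direct:                                   # rule 1: direct link wins outright
        return _winner(direct)
    via_group = [p for p in psos if p.applies_to & member_of]
    if via_group:                                # rules 2 and 3: precedence, then GUID
        return _winner(via_group)
    return None                                  # rule 4: fall back to domain policy


# ---- constructed sample directory -------------------------------------------
BASE = "DC=corp,DC=example"
DOMAIN_ADMINS = f"CN=Domain Admins,CN=Users,{BASE}"
HELPDESK = f"CN=Helpdesk,OU=Groups,{BASE}"
SVC_BACKUP = f"CN=svc-backup,OU=Service,{BASE}"

SAMPLE_PSOS = [
    PSO("PSO-Admins",          UUID(int=0x10), 10, frozenset({DOMAIN_ADMINS}), 15, 3),
    PSO("PSO-Helpdesk",        UUID(int=0x20), 20, frozenset({HELPDESK}),      10, 5),
    PSO("PSO-Helpdesk-Legacy", UUID(int=0x30), 20, frozenset({HELPDESK}),       8, 10),
    # Linked directly to the service account; its high precedence number would
    # lose under the group rule, which is exactly what the direct-link rule overrides.
    PSO("PSO-ServiceAccounts", UUID(int=0x40), 50, frozenset({SVC_BACKUP}),    25, 0),
]

SAMPLE_USERS: Dict[str, FrozenSet[str]] = {
    f"CN=alice,OU=Staff,{BASE}": frozenset({DOMAIN_ADMINS, HELPDESK}),
    SVC_BACKUP:                  frozenset({DOMAIN_ADMINS}),
    f"CN=bob,OU=Staff,{BASE}":   frozenset({HELPDESK}),
    f"CN=carol,OU=Staff,{BASE}": frozenset(),
}

# Values mirror the Windows Server 2008 Default Domain Policy defaults.
DEFAULT_DOMAIN_POLICY = {"name": "Default Domain Policy",
                         "min_length": 7, "lockout_threshold": 0}


def effective_policy(user_dn: str, member_of: FrozenSet[str],
                     psos: Iterable[PSO] = SAMPLE_PSOS) -> Dict:
    """Flatten the resultant PSO (or the domain policy) into the settings that matter."""
    pso = resultant_pso(user_dn, member_of, psos)
    if pso is None:
        return dict(DEFAULT_DOMAIN_POLICY)
    return {"name": pso.name, "min_length": pso.min_length,
            "lockout_threshold": pso.lockout_threshold}


def accounts_below_baseline(users: Dict[str, FrozenSet[str]], psos: Iterable[PSO],
                            min_length: int) -> List[str]:
    """Audit helper: DNs whose effective minimum password length is below a baseline."""
    psos = list(psos)
    return sorted(u for u, groups in users.items()
                  if effective_policy(u, groups, psos)["min_length"] < min_length)


if __name__ == "__main__":
    for user, groups in SAMPLE_USERS.items():
        print(f"{user:45} -> {effective_policy(user, groups)['name']}")
    print("below 12 chars:", accounts_below_baseline(SAMPLE_USERS, SAMPLE_PSOS, 12))
```

Run it stand-alone and alice resolves to PSO-Admins (precedence 10 beats 20), svc-backup to PSO-ServiceAccounts despite its precedence of 50 (direct link), bob to PSO-Helpdesk over PSO-Helpdesk-Legacy (equal precedence, lower GUID), and carol to the Default Domain Policy. The audit helper is the defender's reason to model this: accounts that silently inherit the weaker domain defaults are the ones to find before an attacker does.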
post #2 of 184
Thread Starter 
Windows Operating System

Windows 7:

Notable Links:



MCSA: Windows 7, Configuring 70-680
Compilation of Notes
Notes from Online Expert: Session 1
Why Windows 7?
Windows 7 offers a lot of features that the industry has been waiting for, for a long time.
Why did Microsoft create it?
What would interest users?
It is the launching pad for several newer technologies
Focus on 64-bit computing
Still supports 32-bit
It will be the first OS deployed on a large scale that provides 64-bit
Server 2008 R2 only runs in 64-bit mode
Backward compatibility through XP Mode
Runs applications that would not work on Vista
Advanced remote networking features
Allows users from multiple locations to connect to a corporate network without
initiating a VPN (virtual private network)
When the computer comes online a secure connection is made for it
Enhanced user interface experience
New features that are different from Windows XP and similar to Windows Vista
These features help improve efficiency
Enhanced encryption solutions
Provides entire drive encryption
Includes USB flash drive encryption
Vista Pain Repairs
Vista had a lot of problems that caused IT professionals to resist using it in their environment
Hardware compatibility
Many new hardware devices were incompatible with Vista
Software compatibility
Many problems solved with XP mode in Windows 7
Most environments have upgraded to systems that handle Windows 7 better
Less overhead and shorter boot time with Windows 7
70-680 Exam
Focuses on the installation and configuration of Windows 7 systems
Installation is addressed from different perspectives
Single installs
Small business rollouts
Enterprise rollouts
Configuration tasks focus on the complete system
Networking, Hardware, Software, Security, Mobility

A prerequisite to the MCITP (Microsoft Certified Information Technology Professional)
The MCTS (Microsoft Certified Technology Specialist) certification is acquired from exam 70-680
70-680 Objectives
Installing, upgrading, and migrating to Windows 7
Deploying Windows 7
Configuring hardware and application
Configuring network connectivity
Configuring access to resources
Configuring mobile computing
Monitoring and maintaining systems
Configuring backup and recovery
Windows 7 Network

Installation Methods
Previous Installation Methods
Before, in the older days, you had to replace your hardware in order to replace the OS
Current Boot Practices
Boot Manager allowed for easy multi boot abilities
Current Installation Methods
Network Share
Windows Deployment services

Sole Operating System
One large partition or volume
Multiple partitions or volumes are possible
Can still partition the disk into multiple volumes
Uses the Windows 7 Boot Manager
Dual Booting
Before implementing a dual boot configuration, always consider virtualization
There is a business application that is not compatible
Dual booting is good for graphic intensive applications like games
To dual boot effectively, follow best practices
Install each operating system on its own volume
Cannot be installed on the same partition anymore
Install the operating systems in order of their release
Ensure that each operating system is updated as needed
Windows Vista and 7 have a volume shrinking feature in Disk Management tool
used for a later dual boot after installation
Would need a third party application for Windows XP
Using a VHD to dual boot will remove the requirement of unique partitions
Using bcdedit
Command Prompt > Run as administrator
bcdedit /default <identifier of the system>
Can highlight information in Command Prompt with the mouse, then press Enter to
save it to the clipboard; right click to paste
Deleting Database Entries
Upgrade Methods
Upgrade Considerations
Cannot upgrade from any operating system, other than Windows Vista, to Windows 7
Can migrate from an earlier OS
An upgrade from Vista to 7 keeps all documents, applications, and settings
Will also keep any misconfigurations
The Windows 7 Upgrade Advisor can be used to locate potential problems
Before upgrading from Vista
Perform a full backup
Ensure that SP1 is installed
Ensure architecture compatibility
Installing the Advisor
Shield will display a need to elevate the privileges because changes in registry will be made
Running the Advisor
Starting the application will start the Wizard for the Advisor program
Will show results for 32-bit and 64-bit
Anytime Upgrade
Windows Anytime Upgrade allows an upgrade from one Windows 7 edition to another
in the same architecture (x86 or x64)
Cannot change from one architecture to another
Possible to upgrade to a higher edition but cannot upgrade to a lower edition
Anytime Upgrades include

Starter to Home Premium
Home Premium to Professional
Home Premium to Ultimate
Anytime upgrade is not available if running Home Basic
Home Basic is for emerging markets only
Clean Installation Planning
Hardware Requirements
Windows 7 Starter and Home Basic

All other editions

Booting from a USB Drive
Many small form factor computers (netbooks) do not have a CD or DVD drive
USB Flash drives can be used to boot these machines
Must be 4 GB or larger to hold the WIM images
Drive must be formatted as FAT32
USB flash drives can also be used for standard computers
More easily update a USB installation media than a DVD
Create a Bootable USB Drive
Command Prompt > Run as Administrator > diskpart > list disk
select disk <disk number>
Any commands from this point will be applied to the designated disk
clean – this will wipe the partitions
create partition primary
format fs=fat32 quick (for a quick format with FAT32 allocation)
active – mark the partition as active (bootable) on said drive
Then you put the files needed to install Win7, then configure BIOS to boot from said drive

Preparing a Network Share
A network share can be used to store the installation
Copy the contents of the Windows 7 DVD to the Network share
Boot from a Windows PE disc
Connect to the network share
Run SETUP.EXE to begin the installation
May need to create a custom Windows PE Disc
A network share can be centrally updated
The Windows PE disc may need to be updated periodically for new NICs
Preparing WDS
WDS (Windows Deployment Services) can be used to install Windows 7
Requires AD DS
Requires at least one Windows Server 2008 server
WDS is a role that is added to the Windows Server 2008 server
The clients use PXE compliant NICs to boot from the WDS server
With a WDS server, the install.wim file is imported into the server instead of copying all
the DVD files
Performing a Clean Install
Clean Install Process
Insert the DVD
Power on the system
Choose to boot from the DVD drive
Process through the installation
Install Windows 7
Choose language, currency format and time, keyboard or input method
Then begin process
Migrating Windows
Migrating Options
Manual backup and restore
WET (Windows Easy Transfer)
Supports migrating from Windows XP or Vista
Can use network storage or the live network
USMT (User State Migration Tool) 4.0
Comes along with the Windows Automated Installation Kit
Upgrade to Vista first
Upgrade from Windows XP to Vista first without losing settings
A wipe-and-load migration involves four or five steps
First, the user state data is backed up
Second, the partition is wiped
Third, Windows 7 is installed
Fourth, the applications are reinstalled
Fifth, the user state data is restored
A side by side migration is easier
First, the Windows 7 machine is installed
Second, all applications are installed
Third, the user state data is migrated from the other machine

Can also perform a side by side migration within a single computer
The old OS is on one volume and the Windows 7 OS is on another
Boot from a Windows PE disc and run Scanstate against the old OS
Boot into Windows 7 and run LoadState
Previous Versions
Migrating from Windows 2000
Upgrade to Windows XP and then migrate
Manual backup and restore
Migrating from Windows 9x
Use the Windows XP migration tools to migrate the machine to Windows XP
Migrate from XP to Windows 7
Windows Easy Transfer
Start > All Programs > Accessories > System Tools > Windows Easy Transfer > Run in
Practice the Virtual labs to get a better understanding of this program
Migrating from XP
You would want to install the programs you wish to migrate the settings from in your
previous OS
Image-Based Deployment
The History of Imaging
First there was Ghost
Windows 3.X and DOS deployments
Symantec purchased Ghost software
Many followed
True image
Microsoft developed their own solution
WIM (Windows Imaging) Format
First available with Vista
WIM Files
WIM (Windows Imaging) files are used to store Microsoft system images
WIM files are file based images instead of sector based
Can be deployed to any size volume that meets the minimum requirements
Can be easily modified
WIM files are created and manipulated with several tools
Deployment Workbench
Manual Image Deployment
Manual deployments use Windows PE disks just like automated deployments
Boot from the Windows PE disk that contains the WIM file for installation
The WIM is expanded to the target partition and the partition is made active (bootable)
The boot manager is configured to boot from the active partition

Automated Image Deployment
WDS (Windows Deployment Services)
Requires an AD environment
Works with PXE-compliant client
Can perform multicasting for optimized multiclient deployments
Windows PE with Unattend.xml or AutoUnattend.xml
Both may be created with the Deployment Workbench
The Deployment Workbench is part of the Microsoft Deployment Toolkit
Microsoft Deployment Toolkit
Search for Microsoft Deployment Toolkit 2010 on the Microsoft website
Be sure to deploy the correct bit version of Windows (x64 or x86)
Installing MDT 2010
The installation goes fairly quickly, as it is about 10MB in size
It will download additional content as needed which will be much larger in size
The Deployment Workbench
It is included with a lot of documentation relating to MDT, go over this content to
familiarize yourself with the tool kit
Capturing System Images
Creating a Deployment Share
Start > Search MDT
Importing an OS Image
Operating System > Right Click > Import OS
Customizing the Share
Notes from Online Expert: Session 2
Manipulating Tools
Deployment Tools
Start > All programs > Microsoft Windows AIK > Deployment Tools Command Prompt
Run as administrator
ImageX > Enter > then view the different commands that are available to you.
DISM tool
Start > All programs > Microsoft Windows AIK > Deployment Tool Command Prompt
> type dism > enter (review commands)
To mount you must enter something along the lines of this command
dism /Mount-Wim /WimFile:<path to image>\install.wim /Index:1 /MountDir:<mount folder>
Make sure that the desired path exists, otherwise this command will end in error
Mounted Image Directory
Image Application Management
dism /Image:c:\myimage /Get-Apps
Image Driver Management
dism /Image:c:\myimage /Get-Drivers
Adding Drivers to Images
This command will tell the command line to insert a large number of provided
drivers of which you have preloaded
Image Update Management
Then also direct to the desired patch you wish to update
Advanced Imaging Techniques
WinSIM tool
Start > All Programs > Microsoft Windows AIK > Windows System Image Manager
Creating an Answer File
VHD File
Boot from VHD
The Windows 7 Boot manager now supports booting from a VHD file
Only the Enterprise and Ultimate editions support VHD boot
DiskPart and Disk Management can be used to create and work with a VHD file
Booting from a VHD requires the Windows 7 boot environment
A local standard install of Windows 7 is performed first
The local install enables the Windows Boot Manager and the BCD
(Boot Configuration Data)
Working with a VHD
Several tools and utilities can be used
Disk Management

Creating a VHD Disk Management
Disk Management > Right click and notice your available commands
Working with Device Drivers
Device Drivers
Device drivers are just software applications
Device drivers run in the kernel mode of the Windows 7 operating system
Signed Device Drivers
Signed using certificates issued by trusted sources
sigverif.exe can be used to verify certificates
By default, only administrators can install device drivers
UAC (User Account Control) prompts will appear if running as a nonadministrator
Updating Device Drivers
Dynamic update
Works during installation of Windows 7
Windows Update
Works after installation
Manufacturer Web sites
Requires manual interaction
Device Manager
The old way but still a stable method
Compatibility report
Works during an upgrade
Using Device Manager to Update Drivers
Right click on Computer > Manage > Device Manager
This will display all of the hardware that you have drivers attached to
Right click and select driver software
Search automatically will search the internet
Manually, this will allow you to browse your files to the driver
Disable or Uninstall Drivers
Disabling a driver will allow you to see if that device was causing the issue
Driver store is a secure location, not accessed directly by anyone
Advanced Options
Driver Certification Verification
This program will verify all the device drivers on your system are signed by Windows
Hardware Compatibility
Windows 7 Hardware Compatibility
Windows 7 is more compatible with common hardware devices
Windows 7 can use Vista drivers
Microsoft has provided incentives to hardware vendors
Windows XP is expiring and hardware vendors expect rapid adoption of Windows 7
Windows 7 still uses plug and play, which was first introduced in Windows 95

Driver Install Process

Installing Vista Drivers
Right click Computer > Manage > Device Manager
Troubleshoot Compatibility
Verify Driver Installation
Find the device you installed is recognized by your system
Devices and Printers
A new interface where you can manage peripherals
Device Stage
A custom interface within Devices and Printers that is built specifically for the device
Internet Explorer 8
Compatibility View
gpedit.msc > run as administrator
Security Settings
Security Zones
Tools > Internet Options > Security (Zones)
Local Intranet
Trusted Sites
Restricted Sites

Add-ons and Provider Management
Tools > Manage Add-ons
From here you can work with many different extensions for IE8
InPrivate Filtering
Safety > Inprivate filtering
All this does is turn this option on
InPrivate Mode
Right click IE > Start InPrivate Browsing
A ticket that Verisign issues to a website
This will also show the time span that it is authorized for
Understanding Application Compatibility
Application Compatibility
Windows 7 introduces new features to assist with application compatibility
Troubleshoot compatibility menu option
The ACT (Application Compatibility Toolkit) is updated to support Windows 7
Must be downloaded from Microsoft
Agents must be deployed to network clients
The internal database connects with Microsofts database
The internal database is a SQL server database
Know what it can do
Take a look at this toolset
Compatibility Properties
Right click a non Microsoft application > Properties > Compatibility Tab
Compatibility Wizard
Right click program > Select Compatibility Troubleshooting
Windows XP Mode
Free to download from Microsoft.com
Installation is a rather simple wizard
16-Bit Example
Microsoft does not support 16-bit applications on a 64-bit OS, but a 32-bit system can
Windows XP Mode Applications
Start > Windows Virtual PC > Windows XP Mode applications
This folder will hold your Virtual PC XP applications
This will also load as if it will be locally
Using Application Restrictions
Application Restrictions
Allow administrators to prevent users from running certain programs
They provide several benefits
Consistent environment with easier troubleshooting
Prevention of spyware and other malware attacks
Users are more productive when they cannot run nonbusiness applications
Application restrictions come in two forms
Software restriction policies
Do not apply to Windows 7 Enterprise and Ultimate
Application control policies (AppLocker)
Works only on Enterprise and Ultimate editions of Windows 7
More powerful than software restrictions
Software Restriction Policy
Start > All Programs > Administrative Tools > Local Security Policy > Software
Restriction Policies
Within Software Restriction Policies > Application Control Policies > AppLocker
Understanding IP v4 and IP v6
Networking in Windows 7
The Network Stack
Network Discovery
Will locate different devices on network
Link Local Multicast Name Resolution
IP v4
IP v6
Dual Stack
It has been common to run more than one networking protocol
More management overhead
IP v4 Addressing
IP v4 address identifies a computer to other computers and devices on a network
MAC addresses would be used if IP v4 was not implemented
Each device that is connected to the same network must have a unique IP v4 address
Subnet Masks

Default Gateway
The default gateway is the router that connects one network segment to another
All devices that require communications outside of the local network segment must
know the default gateway
The default gateway is not used for communications within the segment
A windows machine may act as a router
Most environments use dedicated hardware routers

Public vs. Private Addressing
Public addresses
used by devices connected directly to the Internet
Are unique
Can be routed on the internet
Are assigned by IANA
Private Addresses
Cannot be routed on the internet
Are locally assigned using DHCP or static configurations
Must use NAT or PAT for Internet communications
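The Subnet Masks, Default Gateway and Public vs. Private notes above all come down to one operation: AND the address with the mask and compare network IDs. This is an added example (not code from the thread or from the course it summarizes) that does that in PowerShell; every address in it is a constructed sample, and the function names are this example's own.

```powershell
# Added example, not from the thread or the course it summarizes: the subnet
# arithmetic behind the Subnet Masks, Default Gateway and Public vs. Private notes.
# Every address used below is a constructed sample value.

function Get-IPv4Bytes {
    param([Parameter(Mandatory=$true)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $Address"
    }
    return ,$ip.GetAddressBytes()   # leading comma keeps the 4-byte array intact
}

function Test-ValidSubnetMask {
    # A mask is a run of 1 bits followed by a run of 0 bits, e.g. 255.255.240.0.
    param([Parameter(Mandatory=$true)][string]$Mask)
    $bytes = Get-IPv4Bytes $Mask
    $bits = ($bytes | ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
    return ($bits -match '^1*0*$')
}

function Get-NetworkId {
    # Address AND mask = the network ID the host belongs to.
    param([Parameter(Mandatory=$true)][string]$Address,
          [Parameter(Mandatory=$true)][string]$Mask)
    if (-not (Test-ValidSubnetMask $Mask)) { throw "Non-contiguous subnet mask: $Mask" }
    $a = Get-IPv4Bytes $Address
    $m = Get-IPv4Bytes $Mask
    $n = New-Object byte[] 4
    for ($i = 0; $i -lt 4; $i++) { $n[$i] = $a[$i] -band $m[$i] }
    return (New-Object -TypeName System.Net.IPAddress -ArgumentList (,$n)).ToString()
}

function Test-NeedsGateway {
    # True when the destination lies outside the local segment, so the packet
    # must be handed to the default gateway; False when the hosts talk directly.
    param([Parameter(Mandatory=$true)][string]$Source,
          [Parameter(Mandatory=$true)][string]$Destination,
          [Parameter(Mandatory=$true)][string]$Mask)
    return ((Get-NetworkId $Source $Mask) -ne (Get-NetworkId $Destination $Mask))
}

function Test-PrivateIPv4 {
    # RFC 1918 ranges (10/8, 172.16/12, 192.168/16) are never routed on the Internet.
    param([Parameter(Mandatory=$true)][string]$Address)
    $ranges = @(
        @{ Net = '10.0.0.0';    Mask = '255.0.0.0'   },
        @{ Net = '172.16.0.0';  Mask = '255.240.0.0' },
        @{ Net = '192.168.0.0'; Mask = '255.255.0.0' }
    )
    foreach ($r in $ranges) {
        if ((Get-NetworkId $Address $r.Mask) -eq $r.Net) { return $true }
    }
    return $false
}

# Constructed sample: two PCs on one /24 segment and a server on another
$pc1 = '192.168.10.25'; $pc2 = '192.168.10.200'; $server = '192.168.20.5'; $mask = '255.255.255.0'
"$pc1 -> $pc2    uses gateway: $(Test-NeedsGateway $pc1 $pc2 $mask)"
"$pc1 -> $server uses gateway: $(Test-NeedsGateway $pc1 $server $mask)"
"$pc1 is private: $(Test-PrivateIPv4 $pc1)"
"203.0.113.9 is private: $(Test-PrivateIPv4 '203.0.113.9')"
"255.255.0.255 is a valid mask: $(Test-ValidSubnetMask '255.255.0.255')"
```

The mask check matters in practice: a typo like 255.255.0.255 is accepted by some dialogs but produces a network ID that matches no router's view of the segment, which shows up as "can reach some hosts but not the gateway" tickets.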
Device Naming

IP v6
Windows 7 implements IP v6 support
Enabled by default
A dual stack is implemented
DirectAccess requires IP v6 in the central network
Microsoft only tests the network stack with IP v6 enabled
No assurance that it will work with IP v6 turned off
Generally, always keep it on
To reduce overhead, turn off IP v6 as long as the needed features do not require it
IP v6 Benefit
Massive address pool

128-bit address

The IP v4 address pool is much smaller
Private addresses and NAT devices were very important
Hosts can be self-configured even without DHCP
Using specially formed messages on the local segment to ensure there is a locally
unique IP address
DHCPv6 can assign IP addresses
Security is built-in
QoS is improved
Routing is more efficient
IP v6 Address Space
128-bits are used
IP v4 used 32-bits
Bits double the pool size
Number of addresses available
The first 64 bits represent the network ID and the last 64 bits represent the host ID
Prefixes are used instead of subnet masks
Hex is used to represent the 128 binary bits using 32 characters
IP v6 Address Types
Used for one to many data transfers
Special type of IP v6 where a computer sends data once and multiple nodes
receive it
Used for service location or for locating the nearest router
The first device that sees the data responds as the closest
Similar to the IP v4 public addresses
Used for communications on the local segment
Similar to the IP v4 private addresses
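The IP v6 Address Space and Address Types notes above describe prefixes, the 64/64 split and the address categories in words. This is an added example (not from the thread or the course) that reads the 128 bits of an address with .NET, classifies it by its leading bits, and splits it into the network prefix and interface ID; the sample addresses and the function name are constructed for the example.

```powershell
# Added example, not from the thread: classifying IPv6 addresses by their leading
# bits and splitting the 128 bits into the 64-bit network prefix and 64-bit host
# (interface) ID the notes describe. Sample addresses are constructed.

function Get-IPv6Info {
    param([Parameter(Mandatory=$true)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $Address"
    }
    $b = $ip.GetAddressBytes()          # 16 bytes = 128 bits
    $first = [int]$b[0]; $second = [int]$b[1]

    # Address type from the high-order bits (IPv6 has no classes; ranges are fixed by prefix)
    if ($ip.Equals([System.Net.IPAddress]::IPv6Loopback)) {
        $type = 'Loopback (::1)'
    } elseif ($first -eq 0xFF) {
        $type = 'Multicast (ff00::/8): one sender, many receivers'
    } elseif ($first -eq 0xFE -and ($second -band 0xC0) -eq 0x80) {
        $type = 'Link-local unicast (fe80::/10): local segment only, never routed'
    } elseif (($first -band 0xFE) -eq 0xFC) {
        $type = 'Unique local unicast (fc00::/7): the IPv4-private equivalent'
    } elseif (($first -band 0xE0) -eq 0x20) {
        $type = 'Global unicast (2000::/3): the IPv4-public equivalent'
    } else {
        $type = 'Other or reserved'
    }

    # Render the 128 bits as eight 16-bit hex groups (32 hex characters in all)
    $groups = for ($i = 0; $i -lt 16; $i += 2) { '{0:x2}{1:x2}' -f [int]$b[$i], [int]$b[$i + 1] }
    New-Object PSObject -Property @{
        Address       = $ip.ToString()          # .NET prints the compressed form
        Type          = $type
        NetworkPrefix = (($groups[0..3] -join ':') + '::/64')
        InterfaceId   = ($groups[4..7] -join ':')
    }
}

# Each extra bit doubles the pool: 2^32 IPv4 addresses against 2^128 for IPv6
$v4Pool = [bigint]::Pow(2, 32)
$v6Pool = [bigint]::Pow(2, 128)
"IPv4 pool: $v4Pool"
"IPv6 pool: $v6Pool  (that is $([bigint]::Divide($v6Pool, $v4Pool)) times larger)"

foreach ($addr in 'fe80::1c2a:3b4c:5d6e:7f80', '2001:db8:1234:5678::10', 'fd12:3456:789a:1::5', 'ff02::1', '::1') {
    Get-IPv6Info $addr | Format-List Address, Type, NetworkPrefix, InterfaceId
}
```

The link-local case is the one that bites on Windows 7: every interface gets an fe80:: address whether or not IPv6 is configured, so a DirectAccess or firewall rule scoped to "local subnet" has to account for it.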
Notes from Online Expert: Session 3
Configuring IP Protocols
The need for Configuration
Network Connection Properties
Right click on Network Icon > Properties (Network and sharing Center) > Manage
IP v4 Properties

IP v4 Advanced Settings
Can have multiple IP addresses with a Subnet mask
More common on servers to have multiple addresses
If you have multiple routers you can add multiple gateways for redundancy and fault
Can also add multiple DNS servers as well as WINS servers
IP v6 Properties
For the most part, will be configured dynamically.

Setting a Static address

Commands Directly from Command Prompt

Windows Firewall
The Windows Firewall
Uses two complementary firewalls
Windows Firewall
WFAS (Windows Firewall with Advanced Security)
Windows Firewall uses simple rules for firewall configuration
WFAS uses more complicated and advanced options
Unless a rule exists that explicitly allows traffic, the Windows Firewalls will drop that traffic
Pinging is not allowed by default
Windows 7 Firewalls also block outbound traffic unless an allow filter is specified
Notification will be given when communications are blocked
Networking Concepts
Using the Windows Firewalls requires an understanding of some fundamental networking concepts
Allow communication on the network
Ex. HTTP (Port 80), FTP (Port 21), SMTP (Port 25)
Network addresses
Inbound traffic
Originates from the network and contacts the device
Not requested from the client machine, but instead soliciting the client
Outbound traffic
Originates from the device and contacts the networks
Solicits another machine on the network
Network Interfaces
Different firewall rules for different interfaces
IPSec (Internet Protocol Security)
Gives the ability to have authentication, non repudiation, and
confidentiality or encryption on network communications
Windows Firewalls are also configured based on network profiles
Any custom firewall rules specified will only apply to the current profile
Configuring Windows Firewall
Start > Type Windows Firewall (OR Advanced)
This is where you can allow or disallow certain programs that use the internet in
order to function, like Skype or something similar
In most cases, when installing a program if it uses the internet the firewall should
prompt you to allow or disallow the action of that program communicating
Turning the Firewall On/Off
Sometimes it can be necessary to turn the firewall on or off.
Certain programs will be disallowed because the Firewall is not familiar with them or
they are suspected malicious programs; however, if you trust the program then
you will likely need to change the firewall settings.
The WFAS Interface
This will display a large number of protocols and rules that apply with the firewall, most
of which will have been there to begin with as a default
Authenticated Exceptions
This is when you want to allow a secured, encrypted connection
This can be further developed with only allowing administrators to
connect or possibly only specific users, etc.
These rules can also be configured through Netsh as well
Connection Security Rules
Generic all-encompassing rules for when you don't want to set up rules explicitly.

Firewall Monitoring
You can configure the firewall to log everything into the system
You can customize the logging for each firewall profile
Logging of dropped packets is disabled by default, so unless you feel you need it, it will
remain disabled
Can configure your firewall through Group Policy
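The Firewall Monitoring notes say dropped-packet logging is off by default and configurable per profile, but not what to do with the log once it exists. This is an added example, not the thread's or Microsoft's code: the first function wraps the netsh advfirewall commands that ship with Windows 7 to switch the logging on, the second summarizes the log by blocked source, port and protocol. The log lines in $sample are constructed in the W3C layout pfirewall.log uses, and the function names are this example's own.

```powershell
# Added example, not from the thread or Microsoft: part 1 wraps the netsh advfirewall
# commands Windows 7 ships with to switch on dropped-packet logging for all three
# profiles (it is off by default, as the notes say); part 2 summarizes the resulting
# log so the blocked traffic can be reviewed. The log lines in $sample are
# constructed in the W3C layout that pfirewall.log uses.

function Enable-DroppedPacketLogging {
    # Run from an elevated prompt. Applies to the Domain, Private and Public profiles.
    param(
        [string]$LogPath = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log",
        [int]$MaxSizeKB = 4096
    )
    netsh advfirewall set allprofiles logging filename "$LogPath"
    netsh advfirewall set allprofiles logging maxfilesize $MaxSizeKB
    netsh advfirewall set allprofiles logging droppedconnections enable
    netsh advfirewall show allprofiles          # read the settings back to confirm
}

function Get-FirewallDropSummary {
    # Counts inbound DROP entries per source address, destination port and protocol.
    param([Parameter(Mandatory=$true)][string[]]$LogLines)
    $fields = $null
    $drops = @()
    foreach ($line in $LogLines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line.StartsWith('#') -or $line.Trim() -eq '' -or $null -eq $fields) { continue }
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        if ($rec['action'] -eq 'DROP' -and $rec['path'] -eq 'RECEIVE') {
            $drops += New-Object PSObject -Property @{
                Source = $rec['src-ip']; Port = $rec['dst-port']; Protocol = $rec['protocol']
            }
        }
    }
    $drops | Group-Object Source, Port, Protocol | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Source';   e = { $_.Group[0].Source } },
            @{ n = 'Port';     e = { $_.Group[0].Port } },
            @{ n = 'Protocol'; e = { $_.Group[0].Protocol } }
}

# Constructed sample log: one host repeatedly hitting 445 and 3389, one ping, one allowed outbound request
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2013-09-15 21:00:01 DROP TCP 10.0.0.77 10.0.0.5 51000 445 52 S 1 0 8192 - - - RECEIVE
2013-09-15 21:00:02 DROP TCP 10.0.0.77 10.0.0.5 51001 3389 52 S 2 0 8192 - - - RECEIVE
2013-09-15 21:00:03 ALLOW TCP 10.0.0.5 10.0.0.9 49200 80 0 - 0 0 0 - - - SEND
2013-09-15 21:00:04 DROP TCP 10.0.0.77 10.0.0.5 51002 445 52 S 3 0 8192 - - - RECEIVE
2013-09-15 21:00:05 DROP ICMP 10.0.0.88 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
'@ -split "`r?`n"

Get-FirewallDropSummary -LogLines $sample | Format-Table -AutoSize
# On a live machine: Get-FirewallDropSummary -LogLines (Get-Content "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log")
```

The ICMP line is the "Pinging is not allowed by default" note showing up in the log (icmptype 8 is echo request). Because the parser reads the column names from the #Fields header instead of hard-coding positions, it keeps working if a future build reorders or adds columns.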

Remote System Management
Right click computer > Properties > Advanced system settings > Remote Tab
Using RDC
Start > All programs > Accessories > Remote Desktop Connection
Remote Assistance
Right click computer > Properties > Advanced system settings > Remote Tab
With assistance, the client sends the request for remote assistance
WinRM -Remote Management
winrm quickconfig (in command prompt)

WinRS -Remote Shell
You first enable WinRM, which then allows you to be able to use WinRS
This will allow you to connect to another PC
Remote PowerShell
PowerShell provides remote processing with the invoke command cmdlet
Invoke-Command -ComputerName hostname -ScriptBlock { command }
Invoke-Command -ComputerName cpu13.company.local -ScriptBlock { Get-Process }
Enable WinRM
Requires a domain environment
By default, only administrators can run Remote PowerShell commands
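The WinRM, WinRS and Remote PowerShell notes above are three views of the same thing, so here is one added example (not from the thread) that ties them together: the one-time enable step, then an Invoke-Command that collects firewall state from several clients in one call. cpu13.company.local is the host name from the notes; cpu14.company.local and the function name are constructed for the example, and a domain environment is assumed as the notes say.

```powershell
# Added example, not from the thread: enabling WinRM on a Windows 7 client and then
# using Invoke-Command to collect firewall state from several machines in one call.
# cpu13.company.local is the host name from the notes; cpu14 is constructed. A domain
# environment is assumed, as the notes say; in a workgroup WinRM additionally needs
# the TrustedHosts list and explicit credentials.

# One-time setup on each managed client, from an elevated prompt. This is the
# PowerShell equivalent of "winrm quickconfig": it starts the WinRM service, sets it
# to start automatically and adds the "Windows Remote Management" firewall exception.
#   Enable-PSRemoting -Force

function Get-RemoteFirewallState {
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)
    # The script block executes on each remote machine; only its output comes back.
    $audit = {
        $states = @(netsh advfirewall show allprofiles state |
            ForEach-Object { if ($_ -match '^State\s+(ON|OFF)') { $Matches[1] } })
        New-Object PSObject -Property @{
            Domain  = $states[0]     # netsh lists the profiles in this order
            Private = $states[1]
            Public  = $states[2]
            WinRM   = (Get-Service WinRM).Status
        }
    }
    # Invoke-Command tags every returned object with PSComputerName, so the
    # results from all hosts can be read as one table.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit -ErrorAction Continue |
        Select-Object PSComputerName, Domain, Private, Public, WinRM
}

Get-RemoteFirewallState -ComputerName 'cpu13.company.local', 'cpu14.company.local' | Format-Table -AutoSize
```

Because the script block runs on the remote side, netsh output never crosses the wire as text; only the small summary object does, which is why this scales to a few hundred clients where a WinRS loop would not. -ErrorAction Continue keeps one unreachable host from aborting the whole run.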
Updating Windows 7
Update Operations
Start > Search Windows Update

Configuring via Group Policy Editor
Start > GPEDIT.MSC > Windows update
Checking for updates
Don't ever just install whatever updates come across, trusted or not
Check into the update itself and see what they entail
Once you see what the updates are, if you want them then try downloading
Viewing Update History
Windows Update > View update history
Roll Back
Open Install history
To uninstall certain updates, you have to uninstall the dependent updates before
commencing with the uninstall
System Event Monitoring
The Event Viewer
Start > All programs > Administrative Tools > Event Viewer
Configuring Event Logging
Can set the log size and can configure what it does with the logs when filled
Can also be configured with Group Policy

Filtering the Log

Custom Views
These views can be imported and exported from other machines

Event Subscriptions

Assigning Tasks to Events
This is how you can assign tasks for when certain events occur; it will then take action
The three options are as follows:
Start a Program
Send an Email
Display a Message

Command Line Event Management
Command Line > Tab will bring the next likely command you wish to use
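The Filtering the Log, Custom Views and Command Line Event Management notes above are all ways of asking the same question of the Event Viewer. This is an added example (not from the thread) that builds the same filter with Get-WinEvent and then summarizes repeated failed logons, Security event 4625, by account and source. The summary only needs objects shaped like Get-WinEvent's output, so constructed sample events are included to show it working without a live Security log; the function names and sample accounts are this example's own.

```powershell
# Added example, not from the thread: the Event Viewer's "Filter Current Log" done
# from PowerShell with Get-WinEvent, and a summary of repeated failed logons (Security
# event 4625) by account and source. The summary function only needs objects shaped
# like Get-WinEvent's output, so constructed sample events are used below to show it
# working without a live Security log (reading Security needs an elevated prompt).

function Get-FailedLogonEvents {
    # Same filter the Event Viewer dialog builds: log name, event ID and time window
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue
}
# Command-line equivalent (wevtutil ships with Windows 7):
#   wevtutil qe Security /q:"*[System[(EventID=4625)]]" /c:20 /rd:true /f:text

function Get-FailedLogonSummary {
    # Groups 4625 events by target account and source address and reports the pairs
    # at or above the threshold; a burst from one source is what deserves a look.
    param([Parameter(Mandatory=$true)][object[]]$Events, [int]$Threshold = 3)
    $rows = foreach ($e in $Events) {
        # In a 4625 event, Properties[5] is TargetUserName and Properties[19] is IpAddress
        New-Object PSObject -Property @{
            Account = $e.Properties[5].Value
            Source  = $e.Properties[19].Value
            Time    = $e.TimeCreated
        }
    }
    $rows | Group-Object Account, Source | Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Account'; e = { $_.Group[0].Account } },
            @{ n = 'Source';  e = { $_.Group[0].Source } },
            @{ n = 'Last';    e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } }
}

# Constructed sample events in the shape Get-WinEvent returns (only the fields used above)
function New-SampleFailedLogon {
    param([string]$Account, [string]$Source, [datetime]$Time)
    $props = New-Object object[] 21
    for ($i = 0; $i -lt 21; $i++) { $props[$i] = New-Object PSObject -Property @{ Value = '-' } }
    $props[5]  = New-Object PSObject -Property @{ Value = $Account }
    $props[19] = New-Object PSObject -Property @{ Value = $Source }
    New-Object PSObject -Property @{ Id = 4625; TimeCreated = $Time; Properties = $props }
}
$now = Get-Date
$sample = @(
    (New-SampleFailedLogon 'jsmith'        '10.0.0.77' $now.AddMinutes(-9)),
    (New-SampleFailedLogon 'jsmith'        '10.0.0.77' $now.AddMinutes(-8)),
    (New-SampleFailedLogon 'jsmith'        '10.0.0.77' $now.AddMinutes(-7)),
    (New-SampleFailedLogon 'administrator' '10.0.0.77' $now.AddMinutes(-6)),
    (New-SampleFailedLogon 'administrator' '10.0.0.77' $now.AddMinutes(-5)),
    (New-SampleFailedLogon 'administrator' '10.0.0.77' $now.AddMinutes(-4)),
    (New-SampleFailedLogon 'mjones'        '10.0.0.12' $now.AddMinutes(-3))   # a single typo, below threshold
)
Get-FailedLogonSummary -Events $sample | Format-Table -AutoSize
# On a live machine: Get-FailedLogonSummary -Events (Get-FailedLogonEvents -Hours 24)
```

The threshold is what separates a user mistyping a password from something worth an "Assign a task to this event" action; the single mjones failure drops out, the two runs from 10.0.0.77 do not. The same FilterHashtable can be saved as a Custom View in the Event Viewer so the GUI and the script show the same events.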
System Performance Monitoring
Performance Analysis
Vista introduced the Performance and Reliability Monitor
Windows 7 uses only the Performance Monitor tool
Reliability Monitor is a separate application in Windows 7
Task Manager is all new in Windows 7
Has an enhanced Resource Monitor Tool
Performance logs have been removed
Instead, there are data collector sets
Reports are generated automatically
Task Manager
There are many different ways to access the Task Manager
CTRL + ALT + Delete
This program will show the following
The Resource Monitor
Displays the 4 Core components of the machine
The Reliability Monitor
Start > Reliability > Click Reliability History
Performance Monitor
Start > All Programs > Administrative Tools > Performance Monitor
Data Collector Sets
Right Click > Select New Data Set > Then go through the wizard for creating a new set
You can set a time to run the collection as well as how long to run it
Notes from Online Expert: Session 4
Performance Tuning
Optimizing Performance

TCP Window Size
Administrative Command Prompt
netsh interface tcp set global autotuninglevel=<level>

Page File
Computer > Properties > Advanced System Settings >Advanced > Virtual Memory
Power Management
Power Icon > More power options
This will take you to Control Panel > Hardware and Sound > Power Options

Advanced Power Settings

Adjusting Visual Effects
Right Click Computer > Properties > Performance Information and Tools >
Adjust Visual Effects
Management of Services
Right Click Computer > Manage > Services and Applications > Services

Processor Scheduling
Task Manager > right click a service > Set Processor Affinity
Managing Storage
Disk Management
Right click Computer > Manage > Disk Management
This tool will display your disks, Basic or Dynamic

Additional menu Items

RAID Arrays
Can be implemented within the Disk Management UI
RAID 0 (Striping)

RAID 1 (Mirroring)

RAID 5 (Striping with Parity)

Removable Storage

The Hard Drive Cache
Right click Computer > Manage > Device Manager > Double click HDD > Policies


Defrag (Command Line)

Defrag Report (Command Line)

Disk Defragment
Start > All Programs > Accessories > System Tools > Disk Defragmenter
You can set a schedule and which disks it will perform this on
Disk Cleanup
Start > All Programs > Accessories > System Tools > Disk Cleanup
This program will remove certain files to free up HDD space

Securing Authentication
Authentication is the process by which a user or system is identified
Secure authentication provides proof of identity over a secure channel
Windows 7 supports Kerberos in AD DS environments
Peer to Peer authentication still uses NTLM (Version 2) unless in a Home Group
HomeGroup uses the new PKU2U (Public Key Cryptography based User-to-User) protocol
Troubleshooting Authentication Issues
Computer > Manage > Local Users and Groups (Properties)
User Accounts
Control Panel > User Accounts
Manage another account
Multifactor Authentications
More than one method of identification is used
More than one method is required
Authentication factors
Something the user knows
Something the user has
Something the user is
User Rights
Windows Settings > Security Settings > Local Policies > User Rights Assignments
Administrative Tools > Local Security Policy
Credential Manager
Start > Control Panel > Credential Manager
Certificate Manager
MMC as administrator
Certificate can be found as an MMC snap in
Can export certificates with MMC
Sharing Resources
Folder Virtualization

Share Permissions
Right click a folder > Share with... > then select any users you want to be able to access
to that folder

Deny will implicate that function in all portions that the user belongs to
NTFS Permissions

Effective permissions

HomeGroup Management

Printer Sharing
Control Panel > Hardware and Sound > Devices and Printers

User Rights Management
User Account Control
UAC (User Account Control) works by running all accounts in non-administrative mode
When administrative actions are required
The account can be elevated
New credentials may be required
Standard users must provide credentials to elevate
Administrative users may either provide credentials or simply authorize the elevation
UAC can be configured through the GUI or through Group Policies
Configuring User Account Control
Control Panel > All Control Panel Items > User Accounts
Change User Account Settings
Group Policy Settings
Start > All Programs > Admin Tools > Local Security Policies
Admin Approval Mode
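The Control Panel slider and the Local Security Policy entries above all write to one registry key, so the quickest way to see what a machine is actually set to is to read it back. This is an added example, not from the thread: the registry values and their meanings are Microsoft's, while the function and its output layout are this example's own.

```powershell
# Added example, not from the thread: reading back the UAC settings the Control Panel
# slider and the Local Security Policy entries change, plus whether the current
# process is already elevated. The registry values and their meanings are Microsoft's;
# the function and its output format are this example's own.

function Get-UacConfiguration {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # ConsentPromptBehaviorAdmin = "Behavior of the elevation prompt for administrators in Admin Approval Mode"
    $adminPrompt = @{ 0 = 'Elevate without prompting'
                      1 = 'Prompt for credentials on the secure desktop'
                      2 = 'Prompt for consent on the secure desktop'
                      3 = 'Prompt for credentials'
                      4 = 'Prompt for consent'
                      5 = 'Prompt for consent for non-Windows binaries' }
    # ConsentPromptBehaviorUser = "Behavior of the elevation prompt for standard users"
    $userPrompt  = @{ 0 = 'Automatically deny elevation requests'
                      1 = 'Prompt for credentials on the secure desktop'
                      3 = 'Prompt for credentials' }

    $adminMode = 'not set'
    if ($null -ne $p.ConsentPromptBehaviorAdmin) { $adminMode = $adminPrompt[[int]$p.ConsentPromptBehaviorAdmin] }
    $userMode = 'not set'
    if ($null -ne $p.ConsentPromptBehaviorUser)  { $userMode  = $userPrompt[[int]$p.ConsentPromptBehaviorUser] }

    # With UAC on, an administrator's normal token is filtered, so this is only
    # True inside a process that actually went through elevation.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    New-Object PSObject -Property @{
        UacEnabled          = ($p.EnableLUA -eq 1)            # "Run all administrators in Admin Approval Mode"
        AdminApprovalMode   = $adminMode
        StandardUserPrompt  = $userMode
        SecureDesktop       = ($p.PromptOnSecureDesktop -eq 1)
        ThisProcessElevated = $elevated
    }
}

Get-UacConfiguration | Format-List
```

For an audit, EnableLUA = 0 (UAC off) and ConsentPromptBehaviorAdmin = 0 (silent elevation) are the two values to flag; both can be set through the Group Policy path in the notes and then pushed to every machine in the OU.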

User Rights within Group Policy
Windows Settings > Security Settings > Local Policies > User Rights Assignment
Add user to local backup user on the machine
Profile System Performance
The user that has this permission is able to run Performance monitor and the tools that
come with that utility

Windows 7 Encryption
Encryption Technologies
EFS (Encrypting File System)
Requires NTFS
Uses symmetric key cryptography for data encryption
Uses the same key to encrypt and decrypt
Encrypts the FEK (File encryption key) with asymmetric key cryptography
The FEK is used to encrypt the data
Uses two different keys to encrypt and to decrypt
Public key cryptography
Slower than symmetric encryption
Allows an entire volume to be encrypted
Requires a TPM (Trusted Platform Module) or a USB flash drive
Hardware already in the computer
BitLocker To Go
Provides encryption for flash drives
Can be opened on Windows XP systems
Cannot enable BitLocker on XP
Encrypted File System
Encrypted Files or Folders appear in Green Text
Dynamic in the background
Point is to encrypt sensitive data in the case of physical theft of system
Recommendations for EFS
Is to encrypt at the Folder level
Reason being that hidden files may also be present in the folder that you may want
to be encrypted.
Also, if you encrypt one file but another depends on it, you will cause a
security flaw, since the temp file can be retrieved
EFS within Group Policy Mode
Local Group Policy Editor > Computer configuration > Security Settings > Public keys
Policies > Encrypting File System
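The Encryption Technologies notes describe EFS as a symmetric FEK that encrypts the data, with the FEK itself encrypted by an asymmetric key. This is an added example, not EFS itself and not from the thread, that reproduces that layering with .NET's AES and RSA classes so the design can be seen end to end, including the second wrapped copy of the FEK for a recovery agent, which is what the Encrypting File System policy path above is used to designate. The keys, data and function names are constructed for the example.

```powershell
# Added example, not EFS itself and not from the thread: the key layering the notes
# describe, reproduced with .NET's AES and RSA classes so it can be seen end to end.
# A random symmetric FEK encrypts the file contents; the FEK is then wrapped with the
# user's RSA public key and, separately, with a recovery agent's public key, so the
# file can still be opened if the user's key is lost. Keys and data are constructed.

function Protect-LikeEfs {
    param(
        [Parameter(Mandatory=$true)][byte[]]$Plaintext,
        [Parameter(Mandatory=$true)][System.Security.Cryptography.RSACryptoServiceProvider]$UserKey,
        [Parameter(Mandatory=$true)][System.Security.Cryptography.RSACryptoServiceProvider]$RecoveryAgentKey
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()                       # this random key is the FEK
    $aes.GenerateIV()
    $enc = $aes.CreateEncryptor()
    $cipher = $enc.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)   # symmetric: fast, bulk data
    # Wrap the FEK with each public key (OAEP padding). Only the matching private key can
    # unwrap it; the wrapped copies travel with the file and the bare FEK is discarded.
    $blob = New-Object PSObject -Property @{
        Cipher         = $cipher
        IV             = $aes.IV
        FekForUser     = $UserKey.Encrypt($aes.Key, $true)
        FekForRecovery = $RecoveryAgentKey.Encrypt($aes.Key, $true)
    }
    $aes.Clear()
    return $blob
}

function Unprotect-LikeEfs {
    param(
        [Parameter(Mandatory=$true)]$Blob,
        [Parameter(Mandatory=$true)][byte[]]$WrappedFek,
        [Parameter(Mandatory=$true)][System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey
    )
    $fek = $PrivateKey.Decrypt($WrappedFek, $true)    # asymmetric step: recover the FEK
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $Blob.IV
    $dec = $aes.CreateDecryptor()
    $plain = $dec.TransformFinalBlock($Blob.Cipher, 0, $Blob.Cipher.Length)   # symmetric step: the data
    $aes.Clear()
    return ,$plain
}

# Constructed keys: in real EFS these come from the user's and the recovery agent's certificates
$user = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$dra  = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$data = [System.Text.Encoding]::UTF8.GetBytes('constructed sample file contents')

$blob = Protect-LikeEfs -Plaintext $data -UserKey $user -RecoveryAgentKey $dra
"Ciphertext bytes: $($blob.Cipher.Length); wrapped FEK bytes: $($blob.FekForUser.Length)"

# The user opens the file with their own private key ...
[System.Text.Encoding]::UTF8.GetString((Unprotect-LikeEfs -Blob $blob -WrappedFek $blob.FekForUser -PrivateKey $user))
# ... and the recovery agent can open it without the user's key at all
[System.Text.Encoding]::UTF8.GetString((Unprotect-LikeEfs -Blob $blob -WrappedFek $blob.FekForRecovery -PrivateKey $dra))
# A mismatched private key cannot unwrap the FEK: $dra.Decrypt($blob.FekForUser, $true) throws a CryptographicException
```

Two things follow from the design that the notes hint at: the data is only as safe as the private key, so back up the EFS certificate (or designate a recovery agent through the policy path above) before encrypting anything, and the "temp file" warning is real because any unencrypted copy of the plaintext sits outside this whole scheme.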

BitLocker To Go
Control Panel > BitLocker Drive Encryption
BitLocker Recovery Key
This is a method to recover a password
The process can take quite some time to fully encrypt
Compatible with Windows XP w/SP2 or later

BitLocker Options

Viewing the BitLocker Recovery Key
Recovery ID and then password to match
Remote Connectivity
Network Access Protection is a network feature that prohibits connections to the
network from unhealthy clients
An unhealthy client is defined as a machine not meeting the organization's security
Does the machine have a firewall enabled?
Is antivirus software installed?
Is automatic updates enabled?
Have required (by the network) updates been installed
NAP remediation attempts to resolve noncompliance issues automatically
Unhealthy machines can be put into a special subsection for remediation
A machine that cannot be made healthy will be blocked from the network
A VPN (virtual private network) is usually an encrypted Internet-based connection
A VPN can run from a client on a wired network
VPNs were once used to secure wireless connections
A connection is made to the internet
An encrypted association is made with a VPN server
Windows Server 2008 and 2008 R2 can be made viable VPN servers
This encrypted association is known as a tunnel
Standard TCP/IP communications take place inside the VPN tunnel
Several VPN protocols exist and Windows 7 supports the two most popular
PPTP – Point to Point Tunneling Protocol
L2TP – Layer Two Tunneling Protocol
L2TP forms the tunnel and IPSec is used to provide the encryption
Establish a TCP/IP Connection to the Internet
PPTP runs across the TCP/IP connection
TCP/IP runs inside of the PPTP connection
TCP/IP and PPTP on TCP/IP on the internet to get a VPN

Creating a VPN Connection
Start > Control Panel > Network and Sharing Center
Set up a new connection or network
Select connect to a workplace
Use my internet connection (VPN)
Need the IP or DNS address of the location you are attempting to log in to
User name and password is also required
VPN Settings/Options
Displays as an adapter in network Connections

VPN Reconnect
New feature in Windows 7
Allows a VPN connection to be automatically reconnected if it is lost
Traditionally, VPN solutions would require in-progress communications to be
reestablished and to start over if the VPN connection was lost
Allows reconnection for up to eight hours
As a user moves from one internet connection to another, the VPN connection is
automatically reestablished
The in progress communications are resumed
Requires the use of the IKEv2 protocol
Only Windows Server 2008 R2 supports IKEv2
Works with all editions of Windows 7
Enabling VPN reconnect
Enable IKEv2 first > Advanced Settings > Enable Mobility
Connecting a Dial Up Connection
Notes from Online Expert: Session 5
Configuring Mobility Options
Offline Files
Computer Configuration > Administrative Templates > Network > Offline Files
Has many Settings to view and change
User Configuration > Administrative Templates > Network > Offline Files
Not as many settings to be able to change
Both have the same policies but Computer has more available to it
Enabling Offline Files

Sharing Offline Files
Right Click Folder and select Always available offline
You can also select a file and select Always available offline
Managing Offline Files

Migrating Power Configuration
powercfg /?

Basically gives you the ability to export power settings to another machine

Understanding BranchCache
New technology introduced in Windows 7
It is only supported in Enterprise and Ultimate editions
Data is cached on the LAN when it is first accessed
On future access, the data is evaluated to determine if it has changed
If the data has changed, the server copy is cached again
If the data has not changed, the local copy is used
Requires two major things
Windows 7 clients
Windows Server 2008 R2 Servers
Operating Modes
BranchCache can operate in either Hosted Cache mode or Distributed Cache mode
Hosted Cache mode requires a Windows Server 2008 R2 machine at each LAN location
Local Windows 7 machines retrieve cached data from the local server
Distributed Cache mode caches the data on Windows 7 machines within the LAN
Local Windows 7 machines retrieve cached data from each other
A local Windows Server 2008 R2 machine is not required
BranchCache Facts
BranchCache only kicks in when the round trip latency is greater than the configured
The default is 80 milliseconds
BranchCache requires firewall rules to be set
BranchCache – Content Retrieval (Uses HTTP)
Enables an allowance for TCP port 80
BranchCache – Peer Discovery (Uses WSD)
Enables an allowance for UDP port 3702
BranchCache – Hosted Cache Client (Uses HTTPs-OUT)
Enables an allowance for TCP port 443
Can be configured with Group Policies or with Netsh
Netsh BranchCache
Can use login scripts if you so desire
netsh branchcache

Group Policy BranchCache
Computer Configuration > Administrative Templates > Network > BranchCache

Implementing DirectAccess
Compare to VPN to understand its benefits
A replacement for VPN technology in Windows 7
The connection is automatic
VPNs usually require user actions
Administrators can easily control access to internal resources
VPNs act as standard node connections to the network
Communications are bidirectional as the servers see the DirectAccess client like a local
VPNs did not usually show the clients as a local node to the internal servers
DirectAccess Requirements
DirectAccess has very specific requirements
A Windows Server 2008 R2 server that is Internet facing
A public IP address on the Internet
Windows 7 clients running either Enterprise or Ultimate editions
IP v6 must be enabled on both the Windows Server 2008 R2 server and the
Windows 7 clients
Windows 7 clients must be members of a domain
Connection requirements must be met
Direct IP v6 connection
6to4 for public IP address nodes (Rare)
Teredo for NAT nodes (common)
IP-HTTPS for nodes behind firewalls
Group Policy DirectAccess
GPEDIT.MSC > Computer Configuration > Administrative Templates > Network >
TCP/IP Settings > IP v6 Transition Technologies

Netsh DirectAccess
You can use Netshell to troubleshoot multiple interfaces for DirectAccess

Backing Up Windows 7
System Recovery Disc
Start > Control Panel > Backup and Restore
This will create a disc that can repair your system in the event that you need to repair the
boot process, then troubleshoot your issues if they are still present
Verifying the System Recovery Disc
Computer > View the Disc that contains your backup disc
should appear as boot.wim
Full System Backup
Control Panel > All Control Panel Items > Backup and Restore
Select the location where you would like to perform your Backup
When you choose what to back up, you select specific drives to back up
The last window will let you review exactly what you are about to backup
While it is performing the backup, you can have it run in the background,
however system performance will be a little slower because the system
is using the HDD to perform the backup while you are at the workstation
Scheduling Backups
Control Panel > System and Security > Backup and Restore
It will be a similar process as a regular Full backup until you get to a certain point in the
wizard, then you can select what kind of schedule to use
System Restore and Recovery
System Protection
Computer > Properties > Advanced System Settings > System Protection Tab
Configure System Protection Settings
Make sure you are protecting the appropriate drive when beginning the process
System Restore
Selecting the System Restore will take you into a Wizard which will enable you to set up a
manual restore point, although many times the OS will do it automatically
when making any large changes to the system
Reverting to a Restore Point
Select said restore point and click next then go through the short wizard to begin the
Last Known Good
Press F8 to enter the Advanced Boot Options
If you have added a device driver and can't boot to your Desktop, you can use Last
Known Good to restore to before you installed said device.
Keep in mind that if you make it to desktop, this option loses its potential for fixing your
problem, as every boot saves in the registry that you booted successfully
File Management and Recovery
Shadow Copies
Start > Control Panel > System and Security > System > System Properties >
System Protection > Configure
Previous File Versions
Right Click file > properties > Previous Versions
Copy Previous File Version
Right click file > Properties > Previous Versions > Copy
Restore Previous File Version
Right Click file > Properties > Previous Versions > Restore
This is based on Restore Points of the system made in the system protection
Scheduling Restore Points
Start > All Programs > Administrative Tools > Task Scheduler
Task Scheduler Library > Microsoft > Windows > System Restore

Windows Vista:

Notable Links:



Windows 8?
Edited by TheReciever - 9/15/13 at 9:00pm
i5 2500k @ 4.8Ghz EVGA Z77 Stinger MSI Gaming 290x 1100c/1300m 8GB 1600mhz 
Hard DriveHard DriveCoolingOS
512 Mushkin Eco2 SSD  2TB Western Digital Green CM Seidon 120v Windows 8.1 w/update x64 
2x 1920x1080 EVGA 750 B2 Cooler Master Elite 130 Corsair M40 
USB Sound Blaster Omni 5.1 Sound Card 
  hide details  
post #3 of 184
Thread Starter 

With regards to Linux, any guides for server administration should be terminal based because:

  1. Most servers will run headless anyway (i.e. you wouldn't have a GUI for a Linux server - it's surplus to requirements and only adds a memory / CPU footprint)
  2. GUIs tend to change often from release to release and distro to distro. In fact GUIs will change quite a lot even on the same distro and release depending on what desktop environment you prefer, whereas terminal commands are typically more consistent.

Recommended Guides:

Recommended Books:

Unix and Linux system administration Handbook: Fourth Edition

A Practical Guide to Fedora and Red Hat Enterprise Linux
Originally Posted by Nixalot

I've got a book recommendation for *nix administrators. It's all about how to setup sudo properly so users can't break out of the restrictions imposed by sudo.

Sudo Mastery: Access Control for Real People by Michael W Lucas
A fairly short (130 pages) ebook that provides a very good and well-written grounding in how to use sudo properly. It goes over in detail various problems that can be solved with sudo and how to create the sudo policies
Book site: https://www.michaelwlucas.com/nonfiction/sudo-mastery

Edited by TheReciever - 11/9/13 at 5:11pm
post #4 of 184
Thread Starter 

Edited by TheReciever - 9/12/13 at 12:05pm
post #5 of 184
Thread Starter 

Now Cisco is a whole different animal when compared to Servers or Operating Systems. I think it would be accurate to say that Cisco is the Networking aspect of an infrastructure. Popular for Routers and Switches, there are of course other solutions for this, however Cisco is quite a popular choice in the Enterprise area.


Recommended Guides:

Recommended Books:
I have been told by many people within the work force that have CCNAs that if going the self study route, the Cisco press books are the best resource to pick up on. So this usually means that you will be reading from Wendell Odom. I would recommend looking into Network+ or MTA: Networking Fundamentals first if you're new to networking. It's not impossible to learn the material for CCENT though, it just depends on your ability to absorb material.

Cisco CCENT/CCNA ICND1 100-101 Official Cert Guide
This is the new guide for the 100-101, so far good reviews. I will be getting this soon to give you guys feedback

Cisco CCNA Routing and Switching 200-120 Official Cert Guide
This is a new guide for the 200-120, so far good reviews. I'll get this in time and give you guys feedback.

CCNA Routing and Switching Study Guide
Bratas recommends Todd Lammle's publications on the Cisco exam guides. Both are very knowledgeable so this would be up to preference. You can preview both on amazon or in store to find your preference.

Home Lab Kit:

Now there are many different ways to go about this. You can do one of the following...
  1. Purchase a simulator or use freeware to achieve near real world simulation. You can often find these in Cert guide books to reinforce the content they provide, may be limited in functionality for just what book covers. There are also freeware solutions as well, I believe Packet Tracer is one such option.
  2. Rent a rack from various sources, one such option is fleabay. I have seen a few sellers renting out their racks specifically for prepping for the CCNA exam. This may be a viable solution if you don't want to have the equipment in your house or apartment.
  3. Purchase the actual equipment and develop your own environment. I personally like this method only because you can say you have worked within a live Cisco environment. I will detail the parts needed below.
  4. You could just be a lucky son of a gun and inherit some equipment from your company that upgraded to something else.

What equipment should I purchase?

According to Wendell Odom, you don't need to get the latest equipment for the new exam (ICND1/2 v2.0) which features IOS 15.0. There isn't enough of a change between 12.4T and 15.0 to warrant upping your budget to that level. 12.4T will still be able to do just about everything the new exam covers save for a few things. So with that in mind, I would look into the following:

  • Straight Ethernet
  • Crossover Ethernet
  • Serial Crossover
  • Rollover (Console)
  • Power

*The number of cables you would need is dependent on how much hardware you are working with.

Recommended Links:

CCNA Build Lists
Edited by TheReciever - 9/16/13 at 11:56am
post #6 of 184
Thread Starter 
ITILv3 Change Management

From what I understand, they cover Change Management theories and best practices for the industry. I have been seeing more and more of this certification listed as a desired skill within the IT workforce.

40 Question Exam
26/40 to pass
60 Minutes
150.00 per exam


ITIL v3 Study Guide (Sybex)

This book is kind of recent, though it has pretty strong reviews thus far and is significantly cheaper than the alternative at the moment.

Complete Certification Kit

This has the strongest reviews for this certification. I will be getting this soon and will let you guys know my experience with it, though it is also one of the most expensive.
Edited by TheReciever - 9/12/13 at 1:06pm
post #7 of 184
Thread Starter 
And last one, I have high hopes for the thread as you can see lol

This will be an ongoing work in progress; I will be updating this as I have time!!

I want anything and everything related to the topic chimed in here: Windows Server 2008/2012, Windows Vista, Windows 7, Windows 8?, Red Hat, Linux/Unix, various distros, thin clients/servers, storage, security, ITILv3 Change Management, CCENT/CCNA/CCNP, CompTIA worthiness?, web servers, scripting, Exchange, SharePoint, patch and vulnerability management, encryption methods for data in transit and data at rest, firewall/filtering principles, ethical hacking basics, compliance, printers, backup and restores, different methods of virtualization, vulnerability auditing and more!

The current certifications that I have are the following:
MCSA: Active Directory, Configuring (2008)
CompTIA A+
CompTIA Net+
MTA: Operating System Fundamentals
MTA: Networking Fundamentals
MTA: Server Administration Fundamentals
MTA: Security

Edited by TheReciever - 9/13/13 at 10:55am
post #8 of 184
Well, I've just joined an IT level 2 course at college and asked near enough the same question. I was told I had to complete levels 2, 3, and 4, then there's 2 or 3 years at university, then you're qualified. I think that's what he said anyways.
post #9 of 184
Looks good man, I am currently working as a Network Tech as well. Looking forward to seeing how this goes.