M6425: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Version: B Length: 5 Days Published: December 01, 2009 Language(s): English Audience(s): IT Professionals Level: 200 Technology: Windows Server 2008 Type: Course Delivery Method: Instructor-led (classroom) About this Course This five-day instructor-led course provides to teach Active Directory Technology Specialists with the knowledge and skills to configure Active Directory Domain Services in a distributed environment, implement Group Policies, perform backup and restore, and monitor and troubleshoot Active Directory related issues. Audience Profile The primary audience for this course are AD Technology Specialists, Server Administrators, and Enterprise Administrators who want to learn how to implement AD in a distributed environment, secure domains using Group Policies, and perform backup, restore, and monitor and troubleshoot AD configuration to ensure trouble free operation. At Course Completion After completing this course, students will be able to implement and configure Active Directory domain services in their enterprise environment. Before attending this course, students must have: oBasic understanding of networking. oIntermediate understanding of network operating systems. oAn awareness of security best practices. oBasic knowledge of server hardware. oSome experience creating objects in Active Directory. oFoundation course (6424) or equivalent knowledge. oBasic concepts of backup and recovery in a Windows Server Environment. Course Outline Module 1: Introducing Active Directory Domain Services (AD DS) This module explains how to install and configure Active Directory Domain Services and install and configure a read-only domain controller. Lessons oIntroducing Active Directory, Identity, and access oActive Directory Components and Concepts oInstall Active Directory Domain Services oExtend IDA with Active Directory Services Lab : Install an AD DS DC to Create a Single Domain Forest oExercise 1: Perform Post-Installation Configuration Tasks oExercise 2: Install a New Windows Server 2008 Forest with the Windows Interface After completing this module, students will be able to: oPosition the strategic role a directory service in an enterprise in relation to identity and access. oExplain authentication and authorization processes. oIdentify the major components of ADDS. oUnderstand the requirements for installing a domain controller to create a new forest oIdentify the roles of and relationships between ADDS, ADLDS, ADRMS, ADFS, and ADCS Module 2: Secure and Efficient Administration of Active Directory This module explains how to work securely and efficiently in Active Directory. Lessons oWork with Active Directory Snap-ins oCustom Consoles and Least Privilege oFind Objects in Active Directory oUse DS Commands to Administer Active Directory Lab : Create and Run a Custom Administrative Console oExercise 1: Perform Basic Administrative Tasks Using the Active Directory Users and Computers Snap-in oExercise 2: Create a Custom Active Directory Administrative Console oExercise 3: Perform Administrative Tasks with Least Privilege, Run as Administrator and User Account Control oExercise 4: (Advanced Optional) Advanced MMC Customization and Remote Administration Lab : Find Objects in Active Directory oExercise 1: Finding Objects in Active Directory oExercise 2: Using Saved Queries oExercise 3: (Advanced Optional) Explore Saved Queries Lab : Use DS Commands to Administer Active Directory oExercise 1: Use DS Commands to Administer Active Directory After completing this module, students will be able to: oInstall, locate, and describe the snap-ins used to administer AD DS oPerform basic administrative tasks with the Active Directory Users and Computers snap-in oCreate a custom MMC console for administration oPerform administrative tasks while logged on as a user oControl the view of objects in the Active Directory Users and Computers snap-in oLocate objects in Active Directory oWork with saved queries oIdentify the distinguished name (DN), relative distinguished name (RDN), and common name (CN) of an Active Directory object oUse the DS commands to administer Active Directory from the command line Module 3: Manage Users This module explains how to manage and support user accounts in Active Directory. Lessons oCreate and Administer User Accounts oConfigure User Object Attributes oAutomate User Account Creation Lab : Create and Administer User Accounts oExercise 1: Create User Accounts oExercise 2: Administer User Accounts oExercise 3: (Advanced Optional) Explore User Account Name Attributes Lab : Configure User Object Attributes oExercise 1: Examine User Object Attirbutes oExercise 2: Manage User Object Attributes oExercise 3: Create Users from a Template oExercise 4: (Advanced Optional) Create Users with a Batch File Lab : Automate User Account Creation oExercise 1: Export and Import Users with CSVDE oExercise 2: Import Users with LDIFDE After completing this module, students will be able to: oCreate and configure the account-related properties of a user object oIdentify the purpose and requirements of user account attributes oPerform common administrative tasks to support user accounts including password reset and account unlock oEnable and disable user accounts oDelete, move and rename user accounts oView and modify hidden attributes of user objects oIdentify the purpose and requirements of user object attributes oCreate users from user account templates oModify attributes of multiple users simultaneously oExport user attributes with CSVDE oImport users with CSVDE oImport users with LDIFDE Module 4: Manage Groups This module explains how to create, modify, delete, and support group objects in Active Directory. Lessons oManage an Enterprise with Groups oAdminister Groups oBest Practices for Group Management Lab : Administer Groups oExercise 1: Implement Role-Based Management Using Groups oExercise 2: Manage Group Membership from the Command Line oExercise 3: (Advanced Optional) Explore Group Membership Reporting Tools oExercise 4: (Advanced Optional) Understand "Account Unknown" Permissions Lab : Best Practices for Group Management oExercise 1: Implement Best Practices for Group Management After completing this module, students will be able to: oUnderstand the role of groups in managing an enterprise oCreate well-documented, secure, delegated groups oUnderstand group types, scope, and nesting oUnderstand the best practice for group nesting to achieve role-based management oCreate, delete and manage groups with DSCommands, CSVDE and LDIFDE oEnumerate and copy group membership oUnderstand Default (Built In) groups oUnderstand Special Identities Module 5: Support Computer Accounts This module explains how to create and configure computer accounts. Lessons oCreate Computers and Join the Domain oAdminister Computer Objects and Accounts Lab : Create Computers and Join the Domain oExercise 1: Join a Computer to the Domain with the Windows Interface oExercise 2: Securing Computer Joins oExercise 3: Managing Computer Account Creation with Best Practices Lab : Administer Computer Objects and Accounts oExercise 1: Administer Computer Objects through their Lifecycle oExercise 2: Administer and Troubleshoot Computer Accounts After completing this module, students will be able to: oUnderstand the relationship between a domain member and the domain in terms of identity and access oIdentify the requirements for joining a computer to the domain oImplement best practice processes for computer joins oSecure AD DS to prevent the creation of unmanaged computer accounts oManage computer objects and their attributes using the Windows Interface and command line tools oAdminister computer accounts through their lifecycle Module 6: Implement a Group Policy Infrastructure This module explains what Group Policy is, how it works, and how best to implement Group Policy in your organization. Lessons oUnderstand Group Policy oImplement a Group Policy oExplore Group Policy Settings and Features oManage Group Policy Scope oGroup Policy Processing oTroubleshoot Policy Application Lab : Implement Group Policy oCreate, Edit and Link GPOs Lab : Explore Group Policy Settings and Features oExercise 1: Use Filtering and Commenting oExercise 2: Mange Administrative Templates Lab : Manage Group Policy Scope oExercise 1: Configure GPO Scope with Links oExercise 2: Configure GPO Scope with Filtering oExercise 3: Configure Loopback Processing Lab : Troubleshoot Policy Application oExercise 1: Perform RSoP Analysis oExercise 2: using the Group Policy Results Wizard oExercise 3: View Policy Events After completing this module, students will be able to: oIdentify the business drivers for configuration management oUnderstand the components and technologies that comprise the Group Policy framework oManage Group Policy objects oConfigure and understand a variety of policy setting types oScope GPOs using links, security group, WMI filters, loopback processing, and Preference targeting oExplain GPO storage, replication, and versioning oAdminister a Group Policy infrastructure oEvaluate GPO inheritance, precedence, and Resultant Set of Policy (RSoP) oLocate the event logs containing Group Policy related events Module 7: Manage Enterprise Security and Configuration with Group Policy Settings This module explains how to manage security and software installation and how to audit files and folders. Lessons oDelegate the Support of Computers oManage Security Settings oManage software with GPSI oAuditing Lab : Delegate the Support of Computers oExercise 1: Configure the Membership of Administrators Using Restricted Groups Policies Lab : Manage Security Settings oExercise 1: Manage Local Security Settings oExercise 2: Create a Security Template oExercise 3: Use Security Configuration and Analysis oExercise 4: Use the Security Configuration Wizard Lab : Manage Software with GPSI oExercise 1: Deploy Software with GPSI oExercise 2: Upgrade Applications with GPSI Lab : Audit File System Access oExercise 1: Configure Permissions and Audit Settings oExercise 2: Configure Audit Policy oExercise 3: Examine Audit Events After completing this module, students will be able to: oDelegate the administration of computers oUse Restricted Groups policies to modify or enforce the membership of groups oUse Group Policy Preferences to modify the membership of groups oConfigure security settings using the Local Security policy oCreate and apply security templates to manage security configuration oAnalyze security configuration based on security templates oCreate, edit, and apply security policies using the Security Configuration Wizard oDeploy security configuration with Group Policy oDeploy software using GPSI oRemove software originally installed with GPSI Module 8: Secure Administration This module explains how to administer Active Directory Domain Services Securely. Lessons oDelegate Administrative Permissions oAudit Active Directory Changes Lab : Delegate Administration oExercise 1: Delegate Permission to create and support User Accounts oExercise 2: View Delegated Permissions oExercise 3: Remove and Reset Permissions Lab : Audit Active Directory Changes oExercise 1: Audit Changes to Active Directory using Default Audit Policy oExercise 2: Audit Changes to Active Directory using Directory Service Changes auditing After completing this module, students will be able to: oDescribe the business purpose of delegation. oAssign permissions to Active Directory objects using the security editor user interfaces and the Delegation of Control Wizard. oView and report permissions on Active Directory objects by using user interface and command line tools. oReset the permissions on an object to its default. oDescribe the relationship between delegation and OU design. oConfigure Directory Service Changes auditing oSpecify auditing settings on Active Directory objects oIdentify event log entries created by Directory Access auditing and Directory Service Changes auditing Module 9: Improve the Security of Authentication in an Active Directory Domain Services (AD DS) Domain This module explains the domain-side components of authentication, including the policies that specify password requirements and the auditing of authentication-related activities. Lessons oConfigure Password and Lockout Policies oAudit Authentication oConfigure Read-Only Domain Controllers Lab : Configure Password and Account Lockout Policies oExercise 1: Configure the Domain`s Password and Lockout Policies. oExercise 2: Configure Fine-Grained Password Policy Lab : Audit Authentication oExercise 1: Audit Authentication Lab : Configure Read-Only Domain Controllers oExercise 1: Install RODC oExercise 2: Configure Password Replication Policy oExercise 3: Manage Credential Caching After completing this module, students will be able to: oImplement your domain password and account lockout policy oConfigure and assign fine-grained password policies oConfigure auditing of authentication-related activity oDistinguish between account logon and logon events oIdentify authentication-related events in the Security log oIdentify the business requirements for RODCs oInstall an RODC oConfigure password replication policy oMonitor the caching of credentials on an RODC Module 10: Configure Domain Name System (DNS) This module explains how to implement DNS to support name resolution both within your AD DS domain and outside your domain and your intranet. Lessons oReview DNS Concepts, Components, and Processes oInstall and Configure DNS Server in an AD DS Domain oAD DS,DNS, and Windows oAdvanced DNS Configuration and Administration Lab : Installing the DNS Service oExercise 1: Add the DNS Server Role oExercise 2: Configure Forward Lookup Zones and Resource Records Lab : Advanced Configuration of DNS oExercise 1: Enable Scavenging of DNS Zones oExercise 2: Create Reverse Lookup Zones oExercise 3: Explore Domain Controller Location oExercise 4: Configure Name Resolution for External Domains After completing this module, students will be able to: oUnderstand the structure role, structure and functionality of the domain name system (DNS) oDescribe client and server name resolution processes oInstall DNS oManage DNS records oConfigure DNS server settings oUnderstand the integration between AD DS and DNS oChoose a DNS domain for an Active Directory domain oCreate a zone delegation for a new Active Directory domain oConfigure replication for Active Directory integrated zones oDescribe the purpose of SRV records in the domain controller location process oUnderstand read-only DNS servers oUnderstand and configure single-label name resolution oConfigure advanced DNS server settings oAudit, maintain, and troubleshoot the DNS server role Module 11: Administer Active Directory Domain Services (AD DS) Domain Controllers This module explains how to add Windows Server 2008 domain controllers to a forest or domain, how to prepare a Microsoft Windows Server 2003 forest or domain for its first Windows Server 2008 DC, how to manage the roles performed by DCs, and how to migrate the replication of SYSVOL from the File Replication Service (FRS) used in previous versions of Windows to the Distributed File System Replication (DFS-R) mechanism that provides more robust and manageable replication. Lessons oDomain Controller Installation Options oInstall a Server Core DC oManage Operations Masters oConfigure DFS Replication of SYSVOL Lab : Install Domain Controllers oExercise 1: Create an Additional DC with the Active Directory Domain Services Installation Wizard. oExercise 2: Add ad Domain Controller from the Command Line oExercise 3: Remove a Domain Controller oExercise 4: Create a Domain Controller from Installation Media Lab : Install a Server Core DC oExercise 1: Perform Post-Installation Configuration on Server Core oExercise 2: Create a Domain Controller with Server Core Lab : Transfer Operations Master Roles oExercise 1: Identify Operations Masters. oExercise 2: Transfer Operations Master Roles Lab : Configure DFS-R Replication of SYSVOL oExercise 1: Observe the Replication of SYSVOL oExercise 2: Prepare to Migrate to DFS-R oExercise 3: Migrate SYSVOL Replication to DFS-R oExercise 4: Verify DFS-R Replicaton of SYSVOL After completing this module, students will be able to: oInstall a standard or read-only domain controller into new or existing domains or trees oAdd and remove domain controllers using a variety of GUI or command-line methods oConfigure a domain controller on Server Core oUnderstand and identify operations master roles oManage the placement, transfer, and seizure of operations master roles oMigrate SYSVOL replication from FRS to DFS-R Module 12: Manage Sites and Active Directory Replication This module explains how to create a distributed directory service that supports domain controllers in portions of your network that are separated by expensive, slow, or unreliable links. Lessons oConfigure Sites and Subnets oConfigure the Global Catalog and Application Partitions oConfigure Replication Lab : Configure Sites and Subnets oExercise 1: Configure the Default Site oExercise 2: Create Additional Sites Lab : Configure the Global Catalog and Application Partitions oExercise 1: Configure a Global Catalog oExercise 2: Configure Universal Group Membership oExercise 3: Examine DNS and Application Directory Partitions Lab : Configure Replication oExercise 1: Create a Connection Object oExercise 2: Create Site Links oExercise 3: Move Domain Controllers into Sites oExercise 4: Designate a Preferred Bridgehead Server oExercise 5: Configure Intersite Replication After completing this module, students will be able to: oConfigure sites and subnets oUnderstand domain controller location and manage domain controllers in sites oConfigure replication of the partial attribute set to global catalog servers oImplement universal group membership caching oUnderstand the role of application directory partitions oConfigure replication topology with connection objects, bridgehead servers, site links, and site link bridges oReport, analyze, and troubleshoot replication with repadmin.exe and dcdiag.exe Module 13: Directory Service Continuity This module explains about the technologies and tools that are available to help ensure the health and longevity of the directory service. You will explore tools that help you monitor performance in real time, and you will learn to log performance over time so that you can keep an eye on performance trends in order to spot potential problems. Lessons oMonitor Active Directory oManage the Active Directory Database oBack Up and Restore AD DS and Domain Controllers Lab : Monitor Active Directory oExercise 1: Monitor Real-Time Performance Using Task Manager and Resource Monitor oExercise 2: Use Reliability Monitor and Event Viewer to Identify Performance-Related Events oExercise 3: Monitor Events on Remote Computers with Event Subscriptions oExercise 4: Attach Tasks to Event Logs and Events oExercise 5: Monitor AD DS with Performance Monitor oExercise 6: Work with Data Collector Sets Lab : Manage the Active Directory Database oExercise 1: Perform Database Maintenance oExercise 2: Work with Snapshots and Recovering a Deleted User Lab : Backup and Restore Active Directory oExercise 1: Back up Active Directory oExercise 2: Restore Active Directory and a Deleted OU After completing this module, students will be able to: oMonitor real-time performance and events with Task Manager, Event Viewer, and Windows Reliability and Performance Monitor oLeverage new features of Event Viewer in Windows Server 2008, including custom views and event subscriptions oMonitor real-time and logged performance with Performance Monitor, data collection sets, and reports oIdentify sources of performance and event information for AD DS domain controllers oCreate alerts based on events and performance metrics oMaintain and optimize the Active Directory database oBack up and restore AD DS and domain controllers oRecover deleted objects and attributes Module 14: Manage Multiple Domains and Forests This module explains how to raise the domain and forest functionality levels within your environment, how to design the optimal AD DS infrastructure for your enterprise, how to migrate objects between domains and forests, and how to enable authentication and resources access across multiple domains and forests. Lessons oConfigure Domain and Forest Functional Levels oManage Multiple Domains and Trust Relationships Lab : Raise Domain and Forest Functional Levels oExercise 1: Raise the Domain Functional Level to Windows Server 2003. oExercise 2: Raise the Forest Functional Level to Windows Server 2003 oExercise 3: Raise the Domain Functional Level to Windows Server 2008 Lab : Administer a Trust Relationships oExercise 1: Configure DNS oExercise 2: Create a Trust Relationship oExercise 3: Validate a Trust Relationship oExercise 4: Assign Permission to Trusted Identities oExercise 5: Implement Selective Authentication After completing this module, students will be able to: oUnderstand domain and forest functional levels oRaise domain and forest functional levels oIdentify capabilities added by each functional level oDesign an effective domain and tree structure for AD DS oIdentify the role of the Active Directory Migration Tool, and the issues related to object migration and domain restructure oUnderstand trust relationships oConfigure, administer, and secure trust relationships