Chapter Deploying Certificates
1. Assume that a custom version 2 certificate template is created for code signing that requires CA certificate manager approval. What enrollment method should you use for deploying the custom code signing certificates to the three members of the Quality Assurance team? The Certificate Services Web Enrollment site method is recommended because the Web site implements cookies to allow the user to return and complete a pending certificate request. 2. Assume that a custom version 2 certificate...
Active Directory Hosting Its Own DNS Namespace
The next option is similar in design to the option just described, with the exception that the Active Directory namespace connects to another internal rather than an external namespace. Active Directory-integrated zones can be used for the Active Directory namespace, but in the event that the Active Directory-integrated namespace needs to replicate with a non-Active Directory namespace, standard zones must be used for replication between the Active Directory namespace and the third-party...
Understanding Group Policy
The change-control tool on Windows Server 2003 is the Group Policy Object Editor (GPOE, or just GPE). Shown in Figure 14-2, this application is an MMC snap-in from which policy can be applied to the security principals (computers, users, and groups) of a Windows 2000 and Windows Server 2003 network.
[Figure 14-2: the Group Policy Object Editor console tree, showing Computer Configuration with Software Settings, Windows Settings, and Administrative Templates]
Multimedia Logon and Authentication
This activity presents information about: the difference between local and domain authentication; how to perform a secondary logon; the contents of an access token; and file location. To start the Logon and Authentication activity, open the Web page on the Student Materials compact disc, click Multimedia, and then click the title of the activity. Questions: Review the information and processes in Logon and Authentication, and then 1. What is the difference between authentication of a local logon and...
Failover Cluster Infrastructure Requirements
Failover clusters depend on infrastructure services and require that each server node be in the same Active Directory domain; if you use DNS, the nodes should use the same Domain Name System (DNS) servers for name resolution. We recommend that you install the same Windows Server 2008 features and roles on each node. In addition, you should not install the Active Directory Domain Services (AD DS) role on any of the cluster nodes. If you install the AD DS role on one of the nodes, you must...
The Cluster Validation Test Storage
The storage test validates disk access latency and SCSI device vital product data (VPD). The storage tests list and test the capabilities of all disks available to the cluster. These tests are comprehensive; however, some specific tests may not run after the cluster is running or in a multi-site cluster. The Validate a Configuration Wizard performs the following storage validation: it lists all disks that are visible to one or more tested servers. The test lists disks that can support clustering and can...
Guidelines for Placing the Infrastructure Master
The infrastructure master does not need to be a highly available or high-capacity domain controller, and it should not host the global catalog. The infrastructure master is responsible for making fast updates of cross-domain references, such as membership changes in a group that contains user accounts from other domains. There is only one infrastructure master in a domain. Apply the following guidelines to determine the placement of the infrastructure master: Do not require that the...
For more information, see What's New in Failover Clusters in Windows Server
Storage features include the following: Parallel SCSI, which previous versions of server clusters supported, is no longer supported for shared disk devices in a failover cluster. In Windows Server 2008, the cluster disk driver is a stand-alone component that communicates with the Partition Manager driver (PartMgr.sys) for managing clustered disks. During the installation process, the driver is registered as a system Plug and Play (PnP) device and is started during the normal Windows...
How to Create User Accounts
Your instructor will demonstrate how to create a domain user account and create a local user account. Introduction: Domain user accounts enable users to log on to a domain and access resources anywhere on the network, and local user accounts enable users to log on and access resources only on the computer on which you create the local user account. As a systems administrator, you must create domain and local user accounts to manage your network environment. Important: You cannot create local...
What Is a User Account Template
A user account template is a user account that contains the properties that apply to users with common requirements. User account templates make creating user accounts with standardized configurations more efficient. Definition: You can simplify the process of creating domain user accounts by creating a user account template. A user account template is an account that has commonly used settings and properties already configured. Using account templates: For each new user account, you only...
WSUS on Disconnected Networks
Some organizations have networks partitioned from the Internet but which also host computers that need updates regularly applied. Although you can apply updates to all these computers manually, some isolated networks have so many hosts on them that such an approach is impractical. In this situation, you can deploy WSUS in disconnected mode, which enables you to use WSUS when the WSUS server is unable to obtain updates from an upstream server. In essence, you transfer updates and metadata from...
Delegation and Security Issues
You have two methods for transferring administrative permissions to selected users: you can use the Delegation of Control Wizard, or you can add access control entries (ACEs) to the discretionary access control lists (DACLs) of individual OUs. The Delegation of Control Wizard appears to be easier to use (although this is rather subjective). This wizard takes you step-by-step through the delegation process, whereas manual configuration is more susceptible to human error and may take more time. To delegate...
Capturing Data with Network Monitor
To capture network data from the Network Monitor interface, click Create A New Capture Tab. Clicking Play starts a capture, clicking Pause pauses a capture, and clicking Stop finishes a capture. You are most likely to use Network Monitor when trying to diagnose a network-related problem with the server on which you have installed the network monitor. When doing this, start a Network Monitor capture, attempt to replicate the problem, finish the capture, and then analyze the capture data....
Domain Modes and Functional Levels
Let us first discuss certain general domain and forest functionalities that, to some degree, are common for both Windows 2000 and Windows .NET domains. Windows 2000 domains can operate in either the default mixed mode (when a domain can contain Windows NT 4.0 Backup Domain Controllers, BDCs) or native mode (when a domain contains only Windows 2000-based domain controllers). When a domain's mode is changed to native, the following considerations should be taken into account: Domain controllers (DCs) no longer...
What Are Domain Functional Levels
Definition: The characteristics of groups in Active Directory depend on the domain functional level. Domain functionality enables features that will affect the entire domain and that domain only. Three domain functional levels are available: Microsoft Windows 2000 mixed, Windows 2000 native, and Microsoft Windows Server 2003. By default, domains operate at the Windows 2000 mixed functional level. You can raise the domain functional level to either Windows 2000...
Server Specifications
This section displays high-level information about the server hardware, including the processor type and frequency, and the total amount of RAM. It also displays the operating system name and OS service pack number that is installed on the server. Both the OS name and service pack number are collected from WMI, not from the monitoring database, when the report is generated. If the server has multiple CPUs, the report lists a single string with the CPU information separated by commas. If...
Objective Answers
A. Incorrect: This command has the correct distinguished name syntax but is missing the computer keyword.
B. Incorrect: This command has the correct computer keyword but does not list the computer to be reset with the correct distinguished name syntax.
C. Incorrect: This command omits the computer keyword and fails to use the correct distinguished name syntax.
D. Correct: This command correctly uses the computer keyword and distinguished name syntax.
A. Incorrect: This action would be appropriate...
Testing the High CPU Usage Alert
In this exercise, you will test the high CPU usage alert. Start the CPU Stress program. In Performance, view System Monitor. In the CPU Stress dialog box, change the activity for Thread 1 to Maximum. When the CPU usage exceeds 50%, the alert will trigger a message every 5 seconds. Close CPU Stress to stop the messages.
Application isolation settings
Earlier versions of IIS can host Web sites and applications in pooled or isolated process configurations. For information about how to view the current application isolation mode, see View Application Isolation Configuration in IIS Deployment Procedures in this book. If you are running IIS 4.0 on Windows NT Server 4.0, your applications are isolated in one of the following ways: In-process (running in-process with Inetinfo.exe) or Isolated (running under MTS). If you are running IIS 5.0 on Windows 2000,...
Backup Operator
Performs backups of the CA database, the CA configuration, and the CA's private and public key pair (also known as a key pair). Note: If the CA's private and public key pair is stored on a hardware security module (HSM), backup operators can only back up the CA key pair if the HSM's security context allows this ability. You can use one of the following methods to perform the backup of CA information: Windows Server 2003 backup utility. By including the System State in the backup set, you ensure...
Delegating Administrative Control
One of the most remarkable features that Active Directory realizes is the possibility of delegating all or part of administrative power over an OU or a directory container to a group or a user (in both Windows 2000 and Windows .NET domains). Delegation of control is essentially the same thing as wizard-aided granting of permissions on Active Directory objects to a user or group. You can manually assign the permissions necessary for performing this administrative task to a user or group, but this...
Configure Group Policy to Support EFS
In this exercise, you will configure Group Policy settings relating to EFS. Ensure the 2823_DC1 and 2823_Client1 virtual machines are started. Perform tasks from the 2823_Client1 virtual machine as the user Don Hall unless otherwise directed. Don Hall's username is donh@cohovineyard.com and his password is P@ssw0rd. Don Hall does not have any administrative rights. Perform all administrative tasks by using the RUNAS command or the secondary logon service. When performing administrative tasks,...
Group Scopes
Each group in Windows Server 2003 has a scope attribute, which determines which security principals can be members of the group and where you can use that group in a multidomain or multiforest environment. Windows Server 2003 supports the following group scopes. Tip: Security groups do everything distribution groups do, and more. However, distribution groups should be used whenever possible because they do not become part of a user's security token. This makes the authentication process quicker...
Intersite Replication Essentials
While intrasite replication is focused on speed, intersite replication is focused on efficiency. The primary goal of intersite replication is to transfer replication information between sites while making the most efficient use of the available resources. With efficiency as a goal, intersite replication traffic uses designated bridgehead servers and a default configuration that is scheduled rather than automatic, and compressed rather than uncompressed. With designated bridgehead servers, the...
Terminal Services Gateway
Terminal Services Gateway enables you to access RDP servers on your protected network from clients on the Internet without implementing a full VPN solution. Although you will use this technology primarily to grant remote access to Terminal Services servers, it is also possible to allow Remote Desktop access to clients and servers through TS Gateway. Hence, a person can connect from his or her home computer over the Internet to his or her workstation or to a Terminal Services server in the...
Microsoft Cluster Server relies heavily on the underlying components
- Local and shared storage
- Multi-homed networks
- Fibre Channel, SSA, or ServeRAID
- Systems management software
- Microsoft Cluster Administrator
- IBM Cluster Systems Manager (ICSM)
Microsoft Cluster Server relies heavily on properly configured hardware and software. It is important, therefore, that you configure and test each device and software application before attempting to install MSCS. The same is true for determining problems. MSCS is designed to interact with the hardware and software...
Controlling Printer Security
Windows Server 2003 allows you to control printer usage and administration by assigning permissions through the Security tab of the printer's Properties dialog box. You can assign permissions to control who can use a printer and who can administer the printer or documents processed by the printer. A typical printer Security tab of a printer's Properties dialog box is shown in Figure 8-5.
[Figure 8-5: the Security tab of a printer's Properties dialog box, listing group or user names such as Administrators]
Publishing to Active Directory
The certificate object is published automatically into the CN=AIA,CN=Public Key container as a CrossCA object. The certificate is never distributed to the target CA in the other organization's CA hierarchy. Instead, it is downloaded via autoenrollment to all domain member computers so that the Cross Certification Authority certificate can be used to build certificate chains between the two CA hierarchies. This allows recognition of the partner CA's certificates that meet the qualified...
Identifying DNS Record Requirements
Address record: Maps an FQDN to a 32-bit (IPv4) address.
IPv6 address record: Maps an FQDN to a 128-bit IPv6 address.
ATM address record: Maps a DNS domain name in the owner field to an ATM address referenced in the atm_address field.
ISDN record: Maps an FQDN to an ISDN (RFC 1183) telephone number.
KEY record: Contains a public key that is associated with a zone. In a full DNSSEC implementation (defined later in this chapter), resolvers and servers use KEY resource records to authenticate SIG resource records received from signed zones. KEY resource records are signed by...
CommandLine Method
To install the NAS components from a command line: 1. If you're installing from the CD, insert the Server Appliance Kit 3.0 CD into the CD-ROM drive. Alternatively, you can install from a network directory. 2. At a command prompt, type the following (note that while the syntax is printed here on multiple lines, this is actually a single command):
msiexec /i path\sasetup30.msi ARPHELPLINK=support_URL /qn
path: The fully qualified path of the NAS sasetup30.msi file. If the sasetup30.msi file is in the...
Note Semantic Database Analysis
You can optionally carry out a further check on the Ntds.dit database by performing a semantic database analysis. This analyzes data with respect to Active Directory semantics, similar to checking a program file for syntax errors. To carry out this check directly after you have checked integrity, type quit to exit from the file maintenance prompt. At this point, the AD DS database is still stopped, and the active instance is set to ntds. Enter semantic database analysis, followed by go fixup....
ADSI Access to User Parameters
Under Win2K, the only Terminal Services parameter of a user object that was accessible from the command line was the Terminal Services Profile Path attribute; accessing this attribute required the TSPROF tool. WS2K3 exposes all Terminal Services attributes to ADSI. Using the Windows Script Host (WSH) and your preferred scripting language, you can now easily configure users' Terminal Services settings. I'll discuss the ADSI objects and provide some sample scripts in Chapter 4, but for now, here is...
Designing Applications and Proper Bandwidth
What will you be running on this cluster? This is going to bring you back to planning your hardware solution appropriately. In each of the following chapters, you'll be given a set of basic requirements, which you'll need to get your job done with the solution you're implementing. Of course, when you add services on top of the cluster itself, you'll also need to consider adding resources to the hardware. You should also consider the bandwidth connections based on the application. Bandwidth and...
Figure Unidirectional trust relationship between two domains
When the trust is mutual, the trust relationship becomes bi-directional, or two-way. Bi-directional trust enables the users or devices in each domain to access resources in the other's domain (see Figure 3-3). Windows NT trusts are limited by the underlying database and security technology, which endows the operating system with a less than suitable cognitive ability. In other words, Windows NT domains are always mistrusting and, as such, whenever two domains need to interoperate, explicit...
For the Default Web Site
1. Disable socket pooling by setting MD_DISABLE_SOCKET_POOLING at the W3SVC level.
2. Modify the IIS metabase to only listen on the IP address of the internal network adapter, and include support for the localhost alias by adding the 127.0.0.1 IP.
3. Configure IIS to allow a maximum of 500 concurrent connections.
For the SharePoint Web Site
1. Disable socket pooling by setting MD_DISABLE_SOCKET_POOLING at the W3SVC level.
2. Modify the IIS metabase to only listen on the IP address of the...
Group Policy User Security
You can find the associated security policies in the Computer Configuration section, under Policies | Windows Settings | Security Settings | Account Policies, which contains three main groups of settings: Password Policy, Account Lockout Policy, and Kerberos Policy. Let's reiterate once again that these settings cannot be modified at an organizational unit or site level; the settings defined in the domain policy will become effective. Password policy, account lockout policy, and Kerberos policy were reviewed...
Enabling ActiveX Controls
The Certificate Services Web Enrollment site must be defined as a Local intranet site for all computers in the forest. This allows the automatic passing of authentication credentials to the CA by using Windows Integrated authentication. In addition, the download settings for ActiveX controls must be modified to allow the activation and use of the required ActiveX controls. Note: For smart card deployment, the ActiveX control settings are only required at the smart card enrollment station. But, if...
Troubleshooting WINS Servers
Troubleshooting WINS server problems can be largely avoided by making sure you understand and correctly set up and configure your WINS database topology. Following are a few key clues that you may come across that point to a server-side WINS problem. All of these were discussed throughout the chapter, so we just reference them here as things to be aware of when troubleshooting your WINS server. To go over the configuration steps refer back to the related section of the chapter. WINS replication...
Namespace Considerations
AD uses the DNS namespace as the basis for naming AD domains. Careful planning of the namespace will invariably make it easier to expand AD into new trees and domains, and will also make it easier to access resources using intuitive names. Ease of adding child domains as your network grows will prove critical in the Active Directory namespace life cycle. Choosing a naming structure most appropriate for your organization will undoubtedly be influenced by the business factors. Obviously, domain...
Terminal Services Manager
When you launch the Terminal Services Manager administrative tool, you are presented with a list of all servers that have Terminal Services enabled in the domain. Using this tool, you can easily see to which servers users are connected, from which client devices they're accessing the servers, and which processes and applications they are running in their sessions. Figure 4.16 shows the Terminal Services Manager interface.
[Figure 4.16: the Terminal Services Manager interface, showing the RDP-Tcp listener and Console sessions on server TS2K3]
Determining the Host Capacity of a Network
To determine the host capacity of a network whose subnet mask is expressed in slash notation as /n, use the following formula: c = 2^(32-n) - 2, where c represents the number of computers that can be accommodated by a given network, and n represents the number of bits in the network ID of that network. For example, in a /20 network, n = 20. Therefore c = 2^(32-20) - 2, or 2^12 - 2, or 4096 - 2, or 4094. So, a /20 network can accommodate 4094 computers. Here is another example: In a /28 network, n = 28. Therefore,...
More Info Windows Authentication
To learn more about Windows authentication, see the following page on TechNet
Quick Check
1. What is the default authentication protocol Windows Server 2008 uses in a domain environment?
2. To which Active Directory objects can you apply fine-grained password policies?
Quick Check Answers
1. Kerberos version 5 is the default authentication protocol. NTLMv2 is used when Kerberos version 5 cannot be used.
2. Fine-grained password policies can be applied to user accounts and global security groups.
Understanding Automatic Private IP Addressing (APIPA)
12. You are the systems administrator for a small network of fewer than 10 users on a single network segment, which is configured for peer-to-peer network resource sharing. You are using Windows XP and Windows 2000 on all of your client desktops, and you decide to avoid the hassle of installing DHCP or manually configuring static IP addresses by using APIPA. You are using two file servers, both running Windows Server 2003, which also have the ability to use APIPA. Everything is running smoothly...
Extending a Basic Volume
Even though you cannot use Disk Management to extend a basic volume, let's open it anyway so that we can see our volume as it gets extended. We will use diskpart.exe to actually do the extending. For this exercise we will be extending the primary partition F on Disk 2. 1. Open Computer Management by right-clicking My Computer and choosing Manage. 2. Expand Storage and click Disk Management. This will give you the window shown in Figure 2.37. Use this window to see the before and after of...
Scenario RRAS Passes Requests to Another DHCP Server
Scenario 2 assumes that you have chosen the Dynamic Host Configuration Protocol (DHCP) radio button in Figure 3.41. When you choose this option, all DHCP lease traffic is sent through the RRAS server by means of the DHCP Relay Agent. The DHCP server configured in the DHCP Relay Agent's properties is responsible for carrying out the entire DHCP lease process with the client, again by means of the DHCP Relay Agent. Both the client IP address and all IP configured options are distributed by the...
Managing Shares with the Shared Folders Utility
Shared Folders is a computer management utility for creating and managing shared folders on the computer. The Shared Folders window displays all of the shares that have been created on the computer, the user sessions that are open on each share, and the files that are currently open, listed by user. To access Shared Folders, select Administrative Tools > Computer Management, expand System Tools, and then expand Shared Folders. In the following sections you will learn how to use the Shared...
The Sybex Test Engine
This is a collection of multiple-choice questions that will help you prepare for your exam. There are three sets of questions: two bonus exams designed to simulate the actual live exam, and all the questions from the Study Guide, presented in a test engine for your review. Here is a sample screen from the Sybex MCSE test engine.
Establishing an IPsec Connection
The Internet Key Exchange (IKE) protocol establishes SAs dynamically between IPsec peers. IKE sets up a mutually agreeable policy that defines the SA. This policy defines security services, protection mechanisms, and cryptographic keys between communicating peers. In establishing the SA, IKE provides the security keys and negotiation for the AH and ESP IPsec security protocols. IKE performs a two-phase negotiation operation, each phase with its own SAs. Phase 1 negotiation is known as main...
Adding Counters in the Performance Monitor
1. Open Reliability and Performance Monitor, either by clicking Start > Administrative Tools > Reliability and Performance Monitor, or by clicking Start > Run, typing perfmon, and pressing Enter.
2. In the console tree, click Monitoring Tools > Performance Monitor. This will open the Performance Monitor.
3. Click the green plus sign in the Details pane; the Add Counters screen should come up and start loading a list of counters.
4. Now it's time to select the counters. We will be setting up counters to help us set up a...
Understanding How EFS Works Under the Hood
Instead of using passwords that the user must remember each time he or she wants to access a file, EFS uses a system of keys based on public key technology. When a user encrypts a file on an EFS-enabled NTFS volume, several keys are created related to the file. First, if the user does not have a digital certificate suitable for EFS, one is automatically created by the system, which also generates a public key for the user based on the certificate. Next, a randomly generated key is created and...