Adding Counters in the Performance Monitor

1. Open Reliability and Performance Monitor either by clicking Start | Administrative Tools | Reliability and Performance Monitor or Start | Run. Type perfmon and press Enter. 2. In the console tree, click Monitoring Tools | Performance Monitor. This will open the Performance Monitor. 3. Click the green plus sign in the Details pane and the Add Counters screen should come up and start loading a list of counters. 4. Now it's time to select the counters. We will be setting up counters to help us set up a...

Windows Server and Routing

Routing is one element that helps to ensure successful network traffic flow. It has always been the framework for a functional logical network regardless of which version of Windows Server you may be working on. Because of this, Microsoft has taken some time to improve the overall ease of use for routing with this latest version. As you are probably aware, Windows Server 2003 used the Routing and Remote Access Service (RRAS) to handle many of the configuration needs for routing in the past....

Figure Windows Server DHCP Configuration

You have to provide a prefix to create the scope. You also have the option of providing a preference value for the scope. Enter the IPv6 Prefix for the addresses that the scope distributes and the preference value for the scope. A. The Preference Value is incorrect. It must be set to 1 for all addresses that use the 64 option. B. The Prefix Value is incorrect. It cannot begin with 0 0 0 . C. The Prefix Value is too long. It should contain fewer digits. E. The Prefix value and Preference values are...

Analyzing Certificate Needs within the Organization

We've just concluded a tour of most of the properties associated with a CA, but knowing what you can do does not mean that we know what you should do. To find out more about what you should do, you need to analyze the certificate needs of your organization, and then move on to create an appropriate CA structure. According to Microsoft's TechNet, the analysis of certificate needs springs primarily from the analysis of business requirements and the analysis of applications that benefit from...

Routing Internet Protocol RIP

The RIP was once the most commonly used Interior Gateway Protocol (IGP) on internal networks. It was also commonly used on networks connected to the Internet. RIP was used to help routers dynamically adapt to the variety of changes made to network connections. It accomplished this by relaying information about which networks each router had access to, and the distance those networks were from each other. Although RIP is still actively used and has an important place in some networks, it is...

Configuring Local IPv Settings

The Windows Server 2008 computer's network interface card can be configured with IPv4 and IPv6 addressing (see Exercise 8.1). As you know, you can access the computer's network settings in any one of several ways. Figure 8.1 shows the Local Area Connection Properties dialog box. IPv4 and IPv6 are both installed and enabled by default in Windows Server 2008 due to the implementation of Next Generation TCP/IP stack, which supports a dual IP stack sharing common transport and framing layers. If for...

Exam Objectives Frequently Asked Questions

Q: What is the big deal about raising the functional levels of my domains and forests? Shouldn't I raise the levels as soon as they meet the prerequisites? A: No. Remember that functional levels, once raised, cannot be lowered again. In addition, some situations are better suited to skipping a level, rather than raising to one level and then the other. In this case, known future restructuring and upgrade activities should be considered before raising functional levels. Q: How much of the Active...

Creating a Standard Primary Forward Lookup Zone

Follow these steps to create a primary, forward lookup zone: 1. Open DNS Manager by clicking Start | Administrative Tools | DNS. 2. In the left pane, expand the node representing the server you want to configure, right-click Forward Lookup Zones, and click New Zone... 3. Read the welcome page of the New Zone Wizard dialog box and click Next. 4. On the Zone Type wizard page, leave the default selection of Primary zone and click Next. See Figure 2.11. Figure 2.11 The Zone Type Wizard Page The DN...

Adding Root Hint Records

Follow this procedure to add a new Root Hint: 1. Open DNS Manager by clicking Start | Administrative Tools | DNS. 2. In the left pane, right-click the server you want to configure and select Properties. 3. Click the Root Hints tab to bring it forward. See Figure 2.2. 5. In the New Name Server Record dialog box, type the fully qualified domain name (FQDN) in the Server fully qualified domain name (FQDN) text box, and click Resolve. See Figure 2.3. Figure 2.3 The New Name Server Record Dialog Figure 2.3...

Self Test 1

1. You are the administrator for a Windows Server 2008 network. You've been tasked with designing a secure facility and have recommended that it be isolated from the Internet. Which of the following do you recommend for DNS? Select all that apply. A. You recommend a private DNS infrastructure with internal root hints servers. B. You recommend the use of AD integrated zones. C. You recommend the use of secure dynamic updates. D. You recommend the use of secondary zones. 2. You are the...

The Task Manager

along with what processes and executables are using resources, causing strain on a DC. You can pull up the Task Manager in quite a few ways. The easiest way is to just click Start | Run and type taskmgr.exe and press Enter. Other ways to launch the Task Manager include right-clicking the task bar and selecting Task Manager, pressing Ctrl+Shift+Esc, and pressing Ctrl+Alt+Delete and selecting Start Task Manager. The Task Manager is very useful for administrators looking for an immediate view of...

Figure DHCP IPv Scope Prefix Dialog Box

You have to provide a prefix to create the scope. You also have the option of providing a preference value for the scope. Enter the IPv6 Prefix for the addresses that the scope distributes and the preference value for the scope. The preference value is optional and it sets the preference for a particular scope, meaning addresses will be assigned from the scope with the lowest preference first. This is an optional setting. Unless you're sure how to use this feature, leave the default value at 0....

IPsec Settings

If you click the IPsec Settings tab in the Windows Firewall with Advanced Security Properties dialog box, you'll be able to access the IPsec settings, as shown in Figure 8.28. The key exchange using ISAKMP (if you recall the earlier discussion of IPsec basics) is the main mode. You can use the default settings or customize these settings by clicking the radio button to the left of Advanced, then clicking the Customize button, which will be enabled if you select Advanced. The quick mode for data...

Figure Replmons Default Screen

Add Monitored Server Wizard

Active Directory Replication Monitor Right-click on the Monitored Servers icon in the upper left. You now have the option to Add Monitored Server. In the Add Monitored Server Wizard you have the choice to explicitly type in the name of the DC you want to add or enter a name of a domain within the forest from which to read site data. Figure 5.68 shows that we have decided to search the directory for a server and that our domain is MMA.LOCAL. Once you've done this select Next. Figure 5.68 The Add...

To configure IPv settings click to select Internet Protocol Version TCPIPv then

an IP address automatically so the client can utilize the DHCP server for dynamic addressing. In the case of a server, however, you typically choose a static IP address. We'll discuss creating a reservation within the DHCP server scope later in this chapter. You create a reservation on the DHCP server to ensure that the static IP address assigned to this server is not used by any other computer on the network. As you can see in this example, the server is manually configured to use 192.168.0.91...

Bridgehead Servers

A bridgehead server is a server that is mainly used for intersite replication. You can configure a bridgehead server for every site that is created for each intersite replication protocol. This helps to control the server that is used to replicate information to other servers. To configure a server as a bridgehead server, follow these steps: 1. Choose Start | Administrative Tools | Active Directory Sites and Services. 3. Expand the site in which a bridgehead server has to be created, and then expand...

Account Lockout Policy

Account lockout is used to prevent successful brute force password guessing. If it's not enabled, someone can keep attempting to guess username/password combinations very rapidly using a software-based attack. The proper combination of settings can effectively block these types of security vulnerabilities. The default domain account lockout policy contains the following configurable settings. The default settings for each and their location within Active Directory appear in Figure 6.19. Account...

The preceding command returns the queue of inbound replication requests that a

Table 5.5 Continued. RepAdmin Commands Triggers immediate replication of the specified directory partition to a target DC from a source DC. Example: repadmin /replicate SIGMA FMEA DC=MMA,DC=com The preceding command replicates the MMA naming context from the SIGMA DC to the FMEA DC. Replicates a single object between two DCs that share common directory partitions. Example: repadmin /replsingleobj SIGMA FMEA cn=swhitley,ou=sales,dc=MMA,dc=com The preceding command triggers replication of the...

What Is New in the AD DS Installation

AD DS has several new installation options in Windows Server 2008, including the following: Global Catalog (GC) servers. New OS installation options include Full Install and Core Server Install. The first thing you must do when adding a Windows Server 2008 DC to a Windows 2003 forest is to prepare the forest for the Windows 2008 server by extending the schema to accommodate the new server. To prepare the forest for Windows Server 2008, run the following command: adprep /forestprep. To prepare the...

Prerequisites and Preparation

Certification as an MCSA on Windows Server 2003 is a mandatory prerequisite for taking Exam 70-648. Preparation for this exam should include the following: Visit the Web site at www.microsoft.com/learning/exams/70-648.mspx to review the updated exam objectives. Work your way through this book, studying the material thoroughly and marking any items you don't understand. Answer all practice exam questions at the end of each chapter. Complete all hands-on exercises in each chapter. Review any...

IPsec Using the Command Line

As with many other functions in Windows Server 2008 management, you can configure IPsec policy via the command line. This section briefly outlines some of the more commonly used IPsec commands. However, you may want to explore the command line options for IPsec on your own so you're familiar with these options. You can configure static mode and dynamic mode options, as shown in Table 8.4. You can type netsh ipsec to get a full list of command line options related to IPsec. Table 8.4 IPsec...

Using the New GlobalNames Zone Feature

There are two primary forms of name resolution on Windows networks: NetBIOS and DNS. NetBIOS name resolution goes back to the early days of Windows. Recent operating system releases from Microsoft increasingly have moved away from it toward DNS. Although still in wide deployment, Microsoft's NetBIOS name resolution services do not support IPv6. Windows Server 2008 is the first server release from Microsoft that deeply integrates IPv6 technology into all aspects of the operating system and its...

PE APM SC HAPv

Extended Authentication Protocol-Transport Layer Security (EAP-TLS) and Protected Extended Authentication Protocol-Transport Layer Security (PEAP-TLS) are used in conjunction with Public Key Infrastructure (PKI) and computer certificates, user certificates, or smart cards. Using EAP-TLS, a wireless client sends its certificate (computer, user, or smart card) for authentication and the RADIUS server sends its computer certificate for authentication. By default, the wireless client authenticates the...

Enabling Clients to Use KMS

When deploying clients and servers from volume license media, they will look for a KMS host to process their activation request. This is done through automatic service location using an SRV record in the primary domain or through a specified IP address. When the system is joined to the domain it will first look in the domain's DNS zone. If the system runs in workgroup mode it will search DNS based on the primary DNS suffix of the machine, or the one assigned via DHCP option 15. If neither of...

Creating Conditional Forwarders

To specify one or more domains for conditional forwarding, follow these steps: 1. Open DNS Manager by clicking Start | Administrative Tools | DNS. 2. In the left pane, expand the node representing the server you want to configure, right-click Conditional Forwarders, and select New Conditional Forwarder... See Figure 2.7. Figure 2.7 Creating a New Conditional Forwarder 3. In the New Conditional Forwarder dialog box, in the DNS Domain text box, type the name of the domain you want queries forwarded to....

the Active Directory Infrastructure

1. A large company has just merged with yours. This organization has recently converted its internal network from IPv4 addressing to IPv6 to support a number of new network applications that required it. You must now begin to plan for IPv6 support on your own internal network. You are creating training materials for your junior networking staff. Which of the following features is built into IPv6 that was not required in IPv4? A. Classless Inter-Domain Routing (CIDR) B. IP Security through the use...

Restricted Groups

The Restricted Groups object allows you to exert some control over group membership using group policy. By default, no groups are configured for management in any default or new GPO, so the first step is to choose which groups you want to manage using the policy. Microsoft recommends primarily using restricted groups to manage critical security groups such as Enterprise and Schema Admins. Once a group has been added for management, two configuration options apply to it: Members of this group This...

Configuring RMS

Configuring Rights Management Server 1. Select Start | Administrative Tools | Internet Information Services (IIS) Manager. We installed the IIS role earlier in this chapter. In the details pane, double-click Server Certificates. In the Common name field, type the FQDN name of your server (Figure 3.14). Figure 3.14 Creating a Domain Certificate 6. In the Organization field, enter a company name. 7. In the Organization Unit field, enter a division. 8. In the...

Lists all known DCs

Table 5.4 Continued. Replmon Options Described Show Replication Topologies Show Group Policy Object Status Show Global Catalog Servers in Enterprise Show Attribute Meta-Data for Active Directory Object Shows a graphical view of the replication topology Lists all the Domain's Group Policies and their respective Active Directory and SYSVOL version numbers Two options are available In This Server's Site and In the Enterprise. Will show bridgehead servers based on information provided by the...

Supernetting

Another IP innovation that was developed prior to the implementation of IPv6 is supernetting. Supernetting is the combining of several smaller Class C networks into one larger network in order to accommodate the need for a network larger than Class C but not as large as a Class B. It is, in essence, the opposite of subnetting. This is also called Classless Inter-Domain Routing (CIDR) and is used to express a range of Class C networks as a single route. A supernetted subnet mask contains fewer...

SID Filtering

Security principal is a term used to describe any account that has a SID automatically assigned. Examples of security principals are users, groups, services, and computers. Part of each security principal is the domain SID to identify the domain in which the account was created. SID filtering uses the domain SID to verify each security principal. If a security principal includes a domain SID other than one from trusted domains, the SID filtering process removes the SID in question. This is done...

Offline Defrag and Compaction

Active Directory's database file is ntds.dit, and it is based on the Extensible Storage Engine (ESE) and is located in C:\Windows\NTDS. One of the biggest reasons, if not the only reason, to defrag/compact the ntds.dit file is if you are running low on disk space. Depending on the size of your environment, the ntds.dit file can grow to more than 6 GB in size, even though the database within it may only be 1 GB. Back in the days of Windows 2000 and Windows Server 2003, we had to perform offline...

Self Test Quick Answer Key

With the KMS key installed you can activate the KMS host using either online or

SCRIPT SYSTEMROOT SYSTEM32 SLMgr.vbs ato 4. To activate the host using the telephone, open a command prompt and execute the following command Both MAK and KMS keys are broken into groups to simplify activation. Each group applies to a specific set of products. MAK keys will activate only products within the group, whereas KMS keys are hierarchical, meaning that they will activate products within the group and lower groups as well. The groups are listed in Table 1.5. Since KMS keys are...

Exercise

1. Open Windows Explorer by clicking Start | Computer. 2. Navigate to your systemroot folder, probably C:\Windows. 3. Select the PolicyDefinitions folder and press CTRL+C to let Windows know you want to copy it. 4. Navigate to your SYSVOL folder's Policies folder, probably C:\Windows\SYSVOL\sysvol\<Your Domain Name>\Policies. 5. Press CTRL+V to finish copying the PolicyDefinitions to this location. 6. When the folder has finished copying, open it and verify that the ADMX files and at least one...

Exercise 1

1. In Windows Server Backup go to the Actions pane and select Backup Schedule. This will kick off the Backup Schedule Wizard. Figure 5.6 The Backup Schedule Wizard's Getting Started Screen 2. Next you're asked what type of configuration you want to schedule. You can select Full Server or you can select Custom, as shown in Figure 5.7. The full server configuration will back up all data, applications, and system state. Selecting...

Server and Domain Isolation

As an experienced network administrator, you're probably familiar with the concept and practice of isolation. You know that you can physically and/or logically isolate network segments for a variety of reasons. You can use these segments to speed up the network by keeping local traffic local or you can use these segments as a way to increase network security. In a Windows Server-based network, you can isolate server and domain resources to limit access to authenticated and authorized computers...

The Windows Reliability and Performance Monitor

The Windows Reliability and Performance Monitor allows administrators to monitor application and hardware performance in real time and customize data they want to collect in logs, predefined thresholds for alerts, and automatic actions. Administrators can generate reports and view past performance data in a variety of ways. The Windows Reliability and Performance Monitor is a combination of previous tools such as Performance Logs and Alerts, Server Performance Advisor, and System Monitor. It...

Configuring IPv Settings

When you access the local area connection properties of the Windows Server 2008 computer, you also have the option of configuring IPv6 settings if IPv6 is installed (it is installed by default in Windows Server 2008, so it should be there). You should be able to access IPv6 settings from the Local Area Connection Properties dialog box. If IPv6 is not shown, the protocol is not installed. Click the Install button and follow the on-screen prompts to install IPv6. Then, access the Local Area...

Windows System Resource Manager

Sometimes an application, process, or service will take up a majority of the CPU cycles to the point that it affects everything else running on the server. To combat that, Microsoft has provided a feature in Windows Server 2008 called Windows System Resource Manager (WSRM). WSRM provides an interface where administrators can configure how both processor and memory resources are allocated among applications, services, and processes. The ability to do this allows administrators to ensure server...

Self Test

1. You've just finished installing a new Windows Server 2008 DC. It is the policy of the IT department to perform a full backup of newly installed DCs. You click on Start | Administrative Tools | Windows Server Backup. When Windows Server Backup loads you see the following screen. What do you need to do to ensure that the backup takes place? B. Install the Windows Server Backup feature C. Go to a command prompt and run wbadmin.exe D. Boot into DSRM and conduct the backup from there 2. You are...

Understanding Replication

Replication is defined as the practice of transferring data from a data store present on a source computer to an identical data store present on a destination computer to synchronize the data. In a network, the directory data must live in one or more places on the network to be equally available to all users. The Active Directory directory service manages a replica of directory data on one or more DCs, ensuring the availability of directory data to all users. The Active Directory works on the...

Understanding GC Replication

You know now that GC servers hold information for all of the objects in their own domains and a partial copy of the objects from other domains in the forest. For this to be possible, some type of replication has to happen between the GC servers. The default attributes included in the GC make up the most commonly searched for items. These items are part of normal Active Directory replication. The Knowledge Consistency Checker (KCC) generates the GC replication topology. The GC is only replicated...

IPv Address Format

As you know, IPv6 provides an alternative to the shortage of IPv4 addresses. As such, it uses 128 bits instead of the 32 bits used in IPv4. This enables 75 trillion trillion (yes, two trillions follow the number 75) potential unique IP addresses (or 2^96). Much of the newer hardware and software now supports IPv6 addressing (IPv6 has been around a while), but you can't simply plug in IPv6 equipment and expect everything to work. There are numerous transition technologies available, a full discussion...

Summary of Exam Objectives

You can use group policy to deploy, maintain, and remove software in Windows 2000 and later computers. Three elements are necessary for software deployment: a software distribution point to make the software available across the network, a GPO to link to the appropriate containers in Active Directory to manage which users and computers receive the software, and a properly configured deployment package within the GPO. In addition to initial deployment, you can use group policy to redeploy...

Security Options

Microsoft provides administrators with a large list of security parameters that can be defined using group policy. Items available in the Security Options portion of group policy include preventing users from installing printer drivers, blocking access to the CD-ROM drive, specifying various digital signing and encryption settings, restricting access to the Registry, and many more. You should take a moment before the exam to familiarize yourself with the range of options offered by this portion...

Configuring RODC

Configuring an RODC isn't all that different from adding a traditional domain controller. The most important thing to remember about an RODC is that a writable domain controller must exist somewhere in the domain. Once this prerequisite is met, we can go ahead and configure our RODC. Let's assume that our writable DC is in place, using the domain information from the previous exercise. Adding an RODC to an Existing Forest A read-only domain controller can be added to a preexisting forest, but...

Exam Objectives Frequently Asked Questions

A: Static routing describes a system that does not implement adaptive routing in its configuration. In these systems, routes through a network are defined by set paths referred to as static routes. Q: What changes have been made to Windows Server 2008 in regards to routing? A: These are the major changes present in Windows Server 2008 in regards to routing: BAP is no longer supported by Windows Server 2008. X.25 is also no longer supported. SLIP, an encapsulation of IP meant for use over serial...

Chapter Configuring DNS

1. You are the administrator for a Windows Server 2008 network. You've been tasked with designing a secure facility and have recommended that it be isolated from the Internet. Which of the following do you recommend for DNS? Select all that apply. A. You recommend a private DNS infrastructure with internal root hints servers. B. You recommend the use of AD integrated zones. C. You recommend the use of secure dynamic updates. D. You recommend the use of secondary zones. Correct Answers &...

Changes to Authentication Protocols

PPP-based connections no longer support the SPAP, EAP-MD5-CHAP and MS-CHAPv1 authentication protocols. Remote access PPP-based connections now support the use of Protected EAP PEAP with PEAP-MS-CHAP v2 and PEAP-TLS. Keep this in mind as you plan out your new Windows Server 2008 remote access options. EAPHost architecture in Windows Server 2008 and Windows Vista includes new features not supported in Windows Server 2003 and Windows XP including Support for additional EAP methods Network...