Syngress the real MCTS MCITP windows server 2008 configuring active directory exam 70640 prep kit mar 2008 ISBN 1597492353 pdf



Visit us at
www.syngress.com
Syngress is committed to publishing high-quality books for IT Professionals and
delivering those books in media and formats that fit the demands of our customers.
We are also committed to extending the utility of the book you purchase via additional
materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can
access our Web pages. There you may find an assortment
of value-added features such as free e-books related to the topic of this book, URLs
of related Web sites, FAQs from the book, corrections, and any updates from the
author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of
some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of
expertise, including Cisco Engineering, Microsoft Windows System Administration,
CyberCrime Investigation, Open Source Security, and Firewall Configuration, to
name a few.

DOWNLOADABLE E-BOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable
Adobe PDF form. These e-books are often available weeks before hard copies, and
are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt
books at significant savings.


SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers
in corporations, educational institutions, and large organizations. Contact us at
for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress
books, as well as their own content, into a single volume for their own internal
use. Contact us at for more information.




Tony Piltzecker

Technical Editor

Robert J. Shimonski
Naomi Alpern
Tariq Azad
Laura Hunter

Technical Reviewer

John Karnay
Jeffery Martin
Gene Whitley



Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production
(collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be
obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work
is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state
to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other
incidental or consequential damages arising out from the Work or its contents. Because some states do
not allow the exclusion or limitation of liability for consequential or incidental damages, the above
limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when
working with computers, networks, data, and files.
Syngress Media® and Syngress® are registered trademarks of Elsevier, Inc. Brands and product names
mentioned in this book are trademarks or service marks of their respective companies.
KEY    SERIAL NUMBER
001    HJIRTCV764
002    PO9873D5FG
003    829KM8NJH2
004    BPOQ48722D
005    CVPLQ6WQ23
006    VBP965T5T5
007    HJJJ863WD3E
008    2987GVTWMK
009    629MP5SDJT
010    IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803
The Real MCTS/MCITP Exam 70-640 Prep Kit

Copyright © 2008 by Elsevier, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced
or distributed in any form or by any means, or stored in a database or retrieval system, without the
prior written permission of the publisher, with the exception that the program listings may be
entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN 13: 978-1-59749-235-5
Publisher: Andrew Williams
Acquisitions Editor: David George
Technical Editor: Tony Piltzecker
Project Manager: Gary Byrne

Page Layout and Art: SPI

Copy Editors: Audrey Doyle, Mike McGee
Indexer: Ed Rush
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales
Director and Rights, at Syngress Publishing; email


Technical Editor
Tony Piltzecker (CISSP, MCSE, CCNA, CCVP, Check Point CCSA, Citrix
CCA), author and technical editor of Syngress Publishing’s MCSE Exam 70-296
Study Guide and DVD Training System and How to Cheat at Managing Microsoft
Operations Manager 2005, is an independent consultant based in Boston, MA.
Tony’s specialties include network security design, Microsoft operating system
and applications architecture, and Cisco IP Telephony implementations. Tony’s
background includes positions as systems practice manager for Presidio Networked Solutions, IT manager for SynQor Inc, network architect for Planning
Systems, Inc., and senior networking consultant with Integrated Information
Systems. Along with his various certifications, Tony holds a bachelor’s degree in
business administration. Tony currently resides in Leominster, MA, with his wife,
Melanie, and his daughters, Kaitlyn and Noelle.



Technical Reviewer
Robert J. Shimonski (MCSE, etc.) is an entrepreneur, a technology consultant,
and a published author with more than 20 years of experience in business and
technology. Robert’s specialties include designing, deploying, and managing
networks, systems, virtualization, storage-based technologies, and security analysis.
Robert also has many years of diverse experience deploying and engineering
mainframes and Linux- and UNIX-based systems such as Red Hat and Sun
Solaris. Robert has in-depth work-related experience with and deep practical
knowledge of globally deployed Microsoft- and Cisco-based systems and stays
current on the latest industry trends. Robert consults with business clients to help
forge their designs, as well as to optimize their networks and keep them highly
available, secure, and disaster free.
Robert is the author of many information technology-related articles and
published books, including the best-selling Sniffer Network Optimization and
Troubleshooting Handbook, Syngress (ISBN: 1931836574). Robert is also the
author of other best-selling titles, including Security+ Study Guide and DVD
Training System (ISBN: 1931836728), Network+ Study Guide & Practice Exams:
Exam N10-003 (ISBN: 1931836426), and Building DMZs for Enterprise Networks
(ISBN: 1931836884) also from Syngress. His current book offerings include the
newly published Vista for IT Security Professionals, Syngress (978-1-59749-139-6),
as well as being a series editor on the new Windows Server 2008 MCITP series
from Syngress publishing.



Contributing Authors
Naomi J. Alpern currently works for Microsoft as a consultant
specializing in Unified Communications. She holds many Microsoft
certifications, including an MCSE and MCT, as well as additional
industry certifications such as Citrix Certified Enterprise Administrator,
Security+, Network+, and A+. Since the start of her technical career,
she has worked in many facets of the technology world, including
IT administration, technical training, and, most recently, full-time
consulting. She likes to spend her time reading cheesy horror and
mystery novels when she isn’t browsing the Web. She is also the
mother of two fabulous boys, Darien & Justin, who mostly keep her
running around like a headless chicken.
Tariq Bin Azad is the principal consultant and founder of NetSoft
Communications Inc., a consulting company located in Toronto,
Canada. He is considered a top IT professional by his peers,
coworkers, colleagues, and customers. He obtained this status by
continuously learning and improving his knowledge and information
in the field of information technology. Currently, he holds more than
100 certifications, including MCSA, MCSE, MCTS, MCITP (Vista,
Mobile 5.0, Microsoft Communications Server 2007, Windows 2008,
and Microsoft Exchange Server 2007), MCT, CIW-CI, CCA, CCSP,
CCEA, CCI, VCP, CCNA, CCDA, CCNP, CCDP, CSE, and many
more. Most recently, Tariq has been concentrating on Microsoft
Windows 2000/2003/2008, Exchange 2000/2003/2007, Active
Directory, and Citrix implementations. He is a professional speaker
and has trained architects, consultants, and engineers on topics such
as Windows 2008 Active Directory, Citrix Presentation Server, and
Microsoft Exchange 2007. In addition to owning and operating an
independent consulting company, Tariq works as a senior consultant
and has utilized his training skills in numerous workshops, corporate
trainings, and presentations. Tariq holds a Bachelor of Science in
Information Technology from Capella University, USA, a bachelor’s
degree in Commerce from University of Karachi, Pakistan, and is
working on his ALMIT (Masters of Liberal Arts in Information
Technology) from Harvard University. Tariq has been a coauthor on
multiple books, including the best-selling MCITP: Microsoft Exchange
Server 2007 Messaging Design and Deployment Study Guide: Exams
70-237 and 70-238 (ISBN: 047018146X) and The Real MCTS/
MCITP Exam 640 Preparation Kit (ISBN: 978-1-59749-235-5). Tariq
has worked on projects or trained for major companies and organizations, including Rogers Communications Inc., Flynn Canada, Cap
Gemini, HP, Direct Energy, Toyota Motors, Compaq, IBM, Citrix
Systems Inc., Unicom Technologies, and Amica Insurance Company.
He lives in Toronto, Canada, and would like to thank his father, Azad
Bin Haider, and his mother, Sitara Begum, for a lifetime of guidance
and for their understanding and support in giving him the skills that have
allowed him to excel in work and life.
Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I,
CCNA, A+, Network+, iNet+, Security+, CNE-4, CNE-5) is a senior
IT specialist with the University of Pennsylvania, where she provides
network planning, implementation, and troubleshooting services for
various business units and schools within the university. Her specialties
include Microsoft Windows 2000/2003 design and implementation,
troubleshooting, and security topics. As an “MCSE Early Achiever” on
Windows 2000, Laura was one of the first in the country to renew her
Microsoft credentials under the Windows 2000 certification structure.
Laura’s previous experience includes a position as the director of
computer services for the Salvation Army and as the LAN administrator for a medical supply firm. She also operates as an independent
consultant for small businesses in the Philadelphia metropolitan area
and is a regular contributor to the TechTarget family of Web sites.
Laura has previously contributed to Syngress Publishing’s
Configuring Symantec Antivirus, Corporate Edition (ISBN 1-931836-81-7).
She has also contributed to several other exam guides in the Syngress
Windows Server 2003 MCSE/MCSA DVD Guide and Training
System series as a DVD presenter, contributing author, and technical
reviewer.



Laura holds a bachelor’s degree from the University of Pennsylvania
and is a member of the Network of Women in Computer Technology, the
Information Systems Security Association, and InfraGard, a cooperative
undertaking between the U.S. Government and other participants dedicated
to increasing the security of United States critical infrastructures.
John Karnay is a freelance writer, editor, and book author living in
Queens, NY. John specializes in Windows server and desktop deployments utilizing Microsoft and Apple products and technology. John
has been working with Microsoft products since Windows 95 and
NT 4.0 and consults for many clients in New York City and Long
Island, helping them plan migrations to XP/Vista and Windows
Server 2003/2008. When not working and writing, John enjoys
recording and writing music as well as spending quality time with
his wife, Gloria, and daughter, Aurora.
Jeffery A. Martin MS/IT, MS/M (MCSE, MCSE:Security, MCSE:Messaging,
MCDBA, MCT, MCSA, MCSA:Security, MCSE:Messaging, MCP+I, MCNE, CNE, CNA, CCA, CTT, A+, Network+,
I-Net+, Project+, Linux+, CIW, ADPM) has been working with
computer networks for more than 20 years. He is an editor, coeditor,
author, or coauthor of more than 15 books and enjoys training others
in the use of technology.
Gene Whitley (MBA, MCSE, MCSA, MCTS, MCP, Six Sigma
Green Belt) is a senior systems engineer with Nucentric Solutions
(www.nucentric.com), a technology integration firm in Davidson, NC.
Gene started his IT career in 1992 with Microsoft, earning his MCP in
1993 and MCSE in 1994. He has been the lead consultant and project
manager on numerous Active Directory and Exchange migration projects
for companies throughout the U.S. Gene has been a contributing
author on such books as How To Cheat At IIS 7 Server Administration,
How To Cheat At Microsoft Vista Administration, and Microsoft Forefront
Security Administration Guide. When not working, he spends his time
with his wife and best friend, Samantha. Gene holds an MBA from
Winthrop University and a BSBA in Management Information Systems
from The University of North Carolina at Charlotte.




Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Chapter 1 Configuring Server Roles in Windows 2008 . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
New Roles in 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Using Server Manager to Implement Roles . . . . . . . . . . . . . . . . . . . . . . 3
Using Server Core and Active Directory . . . . . . . . . . . . . . . . . . . . . . . . 9
What Is Server Core? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Read-Only Domain Controllers (RODCs) . . . . . . . . . . . . . . . . . . . . . . . . 15
Introduction to RODC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Its Purpose in Life . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Its Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Configuring RODC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Removing an RODC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Active Directory Lightweight Directory Service (LDS) . . . . . . . . . . . . . . . 22
When to Use AD LDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Changes from Active Directory Application Mode (ADAM) . . . . . . . . . 23
Configuring AD LDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Working with AD LDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Active Directory Rights Management Service (RMS) . . . . . . . . . . . . . . . . 28
What’s New in RMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

RMS vs. DRMS in Vista . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Configuring RMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Active Directory Federation Services (ADFS) . . . . . . . . . . . . . . . . . . . . . . 37
What Is Federation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Why and When to Use Federation . . . . . . . . . . . . . . . . . . . . . . . . . 38
Configuring ADFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . 54
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Chapter 2 Configuring Network Services . . . . . . . . . . . . . . . . . . . . . . . 61
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Configuring Domain Name System (DNS) . . . . . . . . . . . . . . . . . . . . . . . . 63
Identifying DNS Record Requirements . . . . . . . . . . . . . . . . . . . . . 68


Installing and Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Using Server Core and DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Configuring Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Zone Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Active Directory Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Reverse Lookup Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Configuring Reverse Lookup Zones . . . . . . . . . . . . . . . . . . . . . 87
Configuring Zone Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Configuring Dynamic Host Configuration Protocol (DHCP) . . . . . . . . . . 93
DHCP Design Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
DHCP Servers and Placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Installing and Configuring DHCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Using Server Core and DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Configuring DHCP for DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Configuring Windows Internet Naming Service (WINS). . . . . . . . . . . . . .103
Understanding WINS Replication . . . . . . . . . . . . . . . . . . . . . . . . .105
Automatic Partner Configuration . . . . . . . . . . . . . . . . . . . . . . . .105
Push Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Pull Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Push/Pull Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Replication Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Ring Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Hub-and-Spoke Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Hybrid Replication Models . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Static WINS Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Installing and Configuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Using Server Core for WINS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Configuring WINS for DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .117
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123

Chapter 3 Working with Users, Groups, and Computers . . . . . . . . . . 125
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Navigating Active Directory Users and Computers . . . . . . . . . . . . . . . . . .126
Creating and Modifying User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . .129
User Account Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
Creating a New Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Domain User Account Considerations . . . . . . . . . . . . . . . . . . . . . . . . .131
Password Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Creating a New Account Using Active Directory Users
and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Modifying a Domain User Account Using Active Directory Users
and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Common User Management Options . . . . . . . . . . . . . . . . . . . . . . . . .156
Creating a New User Account Using Script. . . . . . . . . . . . . . . . . . . . .157
Creating User Template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Configuring User Principal Names . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Creating and Modifying Computer Accounts . . . . . . . . . . . . . . . . . . . . . .160
Creating a New Computer Account Using Active Directory Users
and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Modifying a Computer Account Using Active Directory Users
and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Creating a New Computer Account Using a Script . . . . . . . . . . . . . . .167
Resetting a Computer Account Using Active Directory Users
and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Creating and Modifying Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Creating a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169

Types of Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Group Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Universal Groups Replication Concerns . . . . . . . . . . . . . . . . . . . . .171
Group Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Creating a New Group Using Active Directory Users
and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Modifying a Group Using Active Directory Users
and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
Creating a New Group Using Script . . . . . . . . . . . . . . . . . . . . . . . . . .176
The Delegation of Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
RODC (Read-Only Domain Controller) . . . . . . . . . . . . . . . . . . . . . .184
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .189
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Chapter 4 Configuring the Active Directory Infrastructure . . . . . . . . 197
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Working with Forests and Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Understanding Forests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200

Understanding Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Forest and Domain Functional Levels . . . . . . . . . . . . . . . . . . . . . . . . .202
Using Domain Functional Levels . . . . . . . . . . . . . . . . . . . . . . . . . .203

Using the Windows 2000 Domain Functional Level . . . . . . . . . .204
Windows Server 2003 Domain Functional Level . . . . . . . . . . . . .204
Windows Server 2008 Domain Functional Level . . . . . . . . . . . . .205
Configuring Forest Functional Levels . . . . . . . . . . . . . . . . . . . . . . .206
Windows 2000 Forest Functional Level (default) . . . . . . . . . . . . .206
Windows Server 2003 Forest Functional Level . . . . . . . . . . . . . .207
Windows Server 2008 Forest Functional Level . . . . . . . . . . . . . .208
Raising Forest and Domain Functional Levels . . . . . . . . . . . . . . . . .208
Raising the Domain Functional Level . . . . . . . . . . . . . . . . . . . . .209
Understanding the Global Catalog. . . . . . . . . . . . . . . . . . . . . . . . . . . .210
UPN Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Directory Information Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Universal Group Membership Information . . . . . . . . . . . . . . . . . . .214
Understanding GC Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214
Universal Group Membership . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Attributes in the Global Catalog . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Placing GC Servers within Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Bandwidth and Network Traffic Considerations. . . . . . . . . . . . . . . .217
Universal Group Membership Caching . . . . . . . . . . . . . . . . . . . . . .218
Working with Flexible Single Master Operation (FSMO) Roles . . . . . .220
Placing, Transferring, and Seizing FSMO Role Holders . . . . . . . . . .223
Locating and Transferring the Schema Master Role . . . . . . . . . . .224
Locating and Transferring the Domain Naming Master Role . . . .227
Locating and Transferring the Infrastructure, RID, and PDC
Operations Master Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Placing the FSMO Roles within an Active Directory
Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .232
Working with Sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Understanding Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236

Site Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237
Criteria for Establishing Separate Sites . . . . . . . . . . . . . . . . . . . . . .237
Creating a Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Renaming a Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
Creating Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Associating Subnets with Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Creating Site Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249
Configuring Site Link Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Understanding Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Intrasite Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Intersite Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258
Bridgehead Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
Site Link Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
Scheduling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .260
Forcing Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
Replication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
Planning, Creating, and Managing the Replication Topology . . . . . . . .262
Planning Replication Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Creating Replication Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Configuring Replication between Sites . . . . . . . . . . . . . . . . . . . . . . . .263
Troubleshooting Replication Failure . . . . . . . . . . . . . . . . . . . . . . . . . .264
Troubleshooting Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
Using Event Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
Working with Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266
Default Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Forest Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272

External Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Shortcut Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
SID Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .281
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Chapter 5 Understanding Group Policy . . . . . . . . . . . . . . . . . . . . . . . . 291
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Types of Group Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Local Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Non-Local Group Policy Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Network Location Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Group Policy Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
Site, Domain, and OU Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
Group Policy Processing Priority. . . . . . . . . . . . . . . . . . . . . . . . . . . . .311

Creating and Linking GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
Creating Stand-Alone GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314

Linking Existing GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Creating and Linking at One Time . . . . . . . . . . . . . . . . . . . . . . . . . . .316
Controlling Application of Group Policies . . . . . . . . . . . . . . . . . . . . . . . . .318
Enforce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318
Block Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Group Policy Results and Group Policy Modeling . . . . . . . . . . . . . . . .323
WMI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
Group Policy Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Group Policy Loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
GPO Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Administrative Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Starter GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .346
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .348
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Chapter 6 Configuring Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Configuring Software Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Publishing to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
Assigning to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364
Assigning to Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .368
Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370
Redeploying Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370
Upgrading Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371
Removing Software Deployed with Group Policy . . . . . . . . . . . . . . . .375
Forced Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376
Optional Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377

Configuring Account Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Domain Password Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Account Lockout Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Fine-Grain Password and Account Lockout Policies . . . . . . . . . . . . . . .384
Configuring a Fine-Grain Password Policy . . . . . . . . . . . . . . . . . . .386
Applying Users and Groups to a PSO with Active Directory Users and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394
Configuring Audit Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Logon Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .399
Directory Service Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
Configuring Directory Service Access Auditing in Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
Configuring Active Directory Object Auditing . . . . . . . . . . . . . .402
Object Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Configuring Object Access Auditing in Group Policy . . . . . . . . . . .405
Configuring Object Level Auditing . . . . . . . . . . . . . . . . . . . . . . . .405
Other Audit Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Configuring Additional Security-Related Policies . . . . . . . . . . . . . . . . . . .409
User Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .411
Restricted Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
Adding a New Restricted Group . . . . . . . . . . . . . . . . . . . . . . . . . .416
Modifying a Restricted Group . . . . . . . . . . . . . . . . . . . . . . . . . . . .419
Deleting a Restricted Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
Administrative Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
ADMX Central Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422

Adding ADM Templates to a GPO . . . . . . . . . . . . . . . . . . . . . . . . .424
Converting ADM Files to the ADMX Format. . . . . . . . . . . . . . . . .427
Converting ADM Files to ADMX Files Using the Command Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .427
Converting ADM Files to ADMX Files Using the MMC Snap-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .427
Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .437
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .440
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
Chapter 7 Configuring Certificate Services and PKI . . . . . . . . . . . . . . 445
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446
What Is PKI? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447
The Function of the PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
Components of PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .450
How PKI Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .452
PKCS Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .454
How Certificates Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460
Public Key Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
Secret Key Agreement via Public Key . . . . . . . . . . . . . . . . . . . . . . .466
Bulk Data Encryption without Prior Shared Secrets . . . . . . . . . . . .466

User Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479
Machine Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .480
Application Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .480
Analyzing Certificate Needs within the Organization . . . . . . . . . . . . . . . .480
Working with Certificate Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
Configuring a Certificate Authority . . . . . . . . . . . . . . . . . . . . . . . . . .481
Certificate Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .482
Standard vs. Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .482
Root vs. Subordinate Certificate Authorities . . . . . . . . . . . . . . . .483
Certificate Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .484
Certificate Practice Statement . . . . . . . . . . . . . . . . . . . . . . . . . .489
Key Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .489
Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .489
Assigning Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .496
Enrollments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .496
Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .497
Working with Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .501
General Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503
Request Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .505
Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506
Subject Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .508
Issuance Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .509
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .512
Types of Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .513
User Certificate Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .513
Computer Certificate Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .514
Other Certificate Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .516
Custom Certificate Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . .516
Securing Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .519
Versioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .520

Key Recovery Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .521
Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .523
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .524
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .526
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .529
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .532
Chapter 8 Maintaining an Active Directory Environment . . . . . . . . . 533
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534
Backup and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534
Using Windows Server Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .535
Scheduling a Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .540
Backing Up to Removable Media . . . . . . . . . . . . . . . . . . . . . . . . .548
Backing Up System State Data . . . . . . . . . . . . . . . . . . . . . . . . . . . .551
Backing Up Key Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .555
Backing Up Critical Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . .556
Recovering System State Data . . . . . . . . . . . . . . . . . . . . . . . . . . . .557
Recovering Key Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .559
Directory Services Restore Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . .565
Performing Authoritative and Nonauthoritative Restores . . . . . . . . . . .568
Authoritative Restore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Nonauthoritative Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .575
Linked Value Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .575
Backing Up and Restoring GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . .575
Offline Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .584
Restartable Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .584
Offline Defrag and Compaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . .587

Active Directory Storage Allocation. . . . . . . . . . . . . . . . . . . . . . . . . . .590
Monitoring Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .591
The Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .591
The Task Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .594
The Applications Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .596
The Processes Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
The Services Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .598
The Performance Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .598
The Networking Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .599
The Users Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .601
The Event Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .602
Custom Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .602
Windows Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .605
Applications and Services Logs . . . . . . . . . . . . . . . . . . . . . . . . . .606
Subscriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .607
Replmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .611
Using Replmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .611
RepAdmin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .618
Windows System Resource Manager . . . . . . . . . . . . . . . . . . . . . . . . . .621
The Windows Reliability and Performance Monitor . . . . . . . . . . . . . .623
Resource Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .624
The Performance Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .625

The Reliability Monitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .627
Data Collector Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .629
Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .631
Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .633
Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .635
Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .637
Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .639
Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .644
Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697


Foreword

This book’s primary goal is to help you prepare to take and pass Microsoft’s Exam
70-640, Windows Server 2008 Active Directory, Configuring. Our secondary purpose in
writing this book is to provide exam candidates with knowledge and skills that go
beyond the minimum requirements for passing the exam and help to prepare them
to work in the real world of Microsoft computer networking.

What Is MCTS Exam 70-640?
Microsoft Certified Technology Specialist (MCTS) Exam 70-640 is both a standalone test for those wishing to master Active Directory technology and a requirement
for those pursuing certification as a Microsoft Certified Information Technology
Professional (MCITP) for Windows Server 2008. Microsoft’s stated target audience
consists of IT professionals with at least one year of work experience on a medium-sized or large company network. This means a multisite network with at least three
domain controllers running typical network services such as file and print services,
messaging, database, firewall services, proxy services, remote access services, an
intranet, and Internet connectivity.
However, not everyone who takes Exam 70-640 will have this ideal background. Many people will take this exam after classroom instruction or self-study as
an entry into the networking field. Many of those who do have job experience in
IT will not have had the opportunity to work with all of the technologies covered
by the exam. In this book, our goal is to provide background information that will
help you to understand the concepts and procedures described even if you don’t
have the requisite experience, while keeping our focus on the exam objectives.

Exam 70-640 covers the basics of managing and maintaining a network
environment that is built around Microsoft’s Windows Server 2008. The book
includes the following task-oriented objectives:

- Configuring Domain Name System (DNS) for Active Directory
  This objective includes configuring zones, configuring DNS server settings,
  and configuring zone transfers and replication.

- Configuring the Active Directory Infrastructure This objective
  includes configuring a forest or domain, configuring trusts, configuring
  sites, configuring Active Directory replication, configuring the global
  catalog, and configuring operations masters.

- Configuring Additional Active Directory Server Roles This
  objective includes configuring Active Directory Lightweight Directory
  Service (AD LDS), configuring Active Directory Rights Management
  Service (AD RMS), configuring the read-only domain controller
  (RODC), and configuring Active Directory Federation Services (AD FS).

- Creating and Maintaining Active Directory Objects This objective
  includes automating the creation of Active Directory accounts, maintaining
  Active Directory accounts, creating and applying Group Policy Objects
  (GPOs), configuring GPO templates, configuring software deployment
  GPOs, configuring account policies, and configuring audit policies
  using GPOs.

- Configuring Active Directory Certificate Services This objective
  includes installing Active Directory certificate services, configuring certificate
  authority (CA) server settings, managing certificate templates, managing
  enrollments, and managing certificate revocations.

Path to MCTS/MCITP/MS Certified Architect
Microsoft certification is recognized throughout the IT industry as a way to
demonstrate mastery of basic concepts and skills required to perform the tasks
involved in implementing and maintaining Windows-based networks. The certification program is constantly evaluated and improved, while the nature of information
technology is changing rapidly; consequently, requirements and specifications for
certification can also change rapidly. This book is based on the exam objectives as
stated by Microsoft at the time of writing; however, Microsoft reserves the right to
make changes to the objectives and to the exam itself at any time. Exam candidates
should regularly visit the Certification and Training Web site at
www.microsoft.com/learning/mcp/default.mspx for the most updated information on each
Microsoft exam.
Microsoft currently offers three basic levels of certification on the technology
level, professional level, and architect level:

- Technology Series This level of certification is the most basic, and
  it includes the Microsoft Certified Technology Specialist (MCTS)
  certification. The MCTS certification is focused on one particular
  Microsoft technology. There are 19 MCTS exams at the time of this
  writing. Each MCTS certification consists of one to three exams, does
  not include job-role skills, and will be retired when the technology is
  retired. Microsoft Certified Technology Specialists will be proficient
  in implementing, building, troubleshooting, and debugging a specific
  Microsoft technology.

- Professional Series This is the second level of Microsoft certification,
  and it includes the Microsoft Certified Information Technology
  Professional (MCITP) and Microsoft Certified Professional
  Developer (MCPD) certifications. These certifications consist of one
  to three exams, have prerequisites from the Technology Series, focus on
  a specific job role, and require an exam refresh to remain current. The
  MCITP certification offers nine separate tracks as of the time of this
  writing. There are two Windows Server 2008 tracks, Server Administrator
  and Enterprise Administrator. To achieve the Server Administrator MCITP
  for Windows Server 2008, you must successfully complete one Technology
  Series exam and one Professional Series exam. To achieve the Enterprise
  Administrator MCITP for Windows Server 2008, you must successfully
  complete four Technology Series exams and one Professional Series exam.

- Architect Series This is the highest level of Microsoft certification,
  and it requires the candidate to have at least 10 years’ industry experience.
  Candidates must pass a rigorous review by a review board of existing
  architects, and they must work with an architect mentor for a period of
  time before taking the exam.

NOTE
Those who already hold the MCSA or MCSE in Windows 2003 can
upgrade their certifications to MCITP Server Administrator by passing
one upgrade exam and one Professional Series exam. Those who already
hold the MCSA or MCSE in Windows 2003 can upgrade their certifications to MCITP Enterprise Administrator by passing one upgrade exam,
two Technology Series exams, and one Professional Series exam.

Prerequisites and Preparation

There are no mandatory prerequisites for taking Exam 70-640, although Microsoft
recommends that you meet the target audience profile described earlier. Exam
70-640 is the logical choice for the first step in completing the requirements for
the MCITP.
Preparation for this exam should include the following:

- Visit the Web site at www.microsoft.com/learning/exams/70-640.mspx to
  review the updated exam objectives.

- Work your way through this book, studying the material thoroughly and
  marking any items you don’t understand.

- Answer all practice exam questions at the end of each chapter.

- Complete all hands-on exercises in each chapter.

- Review any topics that you don’t thoroughly understand.

- Consult Microsoft online resources such as TechNet (www.microsoft.com/technet/),
  white papers on the Microsoft Web site, and so forth, for better
  understanding of difficult topics.

- Participate in Microsoft’s product-specific and training and certification
  newsgroups if you have specific questions that you still need answered.

- Take at least one practice exam, such as the one included on the Syngress/
  Elsevier certification Web site, www.syngress.com/certification.

Exam Overview
In this book, we have tried to follow Microsoft’s exam objectives as closely as possible.
However, we have rearranged the order of some topics for a better flow and included
background material to help you understand the concepts and procedures that are