Trainer Preparation
Conan Kezema
v-cokeze@microsoft.com
Course 6425C
Configuring and Troubleshooting Windows Server® 2008
Active Directory® Domain Services
Agenda
• High level course overview
• Classroom setup considerations
• Module level overview
High Level Course Overview
• Course format
• Intended audience and prerequisites
• Changes from 6425B
• Course duration and timing
Course Format
• NextGen (KonaH) – almost all content in the student
manual
• PowerPoint Deck – Instructor notes placed within the
Notes Page view (including detailed demonstration
steps)
• Course companion content now located at
http://www.microsoft.com/learning/companionmoc
– Module question and answers
– Detailed demonstration steps
– Lab review question and answers
– Resources: Links to additional information for each module
• Covers the objectives for 70-640: TS: Windows Server
2008 Active Directory, Configuring
Intended Audience and Prerequisites
• Intended Audience:
– Server and Enterprise administrators who need to learn
how to implement Active Directory in a distributed
environment, manage the environment using group policy
settings, secure Active Directory, and maintain Active
Directory.
• What you're likely to get:
– New administrators intending to become an Active
Directory Technology Specialist.
– Experienced Active Directory Administrators wanting to
learn new features included in Windows Server 2008 R2.
• Be prepared for a mix of new and experienced
students, and to provide extra technical detail when
required
Changes from 6425B
• KonaH version 2
– More information in the student workbook
– Lab answer keys printed with the student material
• Lab environment
– No longer uses Virtual Server 2005 and the Microsoft Lab Launcher
– Designed for Windows Server 2008 RTM and R2 Hyper-V (using pre-
import scripts)
– Designed for Hardware Level 6 (64-bit host machines with at least 4 GB
of RAM)
– Virtual machine names are changed to reflect the standard MSL VM
environment (Domain environment is the same)
• Content updates
– Now includes Windows Server 2008 R2 SP1 features related to Active
Directory
– Most existing modules revised/updated to reflect new features
– Some topics consolidated to make room for more important features
– Now 15 modules to help simplify the Group Policy topics and concepts
Course Duration and Timing
• It will be a challenge to cover all 15 modules in the
5-day time frame
• Course duration and timing tips
– At the start of the course use introductions to
determine the student needs and interests
– Revise module delivery based upon student interests
and needs.
– For more experienced classes, minimize time spent
on base features to give more time for advanced (and
new) features
– If needed, minimize the time spent on
demonstrations.
– Follow aggressive time management from the START
of the course
Classroom Setup Considerations
• Base image/middle-tier requirements
• Virtual machine environment
• Setup tips
Base Image/Middle-Tier Requirements
• Base images used:
– Base10A-WS08R2-HV.vhd
– Base10B-WS08R2Core-HV.vhd
– Base10C-W7-HV.vhd
• Middle-tier images used:
– WS08R2-SVR2.vhd
– Win7-CL1.vhd
• Requirements
– Base images must be extracted to
C:\Program Files\Microsoft Learning\Base
– Middle-tier images must be extracted to
C:\Program Files\Microsoft Learning\Base\Drives
– To ease setup, do not change the location of the base/mid-tier
images
Virtual Machine Environment
Virtual machine     Used as
6425C-NYC-DC1       Windows Server 2008 R2 domain controller in the Contoso.com domain
6425C-NYC-DC2       Windows Server 2008 R2 domain controller in the Contoso.com domain
6425C-NYC-DC3       Windows Server 2008 R2 Server Core stand-alone computer intended to become a domain controller
6425C-NYC-CL1       Windows 7 Client in the Contoso.com domain
6425C-NYC-CL2       Windows 7 Client in the Contoso.com domain
6425C-BRANCHDC01    Windows Server 2008 R2 Workgroup member
6425C-BRANCHDC02    Windows Server 2008 R2 Server Core domain controller in the Contoso.com domain
6425C-NYC-SVR1      Windows Server 2008 R2 Workgroup member
6425C-NYC-SVR2      Windows Server 2008 R2 Workgroup member
6425C-NYC-SVR-D     Windows Server 2008 R2 Workgroup member
6425C-TST-DC1       Windows Server 2008 R2 domain controller in the Tailspintoys.com domain
Setup Tips
• Be sure to run the VM-Pre-Import batch files for
each virtual machine before importing into Hyper-V
• After importing and initially starting/connecting to a
virtual machine, consider the following:
– You will most likely get a message concerning
activation as well as a Restart Now message. Be sure
to restart as prompted.
– After the restart, you should not get any more
messages.
– If you continue to get activation messages, run
slmgr -rearm (but only if you still get the messages!)
– Create the Starting Image snapshot after the prompts
have been addressed
Module Level Overview
• Module 1: Introducing Active Directory® Domain Services
• Module 2: Administering Active Directory® Securely and Efficiently
• Module 3: Managing Users and Service Accounts
• Module 4: Managing Groups
• Module 5: Managing Computer Accounts
• Module 6: Implementing a Group Policy Infrastructure
• Module 7: Managing User Desktop with Group Policy
• Module 8: Managing Enterprise Security and Configuration with Group Policy Settings
• Module 9: Securing Administration
• Module 10: Improving the Security of Authentication in an AD DS Domain
• Module 11: Configuring Domain Name System
• Module 12: Planning and Configuring a Multiple Site Hierarchy
• Module 13: Managing Sites and Active Directory Replication
• Module 14: Directory Service Continuity
• Module 15: Managing Multiple Domains and Forests
Module 1: Introducing Active Directory®
Domain Services
• Content:
– Overview of Active Directory, Identity, and Access
– Active Directory components and concepts
– How to install Active Directory Domain Services
• Intended to provide the theory to understand the concepts and terminology related to Active
Directory Domain Services.
• There are lots of concepts in this first module; be careful not to get carried away and spend a significant
amount of time on unnecessary discussion.
• Gauge the depth of the discussion based upon the experience of your classroom participants;
novice learners may require more explanation whereas with experienced learners you may be
able to skim or skip specific topics.
• One “official” demonstration – designed to give a “tour” of the Active Directory Schema
• Labs:
– One lab in this module:
• Lab: Install an AD DS Domain Controller to Create a Single Domain Forest
• For experienced classes, you might want to consider skipping this lab based upon student interest
– Get into a habit of stressing which virtual machine the students should be using, and provide an overview of
the goals of the lab.
– At the end provide a summary and remind students to revert the virtual machines and start the VMs required
for the next module.
Module 2: Administering Active Directory®
Securely and Efficiently
• Content:
– Working with Active Directory Administration Tools
– Administering Active Directory using custom console and working with least privilege
– Finding objects in Active Directory
– Using Windows PowerShell to manage Active Directory tasks
• Intended to help establish methods for working securely and efficiently when administering Active
Directory:
– Working with built-in and customized consoles
– Searching for objects in Active Directory
– Integrates new R2 features such as the Active Directory Administrative Center and Active Directory administration
using Windows PowerShell
• Nine “official” demonstrations – This module is quite “demo heavy”. Again gauge your students on the
level of experience. You may find that some of the demos can be skipped based upon your audience.
• Labs:
– Three labs in this module:
• Lab A: Administer Active Directory by Using Administrative Tools
• Lab B: Find Objects in Active Directory
• Lab C: Use Windows PowerShell to Administer Active Directory
– Labs A, B, and C build upon each other (however, each full module is self-contained)
– Remind students to verify which account to log on with. For most labs, students will log on as
Contoso\Pat.Coleman, but then run all administrative tasks as Pat.Coleman_Admin.
– Some labs will have students log on as Contoso\Administrator; be sure to check the lab setup instructions!
– Most labs require a lab setup script to be run. Again be sure to check the Lab Setup instructions!
Module 3: Managing Users and Service
Accounts
• Content:
– Create and Administer User Accounts
– Configure User Object Attributes
– Automate User Account Creation
– Create and Configure Managed Service Accounts
• In lesson 1, when you discuss the concept of a user account, you
may also want to perform an ad-hoc demo on creating a user
account in Active Directory.
• A couple of new R2-based features including bulk administration
using Windows PowerShell and an introduction to Managed Service
Accounts.
• Demonstrations:
– Although there are a number of “official” demos, there are also a
number of opportunities for you to perform ad-hoc demos. Consider
demonstrating as you explain some of the concepts.
• Labs:
– Four labs in this module:
• Lab A: Create and Administer User Accounts
• Lab B: Configure User Object Attributes
• Lab C: Automate User Account Creation
• Lab D: Create and Administer Managed Service Accounts
Module 4: Managing Groups
• Content:
– Overview of Groups
– Administering Groups
– Best Practices for Group Management
• Intention is to emphasize the purpose of groups and their role in
allowing an organization to move towards “role-based” management
• Moves away from the common AGDLP approach and introduces a
new concept called IGDLA (Identity, Global group, Domain Local
group, Access). This aligns with current industry terminology and
focuses on role-based management concepts, which are now
relevant for many recent Microsoft products
• Introduces new R2-based tools such as the Active Directory
Administrative Center and Windows PowerShell
• Labs:
– Two labs in this module:
• Lab A: Administer Groups
• Lab B: Best Practices for Group Management
– Lab A contains two optional exercises to be completed only if you feel
there is time. Advanced students might also want to consider
completing the optional exercises.
Module 5: Managing Computer Accounts
• Content:
– Create computers and join the domain
– Administer computer objects and accounts
– Perform an offline domain join
• Provides various methods used to join a computer to a domain
including:
– Prestaging
– Automating computer account creation
– Importing computer accounts
• Introduces the new R2-based feature: Offline Domain Joins
• Labs:
– Three labs in this module:
• Lab A: Create Computers and Join the Domain
• Lab B: Administer Computer Objects and Accounts
• Lab C: Perform an Offline Domain Join
– Again, stress which user account to use for logging on (NYC-SVR2
uses the Contoso\Administrator account in Lab A, but then uses
Pat.Coleman in Lab B).
Module 6: Implementing a Group Policy
Infrastructure
• Content:
– Overview of Group Policy
– How to implement Group Policy Objects
– How to manage Group Policy scope
– How Group Policy objects are processed
– Troubleshooting Group Policy application
• The goal of lesson 1 is to provide a high-level understanding
of what Group Policy is. It concludes with a quick
demonstration and exploration of Group Policy settings.
• The rest of the module describes the “architecture” of Group
Policy. The next two modules will go into details on specific
uses of Group Policy.
• Labs:
– Three labs in this module:
• Lab A: Implement Group Policy
• Lab B: Manage Group Policy Scope
• Lab C: Troubleshoot Policy Application
Module 7: Managing User Desktop with
Group Policy
• Content:
– Implement Administrative Templates
– Configure Group Policy Preferences
– Manage Software with GPSI
• This module is intended to illustrate what can be
accomplished with Group Policy by using
Administrative templates and Group Policy
Preferences. Software distribution is also a
primary focus of this module.
• Labs:
– Three labs in this module:
• Lab A: Manage Settings and GPOs
• Lab B: Manage Group Policy Preferences
• Lab C: Manage Software with GPSI
Module 8: Managing Enterprise Security and
Configuration with Group Policy Settings
• Content:
– Manage Group Membership using Group Policy
Settings
– Manage Security Settings
– Auditing
– Software Restriction Policy and AppLocker
• Content has been focused on the more relevant
tools such as the Security Configuration Wizard
and Application Control Policies (AppLocker)
• Labs:
– Four labs in this module:
• Lab A: Use Group Policy to Manage Group Membership
• Lab B: Manage Security Settings
• Lab C: Audit File System Access
• Lab D: Configure Application Control Policies
Module 9: Securing Administration
• Content:
– Delegate Administrative Permissions
– Audit Active Directory administration
• The main goals of this module include how
to:
– Delegate permissions
– View and determine effective permissions
– Determine when permissions have changed
• Labs:
– Two labs in this module:
• Lab A: Delegate Administration
Module 10: Improving the Security of
Authentication in an AD DS Domain
• Content:
– Configure Password and Lockout Policies
– Audit authentication to Active Directory
– Configure Read-Only Domain Controllers
• Labs:
– Three labs in this module:
• Lab A: Configure Password and Account Lockout
Policies
• Lab B: Audit authentication
• Lab C: Configure Read-Only Domain Controllers
Module 11: Configuring Domain Name
System
• Content:
– Install and configure DNS
– Overview of how AD DS, DNS, and Windows
integrate
– Advanced DNS configuration and
administration
• If students are familiar with DNS, do not
spend much time on Lesson 1
• Labs:
– Two labs in this module:
• Lab A: Install The DNS Service
• Lab B: Advanced Configuration of DNS
Module 12: Administering AD DS Domain
Controllers
• Content:
– Domain Controller installation options
– Installing a domain controller based upon the Server
Core installation
– Managing Operations masters
– Configuring Global Catalogs
– Configuring DFS-R Replication of SYSVOL
• Labs:
– Five labs in this module:
• Lab A: Install Domain Controllers
• Lab B: Install a Server Core Domain Controller
• Lab C: Transfer Operations Master Roles
• Lab D: Configure the Global Catalog and Universal Group
Membership Caching
• Lab E: Configure DFS Replication of SYSVOL
Module 13: Managing Sites and Active
Directory Replication
• Content:
– Configure Sites and Subnets
– Configure replication
• Emphasize that the correct site design is not
just for domain controller replication, but also
plays a significant role in controlling
authentication and for service localization as
more applications are becoming “location-aware”
• Labs:
– Two labs in this module:
• Lab A: Configure Sites and Subnets
• Lab B: Configure Replication
Module 14: Directory Service Continuity
• Content:
– Monitor Active Directory
– Manage the Active Directory Database
– Overview of the Active Directory Recycle Bin
– Backup and restore AD DS and Domain Controllers
• Labs:
– Four labs in this module:
• Lab A: Monitor Active Directory Events and Performance
• Lab B: Manage the Active Directory Database
• Lab C: Using Active Directory Recycle Bin
• Lab D: Back Up and Restore Active Directory
Module 15: Managing Multiple Domains and
Forests
• Content:
– Configure Domain and Forest functional levels
– Manage multiple domains and trust relationships
– Move objects between domains and forests
• It is important that students understand that some
domain and forest functional levels introduce
additional features within Active Directory (for example,
Active Directory Recycle bin for Windows Server
2008 R2)
• Labs:
– One lab in this module:
• Lab A: Administer Trust Relationships
Final Tips
• Be sure to understand feature differences between
Windows Server 2008 RTM, R2, and SP1
• Spend extra time preparing for:
– Active Directory administration using Windows PowerShell
– R2 features related to Active Directory administration
• Always direct students to start the virtual machines at
the beginning of the lecture, so that they are ready for
the Lab. Startup times will vary based upon hardware.
• Be sure that students are logging on as the correct
user and that lab setup scripts have been run as
directed at the beginning of each lab
• In order to cover all intended topics, determine a
timing strategy on the first day of the course