38676182.

doc

What is Active Directory?......................................................................................................................12

Understanding Active Directory Forest Structures............................................................................13
Preparing the Servers for Windows 2008............................................................................................14
Installing Active Directory with DCPromo.........................................................................................15
Windows 2008 Domain Decisions........................................................................................................17
System Changes with AD Install..........................................................................................................18
Domain Functional Levels.....................................................................................................................19
Windows 2000 Native........................................................................................................................19
Windows Server 2003.........................................................................................................................19
Windows Server 2008.........................................................................................................................19
Forest Functional Levels........................................................................................................................21
Windows Server 2003.........................................................................................................................21
Windows Server 2008.........................................................................................................................21
Single vs. Multi-Master Replication.....................................................................................................22
Single Master Operations......................................................................................................................23
Moving FSMO roles...............................................................................................................................25
Transfer Role...................................................................................................................................25
Seize Role.........................................................................................................................................26
Recover Roles..................................................................................................................................26
Directory Partitions................................................................................................................................27
Application Directory Partitions.......................................................................................................27
The Global Catalog.................................................................................................................................29
Universal Group Membership Caching.......................................................................................30
Managing UPN Suffixes........................................................................................................................31
Creating and Managing UPNs..........................................................................................................31
Trust Types in Windows Server 2008...................................................................................................32
Tree-Root Trust...................................................................................................................................32
Parent-Child Trust..............................................................................................................................32
Shortcut Trust......................................................................................................................................32
External trust.......................................................................................................................................32

7 December 2021 14:08 1 of 207

38676182.doc

Forest trust...........................................................................................................................................33
Realm trust..........................................................................................................................................34
Managing Trusts.....................................................................................................................................36
Access Resources using External/Forest Trusts.............................................................................36
Selective-authentication.................................................................................................................37
Read-Only Domain Controllers............................................................................................................38
Password Replication on RODCs.....................................................................................................39
Significant Points for RODCs........................................................................................................40
Managing and Maintaining an Active Directory Infrastructure.......................................................41
Managing Schema Modifications.........................................................................................................43
Replication...............................................................................................................................................44
Intra-Site...............................................................................................................................................44
Inter-Site...............................................................................................................................................45
Forest and Domain Replication............................................................................................................46
Intra-Site Replication..........................................................................................................................46
Intra-Site Replication..........................................................................................................................46
Active Directory Sites.............................................................................................................................47
Site Creation........................................................................................................................................48
Creating Subnets.............................................................................................................................48
Inter-Site Replication..........................................................................................................................49
Site Links..........................................................................................................................................49
Bridgehead Servers.........................................................................................................................50
Site Link Bridges.............................................................................................................................50
Inter-Site Transports.......................................................................................................................51
Managing AD Sites.................................................................................................................................52
Creating Boundaries with Subnets...................................................................................................52
Bridgehead Selection Process................................................................................................................53
Manually Selecting Bridgeheads.......................................................................................................53
Monitoring Replication..........................................................................................................................55
Event Viewer...................................................................................................................................55

7 December 2021 14:08 2 of 207

38676182.doc

File Replication Service Log..........................................................................................................55

Command-Line Utilities................................................................................................................55
Active Directory Replication Monitor..........................................................................................56
Backing-Up Active Directory................................................................................................................57
System State.........................................................................................................................................57
Server Backup Utility.........................................................................................................................57
WBAdmin................................................................................................................................................58
Restoring Active Directory....................................................................................................................60
Restore Options...................................................................................................................................60
Normal Restore...............................................................................................................................60
Authoritative Restore.....................................................................................................................61
Primary Restore..............................................................................................................................61
AD Replication Conflicts.......................................................................................................................62
Active Directory Garbage Collection...................................................................................................63
Troubleshooting Active Directory........................................................................................................64
Directory Services Restore Mode Password....................................................................................64
Resolving issues with AD..................................................................................................................64
Removing Active Directory...............................................................................................................64
ADSIEdit and LDP..........................................................................................................................65
Planning and Implementing User, Computer and Group Strategies Security Group Strategy....66
Group Scopes......................................................................................................................................66
Global...............................................................................................................................................66
Domain Local..................................................................................................................................67
Universal..........................................................................................................................................67
Group Nesting.....................................................................................................................................67
Changing Group Scope......................................................................................................................67
Removing Groups...............................................................................................................................67
Domain User Account Policy................................................................................................................68
Password Challenges.........................................................................................................................68
Planning Organization Units (OUs).....................................................................................................70

7 December 2021 14:08 3 of 207

38676182.doc

Planning and Implementing Group Policy Group Policies...............................................................71

Group Policy Processing....................................................................................................................71
Group Policy Filtering........................................................................................................................71
WMI Filters......................................................................................................................................71
Refreshing Group Policies.................................................................................................................72
Group Policy Settings.............................................................................................................................73
Categories............................................................................................................................................74
Group Policies and Security Templates...............................................................................................75
Group Policy Management Console....................................................................................................76
Resultant Set of Policies.....................................................................................................................76
Group Policy Result Wizard..............................................................................................................78
Software Deployment............................................................................................................................79
Windows Installer Service.................................................................................................................80
Windows Installer Packages..............................................................................................................80
Application (.zap) Files......................................................................................................................81
Software Distribution Point (SDP)....................................................................................................81
Creating Package................................................................................................................................81
Upgrading Software.......................................................................................................................82
Redeployment.....................................................................................................................................82
Removing Applications.....................................................................................................................82
Terminal Services and Software Installation...................................................................................83
Software Restriction Policies.................................................................................................................84
Software Rules.................................................................................................................................84
Designated File Types....................................................................................................................85
Enforcement....................................................................................................................................85
Redirected Folders..................................................................................................................................86
Target Folder Options........................................................................................................................87
Additional Policy Settings.....................................................................................................................88
Group Policy Loopback.....................................................................................................................88
Linking, Disabling, and Deleting GPOs...............................................................................................89

7 December 2021 14:08 4 of 207

38676182.doc

Disabling and Deleting GPOs...........................................................................................................89

Backing Up, Importing, and Restoring GPOs.....................................................................................90
Replacing Security Templates...............................................................................................................91
Security Templates.........................................................................................................................91
Troubleshooting Group Policy..............................................................................................................92
IP Addressing..........................................................................................................................................93
Address Classes..................................................................................................................................93
Private Addressing and APIPA........................................................................................................94
Automatic Private IP Addressing (APIPA).................................................................................94
Subnetting................................................................................................................................................95
Subnet Masks......................................................................................................................................95
Network/Broadcast Address............................................................................................................95
Determining Local and Remote Hosts.................................................................................................97
Common Ports to Know........................................................................................................................98
IPv6...........................................................................................................................................................99
Teredo..................................................................................................................................................99
Configuring TCP/IP.............................................................................................................................101
Advanced TCP/IP Settings.............................................................................................................101
Multiple IP Addresses..................................................................................................................102
Alternate (Static) IP Address.......................................................................................................102
IP Troubleshooting Tools.................................................................................................................102
IPConfig.........................................................................................................................................103
Ping.................................................................................................................................................103
Tracert............................................................................................................................................103
PathPing.........................................................................................................................................104
Implementing, Managing, and Maintaining Name Resolution DNS Namespace.......................105
Primary DNS suffix:.........................................................................................................................106
FQDN Rules:.....................................................................................................................................106
NetBIOS Names................................................................................................................................106
How to Get a Domain Name...........................................................................................................106

7 December 2021 14:08 5 of 207

38676182.doc

Some Basic DNS Naming Guidelines.........................................................................................107

DNS Zones.............................................................................................................................................108
DNS Name Resolution - Forward Lookup........................................................................................109
DNS Query Types.............................................................................................................................109
DNS Name Resolution Failure....................................................................................................109
Resolver Cache..................................................................................................................................110
Name Resolution..............................................................................................................................110
Resource Records..........................................................................................................................111
SRV Records..........................................................................................................................................112
Troubleshooting SRV Records........................................................................................................112
Managing Mail Server Records.......................................................................................................113
DNS Server Functions..........................................................................................................................114
Caching Only Server........................................................................................................................114
Forwarder..........................................................................................................................................114
Chained Forwarder..........................................................................................................................115
Installing DNS.......................................................................................................................................116
Manual Install...................................................................................................................................116
Active Directory Installation...........................................................................................................116
Default Installations.........................................................................................................................117
Windows Server 2008 DNS Zone Options.........................................................................................118
Standard Primary..............................................................................................................................118
Secondary..........................................................................................................................................118
Stub.....................................................................................................................................................118
Standard Primary Zone....................................................................................................................119
Secondary Zone.................................................................................................................................120
Stub Zone...........................................................................................................................................120
Active Directory Integrated Zone...................................................................................................121
Forwarding............................................................................................................................................122
Conditional Forwarding..................................................................................................................122
Advantages of Conditional Forwarding....................................................................................123

7 December 2021 14:08 6 of 207

38676182.doc

Disadvantages of Conditional Forwarding...............................................................................123

Simple Forwarding...........................................................................................................................123
Delegated DNS Zone........................................................................................................................124
Creating a Delegation...................................................................................................................124
DNS Design...........................................................................................................................................125
Dynamic Updates.................................................................................................................................126
DNS and DHCP Integration............................................................................................................126
Types of Dynamic Updates.........................................................................................................126
Zone Transfer........................................................................................................................................127
Default Settings for Zone Transfer.................................................................................................127
Zone Transfer via Notify..................................................................................................................127
Securing Zone Transfers..................................................................................................................128
SOA Record...........................................................................................................................................129
Zone Transfers......................................................................................................................................131
Full Transfer (AXFR)........................................................................................................................131
Incremental Transfer (IXFR)............................................................................................................131
Active Directory Integrated.............................................................................................................131
Win 2008 ADI Zone Replication..................................................................................................132
Root Name Servers...............................................................................................................................134
Creating a Root Server.....................................................................................................................134
Non-root Name Servers.......................................................................................................................135
DNS and BIND......................................................................................................................................136
Configure DNS Client..........................................................................................................................137
Appending Suffixes..........................................................................................................................137
Client Registration in DNS..............................................................................................................138
Manual Registration.....................................................................................................................138
Dynamic Registration...................................................................................................................138
Optimizing Name Resolution.............................................................................................................139
Round Robin.....................................................................................................................................139
Round Robin.....................................................................................................................................139

7 December 2021 14:08 7 of 207

38676182.doc

DNS Interfaces..................................................................................................................................139
Advanced DNS Server Properties......................................................................................................141
Test the DNS Server service................................................................................................................143
Manage and Monitor DNS..................................................................................................................144
DNS Debug Logging........................................................................................................................146
Group Policies and DNS......................................................................................................................147
Securing DNS........................................................................................................................................148
DNS Naming Considerations..........................................................................................................148
Enhancements to DNS in 2008............................................................................................................149
GlobalNames Zone...........................................................................................................................149
Background Zone Loading..............................................................................................................149
Enhanced Support for IPv6.............................................................................................................150
WINS Integration with DNS...............................................................................................................151
Troubleshooting DNS Issues...............................................................................................................152
Incorrect query results..................................................................................................................153
Too much zone transfer traffic....................................................................................................153
Event Viewer.........................................................................................................................................154
Event Subscriptions..........................................................................................................................154
Configure Forwarding computer................................................................................................155
Configure Collecting computer...................................................................................................155
Check the forwarded Event Viewer entries...............................................................................155
DFS -- Distributed File System............................................................................................................156
DFS Namespaces..................................................................................................................................157
Create a namespace :....................................................................................................................157
DFS Replication.....................................................................................................................................159
Create a replication group...........................................................................................................159
Create a replicated folder.............................................................................................................160
DFS Requirements............................................................................................................................161
DFS Commands....................................................................................................................................162
Server Manager.....................................................................................................................................164

7 December 2021 14:08 8 of 207

38676182.doc

Server Manager Interface.................................................................................................................164

Roles...............................................................................................................................................164
Diagnostics....................................................................................................................................164
Configuration................................................................................................................................165
Storage............................................................................................................................................165
Active Directory Lightweight Directory Services.............................................................................166
ADRMS - Active Directory Rights Management Services...............................................................168
AD RMS Benefits..........................................................................................................................169
AD FS - Active Directory Federation Services..................................................................................170
Federation and Web SSG.............................................................................................................170
Web Services (WS)-* interoperability.........................................................................................170
Extensible architecture.................................................................................................................170
Extending AD DS to the Internet................................................................................................171
WDS........................................................................................................................................................172
What is Windows Deployment Services?......................................................................................172
Server functionality modes..............................................................................................................172
Known issues with configuring Windows Deployment Services...........................................173
Prerequisites:.....................................................................................................................................174
Install & Configure:..........................................................................................................................174
Add Images:......................................................................................................................................174
To install an operating system....................................................................................................175
Unattended Installation...................................................................................................................176
Hyper-V.................................................................................................................................................178
Server Consolidation....................................................................................................................178
Business Continuity and Disaster Recovery..............................................................................178
Testing and Development............................................................................................................178
Dynamic Data Center...................................................................................................................178
Key Features of Hyper-V.............................................................................................................179
Live Migration...............................................................................................................................179
Increased Hardware Support for Hyper-V Virtual Machines.................................................179

7 December 2021 14:08 9 of 207

38676182.doc

Cluster Shared Volumes..............................................................................................................179

Cluster Validation Tool................................................................................................................179
Management of Virtual Data Centers.........................................................................................180
Enhanced Networking Support..................................................................................................180
Dynamic VM storage....................................................................................................................180
Broad OS Support.........................................................................................................................180
Network Load Balancing.............................................................................................................180
Virtual Machine Snapshot...........................................................................................................181
High Availability..................................................................................................................................182
Failover Clustering...........................................................................................................................182
Cluster Migration..........................................................................................................................182
Cluster Infrastructure...................................................................................................................182
Cluster Storage..............................................................................................................................182
Cluster Network...........................................................................................................................183
Cluster Security.............................................................................................................................183
Advantages of Network Load Balancing...................................................................................184
Host Priorities................................................................................................................................184
Port Rules.......................................................................................................................................184
Remote Control.............................................................................................................................185
How Network Load Balancing Works.......................................................................................185
Managing Application State........................................................................................................186
Windows System Resource Manager (WSRM).................................................................................188
Windows Server Update Services 3.0.................................................................................................189
Prerequisites for WSUS servers.......................................................................................................189
Prerequisites for using the WSUS 3.0 Administration Console..............................................189
Prerequisites for WSUS client computers..................................................................................189
How it works.....................................................................................................................................189
Client-side features...........................................................................................................................191
WSUS 3.0 Deployment Scenarios.......................................................................................................193
Single WSUS server (small-sized or simple network)..................................................................193

7 December 2021 14:08 10 of 207

38676182.doc

Multiple independent WSUS servers.............................................................................................194

Multiple internally synchronized WSUS servers..........................................................................195
Disconnected WSUS servers (limited or restricted Internet connectivity)................................196
More Information..........................................................................................................................196

7 December 2021 14:08 11 of 207

38676182.doc

What is Active Directory?

 A directory service database that allows for the creation of a hierarchical
management structure.
 The Windows Server 2008 Active Directory service consists of forest, trees,
domain, and organizational units created as a means of satisfying an organizations
resource management needs.
 The AD forest is a collection of domains that share a common schema,
configuration, and global catalog.
 The trees within the AD forest are a group of domains that share a contiguous
name space (Le. fabrikam.com, research.fabrikam.com, sales.fabrikam.com). A different
namespace (fabrikam.com, contososchool.com) constitutes a new tree.
 The organizational unit (OU) is the building block of an Active Directory domain
that provides for administrative delegation and policy implementation within a domain.
Active Directory is a directory service database that provides a centralized management
structure for objects within a network enterprise. The Microsoft Windows Server 2008 Active
Directory infrastructure is made up of logical components called forests, trees, domains, and
organizational units or OUs. One of the toughest concepts regarding Active Directory
infrastructure is to relinquish the idea that it should mirror the physical network or the
corporate organizational chart. Active Directory can and most likely will be influenced by one if
not both of these factors however, it does not HAVE TO have any relationship.
Active Directory infrastructure should be designed to suit your administrative and security
needs.
Active Directory should be built in a fashion that facilitates the management of networked
resources. Active Directory infrastructure does not have to mirror the organizational chart with
a physical configuration of the enterprise environment.

Domain vs Workgroup
A workgroup is Microsoft's terminology for a peer-to-peer PC computer network.
Microsoft operating systems in the same workgroup may allow each other access to their files,
printers, or Internet connection. Members of different workgroups on the same local area
network segment and TCP/IP network can only access resources in workgroups to which they
are joined.
A Windows Server domain is a logical group of computers running versions of the Microsoft
Windows operating system that share a central directory database. This central database
(known as the Active Directory starting with Windows 2000[1], also referred to as NT Directory
Services on Windows NT Server operating systems, or NTDS) contains the user accounts and
security information for the resources in that domain. Each person who uses computers within
a domain receives his or her own unique account, or user name. This account can then be
assigned access to resources within the domain.

7 December 2021 14:08 12 of 207

38676182.doc

In a domain, the directory resides on computers that are configured as "domain controllers." A
domain controller is a server that manages all security-related aspects between user and domain
interactions, centralizing security and administration. A Windows Server domain is normally
more suitable for moderately larger businesses and/or organizations.
Windows Workgroups, by contrast, is the other model for grouping computers running
Windows in a networking environment which ships with Windows. Workgroup computers are
considered to be 'standalone' - i.e. there is no formal membership or authentication process
formed by the workgroup. A workgroup does not have servers and clients, and as such, it
represents the Peer-to-Peer (or Client-to-Client) networking paradigm, rather than the
centralised architecture constituted by Server-Client. Workgroups are considered difficult to
manage beyond a dozen clients, and lack single sign on, scalability, resilience/disaster recovery
functionality, and many security features. Windows Workgroups are more suitable for small or
home-office networks.
A domain does not refer to a single location or specific type of network configuration. The
computers in a domain can share physical proximity on a small LAN or they can be located in
different parts of the world. As long as they can communicate, their physical position is
irrelevant.

7 December 2021 14:08 13 of 207

38676182.doc

Understanding Active Directory Forest Structures

 Forest
 Tree
 Schema
 Global catalog
The fabrikam.com forest is made up of 2 trees and 5 total domains. The fabrikam.com and
elabs.corp domains serve as tree roots. While the .research.fabrikam.com,
training.fabrikam.com, and dev.elabs.corp domains exist as child domains.
The fabrikam.com domain is known as the forest root. Each domain maintains its own set of
domain specific information, while every domain in the forest shares the same schema,
configuration, and global catalog.
The organizational unit is the building block for each Active Directory domain. Note,
organizational units do not cross domains; therefore, multiple domain environments could
contain organizational units of the same name.

7 December 2021 14:08 14 of 207

38676182.doc

What Is a Schema?
The Active Directory schema defines the kinds of objects, the types of information about those
objects, and the default security configuration for those objects that can be stored in Active
Directory.
The Active Directory schema contains the definitions of all objects, such as users, computers,
and printers that are stored in Active Directory. On domain controllers running Windows
Server 2003, there is only one schema for an entire forest. This way, all objects that are created in
Active Directory conform to the same rules.
The schema has two types of definitions: object classes and attributes. Object classes such as
user, computer, and printer describe the possible directory objects that you can create. Each
object class is a collection of attributes.
Attributes are defined separately from object classes. Each attribute is defined only once and
can be used in multiple object classes. For example, the Description attribute is used in many
object classes, but is defined only once in the schema to ensure consistency.
You can create new types of objects in Active Directory by extending the schema. For example,
for an e-mail server application, you could extend the user class in Active Directory with new
attributes that store additional information, such as users’ e-mail addresses.
On Windows Server 2003 domain controllers, you can reverse schema changes by deactivating
them, thus enabling organizations to better exploit Active Directory’s extensibility features.
You may also redefine a schema class or attribute. For example, you could change the Unicode
String syntax of an attribute called Department to Unit.

7 December 2021 14:08 15 of 207

38676182.doc

What Is the Global Catalog?

Resources in Active Directory can be shared across domains and forests. The global catalog
feature in Active Directory makes searching for resources across domains and forests
transparent to the user. For example, if you search for all of the printers in a forest, a global
catalog server processes the query in the global catalog and then returns the results. Without a
global catalog server, this query would require a search of every domain in the forest.
The global catalog is a repository of information that contains a subset of the attributes of all
objects in Active Directory. Members of the Schema Admins group can change which attributes
are stored in the global catalog, depending on an organization’s requirements. The global
catalog contains:
 The attributes that are most frequently used in queries, such as a user’s first
name, last name, and logon name.
 The information that is necessary to determine the location of any object in the
directory.
 A default subset of attributes for each object type.
 The access permissions for each object and attribute that is stored in the global
catalog. If you search for an object that you do not have the appropriate permissions to
view, the object will not appear in the search results. Access permissions ensure that
users can find only objects to which they have been assigned access.
A global catalog server is a domain controller that efficiently processes intraforest queries to the
global catalog. The first domain controller that you create in Active Directory automatically
becomes a global catalog server. You can configure additional global catalog servers to balance
the traffic for logon authentication and queries.
The global catalog enables users to perform two important functions:
 Find Active Directory information anywhere in the forest, regardless of the
location of the data.
 Use universal group membership information to log on to the network.

7 December 2021 14:08 16 of 207

38676182.doc

Preparing the Servers for Windows 2008

Windows 2000/2003 Domains and Forests must be prepared for the upgrade to Windows
Server 2008
ADPREP command-line utility extends the schema, updates security to selected objects, adds
new directory objects as required
 Adprep /forestprep
 Run first on Schema Master
 Must be member of Enterprise Admins and Schema Admins group or have
delegated authority
 make sure this is given time to replicate before proceeding to the domainprep
 Adprep /domainprep
 Run on Infrastructure Master in each domain after the forestprep has been
completed and given time to replicate
 Must be member of Domain Admins or Enterprise Admins group or have
delegated authority
 make sure to give this time to replicate to the other domain controllers before
proceeding to upgrade the domain controllers
The adprep utility is located on the Windows Server 2008 CD. It is used to prepare a Windows
2000/2003 domain to upgrade to Windows Server 2008 domain.
The utility extends the schema, updates security to selected objects and adds new directory
objects when required. It gets the Windows 2003 systems prepared for the new Active Directory
features in Windows Server 2008.
Once the ADPREP has been successfully replicated, both /forestprep and /domainprep, the
domain controllers can be left running Windows 2000/2003 for an indefinite period of time.

7 December 2021 14:08 17 of 207

38676182.doc

Installing Active Directory with DCPromo

Server Manager-Add Domain Controller Role Service Answer file to perform unattended
installation
 Part of DCPromo
 Network or Backup Media
 New in Windows 2008
 Reduces replication traffic when installing DCs in remote offices
 Start> Run> DCPromo /adv
References to old DCs must be removed with NTDSUtil > metadata cleanup before a DC name
can be re-used.
ADSIZER.exe estimates hardware requirements for deploying Active Directory in your
organization.
The wizard will walk through the creation of the domain. Several choices must be made
including if it is a new domain or becoming a replica in an existing domain, new tree or child
domain of existing tree, and new forest or join existing forest. The windows to follow depend
on the selections made. The server will look for a DNS server that is authoritative for the zone
for that domain. If none is found, DNS can be installed as part of the wizard. It will create an
AD I zone with the domain name as the zone name. If DNS has already been configured and it
just doesn't find it, select not to install and configure later. Make sure the DNS address is correct
in the IP settings.
New domain, new tree, new forest- the domain controller is the forest root server and will
install Active Directory, create the Global Catalog, create the Schema, have all FSMO roles, and
create the Enterprise Admins and Schema Admins groups, which are only available in the forest
root domain. No credentials are required to complete the installation. The DNS name of this
domain also becomes the name of the forest.
New domain, new tree, existing forest - the domain controller will become the tree root. The
name of the domain will be verified with the Domain Naming Master. Active Directory will be
installed and the Schema and Configuration information will be replicated from the forest root.
Only the domain FSMO roles will be created. Enterprise Admins credentials must be provided
in order to complete the installation. DNS is also required.
New domain, existing tree - the domain controller will become the first domain controller for a
child domain. The tree root domain must be specified along with the child name. The Domain
Naming Master must verify that the name is unique. AD is installed and the domain FSMO
roles created. It will also obtain the Schema and Configuration information from the forest root.
Enterprise Admins credentials must be provided in order to complete the installation. DNS is
also required.

7 December 2021 14:08 18 of 207

38676182.doc

Existing domain - the domain controller becomes an additional domain controller in an existing
domain. The domain name must be specified along with the Domain Admins credentials. AD is
installed and it receives all its information by replicating with an existing domain controller in
the domain.
NOTE: DCPROMO is also used to remove Active Directory. When the command is used, the
system detects it is already a domain controller and will start the wizard to remove Active
Directory.
After installing a domain controller, the settings for that domain controller can be saved as an
answer file through the wizard.
Use a current backup either from a network share or removable media to install Active
Directory. Must be from a domain controller in the same domain. Backup cannot be any older
than the "tombstone lifetime", typically 180 days. The more recent the backup, the less
replication traffic will be created during synchronization of the new domain controller after AD
installation. At the Run command, type DCPromo /adv.

7 December 2021 14:08 19 of 207

38676182.doc

Windows 2008 Domain Decisions

When installing Active Directory, there are three decision points that need to be considered. The
first is are you creating a new domain controller in a new domain or a domain controller in an
existing domain. If creating in an existing domain, you will be required to select the domain and
provide the proper credentials (domain admin) to join that domain.
If selected to be a new domain, the next decision is this going to be a new tree or become part of
an existing tree (child domain). Once the decision is made to become part of an existing tree, the
tree root and child name desired will need to be selected, along with the proper credentials
(Enterprise Admin) in order to join.
If creating a new tree, the last decision point is to create a new forest or become part of an
existing forest. If a new forest, then the domain name will also become the name of the forest.
This name cannot be changed unless a new forest is created and the existing forest will no
longer be valid.
If joining an existing forest was the decision, proper credentials (Enterprise admin) must be
provided to join the tree to the forest. The new domain will become the tree root.

7 December 2021 14:08 20 of 207

38676182.doc

System Changes with AD Install

AD Consoles in Administrative Tools
 dsa.msc: Active Directory Users and Computers
 dssite.msc: Active Directory Sites and Services
 domain.msc: Active Directory Domains and Trusts
 Sysvol folder created
 Permissions on system files modified
 The Active Directory database, ntds.dit, and log files created
 If possible put on separate hard disks for better performance
 Transaction Logs - Write operations (Raid-1)
 Database - Read/write operations (Raid-5)
 NTDSUTIL allows management of ntds.dit (move, compact, etc)
 Server account placed in domain controllers OU
 Local User and Computer accounts no longer available
There are some noticeable system changes after the installation of Active Directory, most
notably the additional administrative tools like Active Directory Users and Computer, Active
Directory Domains and Trusts, and Active Directory Sites and Services.
Digging a little further into a system that has been promoted to a domain controller you will
find the existence of the ntds.dit or The Active Directory database. "NTDS" obviously makes
references to it being the NT directory services and the dit represents the acronym "directory
information tree."
For optimal performance of The Active Directory database you should spread the information
across multiple physical hard drives. The Active Directory database should be separate from
Active Directory logs.
By default each new domain controller is automatically placed into the domain controllers'
organizational unit underneath the domain object.
After converting a system into a Domain controller it no longer houses a local user and
computer accounts database. (SAM)

7 December 2021 14:08 21 of 207

38676182.doc

Domain Functional Levels

Windows 2000 Native
 Universal groups are enabled for both distribution groups and security groups.
 Group nesting.
 Group conversion is enabled, which makes conversion between security groups
and distribution groups possible.
 Security identifier (SID) history.

Windows Server 2003

 The availability of the domain management tool, netdom.exe, to prepare for
domain controller rename.
 Update of the logon time stamp. The lastLogonTimestamp attribute will be
updated with the last logon time of the user or computer. This attribute is replicated
within the domain.
 The ability to set the userPassword attribute as the effective password on
inetOrgPerson and user objects.
 The ability to redirect Users and Computers containers. By default, two well-
known containers are provided for housing computer and user/group accounts:
namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature
makes possible the definition of a new well-known location for these accounts.
 Makes it possible for Authorization Manager to store its authorization policies in
Active Directory Domain Services (AD OS).
 Includes constrained delegation so that applications can take advantage of the
secure delegation of user credentials by means of the Kerberos authentication protocol.
Delegation can be configured to be allowed only to specific destination services.
 Supports selective authentication, through which it is possible to specify the
users and groups from a trusted forest who are allowed to authenticate to resource
servers in a trusting forest.

Windows Server 2008

 Distributed File System Replication support for SYSVOL, providing more robust
and detailed replication of SYSVOL contents.
 Advanced Encryption Services (AES 128 and 256) support for the Kerberos
protocol.
 Last Interactive Logon Information, which displays the time of the last successful
interactive logon for a user, from what workstation, and the number of failed logon
attempts since the last logon.
 Fine-grained password policies. Which make it possible for password and
account lockout policies to be specified for users and global security groups in a domain.

7 December 2021 14:08 22 of 207

38676182.doc

Forest Functional Levels

Windows Server 2003
 Forest trust.
 Domain rename.
 Linked-value replication (changes in group membership to store and replicate
values for individual members instead of replicating the entire membership as a single
unit). This change results in lower network bandwidth and processor usage during
replication and eliminates the possibility of lost updates when different members are
added or removed concurrently at different domain controllers.
 The ability to deploy a read-only domain controller (RODC) that runs Windows
Server 2008.
 Improved Knowledge Consistency Checker (KCC) algorithms and scalability.
 The Intersite Topology Generator (ISTG) uses improved algorithms that scale to
support forests with a greater number of sites than can be supported at the Windows
2000 forest functional level. The improved ISTG election algorithm is a less intrusive
mechanism for choosing the ISTG at the Windows 2000 forest functional level.
 The ability to create instances of the dynamic auxiliary class called
dynamicObject in a domain directory partition.
 The ability to convert an inetOrgPerson object instance into a User object instance
and the reverse.
 The ability to create instances of the new group types, called application basic
groups and Lightweight Directory Access Protocol (LDAP) query groups, to support
role-based authorization.
 Deactivation and redefinition of attributes and classes in the schema.

Windows Server 2008

This functional level provides all the features that are available at the Windows Server 2003
forest functional level, but no additional features. All domains that are subsequently added to
the forest, however, will operate at the Windows Server 2008 domain functional level by
default.

7 December 2021 14:08 23 of 207

38676182.doc

Implementing, Managing, and Maintaining Name

Resolution
DNS Namespace
 Domain Namespace is a hierarchical name structure
 “.”— Root is starting point
 Primary DNS suffix (e.g.: domain.com)
 Hostname (e.g.: www or JT-laptop)
 Characters a-z, A-Z, 0-9 and hyphens
 255 characters
 Not case sensitive
 Period between labels:
 No Spaces
 FQDN - Fully Qualified Domain Name (e.g.: www.domain.com)
 Identifies computer in name space
 Host name + domain name together
 Naming options
 Keep name as simple as possible
 Use .net or .local to keep separate from Internet domain name
The namespace for a domain has a hierarchical name structure. Each layer represents a different
part of the name. partnering.one.microsoft.com would be the namespace used to represent the
server "partnering". The root server at the top of the hierarchy is the top of the name chain. No
other namespace is available beyond the root. The'.' is normally invisible at the end of every full
name, but it can be seen within zone files. The root servers keep track of all the Top-level
domains. The top-level domains (.com, .org, .net) keep track of all the domain names. When a
domain name is registered, the corresponding Top-level domain knows the second-level
domain information and a DNS server address that is authorized for the domain name. Both the
Root and Top-level domains are publicly-managed layers.
The second-level and on down are managed by private entities such as companies and
government agencies. There can be a difference between public and private domain namespace.
The namespace known to the public would be the public namespace with a public IP address.
The private namespace represents the internal network and private IP addressing. They can be
the same namespace if a secure firewall is configured. In most cases, the public name and the
private name will be altered slightly.

Primary DNS suffix:

This is set to the DNS name of the AD domain to which the computer joins. Can be specified by
a GPO, in the Network Identification tab of the individual computer, or through DHCP scope
options.

7 December 2021 14:08 24 of 207

38676182.doc

FQDN Rules:
The FQDN can be viewed by using the IPCONFIG command at a prompt or by opening the
properties of the My Computer icon. One important difference between NetBIOS names and an
FQDN name is that a NetBIOS name cannot begin with a number. An FQDN is limited to 254
characters. DCs are limited to 155 characters for a FQDN. To read a FQDN, start from right to
left, beginning with the invisible '.' and proceeding to the far left, which is the host name.

NetBIOS Names
 Characters a-z, A-Z, 0-9 and hyphens (not case sensitive) .
 Cannot begin with a number.
 No more than 15 characters.
 A 16th Character is automatically added to identify the service.
 Spaces are OK
 While not case-sensitive but, always displayed in all capital letters.
During the creation of an Active Directory domain, that domain must be provided with DNS
and NetBIOS domain names. After creating a DNS name for the domain, a NetBIOS name will
automatically be generated using the first 15 characters, not including the dotted notation, of
the domain's DNS name. All NetBIOS names must be unique so the WINS server will not allow
the domain to have a duplicate NetBIOS name. If the first 15 characters are exactly the same, it
will give an error and the administrator must alter the name in some manner. NetBIOS is a flat
naming structure and it doesn't distinguish between domain, computer or user names. If there
is already a NetBIOS name of CHARLES for a domain, a computer or user cannot have a
NetBIOS name of CHARLES.

How to Get a Domain Name

Domain names must be registered with an appropriate authority so that the name is guaranteed
to be unique across the entire Internet. If you are planning on using a domain name for your
company and you plan to connect to the Internet, you should check to be sure the name has not
already been registered by another company.

Some Basic DNS Naming Guidelines

 Avoid namespaces that are too long or complicated. If the root of the domain is
three levels deep, adding further domains might become unwieldy and difficult for
users to remember.
 Delegate a sub-domain to maintain a single, manageable DNS hierarchy. Useful
when you need to leave an old DNS structure in place to support external resources
(Web) but want to manage both namespaces together.
 Register your internal namespace with ICANN. A simple solution is to register
the "company.com" and the "company.net" with the Internet, but reserve the .net for
internal usage. The disadvantage to this is the need to maintain two separate
namespaces.

7 December 2021 14:08 25 of 207

38676182.doc

 Use .net or .local to separate your public domain namespace and the private
namespace.

7 December 2021 14:08 26 of 207

38676182.doc

DNS Zones
Database file representing a portion of the namespace
 Divided up based on needs of network
 Single zone for the root domain with subdomains for each child domain
 Single zone for the root domain and one subdomain for one child with a
separate zone for he other child domain
 Cannot be two subdomains without the parent
A zone is a portion of the namespace that has a database file generated in DNS to support name
registration and name resolution for that zone. The namespace can be divided based on the
needs of the network.
A DNS domain is a portion of the namespace which allows multiple computers to have a name
in common. A zone must contain at least one domain and may contain multiple domains. E.g.
The left half of the slide shows one zone "fabrikam.com" which includes the parent domain
fabrikam.com and two child domains research and training. All records ending in
fabrikam.com, research.fabrikam.com, or training.fabrikam.com will be found in a single zone
file. The right half of the slide shows two zones. The first zone is called fabrikam.com and has
two domains fabrikam.com and research.fabrikam.com. The second zone has the single domain
training.fabrikam.com. Any records ending in .training.fabrikam.com are only on the DNS
server shown in the training.fabrikam.com domain. Zones are often divided like this to reduce
bandwidth consumption, allow for localized administration of DNS records, or to accommodate
differences that preclude sharing a single file between multiple entities.
Domains for an Active Directory tree can share the same zone. Since the parent and child
domain all share the same namespace (name of the parent), the parent will have an
authoritative server responsible for the entire namespace. If it is a larger network and the
infrastructure plan is to allow one of the child domains to take care of its own namespace, the
zone could be designated for just that child domain.
A zone cannot have two child domains together without the parent. They no longer have a
common namespace (parent is no longer involved), so they are not allowed to share a zone.
When creating zones, a parent must be with a child or a child can stand alone.
The zone name and the domain name match. Even though we have two separate naming
structures, an Active Directory namespace which represents objects in Active Directory and
DNS naming which represents resource records, the names look the same.
See also: DNS Namespace Planning (KB25468)

7 December 2021 14:08 27 of 207

38676182.doc

DNS Name Resolution - Forward Lookup

 DNS NetBIOS on TCP 53 and UDP 53 must be allowed through a router or
firewall
 Forward Lookup, provides name to IP address name resolution with:
 Recursive - full name query (all or nothing)
 Iterative – full name query (“Piece at a time”)
There are two categories of zones in DNS: Forward Lookup and Reverse Lookup. Forward
Lookup zones provide hostname to IP address resolution. This category is required. The
Reverse Lookup zone provides IP address to hostname resolution. This is optional, but must be
created for some tools to function. When trying to resolve a hostname, the resolver (client) will
check its own DNS cache first, if not able to resolve, it will then send the request (query) to its
Preferred DNS server as a Recursive (full name) query.

DNS Query Types

Recursive Query: A recursive is a full name query that is made usually from the client to the
DNS server. This query expects a response back for the full name resolution, either an IP
address to connect or a failed query message. The resolver has instructed the name server to go
up to the Root name servers if necessary. The recursive resolution is usually the responsibility
of the Preferred DNS server.
Iterative Query: An iterative query is a partial name query. Only part of the full name is being
requested and received. The process of iteration breaks a name down one piece at a time until
the IP address matching the final piece of the name has been found. This request is between
DNS servers, starting with the root server and working on down until the DNS server that is
authoritative for the full name is located.
Inverse Query: Inverse queries use the IP address to make a request instead of an FQDN. The
FQDN is returned by the server.

DNS Name Resolution Failure

If DNS name resolution fails and WINS is enabled on the client, the client will continue to
attempt resolution as follows:
1. Cache/Hosts file cached (text file on local system)
2. DNS
3. CACHE (NetBIOS Cache)
4. WINS (NetBIOS to IP address)
5. BROADCAST
6. LMHOSTS (Text file on local system)

7 December 2021 14:08 28 of 207

38676182.doc

Resolver Cache
Each time a client receives an answer to a DNS query from a DNS server, an entry is made in
the resolver's cache. The next time the client needs to resolve a name, it checks its cache to see if
it has already resolved this name in the recent past. The resolver cache is cleared and the
HOSTS file's contents are reloaded into cache each time the computer is booted. The resolver
cache is also updated each time the HOSTS file is saved.
The HOSTS file is a text file that is available on the local system. It can be configured to provide
hostname to IP address resolution, but each entry must be entered manually. To use the HOSTS
file in a domain, the file must be modified on each machine manually.
To display the resolver cache, type IPCONFIG /displaydns. To clear this cache, type IPCONFIG
/flushdns.

Name Resolution
 HOSTS File - Static, manually managed text file of name-to-IP mappings
 DNS Server is a distributed database made up of Resource Records (RRs):
o A (Host): name to IP resolution for computers and printers
o AAAA: Equivalent of A records, but for IPv6 PTR (pointer): IP to name
resolution
o NS (name servers): used to identify authoritative DNS servers
o SOA (start of authority): used to provide configuration to secondary zones
o SRV (service locator): use to locate Kerberos, GC, LDAP
o MX (mail exchanger): identifies mail servers CNAME (canonical name): aliases
helpful for server consolidation
o WINSLookup: required to integrate WINS with DNS for down-level clients.
There are two ways to provide name resolution to clients in a Windows Server 2008 network:
Hosts file or DNS server. The Hosts file is a text-based file that can have mappings entered for
name to IP resolution. All entries are made manually and the file must be created an each client.
This could be useful if there was a specific name to IP address resolution needed for an
individual server and not desired for the remaining servers. Since the Hosts file is checked
before going to the DNS server, it provides a way of doing this type of specialized entry.
The HOSTS file is located in the %systemroot%\system32\drivers\etc\ folder (similar to
UNIX). Open in a text editor (Notepad or WordPad) and modify accordingly. Notice the semi-
colon at the beginning of some of the lines. This indicates not to use these lines because they are
documentation only. The loopback address is in the Hosts file by default as localhost. When at a
command prompt, if you type ping localhost, it will resolve it to 127.0.0.1. After making any
entries, save the text file as the same name, "hosts" and do not allow Windows to add a file
extension or the file will not work.

7 December 2021 14:08 29 of 207

38676182.doc

Since the local system checks the Hosts file and cache first in the process of name resolution,
any entries in the Hosts file will be used instead of the DNS server entries. A stale entry in the
Hosts file will result in the client being unable to reach the server even if that server's record is
current in the DNS zones.
The DNS server provides a centralized database for all clients to register and use to resolve
hostnames. This can be a dynamic environment, if configured properly, where the resource
records are automatically recorded in the proper zone for that client. It provides a much better
way to maintain a name resolution environment than with distributed Hosts files.

Resource Records
The resource records are the entries made in the DNS server to represent the hosts, services and
other DNS specific items. The most popular resource records are listed below.
A - Host record, maps a FQDN to an IP address.
PTR - Pointer Record maps an IP address to a FQDN (Allows for reverse lookups) CNAME -
Canonical name maps an alias to the actual A record
SOA - Identifies key information about a zone including the authoritative server
NS - Identifies a name server that can answer queries for that zone
SRV - Identifies services within a specific domain including identifying domains, domain
controllers and sites. These records are required for Active Directory.
MX - Identifies a Mail server for a particular domain name. Needed for UNIX Sendmail, MS
Exchange, Novell Groupwise and other Mail Transfer Agents.
Some of the records can be created automatically. If it is necessary to create a resource record,
right-click the zone where the record is needed and select the appropriate record type. The
A(host) record is the only record which has an actual IP address entered. The remaining records
point to the A(host) record. Because of this, if the A (host) record is not correct, the other records
pointing to it will not function properly.

7 December 2021 14:08 30 of 207

38676182.doc

SRV Records
The SRV records are a very important part of the DNS server. They are created when Active
Directory is installed and the domain is created. The information contained in the SRV records
includes domain records, listing of domain controllers in each domain, the site structure
(associates domain controllers with the correct site), and pointers and information regarding
other services.
This information is required when: joining host systems to the domain, creating a new domain
controller in the domain, a computer or user performs a network logon, and connecting to
various services within Active Directory structure such as the Global Catalog. If the SRV
records are not available and accurate, these items will not work properly, if at all. Put another
way, "If DNS is broke, Active Directory is broke."
In addition to being identified by an FQDN in DNS and by a Windows full computer name,
domain controllers are also identified by the specific services that they provide. Windows uses
DNS to locate domain controllers by resolving a domain or computer name to an IP address.
This is accomplished by SRV resource records that map a particular service to the domain
controller that provides that service.
When a domain controller starts, the Net Logon service running on the domain controller uses
the DNS dynamic update feature to register with the DNS database the SRV resource records
for all Active Directory–related services that the domain controller provides. Therefore, a
computer running Windows can query a DNS server when it must contact a domain controller.
For Active Directory to function properly, DNS servers must provide support for SRV resource
records. SRV resource records allow client computers to locate servers that provide specific
services, such as authenticating logon requests and searching for information in Active
Directory. Windows uses SRV resource records to identify a computer as a domain controller.
SRV resource records link the name of a service to the DNS computer name for the domain
controller that offers that service.
SRV resource records also contain information that enables a DNS server to locate:
 A domain controller located in a specific Windows domain or forest.
 A domain controller located in the same site as a client computer.
 A domain controller that is configured as global catalog server.
 A domain controller that is configured as the PDC emulator.
 A computer that runs the Kerberos Key Distribution Center (KDC) service.
 SRV Resource Records and A Resource Records
When a domain controller starts, it registers SRV resource records which contain information
about the services that it provides. It also registers an A resource record that contains its DNS
computer name and its IP address. A DNS server then uses this combined information to
resolve DNS queries and return the IP address of a domain controller so that the client
computer can locate the domain controller.

7 December 2021 14:08 31 of 207

38676182.doc

In Windows, domain controllers are also referred to as Lightweight Directory Access Protocol
(LDAP) servers because they run the LDAP service that responds to requests to search for or
modify objects in Active Directory.
All SRV resource records use a standard format, which consists of fields that contain the
information used to map a specific service to the computer that provides the service. SRV
resource records use the following format:
_service_.protocol.name ttl class SRV priority weight port target

Troubleshooting SRV Records

 AD installation generates SRVs for domains, domain controllers, sites, and other
services.
 Error "Domain cannot be found"
 IF SRV Records are missing: Check DNS IP address for domain controller
 Stop and Restart Netlogon service on domain controller
The biggest indicator that there is something wrong with the SRV records is when "domain
cannot be found" or "no match for domain name" type of error message appears and Active
Directory has been installed. The first thing to do is to check that the IP address on the client
system has the proper DNS IP address in its configuration settings. If you are not pointing to
the correct DNS server, you will not be able to find the domain.
Next, look at the DNS server to verify if the SRV records are showing for the zone
corresponding to the domain you are attempting to join or connect. If the SRV records are not
there, check the IP address of the domain controllers to make sure the IP configuration is
pointing to the DNS server. Even if the domain controller and the DNS server are on the same
server, it must point to itself in order to register. The domain controller and DNS server must be
thought of as two separate services that are sharing the same physical machine. After verifying
and making any changes, go to a command prompt and type IPConfig /registerdns to force the
registration of the server in DNS.
Also make sure that dynamic updates are set on the zone in DNS. To determine this, go to the
Properties of the zone and view the settings for Allow Dynamic Updates on the General tab. If
None is displayed, dynamic updates are not configured and the drop-down menu will allow
you to choose either Nonsecure and Secure or Secure only. Secure only is an option when the
zone is an Active Directory Integrated Primary zone.
Once the IP address and dynamic updates have been confirmed, the next step is to Stop and
Start the netlogon service on the domain controller. This service can be found in the Services
console in Administrative Tools. The Netlogon service is set to Automatic startup after Active
Directory is installed and it is a responsibility of this service to create and maintain the SRV
records on behalf of this Domain Controller. Return to the DNS console and refresh the
window.

7 December 2021 14:08 32 of 207

38676182.doc

As domain controllers are added, they will register their information in the appropriate SRV
containers, also known as "the underscore subdomains". If records for domain controllers are
missing, make sure dynamic updates are allowed in the zone's properties. On the domain
controller that is missing SRV records, stop and restart the Netlogon service. An IPConfig
/registerdns will not update SRV records, only A and PTR records.

Managing Mail Server Records

 Mail servers are identified by MX records with assigned priorities.
 A lower priority has higher preference.
 A 10 server is used before a 20 server.
 MX records with equal priorities are used randomly.

7 December 2021 14:08 33 of 207

38676182.doc

DNS Server Functions

 Caching Only Servers
o Defined by a DNS server that does not have any zones - Provides Internet name
resolution - Caches DNS information for use at a later time
 Name Server
o A server authoritative for a given namespace due to the existence of a Primary,
Active Directory Integrated, or Secondary zone.
o The presence of a stub zone does not make a DNS server authoritative for the
data in that zone.
 Forwarder
o Receives queries from other DNS servers
o Configure forwarding DNS with the IP address of the Forwarder
 Chaining Forwarders
o Forwarder sends queries to other Forwarders
In Windows Server 2008 there are several different types of DNS servers. Each DNS server can
function as several different types.

Caching Only Server

This is the default server type when DNS is first installed. It has no zone information and
provides Internet name resolution only. When an answer is returned, a server caches the result
to be used at a later time. Caching Only is a good option if you only want to provide Internet
name resolution for a group of systems. A caching-only server can make a useful forwarder in a
DMZ aka "perimeter network".

Forwarder
When a DNS server cannot resolve a name request, it will then send the query to a Forwarder,
and if that fails, use its Root Hints which normally entails iterating the FQDN beginning with
the Internet's Root Name Servers. The Forwarder's role is to resolve the request or send it on to
the Roots for resolution. This can be a way to protect your internal network if you have multiple
DNS servers because there is only one connection between the internal network and the
Internet. If all DNS servers in an organization queried the Internet Roots, then there would be
multiple access points through the organization's firewall(s), which is not secure. To utilize the
forwarder for a single point of access, configure all of the other DNS servers with the IP address
of the Forwarder, the one system that is going to be able to send queries to the Internet.

7 December 2021 14:08 34 of 207

38676182.doc

Chained Forwarder
It is possible for a Forwarder to then send a query to another Forwarder. This creates a chain
and Internet name resolution is not provided until all Forwarders have not been able to
complete the query. If you had a main office and multiple branches where the main office had
the sole Internet connection (a hub and spoke arrangement), a Chained Forwarder arrangement
may be appropriate. Have one DNS server at the home office configured to use an ISP DNS
Server as a Forwarder. Each branch office would have its DNS server point to the central DNS
(Forwarder).

7 December 2021 14:08 35 of 207

38676182.doc

Installing DNS
Manual Install
To install the DNS Server service, use Server Managers Roles feature. It is not necessary to
reboot when the install is complete. When installed manually, no zones are created and it is
considered a Caching Only server.
When installing a DNS server in a workgroup, this is the only method available.

Active Directory Installation

During DCPROMO of a Windows Server 2008, there is an attempt to contact a DNS server
which is authoritative for the domain which the server is attempting to become a domain
controller. If the DNS server holds a Standard Primary or ADI Primary zone with the same
name as the AD domains' and that zone allows dynamic updates, there will not be a prompt to
install a DNS server locally. If there is not an authoritative DNS server for the domain name or
if the zone does not support dynamic updates (or is not configured to support them), you will
be prompted to install DNS locally. If this option is selected, DNS will be automatically installed
on the server.
Installing during Active Directory installation will install the DNS server with the following:
 Active Directory Integrated zone using the domain name for the zone name
Secure dynamic updates configured
 Zone transfers are disabled
If you are upgrading a server using DCPROMO, you might run into some issues with DNS. If
you select to connect to any available DNS servers, you will need to communicate with a DNS
server that is authoritative for that domain. If you are adding a new domain in an existing tree
or forest, you will need to be able to connect to a DNS server hosting the tree root's DNS
domain. If you are not able to find a DNS server, you will either be prompted with the option to
install DNS locally or to configure it later. If the DNS Server service was installed manually on
the same server that is now becoming a domain controller, it will present this message. Select to
'configure later' and it will register properly during the reboot for Active Directory Installation.
Groups
When installing DNS in a domain, as with many of the services, there are two groups created.
They are DNSAdmins and DNSUpdateProxy group. The DNSAdmins can manage the DNS
server. The DNSUpdateProxy group is used in the case of redundant DHCP servers registering
DNS.

Default Installations
 Basic install (not during DCPromo)
o Zones not created

7 December 2021 14:08 36 of 207

38676182.doc

o Server acts as caching-only server

o Root Hints are active
 Installed during DCPromo Forward-lookup zone automatically created for
domain
o AD Integrated Primary
o Secure Updates only
o Root Hints and forwarders might be inactive
o Creates a root zone if there is no connection to a root name server
When DNS is first installed, it creates both the Forward Lookup and Reverse Lookup folders.
Depending on the type of install completed, the folders will be empty (manual) or have the
zone information from the DCPromo install will be in the Forward Lookup zone. Reverse
Lookup zones must be created manually.
When DNS is installed manually, no zones are created. It is considered a caching-only server.
Root hints are active and forwarding is enabled. If a root zone is desired, it must be created.
When you run DCPromo with no DNS installed, DCPromo will prompt you to install DNS. It
will create a Forward Lookup zone using the domain name as the zone name. The zone is an
Active Directory Integrated zone with secure dynamic updates configured. Zone transfers are
disabled.

7 December 2021 14:08 37 of 207

38676182.doc

Windows Server 2008 DNS Zone Options

 Standard Primary Zone - Writable copy of the zone stored in a local file
 Secondary Zone - Read-only copy of the primary zone Only uses zone transfers
to replicate
o Avoid using across slow links
 Stub Zone - Copy of Primary zone that only contains Start of Authority (SOA)
record, Name Server (NS) records, and the Host (A) record of the authoritative servers
There are three types of zones: Primary, Secondary and Stub. The Primary and Stub zones can
be stored in Active Directory, as long as the DNS server is a domain controller. Otherwise, all
three zones are stored as a text file on the local drive.

Standard Primary - is the only copy of the zone that can be modified. A Standard
Primary is combined with servers hosting Secondary zone files in a traditional DNS zone of
authority. There can be only one Primary copy of the zone in a traditional DNS configuration of
a zone of authority.

Secondary - is a duplicate of the primary zone and is stored only as a text file. It is used for
name resolution only and uses Zone Transfers to replicate from its Master Name Server.

Stub - a partial copy of the Primary zone that includes only specific records. It has the Start of
Authority (SOA) record, all the Name Server (NS) records and the Host (A) record of the
authoritative server. When configured, the IP address of the serer that hosts the zone is
indicated in order to create the Stub zone. Most often implemented on a parent domain to keep
updated name server records for a child domain.
Example: Given a zone of authority made up of 1,500 records managed by 4 name servers, the
Standard Primary zone would have all 1,500 records and any new records must be created in
that copy of the zone. A name server with a Secondary copy of the zone would also have 1,500
records. A third server with a Stub copy of the zone would have 9 total records - 1 SOA record,
4 NS records, and the 4 A records of the name servers.
Store the Zone in Active Directory (Available only if DNS Server is a Domain Controller) Select
this checkbox in order to store either the Primary or Stub zone in Active Directory. Storing a
Primary zone in the AD database makes it an ADIP zone (Active Directory Integrated Primary).
This provides ease of administration, conserves network bandwidth and increases security. The
DNS records then synchronize automatically as part of Active Directory Replication. By default,
the database replicates to all other domain controllers running the DNS server in the AD
domain where the primary is located. Additional settings are available to specify the replication
behavior of the database. It can be directed to replicate to all domain controllers in the forest or
to all domain controllers in the domain, whether or not they are running DNS server. Also a
custom replication scope can be created.

7 December 2021 14:08 38 of 207

38676182.doc

During AD replication, the data is encrypted before sending it to another domain controller,-
This would provide encryption of DNS records passing between DCs with ADIP zones. A
secondary zone on another DNS server can be utilized when the database is being stored in
Active Directory, but zone transfers are not secured by encryption.
KEY POINT
It is technically incorrect to refer to a DNS server as a primary or secondary. For example, a
server that was providing DNS and Active Directory Services could participate in many
different zones of authority at the same time. That DC/DNS Sever could have the ADIP zone
"fabrikam.com", and the Standard Primary zone file "mlabs.com" and a Secondary zone file for
"elabs.net" and a stub zone file for "contoso.com".
How To: Configure a Secondary Name Server in Windows Server 2003 (KB816518)
How To: Replace the Current Primary DNS Server with a New Primary DNS Server in
Windows Server 2003 (KB323383)

Standard Primary Zone

A standard primary zone is a read/write copy of a DNS zone that is authoritative for all
resource records of a particular namespace. Standard primary zones will not accept updates
from any other DNS zones of the same namespace. Due to this limitation there should never be
more than one Standard Primary zone configured within the same Zone of Authority.
As a writable copy of the DNS data, a standard primary zone can be configured to allow
Windows 2000 and later client systems to register their own records in the zone thereby
significantly reducing the amount of administrative effort required to maintain a successful
name resolution infrastructure. Although it is recommended to allow DNS client registration,
the default setting for a standard primary zone is NOT to allow these client-initiated dynamic
updates and registrations. Since dynamic DNS is a recommended best practice, administrators
often assume that it is enabled by default. This is only true for new ADIP zones which have the
default settings of "Allow dynamic updates: secure only". For security reasons, Microsoft's
Standard Primary zones do not allow dynamic updates by default. Remember that there is no
"secure only" option for a Standard Primary zone.

Secondary Zone
A secondary zone is a read-only copy of a DNS zone that is authoritative for all resource records
in a particular namespace (one or multiple domains). Secondary zones are used to achieve fault
tolerance of name resolution, but due to their read-only nature, fault tolerance of name
registration is not available. Client systems must still register at the IP address of a server
hosting a Standard or ADI Primary zone.

7 December 2021 14:08 39 of 207

38676182.doc

Secondary zones obtain records and updates from the server listed as the Start of Authority. The
secondary zone configured on the screen shows that dc1.fabrikam.com is the Start of Authority
for the fabrikam.com zone of authority. The dc1.fabrikam.com server is the server that will be
queried for all changes to the DNS zone data. Note that the zone transfer that occurred resulted
in a copy of all available records from the SOA.

Stub Zone
Stub zones are new to Windows Server 2003 and are used to facilitate name resolution across
parallel domains or between parent and child domains broken into separate zones of authority.
Unlike a secondary zone, a stub zone does not copy all records from the Start of Authority. A
stub zone limits the records it keeps to only the SOA record, the Name Server records, and the
A (host) records for all the name servers authoritative for the zone. With a constant querying of
the SOA the list of name servers available for that particular namespace is maintained
dynamically. This is an excellent solution when the list of name servers needs to be kept current.
The alternatives to Stubs: conditional forwarding and "delegate down - forward up" are static
arrangements that require additional administrative effort to be kept current.
Servers with stub zones are NOT authoritative for that zone. An authoritative name server is
one that has ALL the records for a particular zone of authority.

Active Directory Integrated Zone

 An Active Directory-integrated Primary (ADIP) zone is a read/write copy of a
zone that stores all zone data inside Active Directory database and provides fault
tolerance of name resolution and name registration.
 ADI zones can only be configured on DNS servers that are also domain
controllers.
 ADI zones in multiple locations allow clients to securely register with local DNS
servers.
Active Directory-Integrated Primary (ADIP) zones are read/write copies of a DNS zone of
authority's records that stores the records inside The Active Directory database. ADIP zones
provide fault tolerance of name resolution and name registration. In fact, the only way to
achieve fault tolerance of name registration is to configure multiple ADIP zones. Only DNS
servers that are also functioning as domain controllers can host ADIP zones.

7 December 2021 14:08 40 of 207

38676182.doc

Forwarding
 Good solution for name resolution across slow links
 Conditional Forwarding
o Forwards all traffic for a specific domain
o Multiple IP addresses for each domain can be entered
o Good for multi-tree forest/partnerships
 Simple Forwarding
o If name query does not match any domain specified, server uses "All other DNS
domains" which may have different IP addresses specified, e.g. ISP DNS server
 Two drawbacks
o Administrative effort
o Static nature of configuration
When a name query cannot be resolved by the local DNS name server, the query can be
forwarded to another DNS name server. Queries will be sent to configured forwarders before
using the Root Hints, which point to the Internet root servers for resolution.
Forwarding is available whenever there is not a Root zone on the DNS name server.
Forwarding is configured on the Forwarders tab in the Properties of the DNS server. There is a
listing for All other DNS domains with no IP address provided. If there is a DNS name server in
the ISP being used or another specific name server that all requests should be forwarded,
supply the IP address with this entry. Multiple addresses can be configured and will be
contacted in order. If the first address is unable to resolve the query, it will then send it to the
second and so on.

Conditional Forwarding
Both Windows Server 2003 and 2008 support Conditional Forwarding. It provides the option to
direct specific name queries to the DNS name server for that domain. If names need to be
resolved to another area in our network or to a company we are working with on a project,
obtain the domain name and the IP address for the DNS name server for that domain. The
domain names are added in the Forwarders tab with the corresponding IP addresses for the
name servers. Any name queries that are received by the DNS name server that cannot be
resolved, will check the specific domain names in the Forwarders tab first and if a match if
found, will send the name query directly to the name server in that domain. If no matches are
found, it sends the name query to the IP address listed under All other DNS domains.
For Example: Users in contoso.com are working with one of our divisions, prep.com, on a
special project. They need to be able to contact them easily. Add a New domain entry for
prep.com with the address 192.168.4.5, which is the name server for prep.com. All name queries
that come through the DNS server will now go directly to the name server for prep.com.

7 December 2021 14:08 41 of 207

38676182.doc

The longest domain name will be checked first when trying to match domain names. If domain,
sales.prep.com and prep.com are both listed, the DNS server will try to match sales.prep.com
first. So if the name query is for server1.sales.prep.com, it will find the appropriate name server.
If sales.prep.com was not listed, it would try prep.com.

Advantages of Conditional Forwarding

There are a lot of advantages with Conditional Forwarding. The DNS traffic is kept on the
private network by not going to Root servers on the Internet to resolve names. It speeds up
name resolution for the same reason, the queries do not have to go through the entire iterative
process to the Root, .com, etc. before the name server responsible for that host name is located.
By not having to use the Internet to resolve names, it conserves bandwidth to the Internet.

Disadvantages of Conditional Forwarding

Since the information must be manually entered in to the Forwarders tab, it does take
considerable amount of administrative effort to configure it for a large network. Any changes
that may occur will also need to be made manually.
Do not use recursion for this domain: This option at the bottom window determines if the
Conditional Forwarding does not resolve the query, will it then be sent to the Root hints to be
resolved. If the box is checked, it will turn off recursion, which means if the name query fails
from the specific domain name server, it will not be sent to the Root hints for further resolution.
Conditional Forwarding in Windows Server 2003 (KB304491)
How To: Configure DNS for Internet Access in Windows Server 2003 (KB323380)

Simple Forwarding
When firewalls or routers prevent DNS traffic to all DNS servers except a specific external DNS
server, forwarding should be configured on the internal DNS servers rather than provide the
clients with the IP address of the external DNS. DNS forwarding eliminates a delay in name
resolution availability.
Allowing an internal DNS server to query an ISP name server is more secure as the Firewall
requires less modification and the internal server is likely hosting a DNS zone needed for an AD
domain that the DNS client PC would belong to.

7 December 2021 14:08 42 of 207

38676182.doc

Delegated DNS Zone

By delegating zone data, you can distribute name records by making other servers authoritative
for another domain name within the same namespace. The single zone of authority which
would have contained both the parent domain and the child domain's records, becomes two
zones of authority with the parent server responsible for the parent zone and the other server
responsible for the child zone. Queries sent to the parent server for records within the child
domain will be referred to the child zone's server based on the delegation. The parent server
only holds a reference (delegated subdomain) to the child zone.
The information maintained on the parent server includes the Delegation Records (NS record
for the authoritative server(s) in the child domain) and the Glue records (which is the A
record(s) for the child domain's authoritative name server(s)). This information is required
when delegating name resolution of subdomains.

Creating a Delegation
The first step to create a delegation is to create the Primary zone "ad.fabrikam.com" on server2.
Make sure to point the DNS address to it and change the DNS server address on clients in the
domain to point to server2. Configure a Forwarder ofserverl.fabrikam.com so any name queries
sent to the child DNS server that cannot be resolved will be sent to the parent.
On the parent server, run the New Delegation Wizard from the shortcut menu of the
"fabrikam.com" zone. A folder for the delegation will appear in the parent zone, containing a
NS record(s) specifying the DNS server(s) which is delegated control of the child zone of
authority.
Remember "Delegate Down / Forward Up"
The major drawback of "Delegate Down - Forward Up" is that it is a static arrangement. If new
name servers were to host additional copies of "ad.fabrikam.com", server1 would be unable to
direct queries to them until an administrator manually updated serverl.
How To: Integrate DNS with an Existing DNS Infrastructure If Active Directory Is Enabled in
Windows Server 2003 (KB323418)

7 December 2021 14:08 43 of 207

38676182.doc

DNS Design
 Stub zones are abbreviated copies of a zone that speed up name
 Resolution by dynamically maintaining SOA, NS, and Glue (A) records. Stubs
require zone transfer but are not authoritative for the names pace.
 Forwarding is used to speed up name resolution without the overhead of zone
transfer.
 Secondary zones are full copies of a zone that are authoritative for that
namespace but incur the overhead of zone transfers.
When a Stub zone is created, it only maintains the Start of Authority (SOA) record, Name
Server (NS) records and the Glue record that identifies the name server that is authoritative for
the zone. The SOA and NS records are updated on a regular interval by the Master Server
indicated during the configuration of the zone. Like a Secondary zone, information for the zone
of authority cannot be modified in the Stub Zone.
The use of Stub Zones makes the process of name resolution much more efficient and reliable.
Name queries can be resolved faster because the name server information is readily available
instead of having to query other DNS servers to get the information. Using the traditional
delegation without a stub zone, name server records would have to be manually updated to the
parent DNS server. With a Stub Zone, these records are kept up to date through scheduled zone
transfers.
Stub zones can also help with DNS administration for areas that require name resolution but
having data redundancy is not important. Instead of Secondary servers, use a Stub Zone. Name
resolution will occur and network traffic will be reduced because of not having the large zone
transfers for the secondary zones.
Updates for a Stub zone are determined by the refresh interval in the Start of Authority record.
There are three options to update the Secondary and Stub zone data manually.
 Reload - Reloads the Secondary or Stub zone from the local storage of the DNS
server hosting it (hard drive to memory)
 Transfer from Master - SOA record will be checked to see if the serial number has
changed and then executes a standard zone transfer from the master server
 Reload from Master - Executes a complete zone transfer even if the SOA serial
number has not changed. (This option places the largest load on the network.)

7 December 2021 14:08 44 of 207

38676182.doc

Dynamic Updates
 Windows 2000+ clients only
o Manual configuration or additional applications needed for MAC/UNIX
 Register A host record and PTR record
 Configure DHCP to dynamically update on behalf of down-level clients
 Secure updates available for Active Directory Integrated zones only
 Configure dynamic update on the properties of the zone after creation; the
default is set to None on a Standard Primary zone.
Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2008 clients are
capable of registering their A and PTR records dynamically. There are a couple things that will
influence whether or not they do. First, if the client is not a DHCP enabled client, it will be
responsible for both the (A) and (PTR) record all of the time. If it is a DHCP enabled client, the
results will solely depend on the configurations of the DHCP server.

DNS and DHCP Integration

DNS and DHCP work closely together to provide dynamic updates for resource records in
DNS. Depending on how the DHCP server is configured, it can allow those clients who support
dynamic updates to register their own A and PTR records. If the selection has been made to
have DHCP to register the records, it will register both the A and PTR for the DHCP clients. It
can also be configured to update the A and PTR records for the down-level clients that do not
support dynamic updates; Windows 9X and Windows NT.

Types of Dynamic Updates

There are three choices when configuring Dynamic Updates. The zone can support Nonsecure
and secure updates, secure updates only, or None. Making the choice is part of the wizard when
creating the zone and can be modified in the Properties of the zone. 'Secure only' is only
provided as an option for ADIP zones. It provides added security to the database being stored
in Active Directory and only those who have permission through the Security ACL of the zone
can create and modify the records.
If the DNS was installed as part of Active Directory installation, the ADIP zone is automatically
configured as Secure only.
How To: Configure DNS Dynamic Update in Windows 2003 (KB816592)

7 December 2021 14:08 45 of 207

38676182.doc

Zone Transfer
 Enabled on a Standard Primary
 Default setting Only Transfer to servers listed on name servers tab
 Add secondary servers to name servers tab
 AD Integrated zone - disabled
o Must be enabled on Zone Transfers tab and add secondary servers to Name
Servers tab
 Option to specify IP addresses of servers permitted to zone transfer
 "Transfer from master", on secondary, forces a zone transfer
 DNS notify reduces the zone latency as Primary server notifies all listed servers
of updates.
 DNS Notify SHOULD NOT be configured to systems that are caching-only DNS
servers or non-DNS servers.

Default Settings for Zone Transfer

When a Primary zone is created, zone transfers are enabled and configured as only transfer to
servers listed on name servers tab by default. This is different from the setting in Windows
2000, which was "Allow transfers to any server". In Windows Server 2003, by default the
secondary name servers must be listed in the Name Servers tab in order for them to obtain zone
transfers.
When an Active Directory zone is created, zone transfers are disabled by default. In order to
allow zone transfers to occur, enable zone transfers on the Zone Transfer tab in the Properties of
the zone. Be aware that when zone transfers are enabled, the default setting is To all servers. To
secure the zone transfer, select Only Transfer to servers listed on name servers or specify the
name servers by IP address. Make sure the secondary name servers are listed on the name
servers tab.

Zone Transfer via Notify

By default, a Master Server will notify the secondary servers when updates are made. The serial
number in the SOA record, which can be viewed on the SOA tab in the properties of the zone, is
incremented when changes occur to the database, which triggers the notification process. Only
those servers that have been listed to be notified will be contacted. A zone transfer is a Notify -
Pull transaction. The secondary servers are notified that there have been changes and the
secondary servers will request the updates from its Master Server.

Securing Zone Transfers

Zone transfers can be secured by either using the Only Transfer to servers listed on name
servers tab or Only to the following servers and specify the IP addresses of the servers that will
be transferred the data.

7 December 2021 14:08 46 of 207

38676182.doc

SOA Record
 Zone Transfer Process Controlled by SOA record
 Refresh Interval
o Frequency Secondary checks Master for updates
o Increasing this value delays next SOA request
 Retry Interval
o Time to wait before retrying after a failed zone transfer
 Expires after
o Length of time Secondary will attempt to contact Master
o Time expires, zone expires
o Zone expires, it will stop responding to queries
 TTL
o Length of time records are cached
o Increasing TTL allows records to be kept longer in cache – fewer authoritative
queries
The Start of Authority record controls the zone transfer process and provides information
regarding the authoritative server for the zone. The SOA tab can be accessed in the Properties of
the zone. The Serial number which increments when changes are made, can also be incremented
manually to initiate a transfer. It is the Serial number changing that triggers the notifications to
go to the secondary servers.
The Primary Server is the name of the authoritative server for the zone. The user account that
created the zone is the responsible person.
The bottom section pertains to the handling of the secondary zones, how they are to refresh,
time intervals to use and the life of the records they receive.
Refresh Interval- The frequency that the secondary servers check the Masters for updates. This
is outside of the Notification process. The default setting is that the secondary server will
request updates from the Master Server every 15 minutes.
Retry Interval - If the request was not successful for the Refresh Interval, the Retry interval will
be used and the secondary server will Retry the contact with the Master Server every 10
minutes by default.
Expires after - This is the length of time the secondary server will continue to attempt contacting
the Master Server. After one day (by default), the time expires and the zone expires. Once the
zone expires, the secondary server will no longer respond to queries for the expired zone.
TTL - The time to live is the amount of time cached records are maintained. The setting for all
cached records is 1 hour by default.
The TTL at the bottom of the window is for the SOA record itself. It has a default time-to-live of
1 hour.

7 December 2021 14:08 47 of 207

38676182.doc

Zone Transfers
 Zone Transfers occur from Master Server:
o Primary to Secondary
o Secondary to Secondary
o AD Integrated to Secondary
 Full Transfer (AXFR)
o Entire database replicated between two servers - Used when secondary is created
 Incremental Transfer (IXFR)
o Only modified records replicated
o Not supported by Windows NT
o BIND 8.2 and later support this option
Zone transfers help maintain the DNS data for a particular zone. Which servers can obtain a
zone transfer are controlled by the settings on the Zone Transfer tab in the Properties of the
zone. This allows the secondary to store a copy of the zone so that it can resolve client requests
without contacting the Primary Server.
When a secondary zone is created, it is required as part of the configuration wizard to provide
the IP address of the Master Server. This is the DNS that will be providing the updates to the
secondary zone. A Master Server can be a Primary server, another Secondary server, or a server
with an Active Directory Integrated zone.

Full Transfer (AXFR)

The Full Transfer copies all of the database information to the secondary server. This is used
when the secondary zone is first created. If the Secondary zone is configured on a DNS server
that does not support incremental transfers, then each time the transfer occurs it will be a full
transfer. An AXFR may also occur when the Secondary server determines that the SOA serial
numbers are significantly different.

Incremental Transfer (IXFR)

The Incremental Transfer will send only the changed records from a Master name server to the
secondary servers. This will still create network traffic, but not like the Full Transfer.

Active Directory Integrated

Active Directory Integrated zone only supports zone transfers when going to a secondary
server. The zone transfers tab is disabled by default and must be enabled and configured in
order to complete a zone transfer.
Zones which have configured as Active Directory Integrated zones do not use zone transfers.
The database is transferred as part of File Replication Service through Active Directory. The
DNS database replicates as part of the Domain partition and replicates to all domain controllers,
whether they have DNS installed or not.

7 December 2021 14:08 48 of 207

38676182.doc

How To: Configure a Secondary Name Server in Windows Server 2003 (KB816518)

Win 2008 ADI Zone Replication

In Windows 2000, Active Directory Integrated zone was replicated as part of Active Directory
replication, which was part of the domain partition. With Windows Server 200312008, there are
3 additional options that can be considered for replication of the DNS database in Active
Directory. These utilize the replication partitions for the domain (DomainDnsZone), forest
(ForestDnsZone) and custom partitions can be created which are all new features with
Windows Server 2003. The built-in application partition directory partitions, DomainDnsZone
and ForestDnsZone, can be viewed in the Primary zone that is being stored in Active Directory.
To configure and see the selections, select Properties for the zone and on the General Tab, select
Change. This button is only available when the zone is being stored in Active Directory. These
choices are also available when using the wizard to create the zone manually and the selection
to store in Active Directory has been checked.
There are four options provided. Details of each selection are listed below.
 To All DNS Servers in Active Directory Forest - replicate zone data to all DNS
Servers on domain controllers running Windows Server 2003/2008 in Active Directory
Forest. For this option, the database is stored in the ForestDnsZones directory
application partition. It creates the greatest network traffic but does increase the fault
tolerance of the zone information.
 To All DNS Servers in Active Directory Domain - replicates zone data to all DNS
Servers on domain controllers running Windows Server 200312008 in Active Directory
Domain. For this option, the database is stored in the DomainDnsZones directory
application partition.
 To All Domain Controllers in Active Directory Domain - replicates zone data to
all Domain Controllers in Active Directory domain. The database is stored in the
standard domain partition. This option must be selected if you have Windows 2000
domain controllers with the DNS server. Application partitions are not available with.
Windows 2000 so the ForestDnsZones and DomainDnsZones cannot be used.
 To All Domain Controllers Specified in the Scope of the Following Application
Directory Partition - custom application directory partitions can be created and specific
domain controllers running DNS and Windows Server 200312008 can be specified to be
part of the new partition. The database is only replicated to those domain controllers
which are hosting the custom application directory partition. Only members of the
Enterprise Admins group may create and populate the custom application directory
partitions.
In order to create application directory partitions, Support Tools must be installed. These can be
found on the Windows Server 2003 CD under Support/Tools. The file to install is suptools.msi.
The commands to both create and specific the domain controllers for the application directory
partition are executed from the command line.
Once at a command prompt, change directories until you are at c:/Program Files/Support
Tools. To create an application directory partition type the following command:

7 December 2021 14:08 49 of 207

38676182.doc

Dnscmd servername /createdirectorypartition FQDNofPartition (Servername is the name of the

server where you are creating the partition. The FQDNofPartition is the name of the partition
plus the domain name)
For example, if you were creating an application directory partition called partl in the
fabrikam.com zone and the servername was w2008server, the command would look like this:
Dnscmd w2008server /createdirectorypartition part1.fabrikam.com
To add domain controllers to the application directory partition use the following command:
dnscmd servername /enlistdirectorypartition FQDNofPartition
For instance, you are adding a domain controller named w2008server2 to the new partition. The
command would look like this:
Dnscmd w2008server2 /enlistdirectorypartition part1.fabrikam.com

7 December 2021 14:08 50 of 207

38676182.doc

Root Name Servers

 If connectivity to Internet is not required
 AND you desire only local name resolution
 Top node in DNS name structure
 Good for intranet performance
 Client queries stop at your root server
 Forwarding, Root hints not available
 Methods to complete configuration
 Delete Cache.dns file
 Create zone with period, "."
A Root server is the end of the namespace resolution. The "root" servers provided on the
Internet, are the end of the FQDN namespace for the Internet. Only for specific reasons would a
Root server on an internal DNS server be appropriate.
If the network is not connected to the Internet and no communication is required outside of the
network, a Root server could be created. If local name resolution is all that is required, then an
internal Root server might be appropriate. Without an Internet connection or a local root name
server, attempts to reach Internet sites will take a long time to fail.
The internal Root server becomes the top node in the DNS namespace. All name queries will
end at the Root server. It can be good for intranet performance. With a Root server in the
internal environment, the Root hints on other DNS servers should be modified to include only
the internal network's Root server.
When a Root zone is created, the capability to Forward or use Root Hints is disabled on that
server. Since the server is seen as being the top of the chain, there is nowhere else to go.

Creating a Root Server

To create a Root server, simply create a forward lookup zone named "."
The Cache.dns file is the file that contains the root hints for the Internet. It is updated each time
the DNS Server service is started. In order to receive a faster negative reply when an internal
root server is being used, delete the Cache.dns file on all DNS servers so they do not try to
resolve recursively through the root hints.
How to Delegate All Internet Top-Level Domains on an Internal Root DNS Server (KB294906)

7 December 2021 14:08 51 of 207

38676182.doc

Non-root Name Servers

 Multiple namespace support supports a:
o Need to interact with Internet
o Need to interact with intranet
 Non-root Name Server redirects unknown requests to root level servers
 Delete'.' zone to be able to forward and have root hints available
 Uses default Cache.dns file
 Contains A and NS records for Internet root servers
 Without root hints or forwarding a DNS server can only resolve for the zones
stored locally on the server
If you need to support access to the Internet from your internal DNS server, then you will need
to configure your DNS server to not be the root name server. As long as there is no '.' root zone,
the DNS server has access to root hints and forwarding. The only time a root zone is
automatically created is when the "Configure your Server" option is used to configure the DNS
server. All other methods will have the root hints and forwarding enabled.
The Root Hints can be viewed on the Root Hints tab in the Properties of the DNS server. The
Cache.dns file is located in the %systemroot%\system32\DNS\ folder. If you require the DNS
server be able to locate the actual Internet root servers, you should not remove this file.
The Internet Assigned Numbers Authority maintains a set of Root DNS servers that are
responsible for maintaining the Internet's Name Resolution Infrastructure. The Highest level
server is simply known as the "." root server. There are 13 root servers currently available on the
Internet. Each time the DNS Server service is started, the Cache.dns file is updated. The file
contains the A and NS records for the Internet root servers.
http://www.iana.org/about/popular-links/
How To: Configure DNS for Internet Access in Windows Server 2003 (KB323380) How To:
Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003 (KB816567)

7 December 2021 14:08 52 of 207

38676182.doc

DNS and BIND

 Requires a NS resource record be created for the UNIX server
 With both 2003 and BIND DNS, use 2003 as Primary and BIND as secondary
 Advanced features of DNS not supported in BIND
 Migrating from BIND to 2003 and supporting name resolution during the
process
o Create Primary on 2003 DNS using existing zone file.
o Create Secondary on 2003 DNS with BIND server as the master. Change 2003
DNS to Primary zone with BIND changing to Secondary zone.
UNIX BIND(Berkeley Internet Name Domain) DNS can work with a Windows Server 2008
network if the version of BIND is 8.1.2 or higher. In most cases, the latest version is being used,
which meets the criteria. In order for DNS to function with Windows Server 2003 AD, it must be
able to support SRV records and Dynamic Updates. To minimize network traffic, it would be
best to also support incremental transfers, which can be achieved with BIND version 8.2 and
higher.
When integrating BIND with a Windows Server 2008 DNS server, it is best to use the Windows
Server 2003 DNS as the Primary and use the Unix BIND as the secondary. Be sure to enable the
DNS server advanced property "BIND Secondaries" so that the UNIX server will be able to
successfully request zone transfers.
When migrating from BIND to Windows Server 2003 DNS, it may be necessary to keep both
DNS servers available to provide name resolution during the migration. The best way to
accomplish this is to establish the Windows Server 2003 DNS with a Primary DNS zone with a
new zone name. As the systems are migrated, they can be transferred to use the new DNS
server. In order to still provide name resolution for both zones, place a secondary on each of the
servers for the other zone: BIND host a secondary for the new Windows Server 2003 DNS
zone / Windows Server 2003 DNS host a secondary for the BIND DNS zone.

7 December 2021 14:08 53 of 207

38676182.doc

Configure DNS Client

 DNS Server List
o DNS server to register and send queries
o Subsequent servers only used when previous fails to respond
 Register this connection's addresses with DNS enables Dynamic Updates
Use Connection's DNS suffix Allows for a client to register its name in multiple zones, servers in
one domain that need to be accessed via FQDN for different domain. (I.E. server named www
in training.fabrikam.com registers DNS record in fabrikam.com for name resolution to
www.fabrikam.com)
To configure the systems in the network to be DNS clients, open the Properties of the network
interface card and view the Properties for the Internet Protocol. On the General tab, there are
two spaces provided for DNS server addresses. They are the Preferred DNS server, which will
be contacted for name registration and name resolution first. The Alternative DNS server will
only be contacted if the preferred server is not able to be contacted.
In the Advanced area of the IP settings, the DNS tab provides additional options that can be
configured.

Appending Suffixes
This feature allows the users to use one word host names instead of a FQDN. The default
setting, "Append primary and connection specific DNS suffixes" means that a user in
sales.fabrikam.com requesting ServerA with NetBIOS over TCP/IP disabled would cause a
query to be sent to the DNS server asking for the IP address of serverA.sales.fabrikam.com. If
the checkbox "Append parent suffixes of the primary DNS suffix" was checked, then the client
would have attempted serverA.sales.fabrikam.com followed by serverA.fabrikam.com.
By specifying "Append these DNS suffixes (in order)" as shown in the screenshot, the computer
would send serverA.sales.fabrikam.com then serverA.fabrikam.com even though the DNS
client itself might belong to contoso.com. This "Append these DNS suffixes (in order)" option is
manually configured on each machine or there is a Group Policy setting that will configure this
for all clients where the policy is applied.
If you had a multi-homed server that needed to be accessible in two different zones, you could
use the "DNS suffix for this connection" setting. For example, enter sales.fabrikam.com on one
adapter's properties then contoso.com on the second. To maintain current listings, select the
checkbox "Use this connection's DNS suffix in DNS registration" and that server would have A
records in both zones. Please note that the default selection above reads "Append primary and
connection specific DNS suffixes."

7 December 2021 14:08 54 of 207

38676182.doc

Register this connection's addresses with DNS: This is enabled by default and enables the
system to dynamically register its Host (A) record and PTR record, depending on the DHCP
server setting. If the system has been statically assigned, it will register both records in DNS. If
this box is cleared, the system will not register its own records, no matter how the DHCP server
is configured.
Use Connection's DNS Suffix / DNS suffix for this Connection: The system is assigned a DNS
suffix that becomes part of the full name of the computer. It is seen in the System Properties /
Computer Name tab. In a multi-homed system, it may be required to have a different DNS
suffix used to identify a network interface. Check the box Use the Connection's DNS suffix and
insert the DNS suffix that should be used for that interface in the area provided. Remember the
DNS suffix is what is used to register with the DNS server, so there must be a zone with that
DNS suffix name or the interface will not be able to register.
Appending DNS suffixes allows users to find resources without needing to know the exact fully
qualified domain name. CAUTION! Resources with same host names in different domains may
return erroneous info. There are only two ways to specify multiple DNS suffixes for a client:
Manually on each client, or using a GPO. A DHCP lease can only specify one entry for option
015 - DNS domain name.

Client Registration in DNS

There are two ways DNS clients are registered. Manual registration is completed in the DNS
console and Dynamic is accomplished from either the client or DHCP.

Manual Registration
The proper records can be manually created in the DNS console. When creating the A record,
there is an option to also create the PTR record. In order to create the PTR, a Reverse Lookup
zone must be already created for the network address. There is also a checkbox to select that
will allow any authenticated user to update the DNS record with the same owner name. This
option is only available when the zone is being stored in Active Directory. It will create an ACL
that can be viewed in the Properties of the resource record.

Dynamic Registration
Clients running Windows 2000, Windows XP, Windows Server 2003 and 2008 support dynamic
registration. The clients will dynamically register their A and PTR records in DNS, if all settings
are in order. If a static IP address has been configured, the default setting is to dynamically
register (checkbox on DNS tab is checked for Register this connection's addresses with DNS). If
DHCP is providing the IP address, it then is dependent on the DNS settings in DHCP.
The client will register whenever the system is started. If the DNS address is incorrect or has not
registered for some reason, go to a command prompt and type IPConfig /registerdns.

7 December 2021 14:08 55 of 207

38676182.doc

Optimizing Name Resolution

For a better name resolution performance, it is best to configure the DNS clients with an IP
address of a DNS server that is on the local segment. Since DNS is a major part of
communication in the network, having it on the same segment as the clients allows registration
and name resolution to be much more efficient. It cuts down network traffic across the routers
and will enable name resolution to happen more quickly.

Round Robin
 Rotates Resource Records as it responds to Clients
 Provides Load Balancing of name resolution Does not verify host state so failure
can still occur
 Enabled by default on the properties of the DNS server
 Configure by creating multiple A resource records with the same name but
different IP address.

Round Robin
A Round Robin configuration allows a DNS server to return different IP addresses for the same
name. This strategy is used to balance the load on different servers that maintain the same data,
such as Web servers. The drawback is that it is not capable of determining the state of the server
so some requests may fail. If a request fails, it will have to make the request again. There is no
redirection or management of a failed request. It can also be used for a multi-homed computer
to balance out the network load on each adapter.
Round Robin is enabled by default. To configure records for Round Robin, create multiple Host
(A) resource records using the same name with different IP addresses. Round Robin is selected
in the Advanced tab in the DNS server Properties.
Hands on: To confirm round robin functionality, set up multiple A records with same
name/different IP addresses and then request that name multiple times from within nslookup.

DNS Interfaces
 Multi-homed DNS servers can be configured to respond on all interfaces or just
specific IP addresses.
 This allows DNS to ignore requests sent to network adapters not listed,
responses will not be sent.
 Commonly used when a DNS server is part of two networks but should be
authoritative for name resolution on one of the networks.
 For security, be sure to verify that only appropriate interfaces on the DNS servers
are responding to DNS clients. E.g. A clustered DNS server would typically not be
configured to respond to name queries on the intra-cluster interface.

7 December 2021 14:08 56 of 207

38676182.doc

Advanced DNS Server Properties

 Disable Recursion - cleared
o Full name resolution supported
o Disables Forwarding option
 BIND Secondaries - checked
o Selection causes slow transfers
o BIND versions earlier than 4.9.4 do not support fast transfer, so this option
should remain enabled when transferring only to BIND 4.9.3 and earlier
 Enable Net Mask Ordering - checked
o Answers query with -host record in same subnet, if more than one host name
record is available
 Secure Cache Against Pollution - checked
o Prevents a hacker from polluting the cache of a DNS server with resource records
that were not requested
Disable Recursion -Recursion is used when the DNS server queries other servers on behalf of
the client and attempt to fully resolve the FQDN. The default setting is for the DNS server to
provide full name resolution. If Disable Recursion is selected, the server will not resolve the
query for the client, but sent back to it referrals to allow the client to perform iterative queries
instead. If this option is selected, the server will not use Forwarders either. The only situation in
which this option should be selected is on an internal Root server.
BIND Secondaries - The key issue here is so-called fast zone transfers. In a fast zone transfer,
multiple DNS records can be placed into a single data packet. For example, an AXFR of 1,500
records using the fast transfer format might only require 50 data packets. The slow transfer
format would require at least 1,500 data packets with considerable attendant overhead. The fast
transfer format is always used between Microsoft DNS servers. Since this option is selected by
default, the Microsoft DNS server will perform a slow zone transfer to BIND servers. If the
version of BIND is 4.9.3 or earlier, leave this option checked to preserve the slow transfer
format. "ON is slow, OFF is fast."
Net Mask Ordering - Allows DNS to respond to a query for a host name which has multiple
records in DNS. DNS determines the host record that is in the same subnet as the client
requesting and that address is returned to the client. This should localize traffic so that clients
are directed to nearby servers. This supersedes Round Robin when configured. Round Robin
will be utilized if more than one server is in the same subnet.
Secure cache against pollution - By default, the DNS is secured from cache pollution that occurs
when DNS query responses contain nonauthoritative or malicious data. The Secure cache
against pollution option prevents a hacker from polluting the cache of a DNS server with
resource records that were not requested. Changing this default setting will increase the chances
that incorrect query results will be returned to the client.

7 December 2021 14:08 57 of 207

38676182.doc

Enable automatic scavenging of stale records - this setting is useful in networks of portable
computers which tend to get disconnected from the network without releasing their A and PTR
records. Enabling this setting in the server properties allows the DNS administrators to
configure individual zones for scavenging. By default, DNS zones are NOT enabled for
scavenging so this must be set by the administrators for each desired zone once the server has
been enabled for scavenging. When the DNS server scavenges a zone, it deletes records from
the zone file based on a somewhat complex sequence. To quote the Microsoft article: "It should
only be enabled when all parameters are fully understood. Otherwise, the server could be
accidentally configured to delete records that should not be deleted." Proceed with caution.
"Understanding aging and scavenging" Microsoft Windows Server 2003 TechCenter, January 21,
2005

7 December 2021 14:08 58 of 207

38676182.doc

Test the DNS Server service

 Simple Test
o Performs iterative test to local database
o Uses DNS resolver
o Tests A record of the server
 Recursive Test
o Performs recursive test to root, "."
o Will fail if not connected to a Root name server not present
o Will pass if the server tested is a root name server
o Will fail if Cache.dns file corrupt or missing
o Repair by replacing with Cache.dns from the samples folder and connecting to
the Internet

7 December 2021 14:08 59 of 207

38676182.doc

Manage and Monitor DNS

 Utilities
o IPCONFIG
o NSLookup
o PING
o DNSCmd
 /zoneexport
 /enumzones
 System Monitor DNS counters:
o Dynamic Updates Received/see
o Total Query Received/see
o IXFR Success/Request Received
o AXFR Success/Request Received
 Event Logging
o Logs errors, warnings, & other DNS events
Several tools are available to manage and monitor DHCP. They included command-line
utilities, System Monitor, Debug logging and Event logging.
IPConfig is a tool that can be used to display the resolver cache on a local machine, delete the
resolver cache and register the system with the DNS server. The parameters needed are:
IPConfig /displaydns, IPConfig /flushdns and IPConfig /registerdns. Be familiar with these
three and what they can do. Another one that can be included would be IPConfig /all, which
shows all of the configuration information for the interfaces. This will provide an easy way to
confirm the DNS addresses that are being used and the DNS suffix for the system.
NSLookup is used to verify resource records have been configured in DNS correctly. There are
two modes: noninteractive and interactive. Interactive mode is used when several queries need
to be checked. To enter NSLookup Interactive mode, type Nslookup at the command prompt. A
> prompt will be displayed. Noninteractive mode is only one query. To use noninteractive
mode, type Nslookup and the IP address or name you want to check. It will generate a response
and the return to the normal command prompt. NSLOOKUP used to query for records in a
zone requires the system performing the NSLOOKUP be allowed to perform a zone transfer.
Many different switches are available with NSLookup. To view them, type NSLookup /? at the
command prompt. In order for NSLookup to function properly, a Reverse Lookup zone with
the appropriate PTR records is required.
System Monitor has additional counters added when DNS is installed. The counters are for the
DNS object and include the following:
 AXFR Requests Received - number of full zone transfers requests received by the
Master server
 AXFR Requests Sent - number of full zone transfers requests sent by a secondary
server .Caching Memory - total cache memory being used by DNS
 Dynamic Update Received - number of dynamic update requests received
 Dynamic Updates Rejected - number of dynamic updates rejected

7 December 2021 14:08 60 of 207

38676182.doc

 IXFR Request Received - number of incremental zone transfer requests received

by Master server
 Recursive Queries/sec - average number of recursive queries received in one
second
 Secure Update Failure - number of secure updates that failed
 Total Query received - total of all queries received
 Zone Transfer failure - number of failed one transfer of the Master server
DNSLint is not installed by default. The Support Tools from the Windows Server 2003 CD must
be installed before this utility is available. "DNSLint is a Microsoft Windows utility that helps
you to diagnose common DNS name resolution issues." It also can be helpful for
troubleshooting replication problems. KB321045
DNSCmd is a command-line utility that also requires the Support Tools to be installed before it
is available. The DNSCmd can do anything that can be done within the DNS console. Because it
is text being executed at a command line, it can be scripted and then executed at a later time.
There are a lot of different commands that can be viewed at the command prompt by typing
dnscmd /? Some of the more frequently used that you want to be familiar with are listed below.
 /enumzones - lists all the zones on the DNS server
 /zoneinfo - displays zone information
 /zoneprint - displays all records in the zone
 /enumdirectorypartitions - lists all directory partitions
 /directorypartitioninfo - displays information regarding the directory partitions
 /zoneexport - allows administrator to push a zone's records to a file
When DNS is installed, another Event log is created called DNS Server. Make sure to check for
errors and warnings regarding the DNS Server service. The type of Events to log can be selected
in the Event Logging tab in the Properties of the DNS server. These same events can be viewed
within the DNS console. There is a folder for Event Viewer and when expanded the DNS Events
log is displayed. Within Event Viewer it is called DNS Server, but both areas display the same
events.
Changes in Windows Server 2003 DHCP Logging (KB328891)
Description of the DNSLint Utility (KB321045)
How To: Use DNSLint to Troubleshoot Active Directory Replication Issues (KB321 046)

DNS Debug Logging

In the Properties of the DNS server there is a tab for Debug Logging. In this tab logging can be
enabled for debugging and the specific types of packets and information to log is configured.
Debug Log in allows for monitoring of all types of DNS traffic sent to and from a DNS server
from client to DNS or from DNS to DNS. Logging this type of information is very resource
intensive and should only be done when there is a problem and this type of information may be
helpful. The file path can be designated at the bottom of the window or if DNS is being run
locally, the default path is Windows\System32\dns\dns.log.

7 December 2021 14:08 61 of 207

38676182.doc

To view either the default log or the log file designated in the configuration window, the DNS
service must be stopped. This can be accomplished in the DNS console by select the DNS server,
access the shortcut menu, and click All Tasks and Stop. Open WordPad and browse for the log
file. After closing the file, make sure to restart DNS.

7 December 2021 14:08 62 of 207

38676182.doc

Group Policies and DNS

 Settings include all settings configured on individual interface
o Primary DNS Suffix - configure automatically
o DNS Suffix Search List - provide the listing of DNS suffixes to use when using a
host name instead of an FQDN
o Register PTR records
o Connection-specific DNS suffix
Windows Server 2003 provides Group Policy configuration options for DNS. They are found
under Computer Configuration> Administrative Templates> Network> DNS Client. The
settings that can be configured are primarily all of the settings that can be set on the local client.
By applying them through a Group Policy, it is possible to configure all or a group of computers
at the same time.
Since these are Administrative Templates, the description of each element can be viewed in the
policy element on the Explain tab. Any settings that are configured as a Group Policy will
overwrite any settings that have been set locally or through DHCP.

7 December 2021 14:08 63 of 207

38676182.doc

Securing DNS
Securing the resources in the DNS server is a key factor in network security. Several items that
can help in that endeavor are listed.
Place a DNS server on the external and internal networks: The internal DNS server provides
name resolution for the internal network and then forwards any queries it cannot resolve to the
external DNS server. The external DNS server is the server the public uses to access resources
that have been made available to the public, such as public web servers. There is no forwarding
from the external to internal DNS server.
Limit DNS Interface Access: For a multi-homed system, identify the interface desired to receive
DNS requests and specify on the Interface tab in the Properties of the DNS server. The default
setting is All addresses. Remove any of the addresses that should not be accessing the DNS
server.
Secure Zone Transfers: The most secure method to replicate zone information is using Active
Directory Integrated zones. If that is not an option for the environment, select to transfer only to
specific IP addresses as the most secure alternative. Avoid allowing zone transfers "To all
servers" as this is the least secure option.
Secure cache against pollution: This is enabled by default on the Advanced tab in the Properties
of the DNS server. It prevents referrals entering the cache. It caches only records that match the
domain name from the original request. Any records that refer to a record outside of the
requested name will be dropped.
Use Secure Dynamic Updates: By storing the DNS database in Active Directory it can be
secured by applying an ACL to the records. This prevents anyone but the owner of the record
from modifying the information. Also, no one can add a record that does not have permission to
do so.

DNS Naming Considerations

 Internal AD DNS vs. External Internet DNS
 Determine Internal and External Naming Strategies
 • Delegated sub from the registered domain name (NEW PREFIX)
 Same DNS name for internal and external
 Different DNS name for internal and external (NEW SUFFIX)
Note: If an organization were to use two separate zones of authority that shared the same name,
one inside the firewalls and the other outside, clients on the internal network by default would
be unable to reach resources such as ftp or mail servers on the external network. In such a case,
it would be necessary to manually add records with the names and external IP addresses of
those external resources to the internal zone.

7 December 2021 14:08 64 of 207

38676182.doc

Enhancements to DNS in 2008

 GlobalNames Zone allows use of single-label names throughout an organization
 Background zone loading speeds up the process of loading zones and allows
DNS Servers to operate more efficiently
 IPv6 support - AAAA record

GlobalNames Zone
Allows DNS clients to connect to specific resources by a single-label name, such as Server 1.
Does not exist by default, but by deploying a zone with this name you can provide access to
resources by using a single label name without needed WINS. This functionality is only
supported on DNS servers running Server 2008, and cannot replicate to servers running earlier
versions. There are three basic steps to enabling this feature:
1. Enable the GlobalNames Zone support. On each server to which the GlobalNames zone will
be replicated run the following command:
Dnscmd /config /enableglobalnamessupport
2. Create the GlobalNames zone. This is not a special zone type. Instead it is an Active Directory
Integrated forward lookup zone that is named "GlobaINames". Make sure this is replicated to
all DNS servers in the forest
3. Populate the GlobalNames zone. For each server that you want to be able to provide single-
label name resolution for, create an alias (CNAME) record in the GlobalNames zone. The name
you give each record represents the single-label name that users will use to connect to the
resource. Note that each CNAME record points to a host record in another zone.

Background Zone Loading

The DNS Server service in Windows Server 2008 makes data retrieval faster by implementing
background zone loading. In the past, enterprises with zones containing large numbers of
records in Active Directory experienced delays of up to an hour or more when the DNS Server
service in Windows Server 2003 tried to retrieve the DNS data from Active Directory on restart.
During these delays, the DNS server was unavailable to service DNS client requests for any of
its hosted zones.
To address this issue, the DNS Server service in Windows Server 2008 retrieves zone data from
Active Directory in the background after it starts so that it can respond to requests for data from
other zones. When the service starts, it creates one or more threads of execution to load the
zones that are stored in Active Directory. Because there are separate threads for loading Active
Directory-based zones, the DNS Server service can respond to queries while zone loading is in
progress. If a DNS client requests data in a zone that has already been loaded, the DNS server
responds appropriately. If the request is for data in a zone that has not yet been entirely
retrieved, the DNS server retrieves the specific data from Active Directory instead.

7 December 2021 14:08 65 of 207

38676182.doc

This ability to retrieve specific data from Active Directory during zone loading provides an
additional advantage over storing zone information in files-namely that the DNS Server service
has the ability to respond to requests immediately. When the zone is stored in files, the service
must sequentially read through the file until the data is found.

Enhanced Support for IPv6

Forward name resolution for IPv6 addresses uses the IPv6 Host DNS record, known as the
AAAA record (pronounced "quad-A"). For reverse name resolution, IPv6 uses the IP6.ARPA
domain, and each hexadecimal digit in the 32-digit IPv6 address becomes a separate level in the
reverse domain hierarchy in inverse order. For example, the reverse lookup domain name for
the address FD91:2ADD:715A:2111:DD48:AB34:D07C:3914 is
4.1.9.3.C.7.0.DA.3.B.A.8A.D.D.l.l.l.2.A.5.1. 7.D.D.A.2.1.9.D.F.IP6.ARP A.
The DNS Server service in Windows Server 2003 supports forward and reverse name resolution
for IPv6; however, the support is not fully integrated. For example, to create an IPv6 address
record (the AAAA record we just discussed) in the Windows Server 2003 DNS Manager snap-
in, you must right-click the zone, click Other New Records, and then double-click IPv6 Host
(AAAA) as the resource record type. To add a AAAA record in the DNS Manager snap-in for
Windows Server 2008, right-click the zone name, and then click New Host (A or AAAA). In the
New Host dialog box, you can type an IPv4 or IPv6 address.

7 December 2021 14:08 66 of 207

38676182.doc

WINS Integration with DNS

 WINS can be integrated with DNS by enabling the WINS forward lookup option
on the WINS tab of the zone properties. Enabling this option creates a new WINS
Lookup record in the DNS database.
 This record should not be replicated to UNIX servers.
 If a GlobalNames Zone is not an option, single-names resolution can still be
handled in Windows
Using the WINS Lookup feature allows the DNS Server service to search the WINS database for
names not found in the DNS database. Enabling this option creates a WINS resource record
(RR) in the forward lookup zone and reverse lookup zone if one exists. DNS servers that do not
find a Host (A) record for a name forward the request to the WINS server configured in the
WINS RR.
This feature is only supported on DNS servers running Windows (including Windows NT and
2000). In heterogeneous DNS environments (e.g. Microsoft and UNIX/LINUX) the “Do not
replicate this record" option should be enabled to prevent transferring the record to a DNS
server that does not support WINS integration.

7 December 2021 14:08 67 of 207

38676182.doc

Troubleshooting DNS Issues

Problem: Incorrect query results
 Outdated zone info on secondary DNS
o Decrease refresh interval on the SOA
o Add secondary servers on the Notify list
o Configure Slave servers with additional Masters
 Hosts file can be incorrect
o Update file and save
o Updates resolve cache automatically
 Client can have negative entry in resolver cache
 Update DNS Server
o Run IPCONFIG /flushdns on client
o Submit a query with the FQDN and trailing dot
o Clear the DNS Server's cache (Action> Clear cache)
o Enable scavenging for the server and zones on it
Problem: Secure DNS replication across Public network
 Use AD integrated zones (data is encrypted by secure RPC session)
 Create standard secondaries at the branch locations
 Only include these DNS servers on the notify list Problem: Minimize DNS
replication over WAN link Solution(s):
 Create Active Directory -integrated zones (attribute level replication)
 Create caching-only servers in remote locations
 Verify DNS supports IXFR (e.g. BIND 8.2 and Windows 2000)
Problem: Too much zone transfer traffic
 AD-integrated - replication part of File Replication Service
 Increase refresh interval on the SOA
 Ensure all DNS servers support IXFR (BIND8.2, Windows 2000/03/08)
Problem: Client shows up in AD, but not DNS
 Configure Primary DNS zone to support Dynamic updates
 Configure AD Integrated zone to support Dynamic updates
 Run IPCONFIG /REGISTERDNS command on client
 Run net stop netlogon && net start netlogon on DCs
Problem: Too much network traffic due to name resolution
 Deploy multiple DNS servers
 Ensure client systems point to the nearest DNS server
 Increase TTL for longer caching

7 December 2021 14:08 68 of 207

38676182.doc

Incorrect query results

If clients are receiving incorrect results from a secondary server, it is most likely that the DNS
server has stale records that need to be updated. In this case, there are a couple of options that
can help eliminate this problem in the future. Of course the obvious option is to go to the
secondary server and manually update the zone information from the primary or AD integrated
DNS server.
For a more permanent solution, additional master servers can be configured for the secondary
servers. This will allow the secondary to contact one of many master servers to obtain the
correct information.
Another option is to decrease the refresh interval on the SOA. This will force the secondary
DNS servers to more frequently communicate with the Master to see if there are changes.
Another option that will help with this issue is to create a Notify list of secondary servers that
need to be updated when a change occurs on the master DNS server. The changes that occur on
the master will initiate a message to the secondary servers indicating that they need to get the
new information.
When an FQDN cannot be resolved, the client will append suffixes to it and keep trying. This is
normal handling of a relative FQDN query. An absolute FQDN includes the trailing dot. The
client and servers will not append suffixes to an FQDN which includes a trailing dot and the
query will be sent directly to the Root name servers as an absolute name cannot be resolved
from cache entries.
Portable computers can end up leaving stale records if they are disconnected from the network
without shutting down. A DNS administrator can enable scavenging in the properties of the
server. The DNS administrator would then need to enable scavenging in the properties of each
relevant DNS zone. Scavenging has no effect on DNS records that have been entered by hand,
only the records registered by computers. When a client registers a record, it includes a
timestamp which would later be used for scavenging.

Too much zone transfer traffic

This is almost the opposite issue from the first. There are some differences though. First, a
solution for this problem is to configure AD-integrated servers instead of using primary and
secondary servers. The reason this is beneficial is that the AD information will be obtained via
the AD database, which is replicated automatically and only changed attributes are replicated.
Another option to decrease the traffic is to increase the refresh interval on the SOA. This will
have the opposite effect from the first case, in that this will reduce the times the secondary
servers attempt to contact the primary DNS servers.

7 December 2021 14:08 69 of 207

38676182.doc

Single vs. Multi-Master Replication

The Windows NT 4.0 domain environment provided authentication and resource management
to the configuration of account domains and resource domains. These domains were built using
a single-master structure that began with ~ primary domain controller (PDC) and was
accompanied by one or more backup domain controllers (BDC)
Beginning with Windows 2000, 2003 and now with Windows Server 2008 the existence of the
PDC and BDC architecture is no longer necessary. Authentication and resource management
now uses a multimaster Domain controller methodology. Each individual domain controller is
permitted to make updates to The Active Directory database. With Windows Server 2008, it is
now possible to have Read Only Domain Controllers for situations in which writable domain
controllers are not appropriate, typically branch offices.
In a Windows Server 2008 Active Directory Domain, all domain controllers are equal. They all
share the same Active Directory information through AD Replication. The domain controllers in
a Windows 2003 domain are also equals and share their data through AD replication. Windows
NT had a single-master structure. There was one Primary Domain Controller (PDC) that held
the writable copy of the SAM database (Security Account Manager). All other domain
controllers were Backup Domain Controllers (BDC) and had a read-only copy of the SAM.
Anytime data was written to SAM, it was written to the PDC database.

7 December 2021 14:08 70 of 207

38676182.doc

Single Master Operations

There are some operations in the Windows Server 2008 network that are held by only one
Domain Controller. The function of the role determines the placement of the domain controller.
There are five roles, 2 pertain to the forest, the other three deal with the domain. The two roles
that work with the forest are Schema Master role and Domain Naming Master role. There are
only of each of these per forest. The three domain roles are PDC emulator, Infrastructure Master
and RID Master. There is one of each per domain.
 Domain Naming Master
 One per forest
 Maintains domain list and ensure unique domain names
 RID Master
 One per domain
 Generates SID and distributes to domain controllers
 Infrastructure Master
 One per domain
 Tracks moved objects
 Should not be collocated with GC unless the forest has only a single domain or
multi-domain where all DCs are also GCs.
 PDC Emulator
 One per domain
 Synchronizes domains in mixed mode, responsible for password changes,
 synchronizes time
 Place in a location with the greatest number of down-level clients
 Schema Master
 One per forest
 Controls Schema
The FSMO roles must be operational in the forest/domain in order for the network to function
properly. Some of the roles can be down for a brief period of time without impacting the
network. A way to memorize the roles is DRIPS.
Domain Naming Master - There is only one per forest and it is in charge of the domain names.
It is in the forest root on the first domain controller in the forest. It maintains the list of domain
names, makes sure all new domains have a unique name and must be available when domains
are removed from the forest. In the process of installing Active Directory to become a new
domain, the domain Naming Master is checked to verify the domain name.
RID Master - A SID is a combination of the domain number and RID (relative identifier) that is
assigned to all security objects in a domain. RID Master is a domain role and there is one per
domain. The RID Master is in charge of distributing the RIDs to the other domain controllers in
the domain. Since each DC can create objects, they all must have RIDs available. If no RID, no
object. RIDs are distributed in groups of 500. When a DC gets down to 200 in cache, it will query
the RID Master for more. If the RID Master is going to be down, the role must be transferred to
another DC or object creation will eventually fail.

7 December 2021 14:08 71 of 207

38676182.doc

Infrastructure Master - The Infrastructure Master is in charge of tracking objects and their
movement between domains. It keeps track as objects are moved and is responsible to update
any associations. When an object moves, it maintains its GUID but the SID will change to reflect
the new domain. The Infrastructure Master must not be on the same DC as a Global Catalog if
there is more than one domain in the forest. Since the Global Catalog records object movement,
the Infrastructure Master does not know how to function with a GC so it will do nothing. In that
case, the associations will not be updated properly and objects can't be located properly by the
DCs in the misconfigured domain.
PDC Emulator - The PDC Emulator is a domain role and there is only one per domain. It is
responsible for several different things. If in Domain Functional Level 2000 and there are BDCs
in the domain, it will be the 'go between' for Active Directory and the NT BDC. It will
coordinate replication of system policies, scripts and other information to the NT BDC. Place the
PDC Emulator in the site where the largest number of NT clients are located.
In both NT and 2008, it is responsible for password changes. If a password is changed; it knows
it second. The DC first contacted during a password change records the change locally then
replicates it to the PDC Emulator. When a user logs on right after a password has been changed,
there may be a delay if replication has not occurred informing all the other DCs of the password
change. All DCs will check with the PDC Emulator before generating a negative password
message for a logon request.
It is also the time keeper. Many of the features of Active Directory are dependent on time. Time
synchronization problems are most significant for Kerberos which requires timestamps to be
within five minutes of each other at times. All times in Windows 2X are maintained relative to
GMT. This means a replica domain controller in the Pacific Time Zone will be fine replicating
AD contents with a DC in the ***Eastern Time Zone as long as their clocks display a time
difference of three hours. All Windows 2X systems in a domain synchronize their clock with the
PDC Emulator. If a DC has the wrong time zone or time, it will have difficulties with replication
and will not be able to uninstall Active Directory. A time synchronization error will be
generated and the process will fail.
Schema Master - This is a forest-wide role and there is only one in the forest. It is held by the
first domain controller in the forest and can be relocated to any DC in the forest root only. It is
responsible for all changes to the Schema. The Schema Master holds the only writable copy of
the schema partition

7 December 2021 14:08 72 of 207

38676182.doc

Moving FSMO roles

 Transfer Role
 Planned maintenance
 Know server is going to be shutdown
 AD Users & Computer for domain roles
 AD Domains & Trusts - Domain Naming Master
 AD Schema snap-in - Schema Master
 Seize Role
 Catastrophic shutdown
 Not planned / no warning
 Use NTDSUTIL
 Reformat server before bringing back
 Domain Naming Master
 Schema Master
 RID Master
The FSMO roles must be available in the forest/domain as much as possible. When a role is not
going to be available or becomes unavailable unexpectedly, the roles can be transferred or
seized.

Transfer Role when maintenance is planned or it is known in advance that the server will be
unavailable. By transferring the role, it ensures the role will be available without any
interruption. To transfer the three domains roles, go to AD Users & Computers, either on the
DC that the role is being transferred or connect to the server remotely by right-clicking the
domain name and selecting Connect to Domain Controller. The Domain Controllers in the
domain will be displayed, select the one that will be receiving the role and connect to it. Once
connected, right-click the domain again and select Operation Masters. The window will have 3
tabs, one for each domain role. It will display the current DC assigned the role and the DC that
you are connected to will be displayed in the bottom area. Select the Change button to transfer
the role.
The same process is used to transfer the Domain naming master in AD Domains & Trusts and
the Schema Master in the Schema snap-in. Make sure that you are connected to the DC that will
be obtaining the role. If the Schema snap-in is not available in the MMC console, from a cmd
prompt, run regsvr32 schmmgmt.dll to register the schema snap-in.

7 December 2021 14:08 73 of 207

38676182.doc

Seize Role when the server has catastrophically failed or has gone down without having any
roles transferred. Some of the roles may not be missed right away, but if the server is down for a
longer time, it can cause a major impact in the environment. The Schema Master and Domain
Naming Master role servers would not be a major impact unless domains were planned to be
added, removed or schema changes were planned. In order to seize the role, the NTSDSUTIL
must be used from a command prompt. Seizing a role should not be done unless it is absolutely
necessary. Normally, the only role that will cause a major impact is the PDC emulator. It is
normally best to allow time to recover the server, but if you must bring them back up as quickly
as possible, then you will have to seize the role.
The steps to seizing the role are:
 From a command prompt type: NTDSUtil
 At the NTDSUtil command prompt, type roles
 At the fsmo maintenance command prompt, type connections
 At the server connections command prompt, type connect to server servername
At the server connections command prompt, type quit
 At the fsmo maintenance command prompt, type seize name of fsmo role

Recover Roles
The best thing is to not seize the role and just bring the server backup when repaired. If the role
has been seized, care must be taken on handling of the servers that had the original roles. For
the Infrastructure Master and PDC Emulator roles, the servers can be brought back on line and
the role transferred back to the DC.
When dealing with the Domain Naming Master, Schema Master and RID Master roles, they
cannot be brought back online as they are. They should be taken off the network and
reformatted, then perform a fresh install. If the AD database and log files are on other volumes,
they will not impact the network but the operating system must be totally blown away and
reinstalled. If they would be put back online in there previous state, they would forcibly take
back the role and there would then be two of each server in the forest/domain. This could have
catastrophic results in the network.

7 December 2021 14:08 74 of 207

38676182.doc

Directory Partitions
Active Directory contains a lot of different information regarding its own directory and the
forest. This information is contained and replicated by very specific partitions. Active Directory
contains 4 partitions:
 Schema Partition – Schema information replicated to all DCs in the forest.
 contains a copy of Active Directory Schema for a forest
 Configuration Partition – Forest, tree, and site configurations replicated to all
DCs in the forest.
 contains information about Active Directory sites and services
 Domain Partition – Domain data replicated by FRS to all DCs of the same
domain.
 contains all objects associated with a particular domain
 Application Directory Partition – Data from applications, files/folders replicated
to participating DCs.
 Stores data related to Active Directory-integrated applications and services.
Replicates to specified domain controllers in the domain/forest. Only Windows Server
2003/2008 Domain Controllers can have Application Directory partitions.

Application Directory Partitions

Application Directory Partitions are used to replicate information to specific Windows Server
2008 domain controllers. Without using Application Directory Partitions, any information that
is being replicated through Active Directory is being replicated to all domain controllers,
whether they actually use it or not. By using Application Directory Partitions, it cuts down the
network traffic by only replicating to the domain controllers specified while still allowing
applications requiring LDAP to use it. Any type of objects, files/folders, can be in the
Application Directory Partitions except Security Principals (users, groups, and computers).
Application Directory Partitions are replicated through the domain partition to all domain
controllers.
To create Application Directory Partitions, use NTSDUTIL. Some applications create their own
directory or have their own utilities to create them. Below find the steps on how to create an
Application Directory Partitions through NTDSUTIL.
Creating or Deleting an Application Directory Partition
1. From the Command Prompt, type NTDSUtil
2. At the NTDSUtil, type management
3. At the domain management prompt, type the appropriate command based on the task you
would like to complete.
* To create a partition - create nc application-directory partition DomainController where the
application-directory application is the distinguished name of the partition and the
DomainController is the DNS name of the domain controller

7 December 2021 14:08 75 of 207

38676182.doc

* To delete partition - delete nc application-directory-partition, where application-directory-

partition is the distinguished name of the partition
4. To create/remove a replica of an Application Directory partition, use the same commands as
above but use add instead of create / remove instead of delete
When removing AD or deleting a partition, all data in the replica will be lost. If the last DC,
move the partition or everything will be lost.

7 December 2021 14:08 76 of 207

38676182.doc

The Global Catalog

Though not actually considered one of the Directory Partitions, the Global Catalog is a subset of
all attributes of all objects in Active Directory forest. Replicates to all domain controllers
configured as Global Catalog servers in the same forest.
Data stored in the Application Directory Partition is not replicated to the Global Catalog.
However, a domain controller which is a Global Catalog Server can have an Application
Directory Partition.
A configurable partial replica set of every object in the forest based upon the attributes most
frequently used in Active Directory searches.
One Global Catalog is created by default for the entire forest on the first DC of the forest (all
domain directory partitions are included.)
At least 2 to GCs should be created to provide fault tolerance
Additional GCs can be configured for performance improvements
A GC is enabled through AD Sites & Services> Site Name> Server Name >NTDS Settings>
Properties
Logons require the DC query a GC to determine universal group memberships. If universal
groups are not used it is possible to edit the registry to disable the GC requirement for
authentication:
HKEY _LOCAL_MACH INE\System\CurrentControISet\Control\Lsa\lgnoreGCFailures
By default, only one Global Catalog is created and it is located on the first domain controller in
the Forest Root. To provide fault-tolerance and load balancing, it is recommended to always
have at least two global catalogs. If more than one site is in the network, it is best practice to
have a Global Catalog in each site.
For domains of all domain functional levels, the GC is used for forest-wide LDAP queries. Any
object in the forest can be found. For domains of functional level Windows 2000 Native,
Windows Server 2003, or Windows Server 2008, Universal Security Group SIDs must be
retrieved during logon. These SIDs can be retrieved from a Global Catalog server or a Windows
Server 2008 DC that is caching Universal Group memberships. The Global Catalog in Windows
2003/2008 does not replicate the entire catalog every time a schema change is made, unlike
Windows 2000. The Global Catalog DCs assist other domain controllers in authenticating logon
requests using the User Principal Name (UPN). If there are remote sites, having a Global
Catalog in the site will allow the authentication process to be expedited.

7 December 2021 14:08 77 of 207

38676182.doc

There are several factors that should be considered when determining what sites should have a
replica of the Global Catalog. If a site has more than 100 users, it would be best to have a Global
Catalog in the site. If there are less than 100, Universal Group Membership Caching will
facilitate the authentication needs. If Directory-aware applications, such as Exchange
200012003/2007, are being used in a site, a Global Catalog in the site is required. The application
queries the Global Catalog port of 3268.
Another consideration is the roaming users in the network. The transitive nature of the user's
and the functionality of being able to login from anywhere in the forest, cause a greater need for
the Global Catalog in each site. When a roaming user logs on from another domain, the request
queries the Global Catalog to locate the user accounts domain and directs the authentication
process to that domain. By having the Global Catalog in the site, it makes the authentication
process happen a lot faster.
WAN link availability is the last item to consider. If the WAN link is available 100% of the time
for Active Directory traffic, one Global Catalog between two sites is possible. If there is a
concern over WAN connectivity and it is not reliable, having a Global Catalog in each site
ensure that authentication will happen, even if the WAN link is down.
The Global Catalog is configured in Active Directory Sites and Services in the NTDS Settings of
the server.
Additional GCs should be enabled based upon:
 Number of users in the site ( >100)
 Existence of an AD-aware application that reads the global catalog .
 WAN link availability

Universal Group Membership Caching

Enabling UGMC for a site without a GC improves logon performance without adding the
overhead of GC replication across the wide area network (WAN) links.

7 December 2021 14:08 78 of 207

38676182.doc

Managing UPN Suffixes

 Protects domain name Cross-forest authentication
 Align with existing email account for easier user access
 Create in AD Domains and Trusts
 Stored in GC Select for User in user's account Logon window
 Use UPN & password only
 The UPN suffixes are created in Active Directory Domains and Trusts.
User Principal Name (UPN) suffixes are used for several reasons. It provides a method of using
alternative logons in order to protect the domain name space. Instead of using the domain name
to login, the user provides the UPN suffix that has been configured for their user account.
Multiple UPN suffixes can be created and are available throughout the forest.
When authenticating across a forest trust, the UPN suffix is used to identify the user. The Global
Catalog is contacted to resolve the user logon. The UPN suffix, the username and the domain it
is a member of is identified and the authentication is sent to an appropriate domain controller.
UPNs can also be used for cross-domain authentication in the same forest. The UPN
authentication passes across a transitive trust and which uses Kerberos across the trust.
When authenticating across an External Trust, only the Pre-Windows 2000 logon name can be
used. The trust is not transitive and so it uses NTLMv2 to pass the authentication.
Using a UPN suffix also allows the user to use their email address as their logon name, even if
the suffix portion is different than the domain name. It makes it user friendly but also provides
a way to protect the domain name by using a different suffix than the domain name for the
email accounts.

Creating and Managing UPNs

The UPNs are created in Active Director Domains and Trusts. Select Active Director Domains
and Trusts at the top left and right-click and select Properties. Add the UPN suffixes desired. In
the User account, select the Account tab and use the drop-down menu to select the UPN suffix
to use with the user's logon name. When using the UPN for logging in, the usemame will be
followed by the @ sign and then the UPN suffix. The user will only be required to provide the
UPN and password. The Log on to drop-down box is not available once the @ sign is keyed in
the usemame textbox.
A User Principal Name is used to simplify the login process and also provides a method of
securing the domain name by creating a UPN suffix different than the domain name.
When authenticating across a Forest Trust, UPN conflicts can occur. In the process of creating
the Forest Trust, the UPN suffixes available in each forest are checked and if there is a conflict
detected, the wizard will warn of the pending conflict.

7 December 2021 14:08 79 of 207

38676182.doc

Trust Types in Windows Server 2008

The trust is the administrative connection between domains that allows cross-domain
authentication to pass across those connections. When Active Directory domains are created in
a forest, several types of trusts are created automatically and others can be created manually. In
Windows NT, all trusts had to be manually created. Within Windows Server 20001200312008
forests, the trusts are automatically created and are transitive. Transitive means if Tom logs on
with a domain controller in training.fabrikam.com, then he can potentially access file shares in
research.fabrikam.com, elabs.corp, and dev.elabs.corp even though his domain does not have a
direct trust relationship with those domains.
The principal of the trust is that the Resource trusts the User. When depicting a trust, the arrow
always points from the resource to the user. Remember that the ArrowHEAD points to trustED.
"Ed" would be our user in this mnemonic. Another thing to remember is that the directions of
the arrows reflect their description as Incoming and Outgoing. Ed would see an Incoming trust,
the resource sees it as an Outgoing trust.

Tree-Root Trust
This trust is automatically created between the tree root domain and the forest root domain.
These trusts are two-way and transitive.

Parent-Child Trust
This trust is automatically created between the child and parent domains. These trusts are two-
way and transitive.

Shortcut Trust
Shortcut Trust is a one-way, transitive trust between: Two domains of the same forest
A Shortcut Trust speeds authentication and resource access between different domains in the
same forest. This trust is manually created between two domains in the same forest. These
trusts are one-way and transitive.

External trust
Manually created between AD domains in different forests or between Windows Server 2008
and a Windows NT 4.0 domain - one-way or two-way, no transitive

7 December 2021 14:08 80 of 207

38676182.doc

The external trust is one-way or two-way and is non-transitive. The external trust is created
between specific domains and those domains are the only ones that have the trust relationship.
External trusts are created between domains in different AD forests. If one forest is a Windows
2000 forest or an NT domain, it must connect via an external trust. Also, an External Trust must
be used between two Windows Server 2008 forests unless they are both functioning at least at
the Windows Server 2003 forest functional level.
Must be a member of the Enterprise Admins or have the appropriate delegated authority in
order to create an External trust. A trust is essentially a managed breach of the forest's security
boundary.
External Trusts are created between domains and is non-transitive. It permits access to
resources only. Permissions must be applied to the resource in order for access. For a manual
trust, the Resource Trusts the User (arrow points to the user). The External trusts are created by
the New Trust Wizard. The wizard detects if the domains are at the proper functional level and
will automatically default to an external trust. If both forests are in Forest Functional Level
Windows Server 2003, the option will be given to create an External trust or Forest trust.
Required for migrations with Active Directory Migration Tool (ADMT)

Forest trust
Manually created between forest root domains in two separate forests – one-way or two-way,
transitive.
Forest trusts are created between the root domains of two separate forests. The forests must be
set to at least the Forest Functional Level of Windows Server 2003. It can be a one-way or two-
way trust. If it is a two-way trust, it allows both authentication and access to resources (as long
as permissions allow) in either forest. They are transitive between two forests only. If forestA
trusts forestB, and forestB trusts forestC, that doesn't mean that forestA trusts forestC. The trust
is only transitive between the two forests.
Some of the benefits of a Forest Trust include less external trusts are needed to share resources
across forests, UPN authentication can be used across the two forests, and administrators have
more flexibility because administrative efforts can be shared between the two trusting forests.
To create a Forest trust, the use must be a member of the Enterprise Admins or have delegated
authority in both forests.
Unless two forests are at the Windows Server 2003 forest functional level, they can only be
connected by External trusts. This means that if there was a two-domain forest connecting via
trusts with a three domain forest, and you wanted to add global groups from any domain to
local groups in any other domain, a total of 12 external trusts would have to be established.
Given the same scenario with the two forests at the Windows Server 2003 Forest Functional
Level, a single two-way forest trust could be configured between the forest root domains. This
is a huge advantage of Windows Server 2003 forests, especially if two companies using them
were merging.

7 December 2021 14:08 81 of 207

38676182.doc

Forest trusts are transitive and are created between forests that are in Forest Functional Level
Windows Server 2003 or 2008. The trust is created between the Forest Roots and is valid for only
those two forests. The forest trust can be used for cross-forest authentication using the UPN
suffix and the Global Catalog in each forest. During the creation of the Forest trust, UPN
suffixes are checked in both forests for duplication and a warning is given if duplicates exist. If
both forests use the same UPN suffix, the user trying to authenticate across the forest trust will
not be successful.
Access to resources is provided either as Forest-wide access or Selective access. With the
Selective trusts, users are granted access to specific servers only through the ACL of the server's
AD object.
Create the Forest trusts using the New Trust Wizard. Both the Incoming and Outgoing trusts
can be created at the same time. If the administrator has administrative rights in both forests,
both ends of the trust can be created at the same time. If not, the trust must be configured in
both forests.
When planning user access to resources across a forest trust, the Global group that the user
belongs to should be placed in a Universal group, which is then placed in the Domain Local
group where the resource is located. Since the Universal group is located in the Global Catalog
of the forest, the access across the forest is expedited. Global Catalog in both forests is queried
for access to resources and for authentication.

Realm trust
Manually created between non-Windows Kerberos and Windows Server 2003/2008 Active
Directory Domain - can be transitive or non-transitive, one-way or two-way
A reason to create a Realm trust would be to allow Active Directory users access to resources in
a UNIX environment without requiring them to authenticate separately. It could also be used to
provide access for those in the Unix Kerberos environment access to resources in a Windows
Server 2003/2008 AD domain.
Members of the Enterprise Admins group in the Windows Server 2008 domain can create a
Realm trust or someone who has the appropriate delegated privileges. The individual creating
the trust must also have the appropriate administrative privileges in the target Kerberos realm.
The trust can be transitive or non-transitive, one-way or two-way.
 External Trusts
 Non-transitive
 Access to resources only
 Domain-to-Domain
 Resource Trusts User
 Create using Trust Wizard in AD
 Domains and Trusts
 Forest Trusts
 Transitive within the two forests

7 December 2021 14:08 82 of 207

38676182.doc

 Authentication and access to resources

 Authentication uses UPN suffix
 Use Global/Universal/Domain Local groups for access to resources Must be
Forest Functional Level Windows Server 2003 to support Forest Trusts
 Create using Trust Wizard

7 December 2021 14:08 83 of 207

38676182.doc

Managing Trusts
Trusts are managed through Active Directory Domains and Trusts. To display the trusts that
are in place, access the Properties of the Root domain. On the Trusts tab, the trusts that are
currently in affect are displayed. The domain name, trust type and transitive state are listed.
The top pane shows domains that the domain trusts (outgoing) and the bottom pane shows
domains that trust this domain (incoming).
Incoming trust is created by the administrator in the domain where the users are located. It is
the trusted domain. The Outgoing trust is created on the domain where the resource is located
and is called the trusting domain. When a single administrator creates the complete trust, they
create both the Incoming and Outgoing trusts.
In order to create a manual trust, select the New Trust button at the bottom of the window. The
New Trust Wizard will be launched.
Windows Server 2003 added flexibility to trusts, offering "wide" and "selective" options. If two
companies needed to work on a project together, their domains could be joined using a selective
trust. This could limit access between the companies to only the shared resources needed for the
project. "
With a Forest trust, the choices are a little different. Since the trust is transitive for the entire
forest, the selection is forest-wide authentication and also selective authentication. With Forest-
wide authentication, the user can access any resource in the forest that they have appropriate
permissions. For the Selective authentication, the server must give Allowed to Authenticate
permissions in order for the user/group to access the server and then the level of access is
determined by the share and NTFS permissions.
Forest trusts between partner company's can be configured with different authentication
methods for better control of resource access.

Access Resources using External/Forest Trusts

A user connecting to a remote server to gain access to a resource must present its credentials to
the server in order to prove authentication. Once the credentials have bee~ verified, access to
the resource is then granted. This verification of credentials would generate an entry in the
server's Security Log: if someone had enabled" Audit logon events" for that server.
This is no difference accessing resources across a forest trust. When the forest trust is
configured, both incoming and outgoing trusts are configured (access authentication can be
configured differently for each) and the access authentication is selected. The level of access to
the resource is still dictated by the Share and NTFS permissions that have been placed on the
resource. The choices depend on the type of trust being configured.

7 December 2021 14:08 84 of 207

38676182.doc

An External trust has Domain-wide authentication and Selective authentication as choices. If

Domain-wide is selected, the users can have access to all resources in the domain that they have
permission to access. With Selective, the particular server that is going to be accessed must have
Allowed to Authenticate permission set for the user/group in order to gain access to the server.
Access to the resource is controlled with Share/NTFS permissions.

Selective-authentication
Servers must be manually configured with the Allowed to Authenticate permission for users in
trusted domain Permission is configured on the ACL of server in ADUC and for the specific
resource.

7 December 2021 14:08 85 of 207

38676182.doc

Read-Only Domain Controllers

For some environments, the most significant feature for AD DS in Windows Server 2008 is a
Read-Only Domain Controller (RQDC), which allows you to easily deploy a domain controller
that hosts a read-only replica of the domain database. This is well suited for locations where
physical security of the domain controller can't be guaranteed or where other applications must
run on the domain controller and be maintained by a server administrator (who, ideally, is not a
member of the Domain Admins Group). Both of these scenarios are common in branch office
deployments.
A read-only domain controller is installed by simply enabling one checkbox in the Installation
Wizard
Before the release of Windows Server 2008, if users had to authenticate with a domain controller
in a different location, the traffic would have to cross a wide-area network (W AN) link. WAN
links are often slower and more expensive than local area network (LAN) connections, and
sometimes are more susceptible to service disruption. One possible solution was to deploy a DC
into the remote site or branch office. However, this introduced other problems, including
replication traffic, and the need to maintain physical security over the DC in the branch office --
something that is all too often lacking in small and remote branch sites. In other cases, branch
offices have poor network bandwidth connected to a hub site, increasing the amount of time
required to log on.
With the exception of account passwords (unless specifically configured otherwise), an RODC
holds all Active Directory Domain Services objects and attributes that a writable domain
controller holds. However, locally originating changes cannot be made to the replica stored on
the RODC. Instead, changes are made on a writable domain controller and replicated back to
the RODC. This prevents changes made at branch locations from potentially polluting or
corrupting the forest via replication, thus eliminating one avenue of attack.
Local applications that request read access to the domain directory information can obtain
access directly from the RODC, while Lightweight Directory Access Protocol (LDAP)
applications that request write access receive an LDAP referral response. This referral response
directs them to a writable domain controller, normally in a hub site.
Because no changes are written directly to the RODC, no changes originate at the RODC.
Accordingly, writable domain controllers that are replication partners do not have to pull
changes from the RODC. This reduces the workload of bridgehead servers in the hub and the
effort required to monitor replication. RODC unidirectional replication applies to both AD DS
and Distributed File System (DFS) Replication. The RODC performs normal inbound replication
for AD DS and DFS Replication changes.

7 December 2021 14:08 86 of 207

38676182.doc

In the domain database, each security principal has a set of approximately 10 passwords or
secrets, called credentials. An RODC does not store user or computer credentials, except for its
own computer account and a special "krbtgt" account (the account that is used for Kerberos
authentication) for each RODC. The RODC is advertised as the Key Distribution Center (KDC)
for its site (usually the branch office). When the RODC signs or encrypts a ticket-granting ticket
(TGT) request, it uses a different krbtgt account and password than the KDC on a writable
domain controller.
The first time an account attempts to authenticate to an RODC, the RODC sends the request to a
writable domain controller at the hub site. If the authentication is successful, the RODC also
requests a copy of the appropriate credentials. The writable domain controller recognizes that
the request is coming from an RODC and consults the Password Replication Policy that's in
effect for that RODC.
The Password Replication Policy determines if the credentials are allowed to be replicated and
stored on the RODC. If so, a writable domain controller sends the credentials to the RODC, and
the RODC caches them. After the credentials are cached on the RODC, the next time that user
attempts to logon the request can be directly serviced by the RODC until the credentials change.
When a ticket is signed with the RODC's own krbtgt account, krbtgt, the RODC recognizes that
it has a cached copy of the credentials. If another DC has signed the TGT, the RODC will
forward requests to a writable domain controller.
By limiting credential caching only to users who have authenticated to the RODC, the potential
exposure of credentials by a compromise of the RODC is also limited.
By default, no user passwords will be cached on an RODC, but that's not necessarily the most
efficient scenario. Normally, only a few domain users need to have credentials cached on any
given RODC, compared with the total number of users in a domain. You can use the Password
Replication Policy to specify which groups of users can even be considered for caching. For
example, by limiting RODC caching to only users who are frequently at that branch office, or by
preventing the caching of high-value credentials, such as administrators, you can reduce the
potential exposure. Thus, in the event that the RODC is stolen or otherwise compromised, only
those credentials that have been cached need to be reset.

Password Replication on RODCs

When you initially deploy an RODC, YOU must configure the Password Replication Policy on
the writable domain controller that will be its replication partner.
The Password Replication Policy acts as an access control list (ACL). It determines if an RODC
should be permitted to cache a password. After the RODC receives an authenticated user or
computer logon request it refers to the Password Replication Policy to determine if the
password for the account should be cached. The same account can then perform subsequent
logons more efficiently.

7 December 2021 14:08 87 of 207

38676182.doc

The Password Replication Policy lists the accounts that are permitted to be cached, and accounts
that are explicitly denied from being cached. The list of user and computer accounts that are
permitted to be cached does not imply that the RODC has necessarily cached the passwords for
those accounts. An administrator can, for example, specify in advance any accounts that an
RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to
the hub site is offline.
Prerequisites for setting up an RODC
 The PDC Emulator of the domain must be Windows Server 2008
 Domain Functional Level must be Windows Server 2003
 Adprep /RODCprep must be run
 RODC must be able to replicate with a 2008 DC for initial sync

Significant Points for RODCs

An RODC still has a local Administrators group, independent of the one shared by the ordinary
DCs in the domain. A member of this group can fully administer only that RODC: very useful
for allowing installation of drivers, running Windows Update, etc without impacting the entire
domain.
Moving from RODC to writable DC requires reinstallation of Active Directory on that server

7 December 2021 14:08 88 of 207

38676182.doc

Managing and Maintaining an Active Directory

Infrastructure
 Delegation Strategy
o Plan OU structure to take advantage of Delegation
o Allows delegation to groups or users
o Use Delegation Authority Wizard or set special permissions on OU Create OUs
instead of domains and delegate
 Tasks to Delegate
o Select common tasks
o Customize your own
o Create delete and manage user accounts
o Reset user passwords and force password change at next logon
o Read all user information
o Create delete and manage groups
o Modify the membership of a group
o Manage Group Policy links
o Generate Resultant Set of Policy (Planning)
When designing the OU structure of Active Directory domain, the opportunity to use
Delegation must be considered. The ability to Delegate Authority provides a way to allow
specific users or groups to manage objects within an OU without giving them more permissions
than are required to complete the tasks. This is a good alternative to creating multiple domains
where the entire AD structure must be administered. By using Delegation, the user account
administration (Password/lockout) is handled in one location. The management tasks involved
with the individual objects can be passed to someone else who mayor may not be an
administrator.
To implement Delegation, right-click the OU and select Delegate Control. A wizard starts and
the users/groups that should be delegated authority are selected. Then next step is to select
what tasks should be delegated. There are common tasks that can be delegated, such as
Resetting passwords and creating/modifying user accounts. The tasks can also be customized.
To customize a delegation, select the AD objects the users/group will have authority over. Then
select the specific permissions for those objects. The permissions created by using the Delegate
Authority wizard can be viewed in the Security tab of the OU in the Advanced area. The
permissions are listed under Special Permissions. If the users/group that has been Delegated
Authority needs to be removed from the delegation, select the users/group name in the ACL of
the OU and remove them.
It is also possible to Delegate Authority manually by adding the users/group to the ACL in the
Security tab of the OU. Then go to Special Permissions in the Advanced area and manually set.
Using the wizard is a much better way to make sure the permissions required for the tasks
desired to delegate are correctly configured.

7 December 2021 14:08 89 of 207

38676182.doc

If implementing Delegation in the network environment, the security groups that are created
can be designed to accommodate the delegation plan. For example: create a group for IT staff
that will be assigned delegation tasks and delegate to the group instead of individual users.
Another example is a Help Desk staff that will be allowed to reset passwords. Create a security
group for HelpDesk and place the appropriate users in the group. Delegate authority to the
specific OU where they can reset passwords.
Disable inheritance of permissions for AD objects to prevent delegations from propagating.

7 December 2021 14:08 90 of 207

38676182.doc

Managing Schema Modifications

 Schema snap-in
o To register snap-in: “regsvr32 schmmgmt.dll” at run command
 Any changes to Schema makes a major impact on network
o Update cache copy on DCs by selecting Reload the Schema
 Modifying the Schema
o Schema Admin to make modifications
 Server with Schema Master role
 Cannot delete object classes or attributes
 Deactivate if no longer required or configured Incorrectly
 Some applications change the Schema as part of installation Exchange, ISA
Server, SQL
Schema snap-in must be registered in order to view through the Microsoft Management
Console. At the run command type regsvr32 schmmgmt.dll or install adminpak.msi to make
Schema snap-in available. Care must be taken before making any type of changes to the Schema
because it will impact the entire network. Until all of the Schema changes have been replicated,
the network is basically shutdown. To update the cached copies of the Schema on each domain
controller as soon as the changes are made, right-click the AD Schema node in the snap-in and
select Reload the Schema.
In order to make any modifications to the Schema, the user must be a member of the Schema
Admins group. This group has no members by default. All changes must be made on the
domain controller with the Schema Master role. Object classes and attributes cannot be deleted
but must be deactivated if they are no longer required or created in error. If errors, recreate the
object class or attribute as needed.
Some applications will make changes to the Schema as part of their installation. If the first part
of the application install fails, make sure the user doing the install is a member of the Schema
Admins group. Examples of applications that make Schema changes are Exchange 200012003
and ISA Server. Plan carefully when deploying these applications. If possible, deploy the
application in the beginning of the forest process so changes are made early and are replicated
correctly to domain controllers as they are added to the forest.

7 December 2021 14:08 91 of 207

38676182.doc

Replication
 Based on USN (update sequence number)
 Intra-Site
o Between DCs in same site
o Ring-based topology is maintained by KCC
o Uses Replication Partners
o Notify-Pull replication
 Inter-Site
o Managed by Site Links
o Use when replication needs to be scheduled
o Request-Pull replication
o Bridgehead servers receive replication at each site
Replication is used between domain controllers to update Active Directory information
throughout the domain and forest. The Schema and Configuration partition replicates to all
DCs in the forest. The Domain partition replicates to all DCs in the domain. The Application
Directory partition replicates to those DCs specific in the partition. The USN (update sequence
number) on objects is used to designate which objects have changed. When an object changes its
USN number will increase. When replication occurs the USN numbers are compared and the
higher USN is replicated. Two types of replication are used: Intra-Site (within the site) and
Inter-Site (between sites).

Intra-Site
The Intra-Site replication occurs between domain controllers in the same site. The replication is
a ring-based topology which provides a two-way replication. If one domain controller is not
available, the AD information is still replicated to all domain controllers. The replication
topology is established and maintained by the KCC (Knowledge Consistency Checker). It is
responsible to create the replication topology as well as reconfigure it when a domain controller
is added or removed.
The KCC creates Replication Partners for each domain controller in the site. These replication
partners are notified when changes have been made to an object in AD. It is called a Notify-Pull
replication because the replication partner is notified there are changes and it will then pull any
changes from the domain controller that sent the notification. When the change occurs, the
domain controller with the change waits 15 seconds before notifying the first replication
partner. The DC will then notify any remaining replication partners every 3 seconds in order
they are listed in AD Sites and Services. The replication topology is designed to be fully
replicated within 3 hops.

7 December 2021 14:08 92 of 207

38676182.doc

To view the replication partners for the domain controllers, in AD Sites and Services, expand
the Site name, expand Servers, expand the Server name and select NTDS Settings. The
replication partners will be displayed in the detail pane on the right. If there is a need to force
replication, right-click the replication partner and select Replicate Now. A command-line utility
called repadmin can also be used to force directory replication.

Inter-Site
The Inter-Site replication is replication that occurs between sites. The connections are normally
not as fast and reliable as the connections within the site. This depends on your site strategy and
the reasons you created the site. The replication is controlled by Site Links. There is a
DefaultSiteLink that all sites can be linked when the site is created. The replication between sites
is based on a schedule. When it is time for replication based on the schedule configured in the
site link, the domain controller designated will Request-Pull changes from a specified domain
controller in the other site. The schedule created includes the time window to use for
replication, the replication interval (how often to replicate) and the cost (priority) of the link.
The specified domain controller in the site is called the Bridgehead Server. It is automatically
designated by the ISTG (InterSite Topology Generator). The Bridgehead server can be manually
designated but it can have some major impact on the network which will be discussed in the
next few pages.

7 December 2021 14:08 93 of 207

38676182.doc

Forest and Domain Replication

Intra-Site Replication
 Uses a Notify-Pull process via RPC over IP (high bandwidth is required)
 Source DC notifies first Replication Partner after 15 seconds
 Additional Replication Partners are notified every 3 seconds
 Complete replication within 3 hops
 Account lockout, domain password policy, or DC password do not wait for
replication interval ( 15 seconds)
 Replication Partners
o Replication connection objects are created automatically by the KCC
o Replication connection objects can be created manually

Intra-Site Replication
Replication between domain controllers in the same site is automatically configured and
managed by the KCC (Knowledge Consistency Checker). If only one site is created (Default
First Site), replication will not need to be configured because it will happen automatically.
The topology of replication uses Replication Partners. Each domain controller in the site will
have replication partners automatically created by KCC when it becomes part of the site. In
most cases, there will be up to 3 replication partners (3 hop rule). In larger networks there may
be more than three. Replication Partners can be manually created by right-clicking the NTDS
setting for the domain controller where the new Replication Partner is desired. Select New
Active Directory Connection. A window is displayed with a listing of all domain controllers in
the site. Select the domain controller desired as a Replication Partner.
The Windows Server 2008 intra-site replication uses Notify-Pull to complete replication. When a
change is made to an AD object (created, moved or modified), the domain controller will wait
15 seconds and then Notify the first Replication Partner. The Replication Partner will then Pull
changes based on the USN (update sequence number) of the objects. The higher number will be
replicated. After the first Replication Partner is notified, the second is notified in 3 seconds.
Additional Replication Partners are notified in 3 second increments. Total replication will take
no more than a total of 3 hops.
The data that is being replicated is being sent uncompressed. The protocol being used to
transmit the data is RPC/IP, which is a reliable protocol standard used with Site replication
traffic.

7 December 2021 14:08 94 of 207

38676182.doc

Active Directory Sites

A collection of well connected TCP/IP subnets: Sites are used to:
 Control protocol, cost, & schedule of AD replication
 Control authentication traffic
 Optimize Active Directory-aware applications
 Sites are managed by Enterprise Admins thru AD Sites & Services
 Default First Site contains all DCs by default and all DCs on unassociated
subnets
 A Site can consist of multiple domains and a domain can span multiple sites
Sites are part of the physical structure of Active Directory in Windows Server 2008. They are
used to control replication of Active Directory within the site and between sites. A site can also
be used to keep logon traffic local to the site by having a Global Catalog in the site and by using
Universal Group Membership Caching. If a directory-aware application is used, the site where
the request for the application is requested and the location of the application is considered
when directing traffic to the application.
A site is defined as a collection of one or more subnets that have a 'fast and reliable' connection.
It is best to have all domain controllers within a site with a good connection to support the
replication of Active Directory. Subnets that do not have a 'fast and reliable' connection should
be in separate sites and replication configured between the two sites. Many times the physical
location is used to differentiate the site structure even if the connection is good. It all comes
down to how the replication of AD is going to be managed.
Active Directory Sites and Services is where Sites and replication is administered. Though AD
Sites and Services can be viewed from anywhere in the forest, it is managed in the Forest Root.
Any administration needs to be completed by a user in the Enterprise Admins group. There is a
site created by default when Active Directory is installed. It is called "Default First Site". If no
other site is created, all domain controllers will be listed under this site.
When implementing a Windows Server 2008 forest, it is best to create the site structure
immediately after installing Active Directory on the first domain controller. When the
subsequent domain controllers join the forest, they will be listed under the appropriate site
based on their IP address and the subnet it belongs. If this is not possible, the servers can be
moved to the appropriate site at a time after the site is created.
It is possible to have more than one domain in a site or have part of a domain in one site with
the other in another site. If more than one domain is in a site, it requires at least one Domain
Controller be listed in that site.

7 December 2021 14:08 95 of 207

38676182.doc

Site Creation
To create a new site, open AD Sites & Services located in Administrative Tools. Select Sites and
from the shortcut menu select New Site. In the window that is displayed, name the site and
associate it with a site link. This will be the DefaultSiteLink, if no other links have been created.
Name your sites so they can be easily recognized. If your site implementation is by location, use
the name of the location. Once the site is created, it is time to create the subnets.

Creating Subnets
In the left-hand pane select Subnets and from the shortcut menu select New Subnet. The IP
address to enter in the window displayed will be the network address with the appropriate
subnet mask. Select the site that is going to be associated with the subnet. Once the subnet is
created, the site association can be changed from the Properties of the subnet.
If the sites and subnets are created before any other domain controllers become part of the
forest, the domain controllers will be automatically listed in the appropriate site during the
installation of Active Directory. If not, expand the Servers folder under Default First Site to view
the domain controllers that are listed. Select to Move the domain controllers from the shortcut
menu on the server and select the site that is associated with their subnet.
Once the Sites are created and domain controllers are in place, select the Site and view in the
right pane a node for License Site Settings. The default Site License server is the first domain
controller created in the site. The Site License server is where the database regarding licensing
for Microsoft products is stored. The information is managed in the Licensing console, but
stored in the Site License server.
The five basic steps for creating a site are as follows:
 Create the site, and associate it with a site link (typically the DefaultSiteLink on
smaller networks)
 Create a subnet and associate it with a site-Sites must contain unique subnets to
make them useful.
 Connect the site to other sites by using site links-A site that does not have a site
link to other sites cannot replicate directory information outside of its own site.
 Move the domain controllers to the appropriate sites. - Future DCs will be placed
in the appropriate site based on subnet.
 Select a site license server - For compliance with Microsoft licensing rules, this is
a necessary step. All sites are registered by the License Logging Service and stored on a
central database.

Inter-Site Replication
Faster WAN connections should be assigned lower site link costs, while slower WAN
connections should be assigned higher site link costs.
Inter-Site replication occurs between sites that have been created in AD Sites and Services. To
manage the replication, Site Links must be created.

7 December 2021 14:08 96 of 207

38676182.doc

Site Links
There is a DefaultSiteLink that is created when AD Sites & Services is created. When new sites
are created, they can be associated with the DefaultSiteLink. If all site connections are equal and
there is no preference in how the data replicates, the DefaultSiteLink is used and no other
configuration is required. The default settings for the DefaultSiteLink include Cost of 100,
replication every 180 minutes (3 hours) and scheduled time is 24/7 availability. If the type of
connections between the sites is different and there is a need to differentiate when the different
sites replicate, a site link is created to configure the specific settings required.
To create a Site Link, select the Inter-Site Transport desired. There are two options: IP (RPC/IP)
and SMTP. IP provides a reliable connection and all partitions can be replicated across this type
of transport. The SMTP is an e-mail based replication and is designed for unreliable
connections. Only the Schema and Configuration partitions can be replicated using SMTP. In
order to use SMTP, there must be a SMTP server in each site. The transport of choice is going to
be IP.
Select New Site Link from the shortcut menu of IP node. Name the Site link (user friendly name
for easy identification) and indicate the Sites that are going to be linked with this Site link. Once
the Site Link is created, access the Properties area to configure settings. The default cost
assigned to a Site Link is 100. When deciding the Cost to assign to a link, determine the
preferred link to replicate to first and then make that link a lower cost. For example, if SiteA and
SiteB have a link that is 100, SiteB and SiteC have a link that is 75. SiteB will replicate to SiteC
first, because it has the lower cost.
The Replication interval default setting is 180 minutes (3 hours). This represents the interval of
requests to pull changes from the Bridgehead server from the linked site. It is not recommended
to make the time any shorter. Recommended is to make sure at least 2 replications occur during
the time schedule allotted.
The Schedule is the days and times available for replication to occur. Default is 24 hours a day,
seven days a week. The schedule can be set to only allow replications during a certain period of
time. For example: Replication is desired for off-hours, it can be scheduled to only occur from 8
p.m. to 6 p.m. It is a 24 hour time schedule - midnight to midnight. Be careful when setting time
frames to ensure it corresponds with the desired results.
If the Replication is scheduled for a 4 hour time frame and replication interval is every 3 hours,
the 2 replication rule will be accomplished. It will initiate replication at the beginning of the
time and then again in 3 hours later. The time frame available and the intervals of replication
are very important when getting the desired result. If replication is set to occur between
multiple sites and one site does not get the changes until the next day, the schedule and
intervals need to be examined to make sure all changes are replicated to all sites within a given
time.

7 December 2021 14:08 97 of 207

38676182.doc

Bridgehead Servers
The Bridgehead server is the domain controller in each site that has been designated by the
ISTG for that domain to Request and Pull the changes to the AD database. It will then turn
around and start notifying its own Replication Partners that it has changes to initiate the Intra-
Site replication. The ISTG will maintain the Bridgehead server topology by replace it
automatically should it fail for any reason. If a different Bridgehead server is desired, right-click
the server name under the site and select Properties. It will show if the server has been assigned
the role of Bridgehead server. If it is not already the Bridgehead server, select the Transport
protocol it should be responsible for and move to the right side.
Note: After manually designating a Bridgehead server, the ISTG will no longer maintain the
environment. It will not designate any Bridgehead server at all, even if the one manually
created fails. If manually creating a Bridgehead server, make sure to specify at least two so there
is another one available, should one fail. If the Bridgehead server is manually created on one
site, it must also be manually created on the site that it is linked. The Site replication will fail if
only one Bridgehead server has been manually created and the other has been created by ISTG.

Site Link Bridges

By default all site links are bridged (transitive). If the option to "Bridge all site links" is disabled,
the DCs in the fabrikam.com domain would not successfully perform replication without the
manual creation of a site link bridge.
By default, Windows Server 2008 will automatically bridge between non-adjacent sites, creating
connection objects between the DCs in the non-adjacent sites. If SiteA is linked to SiteB, and
SiteB is linked to SiteC, bridging is automatic between SiteA and SiteC. This allows SiteA and
SiteC to exchange AD changes through site links A-B and B-C. To turn off this feature, clear the
checkbox "Bridge all site links" in the Properties of the IP node under the Inter-Site Transports
section. With this turned off, any bridges desired must be created manually. If "Bridge all site
links" has been unchecked, the AD network can then be described as "not fully routed".
To create a Site Link Bridge, from the shortcut menu of the IP node, select New Site Link Bridge.
Name the bridge and specify the sites that are to be bridged. No other configuration is required.
The Cost of the Site Link Bridge is the combined Site Link Costs of the two links the Site Link
Bridge has in common. For example: SiteA and SiteB have a link Cost of 100, SiteB and SiteC
have a link Cost of 75, the Cost of the Site Link Bridge between SiteA and SiteC is a Cost of 175.
Manual bridging is used instead of creating a site link in environments that are not routed to
one another and when there are an excessive amount of sites in the routed environment.
Another term for a bridged site is a Transitive site. If a bridge is not created it is Non-Transitive.
Costs are not assigned to site link bridges. The cost of a site link bridge is the sum of the costs of
the site links involved in the creation of the site link bridge. Therefore the JAX-HOU-SEA-SLB
created to solve the problem in the diagram above would have a replication cost of 200 (100 +
100).

7 December 2021 14:08 98 of 207

38676182.doc

Inter-Site Transports
 Fast, reliable WAN links
o Only domain controllers of the same domain
o Built in security
 SMTP
o Slow unreliable WAN links
o DCs of different domains, same forest
o Certificates and SMTP on replication partners
Inter-Site replication occurs between sites that have been created in AD Sites and Services. To
manage the replication, Site Links must be created.
Rules to follow:
 Domain controllers of the same domain must use RPC over IP regardless of
WAN connectivity speeds.
 When WAN connections are fast and reliable use RPC over IP even when
replicating between DCs of different domains.
 When replicating between DCs of different domains across a slow, unreliable
link use the SMTP inter-site transport.
 When using SMTP, certificates need to be used to enhance security and the SMTP
protocol will need to be installed on the DCs participating in the inter-site replication.

7 December 2021 14:08 99 of 207

38676182.doc

Managing AD Sites
Inter-site Replication Strategy
 Schedule: Site schedules should be configured with overlapping times to provide
at least two replication cycles.
 Link Costs: Site link costs should be configured proportionately to the speed of
the physical link connecting the sites. (Faster speeds, lower costs)
 Create Boundaries with Subnets - Subnets assigned to only one site
o Subnet association dictates what DCs clients will use for authentication.
The replication strategy for both Intra-site and Inter-site replication can be managed through
AD Sites and Services. For Intra-site replication, place all of the domain controllers belonging to
the same subnet in the appropriate site. Make sure the connectivity between the domain
controllers in a given subnet is fast and reliable to support the Intra-site replication. There is
more to managing Inter-Site replication. The Site Links that are created between the sites must
be configured properly in order to obtain the desired result. If only the default settings are
required, the DefaultSiteLink can be used to connect all sites. Otherwise a site link must be
created and customized. Items to be carefully configured include the cost, schedule and
replication interval. These will be discussed in detail in the pages to follow.

Creating Boundaries with Subnets

Sites are important for AD replication but also play a key roll in authentication. When
authenticating, a domain controller located in the same site as the user is selected to complete
the authentication. If a specific domain controller is desired to authenticate, make sure the
client's subnet is part of that site. The subnet is the identifying factor for both the user and the
domain controller.
Sites are not domain specific so if there are a lot of users who travel to other sites and require
cross-domain authentication, place a domain controller in the site they are physically located.
The domain controller will require an IP address from one of the subnets associated with the
site and a site link created to a site with other domain controllers from the same domain.

7 December 2021 14:08 100 of 207

38676182.doc

Bridgehead Selection Process

The inter-site topology generator automatically selects a bridgehead server to be responsible for
inter-site replication.
Bridgehead servers can be manually selected in the properties of the server object, however
when manually selecting a bridgehead, at least two should be selected to prevent a single point
of failure. ISTG will forgo an election if a bridgehead is manually assigned.
A bridgehead server is required for each directory partition that must be replicated to other
sites.
When the Knowledge Consistency Checker builds the inter-site replication topology, it selects
one or more servers in each site to act as a bridgehead server. The bridgehead server is
responsible for the inter-site replication. This auto-selection process ensures that once a site link
opens for replication all domain controllers within each site do not attempt to establish
connection objects outside the boundaries of the site.
Microsoft recommends allowing the bridgehead servers to be chosen automatically instead of
manually. Once a bridgehead server is chosen manually KCC will not select one. Thus if your
pre-selected bridgehead becomes unavailable inter-site replication could be interrupted.

Manually Selecting Bridgeheads

The minimum number of DCs to select as a bridgehead servers to prevent an election would be
one DC to account for each directory partition requiring replication, however, best practice
would suggest configure a two bridgeheads for each directory partition.
If a preferred bridgehead server has been selected then updates to the domain directory
partition hosted by that server can be replicated only from a preferred bridgehead server. If at
the time of replication a preferred bridgehead server is not available for that directory partition,
replication fails.
If a bridgehead servers has been selected but no domain controller is designated as a preferred
bridgehead server for a specific directory partition that has replicas in another site or sites, the
KCC selects a domain controller to act as the bridgehead server, if one is available that can
replicate the directory partition to the other site or sites. Therefore, to select preferred
bridgehead servers effectively be sure to assign at least two or more bridgehead servers for each
of the following:
 Any domain directory partition that has a replica in another site.
 Any application directory partition that has a replica in another site.
 The schema and configuration directory partitions if no domains in the site have
replicas in other sites.
If the site has a global catalog server, select the global catalog server as one of the preferred
bridgehead servers.

7 December 2021 14:08 101 of 207

38676182.doc

Monitoring Replication
 Command-line Utilities
o Repadmin
o Dcdiag
 Event Viewer
 Directory Services log
 Active Directory Replication Monitor (replmon)

Event Viewer
There are two Event Logs that pertain to Replication and Active Directory. These logs are
automatically added when Active Directory is installed. The Directory Services log records
events having to do with the Directory Services service. These events include connections
between the domain controller and the Global catalog. The File Replication Service log records
events regarding the File Replication service. Failures during replication of Active Directory can
be found in this log.

File Replication Service Log

Several tools are available to monitor both Active Directory replication and File Replication.
None of the tools, except Event Viewer, are installed by default. Install the suptools.msi package
from the \Support\Tools folder on the Windows Server 2008 CD. Two of the tools, repadmin
and dcdiag are command-line utilities. Replmon (Active Directory Replication Monitor) is has a
GUI interface and can be accessed from the Run command by typing replmon.

Command-Line Utilities
The repadmin (Replication Diagnostic Tool) utility is used to diagnose Active Directory
replication problems between domain controllers. It can be used to force replication or to
manually create a replication topology.
Dcdiag (Domain Controller Diagnostic tool) is used to analyze the domain controllers either in
the domain or forest. Domain controllers can be specified to run diagnostic tests.

Active Directory Replication Monitor

Access Active Directory Replication Monitor by typing replmon in the Run command. The GUI
interface will be displayed. To connect to a domain controller, right-click Monitored Servers and
select Add Monitored Server. The domain controller can be selected by name or browse to select
the domain controller desired. This is tool will allow the administrator to see what is being
replicated. Replication can be forced, a map of the replication topology viewed, along with
other reports that can be generated to analyze the performance of Active Directory replication.
See the listing of the reports in the picture above.

7 December 2021 14:08 102 of 207

38676182.doc

Backing-Up Active Directory

 System State – A set of components that are backed up and restored as a single
unit and cannot be managed individually
 Server Backup Utility
o Backs up immediately or use Task Scheduler to schedule
o Always full backup
 NTBackup in Directory Services Restore Mode for restore of SSD
 Must be Domain Admin or Backup Operators group
 Only interactive backups Local Disk (C) and restores are allowed
 Includes AD, Sysvol (scripts, My Documents, GPOs) registry, boot files, & My
Network Places
o Possibly more depending on system configuration

System State
System State is the collection of all system components and distributed services that Active
Directory requires to function. It is a logical group that cannot be separated and backed up
individually. Included the System State is the registry, system boot files, files protected by
Windows File Protection, and Certificate Services database. It can include Active Directory
components and the Sysvol folder if the server is a domain controller.

Server Backup Utility

The backup utility provided with Windows Server 2008 can be used to backup the System State.
It can either be selected to back up separately or it can be selected along with other data to
backup. No matter what type of backup is being performed, the System State will always be
backed up as a full backup. Use the same utility to restore System State while in Directory
Services Restore Mode.
The user performing the System State backup must be either a member of the Domain Admins
group or Backup Operators group. It can be backup job can be run immediately or can be
scheduled to run after hours by creating a Scheduled Task through the Backup wizard.
The System State backup can only be configured on the local machine but the System State
backup can be stored in a network share.

7 December 2021 14:08 103 of 207

38676182.doc

WBAdmin
 Not installed by default
 Must be installed as a Feature with Server Manager
 “wbadmin startsystemstatebackup" backs up the system state, including AD on a
domain controller.
Windows Server 2008 includes a new backup application named Windows Server Backup.
Windows Server Backup is not installed by default. You must install it by using the Add
Features option in Server Manager before you can use the Wbadmin.exe command-line tool or
Windows Server Backup on the Administrative Tools menu.
To back up a domain controller, you should use the wbadmin startsystemstatebackup
command to back up system state data. If you use the wbadmin startsystemstatebackup
command, the backup contains only system state data, which minimizes the size of the backup.
This method provides system state data backups that are similar to the system state backups
that are provided by the Ntbackup tool in previous versions of Windows Server. As another
option, you can use the wbadmin start backup command with the -allcritical parameter or use
Windows Server Backup to perform a backup of all critical volumes, rather than only backing
up system state data. However, this method backs up all the critical volumes entirely. A volume
is considered critical if any system state file is reported on that particular volume.
In Windows Server 2008, the system components that make up system state data depend on the
server roles that are installed on the computer. The system state data includes at least the
following data, plus additional data, depending on the server roles that are installed:
 RegistryCOM+ Class Registration database
 Boot files
 Active Directory Certificate Services (AD CS) database
 The Active Directory database (Ntds.dit)
 SYSVOL directory
 Cluster service information
 Microsoft Internet Information Services (IIS) metadirectory
 System files that are under Windows Resource Protection
When you use Windows Server Backup to back up the critical volumes on a domain controller,
the backup includes all data that resides on the volumes that include the following:
 The volume that hosts the boot files, which consist of the Bootmgr file and the
Boot Configuration Data (BCD) store
 The volume that hosts the Windows operating system and the registry
 The volume that hosts the SYSVOL tree
 The volume that hosts The Active Directory database (Ntds.dit)The volume that
hosts The Active Directory database log files
Windows Server 2008 supports the following types of backup:
 Manual backup: A member of the Administrators group or the or Backup
Operators group can initiate a manual backup by using Server Backup or the

7 December 2021 14:08 104 of 207

38676182.doc

Wbadmin.exe command line tool each time that a backup is needed. If the target volume
is not included in the backup set, you can make manual backups on a remote network
share or on a volume on a local hard drive.
 Scheduled backup: A member of the Administrators group can use the
Windows Server Backup or the Wbadmin.exe command line tool to schedule backups.
The scheduled backups must be made on a local, physical drive that does not host any
critical volumes. Because scheduled backups reformat the target drive that hosts the
backup files, we recommend that you use a dedicated backup volume.
Windows Server Backup supports DVDs or CDs as backup media. You cannot use magnetic
tape cartridges. You cannot use a dynamic volume as a backup target.
Windows Server Backup does not support backing up individual files or directories. You must
back up the entire volume that hosts the files that you want to back up.
For Install from Media (IFM) installations, use the enhanced version of Ntdsutil.exe that is
included in Windows Server 2008 to create the installation media, rather than Windows Server
Backup. Ntdsutil.exe in Windows Server 2008 includes a new ifm command that creates
installation media for additional domain controllers. For read-only domain controller (RODC)
installations, the NTDSUtil ifm command can create secure installation media, in which the
command strips secrets from Active Directory data. You can also include SYSVOL data in the
installation media.
When you need to restore a domain controller, you can use Bcdedit.exe to toggle the default
startup mode between normal and Directory Services Restore Mode (DSRM).
To start the server in DSRM by using Bcdedit.exe, at a command prompt, type the following
command: bcdedit /set safeboot dsrepair. To restart the server normally, at a command
prompt, type the following command: bcdedit /deletevalue safeboot.
Windows Server backup in Windows Server 2008 has three recovery modes:
 Full server recovery
 System state recovery
 File/folder recovery
As with previous versions of Active Directory, you can perform a system state recovery only by
starting the domain controller in DSRM, which you access by pressing F8 during the initial boot
phase of Windows Server 2008. If you cannot start the server, you must perform a full server
recovery. For more information, see Performing a Full Server Recovery of a Domain Controller.

7 December 2021 14:08 105 of 207

38676182.doc

Restoring Active Directory

 Must be in Directory Services Restore Mode (Though Directory Services can be
stopped and started, to restore AD, you must enter DSRM)
 Use Backup Utility and select Restore
 Cannot restore individual components of System State
 Must be local restore
 Three types of Restore available:
o Normal Restore (non authoritative) – Allows replication to update
o Authoritative Restore – Marks objects to be restored and replicated
o Primary Restore – Marks entire restore as the one to replicate
To restore Active Directory, enter Directory Services Restore Mode from the Advanced Options
during start. You will be required to use the password created during AD installation for
Directory Service Restore Mode. By going to Directory Services Restore Mode, directory
services are not running so Active Directory portion of the System State can be restored. Use the
same Backup Utility and select the Restore Wizard. Like the Backup, to restore System State, it
must be entirely restored because it is not possible to select individual components.

Restore Options
Three options are available when restoring Active Directory: Normal Restore, Authoritative
Restore and Primary Restore. Depending on the situation and the objects desired to restore will
determine the type of restore that is appropriate. All restores are executed in Directory Services
Restore Mode which can be accessed from the Advanced Options Menu. Directory Services
Restore Mode turns Active Directory off allowing restoring the System State. The ntdsutil.exe
function is a command-line utility used in Directory Services Restore mode to complete other
Directory Services functions such as moving the database, using metadata cleanup to remove
old objects and an offline defrag, among others.

Normal Restore
Normal Restore is also called nonauthoritative. Run the Backup Utility to restore the System
State backup. It restores the entire System State to its original location. Once complete, the
domain controller is rebooted and it will synchronize with the other domain controllers in the
domain to receive the most up-to-date changes to Active Directory.
Reasons for using a Normal Restore include:
 Restoring a single domain controller when there are other domain controllers
 Attempt to restore Sysvol or File Replication service data on domain controller
other than first replica

7 December 2021 14:08 106 of 207

38676182.doc

Authoritative Restore
An Authoritative Restore allows the administrator to specify objects in The Active Directory
database that should be restored to the entire network upon reboot. It 'marks' the objects so they
are not written over when the domain controller is synchronized at reboot. It will replicate those
marked objects to the other domain controllers in the network instead.
To accomplish an Authoritative restore, a non-authoritative restore is completed, but the system
is not rebooted. From a command prompt, complete the restore by using the Ntdsutil.exe
utility. It is in this utility that the objects are indicated that should be replicated to the other
domain controllers. The items are marked by increasing the USN number by 100,000 per day of
the backup. This makes them the highest USN, which causes them to be replicated.
Reasons to use the Authoritative restore include:
 Rolling back or undoing changes to Active Directory objects
 Resetting the data stored in the Sysvol folder

Primary Restore
The Primary Restore is similar to the Normal Restore. When executing the Backup Utility to
restore the backup file, select the Advanced Options and indicate in the Advanced Restore
Options dialog box "When restoring replicated data sets, mark the restored data as the primary
data for all replicas' which marks it to be the data that is to be replicated to the other domain
controllers, whether the data is older or not. It affectively marks the entire restored System State
to be the authoritative objects for the domain. Reasons to use the Primary Restore include:
 Restoring the only domain controller in an Active Directory environment
.Restoring the first of several domain controllers
 Restoring the first domain controller in a replica set
The Restore function must be configured on the local machine.
Note: When doing an authoritative restore, the objects that are being restored are sometimes
referred to as subtrees. This would be an OU that is being restored. The LDAP path might look
like: OU=Sales, DC=contoso, DC=com.

7 December 2021 14:08 107 of 207

38676182.doc

AD Replication Conflicts
Replication is at Attribute level: Same object, different attribute, no conflict
Types of Conflicts:
 Attribute conflict: Uses latest date stamp
 Objects created in OU on one DC & OU deleted on another DC: OU deleted and
objects placed in Lost and Found
 Same object created on 2 DCs: Both objects created Second object includes GUID
Replication for objects in Active Directory is executed at the attribute level. If changes to the
same object are being made on two separate domain controllers, as long as the changes are
being made to different attributes of the object, the replication will occur without any conflicts.
For example, the home phone number is changed on one DC and the fax number is changed on
another DC. Since these are different attributes, they will both replicate with no conflicts.
Attribute conflicts will occur when the same attribute is modified on two DCs and then
replicated at the same time. When this occurs, the date stamp is checked and the most recent
change will be replicated.
Objects created in OU on one DC and OU is deleted on another DC provides a challenge. The
OU will be deleted and the objects that were created in the OU will be placed in the Lost and
Found in AD Users and Computers. This will maintain the SIDs on the security principals. The
OU can be recreated and the security principals moved from Lost and Found to the new OU.
Same object created on 2 DCs and replicated at the same time will cause both objects to be
created but one of the objects will have the GUID appended to the end of the name. It will be
necessary to check the Properties of each account to determine the account that should be
maintained.

7 December 2021 14:08 108 of 207

38676182.doc

Active Directory Garbage Collection

On Windows Server 2008, the DC from which an object is deleted informs the other DCs in the
environment about the deletion by replicating what is known as a tombstone. It is necessary for
the tombstone to stay in Active Directory until the deletion state can be replicated to all domain
controllers so that the object is flagged as a tombstone for later removal.
By default the tombstone lifetime is set at 180 days. (value is listed as <Not Set>) Backups older
than the tombstone lifetime cannot be restored.
When a new object is added to Active Directory, it is replicated to all other domain controllers
so that they all have the same information.
A garbage collection service runs every 12 hours to
 Delete tombstones whose lifetime has expired
 Delete unnecessary log files
 Start online defragmentation
Garbage collection attributes
 tombstoneLifetime
 garbageCollPeriod
These attributes can be changed in Active Directory by using ADSIEdit as shown in the slide.
The attributes are in the object:
CN =Directory Service, CN = Windows NT, CN =Services, CN=configuration,DC=forest root

7 December 2021 14:08 109 of 207

38676182.doc

Troubleshooting Active Directory

 FSMO Roles Failure Troubleshooting:
o Objects can't be created - RID Master
o Domain can't be created - Domain Naming Master
o Infrastructure Master Password can't be changed - PDC Emulator
 Directory Services Restore Mode password
o Change in NTDSUTIL
 Resolving issues with Active Directory
o Use NTDSUTIL to move, compact, remove objects
 Removing Active Directory
o DCPromo /Forceremoval

Directory Services Restore Mode Password

Windows Server 2008 provides a way to change the Directory Services Restore Mode password
that was originally created when AD was installed. To change it, go to a command prompt and
enter NTSDUTIL > set dsrm password. Make sure you are logged in to the domain controller
and Active Directory is running.

Resolving issues with AD

In order to manage AD database and log files, the domain controller must be in Directory
Services Restore Mode. From the command prompt, use the NTDSUTIL to move, compact and
remove objects from Active Directory. The part of the utility that allows objects to be removed is
called Metadata Cleanup. An example where this is used would be when a domain controller
fails and is not able to be removed from the domain properly. In order to remove any
indications of the domain controller from Active Directory, use the Metadata Cleanup.

Removing Active Directory

The command to uninstall Active Directory is the same command as installing. Go to the Run
command and type DCPROMO. The wizard will detect that the server has AD installed and
will start the wizard to remove Active Directory. There is a checkbox to indicate if this is the last
domain controller in the domain. The process of removing Active Directory will synchronize
with another DC in the same domain, replicate any changes that have been made in Active
Directory, transfer any FSMO roles the DC has and replicate any information it has in any of the
partitions. If this is the last DC in the domain, make sure to check the box and it will contact the
Forest Root server to replicate any pertinent information before removing AD. Once Active
Directory is removed, all data in any of the partitions will be gone.

7 December 2021 14:08 110 of 207

38676182.doc

If another DC in the same domain is not available or the time is not synchronized with the other
DCs, the process will fail. In that case there are two options, run the DCPROMO again with the
switch /forceremoval. This will force it to uninstall and will not attempt to contact another DC.
It can also be taken off line, reinstalled, and any occurrence removed from AD through
NTDSUTIL Metadata Cleanup.

ADSIEdit and LDP

Two GUI utilities used to view all objects in the directory (including schema and configuration
information), modify objects and set access control lists on objects. ADSIEdit can also be used to
create LDAP queries. ADSI scripting combined with VBScript can be used for bulk import,
export, and modifications of AD objects.

7 December 2021 14:08 111 of 207

38676182.doc

Planning and Implementing User, Computer and Group

Strategies

7 December 2021 14:08 112 of 207

38676182.doc

File Permissions
On a Windows computer, you can share files among both local and remote users. Local users
log on to your computer directly through their own accounts or through a Guest account.
Remote users connect to your computer over the network and access the files that are shared on
your computer.
You can access the Simple File Sharing UI (the default in some XP & Vista versions) by viewing
a folder's properties. Through the Simple File Sharing UI, you can configure both share and
NTFS file system permissions at the folder level. These permissions apply to the folder, all the
files in that folder, subfolders, and all the files in the subfolders. Files and folders that are
created in or copied to a folder inherit the permissions that are defined for their parent folder.
This article describes how to configure access to your files, depending on permission levels.
Some information that this article contains about these permission levels is not documented in
the operating system files or in the Help file.

Turning on and turning off Simple File Sharing

Simple File Sharing is always turned on in Windows XP Home Edition-based computers. By
default, the Simple File Sharing UI is turned on in Windows XP Professional-based computers
that are joined to a workgroup. Windows XP Professional-based computers that are joined to a
domain use only the classic file sharing and security interface. When you use the Simple File
Sharing UI (that is located in the folder's properties), both share and file permissions are
configured.
You can use Simple File Sharing to configure five levels of access to shares and files:• Level 1:
My Documents (Private)
Level 2: My Documents (Default)
Level 3: Files in shared documents available to local users
Level 4: Shared Files on the Network (Readable by Everyone)
Level 5: Shared Files on the Network (Readable and Writable by Everyone)
If you turn off Simple File Sharing, you have more control over the permissions to individual
users. However, you must have advanced knowledge of NTFS and share permissions to help
keep your folders and files more secure. If you turn off Simple File Sharing, the Shared
Documents feature is not turned off.
To turn Simple File Sharing on or off in Windows XP Professional, follow these steps: 1. Double-
click My Computer on the desktop.
2. On the Tools menu, click Folder Options.
3. Click the View tab, and then select the Use Simple File Sharing (Recommended) check box to
turn on Simple File Sharing. (Clear this check box to turn off this feature.)

7 December 2021 14:08 113 of 207

38676182.doc

To view a video about how to turn Simple File Sharing on or off, click the Play button () on the
following Windows Media Player viewer:

Enabling the Security Tab in Windows XP

Like most other useful functions, the Security tab is not easy to find in the default Windows XP
user interface. To enable the tab:
 Open any Windows Explorer window.
 From the Tools menu, select Folder Options.
 Select the View tab.
 Scroll down the list of Advanced Settings (sic) and unselect the option Use simple
file sharng (Recommended).

To examine the ACLs on a file (or folder), right-click on its

icon and select Properties from the pop-up menu. In the
Properties window, click on the Security tab to display a
window similar to the one opposite.
If you are using Windows XP and the Security tab is not
present, check the setting described in the previous section.
Alternatively, you may be looking at a file on a FAT rather
than an NTFS partition. Windows does not protect files using
ACLs on FAT format partitions. You can check a partition's
format by examining the Properties of the disk icon.
The top pane of the window lists all of the Users (or Groups of
Users) that have permissions to the file; only listed Users and
Groups can access the file.
When a User is selected in the top pane, their permissions are shown in the lower pane. The
Allow and Deny check boxes determine the permissions granted to a user:
 If neither box is checked, the user is not allowed that right.
 If the allow box only is checked, the user is allowed that right
 If the deny box is checked, the user is always denied, even when the allow box is
checked.
In the above case, all of the Allow boxes are checked to give the Local Administrator Full
Control over the file. The six main permissions are described below. They can be used in
different combinations to allow various levels of access to users.

NTFS Permissions
Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents, Read,
and Write. Each of these permissions consists of a logical group of special permissions that are
listed and defined in the following sections.

7 December 2021 14:08 114 of 207

38676182.doc

Troubleshooting
If the Security tab is not available and you cannot configure special permissions for users and
groups, you may be experiencing the following issues :
The file or folder where you want to apply special permissions is not on an NTFS drive. You can
set permissions only on drives that are formatted to use NTFS.
Simple file sharing is turned on. By default, simplified sharing is turned on.
IMPORTANT: Groups or users who are granted Full Control on a folder can delete any files in
that folder regardless of the permissions that protect the file.
Note Although the List Folder Contents and the Read & Executefolder permissions appear to
have the same special permissions, these permissions are inherited differently. List Folder
Contents is inherited by folders but not files and it only appears when you view folder
permissions. Read & Execute is inherited by both files and folders and is always present when
you view file or folder permissions.
In Windows XP Professional, the Everyone group does not include the Anonymous Logon
group.
Traverse Folder/Execute File – For folders: The Traverse Folder permission applies only to
folders. This permission allows or denies the user from moving through folders to reach other
files or folders, even if the user has no permissions for the traversed folders. Traverse Folder
takes effect only when the group or user is not granted the Bypass Traverse Checking user right.
The Bypass Traverse Checking user right checks user rights in the Group Policy snap-in. By
default, the Everyone group is given the Bypass Traverse Checking user right. For files: The
Execute File permission allows or denies access to program files that are running. If you set the
Traverse Folder permission on a folder, the Execute File permission is not automatically set on
all files in that folder.
List Folder/Read Data – The List Folder permission allows or denies the user from viewing file
names and subfolder names in the folder. The List Folder permission applies only to folders and
affects only the contents of that folder. This permission is not affected if the folder that you are
setting the permission on is listed in the folder list. The Read Data permission applies only to
files and allows or denies the user from viewing data in files.
Read Attributes – The Read Attributes permission allows or denies the user from viewing the
attributes of a file or folder, such as read-only and hidden attributes. Attributes are defined by
NTFS.
Read Extended Attributes – The Read Extended Attributes permission allows or denies the user
from viewing the extended attributes of a file or folder. Extended attributes are defined by
programs and they may vary by program.

7 December 2021 14:08 115 of 207

38676182.doc

Create Files/Write Data – The Create Files permission applies only to folders and allows or
denies the user from creating files in the folder. The Write Data permission applies only to files
and allows or denies the user from making changes to the file and overwriting existing content
by NTFS.
Create Folders/Append Data – The Create Folders permission applies only to folders and
allows or denies the user from creating folders in the folder. The Append Data permission
applies only to files and allows or denies the user from making changes to the end of the file but
not from changing, deleting, or overwriting existing data .
Write Attributes – The Write Attributes permission allows or denies the user from changing the
attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. The
Write Attributes permission does not imply that you can create or delete files or folders,. It
includes only the permission to make changes to the attributes of a file or folder. To allow or to
deny create or delete operations, see Create Files/Write Data, Create Folders/Append Data,
Delete Subfolders and Files, and Delete.
Write Extended Attributes – The Write Extended Attributes permission allows or denies the
user from changing the extended attributes of a file or folder. Extended attributes are defined by
programs and may vary by program. The Write Extended Attributes permission does not imply
that the user can create or delete files or folders, it includes only the permission to make
changes to the attributes of a file or folder. To allow or to deny create or delete operations, view
the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and
Delete sections in this article.
Delete Subfolders and Files – The Delete Subfolders and Files permission applies only to folders
and allows or denies the user from deleting subfolders and files, even if the Delete permission is
not granted on the subfolder or file.
Delete – The Delete permission allows or denies the user from deleting the file or folder. If you
do not have a Delete permission on a file or folder, you can delete the file or folder if you are
granted Delete Subfolders and Files permissions on the parent folder.
Read Permissions – The Read Permissions permission allows or denies the user from reading
permissions about the file or folder, such as Full Control, Read, and Write.
Change Permissions – The Change Permissions permission allows or denies the user from
changing permissions on the file or folder, such as Full Control, Read, and Write.
Take Ownership – The Take Ownership permission allows or denies the user from taking
ownership of the file or folder. The owner of a file or folder can change permissions on it,
regardless of any existing permissions that protect the file or folder.
Synchronize – The Synchronize permission allows or denies different threads to wait on the
handle for the file or folder and synchronize with another thread that may signal it. This
permission applies only to multiple-threaded, multiple-process programs.

7 December 2021 14:08 116 of 207

38676182.doc

Set, view, change, or remove special permissions for files and folders

NTFS Permissions

1. Click Start, click My Computer, and then locate the file or folder where you want to set
special permissions.
2. Right-click the file or folder, click Properties, and then click the Security tab.
3. Click Advanced, and then use one of the following steps:
• To set special permissions for an additional group or user, click Add, and then in Name
box, type the name of the user or group, and then click OK.
• To view or change special permissions for an existing group or user, click the name of
the group or user, and then click Edit.
• To remove an existing group or user and the special permissions, click the name of the
group or user, and then click Remove. If the Remove button is unavailable, click to clear the
Inherit from parent the permission entries that apply to child objects. Include these with entries
explicitly defined here check box, click Remove, and then skip steps 4 and 5.

4. In the Permissions box, click to select or click to clear the appropriate Allow or Deny
check box.
5. In the Apply onto box, click the folders or subfolders where you want these permissions
applied.

7 December 2021 14:08 117 of 207

38676182.doc

6. To configure security so that the subfolders and files do not inherit these permissions,
click to clear the Apply these permissions to objects and/or containers within this container
only check box.
7. Click OK two times, and then click OK in the Advanced Security Settings for
FolderName box, where FolderName is the folder name.
CAUTION: You can click to select the Replace permission entries on all child objects with
entries shown here that apply to child objects. Include these with entries explicitly defined here
check box. Therefore,all subfolders and files have all their permission entries reset to the same
permissions as the parent object.If you do this, after you click Apply or OK, you cannot undo
this operation if you click to clear the check boxes.

7 December 2021 14:08 118 of 207

38676182.doc

Security Group Strategy

 Use Built-in Groups when possible
 Group scopes
o Domain local: assign permissions
o Global: organize users
o Universal: ease permissions management in multi-domain forests
 Accounts> Global > (Universal) > Domain local > Permissions: AG(U)DLP
 Changing Group Scope
 Changing Group Type
o Security: used for purposes of permission for resources.
o Distribution: used for e-mail only.
 Remove groups no longer being used -- Does not impact user account
When deciding what security groups need to be used and created in the Windows Server 2008
network, keep in mind to create groups and add users based on common access and tasks.
There are built-in groups that can be used to assign rights and permissions to users to perform
certain tasks in the network. In example would be the Backup Operators group. Instead of
creating a group for the users who will be performing the backup task, just place them in the
built-in group. The concept of creating groups to minimize administration tasks should be kept
in mind when adding users to groups. Since users can belong to more than one group, it is easy
to have them be members of a lot of groups. This can be an added administrative burden when
access to a resource is not what is expected and the users group membership must be tracked
down to determine which group is not allowing the access required. Keep group membership
to a minimum, to make tracking permissions easier.

Group Scopes
Global
There are three different group scopes. The Global group is created in the domain where the
users are located. The user accounts are placed in the Global groups. It is stored in the local
domain but is referenced in the Global Catalog by its name with the domain where it is located.
Only the name is recorded, not the group membership. Since it is in the Global Catalog, it can be
viewed in other domains. It can 'travel' across the trusts to other domains.

Domain Local
The Domain Local groups are created in the domain where the resource is located and are used
to assign permissions. Global groups should be added to the Domain Local groups. They are
stored in the local domain only and cannot be viewed from any other domain.

7 December 2021 14:08 119 of 207

38676182.doc

Universal
When in Domain Functional Level Windows 2000 Native or higher, Universal groups are
available. The Universal groups are stored in the Global Catalog and can have membership
from any domain in the forest. Since it is stored in the GC, the membership should be fairly
static so there are not many changes to the Global Catalog. By placing Global groups into
Universal groups they are able to remain static, since it only has the Global group name, not the
actual membership. When the Global group membership changes, it will not impact the
Universal group.

Group Nesting
With Domain Functional Level Windows 2000 Native and higher, Group Nesting is available.
This allows a Global group to be a member of another Global group in the same domain, or a
Domain Local group is a member of another Domain Local group in the same domain. Nesting
should be limited to only 2 levels to minimize the impact of combined permissions.

Changing Group Scope

When the domain is in Domain Functional Level Windows 2000 Native or higher, it is possible
to change the scope of the group. The Global group goes to Universal, Universal to Domain
Local, Domain Local to Universal, and Universal to Global group. The Global group cannot be
changed to Domain Local group directly or vice versa.

Removing Groups
Remove groups when they are no longer needed. Whenever a group is deleted, the users that
belong to that group are not impacted because they are only associated with the group. The user
account is maintained separately from the groups.
Command line account management
You can also use the command-line tools Dsadd, Dsmod, and Dsrm to manage user, computer,
and group accounts in Active Directory. You must specify the type of object that you want to
create, modify, or delete. For example, use the dsadd user command to create a user account.
Use the dsrm group command to delete a group account. Although you can use Directory
Service tools to create only one Active Directory object at a time, you can use the tools in batch
files and scripts.
The Csvde command-line tool uses a comma-delimited text file, also known as a comma-
separated value format (Csvde format) as input to create multiple accounts in Active Directory.
You use the Csvde format to add user objects and other types of objects to Active Directory.
You cannot use the Csvde format to delete or modify objects in Active Directory. Before
importing a Csvde file, ensure that the file is properly formatted.
The input file:

7 December 2021 14:08 120 of 207

38676182.doc

 Must include the path to the user account in Active Directory, the object type,
which is the user account, and the user logon name (for Microsoft Windows NT® 4.0
and earlier).
 Should include the user principal name (UPN) and whether the user account is
disabled or enabled. If you do not specify a value, the account is disabled.
 Can include personal information.for example, telephone numbers or home
addresses. Include as much user account information as possible so that users can search
in Active Directory successfully.
 Cannot include passwords. Bulk import leaves the password blank for user
accounts. Because a blank password allows an unauthorized person to access the
network by knowing only the user logon name, disable the user accounts until users
start logging on.
To edit and format the input text file, use an application that has good editing capabilities, such
as Microsoft Excel or Microsoft Word. Next, save the file as a comma-delimited text file. You
can export data from Active Directory to an Excel spreadsheet or import data from a
spreadsheet into Active Directory.
The Ldifde command-line tool uses a line-separated value format to create, modify, and delete
objects in Active Directory. An Ldifde input file consists of a series of records that are separated
by a blank line. A record describes a single directory object or a set of modifications to the
attributes of an existing object and consists of one or more lines in the file. Most database
applications can create text files that you can import in one of these formats. The requirements
for the input file are similar to those of the Csvde command-line tool.

How to Create Accounts Using the Csvde Tool

You can use the Csvde command-line tool to create multiple accounts in Active Directory. You
can only use the Csvde tool to create accounts, not to change them.
To create accounts by using the Csvde command-line tool, perform the following steps:
 Create the Csvde file for importing. Format the file so that it contains the
following information:
 The attribute line. This is the first line of the file. It specifies the name of each
attribute that you want to define for the new user accounts. You can put the attributes in
any order, but you must separate the attributes with commas. The following sample
code is an example of an attribute line:

DN,objectClass,sAMAccountName,userPrincipalName,
displayName,userAccountControl
 The user account line. For each user account that you create, the import file
contains a line that specifies the value for each attribute in the attribute line. The
following rules apply to the values in a user account line:
 The attribute values must follow the sequence of the attribute line.
 If a value is missing for an attribute, leave it blank, but include all of the commas.
 If a value contains commas, include the value in quotation marks.
 The following sample code is an example of a user account line:

7 December 2021 14:08 121 of 207

38676182.doc

"cn=Suzan Fine,ou=HumanResources,dc=asia,
dc=contoso,dc=msft",user,suzanf,[email protected],Suzan Fine,514
You cannot use Csvde to create enabled user accounts if the domain password policy requires a
minimum password length or requires complex passwords. In this case, use a
userAccountControl value of 514, which disables the user account, and then enable the account
using Windows Script Host or Active Directory Users and Computers.
Run the csvde command by typing the following command at the command prompt:

csvde -i -f filename -b UserName Domain Password

Where:
 -i indicates that you are importing a file into Active Directory
 -f indicates that the next parameter is the name of the file that you are importing
 -b sets the command to run as username, domain, and password.
The csvde command provides status information about the success or the failure of the process.
It also lists the name of the file to view for detailed error information. Even if the status
information indicates that the process was successful, use Active Directory Users and
Computers to verify some of the user accounts that you created to ensure that they contain all of
the information that you provided.

How to Create and Manage Accounts Using the Ldifde Tool

You can use the Ldifde command-line tool to create and make changes to multiple accounts.
To create accounts by using the Ldifde command-line tool, perform the following steps:
 Prepare the Ldifde file for importing.
 Format the Ldifde file so that it contains a record that consists of a sequence of
lines that describe either an entry for a user account or a set of changes to a user account
in Active Directory. The user account entry specifies the name of each attribute that you
want to define for the new user account. The Active Directory schema defines the
attribute names. For each user account that you create, the file contains a line that
specifies the value for each attribute in the attribute line. The following rules apply to
the values for each attribute:
 Any line that begins with a pound-sign (#) is a comment line and is ignored
when you run the Ldifde file.
 If a value is missing for an attribute, it must be represented as
AttributeDescription ":" FILL SEP.
 The following sample code is an example of an entry in an Ldifde import file:

# Create Suzan Fine

dn: cn=Suzan Fine,ou=Human

Resources,dc=NG,dc=DS,dc=ARMY, dc=MIL

7 December 2021 14:08 122 of 207

38676182.doc

Changetype: Add

objectClass: user

sAMAccountName: suzanf

userPrincipalName: [email protected]

displayName: Suzan Fine

userAccountControl: 514
Run the ldifde command to import the file and create multiple user accounts in Active
Directory.
Type the following command at the command prompt:

ldifde -i -k -f filename -b UserName Domain Password

Where:
 -i specifies the import mode. If not specified, the default mode is export.
 -k ignores errors during an import operation and continues processing.
 -f specifies the import or export filename.
 -b specifies the user name, the domain name, and the password for the user
account that will be used to perform the import or export operation.

7 December 2021 14:08 123 of 207

38676182.doc

Domain User Account Policy

 Domain user account policy is configurable only at the domain object level up to
2003 Forest level & 2008 Domain level
 Account Password Policy includes:
 Enforce password history- how many passwords to remember. Maximum
password age- how long before change is required.
 Minimum password age- how long before change is allowed.
 Minimum password length- how many characters are required. Password must
meet complexity- upper case, lower case, alpha-numeric. Enabled by default.
 Store passwords using reversible encryption- not a good option to enable.
 Account Lockout Policy includes:
 Account lockout duration- how long are you locked out after invalid attempts. A
value of 0 signifies indefinite lockout, an administrator must reset the account. Account
lockout threshold- how many invalid attempts are allowed before lockout.
 Reset account lockout counter after- when does threshold count return to 0.
 These are the domain-level settings. Fine-grained password policies will be
covered later.

Password Challenges
When resetting user passwords the following information is no longer accessible:
 Files that the user encrypted
 E-mail that is encrypted with the user's public key
 Internet passwords that are saved on the computer
Domain Accounts
 Recover by archiving the Certificate private key of the users
 Recovery Key Agent can then add the certificate key
Local user accounts
 Use a Password Reset Disk to prevent losing access
 Allows user to connect and change password instead of resetting
Local users can create a Password Reset Disk ahead of time to avoid losing access to the
information listed above. It allows the user to login to the computer and then change the
password, rather than reset it.
Creating a Password Reset Disk:
 Put a blank disk into the floppy drive.
 Press CTRL+ALT+DEL, and click to Change Password Enter the usemame for
which you are creating the Reset Disk. In Log On To, select the local computer.
 Don't change the password.
 Click Backup to launch the Forgotten Password Wizard. Enter the current
password for this user.
 When Reset Disk is complete, click Next, then click Finish. Label disk and store
in secure place.

7 December 2021 14:08 124 of 207

38676182.doc

Forgotten Password Wizard: This wizard creates a security key pair; a private key is written to
the password reset disk and a public key encrypts the local user's password on the computer.
The private key is used to decrypt the public key. The user will be prompted to create a new
password. Since the user is only changing the password, no user access to data is lost.
Resetting a Password with the Reset Disk:
 Open the Log On to Windows dialog box.
 Enter the usemame and select the local computer.
 Click OK without entering a password (or enter a bad password)
 The Logon Failed dialog box appears, which includes an invitation to use a
password reset disk, is one exists.
 Click Reset and insert your Password Reset Disk into the floppy drive.
 Follow the prompts in the Password Reset Wizard to create a new password.
(Option to create a hint to remember the password is provided)
 Log on to the computer with the new password.

7 December 2021 14:08 125 of 207

38676182.doc

Planning Organization Units (OUs)

 OU as a management tool
 Delegation
 Group Policies
 Organize objects
 OU as an organizational tool
 Location
 Department
 Project
 Command Structure
 Create in ADUC
 Can have parent/child relationships (nesting)
 Do not nest more than 3 deep
The Organizational Unit (OU) is a management tool that should be thought out carefully. It can
play a major role in network administration since it can be used to delegate authority and apply
group policies. There is only one OU created by default, which is the Domain Controllers OU.
All others are containers. Along with delegation and group policies, it can be used to manage
the AD objects.
When deciding how to build the OU structure, an analysis of the current and future network
should be conducted. The OU structure should be designed for IT administration, not to follow
the organizational chart of the company. Determine the current and potential needs for either
delegation or group policies. Use the inheritance factor to your benefit by creating the OU
structure to allow a higher level OU to apply the majority of the policies and then child OUs for
specific role-based needs.
There are a lot of different designs that can be used when creating the OU structure. For a
smaller network, creating OUs for the different departments might be the best plan. If designing
for a larger company with several divisions, create a parent OU for each division and then child
OUs for the different departments. Department OUs then Project child OUs is another option. It
is up to the administrator to create a complete picture of what the network requires and then
structure the OUs accordingly.
The OUs are created in Active Directory Users and Computers. It can be created from the
shortcut menu of the domain, then New> Organizational Unit or there is an icon on the toolbar
to create an OU. To create a child OU, select the parent and then create the child OU.
Objects can be moved to the new OUs by right-clicking the object and selecting Move. A display
of Active Directory structure will be displayed. Select the OU where the object is to be moved.
Another new option with Windows Server 2008 is to use Drag and Drop. Care must be taken
when using this method because it is easy to 'drop' the object in a location that is not desired.

7 December 2021 14:08 126 of 207

38676182.doc

Planning and Implementing Group Policy

Group Policies
 Apply to Users and Computers - NOT GROUPS
 It is a group or collection of policy elements
 Default Polices
 Local Security Policy
 Default Domain Policy
 Default Domain Controller Policy
 Creating GPOs requires membership in Domain Admins or Group Policy
Creator/Owner group.
 Applied only to Windows 2000 systems and up
 All pre-Windows 2000 systems use system policies
 L-S-D-OU
 Linking policies requires delegation of Manage GP Links
 Multiples linked to same site, domain or OU
 Bottom to the top (top being applied last)
 Last has the highest priority)

Group Policy Processing

 Policies are cumulative, last one applied wins
 Policies inherit down to child objects in the domain
 Use No Override (Enforce) and Block Policy Inheritance sparingly
By default, Group Policy is inherited and cumulative. GPOs are processed according to the
following order:
 Local GPO. Each computer has exactly one GPO that is stored locally, shared by
all users of that computer.
 Site. Any GPOs that have been linked to the site that the computer belongs to are
processed next. Processing is in the order that is specified by the administrator, on the
Linked Group Policy Objects tab for the site in GPMC. The GPO with the lowest link
order is processed last, and therefore has the highest precedence.
 Domain. Processing of multiple domain-linked GPOs is in the order specified by
the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The
GPO with the lowest link order is processed last, and therefore has the highest
precedence.
 Organizational units. GPOs that are linked to the organizational unit that is
highest in the Active Directory hierarchy are processed first, then GPOs that are linked
to its child organizational unit, and so on. Finally, the GPOs that are linked to the
organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no
GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in
the order in which GPOs are linked to the organizational unit. Alternatively, you can specify the
order on the Linked Group Policy Objects tab for the organizational unit in GPMC.

7 December 2021 14:08 127 of 207

38676182.doc

Plan Policy Application Sequence

Linking and Options
There are several Group Policy options that can alter this default inheritance behavior. These
options include:
 Changing the link order. Within each domain, site, and organizational unit, the
link order controls when links are applied. To change the precedence of a link, you can
change the link order, moving each link up or down in the list to the appropriate
location. The link with the higher order (with 1 being the highest order) has the higher
precedence for a given site, domain, or organizational unit. For example, if you add six
GPO links and later decide that you want the last one that you added to have highest
precedence, you can move the GPO link to the top of the list. However, the link order of
an inherited GPO cannot be altered.
 Blocking Group Policy inheritance. You can block policy inheritance for a
domain or organizational unit. Using block inheritance prevents GPOs linked to higher
sites, domains, or organizational units from being automatically inherited by the child-
level. By default, children inherit all GPOs from the parent, but it is sometimes useful to
block inheritance. For example, if you want to apply a single set of policies to an entire
domain except for one organizational unit, you can link the required GPOs at the
domain level (from which all organizational units inherit policies by default), and then
block inheritance only on the organizational unit to which the policies should not be
applied. Blocking does not affect Local GPOs.
 Enforcing a GPO link. You can specify that the settings in a GPO link should
take precedence over the settings of any child object by setting that link to Enforced
(formerly known as “no override”). GPO-links that are enforced cannot be blocked from
the parent container. Without enforcement from above, the settings of the GPO links at
the higher level (parent) are overwritten by settings in GPOs linked to child
organizational units, if the GPOs contain conflicting settings. With enforcement, the
parent GPO link always has precedence. Note that Enforce policy options always take
precedence over Block Inheritance.
 Disabling a GPO link. By default, processing is enabled for all GPO links. You
can completely block the application of a GPO for a given site, domain, or organizational
unit by disabling the GPO link for that domain, site, or organizational unit. Note that
this does not disable the GPO itself, and if the GPO is linked to other sites, domains or
organizational units, they will continue to process the GPO, if their links are enabled.
 Disabling user and/or computer settings. A GPO may have its user settings
disabled, its computer settings disabled, or all settings disabled. By default, neither user
settings nor computer settings are disabled on a GPO.
Notes: Every computer has a single local GPO that is always processed regardless of whether
the computer is part of a domain or is a stand-alone computer. The Local GPO can’t be blocked
by domain-based GPOs. However, settings in domain GPOs always take precedence since they
are processed after the Local GPO.
A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither enforced
nor disabled. If the link is enforced and disabled, the disabled link has precedence.

7 December 2021 14:08 128 of 207

38676182.doc

Group Policy Filtering

Group Policy filtering can be configured to allow or deny a policy from applying to a specific
group, user, or computer. There are 2 ways to configure a GPO filter.
 Leave the default permissions and set Deny-Read and Deny-Apply Group Policy
permission to the group that should not get the policy.
 Remove the Authenticated Users from the DACL of the policy. Add the group
that should be affected by the policy and configure the Allow-Read and Apply-Group
Policy permission.

WMI Filters
WMI filters can be use to allow or deny GPOs to specific systems based upon hardware and
software configuration specifications and is useful for:
 Deploying software upgrades to systems that already have a previous manually
-installed version
 Deploying software to systems that meet hardware/software specifications

Refreshing Group Policies

 Member servers, workstations, users every 90 - 120 minutes
 DCs every 5 minutes
 Refreshes only changes unless set to process regardless of change
 GPUPDATE
 This utility takes the place of secedit /refreshpolicy. It is executed from a
command prompt and can be issued without any parameters, which refreshes both the
user and computer policy settings. Certain switches can be used to specify certain
results.
 /Target [computer/user] - specify to refresh only computer or user policy
settings
 /Force - reapplies all policy settings even if there are no changes. By default, only
policies that have been changed are refreshed.
 /Wait: [value] - set the number of seconds to wait for any policy setting to finish
 /Logoff - causes the session to log off after the Group Policy settings have been
refreshed. This enables those policies that are invoked at logon to be processed by
forcing the user to logon to the system.
 /Boot - causes the computer to restart after the Group Policy settings are
updated. This enables those policies that specifically need to be invoked at startup to be
processed.
 A Description of the Group Policy Update Utility (KB298444)

7 December 2021 14:08 129 of 207

38676182.doc

Group Policy Settings

Two Types
 Computer Configuration
 User Configuration
Categories
 Software Settings
o Software Installation
 Windows Settings
o Scripts
o Security Settings
o IE Maintenance
o Remote Installation
o Folder Redirection
 Administrative Templates -- Registry-based settings
o Desktop
o Control Panel
o Network
o Printers
o Start Menu
o System
o Windows Components
Group Policies are a collection (group) of policy elements that affect both users and computers.
It is a great way to administer and secure the network environment. The features provided
allow for ease of management along with increased security features in order to lockdown the
environment. There are over 700 different policy elements that can be configured.
There are two types of policies that can be applied: Computer Configuration and User
Configuration. The Computer Configuration applies to computers and the User Configuration
applies to Users. Group Policies DO NOT apply to groups. Any settings configured in the
Computer Configuration area will be applied at Startup or Shutdown. Setting in User
Configuration will be applied at logon or logoff. Policies are also refresh regularly to make sure
the environment has the new security settings when a policy is changed. It can also be forced to
take affect by going to a command prompt at the client and typing GPUPDATE. This command
alone will pull any changes to the policy from both the Computer and User Configurations.

Categories
There are 3 categories of settings that can be applied in both the Computer and User
Configuration settings. There are not many duplicate settings between the two areas. When
there are duplicates, the computer policies will take precedence over the user policies. The
categories of settings are:
 Software Settings - provides software deployment using Microsoft Installer
packages (.msi)

7 December 2021 14:08 130 of 207

38676182.doc

 Windows Settings - some of the items located in this section include applying
scripts (logon, logoff, startup, and shutdown), security settings, IE maintenance, remote
installation, and folder redirection.
 Administrative Templates - these settings are Registry-based settings. These
include desktop configurations, control panel access, network access, printers, start
menu configuration, system information and Windows components.
There is no way to know all the policy settings that are available. There will be definite items
that you will want to know for the exam and also knowing the general area where the item
might be found is helpful.

7 December 2021 14:08 131 of 207

38676182.doc

Group Policies and Security Templates

 Import GPO
 Apply to computers in domain
 Security Configuration and Analysis Tool
o Create, modify, merge templates
o Monitor settings
 Secedit
o Useful for batch file administration
o /analyze to compare, /configure to deploy
o Run under Task Scheduler for consistent configuration
The instructor will demonstrate the use of the STIG to analyze and deploy templates..

7 December 2021 14:08 132 of 207

38676182.doc

Group Policy Management Console

 Installing
 Takes the place of the Group Policy tab
 Resultant Set of Policies
 Planning Mode “what if”
 Simulate policy results if object moved to new location
 Generated on Windows Server 2008 domain controller
 Group Policy Modeling (GPMC)
 Group Policy Results (GPMC)
 Logging Mode "what's there"
 Result of what has already been applied
 Target computer must be on, firewall off, and user must have logged on
The Group Policy Management Console (GPMC) must be downloaded from Microsoft's
download website. The file name is gpmc.msi. Once this console is installed, it takes the place of
the Group Policy tab. The tab will remain but there will now be a message referring to the
GPMC with a button to open it.

Resultant Set of Policies

The Resultant Set of Policies feature is available both in Active Directory Users and Computers
and through the Group Policy Management Console. It is used to evaluate policy settings under
two different circumstances: simulating an object being moved and the policies that will be
applied OR analyzing what is currently being applied to a computer or user. The report
generated when using ADUC is similar to the Group Policy Editor and displays only those
policies elements that are in affect or will be. When executing the report through the GPMC, it
generates a HTML report which contains a lot more detailed information about the query and
what is being applied.
However, ADUC and GPMC call the queries something different. The report that simulates
what policies will be applied if the OU, computer or user account is moved is called the
Resultant Set of Policy (Planning) in ADUC. It is called Group Policy Modeling in the GPMC.
The report generated to show what policies are currently being applied to a computer or user is
called in ADUC Resultant Set of Policy (Logging) and in GMPC Group Policy Results.
In order to execute either query for an existing user or computer, the user must be a member of
the local Administrators, Domain Admins or Enterprise Admins groups. Specific permissions
can be applied on the container to allow for other users to run the query remotely (logging). The
permissions can be set in AD Users and Computers in the Security tab of the container. The
Permissions are Generate Resultant Set of Policy (Logging) or Generate Resultant Set of Policy
(Planning). Permissions on the OU is Generate Resultant Set of Policy (Planning) only.
If the RSoP query includes site GPOs that cross domain boundaries in the same forest, an
Enterprise Admin must execute the query.

7 December 2021 14:08 133 of 207

38676182.doc

There are several places that the Resultant Set of Policy Wizard can be accessed. The Group
Policy Management Console has a node for both Group Policy Modeling and Resultant Set of
Policy. The Resultant Set of Policy snap-in can be added to a MMC console, Both Active
Directory Users and Computers and Active Directory Sites and Services provides access to the
wizard by right-clicking the object desired to view, select All Tasks, then either Resultant Set of
Policy Planning or Logging.
 Planning Mode - enables you to plan by seeing what would happen if a policy
was applied to a particular computer or user. Policy settings, software installations and
security can all be viewed in various scenarios. Different scenarios can be simulated to
view the impact on the computer and/or user accounts. This includes being able to
determine the impact of an object/objects move from one place to another.
 Logging Mode- enables you to review existing GPO settings, software
installation applications and security for a user account or computer account that has
already been applied.
 Whether called Resultant Set of Policy (Planning) in Active Directory Users &
Computers/Sites & Services or Group Policy Modeling in the Group Policy
Management Console, the wizard steps and the end results are the same.
 Select the domain desired to conduct the analysis then select any domain
controller or a specific domain controller to conduct the analysis.
 In order to run Group Policy Modeling, at least one Domain Controller is
required. You must also have the correct permissions set on Active Directory container
where you want to run the analysis. Set the permission on the Security tab of the
container and select Resultant Set of Policy - Planning
 Select either the container or specific user/computer desired for the analysis.
 Select advanced simulation options. Options include to simulate a Slow Network
Connection, analyze using the Loopback processing and an option is given to select the
site desired.
 Select the user security groups desired to view how the policies affect them,
should they be part of that container.
 Select the computer security groups desired to view how the policies affect them
should they be moved to the that container.
 Select specific WMI filters for users/computers to be associated with the
analysis. Filters have to already be created in order to select them.
 Confirm selections and select Next to run the analysis.
 Once completed, if using Resultant Set of Policy (Planning), an MMC console
will open and the results can be viewed. Save the MMC console to the Administrative
Tools folder in order to use the analysis another time. If executing as part of the GPMC,
the report will appear in the detail window. To permanently save the report, right-click
the report and click Save Reports.

7 December 2021 14:08 134 of 207

38676182.doc

Group Policy Result Wizard

Group Policy Result Wizard is queried either through the Group Policy Management Console
or by using Active Directory Users & Computers or Active Directory Sites & Services (Resultant
Set of Policy - Logging). The person executing the query must have the appropriate permissions
by being part of the Local Admins, Domain Admins or Enterprise Admins group or have
specific permissions applied through the Security tab of the container.
 Select the computer to be queried. Options include to select the computer where
the query is being configured or select another computer. A checkbox is provided to
select not to show the computer results as part of the final report.
 Select the user to be queried. Options include the current logged on user where
the query is being configured or to select another user. A checkbox is provided to select
not to show the user results as part of the final report.
 Summary of selections is provided and the query is started.
 If query has been configured through Active Directory Users & Computers or
Active Directory Sites & Services, the final report will appear in an MMC console. Save
the console in order to run the report again. Please note that the RSoP console is saved,
not the actual report.
 Using Group Policy Management Console, the report is saved as part of the
console but can be permanently saved by right-clicking the report and selecting Save
Report.
 When using the Group Policy Management Console to generate the Resultant Set
of Policy query, the report generates 3 different sections.
 Summary - Lists information regarding the container being analyzed, lists
information for both user and computer configuration settings including the Group
Policy Objects that have been Applied/Denied, Simulated Security Groups involved in
the analysis, and WMI filters that were applied as part of the simulation.
 Settings - Lists information for both Computer and User Configurations.
Provides detailed listing of the Group Policy, the effective setting and the Winning
Group Policy Object (the policy that caused the effective policy setting).
 Policy Events - Gives a listing of all event entries pertaining to the policies that
apply to the queried computer/user.

7 December 2021 14:08 135 of 207

38676182.doc

Software Deployment
Software can be deployed using a native or custom .msi package to either
 Computers or Users
 Computer - Assign only
 Users - Assign or Publish
 Published Software is installed by selecting
o Shortcut icon
o Add/Remove Programs
o file extension activation
 Application without a Windows Installer – assigned only
o Package can use Application (.zap) files
 Users can manually install from a file share with limited permissions if the
"Always install with elevated privileges" option is enabled in a policy.
 Publish optional applications to users. Assign mandatory applications to users or
computers.
 Enable the Uninstall application when it falls out of the scope of management
option to prevent continued use
Windows 2000 introduced the feature of Software Deployment through a Group Policy Object.
Now with Windows Server 2008, several features have been added. Software Deployment can
be used as long as there is an Active Directory domain and the clients are Windows 2000
Professional or later.
Software Deployment is available in both the User and Computer Configuration of the Group
Policy. Decision points on where to execute the deployment depends if the software is to be
available to anyone on the computer or if it is to be available to only certain users. Another
deciding factor is how the software is deployed. Two choices are available. It can either be
Assign or Publish.
A deployment that has been Assigned indicates that the shortcut is available on Start Menu and
is installed if the user selects the shortcut. It can also be installed if a file with the software
extension is selected. For example, if Adobe Acrobat has been Assigned, double-clicking an
attached .pdf file would cause Acrobat to install. An application that is assigned can be
deployed either to Computers or Users.
When Published, the availability of the software is listed in Add/Remove Programs and will be
installed when requested by the user. It will also install if a file with the software extension is
selected. Only Users can have a Published deployment.

7 December 2021 14:08 136 of 207

38676182.doc

Windows Installer Service

The Windows Installer Service works in the background allowing the Windows Installer files to
process the installation of the software according to the instructions in the installer file. It
provides a way back to the original state should there be a problem during software installation.
It provides a self-repairing feature that detects if files are missing or corrupted and will reinstall
the files. The Windows Installer Service also provides a means of removing the software
package completely when it is no longer needed. Any shortcuts that the Windows Installer
package created, it will remove. Any shortcuts that are created by the user must be deleted
separately.

Windows Installer Packages

Native Windows Installer Package (.msi) files - are available as part of the application and take
advantage of all aspects of the Windows Installer service. The publisher of the software can
usually provide a Native .msi package upon request if not included with the original
distribution. Multiple applications may be contained in a single .msi package. Features can be
selected to vary the installation through a transform file.
Repackaged application (.msi) files - the repackaged .msi file is very similar to the native file
except it is one single product in one file. It must be installed in its entirety with no choices of
features to install. In order to allow users to install, a policy settings must also be made to use
Elevated privileges for software deployment. Users, by default, do not have the rights to install
software. By elevating privileges, the software is installed using administrator privileges and
then lowed back to the user's privilege as soon as the install is complete.
Customizing Windows Installer Package - Two methods can be used to customize the Windows
Installer Package. They are a Transform file (.mst) and a Patch file (.msp). The Transform file is
used to customize the installation. The publisher of the application provides a configuration
tool that allows the transform file to be created.
For example, Microsoft Office 2007 has Microsoft Word, Excel, PowerPoint and Access as
applications that can be installed. A Transform file can be created to specify to only install
Microsoft Excel. The Microsoft Office 2007.msi package is configured to be deployed through a
Group Policy Object and the transform file (.mst) is added to the configuration to only allow
Microsoft Excel to be installed.
The Patch file (.msp) is used to add software patches, service packs and some updates files to
the existing Installer package (.msi) file deployment.

7 December 2021 14:08 137 of 207

38676182.doc

Application (.zap) Files

For those applications that do not have a Native or Repackaged installer package available, an
Application Files (.zap) can be used to deploy software. The files are text files that contain
instructions about how to publish an application and point to an existing setup program
(setup.exe, install.exe). An application being deployed by a .zap file can only be published. It is
only available in Add/Remove Programs and cannot be installed by selecting a software file
extension. For a how to: http://support.microsoft.com/kb/231747

Software Distribution Point (SDP)

 Access to all of the installation files can be controlled with NTFS permissions.
 Users - Read
 Administrators - Full Control
All files relating to the deployment of the software must be copied to a Software Distribution
Point. This is the network location for the installer files for the Group Policy Object and will also
be the location used when the application is installed. With Windows Server 2008, this SDP can
be in another forest, as long as there is a two-way trust in place. Once the SDP is created, copy
the software packages, modifications, all necessary files, and components to a folder. Some
software provides commands to facilitate the copying of the files to the SDP. For example: if
you use setup for with Office XP, it allows you to enter the software key once for all users and it
copies the files to the folder on the Software Distribution Point.

Creating Package
To create the software package, Right-click the Software Installation node, select New/Package.
Make sure to select a UNC path for the Software Distribution Point, not a local path.
Once the path has been entered, select whether to Assign or Publish. If you are configuring a
deployment under the Computer Configuration section of the GPO, publish will be grayed out
because it is not a valid option.
Once the package is created you can then modify the settings. To go directly to the properties of
the package, select Advanced instead of Assign or Publish. This opens up the dialog box so
additional settings can be selected. If adding a Transform or Patch file, make sure to select
Advanced to add the appropriate files before the package is deployed.
On the Deployment tab is the option to Publish or Assign, Uninstall application when it falls
out of the scope of management, option to not show in Add/Remove Programs, and the newest
option, Install the application at logon.

7 December 2021 14:08 138 of 207

38676182.doc

Uninstall application when it falls out of the scope of management option will uninstall the
application when the user account is moved from the OU where the policy is linked. For
example, Sue's user account is in the accounting OU and special accounting software has been
deployed. When she changes to the marketing department, her use account is moved to the
marketing OU. Any accounting software that was deployed to Sue will be removed when she
logs on after the user account is moved. The Install application at logon completely installs the
application at logon instead of having to select a shortcut or file extension. This option is only
available when the package is Assigned to Users.

Upgrading Software
In order to upgrade a software deployment, create a new package for the new version and select
Advanced to open the Properties of the package, On the Deployment tab select either Assign
(users or computers) or Publish (users),
On the Upgrade tab select Add to select the software package this one is going to upgrade. At
the bottom of the window are options to install over the existing software or uninstall the
existing software and then install the upgrade. After making the desired selection, select OK to
return to the Upgrade tab. The package that is being replaced will be seen in the top window.
The last configuration for the upgrade is to determine if the upgrade is required or not. If it is
required, check the box in the center of the Upgrade window that states "Required upgrade for
existing packages."
Once the upgrade has been configured, the original package will display the upgrade package
in the bottom of the Upgrade tab.

Redeployment - can be used when small changes are made to the original deployment
package. Most of the time redeployment is used when new features are desired from the
original deployment.

Removing Applications
To remove an application that has been installed by a software installation package, right-click
the software package in the Group Policy Object and select All Tasks/Remove. There are two
selections: Forced Removal which causes "immediate uninstall" or Optional Removal which
allows users to continue using but no installations are provided.
Note: An "immediate removal" does not trigger uninstallation until the user logs off and back
on for an application deployed to Users. For an application Assigned to Computers, the
machine must be rebooted to uninstall the application.

7 December 2021 14:08 139 of 207

38676182.doc

Another option is to setup the uninstall as part of the original installation package by selecting
to Uninstall the application if the user/computer falls out of the scope of management. If the
user/computer is moved from the original location where the Group Policy Object with the
installation package is deployed, the application will uninstall at the next logon/reboot. This
provides a means of removing software specific for an OU when the user/computer no longer
belongs to that OU. For instance: a user's account belongs to an Accounting OU and has special
Accounting software deployed. When that user's account is moved to the Marketing OU, the
Accounting software will be removed. This can prevent potential licensing problems.

Terminal Services and Software Installation

Terminal Services does not support software deployment for a user. Any software that needs to
be available for a Terminal Services session must be installed on the computer and access
controlled through permissions.

7 December 2021 14:08 140 of 207

38676182.doc

Software Restriction Policies

Available for Windows XP, Vista, Windows Server 2003, and Windows Server 2008 to regulate
unknown, unwanted or untrusted code. The Software Restriction Policies are provided to
protect the computer environment from unknown code by allowing identification of approved
applications to run on the systems. The policies can apply to either computer or users. To create
the Software Restriction Policies, a combination of Security levels and Rules are used to
determine what files and applications can be used.
Software Restrictions Policies provide the following:
 Control ability of specific programs to be run on the system. Can disallow certain
types of file extensions so they are not able to be executed.
 Permit users to run only specific files on a computer that is shared with multiple
users. This ensures the user is only able to use applications and files that are specific for
their needs.
 Provide a method of specifying who can add trusted publishers to the computer
 Control if software restriction policies are applied to all users or just to certain
users
 Prevent specific files from being executed on a local computer, site, domain or
OU.
Two security levels are provided, Unrestricted and Disallowed. The default setting is
Unrestricted. The Unrestricted option allows all software to run using the user's full rights
whereas Disallowed does not allow software to run, no matter what the user's access rights. If
Unrestricted is used, rules can be created to prohibit the undesirable programs from being run.
With Disallowed, rules must be created for all programs desired to run. The rules created
provide exceptions to the Default Security Levels.
Because of the nature of the Disallowed security level, four Registry rules are automatically
created when Disallowed is selected. This allows certain operating system programs that are
required to still function. Consider the impact of selecting Disallow before implementing this
level. There are many items that are considered programs such as logon scripts that will have to
have exception rules created to make them usable.
The default setting has a check mark beside the item in the Group Policy. To change the default
setting, right-click the other option and select Set as Default.

Software Rules
 Rules override default security level
 Determine as part of rule if it is allowed to run
 Select Unrestricted or Disallowed within the rule
 Rules include: Hash rule, Certificate Rule, Path Rule and Internet Zone Rule

7 December 2021 14:08 141 of 207

38676182.doc

The Software Rules determine the programs and files that can be executed on a computer
system and override the Security Levels. Each Software Rule will specify if that program/file
will be allowed to run by selecting either Unrestricted (allow to run) or Disallowed (not allowed
to run).
There are four rules besides the Registry rules created when Disallowed Security level is
selected. These four are: Hash Rule, Certificate Rule, Path Rule and Internet Zone Rule. The
rules are applied in the order listed.
Hash Rule - A Hash Rule allows the file that is being either restricted or allowed to be identified
by a hash, which is a series of bytes that uniquely identifies a program or file. The file is selected
in the New Hash Rule Dialog box and it automatically creates the hash. Information about the
file: filename, size and creation date, populates the rule automatically. Select whether to allow
the hash (unrestricted) or restrict (disallowed).
Certificate Rule - A Certificate Rule identifies the software by the signed certificate. This
indicates the software is from a trusted source and will not prompt the user. Certificate Rules
can be applies to scripts and Windows Installer Packages. They do not apply to .exe or .dll file
extensions. To create the rule, select the certificate and then whether to allow (unrestricted) or
restrict (disallowed).
Path Rule - A Path Rule identifies the file by the file path. If the file is moved, the Rule will no
longer apply. Select to allow (unrestricted) or restrict (disallowed).
Internet Zone Rule - An Internet Zone Rule apply only to Windows Installer packages. It
identifies software through the Internet Zone specified in the rule. Select to allow (unrestricted)
or restrict (disallowed).

Designated File Types

All of the rules use specific file types and those must be identified in the Designated File Types
dialog box. It can be located by selecting the Software Restriction Policies node, then double-
click the Designated File Types in the details pane. Basic file extensions are already listed. Check
to make sure the file extension being designated in the rules is listed, then Add the extension if
it is not listed.

Enforcement
To prevent the Software Restriction Rules from being applied to the local administrator, double-
click Enforcement, located in the details pane when the Software Restrictions node is selected.
Under Apply software restrictions to the following users: select All users except local
administrator.

7 December 2021 14:08 142 of 207

38676182.doc

Redirected Folders
 My Documents
 Desktop Settings
 Start Menu
 Application Settings

 Basic: Redirect for all users

 Advanced: redirect by security group

 Four possible options available for target location depending on what is being
redirected
o Redirect back to local
o Redirect to following location -- %userprofile%\My Documents
o Redirect to the local user profile
o Settings tab, redirect back when policy deleted
There are four areas of the user's profile that can be redirected to another location. The four
areas are My Documents, Start Menu, Desktop Settings and Application Settings. Using
Redirect Folders can be a definite asset for Roaming Profiles since the information is being
stored in a location other than the profile, it will not be downloaded to the client system every
time the user logs in. For My Documents, this is a big advantage. Besides the profile loading
faster and not using excessive bandwidth, there are no documents cached on the local system
that might cause a security breach. The Start Menu and Desktop Settings can have permissions
applied to them to be Read only so the user cannot change any of the settings stored in either of
these areas.
There are two settings available for all redirected folders: Basic - to redirect the folders for all
users or Advanced - select the security group and the location for the target for each security
group separately. There are some significant changes with where the folders can be redirected
and the choices provided for the administrator when configuring.
The first key difference is My Documents can be redirected to a user's home folder, as long as
the home folder structure is already in place. This is not the preferred method but is provided
for organizations that have already deployed the home folder environment. It is restricted to
Windows XP Professional clients.
In order to redirect to the home folder certain things must be taken in consideration by the
administrator. By redirecting to home folder, the security of the network environment is relaxed
and the security of the contents of My Documents is not guaranteed secure because of the
following items:
 Security - There is no security settings checked or altered in the process of the
redirection.
 Ownership - Redirection occurs without any type of ownership check to make
sure the user redirecting is actually the owner of the folder.

7 December 2021 14:08 143 of 207

38676182.doc

 Home directory - The Home Folder location indicated in the Properties of the
User's account in Active Directory is used to redirect. If this path fails or is incorrect in
anyway, the redirect fails.

Target Folder Options

Depending on the type of redirection, several options are now available to assist with the
configuration of Redirected Folders. The options are listed in the drop-down box for both all
users (Basic) and for a specific security group (advanced).
Create a Folder for Each User Under the Root Path - creates a folder for the user in the root path
(\\servername\SYSVOL\%usemame%) and automatically applies the usemame and folder
name when policy is applied. This option is not available for Start Menu redirection.
Redirect to the Following Location - specify the UNC path or valid local path to redirect the
folders. If using the UNC path (\\servemame\sharename), add the parameter %usemame% at
the end of the path to automatically create the folder for the user and to change the permissions
of the folder so the user is the only one with permissions to the folder.
Redirect to the Local Userprofile Location - redirects to the local default user profile folder
Redirect to the User's Home Directory - redirect the My Documents folder to the user's home
folder location. Only available for the My Documents folder. With this option, the domain
administrators automatically have Full Control permission, even if the Grant the User Exclusive
Rights to My Documents has been selected.

7 December 2021 14:08 144 of 207

38676182.doc

Additional Policy Settings

 Automatically enroll computer/user certificates
 Allow cross-forest user policy and Roaming User profile
 IPSec settings for computer
 Message Text and Message Title for configuring log on warnings and messages.
 Slow link detection
o Only security settings and Registry settings
o Software deployment will not run
 Turn off background refresh to improve performance and delay refresh until
logoff/logon or reboot

Group Policy Loopback

GP Loopback forces a specific User Configuration to a computer no matter who the user is that
is attempting logon. Replace is absolute, merge combines the user configurations.
Loopback was introduced with Windows 2000 Server Active Directory. The Loopback Replace
option allows administrators to configure GPO for machines that must always have the same
GPO settings regardless of who logs on.

7 December 2021 14:08 145 of 207

38676182.doc

Linking, Disabling, and Deleting GPOs

 Policies can be linked, disabled and deleted from within the Group Policy
Management Console
 Polices can be created and linked at the same time or link existing policies
 Can use drag and drop to link policies from the Group Policy Container to a site,
domain or OU
 To disable, right-click the Policy and deselect Link Enabled
o Arrow on the icon will be grayed out to show it is disabled
 To delete, right-click the Policy and select Delete
o If deleting policy on a site, domain, or OU - it will delete from this object only
o If delete policy from Group Policy Container - it will delete from domain but not
from other domain

Disabling and Deleting GPOs

Right-click the Domain or OU to view the options that are available in the Group Policy
Management Console. Among the options when the Domain has been selected are the options
to Create and Link a GPO, Link an Existing GPO, Block Inheritance (entire container), run the
Group Policy Modeling Wizard, and create an OU There is also an option to open Active
Directory Users and Computers directly from the GPMC.
When viewing the shortcut menu for a policy, Edit will open the Group Policy Editor to view
and modify the policy settings. Enforce is the same as No Override. It will mark the policy icon
to indicate the policy has Enforce applied. Disable the policy by selecting the Link Enabled
listing to remove the check mark. To enable, select to add the check mark. Save Report option
gives the opportunity to permanently save the reports viewed in the details pane to the right
regarding the current policy settings and how it is applied to the different areas.
Notice you can view the policies under the item it is linked to as well as viewing all of the
policies under the Group Policy Object node. If you select the policy under the item where it is
linked and select delete, it will only delete the link, not the policy settings. To remove the policy
from all linked areas and delete the policy from the domain, select the policy under the Group
Policy Objects node and delete. If the policy is linked in other domains, it will not remove them.

GP processing
By default in Windows XP Professional, the Fast Logon Optimization feature is set for both
domain and workgroup members. This results in the asynchronous application of policies
when the computer starts and when the user logs on. This application of policies is similar to a
background refresh process and can reduce the length of time it takes for the Logon dialog box
to display and the length of time it takes for the shell to be available to the user. An
administrator can change the default by using the Group Policy Object Editor.
Fast Logon Optimization is always off during logon under the following conditions:
 When a user first logs on to a computer.

7 December 2021 14:08 146 of 207

38676182.doc

 When a user has a roaming user profile or a home directory for logon purposes.
 When a user has synchronous logon scripts.

7 December 2021 14:08 147 of 207

38676182.doc

Backing Up, Importing, and Restoring GPOs

 Use GPMC to backup, import and restore GPOs and to manage backups
 Select the Group Policy Container to view all GPOs
Backup - only backs up components of a GPO that are in the GPO in Active Directory and in the
GPO file in SYSVOL. Does not capture items stored outside the GPO, such as the WMI filters,
links to the site, domain or OUs and IP Security policies. It will maintain the link to a WMI
filter, but not the filter itself. Backup contains an XML report of the GPO settings, date and time
stamp, and the user-supplied description. Can be viewed within the GPMC as HTML.
Each backup has a unique ID which allows one or multiple GPOs to be backed up to the same
location. To backup all GPOs right-click the Group Policy Object node and select Back Up All.
To specify the GPOs to backup, select the them in the Contents tab of the Group Policy Objects
details node. Right-click and select Back-Up.
Managing Backups - provides a way to view the GPOs that are backed up. In the Manage
Backups dialog box, you can sort, delete, restore or view the backup settings.
Restore - allows the GPO to be restored to a previous state, whether it has been deleted or is
currently available, but needs to be rolled back to a previous state.
To Restore, right-click the Group Policy Object node and select Restore from Backup or select
the GPO desired in Manage Backups dialog box and select Restore.
To restore to an existing GPO, the user must have Edit settings, delete, and modify security
permissions on the GPO. Must also have Read permissions to the backup file location. Restoring
a deleted GPO requires the user to have the right to create GPOs in the domain, as well as Read
access to the backup file location. This is necessary because the GPO is being recreated as part of
the Restore and the person who performs the restore becomes the new creator owner.
Importing - used to transfer settings across GPOs within the same domain, to other domains in
the same forest, and to domains in a separate forest. The target of an import is an existing GPO
on a Windows Server 2008 domain controller. Requires Edit permission on the target GPO. To
perform an import, in the GPMC of the target domain, select Import Settings. A wizard
provides prompts needed to complete the import operation. You may need to build a migration
table to accomplish this.
Copy - used to transfer settings of an existing GPO in Active Directory as the source and creates
a new GPO at its destination. Can be used to create a new GPO in the same domain, a domain
in the same forest, or a domain in a separate forest. Trusts are required between the source and
destination domains.
Copying a GPO requires GPO Creation rights on both the source and destination domains since
a new GPO is being created.

7 December 2021 14:08 148 of 207

38676182.doc

Replacing Security Templates

DCGPOFIX -- This utility will revert the default domain and default domain controller policies
to their original state when first installed. This would be used if the security templates had been
modified and there was a need to go back to the default settings.
Import GptTmpl.inf -- The Domain GPO uses a template, and, by default, it enables default
security settings that are related to account policy only. None of the other settings are enabled
initially. Sometimes, changing the default settings or enabling or disabling other settings may
produce undesirable outcomes. This may result in a condition where unexpected restrictions
exist on user accounts. If the changes are unexpected, or if the changes were not recorded so
that you do not know what changes were made, it may be necessary to reset these security
settings to their defaults.
Open the Gpttmpl.inf file with a text editor, such as Notepad. This file is located in the your
Sysvol folder. The default path for the Sysvol is %SystemRoot%\Sysvol.
To completely reset the security settings to the default settings, replace the existing inform in
the Gpttmpl.inf file with the default information that you can copy from a freshly installed
machine.

Security Templates
Any customized security templates can be backed up from one domain and then imported into
another domain.

7 December 2021 14:08 149 of 207

38676182.doc

Troubleshooting Group Policy

 Computer/User configurations conflict
o Computer configuration will be applied
 Software not installed as expected:
o Is it Assigned or Published?
o Is the SDP available?
o Check permissions
 Policy settings didn't take affect:
o Is it linked properly?
o And enabled?
 Troubleshooting Tools
o Event Viewer
o RSoP
o Log files
o Gpresult.exe
o Gpupdate.exe
Resultant Set of Policy Wizard provides a detailed report showing the policies that are being
applied and the result of those policies.
Gpresult is a command-line utility which is used to show the policies that are being applied to
both the user and computer. The actual result of the application is not provided. It creates
returns the same information as Resultant Set of Policies (logging mode). If GPRESULT returns
an error message that the Sysvol folder was not able to be contacted, a file in the Sysvol may be
corrupted. Recover the Sysvol folder from the last backup.
Gpupdate is used to force a refresh of the Group Policies for the user/computer. Using the
/Force switch will force all policy settings to be reapplied whereas using the Gpudate without a
parameter will only update the policy settings that have been changed.
Event Viewer and Log Files are always good resources to view whether policies have been
executed successfully or if there were errors in the process.
New user and computer accounts are created in the CN=Users and CN=Computers containers
by default. It is not possible to apply Group Policy directly to these containers, although they
inherit GPOs linked to the domain. Redirusr.exe (for user accounts) and Redircomp.exe (for
computer accounts) are two new tools included with Windows Server 2003 that enable you to
change the default location where new user and computer accounts are created so you can more
easily scope GPOs directly to newly created user and computer objects. By running
Redirusr.exe and Redircomp.exe once for each domain, the domain administrator can specify
the organizational units into which all new user and computer accounts are placed at the time
of creation. These tools are located in %windir%\system32.

7 December 2021 14:08 150 of 207

38676182.doc

IP Addressing
An IP address is a 32 bit binary number that identifies a node (computer, interface card). A
binary number is a sequence of 0s and 1s. The 32 bits are interpreted as 4 groups of 8 bits. The IP
address as we know it is called an IPv4 (4 octets). The 4 octets, when converted to decimal, can
be any value between 0-255.
When converting from binary to decimal, draw lines representing the 8 bits. Starting from the
right, write a 1 under the first line. Then proceeding to the left, multiply by 2. The numbers
under each line represent the value of that bit. Each bit can have either a 1 or 0 as its binary
value. Compare any binary number to the value chart. Any bit that has a 1 is considered to be
'on' and all the values of the '1' bits are added together to get the decimal conversion.
For instance: a binary number of 10110011 could be converted to decimal by determining the
value of all the' I' bits and adding them together which would be: 128+32+16+2+1=179.
To convert a decimal number to binary, use the value chart, starting from left to right.
Determine if the decimal number can have 128 subtracted, if yes, place a 1 in the 128 spot.
Determine the value left. Can 64 be subtracted? If yes, place a 1 in the 64 spot. Determine the
value left and continue through until the total decimal number has been converted.
For Example: Consider the decimal number 203. We can subtract 128 from 203, so there is a 1 in
the 128 place. The value left is 75. We can subtract 64 from 75, so a 1 goes in the 64 place. We
have 11 remaining. We can't take 32 or 16 from 11, so0s go in those places. We can take 8 from
11 with 3 left over. Place a 1 in the 8 spot. We can't subtract 4 from 3. Place a 0 in the 4 spot. The
last two bits equal 3, which is what we have left, so place a 1 in the 2 and 1 spot. Our new binary
number is: 11001011.
With some practice, converting from binary to decimal and back is not a difficult process. Learn
the bit value table and it will get you a long way.

Address Classes
There are 5 classes of addresses, 3 of those classes can be assigned to individual systems. The
first three classes, A, B, and C, are the classes that can be used to address clients. Class D is used
for Multicasting, which provides a central pool of addresses for video conferencing and other
types of multicasting traffic. There are a series of addresses that are Reserved for future growth.
The first octet of the IP address will identify the class of the address. The ranges listed in the
chart above should be memorized. Each IP address has two parts: network and host. The
network portion is used to determine if the packet being sent from a source is local to the
computer or remote. If the network portions do not match, they cannot communicate without a
router. The host portion must be unique to the segment.

7 December 2021 14:08 151 of 207

38676182.doc

By identifying the class of the address, you determine the portion of that address that is being
used for the network and the host. Class A addresses use the first octet as the host or the first 8
bits. The network bits are often times represented as a slash or CIDR notation at the end of the
IP address. This indicates the number of bits that are being used to represent the network. The
remaining bits are for the host.

Private Addressing and APIPA

Three ranges of addresses are considered as Private addresses and will not be assigned by the
Internet for public use. These addresses are often times used to address the private networks,
since it is more secure they will not match any public address. These ranges are:
 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
 172.16.0.0/12 (172.16.0.0 - 172.31. 255.255)
 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
Also the 127.0.0.0/8 (127.0.0.0 - 127.255.255.255) range is excluded from assignment. This range
is reserved for the Loopback, which is 127.0.0.1. This is used to test connectivity of the network
interface and installation of TCP/IP. It is used for troubleshooting only.

Automatic Private IP Addressing (APIPA)

The Automatic Private IP addressing is a way for hosts to obtain addresses and communicate
locally on the network without a DHCP server or a static address. When a Windows 2000,
Windows XP or Windows Server 2003 host is installed, the IP address is configured to be
automatically assigned. If there is no server available to assign an address, it will take an APIPA
address.
It is also used as a troubleshooting tool. If a DHCP server is not running, has run out of
addresses in its address scope, or the connection has been severed for some reason, the APIPA
address will appear in the IPConfig on the client. This is a sure sign that there is something
wrong. The APIPA address is 169.254.x.x. Make sure and memorize this. If this is seen as the IP
configurations on a system, it is not getting an address from DHCP for one of the reasons listed
above.
When the host cannot obtain an address, it will select an address from the 169.254.0.0 range and
send out a broadcast to see if any other host has that address. If it does not receive a reply, it
will assign that address to the host. The system will continue to try to obtain a valid address.
The APIPA address will be maintained until the server or connection problem is corrected or a
static address is assigned.
APIPA can be disabled by making a registry change but it is not recommended.

7 December 2021 14:08 152 of 207

38676182.doc

Subnetting
 The process of creating more networks with fewer hosts per network by
"borrowing" bits in the subnet mask.
 Supernetting aggregates multiple routes to a single network via the opposite
process
 Why subnet?
o Make communication more efficient.
o Reduce network broadcasts by creating broadcast domains.
o Dividing large IP networks into smaller, more efficient ones.

Subnet Masks
Use Decimal notation (255.0.0.0) or CIDR Notation (/8) to identify the subnet mask value.
Each IP address has an associated subnet mask which is used by the computer to identify the
network portion of the address. When converted to binary, the 1sin the subnet mask represent
the network portion and the0s represent the host portion. The 3 classes have default subnet
masks, which represent the full range of addresses in the available bits. With a class A network
address, 16,777,216 (21\24) hosts can be configured. For a class B, 65,536 (21\16) hosts are
available. In a class C, 256 (21\8) hosts are available. In order to calculate the number of valid
addresses available, count how many bits are available for the hosts and use that number as the
exponent. (2 to the power of u) The 2 comes from the possibilities in 1 bit - 0 or 1. The u
represents the number of unmasked bits in the IP address.

Network/Broadcast Address
Another item to consider in determining the valid number of hosts that can be configured, is the
rule that the host bits cannot be all 0s or all 1s in binary. When the host bits are all0s it is called
the Network Address. It is the first address in the range and is not available to address a host.
Network addresses appear in routing tables on PCs and routers. When the host bits of an IP
address are all 1 's, that is the Broadcast Address used by all PCs in that network. It is the last
address in the range and cannot be configured to a host. When a PC broadcasts an
announcement, it will send that packet to the Broadcast Address.
With this in mind, the Class A can have 16,777,214 (16,777,216 - 2) hosts, class B can have 65,534
(65,536 - 2) hosts and a Class C can have 254 (256 - 2) hosts.
All 0s in 8 bits has a decimal value of 0 and all 1s has a decimal value of 255. Don't get confused
that any address ending in decimal 0 or 255 is invalid. It is binary host bits that need to be
considered. If a class B address is being used, it could have a 0 or 255 at the end of some
addresses, but there would be a 1 or 0 somewhere in the total number of host bits.

7 December 2021 14:08 153 of 207

38676182.doc

In order to manage the range of addresses available, it is possible to break those addresses into
portions or subnets. The network borrows bits from the host in order to create the subnets. If a
class B address borrows bits from the host portion, it will still be a class B address (16 bits) plus
have additional bits that can identify the subnet. The subnet bits will allow the hosts to be
identified as local or remote by comparing the bits that have been borrowed for the network.
The 1s in the subnet mask must be consecutive so there are only 9 possibilities for subnet masks:
0, 128, 192,224,240,248,252,254, and 255. Notice in the chart the l's are consecutive. There are no
other possibilities.

7 December 2021 14:08 154 of 207

38676182.doc

Determining Local and Remote Hosts

An address that is local is one that shares the same network. This may be using the default
network only or the total network bits if it is subnetted. The remote address is on a different
network than the source.
There are two methods available to determine if an address is local or remote. One is called
ANDing, which requires converting both the source, destination, and subnet mask to binary
and then comparing bits. The other method is Ranging. With this method you determine the
valid ranges from the subnet mask and then compare the addresses to see if they are in the same
range.
You can do a modified ANDing by only converting the subnetted octet values to binary and
comparing the bits.

7 December 2021 14:08 155 of 207

38676182.doc

Common Ports to Know

In order to designate specific communications for applications and services, ports numbers are
used to designate the data being sent. This is the port the system service listens for incoming
traffic. Port numbers range from 1 to 1024 are commonly used ports. Ports above that are
assigned to specific services or applications.
These ports are ones you need to know for the exam.
 20/21 FTP (File Transfer Protocol)
 22 ssh (secure shell
 23 Telnet
 25 SMTP (Simple Mail Transport Protocol)
 53 DNS (Domain Naming Service) (udp < 512 bytes < tcp)
 67 DHCP
 80 HTTP (Hypertext Transfer Protocol)
 88 Kerberos
 110 POP3 (Post Office Protocol 3)
 123 NTP
 135 RPC
 137-139 NetBIOS names (WINS)
 220 imap
 389 ldap
 443 https—SSL (Secure Socket Layer)
 445 Microsoft DS, SMB
 464 Kerberos v5
 636 LDAP SSL
 993 IMAP over SSL
 996 POP over SSL
 1701 L2TP
 1723 PPTP
 3269 Global Catalog
 3389 Remote Desktop

 IPSec has no set port but is protocol 51 (AH) & 50 (ESP)

 See also :Port Requirements for the Microsoft Windows Server System
(KB832017)

7 December 2021 14:08 156 of 207

38676182.doc

IPv6
 128 bit address
o Unicast IPv6 addresses are divided into 2 parts: a 64 bit network and 64 bit host.
o Host component is typically based on MAC, or can be randomly generated
 Eight blocks for four hexadecimal digits
 Coloned hexadecimal
 Can be shortened by eliminating leading Os:
o 2001:0db8:0000:0000:0000:0000:1428:57ab
o 2001:0db8:0000:0000:0000::1428:57ab
o 2001:0db8:0:0:0:0:1428:57ab
o 2001:0db8:0:0::1428:57ab
o 2001:0db8::1428:57ab
o 2001:db8::1428:57ab
 Special addresses
o :: -- unspecified address
o ::1 – loopback
o fe80::/10 – link local (auto-configuration address, not routable)
o 2001::/32 – Teredo
o 2002::/16 – 6to4 addressing
o fd00::/8 – routable unicast (normal)

Since all Link-Local Addresses (LLAs) share the same network id (fe80::), you can't determine
which interface an LLA is bound to just by looking at the address. If a PC has multiple network
interface cards bound to different networks, each network is identified by a zone id. The zone id
will follow a "%" sign.

Teredo
Teredo client: computer enabled with both IPv6 and IPv4 and that is located behind a router
performing IPv4 NAT. The Teredo client creates a Teredo tunneling interface and configures a
routable IPv6 address with the help of a Teredo server. Through this interface, Teredo clients
communicate with other Teredo clients or with other IPv6 hosts on the IPv6 Internet
Teredo Server: Public server connected both to the IPv4 Internet and the IPv6 Internet. Its job is
to perform configuration of addresses of the Teredo clients while also configuring the initial
communication.
Teredo Relay: A Teredo Relay is a Teredo tunnel endpoint. It is an IPv6/IPv4 router that can
forward packets between Teredo clients on the IPv4 Internet and IPv6-only hosts

7 December 2021 14:08 157 of 207

38676182.doc

DHCP
When a DHCP client boots it broadcasts a DHCP Discover packet. All DHCP servers with a
valid available address will respond to this packet with a DHPC Offer. The client will select one
of these offers to accept, it then sends a DHCP Request. The issuing server responds with a
DHCP Acknowledgement. This process is commonly known as DORA.
If no offer is received, the client will rebroadcast its Discover at 2, 4, 8, and 16 seconds (+/- a
randomized delay of up to 1 second). If after all this no Offer is received, the client will revert to
APIPA and retry the process every five minutes. APIPA ensures that computers in a broadcast
domain can communicate with each other even without a DHCP server.
At 50% of the lease duration, the client will begin renewal attempts. This consists of a renewal
Request from the client, and an Ack by the originally issuing server. If the issuing server is not
available at 87.5% of the lease duration, a general Discover packet is issued as in the initial boot
process. If a client requests renewal of an invalid address, the server will issue a DHCP deny
(NAK), which forces the client to release its current address and begin the DORA process again.
Information contained in a DHCP offer must include an IP address and subnet mask. It may
include a number of optional parameters: gateway address, DNS server address, WINS server
address, disable NetBIOS over TCP, and release DHCP Lease on Shutdown. Note that APIPA
configuration contains no information beyond IP address and subnet mask.
The DHCP process occurs on UPD ports 67 & 68, which may not be forwarded by some
switches in default configuration. It may be necessary to configure broadcast forwarding on
these ports before deploying DHCP.
Unless otherwise specified in the DHCP options, a client will not release its DHCP address on
shutdown. It will automatically attempt renewal on restart. If the issuing server is not
available, but the gateway is reachable, the client will continue using the lease until its
expiration. If the default gateway is also unreachable, the client will release the IP and use
APIPA until a DHCP server is available.
DHCP clients can be manually manipulated using the ipconfig /release & /renew command.
These can be useful when moving computers, or renumbering a network.

7 December 2021 14:08 158 of 207

38676182.doc

Configuring TCP/IP
 Dynamically
o Obtain an IP address automatically
o Default setting
 Statically
o Use the following IP address
o Manually enter
 IP address
o Subnet Mask
o Default Gateway
o DNS Server
 Use alternate for Fault Tolerance, alternate will respond when preferred does not
 Optimize name resolution by directing clients to local DNS servers
IP addresses can be configured either dynamically or statically. To configure the settings, go to
the Properties of the Network Interface Card located in the Network Connections dialog box.
On the General tab, select Internet Protocol and Properties. The Properties for the IP settings
will open.
The General tab provides radio buttons to choose either to Obtain in IP address automatically or
to assign a static address. When selecting to obtain an address dynamically, a DHCP server
must be running in the network in order to obtain an address. If not, an APIP A address will be
assigned. This is the default setting.
To statically enter an IP address, select to Use the Following IP address. The IP address and
subnet mask must be manually keyed. The Default Gateway, which is the near side of the
router, is optional. It must be provided if Internet or remote communication is desired.
When obtaining an IP address automatically, all other options can be configured dynamically as
well, including the DNS server addresses. DNS provides name resolution for the network and is
necessary for the Windows Server 2008 network along with communicating on the Internet.
This address points to a DNS server that can provide name resolution. If statically entered, the
Preferred DNS server is the first server that will be contacted. The Alternate DNS server is only
used if the preferred server is unavailable.

Advanced TCP/IP Settings

 Multiple IP Addresses
o More than one IP address per adapter
o Select Advanced from General tab
 Alternate IP Address
o Tab available with "Obtain an IP address automatically" enabled
o Provides alternate address in case DHCP server is not available
o APIPA is default (169.254.X.Y)
o Static address can be configured

7 December 2021 14:08 159 of 207

38676182.doc

The advanced settings include the capability of statically assigning multiple addresses to one
network interface and configuring an alternate static address for an automatically assigned IP
address.

Multiple IP Addresses
There are a lot of reasons multiple IP addresses may be required on a single interface. One
reason would be for a web server hosting multiple web sites. To accomplish multiple IP
address,
Select the Advanced button at the bottom of the Properties window where the original IP
address has been assigned. At the top of the IP settings tab, there is an Add button. Select this
and enter the additional IP address and subnet mask. Once the addresses are added here, they
will then be available to select throughout the system.

Alternate (Static) IP Address

This feature provides an alternative to APIPA if a DHCP server is not available. When
configuring the IP address, if automatically assigned is selected, a second tab is available for
Alternate Configuration. Select the tab to see that APIPA is selected by default. When User
Configured is selected, an alternative, static configuration can be entered. IP address, subnet
mask, default gateway, 2 DNS servers and 2 WINS servers can be configured. These options
will not be used unless DHCP is unavailable.

IP Troubleshooting Tools
 IPConfig
o View IP settings
 Ping
o Check name resolution
o Test connectivity
o IP address or FQDN
 Tracert
o Trace the route (hops) for a specific IP address or FQDN
o –d for ‘no name resolution’
 Path Ping
o Combination of Tracert and Ping Traces route and provides statistics for lost
packets
o Slower than the others

7 December 2021 14:08 160 of 207

38676182.doc

IPConfig
This is probably the most used tools, next to PING. This tool displays a view of the IP
configuration along with executing other tasks. When entered by itself, IPConfig will show the
network interfaces configured with the IP address, subnet mask and default gateway. To see all
the configuration settings, type IPConfig /all. This will show all the network interface
information including any additional options that have been configured (DNS, WINS), if it is
enabled for DHCP, the DHCP server address where it obtained its address, the lease for the
address, the host name, the DNS suffix being used and the MAC address of the interface.
Some of the other tasks that can be executed with IPConfig involve DNS and DHCP. Use
/release and /renew to refresh a DHCP configured address and /registerdns, /flushdns,
/displaydns for DNS. They force registration of the client to DNS, flush the DNS cache, and will
show the entries in the DNS cache.

Ping
Ping is a command-line utility used to test connectivity. The IP address or fully qualified
domain name (FQDN) can be used to execute a ping. A Ping sends out 4 packets to the specific
address/FQDN and waits for a reply. The four responses are then displayed. This is the first
thing to do when troubleshooting a connection.
The rule for troubleshooting is to start with yourself and then work out. Ping the loopback
address (127.0.0.1), then the local host address. Then try a host on the same subnet. Then try the
default gateway address. If all those work, then ping a remote address. If all hosts return a ping,
then start looking at other possibilities. Most of the time, if there is connectivity problems, one
of the ping attempts will fail. It can be a bad cable, bad device or incorrect addressing that can
be causing the failure. This gives a better place to start looking for the problem.

Tracert
The Tracert command is used with either IP address or fully qualified domain names (FQDN)
to trace the route of the packet.- It will display each time the packet touches a router as a hop. If
the packet is not reaching its destination, this can assist with tracking down where it is
dropping. Many times it may be a firewall or proxy server that has been instituted that does not
allow packets from the source area to pass.

PathPing
Traces the route a packet takes to a destination and displays information on packet losses for
each router in the path. This gives detailed statistics about the packet and its path.

7 December 2021 14:08 161 of 207

38676182.doc

Event Viewer
 View events from multiple event logs
 Save useful event filters as custom views that can be reused
 Schedule a task to run in response to an event
 Create and manage subscriptions
Event Viewer is a Microsoft Management Console that allows you to browse and manage event
logs. It is a useful tool for monitoring the health of systems and troubleshooting issues when
they arise.
When looking for improper logon events, an administrator must examine the Security log of
every DC that may have received the logon requests.
Viewing events from Multiple Logs: When you use Event Viewer to troubleshoot a problem,
you need to locate events related to the problem, regardless of which event log they appear in.
To specify a filter that spans multiple logs, you need to create a custom View.
Reusable Custom Views: When you work with Event Logs, your primary challenge is to narrow
the set of events to just those that you are interested in. Sometimes this involves a good deal of
effort. Now, Event Viewer allows you to save these custom views once they are created.
Integration with Task Scheduler: By right-clicking on a task, you are now able to schedule a task
to run when that specific event is logged in the future.
Event Subscriptions: You can collect events from remote computers and store them locally by
creating event subscriptions. This is definitely testable!!!

Event Subscriptions
 Configure Forwarding computer
o Winrm quickconfig (Windows Remote Management)
o Add the server to the Event Log Readers Group
 Configure Collecting Computer
o Wecutil qc (Windows Event Collector) - Configure the subscription
o Setup collection of Event Viewer data
You will have one machine that will forward Event Viewer data (Forwarding computer) and
one computer to collect the data (Collector) and then create an subscription on the Collecting
computer for what should be collected (all entries are probably not so interesting).

Configure Forwarding computer

1. On the Forwarding computer run an elevated cmd (or power shell) and configure Windows
Remote Management service to be started and create a listener on default port tcp/80 (it is
encrypted by SSP even under HTTP, it is possible to setup to run under HTTPS if needed, but
that is not included in this KB), run the following command: winrm quickconfig

7 December 2021 14:08 162 of 207

38676182.doc

2. If you have Windows Firewall enabled it will ask you if you want to create an exception for
this port, type Y to do so.
3. To decide who can collect Event Viewer data from this Forwarding computer you must add
the people or machine to the Event Log Readers group.
This can be done with the graphical mmc but since we already have an elevated cmd from
running the winrm command we will use that to add our Collecting computer to the Event Log
Readers group by using net localgroup command:
Net local "Event Log Readers" [email protected] /add
Notice: Don't forget the $ sign after the computer name.

Configure Collecting computer

On the collecting computer (must run Windows Vista or Windows Server 2008) run the
following command in an elevated cmd to collect data from the Forwarding computer:
1. Wecutil /qc normally you are more interested in errors than in entries of telling information
that services started successfully so we will create an Event Subscription that only forward
entries from Event Viewer on the Collecting computer that has the Event level Critical and Error
status.
2. In Event viewer right click on the folder Subscriptions and choose Create Subscription.
3. Add the following data at minimum: Subscription Name 4. Press Add button and add the
Forwarding machine
a. NOTICE: Don't panic with the message "Error: Source status unavailable" it is normal
and will be gone when you save the subscription!
5. Press Select Events.

Check the forwarded Event Viewer entries

Event Viewer -> Windows Logs -> Forwarded Events
**It may take up to 15 minutes before the error messages show up in the Forwarded Events Log.

7 December 2021 14:08 163 of 207

38676182.doc

DFS -- Distributed File System

 WAN-friendly replication
 Simplified, highly-available access to geographically dispersed files
 Two technologies in DFS:
o DFS Namespaces
o DFS Replication
DFS Namespaces. Enables you to group shared folders that are located on different servers into
one or more logically structured namespaces. Each namespace appears to users as a single
shared folder with a series of subfolders. This structure increases availability and automatically
connects users to shared folders in the same Active Directory Domain Services site, when
available; instead of routing them over WAN connections.
DFS Replication. DFS Replication is an efficient, multiple-master replication engine that you can
use to keep folders synchronized between servers across limited bandwidth network
connections. It replaces the File Replication Service (FRS) as the replication engine for DFS
Namespaces, as well as for replicating the AD DSSYSVOL folder in domains that use the
Windows Server 2008 domain functional level.

7 December 2021 14:08 164 of 207

38676182.doc

DFS Namespaces
A namespace is a virtual view of shared folders in an organization. The path to a namespace is
similar to a Universal Naming Convention (UNC) path to a shared folder, such as
\\Server1\Public\Software\Tools. In this example, the shared folder Public and its subfolders
Software and Tools are all hosted on Serverl.
A namespace server hosts a namespace. The namespace server can be a member server or a
domain controller.
The namespace root is the starting point of the namespace. In the previous figure, the name of
the root is Public, and the namespace path is \\Contoso\Public. This type of namespace is a
domain-based namespace because it begins with a domain name (for example, Contoso) and its
metadata is stored in Active Directory Domain Services (AD DS). Although a single namespace
server is shown in the previous figure, a domain-based namespace can be hosted on multiple
namespace servers to increase the availability of the namespace.
Folders without folder targets add structure and hierarchy to the namespace, and folders with
folder targets provide users with actual content. When users browse a folder that has folder
targets in the namespace, the client computer receives a referral that transparently redirects the
client computer to one of the folder targets.
A folder target is the UNC path of a shared folder or another namespace that is associated with
a folder in a namespace. The folder target is where data and content is stored. In the previous
figure, the folder named Tools has two folder targets, one in London and one in New York, and
the folder named Training Guides has a single folder target in New York. A user who browses
to \\Contoso\Public\Software\Tools is transparently redirected to the shared folder \\LDN-
SVR-O1\Tools or \\NYC-SVR-01\Tools, depending on which site the user is currently located
in.

Create a namespace :
1. Click Start, point to Administrative Tools, and then click DFS Management.
2. In the console tree, right-click the Namespaces node, and then click New Namespace.
3. Follow the instructions in the New Namespace Wizard.
To create a folder in a namespace
1. Click Start, point to Administrative Tools, and then click DFS Management.
2. In the console tree, under the Namespaces node, right-click a namespace or a folder within a
namespace, and then click New Folder.
3. In the Name text box, type the name of the new folder.
4. To add one or more folder targets to the folder, click Add and specify the Universal Naming
Convention (UNC) path of the folder target, and then click OK.

7 December 2021 14:08 165 of 207

38676182.doc

To add a folder target

1. Click Start, point to Administrative Tools, and then click DFS Management.
2. In the console tree, under the Namespaces node, right-click a folder, and then click Add
Folder Target.
3. Type the path to the folder target, or click Browse to locate the folder target.
4. If the folder is replicated by using DFS Replication, you can specify whether to add the new
folder target to the replication group.
Note - Folders can contain folder targets or other DFS folders, but not both, at the same level in
the folder hierarchy.

7 December 2021 14:08 166 of 207

38676182.doc

DFS Replication
DFS Replication is an efficient, multiple-master replication engine that you can use to keep
folders synchronized between servers across limited bandwidth network connections. It
replaces the File Replication service (FRS) as the replication engine for DFS Namespaces, as well
as for replicating Active Directory Domain Services (AD DS) SYSVOL folder in domains that
use the Windows Server 2008 domain functional level. For more information about replicating
SYSVOL using DFS Replication, see the Microsoft Web site (http://go.microsoft.com/fwlink/?
Linkld=93057).
DFS Replication uses a compression algorithm known as remote differential compression
(RDC). RDC detects changes to the data in a file and enables DFS Replication to replicate only
the changed file blocks instead of the entire file.
To use DFS Replication, you must create replication groups and add replicated folders to the
groups. Replication groups, replicated folders, and members are illustrated in the above figure.
This figure shows that a replication group is a set of servers, known as members, which
participates in the replication of one or more replicated folders. A replicated folder is a folder
that stays synchronized on each member. In the figure, there are two replicated folders: Projects
and Proposals. As the data changes in each replicated folder, the changes are replicated across
connections between the members of the replication group. The connections between all
members form the replication topology.
Creating multiple replicated folders in a single replication group simplifies the process of
deploying replicated folders because the topology, schedule, and bandwidth throttling for the
replication group are applied to each replicated folder. To deploy additional replicated folders,
you can use Dfsradmin.exe or a follow the instructions in a wizard to define the local path and
permissions for the new replicated folder.
Each replicated folder has unique settings, such as file and subfolder filters, so that you can
filter out different files and subfolders for each replicated folder.
The replicated folders stored on each member can be located on different volumes in the
member, and the replicated folders do not need to be shared folders or part of a namespace.
However, the DFS Management snap-in makes it easy to share replicated folders and optionally
publish them in an existing namespace.
You can administer DFS Replication by using DFS Management, the DfsrAdmin and Dfsrdiag
commands, or scripts that call WMI.

Create a replication group

1. Click Start, point to Administrative Tools, and then click DFS Management.
2. In the console tree, right-click the Replication node, and then click New Replication Group.
3. Follow the instructions in the New Replication Group Wizard.

7 December 2021 14:08 167 of 207

38676182.doc

When you first set up replication, you must choose a primary member. Choose the member that
has the most up-to-date files that you want to replicate to all other members of the replication
group, because the primary member's content is considered "authoritative." This means that
during initial replication, the primary member's files will always win the conflict resolution that
occurs when the receiving members have files that are older or newer than the associated files
on the primary member.
The following concepts will help you better understand the initial replication process: Initial
replication does not begin immediately. The topology and DFS Replication settings must be
replicated to all domain controllers, and each member in the replication group must poll its
closest domain controller to obtain these settings. The amount of time this takes depends on AD
DS replication latency and the long polling interval (60 minutes) on each member.
Initial replication always occurs between the primary member and the receiving replication
partners of the primary member. After a member has received all files from the primary
member, that member will replicate files to its receiving partners as well. In this way,
replication for a new replicated folder starts from the primary member and then progresses to
the other members of the replication group.
When receiving files from the primary member during initial replication, if a receiving member
contains files that are not present on the primary member, those files are moved to their
respective DfsrPrivate\PreExisting folder. If a file is identical to a file on the primary member,
the file is not replicated. If the version of a file on the receiving member is different from the
primary member's version, the receiving member's version is moved to the Conflict and Deleted
folder and remote differential compression (RDC) can be used to download only the changed
blocks.
To determine whether files are identical on the primary member and receiving member, DFS
Replication compares the files by using a hash algorithm. If the files are identical, only minimal
metadata is transferred.
After the initialization of the replicated folder, when all existing files in the replicated folder are
added to the DFS Replication database, the primary member designation is removed. That
member is then treated like any other member and its files are no longer considered
authoritative over other members that have completed initial replication. Any member that has
completed initial replication is considered authoritative over members that have not completed
initial replication.

Create a replicated folder

1. Click Start, point to Administrative Tools, and then click DFS Management.
2. In the console tree, under the Replication node, right-click a replication group, and then click
New Replicated Folders. Follow the instructions in the New Replicated Folders Wizard.

7 December 2021 14:08 168 of 207

38676182.doc

3. Note Replication of the new replicated folder does not begin immediately. The new DFS
Replication settings must be replicated to all domain controllers, and each member in the
replication group must poll its closest domain controller to obtain these settings. The amount of
time this takes depends on AD OS replication latency and the long polling interval ( 60 minutes)
on each member.

DFS Requirements
 Members of the replication group must be running 2003 R2 or 2008
 Install File Services Role with DFS Replication Role Service
 Replicated folders must be stored on NTFS volumes
 Not available on Server Core
 Single Forest Only
 Third-party software compatible with DFS Replication.
o Defragmentation/disk maintenance
o Antivirus
o Backup
 Not fully compatible with/aware of clustering, if deployed on a cluster node
locate replicated folders on the local storage of the node, not shared.

7 December 2021 14:08 169 of 207

38676182.doc

DFS Commands
 DFSUtil
 DFSdiag
 DFSradmin
Windows Server 2008 includes an updated version of the DFSUtil command, the new DFSdiag
command, and the new DFSradmin which you can use to diagnose namespace issues. The test
is mainly concerned with DFSUtil.
DFSUtil Examples
Example 1: Control a DFS Client's Ability to Link to Sites
Enabling the insite setting of a DFS server is useful when:
You don't want the DFS clients to connect outside the site. You don't want the DFS client to
connect to a site other than the site it is in, and hence avoid using expensive WAN links. Dfsutil
/insite:\\example.com\dfsroot /enable
After using this command statement, clients will not get any referral for a replica outside the
dfsroot site. This means that if the Replica sets in the client Site are down, the client will not do a
failover to a Replica set in another site. Disabling the insite setting of a DFS server is useful
when you want to enable outside site referrals.
If you want your DFS clients to be able to link to outside sites when no local server is available,
and the DFS clients never seem to link outside the site, it may be because connectivity has been
limited to an internal site using the /insite enable setting. Disabling this setting will restore the
ability of clients to link outside the site. To reset your site preferences, type the following at the
command prompt:
DFSUtil /insite:\\example.com\Sales /disable
Example 2: Configure a DFS Server to be Site Cost Aware
You want DFS clients to be able to connect outside the internal site, but you want clients to
connect to the closest site first, saving the expensive network bandwidth. You want to maintain
high availability as a priority, but obviously you want DFS clients to connect to closer sites
rather than farther sites when the former are reachable and up. To configure the server to be site
cost aware, type either of the following statements at the command line:
DFSUtil /sitecosting:\\example.com\sales /enable
DFSUtil /root:\\example.com\sales /sitecosting /enable
Now the server sends the referral list composed of the randomly ranked targets in the same site
as the client, followed by the targets in the next closest site from the site in which the client
resides, followed by targets in the second closest site, and then the third and so on.
Example 3: Back up the DFS Namespace

7 December 2021 14:08 170 of 207

38676182.doc

You want to back up the DFS namespace for a specified root so that you can restore it later in
case of system crash and loss of namespace from the system. Backing up namespace
information is especially important when you have large namespaces. Using a single command
statement per root, you can back up the namespaces into simple files. The files are in an XML
format. To back up a namespace, type the following at the command line:
DFSUtil /root: \\example.com\sales /export: c:\NameSpaceBackups\Dir\file.txt
Note: The output of the export file is in XML in Windows Server 2003 DFS. This means that, if
your current DFS is a prior version and the output file is coming from a prior version, it should
be converted to the XML format used by the /import parameter. Example 4: Restore the DFS
Namespace from a Back Up
Your system has crashed and you have lost your namespace data. In order to restore the
namespace, type the following at the command line:
DFSUtil /root: \\example.com\sales /import: c:\NameSpaceBackups\Dir\file.txt /set

7 December 2021 14:08 171 of 207

38676182.doc

Shadow Copy
Shadow copying of files in shared folders is a feature administrators can use to create backup
copies of files on designated volumes automatically. You can think of these backup copies as
point-in-time snapshots that can be used to recover previous versions of files. Normally, when a
user deletes a file from a shared folder, it is immediately deleted and doesn’t go to the local
Recycle Bin. This means the only way to recover it is from backup. The reason for this is that
when you delete files over the network, the files are permanently deleted on the remote server
and never make it to the Recycle Bin. This problem changes with shadow copying. If a user
deletes a file from a network share, she can go back to a previous version and recover it—and
she can do this without needing assistance from an administrator.
Volume Shadow Copy service is a new feature of Microsoft Windows Server 2003. It offers two
important features:
Shadow copying of files in shared folders: Allows you to configure volumes so that shadow
copies of files in shared folders are created automatically at specific intervals during the day.
This allows you to go back and look at earlier versions of files stored in shared folders. You can
use these earlier versions to recover deleted, incorrectly modified, or overwritten files. You can
also compare versions of files to see what changes were made over time. Up to 64 versions of
files are maintained.
Shadow copying of open or locked files for backups: Allows you to use backup programs, such
as Windows Backup, to back up files that are open or locked. This means you can back up when
applications are using the files and no longer have to worry about backups failing because files
were in use. Backup programs must implement the Volume Shadow Copy application
programming interface (API).
Both features are independent of each other. You do not need to enable shadow copying of a
volume to be able to back up open or locked files on a volume.

Using Shadow Copies of Shared Folders

Shadow copies of shared folders are designed to help recover files that were accidentally
deleted, corrupted, or inappropriately edited. Once you configure shadow copies on a server,
the server creates and maintains previous versions of all files and folders created on the
volumes you’ve specified. It does this by creating snapshots of shared folders at predetermined
intervals and storing these images in shadow copy storage in such a way that users and
administrators can easily access the data to recover previous versions of files and folders.
Shadow Copies for Shared Folders is made possible through the Shadow Copy API. The
shadow copy driver (Volsnap.sys) and the Volume Shadow Copy service executable (Vssvc.exe)
are key components used by this API.

7 December 2021 14:08 172 of 207

38676182.doc

Shadow copy client configuration

Before users can access previous versions, the client must be installed on their computer. Two
clients are available:
 Previous Versions Client
 Shadow Copy Client
With either client, users can access the Previous Versions tab by right-clicking a shared file or
folder, selecting Properties, and choosing Previous Versions. Users will then be able to view a
version of a file, save a version of a file to a new location, or restore a previous version of a file.
The clients can be distributed through Group Policy or Microsoft Systems Management Server
(SMS).
You can use Group Policy or SMS to distribute either client. You can also simply copy the file to
a user’s computer. Both clients are made available as MSI packages that require Microsoft
Windows Installer 2 or later, which is available automatically on Microsoft Windows XP or later
versions of the Windows operating system.

Installing the Previous Versions Client

The Previous Version client is stored in the: %SystemRoot
%\System32\Clients\Twclient\X86 folder
Its installer is named Twcli32.msi.
Computers running:
 Windows Server 2003
 Windows XP
 Microsoft Windows 2000 Service Pack 3+
 Microsoft Windows 98
can use this client. Once the client is on the user’s computer, you run it by double-clicking it.
This starts the Previous Versions Client Setup Wizard. The wizard automatically installs the
client, and you only need to click Next and then click Finish.

Installing the Shadow Copy Client

The Shadow Copy Client can be downloaded from the Microsoft Web site. Its installer is
ShadowCopyClient.msi.
Computers running:
 Windows Server 2003
 Windows XP
 Windows 2000 Service Pack 3+

7 December 2021 14:08 173 of 207

38676182.doc

can use this client. If you use this client with earlier versions of the Windows operating system,
you must install the Shadow Copy Client on both the servers using shadow copies and the user
computers that must access shadow copies.

Configuring Shadow Copies in Computer Management

You can use Computer Management to configure shadow copying by following these steps:
 Start Computer Management
 Expand Storage
 Select Disk
Management
 Right-click a
volume in the Disk
Management Volume List or
Graphical View
 Select Properties
 In the Properties
dialog box:Select the
Shadow Copies tab
 Select the volume
for which you want to
configure shadow copies,
and then click Settings.
This displays the Settings
dialog box:
 Use the Located
On This Volume selection
list to specify where the
shadow copies should be
created. Shadow copies can
be created on the volume
you are configuring or any
other volume available on
the computer.
 Click Details to see
the free space and total
available disk space on the
selected volume, and then
click OK.
 Use the Maximum
Size options to set the
maximum size that shadow copies for this volume can use.
 Click Schedule to display the dialog box shown. Two run schedules are set
automatically. Use the selection list to view these schedules. If you don’t want to use a
scheduled run time, select it, and then click Delete. To add a run schedule, configure the
run times using the Schedule Task, Start Time, and Schedule Task Weekly options, then

7 December 2021 14:08 174 of 207

38676182.doc

click New. When you are finished configuring run times, click OK twice to return to the
volume’s Properties dialog box.

 Select the volume on which you want to enable shadow copies
 Click Enable
 When prompted, click Yes to confirm the action
 Windows will then create a snapshot of the volume.
 Configure any additional volumes for shadow copying by repeating steps 3
through 8.
 Click OK when you are finished.

Enabling Shadow Copying from the Command Line

To enable shadow copying of a volume, you use the ADD SHADOWSTORAGE command. The
syntax is as follows:

vssadmin add shadowstorage /for=ForVolumeSpec /on=OnVolumeSpec

With the following parameter definitions:
/for=ForVolumeSpec is used to specify the local volume for which you are configuring or
managing shadow copies.
/on=OnVolumeSpec is used to specify the volume on which the shadow copy data will be
stored.
Consider the following example:

vssadmin add shadowstorage /for=c: /on=d:

Here, you are configuring the C volume to use shadow copies, and the shadow copy data is
stored on D.
Both values can be set to the same volume as well, such as

vssadmin add shadowstorage /for=e: /on=e:

Here, you are configuring the E volume to use shadow copies, and the shadow copy data is
stored on that same volume.
With vssadmin, shadow copying is configured by default so that there is no maximum size limit
for shadow storage. To set a specific limit, you can use the /MaxSize parameter. This parameter
expects to be passed a numeric value with one of the following suffixes:
 KB = kilobytes
 MB = megabytes
 GB = gigabytes
 TB = terabytes
 PB = petabytes
 EB = exabytes
 This parameter must be set to 100 MB or greater.

7 December 2021 14:08 175 of 207

38676182.doc

Consider the following example:

vssadmin add shadowstorage /for=c: /on=d: /maxsize=2GB

Here, you are configuring the C volume to use shadow copies, and the shadow copy data is
stored on D. The maximum size allowed for the shadow storage is 2 GB.
The following table describes some common command-line tools to use when you manage
Active Directory.

Tool Description
Dsadd Adds objects, such as computers, users, groups, organizational
units, and contacts, to Active Directory.
Dsmod Modifies objects, such as computers, servers, users, groups,
organizational units, and contacts, in Active Directory.
Dsquery Runs queries in Active Directory according to specified criteria.
You can run queries against servers, computers, groups, users,
sites, organizational units, and partitions.
Dsmove Moves a single object, within a domain, to a new location in Active
Directory, or renames a single object without moving it.
Dsrm Deletes an object from Active Directory.
Dsget Displays selected attributes of a computer, contact, group,
organizational unit, server, or user in Active Directory.
Csvde Imports and exports Active Directory data by using comma-
separated format.
Ldifde Creates, modifies, and deletes Active Directory objects. Can also
extend the Active Directory schema, export user and group
information to other applications or services, and populate Active
Directory with data from other directory services.

7 December 2021 14:08 176 of 207

38676182.doc

Server Manager
Provides a console with which to manage the basic functions of the server. This utility has
replaced Computer Management and has enhanced the functionality while still retaining some
of the original features.

Server Manager Interface

 Roles
 Features
 Diagnostics
 Configuration
 Storage
 Replaces "Configure Your Server" and Add/Remove Programs~ Windows
Components

Roles
No Roles are installed by default. For instance, DNS is now configured as a role of the server. To
install DNS, you would need to add that role. Many roles have Role Services that can be
installed. For instance, File Services is an available role on the server. The role services
associated with the File Services Role are things like DFS (Distributed File System), Windows
Search Services, etc. Role Services add the functionality to the Role. Another example of a role
and role service is Active Directory Domain Service Role. The role service that gives its
functionality is Active Directory Domain Controller Role Service.
Roles and Role Services can be added, removed and their status monitored from within the
Roles page.
Features are software programs that enhance the functionality of the server. Features do not
necessarily correspond with roles, though they sometimes do. For instance, the Failover
Clustering feature can be used to augment the roles of File Services or DHCP services, by
enabling them to join server clusters. However, Bitlocker drive encryption is a feature that is
available regardless of the roles installed.

Diagnostics
 Event Viewer: An advanced tool that displays detailed information about
significant events on your computer. Event viewer's main logs are the Application Log,
the System Log, and the Security Log. Other logs are available, depending upon what
roles and services are installed on the system
 Reliability and Performance Monitor: MMC snap-in utility that provides tools for
analyzing system's performance. Reliability and Performance monitor allows an
administrator to monitor hardware and software performance in real time. Customize
what data is collected configure alerts and generate reports.
 Device Manger: Allows a user to view the installed devices on a system, verify
hardware functionality and upgrade or rollback drivers.

7 December 2021 14:08 177 of 207

38676182.doc

Configuration
 Task Scheduler: Allows scheduling of automated tasks to perform actions at a
specific time
 Windows Firewall with Advanced Security: Combines a host firewall and IPSec.
This is an extension of the Windows Basic Firewall that includes stateful packet
inspection and filtering
 Services: Provides access to configure how services run. Services are programs or
processes that run in the background that provide support to other program.
 WMI control: Windows Management Instrumentation (WMI) is the primary
management technology for Windows operating systems. It enables consistent and
uniform management, control, and monitoring of systems throughout your enterprise.
Based on industry standards, WMI allows system administrators to query, change, and
monitor configuration settings on desktop and server systems, applications, networks,
and other enterprise components. System administrators can write scripts that use the
WMI Scripting Library to work with WMI and create a wide range of systems
management and monitoring scripts.

Storage
 Windows Server Backup: MMC snap-in and command-line utility that provides
a complete solution for day-to-day backup and recovery needs. The GUI is Wizard-
driven to enable ease of use. This utility allows for the backup and recovery of the entire
server, selected volumes only or the system state data. The command-line is
wbadmin.exe
 Disk Management: System utility for managing the hard disks and volumes or
partitions which they contain. As always, this utility is used to initialize disks, create
volumes or partitions, format those volumes or partitions and most other disk-related
tasks. New functionality includes the ability to extend or shrink volumes, regardless of
whether or not the disk is basic or dynamic.

7 December 2021 14:08 178 of 207

38676182.doc

Active Directory Lightweight Directory Services

By using the Windows Server 2008 Active Directory Lightweight Directory Services (AD LDS)
role, formerly known as Active Directory Application Mode (ADAM), you can provide
directory services for directory-enabled applications without incurring the overhead of domains
and forests and the requirements of a single schema throughout a forest.
AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides
flexible support for directory-enabled applications, without the dependencies that are required
for Active Directory Domain Services (AD DS). AD LDS provides much of the same
functionality as AD DS, but it does not require the deployment of domains or domain
controllers. You can run multiple instances of AD LDS concurrently on a single computer, with
an independently managed schema for each AD LDS instance.
AD DS provides directory services for both the Windows Server operating system and for
directory-enabled applications. For the server operating system, AD DS stores critical
information about the network infrastructure, users and groups, network services, and so on. In
this role, AD OS must adhere to a single schema throughout an entire forest.
The AD LDS server role, on the other hand, provides directory services specifically for
directory-enabled applications. AD LDS does not require or rely on Active Directory domains
or forests. However, in environments where AD DS exists. AD LDS can use AD DS for the
authentication of Windows security principals.
You can use the AD LDS server role to create multiple AD LDS instances on a single computer.
Each instance runs as a separate service in its own execution context. The AD LDS server role
includes the following features to make it easy to create, configure, and manage AD LDS
instances:
 A wizard that guides you through the process of creating an AD LDS instance
 Command-line tools for performing unattended installation and removal of AD
LOS instances .Microsoft Management Console (MMC) snap-ins for configuring and
managing AD LDS instances, including the schema for each instance
 AD LDS-specific command-line tools for managing, populating, and
synchronizing AD LDS instances
 In addition to these tools, you can also use many Active Directory tools to
administer AD LDS instances.
The Windows Server 2008 operating system includes the additional AD LDS features:
 Install from Media - with this feature, you can use a one-step Ntdsutil.exe or
Dsdbutil.exe process (IFM) Generation to create installation media for subsequent AD
LDS installations. With this feature, you can set up AD LDS auditing with a new audit
subcategory to log old and new values when changes are made to objects and their
attributes.
 Audit AD LDS changes - with this feature. You can view directory data that is
stored online in snapshots that are taken at different points in time to better decide
which data to restore without having to restart the server.

7 December 2021 14:08 179 of 207

38676182.doc

 Data Mining Tool- (aka database Mounting Tool) - although The Active
Directory database mounting tool does not recover deleted objects by itself, it helps
streamline the process for recovering objects that have been accidentally deleted.
Before the Windows Server@ 2008 operating system, when objects or organizational
units (OUs) were accidentally deleted, the only way to determine exactly which objects
were deleted was to restore data from backups. This approach had two drawbacks:
Active Directory had to be restarted in Directory Services Restore Mode to perform an
authoritative restore; and an administrator could not compare data in backups that were
taken at different points in time (unless the backups were restored to various domain
controllers, a process which is not feasible). The purpose of the Active Directory
database mounting tool is to expose AD DS data that is stored in snapshots or backups
online. Administrators can then compare data in snapshots or backups that are taken at
different points in time, which in turn helps them to make better decisions about which
data to restore, without incurring service downtime.
 Support for Active Directory Sites and Services - with this feature, you can use
Active Directory Sites and Services snap-in to manage replication among AD LDS
instances. To use this tool, you must import the classes in MS-ADLDS-
DisplaySpecifiers.LDF to extend the schema Active Directory Sites of a configuration set
that you want to manage. To connect to an AD LDS and Services instance that hosts
your configuration set, specify the computer name and the port number of a server that
hosts this AD LOS instance.
 Dynamic list of LDAP Data Interchange - with this feature, you can make custom
LDIF files available during AD LOS Format (LDIF) files instance setup -in addition to
the default LDIF files that are provided with AD LOS-by adding the files to the
%systemroot%\ADAM directory during instance setup
To learn more about AD LDS, click the AD LDS Help link in Server Manager.

7 December 2021 14:08 180 of 207

38676182.doc

ADRMS - Active Directory Rights Management Services

Active Directory Rights Management Services. Active Directory Rights Management Services
(AD RMS) role service is a required role service that installs the AD RMS components used to
publish and consume rights-protected content.
The goal of an AD RMS deployment is to be able to protect information, no matter where it is
moved. Once AD RMS protection is added to a digital file, the protection stays with the file. By
default, only the content owner is able to remove the protection from the file. The owner can
grant rights to other users to perform actions on the content, such as the ability to view, copy, or
print the file.
By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you
can augment an organization's security strategy by protecting information through persistent
usage policies, which remain with the information, no matter where it is moved. You can use
AD RMS to help prevent sensitive information-such as financial reports, product specifications,
customer data, and confidential e-mail messages-from intentionally or accidentally getting into
the wrong hands.
An AD RMS system includes a Windows Server 2008-based server running Active Directory
Rights Management Services (AD RMS) server role that handles certificates and licensing, a
database server, and the AD RMS client. The latest version of the AD RMS client is included as
part of the Windows Vista operating system.
AD RMS runs on a computer running the Windows Server 2008 operating system. When the
AD RMS server role is installed, the required services are installed, one of which is Internet
Information Services (lIS). AD RMS also requires a database such as Microsoft SOL Server
which can be run either on the same server as AD RMS or on a remote server and an Active
Directory Domain Services forest.
The AD RMS-enabled client must have an AD RMS-enabled browser or application, such as
Microsoft Word, Outlook, or PowerPoint in Microsoft Office 2007. In order to create rights-
protected content, Microsoft Office 2007 Enterprise, Professional Plus, or Ultimate is required.
For additional security, AD RMS can be integrated with other technologies such as smart cards.
Windows Vista includes the AD RMS client by default, but other client operating systems must
have the RMS client installed. The RMS client with Service Pack 2 (SP2) can be downloaded
from the Microsoft Download Center and works on versions of the client operating system
earlier than Windows Vista and Windows Server 2008.

7 December 2021 14:08 181 of 207

38676182.doc

AD RMS Benefits
Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-
of-business applications can be AD RMS-enabled to help safeguard sensitive information Users
can define who can open, modify, print, forward, or take other actions with the information.
Organizations can create custom usage policy templates such as "confidential - read only" that
can be applied directly to the information.
Persistent protection. AD RMS augments existing perimeter-based security solutions, such as
firewalls and access control lists (ACLs), for better information protection by locking the usage
rights within the document itself, controlling how information is used even after it has been
opened by intended recipients.
Flexible and customizable technology. Independent software vendors (ISVs) and developers can
AD RMS-enable any application or enable other servers, such as content management systems
or portal servers running on Windows or other operating systems, to work with AD RMS to
help safeguard sensitive information. ISVs are enabled to integrate information protection into
server-based solutions such as document and records management, e-mail gateways and
archival systems, automated workflows, and content inspection.
Identity Federation Support. The identity federation support role service is an optional role
service that allows federated identities to consume rights-protected content by using Active
Directory Federation Services.
AD RMS combines the features of Rights Management Services (RMS) in Windows Server 2003,
developer tools, and industry security technologies-including encryption, certificates, and
authentication-to help organizations create reliable information protection solutions.
For more detailed information about hardware and software considerations with AD RMS, see
the Pre-installation Information for Active Directory Rights Management Services topic on the
Windows Server 2008 Technical Library (http://go.microsoft.comlfwlink/?Linkld=84733).
For detailed instructions about installing and configuring AD RMS in a test environment, see
the AD RMS installation Step-by-Step Guide (http://go.microsoft.com/fwlink/?Linkld=72134).
To learn more about AD RMS, you can view the Help on your server. To do this, open Active
Directory Rights Management Services console, and then press F 1, or visit Active Directory
Rights Management Services TechCenter (http://go.microsoft.comlfwlink/?Linkld=80907).

7 December 2021 14:08 182 of 207

38676182.doc

AD FS - Active Directory Federation Services

 Active Directory Federation Services
 Provides Web Single-Sign-On to authenticate a user to multiple Web
Applications, even across forest boundaries with partner organizations
 Bypass the need for secondary accounts
Active Directory Federation Services (AD FS) is a feature in the Server2003 R2 and Windows
Server 2008 operating systems that provides Web single-sign-on (SSG) technologies to
authenticate a user to multiple, related Web applications over the life of a single online session.
AD FS accomplishes this by securely sharing digital identity and entitlement rights, or "claims,"
across security and enterprise boundaries.

Federation and Web SSG

When an organization uses Active Directory Domain Services (AD DS), it experiences the
benefit of SSG functionality through Windows Integrated Authentication within the
organization's security or enterprise boundaries. AD FS extends this functionality to Internet-
facing applications. This makes it possible for customers, partners, and suppliers to have a
similar streamlined Web SSO user experience when the access the organization's Web-based
applications. Furthermore federation servers can be deployed in multiple organizations to
facilitate business-to-business B2B federated transactions between partner organizations.

Web Services (WS)-* interoperability

AD FS provides a federated identity management solution that interoperates with other security
products that support the WS-* Web Services Architecture. AD FS does this by employing the
federation specification of WS-*, called WS-Federation. The WS-Federation specification makes
it possible for environments that do not use the Windows identity model to federate with
Windows environments. For more information about WS-* specifications, see Resources for AD
FS.

Extensible architecture
AD FS provides an extensible architecture that supports the Security Assertion Markup
Language (SAML) 1.1 token type and Kerberos authentication (in the Federated Web SSO with
. Forest Trust design. AD FS can also perform claim mapping, for example, modifying claims
using custom business logic as a variable in an access request. Organizations can use this
extensibility to modify AD FS to coexist with their current security infrastructure and business
policies. For more information about modifying claims, see Understanding Claims.

7 December 2021 14:08 183 of 207

38676182.doc

Extending AD DS to the Internet

AD DS serves as a primary identity and authentication service in many organizations. With
Windows Server 2003 Active Directory and Windows Server 2008 AD DS, forest trusts can be
created between two or more Windows Server 2003 forests or Windows Server 2008 forests to
provide access to resources that are located in different business units or organizations. For
more information about forest trusts, see How Domain and Forest Trusts Work
(http://go.microsoft.comlfwlink/?LinkId=3 5356).
However, there are designs in which forest trusts are not a viable option. For example, access
across organizations may have to be limited to only a small subset of individuals, not every
member of a forest.
By employing AD FS, organizations can extend their existing Active Directory infrastructures to
provide access to resources that are offered by trusted partners across the Internet. These
trusted partners can include external third parties or other departments or subsidiaries in the
same organization.
AD FS supports distributed authentication and authorization over the Internet. AD FS can be
integrated into an organization's or department's existing access management solution to
translate the claims that are used in the organization into claims that are agreed on as part of a
federation. AD FS can create, secure, and verify the claims that move between organizations. It
can also audit and monitor the communication activity between organizations and departments
to help ensure secure transactions.
A typical setup of two partner organizations establishing an ADFS relationship would entail the
installation of at least one server with ADFS in each organization.

7 December 2021 14:08 184 of 207

38676182.doc

WDS
Windows Deployment Services is included in the Windows Automated Installation Kit
(Windows AIK) and in Windows Server 2003 SP2. For more information about the Windows
Deployment Services role, see http://go.microsoft.com/fwlink/?LinkId=81873.

What is Windows Deployment Services?

The Windows Deployment Services is the updated and redesigned version of Remote
Installation Services (RIS). Windows Deployment Services enables you to deploy Windows
operating systems, particularly Windows Vista. You can use it to set up new computers by
using a network-based installation. This means that you do not have to install each operating
system directly from a CD or DVD.
Windows Deployment Services includes changes to the RIS feature set, including the following:
 Ability to deploy Windows Vista and Windows Server 2008.
 Windows PE is the boot operating system.
 Image-based installation, using Windows image (.wim) files.
 An extensible and higher-performing PXE server component.
 A new boot menu format for selecting boot operating systems.
 A new graphical user interface on the client computer that you use to select
images.
 The Windows Deployment Services Microsoft Management Console (MMC)
snap-in and the WDSUTIL command-line tool, which enable you to configure and
manage Windows Deployment Services.
 Deploys Windows images to computers without operating systems.
 Supports mixed environments that include Windows Vista, Microsoft Windows
XP and Microsoft Windows Server 2003.
 Built on standard Windows Vista setup technologies including Windows PE,
.wim files, and image-based setup.

Server functionality modes

There are three server modes with Windows Deployment Services in Windows Server 2003. To
check the operating mode that the server is in, you can either right-click the server in the MMC
snap-in, click Properties, and view the General tab, or you can run WDSUTIL /get-server
/show:config.
The Legacy mode is equivalent RIS; it is Windows Deployment Services binaries with RIS
functionality. To run in this mode, install and configure RIS and then install (but do not
configure) Windows Deployment Services. In general, if you do not have Windows Vista in
your environment, you should use Legacy mode. Windows Deployment Services was designed
to deploy these new operating systems and while it is compatible with older operating systems,
you need the Windows Vista installation media in order to deploy images.

7 December 2021 14:08 185 of 207

38676182.doc

Boot environment: OSChooser

Image Types: RISETUP and RIPREP
Administration experience: RIS toolset
In mixed mode, you can deploy RISETUP and RIPREP image types using OSChooser, and you
can deploy Windows image (.wim) files using the Windows Deployment Services management
tools. From the client computer, you can choose to boot into RIS or into one of the boot images
that contain Windows PE. To run in Mixed mode, configure Windows Deployment Services on
a RIS server that has existing RIS images. For instructions, see Steps for configuring Windows
Deployment Services.
Boot environment: OSChooser and Windows PE
Image Types: .wim, RISETUP, and RIPREP
Administration experience: RIS toolset to manage RISETUP and RIPREP images and Windows
Deployment Services management tools to manage .wim images.
With Native mode, you use Windows Deployment Services to deploy only .wim images. To
configure your server in Native mode, install and configure Windows Deployment Services on
a server that has RIS installed but not configured (that is, there are no RIS images on the server).
For instructions, see Steps for configuring Windows Deployment Services. If you already
configured RIS, then you will need to uninstall RIS and reinstall it before installing Windows
Deployment Services.
Boot environment: Windows PE
Image Types: .wim
Administration experience: Windows Deployment Services management tools

Known issues with configuring Windows Deployment Services

If you are running Windows Deployment Services and a non-Microsoft DHCP server on the
same computer, in addition to configuring the server to not listen on port 67, you will need to
use your DHCP tools to add Option 60 to their DHCP scopes.
If DHCP is installed on a server that is located in a different subnet, then you will need to do
one of the following:
 (recommended) Configure your IP Helper tables. All DHCP broadcasts on UDP
port 67 by client computers should be forwarded directly to both the DHCP server and
the Windows Deployment Services PXE server. Also, all traffic to UDP port 4011 from
the client computers to the Windows Deployment Services PXE server should be routed
appropriately (these requests direct traffic to the server, not broadcasts).
 Add DHCP options 66 and 67. Option 66 should be set to the Windows
Deployment Services server, and option 67 should be set to boot\x86\wdsnbp.com.

7 December 2021 14:08 186 of 207

38676182.doc

Prerequisites:
 Active Directory. A Windows Deployment Services server must be either a
member of an Active Directory domain or a domain controller for an Active Directory
domain. The Active Directory domain and forest versions are irrelevant; all domain and
forest configurations support Windows Deployment Services.
 DHCP. You must have a working Dynamic Host Configuration Protocol (DHCP)
server with an active scope on the network because Windows Deployment Services uses
PXE, which relies on DHCP for IP addressing.
 DNS. You must have a working Dynamic Name Services (DNS) server on the
network to run Windows Deployment Services.

Install & Configure:

 If you already had RIS installed and configured. When you install SP2, your
computer will automatically be upgraded to Windows Deployment Services.
 If you had RIS installed but not configured. Install the Windows Deployment
Services component from Add/Remove Windows Components. When the installation is
complete, restart the server.
On the PXE Server Initial Settings page, select how you want the server to respond to clients.
Known client computers are computers that have been created (prestaged) in Active Directory
before the operating system is installed. For more information, see the PXE Boot chapter at
http://go.microsoft.com/fwlink/?LinkId=81031.

Add Images:
After you configure Windows Deployment Services, you must add at least one boot image, and
one install image before you will be able to PXE boot a computer to install an operating system
(unless you use RIS). Once you have added the default images using the instructions in this
section, you will be ready to deploy operating systems. Alternatively, you can use the
instructions in the rest of this guide to perform more advanced tasks like creating your own
install images, creating discover images, or configuring an unattended installation.
 Boot images. Boot images are images that you boot a client computer into to
perform an operating system installation. In most scenarios, you can use the Boot.wim
from the installation DVD (in the \Sources directory). The Boot.wim contains Windows
PE and the Windows Deployment Services client (which is basically Windows Vista
Setup.exe and supporting files).
 Install images. Install images are the operating system images that you deploy to
the client computer. You can also use the install.wim from the installation DVD, or you
can create your own install image using the steps in creating custom install images.
To add the default boot image included in the product installation DVD:
1. In the left-hand pane of the Windows Deployment Services MMC snap-in, right-click the
Boot Images node, and then click Add Boot Image.

7 December 2021 14:08 187 of 207

38676182.doc

2. Browse to choose the default boot image (Boot.wim) located on the Windows Vista
DVD, in the \Sources directory.
3. Click Open, and then click Next.
4. Follow the instructions in the wizard to add the image.
To add the default install image included in the product installation DVD
1. In the Windows Deployment Services MMC snap-in, right-click the Install Images node,
and then click Add Install Image.
2. Specify a name for the image group, and then click Next.
3. Browse to select the default install image (install.wim) located on the Windows Vista
DVD, in the \Sources directory, and then click Open.
4. To add a subset of the images included in the install.wim, clear the check boxes for the
images that you do not want to add to the server. You should only add the images for which
you have licenses.
5. Follow the instructions in the wizard to add the images.
6. Now that you have a boot image and an install image on the server, you can PXE boot a
client computer to install an operating system using the instructions in the following section.

To install an operating system

1. Configure the BIOS of the computer to enable PXE boot, and set the boot order so that it
is booting from the network is first.
2. Restart the computer and when prompted, press F12 to start the network boot.
3. Select the appropriate boot image from the boot menu. (This boot image selection menu
will only be available if you have two or more boot images on the server. For more information,
see Configuring the boot menu)
4. Follow the instructions in the Windows Deployment Services user interface screens.
5. When installation is complete, the computer will restart and Setup will continue.
For more information, see Windows PE Customization How-To Topics
(http://go.microsoft.com/fwlink/?LinkId=122641).

Unattended Installation
Optionally, you can automate the entire installation. To do this, you use two different unattend
files: one for the Windows Deployment Services UI screens, and one for the latter phases of
Setup. Two files are necessary because Windows Deployment Services can deploy two image
types: Windows Vista images that support the Unattend.xml format, and Windows XP and
Windows Server 2003 images, which do not support the Unattend.xml format.

7 December 2021 14:08 188 of 207

38676182.doc

 Windows Deployment Services client unattend file. This file uses the
Unattend.xml format, and it is stored on the Windows Deployment Services server in
the \WDSClientUnattend folder. It is used to automate the Windows Deployment
Services client user-interface screens (such as entering credentials, choosing an install
image, and configuring the disk).
 Image unattend file. This file uses either the Unattend.xml or Sysprep.inf format,
depending upon the version of the operating system of the image. It is used to configure
unattended installation options during Windows Setup and to automate the remaining
phases of Setup (for example, offline servicing, Sysprep specialize, and mini-setup). It is
stored in a subfolder (either $OEM$ structure or \Unattend) of the per-image folder.
Two unattend files are necessary because Windows Deployment Services can deploy two image
types: Windows Vista and Windows Server 2008 images that support the Unattend.xml format,
and Windows XP and Windows Server 2003 images, which do not support the Unattend.xml
format.
To automate the installation, create the appropriate unattend file depending on whether you are
configuring the Windows Deployment Services screens or Windows Setup. We recommend that
you use Windows System Image Manager, (included as part of the Windows AIK) to author the
unattend files. Then copy the unattend file to the appropriate location, and assign it for use. You
can assign it at the server level or the client level. The server level assignment can further be
broken down by architecture, allowing you to have different settings for x86-based and x64-
based clients. Assignment at the client level overrides the server-level settings. For more
information, see Performing Unattended Installations (http://go.microsoft.com/fwlink/?
LinkId=89226) and Sample Unattend Files (http://go.microsoft.com/fwlink/?LinkId=122642).
Additional references
 For more detailed information, see Deploying and Managing the Windows
Deployment Services Update on Windows Server 2003
http://go.microsoft.com/fwlink/?LinkId=81031
 For more information about the Windows Deployment Services role that is
included in Windows Server 2008 see http://go.microsoft.com/fwlink/?LinkId=81873
 For a newsgroup about Windows Deployment Services, see Setup and
Deployment (http://go.microsoft.com/fwlink/?LinkId=87628)
 Windows AIK (http://go.microsoft.com/fwlink/?LinkId=81030)
 Windows AIK User's Guide for Windows Vista
(http://go.microsoft.com/fwlink/?LinkID=53552

7 December 2021 14:08 189 of 207

38676182.doc

Hyper-V
Server Consolidation
Businesses are under pressure to ease management and reduce costs while retaining and
enhancing competitive advantages, such as flexibility, reliability, scalability, and security. The
fundamental use of virtualization to help consolidate many servers on a single system while
maintaining isolation helps address these demands. One of the main benefits of server
consolidation is a lower total cost of ownership (TCO), not just from lowering hardware
requirements but also from lower power, cooling, and management costs.

Business Continuity and Disaster Recovery

Business continuity is the ability to minimize both scheduled and unscheduled downtime. That
includes time lost to routine functions, such as maintenance and backup, as well as
unanticipated outages. Hyper-V includes powerful business continuity features, such as live
backup and quick migration, enabling businesses to meet stringent uptime and response
metrics.

Testing and Development

Using virtual machines, development staffs can create and test a wide variety of scenarios in a
safe, self-contained environment that accurately approximates the operation of physical servers
and clients. Hyper-V maximizes utilization of test hardware which can help reduce costs,
improve life cycle management, and improve test coverage.

Dynamic Data Center

Hyper-V, together with your existing system management solutions, such as Microsoft System
Center, can help you realize the dynamic data center vision of providing self-managing
dynamic systems and operational agility. With features like automated virtual machine
reconfiguration, flexible resource control, and quick migration, you can create a dynamic IT
environment that uses virtualization to not only respond to problems, but also to anticipate
increased demands.

Key Features of Hyper-V

Windows Server 2008 R2 Hyper-V adds new features to the first version of Hyper-V. For
example, by using live migration in Windows Server 2008 R2 Hyper-V, you can migrate
running VMs from one physical computer to another, and add or remove storage from a VM
while it is running. In addition, Windows Server 2008 R2 Hyper-V takes better advantage of
physical computer hardware with greater processor support and deeper support for physical
computer hardware.

7 December 2021 14:08 190 of 207

38676182.doc

Live Migration
Hyper-V in Windows Server 2008 R2 includes the much-anticipated live migration feature,
which allows you to move a virtual machine between two virtualization host servers without
any interruption of service. Hyper-V live migration is integrated with Windows Server 2008 R2
Hyper-V and Microsoft Hyper-V Server 2008 R2. With it you can move running VMs from one
Hyper-V physical host to another without any disruption of service or perceived downtime.

Increased Hardware Support for Hyper-V Virtual Machines

Hyper-V in Windows Server 2008 R2 now supports up to 64 logical processors in the host
processor pool. This is a significant upgrade from previous versions and allows not only greater
VM density per host, but also gives IT administrators more flexibility in assigning CPU
resources to VMs. Also new, Hyper-V processor compatibility mode for live migration allows
migration across different CPU versions within the same processor family (for example, ”Intel
Core 2-to-Intel Pentium 4” or “AMD Opteron-to-AMD Athlon”), enabling migration across a
broader range of server host hardware.

Cluster Shared Volumes

With Windows Server 2008 R2, Hyper-V uses Cluster Shared Volumes (CSV) storage to simplify
and enhance shared storage usage. CSV enables multiple Windows Servers to access SAN
storage using a single consistent namespace for all volumes on all hosts. Multiple hosts can
access the same Logical Unit Number (LUN) on SAN storage. CSV enables faster live migration
and easier storage management for Hyper-V when used in a cluster configuration. Cluster
Shared Volumes are available as part of the Windows Failover Clustering feature of Windows
Server 2008 R2.

Cluster Validation Tool

Windows Server 2008 R2 includes a Best Practices Analyzer (BPA) for all major server roles,
including Failover Clustering. This analyzer examines the best practices configuration settings
for a cluster and cluster nodes.

Management of Virtual Data Centers

Even with all the efficiency gained from virtualization, VMs still need to be managed. The
number of VMs tends to proliferate much faster than physical computers because machines
typically do not require a hardware acquisition. Therefore, management of virtual data centers
is even more imperative than ever before.

7 December 2021 14:08 191 of 207

38676182.doc

Enhanced Networking Support

In Windows Server 2008 R2 there are three new networking features that improve the
performance of virtual networks. Support for Jumbo frames, previously available in non-virtual
environments, has been extended to work with VMs. This feature enables VMs to use Jumbo
Frames up to 9014 bytes if the underlying physical network supports it. Supporting Jumbo
frames reduces the network stack overhead incurred per byte and increases throughput. In
addition, there is a significant reduction of CPU utilization due to the fewer number of calls
from the network stack to the network driver.
TCP Chimney (TCP Offload Engine or TOE), which allows the offloading of TCP/IP
processing to the network hardware, has been extended to the virtual environment. It improves
VM performance by allowing the VM to offload network processing to hardware, especially on
networks with bandwidth over 1 GB. This feature is especially beneficial for roles involving
large amounts of data transfer, such as the file server role.
The Virtual Machine Queue (VMQ) feature allows physical computer network interface cards
(NICs) to use direct memory access (DMA) to place the contents of packets directly into VM
memory, increasing I/O performance.

Dynamic VM storage
Windows Server 2008 R2 Hyper-V supports hot plug-in and hot removal of storage. By
supporting the addition or removal of Virtual Hard Drive (VHD) files and pass-through disks
while a VM is running, Windows Server 2008 R2 Hyper-V makes it possible to reconfigure VMs
quickly to meet changing workload requirements. This feature allows the addition and removal
of both VHD files and pass-through disks to existing SCSI controllers for VMs.

Broad OS Support
Broad support for simultaneously running different types of operating systems, including 32-bit
and 64-bit systems across different server platforms, such as Windows, Linux, and others.

Network Load Balancing

Hyper-V includes new virtual switch capabilities. This means virtual machines can be easily
configured to run with Windows Network Load Balancing (NLB) Service to balance load across
virtual machines on different servers.

Virtual Machine Snapshot

Hyper-V provides the ability to take snapshots of a running virtual machine so you can easily
revert to a previous state, and improve the overall backup and recoverability solution.

7 December 2021 14:08 192 of 207

38676182.doc

High Availability
Providing High Availability solutions to mission-critical applications, services, and data is a
primary objective of successful IT departments. When services are down or fail, business
continuity is interrupted, which can result in significant losses. Windows Server 2008 R2
supports High Availability features to help organizations meet their uptime requirements for
their critical systems.

Failover Clustering
Failover clustering can help you build redundancy into your network and eliminate single
points of failure. The improvements to failover clusters (formerly known as server clusters) in
Windows Server 2008 R2 are aimed at simplifying clusters, making them more secure, and
enhancing cluster stability.

Cluster Migration
When migrating a clustered service from one cluster to another, cluster settings can be captured
and copied to another cluster. This reduces the time it takes to build the new cluster and
configure the services. The migration process supports every workload currently supported on
Windows Server 2003 and Windows Server 2008, including DFS-N, DHCP, DTC, File Server,
Generic Application, Generic Script, Generic Service, iSNS, MSMS, NFS, Other Server, TSSB,
and WINS, and supports most common network configurations.

Cluster Infrastructure
The cluster quorum contains the configuration settings for the entire cluster. With Windows
Server 2008 R2, you can configure a cluster so that the quorum resource is not a single point of
failure by using the majority node set or a hybrid of the majority node set and the quorum
resource model. The cluster service can also isolate DLLs that perform actions incorrectly to
minimize impact to the cluster, as well as verify consistency among copies of the quorum
resource.

Cluster Storage
Failover clusters now support GUID partition table (GPT) disks that can have capacities of
larger than 2 terabytes, for increased disk size and robustness. Administrators can now modify
resource dependencies while resources are online, which means they can make an additional
disk available without interrupting access to the application that will use it.

7 December 2021 14:08 193 of 207

38676182.doc

Cluster Network
Networking has been enhanced to support Internet Protocol version 6 (IPv6) as well as Domain
Name System (DNS) for name resolution, removing the requirement to have WINS and
NetBIOS name broadcasts. Other network improvements include managing dependencies
between network names and IP addresses: If either of the IP addresses associated with a
network name is available, the network name will remain available. Because of the architecture
of Cluster Shared Volumes (CSV), there is improved cluster node connectivity fault tolerance
that directly affects Virtual Machines running on the cluster. The CSV architecture implements a
mechanism, known as dynamic I/O redirection, in which I/O can be rerouted within the
failover cluster based on connection availability.

Cluster Security
Internet Protocol security (IPsec) can be used between clients and the cluster nodes, as well as
between nodes so that you can authenticate and encrypt the data. Access to the cluster can also
be audited to determine who connected to the cluster and when.

Network Load Balancing

Network Load Balancing, a clustering technology included in the Microsoft Windows 2000
Advanced Server and Datacenter Server operating systems, enhances the scalability and
availability of mission-critical, TCP/IP-based services, such as Web, Terminal Services, virtual
private networking, and streaming media servers. This component runs within cluster hosts as
part of the Windows 2000 operating system and requires no dedicated hardware support. To
scale performance, Network Load Balancing distributes IP traffic across multiple cluster hosts.
It also ensures high availability by detecting host failures and automatically redistributing
traffic to the surviving hosts. Network Load Balancing provides remote controllability and
supports rolling upgrades from the Windows NT 4.0 operating system.
The Microsoft Windows 2000 Advanced Server and Datacenter Server operating systems
include two clustering technologies designed for this purpose: Cluster service, which is
intended primarily to provide failover support for critical line-of-business applications such as
databases, messaging systems, and file/print services; and Network Load Balancing, which
serves to balance incoming IP traffic among multi-node clusters. We will treat this latter
technology in detail here.
Network Load Balancing provides scalability and high availability to enterprise-wide TCP/IP
services, such as Web, Terminal Services, proxy, Virtual Private Networking (VPN), and
streaming media services. Network Load Balancing brings special value to enterprises
deploying TCP/IP services, such as e-commerce applications, that link clients with
transaction applications and back-end databases.

7 December 2021 14:08 194 of 207

38676182.doc

Network Load Balancing distributes IP traffic to multiple copies (or instances) of a TCP/IP
service, such as a Web server, each running on a host within the cluster. Network Load
Balancing transparently partitions the client requests among the hosts and lets the clients access
the cluster using one or more "virtual" IP addresses. From the client's point of view, the cluster
appears to be a single server that answers these client requests. As enterprise traffic increases,
network administrators can simply plug another server into the cluster.

Advantages of Network Load Balancing

Network Load Balancing is superior to other software solutions such as round robin DNS
(RRDNS), which distributes workload among multiple servers but does not provide a
mechanism for server availability. If a server within the host fails, RRDNS, unlike Network
Load Balancing, will continue to send it work until a network administrator detects the failure
and removes the server from the DNS address list. This results in service disruption for clients.
Network Load Balancing also has advantages over other load balancing solutions—both
hardware- and software-based—that introduce single points of failure or performance
bottlenecks by using a centralized dispatcher. Because Network Load Balancing has no
proprietary hardware requirements, any industry-standard compatible computer can be used.
This provides significant cost savings when compared to proprietary hardware load balancing
solutions.

Host Priorities
Each cluster host is assigned a unique host priority in the range of 1 to 32, where lower numbers
denote higher priorities. The host with the highest host priority (lowest numeric value) is called
the default host. It handles all client traffic for the virtual IP addresses that is not specifically
intended to be load-balanced. This ensures that server applications not configured for load
balancing only receive client traffic on a single host. If the default host fails, the host with the
next highest priority takes over as default host.

Port Rules
Network Load Balancing uses port rules to customize load balancing for a consecutive numeric
range of server ports. Port rules can select either multiple-host or single-host load-balancing
policies. With multiple-host load balancing, incoming client requests are distributed among all
cluster hosts, and a load percentage can be specified for each host. Load percentages allow
hosts with higher capacity to receive a larger fraction of the total client load. Single-host load
balancing directs all client requests to the host with highest handling priority. The handling
priority essentially overrides the host priority for the port range and allows different hosts to
individually handle all client traffic for specific server applications. Port rules also can be used
to block undesired network access to certain IP ports.

7 December 2021 14:08 195 of 207

38676182.doc

When a port rule uses multiple-host load balancing, one of three client affinity modes is
selected. When no client affinity mode is selected, Network Load Balancing load-balances client
traffic from one IP address and different source ports on multiple-cluster hosts. This maximizes
the granularity of load balancing and minimizes response time to clients. To assist in managing
client sessions, the default single-client affinity mode load-balances all network traffic from a
given client's IP address on a single-cluster host. The class C affinity mode further constrains
this to load-balance all client traffic from a single class C address space.
By default, Network Load Balancing is configured with a single port rule that covers all ports
(0-65,535) with multiple-host load balancing and single-client affinity. This rule can be used for
most applications. It is important that this rule not be modified for VPN applications and
whenever IP fragmentation is expected. This ensures that fragments are efficiently handled by
the cluster hosts.

Remote Control
Network Load Balancing provides a remote control program (Wlbs.exe) that allows system
administrators to remotely query the status of clusters and control operations from a cluster
host or from any networked computer running Windows 2000. This program can be
incorporated into scripts and monitoring programs to automate cluster control. Monitoring
services are widely available for most client/server applications. Remote control operations
include starting and stopping either single hosts or the entire cluster. In addition, load
balancing for individual port rules can be enabled or disabled on one or more hosts. New traffic
can be blocked on a host while allowing ongoing TCP connections to complete prior to
removing the host from the cluster. Although remote control commands are password-
protected, individual cluster hosts can disable remote control operations to enhance security.

How Network Load Balancing Works

Network Load Balancing scales the performance of a server-based program, such as a Web
server, by distributing its client requests among multiple servers within the cluster. With
Network Load Balancing, each incoming IP packet is received by each host, but only accepted
by the intended recipient. The cluster hosts concurrently respond to different client requests,
even multiple requests from the same client. For example, a Web browser may obtain the
various images within a single Web page from different hosts in a load-balanced cluster. This
speeds up processing and shortens the response time to clients.

7 December 2021 14:08 196 of 207

38676182.doc

Each Network Load Balancing host can specify the load percentage that it will handle, or the
load can be equally distributed among all of the hosts. Using these load percentages, each
Network Load Balancing server selects and handles a portion of the workload. Clients are
statistically distributed among cluster hosts so that each server receives its percentage of
incoming requests. This load balance dynamically changes when hosts enter or leave the cluster.
In this version, the load balance does not change in response to varying server loads (such as
CPU or memory usage). For applications, such as Web servers, which have numerous clients
and relatively short-lived client requests, the ability of Network Load Balancing to distribute
workload through statistical mapping efficiently balances loads and provides fast response to
cluster changes.
Network Load Balancing cluster servers emit a heartbeat message to other hosts in the cluster,
and listen for the heartbeat of other hosts. If a server in a cluster fails, the remaining hosts adjust
and redistribute the workload while maintaining continuous service to their clients. Although
existing connections to an offline host are lost, the Internet services nevertheless remain
continuously available. In most cases (for example, with Web servers), client software
automatically retries the failed connections, and the clients experience only a few seconds' delay
in receiving a response.

Managing Application State

Application state refers to data maintained by a server application on behalf of its clients. If a
server application (such as a Web server) maintains state information about a client session—
that is, when it maintains a client's session state—that spans multiple TCP connections, it is
usually important that all TCP connections for this client be directed to the same cluster host.
Shopping cart contents at an e-commerce site and Secure Sockets Layer (SSL) authentication
data are examples of a client's session state. Network Load Balancing can be used to scale
applications that manage session state spanning multiple connections. When its client
affinity parameter setting is enabled, Network Load Balancing directs all TCP connections
from one client IP address to the same cluster host. This allows session state to be
maintained in host memory. However, should a server or network failure occur during a client
session, a new logon may be required to re-authenticate the client and re-establish session state.
Also, adding a new cluster host redirects some client traffic to the new host, which can affect
sessions, although ongoing TCP connections are not disturbed. Client/server applications that
manage client state so that it can be retrieved from any cluster host (for example, by embedding
state within cookies or pushing it to a back-end database) do not need to use client affinity.

7 December 2021 14:08 197 of 207

38676182.doc

To further assist in managing session state, Network Load Balancing provides an optional client
affinity setting that directs all client requests from a TCP/IP class C address range to a single
cluster host. With this feature, clients that use multiple proxy servers can have their TCP
connections directed to the same cluster host. The use of multiple proxy servers at the client's
site causes requests from a single client to appear to originate from different systems. Assuming
that all of the client's proxy servers are located within the same 254-host class C address range,
Network Load Balancing ensures that the same host handles client sessions with minimum
impact on load distribution among the cluster hosts. Some very large client sites may use
multiple proxy servers that span class C address spaces.
In addition to session state, server applications often maintain persistent, server-based state
information that is updated by client transactions, such as merchandise inventory at an e-
commerce site. Network Load Balancing should not be used to directly scale applications,
such as Microsoft SQL Server(other than for read-only database access), that independently
update inter-client state because updates made on one cluster host will not be visible to other
cluster hosts. To benefit from Network Load Balancing, applications must be designed to permit
multiple instances to simultaneously access a shared database server that synchronizes updates.
For example, Web servers with Active Server Pages should have their client updates pushed to
a shared back-end database serve

7 December 2021 14:08 198 of 207

38676182.doc

Windows System Resource Manager (WSRM)

Windows System Resource Manager (WSRM) on Windows Server 2008 allows you to control
how CPU and memory resources are allocated to applications, services, and processes on the
computer. Managing resources in this way improves system performance and reduces the
chance that applications, services, or processes will take CPU or memory resources away from
one another and slow down the performance of the computer. Managing resources also creates
a more consistent and predictable experience for users of applications and services running on
the computer.
You can use WSRM to manage multiple applications on a single computer or users on a
computer on which Terminal Services is installed.
For more information about WSRM, see the WSRM Help in the Windows Server 2008 Technical
Library (http://go.microsoft.com/fwlink/?LinkId=106538).
Resource-Allocation Policies
WSRM uses resource-allocation policies to determine how computer resources, such as CPU
and memory, are allocated to processes running on the computer. There are two resource-
allocation policies that are specifically designed for computers running Terminal Services. The
two Terminal Services-specific resource-allocation policies are:
Equal_Per_User
Equal_Per_Session

7 December 2021 14:08 199 of 207

38676182.doc

Windows Server Update Services 3.0

The WSUS server allows administrators to manage and distribute updates through the WSUS
3.0 Administration console, which can be installed on any Windows computer in the domain. In
addition, a WSUS server can be the update source for other WSUS servers within the
organization. At least one WSUS server in the network must connect to Microsoft Update to get
available update information. The administrator can determine, based on network security and
configuration, whether or not other servers should connect directly to Microsoft Update.
Automatic Updates is built into the Windows Server 2008, Windows Vista, Windows Server
2003, Windows XP, and Windows 2000 SP4 operating systems. Automatic Updates enables both
server and client computers to receive updates from Microsoft Update or from a WSUS server.

Prerequisites for WSUS servers

 Windows Server 2003 SP1 or later, or Windows Server 2008
 Microsoft Internet Information Services (IIS) 6.0 or later
 Windows Installer 3.1 or later
 Microsoft .NET Framework 2.0

Prerequisites for using the WSUS 3.0 Administration Console

 Windows XP SP2, Windows Vista, Windows Server 2003, or Windows Server
2008
 Microsoft Management Console 3.0
 Microsoft Report Viewer Redistributable 2005

Prerequisites for WSUS client computers

Windows Vista, Windows Server 2003 (any edition), Windows Server 2008, Windows XP, or
Windows 2000 SP4.

How it works
At least one upstream WSUS server connects to Microsoft Update to get available updates and
update information, while other downstream servers get their updates from the upstream
server.
Administrators can choose which updates are downloaded to a WSUS server during
synchronization, based on the following criteria:
 Product or product family (for example, Microsoft Windows Server 2003 or
Microsoft Office)
 Update classification (for example, critical updates, and drivers)
 Language (for example, English and Japanese only)
In addition, administrators can specify a schedule for synchronization to initiate automatically.

7 December 2021 14:08 200 of 207

38676182.doc

An administrator must approve every automated action to be carried out for the update.
Approval actions include the following:
 Approve
 Remove (this action is possible only if the update supports uninstall)
 Decline
In addition, the administrator can enforce a deadline: a specific date and time to install or
remove (uninstall) updates. The administrator can force an immediate download by setting a
deadline for a time in the past.
WSUS 3.0 can be configured to send e-mail notification of new updates and status reports.
Specified recipients can receive update notifications as they arrive on the WSUS server. Status
reports can be sent at specified times and intervals.
WSUS 3.0 now automatically scans updates to determine the computers on which they should
be installed. Before actually planning and deploying the update for installation, the
administrator can analyze the update’s impact by means of a status report that can be generated
directly from the update view for a single update, a subset of updates, or all updates.
Targeting enables administrators to deploy updates to specific computers and groups of
computers. Targeting can be configured either on the WSUS server directly, on the WSUS server
by using Group Policy in an Active Directory network environment, or on the client computer
by editing registry settings.
The WSUS database stores update information, event information about update actions on
client computers, and WSUS server settings. Administrators have the following options for the
WSUS 3.0 database:
 The Windows Internal Database that WSUS can install during setup on Windows
Server 2003.
 An existing Microsoft SQL Server™ 2005 Service Pack 1 database.
WSUS enables administrators to create an update management infrastructure consisting of a
hierarchy of WSUS servers. WSUS servers can be scaled out to handle any number of clients.
With replica synchronization, the administrator of the central WSUS server can create updates,
target groups, and approvals that are automatically propagated to WSUS servers designated as
replica servers. This means that branch office clients can get centrally approved updates from a
local server without the need for a local WSUS administrator. Also, offices with a low-
bandwidth link to the central server pose less of a problem, because the branch WSUS server
connects only to the central WSUS server. Update status reports can be generated for all the
clients of a replica server.
WSUS 3.0 now allows administrators to manage a WSUS server hierarchy from a single WSUS
console. The WSUS administration snap-in to the Microsoft Management Console can be
installed on any computer in the network.
Using WSUS reports, administrators can monitor the following activity (all reports are in a
printable format and can be exported to Excel spreadsheets or Adobe .pdf files):

7 December 2021 14:08 201 of 207

38676182.doc

 Update status: Administrators can monitor the level of update compliance for
their client computers on an ongoing basis using Update Status reports, which can
provide status for update approval and deployment per update, per computer, and per
computer group, based on all events that are sent from the client computer.
 Computer status: Administrators can assess the status of updates on client
computers. For example, they can request a summary of updates that have been
installed or are needed for a particular computer.
 Computer compliance status: Administrators can view or print a summary of
compliance information for a specific computer, including basic software and hardware
information, WSUS activity, and update status.
 Update compliance status: Administrators can view or print a summary of
compliance information for a specific update, including the update properties and
cumulative status for each computer group.
 Synchronization (or download) status: Administrators can monitor
synchronization activity and status for a given time period, and view the latest updates
that have been downloaded.
 WSUS configuration settings: Administrators can see a summary of options they
have specified for their WSUS implementation.
Administrators have the flexibility of configuring computers to get updates directly from
Microsoft Update, from an intranet WSUS server that distributes updates internally, or from a
combination of both, depending on the network configuration.
Administrators can configure a WSUS server to use a custom port for connecting to the intranet
or Internet, if appropriate. (The default port used by a WSUS server is port 80.) It is also possible
to connect via SSL, in which case the default port is 443.

Client-side features
In an Active Directory service environment, administrators can configure the behavior of
Automatic Updates by using Group Policy. In other cases, administrators can remotely
configure Automatic Updates using registry keys through the use of a logon script or similar
mechanism.
 Administrator capabilities for configuring client computers include the
following:
 Configuring notification and scheduling options for users through Group Policy.
 Configuring how often the client computer checks the update source (either
Microsoft Update or another WSUS server) for new updates.
 Configuring Automatic Updates to install updates that do not require reboots or
service interruptions as soon as it finds them and not to wait until the scheduled
automatic installation time.
 Managing client computers through the Component Object Model (COM)–based
API. An SDK is available.
 Self-updating for client computers
 WSUS client computers can detect from the WSUS server if a newer version of
Automatic Updates is available, and then upgrade their Automatic Updates service
automatically.

7 December 2021 14:08 202 of 207

38676182.doc

 Automatic detection of applicable updates

 Automatic Updates can download and install specific updates that are truly
applicable to the computer. Automatic Updates works with the WSUS server to evaluate
which updates should be applied to a specific client computer.
 Under-the-hood efficiency
 The Automatic Updates service works in the background so that the perceptible
impact on employee productivity and network functionality is minimal.
 Automatic Updates consolidates updates that require computer restarts into a
single restart.
 Automatic Updates eliminates the need for users in a managed environment to
interact with Microsoft Software License Terms. License terms are accepted on the
WSUS server by administrators on behalf of client computers.
 BITS 2.0 employs delta compression to facilitate downloads that are invisible to
the user. For example, after Automatic Updates downloads an update to a client
computer, it will continue to monitor either the upstream WSUS server or Microsoft
Update, and then download only changes in an update file to the client computer. This
technology also enables efficient distribution of service packs through Automatic
Updates.

7 December 2021 14:08 203 of 207

38676182.doc

WSUS 3.0 Deployment Scenarios

WSUS is flexible enough to meet the update management needs of a wide range of
organizations—from small businesses with dial-up connectivity to the largest businesses with
thousands of users distributed across multiple sites. Depending on the size of the organization,
its location, and its connectivity infrastructure, administrators can determine the most efficient
way to scale out their WSUS servers—a decision that might involve one or many WSUS servers.
In this section, you can learn more about the common scenarios for deploying WSUS
components in small, medium, and restricted networks.

Single WSUS server (small-sized or simple network)

In a single WSUS server scenario, administrators can set up a
server running WSUS inside their corporate firewall, which
synchronizes content directly with Microsoft Update and
distributes updates to client computers, as shown in the
following figure.
Multiple WSUS servers (medium-sized or more complex
network)
The following are common scenarios for deploying WSUS
components in a medium-sized or more complex network.

7 December 2021 14:08 204 of 207

38676182.doc

Multiple independent WSUS servers

Administrators can deploy multiple servers that are configured so that each server is managed
independently and each server synchronizes its content from Microsoft Update, as shown in the
following figure.
The deployment method in this scenario would be appropriate for situations in which different
local area network (LAN) or wide area network (WAN) segments are managed as separate
entities (for example, a branch office). It would also be appropriate when one server running
WSUS is configured to deploy updates only to client computers running a certain operating
system (such as Windows 2000), while another server is configured to deploy updates only to
client computers running another operating system (such as Windows XP).

7 December 2021 14:08 205 of 207

38676182.doc

Multiple internally synchronized WSUS servers

Administrators can deploy multiple servers running WSUS that synchronize all content within
their organization’s intranet. In the following figure, only one server is exposed to the Internet.
In this configuration, this is the only server that downloads updates from Microsoft Update.
This server is set up as the upstream server—the source to which the downstream server
synchronizes. When applicable, servers can be located throughout a geographically dispersed
network to provide the best connectivity to all client computers.

7 December 2021 14:08 206 of 207

38676182.doc

Disconnected WSUS servers (limited or restricted Internet

connectivity)

If corporate policy or other conditions limit computer access to the Internet, administrators can
set up an internal server running WSUS, as illustrated in the following figure. In this example, a
server is created that is connected to the Internet but is isolated from the intranet. After
downloading, testing, and approving the updates on this server, an administrator would then
export the update metadata and content to the appropriate media; then, from the media, the
administrator would import the update metadata and content to servers running WSUS within
the intranet. Although the following figure illustrates this model in its simplest form, it could be
scaled to a deployment of any size.

More Information
Windows Server Update Services site: (http://go.microsoft.com/fwlink/?LinkId=71198) to:
Step-by-Step Guide to Getting Started: (http://go.microsoft.com/fwlink/?LinkID=71190)
Readme for Server Update Services: (http://go.microsoft.com/fwlink/?LinkId=71220)

7 December 2021 14:08 207 of 207