Exam 70-640 TS: Upgrading Your MCSA on Windows Server 2003 to Windows Server 2008 – Short Notes

June 22nd, 2006 by uCertify

Configuring Domain Name System (DNS) for Active Directory

  • To ensure that users can still resolve host names for a remote office network even if the master DNS zone server fails, change the stub zone to a secondary DNS zone on the DNS server.
  • Enable BIND secondaries in the DNS Manager console to allow zone transfers of the DNS zone to the Unix-based DNS server.
  • To ensure that the replication of the zone is encrypted, convert the primary zone into an AD integrated zone and delete the secondary zone.
  • Replication traffic prefers the site link that has the lower cost for the replication. By default, a site link cost is set to 100.
  • To enable users of a domain to resolve names from its intranet domain, set the conditional forwarding for the intranet domain.
  • Conditional forwarding provides administrators the ability to configure a DNS server to forward queries conditionally, based on the domain specified in the name resolution request.
  • Conditional forwarding is used in situations where you want the DNS clients in separate networks to resolve each other’s names without having to query the DNS servers on the Internet. For this purpose, configure the DNS servers in each network to forward DNS queries for the resources in the other network.
  • To make sure that only the domain members are able to register their DNS records dynamically, set the option to Secure only for Dynamic updates.
  • By default, the DNS Server service uses local subnet prioritizing as the method for giving preference to IP addresses on the same network when a client query resolves to a host name that is mapped to more than one IP address. If more than one A resource record (RR) matches the queried host name, the DNS Server service can reorder the records by their subnet location.
  • A primary DNS zone holds the writable copy of the zone data. An Active Directory-integrated zone also provides a higher level of security and fault tolerance, as it stores DNS data on multiple domain controllers. A secondary DNS zone is a read-only copy of the primary DNS zone. A stub zone contains only the resource records necessary to identify the authoritative DNS servers for the zone.
  • A stub zone is used to resolve names between separate DNS namespaces.
  • Enable debug logging to record all inbound DNS queries to the server.
  • Microsoft recommends disabling recursion on a DNS server when DNS clients are limited to resolving names that are managed authoritatively on a specific server.
  • A forwarder is a DNS server that receives queries from other DNS servers on the network.
  • To configure a forwarder in a network, the DNS servers on the network are configured to send DNS queries to a particular DNS server. The DNS server acting as a forwarder does not require any special configuration. A forwarder has no secondary zone.
  • In order to resolve external DNS names queried by the client computers on the network without exposing the internal network to an outside server, you will have to configure a DNS server inside the firewall to forward external queries to a single DNS forwarder outside the firewall.
  • In order to configure a DNS server so that it does not forward those name requests that cannot be resolved from its own zone file, you should disable recursion on the DNS server.
  • In order to ensure that the DNS server is able to answer queries for hosts on the company’s intranet, but not on the Internet, you will have to configure the DNS server as a root server and leave the forwarding turned off.
  • The Scavenge stale resource records check box is used to specify whether stale resource records should be removed from the DNS database.
  • In order to ensure that the stale resource records are removed from a standard primary zone, you will have to enable aging and scavenging for the zone on the DNS server.
  • GlobalNames is a zone of Windows Server 2008 DNS. It provides single-label name resolution for networks where Windows Internet Name Service (WINS) is not deployed.
  • Run the dnscmd /zoneexport command to copy the zone files of the DNS server.
  • The dnscmd /zonerefresh command forces a secondary DNS zone to request any updates from the primary DNS zone.
  • The dnscmd /zoneupdatefromds command is used to update the specified Active Directory-integrated zone from Active Directory.
  • The dnscmd /clearcache command is used to clear the DNS cache of resource records.
  • A forest trust is a two-way transitive trust. It is created explicitly (manually) by system administrators between two forest root domains.
  • In order to minimize the network traffic, configure DNS for incremental zone transfer. Incremental zone transfer replicates only the changed portions of a zone, thereby conserving the network bandwidth.
  • In order to enable zone transfers for a zone to the name servers only, administrators will have to select the Allow zone transfers check box and select the Only to servers listed on the Name Servers tab radio button.
  • For secure updates, you are required to configure the zone as an Active Directory-integrated zone.
  • An Active Directory-integrated zone stores its DNS zone data in Active Directory. This enables Active Directory-based replication and secure dynamic updates.

Configuring the Active Directory Infrastructure

  • The first step to introduce a Windows Server 2008 domain controller into a Windows Server 2003 domain environment after the installation is to run the ADPREP /forestprep command on an existing domain controller.
  • The ADPREP (adprep.exe) command-line tool prepares a forest and domain to accommodate a domain controller that runs the Windows Server 2008 operating system.
  • ADMT v3 can be used for interforest and intraforest migration of users and computers.
  • SID filtering is a security mechanism that uses the SIDHistory attribute of a security principal to verify incoming requests.
  • A trust relationship has the following three characteristics:
    1. Trusts can be created explicitly (manually) or implicitly (automatically).
    2. Trusts can be either bound by the domains in the trust relationship (nontransitive) or not bound by the domains in the trust relationship (transitive).
    3. Trusts can be one-way or two-way.
  • The forest trust allows administrators to federate two Active Directory forests with a single trust relationship to provide a seamless authentication and authorization experience across the forests.
  • A preferred bridgehead server is a domain controller in a site, specified by an administrator, that acts as the bridgehead server. Administrators can specify more than one preferred bridgehead server; however, only one server is active at a time in a site.
  • A site is a collection of one or more well-connected (usually a local area network) TCP/IP subnets. The network between the subnets must be highly reliable and fast (512 Kbps and higher). Although sites are usually defined on the basis of location, a site can span more than one location.
  • Subnets are subdivisions of an IP address network. They are used to create smaller broadcast domains and to better utilize the bits in the host ID.
  • Creating a separate site for each location minimizes the replication traffic on the WAN. This can be made more effective by configuring the replication frequency of the site links between the sites.
  • To ensure that the SYSVOL share replicates by using DFS Replication, raise the functional level of the domain to Windows Server 2008.
  • If a firewall is used to protect a site, you must specify a preferred bridgehead server in the company’s network. You should establish your firewall proxy server as the preferred bridgehead server, making it the contact point for exchanging information with the servers outside the firewall. If this is not done, the directory information may not be successfully exchanged.
  • Configure the computer with the highest bandwidth as a preferred bridgehead server.
  • Deactivating the universal group membership caching (UGMC) option at the site level deactivates UGMC on all domain controllers at that remote location.
  • The Active Directory Sites and Services console is used to configure the domain controller as a Global Catalog server.
  • Place a global catalog server in remote sites to localize authentication traffic and to enhance performance of Active Directory searches.
  • The global catalog is built automatically by the Active Directory replication system. All directory partitions on a Global Catalog server, whether full or partial partitions, are stored in a single directory database (NTDS.DIT) on the same server.
  • Additional global catalogs improve response time, provide redundancy, and reduce network traffic.
  • The global catalog enables network logon by providing group membership information to the domain controller, and enables the finding of objects and directory information even in a large multi-domain environment.
  • The domain controller, with universal group membership caching enabled, contacts a Global Catalog server whenever a user attempts to log on for the first time. The server then caches the user information locally and uses this information to authenticate the user the next time he attempts to log on.
  • Seizing an operations master role refers to moving it without the cooperation of its current owner. This is also termed forcing the transfer of the operations master role. A domain controller whose schema, domain naming, or RID master role has been seized must never be brought back online without first reformatting the drives and reloading the operating system.
  • To transfer the schema master role (or any operations master role) whose current holder is not online, seize the role to the new server.
  • Domain Naming Master and Schema Master are forest-wide operation masters.
  • Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.
  • The relative ID (RID) master, PDC emulator master, and infrastructure master roles are necessary within each domain. At least one domain controller must fulfill each of these roles.
  • Schema master and domain naming master are operations master roles that are applied to the entire forest within an Active Directory network.

Configuring Additional Active Directory Server Roles

  • To install a new virtual machine on a Server Core installation of a Windows Server 2008 computer, you need to use Hyper-V Manager.
  • Hyper-V enables users to run multiple, different operating systems such as Windows, Linux, etc. in parallel on a computer.
  • Hyper-V maximizes utilization of test hardware, which can help reduce costs, improve life cycle management, and improve test coverage.
  • Windows Server 2008 has the following new server roles: RODC, AD LDS, AD RMS, and AD FS.
  • ServerManagerCMD.exe is a command-line utility to add or remove server roles and features on a server running Windows Server 2008.
  • Active Directory Federation Services (AD FS) provides single sign-on facility to users for accessing multiple Web applications from a single Web browser session. AD FS provides inter-organization, federated identity management services allowing large corporations to selectively open their infrastructure to trusted partners and customers.
  • AD FS requires either the Windows Server 2008 Enterprise edition or the Datacenter edition.
  • The LDP.EXE tool is used to test the certificate with AD LDS.
  • AD LDS is used for providing services to directory-aware applications. It is very useful to install it where there is no need for the overhead of a complete forest or domain structure.
  • AD RMS cannot be deployed on a domain controller.
  • To utilize AD RMS, all clients must have the RMS client installed. Windows XP clients also require the latest service pack to be installed.
  • To enable users (domain user accounts) to use AD RMS to protect their content, the user’s e-mail address must be registered in AD DS.
  • The three main functions of AD RMS are creating rights-protected files and templates, licensing rights-protected information, and acquiring licenses to decrypt rights-protected content and applying usage policies.
  • AD RMS provides the flexibility to delegate certain RMS roles out to other users/administrators. There are four roles available in RMS: AD RMS Service Group, AD RMS Enterprise Administrators, AD RMS Template Administrators, and AD RMS Auditors.
  • AD RMS provides information-protection solutions for an Active Directory-based network.
  • On a computer running Server Core, an RODC can only be installed through an unattended installation of AD DS. For this, use the DCPROMO.EXE /unattend command.
  • To enable the dynamic DNS updates on RODC, you should uninstall AD DS on it and reinstall as a writeable domain controller.
  • Add administrative accounts to the domain’s Allowed RODC Password Replication group to enable their authentication information to be replicated to RODCs.
  • Add the administrative accounts to the domain’s Denied RODC Password Replication group to ensure that the RODC server caches the passwords of non-administrative accounts only.
  • In order to ensure that the users at the remote location can log on to the domain through the local RODC, you should use the Password Replication Policy on each RODC.
  • Active Directory Users and Computers can be used to recover the user accounts cached on the stolen RODC server.
  • The RODC filtered attribute set is configured on the server that holds the schema operations master role.
  • If you try to add a system-critical attribute to the RODC filtered attribute set on a Windows Server 2003 schema master, the operation appears to succeed, but the attribute is not actually added. Therefore, it is recommended that the schema master be a Windows Server 2008 domain controller.
  • In an environment where the functional level of the AD forest is Windows Server 2003, to deploy an RODC at the remote office, run the adprep /rodcprep command and add a domain controller running Windows Server 2008 to the network.
  • RODCs can only replicate with full domain controllers.
  • Unidirectional replication prevents RODCs from replicating information to a writable domain controller.
  • If schema modification has not taken place in a Windows Server 2008 mixed mode domain, the RODC installation will fail.
  • Replace a domain controller with RODC if a remote location has loose security.
  • RODCs that are deployed in the remote sites can relieve the inbound replication load on bridgehead servers because RODCs do not replicate any changes.
  • Members of the Denied RODC Password Replication group cannot have their passwords replicated to any read-only domain controllers in the domain.
  • BitLocker is used for full volume protection.
  • BitLocker encryption can encrypt only the NTFS file system.
  • In order to change the server name, use the NETDOM.EXE utility.

Creating and Maintaining Active Directory Objects

  • As the UPN suffix must be unique for the entire forest, add the new UPN suffix to the forest to ensure that it is available for user accounts in all the domains.
  • To move existing user and computer objects to different OUs, use either the DSMOVE or the AD Users and Computers utilities.
  • Microsoft recommends the following structure of groups and rights for planning a security group strategy:
    1. Create universal groups for groups that contain members from multiple domains in more than one forest. Make global groups members of the universal groups. Use the universal groups when providing access to resources across multiple forests.
    2. Create domain global groups for groups that contain members from a single domain, but that will be granted access to resources within other domains. Make universal groups members of domain global groups as applicable. Make users members of domain global groups.
    3. Create domain local groups for groups that contain members from a single domain whether or not they will be granted access to resources within other domains. Make domain global groups members of the appropriate domain local groups. Grant domain-wide rights to domain local groups.
    4. Create local groups on member servers and computers. Make domain local groups members of local groups. Grant local rights to local groups.
  • Implement the AGDLP strategy for granting permissions on resources. AGDLP (Account > Global groups > Domain Local group > Permission) is the strategy recommended by Microsoft for providing permissions to users on network resources. When groups are created in a single domain, administrators should use the AGDLP strategy. The following steps are required to be performed for implementing the AGDLP strategy:
    • Put user accounts (A) into global groups (G).
    • Put the global groups into domain local groups (DL).
    • Grant permissions (P) to the domain local group.

    Following this strategy will reduce the burden of maintenance on administrators.

  • In order for the policies to be applied, users must have the Read and Apply rights on the GPO.
  • All domains within a forest share a common schema and Global Catalog.
  • Creating different organizational units (OUs) and delegating the authority for the resource administration will allow local Administrators of the remotely located offices to have control of their own resources, whereas only members of the Domain Admins group will be able to administer the user accounts of the domain.
  • Windows Management Instrumentation (WMI) filters are used to filter the effect of a group policy object (GPO) on the basis of characteristics such as RAM, processor speed, disk capacity, IP address, operating system version and service pack level, installed applications, and printer properties.
  • If the GPO containing the restriction policy is set at the OU level and is applied first and then another GPO is configured with a different policy and is applied at the domain level, the domain policy will overwrite the OU policy. However, if you set the no override attribute to the OU policy, it will prevent the OU policy from being overwritten even though the Domain GPO will take precedence.
  • Starter GPO is a group policy object (GPO) that is used as a template for creating new GPOs.
  • An administrative template can be used to specify the options available for setting the group policy.
  • Configure a GPO to disable the slow link detection setting if it is required to apply policies set in the GPO on an OU connected through slow link.
  • A terminal server cannot accept published programs because they are published on a per-user basis. You will have to deploy the application on a per-computer basis.
  • If at any point of time, an application is no longer required, you should remove it by using the removal option in the GPO through which the application is installed. There are two types of removal that you can choose from: Forced and Optional. The Forced removal option immediately uninstalls the software from users and computers. The Optional removal option allows users to continue using the software but prevents new installations. After software removal is processed, you should delete the GPO so that the application is no longer available.
  • Assigning an application requires the least user intervention. When a GPO is applied, the application appears on the Start menu, and the User Configuration and the registry of the local computer are updated.
  • Software restriction policies are supported by Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and later operating systems.
  • A published application can be installed in one of the following two ways: using Add or Remove Programs in Control Panel, or double-clicking a document file associated with the published application.
  • When an application is published to a user, the published application stores the advertisement attributes in Active Directory. Users can then install the application either by using Add/Remove Programs in the Control Panel or by clicking any file associated with the application.
  • By using the group policy object, the task of software installation is automated and the administrative burden is reduced.
  • Raise the functional level of the domain to Windows Server 2008 to support the application of multiple password policies.
  • In order to prevent users from using the recently expired passwords, you should configure the Default Domain Policy group policy object (GPO) to set the Interactive Logon: Number of previous logons to cache setting to 0.
  • To have a separate set of password policies for a separate set of users, fine-grained password policies should be configured.
  • A Password Settings object (PSO) can be created through the ADSI Edit and LDIFDE tools.
  • The msDS-LockoutThreshold element of the fine-grained account lockout policy determines the number of failed logon attempts that cause a user account to be locked out.
  • Account policy controls the password expiration policy, the lockout policy, and other password features.
  • The account lockout duration group policy option sets the length of time that the account should be locked.
  • To track network connections to the servers placed in an OU, configure a GPO to enable the Audit logon events policy.
  • To track the cause of abrupt shutdown on servers, audit System Events of servers.
  • Administrators should audit system events to track shutdown events.
  • Auditing is used to track user accounts for file and object access, logon attempts, system shutdown, etc. This enhances the security of the network.
  • The Audit object access policy determines whether to audit the event of a user accessing an object such as a file, folder, registry key, printer, etc.
  • Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller’s security log. Account logoff events are not generated.

Maintaining the Active Directory Environment

  • The smallest object that can be backed up through Windows Server Backup is a volume.
  • Only members of the Administrators local group can schedule backups on Windows Server 2008.
  • Use the NTDSUTIL utility to change a DSRM password.
  • WBADMIN.EXE is a command-line utility for performing backup and restore operations on a Windows operating system.
  • In order to use the Windows Backup utility, you need to add the Backup feature from the Server Manager.
  • An authoritative restore makes a computer authoritative over other domain controllers. Data restored authoritatively on a computer takes precedence over the data on other domain controllers, even though the restored data is older than the current replicas.
  • If the restored backup of an Active Directory database is non-authoritative and has an older timestamp, it is replaced by the existing copy of the database in the other domain controllers through replication.
  • In a nonauthoritative restore operation, the objects in the restored directory are not treated as authoritative. The restored objects are updated with changes held on other domain controllers in the domain.
  • Place the NTDS.DIT file on the RAID-5 array and the log files on a disk other than the one used by the RAID-5 array or by the operating system to improve the read-write performance of the Active Directory database.
  • In order to remove the AD DS role from a domain controller, run the DCPROMO utility and remove the AD DS role.
  • To move the AD database to a new volume, open the Files option in the NTDSUTIL utility and move the NTDS.DIT file to the new volume.
  • To defrag an AD database for offline maintenance, take these four steps in the given order: Stop the AD DS service > Compact NTDS.DIT > Move the file to %windir%\NTDS > Start the AD DS service.
  • To perform offline critical updates on a domain controller without rebooting the server, you need to stop the AD domain services, install the updates, and then start the AD domain services.
  • Restartable Active Directory Domain Services allows administrators to take Active Directory Domain Services offline without booting the domain controller in Directory Services Restore Mode (DSRM).
  • The DHCP service is not affected by stopping Active Directory Domain Services.
  • Offline defrag and compaction of the Active Directory database enhances the performance of Active Directory database operations.
  • Space allocation for an Active Directory database should be 1 GB or twenty percent more than the current combined size of NTDS.DIT and the log files, whichever is greater.
  • Basic Authentication requires a user to provide logon credentials so that only authenticated users are able to access the SMTP virtual server.
  • To identify the logon attempts on the domain controllers, open Event Viewer and check the logon attempts in the security log.
  • While monitoring the performance of a server running Windows Server 2008, the following information must be kept in mind:
    1. The Disk Queue Length average over time should be below four requests per physical disk.
    2. Memory Pages/Sec should be an average value lower than 50.
    3. Processor % Processor Time should not exceed 85 percent.
    4. Network Total Bytes/Sec should not exceed 90 percent of line capacity.
  • Network Monitor works as a protocol analyzer and captures packets from the network and analyzes their contents in detail.
  • In order to capture only a specific type of traffic, configure a capture filter.
  • The Task Manager utility provides information about programs and processes running on a computer. By using Task Manager, a user can end or run programs, end processes, and display a dynamic overview of his computer’s performance. Task Manager provides an immediate overview of system activity and performance.
  • Run the Event Viewer utility to check the System log.
  • The Audit account management security setting determines whether to audit each event of account management on a computer.
  • Resultant Set of Policy (RSoP) is the sum of the group policies applied to a user or a computer. RSoP includes the application of filters and exceptions.
  • The GPRESULT command-line tool is used to create and display an RSoP query through a command line.

Configuring Active Directory Certificate Services

  • Join the standalone server to the domain to install the AD CS role as an Enterprise CA.
  • Following are the three methods used to authenticate the computers communicating through IPSec:
    • Kerberos
    • Certificates
    • Preshared key
  • Raise the domain functional level to Windows Server 2008 to enable the Kerberos AES encryption.
  • To prevent the security of a high-level CA from being penetrated, the higher-level CAs should be taken offline once they issue certificates to their subordinate CAs.
  • To configure the CA servers to support certificate revocation, take the following steps:
    • On the root CA, configure the CRL distribution point (CDP) setting to point to a shared folder by using the Certification Authority snap-in.
    • Regularly copy the CRL file from the root CA to the shared folder.
  • An enterprise certification authority (CA) is a type of CA that is integrated into the Active Directory directory services of Windows. As the clients of an enterprise CA must have access to Active Directory to receive certificates, enterprise CAs are best suited to scenarios where only internal clients of an enterprise need to obtain certificates. Enterprise CAs use the information in the Active Directory database to approve or deny certificate enrolment requests automatically.
  • Server Manager can be used to set up CA and other components after completion of the installation of Windows Server 2008.
  • AD CS cannot be installed on Server Core.
  • PKIView is used to view details for all CA certificates published in Active Directory.
  • IPSec cannot be used with Point-to-Point Tunnelling Protocol (PPTP).
  • To ensure that a message cannot be read by anyone but the recipient, encrypt the message by using the recipient’s public key. As the message is encrypted with the recipient’s public key, it can only be decrypted with the recipient’s private key. Even if someone intercepts the message, he/she will not be able to decrypt it because he/she does not possess the private key required to decrypt the message.
  • If an intruder successfully penetrates the security of one high-level CA, the security of all its subordinates is compromised. In order to prevent such a penetration from taking place, it is highly recommended that the higher-level CAs be taken offline once they issue certificates to their subordinate CAs.
  • An Online Responder receives and responds only to individual requests from clients regarding information about the status of a certificate. Even if there are many revoked certificates, the Online Responder sends only the data that is requested. This enables the amount of data retrieved to remain low.
  • In order to use PKI structure for authentication, implement certificate-based authentication.
  • To issue Key Recovery Agent certificates, the Issue and Manage Certificates permission (set to Allow) is required.
  • To back up your Windows CardSpace cards to a USB drive so that they can be used on other computers, run the Windows CardSpace application and back up the data to the USB drive.
  • The IEEE 802.1X standard defines a method of authenticating and authorizing users to connect to an IEEE 802 LAN. It blocks users from accessing the network on the failure of authentication.
  • A certificate is a set of data that completely identifies an entity. It is a digitally signed statement that binds the value of a public key to the identity of a person. It can be issued to perform a number of functions such as Web server authentication, secure e-mail, etc.
  • The Enrol permission is required for the user who is requesting a certificate. By default, the Authenticated Users group and all other groups, including the Administrators group, have this permission.
  • Clients can request certificates through Autoenrolment, Web enrolment, or manual enrolment.
  • Certification authority (CA) is an entity in a network. It manages security credentials and public keys for message encryption.
  • An Online Responder receives and responds only to individual requests from clients for information about the status of a certificate.