Cryptography

The Cryptography tab includes the following settings:

Algorithm Name: There are a number of cryptographic algorithms that can be used to provide encryption for the keys. Valid methods under Server 2008 are RSA, ECDH_P256, ECDH_P384, ECDH_P521. Note: If the Purpose is changed to Signature, additional algorithms become available: ECDSA_P256, ECDSA_P384, ECDSA_P521.

Hash Algorithm: To provide one-way hashes for key exchanges, a number of algorithms are available. These include MD2, MD4, MD5, SHA1,...

Connection Security Rules

Connection security rules are different from inbound and outbound traffic rules. Firewall rules allow traffic through the firewall based on rules you've configured, but they do not enforce connection security. To secure traffic with IPsec, you must create connection security rules. Note that the creation of connection security rules does not allow the traffic to pass through the firewall. These are two separate but interrelated concepts. Connection security rules are not applied to programs or...

Manually Initiating Replication Using DNS Manager

To manually initiate a zone transfer using DNS Manager, follow these steps:

1. Open DNS Manager by clicking Start | Administrative Tools | DNS.

2. Expand the appropriate server node, expand Forward Lookup Zones or Reverse Lookup Zones, right-click the desired zone, and click one of the following options:

Transfer from Master: This option asks the secondary or stub zone to check its master and determine whether it is up to date. If it isn't, a zone transfer to obtain any updates will be initiated.

Reload...

The Next Generation TCP/IP Stack

A full discussion of the changes to the TCP/IP implementation in Windows Server 2008 is outside the scope of this book, but you might be interested in reading about this topic, especially if you plan on implementing IPv6 in your organization anytime soon. Microsoft's TechNet has an article located at cg0905.mspx that discusses the Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008. There's also an article at www.microsoft. that discusses the changes in TCP/IP in Windows Vista...

Creating a New Subscription

1. Go to the collector computer and run the Event Viewer as an administrator.

2. In the Event Viewer, click Subscriptions in the console tree. If the Windows Event Collector service is not running, you will be prompted to run it; if you receive this message, click Yes.

3. Click Actions | Create Subscription. The Subscription Properties box appears, as shown in Figure 5.64.

Figure 5.64 The Subscription Properties Box

4. In the Subscription name box, type a...

Backup and Recovery

Most people never think about backup and recovery until they need it. Microsoft has been shipping a simple backup solution with Windows since Windows NT 3.1 back in 1993. The technology used today has changed since then, but the needs are still the same. Administrators need the ability to effectively back up servers, data, and the system state while also having an easy way to restore when needed. Windows Server 2008 does not support the old NTBackup.exe tool or its backup format. It now uses a...

Installing from Media

Install from media (IFM) is a feature that was available with Windows 2000 SP3 and Windows Server 2003. Historically, it has been a problem rolling out new DC and GC servers at remote sites. Restoring or rolling out a DC in a remote site also had the disadvantage of large amounts of data being replicated between the newly restored DC and an active DC in the domain. IFM offers you the option to restore or build a new DC from a recently made backup. To take advantage of this feature, you must...

Creating a Stub Zone

Follow these steps to create a stub zone:

1. Open DNS Manager by clicking Start | Administrative Tools | DNS.

2. In the left pane, expand the node representing the server you want to configure, right-click Forward Lookup Zones, and click New Zone...

3. Read the welcome page of the New Zone Wizard dialog box and click Next.

4. On the Zone Type wizard page, leave the default selection of Stub zone and click Next. See Figure 2.11.

5. On the Zone Name wizard page, enter the name of your domain in the...

Summary of Exam Objectives

The Windows Server 2008 Network Infrastructure, Configuring exam is going to contain a lot of new concepts and features, and Network Access Protection (NAP) is going to be one of those new concepts. Microsoft has made great strides in network infrastructure compliance and remediation with Windows Server 2008. As mentioned earlier in this chapter, it is imperative that you actually sit down and play with the Network Policy Server console and get to know the interface. Most questions on NAP will...

Active Directory Storage Allocation

As you've learned, the ntds.dit file can get quite large. With this comes concern regarding available drive space. To conserve drive space, we've already walked through defragging and compacting the ntds.dit file. Sometimes that's not enough, and you have to move it and its log files to another drive or partition. Before doing this, you have to confirm the size of the files in the C:\Windows\NTDS folder. You need to check the amount of drive space used by the files in the directory when Active...

What Is PKI

The rapid growth of Internet use has given rise to new security concerns. Any company that does not configure a strong security infrastructure is literally putting the company at risk. An unscrupulous person could, if security were lax, steal information or modify business information in a way that could result in major financial disaster. To protect the organization's information, the middleman must be eliminated. Cryptographic technologies such as public key infrastructure (PKI) provide a way...

Creating IPsec Policy

IPsec policy is created either in Active Directory as a Group Policy or via the Windows Server 2008's Windows Firewall with Advanced Security. Clearly, IPsec settings in these two areas are related but are not interchangeable. Policy set in Active Directory is applied according to policies set at the domain level and will take precedence over local IPsec policy located on a member computer. IPsec policy will be applied according to AD and Windows Firewall with Advanced Security settings on a...

Other Audit Policies

Now let's discuss some other audit policies. This section includes brief descriptions of the following audit policies:

Audit account management: This audit policy tracks all account management events. Some examples of what this policy covers include creation, change, or deletion of user or group accounts; renaming or enabling/disabling a user's account; and changing a user's password.

Audit policy change: This audit policy tracks changes made to user rights assignment policies, audit policies, or...

RepAdmin

Another tool that comes with the installation of Windows Server 2008 is the command-line tool RepAdmin. Administrators can use RepAdmin to view replication topology, create replication topology, and force replication, whether it is for the entire directory or for specific portions of it. You also can use RepAdmin for monitoring an Active Directory forest. You must run the RepAdmin command in an elevated prompt, either by right-clicking the Command Prompt and then clicking Run as administrator...

Figure Creating a Custom Template

[Figure: Certificate Templates console listing the built-in templates with their minimum supported CA version and intended purposes (Administrator, Authenticated Session, CA Exchange, CEP Encryption, Code Signing, Computer, Cross Certification Authority, Domain Controller, Domain Controller Authentication, EFS Recovery Agent, Exchange Enrollment Agent (Offline request), IPSec (Offline request), Kerberos Authentication, Key Recovery Agent, OCSP Response Signing, RAS and IAS Server, ...)]

Working with Forests and Domains

Active Directory is composed of a number of components, each associated with a different type of Active Directory functionality; you should understand each component before making any changes to the network. Active Directory Domain Services is a distributed database, which means it can be spread across multiple computers within a domain or a forest. Among the major logical components that you need to be familiar with are administrative boundaries, network and directory performance, security,...

Placing GC Servers within Sites

Another consideration when it comes to replication is placement of your GC servers. In a small network with one physical location, GC server placement is easy. Your first DC that is configured will hold the GC role. If you have one site, but more than one DC, you can move the role to another DC if you want to or configure additional DCs as GCs. Most networks today consist of multiple physical locations, whether in the same city or across the country. If you have high-speed links connecting your...

Configuring IPv6 Scope Options

The options available in the IPv6 scope settings are different from those available in the IPv4 options section. When you select an IPv6 scope and click Scope Options, you can select from among numerous options, listed here:

2. SIP Servers IPV6 Address List
3. DNS Recursive Name Server IPV6 Address List
9. SNTP Servers IPv6 Address List

SIP stands for Session Initiation Protocol, and a SIP server is an outbound proxy server. See the IETF draft on SIP and DHCPv6 for more information (www3. NIS...

Exclusions

Exclusions are used to prevent a range of addresses from being handed out from within the scope. There are numerous reasons you might do this, but clearly you want to ensure your reservations are part of the excluded range of IP addresses. This helps manage static IP addresses for devices that should remain stable, such as servers, routers, and other hardware devices that always need to be found. If an IP address is reserved but not excluded, the device using the static IP address will get the...

Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008

Microsoft introduced many new features and technologies in the Windows Server 2008 operating system, as well as improved some existing features. These additions and changes will help to increase security and productivity and reduce administrative overhead. The following paragraphs describe some of these features and technologies. Active Directory Certificate Services (AD CS) provides customizable services for creating and managing public key certificates when employing public key technologies....

Performing Authoritative and Nonauthoritative Restores

One day you may find yourself with a DC that has a corrupted copy of ntds.dit. To resolve issues such as this you would need to perform a nonauthoritative restore, which we will cover soon. Other times you may have accidentally deleted an object (user, computer, printer, etc.) from Active Directory and you have no way to restore it within Active Directory. This is usually because after the object is deleted, the change has already been replicated to the other DCs in the domain. To fix this you...

2003 Allow Dns Suffix Appending To Unqualified Multi-label Name Queries

How Name Resolution Works in Windows XP and Later

Although some integration is possible, the NetBIOS and host name resolution methods are very different. Host names are used when a client attempts to use user-friendly names (instead of IP addresses) with a TCP/IP utility such as ping, an FTP client, or a web browser. By default, the following name resolution steps are taken when resolving host names: the local host name > the local DNS resolver cache > the local HOSTS file > DNS > the...

Domain Password Policy

The default domain password policy contains the following configurable settings. The default settings for each and their location within group policy appear in Figure 6.18.

Enforce password history: Determines how many passwords Active Directory remembers for each user before allowing them to reuse a password. The maximum value is 24. Setting the value to 0 disables this option.

Maximum password age: Determines how many days a user can go without changing his or her password. The maximum value is...

Changes to PPTP and L2TP/IPsec Protocols

Warning: This section refers to modifying the Windows registry. Using Registry Editor incorrectly can cause serious problems that may make the system unstable or unusable and that may require you to reinstall the Windows operating system. There is no guarantee that problems resulting from the incorrect modification of the registry can be solved. Edit or modify the registry at your own risk, and do not do this on a live server unless you know exactly what you're doing and have a backup...

Figure Request Handling Tab of the New Template Property Sheet

[Figure: Request Handling tab of the new template property sheet (tabs: Issuance Requirements, Superseded Templates, Extensions, Security, Request Handling, Cryptography, Subject Name), showing the options Delete revoked or expired certificates (do not archive); Include symmetric algorithms allowed by the subject; Archive subject's encryption private key; Use advanced Symmetric algorithm to send the key to the CA; Add Read permissions to Network Service on the private key (enable for machine templates only); and "Do the following when the subject is enrolled and when the private key..."]

User Rights

Administrators can grant a wide array of user rights. Rights include things such as the ability to log on to a server locally or from a network connection, the ability to shut down a server, the ability for certain accounts to be able to log on as a service, and many others. You should take a moment before the exam to familiarize yourself with the range of options offered by this portion of group policy. User rights follow the standard group processing order, but are exclusive unless otherwise...

Figure DHCP Server IPv Options

[Figure: DHCP Server options in Server Manager. The help text reads: "Server options are additional configuration parameters that a DHCP server can assign to DHCP clients. For example, some commonly used options include IP addresses for default gateways (routers), WINS servers, and DNS servers. Server options act as defaults for all scopes. You can override each of these server options by..."]

Figure The iSCSI Initiator Properties Page

[Figure: iSCSI Initiator Properties page (tabs include Favorite Targets and Volumes and Devices). The help text reads: "iSCSI devices are disk, tapes, CDs, and other storage devices on another computer on your network that you can connect to. Your computer is called an initiator because it initiates the connection to the iSCSI device, which is called a target. To rename the initiator, click Change. To use mutual CHAP authentication for verifying targets, set up a CHAP secret. To set up IPsec tunnel mode addresses, click Set up." The iSCSI target represents hard disk storage and...]

Contents

Chapter 1 Deploying / Installing Windows Server 2008
Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008
Installing Windows Server 2008 Enterprise Edition
What Is New in the AD DS Installing from Installing Server The Windows Deployment What Is Configuring Capturing WDS Deploying WDS Configuring RAID Network Attached Storage Area Fibre iSCSI Initiators and Mount Configuring High Failover Installing and Validating a Failover Cluster Managing the Failover...

And Network Access Protection

In the RRAS there are a number of snap-in roles that can be used in configuring and setting up your network access needs for Windows Server 2008. In previous incarnations, such as Windows Server 2003, the Internet Authentication Service (IAS) snap-in was Microsoft's implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy. It was capable of performing localized connection authentication, authorization, and accounting (AAA) for many types of network access, including wireless and VPN connections. For Windows...

Active Directory Federation Services ADFS

Federation Services were originally introduced in Windows Server 2003 R2. AD FS provides an identity access solution, and AD Federation Services provides authenticated access for users inside (and outside) an organization to publicly accessible (via the Internet) applications. Federation Services provides an identity management solution that interoperates with WS-* Web Services Architecture-enabled security products. WS-Federation Passive Requestor Profile (WS-F PRP) also makes it possible for...

Exam Objectives Frequently Asked Questions

Q: In what format do CAs issue certificates?

A: Microsoft Certificate Services use the standard X.509 specifications for issued certificates and the Public Key Cryptography Standard (PKCS) #10 standard for certificate requests. The PKCS #7 certificate renewal standard is also supported. Windows Server 2003 also supports other formats, such as PKCS #12, DER encoded binary X.509, and Base64 encoded X.509, for exporting certificates to computers running non-Windows operating systems.

Q: If certificates...

Exercise

You must back up GPOs from the Group Policy Management Console (GPMC). You can get to it by clicking Start | Administrative Tools | Group Policy Management. Let's walk through the process of backing up GPOs:

2. In the console tree, click on the plus sign (+) next to the forest. In our case, we click on the plus sign next to Forest: MMA.LOCAL.

3. Scroll down the tree Domains | <Domain Name> | Group Policy Objects. In Figure 5.37, you see that we have four GPOs. In reality, you would probably have...

Capturing WDS Images

WDS allows you to capture the following kinds of images using the Windows Image (.wim) format:

Boot Image: Windows PE 2.0 is the new boot image format, and it presents you with a boot menu that contains a list of images that users can install. The standard boot images included with Vista and Server 2008 are located on the installation media at \Sources\boot.wim.

Capture Image: This launches the WDS capture utility instead of Setup. The reference computer previously prepared with Sysprep boots into...

Ad Hoc vs Infrastructure Mode

To set up an ad hoc wireless network, each wireless adapter must be configured for ad hoc mode versus the alternative infrastructure mode. In addition, all wireless adapters on the ad hoc network must use the same SSID and the same channel number. An ad hoc network tends to feature a small group of devices all in very close proximity to each other. Performance suffers as the number of devices grows, and a large ad hoc network quickly becomes difficult to manage. Ad hoc networks cannot bridge to...

Removing Software Deployed with Group Policy

The final stage of the software life cycle is removal. Group policy provides two methods of software removal: forced and optional. As you might guess, forced removal does not give users the option of keeping the software loaded on their computers, whereas optional removal does. In addition to removing any installed software, both options also remove the user's ability to reinstall the software through group policy, unless it is published or assigned again through group policy. It's important to...

Figure DNS Prompts

[Figure: DNS prompt from the Active Directory Domain Services Installation Wizard: "A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain syngress.com. Otherwise, no action is required."]

12. On the Location for Database, Log Files, and...

New Roles in Windows Server 2008

Windows Server 2008 offers many new ways to skin the Active Directory cat, if you will. With the introduction of these new roles is a new way to determine how they are implemented, configured, and managed within an Active Directory domain or forest. We will be discussing each of these Active Directory roles in depth later in this chapter, but the new roles (and the official Microsoft definitions) are as follows:

Read-only domain controller (RODC): This new type of domain controller, as its name...

Self Test

The CIO has asked you to configure a GPO that will ensure that antivirus software is installed on every computer in the company. You are the most senior administrator in the company and have full access to every computer, and to Active Directory. Your company has a single domain and site. Which one of the following actions do you take?

A. You configure a GPO at the domain level, and publish the application to all computers.

B. You configure a GPO at the site level, and assign the application to...

Certificate Authorities

Certificates are a way to transfer keys securely across an insecure network. If any arbitrary user were allowed to issue certificates, it would be no different than that user simply signing the data. In order for a certificate to be of any use, it must be issued by a trusted entity: an entity that both the sender and receiver trust. Such a trusted entity is known as a Certification Authority (CA). Third-party CAs such as VeriSign or Entrust can be trusted because they are highly visible, and...

Failover Clusters

A failover cluster consists of two or more independent servers configured with software and connected to storage, working together as one system. This configuration provides high availability. During production hours, if a failure occurs on the failover cluster on one of the server nodes, the cluster will redirect resources to one of the other server nodes in the failover cluster. This ensures that server hardware failures are not the cause of lengthy downtime in a production environment. The...

Network Layer Protection

All the components of NAP reside at the network layer. It is very important to understand where each component can reside and what the function of each component is. We are first going to look at a very general Microsoft Visio drawing and then point out each component and its function as related to NAP. Like a lot of Microsoft network designs, some servers can play multiple Windows Server 2008 roles within the NAP-enabled network architecture. Later in this chapter we will point out during the...

User Certificate Types

User certificate templates are intended to be bound to a single user to provide identity and/or encryption services for that single entity.

Administrator: This certificate template provides signature and encryption services for administrator accounts, providing account identification and certificate trust list (CTL) management within the domain. Certificates based on the Administrator template are stored in Active Directory.

Authenticated Session: This certificate template allows users to authenticate to a...

Flexible Single Master Operation (FSMO) Roles

In Windows NT 4.0, the domain had only one authoritative source for domain-related information, the primary domain controller or PDC. With the implementation of Active Directory came the multimaster replication model, where objects and their properties can be modified on any DC and become authoritative through replication conflict resolution measures. This scalability effort came with a price in complexity, however, and Active Directory FSMO roles were introduced to control certain domain and...

Figure Configuring PXE Server Initial Settings

[Figure: Windows Deployment Services Configuration Wizard, PXE Server Initial Settings page. The help text reads: "Pre-boot execution environment (PXE) client computers may be pre-staged in Active Directory Domain Services. When a client computer is pre-staged, it is also called a known client. Clients which are not pre-staged are called unknown. Use this page to select which client type the Windows Deployment Services server responds to, and what action is taken when the server responds to a known or unknown client computer. Choose the appropriate answer policy..."]

Directory Service Access

Most Active Directory objects have their own permissions, officially called a system access control list (SACL). Any object in Active Directory that can have permissions set for it can be audited. By default, directory service auditing is not enabled in group policy; however, objects in Active Directory do come already set up with some auditing permissions assigned. For most objects this will be Success auditing for members of the Everyone group, but this does vary. For example, the domain...

IPsec Encapsulating Security Payload (ESP)

Encapsulating Security Payload (ESP) provides both a header and a trailer for an IP datagram that secures the packet. ESP provides data origin authentication, data integrity, antireplay, and data confidentiality protection for the ESP-encapsulated portion of the packet. Figure 8.20 shows the format of the ESP header in transport mode, and Figure 8.21 shows the ESP header in tunnel mode. We've also included what the packet looks like if you use both AH and ESP, shown in Figure 8.22, though...

Routing Fundamentals

When attempting to select a path in a network by which to send data or physical traffic, an administrator has many options available to him. There are a number of ways to send packets from one destination to another based on intermediary hardware or nodes. This can include a number of different hardware devices including bridges, gateways, routers, firewalls, and switches. Even computers with multiple network cards are capable of routing packets. There are different types of routing algorithms...

When the installation is complete click Close

Figure 1.42 shows a typical two-node failover cluster. Node 1 and node 2 have each passed the hardware validation, and the Windows 2008 failover clustering feature is successfully installed. The storage shared by both nodes in the cluster also holds the witness disk. The witness disk holds the cluster log files and votes on which node to use in a failover scenario. Each node has a Resource Group consisting of applications and services; it also includes the elements needed by the resource, such...

Chapter Configuring Network Access

You are asked by your employer to set up a LAN using Windows 2008 Server RRAS. Which of these types of routing algorithms or protocols cannot be used to organize the signal flow between the devices in the network, according to the supported Windows Server 2008 features?

Correct Answer & Explanation: C. The correct answer is C, because it is no longer supported in the RRAS of Windows Server 2008. RIP and RIP2 are both supported by Windows Server 2008.

2. You are asked to configure a routing...

Default Trusts

When the Active Directory Installation Wizard is used to create a new domain within an existing forest, two default trusts are created: a parent and child trust, and the tree-root trust. Four additional types of trusts can be created using the New Trust Wizard or the command-line utility netdom. The default trust relationships inside a Windows 2000, Windows Server 2003, and Windows Server 2008 forest are transitive, two-way trusts. A parent and child trust is a transitive, two-way trust...

Configuring Audit Policies

The configuration settings for auditing can be a bit trickier to understand than other group policy settings. All types of auditing use the same types of settings, shown in Figure 6.39. You can audit the success and/or failure for a variety of tracked events. Examples of what can be tracked include logons, changes to policy, use of privileges, directory service or file access, and so forth (see Figure 6.38).

[Figure 6.38: Group Policy Management Editor showing the Default Domain Policy (syngress-server.syngress...) | Computer Configuration | Policies ...]

Firewall Rules

Inbound Rules Windows Server 2003

Rules can be configured for inbound or outbound traffic, for computers, users, programs, services, ports, and protocols. You can also specify which types of network adapters rules will apply to: local area connections, wireless, remote (VPN), and so on. You can also create a rule that is applied when a specific profile is used. Inbound and outbound rules explicitly allow or block traffic that matches the criteria of the rule. For inbound traffic, you can configure rules that allow inbound traffic...

Applying Users and Groups to a PSO with Active Directory Users and Computers

In addition to using ADSI Edit to associate users and global security groups with a PSO, administrators can also use Active Directory Users and Computers:

1. Open Active Directory Users and Computers by clicking Start | Administrative Tools | Active Directory Users and Computers.

2. Ensure that View | Advanced Features is selected.

3. In the left pane, navigate to <Your Domain Name> | System | Password Settings Container.

4. In the right pane, right-click on the PSO you want to configure, and select...

Creating a Zone Delegation

Delegation allows you to transfer authority for a domain to a different zone. For example, an organization with multiple subdomains such as authors.syngress.com, publishers.syngress.com, editors.syngress.com, executives.syngress.com, and so forth may not want to keep all these subdomains in a single syngress.com zone file. Authors and editors might work in a different office that has its own DNS server, so moving these parts of the namespace to separate zone files on that server might increase...

Configuring IP Security IPsec

The IP Security (IPsec) protocol is a standard that provides cryptographic security services for IP traffic. IPsec is an end-to-end security solution. The only two nodes aware of IPsec traffic on the network are the two peers communicating with each other. IPsec packets are forwarded by routers like any other packet on the network. As you probably recall, IPsec provides the following properties:

Peer authentication: IPsec verifies the identity of a peer computer before data is sent.

Data origin...

Enabling a Domain Controller to Support Global Names Zones

To enable a domain controller to support GlobalNames zones, perform the following steps:

1. Open a command prompt by clicking Start | Command Prompt.

2. At the command prompt, type dnscmd <ServerName> /config /Enableglobalnamessupport 1. For example: dnscmd ad2.syngress.com /config /Enableglobalnamessupport 1 (see Figure 2.24).

Figure 2.24 Enabling GlobalNames Zone Support Using the Command Prompt

[Figure: Administrator command prompt (C:\Windows\system32\cmd.exe) showing the dnscmd ad2.syngress.com /config ... command being run]

Site Link Bridges

Often, there is no need to deal with site link bridges separately, as all the links are automatically bridged by a property known as a transitive site link. Sometimes when you need to control through which sites the data can flow, you need to create site link bridges. By default, all the site links created are bridged together. The bridging enables the sites to communicate with each other. If this is not enabled by the automatic bridging due to the network structure, disable the same and create...

Click on Start Administrative Tools Windows Deployment Services

2. In the left pane of the Windows Deployment Services MMC snap-in, expand the server list.

3. Click the server that you want to manage.

4. Right-click the Install Images folder and select Add Install Image.

5. Create a new image group and click Next.

6. Browse to the install media of Vista or Server 2008; in the source directory, choose the install.wim file and click Next, as shown in Figure 1.35.

[Figure 1.35: Windows Deployment Services - Add Image Wizard, "Select a Windows image (WIM) file that contains the..."]

VPN Enforcement

Windows Server 2008 and Network Policy Server (NPS) can facilitate NAP connections, allowing remote VPN clients to be checked for compliance and be remediated.

Communication Process with VPN Client and NAP

When a Windows Vista or Windows XP Service Pack 3 computer connects to an NPS server that is NAP enabled, the communication process is a little different from a normal VPN connection. The NAP client in this case becomes the VPN client and uses simple Point-to-Point Protocol (PPP) messages to...

Shortcut Trusts

Shortcut trusts are transitive in nature and can be either one-way or two-way. These are explicit trusts that you create when the need exists to optimize (shortcut) the authentication process. Without shortcut trusts in place, authentication travels up and down the domain tree using the default parent and child trusts, or by using the tree-root trusts. In large, complex organizations that use multiple trees, this path can become a bottleneck when authenticating users. To optimize access, the...

Restoring a GPO

1. Open the GPMC (Start Administrative Tools Group Policy Management). 2. In the GPMC, go to Forest MMA.LOCAL Domains MMA.LOCAL Group Policy Objects and verify that the GPO has been deleted. In Figure 5.42, you see that the Tagged GPO is no longer there. 3. In the GPMC, right-click Group Policy Objects and select Manage Backups, as shown in Figure 5.43. Figure 5.43 Selecting Manage Backups 4. In the Manage Backups screen shown in Figure 5.44, select the...

Data Collector Sets

A Data Collector Set organizes multiple data collection points into a single component that you can use to review or log performance. It can be created and then recorded separately, grouped with other sets, and incorporated into logs. Data Collector Sets can contain the following types of data collectors: performance counters, event trace data, and system configuration information. There are two types of Data Collector Sets: User Defined and System. User Defined are customized by the user...

Creating a Secondary Forward Lookup Zone

Follow these steps to create a secondary forward lookup zone: 1. Open DNS Manager by clicking Start Administrative Tools DNS. 2. In the left pane, expand the node representing the server you want to configure, right-click Forward Lookup Zones, and click New Zone... 3. Read the welcome page of the New Zone Wizard dialog box and click Next. 4. On the Zone Type wizard page, select Secondary zone and click Next. See Figure 2.11. 5. On the Zone Name wizard page, enter the name of the domain in the...

Figure Active Directory Domain Services Stopped


Replication Protocols

When creating site links, you have the option of using either IP or SMTP as the transport protocol. SMTP replication: You can use SMTP only for replication over site links. It is asynchronous, that is, the destination DC does not wait for the reply, so the reply is not received in a short amount of time. SMTP replication also ignores the Replication Available and Replication Not Available settings on the site link schedule, and uses the replication interval to indicate how often the server requests...

Working with Trusts

One of the many issues that need to be dealt with in any computer organization is how to protect resources. The main difficulty that administrators face is the dilemma of how to ensure that the company's resources are not accessible by those who do not need access. The other side of that coin, and something that is equally important, is how to ensure that people who do need access are granted access with the least amount of hassle. In small companies, the issues are simpler, because multiple...

Wired XML profiles

Wired 802 Wireless

Using Group Policy, you can configure the Wired Network (IEEE 802.3) Policies Group Policy extension, which is part of the Computer Configuration Group Policy and can specify wired network settings in the AD environment. The Group Policy extension applies only to Windows Server 2008 and Windows Vista computers. The command line can be used within the netsh context using the lan command (netsh lan). You can explore the available commands by typing netsh lan at the command line prompt. Wired XML...

Adding a New Restricted Group

Use the following procedure to add a new restricted group: 1. Open the GPO that will be used to configure auditing using the Group Policy Management Editor and expand Computer Configuration Policies Windows Settings Security Settings. 2. Right-click on the Restricted Groups node and click Add Group. See Figure 6.47. Figure 6.47 Adding a Restricted Group 3. In the Add Group dialog box, click Browse. 4. In the Select Groups dialog box, in the Enter the object...

The Reliability Monitor

The Reliability Monitor provides a system stability overview and information about events that impact reliability. It is great for troubleshooting the root cause associated with any reduced reliability of the system. For instance, we may have a server that is slow to perform read and write requests. By using the Reliability Monitor, we can examine the server's trend over a period of time and examine failure types with details. The Reliability Monitor calculates the Stability Index which is...

Browse to the empty NTFS folder on the C drive and select OK

Figure 1.40 shows what the result will look like. The mount point folder in the C drive with a drive icon is a mount point to the physical drive or partition that was selected in Disk Management. The result is that now you have an extra 40 GB of storage mounted to the C drive that you can use. 7. To remove the mount point from the selected folder, follow the same steps and choose Remove from the menu in step 4. Removing the mount point does not remove the folder originally created, nor does...

On the Select Role Services page, select the Health Registration Authority check box, click Add Required Role Services in

On the Choose the Certification Authority to use with the Health Registration Authority page, choose Install a local CA to issue health certificates for this HRA server and then click Next. See Figure 10.15. Figure 10.15 Choose the Certification Authority to use with the Health Registration Authority. The Health Registration Authority requires that at least one Certification Authority (CA) be associated with it....

When the Certificate Issued page appears, click Install This Certificate. Close the browser

As the use of X.509-based certificates continues to grow, it becomes increasingly important that the management and organization of certificates be as diligent as possible. We know what a digital certificate is and what its critical components are, but a CA can issue a certificate for a number of different reasons. The certificate, then, must indicate exactly what the certificate will be used for. The set of rules that indicates exactly how a certificate may be used, what purpose it can be trusted...

Configuring ADFS

In this exercise, we are going to create the account side of the ADFS structure. The resource is the other half of the ADFS configuration, which is the provider of the service that will be provided to an account domain. To put it in real-world terms, the resource would provide the extranet application to the partner company (the account domain). 1. Click Start Administrative Tools Server Manager. 2. Scroll down to Role Summary, and then click Add Roles. 3. When the Before You Begin page opens,...

Configuring the SOA Record

For standard zones, DNS replication relies on the values configured in the Start of Authority (SOA) record. Although it appears as a record when viewing zone information in DNS Manager, the values it contains are actually configured within the zone's properties. To access them, in DNS Manager right-click a zone, select Properties, and click the Start of Authority (SOA) tab to bring it to the foreground (see Figure 2.26). The following settings can be configured: Serial number. This text box contains...

Remote Access Protocols

Encryption as dictated by security policies. PPTP offers payload privacy, but does not encrypt session control traffic. L2TP consolidates the best of other protocols within a single standard. L2TP Access Concentrators terminate PPP Link Control Protocol (LCP) and carry out dial session authentication. L2TP can be used with a separate LAC at the ISP NAS, or with a LAC Client on the end-user's PC. L2TP Network Servers terminate PPP NCP, provide routing and bridging for the PPP session, and make...

Understanding Domains

To trust relationships, which you will learn more about later in the book. Security policies such as the password policy, account lockout policy, and Kerberos ticket policy are defined on a per-domain basis. The domain is also the primary boundary defining your DNS and NetBIOS namespaces. The DNS infrastructure is a requirement for an Active Directory domain, and should be defined before you create the domain. There are several good reasons for a multiple-domain model, although a significant...

Renaming a Site

Renaming a site is one of the first tasks you should perform when administering a site structure. When you create a site initially, it is created with the default name Default-First-Site-Name. You can change this name based on the purpose of the site, such as the name of the physical location. A site is also renamed when a network of an organization is expanded by one or more sites. Even if an organization is located in a single location, it makes sense to rename the Default-First-Site-Name,...

Routing and Remote Access Services RRAS

Most of the major functions of network access, and the objectives that you will be required to know for your exam, revolve around the RRAS role. This is not a new feature to Windows Server 2008, but it has many omissions and additions since Windows Server 2003. From this role, you can access configuration tools for routing, connection manager, and remote access service, all of which will be very helpful in setting up remote access on your machines and managing policies. Let's install the RRAS...

Saving Command Line Output to a File

Sometimes the output of a command line command, such as a show all command, can be quite lengthy and can scroll off the screen, making it hard to locate needed information. You can save the output to a file by using this sequence of commands. Although the example is used for the netsh ipsec context, this works anywhere in the command line context. At the netsh command line context, type set filename filename.txt (where filename.txt is the file you want to create). Then, type ipsec static show...

Resource Overview

The Resource Overview screen is also known as the Home Page in the Details pane. The Resource Overview screen presents data about the system in a real-time graphical manner. You see similar categories as those you saw in the Task Manager: CPU, Network, Memory, and Disk (the latter is not shown in the Task Manager). You can expand the subsections by clicking on the white down arrow to the far right of the bar. When you do, you will see additional, more detailed information. For instance, if...

Chapter Configuring Certificate Services and PKI

You have been asked to provide an additional security system for your company's internet activity. This system should act as an underlying cryptography system. It should enable users or computers that have never been in trusted communication before to validate themselves by referencing an association to a trusted third party (TTP). The method of security the above example is referencing is D. Public Key Infrastructure (PKI). Correct Answer & Explanation: D. Answer D is correct because an...

Introduction to RODC

Read-only domain controllers were designed to combat this very problem. Let's take a scenario where a corporation has a remote office with ten employees. On a daily basis, these ten people are always in the office, while another five to ten float in and out and sometimes aren't there for weeks at a time. Overall, the company has about 1,000 employees. In a Windows 2000 Server or Windows Server 2003 Active Directory environment (or, pity you, a Windows NT 4.0 domain), if you have placed a domain...

The Event Viewer

The Event Viewer is traditionally the first place to look when troubleshooting anything in Windows (see Figure 5.52). You can access the Event Viewer by clicking on Start Administrative Tools Event Viewer. This tool, which has stood the test of time since the days of NT 3.1, has been completely rewritten and is based on XML. Many new features, functionality, and even a new interface have been added to the Event Viewer in Windows Server 2008. Figure 5.60 shows the new interface for the Event...

Figure IPSec Based NAP Network

The secure network is where all computers have health certificates and require IPsec authentication to communicate with any other computer. If a computer tries to communicate with a computer in the secure network without a health certificate, the computer in the secure network will ignore the client's request. In a NAP infrastructure, computers in the secure network would be members of the Active Directory domain. Boundary networks are where computers that are not NAP compliant can access a...

Figure Network Design

The remediation server could run Windows 2008 Server or Windows 2003 Server software. To remediate Windows Vista, Windows 2008 Server or Windows XP Service Pack 3, what other software would the remediation server need to run?
A. Windows Server Update Services (WSUS)
B. Network Protection Services (NPS)
C. Routing and Remote Access Services (RRAS)
D. Windows Security Health Validator (WSHV)
9. You instruct your junior network administrator Roger to set up a NAP enforcement point using a DHCP server....

Network Location Aware Host Firewall

In Windows Server 2008, the Windows Firewall with Advanced Security can act both as a network location-aware host firewall and as part of a server and domain isolation strategy. Let's look at these two scenarios in detail to understand the considerations for these deployment options. Windows Server 2008 as well as Windows Vista includes network awareness APIs that enable applications to sense changes to network configurations. What that means is that a corporate laptop that is placed into...

How Certificates Work

Before we delve into the inner workings of a certificate, let's discuss what a certificate actually is in layman's terms. In PKI, a digital certificate is a tool used for binding a public key with a particular owner. A great comparison is a driver's license. Consider the information listed on a driver's license: Social security number or another unique number, such as a state-issued license number; Signature certification by an authority, typically from within the issuing state's government body...

Figure A Typical NLB Configuration

Windows 2008 Nlb Cluster

5. When the installation is complete, click Close. Once the NLB feature has been installed you can start configuring the NLB cluster. 6. Open the Network Load Balancing Manager. 7. Right-click on Network Load Balancing Clusters and choose New Cluster. 8. Type the name of the first host that is going to be part of the NLB cluster and click Connect and then Next. 9. Use the Dedicated IP Addresses window to add all the Transmission...

Troubleshooting Replication

A common symptom of replication problems is that the information is not updated on some or all DCs. There are several steps that you can take to troubleshoot Active Directory replication, including: Check the network connectivity. The basic requirement for any type of replication to work properly in a distributed environment is network connectivity. The ideal situation is that all the DCs are connected by high-speed LAN links. In the real world, either a dial-up connection or a slow connection is...

Creating an Active Directory Integrated Forward Lookup Zone

Follow these steps to create an AD integrated forward lookup zone: 1. Open DNS Manager by clicking Start Administrative Tools DNS. 2. In the left pane, expand the node representing the server you want to configure, right-click Forward Lookup Zones, and click New Zone... 3. Read the welcome page of the New Zone Wizard dialog box and click Next. 4. On the Zone Type wizard page, leave the default selection of Primary zone and leave Store the zone in Active Directory available only if DNS server is...

Creating Host Records

A type host records are used for IPv4 hosts and AAAA type host records are used for IPv6 hosts. A computer can have both IPv4 and IPv6 addresses configured on it. Because of this, Windows allows a host to have both A and AAAA host records created for it. Let's examine how to create each type of record. To create a new A type host record, follow these steps 1. Open DNS Manager by clicking Start Administrative Tools DNS. 2. Expand the node for the server you want to configure, expand the Forward...

For Windows Firewall with Advanced Security

As with just about any other server feature in Windows Server 2008, you can use the command line to adjust firewall settings. Once you've opened the command window (Start Run cmd), you use the netsh context with the advfirewall command. As with other commands, you can use the netsh advfirewall command to get a list of available options and switches. We've listed a few here for your convenience (all commands here begin with netsh advfirewall followed by the option shown). Export. Exports the...

Creating a Standard Primary Reverse Lookup Zone

Follow these steps to create a reverse lookup zone: 1. Open DNS Manager by clicking Start Administrative Tools DNS. 2. In the left pane, expand the node representing the server you want to configure, right-click Reverse Lookup Zones, and click New Zone... 3. Read the welcome page of the New Zone Wizard dialog box and click Next. 4. On the Zone Type wizard page, leave the default selection of Primary zone and click Next. See Figure 2.11. 5. On the Reverse Lookup Zone Name wizard page, select the...

Creating a Custom View

1. Open the Event Viewer by clicking Start Administrative Tools Event Viewer. 2. In the Event Viewer, right-click Custom Views and select Create Custom View. 3. Next, the Create Custom View form comes up. In the Logged drop-down list, choose when you want events logged. For instance, you can choose Any time, Last hour, Last 12 hours, Last 24 hours, Last 7 days, Last 30 days, or a Custom range. When choosing Custom range, you decide the date and time from the first event to the date and time...

Linked Value Replication

When the forest level is at Windows Server 2003 or above, linked value replication (LVR) is available. Previously in Active Directory, primarily with Windows 2000, when an attribute changed the entire attribute was replicated to all other DCs on the network. Now, with LVR, changes in group membership are stored and replicated as values for individual members instead of replicating the entire membership as a single unit. LVR lowers the amount of bandwidth used in replication and the amount of processor...

Configuring Windows Firewall with Advanced Security

Windows Firewall with Advanced Security is a stateful firewall and as such, it inspects all packets for all IP traffic (IPv4 and IPv6). The default setting is that all incoming traffic is blocked automatically unless it is a response to a host request (called solicited traffic) or unless it specifically has been allowed. Specific traffic can be allowed by configuring firewall rules to allow specific traffic by configuring the port number, application name, service name, and other settings. Figure...

Configuring NAP Health Policies

NAP Health Policies are a combination of settings for health determination and enforcement of infrastructure compliance. Health requirement policies on the NAP health policy server determine whether a NAP client is compliant or noncompliant, how to treat noncompliant NAP clients and whether they should automatically remediate their health state, and how to treat clients that are not NAP capable for different NAP enforcement methods. The following settings make up the NAP Health Policies...

Open Shortest Path First OSPF

The area needs to agree that it is stub, so that it does not generate types of LSA not appropriate to a stub area. Stub areas do not have the transit attribute and thus cannot be traversed by a virtual link. Not-so-stubby area (NSSA): The Not-so-stubby area (NSSA) is a type of stub area that can import autonomous system (AS) external routes and send them to the backbone, but cannot receive AS external routes from the backbone or other areas. The NSSA is a non-proprietary extension of the existing stub...

Configuring Object Level Auditing

For this example, we will configure file system auditing. A similar procedure is used to audit other objects such as printers and Registry keys. 1. Open Windows Explorer by going to Start Computer, and navigate to the file system object on which you want to enable auditing. For this example, we will use a folder named Programs. 2. Right-click on the object you've selected, and click Properties. 3. In the Properties dialog box, select the Security tab, and click Advanced. See Figure 6.43. 4. In...