Real MCTS/MCITP Exam 70-647 Prep Kit (eBook)
800 pages
Elsevier Science (publisher)
978-0-08-087913-0 (ISBN)
The Microsoft Certified IT Professional (MCITP) on Windows Server 2008 credential is intended for information technology (IT) professionals who work in the complex computing environment of medium to large companies. The MCITP candidate should have at least one year of experience implementing and administering a network operating system in an environment that has the following characteristics: 250 to 5,000 or more users, three or more physical locations, and three or more domain controllers.
An MCITP Enterprise Administrator is responsible for the overall IT environment and architecture, and translates business goals into technology decisions and designs mid-range to long-term strategies. The enterprise administrator is also responsible for infrastructure design and global configuration changes.
* Targeted at MCSE/MCSA upgraders AND new MCITP certification seekers.
* Interactive FastTrack e-learning modules help simplify difficult exam topics
* Two full-function ExamDay practice exams guarantee double coverage of all exam objectives
* Free download of audio FastTracks for use with iPods or other MP3 players
* THE independent source of exam day tips, techniques, and warnings not available from Microsoft
* Comprehensive study guide guarantees 100% coverage of all Microsoft's exam objectives
This exam is designed to validate skills as a Windows Server 2008 Enterprise Administrator. This exam will fulfill the Windows Server 2008 IT Professional requirements of Exam 70-647.
Front Cover 1
The Real MCITP Exam 647 Windows Server 2008 Enterprise Administrator Prep Kit 4
Copyright Page 5
Technical Editor 6
Lead Author 7
Contributing Authors 8
Contents 12
Foreword 28
Chapter 1: Name Resolution and IP Addressing 38
Introduction 39
Windows 2008 Name Resolution Methods 39
Developing a Naming Strategy 39
Comparing Name Resolution Procedures 40
Internal Names 41
External Names 41
Domain Name System 42
Host Names 42
Domain Names 42
Fully Qualified Domain Name (FQDN) 43
Is DNS Required? 45
DNS Queries 46
The DNS Query Process 47
Part 1: The Local Resolver 47
Part 2: Querying a DNS Server 48
Query Response Types 51
DNS Resource Records 52
DNS Zones 54
Non Active Directory-Integrated Zones 56
Zones Integrated with Active Directory 58
Secondary Zones, Stub Zones, and Condition Forwarding 60
The GlobalNames Zone 60
DNS Design Architecture 61
Split-Brain Design: Same Internal and External Names 61
Separate Name Design: Different External and Internal Names 63
DNS Server Implementation 64
DNS Dynamic Updates and Security 69
Creating Zones and Host Records 70
Setting Aging and Scavenging 72
Configuring DNS Client Settings 75
Setting Computer Names 76
NetBIOS Names Accommodation 77
Setting the Primary DNS Suffix 77
Setting Connection-Specific DNS Suffixes 77
The DNS Resolver Cache 80
Nslookup 81
Integration with WINS 81
The HOSTS File 83
Configuring Information for WINS Clients 85
WINS Name Registration and Cache 88
Setting Up a WINS Server 89
Configuring WINS Server 90
Configuring Replication Partners 93
Specifying Designated Replication Partners 95
Maintaining WINS 97
Burst Handling 97
Scavenging Records 100
The LMHOSTS File 100
TCP/IP v4 and v6 Coexistence 102
Features and Differences from IPv4 103
Summary of Exam Objectives 105
Exam Objectives Fast Track 106
Exam Objectives Frequently Asked Questions 111
Self Test 113
Self Test Quick Answer Key 117
Chapter 2: Designing a Network Access Strategy 118
Introduction 119
Network Access Policies 119
Network Access Methods 120
Local Network Access 121
Remote Network Access 122
RADIUS Server 122
RADIUS Components 124
Network Policy and Access Services 126
NAP Client Components 129
Network Policy Server 131
Designing a Network for NAP 140
RADIUS Proxy Server 141
Remote Access Strategies 142
Terminal Services for Server 2008 142
New Roles 150
Developing a Terminal Services Remote Access Strategy 152
The Corporate Desktop 153
RemoteApp Programs 154
Terminal Services Licensing 159
Installing a Terminal Service Licensing Server 159
Installing the TS Licensing Role Service on an Existing Terminal Server 160
Installing the TS Licensing Role Service on a Separate Server 161
Activating a Terminal Service Licensing Server 162
Activating a Terminal Service Licensing Server Using the Automatic Connection Method 163
Activating a Terminal Service Licensing Server Using the Web Browser Method 166
Activating a Terminal Service Licensing Server Using the Telephone Method 167
Establishing Connectivity between Terminal Server and Terminal Services Licensing Server 168
Using the Terminal Services Configuration Tool to Specify a TS Licensing Server 170
Publishing a Terminal Services Licensing Server Using TS Licensing Manager 171
TS CAL Types 171
Locating Terminal Services Licensing Services 172
Launching and Using the Remote Desktop Connection Utility 175
Configuring the Remote Desktop Connection Utility 176
The General Tab 176
The Display Tab 177
The Local Resources Tab 177
The Programs Tab 180
The Experience Tab 180
The Advanced Tab 182
Terminal Services Troubleshooting 182
Routing and Remote Access 185
Virtual Private Networking 187
VPN Authentication Protocols 187
PPTP 189
Prerequisites 189
Pros 189
Cons 190
L2TP/IPSec 190
Prerequisites 190
Pros 190
Cons 191
SSTP 191
Prerequisites 191
Pros 192
Cons 192
Monitoring and Maintaining NPAS 196
Working with Perimeter Networks 197
Understanding Perimeter Networks 199
Developing a Perimeter Network Strategy 201
Benefits of Server Core 201
Using Windows Firewall with Advanced Security 203
Connection Security Rules 203
Firewall Rules 204
Server and Domain Isolation 206
Benefits of Server Isolation 207
Benefits of Domain Isolation 208
Developing an Isolation Strategy 209
Summary of Exam Objectives 211
Exam Objectives Fast Track 212
Exam Objectives Frequently Asked Questions 215
Self Test 218
Self Test Quick Answer Key 221
Chapter 3: Active Directory Forests and Domains 222
Introduction 223
New in Windows Server 2008 Active Directory Domain Services 223
Designing Active Directory Forests and Domains 230
Factors to Consider When Creating Forest Design Plans 230
Business Units 230
Schema 231
Legal 231
Security 231
Namespaces 231
Timelines 232
Administrative Overhead 232
Testing Environments 233
Creating a Design Plan 233
The Forest Structure 236
The Active Directory Domain Services (AD DS) Logical Design Structure 236
Active Directory Forest 237
Active Directory Tree 238
Active Directory Domain 238
Organizational Units (OU) 239
The Active Directory Domain Services (AD DS) Physical Design Structure 241
Domain Controllers 241
Sites and Site Links 241
Subnets 242
Creating the Forest Root Domain 243
Forest and Domain Function Levels 246
Upgrading Your Forest 250
Windows 2000 Native Mode Active Directory to Windows Server 2008 AD DS 250
Windows Server 2003 Forest to Windows Server 2008 251
New Forest 252
Intra-Organizational Authorization and Authentication 252
Schema Modifications 255
Designing an Active Directory Topology 257
Server Placement 259
Determining the Placement of the Forest Root Domain Controllers 259
Determining the Placement of the Regional Domain Controllers 259
Determining the Placement of the Operations Masters 261
Placement of the PDC Emulator 262
Placement of the Infrastructure Master 262
Planning for Networks with Limited Connectivity 263
Determining the Placement of Global Catalog Servers 265
Creating the Site Link Objects 268
Site Link Bridge Design 270
Creating the Site Objects 271
Creating the Subnet Objects 272
Printer and Location Policies 272
Designing an Active Directory Administrative Model 276
Delegation 277
Group Strategy 278
Compliance Auditing 282
Global Audit Policy 284
SACL 284
Schema 285
Summary of Exam Objectives 286
Exam Objectives Fast Track 287
Exam Objectives Frequently Asked Questions 290
Self Test 291
Self Test Quick Answer Key 297
Chapter 4: Designing an Enterprise-Level Group Policy Strategy 298
Introduction 299
Understanding Group Policy Preferences 299
ADMX/ADML Files 302
Understanding Group Policy Objects 305
Deciding Which Domain Controller Will Process GPOs 307
Group Policy Processing over Slow Links 310
Group Policy Processing over Remote Access Connections 312
Group Policy Background Refresh Interval 312
Backing Up and Restoring GPOs 313
User Policies 316
Software Installation 317
Security Settings 318
Folder Redirection Settings 319
Logon and Logoff Scripts 321
Administrative Templates 323
Computer Policies 324
Software Installation 325
Restricted Groups 326
Windows Firewall with Advanced Security 327
Policy-Based Quality of Service 328
Startup and Shutdown Scripts 330
Administrative Templates 331
GPO Templates 332
Starter GPOs 332
Linking GPOs to Active Directory Objects 333
Linking GPOs 333
GPO Conflicts 334
RSoP 337
Managing Group Policy with Windows PowerShell 340
OU Hierarchy 343
Understanding Group Policy Hierarchy and Scope Filtering 344
Understanding Group Policy Hierarchies 344
Understanding Scope Filtering 345
Scope Filtering: Permissions 345
Scope Filtering: WMI Filters 347
Controlling Device Installation 349
Controlling Device Installation by Computer 349
Allowing/Preventing Installation of Devices Using Drivers That Match These Device Setup Classes 350
Display a Custom Message When Installation Is Prevented by Policy (Balloon Text/Title) 350
Allowing/Preventing Installation of Devices That Match Any of These Device IDs 350
Preventing Installation of Removable Devices 351
Preventing Installation of Devices Not Described by Any Other Policy Setting 351
Controlling Device Installation by User 351
Summary of Exam Objectives 352
Exam Objectives Fast Track 352
Exam Objectives Frequently Asked Questions 355
Self Test 357
Self Test Quick Answer Key 362
Chapter 5: Designing Identity and Access Management 364
Introduction 365
Planning for Migration, Upgrades, and Restructuring 366
Knowing When to Restructure 390
Intra-Forest Domain Restructure 391
Intra-Forest Upgrade and Restructure 394
Cross-Forest Authentication 396
Implementation Planning 397
Planning for Interoperability 397
Interorganizational Strategies 398
Active Directory Federation Services 398
What Is Federation? 399
Why and When to Use Federation 399
Prerequisites for ADFS 401
Configuring ADFS 401
Application Authorization Interoperability 413
Using Active Directory Lightweight Directory Services to Provide Authentication and Authorization to Extranet Users 413
When to Use AD LDS 414
Changes from Active Directory Application Mode (ADAM) 414
Configuring AD LDS 415
Working with AD LDS 418
Cross-Platform Interoperability 420
File System Paths and Permissions on Unix Systems 420
Authentication on Unix Systems 421
Network Information System 421
NIS+ 422
Network File System (NFS) 425
Summary of Exam Objectives 432
Exam Objectives Fast Track 434
Exam Objectives Frequently Asked Questions 436
Self Test 438
Self Test Quick Answer Key 441
Chapter 6: Designing a Branch Office Deployment 442
Introduction 443
The Branch Office Challenge 443
Network Bandwidth 443
Security 443
Backup and Restore 444
Hub-and-Spoke Topology 445
Developing an Authentication Strategy 446
Centralized Account Administration 446
Single Sign-on 446
Kerberos Authentication 447
Password Policies 447
When to Place a Domain Controller in a Remote Office 448
Number of Group Policies 448
Logon Scripts 448
User Population 448
Domain Controller Physical Security 449
On-Site Technical Expertise Availability 449
Authentication Availability 449
WAN Link Speed and Bandwidth Utilization 449
Bandwidth and Network Traffic Considerations 449
Placing a Global Catalog Server in a Remote Office 451
Universal Group Membership Caching 452
Full Domain Controller vs. Read-Only Domain Controller 453
Using BitLocker 454
Trusted Platform Modules 454
A Practical Example 455
Introduction to BitLocker 455
Full Volume Encryption 456
Startup Process Integrity Verification 456
Recovery Mechanisms 457
Remote Administration 458
Secure Decommissioning 458
BitLocker Architecture 459
Keys Used for Volume Encryption 460
Hardware Upgrades on BitLocker-Protected Systems 461
BitLocker Authentication Modes 461
TPM Only 462
TPM with PIN Authentication 462
TPM with Startup Key Authentication 462
Startup Key-Only 463
When to Use BitLocker on a Windows 2008 Server 463
Support for Multifactor Authentication on Windows Server 2008 463
PIN Authentication 464
Startup Key Authentication 464
Enabling BitLocker 464
Partitioning Disks for BitLocker Usage 464
Installing the BitLocker on Windows Server 2008 466
Turning on BitLocker 468
Enable BitLocker Support for TPM-less Operation 471
Turning on BitLocker on Systems without a TPM 472
Administration of BitLocker 474
Using Group Policy with BitLocker 474
Storing BitLocker and TPM Recovery Information in Active Directory 476
Storage of BitLocker Recovery Information in Active Directory 477
Storage of TPM Information in Active Directory 478
Prerequisites 478
Extending the Schema 479
Setting Required Permissions for Backing Up TPM Passwords 481
Configuring Group Policy to Enable BitLocker and TPM Backup to Active Directory 481
Recovering Data 482
Disabling BitLocker 484
Configuring Read-Only Domain Controllers 484
Purpose 485
Features 485
Credential Caching 486
Password Changes on an RODC? 487
RODCs and Kerberos Ticket Account 487
Read-Only Domain Name System 489
Installing an RODC 489
Installation of an RODC 491
Prestaging RODC Computer Accounts 494
Full Server Installation vs. Server Core Installation 497
Configuring an RODC 501
Examining Cached Credentials 505
To Export a List of Cached Accounts 506
Where Is a Password Replication Policy Stored? 506
Designing Password Replication Policies 507
No Account Caching 508
Full Account Caching 508
Branch-specific Caching 509
Role Separation 509
Configuring Role Separation 511
Remote Administration 511
Remote Desktop for Administration 512
Remote Server Administration Tools 512
Telnet 513
Windows Remote Management (WinRM) 514
WinRM Listeners 514
Remote Management Using WinRM 515
Group Policy 516
Summary of Exam Objectives 517
Exam Objectives Fast Track 520
Exam Objectives Frequently Asked Questions 521
Self Test 523
Self Test Quick Answer Key 526
Chapter 7: Configuring Certificate Services and PKI 528
Introduction 529
What Is PKI? 530
The Function of the PKI 532
Components of PKI 533
How PKI Works 535
PKCS Standards 537
How Certificates Work 543
Public Key Functionality 546
Digital Signatures 547
Authentication 548
Secret Key Agreement via Public Key 549
Bulk Data Encryption without Prior Shared Secrets 549
User Certificates 562
Machine Certificates 563
Application Certificates 563
Analyzing Certificate Needs within the Organization 563
Working with Certificate Services 564
Configuring a Certificate Authority 564
Certificate Authorities 565
Standard vs. Enterprise 565
Root vs. Subordinate Certificate Authorities 566
Certificate Requests 567
Certificate Practice Statement 572
Key Recovery 572
Backup and Restore 572
Assigning Roles 579
Enrollments 579
Revocation 580
Working with Templates 584
General Properties 586
Request Handling 588
Cryptography 589
Subject Name 591
Issuance Requirements 592
Security 595
Types of Templates 596
User Certificate Types 596
Computer Certificate Types 597
Other Certificate Types 599
Custom Certificate Templates 599
Securing Permissions 602
Versioning 603
Key Recovery Agent 604
Summary of Exam Objectives 606
Exam Objectives Fast Track 607
Exam Objectives Frequently Asked Questions 609
Self Test 612
Self Test Quick Answer Key 615
Chapter 8: Planning for Server Virtualization 616
Introduction 617
Understanding Virtualization 617
Server Consolidation 620
Quality Assurance and Development Testing Environments 621
Disaster Recovery 624
Microkernelized vs. Monolithic Hypervisor 625
Monolithic Hypervisor 625
Microkernel Hypervisor 627
Detailed Architecture 628
Parent Partition 630
Child Partitions 632
Guest Operating Systems 632
Guest with Enlightened Operating System 632
Guest with Partially Enlightened Operating System 633
Legacy Guest 633
Application Compatibility 633
Microsoft Server Virtualization 634
Hyper-V 637
Configuration 638
Installing the Virtualization Role on Windows Server 2008 639
Configuring Virtual Servers with Hyper-V 651
Server Core 661
Competition Comparison 663
Server Placement 665
System Center Virtual Machine Manager 2007 667
Virtual Machine Manager Administrator Console 669
Windows PowerShell Command-Line Interface 671
System Center Virtual Machine Manager Self Service Web Portal 671
Virtual Machine Manager Library 672
Migration Support Functionality 673
Virtual Machine Creation Process Using SCVMM 674
Managing Servers 675
Stand-Alone Virtualization Management Console 676
Managing Applications 677
Managing VMWare 681
Summary of Exam Objectives 683
Exam Objectives Fast Track 684
Exam Objectives Frequently Asked Questions 688
Self Test 691
Self Test Quick Answer Key 694
Chapter 9: Planning for Business Continuity and High Availability 696
Introduction 697
Planning for Storage Requirements 698
Self Healing NTFS 699
Multipath I/O (MPIO) 700
Data Management 701
Share and Storage Management Console 701
Storage Explorer 702
Storage Manager for SANs Console 703
Data Security 704
Group Policy Control over Removable Media 704
BitLocker Drive Encryption 705
BitLocker Volume Recovery 707
BitLocker Management Options 707
Using BitLocker for the Safe Decommissioning of Hardware 708
Data Collaboration 709
Planning for High Availability 714
Failover Clustering 714
Architectural Details of Windows 2008 Failover Clustering 715
Multi-Site Clusters 731
Service Redundancy 732
Service Availability 734
Data Accessibility and Redundancy 734
Failover Clustering 735
Prerequisites 735
Distributed File System 736
Virtualization and High Availability 737
Planning for Backup and Recovery 738
Data Recovery Strategies 753
Server Recovery 754
WinRE Recovery Environment Bare Metal Restore 755
Command Line Bare Metal Restore 756
Recovering Directory Services 756
Backup Methods for Directory Services 756
Backup Types for Directory Services 757
Recovery Methods for Directory Services 757
Directory Services Restore Mode Recovery 757
Non-Authoritative Restore 758
Authoritative Restore 760
Object Level Recovery 760
Summary of Exam Objectives 768
Exam Objectives Fast Track 768
Exam Objectives Frequently Asked Questions 773
Self Test 776
Self Test Quick Answer Key 779
Chapter 10: Software Updates and Compliance Management 780
Introduction 781
Value Proposition 782
The Compliance Picture 783
Patch Management 784
OS Level Patch Management 785
Windows Server Update Services 786
System Requirements 787
Types of Patches 788
Comparison to Microsoft Update 790
Implementing WSUS 791
Designing a WSUS Infrastructure 791
Small Enterprise (1-100 Workstations) 791
Branch Office Deployment 792
Large Enterprises 793
Deploying to Client Computers 805
Application Patching 811
Security Baselines 811
What Is a Baseline? 812
Using the GPO Accelerator Tool 812
Requirements 814
Supported Security Baselines 814
Using the Baseline Security Analyzer 820
Comparison to Microsoft Update 820
Implementing MBSA 821
Analyzing MBSA Results 823
System Health Models 825
What Is a System Health Model? 825
Developing a Health Model 826
Summary of Exam Objectives 827
Exam Objectives Fast Track 827
Exam Objectives Frequently Asked Questions 831
Self Test 834
Self Test Quick Answer Key 839
Appendix: Self Test Appendix 840
Chapter 1: Name Resolution and IP Addressing 841
Chapter 2: Designing a Network Access Strategy 846
Chapter 3: Active Directory Forests and Domains 851
Chapter 4: Designing an Enterprise-Level Group Policy Strategy 859
Chapter 5: Designing Identity and Access Management 866
Chapter 6: Designing a Branch Office Deployment 871
Chapter 7: Developing a Public Key Infrastructure 876
Chapter 8: Planning for Server Virtualization 882
Chapter 9: Planning for Business Continuity and High Availability 887
Chapter 10: Software Updates and Compliance Management 893
Index 902
Publication date (per publisher) | 31.8.2011 |
---|---|
Language | English |
Subject area | Non-fiction / Guides |
Computer science ► Operating systems / Servers ► Windows | |
Computer science ► Networks ► Security / Firewall | |
Computer science ► Other topics ► Certification | |
Mathematics / Computer science ► Mathematics | |
ISBN-10 | 0-08-087913-6 / 0080879136 |
ISBN-13 | 978-0-08-087913-0 / 9780080879130 |
Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to protect the eBook against misuse. The eBook is authorized to your personal Adobe ID at download time. You can then read the eBook only on devices that are also registered to your Adobe ID.
File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost all devices, but is only of limited suitability for small displays (smartphone, eReader).
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a
eReader: This eBook can be read on (almost) all eBook readers. It is, however, not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.