Ranj B Technical Blog

MCTS 70-640 – Configuring Windows Server 2008 Active Directory

Posted on August 14, 2014, in Microsoft Certified Notes.

Below are just some of the notes I have made while studying for the MCTS exam 70-640. I will sort this section out the further I get into the study.

Chapter 6 – Group Policy Management

Domain-based GPOs and the Default Domain Controllers Policy are created by Active Directory and are stored on the organisation's DCs.

Default Domain Policy – only amend the password policies here, to align them with your organisation's policy.

If you need to configure other settings, create a new GPO.

Default Domain Controllers Policy – this policy should only be used to implement auditing policies. It should also be modified to assign the user rights required on DCs.

To create new GPOs you need to be a member of the Domain Admins and Group Policy Creator Owners groups.

Group Policy Processing Behaviour

Trust Relationships

Active Directory trust relationships are transitive; by default trusts are two-way, and trusts are used to allow authentication of users from different domains.

Clients refresh Group Policy every 90-120 minutes.

Differences in policies

Policy-based QoS – policies to manage network traffic and give priority to certain applications and clients.

User Configuration node – manages RIS, folder redirection and IE settings.

Administrative Templates node – contains registry-based GPO settings.

Central store – puts all custom or downloaded ADM and ADMX files into one central store in the domain's SYSVOL share, so they can be seen on all DCs rather than only the one they were downloaded to. Create a folder called PolicyDefinitions and then copy all the template files from the local server (%systemroot%\PolicyDefinitions) to \\FQDN\SYSVOL\FQDN\Policies.

Software Deployment

When assigning software you can create AD groups (e.g. taskmagic computers/users) and then use security filtering to deploy the package only to those users or computers.

Chapter 8 – Authentication

Configuring Password and Lockout Policies

Three password policy settings are commonly encountered by administrators in an AD domain:

Maximum password age

Password length

Password complexity

The domain password policy is configured in a GPO under:

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy

Once a password is set, AD puts it through an algorithm called a 'one-way function' which produces a hash. The hash is what is stored in AD, not the password itself.

The 'Store passwords using reversible encryption' policy is used by applications which need the ability to read a user's password. It is turned off by default, and enabling it increases the security risk. Try to eliminate these applications, and proceed with caution before turning this on.

There can be only one set of authoritative password and lockout policies that apply to all users in a domain; these settings are configured in the Default Domain Policy GPO. Fine-grained password policies, which apply to individual users or groups in the domain, are managed by Password Settings Objects (PSOs). You can create one or more PSOs in a domain.

Windows Server 2008 gives the option to specify different password and lockout policies for global security groups and users in the domain. Fine-grained password policies are deployed with Password Settings Objects and NOT with Group Policy.

If more than one PSO applies to a user or group, the one with the highest precedence wins (the precedence value closest to 1). However, if a PSO is linked directly to a user, that PSO prevails over any group PSOs, even if a group PSO's precedence is set to 1.
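As an added illustration (not code from these notes), the following Python models how the resultant PSO is chosen for a user: a PSO linked directly to the user beats any group-linked PSO, otherwise the lowest precedence value wins, and equal precedence values fall back to the documented tie-breaker, the PSO with the lowest objectGUID. The users, groups and GUIDs are constructed sample data.

```python
"""Model of resultant PSO selection (constructed example, not the blog's code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional
from uuid import UUID


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int           # msDS-PasswordSettingsPrecedence; 1 is strongest
    guid: UUID                # objectGUID, used only to break precedence ties
    applies_to: FrozenSet[str]  # msDS-PSOAppliesTo: user or global group DNs


@dataclass
class User:
    dn: str
    groups: FrozenSet[str] = field(default_factory=frozenset)  # global security groups


def resultant_pso(user: User, psos: List[PSO]) -> Optional[PSO]:
    """Return the PSO that wins for `user`, or None if the Default Domain Policy applies."""
    direct = [p for p in psos if user.dn in p.applies_to]
    via_group = [p for p in psos if p.applies_to & user.groups]
    # A PSO linked directly to the user always beats group links, whatever the precedence.
    candidates = direct or via_group
    if not candidates:
        return None
    # Lowest precedence value wins; equal values are broken by the lowest GUID.
    return min(candidates, key=lambda p: (p.precedence, p.guid.int))


# Constructed sample directory: DNs and GUIDs are made up for the demonstration.
ALICE = "CN=Alice,OU=Staff,DC=example,DC=local"
BOB = "CN=Bob,OU=Staff,DC=example,DC=local"
ADMINS = "CN=Admins,DC=example,DC=local"
SERVICE = "CN=ServiceAccounts,DC=example,DC=local"

SAMPLE_PSOS = [
    PSO("PSO-Admins", 1, UUID("00000000-0000-0000-0000-000000000002"), frozenset({ADMINS})),
    PSO("PSO-Alice", 10, UUID("00000000-0000-0000-0000-000000000003"), frozenset({ALICE})),
    PSO("PSO-Service", 1, UUID("00000000-0000-0000-0000-000000000001"), frozenset({SERVICE})),
]

if __name__ == "__main__":
    # Alice is in Admins (precedence 1) but has a direct PSO (precedence 10): direct wins.
    print(resultant_pso(User(ALICE, frozenset({ADMINS})), SAMPLE_PSOS).name)
    # Bob is in two groups whose PSOs tie on precedence 1: the lower GUID wins.
    print(resultant_pso(User(BOB, frozenset({ADMINS, SERVICE})), SAMPLE_PSOS).name)
```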

Auditing Authentication

Account logon events occur on domain controllers, as they authenticate users anywhere in the domain.

To examine logon events across your domain, you must look at the individual event logs of EACH domain controller.

Configuring Read-only Domain Controllers

Before you introduce an RODC in a branch office you need to ensure the forest functional level is set to Windows Server 2003 or higher.

You must then upgrade one of the existing domain controllers to Windows Server 2008 so that there is at least one writable Windows Server 2008 DC. Finally, you must also run adprep /rodcprep from the Windows Server 2008 DVD.

More to follow……..