MCTS 70-640 – Configuring Windows Server 2008 Active Directory
Below are just some of my notes I have made whilst studying for the MCTS exam 70-640. I will sort this section out the further I get into the study.
Chapter 6 – Group Policy Management
Domain-based GPOs and the Default Domain Controllers Policy are created by Active Directory and are stored on the organisation's DCs.
Default Domain Policy – only amend the password policies, to align them with your organisation's policy.
If you need to configure other settings, create a new GPO.
Default Domain Controllers Policy – this policy should only be used to implement auditing policies. It should also be modified to assign the user rights required on DCs.
To create new GPOs you need to be a member of the Domain Admins and Group Policy Creator Owners groups.
Group Policy Processing Behaviour
Active Directory trust relationships are transitive; by default trusts are two-way relationships, and trusts are used to allow authentication of users from different domains.
Clients refresh Group Policy every 90-120 minutes.
Differences in policies
Policy-based QoS – policies to manage network traffic and give priority to certain applications and clients.
User Configuration node – manage RIS, folder redirection and Internet Explorer settings.
Administrative Templates node – contains the registry-based GPO settings.
Central store – holds all custom or downloaded ADM and ADMX files in one central location in the domain's SYSVOL share, so they can be seen from every DC rather than only the one they were downloaded to. Create a folder called PolicyDefinitions and copy all templates from the local server (%systemroot%\PolicyDefinitions) to \\FQDN\Sysvol\FQDN\Policies.
When assigning software you can create AD groups (e.g. taskmagic computers/users) and then use security filtering to deploy the package to those users or computers.
Chapter 8 Authentication
Configuring Password and Lockout Policies
Three password policies are encountered by administrators in an AD domain:
Maximum password age
Domain password policy is configured in a GPO under Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy.
Once a password is set, AD puts the password through an algorithm (a 'one-way function') which produces a hash. The hash is stored in AD, not the password itself.
The 'Store passwords using reversible encryption' policy is used by applications which need the ability to read a user's password. It is turned off by default, and enabling it increases the security risk. Try to eliminate such applications and proceed with caution before turning this on.
There can be only one set of authoritative password and lockout policies that applies to all users in a domain; these settings are configured in the Default Domain Policy GPO. Fine-grained password policies, which apply to individual users or groups in the domain, are managed by PSOs. You can create one or more PSOs in a domain.
Windows Server 2008 gives the option to specify different password and lockout policies for global security groups and users in the domain. Fine-grained password policies are deployed with Password Settings Objects and NOT with Group Policy.
If more than one PSO applies to a user or group, the one with the highest precedence wins (the precedence value closest to 1). However, if a PSO is linked directly to a user, that PSO prevails over any group PSO, even if the group PSO's precedence value is 1.
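As an added illustration (not part of the original notes), the resolution rule above, modelled in Python over constructed PSO data: a directly linked PSO always beats group PSOs, otherwise the lowest precedence value wins. Where two candidates share a precedence value, the smallest objectGUID is assumed as the tie-break (AD's documented behaviour, modelled here as a plain string comparison).

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class PSO:
    """Constructed stand-in for a Password Settings Object (msDS-PasswordSettings)."""
    name: str
    precedence: int              # msDS-PasswordSettingsPrecedence: lower value wins
    applies_to: FrozenSet[str]   # msDS-PSOAppliesTo: user and global group names
    guid: str                    # objectGUID, used only as the final tie-break


def resultant_pso(user: str, groups: Set[str], psos: List[PSO]) -> Optional[PSO]:
    """Return the PSO that governs `user`, or None if only the domain policy applies.

    Rule 1: any PSO linked directly to the user beats every group-linked PSO,
            regardless of precedence values.
    Rule 2: among the remaining candidates, the lowest precedence value wins.
    Rule 3 (assumed, not from the notes): equal precedence falls to the smallest GUID.
    """
    direct = [p for p in psos if user in p.applies_to]
    via_group = [p for p in psos if p.applies_to & groups]
    candidates = direct or via_group
    if not candidates:
        return None  # fall back to the Default Domain Policy password settings
    return min(candidates, key=lambda p: (p.precedence, p.guid.lower()))


# Constructed sample data: three PSOs in a fictional domain.
SAMPLE_PSOS = [
    PSO("Admins-Strict", 1, frozenset({"Domain Admins"}), "7b1c...a1"),
    PSO("Helpdesk-Standard", 10, frozenset({"Helpdesk"}), "3e9f...02"),
    PSO("Service-Accounts", 5, frozenset({"svc_backup"}), "c044...9d"),
]


def winner_name(user: str, groups: Set[str]) -> Optional[str]:
    """Convenience wrapper returning just the winning PSO's name."""
    pso = resultant_pso(user, groups, SAMPLE_PSOS)
    return pso.name if pso else None


if __name__ == "__main__":
    # svc_backup is in Domain Admins (precedence 1) but has a direct PSO (precedence 5):
    # the direct link wins despite the worse precedence value.
    print(winner_name("svc_backup", {"Domain Admins"}))     # Service-Accounts
    print(winner_name("alice", {"Domain Admins", "Helpdesk"}))  # Admins-Strict
    print(winner_name("bob", {"Finance"}))                  # None
```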
Account logon events occur on domain controllers, because they authenticate users wherever in the domain the logon happens.
To examine logon events across your domain, you must look at the individual event logs of EACH domain controller.
Configuring Read-only Domain Controllers
Before you introduce an RODC in a branch office you need to ensure the forest functional level is set to Windows Server 2003 or higher.
You must then upgrade one of the existing domain controllers to Windows Server 2008 so that there is at least one writable 2008 DC. Finally, you must also run adprep /rodcprep from the Windows Server 2008 DVD.
More to follow……..