Syngress: The Real MCTS/MCITP Windows Server 2008 Enterprise Administrator Exam 70-647 Prep Kit (April 2008, ISBN 1597492493)

Visit us at www.syngress.com. Syngress is committed to publishing high-quality books for IT professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

  SOLUTIONS WEB SITE

To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

  ULTIMATE CDs

Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS

For readers who can't wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET

Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING

Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

  CUSTOM PUBLISHING

Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.


Technical Editor: Tony Piltzecker
Lead Author: Tariq Azad

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media® and Syngress® are registered trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER

001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 BPOQ48722D
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T

PUBLISHED BY Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

The Real MCITP Exam 70-647 Prep Kit
Copyright © 2008 by Elsevier, Inc. All rights reserved. Printed in the United States of America.

Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

  Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

ISBN 13: 978-1-59749-249-2

Publisher: Andrew Williams
Acquisitions Editor: David George
Technical Editor: Tony Piltzecker
Project Manager: Gary Byrne
Page Layout and Art: SPI
Copy Editors: Alice Brzovic, Adrienne Rebello, and Mike McGee
Indexer: Michael Ferreira
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@elsevier.com.

Technical Editor

Tony Piltzecker (CISSP, MCSE, CCNA, CCVP, Check Point CCSA, Citrix CCA), author and technical editor of Syngress Publishing's MCSE Exam 70-296 Study Guide and DVD Training System and How to Cheat at Managing Microsoft Operations Manager 2005, is an independent consultant based in Boston, MA.

Tony's specialties include network security design, Microsoft operating system and applications architecture, and Cisco IP Telephony implementations. Tony's background includes positions as Systems Practice Manager for Presidio Networked Solutions, IT Manager for SynQor Inc, Network Architect for Planning Systems, Inc., and Senior Networking Consultant with Integrated Information Systems. Along with his various certifications, Tony holds a bachelor's degree in business administration. Tony currently resides in Leominster, MA, with his wife, Melanie, and his daughters, Kaitlyn and Noelle.


Lead Author

Tariq Bin Azad is the Principal Consultant and Founder of NetSoft Communications Inc., a consulting company located in Toronto, Canada. He is considered a top IT professional by his peers, coworkers, colleagues, and customers. He obtained this status by continuously learning and improving his knowledge and information in the field of information technology. Currently, he holds more than 100 certifications, including MCSA, MCSE, MCTS, MCITP (Vista, Mobile 5.0, Microsoft Communications Server 2007, Windows 2008, and Microsoft Exchange Server 2007), MCT, CIW-CI, CCA, CCSP, CCEA, CCI, VCP, CCNA, CCDA, CCNP, CCDP, CSE, and many more. Most recently, Tariq has been concentrating on Microsoft Windows 2000/2003/2008, Exchange 2000/2003/2007, Active Directory, and Citrix implementations. He is a professional speaker and has trained architects, consultants, and engineers on topics such as Windows 2008 Active Directory, Citrix Presentation Server, and Microsoft Exchange 2007. In addition to owning and operating an independent consulting company, Tariq works as a Senior Consultant and has utilized his training skills in numerous workshops, corporate trainings, and presentations. Tariq holds a Bachelor of Science in Information Technology from Capella University, USA, and a Bachelor's degree in Commerce from the University of Karachi, Pakistan, and is working on his ALMIT (Master's of Liberal Arts in Information Technology) from Harvard University, in Cambridge, MA. Tariq has been a coauthor on multiple books, including the best-selling MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (ISBN: 047018146X) and The Real MCTS/MCITP Exam 640 Preparation Kit (ISBN: 978-1-59749-235-5). Tariq has worked on projects or trained for major companies and organizations, including Rogers Communications Inc., Flynn Canada, Cap Gemini, HP, Direct Energy, Toyota Motors, Compaq, IBM, Citrix Systems Inc., Unicom Technologies, Amica Insurance Company, and many others. He lives in Toronto, Canada, and would like to thank his father, Azad Bin Haider, and his mother, Sitara Begum, for a lifetime of guidance and for their understanding and support in giving him the skills that have allowed him to excel in work and life.


Contributing Authors

Steve Magowan is a Senior IT Consultant with extensive experience in IT environment migrations and version upgrades for the Exchange and Active Directory resources of enterprise-level clients. As a result of corporate acquisitions, Steve has also accomplished multiple large-scale Exchange, Active Directory, and application-based resource integration projects, bringing companies in the 5,000- to 10,000-user range into larger 25,000+ user enterprise environments. In support of these projects, Steve has gained considerable exposure to the virtualization solutions offered by VMware, Citrix, and Microsoft. Working most extensively with VMware-based technologies, Steve has used virtualization platforms to accomplish large-scale physical-to-virtual application server migrations involving hundreds of application workloads. The use of virtualization technology has allowed Steve to complete these integration initiatives in an efficient manner that was always invisible to end users. A retired veteran of the Canadian Air Force, Steve has spent the last 12 years building his IT skill set as a consultant. Since leaving the Air Force, Steve has had the opportunity to perform migration and integration projects both in and outside of North America. His fluency in French and Spanish has allowed him to branch out and work in other parts of the world, providing the secondary benefit of travel, as well as the opportunity to work with and learn about people of other cultures and their languages. For Steve these expatriate experiences have been very valuable, and he is grateful to have had them.

Ryan Hanisco (MCSE, MCTS: SQL) is an Engagement Manager for Magenic, a company focused on delivering business value through applied technology and one of the nation's premier Microsoft Gold Certified Partners. Ryan has worked in the IT industry for over 10 years, providing infrastructure and development services to organizations in both the public and private sectors. He is a regular contributor to the Microsoft communities and believes strongly in supporting the community through thought leadership and open sharing of ideas.

He has spoken at several national conferences on topics in varying disciplines, including Microsoft Vista deployment, Citrix implementation, and TCO of Terminal Service solutions. Ryan also maintains a technical blog, which provides technical and business best practices to bridge the gap between corporate strategy and IT's ability to execute. Ryan would like to thank Drew, Cinders, and Gato for putting up with him. Additional thanks go to Norm, Paul, John, Tom, Keith, and all the other Magenicons who keep him laughing and make IT a great industry to be in.

Joe Lurie (MCSE, MCT, MCTS, MCITP) is a Senior Consultant specializing in Microsoft Application Virtualization, Business Desktop Deployment, and Active Directory, and has spent the past several years training thousands of students on these technologies. Joe holds several certifications from Microsoft, Cisco, and CompTIA, and has been coaching students on exam prep since he first got certified in Windows NT. In addition to teaching, Joe was only the second person in North America to be certified to teach Microsoft Application Virtualization, and he has been consulting on this product since it was acquired by Microsoft. He also writes Hands-On-Labs for Microsoft and is frequently a Technical Learning Guide and presenter at many technical conferences, including Tech Ed, Tech Ready, and Launch Events. Besides Hands-On-Labs, a number of the Server 2008 First-Look clinics were either written or reviewed by Joe, as were dozens of Hands-On-Labs in technologies ranging from application compatibility, Windows Vista deployment, and QoS to group policy enhancements in Windows Server 2008. In his spare time, Joe has a wife and two daughters that he loves to spend time with, doing everything from reading to swimming to skiing. Joe is thankful to HynesITe, Axis Technology, and to the MCT community for the countless opportunities they have given him.


Christian Schindler is a Microsoft Certified Architect | Messaging, MCSE, MCITP for Windows Server 2008, and an MCT. He has been a trainer for 10 years and designed several customized courses for leading learning providers. He began his career as a systems engineer at a telecommunications company, managing directory and messaging services. Currently, he works as a Senior Consultant at NTx BackOffice Consulting Group, a Microsoft Gold Certified Partner specializing in advanced infrastructure solutions.

Shoab Syed is an expert in Microsoft technologies. He has an extensive background in providing systems solutions and implementations spanning over 12 years. His clients include major national and international companies from various industries in both the public and private sectors. Shoab currently resides in Toronto, Canada, and provides consulting services worldwide.


  Contents

Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii

Chapter 1 Name Resolution and IP Addressing . . . . . . . . . . . . . . . . . . . 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Windows 2008 Name Resolution Methods . . . . . . . . . . . . . . . . . . . . . . . . . 2 Developing a Naming Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Comparing Name Resolution Procedures . . . . . . . . . . . . . . . . . . . . . 3 Internal Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 External Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Domain Name System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Host Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Domain Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Fully Qualifi ed Domain Name (FQDN) . . . . . . . . . . . . . . . . . . . . . . . . 6 Is DNS Required? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 DNS Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 The DNS Query Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Part 1: The Local Resolver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Part 2: Querying a DNS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Query Response Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 DNS Resource Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 DNS Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Non Active Directory–Integrated Zones . . . . . . . . . . . . . . . . . . . . . . . 19 Zones Integrated with Active Directory . . . . . . . . . . . . . . . . . . . . . . . . 
21 Secondary Zones, Stub Zones, and Condition Forwarding . . . . . . . . . . 23 The GlobalNames Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 DNS Design Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Split-Brain Design: Same Internal and External Names . . . . . . . . . . 24 Separate Name Design: Different External and Internal Names . . . . 26 DNS Server Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 DNS Dynamic Updates and Security . . . . . . . . . . . . . . . . . . . . . . . . . 32 Creating Zones and Host Records . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Setting Aging and Scavenging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Confi guring DNS Client Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Setting Computer Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 NetBIOS Names Accommodation . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Setting the Primary DNS Suffi x . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

  xi

  xii Contents

  Setting Connection-Specifi c DNS Suffi xes . . . . . . . . . . . . . . . . . . . 40 The DNS Resolver Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

  Nslookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Integration with WINS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

  The HOSTS File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Confi guring Information for WINS Clients . . . . . . . . . . . . . . . . . . . . . 48 WINS Name Registration and Cache . . . . . . . . . . . . . . . . . . . . . . . . . 51 Setting Up a WINS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Confi guring WINS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Confi guring Replication Partners . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

  Specifying Designated Replication Partners . . . . . . . . . . . . . . . . . . . 58 Maintaining WINS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

  Burst Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Scavenging Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

  The LMHOSTS File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 TCP/IP v4 and v6 Coexistence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

  Features and Differences from IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . 74 Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Chapter 2 Designing a Network Access Strategy . . . . . . . . . . . . . . . . 81 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Network Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Network Access Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Local Network Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Remote Network Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 RADIUS Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Network Policy and Access Services . . . . . . . . . . . . . . . . . . . . . . . . . . 89 NAP Client Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Network Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Designing a Network for NAP . . . . . . . . . . . . . . . . . . . . . . . . . . . .103 RADIUS Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104 Remote Access Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105 Terminal Services for Server 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . .105 New Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113 Developing a Terminal Services Remote Access Strategy . . . . . . . . .115

  Contents xiii

  The Corporate Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116 RemoteApp Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117 Terminal Services Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122

  Installing a Terminal Service Licensing Server . . . . . . . . . . . . . . . . . . .122 Installing the TS Licensing Role Service on an Existing

  Terminal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123 Installing the TS Licensing Role Service on a Separate Server . . . . .124

  Activating a Terminal Service Licensing Server . . . . . . . . . . . . . . . . . . .125 Activating a Terminal Service Licensing Server Using the

  Automatic Connection Method . . . . . . . . . . . . . . . . . . . . . . . . .126 Activating a Terminal Service Licensing Server Using the

  Web Browser Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129 Activating a Terminal Service Licensing Server Using the Telephone Method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130 Establishing Connectivity between Terminal Server and

  Terminal Services Licensing Server. . . . . . . . . . . . . . . . . . . . . . .131 Using the Terminal Services Confi guration Tool to

  Specify a TS Licensing Server . . . . . . . . . . . . . . . . . . . . . . . .133 Publishing a Terminal Services Licensing Server

  Using TS Licensing Manager . . . . . . . . . . . . . . . . . . . . . . . . .134 TS CAL Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134 Locating Terminal Services Licensing Services . . . . . . . . . . . . . . . . .135 Launching and Using the Remote Desktop

  Connection Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138 Confi guring the Remote Desktop Connection Utility . . . . . . . . . .139

  The General Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139 The Display Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140 The Local Resources Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140 The Programs Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143 The Experience Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143 The Advanced Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145

  Terminal Services Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . .145 Routing and Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148 Virtual Private Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150

  VPN Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . .150 PPTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152

  Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152 Pros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152 Cons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153 L2TP/IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153

  xiv Contents

  Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153 Pros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153 Cons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154 SSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154

  Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154 Pros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155 Cons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155

  Monitoring and Maintaining NPAS . . . . . . . . . . . . . . . . . . . . . . . . . .159 Working with Perimeter Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160

  Understanding Perimeter Networks. . . . . . . . . . . . . . . . . . . . . . . . . . .162 Developing a Perimeter Network Strategy . . . . . . . . . . . . . . . . . . . . . .164 Benefi ts of Server Core . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164 Using Windows Firewall with Advanced Security . . . . . . . . . . . . . . . . .166

  Connection Security Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166 Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167

  Server and Domain Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169 Benefi ts of Server Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170 Benefi ts of Domain Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171 Developing an Isolation Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172

  Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174 Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175 Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .178 Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181 Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184

Chapter 3 Active Directory Forests and Domains . . . . . . . . . . . . . . . . 185 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186 New in Windows Server 2008 Active Directory Domain Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186 Designing Active Directory Forests and Domains . . . . . . . . . . . . . . . . . . . .193 Factors to Consider When Creating Forest Design Plans . . . . . . . . . . . .193 Business Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193 Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194 Legal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194 Namespaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194 Timelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195 Administrative Overhead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195 Testing Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196 Creating a Design Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196

  Contents xv

  The Forest Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199 The Active Directory Domain Services (AD DS)

  Logical Design Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199 Active Directory Forest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200 Active Directory Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201 Active Directory Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201 Organizational Units (OU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202

  The Active Directory Domain Services (AD DS) Physical Design Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204

  Domain Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204 Sites and Site Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204 Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205

  Creating the Forest Root Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . .206 Forest and Domain Function Levels . . . . . . . . . . . . . . . . . . . . . . . . . . .209 Upgrading Your Forest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213

  Windows 2000 Native Mode Active Directory to Windows Server 2008 AD DS . . . . . . . . . . . . . . . . . . . . . . . . . .213

  Windows Server 2003 Forest to Windows Server 2008 . . . . . . . . . .214 New Forest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215

  Intra-Organizational Authorization and Authentication . . . . . . . . . . . . .215 Schema Modifi cations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218

  Designing an Active Directory Topology . . . . . . . . . . . . . . . . . . . . . . . . . .220 Server Placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222

  Determining the Placement of the Forest Root Domain Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222

  Determining the Placement of the Regional Domain Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222

  Determining the Placement of the Operations Masters . . . . . . . . . .224 Placement of the PDC Emulator . . . . . . . . . . . . . . . . . . . . . . . . . .225 Placement of the Infrastructure Master . . . . . . . . . . . . . . . . . . . . . .225 Planning for Networks with Limited Connectivity . . . . . . . . . . . . .226 Determining the Placement of Global Catalog Servers . . . . . . . . . . .228 Creating the Site Link Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . .231 Site Link Bridge Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233 Creating the Site Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234 Creating the Subnet Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235

  Printer and Location Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235 Designing an Active Directory Administrative Model . . . . . . . . . . . . . . . . .239

  Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240

  xvi Contents

  Group Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241 Compliance Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245

  Global Audit Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247 SACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247 Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248

  Summary of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249 Exam Objectives Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250 Exam Objectives Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .253 Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254 Self Test Quick Answer Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .260

Chapter 4 Designing an Enterprise-Level Group Policy Strategy . . . 261
  Introduction . . . 262
  Understanding Group Policy Preferences . . . 262
    ADMX/ADML Files . . . 265
    Understanding Group Policy Objects . . . 268
    Deciding Which Domain Controller Will Process GPOs . . . 270
    Group Policy Processing over Slow Links . . . 273
    Group Policy Processing over Remote Access Connections . . . 275
    Group Policy Background Refresh Interval . . . 275
    Backing Up and Restoring GPOs . . . 276
    User Policies . . . 279
      Software Installation . . . 280
      Security Settings . . . 281
      Folder Redirection Settings . . . 282
      Logon and Logoff Scripts . . . 284
      Administrative Templates . . . 286
    Computer Policies . . . 287
      Software Installation . . . 288
      Restricted Groups . . . 289
      Windows Firewall with Advanced Security . . . 290
      Policy-Based Quality of Service . . . 291
      Startup and Shutdown Scripts . . . 293
      Administrative Templates . . . 294
    GPO Templates . . . 295
      Starter GPOs . . . 295
  Linking GPOs to Active Directory Objects . . . 296
    Linking GPOs . . . 296
    GPO Conflicts . . . 297

  Contents xvii

    RSoP . . . 300
    Managing Group Policy with Windows PowerShell . . . 303
    OU Hierarchy . . . 306
  Understanding Group Policy Hierarchy and Scope Filtering . . . 307
    Understanding Group Policy Hierarchies . . . 307
    Understanding Scope Filtering . . . 308
      Scope Filtering: Permissions . . . 308
      Scope Filtering: WMI Filters . . . 310
  Controlling Device Installation . . . 312
    Controlling Device Installation by Computer . . . 312
      Allowing/Preventing Installation of Devices Using Drivers That Match These Device Setup Classes . . . 313
      Display a Custom Message When Installation Is Prevented by Policy (Balloon Text/Title) . . . 313
      Allowing/Preventing Installation of Devices That Match Any of These Device IDs . . . 313
      Preventing Installation of Removable Devices . . . 314
      Preventing Installation of Devices Not Described by Any Other Policy Setting . . . 314
    Controlling Device Installation by User . . . 314
  Summary of Exam Objectives . . . 315
  Exam Objectives Fast Track . . . 315
  Exam Objectives Frequently Asked Questions . . . 318
  Self Test . . . 320
  Self Test Quick Answer Key . . . 325

Chapter 5 Designing Identity and Access Management . . . 327
  Introduction . . . 328
  Planning for Migration, Upgrades, and Restructuring . . . 329
    Knowing When to Migrate or Upgrade . . . 329
      Backward Compatibility . . . 330
      Object Migration . . . 330
        The Object Global Unique Identifier in Active Directory . . . 331
        The Effect of an Upgrade or a Restructuring on SIDs and GUIDs . . . 332
        Leveraging SID History to Maintain Access to Resources . . . 333
        Using Active Directory Migration Tool to Restructure Domains . . . 334
        Maintaining User Passwords During a Restructure . . . 337
        Migrating Users and Groups . . . 339


        Migrating Computer Accounts . . . 346
      Upgrading Your Active Directory Domain or Forest . . . 348
        Installing Windows Server 2008 Domain Controllers into an Existing Forest . . . 350
      Migration Planning . . . 352
    Knowing When to Restructure . . . 353
      Intra-Forest Domain Restructure . . . 354
      Intra-Forest Upgrade and Restructure . . . 357
    Cross-Forest Authentication . . . 359
    Implementation Planning . . . 360
  Planning for Interoperability . . . 360
    Interorganizational Strategies . . . 361
      Active Directory Federation Services . . . 361
    What Is Federation? . . . 362
      Why and When to Use Federation . . . 362
      Prerequisites for ADFS . . . 364
    Configuring ADFS . . . 364
    Application Authorization Interoperability . . . 376
      Using Active Directory Lightweight Directory Services to Provide Authentication and Authorization to Extranet Users . . . 376
      When to Use AD LDS . . . 377
    Changes from Active Directory Application Mode (ADAM) . . . 377
    Configuring AD LDS . . . 378
      Working with AD LDS . . . 381
    Cross-Platform Interoperability . . . 383
      File System Paths and Permissions on Unix Systems . . . 383
      Authentication on Unix Systems . . . 384
        Network Information System . . . 384
        NIS+ . . . 385
      Network File System (NFS) . . . 388
  Summary of Exam Objectives . . . 395
  Exam Objectives Fast Track . . . 397
  Exam Objectives Frequently Asked Questions . . . 399
  Self Test . . . 401
  Self Test Quick Answer Key . . . 404

Chapter 6 Designing a Branch Office Deployment . . . 405
  Introduction . . . 406
    The Branch Office Challenge . . . 406
      Network Bandwidth . . . 406


      Security . . . 406
      Backup and Restore . . . 407
      Hub-and-Spoke Topology . . . 408
  Developing an Authentication Strategy . . . 409
    Centralized Account Administration . . . 409
    Single Sign-on . . . 409
    Kerberos Authentication . . . 410
    Password Policies . . . 410
    When to Place a Domain Controller in a Remote Office . . . 411
      Number of Group Policies . . . 411
      Logon Scripts . . . 411
      User Population . . . 411
      Domain Controller Physical Security . . . 412
      On-Site Technical Expertise Availability . . . 412
      Authentication Availability . . . 412
      WAN Link Speed and Bandwidth Utilization . . . 412
      Bandwidth and Network Traffic Considerations . . . 412
    Placing a Global Catalog Server in a Remote Office . . . 414
      Universal Group Membership Caching . . . 415
    Full Domain Controller vs. Read-Only Domain Controller . . . 416
  Using BitLocker . . . 417
    Trusted Platform Modules . . . 417
      A Practical Example . . . 418
    Introduction to BitLocker . . . 418
      Full Volume Encryption . . . 419
      Startup Process Integrity Verification . . . 419
      Recovery Mechanisms . . . 420
      Remote Administration . . . 421
      Secure Decommissioning . . . 421
      BitLocker Architecture . . . 422
      Keys Used for Volume Encryption . . . 423
      Hardware Upgrades on BitLocker-Protected Systems . . . 424
      BitLocker Authentication Modes . . . 424
        TPM Only . . . 425
        TPM with PIN Authentication . . . 425
        TPM with Startup Key Authentication . . . 425
        Startup Key-Only . . . 426
    When to Use BitLocker on a Windows 2008 Server . . . 426


      Support for Multifactor Authentication on Windows Server 2008 . . . 426
        PIN Authentication . . . 427
        Startup Key Authentication . . . 427
    Enabling BitLocker . . . 427
      Partitioning Disks for BitLocker Usage . . . 427
      Installing the BitLocker on Windows Server 2008 . . . 429
      Turning on BitLocker . . . 431
      Enable BitLocker Support for TPM-less Operation . . . 434
      Turning on BitLocker on Systems without a TPM . . . 435
      Administration of BitLocker . . . 437
      Using Group Policy with BitLocker . . . 437
      Storing BitLocker and TPM Recovery Information in Active Directory . . . 439
        Storage of BitLocker Recovery Information in Active Directory . . . 440
        Storage of TPM Information in Active Directory . . . 441
        Prerequisites . . . 441
        Extending the Schema . . . 442
        Setting Required Permissions for Backing Up TPM Passwords . . . 444
        Configuring Group Policy to Enable BitLocker and TPM Backup to Active Directory . . . 444
      Recovering Data . . . 445
      Disabling BitLocker . . . 447