Monthly Archives: April 2010

Creating Multiple Domains, Trees, and Forests

In Chapter 2, you learned to install Active Directory, which actually creates the initial domain, tree, and forest for an organization. However, some organizations might require multiple domains, trees, or forests for Active Directory to effectively meet their needs. This lesson shows you how to create additional domains, trees, and forests.

After this lesson, you will be able to

•       Create additional domains, trees, and forests

•       Explain the reasons for using multiple domains, trees, and forests

•       Explain the implications for using multiple domains, trees, and forests

Estimated lesson time: 20 minutes

Creating Multiple Domains

You must determine the number of domains for each forest in your organization. Although one domain might effectively represent the structure of small or medium-sized organizations, larger and more complex organizations might find that one domain is not sufficient. Before adding any domains you should be able to state the purpose of the new domain and justify it in terms of administrative and hardware costs.

Reasons to Create Multiple Domains

As stated in Chapter 2, you should create multiple domains to

•       Meet security requirements

•       Meet administrative requirements

•       Optimize replication traffic

•       Retain Microsoft Windows NT domains

Tip Do not create multiple domains to accommodate polarized groups or for isolated resources that are not easily assimilated into other domains. Both the groups and the resources are usually better candidates for organizational units (OUs).

Creating Domains to Meet Security Requirements The settings in the Account Policies subdirectory in the Security Settings node of a Group Policy Object (GPO) can be specified only at the domain level. If the security requirements set in the Account Policies subdirectory vary throughout your organization, you need to define separate domains to handle the different requirements. The Account Policies subdirectory contains the following policies:

•       Password policy Contains settings for passwords, such as password history, age, length, complexity, and storage

•       Account lockout policy Contains settings for account lockout, such as lockout duration, threshold, and the lockout counter

•       Kerberos policy Contains Kerberos-related settings, such as user logon restrictions, service and user ticket lifetimes, and enforcement

You can learn more about Account Policies in Chapter 13, "Administering Security With Group Policy."
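Because each Account Policies set is stored once per domain, the values can be read back from every domain head in a forest. The following PowerShell script is an added example (not part of the training kit) that lists them for each domain and flags weak settings; it assumes a domain-joined machine with read access to each domain, and the thresholds in Test-DomainAccountPolicy are this example's own choices.

```powershell
# Added example, not from the training kit: list the domain-level Account Policies of
# every domain in the current forest and flag weak settings. Each policy set lives on
# that domain's naming-context head object, one per domain, which is why requirements
# that differ cannot be met inside one Windows Server 2003 domain.
# Assumes: domain-joined machine, read access to each domain head; the thresholds in
# Test-DomainAccountPolicy are this example's own choices.

Set-StrictMode -Version 2

# maxPwdAge, lockoutDuration and lockOutObservationWindow are stored as negative
# 100-nanosecond intervals (LargeInteger). Returns a TimeSpan, or $null for the
# "never" / "until an administrator unlocks" sentinel.
function Convert-AdInterval {
    param($Entry, [string]$Attribute)
    $raw = $Entry.Properties[$Attribute].Value
    if ($null -eq $raw) { return $null }
    $ticks = $Entry.ConvertLargeIntegerToInt64($raw)
    if ($ticks -eq [Int64]::MinValue) { return $null }   # 0x8000000000000000 = never
    return [TimeSpan]::FromTicks([Math]::Abs($ticks))
}

function Get-DomainAccountPolicy {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        # Serverless binding to the domain's DNS name returns the domain head object.
        $head     = [ADSI]("LDAP://" + $domain.Name)
        $pwdProps = [int]$head.Properties['pwdProperties'].Value
        $maxAge   = Convert-AdInterval $head 'maxPwdAge'
        $lockDur  = Convert-AdInterval $head 'lockoutDuration'
        $lockWin  = Convert-AdInterval $head 'lockOutObservationWindow'
        $maxAgeDays = $null
        if ($null -ne $maxAge)  { $maxAgeDays = [int]$maxAge.TotalDays }
        $lockDurMin = $null
        if ($null -ne $lockDur) { $lockDurMin = [int]$lockDur.TotalMinutes }
        $lockWinMin = $null
        if ($null -ne $lockWin) { $lockWinMin = [int]$lockWin.TotalMinutes }

        New-Object PSObject -Property @{
            Domain               = $domain.Name
            MinPwdLength         = [int]$head.Properties['minPwdLength'].Value
            PwdHistoryLength     = [int]$head.Properties['pwdHistoryLength'].Value
            MaxPwdAgeDays        = $maxAgeDays          # $null = passwords never expire
            ComplexityRequired   = [bool]($pwdProps -band 1)    # DOMAIN_PASSWORD_COMPLEX
            ReversibleEncryption = [bool]($pwdProps -band 16)   # DOMAIN_PASSWORD_STORE_CLEARTEXT
            LockoutThreshold     = [int]$head.Properties['lockoutThreshold'].Value  # 0 = never lock out
            LockoutDurationMin   = $lockDurMin          # $null = locked until an administrator unlocks
            LockoutWindowMin     = $lockWinMin
        }
    }
}

# Findings against this example's own minimum baseline.
function Test-DomainAccountPolicy {
    param($Policy)
    $findings = @()
    if ($Policy.MinPwdLength -lt 8)       { $findings += 'minimum password length below 8' }
    if ($Policy.PwdHistoryLength -lt 6)   { $findings += 'password history shorter than 6' }
    if ($null -eq $Policy.MaxPwdAgeDays)  { $findings += 'passwords never expire' }
    if (-not $Policy.ComplexityRequired)  { $findings += 'complexity requirements not enforced' }
    if ($Policy.ReversibleEncryption)     { $findings += 'passwords stored with reversible encryption' }
    if ($Policy.LockoutThreshold -eq 0)   { $findings += 'account lockout disabled' }
    return $findings
}

foreach ($policy in Get-DomainAccountPolicy) {
    $policy | Format-List Domain, MinPwdLength, PwdHistoryLength, MaxPwdAgeDays,
        ComplexityRequired, ReversibleEncryption, LockoutThreshold,
        LockoutDurationMin, LockoutWindowMin | Out-Host
    foreach ($finding in Test-DomainAccountPolicy $policy) {
        Write-Warning ("{0}: {1}" -f $policy.Domain, $finding)
    }
}
```

Two domains that show different values here are two domains that genuinely needed to exist; two that show identical values are a candidate for consolidation into OUs.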

Creating Domains to Meet Administrative Requirements Some organizations might need to establish boundaries to meet special administrative requirements that cannot be accommodated by establishing OUs in one domain. Special requirements might include satisfying specific legal or privacy concerns. For example, an organization might have a privacy requirement that outside administrators not be given control over sensitive product development files. In a one-domain scenario, members of the Domain Admins predefined global group would have complete control over all objects in the domain, including the sensitive files. By establishing a new domain containing the files, the first Domain Admins group is outside of the new domain and no longer has control of the files.

Creating Domains to Optimize Replication Traffic In organizations with one or more sites, you must consider whether site links can handle the replication traffic associated with a single domain. In a forest with one domain, all objects in the forest are replicated to every domain controller in the forest. If objects are replicated to locations where they are not used, bandwidth is used unnecessarily. By defining multiple small domains and replicating only those objects that are relevant to a location, you can reduce network traffic and optimize replication. However, you must weigh the savings achieved by optimizing replication against the cost of hardware and administration for the additional domains.

To determine whether you should define a domain to optimize replication traffic, you must consider

•       Link capacity and availability If a link is operating near capacity or is not available for replication traffic during specific times of the day, it might not be able to handle replication traffic, and you should consider defining another domain. However, if links are idle at specific times, replication could be scheduled to occur during these times, provided the appropriate bandwidth is available.

•       Whether replication traffic will compete with other traffic If a link carries other, more important traffic that you do not want disturbed by replication traffic, you should consider defining another domain.

•       Whether links are pay-by-usage If replication traffic will cross an expensive pay-by-usage link, you should consider defining another domain.

•       Whether links are limited to Simple Mail Transport Protocol (SMTP) If a location is connected by SMTP-only links, it must have its own domain. Mail-based replication can occur only between domains; it cannot be used between domain controllers in the same domain.

Creating Domains to Retain Windows NT Domains Organizations that have large Windows NT infrastructures might choose to retain an existing Windows NT domain. Existing Windows NT domains can be upgraded to Windows Server 2003, sometimes referred to as an in-place upgrade. You must weigh the costs of upgrading the Windows NT domain or consolidating the domain against the savings of maintaining and administering fewer domains. It is recommended that you minimize the number of domains by consolidating Windows NT domains before upgrading to Windows Server 2003.

Implications of Creating Multiple Domains Adding a domain increases administrative and hardware costs. When determining whether to create multiple domains, keep the following cost issues in mind:

•       Domain administrators Each time a domain is added, a Domain Admins predefined global group is added as well. More administration is required to monitor the members of this group.

•       Security principals As domains are added, the likelihood that security principals will need to be moved between domains becomes greater. Although moving a security principal between OUs within a domain is a simple operation, moving a security principal between domains is more complex and can negatively affect users.

Note A security principal is a user, group, computer, or service that is assigned a unique security identifier (SID). Security principals are discussed in more detail in Chapter 9, "Administering Active Directory Objects."

•       Group policy and access control Because group policy and access control are applied at the domain level, if your organization uses group policies or delegated administration across the enterprise or many domains, the measures must be applied separately to each domain.

•       Domain controller hardware and security facilities Each Windows Server 2003 domain requires at least two domain controllers to support fault-tolerance and multimaster requirements. In addition, it is recommended that domain controllers be located in a secure facility with limited access to prevent physical access by intruders.

•       Trust links If a user from one domain must log on in another domain, the domain controller from the second domain must be able to contact the domain controller in the user's original domain. In the event of a link failure, the domain controller might not be able to maintain service. More trust links, which require setup and maintenance, might be necessary to alleviate the problem.

Creating Additional Domains

When creating additional domains, you use the Active Directory Installation Wizard. To create an additional domain, complete the following steps:

1. Restart your computer and log on as Administrator.

2. Click Start and then click Run. In the Run dialog box, type dcpromo in the Run box and click OK.

3. On the Welcome To The Active Directory Installation Wizard page, click Next.

4. On the Operating System Compatibility page, click Next.

5. On the Domain Controller Type page, shown in Figure 4-1, select Domain Controller For A New Domain, and then click Next.

6. On the Create New Domain page, shown in Figure 4-2, select Child Domain In An Existing Domain Tree, and then click Next.

7. On the Network Credentials page, shown in Figure 4-3, type the user name, password, and domain of the user account that has permission to create the domain in the User Name, Password, and Domain boxes, respectively, and then click Next.

8. On the Child Domain Installation page, shown in Figure 4-4, type the name of the parent domain in the Parent Domain box, and then type the name of the child domain in the Child Domain box. Ensure that the full Domain Name System (DNS)

9. Proceed through the following Active Directory Installation Wizard pages in the same way you did in the "Installing Active Directory Using the Active Directory Installation Wizard" section of Chapter 2:

•       NetBIOS Domain Name

•       Database And Log Folders

•       Shared System Volume

•       DNS Registration Diagnostics

•       Permissions

•       Directory Services Restore Mode Administrator Password

10. On the Summary page, shown in Figure 4-5, the options that you selected are listed. Note that the new child domain is indicated. Review the contents of the Summary page, and then click Next. The Configuring Active Directory progress indicator appears as the Active Directory service is installed on the server. This process takes several minutes.
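The same child-domain promotion can be run without the wizard by passing an answer file to dcpromo (dcpromo /answer:<file>). The file below is an added example, not one from the training kit; the domain names, paths, account name and passwords are placeholders that must be replaced, and the [DCInstall] keys are the ones dcpromo reads on Windows Server 2003.

```ini
; Added example: unattended equivalent of steps 5 through 9 above, creating a child
; domain in an existing domain tree. All names, paths and passwords are placeholders.
[DCInstall]
ReplicaOrNewDomain=Domain
TreeOrChild=Child
ParentDomainDNSName=example.com
ChildName=branch
DomainNetbiosName=BRANCH
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
AutoConfigDNS=Yes
; Account that is allowed to create the domain (a member of Enterprise Admins).
UserName=<enterprise-admin-account>
UserDomain=example.com
Password=<placeholder>
; Directory Services Restore Mode password: choose it as carefully as the
; Administrator password, since it grants full access to the offline database.
SafeModeAdminPassword=<placeholder>
RebootOnSuccess=Yes
```

The file holds both passwords in cleartext, so store it on the server with an ACL limited to administrators, and delete it as soon as the promotion has completed.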

Creating an Active Directory Backup

After you have completed the preliminary tasks, you can perform the Active Directory backup using the Backup Or Restore Wizard. When you back up Active Directory, the Backup Or Restore Wizard automatically backs up all the system components and all the distributed services that Active Directory requires. Collectively, these components and services are known as system state data.

For Windows Server 2003, the system state data comprises the registry, COM+ Class Registration database, system boot files, files under Windows File Protection, and the Certificate Services database (if the server is a certificate server). If the server is a domain controller, Active Directory and the Sysvol directory are also contained in the system state data. When you choose to back up system state data, all of the system state data that is relevant to your computer is backed up; you cannot choose to back up individual components of the system state data. This is due to dependencies among the system state components. You can back up only the system state data on a local computer. You cannot back up the system state data on a remote computer.

To create an Active Directory backup, complete the following steps:

1. Log on to your domain as Administrator, point to Start, point to All Programs, point to Accessories, point to System Tools, and select Backup.

2. On the Welcome To The Backup Or Restore Wizard page, click Next.

3. On the Backup Or Restore page, shown in Figure 3-8, select Backup Files And Settings, and then click Next.

4. On the What To Back Up page, shown in Figure 3-9, select Let Me Choose What To Back Up, and then click Next.

5. On the Items To Back Up page, shown in Figure 3-10, expand the My Computer item, and then select System State. Click Next.

6. On the Backup Type, Destination, And Name page, shown in Figure 3-11, complete the following steps:

•   Select Tape in the Select The Backup Type list if you are using tape; otherwise this option defaults to File.

•   In the Choose A Place To Save Your Backup list, choose the location where Windows Backup will store the data. If you are saving to a tape, select the tape name. If you are saving to a file, browse to the path for the backup file location.

•   In the Type A Name For This Backup box, enter a name for the backup you are going to do.

•   Click Next.

7.      On the Completing The Backup Or Restore Wizard page, click Advanced.

8. On the Type Of Backup page, shown in Figure 3-12, select Normal as the backup type used for this backup job. Normal is the only backup type supported by Active Directory. If the Hierarchical Storage Manager (HSM) has moved data to remote storage and you want to back it up, select the Backup Migrated Remote Storage Data check box. Click Next.

9. On the How To Back Up page, shown in Figure 3-13, select the Verify Data After Backup check box. This option causes the backup process to take longer but it confirms that files are correctly backed up. If you are using a tape device and it supports hardware compression, select the Use Hardware Compression, If Available check box to enable hardware compression. It's recommended that you do not select the Disable Volume Shadow Copy check box. By default, Backup creates a volume shadow copy of your data to create an accurate copy of the contents of the hard drive, including open files or files in use by the system. Click Next.

10. On the Backup Options page, shown in Figure 3-14, select the Replace The Existing Backups option, then select the Allow Only The Owner And The Administrator Access To The Backup Data And To Any Backups Appended To This Medium check box. This action saves only the most recent copy of Active Directory and allows you to restrict who can gain access to the completed backup file or tape. Click Next.


11. On the When To Back Up page, shown in Figure 3-15, select Now, and then click Next.

12. On the Completing The Backup Or Restore Wizard page, click Finish to start the backup operation.

13. The Backup Progress window shows the progress of the backup.

14. When the backup operation is complete, the Backup Progress window, shown in Figure 3-16, shows that the backup is complete. You can click the Report button to see a report about the backup operation, as shown in Figure 3-17. The report is stored on the hard disk of the computer on which you are running the backup.

15. Close the report when you have finished viewing it and then click Close to close the backup operation.
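A system state backup that is only ever run through the wizard tends not to be run at all, so the same job is worth scripting. The PowerShell script below is an added example, not from the training kit: it calls ntbackup.exe with the switches that correspond to the wizard choices above (Normal type, verify, replace rather than append, owner/administrator-only access, volume shadow copy), locks the file down and prunes old copies. It assumes Windows Server 2003 with ntbackup.exe and a local backup folder; the folder, job name and retention period are the example's own choices.

```powershell
# Added example, not from the training kit: scripted Active Directory (system state)
# backup equivalent to the Backup Or Restore Wizard steps above, suitable for a
# scheduled task. Assumes ntbackup.exe (Windows Server 2003) and a local folder;
# the folder, job name and retention period are this example's own choices.

$BackupRoot    = 'D:\ADBackups'
$RetentionDays = 30   # keep this below the forest tombstone lifetime (60 days by default on
                      # Windows Server 2003): a system state backup older than the tombstone
                      # lifetime cannot be used to restore a domain controller.

function Invoke-SystemStateBackup {
    param([string]$Root)
    if (-not (Test-Path $Root)) { New-Item -ItemType Directory -Path $Root | Out-Null }
    $file = Join-Path $Root ('SystemState-{0}-{1:yyyyMMdd-HHmm}.bkf' -f $env:COMPUTERNAME, (Get-Date))

    # Wizard option                         ntbackup switch
    # Normal backup type                    /M normal
    # Verify Data After Backup              /V:yes
    # Replace The Existing Backups          (no /A, so the file is overwritten, not appended)
    # Allow Only The Owner And The          /R:yes
    #   Administrator Access ...
    # Volume shadow copy left enabled       /SNAP:on
    & ntbackup.exe backup systemstate /J "AD system state $env:COMPUTERNAME" /F $file `
        /M normal /V:yes /R:yes /SNAP:on /L:s
    if ($LASTEXITCODE -ne 0) { throw "ntbackup failed with exit code $LASTEXITCODE" }

    # /R:yes restricts the backup set; also restrict the .bkf file itself, since it
    # contains the Active Directory database and every password hash in the domain.
    $acl = Get-Acl $file
    $acl.SetAccessRuleProtection($true, $false)   # drop the ACEs inherited from the folder
    foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $file -AclObject $acl
    return $file
}

function Remove-ExpiredBackups {
    param([string]$Root, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Root -Filter 'SystemState-*.bkf' |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            Write-Host "Removing expired backup $($_.FullName)"
            Remove-Item -Path $_.FullName
        }
}

$latest = Invoke-SystemStateBackup -Root $BackupRoot
Remove-ExpiredBackups -Root $BackupRoot -Days $RetentionDays
Write-Host "System state backed up to $latest"
```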

Using Active Directory Administration Tools

The powerful and flexible Active Directory administration tools that are included with Windows Server 2003 simplify directory service administration. The Active Directory administrative consoles enable you to administer the Active Directory directory service. A number of additional Active Directory administration tools are available in the Windows Support Tools. This lesson introduces the Active Directory administrative consoles and Windows Support Tools that are used to configure, manage, and debug Active Directory.

After this lesson, you will be able to

•       Describe the functions of the Active Directory Users And Computers administrative console

•       Describe the functions of the Active Directory Sites And Services administrative console

•       Describe the functions of the Active Directory Domains And Trusts administrative console

•       Describe the functions of the Active Directory Schema snap-in

•       Change the domain functional level

•       Change the forest functional level

•       Add or remove a UPN suffix

•       Explain the purpose of each of the Windows Support Tools that pertain to Active Directory

Estimated lesson time: 20 minutes

Active Directory Administration Tools

Two main tools are used to administer Active Directory:

•       Active Directory administrative consoles

•       Active Directory-specific tools in Windows Support Tools

Active Directory Administrative Consoles

The Active Directory administrative consoles are installed automatically on computers configured as Windows Server 2003 domain controllers when Active Directory is installed. The administrative consoles can also be installed on other servers running Windows Server 2003 using the optional Administrative Tools package. This enables you to administer Active Directory from a computer that is not a domain controller. The following administrative consoles are available on the Administrative Tools menu of all Windows Server 2003 domain controllers:

•       Active Directory Domains And Trusts console

•       Active Directory Sites And Services console

•       Active Directory Users And Computers console

The Active Directory Schema snap-in is also available on a computer configured as a domain controller, but must be installed manually.

Preparing for Active Directory Installation

There are a number of prerequisites you must consider before you begin installing Active Directory. These prerequisites include the design of your organization's domain structure and domain name; the storage location of the database, log, and shared system volume files; and the method of DNS configuration. This lesson shows you how to prepare for Active Directory installation.

After this lesson, you will be able to

•  Describe the Active Directory installation prerequisites

Estimated lesson time: 15 minutes

Active Directory Installation Prerequisites

Before you can install Active Directory, you should take some time to be sure that you are prepared by determining in advance:

•     The domain structure

•     The domain name

•     The storage location of the database and log files

•     The location of the shared system volume folder

•     The DNS configuration method

•     The DNS configuration

You must determine all of these installation prerequisites because they are required to complete the Active Directory installation process.

Determining the Domain Structure

To determine the domain structure, you must assess your company's physical environment, determine the forest root domain, determine the number of domains, and organize domains in a hierarchy.

Assessing the Physical Environment

The physical environment of your organization's network includes

•     The current location of points on the network

•     The current number of users at each location

•     The current network type used at each location

•     The current location, link speed, and percentage of available bandwidth of remote network links

Intersite Replication

A maximum of three replication hops between domain controllers, due to the addition of connection objects by the KCC

Intersite Replication To ensure replication between sites, you must connect them manually by creating site links. Site links represent network connections and allow replication to occur. A single KCC per site generates all connections between sites. Active Directory uses the network connection information to generate connection objects that provide efficient replication and fault tolerance, as shown in Figure 1-12.

You provide information about the replication transport used, cost of a site link, times when the link is available for use, and how often the link should be used. Active Directory uses this information to determine which site link is used to replicate information. Customizing replication schedules so replication occurs during specific times, such as when network traffic is light, makes replication more efficient.

As an administrator, you must configure sites and replication to ensure that the most up-to-date information is available to users. Replication and site link configuration are discussed in more detail in Chapter 5, "Configuring Sites and Managing Replication."

Real world Helpful Information

You will find sidebars like this one that contain related information you might find helpful. "Real World" sidebars contain specific information gained through the experience of IT professionals just like you.

Part 2: Prepare for the Exam

Part II helps to familiarize you with the types of questions that you will encounter on the MCP exam. By reviewing the objectives and the sample questions, you can focus on the specific skills that you need to improve before taking the exam.

See Also For a complete list of MCP exams and their related objectives, go to http:// www.microson.com/traincert/mcp.

Part II is organized by the exam's objectives. Each chapter covers one of the primary groups of objectives, called Objective Domains. Each chapter lists the tested skills you need to master to answer the exam questions and includes a list of further readings to help you improve your ability to perform the tasks or skills specified by the objectives.

Within each Objective Domain, you will find the related objectives that are covered on the exam. Each objective provides you with several practice exam questions. The answers are accompanied by explanations of each correct and incorrect answer.

Note These questions are also available on the Supplemental CD-ROM as a practice test.

Informational Notes

Several types of reader aids appear throughout the training kit.

•       Tip contains methods of performing a task more quickly or in a not-so-obvious way.

•       Important contains information that is essential to completing a task.

•       Note contains supplemental information.

•       Caution contains valuable information about possible loss of data; be sure to read this information carefully.

•       Warning contains critical information about possible physical injury; be sure to read this information carefully.

•       See Also contains references to other sources of information.


•       Planning contains hints and useful information that should help you plan the implementation.

•       Security Alert highlights information you need to know to maximize security in your work environment.

•       Exam Tip flags information you should know before taking the certification exam.

•       Off the Record contains practical advice about the real-world implications of information presented in the lesson.

Notational Conventions

The following conventions are used throughout this book.

•       Characters or commands that you type appear in bold type.

•       Italic in syntax statements indicates placeholders for variable information. Italic is also used for book titles.

•       Names of files and folders appear in Title caps, except when you are to type them directly. Unless otherwise indicated, you can use all lowercase letters when you type a file name in a dialog box or at a command prompt.

•       File name extensions appear in all lowercase.

•       Acronyms appear in all uppercase.

•       Monospace type represents code samples, examples of screen text, or entries that you might type at a command prompt or in initialization files.

•       Square brackets [ ] are used in syntax statements to enclose optional items. For example, [filename] in command syntax indicates that you can choose to type a file name with the command. Type only the information within the brackets, not the brackets themselves.

•       Braces { } are used in syntax statements to enclose required items. Type only the information within the braces, not the braces themselves.

Keyboard Conventions

•       A plus sign (+) between two key names means that you must press those keys at the same time. For example, "Press ALT+TAB" means that you hold down ALT while you press TAB.

•       A comma ( , ) between two or more key names means that you must press each of the keys consecutively, not together. For example, "Press ALT, F, X" means that you press and release each key in sequence. "Press ALT+W, L" means that you first press ALT and W at the same time, and then release them and press L.

Analyzing Technical Constraints that Affect Security Design

The security designer must analyze the situation and understand the limitations imposed by factors such as legacy infrastructure, currently installed software, and the interoperability requirements. If she does not, she will not produce a workable design and may even promote one that reduces, instead of increases, security on the network.

After this lesson, you will be able to

•      Identify capabilities of legacy infrastructure and integrate them into the design.

•      Identify technology limitations.

•      Analyze interoperability constraints.

Estimated lesson time: 30 minutes

Guidelines for Integrating Legacy Infrastructure in Security Designs

Very few security designers get to pick and choose hardware, operating system software, security devices, and processes from scratch. Instead, they must make sure that security designs consider legacy computers, operating systems, network devices, or other infrastructure components. These considerations are often a large part of security design work. This section describes what a legacy system is and then provides guidelines for integrating legacy infrastructure in security designs.

What Is a Legacy System?

A legacy system is any infrastructure component such as hardware, operating system software, network device, or application that is technically out of date. Often legacy systems cannot be replaced either because they still provide a service, they provide a service that cannot be provided by another system, funds do not exist to bring them up to date, or there is no compelling reason to bring them up to date. Legacy systems can be old technologies that preceded recent versions of the software or operating system—for example, older versions of Windows or a version of an application that is no longer supported. Many capabilities and constraints introduced by non-Windows systems are discussed in the "Guidelines for Analyzing Interoperability Constraints" section later in this lesson.

Integration Guidelines

To successfully integrate legacy systems into your security design, you must recognize their capabilities and then work within those constraints. Use these guidelines to integrate legacy systems into security designs:

•      Do not compromise the security of these systems.    The security of these systems must not be compromised when you add new systems. For example, when Linux or Windows operating systems are run on mainframe systems, care should be taken to make sure that security on the mainframe is not reduced. Adding new software adds new vulnerabilities, which must be mitigated. Another example is that adding new applications might require opening new ports on a firewall, ports that might be used to attack legacy systems.

•      Recognize that the accommodation of legacy system capabilities could mean full compliance with security policy and directives might not be accomplished.    For example, if a system is not capable of using 10-character passwords, you cannot fulfill that criteria of a security policy or design.

•       Increase the security of legacy systems by incorporating, wherever possible, any changes that can make them more secure.    Upgrades or the installation of new utilities might provide this extra security.

Note    When can legacy systems be eliminated because of security concerns? It is not up to the designer to determine the end of the life cycle for legacy systems, but the designer can report the inability to fulfill mandated security policy because of the limitations of these systems and recommend a solution. Management must then make the decision about when and where legacy systems should be eliminated. The designer can also recommend legacy system placement or use so as to mitigate the risk of its use.

Each legacy system difference must be examined to determine where these systems will either cause a change in the configuration in Windows Server 2003 (and possibly reduce the level of security), require an alternative security solution, require an upgrade to services, or require removal of the legacy system before security policy can be met. The security designer's goal is, as always, to provide the best, most secure solution while being mindful of the constraints and the need to support business requirements.

How a Legacy System Can Be Integrated into a Security Design

An example of a legacy system issue is LAN Manager (LM) authentication. Windows 98 systems cannot natively use Windows NT LAN Manager (NTLM) for authentication; instead they use its predecessor, LM. Windows Server 2003 systems eliminate, by default, the use of LM. The security design decision might then be to reconfigure Windows Server 2003 to allow the use of LM, or to install the Active Directory directory service client on Windows 98 systems and configure them to use NTLM.

If the design decision is based only on immediate financial cost, the choice will be to allow the use of LM, which will greatly reduce the security of the forest. It will take money, in the form of administrative time, to implement the client and configure the systems. However, this will result in better security. The necessary configuration can be automated, which will reduce its cost. The benefits of maintaining security are sometimes difficult to quantify, but in this case, there are many ways the security team can make the point. One way would be by using cracking tools on a test system that uses LM and on one that does not. Doing this would show how quickly the LM database passwords can be cracked in comparison to those on the system where LM is not used. Care should be taken to make sure this test, which takes very little time to set up, is done on a test system and that no real passwords are exposed.
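Whichever way the decision goes, the resulting configuration should be verified on every domain controller rather than assumed. The PowerShell script below is an added example (not from the training kit) that reads the two registry values behind the "LAN Manager authentication level" and "Do not store LAN Manager hash value" policies from each domain controller and reports where LM is still sent, accepted or stored; it assumes administrative remote-registry access to the domain controllers.

```powershell
# Added example, not from the training kit: audit LAN Manager authentication settings
# on every domain controller of the current domain. Reads
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel  (0-5)
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash               (1 = do not store LM hash)
# Assumes the caller can open the remote registry on each domain controller.

Set-StrictMode -Version 2

# Documented meaning of each LmCompatibilityLevel value.
$LevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-LmSettings {
    param([string]$Computer)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $lsa = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        # A missing value means the operating system default applies; on Windows
        # Server 2003 that is level 2 and LM hashes not stored (NoLMHash = 1).
        $level    = [int]$lsa.GetValue('LmCompatibilityLevel', 2)
        $noLmHash = [int]$lsa.GetValue('NoLMHash', 1)
    } finally {
        $hive.Close()
    }

    $findings = @()
    if ($level -le 1) {
        $findings += 'sends LM responses (level 0-1): LM hashes are exposed on the network'
    }
    if ($level -lt 4) {
        $findings += 'still accepts LM authentication from clients (level below 4)'
    }
    if ($noLmHash -eq 0) {
        $findings += 'stores the LM hash of each password (NoLMHash = 0)'
    }

    New-Object PSObject -Property @{
        Computer  = $Computer
        Level     = $level
        LevelText = $LevelText[$level]
        NoLMHash  = $noLmHash
        Findings  = $findings
    }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    $settings = Get-LmSettings -Computer $dc.Name
    '{0}: LmCompatibilityLevel={1} ({2}), NoLMHash={3}' -f $settings.Computer,
        $settings.Level, $settings.LevelText, $settings.NoLMHash
    foreach ($finding in $settings.Findings) {
        Write-Warning ("{0}: {1}" -f $settings.Computer, $finding)
    }
}
```

If the design chose to keep Windows 98 clients on LM, this report shows exactly which domain controllers carry that exception so it can be removed once the Active Directory client has been deployed.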

Considerations for Identifying Technology Limitations

Every system has its technology limitations—factors that restrict what can and cannot be done. When these limitations affect a security operation, the security design must account for them. To identify technology limitations, you must consider:

•       Existing hardware limitations.    If an operating system upgrade is required, can the existing hardware meet minimum requirements of the proposed operating system? Will security services put additional demands on the hardware? Can the hardware be upgraded or replaced?

•       Existing operating system limitations.    If the operating system cannot be upgraded, what part of the security policy or security design cannot be met?

•       Existing software constraints.    Does existing application software impose requirements, such as administrative access, to run or require that specific hardware be installed?

•       Existing legal requirements such as FIPS.    The Federal Information Processing Standard (FIPS) is mandated for some U.S. government operations. This standard specifies cryptographic algorithms and other security-related processing functions. Meeting these standards might require special software, certain cryptographic algorithms, and security devices such as Fortezza cards.