
To restore Active Directory

1.      Use the procedure provided earlier in this lesson to authoritatively restore Active Directory using Active Directory Backup1. Hint: Use the restore subtree command parameter with OU=TEST1,DC=contoso,DC=com as the subtree distinguished name.

2.      Verify that the TEST1 OU you created, backed up, and deleted in Lesson 3 has been restored in the Active Directory Users And Computers console.
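The same exercise driven from the command line, added here as an example and not taken from the book. It assumes the domain controller has been booted into Directory Services Restore Mode and the System State has already been restored nonauthoritatively with Backup (but the server has not yet been rebooted); the subtree DN, the TEST1 name and the contoso.com domain match the lesson. Dsquery ships with Windows Server 2003; Repadmin comes from the Support Tools.

```batch
@echo off
setlocal
rem Added example, not the book's own script. SUBTREE matches the lesson's TEST1 OU.
set SUBTREE=OU=TEST1,DC=contoso,DC=com
if /i "%~1"=="verify" goto verify

rem ---- Part 1: run in Directory Services Restore Mode, after the System State has been
rem ---- restored nonauthoritatively with Backup and BEFORE the domain controller is rebooted.
rem Each quoted argument is one Ntdsutil command. "restore subtree" marks every object under
rem the DN authoritative (raising its version numbers so it wins replication from the other
rem domain controllers); the first "quit" leaves the authoritative restore context and the
rem second exits Ntdsutil. To mark the whole directory instead, use "restore database".
ntdsutil "authoritative restore" "restore subtree %SUBTREE%" quit quit
echo Check the Ntdsutil output above for the number of records updated, then reboot normally
echo and run "%~nx0 verify" to confirm the OU is back and replicating.
exit /b 0

:verify
rem ---- Part 2: after the reboot, logged on with a domain account in normal mode.
rem The OU should be found again, and its replication metadata should show the version
rem numbers that the authoritative restore raised.
dsquery ou domainroot -name TEST1
repadmin /showobjmeta %COMPUTERNAME% "%SUBTREE%"
exit /b 0
```

Run the script once with no argument while in Directory Services Restore Mode, reboot, then run it again with `verify`. The nonauthoritative restore must come first: the authoritative step only marks objects that are already present in the restored database.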

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the "Questions and Answers" section at the end of this chapter.

1. Describe what happens in a nonauthoritative restore.

2. Describe what happens in an authoritative restore.

3. Which method of restore should you use if you accidentally delete an OU?

4. Which method of restore should you use if a domain controller has completely failed due to hardware or software problems?

5. Which of the following Ntdsutil command parameters should you use if you want to restore the entire directory?

a. Restore database

b. Restore subtree

c. Database restore

d. Subtree restore

Creating Custom MMCs

To create a custom MMC, you must open an empty console and then add the snap-ins needed to perform the desired administrative tasks.

To create a custom MMC, complete the following steps:

1.      Click Start and point to Run.

2.      Type mmc in the Run box, and then click OK. An MMC window opens, titled Console1 and containing a window titled Console Root. This is an empty MMC.

3.      Maximize the Console1 and Console Root windows.

4.      On the File menu, click Add/Remove Snap-In.

5.      In the Standalone tab in the Add/Remove Snap-In dialog box, click Add.

6.      In the Add Standalone Snap-In dialog box, shown in Figure 3-4, select the snap-in you want to add and click Add. In some instances, the snap-in is simply added to the MMC. In other cases, MMC requires you to specify additional details for the snap-in in a dialog box or through a wizard.

7.      Enter additional details for the snap-in as needed.

8.      If the snap-in supports remote administration, a dialog box for the snap-in appears, as shown in Figure 3-5. Do one of the following:

•       Select Local Computer to manage the computer on which the console is running.

•       Select Another Computer to manage a remote computer. Then click Browse. In the Select Computer dialog box, type the name of the remote computer, and then click OK.

9.      Click Finish.

10.   When you are finished adding snap-ins, click Close in the Add Standalone Snap-In dialog box. The snap-ins you have added appear in the list in the Add/Remove Snap-In dialog box.

11.   In the Add/Remove Snap-In dialog box, click OK. MMC displays the snap-ins you have added in the console tree below Console Root.

12.   Select the Console Root.

13.   On the File menu, click Options. MMC displays the Options dialog box with the Console tab active, as shown in Figure 3-6.

14.   Select the console mode in the Console Mode box, and then click OK.

15.   On the File menu, click Save As.

16.   In the File Name box in the Save As dialog box, type the name for your customized MMC and then click Save. The name of your console appears in the MMC title bar.

17.   On the File menu, click Exit. The customized console has been created and saved and can now be accessed on the Administrative Tools menu.

Modifying Custom MMCs

You can modify a custom MMC by adding or removing snap-ins or extensions. Not all snap-ins have extensions. You can add or remove extensions from a console when you need to expand or limit administrative tasks. This allows you to include only those extensions that are relevant to the computer being administered.

MMC User Mode Types

User mode: Full access
Use when: You want to allow users to navigate between snap-ins, open new windows, and gain access to all portions of the console tree.

User mode: Limited access, multiple windows
Use when: You do not want to allow users to open new windows or gain access to a portion of the console tree. You want to allow users to view multiple windows in the console.

User mode: Limited access, single window
Use when: You do not want to allow users to open new windows or gain access to a portion of the console tree. You want to allow users to view only one window in the console.
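A caveat worth checking before relying on a user mode: the mode is stored in the .msc file and governs only how MMC presents the console, so it limits convenience, not authority. The following is an added example (not from the book) that shows the bypass and the policy that closes it; the console name and the Administrative Tools path where Save As places it are assumed.

```batch
@echo off
rem Added example, not the book's. The console path is an assumption (Save As defaults to
rem the current user's Administrative Tools folder, which is where step 17 says it appears).
set CONSOLE="%USERPROFILE%\Start Menu\Programs\Administrative Tools\AdminConsole.msc"

rem Opens the console exactly as its saved user mode dictates (what the menu shortcut does).
start "" mmc %CONSOLE%

rem Any user who can read the .msc can reopen it in author mode with /a and then add
rem snap-ins, change the console mode, or save a new copy. The user mode is not a
rem security control; the snap-ins still act with the rights of the logged-on account.
start "" mmc %CONSOLE% /a

rem To actually stop that, apply the User Configuration Group Policy setting
rem "Restrict the user from entering author mode" (Administrative Templates,
rem Windows Components, Microsoft Management Console). The line below writes the
rem registry value that policy sets, for a one-machine test only; deploy it through
rem Group Policy in practice.
reg add "HKCU\Software\Policies\Microsoft\MMC" /v RestrictAuthorMode /t REG_DWORD /d 1 /f
```

The companion policy in the same folder, "Restrict users to the explicitly permitted list of snap-ins", is what prevents a user from simply launching a snap-in directly (for example dsa.msc) instead of through your console. Neither policy grants or removes rights on the objects the snap-ins manage; those come from the Active Directory and file system ACLs, which is where the real limit must be set.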

Using MMCs for Remote Administration

When you create custom MMCs, you can set up a snap-in for remote administration. Remote administration allows you to perform administrative tasks from any location. For example, you can use a computer running Windows XP Professional with Service Pack 1 or hotfix 329357 applied to perform administrative tasks on a computer running Windows Server 2003. You cannot use all snap-ins for remote administration; the design of each snap-in dictates whether or not you can use it for remote administration.

To perform remote administration:

•       You can use snap-ins from computers running different editions of the Windows Server 2003 family.

•       You must use specific snap-ins designed for remote administration. If the snap-in is available for remote administration, Windows Server 2003 prompts you to choose the target computer to administer.

Suppose you need to administer Windows Server 2003 from a Windows XP Professional desktop. Because Windows XP Professional does not provide the same level of administrative tools as Windows Server 2003, you will need to install a more complete set of tools on the Professional desktop. By accessing the server and executing the Adminpak.msi file located at %systemroot%\System32, you can copy the administrative tools onto the Professional desktop. Then configure each tool for use with the server. One benefit of installing the entire package is that it includes the Active Directory Management MMC, which contains the three major Active Directory MMCs and the DNS MMC. Note that some tools may be installed for services that are not actually running on the server; the Windows Server 2003 Administration Tools Setup Wizard is simply a means for loading administrative tools onto a remote machine.
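The same setup from the desktop's command line, as an added example that is not the book's own. It assumes the administrator is logged on to the Windows XP Professional desktop with an account that can read the server's administrative share, and the server and domain controller names (srv01, dc01.contoso.com) are placeholders.

```batch
@echo off
rem Added example, not from the book. SERVER and DC are placeholder names.
set SERVER=srv01
set DC=dc01.contoso.com

rem 1. Install the Windows Server 2003 Administration Tools Pack straight from the server's
rem    %systemroot%\System32, reached here through the admin$ share (which maps to
rem    %systemroot%). /qb shows only a progress bar.
msiexec /i "\\%SERVER%\admin$\System32\adminpak.msi" /qb

rem 2. Target a remote computer from the command line instead of clicking through
rem    "Another Computer" in the Select Computer dialog. The switch is read by the snap-in,
rem    so it only exists for snap-ins designed for remote administration.
start "" mmc compmgmt.msc /computer=%SERVER%
start "" mmc dsa.msc /server=%DC%
```

Saving either console afterwards with File, Save As keeps the remote target in the .msc, which is how a desktop-side console for a particular server is normally built.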

Off the Record The Adminpak.msi can be used to repair console issues related to file corruption. For example, if you find that you can no longer open a console, such as the DNS console, you should try reinstalling Adminpak.msi.

To install or remove Active Directory reliably, you must be able to troubleshoot Active Directory installation and removal. Troubleshooting Active Directory installation and removal involves using the Directory Service log; the Netdiag, Dcdiag, and Ntdsutil command-line tools; and the Dcpromo*.log files to solve Active Directory installation and removal-related problems. This lesson shows you how to troubleshoot the installation and removal of Active Directory.

After this lesson, you will be able to

•       Troubleshoot the installation and removal of Active Directory

Estimated lesson time: 20 minutes
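A script that gathers the evidence this lesson names into one folder, added as an example and not taken from the book. It assumes Netdiag and Dcdiag are installed from the Windows Server 2003 Support Tools on the server being examined, and the output folder C:\adtrouble is an arbitrary choice.

```batch
@echo off
rem Added example, not the book's. Run on the server whose promotion or demotion failed.
set OUT=C:\adtrouble
mkdir "%OUT%" 2>nul
cd /d "%OUT%"

rem Network prerequisites for a domain controller: DNS registration, domain membership,
rem LDAP and Kerberos reachability. /v is verbose; /l writes Netdiag.log in the current
rem directory, which is why the script changed into %OUT% first.
netdiag /v /l

rem Domain controller health: /c runs the comprehensive test set, /v is verbose,
rem /f writes the report to a file.
dcdiag /v /c /f:"%OUT%\dcdiag.txt"

rem The Active Directory Installation Wizard's own logs (Dcpromo.log and Dcpromoui.log).
copy /y "%SYSTEMROOT%\debug\dcpromo*.log" "%OUT%\"

rem Error entries from the Directory Service event log. Eventquery.vbs ships with
rem Windows Server 2003; /L selects the log and /FI filters on event type.
cscript //nologo "%SYSTEMROOT%\system32\eventquery.vbs" /L "Directory Service" /FI "Type eq ERROR" > "%OUT%\ds-errors.txt"

echo Evidence collected in %OUT%
```

Read the files in the order the wizard would have hit the problem: Netdiag for name resolution and connectivity, then Dcpromoui.log for the step at which the wizard stopped, then Dcdiag and the Directory Service log for the state the server was left in.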

Peer domain controller

On the This Server Is Now A Domain Controller page, click Finish. Active Directory is now installed on the server.

Note Before you attempt to install Active Directory on a server, you must have an edition of Windows Server 2003 family installed and a static IP address configured for the server. Refer to Lesson 1 for instructions on configuring a static IP address for a server.

Installing Active Directory Using an Answer File

You can create an answer file to run the Active Directory Installation Wizard without having to respond to the screen prompts. An answer file is a file that contains answers to questions that should be automated during installation. The answer file must contain all of the parameters that the Active Directory Installation Wizard needs to install Active Directory. An answer file that is used to install Windows Server 2003 can also include the installation of Active Directory, or you can create an answer file that installs only Active Directory and is run after the Windows Server 2003 setup is complete and you have logged on to the system.

To create the answer file, refer to the instructions located in the "Microsoft Windows Reinstallation Reference," viewable by opening the Ref.chm compiled HTML help file on the Windows Server 2003 CD-ROM. The Ref.chm file is located in the Deploy.cab file in the \Support\Tools folder on the CD. The parameters required for the Active Directory setup answer file are described in Appendix B, "Active Directory Setup Answer File Parameters."

To install Active Directory using an answer file, complete the following steps:

1.      Restart your computer and log on as Administrator.

2.      Click Start and then click Run. In the Run dialog box, type dcpromo /answer:answer_file, where answer_file is the path of the answer file, in the Open box, and click OK.
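An added example (not from the book) of what such an answer file contains and how it is run: it creates the first domain controller of a new forest root domain. The domain name, paths and password are placeholders, and the [DCInstall] parameters used are a subset of those listed in Appendix B.

```batch
@echo off
setlocal
rem Added example, not the book's. Creates a [DCInstall] answer file for a NEW forest root
rem domain, runs the wizard unattended, then removes the file. Names are placeholders.
set ANSWER=%SystemDrive%\dcinstall.txt
(
echo [DCInstall]
echo ReplicaOrNewDomain=Domain
echo TreeOrChild=Tree
echo CreateOrJoin=Create
echo NewDomainDNSName=contoso.com
echo DomainNetBiosName=CONTOSO
echo AutoConfigDNS=Yes
echo DatabasePath=%SystemRoot%\NTDS
echo LogPath=%SystemRoot%\NTDS
echo SYSVOLPath=%SystemRoot%\SYSVOL
echo SafeModeAdminPassword=ChangeMe-DSRM-Pass1
echo RebootOnSuccess=NoAndNoPromptEither
) > "%ANSWER%"

rem The wizard is a GUI program, so wait for it rather than letting the script run ahead.
start /wait dcpromo /answer:"%ANSWER%"

rem The answer file holds the Directory Services Restore Mode password in clear text.
rem Nothing needs it once the wizard has read it, so delete it before rebooting.
del /f "%ANSWER%"
shutdown /r /t 0 /c "Completing Active Directory installation"
```

Keep the answer file somewhere only administrators can read while it exists; the restore mode password in it is the one that logs on to the domain controller when the directory itself is offline.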

Installing Active Directory Using the Network or Backup Media

In Windows 2000, promoting a member server to become an additional domain controller in an existing domain required replicating the entire directory database to the new domain controller. In case of low network bandwidth or a large directory database, this replication could take hours or even days to complete. Servers running Windows Server 2003 can be promoted using a restored backup taken from a Windows Server 2003 domain controller. This backup can be stored on any backup media (tape, CD, or DVD) or a network share. You can find more information about backing up Active Directory in

Exam Highlights

Before taking the exam, review the key points and terms that are presented in this chapter. You need to know this information.

Key Points

The logical structures in an organization are represented by the following Active Directory components: domains, OUs, trees, and forests.

The physical components of Active Directory are sites and domain controllers.

Active Directory replicates information in two ways: intrasite (within a site), and intersite (between sites).

Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops.

The primary reason for defining an OU is to delegate administration.

The main purpose of a site is to physically group computers to optimize network traffic.

Key Terms

Active Directory A Windows-based directory service. Active Directory stores information about objects on a network and makes this information usable to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.

domain A collection of computer, user, and group objects defined by the administrator. These objects share a common directory database, security policies, and security relationships with other domains.

forest One or more Active Directory domains that share the same class and attribute definitions (schema), site, and replication information (configuration), and forest-wide search capabilities (global catalog). Domains in the same forest are linked with two-way, transitive trust relationships.

organizational unit (OU) An Active Directory container object used within domains. An OU is a logical container into which users, groups, computers, and other OUs are placed. It can contain objects only from its parent domain. An OU is the smallest scope to which a GPO can be linked, or over which administrative authority can be delegated.

site One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.

The relationship of Active Directory domains, OUs, trees, and forests

Domains The core unit of logical structure in Active Directory is the domain, which can store millions of objects. Objects stored in a domain are those considered vital to the network. These vital objects are items the members of the networked community need in order to do their jobs: printers, documents, e-mail addresses, databases, users, distributed components, and other resources. All network objects exist within a domain, and each domain stores information only about the objects it contains. Active Directory is made up of one or more domains. A domain can span more than one physical location. Domains share the following characteristics:

•       All network objects exist within a domain, and each domain stores information only about the objects that it contains.

•       A domain is a security boundary. Access to domain objects is governed by access control lists (ACLs), which contain the permissions associated with the objects. Such permissions control which users can gain access to an object and what type of access they can gain. In the Windows Server 2003 family, objects include files, folders, shares, printers, and other Active Directory objects. None of the security policies and settings—such as administrative rights, security policies, and ACLs—can cross from one domain to another. You, as the domain administrator, have absolute rights to set policies only within your domain. Bear in mind, however, that forest-wide groups such as Enterprise Admins hold administrative rights in every domain of the forest, and the schema and configuration partitions are shared by all of them; the domain is therefore an administrative boundary, and the forest is the true security boundary.

The domain functional level (known as domain mode in Windows 2000) provides a way to enable domain-wide Active Directory features within your network environment. Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. The Windows 2000 mixed functional level allows a Windows Server 2003 domain controller to interact with domain controllers in the same domain running Windows NT 4, Windows 2000, or the Windows Server 2003 family. The Windows 2000 native functional level allows a Windows Server 2003 domain controller to interact with domain controllers in the domain running Windows 2000 or Windows Server 2003. The Windows Server 2003 interim functional level allows a Windows Server 2003 domain controller to interact with domain controllers in the domain running Windows NT 4 or Windows Server 2003. The Windows Server 2003 functional level allows a Windows Server 2003 domain controller to interact only with domain controllers in the domain running Windows Server 2003. You can raise the functional level of a domain only if the domain controllers in the domain are running the appropriate version of Windows. See Chapter 3, "Administering Active Directory," for details about raising domain functional levels.
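A quick check of the current level before planning a raise, added as an example and not taken from the book. It reads the two attributes on the domain naming-context head that together encode the level: msDS-Behavior-Version (0 for Windows 2000, 1 for Windows Server 2003 interim, 2 for Windows Server 2003) and ntMixedDomain (1 while the domain is still in Windows 2000 mixed). Dsquery ships with Windows Server 2003; the attribute interpretation is the one used by Active Directory Domains And Trusts.

```batch
@echo off
rem Added example, not the book's. Run on a Windows Server 2003 domain controller or a
rem machine with the Administration Tools Pack, logged on with a domain account.
rem dsquery prints a header line naming the attributes first, hence skip=1; the value
rem line holds msDS-Behavior-Version then ntMixedDomain, whitespace-separated.
for /f "skip=1 tokens=1,2" %%a in ('dsquery * domainroot -scope base -attr msDS-Behavior-Version ntMixedDomain') do (
    if "%%a"=="0" if "%%b"=="1" echo Domain functional level: Windows 2000 mixed
    if "%%a"=="0" if "%%b"=="0" echo Domain functional level: Windows 2000 native
    if "%%a"=="1" echo Domain functional level: Windows Server 2003 interim
    if "%%a"=="2" echo Domain functional level: Windows Server 2003
)
```

If the query is answered by a Windows 2000 domain controller, msDS-Behavior-Version is absent from its schema and the first column is empty; in that case the domain can only be at Windows 2000 mixed or native, and ntMixedDomain alone tells which.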

As an administrator, you must create a domain structure to reflect your company's organization. See Lesson 3, "Planning the Active Directory Infrastructure Design," to learn the basics of domain design. See Chapter 4, "Installing and Managing Domains, Trees, and Forests," for details about creating domains.

OUs An OU is a container used to organize objects within a domain into a logical administrative group. OUs provide a means for handling administrative tasks, such as the administration of users and resources, as they are the smallest scope to which you can delegate administrative authority. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain. The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains—each domain can implement its own OU hierarchy. By adding OUs to other OUs, or nesting, you can provide administrative control in a hierarchical fashion.

As an administrator, you must create an OU structure to reflect your company's organization. See Lesson 3, "Planning the Active Directory Infrastructure Design," to learn the basics of OU design. See Chapter 6, "Implementing an OU Structure," to learn about implementing an OU structure.

In Figure 1-5, the microsoft.com domain mirrors the organization of a shipping company and contains three OUs: US, Orders, and Disp, where Orders and Disp are nested within the US OU. In the summer months the number of shipping orders taken increases, and management has requested the addition of a subadministrator for the Orders department. The subadministrator must have permission only to create user accounts and provide users with access to Orders department files and shared printers. Rather than creating another domain, the request can be met by assigning the subadministrator the appropriate permissions within the Orders OU.

In the rush to design secure systems that respond to the business needs of the organization, the ability to recover systems in the event of failure might be overlooked. It should not be. Recovery processes, including emergency management of remote servers, are often seen as a network administration process and are not included as part of a security designer's purview. However, one aspect of security is ensuring the availability of data and systems, and dealing with the risk of systems failure—whether due to hardware or software malfunction or attack—is something that should be a part of every security design. Use the following guidelines to help you design for recovery:

Understand the capabilities of the systems for recovery.    All systems should be considered, and a comprehensive strategy should be developed for each. However, each platform presents specific benefits and challenges. Windows Server 2003 offers many features to assist in recovery, including volume shadow copy, backup and restore processes, Automated System Recovery (ASR), and Emergency Management Services.

Divide systems by computer role on the network.    What a computer is used for dictates what type of backup and restore plan needs to be developed for it. Databases, for example, might contain extremely sensitive data, large amounts of data, require special backup software, and take a long time to back up and restore. Desktop computers, on the other hand, might not store any data locally and might simply require a fresh imaging or replacement should they fail.

Have written procedures for each computer role.    Don't trust any one person's knowledge of how computers must be backed up or how they can be restored. This person might not be available when needed. Written plans are critical.

Practice recovery steps.    Provide test systems, and require IT personnel who recover systems to practice the recovery steps. Keep records of which IT personnel have completed practicing the recovery steps. Provide a drill. Simulate the loss of a domain controller, for example, and require IT personnel to recover the system. Provide feedback about how well they responded to the drill. If systems are lost and then recovered or not recovered, provide postmortem discussions on the process.

Determine when to use volume shadow copy.    This service empowers the end user with the ability to recover previous editions of files or to restore files that have been accidentally deleted.

Design a backup strategy.    Windows Server 2003 has backup and restore processes built into it, and other companies' products are available as well. Determining which product to use will depend on the availability of the services necessary to your design. Backup strategies include decisions to be made about frequency, comprehensiveness, storage of backup media, offsite storage, personnel, logging, number of copies, security for backup media, and audits of backup processes.

Rank systems to determine how critical they are.    In a formal business continuity plan, a business impact analysis (BIA) is constructed to determine which systems are the most critical to an organization's survival. The BIA is an interdepartmental project. Without this information, an IT design for recovery might consist of the identification of critical IT resources such as domain controllers, messaging servers, firewalls, and the like. The reason for this qualification is to create more comprehensive recovery plans for these systems and to determine the order of recovery efforts should multiple systems be affected at the same time.

Exam Tip    Recovery of systems at remote locations can be accomplished via the use of Emergency Management Services (EMS) and specialized hardware. Providing such access to systems could result in malicious activity if the systems are not properly secured. EMS, auxiliary hardware connections, or both could be used to connect to and disrupt the normal services provided by the server. Any design that provides such access should include security.

Determine special systems strategies that are the result of the server role or location.    Domain controllers, e-mail servers, firewalls, Internet Information Services (IIS), Domain Name System (DNS) servers, and other network server roles require backup and recovery techniques in addition to the backup and recovery required by the base operating system. Servers located at remote locations might require processes as provided by the Emergency Management Services available with Windows Server 2003.

Complete the recovery process plan.    All the information gathered is formulated into a comprehensive plan. The plan includes procedures and schedules for each type of product and systems—both backup and recovery. It also defines the order of recovery during times of multiple failure, assignment of responsibilities, and a plan for continuous testing and auditing of recovery plans.

Test each piece of the plan.    Testing each piece of the recovery process ensures adequate backups are being prepared and that the procedures are valid. Testing might also show that alternative procedures or additional processes need to be added.

Audit backup processes.    Designing an adequate plan is a good start, but even better are plans that are actually implemented, maintained, and reviewed. There should be processes in place—including logging—to monitor backup.

Practice: Creating the Security Design Framework

In this practice, you will predict threats to a company, design a segmented network, and design a recovery process for a fictitious company. You will then match security plan elements to parts of a security framework and identify devices that segment internal networks into zones. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the "Questions and Answers" section at the end of this chapter.