AD DS 2008 R2

Question 1

2008 R2 licensing changes

Answer 1

Cal for R2
without Hper V Editions
CAL requirement initiation when used to host virtual machines
license suites for VD infrastructure
Foundation
Remote Desktop Services

Question 2

new install options

Answer 2

improved command line and server manager
updated system center manager 2007 mgmt pack
AD Forest Functional Level
Creation of an answer file
integrated Best Practices Analyzer
when installing you can choose to Use Advanced Mode Installation option - don’t need to run the dcpromo with the /adv anymore

Question 3

install in Advance mode options

Answer 3

create a new domain tree
define the PRP - short for password replication policy for an RODC
Choose which source DC to use for the AD DS install
decrease initial replication network traffic
modify the default generated NetBios Name

can’t use this wizard to configure DNS or RODC roles

Question 4

AD DS install wiz has some new pages:

Answer 4

set function levels
select domain
select a site
confg addt DC options
create DNS delegation
specify the Password Replication Policy
Delegate RODC installation and administration

Question 5

2008 R2 supports several upgrade paths

Answer 5

2003 SP2
2003 R2
2008 RTM-SP1 (release to manufacturing version with SP1)
2008 SP2
2008 RC (release candidate)
2008 IDS (internal developer server)
2008 RTM

Question 6

adprep /options

found in the cd 2008 R2 \support\adprep install disc

Answer 6

you need to prep all existing DCs to work with the first 2008 R2 DC in a forest

/forestprep
/domainprep - has to be run on the infrastructure master or on any that will be DCs
domainprep/gpprep - same as above - it brings inheritable access control entries ACEs on the GPOs located in Sysvol shared resource and also allows for RSop functionality to be enabled
/rodcprep

Question 7

in order to use the AD recycle bin

Answer 7

server function level has to be set to 2008 R2

Can’t add a DC lower than the highest function level. So if you need to have a DC 2008 or earlier don’t raise it to 2008 R2

Question 8

to raise forest level

Answer 8

AD Domains and Trusts
right click on same node and choose raise forest function level

for domain, right click the domain node and do the same thing

Question 9

WSM - Windows Migration Tool

Answer 9

needs to be installed on both servers
servers have to be a member of the network, unique server name and IP Address
MIgration assumes that after the migration the destination server will take over the source server’s functions and that source server will be removed, retired, retained as an addtl DC or changed into a member server

Question 10

migration steps for 2008 R2

Answer 10

1. planning
2. preparing the source server
3. gathering DNS and AD settings from the source server
4. Preparing the destination server for migration by adding the server to the network and making this Windows Server 2008 R2 64 based server a DC
5. migrating the mandatory sedtting sof the AD and DNS
6. Validating that migration process was successful by verifying the destination server config
7. Carrying out all post-migration tasks
8. Migrating DNS Server Role

Question 11

Active Directory Administrative Center

Answer 11

an AD data mgmt tool for mgmt of AD objects, admin and object tasks

can’t use it to mgmt LDAP instances or configuration sets

use it for:
new or mng existing groups and user accounts, OUs and containers, computer accounts

Using the query building search feature to filter AD data

Connecting to on or more DC or Domains

Managing or viewing the DC or Domains Directory info

new functions to this are
the breadcrumb bar
object property page
query building search

You install this feature by:
installing the AD DS server role
specifying a server as a DC
Manually using a wizard - do it by add features wizard in the Remote Server Admin Tools, needs net framework 3.5.1 and powershell’s AD module

install by server manager feature node, install remote server admin tools
AD DS and AD LDS Tools

global searches -
Normal Mode if you want touse keywords and build a global search query

Question 12

ADWS

Answer 12

Active Directory Web Services
new 2008 R2
provides a web service interface to AD Directory mounting tool instances, AD LD Services instances,aka AD LDS and AD domains

can adjust parameters in the ADWS config file. Adjustments do not affect other DC because they are only applicable to the ADWS running on the DC whose parameters you adjusted. use microsoftactivedirectory.webservices.exe config file.

on this versions
Datacenter
Enterprise
Standard

AD Mangement Gateway service provides the same thing and is needed to run the AWDS service and can be installed on 2003 SP2, R2, 2008 and 2008 SP2 - it doesn’t support AD Database Mounting Tool

Question 13

2003 and 2008 (not R2)

Answer 13

you could restore deleted AD objects via:
backups of AD DS through ntdsutil
has to be offline DSRM for an authoritative restore and changes between backup and restore will be lost for that object

Tombstone reanimation - restoring through a process before it is actually deleted which is 180 days by default - drawbacks, ln valued attributes are removed during the process of being tombstoned ie: group membership and the same for non linked values

Question 14

AD Recycle Bin

Answer 14

online
maintain there original state
logical deletion, put in the deleted objects container for a period of time (deleted objects lifetime) in its original state - logically deleted

Once time frame as a logically deleted object it is changed and is stripped of its links and is called recycled object and then can only be restored through authoritative restore

When lifetime completely expires they are completely removed from db through garbage collection process

disabled by default need to consider:
forest function lever - has to be 2008 R2

Irreversibility -
once enabled you cannot turn it off or disable.

make changes by using the DN of the object:
CN=Partitions,CN=Configurations, DC=mydomain,DC=com:Acitve Directory Recycle Bin GUID

Enable-ADOptionalFeature - Identity ADOptionalFeature -Scope ADOptionalFeatureScope - Target ADEntity

Question 15

steps to do before enabling AD Recycle Bin

Answer 15

Prepare forest - run adprep /forestprep
Schema Master
Infrastructure Master - adprep /domainprep/gpprep
update all DC to 2008R2
raise the forest level - run setADForestMode cmdlet or by running ldp.exe

Question 16

identify two of the steps to prepare your environment for the recycle bin

Answer 16

update AD forest by raising it to 2008R2

Update AD schema by running adprep

Question 17

isdeleted

Answer 17

is the attribute you want to remove from a deleted object in ldp.exe

Question 18

Powershell recover of deleted objects

Answer 18

powershell- recommended that you use GetADOb ject to retrieve deleted object and pass it through the pipline to Restore-ADObject which recovers it

GetADObject-Filter -includeDeletedObjects

ie: string = displayNmae -eq “AbuJones”

Restore-ADObject-Identity NewName -TargetPath

Simplest way to recover get object first using:
Get-ADObject-Filter-IncludeDeletedObejects|Restore-ADObject

Question 19

offline domain join benefits

Answer 19

Streamlines the process - useful when VM Data center environments
Reduces network traffic -
AD state changes without creating traffic
Computer state changes w/out traffice to a
DC
Make ea set of changes at a different time

Reduces cost of ownership - reduces start up time for servers, increases relaibility of domain joins ops in test and production environments

Performing domain joins using and RODC -

1. create computer acct
2. adjust pass2word replicationpoicy of ther RODC to allow passwrod caching for the computer you want to join to the domain
3. force replication of secrets for the computer you want to join
4. Communicate the password offline to the computer you want to join to the domain
5. Run a custome script that targets the RODC to complete the join.

Question 20

Offline domain join

Answer 20

Create the account beforehand in AD DS
Specify tha the doamin joining computer must consume a previously created test file
Once the computer consumes the data in the text file and starts up, it is automatically joined to the domain

Question 21

Rapid Deployment

Answer 21

offline domain join may be of particluar interest to network architects as well as security and datacenter admins because reduces bottlenecks when many users access the network simutaneously

Question 22

unattended windows setup answer files with deployment tools , such as

Answer 22

Windows System Image Manager which provides relevant data to join a domain

2008R2 and Windows 7 support these options

Question 23

Prerequisite user rights to perform and offline join

Answer 23

1. Member of the domain Admin group
2. Edit the ACL
3. Create an OU ie: grant yout he Create Child-Allow permission, pass the /machineOU parameter to the djoin

/provision command

to create a join file:
ldp.exe to join, go to connect, tree, etc.
then right click on DN in the list for the domain controller,
Choose Advanced, Security Descriptor
ACE windows type in the name of the permission to join - check Create Child and inherit, drop down of Object Type: Computer class, ok. update

then use the djoin.exe

Question 24

djoin.exe commands

Answer 24

/provision -

/requestODJ - inserts the provisioned metadata into the Windows directory of the domain joining computer

it targets the DC running 2008 R2 by default but can be modified. do this by using the /downlevel parameter

djoin /provision /domain domain_mane /machine destination_computer_name /savefile filename.txt

Question 25

doing the join offline

can be used in several situations

Hyper V machines (use 3 VMs - DC, Provisioning server and the computer to join

provisioning cmd and the request cmd have to be run on 7 or 2008 R2 computers

Answer 25

setup an account with the proper user rights
use djoin.exe /provision cmd to create the computer metadata account info. Must be done on a machine joined already and 2008 R2 or Windows 7. - This becomes the provisioning server

use the blob file you created to joining the computer with 2 options:

djoin /request ODJ to call the metadata and cpy it to the Windows directory of the computer you want to join.

djoin /requested

djoin /requestodj /loadfile filename.txt /windowspath windows_directory_path_to_offline_image /localos - run at the command prompt on the machine to join after you have copied the xml file, then reboot and the computer will have been joined.

or use an unattended XML file

create an undattend.xml file that contains sections for the

ComputerAccountMetadata

Question 26

enable recycle bin (forest level already completed)

Answer 26

1. Run ldp.exe, connect and bind to AD DS
2. Access the options to modify the partitions container in the config dir partition
   3 Specify attribute to add to the partitions container is an optional feature
3. Specify the distinguished name of the AD recycle bin which includes the GUID

Question 27

activate the display of the deleted objects container

Answer 27

1. ldp.exe
2. options tab
3. Access the controls dialog box
4. Select the option to display the deleted objects container