When we first got the search bar from the start menu in Vista my computing life changed. It has allowed me to be blissfully lazy. I really have no idea where any of my programs and files are. Heck, I don’t even know their full names. And don’t get me started on OS tools and features.

If I want to do a backup, I don’t navigate to the Backup and Restore Center – I just type the letters “ba” and BOOM. There it is. Life is great!

In Server 2008 R2 they have added a GUI search tool to help you find Active Directory objects. You can find users, computers, OUs, groups, and more in a snap! You can even search in other domains you have established trusts with.  Network admins everywhere:  rejoice!

You can further refine your search (query) by adding criteria. You can even save queries. And you don’t have to search the entire domain. You could navigate to a particularly large OU then filter that OU’s objects with a query. The possibilities are endless.

In all seriousness, this is a great tool for the help desk professional or any other person the all-powerful admin has delegated responsibilities to. For example, that person does not have to know the ins and outs of the network structure to quickly find a user and reset their password.

The fact that the new Active Directory Administrative Center (and its Global Search) can be installed on a Windows 7 client makes this scenario all the more possible.

The Global Search tool is only one new feature in the new Active Directory Administrative Center, and there are plenty more new features in Server 2008 R2.

So if you want to learn all about it and more — keep an eye out for our new Server 2008 R2 Training that is coming soon. Love it!

Related posts:

• Upgrading to Server 2008 R2 in 8 Easy Steps
• Windows Server 2008: Auditing Active Directory
• How to Backup and Restore Active Directory on Server 2008

The Old Way of Recovering Deleted AD Objects

Let’s start by taking a look at the old way of recovering deleted AD objects in both Server 2008 and Server 2003.

Directory Services Restore Mode (DSRM)

In Windows Server 2008 Active Directory you can completely recover deleted objects, such as users and groups, but only from the Server Backup. Once you restore the object, you then have to make sure that the data is replicated throughout the domain. This is a long, two-step process — first you have to restore it and then replicate it.

But, there is also a catch to this process — you can only perform the restore in Directory Services Restore Mode (DSRM). On top of that, while in DSRM the domain controller has to be offline. No big deal, right?  Well, actually it is a big deal because that domain controller cannot provide services while data is being restored. So restores cannot be done right away but only during scheduled maintenance hours. 

What about that guy who’s account was deleted and he can’t login? Looks like he’s out of luck.

AD Tombstone Reanimation

In Windows Server 2003 and 2008 Active Directory, you can also recover deleted objects through tombstone reanimation.  How does that work? 

Well, when an object is deleted from Active Directory it is not physically removed from the database.  Not right away, at least.  What happens though is the object’s distinguished name (DN) is distorted, attributes are cleared or removed, and the object is moved to Deleted Objects container.  It sits there for about 180 days (that’s the default length of time but it can be adjusted) and anytime within this time period the deleted object can be recovered.

The good thing is that this recovery can be done right away, however, all the attributes will be gone.  So, for example, if a user account belonged to an Administrator’s group before the deletion, this attribute is not going to be there after recovery and you will have to add that account to the Administrator’s group manually. 

You might have to spend some time trying to figure out all the group memberships for an object and that may cause a lot of complaints from that particular user who won’t be able to access his data.

Needless to say, the old way of recovering Active Directory is a slow, painful process that’s frustrating to everyone.

The Better Way to Recover Deleted AD Objects

The Active Directory Recycle Bin in Server 2008 R2 will save you a lot of time and frustration. It also makes the whole process a lot simpler.

How does Active Directory Recycle Bin work?

The AD Recycle Bin works just like the tombstone reanimation explained earlier, but way better. 

The difference is huge — when you delete an object from AD in Server 2008 R2 the system keeps all the attributes with the object, instead of clearing or deleting them. The object becomes “logically deleted” (new state that is introduced in R2). 

Just like with tombstone reanimation, the object is moved to Deleted Objects container where its DN is distorted.  It sits there for a limited period of time (such as 180 days) and within this time frame it can be recovered with AD Recycle Bin within seconds. It will then become a live AD object just like it was before deletion with all the attributes and ready to be used.

So, by using AD Recycle Bin, the object will be:

• restored while Domain Controller is online — without interruption of services
• have all the attributes
• ready to use without any manual adjustments

This will not only minimize directory service downtime but also help restore objects as they are needed within seconds.

Can I have AD Recycle Bin on my Server?

There are three version of Windows Server 2008 R2 that support AD Recycle Bin:

• Windows Server 2008 R2 Standard
• Windows Server 2008 R2 Enterprise
• Windows Server 2008 R2 Datacenter

AD Recycle Bin is not available in:

• Windows Server 2008 R2 for Itanium-Based Systems
• Windows Web Server 2008 R2

How do I enable AD Recycle Bin?

By default Active Directory Recycle Bin is disabled. You need to enable it and once you do so, there is no way to disable it.

To enable the Recycle Bin, you need to:

1. Make sure that all of your Domain Controllers run Server 2008 R2
2. Raise the forest and domain functional levels to Server 2008 R2
3. Run a command that will enable the AD Recycle Bin

I bet any Server Admin will agree that the AD Recycle Bin is a great new feature of R2. I think it will be very popular with most (if not all) Windows Administrators.

If you would like to find out more about this and other new features of Windows Server 2008 R2, please visit this Microsoft page and tell me what else you think is cool!

Related posts:

• How to Backup and Restore Active Directory on Server 2008
• Active Directory Improvements in Windows Server 2008
• Server 2008 Active Directory: Adding a Child Domain

Microsoft has been developing and testing a new virtual lab test experience for a while now. At first it was piloted as the 70-113 exam and then started rolling out officially as the 83-640 exam.  All of this might have flown under your radar until recently. We have been getting questions about this here at Train Signal so I thought I would clarify the situation.

Now (as of May 31st actually) the English version of 70-640 has been completely replaced by the 83-640 in the US and Canada.

So why the change in number? I think it is just an organization thing. Like all the beta exams start with 71, the academic versions 72, and now virtual lab exams start with 83.

What to Expect on the New 83-640 Exam

In this case change really is good. The test is more fun (yes I just said fun and test in the same sentence). I encountered some simulation questions when I took 70-620: TS: Microsoft Windows Vista, Configuring. This, however, is an entirely different beast.

For the new 83-640 test you remotely access a virtual machine. You are given a problem or a list of tasks and need to actually solve it on Server 2008. It is a real VM! You could probably add Mickey Mouse as a user if you wanted to. Would this result in a fail? I don’t recommend trying it.

The Born to Learn Blog posted a neat little demo video so that you can get an idea of what this all looks like. I should also mention that there are still some multiple choice questions on the 83-640 exam as well.

Oh and make sure you show up on time for your exam because you have a virtual machine reserved for you at that certain time. Also, there have been some anecdotal reports of latency (not unexpected) and exams completely crashing. Be patient with the slowness but don’t be afraid to speak up if your exam goes kaput.  

What is it Worth?

Microsoft keeps saying that the 70-640 and the 83-640 have the same objectives and count the same. This is all true but have you thought about an additional intangible quality the new exam will bring you?

I think the certification holds more validity and prestige because it can’t be braindumped. You actually get to show that you know how to do configure AD not just the theory behind it. You can give yourself an extra spirited pat on the back after passing this exam.

I can’t wait to see what virtual lab test they decide to develop next. 642? Exchange 2010?

Good News!

Train Signal’s Server 2008 Active Directory Training course is completely able to prepare you for this new exam. Our training already shows you how and not just why. And … Drum roll please … we even include Transcender’s new one-of-a-kind virtual lab-based product. That way you can practice in the same environment that the test has.

Happy studying!

Related posts:

• MCTS Demystified: What you need to know about the Server 2008 Active Directory (Exam 70-640) Certification
• MCTS Demystified: What you need to know about the Server 2008 Applications Infrastructure (exam 70-643) Certification
• Get SQL Certified: What you need to know about the SQL Server 2008 Developer (70-433) Exam

In Part 1: AD RMS – Data Access Controls we learned about file access controls to data and resources by leveraging permissions via NTFS and share restrictions.

Part 2: AD RMS – Encryption covered the Encrypting File System and BitLocker functionality.

Part 3: AD RMS – Features & Operational Considerations covered some of the higher level features and operational considerations of the technology, reviewing content permission and control.

In today’s post I will be outlining the system requirements of Active Directory Rights Management Services as well as other dependencies for the service.

AD RMS System Requirements

Like any other application, Active Directory Rights Management Services has minimum and recommended system requirements.

Server 2008 R2 and Internet Information Services (IIS) are required in order to successfully install and initialize AD RMS. Additionally, AD RMS also requires access to a database server with SQL Server being identified as part of the system requirements. The database can be run either on the same server as AD RMS or on a remote server.

As defined by Microsoft the “requirement” for AD RMS is:

One (1) Pentium 4 Processors running at 3 GHz or higher
512 MB of RAM
40 GB of free hard disk space

The recommended configuration is:

Two (2) Pentium 4 Processors running at 3 GHz or higher
1 GB of RAM
80 GB of free hard disk space

AD RMS Software Requirements

Below are the software requirements for running your Server 2008 R2 based configuration on the Active Directory Rights Management Services role:

The File system installed should be NTFS and Message Queuing needs to be enabled.

Internet Information Services (IIS) is needed as well as ASP.NET.

Your Server 2008 R2 system in the AD RMS role must be installed in an Active Directory domain. The domain controllers need to be running Windows Server 2000 with Service Pack 3 (SP3), Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2.

An additional requirement is that all users and groups who need to use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory.

AD RMS also requires a database server and Microsoft’s outlined requirements recommend SQL Server 2005 or SQL Server 2008. (SQL Server 2000 is not supported).

Additional Considerations

Before AD RMS can be installed there are several additional considerations that need to be reviewed:

The AD RMS server needs to be installed as a member server in the same domain as the user accounts that will be leveraging the service.

You will need to create a domain user account to be used as the AD RMS service account.

You need to also specify a user account to be used for the installation of AD RMS; this account needs to be different than the AD RMS service account and it must have access to query the Active Directory Domain Services (AD DS) domain.

If you are going to register the AD RMS service connection point (SCP) during installation, the specified user account installing must be a member of the Domain Enterprise Admins group (or have at least the equivalent permissions).

With respect to using an external database server for the AD RMS databases, the user account must have the right to create new databases. If SQL Server 2005 or SQL Server 2008 is used, the user account must be a member of the System Administrators database role, or equivalent

A Few More Recommendations

Microsoft best practices also details the following additional recommendations:

The database server used to host the AD RMS databases should be installed on a separate computer.

When installing an AD RMS cluster, secure sockets layer (SSL) certificates should be used and it should be issued from a trusted root certification authority.

You will need to create a DNS alias (CNAME) record for the AD RMS cluster URL and a separate CNAME record for the computer hosting the AD RMS configuration database. This is helpful in a scenario where the AD RMS servers are no longer in use or taken out of service as the CNAME record can be updated without having to publish all rights-protected files again.

If you are using a named instance for the AD RMS configuration database, the SQL Server Browser service must be started on the database server before installing AD RMS. If the SQL Server Browser service is not started the AD RMS installation will not be able to locate the configuration database and the installation will fail.

And that’s as far as system recommendations and other considerations for AD RMS go.

Next time, we’ll finally get to the fun part — installing AD RMS on a Server 2008 R2 system!

Related posts:

• Active Directory Rights Management Services: Features & Operational Considerations
• Active Directory Rights Management Services: Data Access Controls
• Active Directory Rights Management Services: Encryption – EFS and BitLocker

As I mentioned before, Server 2008 R2 is still in “Release Candidate” status so the details in these articles might change before the product is officially released to manufacturing (RTM), so please keep this in mind.

Now before we get started, let’s do a quick review of what we already covered:

In AD RMS – Data Access Controls we briefly reviewed file access controls to data and resources by leveraging permissions via NTFS and share restrictions. In this article we will take a look at some of the other ways outside of AD RMS that administrators can limit intentional and unintentional data leakage.

In AD RMS – Encryption: EFS and BitLocker we reviewed the Encrypting File System and BitLocker functionality. While not directly related to Active Directory Rights Management Services they are a part of any good security and control strategy.

In today’s segment on Features and Operational Considerations we will review some of the higher level features and operational considerations of the technology in order to get a good understanding of what it offers in terms of content permission and control. I’ll cover:

• Why use AD RMS?
• What AD RMS can do
• How Rights Management works (in a nutshell)
• Shares and Licenses

Why Use AD RMS?

When administrators leverage Active Directory Rights Management Services (AD RMS) as part of their security strategy, they add an additional layer above and beyond standard file based security, EFS, or disk encryption technologies such as BitLocker.

This is accomplished by allowing for the protection of information through persistent usage policies and rights management. The best part of this use and rights security is that it is not limited to where the data is stored but rather it is part of the data itself, which means that no matter where the data resides it effectively carries the permissions and restrictions with it.

AD RMS allows administrators to set up the services that will allow data owners to configure permissions to sensitive information as part of their security efforts to keep it from intentionally or accidentally being sent to or received by people that should not have access to it in the first place.

As an example, if I have general file access rights (read) to a Word document and I have it in my possession there is nothing preventing me from forwarding that out to the world in an email.

AD RMS resolves that issue.

As another example, if I have general file access rights (read) to a Word document and I am fired from my company I will always have access to that Word document saved on my own storage device.

AD RMS resolves this problem as well.

What AD RMS Can Do

The AD RMS environment that administrators will deploy includes a system running Server 2008 R2, the latest version released. This system would be running with the AD RMS server role enabled in order to handle all of the necessary certificates for the data. You would also need it to host database services and the AD RMS client.

The AD RMS client is included as part of Windows 7 and Windows Vista and is leveraged as part of the solution to process the permissions on the data.

Data owners are able to define who can open, modify, print, forward, or take other actions with the data. Policy templates can also be created and can be applied directly to the information so that the users do not have to define permissions or rights individually.

As an example a template could be set up as “INTFTE” which allows for “all rights denied except READ” and that could be applied to Word Documents and Spreadsheet and the like, where only those people that are full time, internal employees would even be granted access to the data and then only at a READ level. At that setting they would be unable to print out the data, copy and paste it out and the ability to create screen shots or clippings would be disabled when that document was open.

If you want to be able to leverage rights management to data created on a given application it must be rights management aware or be able to leverage add-ons that have been created to make an application AD RMS-enabled, even if it does not natively implement RMS functionality. Text files created with Notepad cannot be rights enabled because the application cannot leverage the functionality natively as an example.

How Rights Management Works (in a nutshell)

The way the Active Directory Rights Management Service works is that it will issue RMS licenses by way of the AD RMS client which is required for creating the permissions and restrictions on the rights-protected content. The client is also needed for access to that data as well.

Data that is protected by AD RMS leverages encryption and an embedded Usage Policy that defines how each user or group will have access to that data. The data owner will decide the rights that those trusted users will have and they will enable that access right through the application itself.

When a data creator / owner decides that they will rights protect a Word 2007 document, that is done right through Word by selecting the “Office Button” (sometimes called “The Pearl”) in the upper left hand corner of the application and choosing the Prepare option (preparing the document for distribution) and then choosing the Restrict Permission option.

[NOTES FROM THE FIELD] – When content is rights protected (often referred to a “published” or “distributed”) through AD RMS, it is encrypted with Advanced Encryption Standard (AES) 128-bit encryption. (Data Encryption Standard (DES) 56-bit encryption is available for backward compatibility).

In our example above in using Word, AES 128-bit encryption would be used as Microsoft Office 2007 always uses AES 128-bit encryption by default.

AD RMS uses public and private keys to encrypt the content encryption symmetric key. The rights policy data in the publishing license and the use license are also encrypted. AD RMS also uses the public keys to digitally sign AD RMS certificates and licenses as well.

Once the permissions are set (such as READ) then specific users or groups are assigned that license or right to that data. The data owner may then put the Word document out on a share (where the share may have access and permissions rights added to it through the share itself and / or where file permissions may be set via NTFS).

When a user with share and file rights access attempts to view the document they must also have this “licensed” right to do so from the owner or they will be denied access to the data from the rights management perspective.

You can see where combining share, file system, EFS, and BitLocker can add to the security of data and how RMS adds an additional layer even above and beyond that.

Shares and Licenses

If a user was accidentally put into a group that has permissions to a shared resource (such as the Payroll folder and network share), they would suddenly have access to data that they should never have been granted access to in the first place.

However, if the actual data was rights protected this user would not have the license right to access the data; despite the fact they are in a share they don’t otherwise belong in they cannot read the data because they have no RMS access to it.

Additionally, in a situation where someone is fired or quits working for a company, their rights to that data can be revoked. Despite the fact that they may still have data saved on a removable drive or flash memory in their possession, they will no longer be able to access it as their rights, remotely managed via the AD RMS service, will now be denied.

An overly simple way to consider AD RMS is — deny all access rights to all users / groups except those with specific granted rights by way of RMS permissions.

Further Reading

For a much more of a detailed look at the actual process please consider a review of Deploying Active Directory Rights Management Services at Microsoft — specifically the Process That IRM Uses to Generate and Retrieve Licenses section of the article.

Next Time

In my next article AD RMS – System Requirements and other Considerations we’ll go over the recommend system requirements and some of the high level configuration considerations for a standard set up. See you then!

Related posts:

• Active Directory Rights Management Services: System Requirements & Other Considerations
• Active Directory Rights Management Services: Encryption – EFS and BitLocker
• Active Directory Rights Management Services: Data Access Controls

I have already covered the Active Directory, Configuring (exam 70-640) certification as well as the Network Infrastructure (exam 70-642) certification.

Next MCTS certification in line, and the one I will be discussing today, is the Applications Infrastructure (exam 70-643) certification.

As I already mentioned in my previous articles, the numbering doesn’t really mean the order in which you need to take these exams.  You can take them in any order you want.  However, it does make sense to follow the order, especially when you’re preparing for these exams. 

I would definitely suggest taking the Active Directory (70-640) exam first and then either the Network Infrastructure (70-642) or the Applications Infrastructure (70-643) exam.  The reason is that you will need some of the knowledge from the 70-640 exam to take the 70-642 and 70-643 exams.  But like I said, there are no prerequisites so it is really up to you.

70-643 Exam Details

From what I heard, the number of questions varies for this certification.  It is somewhere between 50 and 60 questions with approximately 90-120 minutes to complete them all. The passing score was reported to be 700.

And again, I would strongly suggest going through all the questions and answering the ones you know the answers to first. Mark the questions that will take longer for you to answer as well as the ones you have no clue about (that shouldn’t happen though, right?).  Once you go over all the questions in your first “round” go back and review the marked questions for the rest of the allotted time.

This will allow you to answer all the questions you know and then give you time to work on the ones that you might not be sure about.  Be ware of changing your answers on the second run — chances are your gut was right and the answer you picked the first time is correct.

70-643 Exam Topics

There are 4 main topics on the Applications Infrastructure exam:

• Deploy Servers (24%)
• Configure Terminal Services (32%)
• Configure Web Services Infrastructure (30%)
• Configure Network Application Services (14%)

Quick tip for studying these is — make sure you know how to configure terminal services (TS) and web services. These two topics account for over 60% of the questions. 

To find out more about these topics as well as sub-topic details visit this Microsoft page.

Where to Start?

As with any certification, I would suggest getting:

• a very good information source for your theory learning — this would be either a book or a video training
• a testing environment to put your theory into practice

For those of you who are going to use our Applications Infrastructure training videos I would definitely suggest making sure you understand Active Directory.  The Applications Infrastructure course assumes that you know how to create OUs, groups, and users. These things, I guess, are sort of a prerequisite for this exam.

As for hardware, you will really need only one mega machine with about 8GB of RAM and 200GB of hard disk space or two beefed up machines with about 4GB of RAM each and about 120GB of hard disk space.

Coach, the instructor for this course, uses Hyper-V to create multiple machines to demonstrate everything on.  You can follow him step-by-step and do the same, or you can use VMware or MS Virtualization for your virtual machines.  This is up to you, but virtualization is strongly recommended as it saves you time and money.

Don’t I Need Experience?

As always, Microsoft wants you to have “at least one year of experience implementing and administering a network operating system in an environment that has the following characteristics:

• 250 to 5,000 or more users
• Three or more physical locations
• Three or more domain controllers
• Network services and resources such as messaging, a database, file and print, a proxy server, a firewall, the Internet, an intranet, remote access, and client computer management
• Connectivity requirements such as connecting branch offices and individual users in remote locations to the corporate network and connecting corporate networks to the Internet”

If you don’t have real-world experience, would suggest spending a considerable amount of time practicing on your test environment before taking this exam. The more you break and fix — the more you will learn and the easier the exam is going to be for you. 

Don’t be afraid that something will go wrong. You are working on virtual machines, so take snapshots before you do anything in case something does go wrong, just go back to the previous snapshot and try again. Troubleshooting your own problems is one of the best ways to really learn.

And remember, you will never be able to do this type of stuff in a production environment, so practice, break stuff, fix stuff — and repeat.

Why Would I Want to Get this Certification?

By passing the 70-643 Applications Infrastructure exam you are one step closer to your MCITP, Enterprise Administrator Certification which would definitely secure your current position as well as give you the opportunity for a promotion or, who knows, maybe even scoring a better job.

I wonder how many of you guys out there are working towards the Enterprise Admin Certification.  C’mon, show yourself!

Related posts:

• MCTS Demystified: What you need to know about the Server 2008 Network Infrastructure (exam 70-642) Certification
• MCTS Demystified: What you need to know about the Server 2008 Active Directory (Exam 70-640) Certification
• Hyper-V Certification – MCTS: Windows Server Virtualization, Configuration (Exam 70-652)

The MCTS Windows Server 2008 Active Directory: Configuration certification is one of the most popular Microsoft certifications and also a perfect starting point for any aspiring administrator.

Today I’m going to tell you everything you need to know about the Server 2008 AD certification and share some of my experiences and tips for taking, and passing the 70-640 exam so that you can frame your MCTS certificate and show it off to everyone.

As I mentioned before, the Active Directory certification (exam 70-640) is a perfect starting point for those just getting started in the IT industry.  Once you get your Network+ certification, learning Active Directory is a great way to expand your networking skills.

Does that mean that you have to have your Network+ before getting AD certification?  No, Network+ is not a prerequisite.  It is only my recommendation as it will definitely help you understand all of the technology used in Active Directory study materials.

What if you’re an administrator already?  Well, this is a great start on your MCITP Certification. 

Whether your goal is to get the Server Administrator or the Enterprise Administrator certification, the Active Directory Configuration exam is required for both of them. If you’re not sure which MCITP Certification is right for you, check out my last article that talks about the differences between these two certification paths.

70-640 Exam Details

At the time I took the 70-640 exam there were 42 questions.  I don’t remember exactly how long it was but I had plenty of time to go through all the questions and then go back and review my marked ones.

Let me just mention real quick for those of you who never took a Microsoft exam, if you are not sure about your answer or you want to skip a question, you can mark it and then go back to it once you went through the entire exam. This was really helpful to me at least; I marked questions that were long and did them at the end to make sure I had enough time.

The passing score for the 70-640 exam is 700 and believe me, it’s not that difficult to pass it.  I’m not saying it’s an easy exam, but if I could do it, you can too.

70-640 Exam Topics

There are six main topics that are covered on this exam; you will need to learn how to:

• Configure Domain Name System (DNS) for Active Directory (16%)
• Configure the Active Directory infrastructure (25%)
• Configure additional Active Directory server roles (9%)
• Create and maintain Active Directory objects (24%)
• Maintain the Active Directory environment (13%)
• Configure Active Directory Certificate Services (13%)

Now keep in mind that every one of these major topics consists of many different subtopics. To find out more about them visit Microsoft.

Where Should You Start?

In my opinion a good way to start would be getting a certification book or a video, a machine on which you can install Server 2008 (yes, a virtual machine is totally fine too) and dedicating a little bit of time each day to study the material. 

Make sure that once you read a chapter or view a video, you practice the covered topic on your Server 2008. Microsoft provides a download trial for almost each of their products so you should not have to spend a lot of money getting the Server 2008 OS.

If you can’t find a download of a particular Microsoft product consider getting a TechNet Plus subscription which will get you access to full version Microsoft software for your own training purposes. To learn more about this check out Dave’s article: Why Should You Have a Microsoft TechNet Plus Subscription?.

Once you complete all your training, test your knowledge with practice exams.  It’s always good to test your skills before spending money on the exam.

The way I prepared for this exam was by reviewing Coach’s course a couple of times. (Actually, I didn’t have a choice, since as his Product Manager I had to review it more than once, hehe, but it definitely helped a lot). 

I also used Transcender practice exam to test my knowledge. And with some previous knowledge of networking, I felt confident enough to decide to give it a try. I took the exam and passed on the first try.

What About Experience?

Microsoft recommends that you should have “a minimum of one year of experience implementing and administering a network operating system in an environment that has the following characteristics:

• 250 to 5,000 or more users
• Three or more physical locations
• Three or more domain controllers
• Network services and resources such as messaging, a database, file and print, a proxy server, a firewall, the Internet, an intranet, remote access, and client computer management
• Connectivity requirements, such as connecting branch offices and individual users in remote locations to the corporate network and connecting corporate networks to the Internet”

This is where the practicing on your own server 2008 comes into play.  You can “create” your own company on your server and perform all the tasks that are required for this certification. The server is going to crash and things won’t work the way you think they should, so you will also get some troubleshooting experience as well.

If you can’t get real experience from a job, create your own scenarios and use them as practice.

What Are the Benefits of Passing This Certification?

Well, if you are new to IT, this certification will show that you are definitely on the right path to a new career.  For those of you who are already in the field — just a few more certifications and you will be an MCITP Certified Professional.  This will open up doors for new job opportunities and/or promotions …
And let’s be honest, we all want those

So how did you do?  Post your scores guys — let’s have a competition! (Just don’t make them up — I might ask you to fax me your results, hehe)

Related posts:

• MCTS Demystified: What you need to know about the Server 2008 Applications Infrastructure (exam 70-643) Certification
• MCTS Demystified: What you need to know about the Server 2008 Network Infrastructure (exam 70-642) Certification
• Hyper-V Certification – MCTS: Windows Server Virtualization, Configuration (Exam 70-652)

I recently had a client call me after they installed updates and rebooted their server. They noticed after the reboot that there was a message that said “Active Directory is rebuilding indices. Please wait”.

Their Active Directory database had become corrupted from the updates. So what do you do? How can you restore AD?

Let’s talk about how to backup AD in Windows Server 2008 and how to restore it. Today I’ll show you:

• what you need to do to get your Server 2008 ready for backup
• how to backup Active Directory on Server 2008
• how to perform an Authoritative Restore of Active Directory
• how to perform Active Directory Snapshots

Prerequisites: Getting Server 2008 Ready for Backup

Before you can backup Server 2008 you need to install the backup features from the Server Manager.

1. To install the backup features click Start → Server Manager.

 

2. Next click Features → Add Features

 

3. Scroll to the bottom and select both the Windows Server Backup and the Command Line Tools

 

4. Click Next, then click Install

Backing up Server 2008 Active Directory

Now that we have the backup features installed we need to backup Active Directory. You could do a complete server backup, but what if you need to do an authoritative restore of Active Directory?

As you’ll notice in Server 2008, there isn’t an option to backup the System State data through the normal backup utility.

 

So what do we do? We need to go “command line” to backup Active Directory.

1. Open up your command prompt by clicking Start and type “cmd” and hit enter.

2. In your command prompt type “wbadmin start systemstatebackup -backuptarget:e:” and press enter.

Note: You can use a different backup target of your choosing

3. Type “y” and press enter to start the backup process.

 

When the backup is finished running you should get a message that the backup completed successfully. If it did not complete properly you will need to troubleshoot.

 

Now you have a system state backup of your 2008 Server!

Authoritative Restore of Active Directory

So now what if you accidentally delete an OU, group, or a user account and it’s already replicated to your other servers? We will need to perform an authoritative restore of the Active Directory object you accidentally deleted.

1. To do this you will need to boot into DSRM (Directory Services Restore Mode) by restarting your server and pressing F8 during the restart.

2.Choose Directory Services Restore Mode from the Advanced Boot menu.

 

3. Login to your server with your DSRM password you created during Active Directory installation.

4. Once you’re logged into your server and in DSRM safe mode, open a command prompt by clicking Start, type “cmd“, and press enter.

5. To make sure you restore the correct backup it’s a good idea to use the “wbadmin get versions” command and write down the version you need to use.

 

6. Now we need to perform a non-authoritative restore of Active Directory by typing “wbadmin start systemstaterecovery -version:04/14/2009-02:39“.

Note: The version of backup will vary depending on your situation. Type “y” and press enter to start the non authoritative restore.

7. Go grab some coffee and take a break while the restore completes.

 

8. You can mark the sysvol as authoritative by adding the –authsysvol switch to the end of the wbadmin command.

 

9. But if you want to restore a specific Active Directory object then you can use the ever familiar ntdsutil.

For this example we are going to restore a user account with a distinguished name of CN=Test User,CN=Users,DC=home,DC=local. So the commands would be:

ntdsutil
activate instance ntds
authoritative restore
restore object “cn=Test User,cn=Users,dc=home,dc=local”

Note: The quotes are required

 

10. Reboot your server into normal mode and you’re finished. The object will be marked as authoritative and replicate to the rest of your domain.

Using Active Directory Snapshots

There is a really cool new feature in Windows Server 2008 called Active Directory Snapshots. Volume Shadow Copy Service now allows us to take a snapshot of Active Directory as a type of backup. They are very quick to create and serve as another line of defense for your backup strategy.

With your server booted into normal mode open a command prompt by clicking Start, type “cmd“, and press enter.

We are going to use the ntdsutil again for creating the Active Directory snapshots. The commands are:

ntdsutil
snapshot
activate instance ntds
create
quit
quit

So now that you have a snapshot of AD, how do you access the data? First we need to mount the snapshot using ntdsutil. The commands are:

ntdsutl
snapshot
list all
mount 1 — (Note: You should mount the correct snapshot you need; for this example there is only 1.)
quit
quit

Your snapshot is mounted, but how do you access the data? We need to use the dsamain command to accomplish this. Then we need to select an LDAP port to use. The command is as follows:

dsamain –dbpath c:\$SNAP_200905141444_VOLUMEC$\WINDOWS\NTDS\ntds.dit –ldapport 10001

The result should look like this:

 

Now we need to go to Start, Administrative Tools, then Active Directory Users and Computers.

Right click Active Directory Users and Computers and select Change Domain Controller.

 

In the area that says < Type a Directory Server name [:port] here > enter the name of your server and the LDAP port you used when running the dsamain command.

For my example it would be: WIN-V22UWGW0LU8.HOME.LOCAL:10001

 

Now you can browse the snapshot of Active Directory without affecting anything else negatively.

Your AD Backup Strategy

It’s always good to have a solid backup plan for your Active Directory. You can use a combination of backup strategies or just one of these methods for backing up your Active Directory.

Make sure you tailor your Active Directory backup strategy to meet your company’s needs and make it easy to recover if disaster does strike.

Related posts:

• New in Server 2008 R2: Recycle Bin in Active Directory
• Windows Server 2008: Auditing Active Directory
• Windows Server 2008 Active Directory — Creating Users is Easy!

Now, I’m going to assume that you already installed Server 2008 and Active Directory and have your server set up and ready to go.

Today we’ll start with a quick review of Active Directory so you can get a good idea of what’s new in the 2008 version.

Then we’ll talk about user and group creation before jumping in to the hands-on demo portion of the video where I’ll show you how to create users and groups.

Here’s what’s covered in Lesson 3:

• AD review & what’s new in 2008 — we’ll talk about some of the new toys and capabilities that have been added to Server 2008 AD
• Server Manager — next we’ll take a tour of Server Manager to see where things are and what they do
• AD DS Auditing — using our Verde Petra scenario that we went over in Part 1 I’ll show you how to setup Active Directory auditing
• Renaming Admin user – for server hardening we’re going to rename the primary admin account; this is going to protect our server against any attacks and keep our server secure and safe
• Creating users & groups — now we’re going to create a few user accounts and then we’ll create groups for all of the accounts
• Adding users to groups — I’ll also show you how to add users to different groups
• Event Viewer — we’ll end the video with a quick look at the Event Viewer so you can see where to find all the auditing items

Free Instant Download

Download this lesson in high-quality WMV video format

Or, download in iPod/iPhone format to watch on the go

Related posts:

• Windows Server 2008 Active Directory — Creating Users is Easy!
• Lesson 2: How to Install Server 2008 and Active Directory
• Server 2008 Active Directory User Groups — the Easy Way!

You can watch the whole video below or download it and watch it at your convenience — I included iPod/iPhone files for you too.

 
Here’s what I cover in this video:

• The scenario — I’ll start off by introducing you to the scenario that we’ll be working with all throughout this training
• Quick edition check — we’ll go through the different flavors of Server 2008 and the requirements to make sure that your box is ready
• Installation & configuration — installation and initial configuration steps are explained and demonstrated on a virtual machine
• Adding Active Directory — next I’ll show you how to add the AD role by installing Active Directory Domain Services
• Promotion to Domain Controller — using dcpromo.exe we will create a new domain in a new forest and then install the DNS server

Free Instant Download

Download this lesson in high-quality WMV video format

Or, download in iPod/iPhone format to watch on the go

Related posts:

• Lesson 3: Active Directory Users and Groups in Windows Server 2008
• Lesson 8: Windows Server 2008 Terminal Services
• Lesson 6: Windows Server 2008 RODC – Read Only Domain Controllers